What are Basic Web Application Attacks?

May 21, 2026

Cybersecurity might as well have its own language. There are so many acronyms, terms, sayings that cybersecurity professionals and threat actors both use that unless you are deeply knowledgeable, have experience in the security field or have a keen interest, one may not know. Understanding what these acronyms and terms mean is the first step to developing a thorough understanding of cybersecurity and in turn better protecting yourself, clients, and employees. 

In this blog series, we aim to explain and simplify some of the most commonly used terms. Previously, we have covered bullet proof hosting, CVEs, APIs, brute force attacks, zero-day exploits, doxing, data harvesting, IoCs, credential stuffing, ransomware as a service, and push bombing. In this edition, we dive into basic web application attacks.

A basic web application attack is an attempt to exploit vulnerabilities in a website or web app to gain unauthorized access, steal data, or disrupt service.

As organizations continue to migrate their operations to the cloud and rely heavily on web-based interfaces, the surface area for potential cyber threats has expanded significantly. Web applications power everything from online banking to internal business tools. Without proper fortification, they remain primary targets for malicious actors. Attackers are focusing their efforts on exploiting the applications themselves. Basic web application attacks are some of the most common methods threat actors use to compromise systems, steal data, and gain unauthorized access – and they don’t have to be complex. They exploit vulnerabilities in the application’s code, logic, or database connections.

These attacks often exploit vulnerabilities outlined by organizations like the OWASP, which tracks the most critical web security risks. The goal of these attacks varies, ranging from the theft of sensitive customer data and intellectual property to the total takeover of the administrative backend.

Understanding the fundamental methods attackers use to compromise these systems is the first step in building a resilient security posture. While there are dozens of techniques, let’s review the most common:

  • SQL Injection (SQLi): The attacker targets the server’s database and inserts malicious SQL code into an input field (like a login form or search bar). If the application does not properly sanitize this input, the malicious code is executed by the backend database, allowing the attacker to query, modify, or delete data directly from the database.
  • Cross-Site Scripting (XSS): The attacker targets the application’s users and injects malicious JavaScript into a webpage that other users then load. When a victim visits the compromised page, their browser executes the script, which can be used to steal session cookies, log keystrokes, hijack account credentials, or redirect the user to a fraudulent website. This works when applications don’t properly validate or escape user-generated content.
  • Broken Access Control: Access control ensures that users cannot act outside of their intended permissions. A failure in these controls—such as allowing a standard user to access an administrative URL or view another user’s private files—is known as Broken Access Control. This is a critical vulnerability that often leads to unauthorized information disclosure and data modification.
  • Broken Authentication: An attacker exploits weak passwords, session tokens, or login mechanisms to impersonate legitimate users — often through credential stuffing or brute force. This is made possible by oor password policies, lack of MFA, or predictable session tokens.
  • Cross-Site Request Forgery (CSRF): Attackers trick a logged-in user’s browser into making an unwanted request to a site they’re authenticated on. For example, while a user is authenticated in their banking app, they might click a malicious link in a different tab that triggers a hidden request to transfer funds. Because the user is already authenticated, the web application treats the request as legitimate. This can happen when applications trust requests from authenticated sessions without verifying their origin.

Basic web application attacks continue to persist and are so effective because they exploit fundamental weaknesses that are common across many organizations. Every internet-facing application represents a potential target for attackers, significantly expanding the available attack surface. Many of these attacks are also relatively simple to execute, often requiring minimal tooling and allowing threat actors to automate exploitation at scale. Despite their simplicity, the impact can be severe—even a single vulnerability may expose sensitive databases, compromise user accounts, or disrupt critical services. In many cases, these risks are amplified by human and development-related factors, including rushed deployment timelines, misconfigurations, and the absence of secure coding practices throughout the software development lifecycle.

Most web application attacks follow a predictable lifecycle that allows threat actors to efficiently identify and exploit vulnerabilities. The process typically begins with reconnaissance, where attackers scan applications for exposed endpoints, login forms, APIs, and user input fields that may reveal potential weaknesses. Once areas of interest are identified, attackers move into vulnerability identification by testing inputs and application behavior for flaws such as injection points or insecure configurations. After discovering a viable weakness, the exploitation phase begins, during which attackers execute the attack by injecting malicious code, bypassing authentication controls, or hijacking user sessions. Successful exploitation is often followed by post-exploitation activity, including data exfiltration, privilege escalation, lateral movement, or establishing persistence within the environment. Because this process is structured and repeatable, web application attacks can be easily scaled across large numbers of targets.

The consequence of a successful web application attack includes: technical downtime, account takeover, data breaches, reputation damage, and financial loss.

Equifax

One of the most well-known examples of a web application attack occurred in 2017, when attackers exploited a vulnerability in the Apache Struts web application framework used by Equifax. The flaw allowed remote code execution through a vulnerable web application component. The breach exposed personally identifiable information (PII) of ~147 million individuals, including names, social security numbers, and birth dates. The incident highlighted how unpatched web application vulnerabilities can become entry points for large-scale data breaches.

Progress Software

In 2023, attackers exploited a SQL injection vulnerability in the MOVEit Transfer managed file transfer platform, allowing unauthorized access to sensitive data stored by thousands of organizations worldwide. The vulnerability was leveraged by the Clop ransomware group to extract data from government agencies, healthcare providers, universities, and financial institutions. The campaign ultimately impacted more than 2,000 organizations and exposed the data of nearly 100 million individuals, demonstrating how a single web application flaw can create widespread downstream impact.

Microsoft

In 2024, researchers identified a serious cross-site scripting (XSS) vulnerability in on-premises deployments of Microsoft Dynamics 365. The flaw allowed attackers to inject malicious JavaScript into application pages through improperly sanitized input fields. If exploited, attackers could execute scripts within victim browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed under legitimate user accounts. The incident reinforced that XSS remains one of the most persistent and commonly exploited web application vulnerabilities.

In many cases, it’s not advanced techniques that cause the most damage— it’s the fundamentals done poorly. To defend against a web application attack, organizations need to reduce risk with a combination of secure development practices and defensive controls:

  • Input Validation and Sanitization: Never trust user input—validate and sanitize everything. Implement strict validation rules to ensure only the expected data types are processed.
  • Use Parameterized Queries: Prevent SQL injection by separating code from data. Using parameterized queries (prepared statements) is the most effective way to prevent SQL injection.
  • Implement Output Encoding: Protect against XSS by properly escaping content. A strong CSP (Content Security Policy) can significantly reduce the risk of XSS by restricting the sources from which scripts can be loaded.
  • Enforce Strong Authentication: Use MFA, secure session management, and robust password policies.
  • Regular Patching and Updates: keep frameworks, libraries, and servers up to date.
  • Security Testing and Audits: Conduct frequent vulnerability scans and manual penetration testing to identify and remediate flaws before they can be exploited by threat actors. Incorporate static and dynamic analysis, penetration testing, and vulnerability scanning.
  • Follow Established Frameworks: Leverage guidance from OWASP, including the OWASP Top 10.

Curious to learn more about dark web monitoring? Contact us.

Inside the Arabic Darknet: Cryptocurrency, Charities and What Investigators Need to Know

May 19, 2026

The intelligence community’s understanding of Arabic-language activity on the dark web has lagged significantly behind research focused on English-speaking environments.

A newly published, prestigious ‘Scopus Q1’ study is beginning to close that gap, and the findings carry direct operational implications for government investigators, law enforcement agencies, and cybersecurity analysts working the MENA (Middle East and North Africa) region and beyond.

The study is written by Dr. Mohammad Shadi Alhakeem, Assistant Professor of Cybersecurity & Digital Forensics, College of Forensic & Investigative Sciencesat the Naif Arab University for Security Sciences (NAUSS). This blog is based on peer-reviewed research published in IEEE Access: “Investigating Cryptocurrency-Enabled Illicit Activities on the Arabic Deep/Dark Web” by Prof Mohammad Shadi Alhakeem.

The Arab world’s digital footprint is enormous and growing fast. Internet penetration across the region has reached approximately 70%, with countries like Saudi Arabia exceeding 99%.

Meanwhile, the Middle East and North Africa ranked seventh globally in on-chain cryptocurrency value received in 2024 — roughly $338.7 billion in a single twelve-month period.

That’s not just economic activity.

It’s a substantial attack surface.

The combination of widespread internet access, high cryptocurrency adoption, and anonymizing technologies like the Tor network has created fertile conditions for illicit activity — much of it conducted in Arabic and largely invisible to investigators relying on English-language intelligence sources. This study is one of the first systematic efforts to document what’s actually happening in this space.

The researchers used DarkOwl Vision as the primary tool for identifying and analyzing Arabic-language content containing cryptocurrency addresses. DarkOwl Vision indexes one of the world’s largest databases of dark web content, spanning Tor, I2P, ZeroNet, Telegram, and Discord, without requiring investigators to directly access dangerous or illicit networks themselves.

Figure 1: Sample of a finding from the Arabic Darknet containing Monero Donation Address, Source: DarkOwl Vision

This matters operationally. Standard OSINT approaches often require analysts to navigate anonymization networks directly, exposing them to harmful content and operational risk.

DarkOwl automatically and anonymously indexes this content, sanitizes explicit material, and presents results in plain text — protecting the analyst while delivering the intelligence. Its filtering capabilities allowed the team to narrow more than 3.1 million initial results to actionable data by applying filters for language, cryptocurrency entity type, network source, and crawl timeframe.

From that starting pool — spanning July 2024 through June 2025 — the team identified 4,711 results containing cryptocurrency addresses. After de-duplication, that yielded 95 unique addresses tied to illicit activity, each analyzed for type, linked activity, source network, appearance frequency, and total funds received.

The resulting 95 addresses were classified across six categories:

Unverified Humanitarian Aid Solicitations (UHAS) — Campaigns soliciting cryptocurrency donations, primarily framed around aid to Gaza, with no affiliation to any recognized humanitarian organization. This category accounted for the largest number of unique addresses and the largest volume of funds received. More than 85% of all tracked payments — including one address that received approximately $50,000 — flowed to UHAS addresses, reflecting sophisticated exploitation of public sympathy.

Dark Web Marketplaces (DWM) — Platforms facilitating the trade of illicit goods, including drugs, within the Tor ecosystem.

Cyber Threat Actors (CTA) — Entities conducting malicious cyber operations, predominantly affiliated with pro-Iranian hacktivist groups including 313 Team and LulzSec.

Terrorism Financing (TF) — Activity directly linked to financing terrorism, with specific ties to ISIS. Despite representing fewer unique addresses, this category generated the highest frequency of appearances across DarkOwl’s dataset.

Child Sexual Abuse Material (CSAM) — Multilingual onion sites serving as platforms for uploading and distributing CSAM.

Dark Web Blogs and Forums (DBF) — A catch-all for political discussions, sexual content, and other material from onion sites outside the five primary categories.

One of the study’s most operationally significant findings is the behavioral distinction between actors using pseudonymous cryptocurrencies like Bitcoin (BTC) and Tether (USDT) versus those using privacy coins like Monero (XMR) and Zcash (ZEC).

BTC and USDT dominated by volume and appeared predominantly on Telegram.

Privacy coins were concentrated almost exclusively on Tor-based Onion sites.

The platform choice wasn’t random — threat actors are deliberately matching their anonymity tools, pairing privacy coins with the Tor network for maximum operational security.

For investigators, BTC and USDT transactions leave traceable blockchain records. Specialized tools like Crystal Expert, TRM Labs, and Chainalysis Reactor can analyze transaction histories, identify clustering patterns, and link addresses to real-world entities.

Monero and ZCash are a different problem entirely. Their cryptographic design obscures transaction details at the protocol level, and the study was unable to determine the volume of funds received by any privacy coin address. Given that these addresses are disproportionately linked to Terrorism Financing and CSAM, that blind spot is not a minor inconvenience — it’s a critical investigative gap.

None of the 95 addresses appeared on both Telegram and the Tor network. The platform separation was absolute — a clear sign of deliberate compartmentalization designed to prevent de-anonymization. These actors understand the forensic trail that cross-platform address reuse creates, and they’re avoiding it. Some Monero addresses had first appearances in DarkOwl’s dataset dating back to early 2022, indicating operations that have run continuously for years.

Telegram is where the volume is, but the Tor network is where the most serious crimes are concentrated.

Agencies with limited resources should weigh their coverage accordingly. Unverified humanitarian solicitations deserve coordinated public awareness efforts — the financial flows are substantial, and these campaigns risk eroding public trust in legitimate aid organizations. For terrorism financing and CSAM cases, traditional blockchain analysis won’t be sufficient where privacy coins are involved: acquiring darknet monitoring, forensic tools and building relationships with Virtual Asset Service Providers is essential.

This research was made possible through DarkOwl, and the capabilities it demonstrates aren’t limited to the research context — they’re what DarkOwl delivers to government agencies, law enforcement, and intelligence teams every day.

DarkOwl Vision’s combination of breadth across platforms, depth of historical data, and analyst safety makes it the tool of choice for exactly the kind of cross-platform, multilingual, cryptocurrency-focused investigations this study documents.

The Arabic dark web is no longer uncharted territory. Mapping it accurately — and keeping that map current — requires the right intelligence infrastructure. DarkOwl is where that work happens.


Curious to see more? Contact us.

Stolen, Weaponized, and Sold: Real Stories of Data Extortion Attacks

May 14, 2026

Data theft extortion, as the name suggests, occurs when a hacker unlawfully gains access to an organization’s sensitive data or systems and then demands payment in exchange for restoring access or halting the attack. More broadly, extortion encompasses any scenario in which a threat actor demands compensation to cease malicious activity.

Organizations can fall victim to these attacks in several ways, including data breaches, exploitation of system vulnerabilities, and social engineering tactics that deceive employees into granting unauthorized access. While companies continue to strengthen their defenses, attackers are simultaneously evolving their methods, often becoming more sophisticated and escalating their tactics.

This blog explores several well-known data theft extortion incidents, examining how they were carried out and how organizations responded.

In October 2020, hackers contacted 40,000 patients from the Finnish psychotherapy provider Vastaamo, demanding €200 in bitcoin within 24 hours, followed by €500 within an additional 48 hours, threatening to release their personally identifiable information (PII) and therapy records if they refused to pay. Prior to the emails, Vastaamo had refused to meet the hackers’ demand when they received a ransom of €450,000 in bitcoin. In the initial response, the hacker posted 300 patient transcripts in a public forum. Eventually, a 10-gigabyte data file appeared on dark web sites containing private notes between at least 2,000 patients and their therapists.

The information was obtained due to the company’s inadequate security practices. Sensitive data belonging to patients was not encrypted or anonymized. Records were first accessed in 2018, and the security flaws were not fixed until March 2019.

In October 2022, the National Bureau of Investigation identified the suspect in the breach as 25-year-old Aleksanteri Kivimäki. He was subsequently charged in absentia at the Helsinki District Court with multiple offenses, including aggravated data breach, attempted aggravated extortion, aggravated distribution of information violating private privacy, blackmail, breach of confidentiality, and falsification of evidence. He was eventually convicted and sentenced to six years in prison. The attack prompted the Finnish government to implement enhanced security measures to safeguard citizens’ data, while also providing support to victims and introducing new legislation addressing data theft and extortion.

In late 2024, the threat actor group Scattered Lapsus$ Hunters (SLH) gained access to corporate Salesforce data by using social engineering techniques, specifically vishing (voice phishing). Between March 2025 and June 2025 attackers gained access to Salesloft’s corporate GitHub account. Salesloft is a sales engagement platform featuring an AI chatbot, Drift, which integrates with Salesforce and other applications. After compromising the GitHub account, the attackers downloaded content from multiple repositories, created their own user within the organization, and established custom workflows.

On October 03, 2025,SLH launched a data leak Tor site extorting 39 companies that were impacted by the Salesforce breaches. The companies extorted in the link include Disney/Hulu, FedEx, Google, McDonald’s and more. A separate entry on the site requested that Salesforce pay a ransom to prevent impacted customers (approximately 1 billion records containing personal information) from being released. The group set an October 10 deadline for Salesforce to pay the ransom, or for potentially affected companies to contact the group to secure their data. Salesforce refused to negotiate with the threat actors, believing their threats were unsubstantiated and offered support to any of their affected clients.

While the group had threatened to release all information if their demands were not met, eventually they only leaked data from six companies. The victims included Albertsons, Engie Resources, Fujifilm, Gap, Qantas, and Vietnam Airlines. Qantas and Vietnam Airlines each had more than five million customer records exposed.

The automobile manufacturer, Jaguar Land Rover (JLC), disclosed in September 2025 that they had been victim to a cyberattack that “severely disrupted production activities”. The attack began on August 31 leading JLC to halt production the following day, and by September 22 the disruption had forced a complete shutdown of its production lines for three weeks, with employees instructed to remain at home.

The threat actor Scattered Lapsus$ Hunters (SLH) took responsibly for the attack via a Telegram channel. JLC has not released details on how the information was compromised, but SLH has typically used social engineering campaigns to attack its victims.

The type of extortion used by SLH has not been released to the public but eventually the UK Government had to step in and loan JLR £1.5 billion. Without the loan, the government claimed that people will be “laid off in the thousands”. Based on the latest financial results released by JLR, the cyberattack had a substantial impact on its profitability. The company reported a loss before tax and exceptional items of £485 million in Q2 and £134 million for the first half, compared with profits of £398 million and £1.1 billion, respectively, during the same period last year. The government later referenced the attack and loan when outlining reasons for the country’s weak GDP in Q3 2025.

Corporate executives experienced an extortion campaign following Oracle E-Business Suite’s (EBS) data breach. The ransomware group Clop sent emails to multiple executives claiming their data was stolen from Oracle’s EBS systems. In the email the group claims they successfully infiltrated the system and exfiltrated sensitive data. Their email begins with a blunt introduction, identifying themselves and suggesting the victim verify their reputation online.

The group goes on to state that they have copied “a lot of documents,” including private files and other confidential information, which they now claim to control. Rather than focusing on system disruption alone, the attackers emphasize data possession. The threat escalates if payment is refused. The group warns that stolen data will be distributed, either sold to other malicious actors or publicly released through their own channels, including blogs and torrent platforms. This dual-threat approach (financial loss combined with reputational damage) is a hallmark of modern ransomware campaigns.

Organizations affected by the attacks included Logitech, Harvard, Envoy Air, the United Kingdom’s National Health Service and The Washington Post. Clop is known for carrying out large-scale, carefully coordinated extortion campaigns that target organizations across multiple industries and regions, aiming to exploit vulnerabilities and extract data from many victims simultaneously rather than focusing on a single sector or location.

If your business was victim to a data breach or extortion incident, consider taking the following steps:

  1. Secure Operations
    Act quickly to contain the breach by securing systems, fixing vulnerabilities, locking affected physical areas, and mobilizing a response team with forensics, legal, and technical experts to investigate the cause and scope. Stop further data loss by taking affected equipment offline (without powering down), monitoring access points, replacing compromised systems if possible, and updating all credentials to prevent continued unauthorized access.
  2. Fix Vulnerabilities
    Work with forensic experts to assess the breach: check encryption, review backups and logs, identify who had and still has access, and limit it if unnecessary. Determine what data was compromised, how many people were affected, and whether you can contact them. Examine who (within and outside) your organization has access to information and examine if privileges need to be changed.
  3. Notify Appropriate Parties
    Determine legal requirements as some states have specific laws and regulations regarding who needs to be notified. Additionally, law enforcement can aid in the investigation process and should be notified shortly after initial discovery.

Curious how DarkOwl can help? Contact us.

Threat Actor Spotlight – Handala Hack Team

May 12, 2026

First appearing on the scene in December 2023, Handala Hack Team (Handala) established their presence as a pro-Palestinian hacktivist group via a Telegram channel and X account. The group described itself as a “small fighter of Hamas,” suggesting it was formed in response to the October 7 attacks that marked the start of the Israel–Hamas war. It was widely regarded as a front for Iran’s cyberwarfare operations and as one of several personas employed by the Iranian Ministry of Intelligence to claim responsibility for cyberattacks, a conclusion later confirmed by the Justice Department.

Early activity suggested the group primarily targeted the Israeli government and its citizens. Following Operation Epic Fury in February 2026, it carried out two significant attacks targeting the U.S.-affiliated Stryker medical manufacturer and FBI Director Kash Patel.

The first large scale attack by Handala targeted Israel’s Iron Dome. A high-level target for many hacktivist groups, Handala claimed to have successfully hacked into a “multi-purpose tactical radars company” – DRS RADA. The group shared several screenshots that appear to show internal system interfaces, along with evidence of defaced websites (specifically rada[.]com and rada[.]co[.]il). They also issued a threat to release up to 2 terabytes of data. At first glance, this suggested a potentially serious breach. However, a closer look revealed some important gaps. The official website for DRS RADA (drsrada.com) was not on the list of domains that were defaced. No actual data leaks or downloadable files were made available to support the claim of a large-scale exfiltration leaving researchers with questions of the groups claims to be “taken seriously”.

In 2024, the group also shifted its focus toward disrupting infrastructure targeting Israeli civilians. Using a spear-phishing tactic, residents of the Ma’ala Yosef Regional Council received text messages that appeared to come from the MyCity mobile app, a crisis management platform used by local authorities. The messages urged recipients to click a link and download an application which raised concerns about a targeted attempt to compromise personal devices. In the same month, Handala reportedly carried out a ransomware attack against Ma’agan Michael Kibbutz, exfiltrating approximately 22GB of data and sending more than 5,000 warning text messages. The ransom note included criticism of both the kibbutz and Israel, underscoring the group’s political motivations. Ma’agan Michael is widely regarded as one of the largest and most financially successful kibbutzim in Israel, making it a high-profile target.

On March 11, 2026, Handala claimed to have wiped tens of thousands of systems and servers belonging to medical technology company, Stryker. In a statement Handala stated “over 200,000 systems, servers, and mobile devices have been wiped and 50 terabytes of critical data have been extracted,”. The attack allegedly forced offices in 79 countries to shut down. The group did not give details on logistics but declared it targeted the company in “retaliation for the brutal attack on the Minab school” as well as the companies alleged “Zionist” ties. According to media outlets, a Stryker spokesperson announced, “We are currently experiencing a global network disruption affecting the Windows environment.” Originally it was assumed the group used wiper malware but following an investigation Stryker claimed no malware or ransomware was found on their systems.  

Following this attack, the Justice Department officially confirmed the connection between Handala and Iran’s Ministry of Intelligence and Security (MOIS).  According to the department, the MOIS used the Handala-hack[.]to domain to carry out the Stryker attack. This led to seizure of four domains used by the group (Justicehomeland[.]org, Handala-Hack[.]to, Karmabelow80[.]org, and Handala-Redwanted[.]to).

On March 27, Handala claimed it had breached the personal email account of FBI Director Kash Patel: “All personal and confidential email of Kash Patel, including emails, conversations, documents, and even classified files, is now available for public download.” Watermarked personal photos and documents were subsequently released, including email correspondence from Director Patel’s time prior to assuming the role.

The attack appeared to be carried out in retaliation for the FBI’s seizure of Handala-linked domains after its earlier cyberattack on medical technology company Stryker. In their statement regarding the breach of Director Patel’s personal email account, the FBI reiterated that the Department of State’s Rewards for Justice program is offering up to $10 million “for information leading to the identification of the Handala Hack Team out of Iran.” The seized information appeared to be historical, and the FBI claimed that no government information was acquired or breached.

Handala’s operations are less about flashy, cutting-edge exploits and more about what works. As seen in their claims regarding the attack on Israel’s Iron Dome, the group appears to have overstated its impact to project capabilities beyond what it actually achieved. This pattern is consistent with broader hacktivist behavior, where exaggerated claims and unverified assertions are used to amplify perceived effectiveness. Similar tactics have been observed among pro-Iranian groups such as Ababil of Minab and APT Iran, both have blended propaganda with cyber operations.

The group blends destructive malware with social engineering and practical intrusion techniques, creating a toolkit that’s both effective and adaptable. Instead of chasing novel vulnerabilities, they rely on a mix of commercially available tools, custom-built payloads, and “living-off-the-land” methods, leveraging legitimate system features to stay under the radar.

This pragmatic approach gives them a high degree of flexibility. They can quickly adjust tactics depending on the target while still achieving their core objective: disruption. As evidenced by their spear-phishing campaigns, the group has reached hundreds of thousands of individuals but achieved minimal success beyond the initial contact stage. Just as importantly, their campaigns are designed to have a psychological edge, amplifying the impact beyond the immediate technical damage.

The activities attributed to the Handala Hack Team highlight the evolving nature of modern cyber warfare. Operating under the appearance of grassroots hacktivism, the group has been linked to actions that blur the line between data theft, psychological pressure, and disruptive digital attacks. Their operations ranging from wiping large numbers of corporate devices to exposing personal information of individuals tied to defense and security sectors. All designed to create both reputational damage and operational disruption.

As geopolitical tensions increasingly extend into cyberspace the broader message is difficult to ignore, digital infrastructure and personal data are becoming central targets. Whether the target is a corporation, a government-affiliated organization, or a high-profile individual, the boundary between physical and digital conflict continues to erode. As the war with Iran persists Handala will remain an active threat.


Check out our recent blog on Handala’s rebrand and target expansion.

[Webinar Transcription] DarkOwl and Carahsoft – Darknet Investigations for Government

Recorded April 23, 2026

During this webinar, Jennifer Ewbank, DarkOwl Board Director and Former Deputy Director of CIA for Digital Innovation, and DarkOwl’s Chief Business Officer, Alison Halland, explore darknet data’s threat-intelligence capabilities across government and enterprise environments.

In this interview-based session, attendees gained:

  • A forward-looking view of how regulatory frameworks and intelligence practices will reshape cyber-defense requirements over the next decade.
  • First-hand perspective on how darknet intelligence informs national-level investigations.
  • Deep insight into criminal ecosystem behaviors and the evolving tactics threat actors rely on within anonymous networks.

NOTE: Some content has been edited for length and clarity.


Jennifer – I’ve really been looking forward to this conversation with Alison and great to have all of you who’ve dialed in and welcome to those who watch later in recorded version. To kick us off, I just wanted to observe that I think most people think of the dark web as a place where criminals and conspiracy theorists gather – and I suppose that’s true. But the real story is maybe a bit more interesting and the reason we’re here today is that there’s a bit more utility in it all as well.

So today, we want to pull back the curtain a bit on what’s actually there in the darknet, how serious investigators are using information that is collected there, and why increasingly it matters to all sorts of organizations that may really think that this dark corner of the internet has nothing to do with them.  It probably does.  So Alison Halland is Chief Business Officer of DarkOwl.

DarkOwl is a fantastic company that maintains the world’s largest commercially available index of darknet content. They turn it into insights and intelligence for governments and enterprises and others who track these things.  So, this hour together is a conversation. It’s not a lecture. Please do pop your questions into the chat. We want to know what’s of interest to you, what catches your attention. 

So with that preamble, we’re going to turn to a question to kick it off.  And really, maybe we should start at the beginning because not everyone spends a lot of time studying the dark web.  So, let’s start with the basics, Alison. When we say darknet or dark web, what are we actually talking about? And how does DarkOwl collect from that hidden corner of the online world? 

Alison – Yeah, thank you, Jennifer. And a big thank you to Jennifer, who has been so helpful as a board member to DarkOwl and helped us steer both our collection and our product in a way that’s going to help folks conduct these investigations. So, this slide in the background summarizes where DarkOwl collects data from.

So, Jennifer’s direct question was, what is the darknet? And interestingly, we’re in a space where I’m not entirely sure there’s consensus on that. I would say most people would agree that Tor is kind of the tried-and-true darknet source. However, DarkOwl’s take is if there are conversations or criminal activity or, you know, interesting back and forth going on, that is an area that we want to collect from.

So, our definition of dark web and dark web adjacent is sometimes broader than some others in the space. I would directly point to this lower right-hand corner, our direct messaging platform collection.  There is no doubt that Telegram is our most requested data source today. Just given that community, what they the talking about, the transient nature of it.

We also get a lot of requests for our marketplace and forum data. That I would definitely highlight as well as an area that, historically, we have a strong collect here – part of that is a reflection of our history and some of the personas that we’ve honed over the years. This is quite frankly a difficult, meaning time consuming, expensive place to collect from. It takes a manual work at the onset. Sometimes other providers will defer away from this area, whereas DarkOwl has traditionally hung our hat on really making sure that we have collected from those forums and marketplaces to make sure that we can illuminate that space for the folks coming in and doing investigations. 

Jennifer – Great. Well, thank you so much.

Back where I started, I think most people I talked to about the dark web assume that it’s largely going to be drug dealers and ransomware gangs who operate there. And they do, don’t get me wrong. But is that still really the reality or has this changed in recent years? And what does it look like today? 

Alison – It is absolutely an ever-changing ecosystem. The groups and categories you just described flourish in the space, but so do a lot of others. One great example is when people think of dark web marketplaces, they immediately go to narcotics – and narcotics is the most reflected marketplace listing by category in our dataset. However, at least at my time at DarkOwl, the range in what people are selling has grown exponentially. So, you can buy anything from someone’s AWS keys to, I mean, it’s just exploded in terms of what’s being listed there. So, Jennifer, I do think you’re correct that people tend to have a pretty narrow view, but there are so many uses for this data, both on the government and commercial side in terms of understanding how the criminals are acting in this environment. I’m sure there’s folks on this call that have a ton of experience in this space. 

And as everyone knows, 2025 was a pretty big year of upheaval for the dark web and, you know, this ecosystem in regards to just so many changes. I mean, when the XSS forum got taken down by Europol, I mean, people don’t just give up – they then move to a different platform, a different forum. There are so many conversations happening in the background at DarkOwl around where are we collecting from next? Are we try to move to the next platform or the next Telegram channel and understanding what those flows and data movements look like is extremely important, as you know, from your previous work, Jennifer.

Jennifer – That’s so true. I just think that the diversity of activity that’s represented on the dark web these days is really noteworthy. I imagine there are those who maybe aren’t as familiar who’d be surprised by some of the entities that are that are operating there, and what they try to do. It’s everything as we’ve said from the criminals to, you know, hacktivists, to you name it, all sorts of bad guys.

Alison – And it’s reflective of like real world events too. When the conflict broke out in Iran, within three or four days DarkOwl added about 140 Telegram channels to our collection. These were either channels that had just sprung up or had kind of recategorized their their purpose and they were reflective of both sides of the war and obviously those are conversations that are pretty pertinent to a lot of use cases. 

Jennifer – And you mentioned, you didn’t use this word but how sites come and go, right and this almost is ephemeral nature where they’re moving targets is is that the reality these days to you know authorities kind of glom on to some sort of criminal activity and then they what rebrand move. How do you track that? 

Alison – And part of that is we try and be a member of that community so that we understand where things are going, but that is that is absolutely the reality – everything is shifting and changing. Some of these marketplaces will gain a huge following, a huge transaction volume and then overnight they’ll be an exit scam and and those you know that entire marketplaces is gone and those sellers are trying to relocate and a lot of that conversation on where to go, what to do, happens in some of the areas that we’re collecting from. So, we try and be a part of that and follow right along.

Jennifer – I think that’s where your tradecraft and your history really come into play, where you’re able to maintain that collection over time and the insights derived from it. One little kind of asterisk I’ll put on the conversation about what’s out there is just to highlight for folks how the marketplace on the dark web for deep fakes and synthetic personas has just exploded in the last couple of years along with technology developments that make it much more achievable, easily so and less expensive to create fake personas, face images, faces, voices, you name it, entire video packages that you can purchase in an online marketplace just as if it were a regular online store with customer reviews and money back guarantees and all of that kind of stuff. I say that kind of funny way but the reality is pretty grim – how easily one can acquire really sophisticated tools that can defraud a financial entity that can defraud people and then there’s a whole scope of just really personal tragedy out there with non-consensual intimate imagery which is for sale on the dark web. So, lots of things happening there, very little of it good. 

Alison – And like the speed of creation with AI on the table is so much faster and you know I think a lot of times folks kind of giggle at the fact that some of the same, all the same marketplace dynamics, are in place like especially in a criminal environment where the only thing you can hang your hat on is you know your reviews or your reputation. So, everything matters in the same way it does if you were transacting legal goods: reviews, reputation, all of that’s really important, so we see a lot of that in terms of how vendors are trying to promote their listings. 

Jennifer – Crazy. So, when I was still in government, of course we looked across all these various open source areas as a place where we’re just trying to find some kind of signal in all of that volume of noise, right. We used to talk about a tsunami of data out there and really just trying to figure out what is happening how can you derive insights that are helpful. In the commercial world, of course I see that now every day with companies I’m working with. The thing about the darknet data that I found interesting and that I still find really interesting is just how much, and you’ve touched on this, how much behavioral insight is there, like how do organizations form, how do they operate, how do their businesses operate, and all of that goes far beyond just “hey I’m selling this illegal product.” So, the collection posture I think is really important here and DarkOwl has done a really fantastic job of maintaining those insights. 

Let’s go just a bit deeper and think about how darknet intelligence works in practice right. So, you’ve defined what it is given us some examples of the kinds of information that’s out there, the kinds of actors who operate there. I want to think about how the data actually get used – how does darknet intelligence contribute to open-source intelligence investigations and, maybe for me and for all of those who’ve signed in, can you walk us through what an analyst is doing when they’re looking for this information and analyzing it?

Alison – I think a pretty typical workflow is coming into the darknet data set with some sort of indicator or an entity. So, trying to identify a person of interest that may be behind and they may come into that investigation having gotten a username off of traditional social media or an email address from a data leak and then taking that breadcrumb and putting it into the DarkOwl dataset can often be the puzzle piece that’s missing. A lot of the investigations previously, 10-15 years ago, weren’t including this dataset. I think given the structure of the dark web and the fact that folks know that there is some obfuscation happening and that their identity is somewhat protected I think oftentimes they’re a little more loose on what on what they’re sharing or or presenting.

Coming into the dataset with let’s say it’s a username, J EWBANK, and then you pop that into the DarkOwl data and lo and behold there’s a vendor on a marketplace that goes by that same name, or an iteration on it, or there happens to be a Telegram channel that’s focusing on extremism and has a user in there with a similar name and now all of a sudden you have a user ID and you can pivot from there. So, oftentimes it’s coming into the data with an entity and then grabbing one more that you didn’t have previously and either taking that through a different dataset or continuing to follow those breadcrumbs within our data and finding additional pieces of information. There is a whole, especially with the onset of AI and looking at bigger datasets more quickly, there is a whole workflow here around just like migration in conversations and movement and you know obviously there’s not a geolocation ability within our dataset in the traditional fashion but you can do a lot through language detection and you know a lot of other techniques as well to figure out where people might be physically located. 

Jennifer – Thank you. You may have already alluded to this, but I think of the darknet as this kind of you know, as this cavernous area with little corners and dark rooms and alleys, and bad dudes and vendors hiding there in the shadows, but is there a particular corner these days somewhere out in there in the darknet that you’re finding particularly productive in terms of supporting investigative activities?

Alison – Yeah, I would point right back to Telegram. That’s just become such a critical collection target for us and we’ve seen a growth in just in terms of volume around records that are being collected. We also interestingly, I will say that, oftentimes a prospect will ask you know how many Telegram channels do you have and my response is often it’s it’s not so much the quantity but the quality because there are groups being stood up for you know non-criminal reasons and making sure that you have eyes on the subset that you’re interested in can be crucial because there is a lot of noise. So, I would point to Telegram absolutely and some of the techniques that we’re using to try and get into those channels. You know these are workflows that can be cumbersome if you’re trying to do it in a manual fashion one-off versus we’re trying to aggregate and use some of those skills so that we can park all that data in a central location and people can query across all different channels versus having to do that in a one-off basis. 

Jennifer – That makes a lot of sense, that’s really where I think expertise comes into play because you could see where somebody might just think it might want to have access to like I want them all that that’s not necessarily going to be helpful I think you can be overwhelmed that way – so the quality of the data is always critical.

A related question – the way you’ve described Telegram, it almost seems to me like it’s now serving as different, let’s say different layers of this ecosystem, right accomplishing different things. It used to be just you know hey we’re going to communicate in something that’s relatively private. So, is it a place where for example, when a site goes down, do people kind of bump to Telegram for a while? Is it a place where you see indicators of bad actors planning, and of course it’s a marketplace too, but like do you think of it in that way? Do you think of it as as layers or different functions, or is it just the case that, and this is powerful, but with your collection you can kind of accomplish all of that and you just make sure you’re focused on the high quality data?

Alison – No, I think there’s definitely categories that emerge across it. The three that jump to mind that I know our analysts talk about a lot is the signal layers, so around people signaling hey we are going to do this or have some sort of action, and then there’s definitely a migration layer, when marketplaces go down or forums you know where are we moving what like that becomes the communication channel on you know where are we gonna migrate, and then like you said there is a whole I think of Telegram outside of the dark camp marketplaces, but I probably shouldn’t. There’s so much transaction happening in Telegram channels as well where the sole purpose is to sell in a marketplace fashion, whether it’s, you know, stealer logs or narcotics.  So, I would say those three, the signal layer, the migration layer, and then also the marketplace layer would be the three, I think my analysts would highlight. 

Jennifer – It’s fascinating because there’s so many different paths that an investigation could take.  And I think of the signal layer as being kind of an almost an intelligence layer where you can see what will happen in a sense, right?  I think a migration, as an investigative layer, like what’s happening now and the marketplace layer could probably be a forensic layer later. I mean, there are lots of different uses, but I think about them also in a temporal fashion like how do you lay that out across an investigation.

So anyways, fascinating stuff. Let’s go back to the marketplace topic where we kind of landed. And I know that you and your team mentioned to me that you’ve expanded your dark web marketplace collection pretty significantly and you have a new capability that you’re calling ‘Darkmart’, if I’m not mistaken. I’m wondering if you can, oh, there it is.  If you can give us a sense of kind of what that is and more importantly for those who are thinking about how open-source intelligence can support investigations, what does this kind of data tell you? What does it reveal? 

Alison – We did do a big revamp to our Darknet Marketplace Content, and what I mean by that is our collection was always strong in these areas, but the structure behind the data made the workflows somewhat manual and challenging to say, okay, well, I’m interested in this vendor on this one marketplace. So, what are the first 10 questions you want to ask? Like, well, what other markets are they on? What country do they ship from? What category are they? Do they have listings in? So we have taken all that data on our historical collect and put a lot more structure around it.

There’s an oversight view that I think has been, and this was from direct feedback from our users that has been really powerful in our launch of ‘DarkMart’, which is our word for these darknet marketplaces.  And to your direct question, doing these investigations in lieu of the structure was a time consuming process. So, now if you just look at some and choose any one bullet on here, just the ability to sort and sift through all of this marketplace data is a lot easier and more compelling.  And what we heard from some of our government clients is there are use cases you could be at, you know, be on the drug enforcement side of the house and you’re specifically tasked with a specific drug versus you could be someone who’s law enforcement in a small five eyes country that’s just trying to view what’s being sold coming out of their country. And those exact asks pre-structuring were hard to discern, whereas now with the marketplace data restructured within DarkOwl, you can do that much more quickly. I could even jump in and show an example of that. But the ability to sort and sift through this has just become so much easier with our new ‘DarkMart’ release. 

Jennifer – Well, that’s really powerful, as you say, without structure around the data, you have a richness, the riches of all the collection, but without the ability to gain the insight and I think, or at least not to do it conveniently, and if you’re not an expert, right, you’re, your analysts are all experts can do that, not every company, every entity, every government agency has people who are deeply experienced in that. So, having an interface to help you get there is really important.

Here’s a funny question because people talk about the dark web and the marketplace and such, what did the listings contain? Like, what does that look like?  And, and then maybe pivot off that, it’ll become obvious, but how does an investigator use that data? 

Alison – So I’m now in our platform right now. So, this is a live view into just the subset of our data that we call ‘DarkMart’. So, we have about half a million listings showing up right now and you can see that we have 83 markets that we’re now capturing in this new structured format. We still have a lot of markets that we’re moving over into this. It’s definitely an evolution. But for instance, if you wanted to just come in and see, you know, you were interested in what category and I mentioned earlier, like most of the listings are in narcotics, but I think all these other subsets are definitely growing in quantity as well.

But let’s see, let’s pop into one market.  So, this marketplace, Prime, has categories and vendors selling across all different subsets. So, to answer your direct question, you know, what do the actual listings look like? So, let’s actually wanted to pull up a more expensive one. So, here we have someone. So this, this is a good representation of how we’ve restructured this data.

So, within two clicks, we’re able to see, okay, here’s a vendor that goes by this username. And they were first seen on January 8th of this year. They last changed their listing a couple of weeks ago. And this is what they claim to have the, some source code for Bitcoin. They have a listing. You can contact them.  Let’s do business. Not business. So this, this would be pretty typical of a listing. There are also some that contain reviews and we always capture what currencies they’re operating in. So, as we think about this from like a country standpoint, in terms of, what people’s mission is this can be helpful as well. 

Jennifer – It’s literally vendor drugs for cheap.

Alison – Yeah. You can also go out into the live market and see what imagery vendors are presenting and what categories are growing. And I think this speaks back to your earlier, kind of that signals layer around, you know, what categories are growing from a marketplace standpoint, which would point to, you know, going back to those items and being like, what are we doing from a protection standpoint that we’re missing if these are so easily fraudulently being sold? 

Jennifer – I think that’s another benefit of the restructuring of the data and the interface for users is to get a sense of where the trend lines are and get that insight earlier in the cycle so that you, whatever your role might be somewhere, you can really start planning for it. 

Alison – In pretty short order, you can see the use cases both across government and commercial in terms of just what these listings look like. And as you mentioned earlier, and, you know, I won’t spend the time digging through a lot of these, but you can pretty quickly find someone for very cheap selling, you know, deep fakes, like you said, or access and all of these vendors are starting to specialize just like we do in industrial economy. So, that time to execute is so much shorter. 

Jennifer – Crazy. So, you mentioned earlier, I can’t remember the name of the vendor you mentioned, but you mentioned one of the big ones that was taken down in ’25. And so what happens when a major vendor does get taken down? I mean, I assume they pop up again somewhere else, but what do you see? What’s the normal pattern there?

Alison – Yeah. I just clicked on one of our vendors that we have in our marketplace. You can see that this vendor is, we believe, is active on 25 different markets. And you can see the number of listings as well. So, you know, the hypothesis there under the scenario you just described would be that if any one of these markets was either taken down by law enforcement or had a exit scam that those listings would migrate somewhere else. So, with this new restructuring, that is something we can absolutely track as things ebb and flow. And you can do it both at the vendor level. We’ve also had some of the shipping companies ask us to do it across and we have an awesome blog on our site around what is the preferred shipping method for criminals, which if you are, you know, working at one of those companies, whether it’s government backed or commercial, understanding why you’re being selected to ship those drugs versus someone else is important. The aggregation of this data can be really powerful and is something you can do today that wasn’t as easy prior to our data restructuring.

Jennifer – That’s awesome. It’s both scary but also really fantastic that the capability exists and that there are smart people working on all this stuff. I think also passing earlier, you mentioned Infostealer, kind of malware and it’s one of the big stories in cybersecurity is really the explosion in this kind of malware. I’m wondering, could you maybe spend a moment and let our colleagues online here understand what is DarkOwl seeing on the dark website of all of that dynamic? 

Alison – Yeah, absolutely. I mean, the number we are asked about Infostealer logs on multiple times a day and that is an emerging space. I have some stats written down here that Infostealer has infected over 11 million machines in 2025, estimate that it produced about 3 billion stolen credentials.  And that’s such a easy way for people to transact and probably the most traded commodity on the darknet. And the thing about the Stealer logs is they can bypass MFA entirely. I think there’s a lot of movement happening around people trying to protect against that. But in the meantime, the understanding that data is out there is very timely because they can be exploited almost instantaneously. So yes, Infostealers is a huge category. And I don’t see that decreasing. If anything, I think it will continue to grow and grow as people move away from traditional passwords. 

Jennifer – Yeah, I think the credential side is where a lot of the action is. And is, so, you know, everything is as a service these days? So, is this an area as well?  Have they jumped on the bandwagon? Is it malware as a service and all that? 

Alison – Yeah. I don’t have it handy right here, but there’s malware as a service subscriptions that start as low as $30 a month. So yeah, the specialization and the execution and frankly the price is coming down precipitously. 

Jennifer – You see that I think across all of these, let’s just say more nefarious corners of the web where the “as a service” is exploding. You’ve had ransomware as a service. Now malware as a service, specifically credentials, deep fakes as a service. Everything’s a service these days. Even criminals are innovating, right? 

Alison – Yeah.  There’s, I mean, we have one of, I would say probably one of our most frequently visited, or some of our most frequently looked at telegram channels are those that are selling, stealer log subscriptions. And you and I in preparation for this call, were talking about how as recently as January, there was a researcher that discovered that database containing like 150 million login password pairs.  And they think it was compiled entirely from Infostealer operations. So, that gives you a sense for the scale.

Jennifer – So I, you know, intuitively, I gather that there’s a specific connection here in the supply chain for ransomware.  And I’m wondering, you know, what, what does that supply chain look like for, for bad actors in the ransomware, ransomware world?  Say that three times fast. 

Alison – Yeah, in the same way that all the market dynamics work on the customer service side, you know, the same exists from a supply chain standpoint.  think a pretty typical supply chain workflow would be that the infostealer harvest, like they grab the credentials, then the initial access broker would like package those up and sell them on a marketplace or on one of those telegram channels. And then the ransomware operators buy those, that access. And then they get in and grab the files and then, you know, approach company and say, yeah, here’s what I have and, and pay the ransomware. So, it’s definitely, and we talked about this earlier, the specialization is happening in the same way it’s happening for all of us on the right side of the fence. 

Jennifer – Yeah, exactly. Thank you.

Like all things, I have to assume that the dramatic improvements in generative AI are having a big impact in this area. Is that correct?  I mean, is that accurate to assume that AI is also fueling this pipeline? 

Alison – Yes, absolutely. And you know, they also have the advantage of not having to ensure that those AI deployments are being done in an ethical or safe or sort of consumer-friendly way. So, some would argue that, that speed of adoption is even faster in this ecosystem. 

Jennifer – Let’s scope out a little bit, zoom out. Around the world, we’re seeing a lot of interest in regulatory action around the space. Leak, you know, legislation, like Europe’s been very active in these, these related categories with all sorts of protections on data and the models that are used for AI and lots of other things. And in here in the States, of course, the SEC has its own filing requirements for those who will fall prey to ransomware and other cyberattacks. But I’m just wondering if one does agree that there’s an upsurge, uptick in interest in regulatory and legislative actions in this space. Does that change the calculus for companies, organizations, government agencies and departments on the kinds of intelligence or insights that they would want to collect from the darknet? 

Alison – I think there’s a shift happening or it’s already happened from a reactive to more of a proactive intelligence posture. I’m going to date myself a little bit, but I’ve been at DarkOwl coming up on either 10 or 11 years, and I remember one of the first demos I ever did was with a CISO and, and she said to me, I don’t think I want to know if the information’s out there.  And, you know, I think that was, knowing was not, knowledge was not power at that time. That was potentially, oh, no, we haven’t done our job as an organization, or we haven’t protected our information. Whereas in today’s world, you can just walk the floors of any cyber conference, the number of TPRM and third-party risk management providers has skyrocketed. So, the responsibility and the onus to know not only what’s out there, but how it got out there, and have that proactive angle of like, I’m hiring a vendor in this category.  You know, are they reputable?  Do they have exposure is becoming the norm? Compared to what it was previously. 

Jennifer – Now, that makes a lot of sense. Ultimately, it just seems wherever one is in this ecosystem on the right side of the fence, as you say, your ultimate goal is to collapse the timeline between exposure of data and vulnerability, and the bad actor’s ability to use it against you. And having that insight, particularly from deep collection and kind of an interface and analytic framework around it would be super helpful. And unlike the CISO that you met years ago, I think more and more CISOs and cyber defenders today are eager to get those insights so that they can be prepared before the bad day happens. That makes me think though, because you mentioned the CISO and others working in cyber defense and risk. Is there something about the darknet threat landscape that you think they consistently or that many consistently underestimate? 

Alison – Um, yeah.

Jennifer – You know, some key aspect of it, you wish people would understand better or maybe they just don’t have the insight yet. 

Alison – It’s that the old methodology is we just need to kind of protect our own four walls, batten down the hatches and whatever’s happening outside is not telling or informative. And that is not the case. The darknet can be very much a leading indicator of what that exposure looks like, where those vectors of attack might be coming from. Demonstrating and making sure that people have visibility is extremely important, not just that they responded correctly to an attack. 

Jennifer – And attacks are far more, intrusions are far more, sophisticated and subtle and multi-layered than they were even just a few years ago and I think understanding the threat environment and the threat environment around all of your partners and vendors and anything in your supply chain is really critical because you’re only as secure as the weakest link in that chain.

Alison – Yeah, not only like the weakest link, but the speed at which that stolen data moves from exposed to exploitation is fast.

Jennifer – That timeline is collapsing pretty dramatically. I think if you go back just a few years when a vulnerability was identified and publicized in order to get patches, you had time, right? Today that timeline is really collapsed with the power of AI and how bad dudes can manipulate that to get an exploit out of a vulnerability through reverse engineering. It’s really, really rapid.

So lots of value out there in this kind of information. And I think really relevant to investigators and analysts across a broad range of functions. So, we’ll turn to our friends and colleagues who’ve dialed in in a moment, but maybe last kind of question forward-looking, right?  So, let’s look out over the next couple of years and if you had to, your crystal ball, how does that threat landscape evolve? And as we’ve touched on once or twice already, how does AI fit into that picture?  Both for, let’s say the threat actors who are out there, how is it gonna help them?  But also for defenders because we want to defend.

Alison – My short answer would be that this category of data will continue to be a very integral part of investigations. I think historically has been either overlooked or bypassed because it was hard to aggregate and look through this data alongside other data, but that’s where AI is gonna be so powerful in that respect. Do I think if we did the same webinar five years from now that Telegram would be where everyone was communicating? Probably not. I think that where all that happens, I think we’ll continue to flux, but there will, I don’t see any scenario where this data isn’t an important piece of the puzzle. And I think looking at the bigger puzzle is a much easier task with some of the amazing developments that are happening in AI, so that organizations like the one you work for aren’t that timeline to figuring out or getting some intelligence that could lead to an action or investigation should be shorter as well, not just the criminals are gonna benefit from AI. 

Jennifer – Yeah, thank you.  We don’t want them to benefit but the defenders need to benefit. So, we’ve spent about 45 minutes and we’ll turn to questions here in a moment, but if let’s just say it for the folks who’ve dialed in and maybe later for those who watch on the platform, is there something you think that someone should go do? Like if they return to the office, is there something that they might take away from this conversation? Is there an action that would be helpful for them?

Alison – The low hanging fruit is out there. Go get a dark web risk assessment done, understand what information both of your own as an individual or your organizations is out there. And that will give a lot of insight into where, I think that would be the one task I would do in short order. And then if there are folks on the phone that are doing investigations in this space, I would just think about time and energy spent having someone who can aggregate this information and make it searchable and queryable is gonna be a good use of that skill set so that those analysts continue to connect the dots but aren’t spending 20 minutes waiting for a tor page to load.

Jennifer – Yeah, exactly. So, I wanna encourage anyone who’s on the call to drop a question in the chat.  I have it up on my screen here, we’ll watch for those.

You know, not every organization is big with a wealth of resources, right? And a lot of small organizations out there that might have more limited both capabilities due to fewer staff and resources in terms of money. But is there an entry point for smaller organizations when it comes to darknet data and intelligence? 

Alison – Absolutely, and oftentimes, from a just pure economic standpoint, the price point of a dedicated darknet tool for a smaller medium business might not be feasible but there is dark web data going into everything from larger thread intel platforms to MSSPs. I think we all know that those small and medium businesses are oftentimes the target just as much as the bigger ones, just given that actors know that they don’t have the security posture of a bigger firm. So, I do think there is, not only can this data help a small and medium business, but I think there are more ways for them to get that today given that this data is being fed through a lot of different layers, not just directly. 

Jennifer – Now, I think the vulnerability of small and medium size enterprises is really something that needs much more attention and I add into that group, charitable organizations, hospitals, schools, community colleges, lots of places that you wouldn’t think should be huge targets but they’re lucrative targets for the ransomware world because they’re often less defended and criminals go back there because they’re successful. So, a really important area, I think, for dark web data to help give insights into what the threat landscape reveals about their organizations. 

There are a lot of companies out there who offer a variety of different kind of threat intelligence insights.  And everyone’s kind of packaged differently, they do different things. Is there differentiation there? I mean, there are some big names out there that I won’t mention, but how in that environment are these capabilities differentiated or are they all the same?

Alison – No, they’re definitely not all the same and I think it comes down to, you know, depth of collection in any one area and the structure and usability of that data.  And there’s some, there are a lot of folks aggregating threat intel from all different data sources. I think DarkOwl, one of the reasons I love our mission is that we are so committed to staying focused on this space and continuing to provide compelling data. It comes off the dark web and not trying to spider into other areas. So, we’re often turned to fill that plug for other organizations. But yes, everyone has pros and cons. I mean, it’s a big Venn diagram and we’re a data provider and there’s gonna be overlap with others, but there’s oftentimes a delta between a lot of the different providers. 

Jennifer – Awesome.  I’m gonna ask maybe another question. While we wait to see if anybody has something that is burning in their minds. So, I don’t mean this one to sound like a challenge, right? But I’ve heard this question. So, you talked about personas and the collection and over time.  Are you ever asked about the legality of all of that? And I know more. 

Alison – Yes. All the time, oftentimes from people applying to jobs, how are you able to legally do this?  You know, we’re, I think the title of this webinar and the tech expo that we’re attending next week, it’s all around OSINT, open-source intelligence and DarkOwl skill resides on the fact that this data is hard to get to and it’s hard to find and it’s time consuming to get to. But at the end of the day, it is open-source information.  So, we are able to legally collect this because it’s defined as open source. It may be hard to get to.  You may have to create a login or become part of a community, but that’s the definition and we follow DOJ guidelines and we don’t purchase stolen data. We don’t go behind firewalls. So the data that we hold is ethically collected and considered open source. 

Jennifer – Great. I knew that, of course, being on the board. But I just wanted others who might have that question, because I’ve heard that question before too. So, I just wanted others to hear directly from you. 

And then maybe as a final question just because of the world I came from before coming into the private sector, my sense is that nation-state actors out there use a lot of the same darknet infrastructure as the criminals do. A, I guess, is that accurate? And B, are there areas where those two worlds overlap most directly? 

Alison – I mean, yes, in terms of targeting the US.  I was in preparation for this looking up some stats and IBM X-Force produced a report that said that North America is now the most attacked region for the first time in six years. So, from a nation-state perspective, there is no doubt that the targets on our back may be more so than ever an understanding that all of these ecosystems support those nation-state actors as well as the reality. 

Jennifer – I think that reflects a growing sense that I’ve had or insight that I had in government too.  But it’s clearer now that how a lot of these activities, these illicit activities against companies and organizations in the country really have a national security flavor to them these days and kind of teasing apart what is a national security threat, what is a commercial threat, what’s an economic threat.  These days, that’s harder and harder because it’s just, it’s all interconnected in a way that’s really powerful today.

So, I think we are nearing the end.  Maybe Allison, is there any last bit of advice or observation you want to offer for those who’ve dialed in? 

Alison – I do want to share with folks that we, DarkOwl, will be attending the OSINT Tech Expo next week, which is being hosted by Carisoft at their office in Reston, Virginia.  So, if anyone on the call is attending, and correct me here, Gabi I think if they’re a government employee, they’re able to attend either a free or at a reduced cost. But anyway, I just wanted to highlight that.  We will be attending.  And if any folks want to see the data set live, I’d be more than happy to do that for anyone. 

Jennifer – Well, that’d be fantastic. In the notes, I’m going to call an audible here and ask if maybe Gabi can help us in the notes afterwards just to make clear, to specify how people can look for that expo.  I see it’s on the screen here, but maybe in the notes later, it’ll be helpful as well.  OK, so I want to say thanks to Alison who sat here through an interrogation for almost an hour and answering question after question.  I really thank all of you as well who signed in to listen today and then welcome those who watch on the platform later.

And I should take a special note here as well for Carahsoft for hosting and organizing the webinar.  And if folks walk away with maybe one thing, there’s lots in what Alison had to say.  But I think for me, I would just note that the dark web is no longer, dark web data is no longer something just for a few specialized investigators. I think with the advent of new tools and ability to query and analyze the data, I think it becomes a much more useful capability for a broader range of folks in government and in industry.  And so it’s kind of your live feed, if you will, on how the criminal ecosystems are changing and how the threat landscape is changing.  And ultimately, whether you’re in government or industry, it should give you a better optic into how you protect yourself.  You monitor the threat landscape in order to protect yourself and your friends and allies. So, we will make sure that there are links to all the DarkOwl resources in the notes later.  And as Gabi said, if somebody has a question that didn’t get answered during the webinar, DarkOwl will be happy to answer it after.  And everyone hopes to see as many of you as possible at the OSINT Expo being hosted by Carahsoft at the end of the month.  So OK, I think with that, I’ll turn it over to you.

Alison – Thank you, Jennifer.  I just want to thank you personally.  You’ve been so helpful to DarkOwl and the pace at which you operate in a post-retirement state and amount of businesses and speaking engagements and you still have your finger on the pulse and I’m very grateful that you’re on our board.  So, thank you.

Jennifer – Oh, thank you.  It’s a pleasure, and you’ve got a great team.  Great team, great product. 


Questions? Contact Us.

Threat Intelligence RoundUp: April

May 04, 2026

Our analyst team shares a few articles each week in our email newsletter which goes every Thursday. Make sure to register! This blog highlights those articles in order of what was the most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. Iran-Linked Hackers Disrupt U.S. Critical Infrastructure by Targeting Internet-Exposed PLCs – The Hacker News

The Cybersecurity and Infrastructure Security Agency (CISA) announced advanced persistent threat (APT) actors are conducting “exploitation activity targeting internet-facing operational technology (OT) devices, including programmable logic controllers (PLCs) manufactured by Rockwell Automation/Allen-Bradley.“ Specifically, the activity has caused PLC disruptions across multiple U.S. critical infrastructure sectors through malicious project file interactions and manipulation of HMI and SCADA display data. These attacks have targeted Rockwell Automation and Allen-Bradley PLCs used in government facilities, water and wastewater systems, and the energy sector. Following initial access, the threat actors launch C2 using Dropbear, Secure Shell (SSH) software, on victim endpoints to enable remote access. Read full article.

2. FBI confirms hack of Director Patel’s personal email inbox – Bleeping Computer

On March 27, the Iranian hacking group Handala claimed it had breached the personal email account of FBI Director Kash Patel. “All personal and confidential email of Kash Patel, including emails, conversations, documents, and even classified files, is now available for public download” the group stated. Watermarked personal photos and documents were subsequently released, including email correspondence from Director Patel’s time prior to assuming the role. The attack was carried out in retaliation for the FBI’s seizure of Handala-linked domains after its earlier cyberattack on medical technology company Stryker. Article here.

The North Korean hacking group APT37 has been running a social engineering campaign on Facebook, using direct messages to build trust with targets before ultimately delivering the RokRAT malware. Using two separate accounts the threat actor employed a pretexting tactic, pretending to share encrypted PDF files with technical details about military weapons via Facebook Messenger or Telegram. They then convinced recipients to install a specialized PDF viewer in order to access the documents. The malware uses Zoho WorkDrive as a control server. This allows it to take screenshots, run commands remotely, gather information about the infected computer, and explore the system. It can also avoid being detected by security tools like Qihoo’s 360 Total Security while hiding its malicious activity within normal-looking traffic. Read more here.

Rockstar Games is the latest company reportedly targeted by the hacking group ShinyHunters, which has claimed responsibility for a recent data breach. The information was obtained following a security incident with Anodot, a data anomaly detection company. ShinyHunters discovered the information from “Snowflake environments using authentication tokens stolen during a recent Anodot security incident.” The group published over 70 million records from Rockstar Games data that included “in-game revenue and purchase metrics, player behavior tracking, and game economy data for Grand Theft Auto Online and Red Dead Online.” Read here.

5. Iran-Linked Password-Spraying Campaign Targets 300+ Israeli Microsoft 365 Organizations – The Hacker News

Check Point Researchers are tracking an ongoing password-spraying campaign that targets Microsoft 365 environments primarily in Israel and the UAE. The activity was carried out in three waves of attacks that took place throughout March 2026. The campaign unfolded in three distinct stages. It begins with aggressive scanning or password-spraying attacks launched from Tor exit nodes to identify vulnerable accounts. Once access is gained, attackers proceed with the login process, establishing a foothold in the system. In the final phase, they exfiltrate sensitive data, often including entire mailbox contents, completing the breach. Learn more.

6. Fake Ledger Live app on Apple’s App Store stole $9.5M in crypto – Bleeping Computer

A fake Ledger Live App, available via the Apple App Store, has stolen $9.5 million in cryptocurrency from 50 victims. The victims were tricked into entering their seed/recovery phrases into the app, giving attackers full access to their wallets and allowing them to spend digital assets. Investigators claim, “the attackers used several wallet addresses to receive funds across multiple chains, including Bitcoin, Ethereum, Tron, Solana, and Ripple.” The stolen accounts were laundered through 150 deposit addresses on KuCoin. The company announced the accounts were frozen until April 20. Read full article.

7. Lotus Wiper Malware Targets Venezuelan Energy Systems in Destructive Attack – The Hacker News

Lotus, a data-wiping malware, was uploaded to a publicly accessible platform in December 2025 and subsequently used in targeted attacks against energy and utilities organizations in Venezuela. Two batch scripts initiate the destructive phase of the attack and prepare the environment for execution of the final wiper payload. Upon execution, the wiper neutralizes recovery mechanisms, overwrites physical drive contents, and recursively deletes files across affected volumes, leaving systems nonfunctional. No embedded extortion or payment instructions are present, indicating a non-financial motive. Read full article.

8. Researchers Detect ZionSiphon Malware Targeting Israeli Water, Desalination OT Systems – The Hacker News

The malware, ZionSiphon, was designed to target Israeli water treatment and desalination systems. The virus was first discovered following the Twelve-Day War between Israel and Iran in June 2025. Once executed, ZionSiphon scans the local subnet for devices, attempts communication via Modbus, DNP3, and S7comm, and alters configuration parameters such as chlorine dosing and pressure. The Modbus attack path is the most developed, while DNP3 and S7comm components remain incomplete, suggesting ongoing development. It can also spread via removable media and will self-delete on systems that do not meet its targeting criteria. Numerous implementation flaws suggest the malware has either been prematurely deployed or still in a developmental stage. Learn more.


Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.

Evolving Threat Patterns: Handala’s Operational Shift and Ashab al-Yamin Amplification Across Telegram

April 29, 2026

Recent activity from Handala Hacking Team and Ashab al-Yamin highlights a growing overlap between cyber operations, influence campaigns, and real-world incidents. While these actors are not necessarily coordinated, their activity reflects similar patterns across Telegram and affiliated platforms, where claims, media, and narratives move quickly through a shared ecosystem.

Analysis for this report was conducted using DarkOwl Vision, leveraging keyword-based searches and targeted monitoring of Telegram channels to identify relevant activity and amplification patterns.

On April 26, 2026, the Handala hacking group announced a rebrand to The Handala Popular Resistance Front (HPR), signaling a potential shift in both branding and operational focus.

In the same announcement, the group claimed responsibility for an attack targeting an office allegedly linked to a company associated with the Shabak’s Iran Desk in Israel. The claim was posted twice to Handala’s official Telegram channel and included links to a bot designed to recruit potential insiders in Israel. This indicates a more deliberate effort to facilitate human-enabled access rather than relying solely on external cyber intrusion.

Figure 1: Handala Telegram Post + Insider Recruitment Bot

The content was rapidly reshared across affiliated Telegram channels, including accounts that have historically been aligned with Iranian Ministry of Intelligence messaging and insider recruitment advertisements:

  • Iranian Intelligence Voice (English)
  • Iranian Intelligence Voice (Arabic)
Figure 2: Resharing Across MOI/IRGC-Aligned Channels

This announcement followed a data leak released approximately 24 hours earlier across Handala-linked surface websites, including Handala-Hack and Handala-Redwanted. The leak allegedly exposed sensitive information tied to more than 100 Israeli personnel, including individuals allegedly associated with the IDF’s Maglan Unit, a specialized commando unit responsible for covert and high-risk operations.

Figures 3 & 4: Handala Leak Data / Maglan Unit Exposure

In a separate but related release on April 28, 2026, Handala also claimed to have exposed personal information tied to 2,379 U.S. Marines stationed in the Gulf region. The accompanying messaging emphasized surveillance capabilities, including identities, routines, and personal details, while framing the release as a limited demonstration of broader access. The tone of the post focused heavily on psychological pressure, warning of future escalation and reinforcing the perception of persistent monitoring.

While the veracity of these claims remains unconfirmed, the messaging reflects a clear expansion in targeting scope, extending beyond Israeli entities to include U.S. military personnel. This aligns with broader narrative patterns observed across Iran-aligned ecosystems, where exposure of personal data is used not only as proof of access, but as a mechanism for deterrence and intimidation.

Figure 5: Handala Claim of U.S. Marines Exposure

Handala’s recent activity shows a clear progression from leaking sensitive information to rapid amplification, to issuing targeting claims, and ultimately to encouraging insider recruitment. Recent claims involving the exposure of both Israeli and U.S. military personnel further suggest an expansion in targeting scope. This sequence reflects more than opportunistic hacktivism. It aligns with structured influence and access-enablement playbooks observed across Iran-aligned operations, where cyber activity is used to support both psychological pressure and real-world targeting narratives.

While direct command-and-control relationships remain unverified, the consistency in messaging, targeting focus, and amplification pathways suggests integration into a broader proxy-aligned ecosystem rather than isolated activity. Attribution across this ecosystem is intentionally diffuse, but the operational patterns remain consistent.

April 29, 2026 (0500 MST) – A knife attack in London was first reported via Telegram by the Al Faqaar channel as a text-only alert.

Al Faqaar functions similarly to established IRGC-aligned media outlets such as Sabereen News, acting as an early dissemination node for emerging incidents. As Ashab al-Yamin has moved away from centralized official channels, Al Faqaar increasingly operates as a primary publisher, often posting first and shaping how events are framed across the broader network.

Figure 6: Initial Al Faqaar Text Post

Following the initial alert, Al Faqaar published a series of updates between 0500 and 0830 MST, providing near real-time coverage of the incident, including developments related to the attack and the subsequent arrest.

Video of Knife Attack

Figure 7: Attack Footage

Video of Arrest by Police

Figure 8: Arrest Footage

Final Official Video Release

Figure 9: Branded Ashab/Al Faqaar Media Output

Notably, the messaging in the final video frames the attack as being carried out by “lone wolves,” introducing ambiguity in how the operation should be interpreted. This framing may suggest the attackers were self-directed individuals acting without direct operational control. However, the speed and structure of the subsequent media release and amplification indicate the incident was either anticipated or quickly incorporated into a broader narrative framework.

Rather than demonstrating direct coordination, the use of “lone wolf” language may reflect a deliberate strategy that allows groups to claim or amplify attacks while maintaining plausible deniability. In this model, the line between inspiration, opportunistic amplification, and operational involvement remains intentionally blurred.

Shortly after the release of the final video, the same content was reshared across at least 25 Telegram channels associated with the broader Islamic Resistance and Axis of Resistance ecosystem. In this instance, Al Faqaar appears to have served as the initial distribution point before wider propagation.

This activity reflects a decentralized dissemination model where speed, redundancy, and narrative control take priority over centralized branding. Channels such as Al Faqaar function as early distribution nodes within a wider media architecture that exhibits consistent coordination patterns without relying on a single authoritative source. The rapid propagation across aligned channels reinforces a pattern in which content origin is less important than how quickly it is amplified, enabling near real-time narrative shaping across a broader network of aligned actors.

  • Hybridization of Threat Activity: Handala’s evolution highlights the convergence of cyber operations, influence messaging, and physical-world targeting.
  • Escalation via Insider Recruitment: The use of Telegram bots to solicit insiders signals movement toward enabling real-world access.
  • Proxy-Aligned Propagation: Handala and Ashab-related content are consistently amplified through channels aligned with Iranian intelligence and proxy media ecosystems, even where formal attribution remains unclear.
  • Speed Over Attribution: Decentralized Telegram networks enable near real-time dissemination, allowing narrative shaping to outpace verification.
  • Structured Ambiguity: Attribution is deliberately obscured, but coordination patterns remain observable across platforms.

Follow along as we keep an eye on developments. Follow us on LinkedIn.

Understanding the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA)

April 28, 2026

The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) represents one of the most significant shifts in U.S. cybersecurity regulation in over a decade. Signed into law in March 2022, CIRCIA establishes mandatory cyber incident reporting requirements for organizations operating across all 16 critical infrastructure sectors. With CISA’s final rule expected in May 2026, the window for preparation is rapidly closing.

This blog explains what CIRCIA requires, which organizations are subject to compliance, and how DarkOwl’s dark web intelligence platform positions covered entities to meet their obligations proactively—before an incident ever occurs.

CIRCIA—the Cyber Incident Reporting for Critical Infrastructure Act of 2022—grants the Cybersecurity and Infrastructure Security Agency (CISA) authority to mandate reporting of cyber incidents and ransomware payments from owners and operators of critical infrastructure. The law tasks CISA with developing and enforcing a rulemaking process that creates standardized, time-sensitive reporting obligations across the private and public sectors.

Substantial Cyber Incidents: Covered entities must report significant cyber incidents to CISA within 72 hours of reasonably believing an incident has occurred.

Ransomware Payments: Any ransomware payment made by a covered entity must be reported to CISA within 24 hours of the payment being made.

These requirements are not merely informational. Organizations must demonstrate that they have the infrastructure and processes in place to detect incidents, assess their significance, and report within these tight windows. Failure to report carries legal consequences, including subpoena authority granted to CISA.

CISA estimates that approximately 300,000 entities will be subject to CIRCIA’s reporting requirements once the final rule takes effect. Coverage spans all 16 critical infrastructure sectors designated by the Department of Homeland Security:

The final rule will define specific thresholds and criteria for which organizations within each sector qualify as “covered entities.” Based on the NPRM and public comments, covered entities are expected to include:

Importantly, covered entity status is not limited to large enterprises. The breadth of the estimated 300,000-entity scope reflects CISA’s intent to create comprehensive visibility across the critical infrastructure ecosystem, from utilities and hospitals to transportation networks and financial institutions.

CIRCIA’s reporting obligations create a fundamental challenge: organizations cannot report what they cannot detect. The 72-hour window for substantial cyber incidents and the 24-hour window for ransomware payments demand that covered entities have continuous, proactive threat detection capabilities—not reactive, post-breach discovery processes.

DarkOwl provides dark web intelligence and credential exposure monitoring that directly addresses this challenge. Our platform enables organizations to identify indicators of compromise, data exposure, and threat actor activity before they escalate into reportable incidents—or to detect them the moment they do.

Threat actors frequently surface intent, tooling, and stolen data on dark web forums, marketplaces, and encrypted channels days or weeks before a formal attack is launched or discovered by the target organization. DarkOwl’s continuous monitoring of these environments provides covered entities with:

  • Early warning of data exfiltration, including stolen credentials, proprietary documents, and sensitive internal communications appearing on dark web markets
  • Detection of ransomware group communications referencing an organization or its vendors, often preceding deployment of ransomware payloads
  • Identification of threat actor reconnaissance and targeting activity associated with specific sectors or infrastructure types
  • Alerting on newly compromised credentials that may indicate an active breach or imminent attack

This intelligence directly supports the 72-hour reporting window by giving security teams a head start—enabling them to investigate, scope, and assess the significance of potential incidents before the clock starts.

Credential theft is among the most common precursors to significant cyber incidents. Compromised usernames and passwords—particularly those tied to privileged accounts, VPNs, or cloud infrastructure—frequently appear on dark web forums and criminal marketplaces following data breaches at third-party services.

DarkOwl’s credential exposure monitoring enables covered entities to:

  • Continuously scan for employee and customer credentials appearing in dark web breach compilations and stealer logs
  • Receive actionable alerts when new credential exposures are detected, enabling rapid password resets and account lockdowns
  • Attribute credential exposure to specific breach events, supporting incident scoping and regulatory notification decisions
  • Maintain an ongoing audit trail of exposure detection and response actions—critical documentation for demonstrating compliance due diligence

CIRCIA does not simply require organizations to report incidents—it implicitly requires that they have the detection infrastructure capable of identifying those incidents within compressed timeframes. Regulators and legal counsel will increasingly ask whether covered entities exercised reasonable diligence in monitoring for threats.

By deploying DarkOwl’s platform, organizations create a documented, auditable record of proactive threat intelligence activity. This serves multiple compliance functions:

  • Evidence of reasonable cybersecurity diligence in the event of a regulatory inquiry or breach litigation
  • Structured detection workflows that align with incident response plans and reporting procedures
  • Intelligence feeds that can integrate with SIEM, SOAR, and incident response platforms to accelerate detection-to-reporting timelines
  • Sector-specific threat intelligence relevant to each of the 16 critical infrastructure categories

CIRCIA’s scope extends to organizations that are integral to critical infrastructure operations—including technology vendors, managed service providers, and supply chain partners. A breach at a third-party vendor can create a reportable incident obligation for a covered entity, even if the covered entity’s own systems were not directly compromised.

DarkOwl supports supply chain risk management by monitoring for dark web activity associated with key vendors and third-party partners, providing covered entities with a broader view of their threat exposure across the entire organizational ecosystem.

CIRCIA represents a fundamental shift in how the U.S. government expects critical infrastructure operators to approach cybersecurity. Mandatory reporting obligations, compressed timelines, and broad sectoral coverage create both regulatory urgency and strategic imperative: covered entities must build proactive threat detection capabilities or face significant compliance risk.

DarkOwl’s dark web intelligence and credential exposure monitoring platform is designed precisely for this environment. By surfacing threats early—often before they escalate into reportable incidents—DarkOwl enables covered entities to meet their CIRCIA obligations, demonstrate proactive due diligence, and strengthen their overall security posture.


How can DarkOwl help your company prepare for CIRCIA compliance? Contact Us.

What is Push Bombing?

April 23, 2026

Cybersecurity might as well have its own language. There are so many acronyms, terms, sayings that cybersecurity professionals and threat actors both use that unless you are deeply knowledgeable, have experience in the security field or have a keen interest, one may not know. Understanding what these acronyms and terms mean is the first step to developing a thorough understanding of cybersecurity and in turn better protecting yourself, clients, and employees. 

In this blog series, we aim to explain and simplify some of the most commonly used terms. Previously, we have covered bullet proof hosting, CVEs, APIs, brute force attacks, zero-day exploits, doxing, data harvesting, IoCs, credential stuffing, and ransomware as a service. In this edition, we dive into push bombing.

Push bombing, also known as “MFA Fatigue” or “MFA Spamming,” is a deceptive social engineering tactic in which an attacker repeatedly triggers MFA push notifications to the victims device. Multi-factor authentication (MFA) has long been considered a cornerstone of modern cybersecurity. By requiring users to verify their identity through an additional factor—like a push notification to a mobile device—organizations have significantly reduced the risk of account compromise. Multifactor authentication is not invincible. As always, attackers adapt. Attackers increasingly exploit user behavior instead of cryptographic weaknesses. And this is where push bombing comes into the scene.

The goal is simple: flood a target with repeated MFA push notifications in the hope that they will eventually “approve” one. At a high level, push bombing is a shortcut. Instead of breaking through authentication controls, attackers pressure users into opening the door for them.

The process usually begins after an attacker has already obtained a user’s valid credentials, often through phishing, credential stuffing, or darknet data leaks. Once the attacker attempts to log in, the system sends a push notification to the legitimate user’s mobile app. When the user denies the request, the attacker immediately triggers another, and another—sometimes hundreds of times in a row, often in the middle of the night when the victim is less likely to be alert. Attackers often combine push bombing with chat-based impersonation, fake IT support calls, and SMS messages – creating a sense of urgency and legitimacy.

The Cybersecurity and Infrastructure Security Agency has published guidance highlighting this growing tactic.

Early warning indicators include:

  • Multiple MFA prompts within short time periods
  • Authentication approvals outside normal working hours
  • Users reporting repeated push requests they did not initiate

When a user comments, “I keep getting login prompts even though I’m not trying to sign in” that’s not a help desk or internal IT nuisance. It’s an intrusion attempt in progress.

Push bombing is actively used in real-world attacks and breaches by threat actors targeting organizations of all sizes, often as the final step in an account takeover chain. Consequences of a successful push bombing attack extend way beyond the single compromised account. Once inside, attackers can:

  • Launch impersonation or fraud campaigns
  • Access sensitive corporate systems
  • Move laterally across networks
  • Steal data or deploy ransomware

Uber

In 2022, a threat actor associated with the Lapsus$ group gained access to Uber’s internal systems. After obtaining a contractor’s password, the attacker sent a barrage of MFA requests. When the contractor initially ignored them, the attacker contacted them on WhatsApp, pretending to be from Uber IT, and told them they needed to approve the request to stop the notifications. The contractor complied, giving the attacker full access to the corporate environment.

Cisco

Also in 2022, Cisco fell victim to a series of sophisticated push bombing attacks. After compromising a user’s personal Google account to find stored credentials, the attackers moved to the corporate network. They used a combination of voice phishing (vishing) and MFA fatigue to trick the employee into granting access, eventually allowing the attackers to move laterally through the network.

What makes push bombing especially dangerous is its simplicity. It doesn’t require sophisticated malware or zero-day exploits—just stolen credentials and persistence.

Of course DarkOwl will always recommend using MFA, but let’s go one step further: choose a phishing-resistant MFA. Not all MFA is equal. SMS codes and push prompts can be bypassed (push fatigue, SIM swaps). Where available, use FIDO2 keys, WebAuthn, and passkeys, particularly for privileged and external-facing accounts for phishing-resistant authentication. Never approve a push you didn’t initiate; report repeated prompts to IT. Ask your org to move critical apps to phishing-resistant MFA.

Push bombing is the second stage of a compromise; the first stage is the loss of credentials. Awareness of when your employees’ or customers’ credentials have been leaked on the darknet can help you stay ahead of these attacks.

Leveraging a continuously updated darknet data index enables organizations to detect security gaps before a threat actor begins a push bombing campaign. By monitoring for leaked usernames and passwords associated with your domain, you can proactively force password resets and invalidate sessions, neutralizing the attacker’s ability to even trigger that first notification.


Curious to learn more about dark web monitoring? Contact us.

Q1 2026 Product Updates and Highlights 

April 21, 2026

The team is excited to share the new capabilities, platform improvements, and notable darknet intelligence collected across January, February, and March. 

Q1 was a big quarter for the DarkOwl platform. We’ve been laser-focused on one goal: helping analysts work faster and smarter — surfacing the right intelligence at the right moment, without ever breaking their flow. Here’s a look at what’s new. 

It’s never been faster to assess vendor scale, longevity, and risk — all without leaving the market listing result you’re already looking at. Vendor Context delivers an instant, comprehensive snapshot of any known vendor — directly within a Market Research listing. With a single click, analysts can see: 

  • Total markets and listings the vendor has appeared in 
  • First and last observed activity dates 
  • Top markets where the vendor is most active 
  • Primary shipping sources 
  • The vendor’s five most recent listings across all markets 

Vendor Context expands on DarkOwl’s market dataset and features, providing a purpose-built, structured investigative capability specifically designed for darknet marketplace analysis. Markets are among the most operationally significant environments on the dark web—serving as hubs for the sale of drugs, weapons, stolen data, counterfeit goods, and as nexus points for the criminal networks. DarkOwl’s enhanced market holdings now include more than 431,000 listings which extract vendor identity, product description, category, price, accepted payment methods, shipment origin/destination, reviews, and more. 

A substantial portion of threat actor activity, forum discussions, marketplace listings, and leaked data originates from Russian, Chinese, Arabic, Farsi, and other non-English-speaking communities. Global threat intelligence means working across dozens of languages. We’ve made that dramatically easier with Translation for search results. Instantly translate any text from search or alert results inline, now covering all 52 languages supported by Vision UI. No external tools, no copy-pasting — just highlight, click, and read. And because we know it matters for sensitive environments: translation runs entirely within the DarkOwl platform, with no data leaving our closed environment. 

  • Expanded Site Lexicon and Context — Data Sharing and File Repository are now recognized site categories, with full Site Context enabled across results — making it easier to identify and investigate these areas of the darknet. Key press releases, law enforcement actions, and major news coverage are now linked directly within a new media reporting field in Site Context. 
  • Export by Date Range — Generate time-based reports from Case Findings to share only the most relevant data or align exports with reporting or investigative timeframes.  
  • Save as Finding Snippet — Highlight any text in a result, click “Save as Finding Snippet,” and the Add Finding panel opens automatically. Analysts can save both the original and translated text as separate snippets within the same Finding — ideal for reporting, collaboration, and evidence tracking. 
  • Additional UX improvements — A Case Overview redesign to ensure critical alerts are now front and center; easier navigation in Actor Explore; additional fields on results from Paste sites. 

For teams building on the DarkOwl API, Q1 brought expanded data access and improved developer experience: 

  • Paste-specific fields now available in Search API: author, postDate, expires, and key 
  • Media Reporting in Context API for sites  
  • Updated API documentation for a smoother integration experience 

Our data collection team continues to astonish us with the quantity of data made available across all DarkOwl  products. Let’s highlight just some of that growth year over year:

  • 21% increase in credit card numbers
  • 20.5% increase in email addresses
  • 9% increase in IPs

Our collection and research teams had a busy quarter. Here’s a snapshot of some of the most significant data leaks and original research that happened in Q1. 

Original Research

In March 2026, our team published an in-depth analysis of how dark web and adjacent communities responded to the escalating conflict between Iran, Israel, and the United States. Hacktivist groups launched over 149 DDoS attacks against 110 organizations—107 of them in the Middle East—within days of the strikes. Jihadist communities on Telegram and Rocket.Chat used the conflict to amplify recruitment narratives, including a call for “global cyber jihad” from a group claiming al-Qaeda ties. Iranian-aligned militia channels circulated target lists and operational claims, while a notable crossover emerged between extremist ideological communities as groups linked to Nihilistic Violent Extremism blurred traditional political lines. DarkOwl continues to monitor these ecosystems as the conflict evolves. 

Leaks of Interest  

Posted on January 9, 2026, this leak exposed personal data for approximately 324,000 BreachForums users. The exposed data includes usernames, email addresses, and IP addresses for a large population of actors who may participate in buying and selling stolen data. The data came from a database backup dated August 11, 2025, inadvertently left in a publicly accessible directory during a site restoration. A 4,400-word manifesto attributed to a threat actor using the pseudonym “James” accompanied the data, framing the leak as deliberate retaliation against the forum’s users following attacks on French infrastructure.  

Posted on ShinyHunters on February 4, 2026, this dataset purports to contain 1 million records from Harvard’s Alumni Affairs and Development systems. The breach originated from a vishing campaign in November 2025 where attackers impersonated support staff and bypassed Multi-Factor Authentication in real time. Researchers describe the exposed data as a “map of influence”—including private home addresses and mobile numbers for prominent individuals alongside sensitive donor contracts and internal strategy documents. The combination of donor financial data, direct contact information, and internal strategy documents creates a rich target for spear-phishing, fraud, and reputational exploitation across a high-profile institution’s network. For security teams evaluating their own exposure, this is immediately relevant to how they think about vishing defenses and privileged access to constituent or membership systems. 

Posted to DarkForums on March 3, 2026 by threat actor FulcrumSec, this breach exploited an unpatched React application on LexisNexis AWS infrastructure via a React2Shell vulnerability combined with a weak RDS master password. The actor claims to have exfiltrated over 2GB of data including plaintext credentials and contact details for 118 U.S. government employees—including federal judges and DOJ attorneys. LexisNexis characterizes the data as largely pre-2020 legacy records. FulcrumSec frames the attack as separate from a 2024 breach that prompted a class-action lawsuit and states it was not geopolitically motivated, but intended to highlight a “sustained pattern of negligence.” For organizations that rely on LexisNexis—law firms, financial institutions, government agencies—exposure of the underlying records is a direct concern. The inclusion of federal judiciary and DOJ contact information in a publicly accessible darknet post significantly elevates risk.  


Curious how these features and data can make your job easier? Get in touch! 

Copyright © 2026 DarkOwl, LLC All rights reserved.
Privacy Policy
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.