Legends Never Die: RaidForums Legacy Continues Despite Seizure

About RaidForums

In March 2015, a discussion forum known as RaidForums emerged on the deep web. The forum quickly gained popularity, amassing hundreds of thousands of users, and became a reliable resource for breached and leaked databases in addition to combolists, cracked software, and adult content. The forum’s popularity crossed various underground communities, with young script kiddies, prominent darknet threat actors, and seasoned data brokers all active and contributing to the forum’s success.

The forum is recognizable by its lavender-haired anime character, which serves as the default avatar for members and as the persona featured on the forum’s banner.

RaidForums Landing Page – Before RaidForums Shutdown

The forum also features a real-time ‘shoutbox’, private direct messages between users, and a credit system for accessing cloud-hosted URLs of high-value data leaks.

RaidForums’ administrator, using the moniker “Omnipotent,” has been a key figure in the forum since its inception. While Omnipotent lists the United Kingdom as their location on their GitHub profile, their exact location is unknown. There is a possible open-source link between Omnipotent and the real identity “K Gopal Krishna,” but nothing concrete to solidify an association.

Unusual Activity Begins on RaidForums

In late January and early February of this year, the forum mysteriously began experiencing connection issues, and some users received an SQL internal error from the MyBB forum platform and could not log in. This all coincidentally occurred while Omnipotent was allegedly away on vacation (January 31st through February 7th).

MyBB SQL Error Page for RaidForums from Early February 2022

On the forum’s Telegram chat, one user suggested Omnipotent “was on life support after fighting a mountain lion.” The comment sparked tremendous speculation and suspicion about the security of the forum and the whereabouts of its leadership.

Telegram chat: "We don't have any information on when the site will be up, please don't ask. Pray Omnipotent as he currently on life support after fighting a mountain lion."
Source: RaidForums Telegram

According to DarkOwl Vision, less than three days later, the domain was back online and operational on February 11th, 2022.

Observation from our Analysts: Outages like those experienced in early February were unusual, but not concerning. The website had experienced domain issues in the fall of 2021, when the Brazilian government attempted to have NameSilo – the domain’s registrar – shut down the forum. This forced Omnipotent to set up mirror domains, like rfmirror[.]com, while they migrated their services back to CloudFlare.

Key Data Leaks During RaidForums’ Short UpTime

During the weeks leading up to the invasion of Ukraine, various threat actors shared sensitive information pertaining to the Ukrainian cyberattacks from January and February. DarkOwl published an extensive analysis of Ukrainian data leaked in the run-up to the invasion. Several RaidForums users, like Carzita, also claimed to be actively targeting Ukrainian government websites, prompting alerts from the Ukrainian government. (Source: DarkOwl Vision)

Some threat actors, like the alias NetSec, claimed to be targeting US government and military networks using Anonymous-style hashtags such as #RaidAgainstTheUS. In the days leading up to the invasion of Ukraine, NetSec shared email addresses and hashed passwords for U.S. Strategic Command (stratcom[.]mil), U.S. Special Operations Command (soc[.]mil), the Defense Technical Information Center for the US Government (dtic[.]mil), and employees of the defense contractor Lockheed Martin.

On February 22nd, 2022, NetSec claimed to be working with “some Russian folks” to develop a zero-day for enterprise platforms used by the US Government by targeting an individual who worked directly for the enterprise platform. The threat actor refers to eis.army.mil – which resolves to the Program Executive Office (PEO) Enterprise Information Systems (EIS) for the Army.

NetSec is a self-proclaimed cybersecurity hacktivist reportedly located in Switzerland with possible US citizenship, but not directly working with a government or for a company. They refer to being the “devil in the red hat” and feature women in their avatars on social media and forums, often in swimsuits or a big red hat.

Post from NetSec referring to being the "devil in the red hat"
Source: DarkOwl Vision

On the evening of the invasion, RaidForums leadership projected a zero-tolerance approach to Russian actors on the forum. Moot, another staff administrator of RaidForums, posted in a thread titled “RAIDFORUMS SANCTIONS ON RUSSIA,” stating that anyone connecting to the forum from a Russian IP address would be banned.

RaidForums post titled "RaidForums Sanctions on Russia"
Source: RaidForums

Seizure Unofficially Announced

On the 25th of February, users were no longer able to successfully log into the RaidForums domain. On the same day, a prominent moderator of the forum, Jaw, posted to the forum’s Telegram that the raidforums.com domain had been seized and that the current website was being run by law enforcement as a honeypot and phishing operation.

Another RaidForums moderator, moot, locked the chat, and Jaw suggested rf[.]to would be the new domain for future RaidForums operations. It is unclear how Jaw confirmed the seizure of the RaidForums domain. Some speculate Omnipotent was allowed to call from inside police custody and notified Jaw directly. The rf[.]to domain is unresolvable and, according to WHOIS records, was set up around the same time as rfmirror[.]com.

Chat where RaidForums moderator, moot, locked the chat and Jaw suggested rf[.]to would be the new domain for future RaidForums operations.
Source: Telegram

Databreaches.net was unable to get confirmation from British or US law enforcement as to whether the RaidForums domain was seized. The FBI’s outright “decline to comment” indirectly confirmed the community’s suspicions.

To this day, the raidforums[.]com domain continues to load, but the forum is inactive. The domain’s registration information changed on February 25th, 2022. Some threat actors state that the new name servers for RaidForums are the same servers the FBI previously used with WeLeakInfo and are associated with an FBI-hosted CloudFlare account.

Cyber Dork post stating that the new name servers for RaidForums are the same servers the FBI previously used with WeLeakInfo.
Source: breached[.]co

RaidForums Replacements Quickly Emerge

Raid Forums 2

Right after the forum’s outage in early February, the deep web domain raidforums2[.]com was registered and protected by CloudFlare. RaidForums 2 (RF2) is reportedly administered by the moniker “burkeluke” and claims no association with the original RaidForums domain. The administrator stated RF2 would be focused on computer science, with coding sections and workshops.

Post by “burkeluke,” claiming no association with the original RaidForums domain.
Source: RaidForums2

RF2 has been slow to gain adoption, but its members are well known, including AgainstTheWest (a.k.a. Blue Hornet), who quickly used RF2 to share leaks obtained through campaigns against critical Russian and Chinese targets in recent weeks. The forum also has a section dedicated to the SAMSUNG and Nvidia source code leaks released by LAPSUS$.

RaidForums staff aliases like Omnipotent and Jaw have appeared on RF2, but their authenticity is in question. More than likely, these are classic cases of alias hijacking.

As of the time of writing, there are 1,025 registered members, 369 posts, and 211 threads.

Breached Forums

When Jaw announced the raidforums[.]com domain had been seized and was now a honeypot, a legacy user of the community, pompompurin, reportedly DDoS attacked the domain so that users could not expose themselves on it, limiting what the FBI could gain by keeping the domain alive to harvest the credentials it sought. The RaidForums user pompompurin is known for prominent commercial data leaks such as CVS and ParkMobile and is represented by an adorable avatar – the beret-wearing golden retriever character from the Japanese Sanrio Hello Kitty franchise. According to their surface web blog, pompur[.]in, pompompurin resides in Canada.

During the first week of March, pompompurin set up BreachedForums (BF) on the domain breached[.]co and opened the site on March 16th for registration and forum discussion. The forum is set up identically to RaidForums, complete with the same color scheme, shoutbox, and default avatars. pompompurin claimed no direct affiliation with RaidForums, yet stated that if RaidForums ever returned in an official capacity, he would shut down BF and redirect the domain to the main RaidForums site.

Post by pompompurin claiming no direct affiliation with RaidForums and stating that if RaidForums ever returned in an official capacity, he would shut down BF and redirect the domain to the main RaidForums site.
Source: BreachedForums

The popularity and wide acceptance of BreachedForums is evident in the sheer volume of posts and memberships already active on the forum. In less than three weeks of activity, the BF domain has registered 3,293 members, with 13,707 posts across 1,939 threads.

The Databases section of the forum includes over 80 unique ‘official’ datasets maintained by the forum’s staff, with over 1 billion records. DarkOwl estimates that over 700 unofficial commercial and government data archives have been distributed by members in the leaks and databases sections of the forum.

Many of the posts are related to the conflict in Ukraine with shares of sensitive data exfiltrated in conjunction with Anonymous’s #opRussia cyber campaign.

The BF domain is already being targeted by malicious actors and/or law enforcement. Earlier this week, the forum was briefly offline after the domain was reported to its hosting provider for containing illicit content and CSAM. As a result, pompompurin set up a new onion service on Tor as well as five alternate mirrors on the deep web.

The breached[.]co domain was unreliable and timed out numerous times while writing this report.

Question about something you read or interested in learning more? Contact us to find out how darknet data applies to your use case.

Version Control Systems and Software Supply Chain Risk

A review of the ongoing darknet risks associated with the compromise of Version Control Systems (VCS) and other components of the software supply chain. Our full report can be found here.

Research from DarkOwl analysts continues to indicate that software programming and engineering tools are a viable exploitation vector.

Last week, the maintainer of an NPM package – NPM being a widely used package manager for the JavaScript programming language – showed how powerful supply chain attacks on software development components can be. This individual, an open-source software developer known as RIAEvangelist, intentionally embedded malware in the latest stable release of a popular package called node-ipc in protest against Putin’s atrocities in Ukraine. The payload is named ‘peacenotwar’, deploys a readme file titled WITH-LOVE-FROM-AMERICA.txt, and is notably triggered only on devices whose IP address is geo-located to Belarus or Russia.

Developers and security researchers around the world have been equally appalled and conflicted by the intentional sabotage of an open-source software package. Many are particularly concerned about the reputational damage such incidents cause to the open-source software development movement.

Despite widespread sentiment against Putin’s invasion of Ukraine, the open-source software development community has marked RIAEvangelist’s NPM package as malicious, because this individual chose to deploy malware into the digital supply chain ecosystem.

“This code serves as a non-destructive example of why controlling your node modules is important. It also serves as a non-violent protest against Russia's aggression that threatens the world right now. This module will add a message of peace on your users’ desktops, and it will only do it if it does not already exist just to be polite.” 

     - peacenotwar source code description

Exploitation of software build processes and code repositories enables wider, more catastrophic distribution of malware and enterprise-level software compromise. By poisoning software development, update processes, and linked dependencies, a threat actor’s malicious code can potentially be distributed to thousands of users without any need for social engineering, e-mail compromise, or drive-by-download delivery mechanisms.
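As an added, defender-side example (not code from this post, from node-ipc, or from npm), the following Node.js script audits a package-lock.json for the conditions that let a poisoned release like the one described above reach a build: floating version ranges on watched packages, lifecycle install scripts, missing integrity hashes, and packages resolved outside the default registry. The sample lockfile, the package names other than node-ipc, and every version string are constructed placeholders, and the watchlist deliberately records no version numbers.

```javascript
// Added example: audit an npm package-lock.json (lockfileVersion 2/3 "packages" map)
// for dependency-poisoning risk. Not code from the post, node-ipc, or npm.
// The sample lockfile below is constructed; all version strings are illustrative only.

// Packages to review on sight. No version numbers are recorded on purpose: this example
// carries no advisory data, so any occurrence is reported as "review", not "known bad".
const WATCHLIST = {
  "node-ipc": "maintainer shipped the geo-targeted 'peacenotwar' payload in a stable release",
};

const DEFAULT_REGISTRY = /^https:\/\/registry\.npmjs\.org\//;
// A pinned semver. Ranges (^, ~, *, >=), dist-tags and URLs all fail this test.
const EXACT_VERSION = /^\d+\.\d+\.\d+$/;

// Derive the package name from a lockfile path such as "node_modules/a/node_modules/b".
function nameFromPath(path) {
  const marker = "node_modules/";
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? path : path.slice(idx + marker.length);
}

// Returns an array of { name, path, version, severity, reason } findings.
function auditLockfile(lock, watchlist = WATCHLIST) {
  const findings = [];
  const packages = lock.packages || {};
  const root = packages[""] || {};

  // 1. Floating ranges on watched packages: the next publish is pulled in automatically,
  //    which is exactly how a poisoned "latest stable release" reaches consumers.
  for (const [name, range] of Object.entries(root.dependencies || {})) {
    if (watchlist[name] && !EXACT_VERSION.test(range)) {
      findings.push({ name, path: "", version: range, severity: "medium",
        reason: `floating range "${range}" on a watched package; pin an exact version` });
    }
  }

  // 2. Per-installed-package checks.
  for (const [path, meta] of Object.entries(packages)) {
    if (path === "") continue; // root project entry, handled above
    const name = meta.name || nameFromPath(path);
    const base = { name, path, version: meta.version };
    if (watchlist[name]) {
      findings.push({ ...base, severity: "high", reason: `watched package: ${watchlist[name]}` });
    }
    if (meta.hasInstallScript) {
      findings.push({ ...base, severity: "medium",
        reason: "lifecycle install script runs arbitrary code during npm install" });
    }
    if (!meta.link && !meta.integrity) {
      findings.push({ ...base, severity: "medium",
        reason: "no integrity hash; tarball contents cannot be verified against the lockfile" });
    }
    if (meta.resolved && !DEFAULT_REGISTRY.test(meta.resolved)) {
      findings.push({ ...base, severity: "medium",
        reason: `resolved from a non-default source: ${meta.resolved}` });
    }
  }
  return findings;
}

// Count findings by severity, e.g. { high: 1, medium: 4 }.
function summarize(findings) {
  const counts = {};
  for (const f of findings) counts[f.severity] = (counts[f.severity] || 0) + 1;
  return counts;
}

// Constructed sample lockfile (not a real project). Version strings are illustrative only.
const SAMPLE_LOCK = {
  name: "sample-app", version: "1.0.0", lockfileVersion: 2,
  packages: {
    "": { name: "sample-app", version: "1.0.0",
      dependencies: { "node-ipc": "^9.0.0", "sample-util": "1.2.3", "sample-native": "2.1.0" } },
    "node_modules/node-ipc": { version: "9.0.0",
      resolved: "https://registry.npmjs.org/node-ipc/-/node-ipc-9.0.0.tgz",
      integrity: "sha512-CONSTRUCTED" },
    "node_modules/sample-util": { version: "1.2.3",
      resolved: "https://registry.npmjs.org/sample-util/-/sample-util-1.2.3.tgz",
      integrity: "sha512-CONSTRUCTED" },
    "node_modules/sample-native": { version: "2.1.0",
      resolved: "https://mirror.example.invalid/sample-native-2.1.0.tgz", hasInstallScript: true },
  },
};

const SAMPLE_FINDINGS = auditLockfile(SAMPLE_LOCK);
for (const f of SAMPLE_FINDINGS) {
  console.log(`[${f.severity}] ${f.name}@${f.version}: ${f.reason}`);
}
console.log("summary:", summarize(SAMPLE_FINDINGS));
```

On the constructed sample the audit reports one high finding (node-ipc is on the watchlist) and four medium ones: the floating `^9.0.0` range plus three for the package pulled from a non-default mirror without an integrity hash and with an install script.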

In recent months, DarkOwl has observed a significant increase in instances of malware developers mentioning or discussing direct attacks on the international software supply chain. In many cases, this chatter centered around plans that involved targeting popular open-source software developer repositories like GitHub and Bitbucket, as well as associated digital software support infrastructure.

Exploiting Version Control Systems (VCS) and poisoning supply chains is not a new threat vector. In 2021, the Kaseya ransomware attack – via a simple malicious software update pushed to thousands of users by the notorious ransomware gang REvil – highlighted the extensive threat to software supply chains and cloud-based commercial software repositories. (Source)

In December 2020, the SolarWinds attack similarly inspired international concern for the integrity of commercial enterprise software and underscored the need for widespread implementation of zero trust architectures. (Source)

Another example of a threat actor group exploiting digital supply chain vulnerabilities is the hacking group LAPSUS$. The increasingly active group most recently announced that it had acquired privileged access to identity provider Okta’s networks via a support engineer’s thin client. The Okta compromise yielded significant intelligence findings and highlights the overarching risks at stake for any software development and operational lifecycle. (Source)

Brief summary of how LAPSUS$ leveraged supply chain exploits to compromise global software company Okta:

  • LAPSUS$ most likely gained access to Okta using credentials purchased on the deep web marketplace: Genesis Market, proving the underground continues to feed criminal empires.
  • AWS credentials and code repository tokens were likely stored in company Slack messaging systems that LAPSUS$ then utilized to move laterally through peripherally associated digital infrastructure.
  • LAPSUS$ clearly stated they were not interested in Okta, but the customers Okta supported and had access to.
  • Okta’s implementation of zero trust architecture was called into question given the level of access available to a third-party support engineer’s account.
  • Okta estimates at least 366 unique clients’ organizational data could have been accessed by the threat group via the initial compromised privileged access.

We are witnessing – in real time – the terrifying realization of the dangers to software supply chains via malicious compromise of the tools and infrastructure critical to supporting the software development lifecycle. Any product or service that touches one’s network, e.g. customer relationship management (CRM) software, software version control (VCS) utilities, authenticators, payroll and timekeeping accounting systems, cloud service providers, and internal employee messaging platforms (Slack, Teams, etc.), is a potential target for compromise.

Research from our analysts

Version control systems and software supply chains are a viable and highly consequential attack vector readily exploited by cybercriminal organizations, nation state actors, and hacktivists from the darknet. DarkOwl believes there will be continued and increased attacks against dependency libraries and software package managers, such as NPM and PyPI, with the intention of stealing information and establishing long-term persistence on victim machines. Read the full report here.


Review of Ransomware Gang Activity Since Ukraine Invasion

In light of disturbances in the darknet due to nationalistic fractures amongst ransomware and cybercriminal groups, DarkOwl analysts did a cursory review of activity across ransomware-as-a-service (RaaS) gangs since the invasion of Ukraine.

We reviewed the number of reported victims by RaaS groups and the location of the victims, and determined the following:

  • Conti and Lockbit 2.0 lead in total number of victims announced since the 24th of February, 2022.
  • Conti was offline for almost a week due to infrastructure leaks and fractures with their Ukrainian-aligned affiliates. Since March 1st, the group has resumed locking and leaking victims’ networks around the world.
  • Several key Tor services for well-known RaaS gangs, including Pay2Key, Blackbyte, Cuba, are online and active; however, they have not shared any victim’s data since the invasion on February 24th, 2022.
  • A new RaaS group called Pandora Gang hit multiple victims in a matter of days, including two victims from Japan.
  • STORMOUS ransomware has been heavily targeting Ukraine.
  • STORMOUS most recently attacked 4A Games (Ukraine) and EPIC Games (US).
  • Given the severity of the attacks against Nvidia and SAMSUNG, LAPSUS$ is now being categorized as a RaaS gang, even though they do not have an affiliate program that we are aware of.
  • The US, Canada, UK, Czech Republic, and Germany have the highest volume of ransomware victims in the distribution by location of victims published in the last two weeks.
  • Many ransomware victims have direct connections to US and Western critical corporate/government operations and supply chains.

NOTE: The charts below do not take into consideration attacks by Russia against Ukrainian networks in conjunction with the HermeticWiper attacks or leaks released by Free Civilian. The totals, as reported by the Ukrainian government, would exceed those counted here for the US.

LAPSUS$ Group: Additional Findings

The cybercriminal group LAPSUS$ has ramped up their activities since the invasion – emboldened by their attacks against Nvidia and SAMSUNG.

They recently solicited experts in various specific industries for their next victim selection, possibly looking for insiders to assist. Telecommunications, software development/gaming, hosting, and call-centers were among the industries requested.

Over the weekend, LAPSUS$ also implied they were responsible for the recent “cybersecurity incident” at Ubisoft.

DarkOwl will continue to monitor RaaS activity and update as new information becomes available.


[DEVELOPING] Impacts of Ukraine Invasion Felt Across the Darknet

Last updated: April 18 18:30 UTC

The DarkOwl team is actively tracking the fallout from Russia’s invasion of Ukraine. The effects of the kinetic military operation are causing ripples across global cyberspace, including critical underground ecosystems across the deep web and darknet.

18 April 2022 – 01:12 UTC

DDoSecrets Leaks 222GB of Data from Gazregion Collected by Anonymous Hacktivists

Three different hacktivist groups (Anonymous, nb65, and DepaixPorteur) submitted archives consisting of emails and sensitive corporate files from Gazregion, a Russian supplier specializing in gas pipeline construction with direct support to Gazprom.

There have been numerous claims of attacks against Gazprom by Anonymous and other cyber offensive groups since the invasion of Ukraine. nb65 posted to social media that they had compromised SSK Gazregion on April 3rd with their version of CONTI ransomware.

18 April 2022 – 01:12 UTC

nb65 Claims Attack Against Russian JSC Bank PSCB with CONTI Ransomware

The hacktivist group Network Battalion 65 claimed they successfully attacked JSC Bank PSCB in Russia and encrypted its network with their version of CONTI ransomware.

The group stated they managed to exfiltrate over 1TB of data, including financial statements, tokens, tax forms, client information, and sensitive databases, before deleting all backups to prevent data and functionality restoration.

The hacktivists further taunted the bank, stating how grateful they were that the bank stored so many credentials in Chrome – a browser for which several emergency security patches have recently been released.

We’re very thankful that you store so many credentials in Chrome. Well done. It’s obvious that incident response has started. Good luck getting your data back without us.

15 April 2022 – 21:59 UTC

GhostSec Leaks Data from domain[.]ru Hosting Provider

The hacktivist group GhostSec claimed to have targeted the Russian internet domain registration provider domain[.]ru in a cyberattack. The group managed to exfiltrate over 100MB of data, including screenshots of sensitive files and Excel spreadsheet data.

According to the README file in the data leak, GhostSec identified over 4TB of SQL databases during the breach, but in all the excitement the team’s presence was caught by the company’s intrusion detection systems and they were kicked off the network before the SQL data could be harvested.

15 April 2022 – 17:52 UTC

nb65 Confirms Attack on Continent Express; DDoSecrets Leaks 400 GB of Russian Travel Agency’s Data

The attack on the Russian travel agency occurred several days ago and was confirmed by the organization shortly afterward. DDoSecrets assisted nb65 in leaking over 400GB of sensitive files and databases from the travel agency. The details of the leak have not been confirmed.

15 April 2022 – 14:32 UTC

Anonymous Takes Over Pro-Russian Discord Accounts

Hacktivists from the Anonymous Collective have successfully taken control of several pro-Russian accounts on the chat platform Discord and are now using these accounts to circulate pro-Ukrainian messaging. An Anonymous member, @v0g3lsec – who has been extremely active in the #opRussia campaign – shared an image of a hacked account where they posted links and information about the information operations group squad303, which shares truths about the invasion via SMS, WhatsApp, and email with random Russian citizens.

14 April 2022 – 20:02 UTC

DDoSecrets Leaks Unprecedented Amount of Email Data from Russian Organizations

In the last three days, DDoSecrets uploaded archives for five different organizations across Russia, totaling 1.97 million emails and 2 TB of data.

  • 230,000 emails from the Blagoveshchensk City Administration (Благове́щенск) – 150 GB
  • 230,000 emails from the Ministry of Culture of the Russian Federation (Министерство культуры Российской Федерации), responsible for state policy regarding art, cinematography, archives, copyright, cultural heritage, and censorship – 446 GB
  • 250,000 emails from the Department of Education of the Strezhevoy (Стрежево́й) City District Administration – 221 GB
  • 495,000 emails from the Russian firm Technotec, which has provided oil and gas field services along with chemical reagents used in oil production and transportation – 440 GB
  • 768,000 emails from Gazprom Linde Engineering, which specializes in designing gas and petrochemical processing facilities and oil refineries – 728 GB

13 April 2022 – 17:09 UTC

CISA Issues Alert About Destructive Malware Targeting US Critical Infrastructure

A joint advisory issued by the Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) details how nation state actors (likely sponsored by the Russian government) have demonstrated the capability to gain full system access to multiple industrial control system (ICS) and affiliated supervisory control and data acquisition (SCADA) devices. The critical alert indicated there is an immediate HIGH cybersecurity risk to critical infrastructure across the US. The devices include:

  • Schneider Electric programmable logic controllers (PLCs);
  • OMRON Sysmac NEX PLCs; and
  • Open Platform Communications Unified Architecture (OPC UA) servers.

For more information read the advisory along with recommended security mitigation measures here: https://www.cisa.gov/uscert/ncas/alerts/aa22-103a

12 April 2022 – 15:31 UTC

ATW | Blue Hornet Announces That They are a “State-Sponsored” Group

The “GOD” account representing AgainstTheWest (APT49) on the new BreachedForums (with many users from the now officially seized RaidForums) announced moments ago that they are indeed a “state-sponsored” cyber group with “direct instructions to infiltrate, attack and leak the country of China, Russia, Iran, North Korea & Belarus.” The group’s Twitter account was also blocked by Russia’s Kremlin account earlier this week and the notification of this block was included in the post.

There is no way to verify the accuracy of the statement posted and it’s unclear whether or not the group will continue their operations in support of Ukraine.

11 April 2022 – TIME UNKNOWN

CONTI Claims Responsibility for Cyberattack Against German Wind Turbine Company

On the 31st of March, Nordex, a wind turbine manufacturer in Germany, suffered a significant cyberattack. CONTI has claimed responsibility for the attack (over 10 days later), posting the company’s name to their public-facing Tor service listing victims. We anticipate that sensitive corporate data will be leaked by the RaaS gang shortly.

11 April 2022 – 20:58 UTC

Anonymous Compromises Regional Government of Tver, Russia; Leaks 130,000 Emails from Governor’s Mail Server

Hacktivists from the Anonymous Collective using the monikers DepaixPorteur and wh1t3sh4d0w0x90 have compromised the domain tverreg[.]ru, believed to be associated with the Regional Government of Tver, Russia. Tver is located 110 miles (180 km) northwest of Moscow on the banks of the Volga River. The archive is over 116GB in size and consists of over 130,000 emails exfiltrated from Governor Igor Rudenya’s email system, dating from 2016 through 2022. The governor was appointed by President Putin in 2016.

Anonymous shared a leak concerning Russian regional governors on the darknet on 23 March 2022.

11 April 2022 – 14:35 UTC

Finland Suffers Cyberattack; Announces They Will Expedite Application for NATO Membership

On April 8th, the Finnish government confirmed that many of its military, defense, and foreign affairs web servers experienced unsophisticated yet concerted DDoS attacks likely originating from Russian threat actors. The cyberattacks coincidentally occurred just as Ukrainian President Zelenskyy started to address the Finnish Parliament on the status of the war in Ukraine, around 10:30 GMT.

On the same day, the Finnish Ministry of Defense confirmed that, hours earlier, a Russian state-owned aircraft had also breached Finland’s airspace off Porvoo in the Gulf of Finland – the first time in over 2 years. The aircraft, an Ilyushin IL-96-300 cargo transport airplane, was traveling east to west and landed in Berlin.

Both Finland and Sweden have signaled they will be submitting applications to join NATO. According to open-source reporting, Finland will likely finalize their application during the month of May in time for a NATO summit scheduled in Madrid, Spain in June.

Kremlin spokesman Dmitry Peskov stated that Russia would have to “rebalance the situation” with its own measures should Sweden and Finland choose to join NATO.

09 April 2022 – 03:39 UTC

ATW | BH Group Leaks Data Stolen from Russian Temporary Work Agency and Recruitment Firm: Rabotut

AgainstTheWest (Blue Hornet) announced on their Telegram channel that they have successfully targeted the domain rabotut[.]ru belonging to Rabotut, a “federal scale service” supplier in Russia. According to the threat actor, the archive includes the organization’s entire back-end and front-end source code, API keys, and SSL keys. According to open sources, Rabotut is a temporary workers agency and provides contract employees to a number of critical government and corporate businesses around the country.

The contents of the leak are in the process of verification by DarkOwl analysts.

08 April 2022 – 21:41 UTC

KelvinSecurity Team Targets Russian Cryptocurrency Scam Website: alfa-finrase

KelvinSec released data reportedly from the domain alfa-finrase[.]com, known for trading in fraud data, e.g. passports, driver’s licenses, and other sensitive PII. The group claims to have exploited the website, shut down a cryptocurrency scam, deleted 400GB from the site’s server, and exposed 1.4GB of customer data from the deep web store.

07 April 2022 – 19:30 UTC

DDoSecrets Leaks Over 400,000 Russian Organization Emails Exfiltrated by Anonymous Operations

The leak site DDoSecrets once again assisted the Anonymous hacktivist collective in distributing sensitive data exfiltrated from companies and organizations in Russia. Three archives were leaked – within minutes of each other – for three organizations: Petrofort, Aerogas, and Forest. The data from these corporate email archives dates back over decades of commercial activity.

  • Petrofort: 244GB archive consisting of over 300,000 emails between employees and clients. Petrofort is one of the largest office space and business center operators in Saint Petersburg.
  • Aerogas: 145GB archive consisting of over 100,000 emails between employees and clients. Aerogas is an engineering company supporting Russia’s critical oil and gas infrastructure and companies such as Rosneft, NOVATEK, Volgagaz, and Purneft.
  • Forest (Форест): 35GB archive consisting of over 37,000 emails between employees and clients. Forest is a Russian logging and wood manufacturing company associated with many high-value construction projects across the country.

A representative from DDoSecrets shared thoughts about the extraordinary volume of leak data coming out of Russia in a social media post earlier this week.

06 April 2022 – 21:42 UTC

Anonymous Claims to Attack Russian MAUK Cinema, Mirkino Belebey

Members of Anonymous using the aliases ShadowS3c and Anonfearless3c have allegedly targeted servers for the Russian cinema and movie theatre Mirkino Belebey (domain: mirkino-belebey[.]ru). The Mirkino theatre is also known as the MAUK Cinema, a.k.a. “World of cinema,” in the Belebeevsky District of Russia.

The hacktivists have leaked screenshots with credential data from the breached database containing hundreds of usernames, email addresses, and passwords.

This entry will be updated if/when the leak contents can be confirmed.

06 April 2022 – 20:42 UTC

Hajun Project Identifies Russian Soldiers Who Sent Parcels from Belarus Back to Russia

On April 3rd, the Hajun Project published three hours of surveillance camera footage from a CDEK delivery service located in Mazyr, Belarus. The video shows several soldiers from the Russian Armed Forces sending, among other things, items stolen from Ukrainians, during their “special military operation.”

Using leaked personal data available across the darknet and deep web, the Hajun Project further confirmed the identities of the Russian military consignors and has released the names and phone numbers of at least 50 of the servicemen who sent parcels around the same time as the published camera footage.

The Hajun Project maintains a Telegram channel and Twitter account monitoring and tracking the movement of military land and air assets in Belarus.

05 April 2022 – 16:22 UTC

Ukraine’s Defense Intelligence Agency (GURMO) Conducts SCADA Attacks on Gazprom

Due to the sensitivities of ongoing military operations, there is limited detail available on the nature of the attack, but it appears that offensive cyber units under the direction of the Main Directorate of Intelligence of the Ministry of Defense of Ukraine conducted SCADA cyberattacks against Gazprom pipelines. The attacks began within 48 hours of a fire at an oil depot in Russia’s Belgorod region last Friday, which western media reported was the first time Ukrainian helicopters had been spotted crossing the border.

The cyberattacks likely triggered an underground gas leak from a highly pressurized gas pipeline in the village of Verkhnevilyuysk; the leak was reported in Russian open sources. Shortly after this, an explosion occurred in the main gas pipeline “Urengoy-Center-2”, which civilians captured on the Russian social media platform VK, as a large fire broke out in the Lysvensky district of the Kama region near the village of Matveevo.

Over-pressurizing gas lines by disrupting the industrial control systems (ICS) of the infrastructure is a documented method of using cyber means to cause kinetic damage to pipeline critical infrastructure. The Congressional Research Service detailed such security risks to ICS in its 2021 report.

05 April 2022 – 14:21 UTC

Anonymous Leaks Data from Russian Rations Supplier, Korolevskiy

The company Korolevskiy (korolevskiy[.]ru) appears to supply Russian companies and organizations with grain, nuts, and confectionery, in addition to rations for the military. This cyberattack could impact the availability of some food ingredient supplies, such as sugar, which is already in short supply and skyrocketing in price across the country due to sanctions.

The data leak includes an 82GB archive containing thousands of emails exfiltrated from the company’s mail servers.

05 April 2022 – 12:29 UTC

nb65 Claims to Hack Civilian Travel Service in Retaliation for Bucha Massacre

Anonymous and hacktivists around the world stepped up their offensive against Russia after images of Russian soldiers’ war crimes and atrocities against civilians in Bucha emerged on Monday.

Network Battalion 65 (nb65) reportedly targeted Continent Express (continent[.]ru), a Russia-based travel and supply company, with Conti’s ransomware variant in retaliation for the crimes.

Continent Express is one of the largest travel agencies in Russia and helps arrange tickets and accommodations. As of time of writing, the public-facing website for continent[.]ru is operational.

The group’s threatening message posted to social media called out the company’s CEO, Stanislav Kostyashkin, as shown in the image below.

“Why, you ask? The answer is simple. We read and watched the coverage of Bucha with horror. The utter lack of humanity in the way Russian soldiers have treated the civilian population of Ukraine left us all in tears. The world has pleaded with your country to put an end to this madness driven by the mind of a cowardly tyrant: your president.”

(Update 6 April 2022) Earlier today, Continent Express posted to the news section of its website acknowledging the cyberattack, but stated that important data and booking systems were not affected.

04 April 2022 – 12:29 UTC

DDoSecrets Distributes Data Exfiltrated by nb65 From Russian Broadcasting Company

Earlier in the campaign, nb65 leaked a sample of files and emails from All-Russia’s State Television and Broadcasting Company (VGTRK / ВГТРК). The Russian state-owned broadcaster operates five national TV stations, two international networks, five radio stations, and over 80 regional TV and radio networks and has been heralded as essential for the “security of the state.”

According to former VGTRK employees, Kremlin officials have dictated how the news should be covered, and provided incendiary phrases meant to discredit Ukraine. According to the former employees, editors normally have freedom to make decisions, but “where big politics are concerned, war and peace, he has no freedom.”

The 786 GB archive contains over 900,000 emails and 4,000 files spanning 20 years of operations at the broadcaster.

04 April 2022 – 06:24 UTC

Anonymous Leaks List of Russian Soldiers Deployed in Bucha

Anonymous shared a PDF file containing the identities of the members of Russia’s 64th Motor Rifle Brigade that was positioned in the Kyiv suburb of Bucha. Since Russia’s withdrawal from the village, the atrocities and war crimes carried out by members of the Brigade have come to light.

The PDF consists of 87 pages detailing the identities of over 1,600 members of the Brigade, including their full name, date of birth, and passport number.

The file most likely originated from the Ukrainian government or intelligence services.

03 April 2022 – 06:16 UTC

Anonymous Shares Data Leaked from Russian Federal Agency for State Property Management

Anonymous shared a single PostgreSQL database, presumably from the domain rosim.gov.ru, containing over 785MB of logged Internet activity for the domain, available via the domain user kluser. Much of the data, which includes IP addresses, domains, and user agents of site visitors, is several years old. Without further analysis, the value of leaking this data, other than for psychological operations and information warfare, is unclear.

03 April 2022 – 05:07 UTC

nb65 Claims to Compromise Russian Gas Pipeline Supplier: SSK Gazregion

nb65 shared on social media that they have successfully hacked SSK Gazregion LLC (domain: ssk-gaz.ru) – a prominent natural gas pipeline construction company – with an ‘improved’ version of Conti’s ransomware. They taunted the company’s IT department, claiming that they also deleted all backups and restoring services would be an issue for the department.

They also claim to have exfiltrated 110GB of sensitive files, emails, and company data during the operation and trolled the company further stating it took forever to steal the data with the “chincy ass soviet connection” they were using for Internet connectivity.

“Federal Government: This will stop as soon as you cease all activity in Ukraine. Until then, fuck you. Your President is a coward who sends Russian sons away to die for his own ego. War in Ukraine will gain your country nothing but death and more sanctions. None of your internet facing tech is off limits to us.”
“We won’t stop until you stop.”

03 April 2022 – 04:24 UTC

ATW Release Dox of KILLNET Member

Similar to the personal details shared for various APT cyber groups in China, Russia, and North Korea, ATW targeted the pro-Russian cyber group, KILLNET. They released a dox containing the Russian national’s personal information, his social media, contact information, and familial associations.

KILLNET claimed to have launched cyberattacks against Polish government and financial networks in support of Putin’s invasion of Ukraine. Last week, KILLNET also reportedly conducted DDoS attacks against the international cyber police agency CYBERPOL and hacked the ticketing system at Bradley International Airport in Connecticut.

02 April 2022 – 17:28 UTC

Darknet Threat Actor, spectre123 Releases Sensitive Databases for the Indian Government and Military

The threat actor is well known for targeting governments and defence contractors and has been circulating sensitive government databases for some time. This weekend, they released a “mega leak” of Indian government data for the PM Modi administration’s “turning a blind eye to the humanitarian crisis… in Ukraine.”

Over 40 GB of data is included in 11 different archived files and includes classified (up to TOP SECRET) and Confidential government documents from the following sectors: ALISDA, DGAQA, MSQAA, DRDO, DDP, Joint Defence Secretary India, BSF, MOD and the Indian Navy.

“The Indian government has a remarkably twisted propensity towards turning a blind eye to the humanitarian crisis in their own nation and now as well in Ukraine. It continues to do business with Russia and refuses to speak on the war, all in an effort to maintain their shallow political interests. These documents have been released to show that there are consequences for taking such foolish decisions.”

02 April 2022 – 06:13 UTC

ATW | BH Claims to Leak Personal Details of Members of Nation State APT Cyber Groups: APT3, APT40, APT38, & APT28

The AgainstTheWest group continued their offensive against Chinese, North Korean, and Russian nation state cyber groups. Releasing a dox-style text file on Telegram and the deep web forum breached.co, the ATW group included the names, email addresses, social media and Github accounts, credit card data, front companies, and other identifying information about the groups’ participants, along with other shocking claims. Some include:

  • APT38: China and North Korea have collaboratively had a mole inside the United States Congress since 2011.
  • APT3: Threat actors are closely aligned with employees from Tencent – the Chinese technological giant behind WeChat and QQ.
  • APT38/APT3: The alias “ph4nt0m” appears in information for both groups and is believed to be affiliated with APT17 from China.
  • APT40: Threat actors are randomly connected to employees of ByteDance, the parent company for TikTok.

We are unfortunately unable to corroborate the veracity of the information shared by ATW (Blue Hornet).

01 April 2022 – 20:13 UTC

Anonymous Attacks Russian S-300 Supplier: Lipetsk Mechanical Plant

Anonymous shared another large archive of data stolen from a prominent Russian defense manufacturing facility. The archive is nearly 27GB total and consists of company emails and sensitive documents.

Russia’s “Lipetsk Mechanical Plant” produces several defense products for the Russian military and industrial defense complex. Today, the plant is one of the leading and main manufacturers of modernized self-propelled tractors for S-300V4 anti-aircraft missile systems in Russia. The S-300 is one of Russia’s premier air-defense platforms.

01 April 2022 – 16:00 UTC

Anonymous Leaks Multiple Data Archives From Critical Moscow-Based Organizations

Coordinating today through DDoSecrets on distribution, Anonymous shared several highly significant archives, consisting of over 500GB total of emails, files, and databases from critical Russian organizations with close ties to the Russian government.

  • Department for Church Charity and Social Service of the Russian Orthodox Church: Database containing 57,500 emails from the Russian Orthodox Church’s charitable wing.
  • Capital Legal Services: 200,000 emails exfiltrated from a prominent Russian law firm; an additional 89,000 emails are located in a “Purges” mailbox, consisting largely of bounced email notifications, cron jobs and other server notifications.
  • Mosekspertiza: Three archives consisting of a) 150,000 emails, b) 8,200 files and c) multiple databases, totalling over 400GB of data. Mosekspertiza is a state-owned company set up by the Moscow Chamber of Commerce to provide expert services and consultations to Russian businesses.

01 April 2022 – 08:56 UTC

GhostSec Wreaks Additional Havoc on Alibaba

After ATW attacked Alibaba Cloud days before, Ghost Security has allegedly hacked and deleted the ElasticSearch service database of Alibaba’s UAE branch. They included a link to the database extracted from the company on their Telegram channel.

“We have also deleted everything and even cleared the backups so there is no recovery, and we left a little celebration from us <3”

31 March 2022 – TIME UNKNOWN

German Wind Turbine Company Impacted by Cyberattack

A German wind turbine manufacturer – Nordex – with over $6 billion in global sales faced a cyberattack that incident responders caught “in the early stages.” It’s likely the attack is retaliation for Germany pausing the Nord Stream 2 natural gas pipeline deal with Russia.

“Customers, employees, and other stakeholders may be affected by the shutdown of several IT systems. The Nordex Group will provide further updates when more information is available.”

In the early days of the cyberwar, a cyberattack on the satellite communications company Viasat caused 5,800 Enercon wind turbines in Germany to malfunction.

31 March 2022 – 19:43 UTC

Anonymous Leaks 62,000 Emails from Moscow-Based Marathon Group

Anonymous again targets associates of those closest to Putin, launching recent cyberattacks against Marathon Group. The Marathon Group is an investment firm owned by Alexander Vinokurov. Vinokurov is the son-in-law of Russian Foreign Minister Sergei Lavrov and is under heavy sanctions by the EU for providing financial support to Russia. The leaked archive is over 51GB in size and is being distributed via DDoSecrets.

31 March 2022 – 14:31 UTC

Ukraine Government Sets Up Website for Whistleblower Reporting

The Ukrainian Prosecutor General’s Office, in coordination with the National Agency on Corruption Prevention and Task Force Ukraine, deployed the Whistleblower Portal on the Assets of Persons Involved in the Russian Aggression against Ukraine. The website is set up to provide a secure and anonymous method for the submission of tips and evidence of corruption or any activities causing national harm. The website will ideally help in the “tracing, freezing, and confiscating of assets of those involved in Russia’s War Crimes.”

Many OSINT sleuths have identified Russian oligarchs’ and government officials’ assets, like super yachts parked in international ports, and submitted photographs via posts on social media. This website could be used to officially report supporting information leading to the seizure of those assets, or other correlative intelligence obtained through leaks shared by Anonymous.

30 March 2022 – 22:09 UTC

Database Containing the PII of 56 Million Ukrainian Citizens Leaked on Deep Web

A user on the forum breached.co leaked an archive containing the personal identification information of over 56 million citizens of Ukraine. The database includes the full name, date of birth, and address of each individual. The origins of the data are unclear. Members of the forum stated it came from the Ukrainian Tax Service and could date back to 2018.

30 March 2022 – 21:53 UTC

ATW Continues Offensive Against China, Leaks Alibaba Cloud & Ministry of Justice of PRC Data

The AgainstTheWest/Blue Hornet group have ramped up their attacks against Chinese targets and leaked the largest archive they have exfiltrated to date. ATW successfully breached the e-commerce company Alibaba and have dropped a 30GB archive consisting of Alibaba’s cloud endpoint environment, source code, and customer data. They also released a smaller database obtained from the Ministry of Justice of the People’s Republic of China. Both were shared to the deep web forum, breached.co.

30 March 2022 – 19:49 UTC

Anonymous Continues to Encourage SCADA Attacks; Leaks Default Credentials for COTS Hardware Suppliers

Members of the Anonymous Collective are circulating spreadsheets and websites containing the default factory credentials for most commercial-off-the-shelf (COTS) vendor hardware. Such hardware is, in turn, often deployed in SCADA-based industrial control systems (ICS) and is frequently exploited in cyberattacks against them.

One list includes 138 unique products from manufacturers such as Emerson, General Electric, Hirschmann, and Schneider Electric, accompanied by default factory settings such as username: admin and password: default. Another resource is a surface web website (intentionally not included but available upon request) which lists 531 vendors and over 2,100 passwords shipped with hardware from the factory.

Sadly, most companies rely on the default passwords upon installation and do not bother to update them to a more robust credential security standard.

30 March 2022 – 18:19 UTC

Anonymous Leaks 5,500 Emails Stolen from Thozis Corporation

Anonymous successfully attacked Thozis Corporation – a Russian investment firm with links to Zakhar Smushkin of St. Petersburg. According to the Panama Papers, the company is registered in the British Virgin Islands. The firm is allegedly involved in one of the largest development projects in Russia, including a project to build a satellite city within St. Petersburg.

The trove of leaked emails likely includes sensitive documents and agreements between the Russian government, its societal elite, and other international entities.

DDoSecrets assisted in the publication of the 5.9GB archive obtained by Anonymous.

30 March 2022 – 17:55 UTC

GhostSec Leaks Shambala Casino Network Data

GhostSec claimed a few days ago they had successfully attacked a prominent casino operator in Russia, known as Shambala.

The hacktivist group targeted the casino as they believed members of the Russian government used Russian casinos to move cash into different currencies besides the Ruble. At least 27 computers were reportedly compromised, data exfiltrated, systems locked, and files erased.

29 March 2022 – 06:12 UTC

Russian Aviation Sector Suffers Additional IT Operational Impacts

A post shared on the Russian Telegram channel, Авиаторщина, indicates that the aviation industry of Russia will face additional impacts to its IT support with the withdrawal of the Swiss-based company SITA as of 29 March.

According to the Telegram post, SITA shutting down their operations will impact numerous systems utilized by the aviation industry and airlines across Russia.

“Products for pilots such as AIRCOM Datalink, AIRCOM FlightMessenger, AIRCOM FlightTracker, and AIRCOM Flight Planning services will no longer be available. Such software is utilized by airlines and flight crews to plan, perform aeronautical calculations and track flights, and more accurately calculate remaining fuel, flight time, etc.”

The company – choosing to withdraw from operating in Russia due to Putin’s invasion – suffered a significant cyberattack on 24 February, the same day as the invasion of Ukraine, resulting in the compromise of passenger data stored on their SITA Passenger Service System (US) Inc. servers. SITA supports numerous international air carriers.

This announcement comes within days of the cyberattack against Rosaviatsiya (see below), Russia’s Federal Air Transport Authority.

(Update 30 March – 23:42 UTC) No alias associated with Anonymous has claimed credit for the 28 March cyberattacks against Rosaviatsiya, which resulted in 65TB of lost agency data. Interestingly, new Anonymous groups have only recently joined the campaign, including RedCult, increasing the likelihood that widespread industry sector attacks will continue across Russia.

28 March 2022 – 18:23 UTC

nb65 Claims to Hack JSC Mosexpertiza; Steals 450GB of Sensitive Data

In a social media post, the nb65 hacktivist group claims they compromised Joint Stock Company (JSC) Mosexpertiza, Moscow’s independent center for expertise and certifications, via the domain mosekspertiza.ru.

They claim they also infected the domain with none other than Conti’s “crypto-locking ransomware variant”, released earlier this month in the opRussia campaign. In the process of hacking the network, nb65 also exfiltrated 450GB of emails, internal documents, and financial data.

28 March 2022 – 17:07 UTC

Anonymous Leaks 140,000 Emails from Russian Oil & Gas Company, MashOil

Distributed via DDoSecrets, the Anonymous hacktivist collective recently targeted MashOil, releasing over 140,000 sensitive corporate emails from the company.

Moscow-based MashOil manufactures equipment for hydraulic fracturing and enhanced oil recovery (EOR); injection, nitrogen and cementing equipment; top drive mobile drilling rigs; directional drilling equipment; and ejector well clean-up.

Anonymous continues to target companies in Russia and any companies that continue to contribute to economic and financial viability for the Russian Federation.

28 March 2022 – 12:41 UTC

Anonymous Leaks Russian Document Ordering Propaganda Video Development

Propaganda is widely circulated by both Ukrainian and Russian affiliated organizations. Anonymous has leaked an official Russian document, titled “On holding informational events on the Internet” and dated 21 March 2022, stating that this was an official “order issued” by the Russian government to develop videos discrediting the Ukrainian military and their treatment of prisoners of war (POWs). The order was signed by the “Temporary Minister of Defense of the Russian Federation”, Dmitry Bulgakov, and decrees:

  1. Develop and distribute a series of video materials demonstrating the inhuman behavior of the military personnel of the Armed Forces of Ukraine and nationalist formations on the territory of Ukraine in relation to prisoners who showed a voluntary desire to surrender
  2. Develop and distribute sermographic materials, evidence of the use of briefings by captured military personnel of the Armed Forces of the Russian Federation during the filming
  3. Provide informational support for materials in the comments, the main argument is the violation of the Geneva Convention on the Treatment of Prisoners
  4. To impose control over the implementation of this order on the head of the Information Warfare and Disguise Department of the Ministry of Defense of the Russian Federation

(UPDATE 29 March 2022 – 20:56 UTC) DarkOwl advises that recent open source intelligence research suggests this letter could be fake and disseminated as part of an information operations campaign. Researchers caught signature mismatches for the Russian official, Bulgakov. Such data is a reality in the fog of asymmetric warfare.

28 March 2022 – 11:58 UTC

Ukrainian Defense Intelligence Doxxes 620 Russian FSB Agents

The Ukrainian Military Intelligence Agency of the Ministry of Defence of Ukraine, known simply as Defence Intelligence of Ukraine or GUR, has leaked the identities of over 600 Russian FSB spies. The database includes the agents’ full names, dates of birth, passport numbers, passport dates of issue, registration addresses, as well as other identifying markers for the FSB employees.

Many of these agents may be conducting covert operations around the world and leaking their identities may compromise the success of their operations.

28 March 2022 – 11:05 UTC

ATW (BH) Targets Chinese Companies and Government Organizations

After a brief vacation announced on 23 March, the AgainstTheWest (Blue_Hornet) group returns with concerted attacks against a number of Chinese companies and government organizations. The group claims they successfully attacked the following:

  • Fenglian Technology-Digital Ecological Platform Solution
  • Bluetopo China security development tool
  • China Pat Intellectual Property
  • Weipass
  • Ministry of Transport China
  • Freemud Software (supplier to Starbucks)
  • China Joint Convention Committee.

The group also referenced a supply-chain software dependency attack, via a poisoned burgeon-r3 NPM package.

Shortly after the announcement and initial round of leaks, the group also released source code affiliated with China Guangfa Bank, along with associated Maven releases. The group also claims to have breached the Chinese social messaging platform, WeChat.

We are still evaluating the data and determining the specific types of data compromised and released.

28 March 2022 – 03:22 UTC

Russian Federal Air Transport Agency, Rosaviatsiya Confirms CyberAttack; 65TB of Data Erased

The civil aviation agency Rosaviatsiya, responsible for air cargo transportation, confirmed in a letter shared on the Russian Telegram channel Авиаторщина that their website domain favt.ru had been offline since Saturday due to a significant cyberattack. The attacks had severely impacted their ability to plan and conduct flight operations, and the agency had resorted to pen-and-paper operations in the interim.

The notice stated that over 65TB of emails, files and critical documents had allegedly been erased, along with the registry of aircraft and aviation personnel. There were no system backups to restore from because, according to the agency spokesperson, the Ministry of Finance had not allocated funds to purchase backups.

“All incoming and outgoing emails for 1.5 years have been lost. We don’t know how to work…”
“The attack occurred due to poor-quality performance of contractual obligations on the part of the company LLC ‘InfAvia’, which carries out the operation of the IT infrastructure of the Federal Air Transport Agency.”

27 March 2022 – 20:44 UTC

Anonymous Leaks 2.4GB of Emails from Russian Construction Company, RostProekt

Over the weekend, DDoSecrets helped Anonymous distribute over 2 gigabytes of sensitive company emails exfiltrated by breaching a prominent Russian construction company, RostProekt (in Russian: РостПроект). The company primarily operates in Russia, with the head office in Moscow Oblast. RostProekt is a primary contributor to Russia’s lumber and other construction materials merchant wholesalers sector. The breach may impact construction projects in the country.

As of time of writing, the website for the company is online.

25 March 2022 – 20:36 UTC

nb65 Leaks Sample Internal Data from the All-Russian State Television and Radio Broadcasting Company (VGTRK)

The nb65 hacktivist team targeted and released data affiliated with a state-sponsored propaganda broadcasting company of the Russian Federation, VGTRK. The All-Russia State Television and Radio Broadcasting Company, also known as Russian Television and Radio (native: Всероссийская государственная телевизионная и радиовещательная компания) owns and operates five national television stations, two international networks, five radio stations, and over 80 regional TV and radio networks. It also runs the information agency Rossiya Segodnya.

nb65 claims they have successfully compromised the organization’s network and exfiltrated over 750GB of data, much of which consists of employee email (.pst) files from the company’s email network. The group claims to be ‘watching’ for their ‘eventual incident response.’

The group continued to troll the organization…

“Your blue team kinda sucks. Hard to find good IT help when all your techies are fleeing the country, eh?”

25 March 2022 – 18:36 UTC

Anonymous Releases Files Exfiltrated from the Central Bank of Russia

Anonymous has released data the hacktivists collected while conducting attacks against the Central Bank of Russia. The archive, broken up into 10 separate parts, consists of over 25GB of archived data comprising over 35,000 files of sensitive bank data. Earlier in the campaign, we observed several posts on the deep web containing targeting information for the bank, e.g. domains, IP addresses, etc.

24 March 2022 – 20:49 UTC

GNG Claims to Hack Russian Mail Server, mail.ru

Georgia’s Society of Hackers (GNG) announced today that they successfully attacked Russia’s equivalent to Gmail, mail.ru, including its maps.mail.ru subdomain. The hacktivist group is in the process of exfiltrating the data and will provide the detailed data dump in the next few days.

As of time of writing this, the maps.mail.ru website is online and operational.

24 March 2022 – 14:11 UTC

Anonymous Shares Proof of Hacked ATMs in Russia

Earlier today, users at what appears to be a Sberbank ATM reportedly located in Russia experienced technical errors when selecting the Russian language on the screen. Upon selection, the ATM monitor quickly flashes to the Ukrainian flag and the words Glory to Ukraine (Слава Україні!). See the captured video here.

ATM malware is widely circulated on the darknet and used extensively in the fraud and financial crime communities.

24 March 2022 – 10:43 UTC

Pro-Russian Killnet Launches Anonymous-Style Campaign Against Ukraine – Targets Poland and NATO

The pro-Russian cyber threat actor group Killnet has been conducting attacks against Ukraine for several weeks and has stepped up its demands and threats against Ukraine and western Europe. Today, they released a video on social media mirroring the ominous messaging of an Anonymous-style video, with the Russian flag in the background. During the video, the group stated they would attack targets in Poland for its assistance to the Ukrainian government during the invasion. They recently also posted specific targeting information for the National Bank of Poland on their Telegram channel.

“…together with the Russian cyber army, we disabled 57 state websites of the Kiev regime, 19 websites of nationalist parties…”

The group also referred to the Colonial Pipeline attack in the US from May 2021.

[translated] “Let’s remember American gas company attack, which resulted in 40% paralyzed infrastructure of America for few days.”

23 March 2022 – 16:45 UTC

AnonGhost Claims to Hack Russian Street Lighting System and Drops Proofs of Access to Moxa Industrial Wireless Networking Infrastructure

AnonGhost, known for their attacks against industrial control systems, continued their campaign against Russia by targeting the МонтажРегионСтрой г. Рязань street light control system. They stated they successfully shut off the street lights at 19:35 Moscow time and that it was a “gorgeous show.”

Shortly before announcing the breach of the lighting control panel, AnonGhost also provided proof of access to Moxa (moxa.com) industrial networking devices. They leaked proof of access to router information for an industrial wireless Moxa device and its associated OnCell specifications, along with defacement of the device’s name, description, and login message.

In addition to the proofs they linked to a pastebin file containing over 100 Russian Moxa IP addresses for additional targeting.

It’s unclear where the Moxa device compromise is physically located or whether the Moxa compromise provides direct access to the streetlight control system.

23 March 2022 – 02:44 UTC

BeeHive Cybersecurity Claims They Are Running Ransomware Campaigns Against Russian Targets

When one thought they only hijacked Discord users and trolled pro-Russian ‘hackers’ like @a_lead_1, BeeHive Cybersecurity claims they have been quiet because they are running ransomware operations against targets across Russia.

“Oh, in case you guys were curious why we’ve been so quiet. May or may not have a new #ransomware operation running in Ru right now. Alas, we find allies quicker than Putin finds ways to invade Ukraine. We’ll have more details soon but…consider this the public disclosure.”

This would not be the first Russia-specific ransomware variant to emerge. According to Trend Micro, RURansom was detected targeting Russia-specific devices, using AES-CBC encryption with a hard-coded salt. Another recently detected ransomware variant, known as “Antiwar”, appends the file extension “putinwillburninhell” to encrypted files.

22 March 2022 – 19:14 UTC

ATW (Blue Hornet) Compromises Russia’s Hydrometeorology and Environmental Monitoring Service with Bitbucket

The AgainstTheWest / Blue Hornet team has recently leaked several internal documents from Russia’s Hydrometeorology and Environmental Monitoring service (spelled by the threat actors as ROSHYDRO). According to open sources, the monitoring service is hosted on the meteorf.ru domain. The data leak consists of 45 PDF files containing historical software change descriptions and feature requests from the organization’s internal software development tracking system. ATW refers to a superadmin account for the GIS FEB RAS Team on Bitbucket in the leak.

21 March 2022 – 22:44 UTC

ATW Returns to Campaign with Attacks Against Almaz-Antey

After a disruption in the ATW team’s cyber activities due to personal issues, the ATW/Blue Hornet team returns, leaking a 9GB archive of data allegedly exfiltrated by breaching Almaz-Antey’s corporate networks. The data leak includes employee login data, multiple documents containing PII, confidential and classified intellectual property, schematics, and SQL database files.

Almaz-Antey (Russian: ОАО “Концерн ВКО “Алмаз-Антей”) is one of Russia’s largest defense and arms enterprises, known for the development of Russian anti-aircraft defense systems, cruise missiles, radar systems, artillery shells, and UAVs.

21 March 2022 – 15:26 UTC

Anonymous Targets Russian Software Developer, naumen.ru

Hacktivists from the Anonymous collective have leaked data exfiltrated from Naumen, a software vendor and cloud services provider in Moscow. The company markets itself as “world class IT solutions fully adapted to the Russian market” and lists several prominent international companies as partners. The leaked data consists of an SQL database containing thousands of usernames, email addresses, hashed passwords, and associated PII. The specific purpose and origins of the database from inside Naumen is unclear, but partner companies could experience supply chain / vendor risk issues.

21 March 2022 – 03:27 UTC

KelvinSec Targets Nestle for Continued Commercial Operations in Russia

The KelvinSec ‘hacking’ team has reportedly compromised Nestle in retaliation for continuing to operate and distribute its products in Russia. The group leaked multiple databases from Nestle consisting of customer entity data, orders, payment information, and passwords (10 GB total). The group insisted it is a “partial” database leak and that more data may be released in the future.

Nestle defended its business decision after President Zelenskyy called the company out to protestors on Saturday night in Bern, Switzerland.

(Update 3/22 – 01:48 UTC) Anonymous issued a warning giving a number of US companies 48 hours’ notice to pull out of Russia or become targets of the #opRussia cyber offensive campaign. Example corporations include Subway, Chevron, General Mills, Burger King, Citrix, and Cloudflare.

20 March 2022 – 23:33 UTC

Anonymous Compromises Russian Social Media VK to Send Message to Millions

Anonymous accessed VK’s messaging platform and sent direct messages to over 12 million Russian users of the social media app. The message, written in Russian, speaks to the realities of the war in Ukraine and the demise of the Russian economy, and warns that users displaying the Russian “Z” insignia as their profile avatar will be targeted by international authorities.

VK users have shared screenshots of the message they received, confirming that the campaign on VK occurred.

20 March 2022 – 15:32 UTC

GhostSec Leaks Military Asset Monitoring System and More from Russian Networks

The leak includes data exfiltrated from a military operational readiness monitoring website (orf-monitor.com), including inventory tracking of key Russian military assets; data from a Russian investment company that includes recent Chinese contract data; and technical data from the Russian defense contractor Kronshtadt, including computational specifications for its UAVs and military operational doctrine.

GhostSec teased on their Telegram channel that more data was coming and that the archive they shared was a sample of a much bigger dataset.

20 March 2022 – 13:40 UTC

Honest Railworkers in Belarus Help Stop Lines Going to Ukraine

According to open source reporting and the hacktivist group known as Cyber Partisans, the railways going out of Belarus into Ukraine have stopped. Earlier in the campaign, Cyber Partisans disrupted rail operations in Belarus using cyber attacks against ticketing systems and switching systems; however, others report that the rails are inoperable due to “honest railworkers” who do not want to see Belarus military equipment transported into Ukraine for use in this war. (Source)

“I recently appealed to Belarusian railway workers not to carry out criminal orders and not transport Russian military forces in the direction of Ukraine. At the present moment, I can say that there is no railway connection between Ukraine and Belarus. I cannot discuss details, but I am grateful to Belarus’s railway workers for what they are doing” – Oleksandr Kamyshin, director of the Ukrzaliznytsya state railroad

20 March 2022 – 10:28 UTC

Arvin Club Takes Down STORMOUS Ransomware’s Tor Onion Service

Shortly after the STORMOUS ransomware gang set up a Tor onion service, the Arvin Club ransomware group compromised the site and leaked its SQL databases, including the server’s information and performance schemas. It is unclear whether this attack was a response to STORMOUS’s pro-Russian allegiance or whether Arvin merely wanted to teach the cyber criminals a lesson in setting up secure sites on the darknet.

The STORMOUS ransomware group had previously operated only on Telegram.

(UPDATE) As of 3/22 the Tor service is still offline.

20 March 2022 – 02:18 UTC

Anonymous Leaks Database from Russian Aerospace Company Utair

Hacktivists from the Anonymous collective have released the customer database of Russia’s Utair airlines (Russian: ОАО «Авиакомпания «ЮТэйр»). The JSON export appears to predate the 2022 #opRussia campaign, as the MongoDB dump is dated 2019. The records contain personal data for over 530,000 clients of Utair’s services.

18 March 2022 – 21:29 UTC

nB65 Leaks Data from Russian Space Agency

After a disappointing trolling exercise against Kaspersky, the nb65 hacktivist group returned with data leaks from Russia’s space agency, Roscosmos. The group claims it still has persistent access to the agency’s vehicle management system and leaked the IP address of the compromised network as proof of access. The leaked archive consists of over 360 MB of user and operations manuals, along with solar observatory logs.

Hours earlier, the group also claimed to have compromised tensor.ru and leaked 1.6 GB of emails from a corporate mailbox of the Russian digital-signature company.

18 March 2022 – 15:39 UTC

Russia Targets Ukraine Red Cross Website in Cyber Attack

The Ukrainian Red Cross reported that its web server was hacked, likely by pro-Russian cyber threat actors. The website domain, redcross.org.ua, is currently offline with the statement “account disabled by administrator.”

The Ukrainian Red Cross stated on social media that no personal data of beneficiaries stored on the website was compromised by the cyber attack.

Ukrainian Red Cross staff and volunteers are busy providing medical aid and support to vulnerable and wounded Ukrainian civilians across the country as the Russian military continues its barrage of cruise missile strikes.

17 March 2022 – 11:43 UTC

AnonGhost Leaks Screenshots of GNSS Satellite Hacks Along with IP Addresses

AnonGhost shared several screenshots as proof of attacks against Trimble GNSS receiver interfaces located in Russia. Trimble manufactures ground receivers, not satellites, so the “satellite hack” claim should be read as access to Internet-exposed receiver management interfaces. The group claimed on social media that other “fake Anonymous” accounts had taken credit for the operation. They also leaked 48 unique IP addresses associated with the GNSS equipment. The group did not specify the nature of the attacks against the Russian assets.

17 March 2022 – 09:23 UTC

Anonymous Claims to Have Located Putin’s Bunker

Using OSINT analysis of satellite imagery, topography, and landmark comparisons such as rivers and power plants, the Anonymous community claims to have located President Putin’s bunker. There is no means to verify the accuracy of these assertions.

cred: @paaja6 & @IamMrGrey2

17 March 2022 – 03:58 UTC

Anonymous Leaks 79 GBs of Emails from R&D Department of Transneft – OMEGA

DDoSecrets released the data on behalf of Anonymous hackers operating in cyber campaigns against Russia. Anonymous compromised email inboxes of OMEGA Company, the R&D arm of Russia’s state-controlled pipeline company Transneft [Транснефть]. Transneft is the world’s largest oil pipeline company, with over 70,000 kilometres (43,000 miles) of trunk pipelines, and transports an estimated 80% of the oil and 30% of the oil products produced in Russia. The emails cover the accounts’ most recent activity, including the period after the introduction of US sanctions on February 25, 2022, and some of them reflect the effects of those sanctions.

16 March 2022 – 10:47 UTC

Russian Foreign Intelligence Service (SVR) Requests Information via Tor

Russia’s external intelligence agency has issued instructions on how to establish secure communications via its Virtual Reception System (VRS) to relay any threats to the Russian Federation. The call for leads, found on svr.gov.ru, explains how to install the Tor anonymity network, gives the v3 .onion address of the secure communications system, and advises informants to use PGP to further encrypt the contents of any message provided.
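Because a v3 onion address embeds its own checksum, anyone given such an address can at least confirm it is structurally valid before trusting it. The following is an added example, not code from the SVR page or from the Tor project: it encodes and checks the v3 layout (base32 of a 32-byte Ed25519 public key, a 2-byte SHA3-256 checksum, and version byte 0x03, giving 56 characters). The key bytes in demo_address() are constructed for illustration; a passing check says nothing about who controls the key behind an address.

```python
"""Structural check of a Tor v3 onion address (added example, not the SVR's or Tor's code)."""
import base64
import hashlib

ONION_V3_VERSION = b"\x03"
_CHECKSUM_PREFIX = b".onion checksum"


def _checksum(pubkey: bytes) -> bytes:
    # Tor rend-spec-v3: CHECKSUM = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2]
    return hashlib.sha3_256(_CHECKSUM_PREFIX + pubkey + ONION_V3_VERSION).digest()[:2]


def encode_onion_v3(pubkey: bytes) -> str:
    """Build the address for a 32-byte Ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("Ed25519 public key must be 32 bytes")
    raw = pubkey + _checksum(pubkey) + ONION_V3_VERSION  # 35 bytes -> 56 base32 chars
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion_v3(address: str):
    """Return the embedded public key if the address is a well-formed v3 onion, else None."""
    addr = address.strip().lower()
    if addr.endswith(".onion"):
        addr = addr[: -len(".onion")]
    if len(addr) != 56:          # v2 addresses were 16 chars; anything else is malformed
        return None
    try:
        raw = base64.b32decode(addr.upper())
    except ValueError:           # binascii.Error is a ValueError subclass
        return None
    if len(raw) != 35:
        return None
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_V3_VERSION or checksum != _checksum(pubkey):
        return None
    return pubkey


def is_onion_v3(address: str) -> bool:
    return parse_onion_v3(address) is not None


def demo_address() -> str:
    # Constructed key material for the example; not a real service key.
    return encode_onion_v3(bytes(range(32)))


if __name__ == "__main__":
    a = demo_address()
    print(a, is_onion_v3(a))
    print(is_onion_v3("facebookcorewwwi.onion"))  # v2 layout, rejected
```

A lookalike address that differs in any character fails the checksum, which is why a published onion address should be compared in full rather than by its first few characters.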

“If you are outside Russia and have important information regarding urgent threats to the security of the Russian Federation, you can safely and anonymously share it with us via the virtual reception system (VRS) of the SVR over the TOR network.”
If you are in a hostile environment and/or have reasons to worry about your security, do not use a device (smartphone, computer) registered to you or associated in any way with you or people from your personal settings for network access. Relate the importance of the information you want to send us with the security measures you are taking to protect yourself!

15 March 2022 – 11:48 UTC

Pro-Russian Group Xaknet Threatens to Attack Critical Infrastructure Information Centers

“We cannot endlessly give you ‘lessons of politeness.’ We demand the cessation of hacker attacks against Russian infrastructures, we demand the cessation of the activities of information centers for the dissemination of fakes.
In case of refusal, we will be forced to use the most sophisticated methods, and reserve the right to act as the enemy does. Critical information infrastructure facilities will become a priority target for the group. All work will be aimed at the complete destabilization of the activities of the aforementioned CIIs.”

It is unclear from the threat which specific websites or services the group considers critical information infrastructure. The IT Army of Ukraine’s information operations extend across nearly all social media platforms and communication channels reaching Russia, so the set of potential targets is broad.

15 March 2022 – 07:19 UTC

User on Telegram Leaks New Letter from FSB

A user on a pro-Ukrainian Telegram channel (name redacted) has released a new letter, reportedly from an FSB officer, translated into English.

“The temperature has really risen here, it’s hot and uncomfortable. I won’t be able to communicate for some time here in the future. I hope we can chat normally again in a few days. There are a lot of things that I have to share with you…
The questions are raised by the FSO (Federal Protective Service of the Russian Federation, aka Putin’s Praetorian Guard) and the DKVR (Russian Military Counterintelligence Department). It is precisely the DKVR that is mounted on horseback and is looking for “moles” and traitors here (FSB) and in the Genstaff (General Staff of the Armed Forces of the Russian Federation) regarding leaks of Russian column movements in Ukraine. Now the task of each structure is to transfer the fault to others and to make the guilt of others more visible. Almost all members of the FSB are busy with this task at the moment.

The focus is on us more than others at the moment, due to the hellish circumstances regarding the intra-political situation in Ukraine: We (the FSB) have released reports that at least 2,000 trained civilians in every major city of Ukraine were ready to overthrow Zelensky (President of Ukraine). And that at least 5,000 civilians were ready to come out with flags against Zelensky at the call of Russia. You want to laugh? We (FSB) were supposed to be the judges to crown Ukrainian politicians who were supposed to start tearing each other apart arguing for the right to be called “Russia’s allies.” We even set criteria on how to select the brightest of the most competent (among Ukrainian politicians). Of course, some concerns have been raised about the possibility that we may not be able to attract a large number of people (Ukrainian politicians) to Western Ukraine, to small towns and to Lvov itself. What do we actually have? Berdyansk, Kherson, Mariupol, Kharkiv are the most populated pro-Russian areas (and there is no support for Russia even there). A plan can fall apart, a plan can be wrong. A plan can give a result of 90%, even 50%, or 10%. And that would be a total failure. Here it is 0.0%.

There is also a question: “How did this happen?” This question is actually a (misleading) trap. Because 0.0% is an estimate derived from many years of work by very serious (high-ranking) officials.
And now it turns out that they are either agents of the enemy or simply incomprehensible (according to the FSO / DKVR who are now looking for “moles” within the FSB).

But the question does not end there. If they are so bad, then who appointed them and who controlled their work? It turns out that they are people of the same quality but of a higher rank. And where does this pyramid of responsibilities stop? At the boss (Putin).
And this is where the evil games begin: Our dear Александр Васильевич (Alexander Vasilyevich Bortnikov – Director of the whole FSB) cannot fail to understand how badly he got caught. (Bortnikov realizes the deep mess he is in now)

And our evil spirits from the GRU (Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation) and the SVR (Foreign Intelligence Service – equivalent to the CIA) understand everything [and not only from these two organizations]. The situation is so bad that there are no limits to the possible variations (of events that will happen), but something extraordinary is going to happen.”

Shortly after a first letter from an FSB whistleblower surfaced around 5 March, Putin quietly placed the head of the FSB’s Fifth Service, Sergei Beseda, and his deputy under house arrest last Sunday. Officially the arrests were for embezzlement, but according to open-source reports the “real reason is unreliable, incomplete, and partially false information about the political situation in Ukraine,” and Putin is holding them responsible for Ukraine’s success in resisting the invasion thus far.

14 March 2022 – 12:00 UTC

Russian State Duma of the Federal Assembly Confirms Censorship of VPNs

Calling it “a difficult task,” Alexander Khinshtein, chairman of the State Duma Committee on Information Policy, commented that Russia’s media regulator and censor, Roskomnadzor, has been tasked with blocking over two dozen VPNs [virtual private networks] across Russia. (Source)

We anticipate that number to increase as Putin continues to crack down on Russian citizens’ media consumption.

VPNs have been targeted by Russian authorities since 2017, when an initial VPN law was passed. In 2019 many of the VPN providers across Russia received compliance demands from Roskomnadzor representatives via email – captured in the image below.

The demand for VPNs in the country has reportedly increased by over 2,000% in the last month. Users on Telegram encourage widespread use of anonymity tools like VPNs and Tor, and share links to VPN services still in operation and accessible in the region. Many of the VPNs are available via Telegram directly and offer free trial subscriptions to Russian users.

14 March 2022

Russian Cyber Actors Setup IT Army of Russia Group

The collective of cyber threat actors self-identifies as the “IT Army of Russia”, mirroring the IT Army of Ukraine Telegram initiative, and claims to have targeted critical Ukrainian services with DDoS attacks. The group has fewer than 100 subscribers, and many of its members are affiliated with the Killnet forum.

The group recently posted a detailed dox containing personal information for President Volodymyr Zelenskyy [in Ukrainian: Володимир Олександрович Зеленський]. The dossier contains specific information such as his date of birth, passport number, car registration details, and familial associations.

13 March 2022 – 09:31 UTC

Anonymous Germany Exfiltrates Data from Russian Rosneft Operations in Germany

An Anonymous hacktivist group from Germany, referring to themselves as “AnonLeaks,” had access to the networks of Rosneft’s German subsidiary for almost two weeks and exfiltrated over 20 terabytes of corporate data. According to a preliminary review, the data consists of laptop backups, virtual disk images, Excel files, work instructions, and other operational information for the refinery.

Anonymous Germany emphasizes that they did not have access to critical infrastructure in Germany, and that the intent of their operation was not to access or compromise the refinery’s critical infrastructure in any way.

Rosneft Deutschland is Germany’s third-largest petroleum refiner, processing roughly 12.5 million tons of crude oil per year.

(Update) Details of the leaked data have appeared on a dedicated Tor darknet service set up by the hacktivists.

13 March 2022 – 07:19 UTC

nB65 Claims to Be Jonathan Scott, a US-based Malware Researcher

Since the invasion, a social media account reportedly affiliated with the group nB65 was extremely active in sharing its leaks and targets across Russian networks, including claims of accessing the Roscosmos space agency. Most recently, the account stated it had access to Kaspersky’s source code, with many teasers in the hours leading up to what amounted to a disappointing dump of publicly available code from the Russian antivirus software developer. The group essentially trolled Kaspersky and received heavy criticism from the information security research community.

The owner of the group’s Twitter account claimed today to be, in real life, Jonathan Scott, a US-based Computer Science PhD student researching mobile spyware and IoT malware. Shortly after, the group’s Twitter account was deleted.

11 March 2022 – 06:25 UTC

GhostSec Claims to Access, Shutdown, and Deface Control Panel of Russian ICS via SCADA Attack

GhostSec continues its offensive against Russian critical infrastructure with attacks affecting industrial control systems. Today the group claimed it successfully accessed an unidentified Russian industrial control system, defaced the control panel, and shut the system down. They also stated they deleted the backups to make restoring service more difficult.

They included the screenshot below, which appears to show a typical ICS control panel. The name and location of the network were not identified, so the claim cannot be independently verified.

11 March 2022 – 01:34 UTC

BeeHive Cybersecurity Enters Campaign and Targets Pro-Russian Discord Users

A pro-Ukrainian group, known as “BeeHive Cybersecurity” claims to have attacked over 2,700 pro-Russian Discord users, compromising their accounts and defacing their profiles with statements about the realities in Ukraine posted in English, Ukrainian, and Russian.

The group insinuates that they “CnC [command and control] the platforms of the ignorant” and use compromised devices to help combat disinformation.

10 March 2022 – 12:30 UTC

KelvinSec Leaks Private Chats from Darknet Tor Service: Database Market

KelvinSec, a pro-Ukrainian cyber threat actor on the darknet, has leaked 3,178 files containing private chats from DATABASE Market. DATABASE is a relatively newly launched service on Tor where carding and fraud cyber-criminals congregate and transact.

The service is allegedly hosted by IT Resheniya on an IP address the group published. KelvinSec reported they infiltrated the market via an insecure direct object reference vulnerability, commonly called “IDOR”: the site exposed objects such as chats by a predictable identifier and did not check that the requesting account was entitled to the object, so an attacker could read other users’ data simply by changing the identifier in a request.
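The following added example illustrates the IDOR class described above in plain Python; it is not KelvinSec’s exploit or code from DATABASE Market, and the message store, user names and sequential ids are constructed for illustration. It shows the vulnerable lookup, the hardened lookup that authorizes the object against the session, and a per-session indirect reference map that removes the guessable id space altogether.

```python
"""IDOR: vulnerable object lookup beside two hardened forms (added example, constructed data)."""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    msg_id: int
    owner: str
    body: str


# Constructed sample store: sequential ids, as many web apps expose them in URLs.
MESSAGES = {
    101: Message(101, "alice", "meet at the usual place"),
    102: Message(102, "bob", "invoice attached"),
    103: Message(103, "alice", "second message"),
}


class Forbidden(Exception):
    pass


def get_message_vulnerable(session_user: str, msg_id: int) -> Message:
    """Trusts the id from the request and never checks ownership:
    any logged-in user can walk 101, 102, 103, ... and read every chat."""
    return MESSAGES[msg_id]


def get_message_hardened(session_user: str, msg_id: int) -> Message:
    """Loads the object, then authorizes it against the server-side session.
    A missing object and a foreign object produce the same error, so the
    response does not act as an oracle for which ids exist."""
    msg = MESSAGES.get(msg_id)
    if msg is None or msg.owner != session_user:
        raise Forbidden(f"no such message for {session_user}")
    return msg


def enumerate_as(handler, session_user: str, id_range) -> list:
    """Simulates an attacker walking the id space; returns owners of whatever leaks."""
    found = []
    for i in id_range:
        try:
            found.append(handler(session_user, i).owner)
        except (KeyError, Forbidden):
            pass
    return found


class ReferenceMap:
    """Indirect references: each session gets random handles for the objects it
    may see, so there is no global id to increment. Ownership is still bound
    to the session, so a handle stolen from one user is useless to another."""

    def __init__(self):
        self._handles = {}

    def handle_for(self, session_user: str, msg_id: int) -> str:
        handle = secrets.token_urlsafe(16)
        self._handles[(session_user, handle)] = msg_id
        return handle

    def resolve(self, session_user: str, handle: str) -> Message:
        try:
            return MESSAGES[self._handles[(session_user, handle)]]
        except KeyError:
            raise Forbidden("unknown handle")


def try_resolve(refmap: ReferenceMap, session_user: str, handle: str):
    """Returns the Message or None; convenience wrapper for callers and tests."""
    try:
        return refmap.resolve(session_user, handle)
    except Forbidden:
        return None


if __name__ == "__main__":
    print("vulnerable:", enumerate_as(get_message_vulnerable, "mallory", range(100, 110)))
    print("hardened:  ", enumerate_as(get_message_hardened, "mallory", range(100, 110)))
```

The authorization check belongs on every object access path (API, export, attachment download), not only on the page that lists a user’s own objects; IDOR usually survives in the secondary endpoints.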

The compromised Tor service is still active as of time of writing.

10 March 2022 – 11:24 UTC

DDoSecrets Leaks Over 800GB of Data from Russian Media Censor, Roskomnadzor

The whistleblower leak site DDoSecrets has obtained 360,000 files from Роскомнадзор (Roskomnadzor) via hacktivists from the Anonymous campaign against Russia. Roskomnadzor is the Russian state agency responsible for monitoring, controlling and censoring Russian mass media, and for the recent blocking of Facebook, Twitter, and YouTube. The two-part dataset totals over 800 GB, including files, emails, and information about the agency’s operations.

10 March 2022 – 08:35 UTC

GhostSec Hits Hundreds of Printers Across Russia

GhostSec reportedly hacked hundreds of printers across Russia to spread its message about the realities in Ukraine, tagging the announcement on its Telegram channel with an obscure 4chan meme, “Hey Russia do you liek mudkipz?”. The group stated it is targeting Russian government and military networks with the printer exploit.

9 March 2022 – 20:05 UTC

Pro-Russian Group, devilix-EU Joins Campaign Against Ukraine and the US

Late last week, a new pro-Russian persona appeared on social media and began sharing pro-Russia propaganda, pro-Trump rhetoric, and counter-#opRussia Anonymous content. Over the last five days, they have ramped up their attacks, claiming to have compromised AWS instances and Microsoft IIS systems and to have performed BGP hijacking, with mentions of several US-based IP addresses.

The group makes further claims that they’re named after their own custom ransomware, “DEVILIX shark.”

DEVILIX named as me is one of the strongest viruses on the world DEVILIX shark is ransomware which can do anything we can create BotNet. where we want. Just a Simple but it’s not.

They most recently shared their thoughts about the cyber war in Russian, declaring that this was not about Ukraine and Russia, but the US and NATO and their intent to keep Russia and Ukraine divided.

Я вижу, что речь идет о двух сторонах, России и Украине. Почему мы разделены из-за политики? Разве вы не видите, что здесь делает Запад и хочет, чтобы мы были разделены. НАТО избежало конфликтов, и теперь привет! Слава России

[Google Translate]

I see that we are talking about two sides, Russia and Ukraine. Why are we divided because of politics? Don’t you see what the West is doing here and wants us to be divided. NATO has avoided conflicts, and now hello! Glory to Russia

8 March 2022 – 21:05 UTC

Anonymous Hacks Hundreds of Russian Security Cameras, Many Affiliated with Russian Government Ministries

Hacktivists from the Anonymous collective successfully tapped the security camera feeds of hundreds of retail businesses, restaurants, schools, and government installations across Russia. They set up a website to share the leaked camera feeds, some of which turned out to be from sensitive security offices. Anonymous also defaced the security camera displays with the message:

Putin is killing children
352 Ukrainian civilians dead
Russia lied to 200rf.com
Slava Ukraini! Hacked by Anonymous

8 March 2022 – 18:34 UTC

nb65 Group Claims to Have Acquired Kaspersky’s Source Code

After keeping quiet for several days, the group sent out mysterious posts across social media claiming to have accessed Kaspersky source code and found “interesting relationships” in this code.

They also claimed it was “sloppier than Putin’s invasion.”

7 March 2022 – 17:31 UTC

22nd Member of Notorious TrickBot Gang Doxxed

The pro-Ukrainian affiliate of the Trickbot cybercriminal empire has leaked the personal identity of 22 key members of the gang along with private chats between group members. Since the 4th of March, DarkOwl has seen the following aliases mentioned: baget, strix, fire, liam, mushroom, manuel, verto, weldon, zulas, naned, angelo, basil, hector, frog, core, rocco, allen, cypher, flip, dar, and gabr.

7 March 2022 – 13:01 UTC

Digital Cobra Gang Claims 49 “A-Groups” Led by Conti and Cobra Are Attacking American Cyberspace

The Pro-Russian group entered the campaign shortly after Anonymous started #opRussia (28 Feb) with the statement:

“DIGITAL COBRA GANG DCG has officially declared cyber war on hackers who attacking Russia as well and to protect justice”

They have given little indication of success, other than inflated claims to have acquired over 92 TB of US military personnel files; no proof has been published.

Earlier today, they posted that members of Conti were helping and that 49 “A-team” groups were hacking America.

(9 March 2022) – US AWS and Azure cloud platforms have experienced higher than normal traffic on the network but no major disruptions.

7 March 2022 – 06:44 UTC

RedBanditsRU Leaks Russian Electrical Grid Source Code Data

The pro-Russian group, originally assembled to counter-hack Anonymous and other cyber actors targeting Russian organizations, posted today that it is leaking the source code of Rosseti Centre’s [mrsk-1[.]ru] electrical grid networking infrastructure. Rosseti Centre supplies electricity to more than 13 million people in the regions of Russia’s Central Federal District.

The group says it is sharing this information because it believes Putin and his supporters are “leading this country to an apocalypse state.”

DarkOwl warns that security researchers opening these archives should always use an isolated sandbox environment, since leaks of this kind may contain malware.

7 March 2022 – 04:55 UTC

AgainstTheWest (ATW) Returns to the Fight and Drops Multiple Leaks of Russian Corporate Data

In the last 24 hours, ATW dropped URLs for at least 7 leaks corresponding to various Russian technical companies and organizations, reportedly breached by the cybercriminal group. ATW’s participation in the campaign has been controversial as they have had multiple dramatic departures and returns to the campaign and reports of “health issues” of some of the team’s members.

Security researchers reviewing last week’s data leaks call into question the veracity of the information ATW is sharing. Check Point released analysis stating that “checking their claims deeper reveals that for many of the claims there are no solid proofs apart of very generic screenshots that are allegedly from the breached organizations.”

(Update 7 March 2022 – 18:36 UTC) The group also posted to its Telegram channel that it had breached a Russian cybersecurity company that had been “hoarding” US government data, exposed multiple SonarQube instances, and asked that someone get in touch with them immediately. It is unclear whether this is legitimate or further ego inflation.

6 March 2022

Free Civilian Tor Service Leaks Entire DIIA Contents

Recently, the administrator of Free Civilian shared a post on their Tor service containing what is claimed to be Ukraine’s entire DIIA database of users. They stated that the buyer of the database consented to the release, with the understanding that some records were deleted. The downloads consist of 60+ archives containing gigabytes of data. The download links have been unstable since DarkOwl discovered them.

The administrator also expressed a desire to have the ban on their “Vaticano” Raid Forums account lifted, claiming this leak proves the legitimacy of the information they shared back in January.

Recently, screenshots of a court document for the alleged seizure of the Raid Forums domain via VeriSign have been in circulation, after users spoke of rifts between pro-Ukrainian users and Russian hackers, potential FBI seizures, and the alleged hijacking of former admin Omnipotent’s alias on Darknet World. Prominent users from the forum have set up RF2 and advised that any old Raid Forums links that still work are likely FBI-controlled phishing login pages.

6 March 2022 – 18:43 UTC

Anonymous Continues Information Warfare Against Russian Media; Video Services Wink and ivi Stream Anti-War Messaging

After Putin’s overt authoritarian take on media sharing the realities of the war in Ukraine, Anonymous managed to hack Russian video services Wink and ivi to stream pro-Ukrainian messages and video of the conflict.

This weekend, Putin’s parliament passed a “fake-news” law imposing prison sentences on media that use the words “war” or “invasion,” prompting numerous Western outlets to pull their journalists and suspend operations.

6 March 2022 – 15:39 UTC

AnonGhost Enters Campaign and Claims SCADA Attacks Against Multiple Russian Infrastructure Targets

This weekend, AnonGhost entered Anonymous’ #opRussia campaign with a vengeance, and claims today to have hacked multiple Russian infrastructure control systems via SCADA attacks and “shut it down.”

They list the following targets:

  • Волховский РПУ (Volkhov RPU)
  • Бокситогорский РПУ (Boksitogorsk RPU)
  • Лужский РПУ (Luga RPU)
  • Сланцевский РПУ (Slantsevsky RPU)
  • Тихвинский РПУ (Tikhvinsky RPU)
  • Выборгское РПУ (Vyborg RPU)

This follows their leak, hours earlier, of data from 9 Russian servers (commercial, academic, and government domains):

  • azovkomeks[.]ru
  • vserver24[.]ru
  • dvpt[.]ru
  • ach[.]gov[.]ru
  • itmo[.]ru
  • vpmt[.]ru
  • pvlt[.]ru
  • hwcompany[.]ru
  • corbina[.]ru

DarkOwl is in the process of pulling in this data to review and assess the contents of all of the databases.

The AnonGhost group is reportedly one of the more senior Anonymous-affiliated hacktivist teams in the underground, with reporting on the group going back to the early 2010s. According to open-source reporting, AnonGhost was led by Mauritania Attacker. In a 2013 interview with a hacking blog, Mauritania Attacker claimed to be a 25-year-old male from Mauritania who started hacking at a young age by joining TeaMp0isoN and ZCompany Hacking Crew (ZHC), two groups known for attacks on high-profile targets such as NATO, NASA, the UN, and Facebook. (Source)

As Stuxnet showed, SCADA-type attacks are controversial because there is a fine line between disruption and destruction. Services knocked offline but restorable are disruptive and inconvenient, causing operational delays and psychological concern over the safety of such services. Disruptions that lead to destructive events, e.g. hard disks wiped and unrecoverable, derailed trains, power plants overheating and exploding, or satellites falling out of orbit, are considered serious and may be interpreted as an act of war, inviting severe retaliation.

Yesterday, Putin declared western sanctions an act of war and uttered similar threats about hacking satellites earlier this week.

6 March 2022 – 14:52 UTC

GhostSec Returns with Leaks from Russia’s Joint Institute for Nuclear Research (JINR) and Department of Information (DOI) FTP Server Data

Hours ago, an archive of several gigabytes emerged from GhostSec, reportedly containing information from Russia’s nuclear research and disinformation activities. GhostSec had been silent for most of the last week, perhaps busy with this activity.

According to their website (jinr.ru), the Joint Institute for Nuclear Research is an international intergovernmental organization established through the Convention signed on 26 March 1956 by eleven founding States and registered with the United Nations on 1 February 1957.

As of time of writing, the public facing website is online.

6 March 2022 – 12:34 UTC

Anonymous Dumps Leak of 139 Million Russian Email Addresses

An archive of over 139 million email addresses, broken into 15 separate files each named with the prefix mail_ru, lists the email addresses of presumed account holders of mail.ru services. Mail.ru Group, the owner of VKontakte, rebranded itself as VK in the fall of 2021.

The files included two additional HTML files with ominous warnings – possibly shared on the servers from which these leaks were obtained.

[image translation]

Russian soldiers!
If you think that you are going to an exercise, in fact you are being sent to Ukraine to DIE.

DarkOwl has not determined the veracity of this data, nor confirmed how these emails were obtained; some combolists of this nature are created as an aggregation of other leaked data.

As of time of writing, mail.ru’s public facing website is still online and operational.

5 March 2022 – 20:41 UTC

Anonymous Targets Russian FSB; Letter Appears from Possible FSB Whistleblower

The Federal Security Service (FSB) of the Russian Federation [Федеральная служба безопасности (ФСБ)] is the principal security and intelligence agency of Russia and the main successor agency to the Soviet Union’s KGB.

Earlier today, Anonymous hacktivists targeted the FSB (at the direction of the IT Army of Ukraine) and managed to take its external-facing website offline. Rumors on social media and in chatrooms suggested Anonymous had “breached” the FSB’s server, but taking a website offline does not by itself imply access to it.

Shortly after the announcement of the website’s offline status (#TangoDown), a deep web paste emerged containing a list of 62 subdomains of the fsb.ru domain, likely intended for additional targeting and exploitation.

The stability and alliances of members of the FSB are being questioned by threat intelligence and security researchers across the community. Last night, an alleged FSB whistle-blower letter surfaced (via the founder of http://gulagu.net) that damned Russia’s military performance in Ukraine and predicted a disaster for Russia in the coming weeks and months. An English translation of the letter has appeared on the deep web (excerpt below).

To be honest, the Pandora’s box is open – a real global horror will begin by the summer – global famine is inevitable (Russia and Ukraine were the main suppliers of grain in the world, this year’s harvest will be smaller, and logistical problems will bring the catastrophe to a peak point). I can’t tell you what guided those at the top when deciding on the operation, but now they are methodically lowering all the dogs on us (the Service).
We are scolded for analytics – this is very in my profile, so I will explain what is wrong. Recently, we have been increasingly pressed to customize reports to the requirements of management – I once touched on this topic. All these political consultants, politicians and their retinue, influence teams – all this created chaos. Strong. Most importantly, no one knew that there would be such a war, they hid it from everyone.
And here’s an example for you: you are asked (conditionally) to calculate the possibility of human rights protection in different conditions, including the attack of prisons by meteorites. You specify about meteorites, they tell you – this is so, reinsurance for calculations, nothing like this will happen. You understand that the report will be just for show, but you need to write in a victorious style so that there are no questions, they say, why do you have so many problems, did you really work badly. In general, a report is being written that when a meteorite falls, we have everything to eliminate the consequences, we are great, everything is fine.
And you concentrate on tasks that are real – we don’t have enough strength anyway. And then suddenly they really throw meteorites and expect that everything will be according to your analytics, which was written from the bulldozer.
That is why we have a total piz_ets – I don’t even want to pick another word.

5 March 2022 – 16:37 UTC

Anonymous Claims to Breach Yandex (Russia’s Mail and Search Service); Leaks Account Credentials

DarkOwl discovered two leaks shared through the Anonymous hacktivist collective network consisting of over 5.2 Million user accounts’ email addresses and password combinations. We are in the process of analyzing this data leak to determine the veracity of its contents. 1.1 Million Yandex accounts were previously dumped in 2014. Many hackers are using #opRussia to opportunistically claim clout for breaches that did not occur, when in reality they are circulating old previously dumped data and/or verifying accounts by credential stuffing.
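Both the mail_ru combolist above and this Yandex dump raise the same analyst question: how much of a “new” leak is recycled from data that was already public? One way to answer it is to parse the new dump and an older known dump into account maps and measure their overlap, separating identical email:password pairs (recycled) from shared emails with different passwords and accounts never seen before. The following is an added example of that comparison, not DarkOwl’s tooling or code from any group named on the page; the domain, accounts and passwords are constructed for illustration, and the function and field names are the author’s own.

```python
"""Estimate how much of a newly circulated credential leak is recycled
from an older dump. Added example; every line of sample data below is
constructed, and the domain example-mail.test is fictitious."""
from dataclasses import dataclass

# Constructed "new" combolist, with the noise real pastes carry:
# a blank line, a comment/header line, mixed separators, a duplicate entry.
NEW_LEAK = """\
alice@example-mail.test:Winter2021!
bob@example-mail.test;hunter2
carol@example-mail.test:qwerty123

dave@example-mail.test:correcthorse
alice@example-mail.test:Winter2021!
# header line copied from the paste site
erin@example-mail.test:P@ssw0rd
"""

# Constructed "old" dump for the same service, as an analyst would have
# on file from an earlier incident.
OLD_DUMP = """\
alice@example-mail.test:Winter2021!
bob@example-mail.test:hunter2
carol@example-mail.test:oldpass
frank@example-mail.test:letmein
"""


def parse_combolist(text):
    """Return {email: password} from email:password / email;password lines.

    Emails are lower-cased so case variants collapse to one account;
    blank, comment and malformed lines are skipped rather than raising.
    """
    creds = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Prefer ':' as the separator; fall back to ';' (both are common).
        sep = ":" if ":" in line else ";" if ";" in line else None
        if sep is None:
            continue
        email, password = line.split(sep, 1)
        email = email.strip().lower()
        if "@" not in email or not password:
            continue
        creds[email] = password
    return creds


@dataclass
class OverlapReport:
    new_accounts: int        # distinct accounts in the new dump
    old_accounts: int        # distinct accounts in the old dump
    shared_emails: int       # emails present in both
    identical_pairs: int     # same email AND same password in both
    changed_passwords: int   # shared email, different password
    previously_unseen: int   # emails not in the old dump at all

    @property
    def recycled_fraction(self):
        """Share of the new dump whose exact credential pair was already public."""
        return self.identical_pairs / self.new_accounts if self.new_accounts else 0.0


def compare_leaks(new_text, old_text):
    """Compare a new combolist against an older dump and report overlap."""
    new = parse_combolist(new_text)
    old = parse_combolist(old_text)
    shared = set(new) & set(old)
    identical = sum(1 for e in shared if new[e] == old[e])
    return OverlapReport(
        new_accounts=len(new),
        old_accounts=len(old),
        shared_emails=len(shared),
        identical_pairs=identical,
        changed_passwords=len(shared) - identical,
        previously_unseen=len(new) - len(shared),
    )


if __name__ == "__main__":
    report = compare_leaks(NEW_LEAK, OLD_DUMP)
    print(report)
    print(f"recycled share of new dump: {report.recycled_fraction:.0%}")
```

A high `recycled_fraction` supports the “old data re-circulated” reading; a large `previously_unseen` count is the part that still needs independent verification before a breach claim is taken at face value. For real-sized dumps (millions of rows) the same logic applies, but the maps would be built from streamed files rather than inline strings.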

5 March 2022 – 15:23 UTC

Paypal Suspends Service in Russia

PayPal announced on LinkedIn that it would halt its operations in Russia, a statement released days after it suspended new user sign-ups on the payment platform on Tuesday. CEO Dan Schulman wrote:

We remain steadfast in our commitment to bring our unique capabilities and resources to bear to support humanitarian relief to those suffering in Ukraine who desperately need assistance. We will also continue to care for each other as a global employee community during this difficult and consequential time.

On Wednesday, 3 March, the IT Army of Ukraine called on all supporters to sign a petition on change.org:

While Ukraine protects its people and places, and Russia faces the radical consequences of its war crimes, the most popular payment service via PayPal is still available to the aggressor. This means that it also helps finance the bloody war against Ukraine through PayPal.
We are absolutely sure that modern technologies are a powerful response to tanks, grads and missiles. We call on the company to block its services in Russia via PayPal and launch them in Ukraine, as well as provide an opportunity to raise funds to restore justice and peace in our country and the world.

5 March 2022 – 15:03 UTC

Anonymous Leaks Private RocketChat Conversations from Russian Government Officials

Anonymous is targeting Russia by any means possible and managed to collect private chats between Russian officials on the messaging service, rocket.chat. After review, these chats are different from the ones dropped by @contileaks last week.

The chat includes the network ID, username, and “real name” of 14 members of the chat group. The domain associated with the leak corresponds to the official website of the Russian government and the Governor of the Moscow region.

5 March 2022 – 06:04 UTC

squad303 Sets Up SMS Messaging System to Text Random Russian Citizen Phone Numbers

With the lack of Russian media coverage of the invasion of Ukraine and the intentional misinformation spread by Putin’s disinformation agencies, a pro-Ukraine hacktivist collective known as squad303 set up an SMS messaging system that citizens around the globe can use to text randomly chosen Russian citizens a scripted message about the nature of world events.

The squad303 team also set up an API for more advanced users.

Update: As of 8AM UTC, 6 March 2022, the service had been used to send over 2 Million texts to Russian mobile phone numbers.

The team also reports suffering heavy DDoS attacks from pro-Russian cyber actors.

5 March 2022 – 02:34 UTC

Anonymous Hackers Claim to Have Accessed Communication Data for a Russian Military Satellite

After NB65’s reported success accessing Roscosmos earlier this week, it appears that members of the Anonymous collective under the campaign #opRussia have ventured into breaching the communications of a Russian military satellite for data collection. The satellite, designated COSMOS 2492 (aka glonass132), is likely active in geospatial intelligence collection over Ukraine for Russia. (Note: the original indication of the connection occurred 4 March 2022 @ 09:35 by Anonymous collective member @shadow_xor.)

DarkOwl also uncovered a leak shared by LulzSec member @shadow_xor titled, “Leak_RUSAT_shadow_xor.zip” which contains significant geopositioning data since the satellite’s launch in 2014. The hacker stated they could not change the coordinates of the satellite, but did capture orbital, passage, and communications data.

Our original reporting on this suggested the hackers were Russian-based, but further analysis only indicated that a number of Russian-based hackers supported the attack on COSMOS 2492.

4 March 2022 – 18:16 UTC

Putin Officially Bans Facebook in Russia

In order to combat the information operations campaign against them online, Putin ordered ISPs to block Facebook servers and websites across Russia. Security researchers also note an uptick in Russian trolls on social media, with bot accounts promoting Putin’s military operations in Ukraine.

Putin’s parliament also passed a law imposing prison terms of up to 15 years for individuals spreading intentionally “fake news” about the military. The terms “invasion” and “war” are no longer allowed in press and media coverage.

Several foreign and Western media outlets, including BBC, CNN, and Bloomberg, have temporarily suspended reporting on the war from Russia.

4 March 2022 – 09:44 UTC

NB65 Teases Information Security Community with Riddles on their Activities

NB65 – the pro-Ukrainian group who claimed responsibility for accessing and shutting down Russia’s spy satellites via SCADA vulnerabilities – teased the information security community that they had been quiet because they were parsing and analyzing numerous vulnerabilities in Russian cyber targets.

If we seem quiet, it’s because we have an olympic sized swimming pool worth of data and vulnerabilities. But here’s some fun that you can participate in…

DarkOwl discovered a post matching the target hidden in the riddle and the content suggests the group has access to RUNNET: Russia’s UNiversity Network.

4 March 2022

IT Army of Ukraine Calls for Volunteers to Support the Internet Forces of Ukraine

Ukraine’s Ministry of Digital Transformation steps up its information warfare against Putin’s propaganda by forming the Internet Forces of Ukraine (ITU). Forming a separate Telegram channel at the start of the month, the channel is dedicated to posting instructions and guidance for citizens around the world that want to aid Ukraine and lack an IT/cybersecurity background.

Friends, our enemy, in addition to the existing war in our cities and villages, is also waging an information war. Do not believe fakes, do not believe the lies of Putin’s propaganda – there will be no capitulation of Ukraine!!! We have a powerful army, we are strong in spirit and we are supported by the whole world! Therefore, do not be fooled by provocations and believe in Ukraine. Spread this to your family and friends on social networks, so that they also do not fall for the Kremlin’s nonsense. We are together and we will win!! 🇺🇦

4 March 2022 – 01:46 UTC

Trickbot Gang Members Doxxed and Links to FSB Confirmed

At 15:00 UTC, before DarkOwl could even finish analyzing the ContiLeaks, a Ukrainian-aligned underground account leaked details of key members of the infamous TrickBot gang. Over the course of the day, at a cadence of every 2 hours, dossiers for the individuals appeared on social media. Private chats between members of the gang were included with each of the leaks. Seven male members and their aliases were identified: baget, fire, strix, mushroom, manuel, verto, and liam. Twitter has since suspended the account.

3 March 2022 – 20:54 UTC

Russian-Aligned Hackers Target Anonymous Hacktivists in Canada

A pro-Russian cyber group using the name Digital Cobras claims to have been targeting #opRussia hackers from the Anonymous collective across the US, UK, Greece, and Canada. Earlier today, they posted several names of individuals along with pictures of some of the alleged members of Anonymous.

They also claimed to have “hacked Anonymous’ servers” and downloaded over 260 GB of their files and tools. They also claimed to have full access to the administration of the Tor Project, including its crypto accounts.

Anonymous does not possess servers or centrally locate their information or tools as it is an organic decentralized collective of hacktivists around the world. Similarly, the Tor Project is run by a network of volunteers.

It is very likely this group is designed to spread disinformation and FUD.

3 March 2022

Size of Zeronet Anonymous Network Increases Since Invasion

In the week since Putin launched an invasion against the Ukrainian people, DarkOwl has noticed an increase of 385 Zeronet domains and a near 20% increase in the network’s activity. Zeronet has historically been most heavily used by Chinese threat actors. The trend in “new domain” activity appears to have started on or about February 27th, within hours after the IT Army of Ukraine rallied the underground.

The Tor Project has reported significant increases in the number of unique addresses on Tor on the same day.

DarkOwl Zeronet Reporting
Tor Project data on onion address surge

3 March 2022 – 17:10 UTC

Anonymous Leaks Database Containing Bank Account Holders Information

bkdr – a member of the Anonymous hacktivist collective – released an Excel spreadsheet containing the personal information of over 8,700 business bank account holders in Russia. Full names, passport details, dates of birth, account standing, etc. are included in the file.

3 March 2022 – 15:40 UTC

Pro-Russian Cyber Team Killnet Claims To Hack Vodafone Services in Ukraine

Killnet, a pro-Russian organized threat actor, has claimed they were successful in attacking Vodafone’s telecommunications services across Ukraine. The group shared links to the vodafone.ua website (as offline) and network graphs showing the website suffered an outage.

The group also claims to have attacked “Anonymous” networks directly, prompting criticism, as the Anonymous hacktivist collective has no central servers or repositories.

[Google Translate]

Cellular communication services under the Vodafone trademark on the territory of Ukraine are provided by the partner of Vodafone Group plc, PRO “VF Ukraine”

3 March 2022 – 05:22 UTC

Anonymous Breaches Private Server in Roscosmos and Defaces Website

v0g3lSec – a member of the Anonymous hacktivist collective – claims to have infiltrated private servers at the Russian Space Agency, Roscosmos, and exfiltrated files from its Luna-Glob moon exploration missions. The archive consists of over 700 MB. Many of the files are drawings, executables, and technical documents dating back to 2011. A scientific review of the content would be needed to assess the value of the information collected.

In addition, the website for the Space Research Institute (IKI) of the Russian Academy of Sciences (RAN) was also defaced by the same group.

3 March 2022 – 01:11 UTC

Anonymous Leaks Data from Rosatom, Russia’s State Atomic Energy Corporation

According to DarkOwl’s preliminary review of the 74 files, the leak appears to be a mixture of budget data, conference materials, PowerPoint presentations, and technical files dating back to 2013. The information is such a random mixture that it is unclear whether it was obtained directly from a breach of the corporation’s servers, from an employee at the organization, or collected via OSINT and compiled for use in #opRussia.

“There is no place for dictators in this world. You can’t touch the innocent, Putin. No secret is safe. State Atomic Energy Corporation Rosatom has been hacked!”

2 March 2022 – 19:55 UTC

ATW Quits Campaign – Cites Conflict with Anonymous, Attribution, and Twitter Suspension

Drama in the group started yesterday with AgainstTheWest claiming Anonymous was taking credit for their successes in the cyber war against Russia. They briefly turned their attention to China, announcing several new victims, including the Chinese Science, Technology and Industry for National Defence organization. After their suspension from Twitter earlier today, they announced their retirement, claiming they had no means of communicating with the public. (Analysts note a rebrand to BlueHornet occurred shortly after their announcement.)

2 March 2022 – 19:09 UTC

Conti Leak Source Code, Panel, Builder, Decrypter Appear on Darknet Forum

Less than 48 hours after a pro-Ukrainian affiliate leaked the infrastructure of the CONTI gang’s operation, including botnet IP addresses and source code executables, users began circulating the ransomware gang’s critical data across popular darknet forums and discussion boards.

2 March 2022 – 16:35 UTC

Leak Documents Surface Proving War Against Ukraine was Approved on 18 January

Anonymous hackers released photographs of captured documents from Russian troops titled, “WORKING MAP”, and authored by the commander of Russia’s Bomb Battery of the Black Sea Fleet. The maps and documents affirm to the public that the invasion of Ukraine was approved on January 18th with intention to seize the country sometime between 20 February and 06 March 2022. Liveuamap, under intermittent DDoS since this started, confirmed the data.

2 March 2022 – 13:52 UTC

XSS Admin Reports XMPP Jabber Service Ransomed and Heavy DDoS Attacks

A darknet forum popular with the Russian-speaking community has been experiencing technical issues, suffering from Jabber service outages and heavy DDoS attacks. The forum is well known in the darknet for malware discussions and coordination of attacks. The admin shared a post that the Jabber service was hit with ransomware and the contents of the chats wiped from the service. They nonchalantly suggested users re-register and continue using the service.


The server didn’t work yesterday. Because of ransom (which, by the way, is prohibited here) we were listed in a spamhouse. Instead of reporting the violation, the “brilliant” spamhouse immediately leafed through us. In principle, for many years I got used to their “adequacy”. I’m not surprised at anything. We have more than 21,000 users, and no one is able to check everyone. To do this, in fact, they came up with feedback contacts (xmpp, e-mail), they are listed everywhere.

Why, I wonder, they don’t block gmail.com ? So many, so to speak, violators of law and order use it, and nothing, for some reason they are not immediately listed.
In parallel with this, a powerful DDoS attack was conducted on us.
Our XMPP project is not commercial, completely free and subsidized. I’ve never understood the point of attacking toads.
At the moment, the functionality has been restored.
An unpleasant moment. Backups according to the law of meanness turned out to be broken. The last one alive was a week ago. Suddenly someone has lost contacts or a toad has disappeared, re-register.

2 March 2022 – 10:33 UTC

Leak Appears with Russian Air Force Officer’s Information

Anonymous leaked another database containing the personal information of over 300,000 of Russia’s military personnel and civilian citizens. The archive, titled “Translated Base Database”, contains 35 separate database files with personal details of the individuals. Information includes: full name, date of birth, age, passport number, address, occupation, etc.

1 March 2022 – 20:46 UTC

Russian Criminal Gang TheRedBanditsRU Recruits on Social Media – Offers Payments for Affiliates

The RedBandits openly recruit “affiliates for certain jobs”, stating they did not want white hats, but that they want to “speak to exploit Developers, Spammers (phishing skills, vishing etc), Pentesters. We’re building an army!” They incentivize skilled hackers to join their cause for monetary gain, claiming partners would be paid well and should apply directly via qTox.

Earlier today, the group claimed that they did not agree with Putin as a leader nor of his invasion of Ukraine, but will protect him as a citizen of Russia.

“War is good for no one, come, take my hand, make money help your family”

1 March 2022 – 12:57 UTC

STORMOUS Ransomware Group Aligns With Russia

The STORMOUS ransomware group, which has been targeting international victims with its ransomware strain for months, claimed an alliance with the Russian government and threatened greater attacks against Ukraine.

The STORMOUS team has officially announced its support for the Russian governments. And if any party in different parts of the world decides to organize a cyber-attack or cyber-attacks against Russia, we will be in the right direction and will make all our efforts to abandon the supplication of the West, especially the infrastructure. Perhaps the hacking operation that our team carried out for the government of Ukraine and a Ukrainian airline was just a simple operation but what is coming will be bigger.

1 March 2022 – 09:26 UTC

Ukrainian Paper Leaks Personal Data for 120,000 Russian Military Personnel

In an effort to target the Russian soldiers invading Ukraine, the Centre for Defence Strategies in Ukraine has acquired the names and personal data of 120,000 servicemen who are fighting in Ukraine. The Ukrainian newspaper Ukrayinska Pravda has leaked the details of the soldiers, which could be one of the biggest information warfare campaigns using doxing mid-conflict ever seen.

The doxxed soldiers are likely to face increased engagement on social media and direct phishing attacks.

1 March 2022 – 00:38 UTC

NB65 Takes on Russia’s Satellite Technology

NB65 claims that they successfully accessed Russia’s Roscosmos Space Agency, deleted the WS02, ‘rotated’ the credentials, and shut down the server. They did not provide any leaks with the social media announcement.

The Russian Space Agency sure does love their satellite imaging. Better yet they sure do love their Vehicle Monitoring System.
Network Battalion isn’t going to give you the IP, that would be too easy, now wouldn’t it? Have a nice Monday fixing your spying tech. Glory to Ukraine.

28 February 2022 – 23:54 UTC

ATW Targets Russia’s Electrical Grid

AgainstTheWest leaks information from Russia’s PromEngineering corporation. Archives of corporate emails between employees, clients, and vendors, as well as blueprints and engineering documentation for power stations around Russia, are included in the leak.

28 February 2022 – 22:00 UTC

CONTI’s Entire Infrastructure Leaked

Does this signal the end of CONTI’s reign as leading RaaS?

A Ukrainian-aligned affiliate decided to destroy the CONTI ransomware gang’s operation by exfiltrating and sharing 141 additional JSON data files of private Jabber chats from 2020, details of their server architecture, their sendmail phishing campaign data, command and control botnet architecture, and ransomware executables (password protected). Analysis confirms that the gang uses the BazarLoader backdoor for installing persistent malware on infected machines.

DarkOwl analysts also noted from the leaked Jabber messages that RaaS affiliates were persistent in working out how to evade AV/EDR protection systems like Sophos and Carbon Black. They stated that they had set up sales calls and demos with the Carbon Black and Sophos sales teams, using proxy companies, to gain more information, test the products, and attempt to find the specifics of each product’s AV/EDR bypass mechanisms.

This reminds us all of the importance of vetting and verifying inbound commercial requests for demos and sales information, especially when they might present an opportunity for the requester to learn critical corporate intelligence.

The affiliate leaking the details wrote how this war against their people and Ukraine was breaking their heart.

My comments are coming from the bottom of my heart which is breaking over my dear Ukraine and my people. Looking at what is happening to it breaks my heart and sometimes my heart wants to scream.

28 February 2022 – 21:41 UTC

STORMOUS Ransomware Hits Ministry of Foreign Affairs of Ukraine

The pro-Russian STORMOUS ransomware gang claims to have attacked Ukraine’s Ministry of Foreign Affairs, mfa.gov.ua, using their custom ransomware. The group posts victims’ information on their Telegram channel, posting in both English and Arabic. The group called the Ukrainian government network “fragile” and called for DDoS attacks against it.

Their network is fragile – their various data has been stolen and distributed according to their phone numbers, email, accounts and national card numbers with an internal network hacked and access to most essential files. This is with placing denial attacks on their main site !

28 February 2022 – 18:00 UTC

China’s Huawei Steps in to Assist Russia with ISP Network Instability

According to Chinese deep web forums, Huawei is reportedly building a mobile broadband network in Russia to help with internet outages. As of 26 February, at least 50,000 technical experts will be trained in networking and security in Russia’s R&D centers.

28 February 2022 – 12:00 UTC

Russian Gas Station Pumps Hacked

Videos of disabled electric vehicle (EV) charging stations in Russia surfaced, displaying error status and the following warnings:

“Putin is a dick”, “Glory to Ukraine”, “Glory to our heroes”, “Death to our enemies”

27 February 2022 – 23:06 UTC

Anonymous for Ukraine Leaks Customer Data from Sberbank Russia

While Anonymous leaked the files, the credit for the hack goes to the hacktivist group Georgia Hackers Society. The two text files (bygng.txt & bankmatbygng.txt) appear to be personal data from the financial institution, with the bankmat file containing 4,568 records.

27 February 2022 – 21:00 UTC

CONTI RaaS Suffers for Professing Their Allegiance to the Russian Federation

DarkOwl just discovered 393 JSON files containing private Jabber chats from the ransomware group since January 2021 leaked online. Many of CONTI’s affiliates were displeased with the group’s alliance with Russia.

27 February 2022 – 19:00 UTC

ATW Claims to Take Down CoomingProject Ransomware Group

AgainstTheWest assesses that “CoomingProject are actually one of the dumbest ‘threat’ groups online.” AgainstTheWest’s statement on Twitter:

“RIP CoomingProject. All data on them is being passed to relevant authorities in France.”

27 February 2022 – 16:54 UTC

Cyberpartisans Take Belarusian Railway’s Data-Processing Network Offline

The hacktivist group of cyber specialists located in Belarus managed to force the railway switches into manual control mode in order to significantly slow down the movement of trains. The webservers for the railway’s domains (pass.rw.by, portal.rw.by, rw.by) are also offline.

The rail services are being essentially held hostage until Russian troops leave Belarus and there is peace in Ukraine.

27 February 2022 – 11:00 UTC

AgainstTheWest Ransomware Gang Enters the Campaign

AgainstTheWest (ATW) claims to have attacked Russia’s Department of Digital Development and Communications of the Administration of the Pskov Region with their own custom “wiper” malware. All data was reportedly saved and then deleted.

27 February 2022 – 09:00 UTC

Anonymous Attacks Russian Critical Infrastructure

Tvingo Telecom offers fiber-optic networking, internet and satellite services. Tvingo Telecom is a major provider to Russian clients.

27 February 2022 – 00:00 UTC

GhostSec Leaks More Data and Claims Attacks Against Belarusian Cybercriminals, GhostWriter

GhostSec is active in the Anonymous cyber war against Russia and released a sample of databases stolen from additional government and municipality sites across Russia (economy.gov.ru and sudak.rk.gov.ru).

They state on their Telegram channel they have been conducting attacks against “Russian hackers” and the “hacker group GhostWriter” (a.k.a. UNC1151).

26 February 2022 – 18:00 UTC

IT ARMY of Ukraine Now Active on Telegram

A Telegram Channel titled “IT ARMY of Ukraine” appeared earlier today to help coordinate cyber activities against Russia. The channel has already accumulated over 96K followers. Posts are shared in Ukrainian and English containing target server IP addresses and media for mass distribution on social media.

Videos of what is really happening across Ukraine have appeared on intercepted Russian State Television channels.

In the next hour there will be one of the most important tasks!

26 February 2022 – 16:00 UTC

Anonymous Hackers Interrupt Russian State Television

Multiple reports across underground chatrooms suggest Russian television was allegedly briefly interrupted to play Ukrainian music and display national images. (Source)

Ukraine’s telecommunications agency also announced that Russia’s media regulator’s site was down as well.

26 February 2022 – 09:00 UTC

Russia Restricts Facebook and Twitter to Control Information

Open source internet monitoring reporting organizations discovered Twitter has been blocked by multiple ISPs across Russia. Ukraine’s government is regularly posting on social media to show the Russian people they are still fighting in the invasion. Cybercriminals and hacktivist campaigns also disrupt Russia’s information operations by calling out disinformation bots and taking critical communications sites offline. Twitter has reportedly blocked account registrations from IPs originating in the Russian Federation.

Russia’s state-controlled television station, RT, is still offline.

26 February 2022 – 01:00 UTC

Hackers Leak Data from Belarusian Weapons Manufacturer Tetraedr on the Darknet

Anonymous Liberland and the Pwn-Bär Hack Team announce the start of #OpCyberBullyPutin and leak a two-part archive (200GB total) of confidential employee correspondence from the prominent defense contractor and radar manufacturer Tetraedr in Belarus. The first part is the most recent 1,000 emails from each employee inbox, in .EML format. The second part is a complete archive of each inbox in .PST format.

The hacktivists stated they successfully attacked the company through an unpatched ProxyLogon security vulnerability.

25 February 2022 – 23:30 UTC

Russian Military Radio Frequencies Hijacked

Ukrainian radio frequency (RF) hackers intercepted the Russian military numbers station UVB-76, on 4625 kHz, and trolled Russian communications by playing Swedish pop group Caramella Girls’ Caramelldansen over the top of the broadcast.

The group also successfully intercepted frequencies utilized by Russian strategic bomber planes.

25 February 2022

CoomingProject Ransomware Group Announces Support for Russia

Another ransomware gang sides with Russia, officially declaring war on their Telegram channel against anyone conducting cyber attacks against the Russian government.

“Hello everyone this is a message we will help the Russian government if cyber attacks and conduct against Russia”

25 February 2022 – 21:00 UTC

Russia’s Gasprom Energy Corporation Knocked Offline

Headquartered in St. Petersburg, Gasprom (ПАО “Газпром”) is the largest natural gas transmission company in Eastern Russia. The company is mostly owned by the Russian government even though the shares are traded publicly.

The Anonymous hacktivist collective, operating their campaign against Russia via the hashtag #OpRussia, has claimed responsibility.

25 February 2022 – 20:00 UTC

Anonymous Hackers Leak Database for Russia’s Ministry of Defense (MoD)

Russia’s gov.ru and mil.ru website server authentication data, including hundreds of government email addresses and credentials, surfaced on transient deep web paste sites and Telegram channels. Another leak consisting of 60,000 Russian government email addresses is also now in circulation.

GhostSec, also participating in Anonymous’s cyberwar against Russia, #OpRussia, claimed all subdomains for Russia’s military webservers were offline hours earlier as of 11:00 UTC.

Over around 100+ subdomains for the russian military were hosted on this IP (you may check DNSdumpster for validation) now all downed. In Support of the people in Ukraine WE STAND BY YOU!

25 February 2022

CONTI’s decision to side with Russia has dire consequences for the RaaS Gang

The ransomware-as-a-service (RaaS) gang CONTI (a.k.a. CONTI News) has officially sided with the Russian Federation against “Western warmongers” in the conflict.

Many of their affiliate partners are reportedly in disagreement – siding with Ukraine – which became evident once certain private chats were leaked on their internal affiliate platform on social media. It’s uncertain how these political divisions will impact the effectiveness of the ransomware gang’s campaigns. Conti revised their WARNING statement claiming they do “not ally with any government and we condemn the ongoing war.”

25 February 2022 – 16:30 UTC

Hundreds of Russian IP Addresses Appear on Deep Web for Targeting

Over 600 IP addresses correlating to key Russian web services emerge on transient paste sites and underground hacker forums. (Source DarkOwl Vision)

25 February 2022 – 05:00 UTC

Anonymous Threatens to Take Russian Industrial Control Systems Hostage

The hacker group known as Anonymous stepped up its participation in defending Ukrainians through its cyber war with Russia. In an ominous video posted to Twitter, the group called for the UN to establish a “neutral security belt” between NATO and Russia to ease tensions. They elevated their influence by threatening to “take hostage industrial control systems” in Russia. Expect Us. We do not forgive. We do not forget.

“If tensions continue to worsen in Ukraine, then we can take hostage… industrial control systems.” Expect us. Operation #Russia Engaged

24 February 2022 – 19:00 UTC

Free Civilian Tor Service Announces 54 New Ukrainian Government Database Leaks

The administrator of the Free Civilian Tor Service – who DarkOwl analysts believe is the Raid Forums threat actor, Vaticano – updated their database leaks service, stating they had confidential data for dozens of Ukrainian government services. DarkOwl analyzed these databases closely and confirmed the threat actor likely exfiltrated the data in December 2021. (Source)

24 February 2022 – 17:00 UTC

Russia’s FSB Warns of Potential Attacks against Critical Infrastructure as a result of Ukraine Operations

The National Coordination Center for Computer Incidents (NCSCI) released an official statement warning citizens of Russia of imminent cyber attacks and telling the country to brace for the disruption of important digital information resources and services in response to the ongoing special military operation in Ukraine.

“Attacks can be aimed at disrupting the functioning of important information resources and services, causing reputational damage, including for political purposes” – NCSCI

24 February 2022 – 05:00 UTC

Cryptocurrency Markets Crash in Wake of Invasion

Bitcoin cryptocurrency fell below $35,000 USD for the first time since January in reaction to the Russian troops crossing over the Ukraine border. Ethereum fell more than 12% in the last 24 hours.

According to open-source reporting, the collective cryptocurrency market has plummeted over $150 billion dollars in value since the tensions began.


Analysis of Ukrainian Data Released on the Darknet in Lead-up to Russian Invasion

DarkOwl is aware that as of February 23rd, 2022 Ukraine’s digital infrastructure came under further significant DDoS attacks, with several government and financial websites under duress. Hours later Russia launched direct kinetic attacks against strategic targets around the country and ground forces crossed the border on multiple fronts. Ukraine’s critical infrastructure is under direct attack, martial law declared, and civilians are struggling to withdraw funds from ATMs. Our analysts will continue to update with key insights from the darknet as they become available.

In mid-January 2022, open-source and public news media reported that several Ukrainian government networks had been compromised during a series of cyberattacks the night of 13th-14th of January, including deployment of what security researchers have identified as the “WhisperGate” malware. Within hours of the attack, data described as originating from the Ukrainian government appeared on forums across the darknet and deep web.

DarkOwl observed a surge in Ukrainian government related leaked data in January, but has not uncovered conclusive evidence this data was stolen during the cyberattacks days before or merely released immediately after as part of a psychological intimidation campaign against the people of Ukraine.

Additional Ukrainian government and civilian data appeared on a Tor onion service called “Free Civilian,” which DarkOwl assesses to be possibly affiliated with a threat actor using the moniker “Vaticano” on Raid Forums. The user was banned from the well-known deep web forum late on January 15th by moderator Jimmy02, who stated:

“For one reason or another I have determined that this is a bad database, this could mean its a fake or just a shitty sample.”

Given increasing international tensions and the on-going cyberattacks against Ukraine, DarkOwl analysts compiled and reviewed Ukraine-related data on popular deep web forums and Tor hidden services shared in recent weeks. Most of the data “archives” consisted of raw text files, emails, spreadsheets, SQL databases, scanned photographs and PDF files containing various types of personally identifying information (PII).

While many of the leaked archives of data were created within a few hours of the attacks in mid-January, there are no indications they were directly obtained as a result of the attacks.

Mid-January Cyberattacks and Website Defacements

On 13th-14th of January, 2022, multiple Ukrainian government, non-profit, and information technology organizations experienced cyberattacks and public-facing website defacements. The attackers used a ransomware-esque malware attack, rendering many systems inoperable in addition to defacing official government websites across the country loading an ominous message in Ukrainian, Polish, and Russian.

“Ukrainians! All your personal data was uploaded to the internet,” the message read. “All data on the computer is being destroyed. All information about you became public. Be afraid and expect the worst.”

Microsoft’s incident responders indicated the destructive malware campaign was designed to mimic extortion-based ransomware, by deleting critical files, locking down the systems, and loading a ransom note demanding $10,000 USD in Bitcoin. The ransom demand was for show and irrelevant to the attackers’ intentions.

The Security Services of Ukraine (SBU) reported they were investigating the matter closely together with the State Service of Special Communications and the Cyber Police and believed that over 70 organizations across Ukraine had been targeted by “special services of Russia” the night of the attacks on 13/14 January. While 10 organizations were subject to “unauthorized interference” no personal data had been compromised or leaked. (Source)

Cyberattack Methods Analyzed and Possibly Reused

Cybersecurity units at Microsoft, Crowdstrike, and Palo Alto Networks have published expert descriptions of the attack vectors deployed on the night of the January 13 cyberattacks against targets across Ukraine. Technical analysis suggests a vulnerability in the OctoberCMS content management system allowed for the website defacements. The attackers also utilized the WhisperGate destructive wiper malware family to lock down the networks in a ransomware-style campaign.

According to Microsoft, WhisperGate involved two stages: the first stage overwrites the master boot record (MBR) with a ransom note; and, the second stage downloads a data-corruption malware named Tbopbh.jpg that overwrites targeted files with a fixed number of 0xCC bytes. Incidentally, the malicious file was downloaded from a Discord server.
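The two WhisperGate stages described above leave distinct forensic traces: an MBR that carries readable note text instead of bootstrap code, and files whose leading bytes are a flat run of one fill value rather than ciphertext. The following triage script is an added example written for this article, not code from Microsoft or DarkOwl; the sample sectors and files are constructed inline, and the 1024-byte minimum run length is an assumption chosen for the demonstration.

```python
"""Offline triage checks for WhisperGate-style wiper damage (added example).

Two checks, one per stage described in the text:
  1. MBR inspection: a healthy MBR ends with the 0x55AA boot signature and is
     mostly machine code; an overwritten one carries readable note text.
  2. File inspection: a file whose leading bytes are one repeated fill byte
     (0xCC in WhisperGate's case) has been corrupted, not encrypted.
The sample MBRs and files below are constructed here, not real artifacts;
the 1024-byte minimum run length is an assumption for the demo.
"""
from __future__ import annotations

BOOT_SIGNATURE = b"\x55\xAA"
SECTOR_SIZE = 512


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or whitespace."""
    if not data:
        return 0.0
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data)


def inspect_mbr(sector: bytes, text_threshold: float = 0.6) -> dict:
    """Classify a 512-byte sector read from LBA 0 of a disk image."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected one 512-byte sector")
    has_signature = sector[510:512] == BOOT_SIGNATURE
    ratio = printable_ratio(sector[:440])  # bootstrap code area only
    suspicious = (not has_signature) or ratio >= text_threshold
    return {
        "boot_signature": has_signature,
        "printable_ratio": round(ratio, 2),
        "suspicious": suspicious,
    }


def fill_byte_run(data: bytes) -> tuple[int | None, int]:
    """Return (fill_byte, run_length) for the leading run of one repeated byte."""
    if not data:
        return None, 0
    first = data[0]
    run = 0
    for b in data:
        if b != first:
            break
        run += 1
    return first, run


def looks_wiped(data: bytes, fill: int = 0xCC, min_run: int = 1024) -> bool:
    """True when the file starts with at least min_run copies of the fill byte.
    Encrypted files look random here; wiped ones are a flat fill."""
    byte, run = fill_byte_run(data)
    return byte == fill and run >= min_run


# --- constructed samples (not real artifacts) ---
HEALTHY_MBR = (bytes(range(256)) * 2)[:510] + BOOT_SIGNATURE  # pseudo-code bytes
NOTE = b"All data on the computer is being destroyed. (constructed note text)\n"
WIPED_MBR = (NOTE * 10)[:510] + b"\x00\x00"   # note text, no boot signature
WIPED_FILE = b"\xCC" * 4096 + b"trailing original bytes"
INTACT_FILE = bytes((i * 7) % 256 for i in range(4096))  # varied content


def triage() -> dict:
    """Run both checks over the constructed samples."""
    return {
        "healthy_mbr_suspicious": inspect_mbr(HEALTHY_MBR)["suspicious"],
        "wiped_mbr_suspicious": inspect_mbr(WIPED_MBR)["suspicious"],
        "wiped_file": looks_wiped(WIPED_FILE),
        "intact_file": looks_wiped(INTACT_FILE),
    }


if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{name}: {verdict}")
```

On a real image you would read the first 512 bytes of the raw device for `inspect_mbr` and the head of each user file for `looks_wiped`; a large share of files failing the fill check is the signal that the damage is destruction rather than encryption, which changes the recovery plan (restore from backup, not wait for a decryptor).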

By utilizing open source intelligence and DarkOwl Vision, our analysts discovered multiple instances of MBR-style attacks – including an attack against Banco de Chile from 2018. WhisperGate also shares strategic similarities with the previous NotPetya attacks used against Ukraine back in 2017.

DarkOwl also noticed a cybersecurity researcher (@Petrovic082) using the hashtag #KillMBR on Twitter which they linked to potential malicious executables associated with the malware family. Users active on Chinese bulletin boards have since been closely analyzing the uploaded executables for reuse and virus detection. (Source)

Breaking news indicates Russia deployed a new hard disk wiper malware variant called HermeticWiper (KillDisk.NCV) across strategic cyber targets on the 23rd of February prior to the full-scale military invasion of Ukraine sovereign territory.

Analysis of Leaked Data Found in the Dark Web

On the 14th of January, the now-banned Raid Forums user known as Vaticano posted what appeared to be a user SQL database for the my.diia.gov.ua website. This leak surfaced within hours of the ransomware attack and website defacement on the DIIA server in Ukraine, although the raw user database from DIIA appears to have been created in late December.

Other users on Raid Forums doubted the veracity of the data posted by Vaticano, asking “where is the full data base?” calling it “bullshit and fake advertising,” “not true and old information,” or that the “data is identical to the old leak.”

In response to the criticism, Vaticano shared additional databases from their “archive” described as “medstar.sql” and “somefilesfromnotcatholic.zip” discussed below.


According to the leaked data, a DIIA SQL database, users.sql, was generated via a PostgreSQL database dump, and dated 24 December 2021, 12:17:17 EST. A table, public.users, appears to contain email addresses, passwords, dates of birth, phone numbers, home addresses, passport numbers, ID card numbers, and foreigners’ document numbers.  The SQL file is likely an excerpt of a larger database. DarkOwl found 103 email addresses for users of the service, with most consisting of accounts from personal email providers such as gmail.com and ukr.net.


The website, medstar.ua is a commercial cloud-based ‘digital-medicine provider’ with telemedicine, prescription, medical imaging, and laboratory medical services in Ukraine.

The medstar.sql leaked database does not contain any header information to denote the name of the tables or date of extraction. However, the SQL table appears to be a registry of 669 medical appointments with the patient’s personal information, e.g. full name, date of birth, phone number, address, age, gender, and even a photo, with links to an external website domain, health.mia.software, containing their image and scans. The doctor’s information is also included with each record, with 606 doctors affiliated with the territorial medical association of the Ministry of Internal Affairs. The appointments covered a range of specializations such as therapy, neurology, infectious diseases, etc.

The latest appointment date in the database was November 30, 2021, suggesting this file was likely created sometime in December before the new year.


The files contained in the archive somefilesfromnotcatholic.zip are all date/timestamped: January 15th 2022 / 12:48. The archive consists of five folders, each containing 20 subfolders spanning several years of various official letters, photographs, and applications for government services. One folder contained letters directed to the Ukrainian Ministry of Internal Affairs requesting the production of specific license plates for individuals. The data archive includes several Ukrainian citizens’ personal information such as phone numbers, email addresses, driver’s licenses, passports, and national identification information related to vehicle registration and driving. The latest data file in the archive was date/timestamped: November 15th, 2021/19:58.

Notably, the archive appears to be a sample of a larger dataset of vehicle data the threat actor has in their possession.


Less than 18 hours later and on the original thread, Vaticano shared an archive of supposedly stolen emails from the Ukrainian Ministry of Community and Territories Development server, mail.minregion.gov.ua. The sample included 79 email messages (.msg files) with various correspondences between employees of the organization in November and December 2021. The messages appear to have originated with one email address, and the latest message was dated December 20th, 2021, 14:17:18 EET.

It’s unclear if this is a subset of a larger volume of emails the threat actor has access to, or whether they only had access to one user’s mailbox within the organization. DarkOwl was able to extract 425 unique group and individual e-mail addresses from the archive shared.


Shortly before getting banned on Raid Forums, the user Vaticano shared yet another database on the original thread, labelled diia_filestorage_db01.rar. The archive consists of 81 JSON files with records containing unidentified applicant user information, e.g. full name, date of birth, passport number, phone number, email address, physical address, photo, and COVID vaccination and medical data privacy consent. The latest applicant record was dated October 22nd, 2021.

According to their website, DIIA is a mobile app developed by the Ministry of Digital Transformation of Ukraine and launched in 2020. It allows Ukrainian citizens to upload digital versions of their official documents to their smartphones, instead of carrying physical ones, for identification and verification purposes. It’s likely that this dataset is a sample of a larger set of files held by the threat actor. DarkOwl found 77 unique personal email addresses for Ukrainian citizens in the database, mostly from gmail.com and ukr.net.
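The counts reported above for the users.sql PostgreSQL dump, the minregion mail archive and the diia_filestorage JSON records all come down to the same triage step: pull every e-mail address out of a leaked dataset, de-duplicate, and summarise by domain so an organisation can judge who is exposed. The script below is an added example, not DarkOwl’s tooling; it parses the `COPY ... FROM stdin` blocks that `pg_dump` writes in plain-text dumps and a list of JSON records. The dump excerpt, the records and the column names are constructed for the example.

```python
"""Exposure triage for a leaked dataset (added example, constructed data).

Given a PostgreSQL plain-text dump (pg_dump's COPY ... FROM stdin blocks) and
a set of JSON records, extract the e-mail addresses, de-duplicate them, and
summarise by domain. The sample dump and records are made up for this
example; the table and column names are assumptions.
"""
from __future__ import annotations

import json
import re
from collections import Counter

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def parse_copy_blocks(dump_text: str) -> dict[str, list[list[str]]]:
    """Return {table_name: rows} for every COPY ... FROM stdin block.

    Rows are tab-separated; a line holding only '\\.' ends the block.
    """
    tables: dict[str, list[list[str]]] = {}
    current = None
    for line in dump_text.splitlines():
        if current is None:
            m = re.match(r"COPY\s+(\S+)\s*\(.*\)\s+FROM stdin;", line)
            if m:
                current = m.group(1)
                tables[current] = []
        elif line == "\\.":
            current = None
        else:
            tables[current].append(line.split("\t"))
    return tables


def emails_in(text: str) -> set[str]:
    """All addresses in a string, lower-cased so case variants collapse."""
    return {m.group(0).lower() for m in EMAIL_RE.finditer(text)}


def summarise(addresses: set[str]) -> dict:
    """Unique count plus a per-domain breakdown, most common first."""
    domains = Counter(a.rsplit("@", 1)[1] for a in addresses)
    return {"unique": len(addresses), "by_domain": dict(domains.most_common())}


# --- constructed sample dump (not real leaked data) ---
SAMPLE_DUMP = """--
-- PostgreSQL database dump
--
COPY public.users (id, email, phone) FROM stdin;
1\talice.example@gmail.com\t+380000000001
2\tbob.example@ukr.net\t+380000000002
3\tcarol.example@gmail.com\t+380000000003
4\tAlice.Example@gmail.com\t+380000000001
\\.
"""

# --- constructed sample JSON records (not real applicant data) ---
SAMPLE_JSON = [
    {"name": "Applicant A", "contact": {"email": "dave.example@ukr.net"}},
    {"name": "Applicant B", "contact": {"email": "bob.example@ukr.net"}},
    {"name": "Applicant C", "contact": {"email": "erin.example@corp.example"}},
]


def triage_leak(dump_text: str = SAMPLE_DUMP, records=SAMPLE_JSON) -> dict:
    """Combine addresses from the dump rows and the JSON records."""
    addresses: set[str] = set()
    for rows in parse_copy_blocks(dump_text).values():
        for row in rows:
            for field in row:
                addresses |= emails_in(field)
    # JSON: serialise and regex-match, so nesting depth does not matter
    addresses |= emails_in(json.dumps(records))
    return summarise(addresses)


if __name__ == "__main__":
    print(json.dumps(triage_leak(), indent=2))
```

Lower-casing before de-duplication matters: the same mailbox written with different capitalisation would otherwise inflate the unique count, and the per-domain split is what tells a responder whether the exposure is mostly personal webmail or corporate accounts that need password resets.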

Free Civilian

Within a week of Vaticano’s exile from Raid Forums, the Tor onion service “Free Civilian” appeared online offering to sell various databases from government organizations across Ukraine along with a personal statement detailing the drama between the admin of the Tor service and the moderators of Raid Forums, declaring the forum is no longer “the island of freedom.” (Source: DarkOwl Vision)

Additional data proofs on the Free Civilian onion service confirmed that the leaks Vaticano shared on Raid Forums were smaller samples of data from larger databases they had access to and were offering for sale on the darknet site.

On the Tor onion service, the databases for sale were significantly larger than the samples shared on Raid Forums. The DIIA database was 765 GB and offered for sale at $85K USD, with a price increase to $125K USD by early February. Another database, titled “e-driver.hsc.gov.ua” and containing Ukrainian driver and vehicle information, was listed at 431 GB and offered for sale for $55K USD. The samples from Free Civilian correlated to the samples Vaticano provided in the somefilesnotcatholic.zip archive on Raid Forums.

Free Civilian lists several other databases for sale summarized below:

  • wanted.mvs.gov.ua – Ukraine’s government database of criminal records.
  • health.mia – Ministry of Internal Affairs servers hosting patient health data.
  • mtsbu_samples_db – Ukraine’s Motor (Transport) Insurance Bureau.

As of the date of publication, both the DIIA and e-driver.hsc.gov.ua databases were marked as sold.

More Ukraine Data Surfaces

Banning Vaticano did not stop Ukraine-related data from appearing on Raid Forums. Another user shared a sample called “PFU of Ukraine” which consists of a text file containing over 53,000 names of individuals in Ukraine and phone numbers.

DarkOwl uncovered 156 unique email addresses in the file. The domain pfu.gov.ua is associated with the Ukrainian government’s pension fund website.

Days after the PFU leak, a post titled DTEK[UA] appeared with the offer to sell over 200 credentials exfiltrated from employees at a large energy investor in Ukraine. The post also stated the vulnerability used to extract the data was available. The Raid Forums user has history on the forum, authoring at least 46 posts. (Source: DarkOwl Vision)

A leak titled “Ukrainian Police Dox” also emerged containing a zip file of various PDFs with PII for officials dated October 2020.

There is no evidence to conclude any of the recently shared data was sourced during the mid-January cyberattacks.

The Ukrainian data leaks in January were not the first time Ukrainian government and citizen data has been exposed in the underground. Last year, DarkOwl captured numerous spreadsheets and database archives allegedly affiliated with Ukraine disseminated and discussed on a Telegram channel known for stolen data brokerage.

DarkOwl also follows the popular Telegram channel, DB Leaks (a.k.a. @d3atr0y3d), who shares posts in English and in Russian and uploads files believed to have been captured from compromised sites and servers around the world. Coincidentally, they shared the same DIIA archive shared by Vaticano on the 23rd of January, within days of the appearance of the Free Civilian Tor service. (Source: DarkOwl Vision)

Furthermore, in fall 2021, they uploaded several Ukraine-specific databases including a list of personnel assigned to the Special Operation Forces of Ukraine and Ukrainian candidates for local parliamentary elections. The figure below includes more examples of the types of data they shared.

The channel has also posted leaked databases from targets inside Russia, including the list of donors to the FSK, the non-profit Anti-Corruption Foundation set up by Alexei Navalny.

Interestingly, during the second half of 2021, several other Raid Forums users circulated information about Ukraine’s nuclear power plant, a spreadsheet of stolen and lost weapons in Ukraine, residents of Ukraine, and companies registered in Ukraine along with information pertaining to the country’s financial and economic activity. (Source: RaidForums)

Closer analysis revealed these archives were re-shares of various posts on the DB Leaks Telegram channel dropped earlier in 2021, perhaps by proxies of @d3atr0y3d or one of their associates (information support) acting directly at their request.

Who is Vaticano?

Vaticano, the Raid Forums user who caught the attention of DarkOwl analysts in mid-January, created their account on the deep web forum within hours of their first post and has no prior history on the forum. The Vaticano persona includes an avatar of the Pope surrounded by flames along with calls for the people of Ukraine to return to the Catholic Church.

Vaticano discouraged another user on the forum from leaking manuals for Polish Army logistical resources in an attempt to align with the original messaging of the website defacements in 2022 to blame Poland for the attack. (Source)

Another user on the forum tried to vouch for Vaticano commenting that they knew he was in Russia.

“Lolz guru, my friend knows this user. He is in Russia.”

Vaticano further attempted to cloud their origins in a comment after sharing the sample of minregion email server messages, requesting if anyone could “read their language”, referring to the Ukrainian text in the email messages from the compromised email accounts.

The Tox ID listed on the Free Civilian Tor service and potentially administrated by Vaticano, does not match the Tox ID included in the ransomware note deployed the night of the mid-January attack.
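Comparing the two Tox IDs as whole strings, as above, is the first step; a practitioner would also compare their public-key portions, because a Tox ID is a 32-byte public key followed by a 4-byte “nospam” value the owner can change at will and a 2-byte checksum, so two different IDs can still belong to the same key pair. The following parser and comparison is an added example, not part of the original analysis; the keys it uses are constructed, not the IDs from the ransom note or the onion service.

```python
"""Tox ID structure check and comparison (added example).

A Tox ID is 76 hex characters: a 32-byte public key, a 4-byte "nospam" value
the user can change at will, and a 2-byte checksum (XOR of the even-index
bytes into byte 0 and of the odd-index bytes into byte 1, as toxcore does).
Two IDs with different nospam values can belong to the same key pair, so
compare the public-key part, not the whole string. Keys below are constructed.
"""
PUBLIC_KEY_LEN = 32
NOSPAM_LEN = 4
CHECKSUM_LEN = 2
TOX_ID_LEN = PUBLIC_KEY_LEN + NOSPAM_LEN + CHECKSUM_LEN  # 38 bytes, 76 hex chars


def tox_checksum(payload: bytes) -> bytes:
    """Checksum as computed by toxcore: XOR bytes into two accumulators."""
    acc = [0, 0]
    for i, b in enumerate(payload):
        acc[i % 2] ^= b
    return bytes(acc)


def build_tox_id(public_key: bytes, nospam: bytes) -> str:
    """Assemble a valid Tox ID from a key and nospam (used to make samples)."""
    if len(public_key) != PUBLIC_KEY_LEN or len(nospam) != NOSPAM_LEN:
        raise ValueError("public key must be 32 bytes, nospam 4 bytes")
    payload = public_key + nospam
    return (payload + tox_checksum(payload)).hex().upper()


def parse_tox_id(tox_id: str) -> dict:
    """Split a Tox ID into parts and verify its checksum."""
    raw = bytes.fromhex(tox_id)
    if len(raw) != TOX_ID_LEN:
        raise ValueError("Tox ID must be 76 hex characters")
    public_key = raw[:PUBLIC_KEY_LEN]
    nospam = raw[PUBLIC_KEY_LEN:PUBLIC_KEY_LEN + NOSPAM_LEN]
    checksum = raw[PUBLIC_KEY_LEN + NOSPAM_LEN:]
    return {
        "public_key": public_key.hex().upper(),
        "nospam": nospam.hex().upper(),
        "checksum_ok": tox_checksum(public_key + nospam) == checksum,
    }


def same_identity(id_a: str, id_b: str) -> bool:
    """True when both IDs are well-formed and share a public key."""
    a, b = parse_tox_id(id_a), parse_tox_id(id_b)
    return a["checksum_ok"] and b["checksum_ok"] and a["public_key"] == b["public_key"]


# --- constructed sample keys (not real contacts) ---
KEY_A = bytes(range(1, 33))
KEY_B = bytes(range(101, 133))
ID_A1 = build_tox_id(KEY_A, b"\x00\x00\x00\x01")
ID_A2 = build_tox_id(KEY_A, b"\xDE\xAD\xBE\xEF")   # same key, nospam changed
ID_B = build_tox_id(KEY_B, b"\x00\x00\x00\x01")
# flip the last checksum byte to simulate a mistyped or tampered ID
ID_CORRUPT = ID_A1[:-2] + ("00" if ID_A1[-2:] != "00" else "11")

if __name__ == "__main__":
    print("A1 vs A2 same identity:", same_identity(ID_A1, ID_A2))
    print("A1 vs B same identity:", same_identity(ID_A1, ID_B))
    print("corrupted ID checksum ok:", parse_tox_id(ID_CORRUPT)["checksum_ok"])
```

The checksum check also catches the common OCR or transcription errors that creep in when an ID is copied from a screenshot of a ransom note, so a “no match” verdict is only meaningful once both IDs validate.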

Polish “DIS” connection

The mid-January Ukrainian government website defacements included references to several controversial historical events between Ukraine and Poland. It mentioned Volyn, a part of Poland that Ukraine annexed in 1939, and the Organization for Ukrainian Nationalists (OUN), which was a far-right political group that operated in the region of Galicia – part of Poland before WWII.

Research suggests that such allusions were likely part of a Russian-originated false-flag operation to incriminate Poland for the January attacks. Polish journalists noticed that the Polish translation of the threatening message was written by a non-native speaker and likely produced using Google Translate.

Cyberattacks Continue

On the 14th-15th of February 2022, Ukraine’s Ministry of Defense, its Armed Services along with Privatbank, Oschadbank, and Monobank financial institutions, experienced severe DDoS attacks resulting in the organizations being taken offline. According to open-source reporting, many Privatbank users received fake text messages stating the bank’s cash machines were out of service, which caused additional stress on the bank’s network – with a surge of users checking their account balances at ATM locations around the country.

Last August, DarkOwl observed a senior and extremely active user on Raid Forums offer a database containing over 40 million Privatbank users’ personal information including their name, date of birth, and phone number. This dataset could have easily been utilized to target Privatbank customers in this information operations campaign against Ukraine. (Source: DarkOwl Vision)

The date of the DDoS attack, while it could be insignificant, is exactly one month after the defacement and malware attacks in January. The damage from the DDoS was not large enough to be categorized as a full cyberattack, but with geopolitical tensions rising to possibly the brink of war, the campaign was likely a part of a larger asymmetric psychological operation.

US Intelligence reporting on the second wave of cyber attacks in February assessed that Russia’s Main Intelligence Directorate, the GRU, was responsible.

Propaganda and Disinformation

The sheer volume of propaganda in open-source reporting renders correlating darknet findings against OSINT around the conflict challenging, if not impossible. Tor discussion forums known for historical propaganda circulation are surprisingly absent of any Ukraine-specific reporting in recent months while some users on Telegram shared fake photos of mushroom clouds inciting fear that Russia had used a nuclear weapon against eastern Ukraine.

One could interpret the lack of information as stemming from the possibility that the Russians had no need to use typical darknet services for dissemination; the disinformation and misinformation campaigns are directly targeting other sources and platforms; or it is already embedded within other news media sources. According to Reuters, Ukraine’s Deputy Secretary of the National Security and Defense Council, Serhiy Demedyuk, officially attributes the 13/14 January defacements to a cybercriminal group operating out of Belarus identified as UNC1151.

“This is a cyber-espionage group affiliated with the special services of the Republic of Belarus.”

Mandiant assesses that UNC1151, also identified with the “Ghostwriter” campaign, is responsible for direct espionage and obtaining confidential information on Belarusian dissidents, media entities, and journalists. Other research indicates that UNC1151 is potentially affiliated with Russia-supported anti-NATO disinformation campaigns that have been in circulation over recent years, replacing genuine articles on news sources with fake ones and spreading false quotes of political and military officials across Lithuania, Latvia, and Poland. However, direct attribution of UNC1151’s role in recent cyberattacks in Ukraine is indeterminate.

DarkOwl also found a darknet threat actor group known as Cyberpartisans trying to help defend Ukraine from Russia’s aggressions. The group claimed responsibility for an attack against the Belarusian rail network system to stymie Russia’s movement of troops towards Ukraine, even though moving troops by rail would not be a necessity for an invasion. The Cyberpartisans self-identify as a pro-democracy group of hacktivists, and last year tapped Belarus’s Ministry of Internal Affairs phone lines, leaking on Telegram conversations between officials about organized protests against the country’s infamous dictator.

In recent weeks, Lukashenko has been overtly supportive of Putin, jointly overseeing strategic military exercises in Belarus, including launches of Russia’s hypersonic missiles in a public show of the two countries’ alliance and continued cooperation. Belarus will undoubtedly play a critical role in the region in the events unfolding.

DarkOwl is monitoring the darknet as the conflict in Ukraine ripples throughout the European continent impacting the global economy and stressing international partnerships and alliances. We anticipate a fluctuation in underground network and criminal activity across Tor and other anonymous networks in the near term. We also forecast the KillMBR/KillDisk destructive wiper malware and attack methodologies debuted in Russia’s asymmetric operations against Ukraine’s critical digital infrastructure to be widely adopted by other criminal gangs and nation-state sponsored cyber operatives in future campaigns.


Darknet Threat Actor Report: LAPSUS$

In order to curate interesting darknet data collection from sources across the deep web, Tor, I2P and other “darknets” our analysts regularly follow “darknet threat actors” that openly discuss and disseminate stolen critical corporate and personal data.

In December 2021, DarkOwl witnessed increased activity on the darknet regarding the cybercriminal gang known as LAPSUS$. The group appears to have a preference for attacking Portuguese-speaking organizations using data extortion-style campaigns and leveraging compromised AWS servers where possible. Thus far, LAPSUS$’s attacks seem to have had little critical impact on the victims’ organizational operations, with seasoned darknet community members stating the group is “amateur.”

DarkOwl believes the cybercriminal group has potential to become a formidable darknet threat actor with the increasing frequency of attacks in recent weeks. The lethality and economic impact of the attacks against their victims have yet to be determined.

Vodafone Telecommunications in Portugal

Since last December, the darknet threat actor group known as LAPSUS$ has been actively targeting Portuguese speaking services across Latin America and Portugal including prominent media and telecommunications companies on both continents.

Most recently, between 7 and 8 February, Vodafone Portugal – a subsidiary of Vodafone Group in the UK – stated in a press release the company was subject to a “deliberate and malicious cyberattack with the aim of causing damage and disruption.” Open-source reports indicate the attack impacted Vodafone’s 4G/5G voice and SMS service as well as its television services, but no ransom was demanded. While there is limited information about the attack in the press, Vodafone maintains that no subscriber or sensitive customer data was accessed or stolen.

On the LAPSUS$ Telegram channel, the group posted the word “Vodafone” with the eyes emoji without directly claiming credit for the attack. When someone directly asked if they were responsible for the Vodafone outage affecting millions of mobile phone subscribers, they stated:

“we don’t confirm or deny this yet.”

LAPSUS$’s Flurry of Activity Since December 2021

DarkOwl analysts began closely following LAPSUS$ across the darknet, deep web, and adjunct communication platforms after they claimed responsibility for a major cyberattack against the Brazilian Ministry of Health in mid-December. The cyberattack, allegedly “ransomware in nature,” compromised Brazil’s Ministry of Health COVID vaccination records database, deleting the entire database contents and defacing its website with the following message:


“The internal data of the systems were copied and deleted. 50 Tb of data is in our hands. Contact us if you want the data back”

The Brazilian government acknowledged their web services were offline and inaccessible to users for a short period of time without directly admitting it was LAPSUS$ who carried out the attack. The attack was like other ransomware/extortion-based attacks in the reported deletion of data; however, there was never a monetary ransom demand stated nor evidence of the group possessing the data or sharing compromised records on the darknet – despite cheers from their online supporters to release information on President Bolsonaro’s vaccination status.

The group posted a statement on Telegram indicating that they had gained access to the Ministry of Health’s Amazon Web Services (AWS) and claimed they did not want to post evidence of their access because they still had access to the system despite the Ministry of Health restoring their services.

On Christmas Eve, the LAPSUS$ group attacked the Claro and Embratel telecommunications companies in Brazil, reportedly stealing over 10 PB (10,000 TB) of sensitive corporate information and SIM details for Claro customers across mass data storage systems such as: AWS, 2x Gitlab, SVN, x5 vCenter (MCK, CPQCLOUD, EOS, ODIN), Dell EMC storage, and Telecom/SS7.

The group shared screenshots detailing their level of access to the Claro network infrastructure and data on the dark web. We are still investigating how the group originally gained access to Embratel and Claro’s infrastructure. The group emphasized the extent of their access in the companies, highlighting they had access to over 1,500 virtual machines in use by Embratel and 23 unique hosts (IP addresses). From the screenshots, DarkOwl confirmed they used Windows Remote Desktop application to connect to many of the compromised computers within the Claro Network on their web browser. The screenshots included network management utilities for the network and their SIM network.

They also shared screenshots from a Powerpoint presentation they found on Claro’s network that detailed how law enforcement intercepts phone calls, SMS messages, and Claro customer network activity. 

(Note: the images below have been blurred intentionally so as not to reveal PII)

It is unclear from the screenshots shared whether members of the LAPSUS$ group used their local machines or a virtual environment to carry out the attacks. Nevertheless, the desktop of the browser screenshot suggests the OS was Windows and the temperature was 4 degrees Celsius at 21:56 on December 25, 2021.

Applying some simple OSINT analysis using historical weather databases, we discovered São Paulo, Brazil did not have matching weather conditions at that date/timestamp, but London, United Kingdom experienced similar weather patterns. This either means that the LAPSUS$ group includes members from around the world or their computing environments are set to the UK/GMT time zone.

Regardless of their physical location, the LAPSUS$ group has preference for attacking Portuguese-speaking organizations on both the South American and European continents. Representatives of the group speak English on their Telegram channel.

In early January, the group conducted similar defacements to the Ministry of Health in Brazil for Impresa, a major media outlet, parent to SIC and Expresso in Portugal. The group’s access to Expresso’s direct digital resources was extensive. During the attack LAPSUS$ members sent phishing SMS texts to Expresso’s subscribers, posted tweets from the news media’s verified Twitter account, and defaced its Twitter account, pasting to the top of the page the phrase:

 “Lapsus$ is officially the new president of Portugal.” (Source)

Information security researchers have noted that the text on the defacement is ‘Brazilian’ Portuguese – instead of Portuguese from the European continent – increasing the likelihood the threat actors are based out of Brazil. LAPSUS$ claimed in their defacement they had access to Impresa’s cloud services at AWS.


The data will be leaked if the necessary amount is not paid. We have access to the ‘cloud’ panels (AWS). Among other types of devices, the contact for the ransom is below.

Note from our analysts: When we think of “exposed credentials” we generally think of e-mail or server authentication data, e.g. username, e-mail address and/or password. The darknet is also a haven for other types of critical corporate data credentials, including developer AWS cloud account identifiers, such as keys and secrets for S3 buckets and web services.

Image: Example AWS_SECRET credentials shared on the deep web (Source: DarkOwl Vision)
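Because AWS access key IDs have a fixed, recognisable shape, the same pattern that lets an analyst spot them in a paste lets a defender scan their own repositories, CI logs and leak-monitoring feeds for them before an attacker does. The scanner below is an added example, not DarkOwl Vision’s detection logic; the “AKIA”/“ASIA” key-ID prefixes are real AWS conventions, while the secret-key label heuristic and the sample paste with its placeholder values are constructed for this example.

```python
"""Scanner for AWS-style credentials in text (added example).

AWS access key IDs are 20 characters beginning with "AKIA" (long-term user
keys) or "ASIA" (temporary STS keys). Secret access keys are 40-character
base64-style strings with no fixed prefix, so they are only flagged when they
sit next to a secret-looking label; that label list is a heuristic of this
example, not an AWS specification. The sample paste uses placeholder values.
"""
from __future__ import annotations

import re

ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# a label such as aws_secret_access_key / AWS_SECRET / secret_key, then a 40-char value
SECRET_RE = re.compile(
    r"(?i)(aws_?secret(?:_?access)?_?key|secret_key)\W{0,5}['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def redact(value: str, keep: int = 4) -> str:
    """Show only the first few characters so a finding can be triaged safely."""
    return value[:keep] + "*" * (len(value) - keep)


def scan_text(text: str) -> list[dict]:
    """Return one finding per key-shaped token, with line number and redacted value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"line": lineno, "type": "access_key_id",
                             "value": redact(m.group(0))})
        for m in SECRET_RE.finditer(line):
            findings.append({"line": lineno, "type": "secret_access_key",
                             "value": redact(m.group(2))})
    return findings


# --- constructed sample paste (placeholder values, not real credentials) ---
SAMPLE_PASTE = """# dumped config
AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01
AWS_SECRET_ACCESS_KEY=EXAMPLEsecretEXAMPLEsecretEXAMPLEsecret1
region=eu-west-1
bucket=s3://example-bucket
note: ASIAEXAMPLETEMPKEY02 is a temporary key
random40=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn
"""


def scan_sample() -> list[dict]:
    """Scan the constructed paste; the unlabelled 40-char line is not flagged."""
    return scan_text(SAMPLE_PASTE)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"line {f['line']}: {f['type']} {f['value']}")
```

Findings are redacted at the point of detection so the scanner’s own output does not become a second copy of the secret; the response to a hit is to rotate the key in IAM and review CloudTrail for use of it, not to confirm it by calling the API.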

Barely a week after the attacks, LAPSUS$ announced on their Telegram channel that their next victim was Localiza Rent a Car SA. The attack appeared to be a DNS spoofing attack on their website, redirecting Localiza website visitors to a porn site instead.

According to open-source reporting, the company reported a “partial interruption” and there was no evidence any customer data or sensitive information was stolen. No ransom demand was made either. 

Less than two weeks later, LAPSUS$ shared a Twitter post from Portugal-based Francisco Martins speaking of how the Grupo Cofina attack was against the company and not an attack on press freedom and another post referencing a popular Cofina journalist. LAPSUS$ never officially claimed responsibility for attacking the Portuguese media outlet that impacted multiple digital content platforms including: Correio da Manhã (Morning Mail), Sábado (Saturday) magazine, Jornal de Negócios (Business Journal), Diário desportivo Record and CMTV. (Source)

Technical specifics of the attack against Cofina are still murky, with little to no information coming directly from LAPSUS$. Security researchers note similarities in the “no ransom demand” style of ransomware, e.g. file corruption and extortion carried out by LAPSUS$, and the fact the group hit other major Portugal-based media companies merely weeks before.

Portugal’s Judicial Police (PJ) are actively investigating the incident and it is not proven LAPSUS$ carried out the attack. The group could be posting to their Telegram to imply their connection without proof and gain criminal credibility.

Image: Twitter Post Circulated on LAPSUS$ Telegram channel the day of Cofina attack. (Source)


“The Lapsus group just wanted to shut up Tânia Laranjo #Respect”

Additional Historical Evidence Surfaces

Using DarkOwl Vision, DarkOwl detected previous activity from the LAPSUS$ on the deep web and darknet including posts in July 2021 on RaidForums and other darknet forums claiming they had compromised networks and stolen data for the FIFA soccer games from EA. On those posts, they shared their PGP Key, signed the posts “LAPSUS$”, and logged into the forums using the pseudonym, 4c3.

Image: (Raid Forums, URL available upon request)

Posts from the group on another darknet forum last summer, written in English, told EA that they had found a Remote Code Execution (RCE) vulnerability in the “frostbite engine” and that they had no intention of targeting console users. This is a typical approach to extorting a company over a specific vulnerability, i.e. a “malicious bug bounty.”

In August 2021, the LAPSUS$ group ended up leaking the EA/FIFA data they had stolen after their attempt at extorting the company for $28 Million USD had failed to materialize. (Source: Raid Forums)

Users on RaidForums indicated the 4c3 moniker for LAPSUS$ on the forum was also tied to a CryptBB staff member known as Cyberjagu who was also trying to sell the EA source code. 4c3 denied any connection. According to open-source reporting, analysts with Blackberry’s Research and Intelligence Division confirmed Cyberjagu is some sort of “intermediary” for the cybercriminal group behind the EA/FIFA attack.

Drama Between Doxbin & LAPSUS$

In early January, the “dox” of a potential LAPSUS$ member surfaced on the controversial deep web paste site known as “Doxbin” and has received over 7,000 views as of time of writing. The dox – intentionally not included here – suggested the LAPSUS$ member was actually a 16-year-old teenager residing in Kidlington, UK and regularly used the pseudonym(s) SigmA, wh1te, and Breachbase in the underground. The dox may have been leaked in retaliation after LAPSUS$ shared hacked internal docs from Doxbin on their Telegram channel on the 5th of January.

According to the LAPSUS$ Telegram channel and the LAPSUS$ Twitter, SigmA (@sigmaphoned/Alexander) might be a “high-ranking” member of the LAPSUS$ group. Since late January, many of the users on Telegram have been trying to reach SigmA, but he’s not responding to messages. The January dox suggested he might be in the process of relocating to Spain with his family. (Source: DarkOwl Vision)

Image: Users in LAPSUS$ Telegram Channel inquire about SigmA’s whereabouts

A Preference for Monero Leads to a Telecommunications Phishing Campaign

Last summer, LAPSUS$ also posted a Monero address on a deep web forum discovered by DarkOwl Vision. The same address was also included in numerous scam/phishing reports from users of the British mobile telecom providers EE and Orange. In July, users of EE reported receiving an ominous message from LAPSUS$ demanding EE pay them “4 millions USD” after making normal iTunes purchases. Perplexing to users, the texts arrived from historical “iTunes messaging” phone numbers.

Image: (Source)

Curious about something you’ve read? Interested to learn more? Contact us to learn how darknet data applies to your use case

From DarkOwl’s CTO: Deciphering Darknet Big Data

Ramesh Elaiyavalli has joined DarkOwl as its Chief Technology Officer, bringing a wealth of data science expertise and a zest for solving complex technical problems. We spoke to Ramesh to give our readers an opportunity to hear his unique thoughts and present a fresh perspective about the critical intersection between the darknet and big data.

One thing I’ve learned since joining DarkOwl is that the darknet, the deep web and all that encompasses the underground criminal ecosystem is constantly evolving, in size, shape, and color. Having automated crawlers deployed in the darknet since 2015, the team at DarkOwl knows firsthand the challenges of maintaining in-depth knowledge of this ever-changing digital data landscape.

I’ve also noticed that some darknet-centric companies operate with a focused mission of threat intelligence and security awareness providing custom, highly tailored intelligence products to answer their customers’ cybersecurity questions. At DarkOwl we employ a more agnostic viewpoint, focusing on maintaining the largest set of commercially available darknet data with prudent consideration for the various “V’s” of Big Data philosophy, applying them to all data discovered across many different anonymous networks and deep web criminal communities.

While we have the in-house expertise to dig deep into the diverse anonymous data sources at our disposal, our products are designed to drive high-value business decisions through fast, frequent collection of accurate, and disparate data from a wide array of distributed data sources.

Big Data Forces Ingenious Architectures

The NIST Data Interoperability Framework defines “Big Data” as a large amount of data in the networked, digitized, sensor-laden, information-driven world. The authors of that framework describe “Big Data” and “data science” as essentially buzzwords, composites of many other concepts across computational mathematics and network science.

Data can appear in “structured” and “unstructured” formats. According to IBM, not all data is created equal. Structured data is often quantitative, highly organized, and easily decipherable, while unstructured data is more often qualitative, and not easily processed and analyzed with conventional tools.

In the last decade the amount of unstructured data available to an individual has skyrocketed. Think about the amount of raw data a person consumes or generates on any given day, through mediums like SMS text messaging, watching and/or creating YouTube videos, editing and sharing digital photographs, interacting with dynamic web pages, and keeping up with the demands of social media.

The darknet and deep web are a vast source of data, structured, semi-structured and unstructured, that forces an ingenious data architecture to collect, process, analyze, and distribute meaningful and targeted datasets to clients and users across diverse industry verticals such as FinTech, InsureTech, Identity Protection and Threat Intelligence providers. At DarkOwl we employ a modified model of “Big Data” often depicted by the “V’s” of Big Data.

Volume – DarkOwl endeavors to deliver petabytes of data processed in real time with crawlers operating across different anonymous networks, deep websites, and platforms. As of this week, our Vision system has collected and indexed over 278 million documents of darknet data across Tor, I2P, and Zeronet in the last year. Our entities system has uncovered and archived over 8 billion email addresses, 13 billion credit card numbers, 1.6 billion IP addresses, and over 261 million cryptocurrency addresses.

Velocity – DarkOwl’s resources are designed to provide fast and frequent data updates, such as collecting from real-time instant messaging sources and capturing live discussions between users on darknet forums. In the last 24 hours, our system crawled and indexed over 2.5 million new documents of data.

Veracity – DarkOwl collects the most accurate data available from legitimate and authentic sources discovered in the darknet, deep web, and high-risk surface web. DarkOwl scrapes darknet data without translation in its native language to avoid contextual loss from automated in-platform translation services.

Variety – The data DarkOwl discovers comes from diverse and distributed sources such as Tor, I2P, Zeronet, FTP, and publicly available chat platforms with instant or real-time messaging. We collect everything from darknet marketplace listings for drugs and malware to user contributions to forums and Telegram channel messages.

Value – DarkOwl delivers its data through a variety of delivery mechanisms along with our expert insights to help drive high-value business decisions for our clients and stakeholders. Darknet raw data provides valuable evidence for everything from qualitative investigations to quantitative risk calculations.

Voices – We added an additional “V” to the model to include the voices of the various personas and threat actors conducting criminal operations in the underground. Our Vision Lexicon helps users easily decipher and filter by marketplace, vendors, forums, threat actor pseudonyms, and ransomware-as-a-service (RaaS) operators.

Multi-Dimensional Darknet Data Collection Strategies

Before we can jump into the technological architectures available to deliver scalable Big Data, we should discuss the multi-dimensional facets of data collection from dark networks. There exists an unspoken spectrum of darknet data collection. On one end of the spectrum, there is a collection strategy focused on directing a small number of assets to facilitate incredibly deep and near-constant coverage of a relatively tiny segment of what is presently an unquantifiable data space. Defining this segment outside of publicly known, well-established sources of malicious activity without buying illegal data or compromising our integrity is tricky.

On the other end of the spectrum is a collection strategy focused on sending out a much larger number of assets to facilitate broader collection across many different sources to capture and characterize as much of this unquantified data space as possible. At DarkOwl we show preference for this end of the spectrum as it increases the variety and veracity of our Big Data model. We also dedicate collection resources to a smaller, select number of darknet services that require authentication, solving a captcha or puzzle, or are accessible by invitation only. We attempt to augment our broad-spectrum strategy by collecting from these sources at a greater depth and higher frequency than other sites.

I think it’s also important to add here a third dimension of time. Collecting data from a given source once without revisit or frequent updates is of considerably less value than data collected at a regular operational tempo. Likewise, DarkOwl also has a strict retention policy for documents from the darknet – much from sources no longer available or offline – in support of historical analysis and developing analytical trends over time. Many of the documents help characterize and track the evolution of voices of threat actors for law enforcement investigations, and others feed risk calculations such as the date on which compromised corporate credentials or other company exposure first appeared on the deep web.

Our data collection strategy endeavors to balance these three dimensions, breadth, depth, and time, to ultimately maximize the “Vs” of Big Data with an emphasis on contributing to the value of our clients’ bottom line.

Big Data Delivery Mechanisms

Data warehouse – A data warehouse consists of mostly structured data. Think of it as a giant database that you can access via SQL. Here you can store names, SSNs, phone numbers, email addresses and so on – with very large volumes. Data warehouses are traditionally based on RDBMS technologies such as Oracle, DB2, Postgres etc., and they take a ton of resources to build and maintain, hence the drop in popularity over time. We do not have a data warehouse at DarkOwl.

Data lake – A data lake consists of a combination of structured AND unstructured data, mostly unstructured: medical transcriptions, court documents, audio, video, screenshots and so on. The structured data is mostly there to tag and link the unstructured data. Data lakes are more popular now due to the ease of creating them, and they are supported by cloud-native vendors such as Amazon AWS, Google Cloud, Microsoft Azure, etc. At DarkOwl, we populate many of our customers’ data lakes. We can also stand up a custom data lake containing a subset of our data that we give customers access to.

Data feeds – Data feeding describes the process of pushing parts of our Big Data over to the customer side. For example, we feed only credentials to some customers, or only credit cards to another, and in some cases we provide a daily snapshot of everything we have visibility of directly to the customer for their own business use case. Feeds are technically accomplished by setting up a receiver on the customer side, usually a secure Amazon S3 bucket. We can also set up feeds into Azure or Google storage. Keep in mind, feeds always run from this point in time forward. If customers need data from the past, we will charge separately for a one-time dump, also called “data hydration” or “seeding.”
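The feed receiver described above is “usually a secure Amazon S3 bucket.” What “secure” should mean for a bucket that an outside provider writes into is worth spelling out, so the following Python example, added here and not DarkOwl’s code or its actual customer configuration, builds the bucket policy a receiving customer would attach (provider may only PutObject under a feed/ prefix, all access must use TLS, every upload must be server-side encrypted) and includes a small evaluator covering just the condition operators the policy uses, so the rules can be checked offline. The bucket name and provider role ARN are placeholders; the evaluator models only the bucket policy, not the caller’s own IAM policies that real cross-account access also consults.

```python
import json
from typing import Any, Dict, List

PROVIDER_ROLE_ARN = "arn:aws:iam::111111111111:role/feed-provider"  # placeholder
BUCKET = "customer-darknet-feed"                                     # placeholder


def build_feed_bucket_policy(bucket: str, provider_arn: str) -> Dict[str, Any]:
    """Least-privilege receiver policy: the provider can only write objects
    under feed/, nobody may use plaintext HTTP, and unencrypted uploads are
    refused (StringNotEquals is true when the header is absent, so a missing
    header is denied as well)."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowProviderUploadsOnly", "Effect": "Allow",
             "Principal": {"AWS": provider_arn},
             "Action": "s3:PutObject", "Resource": f"{bucket_arn}/feed/*"},
            {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": [bucket_arn, f"{bucket_arn}/*"],
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
            {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": f"{bucket_arn}/*",
             "Condition": {"StringNotEquals": {
                 "s3:x-amz-server-side-encryption": ["AES256", "aws:kms"]}}},
        ],
    }


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str) -> bool:
    """Trailing-wildcard match, enough for the actions/resources used here."""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def _condition_holds(cond: Dict[str, Any], ctx: Dict[str, str]) -> bool:
    """Evaluate the Bool / StringEquals / StringNotEquals operators the way
    IAM does for single-valued keys, including the absent-key behaviour."""
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            exp = [str(e) for e in _as_list(expected)]
            if op == "Bool":
                if actual is None or str(actual).lower() != exp[0].lower():
                    return False
            elif op == "StringEquals":
                if actual is None or actual not in exp:
                    return False
            elif op == "StringNotEquals":
                if actual is not None and actual in exp:
                    return False
            else:
                raise ValueError(f"operator not modelled: {op}")
    return True


def is_allowed(policy: Dict[str, Any], principal: str, action: str,
               resource: str, ctx: Dict[str, str]) -> bool:
    """Explicit Deny wins over any Allow; with no matching Allow, the default is deny."""
    allowed = False
    for st in policy["Statement"]:
        princ = st["Principal"]
        if princ != "*" and principal not in _as_list(princ.get("AWS")):
            continue
        if not any(_matches(a, action) for a in _as_list(st["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(st["Resource"])):
            continue
        if not _condition_holds(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    policy = build_feed_bucket_policy(BUCKET, PROVIDER_ROLE_ARN)
    print(json.dumps(policy, indent=2))
```

The evaluator is deliberately narrow (three operators, trailing wildcards only), but it is enough to prove the properties that matter for a feed receiver: the provider cannot read what it wrote, cannot write outside its prefix, and cannot deliver over plaintext or without encryption at rest.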

Data streaming – To process data coming at us rapidly, we use open-source industry technologies such as Kafka at DarkOwl. Such services are mostly for internal use, but we could easily set up our customer as one of the subscribers to our data stream. This especially makes sense when the velocity of data is very high, which is often the case for darknet data. For example, take Tesla. Their car is a moving big data machine. Every turn, every camera is emitting massive amounts of data that cannot be pushed fast enough to a customer’s data lake via a data feed. In these high-frequency data situations, we will allow customers to consume directly from our Kafka stream. We will obviously only explore this option if we trust the customer and they pay us lots of money.

At DarkOwl, we have a variety of customized solutions we can deploy quickly to satisfy the needs of all our customers.

Final Thoughts

As you can see, the data science challenges of collecting, organizing, and delivering continuous relevant darknet Big Data are intellectually fascinating and absolutely exhilarating to undertake.

I look forward to augmenting and refining DarkOwl’s Big Data product line through implementing new technical solutions and expanding into novel, cutting-edge anonymous sources. Reach out to us directly as I look forward to having a conversation about how your company or organization could benefit from Darknet Big Data from DarkOwl.

Darknet Indicators of Anomalous Health Incidents (AHIs)  

The U.S. Department of State and three-letter agencies across the U.S. Intelligence Community – which staffs a mixture of darknet intelligence and open-source intelligence (OSINT) researchers across a variety of security sectors – have been increasingly concerned by reports of what the U.S. Government identifies officially as “anomalous health incidents” (AHIs). The news media has generally labeled these incidents as reports of “Havana Syndrome,” because the first reports originated from diplomats located at the U.S. embassy in Cuba in 2016, but reports continue today around the globe.

An interim intelligence report on the subject was recently released by the CIA after President Biden called for answers as to the cause of the incidents and Congress passed the HAVANA Act last fall to help compensate victims. The report, briefed by government officials to POLITICO in mid-January, has received criticism for its “preliminary” intelligence assessment, which concluded that no U.S. foreign adversary nor any specific directed energy weapon is likely behind the nearly 1,000 allegedly directed attacks against government personnel stationed in embassies around the world.

Given the lack of inter-agency coordination on the interim report, it’s unclear whether these findings signal the end of the USG’s overarching investigation. According to open source reporting, there are still several cases the CIA could not explain, and CIA Director William Burns issued a statement suggesting the agency will continue to look into the matter.

“We have reason to believe the interim report does not even represent the consensus of the full CIA, instead reflecting the views of a subset of officials most interested in resolution and closure.” - Statement from CIA Director William Burns

Recognizing the uncertainty of the findings and widespread outrage from AHI victims, DarkOwl set out to gather and assess data across the darknet and deep web to provide supplemental indication of the public sentiment regarding AHIs, as well as additional insights into the potential technological sources that may be targeting diplomats and intelligence officials.

Chatter Spreading Potential Nation-State Sponsored Propaganda

During our research, we discovered indications of deep web users sharing Russia-sponsored anti-US propaganda related to mind-control and directed energy induced schizophrenia. For example, one user shared a link to content of this nature via a WordPress “blog” that directly references and links to an “independent research news website” called “Global Research” (globalresearch.ca). In 2020, the State Department identified the allegedly Canadian news outlet as a Russian controlled propaganda front.

  • According to DNS records, the WordPress blog domain cited (youarenotmybigbrother.blog) on the deep web is hosted on a server located at the IP address:, located in San Francisco, California.

  • DarkOwl reviewed the “Canadian” Global Research website for mentions of “Havana Syndrome” and surprisingly found no recent mentions of “Havana syndrome” or AHIs or any official neurological research, but instead found multiple re-shares of articles citing a study from the University of Edinburgh directly contradicting the State Department’s 2018 commissioned report from the University of Pennsylvania, peer reviewed and published by the Journal of the American Medical Association (JAMA).

  • The general lack of reporting related to Havana Syndrome on the Global Research website, including disinformation suggesting the incidents are caused directly by the USG or non-foreign directed energy sources, is significant and warrants further analytical review of other known Russian-sponsored propaganda websites.

  • Since the release of the interim CIA report last week, darknet and deep web users are aggressively re-sharing articles and podcasts “debunking” the idea of Havana Syndrome entirely as a mass psychogenic illness resulting from an internal U.S. government propaganda disinformation narrative to demonize Russia and destabilize US-Cuba geopolitical relations.

Some deep web users hypothesize the remote possibility that US adversarial governments – such as Russia and China – use low earth orbit satellites and even cellphone towers to direct nefarious RF signal attacks at targeted individuals.

  • In summer 2021, an anonymous user of the deep web imageboard known as 4chan theorized that AHIs are caused by Russian space assets or US-based cell phone antennas that have potentially been converted into microwave microphones to detect speech and that inadvertently over-amplify the signal, causing brain damage. Other users of the same forum also imply that these attack vectors could be deployed by the US against their own personnel as part of some sort of covert operation.

  • On the subreddit /r/TargetedEnergyWeapons, Reddit users shared video from a 1985 CNN news report of a U.S.-based RF directed energy weapon called the “Brain Bomb,” which the U.S. government reportedly never pursued, in an effort to discredit the USG.

4chan discussion about “Havana Syndrome” being caused by Russian-space listening devices (original thread removed by website since discovery)

Technical Materials Related to AHIs on the Darknet

Our analysts identified numerous mentions of the US government’s historical activities related to psychotronic and psychological warfare. Several deep web users circulated “blogs” – dating back to 2010 – that include a comprehensive archive of information related to potential neurological and psychological weapons developed by DARPA and the US Military as well as similar tools at the disposal of Russian intelligence arms.

The aforementioned blog highlights reports from the early 2000s that Putin supposedly outlawed the use of weapons of psychotronic influence with the intent to cause harm, despite the fact psychotronic weapons were specifically mentioned in open-source reporting of Russia’s advanced weapons state procurement plans outlined for 2011-2020.

“The development of weaponry based on new physics principles; direct-energy weapons, geophysical weapons, wave-energy weapons, genetic weapons, psychotronic weapons, etc., is part of the state arms procurement program for 2011-2020”

— Russian Defense Minister Anatoly Serdyukov after meeting with Putin in March 2012

DarkOwl analysts also observed numerous darknet and deep web users discussing and resharing a 1976 declassified intelligence report from the Defense Intelligence Agency titled, “Biological Effects of Electromagnetic Radiation (Radiowaves and Microwaves) Eurasian Communist Countries (U).”

Segment from declassified 1976 DIA report shared on the darknet

Another report shared across darknet and deep web users originated from the U.S. Army and dates back to December 13th, 2006. The report was released through an official Freedom of Information Act request by a Mr. Donald Friedman of California, USA.

The document contains an unclassified addendum to another intelligence assessment, which was developed by the National Ground Intelligence Center (NGIC) and likely originated in the late nineties, based on the document number. The US Intelligence Community downgraded the report from SECRET//NOFORN and details the “Bioeffects of Select Nonlethal Weapons”.

Darknet users referencing this report generally used it as supporting evidence that the US military has extensive research on the effects of microwave radiation for battlefield and crowd control use. Like the March 1976 report, the NGIC intelligence reporting regarding the effects of directed pulsed radio-frequency correlates with the symptoms experienced by diplomats and intelligence personnel reporting AHIs.

The report also identifies that the associated technology is readily commercially available, but would need to be customized for intensity variability and targeted use.

US Army response to 2006 FOIA request, dated 13 December 2006.

Segment from the NGIC report detailing the technology’s biological influence on the subject.

The NGIC report further identifies auditory phenomena experienced by subjects, e.g. “clicking, hissing, ticking, and buzzing,” consistent with the 2018 JAMA report consolidating the findings from the University of Pennsylvania clinical study of AHI victims. These symptoms are nearly identical to symptoms connected with the “Frey Effect,” discussed extensively across chat platform users and Reddit discussion forum participants as well as research conducted by the Robert Lansing Institute.

“Ability to hear the “sounds” depends on high frequency hearing and low ambient noise. Pulsed RF/MW in the 2.4-10,000MHz range produces perceived noises that resemble sounds “such as a click, buzz, hiss, knock, or chirp” – just as diplomats report.”

— Quote Correlating Diplomats’ Symptoms to the Frey Effect (Source: Robert Lansing Institute)


One darknet Tor service we identified has over 1,400 technical documents detailing numerous radio frequency (RF) and directed energy (DE) based technologies utilized for such subjects as: mind control, remote viewing, psychoacoustic effect, and electronic surveillance.

Much of the content includes academic research and intelligence agency and military documentation as well as biographies of key academic and intelligence researchers in paranormal studies and mind control related topics. The originating domain has not been online since November 2018, but all available content from the domain is archived in the DarkOwl Vision database of historical darknet records.

Source DarkOwl Vision (DocID: 68eafa7fafe9be29be48f419d8c1fb89b4fa5707)

Another user on Tor posted a report as recently as late August 2021 describing a US Navy sound-based non-lethal weapon program. According to the post, this program utilizes a recording of the target’s own voice, captured with a long-range microphone, which the system distorts by applying phase shifting and auditory track overlay and feedback.

The weapon, called the Acoustic Hailing and Disruption (AHAD) system, then transmits the high-intensity auditory signal directly back to the target using a parametric speaker, disorienting them to the point that they are confused and cannot speak.

Darknet post detailing US and Russian non-lethal weapon technologies. (Source: DarkOwl Vision – DocID d75544cb73549b3db675562290debec678700692)

A darknet discussion forum user talks of Active Denial Systems (ADS) to cause a sensation of being on fire for crowd control. (Source: DarkOwl Vision – DocID 1b851c844c50ed2099adce8ba48e4963146dc6b3)

The same darknet service also highlights a similar technology called the 5P-42 Filin that has purportedly been in production since 2019 by the Russian military. This technology allegedly uses a pulsed beam of light to disrupt a target’s vision and cause temporary nausea.

According to additional open-source reporting, the Filin, also known as the “Eagle Owl” in Russian, was originally manufactured for use on large naval warships and frigates by Russian state military contractor, Ruselectronics, and considered a “weapon of mass disorientation.”

A ground-based portable version of the same system is in development (if not already in production) for use by special forces in close-combat anti-terrorism operations.

Brochure detailing technical specifications of the Russian 5P-42 Filin Weapon System. (Source)

AHIs on the darknet and deep web: AHI technologies for sale and hobbyist experimentation

DarkOwl analysts also observed that EMF-based technologies and associated hardware could be purchased from darknet marketplaces and improvised using COTS products to conduct targeted rogue AHIs and human neurological experimentation.

During the course of our investigation, we also uncovered evidence of electromagnetic frequency generators, designed for jamming wideband telecommunications signals such as GSM, LTE, and GPS, for sale on darknet marketplaces for under $500 USD.

With the knowledge provided across other darknet and OSINT sources about ADSs, the device could be easily improvised and repurposed for a malicious objective. DarkOwl detected an advertisement for limited quantities of a military-grade frequency jammer in September 2020 for $1,200 USD.

The documents shared on that darknet domain include specific frequencies and intensities of unique RF and DE waveforms said to cause specific bioeffects, and could easily be replicated by hobbyist electrical engineers with access to darknet and deep web content.

In one circumstance, a San Francisco-based Medium user known as “Jay” has purportedly been “targeted by DEW [directed energy weapons] for the last four years” and has since been researching directed energy extensively to better understand the threat. As of November 2018, he had concluded the frequency of the threat fell within the range of 18 to 50 GHz, based on measurements conducted with commercial off-the-shelf (COTS) Narda and TriField electromagnetic frequency (EMF) meters.

Other deep web sites also include posts with detailed step-by-step instructions for how to make “Home Made” Active Denial Systems using commercially-available 2.4GHz wavelengths using items readily available inside someone’s residence. The author implies the length of the 2.4GHz waveforms can remotely induce headaches, fevers, cataracts, or other chronic-fatigue symptoms in a human target.

“Home Made” Directed Energy Weapon described on the deep web (Source redacted for security purposes)

AHI conspiracy theories on the darknet and deep web

At the conclusion of our analysis, we determined that most of the content related to AHIs from underground darknet and deep web sources is driven by conspiracy theories. For example, in July 2021, one user on a Telegram channel postulated that “Havana syndrome” and “Monkeypox” were a concerted agenda to cover up adverse reactions from the COVID vaccination.

By and large, this type of fear, uncertainty, and doubt is widely circulated and quite popular across the deep web, particularly in “anti-vax” communities, and is clearly not remotely accurate, given AHIs were recorded well before the COVID-19 pandemic.

Source DarkOwl Vision DocID: 5c860642d80f221e6a86199fb915877285140bea

Long before reports of AHIs surfaced in public news media, the darknet and its associated underground communities housed a considerable population of anti-government advocates with deep-rooted beliefs in a “deep state” – including the notion that western governments sanction and/or actively conduct non-consensual psychological and neurological experiments on their populations.

Believers are equipped to evangelize other forum and chatroom members, armed with reports relating to government projects like MKUltra, NSA’s TEMPEST, and “Silent Talk” and detailed research pertaining to peripheral topics such as synthetic telepathy, active denial systems, and psychotronic influence. Many times, such users are quickly labeled “tin-foil hats” and easily dismissed; however, DarkOwl analysts have witnessed their influence increase since the Guardian published information leaked by Edward Snowden and since the increased circulation of reports of AHIs outside of Cuba and China.

Some darknet discussion forum users assert they had been targeted with directed energy attacks in a similar fashion to the AHIs reported by deployed State Department personnel. There is no way to confirm the veracity of such statements.

Darknet users discussing the Havana Syndrome (Source: DarkOwl Vision -DocID: 47c5b3b89f1176fe6f025b3346af860fcb680d49)

Some deep web users have also been circulating blog content from the surface web that supports the idea of a global New World Order with the ability to control mass populations and target individuals with AHIs for a specific and often nefarious agenda. Users point to the persecutory delusion known as “gang stalking” and associated websites replete with technical and academic content in an attempt to legitimize their conspiracy theory and their perception of being targeted directly by the government.

  • According to DNS records, the blog referenced above (gangstalkingmindcontrolcults.com) is hosted on a server at the IP address: and is located in Menifee, California.


During the course of our research, our analysts identified a significant quantity of Havana Syndrome-related information across numerous sources in the underground. Much of this information is directly tied to anti-US propaganda, disinformation campaigns, and baseless conspiracy theories. However, there is also legitimate information on active denial directed energy weaponry circulating in a violence-inciting atmosphere on the deep and dark web, which can easily enable and embolden an ordinary person’s ability to successfully carry out sinister attacks using AHI technology.


Disappearance of Darknet Markets Points to Potential Exit Scams or Seizures

After observing unusual darknet marketplace activity over the past few weeks, our analysts performed a retrospective investigation that uncovered a wide-scale shift of the active-marketplace spectrum. This investigation was prompted by the observation that, over the last two weeks, a number of prominent darknet marketplaces suddenly went offline without any indication of their return, or any explanation regarding the cause of their disappearance. Upon further analysis, data demonstrated that in late December, URLs for over 30% of the known darknet markets operating on Tor would not load. The volume of downed marketplaces prompted DarkOwl’s team to take a closer look, only to discover an underground community as perplexed as we were.

Was this the result of a coordinated marketplace Exit Scam?

Figure 1: Graph depicting the status of darknet markets over the last 9 weeks

In response to this sudden mass-closure of darknet markets, users on the popular discussion forum Dread suggested that it was a concerted “Exit Scam.” So, what is an exit scam?

The darknet is home to many a scammer, and darknet marketplaces have historically been a high-stakes risk for buyers, who will often deposit cryptocurrency on the market “in escrow” to transact with illicit-goods vendors through the market. Over the years, DarkOwl has witnessed several marketplaces shut down without warning to their buyers or vendors and escape with several million dollars’ worth of their customers’ cryptocurrency in the process. The same can occur with vendors who take their buyers’ funds for a good or service and never deliver. Either scenario is referred to as an “exit scam.”

Very few marketplace administrators publicly “retire” and gracefully shut down their operations like White House Market (WHM) did back in October 2021.

More often, the darknet rumor mill across forums and discussion boards hints at the potential “exit scam” of a market a few weeks prior to its disappearance. For example, when Wall Street Market (WSM) shut down in April 2019, it was believed that WSM admins had exit scammed their buyers and vendors, with one moderator further attempting to extort the market’s users for 0.05 BTC or risk having their known physical addresses of record from transacting on the market leaked. Shortly after, Germany’s criminal police unit, known as the Bundeskriminalamt (BKA), announced they had seized the market and its digital infrastructure and arrested at least three administrators in Germany.

Tracking the online/offline status of darknet markets per week

DarkOwl analysts compiled the following table, which tracks the status of each darknet marketplace in question over the course of the weeks during which the heightened activity occurred.

A market’s status is changed to CLOSED once the market has been OFFLINE for 3 to 4 weeks in a row or the administrator of the market has announced retirement or exit scam on a public discussion forum or Dread subdreadit.

Figure 2: Chart depicting the status of darknet markets over the last 9 weeks

Did persistent DDoS attacks lead to marketplace admin retirements?

Other theories around this shift in the market point to the potential scenario of administrator burnout and subsequent retirement after reportedly repeated DDoS attacks in recent months.

In the middle of December, Torrez Market officially announced its retirement, with the market admin, known as mrBlonde, advising darknet users to “use common sense” and avoid using an “established market,” stating that the older a market gets, the more likely it is to collapse.

Shortly before the new year, a DDoS attack appeared to have affected a handful of markets, including Cartel Market, who posted they were experiencing outages which took the market offline without any official word from their administrator. Vendors on the market suggest they lost access to their accounts prior to the DDoS attack.

Around the same time, Cannazon also suffered a DDoS attack and then posted they were “retiring” and not pulling an exit scam.

“Everyone knew this day would come. No market will be here forever. We are officially retiring.”

— Cannazon Team PGP Message

DDoS attacks prior to a market shutdown have been the “canary in the coal mine” for a market seizure by an international law enforcement effort. Law enforcement could have easily taken over the Cannazon admins’ accounts and posted the PGP message on Dread. Nevertheless, there are some indications from the darknet community that a war between marketplaces has emerged in recent weeks, with DDoS as the weapon of choice.

As of the time of writing, users of World Market stated they were getting 502 errors and the market appeared to be under heavy DDoS attack. Two days ago, the market administrator, Lovelace, posted a message directed at Dark0de claiming the competitor market’s team was using a circuit tool attack (DDoS) against World Market’s main mirror and ASAP Market. The comments included a lengthy post by DeSnake, the administrator of the recently revitalized AlphaBay Market.

Coincidentally, the URLs for the market called “Potluck Market” have, since mid-November, been redirecting to World Market. Potluck Market supposedly closed back in late 2020 after a scandal ensued when the market staff hired a known pedophile. Potluck staff member Florida shared, in a lengthy post on Dread shortly before the closure, how verifying staff before hiring is as important as any other part of OpSec.

Late last week, Dark0de was also inaccessible and two weeks ago the market’s admin posted they too were under DDoS attack on their Dread subdreadit.

DarkFox market was offline for over 5 days for “maintenance” and many Dread users feared it too was exit scamming, but as of time of writing, the market appears back online and stable along with a new mirror equipped with “anti-DDoS filters.”

On a German discussion forum, one user posted that they believe Monopoly Market – offline since the end of 2021 – had also exit scammed.

Users on Dread have been equally concerned, with posts titled “RIP Monopoly” on the market’s subdreadit. The moderator for the subdreadit, ShakyBeats, proposed locking down the board until word from the market administrator was heard. Another user indicated that the exit scam theory was weak considering that a week before the market went down the administrator launched an “update” to the market server software that updated critical dates of vendors’ and buyers’ activities for orders on the market. The user theorized this would be wasted effort if the administrator had planned to scam a week later.

Notably, after the DDoS attack that impacted Cartel, around the end of December, several markets including: ASAP, Yakuza, TOR2Door, Monopoly, Archetype, and TOR Market all went offline and seemingly headed to a “CLOSED” status. But this week, TOR2Door and TOR Market rallied back online.

Versus Market, a popular market throughout 2020 and offline since early November after enabling DDoS protection, also suddenly reappeared operational without any announcement of their return.

Four other markets: Quest, Hermes, Nemesis, and MGM Grand also appeared back online after being offline since early November. DarkOwl has no indication these market administrators are working together, but their appearance all at the same time is suspicious.

–   DarkOwl Vision has had knowledge of Nemesis market since fall of 2021, and the market’s launch page claims it has been operational since May 2021. The subdreadit for the market, /d/NemesisMarket, has been banned for rules violations, suggesting this market may have been run by scammers.

–   The Hermes subdreadit appeared on Dread a year ago with a post from the market moderator, Stitch3s, claiming they had 500 users registered on their market. There has been no new activity since the re-launch.

Final Thoughts

DarkOwl determined during this quick analysis that darknet markets are experiencing instability, with many markets either under heavy DDoS or possibly on the verge of an exit scam. DarkOwl believes Monopoly, Cartel, Yakuza, and Archetype are offline permanently and that Torrez and Cannazon exited due to retirement.

While some suspect that it was a large-scale Exit Scam operation, others have hinted that it could be the by-product of an international law enforcement operation. Interestingly, at the end of last week, seven of the markets that were previously offline and had been assessed as closed permanently rose from the ashes, only eliciting further skepticism around the markets and their credibility in general.

It’s unclear whether the DDoS activity against the markets that have recently disappeared is related to law enforcement activity, as the Justice Department has yet to post any seizure banners or make any official announcements. DarkOwl will continue to follow this closely and provide more information as it becomes available.


Tor project announces domain name scheme shift

Last summer, the Tor Project announced that in October it would be ending support for its legacy v2 domain naming scheme, and began encouraging darknet administrators to start migrating their hidden darknet websites – known as onion services – to the more secure v3 address scheme. For non-technical users of the Tor anonymous network, this may seem inconsequential and not applicable to them, except that Tor’s onion service addressing nomenclature – designated as v2 versus v3 – is the primary mechanism by which services hosted on the network are accessed.

Maintaining persistent access and knowledge of this darknet landscape is critical to provide continuous coverage of data from the dark web.

When the projected time of the cutover came in mid-October, Tor services were not immediately “shut off” and inaccessible as expected. Tor project removed v2 introduction points with Tor version 0.4.6, but the effects are only realized for relay operators that updated their node with the latest software version.

Within that month, Tor Project did update the Tor Browser to version 10.5.10, disabling v2 and rendering v2 onion services unavailable. However, DarkOwl discovered deprecated v2 onion services are still accessible with legacy browser client executables. Then, just this week, Tor Project released Tor Browser 11.0.1, which includes additional features like a blockchain explorer.

Now that v2 onion services are no longer supported by the Tor Project, DarkOwl estimates a decrease of 62% of known onion services across the Tor network.


In the last year, many onion services providers on Tor have published both a v2 and v3 address, which replicates their website content on both address types to ease the transition and “mirror” the content accordingly, thereby minimizing content loss. Read below for more details on the evolution of the different onion service address types and why v3 addresses are preferred.

How Many Tor v3 Onions Have Emerged?

DarkOwl maintains one of the largest databases of Tor darknet content, including historical and “deep” darknet records. DarkOwl’s crawlers monitor the Tor network for mentions of Tor onion services, schedule newly discovered v3 addresses for crawling, and index the content into its searchable Vision SaaS platform for its clients to access.

Due to the nature of the network and its privacy-focused topology, it is impossible to quantify the real number of services operating on the network at any given time. V2 onion descriptor information is stored in plain text in the hidden service directory (HSDir) and at one time provided some indication of the volume of services available, but such information is not available for v3 services.

In fact, according to Tor Project metrics, there could be upwards of 600,000 v3 onion services active in the network, but that number is extrapolated from relays operating as onion-service directories.

A recent technical blog on v3 onion services suggests many of the v3 services are “barely used” – or set up merely to act as slave services for a malicious botnet.

In the last six weeks, DarkOwl’s Vision platform has observed an average of 104,095 active .onion services across both address schemes of which: 62% are v2 addresses and 38% are v3 addresses.

These numbers are determined by a daily snapshot of DarkOwl’s collection stack seeded by DarkOwl’s network intelligence gleaned by crawling the network 24/7 since 2016. These numbers are not reflective of the true total number of onion services active in the network on any given day.

DarkOwl analysts also noted that during the month of July 2021, when the option to create new v2 onion services was removed from the codebase by Tor Project, DarkOwl Vision witnessed a surge in new v3 addresses and identified 2963 new v3 onions in the last two weeks of July alone.

Figure 1: Average Number of Onion Services Online According to DarkOwl’s Database

Tor Users Respond

Most Tor onion service providers have embraced the network address deprecation and encouraged their visitors to add their new v3 address to their browser bookmarks.

Some darknet website administrators assumed the v2 onion services were already inaccessible back in July and disabled all their v2 addresses when the Tor Project simply disabled the creation of new v2 services in the 0.4.6 release last summer.

Figure 2: Tor Onion Service Provider’s Deprecation Announcement on I2P. Source: DarkOwl Vision Document

Other users are skeptical of the shift, especially those that firsthand experienced multiple concerted v3 onion service outages in January. All v3 onion services were offline for more than 3 hours at a time when the consensus health check failed, due to excessive traffic directed at the directory authorities – possibly due to uncontrolled DDoS between darknet markets.

According to the Tor Project, the implementation bug was fixed in the July 0.4.6 release to default to a “reasonably live” version of the consensus health when a “live” consensus is unavailable.

Figure 3: DarkOwl Vision Document about the v3 onion service outage due to consensus health. Source: DarkOwl Vision Document

History of Tor & Decentralized Network Security

The original purpose of “The Onion Router” (Tor) protocol was to provide US government intelligence operatives in the field with secure communications without compromising their digital or physical location. In 1996, the first “0th generation” onion router (OR) was set up as an experiment in encrypted network topology in a virtual environment on a single computer. Because it included export-restricted technology, the “1st Generation” Tor was developed and was successful in its mission of providing a concealed internet for the US government for several years. By the year 2000, the “1st generation” Tor had reportedly served upwards of 5 million network accesses a day. In 2003, the “2nd Generation” Tor came along with network improvements, which is where the term “onion v2” originates. DarkOwl Vision users can read more in DocID – f4dafdd81bd9dac95d017a84d4c39d1c71f7dd5f

In 2006, when the US Naval Research Laboratory handed over Tor to a group of volunteers at the Tor Project, the network’s purpose became to provide a decentralized, censorship-resistant platform for users to communicate and share information.

The Tor platform quickly became a haven for criminal activity, facilitating anonymous communication across underground digital communities and forums, elaborate drug marketplaces, child pornography and human trafficking. Consequently, deanonymizing onion services hosting criminal content has been a focus of many three-letter government and law-enforcement (LE) agencies around the world. Academic researchers and computer network science experts have received numerous grants and government funding to extensively study deanonymization attack methodologies, and many journal publications exist.

Over the years, DarkOwl has witnessed successful deanonymization through various techniques, including rendezvous point circuits (a.k.a. the cookie attack), time-correlation attacks, distributed denial of service attacks that force a criminal onion service onto a LE-controlled guard node (a.k.a. the sniper attack), and circuit fingerprinting attacks.

Tor Project states that v3 onion service addressing is secure against enumeration attacks as well as other attacks that aren’t related to keys, whereas v2 is exposed to the following:

  • An adversary who runs a relay on the Tor network can slowly learn a list of all the v2 onion services, via the v2 HSDir system.
  • An adversary who can factor 1024-bit RSA keys can impersonate a v2 onion service.
  • An adversary who can generate around 2^40 RSA keys can expect to generate two that correspond to the same onion address (a collision attack).

Earlier this year, German researchers published a TLS traffic analysis attack methodology, demonstrating 100% successful Tor onion service deanonymization in 12.5 days or less.

Tor v2 versus v3

Tor onion service addresses are intentionally not memorable, relying on a random-looking string of non-mnemonic letters and numbers followed by the “.onion” top level domain (TLD). This string is automatically generated from the service’s public key when the onion service is first configured.

V3 onion service addresses are discernible by their lengthy 56-character address, e.g. Tor Project’s v3 address looks like: http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid[.]onion, whereas its v2 address is 16 characters: http://expyuzz4wqqyqhjn[.]onion.

The 16-character v2 address is the base32 encoding of an 80-bit value derived from the onion service’s RSA public key, whereas the v3 address encodes the service’s 256-bit Elliptic Curve Cryptography (ECC) public key. Either way, the onion service address is essentially a cryptographic representation of the originating service’s identity, which is a principal justification for network administrators encouraging exclusive use of the more secure form of addressing.

The v3 address utilizes SHA3/ed25519/curve25519 cryptography, which is considerably more secure than the SHA1/DH/RSA1024 cryptography behind v2 addresses. The v2 addresses had been the standard for 15 years, and the network was overdue for a more secure mechanism to become standard.
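To make the two address layouts concrete, the following is an added example (not DarkOwl’s or the Tor Project’s own code) that classifies an address as v2 or v3 by its label length and, for v3, splits it into the ed25519 public key, the two-byte checksum and the version byte and verifies the SHA3-256 checksum. It assumes the v3 layout from the Tor rendezvous specification (base32 of PUBKEY || CHECKSUM || 0x03, with CHECKSUM = SHA3-256(“.onion checksum” || PUBKEY || 0x03)[:2]) and uses the two Tor Project addresses quoted above as input.

```python
"""Parse and validate Tor onion service addresses (added example, not DarkOwl's
or the Tor Project's code).

Assumed layout (Tor rendezvous spec):
    v3: base32(PUBKEY[32] || CHECKSUM[2] || VERSION[1]) + ".onion", VERSION = 0x03
        CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
    v2: 16 base32 characters (80 bits of a truncated SHA-1 hash of the RSA key)
"""
import base64
import hashlib

V3_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"
BASE32_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"

# Addresses quoted in the article above; the defanged "[.]onion" form is accepted.
TOR_PROJECT_V3 = "http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid[.]onion"
TOR_PROJECT_V2 = "http://expyuzz4wqqyqhjn[.]onion"


def onion_label(addr: str) -> str:
    """Return the bare base32 label of an onion URL or hostname, lower-cased."""
    addr = addr.strip().lower().replace("[.]", ".")
    for scheme in ("http://", "https://"):
        if addr.startswith(scheme):
            addr = addr[len(scheme):]
    host = addr.split("/", 1)[0].split(":", 1)[0]  # drop any path and port
    if not host.endswith(".onion"):
        raise ValueError("not an .onion hostname: %r" % addr)
    return host[: -len(".onion")]


def _is_base32(label: str) -> bool:
    return all(c in BASE32_ALPHABET for c in label)


def classify_onion(addr: str) -> str:
    """Classify by label length: 16 base32 chars -> v2, 56 -> v3, else invalid."""
    try:
        label = onion_label(addr)
    except ValueError:
        return "invalid"
    if not _is_base32(label):
        return "invalid"
    if len(label) == 16:
        return "v2"
    if len(label) == 56:
        return "v3"
    return "invalid"


def v3_checksum(pubkey: bytes, version: bytes = V3_VERSION) -> bytes:
    """Two-byte checksum that binds the key and version byte into the address."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + version).digest()[:2]


def encode_v3(pubkey: bytes) -> str:
    """Build a v3 address from a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + v3_checksum(pubkey) + V3_VERSION  # 35 bytes -> 56 base32 chars
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def decode_v3(addr: str) -> dict:
    """Split a v3 address into its fields and verify the embedded checksum.

    A wrong checksum or version byte means the address was mistyped, truncated
    or tampered with; a Tor client refuses to connect to such an address.
    """
    label = onion_label(addr)
    if len(label) != 56 or not _is_base32(label):
        raise ValueError("v3 label must be 56 base32 characters")
    raw = base64.b32decode(label.upper())  # 56 chars * 5 bits = 35 bytes, no padding
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:35]
    return {
        "pubkey_hex": pubkey.hex(),
        "version": version[0],
        "checksum_ok": version == V3_VERSION and checksum == v3_checksum(pubkey),
    }


if __name__ == "__main__":
    for a in (TOR_PROJECT_V2, TOR_PROJECT_V3):
        print(classify_onion(a), a)
    print(decode_v3(TOR_PROJECT_V3))
```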

The Tor Project announced it would be deprecating the v2 address format in July 2020 and outlined a specific timeline for the deprecation process, first removing the option to create new v2 onion services earlier this year and then releasing a new network client and browser in October that rendered v2 onion services inaccessible.

1. September 15th, 2020

0.4.4.x: Tor will start warning onion service operators and clients that v2 is deprecated and will be obsolete in version 0.4.6.

2. July 15th, 2021

0.4.6.x: Tor will no longer support v2 and support will be removed from the code base.

3. October 15th, 2021

Release Tor client stable versions for all supported series that will disable v2 entirely.

Tor Development Continues and v2 [WARN]

In July, Tor Browser began displaying a “deprecated soon” warning message every time a v2 onion service was accessed. Since mid-October, instead of the warning page, the Tor Browser client log records numerous [WARN] messages when the client accesses a legacy v2 onion service, despite displaying the website contents in the browser.

Figure 4: Deprecation Warning Notification on all v2 Onion Services from July 2021 onward

According to the developer’s comments on the Tor Project’s Github, eliminating v2 from the Tor network involves:

o   Modifying HSDir to stop accepting or serving v2 descriptors.

o   Stopping introduction points from allowing introductions for v2.

o   Refusing the TAP connection from the service side for rendezvous points.

Figure 5: Tor Browser Application Logs Warning of Deprecated Onion Service Connection. Tested with TBB version 10.5.8.

These changes were scheduled to be released with version 0.3.5.x-final, but the actual release date of that update is unclear and no due date was specified. Even though the introduction points no longer allow v2 onion service introductions, the effects of this will not actually be realized until every relay operator updates to the latest version of the Tor executable with these changes.

In early October, Tor Developer David Goulet edited Tor Project issue #40476 removing the 3rd bullet above stating:

“I decided to NOT remove the Rendezvous code path for TAP connections as it would create more complexity to the patch for which I'm trying to keep minimal.” - David Goulet, Tor Developer

Goulet merged the ticket with the one for disabling SOCKS connections for v2 addresses in mid-October and closed the ticket.

Interestingly, in version tor-, last modified less than a month ago, developer release notes focus on a new consensus method for v3 network congestion control and closes ticket #40476 by returning “bad hostname” for v2 onion service addresses.

Onion service v2 addresses are now not recognized anymore by tor meaning a bad hostname is returned when attempting to pass it on a SOCKS connection. No more deprecation log is emitted client side. Closes ticket 40476.

As of October 26th, Tor source code version was available for download from the Tor Project and appears to incorporate all the changes mentioned above. One minor difference our analysts noted is that the changelog states, “Send back the extended SOCKS error 0xF6 (Onion Service Invalid Address) for a v2 onion address” instead of “bad hostname.”

And v4 is already here

In 2019, rumors of a v4 onion service address emerged and many Tor onion service network administrators supposedly already mirror their content on v4 addresses.

The v4 onion services reportedly use less CPU computation and subsequently less electricity, reducing e-pollution. There is allegedly also additional error handling, improved bootstrap reporting, and support for adaptive circuit padding to prevent time-based deanonymization attacks.

DarkOwl has not observed any v4 addresses in the network, nor has Tor Project released any documentation about v4 addresses for confirmation or analysis.


A Look Back at the Top Darknet Events of 2021 & Predicting Upcoming Trends

As companies across all industries continue to prepare and bolster their security structure for 2022, DarkOwl analysts have performed a review of key darknet-oriented security events from the past year and summarized them in the list provided below.

For each summary, our analysts also provided a predictive forecast estimating whether the type of threat would continue in 2022. Each event is scored with either the assessment “likely to decline”, “likely to continue” or “likely to escalate.” Additional predictions are found at the end of the look-back analysis.

1. Ransomware Groups Lethality Increases Through Sophisticated Persistence and Detection Evasion

In 2021, ransomware-as-a-service (RaaS) gangs stepped up their operational playbook by utilizing backdoors to maintain persistent access to their victims – which allowed them to retain access both during an attack campaign and then potentially long after ransom payment was applied and decryption keys were released.

One of the most noteworthy examples of this is the widely known botnet Trickbot, which was weaponized and has since been assessed as part of the arsenal of the Conti and Diavol RaaS gangs. Dubbed “Trickboot,” this backdoor component acts as a UEFI/BIOS bootkit. DarkOwl archived its research and observations from the darknet in the whitepaper titled Establishing Footholds: A look at Ransomware-as-a-Service from 5,280 Feet earlier this year.

Korean researchers also published their discovery that malware could be installed on some solid-state drives (SSDs) in devices with “flex capacity”, a hidden area called over-provisioning for use by the device manufacturer for optimization. In December 2021, BleepingComputer highlighted that while the technology to conduct such attacks was readily available, there is no indication any such attacks are occurring in the wild – just yet.


2. InsureTech Industry Booms In Attempt to Underwrite Policies for Cyber Attacks Against Commercial Organizations

A decade ago, we had no construct of the concept of “Cyber Insurance,” nor did we ever think such a policy would be required. Underwriters are now faced with the challenge of determining the security risks facing an organization with little statistical data and actuarial information to work from. Despite these challenges, the insurtech industry is booming in a race to quantify the risks an ever-evolving threat presents to their clients and themselves.

This year, we witnessed cyber insurer CNA become a victim of ransomware after Russian criminals encrypted their network with the Phoenix Locker. CNA reportedly paid $30 Million USD to the criminals to regain access to their systems. Shortly after, REvil was spotted taunting their victims with their own cyber insurance policies in attempts to leverage them into paying higher ransoms.


3. Critical Supply Chain Attacks Highlight Vulnerability of Software Dependent Systems

2021 was definitely the year of supply chain attacks. Between Kaseya, Accellion, and, rounding out the year, Log4Shell, cyber criminals demonstrated how effective malicious software updates and unpatched vulnerabilities in dependent software really are.

  • REvil is believed to have exploited over 2,000 victims after replacing Kaseya’s Virtual System Administrator (VSA) software auto-update with their ransomware program.
  • Luckily, developers appear to have won the race to patch the Apache log4j vulnerability, with CISA officially stating that other than an attack against the Belgian Ministry of Defence, most Log4Shell-type attacks have had minimal impact, e.g. cryptomining.
  • DarkOwl uncovered dozens of mentions of malicious Github repositories containing log4j-related exploits on darknet malware forums and discussion groups.

Unfortunately, vulnerabilities similar to the log4j attack vector – malicious remote code execution via the Java Naming and Directory Interface (JNDI) – have been uncovered affecting the H2 Java SQL console as well.


4. Data Brokers and Access as a Service Surge as Major Darknet Commodity

Data brokering has been a viable darknet commodity with offers for databases for sale regularly across darknet and deep web forums. During 2021, DarkOwl observed “access-as-a-service” develop as a major darknet commodity serving RaaS operators and organized cyber criminal groups. For example, some “initial access brokers” offered for auction a domain administrator credential for a potential multi-million dollar victim on some popular darknet forums. Such credentials sell quickly at upwards of $30,000 USD.

Other criminals offer subscription model data services with persistent access to sensitive and confidential intelligence for a monthly fee.


5. Infamous REvil Gang Finally Shut Down, But Over a Dozen New RaaS Gangs Emerge Shortly After

In October, Tor sites for REvil went officially offline signaling an end to their operations after the FBI compromised the server backups for the notorious RaaS gang. DarkOwl witnessed and detailed darknet forum drama shortly after their disappearance.

Despite REvil’s departure from the RaaS scene, LockBit has stepped up to assimilate the surviving REvil affiliates and has increased its operations considerably.

DarkOwl has detected over a dozen new RaaS groups emerge in the last 90 days, including Sabbath, Cerber 2021, and Khosari.


6. Attacks Against Healthcare Organizations by Cyber Criminals and RaaS Groups Despite Claims They Would Not Target Medical Industry

In the last year, attacks against healthcare groups have increased, exposing a significant volume of patient personally identifiable information (PII) on the dark web.

Hundreds of hospitals have been impacted by ransomware resulting in turning away patients who need critical care. It’s unclear how many deaths and/or preventable injuries have occurred as a result of ransomware and cyber criminal campaigns against medical institutions.

DarkOwl has observed several adjunct medical groups, optometry, pharmacy, and DNA diagnostics centers’ data for offer on darknet markets.

Previously, RaaS gangs had demonstrated some veil of morality claiming they would not target the medical industry.


In 2021, darknet fraudsters continued to exploit government subsistence programs for unemployment and small business funding. DarkOwl estimates the going rate for a detailed unemployment fraud method varies between $200 and $300 USD and is offered specifically by state, suggesting that different state unemployment systems may require unique techniques for direct exploitation.

Further, DarkOwl uncovered that the darknet has numerous offers for COVID testing and vaccination-related fraud, such as negative PCR test results and COVID vaccine certificates for as little as $150 USD.


8. Increase in Darknet Marketplaces Use of Alternative Cryptocurrencies

DarkOwl found that the total number of darknet marketplaces tripled by the end of the year and 86% of the active markets support Monero in addition to Bitcoin. In recent years, darknet criminals have been demanding currency alternatives to the traceable Bitcoin be available and Monero appears to be the leading contender in darknet marketplaces.

Many of the markets also accept Litecoin, but less-trusted coins are also seeing some acceptance. Global Dreams Market surprisingly accepts DogeCoin and Evil Corp Market began accepting Dash earlier this year.

Additionally, the infamous darknet marketplace AlphaBay came back to life and revived use of the I2P peer-to-peer network.


9. Colonial Pipeline Ransomware Attack Highlighted Critical Infrastructure Risk

In early May 2021, Colonial Pipeline was forced to shut down its pipeline after suffering a ransomware attack carried out by the RaaS organization known as DarkSide. The criminal gang successfully accessed Colonial’s networks simply by using the credentials for an old VPN account that the group had discovered on the darknet. Colonial did not have multi-factor authentication (MFA) turned on for the account, which could have prevented the intrusion.

The shutdown caused shortages of fuel across the Southeastern United States and resulted in increased fuel prices and economic impact for months afterwards.

The ransomware attack highlighted how vulnerable critical infrastructure is and the immediate and pressing need to shore up critical utilities and telecommunications infrastructure networks from future attacks. Not only are the services rendered unusable for a significant amount of time, but the financial impacts ripple throughout the economy and destabilize the supply chain.


10. 8kun Reputation Hit by Jan 6th Insurrection; Surge in Activity Across Alternate Darknet Imageboards

After the violent siege on the U.S. Capitol on January 6th did not result in former President Trump being declared winner of the 2020 U.S. Presidential Election, 8kun enthusiasts and Qanon followers from the murkier corners of the dark web were greatly disenchanted that Q’s predictions of a real-life political “reckoning” for the alleged deep state cult never were realized.

As a result, in 2021, 8kun (a.k.a. 8chan, led by Ron and Jim Watkins) became less popular in the darknet as many MAGA believers who frequented the dark web service left to return to their lives and the reality that Biden was officially U.S. President.

There was also plenty of fear at increased law enforcement surveillance on the board as they searched for alleged participants in the January 6th riots.

This fear also led to many ‘anons’ dispersing to other existing imageboards on the darknet and the formation of new “chans” around the deep web. In the summer of 2021, DarkOwl identified over two dozen new imageboards — not affiliated with 4chan or 8kun — many in non-English languages, supporting these refugees. Over the year, board chatter focused on COVID-specific conspiracies and misinformation campaigns centered on vaccine safety and efficacy as well as international rules regarding quarantine, travel, and vaccine mandates.


11. Iran and Israel Continue Shadow Cyber War

In the last year, DarkOwl has witnessed a surge in Iranian- and Israeli-specific leaks on the darknet, signaling an escalation of the shadow cyber war between the two countries. Similarly, new ransomware groups like Moses Staff — likely affiliated with Pay2Key and/or BlackShadow — attack critical targets in Israel without demanding ransom payment, suggesting the attacks are politically, not financially, motivated. In November, Israel’s Cyber Unit claimed responsibility for shutting down websites for BlackShadow after the cyber criminals leaked the user database of a popular LGBTQ+ dating app in Israel, Atraf.

In October 2021, over 4,300 gas stations across Iran were rendered inoperable by a cyberattack, possibly a result of the ongoing conflict with Israel. Then, in early January 2022, on the anniversary of the death of Iranian general Qassem Soleimani, two Israeli media websites were defaced with an ominous message on his behalf and an image of a fist and a missile striking Israel's nuclear facility at Dimona.

Neither country shows any sign of slowing its cyberattacks against the other, and security researchers around the world fear the conflict will eventually spill over onto Western nations' infrastructure.


12. Tor Deprecation Changed The Shape, Volume, and Perceptions of the Darknet

Last October, darknet users braced themselves for the deprecation of the legacy v2 "hidden" onion services, expecting a concerted network shift to the more secure v3 onion service architecture (56-character addresses derived from an ed25519 public key, rather than the 16-character v2 addresses derived from a truncated SHA-1 hash of an RSA-1024 key). Because many relays were still running older Tor releases that continued to route v2 services, many domains we expected to disappear overnight persisted for weeks. Once the Tor Project released version 11.0.1 of the Tor Browser Bundle, which dropped v2 support entirely, legacy onion services were no longer reachable from the browser. DarkOwl estimates this resulted in the disappearance of over 64,000 active domains.
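As an added illustration (not DarkOwl's code or tooling), the following Python classifies onion hostnames by address version so that a watchlist or index can be triaged for domains that became unreachable with the v2 shutdown. It implements the v3 address layout from Tor's rend-spec-v3 (base32 of pubkey || checksum || version, where the checksum is the first two bytes of SHA3-256 over ".onion checksum" || pubkey || version and the version byte is 0x03) and verifies that checksum, which also catches mistyped or tampered v3 addresses. The sample hostnames and the public key used to build the v3 example are constructed for this demonstration.

```python
import base64
import hashlib
import re

# Added example, not DarkOwl code. Address format per Tor rend-spec-v3:
#   onion_address = base32(PUBKEY | CHECKSUM | VERSION) + ".onion"
#   CHECKSUM      = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2]
#   VERSION       = 0x03, PUBKEY = 32-byte ed25519 public key
# v2 addresses are 16 base32 chars (80 bits of SHA-1 over an RSA-1024 key)
# and carry no checksum, so only their shape can be checked.
V3_VERSION = b"\x03"
V2_RE = re.compile(r"^[a-z2-7]{16}$")
V3_RE = re.compile(r"^[a-z2-7]{56}$")


def _v3_checksum(pubkey: bytes) -> bytes:
    return hashlib.sha3_256(b".onion checksum" + pubkey + V3_VERSION).digest()[:2]


def make_v3_address(pubkey: bytes) -> str:
    """Encode a 32-byte ed25519 public key as a v3 onion hostname."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + _v3_checksum(pubkey) + V3_VERSION
    # 35 bytes -> 56 base32 chars, no padding
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def classify_onion(address: str) -> str:
    """Return 'v2' (deprecated), 'v3', 'v3-bad-checksum', or 'invalid'."""
    label = address.strip().lower()
    if label.endswith(".onion"):
        label = label[: -len(".onion")]
    if V2_RE.match(label):
        return "v2"
    if not V3_RE.match(label):
        return "invalid"
    raw = base64.b32decode(label.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != V3_VERSION or checksum != _v3_checksum(pubkey):
        return "v3-bad-checksum"
    return "v3"


def triage(addresses):
    """Count hostnames per class; 'v2' is what disappeared after Tor Browser 11."""
    counts = {}
    for addr in addresses:
        kind = classify_onion(addr)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample watchlist: one v2-shaped name, one valid v3 built
    # from a dummy key, one corrupted v3, and one non-onion host.
    sample_v3 = make_v3_address(bytes(range(32)))
    corrupted = sample_v3[:52] + ("a" if sample_v3[52] != "a" else "b") + sample_v3[53:]
    watchlist = ["abcdefghijklmnop.onion", sample_v3, corrupted, "example.com"]
    for host in watchlist:
        print(f"{classify_onion(host):16s} {host}")
    print(triage(watchlist))
```

Hostnames that classify as `v2` are the ones worth purging or re-sourcing from an index, since no current Tor client will resolve them; a `v3-bad-checksum` result usually means a transcription error in a leaked or scraped link rather than a live service.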

Besides Tor, privacy enthusiasts and long-time darknet users have been eagerly exploring other anonymous "dark" networks, including mesh networks like Yggdrasil and Web 3.0 networks like Peernet. We anticipate that use of such networks will increase in the near future.


Copyright © 2022 DarkOwl, LLC All rights reserved.
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.
