Since the beginning of July, information security researchers who have been keeping up with the darknet ransomware community have been anxiously awaiting the debut of AvosLocker’s official Tor service, which will be used as a forum for the ransomware-as-a-service (RaaS) group to communicate with the public about their victims. In early July, DarkOwl observed a v2 Tor onion service branded with AvosLocker’s name and brand logo – a purple bug with green-tipped antennae – stating that the reader’s (victim’s) network and hard drives had been “encrypted using AES-256 military grade encryption.”

The landing page (pictured below) included a simple form where victims with an “ID” could enter the darknet service to begin negotiations with the AvosLocker team on their ransom payment and status of their extorted data. An ID is only available to those who received a ransom note upon encryption of their computer networks.

The new onion service – collected by DarkOwl automated crawlers on the Tor anonymous network earlier this week – lists at least six victims consisting of a mixture of transportation and logistics corporations and legal firms across the globe.

Editors note: DarkOwl has intentionally chosen not to disclose the victims’ names and has sanitized all mentions of victims in the screen captures below included in this piece

DarkOwl also detected an AvosLocker affiliate registration and login portal on their original v2 Tor service. The registration form indicates AvosLocker issues invitation codes for access to the domain.

There is no mention of AvosLocker or their logo on the affiliate-related portal onion services (pictured below).

Returning back to AvosLocker’s debut of their new, branded onion service, it is worth noting that ransomware operators set up public PR-oriented blogs for any number of reasons:

1.     They are truly a brand-new ransomware operator conducting ransomware campaigns against victims, employing a unique ransomware encryption cipher, as well as other tactics, techniques and procedures (TTPs);

2.     They are an existing RaaS affiliate with enough profitable and successful operations to warrant their own victim shaming Tor service; or

3.    They are a seasoned ransomware operator who is intentionally attempting to obfuscate their operation’s identity by rebranding and changing aliases of key members.

The fact AvosLocker is operating as a RaaS gang employing the traditional “affiliate” model – as noted by the login portal above – means it is highly unlikely they are an affiliate of an existing RaaS group and more likely a rebranding of existing RaaS operator.

Accompanying this theory, DarkOwl analysts quickly observed that the AvosLocker’s new service has striking resemblance to other websites established on Tor, more specifically the infamous Doppelpaymer RaaS gang.

DarkOwl has no indication that AvosLocker is an affiliate of Doppelpaymer, or if it has merely copied the HTML/CSS templates employed by the Doppelpaymer group; it is not uncommon for hosts of Tor onion services to create websites that look and feel like previously published services.

In contrast to the AvosLocker’s service, the Doppelpaymer leaks service on Tor requires the visitor to solve a reCAPTCHA and enable Javascript for the domain to load properly.

Doppelpaymer has plenty of justification to rebrand their operations, but there is insufficient evidence at this time to confirm AvosLocker is their new brand. In December of 2020, the FBI issued a warning against the Doppelpaymer RaaS gang after a series of attacks last fall in Europe resulted in the death of healthcare patient in Germany. (Source)

The last victim posted on the Doppelpaymer leak service is dated back to May of 2021, and the last one before that was in February. This might suggest Doppelpaymer could be slowing down its operations to avoid additional scrutiny from the media and law enforcement.

Interested in learning more? Contact us to learn how darknet data applies to your use case

Late last week, DarkOwl analysts observed the REvil ransomware as a service (Raas) cyber-criminal organization publicly announce its latest victims of their ransomware operations on their darknet onion service, some of which have direct associations to western militaries and governments.

Previous assessments have suggested the targets selected by REvil and similar RaaS groups were completely random and indiscriminate. Without directly naming or shaming the companies who fell victim to REvil’s ransomware attack, DarkOwl endeavors to merely highlight the suspicious timing of these specific announcements – along with threatening language included in the release – and the lack of any mention, nor claim of responsibility attacks against global meat distributor, JBS SA attack during Memorial Day weekend; an attack that temporarily impacted meat supplies around the world and caught the attention of the U.S. White House and international authorities.

These latest victims highlight the increasingly vulnerability of supply-chain attacks against critical service providers and the potential impacts to national security in the U.S. and abroad.

REvil Threatens to Share Sensitive Victim Data to Foreign Military Agencies

REvil representatives continually maintain their financially-motivated and opportunistic stance with numerous darknet forum posts stating that they want no part in geopolitical affairs nor act on behalf of any government. In these latest victim announcements, REvil included sensitive military contract information and critical personally identifiable information (PII) of the victim’s employees, such as copies of employee passports, payroll statements, and national identification numbers, as “proof” of the legitimacy of the attack.

More sinisterly, they also acknowledge the sensitivity of the data they’ve stolen and stated they would not hesitate to share this information with other foreign military agencies of their choice, directly contradicting earlier positions of agnosticism in international government affairs or military operations.

Many sources have already confirmed the likelihood that REvil is a Russian-based cyber-criminal organization. The recent string of ransomware attacks by REvil, their affiliates and similar groups, suggest that these organizations are indeed directly targeting critical supply-chain targets with unique technological and critical infrastructure focus, instead of indiscriminately targeting victims for monetary gain.

It is also noteworthy to point out that there is no current consensus on how long RaaS operators like REvil can maintain unauthorized access to victim networks, during which time they would be able to extract data and conduct potentially cyber-espionage-like activity before making themselves known. In other words, the target’s networks are freely accessible to these criminals for an unknown period of time before they finally pull the plug on the operation by deploying a ransomware variant, which then locks down the network, notifies the victim, and begins the phase of extorting target by demanding a ransom.

One security researcher recently shared their analysis of the latest version of REvil’s source code, version 2.05, stating that persistence of the malware was maintained through creating a registry key under SOFTWARE\Microsoft\Windows\CurrentVersion\Run (on Windows machines), which allows the malware to run every time the user reboots their machine. Other ransomware analysis of victims of the Pysa/Mespinoza strain, detailed an 8 hour campaign, launched via a compromised RDP account, where threat actors moved laterally throughout the entire domain harvesting additional credentials and data wherever possible (Source). This, however, is unsurprising as it is well-known that REvil and other popular RaaS operators leverage stolen VPN, RDP, and user credentials where available – often actively sold and traded on the darknet – and readily prey on unpatched server-side software and remote working products like Citrix ADC.

What other kinds of companies are REvil and their affiliates considering as potential targets?

In an interview conducted earlier this year, REvil representative known simply as “Unknown/UNKN”, stated many of their affiliates had unprecedented access to national security assets (directly or indirectly) including, “a ballistic missile launch system, one to a U.S. Navy cruiser, a third to a nuclear power plant, and a fourth to a weapons factory.” The veracity of this extremely serious claim has not been verified by DarkOwl nor the interviewer who spoke directly with Unknown. Others skeptical of interviews with such unreliable threat actors note that this particular “Unknown” could have been an imposter, as alias hijacking is common in across darknet communities. 

However, supporting the ransomware group’s claims of their alarming access to such national entities are recent reports confirming that another ransomware victim is a company that manages the US fleet of military vehicles. While not presently determined to be directly attributed REvil, this incident is indicative that ransomware groups as a whole are indeed successfully compromising vendors supporting US and allied military efforts.

An Ever-Expanding and Continuous Operation

REvil fingerprints have also been recently detected in a new strain of ransomware known as Episilon Red, which information security researchers directly associate with a concerted attack on Microsoft Exchange mail servers. In late May, another new ransomware variant known as Prometheus setup a new Tor onion service claiming they were a “Group of REvil” in their ransom note and branding. Security researchers indicate that Prometheus, operating now for over a month, pens their ransom notes very similar to MountLocker and Medusalocker ransomware variants.

Despite the media attention the JBS SA attack garnered, REvil shows no sign of slowing down or scaling back their operations. In an interview conducted with Russian OSINT YouTube channel last week, they suggested they had previously limited themselves from conducting attacks against U.S. targets, although DarkOwl notes several of their victims over the past year included retail, health, legal, and agricultural companies with operations headquartered in the U.S.

The group’s spokesperson also showed no concern for being considered “terrorists” by the U.S. government or intelligence community, boasting their confidence in prosecution immunity, being sheltered by Moscow, who undoubtedly allows them to operate freely without legal consequence. They concluded their interview with the statement “We are not going anywhere, we are not going anywhere. We will work harder, harder, and harder.” (Source)

DarkOwl will continue to monitor this ongoing story and update as our analysts uncover information.

Breached data from ransomware attacks often wind up on the darknet. Contact us to see if your organization has been the victim of a cyber attack to gain insight into the full extent of your company’s darknet exposure.

JUMP TO A SECTION:

What is an Imageboard and Why is it called a Chan? 

Key Players

The Language of the Chans

Topic Boards and Types of Content

How Imageboards are Evolving on the Darknet

An Introduction to Imageboards of the Darknet

The darknet is replete with an extensive array of content, including onion services and communities that intelligence and investigative analysts have noted are home to cyber criminals, scammers, and threat actors. Typically, the most common hubs for these users are darknet marketplaces and blogs/forums. However, recently, our analysts have observed the increasing presence of a legitimate and growing segment of the darknet, comprised of a community of free-speech enthusiasts who utilize imageboards known as “chans.”

The rise of QAnon and the coordinated siege of the U.S. Capitol in January shined a spotlight on one wildly popular imageboard known as 8chan, bringing about significant coverage in mainstream media. In the wake of such recent events, we have observed an increase in imageboard hosting on the darknet, including many direct copies of the 8chan codebase that are serving as new safe havens for emerging, controversial chan boards. In fact, DarkOwl has identified over two dozen alternative chans on the darknet – not related to 4chan or 8chan – across numerous languages (Russian, Korean, Japanese, German, and English) that are currently online and active.

An imageboard is considered a type of bulletin-board-like forum that revolves around the posting of images, often alongside text and discussion. Imageboards are characterized by a community of users with non-identifiable usernames, usually simply “Anonymous” – that rely on a system of tripcodes instead of registration with credentials. A tripcode is the hashed result of a unique password that allows one’s identity to be recognized without storing any data about the user and entering a particular password will let one “sign” one’s posts, often necessary for moderators and staff, with the tripcode generated from that password. 4chan and 8chan (or 8kun) implemented secure tripcodes that are not reproducible across different imageboards and are more resistant to the hashed password getting hacked or cracked. The originating IP address of the user is known to the administrator of the imageboard, but the pseudo-anonymity of the forum structure led to its users calling themselves “anons.”

The very first imageboard was 2channel, (2ちゃんねる, 2chan, or 2ch) first launched over two decades ago by Hiroyuki Nishimura, a Japanese Internet entrepreneur and student based in the United States at the time. By hosting the board outside of Japan, Nishimura managed to circumvent Japanese internet censorship and grew the predominantly Japanese online community millions of daily users with a level of influence in society many described as comparable to that of traditional mass media like television, radio, and magazines. Nishimura named the imageboard 2channel after the physical channel older televisions would need to be turned to, to use auxiliary devices like 1990s video game consoles.

In 2003, not long after the success of 2channel, Christopher “moot” Poole (at the time age 15 years old) launched an English language counterpart to 2channel known simply as 4chan. Poole already had a history as an active participant on the comedy surface web bulletin board known as “Something Awful” which funneled users to 4chan and quickly increased its popularity, forming a whole new genre of internet subculture including the “Cult of Kek” (Pepe the Frog), the conversational meme factory, and resources for rare adult fandom like My Little Pony.

The pseudo-anonymity provided by 4chan also enabled discussions from a rather darker segment of society where disturbing fetishes and hate speech are not just authorized but glorified. Illegal content such as child pornography and gore increased the need for fairly strict moderation on the site by its hundreds of volunteer moderators stationed around the world; Poole and a part-time developer were the only official staff of the board. In 2014, 4chan was central to the Gamergate controversy, an online harassment campaign dedicated to directly targeting and doxing females because of anger regarding feminist or progressive ideals found at the time in the video game industry.

By this time, alternative imageboards known as “alt-chans” had emerged including Wizardchan whose userbase consisted of virgin men or “incels” (slang derived from “involuntary celibate”) who define themselves as unable to find a romantic or sexual partner despite desiring one and ultimately often despised the sheer existence of the entire female gender. To this day there is crossover in the users between imagebaords – Wizardchan’s users also post in threads on 4chan and vice versa.

Due to the increased moderation of content on 4chan, a prominent user and admin of Wizardchan known as Fredrick Brennen, using the pseduonym “Hotwheels” founded “infinitychan” (using a sideways “8” for infinity, or simply 8chan or 8ch), redesigning the codebase to include user-created and moderated boards on the channel. In 2013, Brennen advertised the new imageboard as a “free speech friendly alternative to 4chan” and 4chan’s eventual blanket censorship of all Gamergate related discussions significantly increased 8chan’s rapid success and popularity in the first years of its operation. 8chan quickly outgrew Brennen’s ability to host the volume of posts by its thousands of daily users and illegal content became increasing difficult to moderate. In late 2014, he partnered with Jim Watkins in the Philippines to host and help scale the platform, using Watkins data center company N.T. Technology while Brennen served as admin and the public face for the board. (Source)

8chan’s content became increasingly obscene and its users linked to several violent international hate crimes including the mass shooting at a Christchurch mosque in 2019, the Poway Synagogue shooting, and El Paso shooting at a Walmart targeting Hispanics shortly thereafter – with all three shooters posting racist and xenophobic manifestos on the imageboard within hours of the attacks. Around the same time, Brennen resigned as the imageboard’s admin and launched a campaign to get the site shutdown permanently with direct attacks against both Jim and Ron Watkins across social media and the mainstream news media. In late 2019, Watkins rebranded 8chan to 8kun after widespread public criticism of the site with support from Russian hosting providers affiliated with cybercriminal activity.

The imageboards mentioned above are considered the grandparent-chans creating the ‘foundational’ platforms for fast-paced discussions, fueling mob-like mentalities and are still widely popular underground online communities. Nevertheless, there are hundreds of “alt-chans”, many of which have a growing presence of users on the darknet, including not only a mirror of 2channel, but 16chan, nanochan, 64chan, Korchan, Kohlchan, and others. The surge in new imageboards and their use of the darknet is indicated by conversations that express how its users are increasingly concerned over the concerted ‘attack on free-speech’ that occurred in the wake of the January 6th riots and as well as members of the US Congress’s call for a repeal of Section 230 of the Communications Decency Act, which has historically protected the hosts of controversial social platforms from legal consequence. (Source)

The following lists the founders and critical players of the most popular and widely discussed imageboards in public media. Due to the nature of the content and its users and creators inherent desire for digital privacy many of the owners and administrators of imageboards are completely anonymous or known only by their pseudonyms.

Imageboards pride themselves on providing a platform to advocate free-speech and the purest freedom of expression and many users utilize the forums as an outlet for venting internal frustration, speaking on the boards in ways that they would never, ever speak in real life. In 2010, 4chan administrator, “moot” was called to testify in the trial of David Kernell, a 4chan user who was eventually convicted of hacking of Sarah Palin’s email during the 2008 Presidential election and leaking screenshots from her account on the imageboard. The administrator’s role in the trial turned from ordinary to awkward when moot was asked to define and explain the community’s lingo and terms that were used in the posts and comments included in the prosecution’s discovery. Terms he testified about included such vernacular as “b tard”, “troll”, “peeps”, “lurker” and OP (original poster).

In the last decade, the culture and language of the chans has only become even more exclusive and insular to its chan-community, preventing many new users and investigative analysts from engaging its users or even further parsing what they are reading in any given thread from darknet data collection systems. The influx of right-wing extremism and domestic terrorism observed with the popularization of QAnon on 8chan (or 8kun), increased the use of phrases specific to Q’s posts such as “Patriots”, “Trust the Plan”, “Great Awakening”, “WWG1WGA” (where we go one we go all), “Panic in DC”, “deep state”, and the idea of “sheep” or those who follow main stream media blindly.

Imageboard users go to great lengths to directly insult each other on the thread and openly attack anyone of non-Caucasian race or non-evangelical Christian religious beliefs. Most of the lingo is too obscene and vulgar to be mentioned here, but there are some standard key phrases used across all the imageboards that provides general context to many an anon’s post. Several of these have made it into urbandictionary.com, whose definitions were included directly where available.

based: A word used when you agree with something; or when you want to recognize someone for being themselves, i.e. courageous and unique or not caring what others think. Especially common in online political slang.

redpilled: A word used to describe when a left leaning liberal have shifted their beliefs into alignment with the right. The phrase was adapted from the movie, The Matrix, where Morpheus is offering to enlighten Neo to the Matrix: “You take the red pill, you stay in Wonderland, and I show you how deep the rabbit hole goes.”

shill: This word describes a person who is pretending to agree with a conspiracy and intentionally circulates false information or acts totally insane in an effort to discredit said conspiracy. Someone who shills could also be someone directly lying in a post to deceive or cause controversy.

larp: An acronym meaning “live action role play” – when whatever post has been stated is not real or intended for comedic or dramatic effect, as if it occurred in a play.

/b/tard: A derogatory insult to address users who are found in the /b/ section of the board or to insinuate that their post is random or nonsensical.

lurker: A person who ‘lurks’ or browses the board and never posts anything.

newfag: A newcomer to the imageboard who is considered a nuisance to the discussion. Often this person is trying too hard to fit in.

neckbeard: A word derived from conjoining of the words “neck” and “beard,” to denigrate a male user on the board as characterized by an inflated sense of self-worth and a powerful sense of entitlement, particularly to affection, subservience and sexual acts from women.

neet: A person considered a failure in life who is unemployed and lounges all day playing video games or watching anime. 

waifu: A word used in the manga sub-genre to describe a fictional female character that they love and would marry if they were real.

glow: If the word glow is associated with an insult or someone says, “you glow” that would intimate that you’ve been perceived as law enforcement or a government agent.

troll/trolling: As it relates to imageboards, trolling describes the deliberate act, (by a troll – noun or adjective), of making random unsolicited and/or controversial comments on various internet forums with the intent to provoke an emotional knee jerk reaction from unsuspecting readers to engage in a fight or argument.

Persistent topic boards are a characteristic of chan forums. From its inception, 4chan required an administrator to create all topical boards to guide its users’ discussion, leading to a sort of standard that has persisted to newer chans. Alternatively, 8chan infamously provided creative freedom to its users to launch and moderate its own topical boards – a backend board style adapted by several imageboard developers.

Nevertheless, there are some board topics that are persistent across all of the imageboards, including the alt-chans across the surface web and darknet. Such well-known and highly popular sub-boards include:

• /b/ – random: The sub-board /b/ was the first board Poole created on 4chan and it was the catchall for any random thread about any sort of content including cartoon pornography and debased memes.  It is considered community etiquette across most all imageboards to limit discussions that are specialties or the focus of other boards on the channel. Many imageboards recognize the power of /b/ to such an extent it is the only board available on its entire platform.

• /pol/ – politically incorrect: The /pol/ sub-board covers wide range of subjects, including politics, culture, social issues, religion, law, finance, and current events. It has become most well-known for its divisive content and hate speech with posts including neo-Nazism, white supremacy, and xenophobia. Nearly all imageboards online today have an active /pol/ board and some even include additional country specific politics, like /polru/ for Russian political discussions. Some non-English speaking alt-chans have created an /intpol/ sub-board instead of /pol/, which stands for international politics as many of the English-speaking /pol/ boards are heavily influenced with U.S.-focused political partisanship. Last year, 8kun renamed its /pol/ board to /pnd/ for politics, news, and debate much to the protest of its userbase.

• /a/ – anime: Given the imageboard’s roots in Japanese anime subculture, and 2channel’s founder being Japanese, most imageboards have a sub-board called /a/ dedicated to sharing and discussing anime. Many posts on this sub-board also includes a very specific sub-genre of animated pornography known as “hentai” short for hentai seiyoku translated as a “perverse” or bizarre sexual inclinations.

• /g/ – technology: The /g/ sub-board got its start on 4chan, and other imageboards have quickly adapted this topical board for “discussing computer hardware and software, programming, and general technology.” This channel often includes a wide-range of posts that might asking recommendations for which Linux distribution to install or pictures of users’ home technology setups.

  Last week, DarkOwl analysts observed a post on /g/ on how to successfully hack Apple’s recently released AirTags product with detailed instructions from a security researcher’s blog on the surface web, demonstrating how /g/ could be used to uncover security vulnerabilities.  Within minutes of the post appearance, /g/ moderators removed the thread validating user complaints of how heavily moderated 4chan can be and what attracts many users to imageboards hosted exclusively on the darknet with more relaxed moderation policies.

Most imageboards have a surface web domain address and accessible directly from the public Internet. Imageboards are considered pseudo-anonymous, since a user’s IP address is known and likely logged by the imageboard administrator, especially for users accessing the site directly on the surface web.  While many users access imageboards using a Virtual Private Network (VPN) proxy, 8chan utilized Tor off and on over the last five years to mirror its content, to provide additional anonymity to its users accessing the imageboard and to mitigate DDoS attacks against its Internet domains.

Other imageboards, including 2channel, have a persistent presence on the darknet providing its users additional layers of operational security. Some imageboards like endchan have mirrors across other alternative darknets including Oxen and Yddrasil for additional data redundancy and wider client support to its userbase.

Many imageboards are strictly accessed through the surface web have strict rules about what can and cannot be uploaded and its administrators comply with all law enforcement requests for information and readily handover logs. Others give moderators the power to disallow users posting from a Tor exit node, in the case where users access the surface web domain using the Tor Browser Bundle for anonymity.

Other darknet exclusive imageboards have more lenient rules and allow its users to post illegal content including violence, pornography, and gore. Gurochan, an imageboard that originated over a decade ago, recently returned online and predominantly includes threads with gore and necrophilia.

An Increasingly Evolving Darknet Threat

The imageboard community on the surface web is rapidly evolving and many services are migrating directly to or mirroring their content across the darknet(s). Knowing that 4chan is now heavily moderated and often called a law enforcement honeypot, and that many users of 8kun have disappeared with the failure of a real-life political “reckoning” for the alleged deep state cult at the heart of the QAnon conspiracy, the imageboard underground digital community is thriving as a safe haven for people to direct their shills and troll campaigns.

As previously mentioned, during the course of this content research, DarkOwl identified over two dozen alternative chans on the darknet – not related to 4chan or 8kun – across numerous languages (Russian, Korean, Japanese, German, and English) that are currently online and active. To support its Vision users in conducting their most effective and efficient investigative analysis we have also created a “Groups” filter using these domains, so Vision UI users can easily target their searches directly into these communities without direct or a-priori knowledge of the onion service addresses. Hopefully this post, with its primer on historical context and guide to imageboard community lingo, will help end users develop intelligent targeted queries to find content of interest.

In the year plus since the COVID-19 pandemic took hold, DarkOwl analysts have continued to observe widespread coronavirus-related scams on the darknet. From bootlegged PPE, to “COVID infected blood,” to fake vaccination cards, there appears to be no shortage of individuals willing to take advantage of this global crisis to pursue their goals, be it to spread disinformation or simply to make money.  

To gain insight into potential threat actors aiming to defraud individuals and corporations alike, DarkOwl turned to the darknet to take a closer look. In doing so, we identified scammers purportedly selling COVID-19 vaccines, vaccination passports and cardstock records of vaccination as issued by the the Center for Disease Control (CDC). DarkOwl has also observed a number of disinformation campaigns related to the efficacy and legitimacy of the COVID-19 vaccine across major deep web and darknet discussion boards creating additional conflict and polarization across forum users.

Vaccination Cards for Sale on the Darknet

In the past few months, DarkOwl has noted a number of scammers offering vaccination record cards for sale, priced around $150 USD on average.

One vendor, known only as as “darknetdeals” also offers negative COVID-19 PCR tests for sale for those needing negative COVID-19 tests for travel and work.

Users on deep web discussion boards discuss their surprise regarding the nature of the vaccination record cards issued in the U.S. and the generic grey cardstock it was printed on, along with handwritten name and dates of the first and second doses, for vaccines with multi-dose administration. DarkOwl has not engaged the threat actor nor purchased a card to verify whether this is a legitimate offer or scam, but the opportunity could appeal to anti-vaxxers who desire to travel and dine-in restaurants without receiving the vaccine.  

Other offers have also surfaced on Telegram with “coronavirus certificates” and vaccine passports available for purchase. The price was not disclosed on the channel.

Vaccinated individuals across the US have shared post-vaccine selfies with the CDC-stamped paper card issued by their vaccination provider proudly in hand across social media. Scammers could not only utilize the photo of the card to create fake cards for sale on the darknet, but steal the personalized information such as full name and date of birth for identity theft and fraud.

Vaccine Doses Still for Sale on Darknet Markets

DarkOwl continues to see several COVID-19 vaccines offered for sale across darknet marketplaces and classified-like paste sites. In recent months, there has been a surge in vaccines on offer, including Russia’s Sputnik vaccine developed by Gamaleya. On one new darknet market alone, there are 5 different vendors offering vaccines ranging in price from $40 to $888 USD per dose. Pfizer vaccines tend to be more expensive than the other vaccines on offer.

DarkOwl had observed offers for COVID-19 vaccines on other darknet markets back in December, with prices ranging from $500 to $4000 USD. One vendor received feedback stating that they purchased five vials of the Pfizer vaccine for $2000 USD and it was packaged in a shipping container the size of a pizza box along with dry ice to maintain the significantly cold temperature requirement. It was unclear whether these were intended to be single doses or multi-dose spread out by 21 days, as suggested by the manufacturer.

While these could theoretically be ‘stolen’ vaccines, it is more likely they are counterfeit vaccines with vials of unknown and possibly lethal substances. Last week, open sources reported that authorities had discovered fake coronavirus vaccines containing distilled water were administered to at least 80 patients in a clinic in Mexico, while a darknet scammer was arrested in Poland for selling vaccines that actually contained an anti-wrinkle agent. Luckily, the Polish doses do not appeared to have been administered to anyone.

Other offers for vaccines are clearly scams without any intention to deliver a single vial.

One vendor on a market known for its promotion of “rippers” (a.k.a. scammers), stated they had the “most-effective” “Pfitzer” vaccine for sale for $500 USD. The contact information associated with the vendor has only emerged on the darknet in recent weeks and is also connected with offers for various pharmaceuticals including ecstasy and Adderall.

Some scammers have established darknet onion services with elaborate backstories of their accessibility to COVID-19 vaccines and medicines. One domain is supposedly setup by Wuhan Institute of Virology Lab Scientists and Doctors who have medicine exclusive to China to treat COVID-19 and vaccines that the Chinese government is keeping secret from the rest of the world. They are not ‘selling’ the vaccines and medicines but shipping them after Bitcoin donation is received. They also refuse to respond to ‘long emails’ and ‘investigative questions,’ and their written text includes a number of typos. (Quoted below)

Disinformation Persistent Across Boards and Chans

If fake vaccines filled with unknown substances do not undermine the public’s confidence in vaccine distribution, there is plenty of disinformation rampant across the political threads on darknet and deep web discussion boards to stoke collective fears and personal anxieties. A recent thread on one discussion board included links to the original Moderna patent with skepticism and a link to a controversial article suggesting the mRNA vaccines cause cancer.

Others suggest the vaccine impacts fertility, stating how they now have lowered sperm counts since taking the vaccine. Some users call out other users for “shilling” a term from the urban dictionary that in conspiracy terms refers to a person who is intentionally circulating false information or acts totally insane in an effort to discredit a conspiracy – revealing an active information war is at play on the boards.

The fabricated conspiracies on such forums are particularly imaginative and controversial. For example, another post on a forum insinuated that the entire narrative around the dangers of mRNA vaccines was intentionally developed to shift people to prefer vaccines that are indeed gene therapy experiments instead.

Based on our observations, vaccine resistance is not limited to the United States. One user on Telegram expressed outrage over how a certificate of vaccination was required to receive services from a hair salon in Demark as of April 2021. The post was written with a tone of desperation including the sentence “We need help” at the end, signaling this is becoming a global issue of controversy and potential social uprising.

Vaccine Data on the Darknet

Critics of the CDC’s vaccination records on easily obtainable grey cardstock and the ease at which they are counterfeited is justification for a digital vaccine passport program. Developers have not delayed as there are now numerous vaccine passport apps available across the widely used mobile app stores. Even New York has announced a new vaccine status program for mobile phones after partnering with IBM to develop a scannable barcode, similar to the QR codes used by airlines for boarding.

Since last year, the International Air Transport Association (IATA) has been working on an app called Travel Pass for use across their 290 airline participants for laboratories and healthcare providers to send PCR test results and vaccination records for flyers to present for compliant air travel. (Source)

The U.S. CDC’s website emphasizes the importance of their centralized Immunization Information System (IIS) which includes a repository of all vaccinations records for each state and according to their website, COVID-19 vaccine providers are required to report detailed information about each vaccination given at the county and state level. Personal information for vaccination recipients includes full name, date of birth, residential address, sex, race and ethnicity in addition to the vaccine’s production information from the manufacture such as expiration date, dose and lot numbers for tracing which vaccination was administered.

The CDC’s COVID-19 specific IIS includes a number of different digital information systems for tracking and managing COVID-19 vaccine data:

• VAMS: vaccination administration management system available for vaccination providers use – contracted by the CDC for development by Deloitte Consulting.

• IZ Gateway: the immunization gateway, a central cloud storage system to enable IISs, federal agencies, and private partners to connect and share immunization information.

• VaxText: second dose reminder system that vaccine recipients can enroll with to receive SMS text message reminders for their next vaccination date based on the vaccine they received.

• VTrks: vaccine ordering system which includes vaccines for each provider along with associated shipping information.

• VaccineFinder: vaccine provider lookup system to provide the contact information for vaccine providers, hours of operation, and types of vaccines available.

Many COVID vaccine clinics have decided against the CDC endorsed VAMS administration system and instead procured commercial application alternatives such as PrepMod for mass vaccine scheduling and data administration. DarkOwl has observed some darknet users complaining about having issues using PrepMod’s system effectively and some states are considering abandoning the PreMod product for systemic design issues and persistent bugs.

Given the frequency and ease at which cybercriminals are compromising commercial database systems and regularly selling or leaking millions of records of customer authentication data and financial information on the darknet, vaccination record data sets are at risk of compromise.

Large scale databases of personally identifiable data associated with the vaccine distribution, like the CDC’s IZ Gateway and VaxText systems or any number of commercial and government vaccine passport apps in circulation, will be a prominent target for darknet cyber exploitation enthusiasts in the coming months, if they are not already attempting to gain unauthoritzed access to such systems around the globe.

Related Read: COVID Scams on the Darknet Part 1

Risk is a word regularly used across information security circles and CISO agendas. And, in light of the recent surge of indiscriminate organizational ransomware attacks, companies are aggressively attempting to identify and mitigate any cybersecurity risk that could lead to potentially extensive financial and reputation damage, especially from a high profile cybersecurity attack or data breach. Meanwhile, individual persons also struggle to know how concerned they should be in mitigating their own personal risk to when, not if, their sensitive personal information appears on the deep web and darknet.

In this blog, DarkOwl analysts dig into the domain of risk, taking a closer look at the threats corporations and individuals face, how risk is calculated and mitigated.  Underground digital communities within hidden and anonymous networks are an integral role in identifying the threats at play, and DarkOwl works alongside its partners to help provide the critical monitoring of potential markers of risk using its darknet search platform.

What is risk and what is the darknet’s role in risk calculations?

Risk is traditionally thought as a multiplier of likelihood and severity, or consequence of outcome; however, in cybersecurity the definition is expanded for consideration of intention or threat. For example, in a personal risk scenario, one’s leaked credentials (e.g. usernames, e-mail addresses and passwords) might appear in commercial data breach leaks which poses one degree of risk, but the minute those same credentials appear in conjunction with direct malicious intent to cause financial or direct harm, then their personal risk increases dramatically; DarkOwl has observed similar specific targeting frequently in the darknet. The same would be true for the intention of an attack against a corporation or government organization, but this is understandably much harder to quantify.

The U.S. Department of Homeland Security (DHS) defines risk as the “potential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood and the associated consequences” such that: likelihood is defined as “the chance of something happening, whether defined, measured or estimated objectively or subjectively, or in terms of general descriptors (such as rare, unlikely, likely, almost certain), frequencies, or probabilities” and consequence is given as “the effect of an event, incident, or occurrence, including human consequence, economic consequence, mission consequence, psychological consequence.”

The DHS risk assessment model is more simplify defined as a function of three variables: threat, vulnerability, and consequences with full recognition “these values are not equal” as stated by DHS Secretary Chertoff in 2005. “For example, some infrastructure is quite vulnerable, but the consequences of an attack are relatively small; other infrastructure may be much less vulnerable, but the consequences of a successful attack are very high, even catastrophic.”

In organizational risk calculations, threat includes anything that can cause harm to the organization and that could expand to include threats from natural disaster (wildfire, hurricanes, and earthquakes) or even a significant hardware / backup failure that triggers a disruption in services or production and not necessarily exclusive to cybersecurity attacks by external malicious entities.

There are numerous interpretations, philosophies, and variations on this formula and luckily organizations are given extreme flexibility in conducting internal risk assessments by applying risk models of varying degrees of detail and complexity of threat identification and vulnerabilities – of which cybersecurity has become increasingly critical.

Threat calculations are often tied to scenarios with likelihoods of occurrence that involve an adversary’s intent, capability, and targeting. When we look at the darknet’s role in risk and threat vectors, especially when considering the risk to a company’s brand or stakeholders, malicious threat actors who conduct operations in the underground (e.g. cybercriminal organizations, nation state actors and proxies, and cyber opportunists) proactively hunt for and attempt to exploit sensitive data for personal financial gain by whatever means possible, often manipulating unpatched vulnerabilities and crafting new exploits in the wild.

DarkOwl analysts also regularly witness critical corporate and personal information actively shared across various underground digital communities in the darknet and deep web and have categorized the types of vulnerable data at risk accordingly, delineating corporate and individual personal risk, with careful consideration that these two are intricately interrelated due to the fact humans are one of many risks corporate organizations must consider when calculating their cybersecurity risk. The region where corporate and individual risk overlap is of most critical consideration as well as the extent and volume of readily available information for threat actors to launch their attacks.

Likewise, the more accumulated data a threat actor has access to for an individual or a corporation increases the risk accordingly.

Corporate Risk and The Darknet

The possibility of a cybersecurity attack against a corporation feeds a number of different corporate risk calculations: the loss of customer data presents a significant risk to a company’s brand, reputation and stakeholders; there’s moderate risk for loss of sales due to counterfeit goods offered on the darknet and direct reputational attacks on discussion forums and social media; there is direct risk via the executives and key leadership of an organization for business e-mail compromise (BEC) phishing attacks or financial extortion through physical threat to executive’s family; and, there is risk to attack via third (and fourth) party vendors and suppliers.

The consequences of an attack against a corporation can include:

1. Unauthorized access to a corporate network

2. Misuse of information by an authorized user

3. Loss of access to corporate data (via deletion or encryption)

4. Disruption of service or productivity

5. Reputational loss and damage to brand or corporate image

The risk of unintentional data compromise

As nearly every security researcher and infosec professional would agree, the volume of organizational data leaks via unauthorized network intrusion attacks over the last twelve to eighteen months is troubling. Identity Force identified over 74 organizations across every industry segment that suffered network intrusion attacks in 2020 resulting in public reporting of sensitive PII leaked for malicious use on the deep web and darknet. From April through December 2020, DarkOwl observed 144 victim companies and non-profit organizations mentioned by the REvil ransomware criminal gang on their darknet data leak onion service, Happy Blog, such that the “real” volume of compromised corporate information and customer authentication data in circulation from 2020 is likely significantly higher.

While large commercial data leaks receive press coverage, with phrases like “millions of records of user data exposed” there is an unknown number of organizations that have likely secretly dealt with a critical cybersecurity incident without ever disclosing the breach to their customers or users due to the consequences of reduced consumer confidence.

Extortion as a service is an increasingly successful sector of the underground criminal ecosystem and involves stealing sensitive personal or corporate information and then leveraging unauthorized access to this information to force the victim to pay, essentially blackmailing the victim, in exchange for quasi protection of their data. Threat actors utilize hacking forums and discussion boards across the deep web and darknet to explore potential vulnerabilities, sometimes expressing interest in specific industries, companies, and individuals, then finally sharing or selling the sensitive information they have stolen – resulting in significant reputational and/or financial loss for the victim organization.

Lately, darknet onion services that are hosted by cybercriminal gangs have been a key repository for the stolen and extorted data collected from victim networks via ransomware attacks.

DarkOwl has documented over two dozen unique ransomware-specific onion services for public release of information about their victims if the demanded ransom is not paid. Some ransomware groups even mock their victims using terms like “Wall of Shame” to taunt companies who attempt to avoid public disclosure of their compromise and sensitive data leak. Brian Krebs reported that the REvil ransomware gang started e-mailing customers of its victims to increase the pressure on the victim organization to pay the demanded ransom.

Notably, a reader of Kreb’s report commented on the optics around the fact they had received the notification e-mail from the criminals three months after the victim’s third-party let their customers know about the attack at the end of December 2020.

Counterfeiting risk is brand risk

The darknet is home to a lesser-known segment of corporate brand risk with offers of counterfeit goods on darknet markets. DarkOwl has historical captures of illegal ticket sales for the MLB and NFL and counterfeit sports memorabilia for sale on darknet markets as well as offers for more luxury brands such Rolex and Gucci counterfeit merchandise for sale. The sale of counterfeit physical goods is a persistent and viable market in the underground economy.  

Executives and key leaderships are critical targets

Some criminals utilize traditional open-source intelligence (OSINT) techniques to uncover the names, e-mail addresses and family relationships of an organization’s executives and key leadership to conduct pointed phishing campaigns via e-mail, SMS or traditional in-person and telephone-based social engineering to gain malicious access to a corporate victim’s network.

Popularly targeted executives include Facebook’s Mark Zuckerberg, Amazon’s Jeff Bezos and Twitter’s Jack Dorsey who often appear on the darknet in public “dox,” (defined both as a verb and noun) to publicly name or publish private information about that person — or the personal information published — especially as a way of punishing the person or getting revenge. The emergence of such ‘dox’ across anonymous networks and criminal communication platforms increases the overall risk to a company and those individuals as the threat, i.e. intention for attack increases significantly with the mention alone.

Vendors and other third parties increase risk

As witnessed by the massive SolarWinds supply chain attack last year, nation state actors and cybercriminals are increasingly sophisticated and opportunistic seeking to exploit third and fourth party suppliers and vendors to cause harm against the victim organization. Third parties include any unit an organization works with including but not limited to vendors, such as suppliers and manufacturers, partners, affiliates, distributors, resellers, and agents. Third parties may have access to information such as: corporate sensitive data, financial data, contract terms and pricing, strategic planning data, intellectual property, credential data, personally identifiable information (PII) of customers and employees and protected health information (PHI) and can unknowingly contribute to a threat actor gaining unauthorized access to a corporate network. Today, organizations should consider investing in a comprehensive third party risk management program as discussed extensively in a recent report by Upguard.

While it is not always overtly clear who or what organization a threat actor may be intending as their next target, monitoring the darknet and deep web for mentions of a company’s name, along with names of its executives and key leadership, and network information such as domains, e-mail and IP addresses can be a helpful marker for quantifying the potential threat or intent of harm against an organization. DarkOwl’s DARKINT Exposure Scores are one of many potential quantifiable metrics a corporation can use to measure and understand a company’s business risk. Scores can also be utilized for self-risk assessments, as well as brand monitoring and vendor risk management.

Last summer, DarkOwl evaluated an assortment of industry sectors using its DARKINT Exposure Scoring system across hundreds of companies, classified as small, medium, and large for mentions of their website and email domains. Not surprisingly, Colleges & Universities had the largest scores and Insurance and Hospital & Health industries followed closely behind.

The Software Development sector had the smallest percentage of companies with no exposure, i.e. a greater volume of compromise and the industries covering Hospitals & Healthcare and Grocery Stores had the highest percentage of companies with no exposure. The raw data of which companies were included in the research and statistical analysis of the research are available for discussion upon request.

Individual Risk and the Darknet

With the most recent news of Facebook’s exposure of over 530 Million user’s e-mail addresses and phone numbers, it seems as though nearly everyone has some extent of their personal information exposed and often actively traded and sold in the underground. Threats to individual personal risk appearing on the deep web and darknet are more actually extensive than account credentials alone. DarkOwl has observed several criminals specialize in trade of other critical PII such as national identification numbers, mailing and billing addresses, dates of birth, social media profiles, and even more concerning financial data like bank account numbers and credit and debit card numbers along with their card verification values (CVVs), expiration dates and security personal pin codes.

Individuals are at risk of social engineering

Personal individual risk increases with the extent of the information exposed, where and how it has been distributed. Cybercriminals are increasingly creative in their techniques to gain access to this illicit information with astute social engineering and mass phishing campaigns. Criminals actively seek to obtain an individual’s sensitive personal information necessary for a financial institution’s security verification process such as one’s mother’s maiden name, historical personal residence and billing addresses and answers to key security questions, sometimes obtained through links to phishing website or “fake” copies of popular commercial websites with username and password login form fields, sent through “SMS bomb” or spam e-mail phishing attacks. A popular technique —  both discussed openly with methods traded in underground forums —  is sending out fake mobile phone notifications. Spammers text delivery notices via SMS with a link to a phishing URL (often a shortened URL, e.g. “bit.ly”) for companies like DHL or UPS that are designed to harvest the victim’s mobile IP address, IMEI number, mobile phone model and software version along with sensitive personal information input by the victim in search for the non-existent package. The Federal Trade Commission (FTC) issued advisories early last year on how to recognize a widely distributed FedEx scam via SMS text message and in February researchers reported that over 10,000 Microsoft users were affected with a FedEx phishing campaign that was not detected by Exchange Online Protection (EOP) or Microsoft Defender for Office 365.

The risk of password reuse and credential stuffing

Credential stuffing is a widespread technique utilized by cybercriminals to test if historically exposed e-mail addresses and password combinations are valid logins across multiple commercial websites. For example, many victims exposed by the MyFitnessPal data breach may have changed the password on their compromised personal account, thinking innocently they had successfully protected themselves; however, the victim continued to use the same compromised e-mail address and password combination from MyFitnessPal to login to shop on Nike’s website for fitness related equipment.

Opportunistic cyber criminals automate the testing of large ‘combo lists’ containing compromised e-mail addresses and passwords against commercial websites and once a successful authentication occurs readily steals the PII and financial information, often saved, on the e-commerce shopping platform’s user profile. Last week, the largest combination list of all time known as COMB or Compilation of Many Breaches, consisting of over 3.2 billion e-mail addresses and cleartext passwords from data breaches going back as far as 2012 were shared on a darknet hacker forum.

Circling back to the overlap between individual and corporate risk, credential stuffing using malicious software and botnets affects not only the individuals but also the commercial organizations whose user accounts are surreptitiously accessed, as many immediately assume access was achieved due to vulnerabilities with the commercial service provider’s technical configuration instead of a simple credential stuffing technique conducted en masse. The uncertainty potentially erodes consumer and stakeholder confidence warranting that commercial agencies consider credential stuffing in their internal security frameworks and corporate risk assessments as well.

The risk of identity theft and financial fraud

While a personal e-mail address or password leak is easily mitigated by using complex passwords and password managers, the greatest threat to an individual is financial fraud and/or personal identity theft. 

Aggregated compromised personal data about an individual, referred by underground actors as “fullz,” and sometimes augmented with data gathered via criminals who have conducted attacks against insurance, mortgage, and credit agencies, is assumed to be used in some attempt to defraud a program for monetary gain or personal identity theft with very strong likelihood as witnessed with large scale pandemic unemployment assistance fraud conducted over the last year.

Individual risk calculations

Ultimately, what does the fact any of your personally identifiable information is on the darknet really mean? Your level of concern is directly correlated to your individual risk and calculating individual risk using information exposed on the darknet is measured by not only the location of and volume of credentials and PII exposed, but also a factor of time – that is, how long the information has been available and the likelihood of exploitation by a malicious actor. Of course, this likelihood of occurrence increases immediately once there is direct intent and targeting of the person either individually or in conjunction with a campaign against a corporation, regardless of what types or volume of personal data is already accessible.

• E-mail address and password leaks: Individual risk increases slightly with the website where the credentials have been used, i.e. banking application or health portal. Individuals can mitigate risk by using unique, complex passwords and password managers.

• Personal financial data like credit and debit cards: Individual risk is higher if the card is still in use. Most banks have fraud prevention and do not hold the cardholder responsible for illegal purchases with stolen credit and debit card data.

• Identity verification information: Individual risk increases with the more sensitive data accessible to a threat actor. For example, if a bank account number along with the full name of the account holder, their physical residential addresses, and other key identity verification information such as their mother’s maiden name, the name of their first dog, and secondary school mascot is obtained, then a threat actor has enough information to impersonate them and take control of the account. Compromise can be mitigated by visiting the bank in person with a form of identification (passport or driver’s license), closing down the compromised account, and opening a new one.

Only an individual can ascertain the degree of personal cybersecurity risk they are comfortable with, given the types of information they have shared publicly and the value they place on their personal information, their individual brand, and digital reputation. In a hyper-connected society that is increasingly reliant on networked digital information systems to function, everyone’s exposure and subsequent risk is increasing to some extent. For some individuals, this risk is gradual and others exponential.

It’s Risky Business Regardless

Threats posed to individuals and corporations from the darknet where sensitive corporate or personal information is leaked by cybercriminals is diverse. Criminals employ increasingly sophisticated social engineering and technical attack vectors to pilfer information that could lead to full identity theft for an individual or corporate extortion with multi-billion ransom demands. 

Whats more, threat attack vectors and vulnerabilities are rapidly evolving. With the now global acceptance of Bitcoin and companies like Tesla accepting Bitcoin payments to purchase their vehicles, soon cryptocurrency addresses for individuals and companies will have to be considered in this model and protected accordingly, if they are not already being targeted for middleman attacks. The deep web, anonymous networks, and various chat platforms will continue to be home for trading these commodities of data and DarkOwl will continue to assist its clients and partners to help provide the most comprehensive darknet database necessary for critical monitoring of potential markers of cybersecurity risk to corporations and individuals.

In April 2020, within weeks of widespread lockdown and quarantine caused by the coronavirus or COVID-19 pandemic, the U.S. Bureau of Labor and Statistics reported that over 23.1 million people were unemployed across the United States. This surge in out-of-work adults caused record spikes in unemployment claims across state benefits systems, many of them unable to accommodate the increased demands in benefit requests.

As a result, fraudsters on the darknet and deep web quickly capitalized on flaws in the state-run unemployment benefits systems, directly compromising claimant accounts to redirect unemployment payments, submitting false unemployment claims using illegally obtained personally identifiable information (PII).

Aiding in the exploitation of these programs are the plethora of available detailed step-by-step instructions known as ‘methods’ or ‘sauce’ that are readily available for purchase across the darknet.

Serious fraud yields serious capital for cyber criminals

With record numbers of persons unemployed comes record financial programs to cover these claims. The Coronavirus Aid, Relief and Economic Security (CARES) Act, signed into law in March, 2020 at $2.2 trillion USD, provided multiple lines of funding for unemployed U.S. workers including $260 billion USD in direct funding for expanded unemployment insurance. 

1. The original unemployment supplemental was known as the Federal Pandemic Unemployment Compensation (FPUC) program. This program provided an extra $600 per week for individuals who already qualified for state unemployment compensation from late January 2020 through July 31, 2020.   

2. The Pandemic Emergency Unemployment Compensation (PEUC) funding program provided an extended benefit period to individuals who have exhausted their unemployment benefits under existing state or federal law, have no right to regular unemployment benefits under any state law or other compensation under any federal law.   

3. The Pandemic Unemployment Assistance (PUA) program was setup to provide unemployment compensation to individuals who would not ordinarily qualify for unemployment such as: gig workers and freelancers, independent contractors and self-employed persons, or those who have exhausted all other rights to state or federal unemployment (including PEUC). Qualifying individuals were eligible to receive up to 39 weeks of benefits for being unemployed between January 27, 2020 and December 31, 2020. 

The difference between PEUC and PUA is that the PEUC essentially extends benefits by up to 13 weeks for individuals otherwise qualified to receive regular unemployment, but who have exhausted those benefits. DarkOwl has observed both programs mentioned extensively across the fraud community in the darknet and deep web.

In December 2020, the U.S. Government passed the Continued Assistance Act (CAA), totaling $900 billion, which extended the federal benefits of the CARES Act from December 27, 2020 to March 13, 2021. The CAA extended the benefits for an additional 11 weeks, and also provides an extra $300 per week for all benefits recipients. 

This act also included a new supplemental known as Mixed Earners Unemployment Compensation (MEUC) program intended to address gaps in the original stimulus package penalizing with those mixed income from multiple sources who receive lower unemployment benefits because they were only deemed eligible for regular state unemployment or PEUC due to their wage-based income.

The MEUC program is subject to state discretion and very few states have adopted the new payment terms of providing mixed income earners an extra $100 USD per week. 

Overview: Pandemic-related unemployment fraud on the darknet

“Sauce” for sale

On the darknet, fraudsters and cybercriminals have become intimately familiar with these programs offering elaborate guides and tutorials detailing how to fraudulently make claims against the different financial unemployment assistance programs. Described as “sauce,” fraudsters offer the methods for sale on darknet marketplaces, in private and public chatrooms, and on social media.

The going rate for a detailed unemployment fraud method varies between $200 and $300 USD and offered specifically by state, suggesting that different state unemployment systems may require unique techniques for direct exploitation.  

According to DarkOwl Vision, PUA is mentioned more often than PEUC, likely cause there is fewer historical work data reporting requirements for freelancers and sole proprietors covered by the PUA method and thus easier to defraud. DarkOwl has observed the PUA “sauce” for sale for the specific states listed below – with over 75% of the United States mentioned in offers across the darknet and deep web. This does not indicate that only these states have been exploited, but merely that these are the states observed advertised in the darknet communities DarkOwl has access to over the last year.

Pandemic Unemployment Assistance exploitation “how-to” guides are being sold for the following states:

Fraudsters selling PUA and PEUC methods are highly adaptive and acutely aware of security methods states are implementing to combat fraud, often updating the “sauce” frequently with the latest and greatest information. This includes new offers of “backpay sauce” opportunities with the latest relief funding being approved for states that ran out of unemployment relief funds.

According to the most recent fraud group chatter, Ohio has been mentioned more frequently with the phrase “Ohio is lit and still paying” acknowledging that some states’ anti-fraud methods are not as effective as others.

Telegram and Social Media are playing a large part in the spread of this type of fraud

While the fraud community continues to thrive on Tor, many threat actors are active on chat platforms such as Telegram as well. Many popular fraud channels and supergroups contain users selling the latest sauce and new exploitation methods, including large Telegram communities with upwards of 100,000 members.