Data Privacy: The Basics

January 27, 2023

According to a 2022 poll by Ipsos, 84% of Americans are highly concerned about the safety and privacy of their personal data on the internet. Further, 37% reported that they have fallen victim to an online data breach. More specifically, 86% of Americans believe that businesses and organizations collect more information than they need, and 51% are worried that this data could fall into the wrong hands.

Given the growing concern Americans have regarding data privacy, as shown in the statistics above, and in honor of Data Privacy Week, our analysts decided to shed some light on what data privacy is, why it is important to understand, the role the darknet plays in data privacy, and how DarkOwl views data privacy. According to the National Cybersecurity Alliance, the goal of Data Privacy Week is to spread awareness about online privacy: data privacy should be a priority both for individuals and for organizations.

An Intro to Data Privacy 

According to the Storage Networking Industry Association “data privacy, sometimes also referred to as information privacy, is an area of data protection that concerns the proper handling of sensitive data including, notably, personal data but also other confidential data, such as certain financial data and intellectual property data, to meet regulatory requirements as well as protecting the confidentiality and immutability of the data.” 

Personal data or Personally Identifiable Information (PII) is data tied to a specific individual that could potentially identify them. This would include one’s social security number, address, contact information, medical records, online behavior and more. Data privacy is the idea that an individual can decide what personal information to share and with whom. 

As the internet plays a vital role in our daily lives, the importance of data privacy continues to increase. Understanding what you are sharing and how that information is being used is increasingly vital to ensuring your data is protected.

Cybercriminals Are After Your Personally Identifiable Information (PII)

A recent study conducted by Imperva revealed that 42.7% of the time, hackers go after personally identifiable information (PII). The number of compromised records year-over-year has grown 224% since 2017, and cybercriminals target PII on the darknet because it is the most valuable information for committing fraud or identity theft. The darknet continues to grow at an alarming rate, and as the darknet data market grows in product variety and volume, prices fall.

PII and Credentials

DarkOwl’s Vision UI is the industry leading platform for analysts to simply, safely, and comprehensively search the largest commercially available source of darknet data.

The data stored in DarkOwl’s repository offers a stark glance into the vast amount of PII exposed on the darknet and deep web. As of time of publishing, DarkOwl’s database contains:

  • 392,474 Unique social security numbers
  • 9,333,991,605 Email Addresses
  • 2,543,145,887 Unique email addresses with associated passwords
  • 1,974,025,999 IP Addresses
  • 16,725,211 Credit Card Numbers

Figure 1: Example of PII being offered for sale on a Tor darknet site, including Social Security Numbers, Source: DarkOwl Vision
Figure 2: Example of Corporate Gmail accounts being sold for as little as $13.16 USD on a darknet marketplace, Source: DarkOwl Vision

Exploitable Financial Banking/Credit Card Info

Figure 3: Breakdown of exposed Credit Card Numbers in DarkOwl’s data by type, Source: DarkOwl Vision

One of the ways that threat actors leverage the trove of PII on the darknet (including credential, healthcare, and account data) is to cross-reference it with other, potentially unconnected information (like credit card numbers) to piece together and exploit payment information. This often includes hacked and verified credit cards, some of which come with a pre-disclosed balance.

DarkOwl frequently observes these types of items for sale on darknet marketplaces, as pictured here.

According to a recent study by Privacy Affairs, credit card data, such as a Walmart account with credit card information, can be purchased for just $10, and US-issued credit card details with CVV for just $17.

By having visibility into the exposed data on the darknet, businesses can ensure their clients' and customers' PII is not being exploited for financial gain.

Figure 4: Sample of average cost per sale of credit card information on dark web, Source: Privacy Affairs
Figure 5: Example of multiple accounts and credit card/financial assets for sale – likely as the result of threat actors taking advantage of various instances of leaked data, Source: DarkOwl Vision

Tips to Protect Your Data 

For Individuals

The National Cybersecurity Alliance provides lots of tips and tricks to help individuals protect and manage their personal data, from adjusting privacy settings to turning on multi-factor authentication (MFA) and how to identify phishing messages. This article from CyberNews also provides tips and free tools to protect your data.

Some tips from DarkOwl analysts: 

  • Don’t reuse passwords across different accounts
  • One in five passwords is “easy to guess”: make sure your password does not include personal information such as birth dates or family names.
  • Use a password manager such as LastPass, Bitwarden, or 1Password to generate and store complex passwords
  • Use multi-factor authentication (MFA) for important accounts like financial and banking sites
  • Follow this step-by-step guide to removing your personal info from common web directories such as ZoomInfo and Whitepages.com

For some interesting statistics around passwords, check out our infographic; for more information on password best practices, check out our blog.

For Businesses

For businesses, the Federal Trade Commission provides a great resource when it comes to protecting the personal information of employees and customers, as almost all companies keep some level of personal information in their files. If this information is leaked or falls into the wrong hands, there is a large risk of reputational and financial loss, not to mention lawsuits. As the FTC states, “safeguarding personal information is just plain good business.”

Additional tips from DarkOwl’s IT and Security Teams center around homing in on what matters most to your business. For example, a company that houses large quantities of sensitive customer data in-house will likely need to focus on safeguarding that information via internal measures to a greater extent than a company that works with third-party companies to store such information. In the latter case, a greater emphasis may be placed on managing potential risks to the vendor storing this customer data, as well as putting additional restrictions around email communications and network privileges granted to that vendor.

Phrased differently, in order for companies to keep their data safe, security teams need to audit and assess which data is the most vital to protecting the operations and privacy of the organization and its customers, and what type of data that is. Once that is determined, businesses should:

  • Control access to that data by implementing least privilege access measures
  • Encrypt it
  • Install an alerting system that logs actions and can notify the appropriate people of events

Further recommendations include:

  • Implement security training across the company
  • Physically safeguard data that you house on premises
  • Move to the cloud
  • Monitor third-party access
  • Keep software up to date
  • Routinely check industry standards
    • Security Technical Implementation Guides (STIG)
    • National Institute of Standards and Technology (NIST)
    • Institute of Electrical and Electronics Engineers (IEEE)
    • Open Web Application Security Project (OWASP)
    • International Organization for Standardization (ISO 27000)

DarkOwl’s Stance on Data Privacy

DarkOwl considers data privacy to be a paramount aspect of a business’s cybersecurity posture. To put this into practice, we have continually invested in technologies and practices that ensure that both our internal system data and all information related to our clients and partners are highly protected.

For example, customer search and query information processed by the DarkOwl API offerings is not saved or logged for any period. Furthermore, all end-user login information is safeguarded in accordance with the most up-to-date privacy and security recommendations, including least privilege access parameters as well as other measures that minimize human risk.

Of additional note, none of the data we collect is purchased or illegally obtained, making DarkOwl the most prolific darknet dataset on the market that does not enable or perpetuate cybercrime. You can find out more about where we get our data here.

To learn more about how your business can protect your customers’, prospects’, and employees’ PII, contact us.

What is Retail Fraud?

January 25, 2023

The simplest way to describe retail fraud is theft from a commercial retail establishment resulting in financial loss and harm to the retailer. Retail fraud is a criminal offense, and there are myriad ways retail fraud can occur, both physically in a store and virtually online. With a shift towards more e-commerce-centric shopping environments, virtual retail fraud at scale has surged, and darknet cyber criminals are at the crux of this fraud economy. In this blog, DarkOwl analysts review some of the most popular methods in use by cyber criminals and retail fraud related discussions observed in underground criminal networks.

Purchasing and/or Reselling Goods for Less than Market Value

Freebie Bots

Since most retailers have inventory available for purchase online, there is a growing network of opportunistic software developers deploying “bots” designed to capitalize on human errors and mispriced product SKUs (stock-keeping units). Freebie bots scour the Internet, scraping e-commerce websites to discover items that have been accidentally mispriced, and then purchase those products in bulk for resale. The developer or administrator of the bot will resell those items on other sites such as eBay, Alibaba, and others, gaining significant profit. Since the retailer is beholden to transact at the erroneous price, the retailer is negatively impacted financially because it ends up filling a high volume of mispriced orders.

Such bots are regularly discussed and traded on popular darknet-adjacent chat platforms like Discord. In the figure below, threat actors discuss the “cook group bot”, where deals from online food services are scraped and made available for exploitation.

Figure 1: Source DarkOwl Vision
Figure 2: Freebie bot advertisement Source: Telegram, Channel Redacted

Counterfeits

The illicit trade of counterfeit goods is a long proven multi-billion-dollar international industry – which according to counterfeit experts, continues to be led by China. According to Europol, surface web monitoring helps crack down on the major counterfeit goods suppliers, but many sophisticated networks have simply shifted to the darknet and use decentralized darknet markets to sell their counterfeited items.

DarkOwl has observed darknet marketplaces that feature a section of “counterfeit goods” comprised of physical counterfeited items a buyer can purchase and have sent to them directly. Watches and fine jewelry are the most common physical goods offered on underground marketplaces, but clothing and electronics are also often on offer.

Figure 3: Listing for counterfeit Rolex watches on Nemesis Source: Tor Anonymous Network

Sweethearting

Sweethearting is a term used to describe a type of social engineering where employees are manipulated by criminals to give away or falsely discount products for purchase and/or potential future resale. Employees are often eligible for store discounts, 20 to 30% off the purchase total, which are applied to purchases initiated by the fraudster.

Employees typically give these undeserved discounts to close friends and family members, but in other cases, employees have been conned into giving them to criminals as well. Such discounts can add up over time. One such example of costly Sweethearting involved an ex-Amazon employee from Arizona who issued $96,000 worth of refunds to accounts they owned or controlled.

Point of Sale (POS) Malware

In addition to social engineering-led fraud, there is a subset of threat actors who develop malware and viruses designed to take advantage of Point of Sale (POS) systems to conduct advanced retail fraud.

Such malicious code gives the attacker remote command and control of the front and back ends of the system, and manipulates prices at scale or as needed for individual fraudulent transactions. Often, such malware is used to apply steep discounts and manipulate SKU prices. A threat actor can remotely and temporarily manipulate the price without the retailer’s knowledge, and transactions still appear legitimate until a financial audit discovers the price (and subsequent profit) discrepancies.

Figure 4: POS malware advertised Source: Telegram, Channel Redacted

Refund-Specific Fraud

There are multiple forms of e-commerce refund fraud, which usually entail purchasing items online with the intention of keeping them while receiving financial compensation for a supposed defect or delivery problem. Popular methods of e-commerce refund fraud discussed on the darknet include using refunds-as-a-service, directly targeting employees, and did not arrive (DNA) fraud.

Refunds-as-a-service is a darknet affiliate scheme, primarily discussed on Telegram, where refund fraud is committed at scale on behalf of a customer. Customers outsource the work and solicit expert advice to receive a full or partial financial refund for items bought online and in stores. Like other “as-a-service” commodities on the darknet, the “refund service” providers facilitate fraud for a percentage of the refund.

In this model, the buyer purchases the product and then simply provides the refund service provider with the details of their order and the account and card information associated with it. The service provider then impersonates the customer and uses a series of advanced social engineering and phishing techniques to carry out the fraud. These include the use of chat bots to tell emotional stories of lost or damaged goods, with the goal of eliciting enough sympathy from the customer service representative to give a refund regardless of the company’s refund policies.

Proficient social engineers on the darknet can perform this refund service several times a week to easily make money without ever selling their methods. DarkOwl has observed compensation packages averaging 10% of the order value.

Figure 5: Source Telegram, Channel Redacted

Directly Targeting Employees

Similar to Sweethearting, another advanced social engineering refund method involves criminals directly targeting employees. DarkOwl has witnessed threat actors who specialize in fraud discuss the methods that they’ve employed to socially engineer retail employees to get discounts or refunds they didn’t qualify for or deserve. This type of fraud is typically accomplished by forming an emotional connection with the employee and using the connection to extort them and steal from the retailer.

Figure 6: Source DarkOwl Vision from Tor Anonymous Browser

In addition to targeting employees emotionally to get discounts, some refund groups may try and recruit employees to come work for them. This provides the criminal group direct insider access to POS systems, gift cards and voucher codes, and credit card transactions.

Figure 7: Source DarkOwl Vision

Did Not Arrive Fraud

Did not arrive (DNA) fraud is one of the oldest methods of e-commerce-specific refund fraud. In this scam, customers claim that their package never came or was stolen, and will ask for a full refund even though the items did arrive. The international popularity of large e-commerce retailers like Amazon has propelled this type of fraud.

Empty Box Fraud

A similar kind of fraud is empty box or partial-empty box refund fraud. In this case the purchaser lies and claims that an item was packed incorrectly, damaged, or stolen during the shipping process, and asks for a full refund. Similarly, a fraudster will order a small high-value item together with a large low-value item and initiate a refund claiming that the high-value item was not in the package delivered.

Figure 8: Source DarkOwl Vision

Receipt Fraud

Adjacent to retail refund fraud is receipt fraud, which entails generating fake receipts for goods never purchased at the retailer, often for the sole purposes of refund initiation or submitting falsified expense reports.

Threat actors specializing in receipt generation subscription models offer fraudsters access to numerous retailers’ receipt templates for as little as $9.99 USD per month. Both online and in-store purchase receipts are available for purchase. Electronics retailers like Best Buy, NewEgg, and CDW are regularly mentioned in addition to shipping services like FedEx and UPS.

Figure 9: Fake Fuel Purchase Receipt, Source DarkOwl Analysts

FTID (Fake Tracking ID) Scams

DarkOwl has witnessed increased mentions of tracking-related fraud, where scammers purchase expensive and valuable items, such as electronics, with the intent to initiate a return and refund. They request a refund, which prompts the retailer to send them a shipping label to affix to the returned item’s package. Instead of placing the shipping label on a parcel, they put it on an empty envelope or piece of junk mail, which upon delivery to the business’s mailbox will be mistaken for trash and thrown away. The scammer has the tracking information to prove the labelled item was delivered to the retailer’s business address, receives the refund, and keeps the high-value item.

In the example pictured below, a fraudster on a Telegram channel boasts that Amazon workers regularly steal from returned-item mail sorting facilities, which can be offered as a plausible explanation for why the item was not correctly returned.

Figure 10: Source Telegram Channel, Redacted

Wardrobe Fraud

Wardrobe fraud or “wardrobing” is popular with female fraudsters who purchase high-value clothes with the intent of single use and fraudulent return. Often a customer orders an item of clothing, typically expensive clothes for a black-tie or formal event, wears it once (concealing the tags inside the dress or re-attaching them afterwards), and then sends the clothes back to the retailer after use. These worn clothes are often damaged and/or dirty. This type of fraud is conducted both for in-store purchases and online.

Darknet Threat Actors Discuss Bypassing Physical Security Measures for Theft

One of the oldest forms of retailer fraud and commerce crime is physical theft of goods from a store. During this research, DarkOwl analysts also uncovered conversations where threat actors revealed methods to bypass loss prevention physical security measures utilized in-stores, such as electronic article surveillance (EAS) ink-tags and RFID (radio-frequency identification) disruption.

Figure 11: Source DarkOwl Vision

Retailers at the Epicenter of Consumer Phishing Attacks and Identity Theft

Fake/Spoofed Websites and Sellers

Oftentimes, a retailer’s brand and reputation will be exploited by threat actors so that they can carry out elaborate scams with advanced phishing and social engineering attacks, mainly with the intention of committing identity theft. Criminals lure victims to malicious sites, with links often delivered via phishing emails claiming to be from a reputable, popular store, and typically advertise a promotion or deal to entice the consumer to click. Phishing emails have become increasingly sophisticated, as their delivery mechanisms are designed to evade spam filters using techniques such as URI fragmentation and domain hop architecture.

From our Darknet Glossary, “spoofing” is a method used by cybercriminals in which they falsify the origins of network communication to mislead or misdirect the recipient into thinking they are interacting with a known and trusted source. These websites look legitimate and very similar to the real retailer’s site. Some can also have malware that a customer can unknowingly download.

Spoofing and tricking unsuspecting customers into buying from fraudulent sites is often accomplished by typo-squatting, whereby fraudsters impersonate legitimate sites and services and trick people into using them by changing the spelling of the site ever so slightly so that most don’t notice the difference.
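As an added example (not from the original post), the Python classifier below applies the typo-squatting description above from the defender's side: it normalises common look-alike characters, then compares a candidate host's registrable label against a short allowlist of protected brands by exact match, token match and edit distance. The brand allowlist and the candidate hostnames are constructed for illustration.

```python
"""Look-alike domain classifier (added example, not the post's own tooling).

A host seen in mail, proxy or certificate-transparency logs is compared
against the brands an organisation wants to protect.
"""
import re

# Constructed allowlist: brand label -> the legitimate registrable domain.
PROTECTED = {
    "walmart": "walmart.com",
    "wellsfargo": "wellsfargo.com",
    "netflix": "netflix.com",
    "amazon": "amazon.com",
}

# Common substitutions that read like the letter they replace at a glance.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"),
              ("5", "s"), ("$", "s"), ("@", "a"), ("|", "l")]


def normalise(label):
    label = label.lower()
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def registrable_label(host):
    """Second-level label of a host. Assumes a one-part public suffix such as
    .com or .net; a real deployment would consult the public suffix list."""
    host = host.lower().strip(".")
    if host.startswith("www."):
        host = host[4:]
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, or swap
    two adjacent characters, each costing 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(host):
    """Return (verdict, brand, distance). Verdicts, from most to least certain:
    legitimate, homoglyph, combosquat, typosquat, unrelated."""
    clean = host.lower().strip(".")
    if clean.startswith("www."):
        clean = clean[4:]
    for brand, legit in PROTECTED.items():
        if clean == legit:
            return ("legitimate", brand, 0)
    label = normalise(registrable_label(host))
    tokens = [t for t in re.split(r"[-_]", label) if t]
    for brand in PROTECTED:
        if label == brand:            # only look-alike characters differ
            return ("homoglyph", brand, 0)
        if brand in tokens:           # brand plus extra words, e.g. "-secure"
            return ("combosquat", brand, 0)
    # Small edit distance on the whole label or any token; longer brands
    # tolerate two edits, short ones only one, to limit false positives.
    best = None
    for brand in PROTECTED:
        dist = min(edit_distance(c, brand) for c in [label] + tokens)
        limit = 2 if len(brand) >= 8 else 1
        if dist <= limit and (best is None or dist < best[2]):
            best = ("typosquat", brand, dist)
    return best or ("unrelated", None, None)


# Constructed hostnames standing in for entries from a log feed.
SAMPLE_HOSTS = ["www.amazon.com", "wa1mart-secure.com", "wellsfarg0.net",
                "netfllx.com", "netfilx-billing.com", "example.org"]


def triage(hosts):
    """Hosts worth a closer look: neither legitimate nor unrelated."""
    return [(h, *classify(h)) for h in hosts
            if classify(h)[0] not in ("legitimate", "unrelated")]


if __name__ == "__main__":
    for row in triage(SAMPLE_HOSTS):
        print(row)
```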

Fraudulent websites can damage the reputation of a commercial retailer and take away sales from customers who would have bought products from the legitimate business. Spoofed websites resulting in unhappy customers hurt trust in the brand, potentially impacting future sales and revenue.

The figures below show sites that have been verified as phishing domains, e.g. a Brazilian Wal-Mart site and a Wells Fargo client login page that harvest banking authentication credentials.

Figure 12: Wal-Mart phishing site deployed in Brazil, Source: phishtank.org
Figure 13: A verified phish website for Wells Fargo Bank Source: phishtank.org

Offers to build fake websites and all the tools to facilitate complex phishing campaigns are readily available for sale on the darknet.

DarkOwl analysts observed “custom made websites” available for sale on a darknet marketplace ranging from $50 – $300 USD. Likewise, guides on “how to phish” and create fake e-commerce websites are on offer on darknet marketplaces for as little as $5 – $10 USD with advertised financial profit of $10K USD per month.

The most commonly exploited brands are Uber, Amazon, and Netflix, and phishing kits are often sold in conjunction with “lead lists” containing thousands of private email addresses and phone numbers that can be used for sending spam in large volumes.

Figure 14: Netflix “scampage” website for sale Source: Kerberos Market, Tor Anonymous Browser
Figure 15: Netflix Payment Validation Phishing Site Sample Provided as Proof by Threat Actor
Figure 16: Advertisement for Phishing Kit Guide, Source Kerberos Market, Tor Anonymous Network

Falsifying the Authentication of Scam Pages through Website Certificates

DarkOwl analysts have also noticed website certificates, such as SSL/TLS (Secure Sockets Layer/Transport Layer Security) certificates, for sale in darknet fraud communities. Giving a spoofed website an authentic SSL/TLS certificate helps threat actors with their detection-evasion measures and makes the phishing/scam website look more authentic.

Certificates give machines a unique identity and communicate trust to visitors of the website and search engines alike. This way hackers and threat actors avoid getting flagged as untrustworthy. DarkOwl also found Russia-based threat actors offering Extended Validation (EV) certificates, widely regarded as the most trustworthy kind of machine identity, for sale on the darknet for upwards of $2400 USD.

Figure 17: EV Certificates for sale on the darknet, Source DarkOwl Vision
[FIGURE TRANSLATED]
EV Code Signing Certificate for sale.
Name and cost
• EV Code Signing certificate – $2450 (production time 1-2 weeks)
• Recording service to our USB token and shipping across Russia – $200
* $50 discount per review
* A physical USB token is required for EV certificates.
Suitable USB tokens for an EV certificate:
SafeNet eToken 5100
SafeNet eToken 5105
SafeNet eToken 5110
SafeNet eToken 5200
SafeNet eToken 5205
SafeNet eToken Pro 72K
It is possible to register code signing certificates for a specific company name; the conditions are discussed individually.

Fake Delivery and Shipping Notifications – via Email and SMS Phishing Campaigns

Fraudsters and scammers will use lead lists to send large volumes of fake delivery and/or shipping notifications, appearing to come from trusted retail and delivery sources, indicating that there has been an issue with the delivery, that it has been delayed, or that a fee needs to be paid for the package to be delivered.

Usually, the notification includes a link to a fraudulent site prompting users to enter their financial information and PII (which can be leveraged by actors later) or to pay a fee to release the shipment. Such phishing campaigns impersonating retail commerce providers occur via both email and SMS delivery.

Gift Card, Rewards Programs, and Retail Promotion Fraud

Gift card fraud is a lesser-known form of retail fraud, yet popular amongst darknet threat actors. Gift card fraud can occur via insider threats, i.e. employees steal legitimate gift cards, as well as externally, i.e. consumers redeem stolen or counterfeit gift cards.

Fraudsters easily utilize gift cards and vouchers for illicit purchases because these forms of payment have less security protection than traditional credit cards.

Figure 18: Source Telegram, Channel Redacted

Loyalty programs and customer rewards are also stolen and/or counterfeited for resale. DarkOwl analysts have observed numerous prominent retailers mentioned in darknet fraud advertisements, such as Macy’s, Nordstrom, Kohl’s Cash, AMC Theatres, Office Depot, Bath and Body, Top Golf, DSW, Target, Costco, American Eagle, Southwest Airlines, Marcus Theatres, and numerous restaurant and coffee chains. Most gift card and reward program fraud on offer on the darknet targets US-based retailers.

Figure 19: Fraud Vendor Shop, Source: Deep Web

Phishing emails disguised as reward program promotions also lure customers into joining fake loyalty programs and entering their personal information, which is systematically harvested, stored, organized by retailer into “logs,” and resold en masse in various darknet data brokerage communities across Tor and Telegram.

Figures 20 & 21: Examples of Phishing reward program promotions, Source DarkOwl Analysts

Final Thoughts

Cyber criminals and those involved in retail fraud have become more convincing, sophisticated, and organized with every holiday season. Retail fraud obviously harms commercial retailers fiscally, but it also impacts the retailer’s reputation, trust in the brand, and customer loyalty over time.

The darknet and darknet-adjacent chat applications play an important role in the evolution and proliferation of such virtual and physical theft techniques and tactics. The darknet provides an interconnected web of fraud methods that can be learned, shared, and constantly updated to outsmart legitimate retailers and trick their consumers.

Retailers can benefit from a regular darknet monitoring service for indications of the most up-to-date methods and malware used for retail fraud, to employ effective detection and countermeasures, and to set up recognition education programs for their employees and stakeholders.


Interested in learning how darknet data plays a vital role in preventing, catching and remediating retail fraud? Contact us.

Insights From the Darknet: API Security

January 12, 2023

API security professionals can benefit from darknet data in forming a more comprehensive understanding of malicious threat actor Tactics, Techniques, and Procedures (TTPs) in order to enact effective, detailed security recommendations, remediations, and product solutions.

API security related topics, such as “API hacking”, “stolen API tokens”, and “API MITM attacks”, are regularly discussed in detail in darknet forums. Similarly, API tokens are frequently sold and traded in underground digital marketplaces, and API exploitation code is shared amongst threat actors.

Considering that API security incidents affected 95% of organizations in the last year (Source), it is more important than ever that the information security community remain aware of shifts in threat actor discussions regarding APIs and the various TTPs that threat actors use to exploit them.

Examples of API Security Incidents

Recent security incidents impacting APIs highlight the need for increased awareness and protection of digital supply chain assets. For example, in 2018, a vulnerable USPS Informed Visibility API endpoint leaked over 60 million US residents’ information. USPS performed and published an audit that detailed some of the issues that resulted from the incident, although much of the key data is redacted.

More recently, in April 2022, GitHub admitted that attackers targeted private repositories through the GitHub API using stolen OAuth tokens. This was likely via a Microsoft OAuth flaw that occurred in December 2021.

Toyota warns of possible data theft after access key left exposed on GitHub

Recently, Toyota was notified of a breach that happened as the result of an API access key for T-Connect, the official Toyota connectivity app, being left publicly available on GitHub. The T-Connect connectivity app powers features such as wireless access to vehicles.

Toyota has since announced that over 2,900 records were exposed, giving access to customer names, customer information, and so forth. This is one example of what the threat landscape looks like and what the implications can be of API credentials getting into the wrong hands.
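The Toyota case above turns on a credential committed to a public repository. As an added example (not DarkOwl's or Toyota's code), the following Python scanner flags API-key-like values in source text before a commit reaches a shared repository; the `vk_live_`/`vk_test_` prefix rule, the sample file contents and the entropy threshold are constructed assumptions, not real provider formats.

```python
"""Secret scanner for source text (added example, not the post's or Toyota's code).

Two rules: a provider-style prefix pattern (the ``vk_live_``/``vk_test_`` format
is a constructed placeholder, not a real vendor format) and a generic
high-entropy rule for quoted values assigned to credential-looking names.
"""
import math
import re
from collections import Counter

# Constructed prefix rule; real scanners keep a catalogue of vendor formats.
KNOWN_PREFIXES = [
    ("hypothetical_vendor_key", re.compile(r"\bvk_(?:live|test)_[A-Za-z0-9]{24,}\b")),
]

# An assignment such as  API_KEY = "..."  or  session_token: '...'  where the
# name contains key/secret/token/password and the quoted value has 8+ characters.
ASSIGNMENT = re.compile(
    r"(?i)\b(?P<name>[a-z0-9_]*(?:key|secret|token|password)[a-z0-9_]*)"
    r"\s*[:=]\s*['\"](?P<value>[^'\"]{8,})['\"]"
)

# Values that occupy a credential slot but are not a live secret.
PLACEHOLDERS = {"changeme", "xxxxxxxx", "your_api_key", "<redacted>"}


def shannon_entropy(s):
    """Bits per character; a random 32-character token scores close to 5."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value):
    """Never echo the whole secret into a report or log; keep a short prefix."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_text(text, entropy_threshold=3.5):
    """Return one finding dict per suspicious line; findings never carry the secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        prefix_hit = None
        for label, pattern in KNOWN_PREFIXES:
            m = pattern.search(line)
            if m:
                prefix_hit = (label, m.group(0))
                break
        if prefix_hit:
            label, value = prefix_hit
            findings.append({"line": lineno, "rule": label, "name": "",
                             "preview": redact(value)})
            continue  # do not report the same value again under the entropy rule
        m = ASSIGNMENT.search(line)
        if not m:
            continue
        value = m.group("value")
        # Skip placeholders and references to environment variables ("${NAME}").
        if value.lower() in PLACEHOLDERS or value.startswith("${"):
            continue
        if shannon_entropy(value) >= entropy_threshold:
            findings.append({"line": lineno, "rule": "high_entropy",
                             "name": m.group("name"), "preview": redact(value)})
    return findings


def scan_files(paths):
    """Pre-commit style helper: map path -> findings for the given text files."""
    report = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits = scan_text(fh.read())
        if hits:
            report[path] = hits
    return report


# Constructed sample config, as it might be committed by mistake.
SAMPLE = """\
# config.py (constructed sample)
API_KEY = "vk_live_QmZ8x3Jp0tWy7LcDh2AnRv5Bs9Ke4Ug1"
VEHICLE_API_SECRET = "${VEHICLE_API_SECRET}"
db_password = "changeme"
SESSION_TOKEN = "k7Qz2LmP9xR4vTbN8yWc3HsD6fGaE1Ju"
DEBUG = "false"
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f['line']}: {f['rule']} {f['name']} {f['preview']}")
```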

FTX users lose millions to 3Commas API exploit

In a similar recent case, FTX and 3Commas revealed that an API exploit was used to make illegitimate FTX transactions. This was done using API keys obtained from users via phishing attacks, which gave the attackers access to lateral systems. Eventually, 3Commas came forward publicly to admit that the API keys were obtained from outside of its platform, but the implication still posed a risk to its users. The risk of user account exploitation included threat actors being able to make offsite, unauthorized financial transactions.

An investigation revealed that DMG trades were conducted using new 3Commas accounts and that “the API keys were not obtained from the 3Commas platform but from outside of it.” This suggests that cyber criminals likely gained keys from phishing or browser information stealers, which are frequently discussed and advertised on the darknet.

Informed Delivery Leaks 60 Million Users’ PII

Poor access controls on a United States Postal Service (USPS) API endpoint made a wealth of US persons’ private information available to criminals.

In 2018, a vulnerable USPS Informed Visibility API endpoint leaked over 60 million US residents’ information. USPS performed and published an audit that detailed some of the issues that resulted from the incident, although much of the sensitive data is redacted.

USPS Informed Visibility API Code prior to November 20, 2018
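The flaw class described in this section, an authenticated API endpoint that hands back any record whose identifier the caller supplies, is illustrated below with a hypothetical handler beside a hardened one that checks authorisation per object, minimises returned fields, and counts denied lookups for alerting. This is an added example, not the USPS code referenced in the caption above; the account records, user names and roles are constructed.

```python
"""Hypothetical API handlers (added example, not USPS code): an object-level
access control flaw beside a hardened version that also records denied
lookups so that id-guessing can be alerted on."""
from collections import Counter

# Constructed records: account id -> record. Names and addresses are made up.
ACCOUNTS = {
    "acct-1001": {"owner": "alice", "name": "Alice Andersen",
                  "street": "12 Elm St", "email": "alice@example.com"},
    "acct-1002": {"owner": "bob", "name": "Bob Brennan",
                  "street": "9 Oak Ave", "email": "bob@example.com"},
    "acct-1003": {"owner": "alice", "name": "Andersen Flowers (business)",
                  "street": "40 Pine Rd", "email": "shop@example.com"},
}
# Constructed role table: support staff may look records up, but not every field.
ROLES = {"alice": {"customer"}, "bob": {"customer"}, "carol": {"support"}}
SUPPORT_VISIBLE_FIELDS = ("name",)

# Denied lookups per authenticated user, consumed by the alerting check below.
DENIALS = Counter()


class AccessDenied(Exception):
    """Raised for both 'no such record' and 'not your record' (a single HTTP 404
    in a real service), so a caller cannot learn which account ids exist."""


def get_account_vulnerable(session_user, account_id):
    """The flaw: the endpoint authenticates the caller but never asks whether
    this caller may read this account, so any logged-in user can walk the id
    space and harvest everyone's PII."""
    return ACCOUNTS[account_id]


def _may_read(session_user, record):
    return record["owner"] == session_user or "support" in ROLES.get(session_user, set())


def _minimise(session_user, record):
    """Owners see their full record; support staff see only the fields their
    task needs."""
    if record["owner"] == session_user:
        return dict(record)
    return {k: record[k] for k in SUPPORT_VISIBLE_FIELDS}


def get_account(session_user, account_id):
    """Hardened lookup: per-object authorisation, uniform failure, and
    field-level minimisation."""
    record = ACCOUNTS.get(account_id)
    if record is None or not _may_read(session_user, record):
        DENIALS[session_user] += 1
        raise AccessDenied(account_id)
    return _minimise(session_user, record)


def list_accounts(session_user):
    """Scoped listing: the query is bound to the caller's identity rather than
    to a caller-supplied filter that could select other people's records."""
    return sorted(aid for aid, rec in ACCOUNTS.items() if rec["owner"] == session_user)


def suspicious_users(threshold):
    """Users whose denied lookups reached the threshold; hand these to the
    alerting system so enumeration is noticed before an audit finds it."""
    return sorted(u for u, n in DENIALS.items() if n >= threshold)


def reset_denials():
    DENIALS.clear()


if __name__ == "__main__":
    print(get_account_vulnerable("bob", "acct-1001"))  # leaks Alice's record
    try:
        get_account("bob", "acct-1001")
    except AccessDenied:
        print("bob denied; denials so far:", dict(DENIALS))
```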

Darknet Threat Actors Readily Discuss API Security

On the darknet, stolen API secrets, keys, and session tokens are shared openly and in closed communities. Authenticated darknet discussion forums on Tor, transient paste sites, and Telegram are especially popular with API attack enthusiasts.

Examples from DarkOwl Vision: Stolen API Keys & Security Tokens

Pinnacle, Telnyx, and other API tokens are frequently offered for purchase on darknet forums such as DARKMONEY and similar ‘hacking’ Telegram channels.

Telegram groups offer ‘key checkers’, where the API key is tested ahead of time on behalf of the threat actor. Another example shows Twitter tokens being offered for sale on a ‘cracking’ Telegram group.

Example of Twitter tokens for sale on Telegram (Source: DarkOwl Vision)
Twitter and Discord tokens are shared on transient paste sites, like pastebin.com (Source: DarkOwl Vision)

In another example, DarkOwl analysts have observed a TikTok API token generator for username scanning. Below is a translation of the listing:

“This tool will generate and validate TikTok API tokens, also known as session IDs. This is useful if you are checking usernames through the TikTok API and you have run out of IDs with no speed limit! I advise using 30-100 streams and would definitely turn on a VPN, because your IP address can be limited very quickly, be careful!”

DarkOwl has also increasingly observed API penetration testing utilities – like GoBuster or Wfuzz – discussed in detail by non-English-speaking darknet users. Similar technical discussions are now appearing on malware-developer-centric surface web sites such as CSDN.

Threat actor activity/discussions surrounding API penetration tools (Source: DarkOwl Vision)

Why API Security is so Important

APIs tend to be an underserved element of most enterprises’ cybersecurity postures. However, as organizations continue their efforts to digitally transform their application ecosystems, enterprise services increasingly rely on APIs. As a result, APIs are emerging as the backbone of modern communication and application ecosystems. As more organizations move toward the cloud and similar API-driven technologies, having visibility into any and all credentials that could be exploited becomes crucial.

This shift toward dependency on APIs in the commercial landscape echoes what DarkOwl analysts are seeing on the darknet. Discussions around API exploits, API keys, and the theft and sale of API keys are a relatively new phenomenon on the darknet over the last couple of years, and one we expect to continue to grow.


Interested in learning more about how darknet data informs API security? Check out our webinar on this topic that we hosted with our partner Corsha for more real-world examples and predictions regarding the future of API security.


Content, Content, Content: Top Research Pieces from DarkOwl in 2022

January 03, 2022

Thanks to our analyst and content teams, DarkOwl published over 100 pieces of content this year, a new record for the team. DarkOwl strives to provide value in every piece written: highlighting new darknet marketplaces and actors, trends observed across the darknet and adjacent platforms, exploring the role the darknet plays in current events, and showing how DarkOwl’s product suite can benefit any security posture. Below you can find 10 of the top pieces published in 2022.

Don’t forget to subscribe to our blog at the bottom of this page to be notified as new blogs are published.

1. Impacts of Ukraine Invasion Felt Across the Darknet 

Figure 1: GhostSec Leaks Data from domain[.]ru Hosting Provider

From February through April, the DarkOwl team actively tracked the fallout from Russia’s invasion of Ukraine. The effects of the kinetic military operation caused ripples across global cyberspace, including critical underground ecosystems across the deep web and darknet, resulting in the first-ever global cyberwar. Read blog.

In August, CEO and Co-Founder Mark Turnage hosted a webinar on the topic of cyberwar, “What Does a Real Cyberwar Look Like.” Ukraine’s call for help sparked the first-ever global cyberwar, which for the first time in history has been waged between two countries simultaneously with a land war. This webinar looked at what we have learned from the cyberwar to date. The transcript and recording can be found here.

2. Darknet Cartel Associated Marketplaces  

In August, DarkOwl analysts discovered multiple escrow-enabled decentralized marketplaces on the dark web that claim to be affiliated with the Sinaloa Cartel. One such marketplace, called “Cartel de Sinaloa,” is reportedly directly associated with the Sinaloa Cartel and Los Chapitos. The marketplace uses the same logo – a red and black skull with “Cartel de Sinaloa” written underneath it – as the avatar of a Facebook group page operating under the same name. Another marketplace calling itself “The Sinaloa Cartel Marketplace” focuses on offering hitman-for-hire style services. Both services require authentication for user access, which forces visitors to create a username and password to view the marketplace past the login screen and adds protection from bots and crawlers. Read more.

Figure 2: Cartel de Sinaloa Marketplace (post-authentication) on Tor

3. Industrial Control Systems & Operational Technology Threats on the Darknet

Industrial control systems (ICS) and their adjacent operational technologies (OT) govern nearly everything societies rely on in the modern age. Manufacturing facilities, water treatment plants, mass transportation, electrical grids, gas, and oil refineries… all incorporate some degree of ICS/OT in their industrial processes. Research from DarkOwl analysts identifies an alarming number of threats on the darknet and deep web that could effectively target and compromise critical infrastructure. Full report here.

4. Glossary of Darknet Terms 

The darknet is home to a diverse group of users with complex lexicons that often overlap with the hacking, gaming, software development, law enforcement communities, and more. DarkOwl’s Glossary of Darknet Terms is a continually evolving resource that defines the common vernacular, slang terms, and acronyms that our analysts find in places like underground forums, instant messaging platforms (such as Telegram), as well as in information security research pertaining to the darknet. Check it out. 

5. Pardon Me While I Steal Your Cookies – A Review of Infostealers Sold on the Darknet 

In this research, our team reviewed some of the most widely proliferated infostealers on offer on the darknet and discovered an elaborate, low-entry-cost data exfiltration ecosystem that provides cybercriminals access to a wealth of personal information without the victim’s knowledge. We also learned that many infostealers are offered under a malware-as-a-service (MaaS) or “stealer-as-a-service” (SaaS) rental model, with subscription-based access to the malware executables and the associated command and control (C2) botnets. Read here.

Figure 3: Offer for Redline Stealer for sale on Darkfox Darknet Marketplace

6. Tensions Between China & Taiwan Realized on the Darknet 

Through August and September, DarkOwl analysts took note of an increased amount of darknet activity surrounding the current geopolitical tensions between China and Taiwan. Using darknet, deep web, and high-risk surface web data, this report endeavors to shed light on the digital underground’s reaction to the countries’ political tensions stemming from China’s “One-China Principle” and its refusal to recognize Taiwan’s independence. 

This report demonstrates how recent cyberattacks in August augment political criticism of Taiwan. Of particular note is the on-going barrage of leaks surfacing as a result of attacks against key organizations in both countries, and discusses the general darknet sentiment regarding China’s global reputation and their potential invasion of Taiwan. Full report here. 

7. Understanding Darknet Intelligence (DarkInt)

The darknet (or “dark web”) is a thriving ecosystem within the global internet infrastructure that many organizations struggle to incorporate into their security posture, but which is becoming an increasingly vital component. In part, that is because turning raw data into actionable security intelligence requires leveraging DARKINT – data points sourced from the darknet and other OSINT sources that together form a risk and/or investigative portfolio. Learn more.

8. The Darknet Economy of Credential Data: Keys and Tokens

The darknet, also referred to as the dark web, is a segment of the internet that is only accessible using specialized software or network proxies. Due to its inherently anonymous and privacy-centric nature, the darknet facilitates a complex ecosystem of cybercrime and trade in illicit goods and services. Adjacent to the darknet are the deep web and instant chat platforms, which play an increasingly critical role in making this illicit information available. Pseudo-anonymous discussion forums and vendor marketplaces hosted on the deep web, along with private and public Telegram channels, provide additional platforms through which threat actors communicate and circulate sensitive and stolen credential data.

In this blog, we review how sensitive, server-side access credential data – such as AWS private/secret keys, Django secret keys, and API tokens – are captured, circulated, and sold across darknet marketplaces and criminal communities. Read here.

Figure 4: Source DarkOwl Vision

9. Darknet Economy Surges Around Abortion Rights 

In June, users across darknet forums voiced interest in abortion-related pills and services following the leaked Supreme Court documents, and advocated for organized protests both in support of and against the potential ruling. Once the U.S. Supreme Court officially issues its ruling, we anticipate a more concerted response from darknet marketplaces in the form of offers for abortion-related drugs and services. The darknet will also continue to be a resource for activists to organize political protests and circulate sensitive information related to the abortion debate. Read more.

Underground Abortion Railroad
Figure 5: Source Dread Darknet Discussion Forum

10. Dark Web Cyber Group Spotlight: SiegedSec 

DarkOwl analysts regularly follow “darknet threat actors” that openly discuss cyberattacks and disseminate stolen critical corporate and personal data. Such analysis helps DarkOwl’s collection team direct crawlers and technical resources toward potentially actionable and high-value content for the Vision platform and its clients. In this edition, analysts dive into SiegedSec, a group that formed in late February 2022, coincidentally days before the invasion of Ukraine, and adopted variations of the tagline “sieging their victim’s security.” DarkOwl analysts observed SiegedSec providing proof of the defacement and/or compromise of at least 11 websites, with rather juvenile and crude language and graphics included in the defacements. In April, the group claimed to have successfully defaced 100+ domains, offering as proof a hosting-provider chat dialogue indicating that the account passwords had been changed and the defacements corrected, but the group hinted that it still had access to the domains. DarkOwl analysts also discovered several thousand compromised LinkedIn profiles with references to SiegedSec. Check it out.

2022, That’s a Wrap!

Thank you to everyone who reads, shares and interacts with our content! Anything you would like to see more of, let us know by writing us at [email protected]. Can’t wait to see what 2023 brings! Don’t forget to subscribe to our newsletter below to get the latest research delivered straight to your inbox every Thursday.

DarkOwl 2022 Recap: A Quick Reflection & Updates

December 29, 2022

With 2022 at a close, our content and marketing teams reflect on a number of exciting events, trends and changes the DarkOwl team experienced this year. We look forward to an even more successful and prosperous 2023 and wish the same for all our customers, partners and readers! Thank you for your support over the past year and for continuing to read, engage with and share our content. We hope you continue to find the topics we cover valuable, enlightening and interesting. Last marketing plug of the year… don’t forget to sign up for our weekly newsletter to make sure you receive updates about the latest from our research and content teams!

In Person is Back! 

Around the World for Conferences

As our EVP of Sales likes to say, “in person is back,” and we are so glad to be able to see our customers, partners, and prospects face to face after a couple of years of a virtual world. In 2022, the team attended several events around the world, in San Francisco, Las Vegas, London, Prague, Paris, Dubai, Hyderabad, and many more. Thank you to everyone who sat down with DarkOwl along the way. We hope to see even more of you on the road in 2023. Check out where we will be in 2023 and request time to meet here.

RSA Conference 2022 in San Francisco

Employee Fun and Events

Not only did the team travel around the world for client meetings and conferences, but throughout the year the headquarters in Denver, CO hosted several employee events, welcoming all remote employees several times for team building weeks, Sales Kick Offs, and the annual Holiday Party. With a workforce that is becoming more and more remote-friendly and DarkOwl focused on finding the best talent, making sure that everyone at DarkOwl stays connected is of utmost importance.

Sales Kick Off Escape Room Team Building
Happy Halloween! Dressing up as CEO, Mark Turnage, to celebrate
Group picture after the annual chili cook off

New Products and Enhancements

DarkOwl places great emphasis on learning from customers and making sure our products are always providing value. We make a continuous effort to enhance our dark web data products with features geared towards analyst and threat intelligence teams. Below are a couple highlights of big launches we had this year. 

Ransomware API Launch


In June, DarkOwl added Ransomware API to the product suite. Ransomware API allows users to monitor ransomware sites for indicators of compromise. This product was created as a direct response to customer requests and needs. Our insight and historical perspective into the darknet is unique, and we wanted to make it easy for people to find this critical information about their vendors or clients. With this API product, content on these sites – including organization mentions – can now serve as an important risk indicator for a variety of use cases.

Leveraging the world’s leading and continuously updated darknet data index, you can gain insight into potential risk by conducting targeted ransomware searches. Ransomware API enables users to safely query continuously sourced and updated ransomware sites – primarily but not exclusively hosted on Tor and Telegram, and run by criminal gangs and threat actors – to detect mentions of criminal activity against an organization.

Read more about Ransomware API on our product page or in our interview with Director of Product, Sarah Prime. 

Entity Explorer 

In November, DarkOwl released a new feature in Vision UI, “Entity Explore,” enabling end-users to gain more relevant insights from DarkOwl’s vast dataset of dark web content. Entity Explore shows query results in the form of a new dashboard built around tokenized objects with critical contextual information. The dashboard also incorporates new features geared toward increasing analyst efficiency, such as easier exporting and parsing of information, to best lead users toward actionable intelligence.

Entity Explore was developed as the result of feedback from DarkOwl’s clients, who were seeking an easier way to drill into their dark web exposure and export that information for reporting and further analysis. With Entity Explore, users are now able to extract data from DarkOwl’s collection in a format that had mainly been limited to DarkOwl’s API customers.

As of early October, DarkOwl Entity API uncovered and archived over 9 billion emails, 16 billion credit card numbers, almost 2 billion IP addresses and over 390 million cryptocurrency addresses in the past year.

You can read more about Entity Explore and its features here.

A Year of Growth 

2022 was exciting for the DarkOwl team, both because our product features and suite grew and because the team continues to grow. That trend is not stopping, and we are proud to continue investing in our employees as well as growing across all teams. Check out our open positions. Join us in our mission to be the world’s leading darknet content and tools provider, empowering clients to continually improve their cybersecurity defenses.

Expanded Data Collection

One of DarkOwl’s key differentiators is our product team’s ability to respond to the needs of our clients and collect the data that matters the most to them. This year, DarkOwl was proud to assist our national security and government partnerships by providing crucial insights into data leaks and cyber activity surrounding the war in Ukraine.  

For many of our commercial clients, the darknet remains a hub for criminal activity for things such as ransomware – a problem faced by over two-thirds of organizations. As such, we ensured we had access to the areas of the darknet frequented by these groups, including the blogs that many ransomware gangs host and update themselves on Tor.  

We also saw data aggregators in the threat intelligence space reiterating a need for broader coverage, not only of traditional darknets but also of emerging darknet-adjacent spaces. Based on this need, we nearly doubled our expansion into messaging services such as Telegram and similar popular chat platforms. As of the time of publication, our AI-powered crawlers have access to over 11,700,000 documents from 1,700+ Telegram servers. We also added 714,513,235 email addresses and 100,532,810 new plain text passwords, and increased our domain coverage by 22.7%.

As cybersecurity incidents become more sophisticated, more and more critical data is being shared on the darknet. This year, DarkOwl partnered with numerous organizations both domestically and internationally to bring more darknet data to threat prevention and intelligence analysts than any year prior.  

Clients Seeing Increased Demand for Dark Web OSINT

We understand how incredibly challenging it is to maintain insight into everything the threat actors have insight into. This year, we put an emphasis on leveraging our company’s expertise in darknet technology to gather the data that allows our clients and their customers to stay ahead of potential threats. This includes former military – as well as the sociology of users on hidden networks – 

As supported by conversations that DarkOwl team members had with several of our customers at the DoDIIS Worldwide Conference this winter, our OSINT technology partners are receiving consistently positive feedback on the data their users are finding by accessing DarkOwl’s database through their existing threat intelligence platforms via DarkOwl’s API products.

Newly announced partnerships include: 

DarkOwl Makeover 

One of our earlier updates this year came in the form of a total rebranding of DarkOwl’s website in February. The redesign concept came from an internal discussion about how DarkOwl as a brand could reinterpret how we represent hidden networks such as the darknet. Our vision (no pun intended) was to use Art Deco design concepts to represent the darknet as a complex component of the internet, rather than an elusive “hidden” concept.

Old Website Homepage
New Website Homepage

DarkOwl’s Commitment to Supporting Non-Profit Causes 

DarkOwl is proud to partner with several non-profit organizations focused on making the world a better place. In honor of National Non-Profit Day, we sat down with key members of the National Child Protection Task Force and the International Justice Mission to get a glimpse into the work that they do on a day-to-day basis and how DarkOwl contributes. Hearing their stories and how our work behind the scenes is making a difference, makes day-to-day tasks so much more worth it. You can read the full blog here. 

We Adopted an Owl 

For the holiday season and to honor our commitment to non-profit organizations, we donated to the Raptor Education Foundation on behalf of our clients and partners. As a result of this donation, we adopted an adorable, wide-eyed Great Horned Owl! We are so excited to welcome this “unusually large male raptor” (as he’s been described by his handlers) to the DarkOwl family. You can learn more about him on his dedicated adoption page. 

Don’t miss any updates from DarkOwl in 2023 and get weekly content delivered to your inbox every Thursday.

DoDIIS Worldwide 2022: Strengthening and Elevating Critical Technology Partnerships

December 20, 2022

The annual DoDIIS Worldwide Conference is one of the premier gatherings of threat intelligence technology companies that service national defense initiatives. This year, representing DarkOwl at DoDIIS were Chief Business Officer, Alison Halland, and Director of Strategic Partnerships, Chris Brown.

Transcending Strategic Competitors through Innovation, Adaptation, and Collaboration

Per their website, at the DoDIIS Worldwide Conference “senior decision makers, technical experts, and innovators from across the Department of Defense, Intelligence Community, industry, academia, and FVEY partners will come together to collaborate and share unique insights.

The theme of this year’s conference – Transcending Strategic Competitors through Innovation, Adaptation, and Collaboration – underscores the urgent race to collectively develop and unleash emerging technologies to maintain strategic and tactical advantage. Mission success in an era of strategic competition demands a willingness to embrace disruption and elevating partnerships to serve as overwhelming force multipliers.”

The DarkOwl team reported that, much like years past, attendance at DoDIIS leads to sophisticated conversations about the role of darknet data in threat intelligence technology products serving the defense industry. Through our partner Carahsoft, DarkOwl was given a dedicated monitor to give demos of Vision UI, our darknet search platform.

These conversations also provided the opportunity for the DarkOwl team to share updates on our data collections as our product team has made significant additions over the past year, including the expansion into authenticated forums, and open chat platforms such as Telegram.

DarkOwl at Carahsoft’s Partner Pavilion (Source: Twitter.com)

Elevating Partnerships

In the spirit of this year’s conference theme, the DarkOwl team spent a significant portion of time understanding how we can best optimize and elevate our current partnerships. Present at DoDIIS this year were a number of DarkOwl’s current data platform clients, including Proofpoint and OSINT Combine. The general consensus from these conversations is that their customers are finding significant value in having the ability to access and search DarkOwl’s vast database of darknet and deep web content from within their existing threat intelligence platforms.

This also offered the DarkOwl team the opportunity to see updated demos of our customers’ platforms and gain insight into how their users interact with our data. This feedback enables our collections teams to continue to gather data that is of critical interest to our customers’ users – and is unique to the darknet, such as the activity of certain ransomware gangs.

For nearly 20 years, the DoDIIS Worldwide Conference has served as the premier information technology conference to hear from distinguished speakers, collaborate with trusted partners, and experience ground-breaking technical solutions to support the warfighter. The conference is an immersive in-person event designed to bring together leading subject matter experts, decision makers, and stakeholders to collaborate and partner. Read more about DoDIIS Worldwide 2022 on their website.


DarkOwl looks forward to continuing its presence at DoDIIS. You can see which upcoming conferences we will be attending and request time to chat with us.

Understanding the Difference Between Darknet Adjacent Chat Platforms, Part 1

December 15, 2022

In the early days of the internet, online communities and internet power users relied on technologies like bulletin board systems (BBS), Usenet newsgroups, and internet relay chat (IRC) to communicate with each other in near-real-time. Many of these technologies formed some of the earliest communication avenues for cyber criminals using the internet to hack networks and steal information. Even though many of these chat protocols persist and are still in use today by criminal communities, newer chat platforms, especially those with privacy-enhancing features like end-to-end encryption or anonymity, are preferred by many threat actors who collaborate across the dark web.

Many of the chat platforms and networks we will discuss today include channels and communities that are perfectly legitimate and even could be casually considered a form of ‘social media.’ Despite this, DarkOwl refers to chat platforms such as IRC, Telegram, and qTox that have considerable use by darknet cyber criminals as ‘darknet adjacent’ for their role in persisting illicit goods trade, fraudulent activities, and cybercrime.

Internet Relay Chat (IRC) 

In the late 1980s, IRC was the protocol of choice for communicating in real time with others across the internet. Shortly after, AOL’s instant messenger and its associated chat rooms skyrocketed in popularity as use of the internet spread across the US and abroad. IRC was codified in 1993 as RFC 1459 as an open-source networking protocol, and even though it was originally developed by the Finnish software developer Jarkko Oikarinen, a.k.a. “WiZ”, IRC does not belong to any specific person or group. As use of AOL’s platform diminished in the 2000s, IRC persisted, especially amongst technology-savvy and privacy-conscious internet users. The size and volume of content distributed via IRC is unknown, as there are hundreds of IRC servers and thousands of channels available to connect to at any given time. IRC servers hosting malicious conversations are often run on Tor. Many IRC clients, like HexChat, support traffic over a SOCKS5 proxy for enhanced privacy and security. A virtual private network (VPN) is often recommended to provide additional protection for IRC server nicks.

Figure 1: Source – HexChat

Telegram

In 2013, the Russian-born French-Emirati entrepreneur Pavel Durov launched Telegram messenger. Pavel had established his leadership in Russian internet technologies by founding the Russian Facebook equivalent, the social media conglomerate VKontakte (VK), six years before debuting Telegram. Telegram advocates for personal data privacy in its public advertising, stating that selling user data is not part of its business model and that user information is not shared with marketers, advertisers, or third parties — a stark contrast to similar services offered by Facebook’s (Meta’s) WhatsApp and Google Hangouts. Telegram also features a ‘secret chats’ option where all messages are end-to-end encrypted and cannot be screenshotted by the chat participants on their devices.

Most Telegram channels are public and open for any Telegram user to join. Others are only accessible by invitation. Channels are typically ‘read only,’ with the channel owner posting most of the messages and content, whereas Telegram groups allow participants to start conversations, more akin to a live chat format with dynamic activity from the members.

In recent years, Telegram channels promoting cybercrime and fraud have surged in volume and usage. The Ukraine-Russia military conflict increased Telegram’s popularity considerably, with thousands of channels – for both countries – sharing live updates from the battlefield and cyber targets for hacktivism and military cyber campaigns. Information operations campaigns have leveraged right-wing extremist Telegram channels to circulate anti-US and anti-NATO dis[mis]-information since the war began.

Telegram has historically required a phone number (SIM or VoIP) to join the application, as Telegram used OTP and multi-factor authentication for account security. Recently, Telegram officially announced that it would no longer require SIMs for account activation; users could instead register using ‘blockchain-powered’ phone numbers sold for $16 USD per account by Fragment — another entrepreneurial endeavor by Durov. Conveniently, payments for the anonymous phone numbers are possible through Telegram’s own cryptocurrency token, known as The Open Network (TON).

In addition to the no-SIM sign-up, there are several other features in Telegram’s latest release (V9.2), including Topics 2.0, custom emojis and an emoji search feature for iOS, temporary QR codes, and a global auto-delete timer that destroys chat messages for both users.

Discord

While Telegram was created with users’ privacy in mind, Discord was developed with the intent to facilitate open and fast internet-based communication across online communities, content creators, and friends. Discord’s developers designed the platform with video gaming communities as its target userbase, and the application has been publicly available since 2015. Since its growth in popularity, the application hosts servers and channels where private and public users are invited to talk openly about any topic imaginable; many Discord servers support voice and video communications as well. Such deanonymizing features of Discord are a red flag for serious darknet users tempted to use the platform, although many users suggest simply using a voice changer to obfuscate the sound of one’s voice.

In 2017, Discord allowed publishers and developers to have their servers verified using social media or other verification methods to receive a Discord badge – like the Twitter blue checkmark – designating them as official communities. Each server can host hundreds of channels that users utilize to instantly message or share files between channel members. In 2021, Discord launched a new feature called ‘Threads’: temporary, text-only channels with an auto-destruction feature, like Signal’s self-destructing messages. In late 2022, Discord debuted “Forum Channels,” which mirror the format used across Tor and deep web criminal forums, where discussions are organized by topic with an original post and subsequent replies to the original poster’s message listed sequentially below in a thread-like format. This feature was clearly designed to keep users on the platform by meeting the demand for highly structured, organized discussions instead of freestyle chat.

Figure 2: Source – discord.com

qTox

Another privacy-first darknet adjacent chat platform is qTox. Also simply called “Tox,” this chat platform is built by and for its users, meaning the source code is free and open-source software (FOSS) and there are no centralized servers or protocols that could be compromised. The platform enforces perfect forward secrecy (PFS) by default, meaning a unique session key is generated for every chat. qTox also employs Curve25519 for its key exchanges, XSalsa20 for symmetric encryption, and Poly1305 for MACs.

Instead of registering with a phone number or an email address, qTox users are assigned a unique 76-character Tox ID. The Tor onion routing protocol is used to store and locate Tox IDs, making it harder to link users to their other OSINT personas or accounts. Deanonymization of Tox IDs and qTox users without direct, advanced social engineering methods is impossible. qTox developers have recently formalized the TokTok project with Tox protocol documentation, in which they clearly state their mission – to promote universal freedom of expression and to preserve unrestricted information exchange – a mission from which, in addition to the privacy-conscious, nation state actors and cybercriminals also benefit.

Figure 3: Source – tox.chat
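Analysts who encounter Tox IDs in darknet listings often need to check whether a 76-character string is a well-formed ID and whether two IDs belong to the same key pair. The following is an added example, not code from DarkOwl or the Tox project; it assumes the Tox ID layout from the toxcore protocol documentation (32-byte Curve25519 public key, 4-byte “nospam” value, 2-byte XOR-fold checksum), which the post itself does not spell out.

```python
"""Parse and validate a Tox ID, the 76-hex-character identifier qTox users get.

Assumed layout (from toxcore's protocol documentation, an assumption here,
not something the blog post describes):
  bytes  0..31  Curve25519 public key (32 bytes)
  bytes 32..35  "nospam" value (4 bytes); a user can rotate it to cut off
                unsolicited friend requests without changing their key pair
  bytes 36..37  checksum: XOR-fold of the first 36 bytes into 2 bytes
Hex-encoded, that is 38 bytes * 2 = 76 characters.
"""
from dataclasses import dataclass

PUBLIC_KEY_LEN = 32
NOSPAM_LEN = 4
CHECKSUM_LEN = 2
TOX_ID_LEN = PUBLIC_KEY_LEN + NOSPAM_LEN + CHECKSUM_LEN  # 38 bytes, 76 hex chars


@dataclass(frozen=True)
class ToxId:
    public_key: bytes  # 32-byte Curve25519 public key
    nospam: bytes      # 4-byte nospam value

    def to_hex(self) -> str:
        """Serialize to the uppercase 76-character form, checksum included."""
        body = self.public_key + self.nospam
        return (body + tox_checksum(body)).hex().upper()


def tox_checksum(body: bytes) -> bytes:
    """XOR-fold the 36-byte public key + nospam into a 2-byte checksum."""
    if len(body) != PUBLIC_KEY_LEN + NOSPAM_LEN:
        raise ValueError("checksum input must be public key + nospam (36 bytes)")
    acc = bytearray(CHECKSUM_LEN)
    for i, b in enumerate(body):
        acc[i % CHECKSUM_LEN] ^= b
    return bytes(acc)


def parse_tox_id(text: str) -> ToxId:
    """Decode a 76-hex-char Tox ID, rejecting malformed or corrupted values.

    Raises ValueError with a reason an analyst can act on: wrong length,
    non-hex characters, or a checksum mismatch (a typo or an edited ID).
    """
    s = text.strip()
    if len(s) != TOX_ID_LEN * 2:
        raise ValueError(f"expected {TOX_ID_LEN * 2} hex characters, got {len(s)}")
    try:
        raw = bytes.fromhex(s)
    except ValueError as exc:
        raise ValueError("Tox ID contains non-hex characters") from exc
    body, checksum = raw[:-CHECKSUM_LEN], raw[-CHECKSUM_LEN:]
    if tox_checksum(body) != checksum:
        raise ValueError("checksum mismatch: Tox ID is corrupted or mistyped")
    return ToxId(public_key=body[:PUBLIC_KEY_LEN], nospam=body[PUBLIC_KEY_LEN:])


def is_valid_tox_id(text: str) -> bool:
    """True if the string parses as a structurally valid Tox ID."""
    try:
        parse_tox_id(text)
        return True
    except ValueError:
        return False


def same_identity(id_a: str, id_b: str) -> bool:
    """Two Tox IDs that differ only in nospam belong to the same key pair.

    Useful when correlating identifiers seen across listings: a user who
    rotates nospam publishes a new-looking ID but keeps the same public key.
    """
    return parse_tox_id(id_a).public_key == parse_tox_id(id_b).public_key


# Constructed sample: fixed bytes stand in for a real Curve25519 public key.
SAMPLE_KEY = bytes(range(1, 33))
SAMPLE_ID = ToxId(public_key=SAMPLE_KEY, nospam=b"\xDE\xAD\xBE\xEF").to_hex()
ROTATED_ID = ToxId(public_key=SAMPLE_KEY, nospam=b"\x00\x00\x00\x01").to_hex()

if __name__ == "__main__":
    print("sample ID :", SAMPLE_ID)
    print("valid     :", is_valid_tox_id(SAMPLE_ID))
    # Flip one hex digit inside the key: the checksum catches the corruption.
    corrupted = SAMPLE_ID[:10] + ("0" if SAMPLE_ID[10] != "0" else "1") + SAMPLE_ID[11:]
    print("corrupted :", is_valid_tox_id(corrupted))
    print("same key  :", same_identity(SAMPLE_ID, ROTATED_ID))
```

The checksum only detects accidental corruption; it is not a signature, so a valid-looking ID says nothing about who controls the key.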

WeChat

One of the most predominant social applications in China is WeChat, also known as Weixin (微信). WeChat is often confused with its sibling microblogging site, Sina Weibo, which is also widely used across the country. Where Weibo features content for mass distribution and behaves more like a social media platform such as Twitter, WeChat is designed as a ‘semi-closed’ platform facilitating more direct 1-1 communications and smaller group conversations, which is why it has increased in popularity among Mandarin-speaking cybercriminals. Similar to Discord, WeChat offers instant messaging, voice, and video calls over the internet. Open source information detailing the technical specifications of WeChat is limited, since the platform is owned by Tencent and use of the application is restricted to users located in mainland China. The app is leveraged heavily by the Chinese government for digital surveillance of citizens’ online behavior and of users’ device data.

Both WeChat and Weibo are considered social media, so any data collected from WeChat should be targeted to those specifically linked to or referenced by darknet forum and marketplace users.


Interested in reading more content like this? Stay tuned for Part 2 where we will dive into even more Darknet adjacent platforms. Sign up to our newsletter below to be the first to know when it goes live.

Darknet Data Use Cases: Commercial

December 8, 2022

In our previous blog on darknet use cases, we focused on intelligence agencies, law enforcement, and government, and on how darknet data plays a critical role in their investigations and reporting. In this blog, DarkOwl analysts outline the top commercial darknet use cases, detail real-world examples from DarkOwl’s software-as-a-service (SaaS) darknet data platform, and describe how key data sources in the criminal underground can be leveraged to facilitate the analysis and reporting required across commercial entities’ security departments.

Event & Executive (VIP) Protection

Key corporate executives, CXOs, board members, and essential technical staff are at elevated risk of being targeted for social engineering and phishing attacks by threat actors. Some high-profile executives, political figures, and government employees require increased physical protection as threats of direct violence against them appear in darknet sources and social media.

Data from the darknet can serve as predictive telemetry of potential threats against corporate and government leadership. DarkOwl has observed threat actors leaking detailed personal profiles, termed “doxxes”, of individuals in the darknet. Social anarchist groups also utilize the darknet for coordinating attacks against key facilities and events that are contrary to their beliefs.

A dox (also doxx) is a detailed public record of someone’s identity. To ‘dox’ someone is to publish private information about that person, as a form of public shaming, often to exact revenge on the company or person for some perceived wrongdoing. The dox presents a significant security threat to the company and the individual, with detailed information such as mobile phone numbers, residential address, social media accounts, bank accounts, and familial associations publicized and subsequently targeted for phishing, fraud, and even kidnapping, extortion, or murder.

The personal information of executives and VIPs is often shared on darknet websites that specialize in the distribution of doxxes. While many of the executive doxxes observed by DarkOwl on the darknet include familiar celebrity VIPs like Mark Zuckerberg or Jack Dorsey, other lesser-known executives are also exposed as a result of some grievance experienced by the psychologically delicate cybercriminal.

Figure 1: Source DarkOwl Vision

In another example, earlier this year while Roe vs Wade was in the process of being overturned by the US Supreme Court, cyber criminals leaked detailed information about the justices to the deep web. In 2021, anti-Democratic Party hacktivists similarly leaked personal details of key cabinet members and staff from President Biden’s administration and suggested their homes and families be targeted for extreme fraud and murder.

Figure 2: Source DarkOwl Vision
Figures 3 and 4: Source DarkOwl Vision

Cyber Investigations

DarkOwl’s darknet data can significantly augment cyber-criminal investigations by providing key additive informational components – often in conjunction with other open sources like social media activity – to create a more comprehensive picture of the case itself, the criminal’s behavior, and psychological intentions, or simply fill in critical intelligence gaps and solidify evidence such that indictments and subsequent legal action may be executed.

Using DarkOwl in conjunction with other open sources and utilities, an investigator can easily identify and track a threat actor’s digital fingerprints and subsequent virtual breadcrumbs, such as social media accounts, usernames, aliases, avatars, email addresses, PGP keys, and cryptocurrency wallet identifiers.

The snapshot example below details how DarkOwl identified and tracked a Portuguese-speaking threat actor involved in mobile device malware development. The lower third of the graphic, consisting of evidence collected from the darknet and DarkOwl Vision, confirmed the suspect’s activities across various underground communities in the darknet, and a leaked IP address provided a potential physical location of João Pessoa, Brazil.

Figure 5: Source DarkOwl Analyst, July 2020

Situational Awareness: Ransomware

Russia’s late-February military invasion of Ukraine and its ongoing offensive operations were preceded by numerous opportunities for geopolitical situational awareness, and monitoring of conditions since the invasion has been aided by a surge of new Telegram channels documenting live events ‘on the ground’ and conversations between users with unique perspectives on the conflict.

Commercial organizations, including retail outlets, are targeted daily by dozens of active ransomware-as-a-service (RaaS) gangs that operate exclusively on the darknet. A ransomware incident against a commercial organization can cause serious loss of revenue and interrupt operations for weeks while incident response and remediation are carried out. Shoprite, in South Africa, experienced a ransomware attack from the Ransom House group, which subsequently leaked the usernames, IDs, and personal information of its consumers when the company failed to pay the extortion.

Figure 6: Source DarkOwl Vision

Insider Threat Risk

Many employees who are unhappy with their employers, in both corporate and government settings, rant in darknet chat rooms and forums, under the cloak of anonymity, about their working conditions, abusive bosses, or annoying coworkers. Sometimes the posts include calls for ‘darknet hackers’ to avenge them and attack the organization’s networks so they don’t have to work.

DarkOwl users can monitor the darknet for malicious mentions of their organizations that include information that is limited to employees and staff with authenticated or limited access to information, e.g. the ‘insider threat.’

DarkOwl uncovered a post on a darknet forum where a corporate employee detailed organizational issues with members of a specific team at the company and called out the management team, leaking their names and email addresses. With this information, the company can launch an internal investigation to identify the employee and mitigate the risk to the organization through supervisor and HR intervention and/or termination.

Figure 7: Source DarkOwl Vision

International ransomware threat actors also regularly solicit insiders to shorten the cyber-attack lifecycle, using employees with direct access to company IT resources instead of brute forcing network credentials or exploiting vulnerable network devices. Often the solicitation names the specific target company rather than a network appliance.

Figure 8: Source DarkOwl Vision

Brand and Reputation Risk

Corporate brand recognition, reputation, and public perception are paramount in establishing market share and sustaining fiscal certainty in uncertain economic conditions. Darknet data can be utilized to uncover derogatory mentions of a company or corporate identity, which can help mitigate risks to the organization’s long-term success.

The image below includes an announcement on Telegram by pro-Ukrainian hackers calling for a boycott of Nestle products due to the company’s continued operation in Russia and resulting economic support for the Putin-backed Kremlin.

In the days following the post on Telegram, the prominent darknet threat actor group KelvinSec compromised Nestle’s corporate network and leaked sensitive databases containing customer, transaction, and shipping data.

Figure 9: Source DarkOwl Vision
Figure 10: Source DarkOwl Analyst

Counterfeiting and Identity Theft

DarkOwl’s darknet data can provide indications of concerted efforts to sell or circulate counterfeit goods and identification documents, in addition to monitoring for potential identity theft. Passports, driver’s licenses, and military identity cards are regularly offered for sale on darknet marketplaces.

Darknet fraudsters targeting individuals for financial fraud are sophisticated enough to bypass identity verification utilities such as ID.me. Users on Telegram offered a compromised ID.me account with driver’s license and social security number for $20K USD earlier this year. Others offer “ID.me bypass” methods for sale on fraud forums and public chats.

Figure 11: Source DarkOwl Vision

Driver’s licenses are available for sale across many darknet marketplaces and Telegram groups. A vendor on the Nemesis decentralized darknet market offered USA driver’s license templates for creating fake identification cards for as little as $5.00 USD, with a guaranteed refund if the template was unsuccessful. Canadian templates are more expensive, at 300 CAD for a template covering only the province of Quebec.

Figure 12: Source DarkOwl Analyst

Large data leaks, like the GiveSendGo leak shared on DDoSecrets, include photographs and scans of US and Canadian military identification cards that could be leveraged by threat actors for identity fraud and/or unauthorized access to military installations.

Figures 13 and 14: Source DarkOwl Vision

Supply Chain Risk Mitigation

Supply chain attacks are industry-agnostic attack methods that cause damage and destruction to an organization by compromising less secure elements in the organization’s supply chain. This has been observed across many ransomware groups, who operate within the darknet, target the suppliers and vendors of major victims, and use the organizational data exfiltrated from the compromised network to carry out additional attacks on the same organization and on the vendors and suppliers connected to the victim.

DarkOwl’s darknet data platform supports continuously monitoring for and quantifying supply chain and vendor risk. Many third, fourth, and even fifth party vendors do not expeditiously inform their stakeholders of critical cyberattacks, and an early mention of the supplier on a ransomware blog site hosted on the darknet can help all organizations connected to the victim, regardless of role or capacity, establish a solid defensive posture with increased security awareness and proactive protection. Simply monitoring for mentions of an organization’s website domain over time can be an indicator of risk.

In the example graphic below, DarkOwl captured where various organizations connected to the Volvo car corporation were attacked by multiple ransomware groups over the course of a year. It is highly likely that the data exfiltrated from the attacks in 2021 was utilized in the subsequent attacks against Volvo’s subsidiaries and their suppliers.

Figure 15: Source DarkOwl Marketing, Presentation Recap Blog

DarkOwl uses machine learning to automatically, continuously, and anonymously collect, index, and rank darknet, deep web, and high-risk surface net data, allowing for simplicity in searching.

Our platform collects and stores data in near real-time, allowing darknet sites that frequently change location and availability to be queried in a safe and secure manner without having to access the darknet itself.

To learn more about darknet use cases and how to apply them to your business, contact us.

The Art of Combolist Cracking and Credential Stuffing

December 01, 2022

The Science of Credential Stuffing

DarkOwl regularly reviews topics designed to inform both corporate and personal entities of threats discussed on the darknet. In this blog, we cover credential stuffing to augment other research like “The Darknet Economy of Credential Data: Keys and Tokens” and “Zoom Accounts For Sale on the Darknet Highlight On-Going Need for Better OPSEC,” which also discuss credential data risks. We discuss the motivations and techniques behind combolist cracking and credential stuffing attacks and explore some of the recent darknet communities that rely on credential stuffing operations for their own criminal agendas.

Automation and the Credential Stuffing Attack Methodology

Credential stuffing, often shortened to simply ‘cred stuffing’, is the process of automatically testing exposed username and password combinations against website login forms for potential account takeover (ATO) or malicious exploitation. When we think of darknet threat actors we often visualize sophisticated computer users with elite programming and scripting skills, conducting cyber operations at scale across numerous monitors of black screens and scrolling green text. In reality, credential stuffing uses customized and readily available scripts to automatically test thousands (if not millions) of credential combinations against web applications.

In software development lingo, and even in some corners of the darknet, this process is technically described as a form of “fuzzing” or ‘black-box’ testing of a website or web server application. Many of these scripts and utilities circulate for free across darknet communities, with tutorials and instructions, and are available to the novice cybercriminal interested in entering the ‘cred stuffing’ market with little knowledge of scripting or hacking.

Wordlists & Wordlist Generators

Wordlists and compromised lists of email address and password combinations are the foundation for credential stuffing operations. Many multi-million record data leaks in circulation on the darknet like Collection #1-5, RockYou, and the Compilation of Many Breaches (COMB) make potential username/password combinations easily discoverable and exploitable at scale. Such leaks are utilized as input for credential stuffing scripts and applications. Wordlists are also in regular circulation amongst darknet threat actors, and some are already integrated into Linux distributions favored by pen-testers and hackers alike.

Figure 1: Wordlist Github Repository Popular with Offensive Security Specialists, Source: https://github.com/kkrypt0nn/wordlists

There are numerous Wordlist generator utilities one could use to automate the creation of random strings of a specified length of alphanumeric characters, symbols, and common dictionary words. DarkOwl analysts have observed mentions of CeWL and Pydictor on forums popular with Chinese threat actors and others like BEWGor (yes, pronounced “booger”), Crunch, and the Common User Passwords Profiler (CUPP) across other deep web communities.

Figure 2: Source DarkOwl Vision

Another user on Telegram enthusiastically referred other channel members to a repository containing Bopscrk, advertised as a “smart and powerful” wordlist generator that combines wordlist data with personal information about the targeted account, such as date of birth and favorite musical artists, to generate customized permutations of passwords with a higher probability of success.

Figure 3: Source DarkOwl Vision
Figure 4: Source Redacted

Links to wordlist text files and wordlist generators are shared across darknet forums and chatrooms that facilitate ATO, and many of them are hosted on Github. At the time of writing, there are over 5,000 repositories containing wordlists on Github alone. Dictionary lists in English are the most common, but other languages are also available.

Figure 5: Summary of Wordlists Available on Github, Source: https://www.github.com

Scalable exploitation of stolen or compromised data will persist and we anticipate the development of more sophisticated automation utilities and maintenance of existing lists to continue. Since offensive security specialists will also continue to develop and utilize wordlists for their network vulnerability assessment activities, cybercriminals will leverage these where available. Anything that is readily in use for offensive security purposes will also be exploited for malicious gain.

Credential Validation Applications & Proxy Lists

Once a threat actor has several wordlists in their arsenal, they will utilize credential stuffing utilities and botnets to test various username and password combinations (called ‘combos’) against web applications and websites. Often cybercriminals reuse web application testing programs like OpenBullet or SentryMBA that were originally designed for legitimate testing but are now coveted and circulated by cybercriminals for optimizing crime. Older programs like Vertex and Apex work similarly to Sentry but struggle to authenticate against websites secured with SSL/TLS or HTTPS.

Figure 6: Screenshot of SentryMBA Application

Credential stuffing programs are traded hand-in-hand with proxy lists in order to conduct operations that resemble organic network traffic and obscure the fact that all the account logins originate from the same IP address. Programs such as AzLiquidGold, SlayerLeecher, BlackBullet, STORM and Snipr were designed by hackers purely as proxy-enabled scrapers and “combo-checkers.” Residential proxies are available for purchase for under $5 USD on most darknet forums and marketplaces.

Figure 7: Source Darknet Forum Tor Browser
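As an added defender-side illustration (not code from the original post or from DarkOwl), the heuristic below flags both patterns described above in web login logs: one source cycling through many usernames, and a proxy-distributed run where each IP makes only one or two failed attempts. The log format, IP addresses and usernames are constructed for this example.

```python
"""Heuristic credential-stuffing detection over web login logs.

Added example (not DarkOwl's code). Log format, IPs and usernames are
constructed; the two heuristics mirror the patterns described in the text:
a single source cycling through many usernames, and a proxy-distributed
run where every IP stays low-volume.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical one-line-per-attempt format: "<ISO ts> ip=<ip> user=<user> result=OK|FAIL"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"ip=(?P<ip>[\d.]+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)
EPOCH = datetime(1970, 1, 1)


def parse_line(line):
    """Return one attempt as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "ip": m["ip"],
        "user": m["user"].lower(),
        "ok": m["result"] == "OK",
    }


def bucket(ts, window):
    """Align a naive UTC timestamp to the start of its tumbling window."""
    secs = int((ts - EPOCH).total_seconds())
    w = int(window.total_seconds())
    return EPOCH + timedelta(seconds=secs - secs % w)


def detect_stuffing(lines, window=timedelta(minutes=5), min_users_per_ip=5,
                    min_fail_ratio=0.8, min_ips=10, max_attempts_per_ip=2):
    """Return (single_source, distributed) findings per window.

    single_source: one IP tried >= min_users_per_ip distinct usernames and
                   >= min_fail_ratio of its attempts failed (combo-checker).
    distributed:   >= min_ips IPs, each with <= max_attempts_per_ip failures,
                   together failed against >= min_ips distinct usernames
                   (the same checker behind a residential proxy list).
    """
    per_ip = defaultdict(lambda: {"users": set(), "fails": 0, "total": 0})
    per_window = defaultdict(lambda: {"ips": defaultdict(int), "users": set()})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip unparseable lines rather than abort the run
        b = bucket(ev["ts"], window)
        src = per_ip[(b, ev["ip"])]
        src["users"].add(ev["user"])
        src["total"] += 1
        if not ev["ok"]:
            src["fails"] += 1
            per_window[b]["ips"][ev["ip"]] += 1
            per_window[b]["users"].add(ev["user"])

    single_source = []
    for (b, ip), s in per_ip.items():
        ratio = s["fails"] / s["total"]
        if len(s["users"]) >= min_users_per_ip and ratio >= min_fail_ratio:
            single_source.append({"window": b, "ip": ip,
                                  "users": len(s["users"]),
                                  "fail_ratio": round(ratio, 2)})

    distributed = []
    for b, wv in per_window.items():
        low_volume = [ip for ip, n in wv["ips"].items() if n <= max_attempts_per_ip]
        if len(low_volume) >= min_ips and len(wv["users"]) >= min_ips:
            distributed.append({"window": b, "ips": len(low_volume),
                                "users": len(wv["users"])})
    return single_source, distributed


# Constructed sample log (TEST-NET addresses, example.com users).
SAMPLE_LOG = (
    ["2022-12-01T10:00:01Z ip=198.51.100.7 user=alice@example.com result=OK"]
    # one IP cycling through a combolist, with one "hit"
    + [f"2022-12-01T10:00:{i:02d}Z ip=203.0.113.5 user=user{i}@example.com result=FAIL"
       for i in range(2, 7)]
    + ["2022-12-01T10:00:08Z ip=203.0.113.5 user=bob@example.com result=OK"]
    # ten minutes later: ten proxy IPs, one failed attempt each, ten usernames
    + [f"2022-12-01T10:11:{i:02d}Z ip=198.51.100.{10 + i} user=acct{i}@example.com result=FAIL"
       for i in range(10)]
    + ["this line is malformed and must be skipped"]
)

if __name__ == "__main__":
    single, dist = detect_stuffing(SAMPLE_LOG)
    for f in single:
        print("single-source stuffing:", f)
    for f in dist:
        print("distributed stuffing:", f)
```

The successful login from the combo-checking IP is the account takeover the text describes; the finding's window and IP are what an analyst would pivot on for forced password resets and session revocation.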

Credential Stuffing and the Darknet Data Community

There are numerous deep web and darknet forums and Telegram channels that support the credential stuffing economy of the darknet. Users in the darknet often refer to those in the business of validating and circulating username/password combinations through credential stuffing as “crackers.” Actors share validated credential data on darknet forums and describe them as “freshly cracked” on markets and Telegram groups. Other accounts on offer are described as “logs,” which can be confusing when the vernacular is mixed with malware-based information “stealer log” offers. In the credential stuffing and cracker community, however, “logs” is short for “logins.”

Figure 8: Source Cracking Forum via Tor Browser

Accounts are further advertised as high quality (HQ) or ultra-high quality (UHQ), with or without two-factor authentication (2FA), or described as full access (fa), indicating that additional personally identifiable information (PII) is available to maintain persistent access to the online account. Accounts for popular online commercial applications, email providers, and streaming services are compiled and sold in bulk for a higher price. Some accounts sell for as little as $1.50 USD per account, and combos in higher volumes, e.g. 100,000 accounts for Hotmail or Outlook for 100 Euros.

Figure 9: Source DarkOwl Vision
Figure 10: Source DarkOwl Vision

Higher volume databases of cracked accounts also appear on forums as “combolists” that are traded and sold for further exploitation. Some combolists are advertised by web platform or geographic region, while others are simply described as “mixed combos.” DarkOwl has observed several advertisements containing millions of verified account credentials in a single file.

But I Have Multi-Factor Authentication…

Defensive security measures like multi-factor authentication (MFA) provide some degree of protection against account takeover using a compromised username/password combination. Unfortunately, one cannot assume MFA is 100% effective at protecting the victim account from an ambitious cybercriminal. Many individuals disregard exposure in a combolist when such security measures are in place and will not even bother to update the account with a new, more complex password. The flaw in this logic is that once a combo has been verified, especially for a target with a high probability of financial or information return, such as blackmail or extortion, a cybercriminal will willingly purchase the combo with more malicious intent. Using an exposed combo for a personal email account like Yahoo facilitates additional targeted phishing or social engineering on social media or other platforms to obtain the additional PII needed to bypass MFA, e.g. security question answers, seed phrases, mobile phone numbers, and digital identity authenticator tokens.

Other leaks of personal data, such as LinkedIn profiles and telecommunications and mobile phone providers’ databases, provide the foundation for conducting a targeted attack against a victim, especially for websites with basic SMS-based One Time Password (OTP) protection. Tools that support OTP-bypass attacks, like Burp Suite, are also readily available and installed in Kali Linux. When MFA bypassing for more sophisticated applications is required, as is the case with corporate network accounts, the cybercriminal might utilize SIM swapping, also known as SIM jacking or port-out scamming.

While simple commercial combolists and verified accounts appear for free or relatively cheaply in darknet marketplaces, accounts with potentially higher financial return, like validated accounts from banking or financial institutions and cryptocurrency wallets, trade at significantly higher prices. One user on Telegram advertises individual Coinbase accounts for sale at $60-100 USD depending on the value of the wallets. Even cold wallets have been successfully compromised using the sophisticated social engineering methods that cyber fraud criminals pride themselves on.

Figure 12: Source Telegram, Channel Redacted

In Conclusion

While credential stuffing as a technique is not new, the new tools and tactics that are emerging are increasingly sophisticated. As ransomware attacks have become more frequent in recent years and continue to be on the rise, the availability of leaked credential and user data has as well. This ultimately makes credential stuffing even more efficient as a means of brute forcing account takeovers, as there is more data for hackers to cross reference and attempt to use to gain access.


Get in touch to learn how DarkOwl can help.

Understanding the Difference Between the Surface Web, Deep Web, and Darknet

November 29, 2022

The internet, social media, and mobile devices are the fundamental requirements for conducting business and engaging in society. Whether checking email, catching up on industry news, or accessing customer information, most of us use the internet (and the deep web) throughout the day, every day, in a variety of capacities. But do we understand how it works, technically, even at a basic level? Do we understand the differences between the internet and the deep web, or what it means to go even darker into decentralized anonymous networks like the darknet?

Below is a breakdown of the various layers of the internet, from “regular” search engine-compatible websites to complex hidden networks.

The Internet

The term internet is short for internetwork, which is a system created by connecting any number of computer networks together. An internet allows for communication between devices that are a part of that internetwork.

The internet is the most well-known example of an internetwork. This is the internet that we find indispensable to our daily lives, and it links billions of devices across the world through a network of networks using standardized procedures, or protocols. The traditional client-server architecture and the HTTP protocol are the backbone of the internet and are used extensively in websites and mobile applications.

Browsing websites on the web is not the only way in which information is shared via the internet. Email, instant messaging, and file transfer protocol (FTP) are other ways to share information like emails, messages, and files.

To clarify, the web is not synonymous with the internet and should not be confused with it. The “world wide web” is simply a way of accessing websites over the medium of the internet.

The Surface Web

The websites we browse each day make up only a small percentage of the internet.

These sites, collectively known as the surface web (or “clearnet”), are visible and accessible to common search engines such as Google and Yahoo. YouTube videos, blogs, and Instagram are all examples of surface web content most people interact with every day. While estimates vary, many experts agree that the surface web comprises roughly 4% of all online content. For more reading on how search engines crawl and index web content, there are several articles that describe systems like Google in detail.

High Risk Surface Web

The high risk surface web consists of areas of the surface web that have a high likelihood of hosting criminal or illicit content. Many users of the high risk surface web also maintain access to other, darker networks and communities. This includes some “chan”-type imageboards, transient paste sites, and other select non-authenticated forums that mirror dark web sites under surface web top level domains (TLDs).

While .com domains are the most common website domain, DarkOwl regularly tracks various TLDs that are popular with criminals. Our analysts have observed an increase in .top, .ru, and .cc TLDs. Many high risk surface websites popular with Chinese threat actors end in the TLD .cn.

Below the Surface

Beyond the surface web, an estimated 96% of online publicly accessible content is hosted in the deep web and the darknet.

The Deep Web

The deep web consists of website content that cannot be found or directly accessed via surface web search engines such as Google and DuckDuckGo. Examples of deep web sites include websites that require authentication credentials, such as a registered email address and password, unlinked sites that require the direct URL to access, sites that are purposefully designed to keep search crawlers out, and databases. The majority of content resides in the deep web.

Deep web databases commonly have their own search functionality which allows users to access the data contained within them. Government databases, patient medical records, and library catalogs are just a few examples of deep web databases. While these databases do not always require login credentials, many of them do.

Banking website portals for accessing account holder data and credit card statements are technically in the deep web because most banking websites will not allow access to their sensitive servers without authorization. Most social media is technically deep web content.

A specific example is the Denver Property Taxation and Assessment System website which allows users to search property assessment and tax data by entering a Denver-based address into the system. However, if you enter this same Denver-based address into a Google search (and even include terms such as ‘property assessment’ or ‘tax data’), you will not find any documents or URL results from the Denver Property Taxation and Assessment System website. This database and its search functionality are one example of a deep web database that is hidden from surface web search engines and technically resides in the deep web.

The Darknet and The Dark Web

Beyond the deep web is the darknet.

The darknet is any anonymous network, built on top of the internet, that is purposefully hidden, meaning it has been designed specifically for anonymity. Unlike the deep web, the darknet is only accessible with specialized tools and software – browsers and other protocols beyond direct links or credentials. You cannot technically directly access the darknet by simply typing a darknet address into your web browser, even though browsers like Brave offer private tabs with Tor for enhanced privacy.

Most people associate the darknet with Tor, but Tor is one of many darknets available. Let’s explore some of these darknets in more detail:

  • Tor, or The Onion Router, is an overlay network composed of volunteer-operated servers that help route internet client-server traffic to provide obfuscation to users accessing the network. Theoretically, Tor is like a virtual private network (VPN), but with a VPN the servers are centralized to the VPN provider. With Tor, users connect through a series of virtual tunnels rather than making a direct connection between a client and server. The client IP address is unknown to the requested website server, and the IP address of the server is only known to the exit node, not the originating client.
  • I2P, or the Invisible Internet Project, is an anonymous overlay network, using the distributed peer-to-peer (p2p) model, intended to protect communication from surveillance and monitoring. It was designed as a self-contained internet and behaves much like an ‘internet’ inside the internet. The I2P router relies heavily on Java, but i2pd is built in C++ for those averse to Java. I2P routing is described as “garlic routing” where Tor is “onion routing.” It originated in 2003 as a ‘fork’ of Freenet.
  • ZeroNet is another example of a decentralized peer-to-peer network built on the Blockchain that functions as a darknet. Zeronet relies on BitTorrent network trackers to resolve network handshaking between peers. Instead of IP addresses in the network, nodes are assigned their own public key, more specifically a Namecoin (Bitcoin) cryptography address. The entry IP address of the network user is not technically private, and Zeronet developers offer bundling Zeronet with Tor for additional anonymity.
  • Freenet is a distributed, peer-to-peer anonymous network which allows users to anonymously share files, browse and publish “freesites” (web sites accessible only through Freenet), and chat on forums. It is a distributed ‘data store’ allowing content to remain available on the network even after the originator or publisher has left it. Communications by Freenet nodes are encrypted and routed through other nodes to make it extremely difficult to determine who is requesting the information and what its content is. The distributed data store nature of the Freenet environment is ideal for microblogging and media sharing, but also puts users of the network at risk of unknowingly hosting illicit or CSAM content, as encrypted fragments of media are stored on the hard drive of every user in the network.
  • Lokinet is another example of an overlay decentralized network built on the Blockchain that serves as a darknet providing enhanced anonymity and privacy. Lokinet relies on a multi-hop low-latency onion routing protocol (LLARP) for routing traffic but is not limited to TCP traffic for serving HTTP requests. Since Lokinet sits in the network layer, it can handle any IP-based protocol, such as UDP and ICMP, making it a highly secure option for web-based video and voice conferencing applications. The Loki network is developed atop the Oxen Blockchain, which also hosts the end-to-end encrypted chat application Session.
  • Yggdrasil is a fully encrypted IPv6 overlay mesh network where each node in the network is assigned a cryptographic public key (like Zeronet) and routing is highly adaptable, using spanning trees for synchronization. Keys are assigned in alignment with the most optimized routes between all network participants. Yggdrasil nodes serve as routers, and paths are built automatically without any data store or shared address book of the network. Yggdrasil is still considered ‘proof of concept’ and is designed as a more scalable version of CJDNS.

Navigating these networks can be frustrating and challenging for any OSINT/Darknet investigator and the public often incorrectly uses the terminology associated with these different layers of the internet. Any website that hosts or serves illicit content whether it is in the surface web, deep web, or darknet is technically a segment of the “dark web.” Dark web and darknet are often used interchangeably by us and other information security researchers.

Join us next time when we explore more darknets and darknet adjacent chat platforms like Telegram and Discord. Get on the list so you don’t miss it!


The darknet is a thriving ecosystem within the global internet infrastructure that many organizations struggle to incorporate into security posture, but is becoming an increasingly vital component. Contact us to learn how we can help.

Copyright © 2024 DarkOwl, LLC All rights reserved.
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.