Darknet Marketplace Snapshot Series: OMG!OMG! Market

November 22, 2022

In DarkOwl’s Darknet Marketplace Snapshot blog series, our researchers provide short-form insight into a variety of darknet marketplaces: looking for trends, exploring new marketplaces, examining admin and vendor activities, and offering a host of insights into this transient and often criminal corner of the internet. This edition features OMG!OMG! market.


OMG!OMG! Market: An Intro

OMG!OMG! market is a large Russian-based decentralized darknet marketplace that this year has been elevated to a ‘Premium Darknet Drug Market’ following Hydra’s seizure in April of 2022. Recently, DarkOwl has observed the market being mentioned more frequently in drug-trade related discussions and advertisements on Russian forums. Many of the vendors on OMG!OMG! were active for years on Hydra, once again showing that when a marketplace is seized, the illicit trade shifts elsewhere and continues.

To access the marketplace on the Tor network and view vendors’ offerings, market visitors must solve a number- and text-based captcha.

Figure 1 OMG!OMG! Marketplace Landing Page (pre-authentication) Source: Tor Anonymous Browser

The landing page for the marketplace lists the daily exchange rates for Bitcoin and offers the site in both English and Russian. Users can also change the language of the site by clicking on the corresponding flag icons. The look and feel of OMG!OMG! market is very similar to Hydra, with the market’s logo on the top left, search bar in the center, and image-linked vendor shops arranged in a table on the main page. 

Figure 2 OMG!OMG! Marketplace Landing Page Source: Tor Anonymous Browser

Unique Characteristics of OMG!OMG! Marketplace

OMG!OMG! market shares characteristics that many other darknet marketplaces have; however, there are additional unique qualities that make this marketplace stand out. 

Like most other marketplaces, Bitcoin is the only currency accepted and an escrow payment system is used. Users must have an account and money deposited in their Bitcoin wallets on the market to contact the administrators. The site claims it updates the conversion rate between Bitcoin and Rubles every 15 minutes. The marketplace does not list the number of vendors or sellers; however, DarkOwl analysts noted that there are over 3,400 vendors advertising on the marketplace, although not all of those shops may be active. Like some other darknet marketplaces, OMG!OMG! market has a forum connected to the market. However, this part of the site gives the translated error message: “This section is under reconstruction.”

For security and anonymity purposes, the marketplace encourages all users to add a PGP key to their account and to enable two-factor authentication.

Each vendor selling within the marketplace displays the number of deals they have completed. Some vendors also have a blue checkmark next to their shop name, indicating that they have been verified by the market’s administration. A selectable heart button is accessible in each vendor shop so that customers may “favorite” certain products.

What really sets OMG!OMG! marketplace apart is its unique ordering and delivery mechanisms. Once a user places an order, the delivery is primarily determined by location. A user is prompted to select their location immediately upon accessing the site’s landing page, which is odd for a darknet market that is designed to promote anonymity. This location data gives products and vendors in the same location as the customer the option of “instant transactions.” After a customer sets their location in the marketplace, they can use the search bar to look for products that can be delivered to them by sellers nearby.

After customers pay, the vendors, or potentially their hired couriers, physically hide the purchase as a dead drop (referred to by vendors as “treasure”) somewhere around the customer’s geographic location. Finally, the customer receives coordinates and photographs to find and collect their purchase.

Figure 3 Regional Vendor Mapping from OMG!OMG! Market Source: Tor Anonymous Browser

There are three order options: instant, pre-order, and mail. An instant order, as described above, can be collected by the customer around their location right after they pay online. For a pre-order, the customer waits for confirmation from the seller that the item has been placed at a specified drop location. This takes more time but is customized and more secure than instant. Mail orders need to be confirmed by the seller and are shipped by the seller via post or courier.

Figure 4 Regional Delivery Selection OMG!OMG! Market Source: Tor Anonymous Browser

There are also three different ways that instant delivery packages are hidden to avoid possible interception or theft. DarkOwl extracted the excerpt below from OMG!OMG!’s FAQ page; the original content was in Russian.

Editor’s note: We determined that “bookmark,” as translated by Google Translate, means “delivery.”


[TRANSLATED IMAGE]
“There are 3 types of bookmarks – prikop, cache, magnet.
Prikop – the packed goods will be buried shallowly in the ground (possibly in the snow in winter). This type of bookmark provides sufficient reliability from the discovery of a treasure by an outsider, but it happens that it can be difficult to find such a treasure yourself. 
 
Cache – a packaged item is disguised as a third-party item and left in a secluded place or just on the street. Such treasures are often quite easy to remove, the reliability of detection by strangers can be different and depends on the masking. 
 
Magnet – the packaged product is attached to a metal surface in a place inaccessible to a direct view. Usually such treasures are very easy to shoot, but there are not very many reliable places for them.”

OMG!OMG! marketplace’s instant delivery features are built for customers residing in Russia, but vendors also deliver internationally, such as to the United States and Europe. The marketplace advertises that it supports customers in, and recruits dealers from, the nearby Commonwealth of Independent States (CIS) countries:

“We invite dealers from Kazakhstan and Belarus – we have a significant increase in customers from these countries.”

OMG!OMG! Market: The Products

Drugs are by far the most common good offered for sale on OMG!OMG! market. The categories of drugs advertised include: cannabinoids, stimulants, euphoretics, psychedelics, dissociatives, opioids, and pharmaceuticals.

In addition to drugs, other common illicit goods, such as fraudulent documents (e.g., university diplomas, Russian passports, residence permits, driver’s licenses, letters from the Ministry of Internal Affairs, etc.), are available on the market. There do not appear to be products such as weapons, or listings that are human-related. The “rules” portion of the market explains that shops involving human trafficking or “renting” are not allowed on the site.

DarkOwl analysts observed digital goods like bank accounts, Qiwi wallets, and SIMs for sale in addition to source code and software, such as Telegram bots.

Figure 5: A fraudulent university diploma listing from OMG!OMG! Source: Tor Anonymous Browser
[TRANSLATED IMAGE]
“Diplomas and certificates original workmanship, all degrees of protection. Data for the layout: 
1. Name 
2. Date of birth and place of birth 
3. Last place of study (what and in what year was completed, before “entering” a university, technical school, college or vocational school) 
4. Full name of the educational institution (which needs to be made) 
5. Specialty 
6. Years of study 
7. Form of study
8. Approximate estimates (possible as a percentage) 
9. Degree for universities (specialist, master or bachelor) 
10. Full name, address, and phone number of the recipient (Required, this information is needed for the courier service to make delivery) 
11. If there are any samples, then attach them too.
Strictly on the points on the layout, check all the points carefully. After its coordination and approval, the document goes into production, where it will be impossible to correct errors! Manufactured and shipped within 3 working days 
 
More than 5 years on the market! Over 150,000 trades on Hydra.”

The translated advertisement above includes the volume of trades the seller had on Hydra market to establish reputation on OMG!OMG!. The OMG!OMG! market administrator added a light blue banner by the seller’s name to indicate the number of deals completed on OMG!OMG! for additional credibility. In this case, the vendor DARKOTIK has amassed several thousand transactions (3,480 total). Many of the drug listings offer detailed information about the products.

Some include direct quotes of buyers’ experiences:

[TRANSLATED IMAGE]
Ecstasy users describe their internal state usually as euphoria, intimacy and closeness to other people – “all people are my friends”; a feeling of “flying, endless happiness, high sensitivity.”

Users who purchase products can provide feedback ratings on quality, delivery, and service on a scale from 1 to 5 to further establish vendor credibility. The veracity of the information posted is unclear and could easily be falsified.

Figure 6: Diamond product review on OMG!OMG! Market Source: Tor Anonymous Browser

Some vendors with drug listings have an additional information button next to the product listing. Following this link provides in-depth information for estimated dosage, preparation methods, and description and duration of the product’s effects.

Another category not common on other decentralized darknet marketplaces is job opportunities. This section includes options to apply for supporting roles in commercialized drug distribution, such as: Pawnbroker, Stock, Carrier, Manager, Chemist, and Grower.

Figure 7: Work opportunity listings on OMG!OMG! Market Source: Tor Anonymous Browser

Below is a translated description for a job listing advertised on OMG!OMG! market:

[TRANSLATED IMAGE]
“We are glad to welcome you to “Black Star Mafia”, the fastest growing shop on the site! Due to recent events, many of us have lost our jobs and, consequently, our means of subsistence.
Experience is not required; we teach from A to Z all the subtleties of conducting shadow activities for your successful and safe development. A manager is assigned to you, someone who will guide you by the hand to the result throughout the entire journey, and will help you at a difficult moment to lighten your burden, reduce all the difficulties are gone.
 
For communication, write to us in the PM of the store, we answer around the clock!”

These work advertisements likely exist to keep up with the marketplace’s premise that it will deliver directly to customers located in Moscow.

OMG!OMG! Market: Across the Darknet

OMG!OMG! has been advertised extensively on other popular Russian darknet forums and markets, like Rutor. Many of the vendors active on the marketplace transact across multiple darknet markets including Alphabay, Nemesis, and Narnia.

Figure 8: OMG!OMG! Market on Rutor Source: DarkOwl Vision

DarkOwl has not identified any functional mirrors of the site. The site itself claims that “any other sites, projects, mirrors, etc. have nothing to do with us and are scammers.” Some of the vendors present on OMG!OMG! marketplace have built out their professional operations across the darknet.

One vendor, known as Black Star Mafia, appears to have been involved in drug sales on the darknet for years. They have also been mentioned on Wayaway. A post crawled by DarkOwl Vision in 2018 identified Black Star Mafia in a forum advertising amphetamines in a discussion thread also mentioning coordinates, similar to how instant transactions work on OMG!OMG!

Another post, crawled by Vision in 2019 from an onion site, also identifies Black Star Mafia as a drug dealer and promotes the professionalism and experience of their hoarders. In this instance they are responding to a dispute over a product order and are outlining the requirements necessary for filing the dispute.

The administration of OMG!OMG! market moderates and intervenes when there is a dispute between vendors and customers. The rules section of the site states that the names of Administration accounts are highlighted in red.

The use of PGP keys and 2FA mentioned earlier may at some point have caused difficulties for the vendors. Posts crawled by DarkOwl Vision detail vendors having issues with enrollment, with having funds correctly credited to accounts, and with 2FA. A string of posts in a discussion thread sees multiple vendors on OMG!OMG! market describing issues they are having on the market, with some of them calling on “WD” to intervene. After multiple vendors discussed issues they were having with 2FA and enrollment on OMG!OMG!, one commenter wrote:

“WD Don’t you think it’s a scam project and nothing more? Solve the issue in coordination with this site. How many people will suffer before you make the right decision?”

There was also some doubt cast on whether the admin of OMG!OMG! still had control over their account and access to the PGP key. Someone repeatedly brought up issues with 2FA, and the market admin responded that it was temporarily out of order and would be fixed soon. After the issues were not resolved, vendors questioned whether the admin still had access to their accounts. A self-identifying OMG!OMG! admin responded that they were still in control of their PGP key, promised to update the canary within 60 days, and provided the latest Bitcoin hash. Later, another user in the thread pointed out that the admin was very behind on their promised updates:

“With this message, the site admin confirms that everything is fine with him, he did not fuck up his PGP key, and undertakes to update this message within 60 days. Only the date in the message 2021-07-13 is July 13, 2021, that is, this message was left 9 months ago, and already overdue by 7 months.
Either the admin is no longer an admin, or he blew the key, or simply forgot – in any case, these are serious arguments against the site – and in my opinion an official comment is necessary.
Are you pretending not to notice again?”

While researching and writing this piece, DarkOwl analysts observed multiple days where the site was unavailable, which is likely a continuation of the general trend of widespread DDoS attacks against the Tor network. With Hydra out of the way, OMG!OMG! market could be poised for success or targeted for law enforcement intervention. Some of Hydra’s previous vendors appear to have made the migration to OMG!OMG!. However, the more successful a darknet marketplace grows, the larger a target it becomes for law enforcement efforts.

Additionally, prolonged issues with market access, vendors’ ability to access accounts, and discrepancies in money transferred and credited to accounts could all limit the use and retention of the marketplace by vendors and customers alike.



[Webinar Transcription] What Role Does Darknet Data Play in API Security?

November 10, 2022


Mark Turnage, CEO and Co-Founder of DarkOwl, and Anusha Iyer, CTO and Co-Founder of Corsha, discuss how API security professionals can benefit from darknet data in forming a more comprehensive understanding of malicious threat actor (TA) tactics, techniques, and procedures (TTPs) and in providing effective, detailed security recommendations, remediations, and product solutions. API security related topics, like “API hacking”, “stolen API tokens”, and “API MITM attacks”, are regularly discussed in detail in darknet forums; tokens are sold and traded in underground digital marketplaces; and API exploitation code is shared amongst threat actors.

For those that would rather read the presentation, we have transcribed it below.

NOTE: Some content has been edited for length and clarity.


Kathy: Hi, everybody. Thank you for joining today’s webinar. 

Before we begin, I want to take a moment and introduce our speakers. Anusha Iyer, President, CTO, and Co-Founder of Corsha, and Mark Turnage, CEO and Co-Founder of DarkOwl, both of whom have many years of experience working in the cybersecurity industry. Anusha is a Carnegie Mellon alum. She started in the Washington, DC area at the Naval Research Lab. At NRL her focus was on reverse engineering and tactical edge networking. She started Corsha with a friend a few years ago and is passionate about helping organizations get API security right, and making security accessible, easy to adopt, and even self-assuring. Mark is a graduate of Yale Law School, Oxford University, and the University of Colorado, Boulder. He serves on numerous corporate and nonprofit boards, and is a private investor in technology, software, and manufacturing startup companies. He is also a senior advisor to the Colorado Impact Fund and a technology advisor to the Blackstone Entrepreneurs Network. And now I’d like to turn it over to Anusha to begin our webinar.  

Anusha: Thank you Kathy and thanks to everyone for joining. We have an exciting agenda today. We’re going to look at API security and specifically API credentials and what an API security related incident looks like. We’ll tell you a little bit about Corsha as well as DarkOwl. We’ll go into why API security is so critical, some mechanisms to combat some of the threats and the attacks that we’re seeing, how the darknet can provide insights on this problem. Then [I’ll] turn it over to Mark to talk about DarkOwl and what is the darknet, how DarkOwl can deliver darknet data and give you more insights and analytics into where information is showing up on the darknet. And particularly with respect to APIs, what are threat actors saying about APIs on the darknet? And then we look forward to your questions and final thoughts.

DarkOwl and Corsha actually met a few months ago at Black Hat and had an interesting conversation around the proliferation of API credentials and how they are increasingly being used to gain unauthorized access to systems and services.

Increasingly we are seeing these types of data showing up on the dark web and being leveraged to execute breaches against organizations, like Toyota. Recently Toyota was notified of a breach where they had an API access key for the T-Connect system. That’s part of their connectivity app to give things like wireless access and so forth to vehicles, and apparently, they had inadvertently checked in a hard-coded API secret into a repo about five years ago. It’s been available for five years in a public repo. And then they just released that over 2,900 records were exposed since then, giving access to customer names, customer information, and so forth. This is one example of what the threat landscape looks like and what the implication can be of API credentials getting into the wrong hands.

Similarly, recently FTX and 3Commas revealed that an API exploit was used to actually make illegitimate transactions, to FTX transactions. And this was done using API keys that were obtained from essentially users and phishing attacks actually accessing other systems. Right, so 3Commas, the platform came out and said that the API keys were obtained from outside of the platform, but certainly still pose the risk of being able to then be used off-environment, unauthorized, to then make financial transactions. These trades were basically from keys that were gained from phishing and browser information stealers. 

Kathy: We’ve had a question come in on these first couple of slides. Someone would like to know, is the fact that APIs are being targeted – is that a relatively new phenomenon?

Anusha: That’s a great question. It is an increasingly leveraged phenomenon. I wouldn’t say that it is new necessarily, but it is increasingly leveraged. Because APIs tend to be an underserved element with respect to cybersecurity postures of most enterprises. Increasingly organizations are relying on APIs. As they look towards digitally transforming application ecosystems into microservices, APIs end up forming the backbone of communication and application ecosystems. And further, more and more organizations are moving towards cloud, moving towards ephemeral scale, and that just creates a proliferation of environments where these credentials are potentially obtainable. 

Mark: And that’s echoed by what we’re seeing in the darknet where discussions around API exploits, API keys, stealing API keys, and selling them is a relatively new phenomenon in the darknet over the last couple of years. We’re seeing the same thing from the criminals’ perspective that Anusha is observing in real life.  

Anusha: Absolutely. I would come at it from the perspective that we see the movement of organizations using more APIs, but you’re absolutely right from an exploit perspective. It is fairly new. And it makes a lot of sense, they tend to be large types of information. With the automation it’s easy to lose track of what’s legitimate and what’s not. Great question.  

Another one, this one was actually a 2018 leak where it was the USPS API endpoint. And in this instance, it was more of an authorization vulnerability where if someone has a USPS account they could actually change search parameters and do a much more expansive search and essentially get records for an entire data set without being limited to exactly what they should be seeing. It’s both on the authentication side but also on the authorization side in terms of how these credentials are provisioned, leveraged, and so forth.  

With that, let me hop into Corsha and tell you about our story and why we’re going after this problem space. Both myself and my co-founder come out of the DoD intelligence world. We’re focused on: how do we stop these breaches? How do we prevent unauthorized access to sensitive systems and services? And [we] decided to start Corsha at the intersection of machine identity and API security. A lot of our early customers are out of the Department of Defense and we are working closely with Gartner to define this category and to define the space, if you will. What we’re finding increasingly is that API authentication, authorization, and security in general substantially lags behind all of the resources, effort, and human capital put into human identity and access management. Now we need to think of these machines as entities, and as the same first-class type citizens as humans, because they are accessing systems and services at a far greater rate and at a far greater impact even than just humans logging into accounts. So we started Corsha and we’re very focused on how we can help with this API credential and API identity problem. I’m probably telling a lot of folks that are online something that they already know, which is that today API secrets are just glorified system passwords. They are largely static, often shared, rarely rotated, and don’t have a lot of good hygiene around them. They get leaked, sprayed, and sprawled across tons of environments. Mark, I’m sure you’re probably seeing this on the other end in terms of where they’re coming from, whether it’s CI/CD pipelines, whether it’s things like logs, deployment or cloud platforms, or even team collaboration sites. We already saw an instance with Toyota of GitHub. But I would venture to say that most organizations, just for the ease of sharing, probably inadvertently have leaked API keys, even internally, across systems.
Because today the model of authentication is largely static, they’re ripe targets for adversaries.  

Kathy: A question based off this slide: can’t secret managers like Vault or KeePass prevent these attacks from happening?  

Anusha: It’s a great question. To some degree. They provide a secure mechanism to store the keys internally. But, oftentimes these APIs live in hybrid environments even in the control of hybrid parties. You may have an API that you expose to a partner, a vendor, or a customer. You would then have to rely on them properly leveraging a vault or a password manager or maintaining good hygiene around secrets to access your systems and services. So that’s part of the challenge here, is that vaults and password managers tend to be very environment or entity-controlled specific. 

Because we’re using these static, essentially bearer model credentials, for authentication and even authorization, they are almost acting as proxies for machine identity. And the challenge is that they’re not very strong proxies because they are static and they’re difficult to maintain hygiene around. Whether it’s a key, or a token – like an OAuth token, a JSON web token, or even a PKI certificate – because they essentially prescribe that bearer model of authentication where “as long as I hold it, I can leverage it, it doesn’t matter where I’m coming from,” they turn into ripe targets for adversaries. I’ll stop here and say that when we talk about a machine, what are we really talking about? In our terminology we like to think of it from the zero-trust approach to it where it’s a non-person entity. Anything where you’re trying to access a system or service and there isn’t a human identity to back that access is where the API authentication approach breaks down a little bit. Whether that’s a Kubernetes pod, a Docker container, VMs, even physical IoT devices – those tend to all be areas where static credentials end up getting leveraged in some way, shape, or form. Increasingly we’re seeing that these are the new attack vector that is increasingly in vogue.

To give you a very quick overview of what we are doing at Corsha, what we’ve done is we’ve come up with an API security platform where we can pull some lessons learned from the human identity and access management space. And we’ve come up with a way to not only do dynamic machine identity for API clients, but then leverage that to do fully automated MFA for machines. Think of a second dynamic factor where you can make sure that API calls are going with one time use MFA credentials. This gives you a lot of those nice benefits that we’ve seen on the human side with MFA where now you can pin access to only trusted machines. Even if a key inadvertently gets checked into a public GitHub repo, if MFA is enforced as a secondary factor, you’re okay there. That’s the idea: to elevate these API clients as first-class citizens, regardless of what their form factor in a way that is easy to adopt, easy to integrate, no code change, so that it doesn’t place burden on DevSecOps teams and make their day to day easier. So that they’re not having to worry about things like credential rotation as part of their workflows. 

Just very high level, the essence of what we are trying to provide is security, visibility, control, even the ability on a fine-grained level to do things like start and stop access for a client. That’s a little bit of a difference with, say, this approach and say a vault. Because if you give an API key to a third party, you don’t necessarily have control over their vault. But with machine-driven or an identity-first approach to it, you can say, okay, from a control plane I’m going to dynamically start and stop API access for this collection of machines. And in that way have the expectation of access matching your threat surface. That’s a quick overview of Corsha and the product and the problem space. I would love to turn it over to Mark and hear more about DarkOwl and what you’re seeing on the darknet.

Mark: Thank you. The darknet is an interesting place and DarkOwl was set up specifically to allow organizations to monitor the darknet for threats to their core missions. As you can see in the lower right hand corner, our clients include many of the world’s largest cybersecurity companies who effectively use our platform and use our data to monitor on behalf of their clients. We also work, as does Corsha, with various agencies in the US Government. What we do is we go into the darknet at scale and we extract data at scale from tens of thousands of darknet sites on a daily basis. We index that data, we store that data, and we make that data available to our clients and make it searchable to our clients.  

The question I get is what really is the darknet or the dark web? The two terms are conflated.  

We all spend most of our time in the surface web. What you can search for off of your Google browser is effectively the surface web. It represents a relatively small percentage of the data that is available by the internet, in spite of the fact that if I search for any term I’m going to find thousands, if not tens of thousands, of results on my Google browser. It’s actually a relatively small percentage of the data that’s out there. Most of the data is fire-walled and it’s in what we call the deep web. My bank account information is available to me because it’s authenticated, I have the credentials, but it’s not available to Anusha and vice versa. By volume, most of the data that’s available via the internet is actually in the deep web. We specialize in the darknet, which is below the deep web. The darknet is dark for two reasons. It’s dark because you can’t get there from your Google browser. It usually requires a specialized browser or specialized access. What it does is it obfuscates user identity. Oftentimes the traffic is itself encrypted. And because of that, it is the perfect environment for criminals to operate in. Anusha and I can conduct a transaction, we can have a conversation, we can conduct a criminal transaction, buy or sell exploits with each other, drugs – there are any number of other things that we can do. A law enforcement agency could be sitting in the middle of that and see the transaction go through and see the discussion and never understand who I am and who Anusha is. And if you add in cryptocurrency on top of that, we could pay each other in an anonymous fashion. As a result, the darknet has become a haven for criminal elements.

At the bottom of that page, you’ll see Tor, I2P, Zeronet. Everything in red is data that we at DarkOwl collect from. We also collect from certain deep websites and some surface websites which enrich our darknet data. Increasingly, especially with the Ukraine-Russia war, these direct messaging platforms, such as Telegram and IRC are becoming destination points for criminals to operate in and we collect data from those as well.  

Kathy: Mark, before you move on, an attendee would like to know, how big is the darknet?  

Mark: I wish I had an answer to that question. We don’t know how big it is. We do know that Tor was the original darknet. It is now one of many darknets. The Tor project actually publishes data on users, number of users, numbers of connections to the Tor network, and number of sites.  

Year on year, it continues to grow significantly. There are a number of sites like I2P, Zeronet, Freenet, and these other new sites that have grown. We don’t know how large it is. We have been told that DarkOwl has the largest commercially available archive of darknet data that’s available. I couldn’t prove that to you because I don’t know what the denominator is. But we know that the darknet is growing in terms of both customer usage and transactions that take place.  

Very briefly, this is the kind of data that we collect. The data that most people are familiar with is at the bottom of this slide. We hold somewhere around 9 billion email addresses that we’ve collected over the years, 1.8 billion IP addresses. Those are oftentimes IP addresses or networks that are being targeted. A range of credit cards, crypto addresses, and so on. It’s a big database that we have, and it’s updated continuously and has been since we stood the company up five years ago. Then we make our data available by a number of APIs as well as a user interface for the analyst community as well. But to give you a sense, just in the last 24 hours we’ve indexed and put into our database 1.3 million documents. That gives you a sense of the scale of the type of documents that we’re dealing with.  

More relevant to this conversation, though, is the next slide, which is, what are we seeing in the darknet that is relevant to the issue around API security? And the answer is a lot. We’re seeing that threat actors in the darknet are discussing stolen API secrets, keys, they’re trading the session tokens, and they’re openly discussed in these closed communities. This is a hot topic for the criminal elements in these communities. There are man-in-the-middle attacks, there are injection methods being discussed and actually traded. Anusha and I would get into one of these forums, we’re both criminal actors, and we would discuss how I mounted a successful attack using this method. And she’ll say, can I buy that method from you or can I borrow it? Let me try it on a target that I’m thinking about. We see that ongoing. JWT authentication bypass methods are oftentimes discussed in detail. That’s been a real wake-up call for me personally, seeing how creative criminals are being in these methods that they’re developing. Tools are shared.  

Interestingly enough, and not particularly relevant, but the DDoS services are sold. API DDoS services are sold for cheap. One of the things we’re seeing broadly in the darknet across all sorts of threat actors is the migration of threat actors to actually selling out their services and renting them out on a monthly basis. This is just an example. We’ve seen Kubernetes targeted especially. It’s a distributed environment, so there are some vulnerabilities that the threat actors are using. Then hacking courses on and on and on.  

These are some screenshots of some of the discussions that we have seen in the darknet. In the upper left you’ll see this discussion around leaking API keys. In the middle of the slide, you’ll see Russian threat actors describing API keys as well as the secret keys and making the secret keys available. I think those were stolen. In the lower right, I love this. You know, we figure out a way to withdraw funds using API keys without access to the account itself and on and on and on. If you get onto our platform and search for any of these terms, you’re going to find quite a lot of discussion among the threat actors and the criminal gangs around this. And you’ll see data brokers actually selling keys. Selling actual access to networks. The conclusion is that the darknet is rife with discussion around the very threats that Corsha is targeting and was set up to respond to. Anytime you see this kind of activity, any time you see this discussion going on in the darknet, you know you’re on to something. So your customers made some smart choices here, Anusha.  

Anusha: We appreciate that, Mark. I will say it is very interesting to see all of the discussion and the activity around Kubernetes. I think that might be even a fun double click into another session to do, because it is turning into a foundational layer of most organizations transforming their application ecosystems. It would be fantastic if we could get ahead of that.  

Mark: I’d actually like to talk to the founders back at Google. It was right around 2014, if I’m correct, about Kubernetes, and ask them whether they ever had a conversation around security right at the outset. Because most people, most developers won’t. And it’s not a criticism. It’s that just most developers won’t do it. They’re thinking about how to build a scalable environment for whatever their mission is. They’re not thinking about how five or six or seven or eight years down the road, somebody’s going to be trying to attack that environment.  

Kathy: We’ve actually had a few questions come in. One of our attendees would like to know: what specifically can be done from a security perspective to prevent an API attack?  

Anusha: Some of it is obviously having good hygiene around primary credentials. Having policies in place for things like rotation. Certainly using a platform like Corsha as a layered defense, so that you have a way to uniquely identify and control each API client, is a very sound approach to a lot of this activity that we are seeing on the darknet. Other things like making sure that API access is least privileged, so having notions of authorization in there. Just like when you have a given user, you give them roles, and not all users have access to the same information and services on the system, APIs and API clients have to be dealt with the same way. And having ways to revoke secrets and revoke access are very important. It’s about drawing a lot of those parallels that we have with human identity and access management but into the world of APIs. 

Kathy: Thank you. We also have a question of: how can security or engineering teams get better visibility into how their API secrets are being used? 

Mark: One way to do that is to use a platform like DarkOwl’s platform to actually monitor the environment on an active basis. Oftentimes, you will see threat actors discussing targets by name or by IP range or by other things. Look in the upper left-hand side of this slide, right there is a discussion around a very specific key from a very specific 

My point is, any time you’re thinking about security more broadly, there are a number of hygiene elements that have to go into place. One of those hygiene elements is monitoring this environment where criminals are actually plotting attacks in a wide variety of different contexts, not only in the API environment. We see active threats, active exploits under way. We see targets being identified and threat actors saying, all right, that’s great, I’m going to hit them. You have to have some eyes on that environment.  

Kathy: Thank you. We did have one more question come in, and that is, what should a team do today if an API secret is compromised?  

Anusha: That is where having a good platform for observability in place is really important, because you want to know where that API secret could have been leveraged, right, and have the ability to quickly revoke and rotate it. It’s both understanding the impact of the leakage or the stolen credential and then the mitigation strategy of how to revoke it, how to rotate it, with obviously as little downtime as possible. I think for observability using a platform like DarkOwl is really helpful because you can see the extent to which it may have been leaked or compromised as well.  

Mark: Thank you, Anusha. It’s a pleasure doing this. Let’s do another one in the future once we find more threats.

Anusha: Absolutely. That would be fun. Thanks so much for the time. And thanks to everyone for listening in.   
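The controls the two speakers describe in the Q&A above (a unique identity per API client, least-privilege scopes, rotation, immediate revocation, and enough observability to work out what a leaked secret could have touched) are easy to state and easy to get wrong in practice. The following is an added example written for this transcript; it is not code from the webinar, from Corsha or from DarkOwl, and every name, key format, scope string and timestamp in it is hypothetical. It stores only hashes of issued keys, rotates with a grace window so a client can switch keys without downtime, revokes all of a client's keys at once, and keeps a usage log that answers the "where could it have been used" question before anything else is rotated.

```python
"""Added example (not code from the webinar, Corsha or DarkOwl): a minimal
API-key store implementing the controls discussed in the Q&A, a unique
identity per API client, least-privilege scopes, rotation with a grace
window, immediate revocation, and a usage log for scoping a compromise.
Every name, key format and timestamp here is hypothetical."""
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Iterable, Optional


@dataclass
class KeyRecord:
    client_id: str
    scopes: frozenset
    created: datetime
    expires: Optional[datetime] = None   # set when the key is superseded by rotation
    revoked: bool = False


class ApiKeyStore:
    """Stores only SHA-256 digests of keys, so a leaked table yields no usable key."""

    def __init__(self, now: Optional[Callable[[], datetime]] = None):
        self._now = now or (lambda: datetime.now(timezone.utc))
        self._keys = {}        # digest -> KeyRecord
        self.usage_log = []    # (time, client_id, scope, "allow" | "deny")

    @staticmethod
    def _digest(key: str) -> str:
        return hashlib.sha256(key.encode()).hexdigest()

    def issue(self, client_id: str, scopes: Iterable[str]) -> str:
        """Mint a random key bound to one client and an explicit scope set."""
        key = "ak_" + secrets.token_urlsafe(32)
        self._keys[self._digest(key)] = KeyRecord(client_id, frozenset(scopes), self._now())
        return key

    def rotate(self, old_key: str, grace: timedelta = timedelta(hours=1)) -> str:
        """Replace a key with a fresh one for the same client and scopes. The old
        key stays valid for `grace` so callers can switch without downtime."""
        rec = self._keys[self._digest(old_key)]
        rec.expires = self._now() + grace
        return self.issue(rec.client_id, rec.scopes)

    def revoke_client(self, client_id: str) -> int:
        """Compromise response: invalidate every key of the client at once.
        Returns how many keys were newly revoked."""
        count = 0
        for rec in self._keys.values():
            if rec.client_id == client_id and not rec.revoked:
                rec.revoked = True
                count += 1
        return count

    def authorize(self, key: str, scope: str) -> bool:
        """Check a presented key for one scope and record the attempt."""
        rec = self._keys.get(self._digest(key))
        if rec is None:
            return False                     # unknown key: nothing to attribute
        allowed = (not rec.revoked
                   and (rec.expires is None or self._now() < rec.expires)
                   and scope in rec.scopes)
        self.usage_log.append((self._now(), rec.client_id, scope, "allow" if allowed else "deny"))
        return allowed

    def exposure(self, client_id: str, since: datetime) -> list:
        """Everything a client's keys were used for since `since`: the first
        question to answer when a secret leaks, before deciding what else to rotate."""
        return [e for e in self.usage_log if e[1] == client_id and e[0] >= since]


if __name__ == "__main__":
    store = ApiKeyStore()
    key = store.issue("billing-svc", {"invoices:read"})
    print(store.authorize(key, "invoices:read"), store.authorize(key, "invoices:write"))
    new_key = store.rotate(key)
    store.revoke_client("billing-svc")
    print(store.authorize(new_key, "invoices:read"),
          len(store.exposure("billing-svc", datetime(1970, 1, 1, tzinfo=timezone.utc))))
```

Two design points worth noting. Scopes are checked per call rather than per client, so a key minted for reading invoices cannot be turned into a write path even if the client code is compromised; and revocation is keyed on the client rather than on one key, because after rotation a client normally holds two valid keys for a while and an incident responder should not have to remember which one leaked.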


About Corsha:
Corsha is on a mission to simplify API security and allow enterprises, developers, and DevSecOps teams to embrace modernization, complex deployments, and hybrid environments with confidence. Our core technology is dual use, designed for widespread adoption, and easy to configure and deploy to both commercial and government customers. Corsha has a strong engineering team with deep expertise in distributed ledgers, cryptography, security principles, orchestration technologies, and software design. Contact Corsha.

About DarkOwl:
DarkOwl uses machine learning to automatically, continuously, and anonymously collect, index and rank darknet, deep web, and high-risk surface net data that allows for simplicity in searching. Our platform collects and stores data in near real time, allowing darknet sites that frequently change location and availability to be queried in a safe and secure manner without having to access the darknet itself. DarkOwl offers a variety of options to access their data. 

To get in touch with DarkOwl, contact us here.

Arms, Drugs, and Human Trafficking on the Darknet

November 09, 2022

After reporting on their discovery of multiple marketplaces on the darknet claiming to be affiliated with various organized crime organizations, our analysts decided to take a closer look to identify potential connections and overlap between the spheres of arms, drugs, and human trafficking on the darknet. 

To further examine this topic, our analysts conducted an extensive survey of vendors trading on the darknet in weapons, drugs, and human trafficking. In doing so, DarkOwl analysts uncovered a confluence between the three economies, indicating a possible interrelationship between the supply routes moving drugs, weapons, and people around the world.

Weapons for Sale

Using the darknet, deep web, and high-risk surface web data, DarkOwl analysts discovered multiple arms-centric marketplaces, vendor shops, and other classified-style advertisements for the sale of illegal firearms on the darknet.

DarkOwl discovered arms for sale on darknet onion services hosted on the Tor anonymous network in English, Russian, German, and Mandarin Chinese. A few sites offer mostly the kinds of weapons found in gun stores or at gun re-sellers around the United States. Other sites advertise military-grade weapons that are typically not available to civilians, including anti-tank guided munitions (ATGMs), e.g. Javelins, AT-4s, and NLAWs, and rocket-propelled grenades (RPGs).

Darknet weapons dealers from BMG (Black Market Guns) advertise that the weapons have not been used, arrive in the original manufacturer’s factory condition, and originate from NATO stockpiles. Some of the photos of the weapons on offer include visible serial numbers, and others are stock photos sourced online. Most darknet services offer worldwide shipping, with some exceptions such as Russia due to its strict import controls.  

Figures 1 and 2: Screenshots from Black Market Guns (Source: Tor Browser Anonymous Network)

A study by Rand Corporation found that weapons sold on the darknet are typically weapons that were already in the black market or weapons that were legally owned and then redirected to the darknet. According to the same study, the US was the most common country supplying markets. Europe was cited as the largest market for darknet-purchased firearms.

Figure 3: Cache of Weapons Seized by US Department of Justice (Source)
Figure 4: Weapons for sale on Empire (Source: Tor Browser Anonymous Network)
Figure 5: Weapons for sale on FREEGUN (Source: Tor Browser Anonymous Network)

Our analysts also found listings of small arms for sale on darknet and deep web services similar to those seized by law enforcement from individuals charged with conspiring to traffic narcotics and firearms.

On average, DarkOwl analysts found that firearms for sale on the darknet cost the same as or less than the same products on surface web sites. In most cases, however, darknet prices were not significantly lower than those advertised on the surface web.

For example, a “Bushmaster AR15 Tactical Package Semi Auto Rifle” from Empire Market costs $769 USD compared to $1,800 USD on a surface website.

A “Springfield 1911 Ronin Caliber 10 mm” handgun goes for $800 USD on FREEGUN darknet marketplace and for slightly more ($899 USD) on a surface web commerce website.

Figure 6: Springfield 1911 Ronin Offer (Source: FREEGUN, Tor Anonymous Network)

Purchasing a gun online in the United States is not illegal. However, laws and regulations vary from state to state, with most requiring a background check as well as other licenses to purchase more deadly weapons, especially fully automatic and semi-automatic rifles like AR-15s. Gun regulations in other parts of the world, such as the European Union, are stricter, resulting in limited access. Therefore, depending on where you are, who you are, and what legal processes you have gone through, it is quite possible to purchase a weapon legally on the darknet. However, it is rational to assume that weapons are sold on the darknet for the purpose of circumventing the processes required for legal purchase. 

For example, FREEGUN advertises that they work directly with smugglers and offers worldwide shipping with the exceptions of North Korea, Sudan, Tunisia, Algeria, Egypt, Iran, Iraq, Syria, and Paraguay. 

“We work with smugglers from Europe, Asia and USA. They will deliver firearms to your house or drop the package at specific place.”

They also mention their stealth practices to avoid detection, including that pistols are taken apart and hidden in power tools. 

Figure 7: Screenshot from FREEGUN FAQ (Source: Tor Anonymous Network)

Countries geographically close to the United States likely do not need to purchase firearms on the darknet and can rely on direct smuggling across the border. For example, it is estimated that between 70% and 90% of guns recovered at crime scenes in Mexico can be traced back to the United States, smuggled across the border by the drug cartels. Annually about half a million weapons from the US illegally enter Mexico. Many of them are military-grade weapons and land in the hands of drug cartels.

In other areas of the world, like Europe, there is more reliance on weapons purchases via the darknet; one underground marketplace advertised itself specifically as a provider of guns to the European Union. 

The legitimacy of arms for sale on the darknet is widely debated by darknet communities. As is typical on the darknet, many state that any listings of weapons for sale on Tor are scams. 

Drug Trafficking

Arguably, the most well-known source of revenue for organized crime is drug trafficking. DarkOwl analysts have previously released a report detailing the presence of alleged cartel-affiliated marketplaces on the darknet and detailed some of their product offerings including sophisticated concealed shipping.  

Drug trafficking is not exclusive to the darknet. The marketing and sale of illicit substances occurs on the surface web, on encrypted and non-encrypted chat platforms, and via social media direct messages, in addition to the darknet. Online purchases of drugs are often delivered to a mailbox or a “dead drop” location, or sellers utilize mail services or international trade networks.

Encrypted communications networks can serve as a work-around to traditional darknet marketplaces and facilitate single-vendor trade or “direct deals” by interfacing with users directly. Utilizing direct deals via encrypted chats gives both buyer and seller more privacy, especially from law enforcement, which has become more adept at infiltrating and shutting down darknet marketplaces dedicated to illicit drugs.  

According to UNODC, most of the drugs sold in the darknet ship from North America and Europe. The most common country of origin or country of shipment from greatest to least were listed as the United States, the United Kingdom, Germany, the Netherlands, Australia, and Canada.

Darknet Vendors’ Trafficking Methods  

It is common for darknet vendors to talk about their delivery and stealth methods to reassure customers that their purchases will be delivered as advertised and not seized by the authorities. However, vendors and marketplaces must balance revealing enough information about their concealment techniques to gain their customers’ trust while not exposing their methods and routes resulting in law enforcement interdiction.

Some sites will simply state that their stealth precautions are robust and therefore good for the buyers, but do not publicly share more details. Others promise that they use the “best equipment” for the “highest stealth and security possible” or reassure customers that they are experts in some other manner.

A weapons vendor on the darknet commerce site Empire Market advertises that all items are sent with a tracking code, and offers major shipping providers like DHL, UPS, FedEx, and postal mail as shipping options the buyer can choose from. The market suggests that small orders are shipped inside of magazines or binders, while large orders are shipped in boxes with labels made to look like eBay or Amazon packages. Rifles are often disassembled and then shipped inside larger appliances, and customers receive instructions separately detailing how to assemble their weapon.

Another listing from a drug vendor found on DarkOwl Vision claims that the packages they send are “untraceable” and “the most discreet.” This vendor claims to take precautions such as vacuum sealing the packages, and states that they are all alcohol-cleaned, dog-proof, and X-ray-proof.

Human Trafficking

Some of the darker illicit goods and services that flourish on the darknet due to its anonymity and privacy-centric nature include child sexual abuse material (CSAM), human trafficking, and the exploitation of humans both online and in the physical world. Criminals and traffickers have increasingly turned to the online cybersphere to exploit victims. Social media platforms can be used to identify possible victims, target them, recruit them, and then to advertise their exploitation services. The internet and darknet can be used to broadcast live acts of exploitation for distribution to a wider audience. While distributing CSAM is not human trafficking, the production of CSAM is usually the result of trafficking children for exploitation. CSAM is available on the darknet and on darknet-adjacent platforms.  

Using the internet, traffickers can physically exploit the victim in one location but operate in multiple places at once and across borders. These are labeled as “cyber flows” and “are often characterized by victims held and coerced into video performances, allowing the perpetrators to connect with potential clients living abroad. This type of trafficking has been identified in several countries and typically relies on the availability of video equipment and digital recording devices to broadcast victims’ exploitation.”

This is the type of exploitation and human trafficking commonly seen on the darknet. For example, many times listings for human trafficking victims on the darknet will be advertised as “escort services,” “child escort services,” “rentals,” “kid rentals,” and more.

Figure 8: Screenshot from a dark web site (Source: DarkOwl Vision)

Drug Trafficking and Weapons – Connections to Organized Crime and the Darknet

Connections between drug trafficking and arms trafficking are well documented. The relationship between drugs and weapons is corroborated by both research from the government and other non-profit organizations. This same relationship is also seen on the darknet.

A darknet marketplace claiming to be affiliated with CJNG discovered by DarkOwl analysts offers drugs for sale. CJNG is one of the strongest cartels currently operating in Mexico, and would require weapons to maintain their drug trafficking routes and control. 

In January of 2022 the Justice Department arrested four defendants in connection with an investigation targeting a domestic firearm trafficking organization that supplied weapons and ammunition to the Cártel Jalisco Nueva Generación.

Furthermore, the indictment alleges that a “Whittier man led the gun trafficking organization that used narcotics proceeds to purchase assault rifles, hundreds of thousands of rounds of assault rifle ammunition, and numerous machine gun parts and accessories – some of which were smuggled into Mexico, mostly since the beginning of the COVID-19 pandemic.” There is evidence suggesting that organized crime groups such as the CJNG are trading high-powered weapons for drugs with other organized crime groups operating in Colombia.

The flow of weapons from the United States to organized crime groups (as the indictment above indicates) such as CJNG can then be leveraged by criminal groups to trade for drugs in Colombia, which will travel to Mexico and the United States. Thus, weapons from the United States typically end up in Mexico and Colombia and Colombian drugs find their way back to the United States.

The Relationship Between Drugs, Weapons, and Human Trafficking on the Darknet  

While there is a long history of connections between drugs and weapons, DarkOwl analysts were curious if a similar relationship could be observed between weapons and human trafficking, and between drugs and human trafficking. By performing a keyword and language correlation analysis across drugs, weapons, and human trafficking related advertisements in DarkOwl Vision, our analysts discovered at least 7 unique vendors involved in both human trafficking and drug trafficking activities.  

Running a similar correlative analysis with 78 aggregated terms for weapons, analysts found that although it is common for weapons and human trafficking to be advertised in the same posts or forums, not as many vendors dealt in both weapons and humans.

Nevertheless, vendors were identified that offered human trafficking services and other darknet services, such as hitman and hacking for hire. While the content is intentionally redacted for public distribution, the Telegram channels offering the services are the same. DarkOwl analysts also considered the very real probability that the threat actor offering these services is a scammer.

Figures 9 and 10: Screenshots from dark web sites (Source: DarkOwl Vision)

During our analysis, a rare case stood out where one vendor was identified as associated with all three: human, weapons, and drugs trafficking. Although the contact is redacted for this publication, the Wickr ID is the same.

Figures 11 and 12: Screenshots from dark web sites (Source: DarkOwl Vision)
Figure 13: Screenshot from dark web sites (Source: DarkOwl Vision)
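The linkage behind the findings above is an identifier overlap: a listing is assigned to a category by keyword match, and a contact handle (a Telegram channel, a Wickr ID) that recurs under more than one category marks one vendor operating across them. The block below is an added example of that keyword-and-identifier correlation; it is not DarkOwl's own tooling, and the category vocabularies (a handful of terms each, where the analysis above used 78 weapons terms), the handle patterns and the listings are all constructed for illustration. It goes slightly beyond the text in one respect: it reports vendors spanning any two categories as well as the rare three-way case.

```python
"""Added example, not DarkOwl's own tooling: keyword-and-identifier correlation
over constructed listings. A listing is put into a category by whole-word keyword
match, contact handles are extracted from its text, and a handle seen under two
or more categories marks a vendor that spans them. The keyword lists, handle
patterns and listings are all invented for this example."""
import re
from collections import defaultdict

# Illustrative category vocabularies (the real analysis used far larger term sets).
CATEGORY_TERMS = {
    "weapons": ["glock", "ar-15", "ar15", "rifle", "pistol", "ammo", "9mm"],
    "drugs": ["mdma", "cocaine", "heroin", "meth", "xanax", "lsd"],
    "human": ["escort", "rentals", "kid rentals", "child escort"],
}
# Whole-word matching so that "meth" does not fire on "method".
TERM_RE = {
    cat: [re.compile(r"\b" + re.escape(t) + r"\b", re.I) for t in terms]
    for cat, terms in CATEGORY_TERMS.items()
}

# Contact identifiers that vendors reuse across listings, matched as (platform, handle).
HANDLE_RE = [
    ("telegram", re.compile(r"(?:t\.me/|telegram[:\s]+|@)([A-Za-z0-9_]{5,32})", re.I)),
    ("wickr", re.compile(r"wickr(?:\s*id)?[:\s]+([A-Za-z0-9_.-]{3,})", re.I)),
]

# Constructed sample listings (invented text, not real advertisements).
LISTINGS = [
    "Glock 19 with two mags, ships EU, contact wickr: ShadowTrader",
    "Pure MDMA 100g, stealth vacuum sealed, wickr: shadowtrader",
    "Escort services, kid rentals available, wickr id: shadowtrader",
    "Cocaine 1kg uncut, telegram @cokeboss",
    "Young escort rentals, message t.me/cokeboss",
    "AR-15 lower and 9mm ammo, telegram @gunrunner",
    "Hitman and hacking for hire, dm @gunrunner",
]


def classify(text):
    """Categories whose keywords occur as whole words in the listing text."""
    return {cat for cat, regs in TERM_RE.items() if any(r.search(text) for r in regs)}


def extract_handles(text):
    """Normalised (platform, handle) pairs found in the listing text."""
    found = set()
    for platform, reg in HANDLE_RE:
        for m in reg.finditer(text):
            found.add((platform, m.group(1).lower()))
    return found


def link_vendors(listings):
    """Map every contact handle to the union of categories it was advertised under."""
    index = defaultdict(set)
    for text in listings:
        cats = classify(text)
        for handle in extract_handles(text):
            index[handle] |= cats
    return dict(index)


def cross_category(index, min_categories=2):
    """Handles (vendors) that appear in at least `min_categories` categories."""
    return {h: sorted(c) for h, c in index.items() if len(c) >= min_categories}


if __name__ == "__main__":
    for handle, cats in cross_category(link_vendors(LISTINGS)).items():
        print(handle, cats)
```

Handles are lower-cased before indexing because the same vendor rarely types an ID consistently, and the listing that advertises hitman and hacking services carries no category of its own but still contributes its handle, which is how the "other darknet services" overlap mentioned above surfaces. On real data the handle patterns are the weak point: a scammer reusing a popular vendor's ID will show up as that vendor, which is why the analysts above treat each such link as a lead rather than a conclusion.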

Final Thoughts

The darknet cannot show the full extent of the complicated relationship between arms, drugs, and human trafficking. However, using DarkOwl Vision to explore these relationships offers a snapshot into both the physical and digital realms of illicit goods and exploitation that often accompany each other. Looking at arms, drugs, and human trafficking online ties into the very real-world implications of these practices.

Regardless of whether some of the darknet marketplaces or vendors mentioned above are scams or law enforcement “honey pots,” the fact that many vendors who advertise arms, drugs, and human trafficking show up in at least two out of the three demonstrates how intertwined these markets, and perhaps their victims and economies, are, and that the illicit markets of the darknet in many ways mirror the real world.


Curious how darknet data can be applied to your use case? Contact us.

[Webinar Transcription] Countering Illegal Trade on Darknet Marketplaces

November 08, 2022

Or watch on YouTube.

David Alley of DarkOwl FZE and Ivan Kravstov of Social Links dive into the topic of harnessing OSINT to expose illegal trade on the darknet. They outline the black-market landscape of the darknet and showcase a range of methods for fighting illegal trade and approach the topic of darknet marketplaces from different angles. In this webinar, they cover:

  • The nature of the dark web and how it is accessed by users
  • The functional make-up of darknet marketplaces
  • User deanonymization methods
  • Advanced darknet data extraction and analysis techniques

Attendees learn how to break through the perceived anonymity of the dark web and crypto transactions to identify criminal actors and track illegal trade and illicit activity.

For those that would rather read the presentation, we have transcribed it below.

NOTE: Some content has been edited for length and clarity


Ivan: Greetings everyone, today we will be hosting a joint webinar with David Alley of DarkOwl FZE and the topic will be countering illegal trade on darknet marketplaces or more broadly dark web research in general. 

David could you tell us a bit about DarkOwl?  

David Alley: Absolutely. It’s really great to be here and thank you to everyone for joining from all around the world. I know that we always fight the various time zones to get everyone here, so a special thanks to the Social Links team for hosting this webinar. They’ve been super helpful in getting this excellent presentation together for us.  

A little bit about DarkOwl – we are American company, and our headquarters is in Denver, Colorado also known as the Mile High City. We originally started off as a cybersecurity company with a focus on penetration testing. And at that time we would do research on the darknet to see if we could find credentials to help with our pentesting work. We were really successful at that, we had a very high rate of penetrations for the pentests. We said, “why don’t we change this and actually go into being just a pure darknet company only?” That was really the birth of DarkOwl. Since then we’ve had a lot of great team members with us at DarkOwl and we’ve built a very good collection capability for us to go onto the darknet and pull out that data that is really difficult to get to.  

We have a great collections team that does all of this hard work and makes it much easier for our partners like Social Links to do the next part. Which is, that once they’ve looked at that data, to make sense of it and decide what does is it mean? And how do we use it? And how do we fight crime that is emanating from the darknet? 

We have a couple of claims to fame. The one we use the most is that we have the largest commercially available darknet data lake in the world. And that’s just because we have been doing it for longer than everyone else. We’ve had some very special team members over the years that have had a very unique access and understanding of the Tor Network. At one point we actually had the co-founder of Tor on our team, and so it’s a really unique company. We are highly niche and highly skilled, and that’s why great companies like Social Links and ours like to work together, because we are complementary. We work a lot with OSINT analysts as well, but we also provide APIs and data feeds for partners, and that’s how we work with Social Links. I think you’re going to be pretty amazed at what the team has to show you today. I’m always impressed with what they’re able to come up with; they have a superior team. Leveraging great data from DarkOwl with great analysts from Social Links, you’ll always be happy with the results. I’ll turn it back over to you, Ivan. 

Ivan: Thank you very much for the introduction, David. A bit about us: the company was founded in 2015, we have 80+ employees at the moment, with HQ in the US, EU offices in the Netherlands, and the R&D office in Riga, Latvia. What we do is provide software for data-driven investigations. You can see that we have a good rating on Gartner Peer Insights and that we have received a number of industry awards in the past years. 

Here we have a very brief slide about the average pricing of various goods on the dark web. Ranging from stolen credit cards to out of the box ransomware Trojans.  

A concept that I’m sure everybody is familiar with is that there is a division into what is known as the clear web or the surface web, something which is indexed by conventional search engines, then there is the deep web which can include many different things that are not [indexed by conventional search engines] and that it takes a bit more effort to find and then there is a space commonly known as the dark web which include the Tor Network but also additional ones such as I2P, Freenet, and Zeronet.  

The general principle of the Tor browser network is that the traffic goes from the user through several nodes and then reaches a specific server at the end. The current total Tor network bandwidth is 400 gigabytes per second.

One of the technologies that is also utilized quite often within the platforms of communication is PGP encryption. The basic concept being that the user sends an encrypted message that can only be accessed and read with the use of a private key held by the recipient.  

Now here we can see the boost of darknet marketplaces revenue from 2011 with the first precedent being the Silk Road up to 2020 [revenue] which is quite substantial.  

The products and services available on those marketplaces range from drugs to tutorials, forgery, various kinds of illicit services, malware hosting, and fraud. The majority of those being drugs. 

The general principle of how a marketplace works is that a buyer exchanges currency for any kind of specific cryptocurrency accepted by the marketplace. Which is predominantly Bitcoin at this moment, but there is a shift towards alternative ones such as Monero or Zcash. The buyer then transfers the Bitcoin into the market’s account and makes a purchase. The crypto is held in the market’s escrow account until the order is finalized, with the market taking a commission. After the finalization of the deal the vendor is paid. Then the vendor may move the Bitcoin from the market account and potentially exchange it. 

Here we see an infographic of types of entities receiving Bitcoin from dark web sources, which can be exchanges enforcing KYC or exchanges more liberal with their KYC processes. Those can also be mixing services and other entity types.  

David, if you could tell us about DarkOwl’s differentiation?  

David: Absolutely. As we’ve seen here, we’re talking a lot about the crypto piece. And I want to talk about how DarkOwl differentiates itself and helps you with this. It is because we are able to go into these markets that we’re talking about today and we’re able to pull that data out for you. A lot of the blockchain tools that you’ll be familiar with will allow you to see various wallets as they’re being tumbled and where they’ve been mixed or how they’re being exploited. But what they have difficulty doing is tying wallets to a very specific illegal activity. And that’s one of the main things that makes us different for these types of investigations. We are continuously out there crawling these darknet sites and these markets that we are in. Someone asked a question: how do we differ from our competitors? It’s just a real question of scale and scope. Many of them are in about 400 sites and we’re collecting from over 95,000 sites and about another 20,000 to 30,000 mirrors every day. It’s this massive amount of unmatched darknet content discovery that we’ve got, and inside of that content is where all of these cryptocurrency wallets are which can be tied to illegal activity. You want to buy your MDMA in London? Here you go – use this bitcoin wallet or this Monero wallet.

I second the comments that we’re seeing a shift from Bitcoin into some of the other coins out there. We’ll even pick up coins in our collection that are not even on the chain yet. They’re brand-new wallets that are being used. We’re seeing that shift away from the traditional way of using the same wallet over and over, to now criminals will create a new wallet, put it up on the site for their drugs or their CSAM material or whatever it is they’re trying to sell, and have the payments into the air before the blockchain tools can even detect them. You’ll see coins get recycled, and because of our unique archival capability it goes back to almost 9 years’ worth of data. You can also do those deep investigations into darknet transactions that happened years ago. All of that together gives you the content that makes investigations very strong, and that combined with the ability to do leak analysis as you can see from our Social Links partners is a very powerful tool. To give you an idea of what we actually have in the collection, it’s about the numbers. 

It is a lot of Tor. Tor is the largest of the darknets. We also have a very large collection from I2P and from ZeroNet. Those are the three major darknets that we collect on. And there are some very technical reasons behind that. We also are having a lot of success picking up cryptocurrency transactions off of Telegram channels. As we know, Telegram is very popular with a lot of different hacking groups and black hat hacking groups. It’s easier to use than a darknet channel. We see that a lot of hackers are also gamers, and they use Discord for communications. We see some in pastes as well. What should really be focused on [in this slide] is the lower right-hand corner. That’s 347 million cryptocurrency wallets pulled out of our darknet collection. It’s a pretty big number, and every time I see a cryptocurrency wallet on a darknet site it’s always doing something bad. I’d say it’s a 99.9% probability that if you’re using Social Links and you pull out a cryptocurrency wallet from the darknet data, you’ve already done one of the hardest steps, which is identifying some form of suspicious activity. I’ll turn it back over to our Social Links partners to take you through the rest of the demo.  

Ivan: It may make sense to note that with Telegram and Discord channels there is indeed substantial overlap. Much more substantial, obviously, than with the traditional mainstream social media platforms. Telegram and Discord aren’t really called social media, but they have a significant social networking element, Telegram especially in the past few years. It is about cybercrime groups, but apart from that it could just be local, regional, or even macro-regional drug vendors. It could be people engaged in child grooming, especially on Discord, or extremist groups, as we previously covered in one of our webinars with a German expert on extremism research. Now we will go into the actual examples that we have.

First we should dedicate a few minutes to talk about the method of dark web research. In this case that would mean being focused on researching an individual. It makes sense to use all of this in conjunction.

From the username we can get the specific platform within this interface where the vendor or forum member is present. That can also give us insights into their stated or observed affiliations. Those are the payment methods, the posts and threads, and the products. From the posts and threads you can examine the topics discussed in detail, which can also tell you more about what exactly they are doing, what kind of merchandise they are dealing in, what kind of categories, and if they have a specific focus, as well as the speech patterns, the idioms and idiosyncrasies used by the individual, and the shipping locations. And of course, the products also tell us more about the proper categories, and sometimes product cards can contain contact details within them. Objects within this schema such as the speech patterns, the stated shipping locations of the products, the affiliations, and the specific platform can point us to assumptions about a certain region or macro-region.

For example, there is a higher probability of a vendor or a forum member on an Eastern European marketplace being from somewhere in Eastern Europe. Payment methods can be different as well, as can various types of e-money, but here we’ll focus more on cryptocurrency addresses. A transaction derived from an address can tell us about the interactions it has with other addresses or groups of those. And it can tell us about the services that they are using, such as mixers or exchanges. A mixing service may also theoretically have some kind of interactions in some kind of partnership program for a specific marketplace. They can also be mentioned in various reports or forums. All of those can possibly lead us to digital breadcrumbs, and that, in conjunction with the assessment of the presence of the user in other forums and marketplaces, the way their personality may be reflected in their online behavior, the kinds of merchandise that they are dealing in, and the kind of payment methods that they’re using, is all part of an attempt to create a digital profile of an individual.

Now here we will start with the first example, where we will go from an alias. We will run our first transform search for users under this alias. Here we can see some details in the properties, one of those being the site name Tochka Market. “Tochka” is a Russian word standing for point or place. We search for the products related to this vendor and we also extract their PGP open key, which is quite often used by vendors. Next, we will use the products and extract the locations they are to be shipped to and from.

We can see here that those are mostly recreational drugs shipped to the United States. From a PGP open key it is sometimes possible for us to go to the email address. Not in a hundred percent of cases, which can also be said about some of the other methods that we will be applying here. Here we see a Gmail and from that we can further try to see if there are any social media profiles and any accounts connected to that email address. There is also the possibility to get reviews if it’s a Gmail account. We can see that there are accounts within Facebook, Firefox, Gravatar, Pinterest, Samsung, and Twitter connected to the email and we see several profiles within Gravatar, LinkedIn, and Skype from which we can extract additional details. In reviews we also see a cannabis dispensary seemingly located in the United States and a bar in Cameroon which matches with the location that we see here within the LinkedIn account [redacted account name] connected to the Gmail address. There is also a post promoting the sale of marijuana on a surface web source stated by the account holder to be safe and secure. Now here we can use some of the Maltego functionality to go into more data about that specific domain. The WHOIS data gives us the name of [redacted name] as a registrant and the company name [redacted company name]. [Redacted names] are both something that we have seen within the social media footprint derived from the email address. Now of course an analyst won’t be as lucky as in this instance in 100% of cases, but this is real data related to a real individual. It is possible because people do tend to make mistakes.  

Now we will go through another alias. This [alias] gives us 4 accounts with the same username, and it’s something that vendors do to maintain a commercial reputation with the customer base. Now we can ask for specific platforms. We can see the Dread forum, the Hub forum, the Apollon market, and the Wall Street Market. Now we also see a single PGP key used by three out of four of those accounts, and we will further ask for the posts and products. We can see that there is a certain focus on Europe. In this instance the goods are more likely shipped from Europe to locations worldwide. The principles of working with the posts are similar to the way a user of Social Links Pro, or a SOC tool in general, can work with social graphs: the graphs of social interactions within the digital space. From each of those we go into the thread. From the thread we can go to the other posts within it, and the other users that have been participating in those conversations.

This is just the stage of gathering data, and an analyst working on a real case will of course face the necessity to analyze this communication in depth. That’s why there’s a capability here to download the content within those posts and save the text content as a text archive. Now here we see a Proton Mail account, [redacted email address], so they seem to be more conscious about their digital footprint and security, but potentially we can try to search for this alias in the social media platforms available. Here we’ll try with an Eastern European platform because [redacted name] [the alias] is obviously a reference to the famous assault rifle. Here we got an account with just a cat as a picture under the name [redacted name], and while it’s not something that we will state and something that we will accuse this person of, it could be a coincidence or it could not be a coincidence. The account is not very informative, is closed, and has a profile picture of a cat. So here we are less lucky than in the first example. In some instances it’s even more obscure. Here we see an individual with the alias [redacted name] focusing on the European Union. They have two email addresses and a statement in the product description that there is a possibility to contact the vendor on Discord. We see that there is a Discord account connected to their Proton Mail address, and also a Skype account which states the location as Germany. This is all on the level of analyzing people and individuals or small groups of people, because several individuals can be behind one username.

This can also be done on a macro level. We can take several capital cities or countries within a certain macro-region such as Asia-Pacific or Latin America and run a search into the full spectrum of dark web sources available to us to see which products are shipped to and from those locations. Here we see that some countries have more activity within the spectrum of available sources, some countries have less, and we can potentially look for vendors that are focused on two or three specific countries at once. We can also see which marketplaces are more active within a given region. Here, and in Latin America, Tochka market is quite active. Additionally the Apollon and Nightmare markets, and then several other ones, have much less activity.

Now of course it makes sense to talk a bit about the cryptocurrency aspect within dark web research. Several of those graphs are something that we’ve shared in some of our previous webinars. The methods can be split into two sets: passive intelligence and direct engagement. Passive intelligence may include open-source and social media intelligence, the traditional follow-the-money approach, and the enrichment of the initial entered data that the analyst or potentially a victim of a crime may have. Direct engagement is something that implies using custom digital avatars for social engineering and also, in the case of enterprises or state organizations, offensive security procedures or threat intelligence. Some of those methods are more customary to certain kinds of professionals, analysts, and organizations than others, but in the end, as is the case with any kind of investigation, it is all about connecting the dots, the seemingly unconnected entities in a broad sense of that word.

Here is a small reflection of the situation within the Bitcoin ecosystem. There are a number of addresses here, some of those belonging to militant extremist groups such as the Palestinian Al-Qassam Brigades or Hay’at Tahrir al-Sham, the fellowship operating in Syria. Some of those belong to dark web vendors such as Ross Ulbricht, the founder of Silk Road; Alexandre Cazes, founder of AlphaBay; or the administration of the Wall Street Market that exit scammed in 2019. Some of those were because of law enforcement, some of those were ransomware groups, and some of those were to legitimate exchanges.

A way to perform this attribution, to be 100% certain that a specific address belongs to a specific individual or a group, is to run searches into the social media and dark web space and also into data that is provided by vendors such as DarkOwl, and I must say that DarkOwl provides fascinating amounts of information of fascinating depth, and a number of these were done with the help of DarkOwl as well. Social Links is focused specifically on the Tor Network, while DarkOwl, as David has mentioned, also pulls data from other sources such as I2P and ZeroNet. Once you get this kind of entity you can further run the transform to get to the details and then examine the contents of those entities. The source of the networks and the date and time are also stated within the properties.

Here we have another simple example of building a timeline with the timestamps from within the transactions related to a specific address and the timestamps of the mentions of that address on a dark web forum. 

All of this above is related to the situation around the exit scam performed by the Wall Street Market administration. You can see that all of the transactions and all of posts take place in the second half of April 2019.  

If we talk about profiling, there are a number of quite famous cases that have been solved by law enforcement and by analysts within those types of organizations related to de-anonymizing an owner or a senior administrator of a dark web marketplace. There is the famous Ross Ulbricht, who was using the alias Dread Pirate Roberts and a clear web alias Altoid, which was the key thing that led the American law enforcement towards him. We can gather the different data from the full spectrum of sources, or potentially we could very carefully try to profile the individual based on the way they interact with the customers, the way they interact with vendors, the way they behave online within the platform. Or we can try to profile those people in retrospect to see what is common between the individuals who have been involved in such activities that have been uncovered historically. We can see that the portrait of the criminal has changed over time to this day in 2022. All of those, Mr. Ross Ulbricht, Mr. Gal Vallerius and Mr. Alexandre Cazes, are educated individuals in different fields. For instance, Mr. Cazes has a degree in computer science. They tend to share certain views such as being Libertarian. Libertarianism was something very much associated with the motives of the founder of Silk Road, but similar motives can be speculated about other members of that community. In the case of Mr. Alexandre Cazes, the key input was an email address that was a source of messages to newcomers within the AlphaBay Marketplace, which was 10 times the size of Silk Road at its peak. The support emails were to new vendors and new members.

Here we can try an example of enriching that identifier to build this graph from scratch. This can be done with the help of something called a machine within Maltego which can automate those queries under a specific logic.  

Here at this moment it gives us an IP address from a leaked database, it gives us an account on Gravatar, [redacted account name], an account on Skype, and a number of email addresses with similar passwords, and also a number of additional database records that contain the email in the string. The IP address is further resolved into a Canadian netblock and that is resolved to an autonomous system number. Now we can try to do the same with the second email that we have here. This is giving us two Skype accounts and two additional IP addresses. Of course, we can run a search into the data lake of DarkOwl, from which we will try to extract additional details. Here this gives us the family name, it gives us the name of another individual, and a number of IP addresses and phone numbers. The IP address issue may be just a minor technical problem on the side of Social Links with integrating this, but you get the point. This gathering and structuring process is something that is done in retrospect, so this person has already been uncovered, already been arrested, and already committed suicide while in jail. But I think it’s obvious how beneficial industrial automated tools such as DarkOwl and Social Links can be in researching such individuals and investigating and doing criminal intelligence within those types of sources.

With Oxymonster, the alias that belonged to Mr. Gal Vallerius, an Israeli-French individual, the initial input point that investigators had was this vanity Bitcoin address, for which they traced the output: a number of outgoing transactions to a number of addresses, all leading to an account on a peer-to-peer platform [redacted address][.]com under the username Vallerius. That is exactly what we were talking about when we said speech patterns and idioms and idiosyncrasies. The investigators further compared the speech of Mr. Gal Vallerius on Instagram and Twitter accounts that are no longer in existence (but we do have a Foursquare profile here) with that of the user Oxymonster, and there was a certain match in the patterns. Now here we can extract additional things from the DarkOwl entities that we have as well.

In another example, with an email of Mr. Ross Ulbricht which was found in one of the posts on the Bitcointalk forum, which was initially found by matching the username Altoid with the first-ever mention of the Silk Road marketplace on [redacted address].org, we can also try to use those transforms to see what is connected to those identifiers.

Here we go to what is more commonly associated with Social Links. Social Media intelligence is our strongest side so far even though we’ve diversified the sources that we have and the methods available for them in the standard procedure of mapping out the digital footprint of an individual. If we return to the initial logical schema of those processes it is a necessity not just to focus on the user account or on the group or on the marketplace within the Tor Network or any of the other darknets. The process of investigation and analysis will take the analyst, if they’re lucky of course, into other kinds of domains which may include conventional social media. 

There is another instance for a potential use of OSINT tools in a similar scenario, but it would make sense to use it in the case of the Berlusconi Market and their administrator John Kohler Racino. The way that they were uncovered was something far more in line with the traditional work of law enforcement. They were eventually closed down as a result of the operation by the Italian Guardia di Finanza, but it was the result of operatives having ordered a number of goods from the marketplace as part of an experiment and having noted that they all came from the same post station within a small town in Italy. Here we see an example of what can potentially be found from the usernames and the accounts under the usernames that were operated by Mr. Lucino. There are two of them: one that had a presence in the Dread forum and was involved in discussions around the Berlusconi Marketplace, and another one on several marketplaces including Berlusconi, two of those sharing a single PGP open key with the pattern of the goods being shipped from Italy worldwide. There is some output from the Social Links identity search engine that also gives us a number of email addresses and IP addresses. Operations such as this can be advanced with the use of DarkOwl.

That is all of my part so far with the functional demonstration of the capabilities.

Another topic which we haven’t really focused on today, but which is quite relevant here, is the usage of those kinds of tools and the exploration and the research by professionals in the field of corporate security. The cases that we’ve shown now are somewhat more in the domain of law enforcement work and criminal intelligence analysts, but the monitoring of sources and aggregating leaked databases and data breaches are also topics relevant to the practice within the corporate sector.

How we use those tools to detect human trafficking is a very good question, and there is an organization that we have done a webinar with previously called the Anti-Human Trafficking Intelligence Initiative, with very brilliant people working in that area. They have a solution of their own that works by a slightly different principle than Social Links and DarkOwl, but yes, such solutions do exist and such practices do exist, and they have been successful in uncovering numerous instances of human trafficking and the distribution of CSAM.

David: Absolutely. Ivan, I just want to jump in and congratulate you on a really excellent presentation. As far as the human trafficking pieces, we are seeing a growth in the kind of communications and coordination that happens on the darknet for human trafficking and, even more broadly, for the CSAM types of materials. I would like to talk about one of the other questions that has been brought up, and it talks about the companies that have been involved in ransomware incident response. The amount of chatter that we see happening on the darknet for the different ransomware gangs has increased exponentially over the last two years, and we’ve tried to focus on it for quite some time. We’ve really seen how well they have taken their software to market. You can see that ransomware as a service programs have been proliferating widely through markets on the darknet. As far as identifying specific ransomware families, I think we have about 30 or 40 of them that we’ve already curated, including what cipher they are using and when we first saw them appear on the darknet, and you can use it to gather some of the pricing data that you need.

Ivan: Thank you for that, David. One thing that is easy to see even from this simple graph, which is just a reflection of the current state of affairs in the cryptocurrency industry and specifically in the Bitcoin ecosystem, is that it is very Wild West-esque at the moment. [There is] the obvious pattern of a large number of interactions with people involved in terrorism and ransomware and the trades in illicit goods in the dark web space, and human trafficking and CSAM as well, although those two categories are not reflected here. The people at the Anti-Human Trafficking Intelligence Initiative know much more about that topic. Interacting with legitimate exchanges such as Binance, Gemini, and Coinbase.

David: There’s a question from Andrew and it says: do DarkOwl and Social Links have the tech to crawl the deep and dark web? Almost all of our collection is technical, automated. There is a combination of techniques that you use to gain access, but then you cannot collect at scale just using human beings, so it’s a combination of both. We use both for this kind of collection. Then there was one question about risk management, targeted profiling and Customs control. Absolutely, specifically for the drugs portion… most of the drug shipments that we see happening on the darknet are international transactions. The largest shipper of drugs worldwide is the United States Postal Service, because it takes a federal warrant to get into a box being shipped. We see some law enforcement agencies do controlled buys. They use these tools to identify who the vendors are, how you enter and interact with them, and it’s about the speed: how do you get ahead of this and then do controlled buys. When it comes into your country you will figure out which one of your Customs agents is taking bribes from people to let those packages in. It’s both useful for looking at criminal activity and also from an internal counter-intelligence perspective.

Ivan: Thank you, David, and thank you for visiting. We are always glad to see you here.

David: Andrew, we don’t leave you hanging out there. I see your question; you’ve asked how they might go seize the ransomware payments. I don’t have any direct knowledge of how that happened, but most of these payments have to go through some form of exchange to move the money around, and they likely had access to one of those exchanges that could tell them. Because remember, there are some exchanges that are working with and cooperating with law enforcement and international law enforcement agencies, and if they get a valid warrant from a law enforcement agency to block the transaction, they can do that. Just like it would work in the international SWIFT system for blocking bank transactions through the Federal Reserve Bank of New York. I would imagine that probably something like that is how it was done.

Ivan: Yes, I actually think there was an Eastern European mixing service there.  

This is it on our part for today. Thank you everybody very much for participating, and we hope that you will contact us to talk with us further about how our solutions can be implemented into your business processes. We will be very glad to see you and will be expecting you on our further webinars that are to come. David, thank you for co-hosting.



About DarkOwl

DarkOwl uses machine learning to automatically, continuously, and anonymously collect, index and rank darknet, deep web, and high-risk surface net data, which allows for simplicity in searching. Our platform collects and stores data in near real-time, allowing darknet sites that frequently change location and availability to be queried in a safe and secure manner without having to access the darknet itself. DarkOwl is unique not only in the depth and breadth of its darknet data, but also in the relevance and searchability of its data, its investigation tools, and its passionate customer service. Our passion, our focus, and our expertise is the darknet.



DarkOwl Continues to Build Meaningful Relationships at OsmosisCon

October 28, 2022

Last week, DarkOwl participated in OsmosisCon, an Open Source Intelligence Skills-building Conference, in Tampa, FL. The annual, training-oriented event consists of workshops and classes, led by industry leaders focusing on the latest OSINT and SOCMINT tools, that earn Continuing Education Credits (CEUs). In addition, the exhibiting companies provide real-world examples of industry-standard products and services, allowing attendees to either advance their own research or find a solution for their company.

The networking and consulting opportunities at OsmosisCon are incredibly valuable for anyone in the OSINT space, whether you participate in the pre-event workshops and presentations, speak during the networking events, or join via the virtual conference platform. Sessions this year covered a wide range of OSINT topics, including artificial intelligence threats, identifying unknown users on social media, foreign searching practices, countering sex trafficking, OSINT methodology, digital data, and more.

The Osmosis Institute’s mission is “to educate and train cyber intelligence investigators, researchers, reporters, and analysts on OSINT and SOCMINT techniques and best practices.” Their statement continues to say, “to that end, we seek to foster professional growth in our community. We strive to inform professionals on how to protect personal privacy data and abide by national and international laws and ethics standards.” OsmosisCon allows them to put this mission into practice and in its 8th year has continued to grow and bring hundreds of cyber intelligence analysts together.

Representing DarkOwl at OsmosisCon was Steve O’Rourke, Account Executive, and Damian Hoffman, Product Engineer and Data Analyst, based out of DarkOwl’s headquarters in Denver. 

DarkOwl was one of the first to present at the conference, in what was described as a highly-attended well received session. Damian’s presentation, “Finding Actionable Intelligence in Dark Web Data for OSINT Investigations,” focused on how the dark web is an essential source of information for OSINT investigations across a wide variety of use cases. His talk reviewed some of the considerations that should be taken when using dark web data, how the data can provide value for investigators, and offered DarkOwl’s perspective on the techniques and tools needed to maximize the utility of dark web data.

“This is my second year attending OsmosisCon and we find it to have a great balance between training and education, networking, and getting feedback on our product. It is also nice to see so many clients present! I know many attendees share the same sentiment when I say that I am excited for next year’s event in New Orleans and to see this conference continue to grow in attendee turnout and presence,” shared Steve.

DarkOwl looks forward to OsmosisCon 2023 and hopes to see both familiar and new faces in New Orleans!

Popular Cybersecurity Threats & Topics Being Discussed on the Darknet

October 27, 2022

To round out Cybersecurity Awareness Month, we’ve gathered some of the hottest cybersecurity topics being discussed amongst actors on the darknet and deep web.

Cybersecurity Awareness Month has been enlightening for consumers and businesses alike. Many information security professionals and vendors have shared guides this October on topics like multi-factor authentication, zero trust, and other cyber resilience measures to hopefully help soften the impact of a significant corporate cybersecurity incident. The adage, “it’s not a matter of if you will be breached, but when…” might feel more and more real as the list of ransomware and corporate network attack victims continues to grow.

So, before the month’s end, in the spirit of spreading collective awareness, our analysts took a closer look at some of the most popular cybersecurity threats and threat actor attack vectors discussed on the darknet.

Ransoming – Linux

There’s no question that ransomware continues to be one of the most popular threats utilized against commercial organizations, especially small and medium-sized businesses that lack enterprise-level information security budgets. Threat actors are increasingly interested in exploiting Linux-based systems and servers, and, lately, DarkOwl analysts have directly witnessed an increase in technical conversations related to the subject. LockBit was one of the first ransomware strains to specifically target Linux-based VMware ESXi virtualization servers, encrypting the vCenter infrastructure and virtual machines (VMs). Other ransomware gangs like BlackBasta have followed suit, using SSH vulnerabilities and compromised credentials to deliver the ransomware to the server.

Figure 1 – Source: MalwareBytes

While many corporations run Windows or Mac client machines, Linux servers are the predominant server of choice for backend operations in enterprise commercial systems, hosting critical intellectual property and sensitive data. The type of data available in a ransomware campaign involving Linux servers attracts ransomware groups for the higher probability of ransom payment and the potential exploitation of sensitive information for cyber espionage.

Go Phish – Attackers continue to target marketing tech such as Google Adwords

Phishing is still a widely utilized and prominent attack vector discussed on the darknet for gaining unauthorized access to corporate networks. Threat actors discuss phishing methods, offer “MASTERCLASSES” on the subject for sale in decentralized marketplaces, and regularly advertise phishing email templates for major commercial entities like Google, Apple, and Microsoft.

Some commonly discussed phishing methods are designed to target corporations’ social media accounts held by marketing departments. Others intentionally leverage social media relationships like employees’ LinkedIn connections to trick the victim into clicking on a document shared by a ‘friend.’

Figure 2 – Source: Tor Anonymous Network

In the example below, threat actors directly leverage Google ADSENSE Adwords for serving up phishing URLs. These are deployed to unsuspecting victims who inadvertently select the malicious URL because it appears at the top of their search results.

[ORIGINAL POST]
“Ответы: 1
Форум: Поиск партнеров,инвесторов, поставщиков
КУПЛЮ Настройка рекламы Google ADSENSE
Ищу профессионала, кто создаст рекламу по продаже ПРАВ,ВУ в гугле адс.
Способ оплаты:
1. Фиксированная оплата за настройку и пропуск рекламы в гугле.
2. % от продаж ( при блоке рекламы, вы сами запускаете новую рекламу) – Хороший выхлоп.
P/S. Писать строго, кто разбирается в данной теме по…”
[TRANSLATED]
“Replies: 1
Forum: Looking for partners, investors, suppliers
WANT TO BUY: Google ADSENSE ad setup
Looking for a professional who will create ads in Google Ads for the sale of driver’s licenses (“prava”, “VU”).
Payment method:
1. Fixed payment for setting up the ad and getting it past Google’s review.
2. % of sales (if the ad gets blocked, you launch a new ad yourself). Good payoff.
P.S. Write only if you really understand this subject…”
Source: DarkOwl Vision

These elaborate phishing campaigns frequently result in successful corporate email compromise and occur daily. What’s more, they are getting increasingly sophisticated with targeted spear-phishing methods employed.

Phishing via SMS (a.k.a. smishing) has increased in popularity.

One example of a successful smishing campaign we’ve seen discussed on the darknet has been a fake emergency ‘smishing’ text from executives sent to employees in the organization, designed to not only confirm the phone number of the employee, but potentially drop malware via a follow-up malicious link.

DarkOwl IT provided the example to the right, which depicts an attempted smish of a DarkOwl employee using an executive’s identity.

Server Vulnerabilities – Microsoft Exchange

Like the Linux server ransomware strains, darknet threat actors actively seek server-specific vulnerabilities for potential exploitation and server data compromise. DarkOwl analysts have lost count of the number of Microsoft Exchange-related compromised organizational data leaks surfaced by hacktivists participating in the Ukraine-Russia cyberwar. Over a dozen Exchange vulnerabilities added to the NVD in 2022, and even more in 2021, provide threat actors plenty of opportunity for remote code execution (RCE), privilege escalation, file read-write access and arbitrary file deletion on a compromised Exchange server.

Most of the RCE vulnerabilities include malware delivery via PowerShell. Microsoft security advisories strongly suggest that Exchange Server customers disable remote PowerShell access for non-administrative privileged users in their organizations.

While ProxyNotShell is getting lots of recent attention, some of the Exchange vulnerabilities DarkOwl has observed being discussed do not require authentication to execute malicious code. Proof of concept code is also often referenced on darknet discussion forums and Telegram channels, making the vulnerabilities even easier to exploit for less adept cybercriminals.

Several of the large database leaks observed by DarkOwl resulting from a successful Exchange server attack are dumps of every email and attachment from every inbox on the compromised on-prem server. These vulnerabilities do not apply to Microsoft Online or Microsoft 365 cloud mail services.

Server Vulnerabilities – Atlassian Confluence

Another server vulnerability that is being discussed in darknet discussion forums is a remote code execution vulnerability that affects Confluence Server and Data Center (described as CVE-2022-26134 by the NVD).

As of this summer, the vulnerability has reportedly been patched by Atlassian with the release of versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1; however, the vulnerability is still being pursued by cyber criminals.

In fact, multiple threat actors – with varying motivations and intentions – have expressed specific interest in Confluence-related security vulnerabilities. Another, tagged 26138, involved a hardcoded password for the user account disabledsystemuser. Threat actors believed to be associated with nation state actors, and users specializing in cryptomining, have indicated this vulnerability allows production environments to be compromised, new administrator accounts to be created, and malicious access to corporate networks to be granted. The ransomware gang AvosLocker targeted vulnerable Confluence servers with their command and control at scale earlier this summer.
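A defender-side check that classifies inventoried Confluence Server/Data Center versions against the fixed releases for CVE-2022-26134 listed above. This is an added example, not code from the original post or from Atlassian; the fixed-version list is taken from the text, while treating any release newer than the newest listed fix as fixed, and any release on a branch with no listed fix as needing an upgrade, are assumptions, as are the hostnames in the constructed inventory.

```python
"""Classify Confluence versions against the CVE-2022-26134 fixed releases
named in the text. Added example, not part of the original post."""

from typing import Dict, Tuple

# Fixed releases as stated in the text, keyed later by major.minor branch.
FIXED_RELEASES = ("7.4.17", "7.13.7", "7.14.3", "7.15.2",
                  "7.16.4", "7.17.4", "7.18.1")

# Constructed sample inventory ("host version" per line); hostnames and
# versions are made up for the example.
SAMPLE_INVENTORY = """\
wiki-prod-01 7.13.6
wiki-prod-02 7.13.7
wiki-dev 7.18.1
wiki-legacy 7.5.3
wiki-new 7.19.0
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '7.13.7' into (7, 13, 7); a trailing tag such as '-ltr' is
    ignored. Raises ValueError for anything that is not dotted integers."""
    core = text.strip().split("-", 1)[0]
    parts = tuple(int(p) for p in core.split("."))
    if len(parts) < 2:
        raise ValueError(f"unrecognised version string: {text!r}")
    return parts


def _fixed_by_branch() -> Dict[Tuple[int, ...], Tuple[int, ...]]:
    """Map each major.minor branch to its fixed release tuple."""
    return {parse_version(v)[:2]: parse_version(v) for v in FIXED_RELEASES}


def classify(version: str) -> str:
    """Return one of:
       'fixed'         - at or above the fixed release for its branch, or
                         newer than the newest listed fix (assumption)
       'vulnerable'    - same branch as a listed fix, but below it
       'no-fix-listed' - the text names no fixed release for this branch;
                         treated as needing an upgrade to a fixed branch
                         (assumption)
    """
    v = parse_version(version)
    fixed = _fixed_by_branch()
    newest = max(fixed.values())
    if v[:2] in fixed:
        return "fixed" if v >= fixed[v[:2]] else "vulnerable"
    if v > newest:
        return "fixed"
    return "no-fix-listed"


def triage_inventory(inventory: str) -> Dict[str, str]:
    """Map each 'host version' line to its classification. Malformed lines
    are reported as 'unparseable' rather than silently skipped, so a host
    never drops out of the report because of a typo."""
    result: Dict[str, str] = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _, ver = line.partition(" ")
        try:
            result[host] = classify(ver)
        except ValueError:
            result[host] = "unparseable"
    return result


if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:14s} {status}")
```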


As attack vectors continue to evolve, having eyes on the darknet is critical for any company looking to establish a comprehensive cybersecurity posture. To learn more about how the darknet applies to your use case, request a time to chat with one of our team members.

Darknet Cyber Actor Spotlight: Bjorka

October 19, 2022

DarkOwl analysts regularly follow threat actors on the darknet who openly discuss cyberattacks and disseminate stolen information such as critical corporate or personal data. Such analysis helps DarkOwl’s collection team direct crawlers and technical resources to potentially actionable and high-value content for the Vision platform and its clients.

Bjorka Terrorizes the Indonesian Government

In the last two months, a cyber threat actor known by the alias Bjorka has been terrorizing the Indonesian government by targeting vulnerable systems and doxing key officials. After compromising their targets, Bjorka has been leaking sensitive databases from key Indonesia-specific organizations, such as Indonesia’s central mobile telecommunications provider. They’ve also released data from servers storing correspondence from the Indonesian President.

DarkOwl analysts have observed that the threat actor has become increasingly emboldened in their attacks against Indonesia. They have expanded their operations, stirred up real-life darknet drama by claiming that “the wrong hacker was arrested,” and have repeatedly put out calls for cyberwar against the Indonesian government.

Trolling Indonesia Government Causes Deep Web Forum Chaos

The actor known as Bjorka joined Breach Forums in early August 2022 and immediately gained attention from the forum community. They contributed to the underground forum – known for circulating commercial and government data leaks – by sharing databases containing millions of records of personally identifiable information (PII) from the WattPad and Tokopedia commercial websites. Both sites were reportedly compromised in 2020.

Bjorka subsequently engaged in more activity on the forum that indicates they were targeting Indonesian entities. This includes:

  • A post containing a database of 26 million records of personal data exfiltrated from the Telkom Indonesia provider, IndiHome, which they uploaded and made available free of charge.
  • Posts offering for sale a Ministry of Communications and Information Technology (KOMINFO) database of over 1.3 billion Indonesian SIM card registration records and an Indonesian citizen database stolen from the General Elections Commission.
  • A post sharing a controversial archive containing a collection of “secret” letters sent on behalf of President Joko Widodo (Jokowi) by the Indonesian government’s State Intelligence Agency – Badan Intelijen Negara (BIN).

In addition to database leaks and doxxes, Bjorka has revealed controversial political information related to investigations inside Indonesia, which prompted social unrest. For example, Bjorka identified Muchdi Purwopranjono – an Indonesian politician, former major general in the Kopassus, and head of the BIN – as responsible for the murder of a prominent human rights activist, Munir Said Thalib, in September 2004.

Bjorka has also shown particular interest in Ferdy Sambo and the Brigadir J murder case; Ferdy Sambo, former head of the police Propam Division and Inspector General of Police, is one of four suspects accused of the shooting of Brigadir J in July 2022.

On Telegram, Bjorka named another Indonesian official, Tito Karnavian, Ferdy Sambo’s supervisor, as a person of interest, claiming that Tito knew all about Brigadir J’s murder.

Figure 1: Source Breach Forums, Tor Anonymous Network

The cyberattacks against ministries across the Indonesian government, including the “President’s Letters” as they’re commonly called, caused Bjorka’s popularity in the Indonesian hacking community to skyrocket. Many referred to Bjorka as the “Indonesian Spartacus”. The influx of non-English speaking forum members prompted the site’s administrator, pompompurin, to post a notice demanding the new users behave themselves and post messages in English. The forum – as of time of writing – sits at over 172,000 member accounts, a user growth of nearly 3x the number of users DarkOwl observed in July.

In late September, Bjorka also shared a personal plea for the new Indonesian forum members to follow the rules.

“FOR EVERYONE WHO COMES FROM INDONESIA AND CAME HERE BECAUSE OF ME, PLEASE FOLLOW THE BF RULES 
BECAUSE ALL THE STAFF AT BF ARE TIRED OF A BUNCH OF IDIOTS FROM INDONESIA WHO DON’T FOLLOW THE RULES.
USE ENGLISH BECAUSE BF IS AN INTERNATIONAL FORUM, SO STOP USING YOUR LOCAL LANGUAGE.”
– Quotes Directly From Bjorka on the deep web site Breach Forums

The influx of Indonesian-based forum members brought with it general criticism and negative sentiment regarding the Indonesian government, especially the Ministry of Information. 

“With all of the Indonesian crap taking place in here, I wouldn’t be surprised that Indonesian intelligence are joining here in sheer numbers”
“The reason why most Indonesians supported Bjorka … because they are clowns, literally an entire circus, their ministry of information and technology is literally a graduate of agriculture”
“Their security is honestly a joke at this point”
“I’m from Indonesia but I signed up not to be able to meet Bjorka but to learn to break into a database and share even though it’s my own country’s database, I’m doing this to fight a stupid government just because of one case they can be like children who can only cry and can only cry corrupt people’s money rather than the people’s interests. Sorry for the long post, greetings from Indonesia.”
– Posts from other forum users regarding Indonesia and Bjorka 
Figure 2: Source Breach Forums, Tor Anonymous Network

Some Leaks Confirmed As Valid

Many leaks that surface on darknet forums like Breach Forums are met with skepticism about their legitimacy. Even breaches like Paytm, which appeared earlier this summer, have had information security researchers respond – after the fact – that the information contained in the leaked database was fabricated, likely compiled from other leaked open sources.

In mid-September, the Head of the National Cyber and Encryption Agency (BSSN) in Indonesia publicly stated that President Joko Widodo’s documents and letters, as well as ministers’ personal data, were valid. With the surge of additional leaks during September, however, there have been numerous denials from Indonesian government officials of the legitimacy of the leaks, antagonizing and frustrating many threat actors on the forum. According to open-source news reporting, the Indonesian Ministry of Communications had also launched an investigation into the IndiHome data leak.

Who is Bjorka?

While Bjorka recently gained notoriety for their activity on Breach Forums, it’s no surprise DarkOwl discovered they were also active on the forum’s predecessor, Raid Forums. A user with the same moniker joined RaidForums in November 2020 and their profile includes a muted version of the same avatar image. According to DarkOwl Vision archives of RaidForums, in April 2021, they promoted their digital data project, leaks[.]sh, as a leaked database search engine built on ElasticSearch using commercial and government leaks shared by the forum administrator Omnipotent and other data brokers on Raid Forums. They also maintain the Surface Web domain bjork[.]ai.

Bjorka claims on their Breach Forums account profile that their physical location is Warsaw, Poland, and social media accounts related to the threat actor continue the Polish-connection narrative, claiming ties to a “smart old man in Warsaw” who experienced Indonesia’s injustice in 1965. This is likely a reference to September 1965, when the Indonesian Army carried out mass killings and imprisonment of members of the Communist Party of Indonesia, Gerwani women, ethnic Javanese, and ethnic Chinese.

While little is recorded about the 1965-66 political killings in East Java, there is research in the Journal of Genocide Research covering how the military influenced civilian perceptions and created divisions between the political left and right. The threat actor continued that their friend could not be tracked down.

“yea don’t try to track him down from the foreign ministry. because you won’t find anything. he is no longer recognized by Indonesia as a citizen because of the 1965 policy. even though he is a very smart old man” – Source Twitter (@bjorkanism)

According to social media in mid-September, the Bjorka “team” possibly expanded to include another darknet forum member known as strovian after the threat actor posted threads to Breach Forums in September calling Indonesian intelligence, BIN “stupid.”

Figure 3: Source Breach Forums, Tor Anonymous Network

The threat actor strovian – active on Breach Forums since April 2022 – has targeted servers in Indonesia and offered multiple databases for sale. The strovian cybercriminal appears to have exfiltrated databases detailing the identities of Indonesian police officers (POLRI DB) and Indonesian customs officers (DIRJEN BEA CUKAI). They also offered a BIN intelligence database for sale stolen in 2020 from a Foreign Affair Intelligences Deputy. strovian offered a similar Police Database on RaidForums in February 2022, prior to its seizure and shutdown.

Some conspiracy theorists suggest the Bjorka team and the attacks against KOMINFO originated with the Indonesian government, “like ISIS was created by the US Government” as a societal distraction from other geo-political agendas and corrupt initiatives or formed as a justification for state budget increases. 

Recent social media posts across Twitter, YouTube, and TikTok – many from accounts using the infamous Anonymous Legion Guy Fawkes mask – suggest that the Bjorka hacker is neither a name nor a person, but instead is a nation-wide hacking “movement” and represents social justice for the Indonesian people.

A dark, ominous, “Anonymous” styled video released on YouTube in September openly declared ‘cyberwar’ with the Indonesian government on behalf of the Bjorka cause. 

Figure 4: Source hxxxs://www.youtube.com/watch?v=1CTKtorlnf4  
[TRANSLATED IMAGE]
“The name Bjorka represents the Indonesian people.” 
Figure 5: Source YouTube Link REDACTED
[TRANSLATED IMAGE]
“with this we will declare a cyber war with the Indonesian government.”

There are multiple mentions by Bjorka directly that they are a result of ‘monsters’ and of Indonesia’s five-pillared state philosophical principle called Pancasila, which translates to “the five bases.”

The threat actor claims Pancasila was not proven and not completely implemented in Indonesia. The national emblem of the country incorporates the Pancasila ideals, and any criticism of the philosophy is forbidden by law, possibly resulting in criminal charges.

Figure 6: Source Wikipedia
[TRANSLATED IMAGE]
“- Belief in the one and only God. 
– Just and civilized humanity.
– The unity of Indonesia.
– Democracy guided by the inner wisdom in the unanimity arising out of deliberations amongst representatives.
– Social justice for all of the people of Indonesia.”

Critics of Pancasila are often angry that the philosophy does not include the right to atheism, i.e. the rejection of any theistic belief, but it is extremely unclear what Bjorka really believes regarding Pancasila and how it’s impacted them so deeply.

Bjorka claims the “country is in a bad situation with rising fuel prices” and political corruption. One of their more recent social media posts says they will next target citizens’ debt data, and “forfeit all online loan applications and delete all data.”

Figure 7: Source Twitter, October 4, 2022

Bjorka Mocks Indonesian Government

In mid-September 2022, Bjorka shared a post titled, “THE INDONESIAN GOVERNMENT IS LOOKING FOR ME?” citing reports that the Indonesian government had formed a ‘special team’ to hunt the cybercriminal down.

Bjorka alleged that the State Intelligence Agency (BIN) and the National Police had incorrectly identified and arrested a young man using the Instagram account (@volt_anonym) as the Bjorka hacker, but the real Bjorka, active on the forum, claimed this was all false information and that they were very much free from jail.

Figure 8: Breach Forums, Source: Tor Anonymous Network

Bjorka stated they had direct insider knowledge from a friend at the palace of the President, and that the President was soon going to dismiss the Minister of Communications and Information Technology. They encouraged the President to hire someone “tech savvy” instead of political partisans or military officers.

On social media, the actor claimed they did not want to harm the citizens of Indonesia, and that their intent was to expose security vulnerabilities and weaknesses in Indonesia’s networks. They followed by posting the personal information (dox) of several high-ranking Indonesian government officials on their Telegram account. The data set included phone numbers, email addresses, full names, gender, NIK (identity number), KK (family card), physical addresses, and vaccine numbers.

After releasing the data, Bjorka teased officials directly on social media who dismissed their leaks as unimportant. 

“How are you, Mr. @Mohmaffudmd? Are you still sure that no important data has been leaked?”
– Source: Twitter

On the birthday of the KOMINFO Minister, Johnny G. Plate, Bjorka posted “Happy Birthday” along with a detailed dox of the minister’s personal information. Much of the information had already been uploaded to another popular doxing deep web site in August. Bjorka followed with sharp words for the minister on social media:

“This is a new era to show differently. Nothing will change if fools are still given immense power. The supreme leader in technology should be assigned to someone who understands, not a politician and not someone from the armed forces. Because they are just people – stupid people.”
– Source: Twitter

At the end of the month of September, the threat actor initiated a thread titled, “NATIONAL CYBER AND CRYPTO AGENCY OF INDONESIA” and included a CNN Indonesia news article reporting that the BSSN had increased its budget directly because of their data leaks. They included in the post, the name and photograph of the head of the agency along with a detailed dox and images of his identification cards.

According to open sources all the hacktivism against Indonesia by Bjorka has resulted in changes in government policy. Indonesia enacted its first personal data protection bill at the end of September. The bill imposes sanctions and criminal charges on organizations that fail to safely secure personal data. Individuals are also able to claim compensation for data breaches.

Bjorka Started Something That Shows No Signs of Slowing Down

During the month of September, Bjorka posted the several high-profile leaks mentioned earlier, but their fervent followers and other darknet cybercriminals targeting Indonesia have leaked dozens more databases and sensitive data such as: Indonesia’s car registration databases, citizenship databases from the Ministry of Social Affairs, an Indonesian tollway operator, and government social assistance systems. Bjorka’s efforts indeed appear to have launched a concerted movement against Indonesia and what its citizens jokingly call an “open-source country.” (See REFERENCE – Sample of Indonesia-Related Data Leaks at end of document)

A twist to the Bjorka movement narrative is a thread titled, “66 GB Indonesia Department of Communication and Information Technology” shared by a Breach Forums user named toshikana on September 13th. The forum user, who joined in July 2022, refers to something called “Operation Garden of the Gods” that they and one other threat actor carried out with the intention to:

“improve the Quality of the Department but not limited to: Education, Cybersecurity, Consistency, Human Resources, On Target Budget Utilization and Good Communication since the name of your Department is Department of Communication and Information Technology but the fact is that You always fail to Communicate.”
– Post from user toshikana

The post also includes the data leak links for the KOMINFO database that Bjorka had shared earlier and then continues with an epilogue referring to the “General” and states their Group – which includes the General – was offered a large sum of money in August to target the Department of Foreign Affairs but they sent warning emails to the Minister Prabowo because they are not supporting any kind of “Revolution.” 

toshikana implies that someone knowledgeable of this underground community and its members sought to finance the cyber operation and sow chaos in Indonesia.

“With the permission of the General, we will securely store the rest Data classified as Confidential/Secret/Top Secret in our server until we see a significant change from you, we will not sell, share or use this. I’m sure we all agree that something that is promised to be safe, in the future it must remain safe and so is Confidential Data, it must remain Confidential, even if it is old Data or Data belonging to Poor People, isn’t that right Plate? what about you Semmy? Dedy? BSSN? and the Department of Health?
What we both will never breach/leak: anything related to Civilians/Poor People, Department of Foreign Affairs, Department of Defense and the Indonesian Military…. you’re welcome.
Also since our Group was offered a large sum of Money from a dozen People over Jabber to breach the system of the Indonesian Department of Foreign Affairs and Defense and sell the data to them, on Aug 25, 2022 one of our Lieutenants had sent a warning Email along with the evidence to the two Departments, also had sent an Email to Minister Prabowo about the huge potential of Cyber Espionage, but my sixth sense tells me that our Email was not read or it was read but only considered as a joke, with tremendous interest from them, you may have to pay attention to this one and don’t let your eyes closed.”
– Source: DarkOwl Vision

The surge in Indonesia-specific activity by other cyber actors might have prompted Bjorka to share personal information about themselves with their online community. Last week, Bjorka revealed their gender on Telegram, claiming they were “just a girl hiding behind a computer” living happily in Poland and they will “disappear for a while” due to so many issues in Indonesia. They also dismissed any suggestion that Bjorka was a ‘team.’ 

Perhaps the posts stating strovian had joined their efforts and the drama-filled threads from toshikana were simply a psychological operation, a possible diversion for the Indonesian government and intelligence teams’ digital investigators, or an attempt to emphasize that Bjorka is much larger than one person and is a movement inspiring a social revolution in Indonesia.

Figure 9: Source Telegram

As of October 13th, Bjorka’s Telegram channels had all been shut down by Telegram staff, and Bjorka quoted administrators stating, “even private channels can also be taken down.” Bjorka’s Twitter account (@bjorkanism) was also suspended due to “rules violations,” which they contest, stating that staff from both platforms are simply actioning requests submitted by the Indonesian government. They included an ominous threat against Twitter if their account is suspended again.

“I will promise to delete twitter from play store if he suspends me again.”
– Source Twitter

Figure: Sample Indonesia-Related Leaks

DarkOwl Sources

DarkOwl is an open-source intelligence (OSINT) platform that aggregates information from various underground sources to discern actionable and meaningful intelligence that can be utilized across multiple industry sectors including commercial applications, law enforcement, and national security initiatives. 

Remembering the subtle differentiations between data, information, and intelligence, DarkOwl’s key sources of raw data are described here.


This investigative research relies on a wide body of all-source intelligence, including sources such as the surface web, deep web and darknet. This information was gathered via numerous investigative platforms, including DarkOwl Vision product offerings. To learn more about DarkOwl’s product suite, contact us.

[Webinar Transcription] Cowbell x DarkOwl: Into the Dark with a Flashlight

October 14, 2022

Or, Watch on YouTube

DarkOwl’s Chief Business Officer, Alison Halland, the Director of Strategic Alliances at Cowbell, Jessica Newman, and Cowbell’s Director of Risk Engineering, Manu Singh, sit down and discuss the building blocks of the darknet and organizational risk, what darknet data exposure means for small to medium sized businesses, and how Cowbell uses DarkOwl’s darknet data to generate dark intelligence scores for each of their policyholders. They also dive into the value-add of a Cowbell policy to their policyholders: free reports from Cowbell’s risk engineering team that utilize DarkOwl’s darknet data to assess and mitigate cyber risk to businesses.

For those that would rather read the presentation, we have transcribed it below.

NOTE: Some content has been edited for length and clarity


Jessica: I want to welcome you all. We are really excited to have you on behalf of Cowbell and DarkOwl. We are here today to talk about the dark web, which is hopefully an interesting and fun topic of conversation. From what we hear, everyone typically perks up when the dark web is mentioned. It’s a topic that gets a lot of questions and a lot of interest. Our intention today is to arm you with enough information about the dark web and about how Cowbell uses the dark web to feel comfortable talking about the dark web with your customers.

Quickly I will introduce myself, my name is Jessica. It’s great meeting you and being with you today. I run point on our cybersecurity partnerships here at Cowbell… I’m going to let our panelists introduce themselves. We’re really excited to offer their expertise to you all today. Alison do you want to start by introducing yourself?

Alison: Absolutely. I’m Alison Halland with DarkOwl, and we’re based in Denver Colorado. I’ve been with the company for over 6 years and we are Cowbell’s darknet partner. We provide our darknet data to Cowbell and it’s been a great partnership. I’m excited to be here talking to all of you and hopefully you can walk away with a little more information about what the darknet is and how it can be helpful as you talk to your clients looking at getting policies.

Manu: Thanks Alison, thanks Jessica. Glad to be here today. I’m Manu Singh, and I’m the Director of Risk Engineering here at Cowbell. My team assists our policy holders through our continuous risk assessment process. That includes understanding our Cowbell cyber platform, our Cowbell factors, understanding how our AI and machine learning scans are used to develop insights and recommendations, as well as some of the data that we add off the dark web thanks to the assistance of DarkOwl. My team— ultimately our goal is to reduce the frequency and severity of data breaches and cyber incidents for our policy holders. We certainly do that by generating our dark web data reports, and again that is with the assistance of the data that DarkOwl is providing for us.

Jessica: Awesome. I want to kick things off. We’re going to have this be as interactive as possible so please feel free to ask questions, utilize that chat, if questions come up we want to make sure that we’re answering them. I want to kick things off with a question for those of you who are joining us today: I want to understand if the dark web is a topic is of interest to your customers today. Is this something that comes up a lot or do you see [the dark web] as an angle that you can use when you’re selling cyber insurance? There’s a question up there now: How confident are you at discussing the dark web with customers? Do you feel very confident, neutral, or that this is totally new to me? I’ll give you a second to place your vote…. there are some results showing that people are pretty neutral. This is actually really good news. My hope was that you don’t feel very confident in discussing dark web and that you’ll leave today feeling much more so. That gives us a really good place to start from.

Alison I’m going to kick it over to you if you can give our audience a quick overview of what is the dark web. I think having that basic understanding of what it is and what happens there will help us understand how we can then talk to customers about it.

Alison: Excellent. So as Jessica said, let’s step back and define the darknet so that you are all operating under the same kind of information. At this point in time it’s a buzz word that we’ve all heard, especially if you’re paying attention to media or newspapers. It usually comes along with an image of someone in a black hooded sweatshirt with all sorts of code in the background. I want to unravel that a little bit and talk through exactly what the darknet is.

We at DarkOwl consider the surface web to be anything that’s indexed by a search engine. Think about when you open up Google, you put in a search term, you hit enter. All of those results are by definition the surface web. They are indexed and you can click on them. And interestingly, despite hundreds of thousands of results coming up on Google, that only represents about 5% of the internet. Hence the iceberg analogy: this is the tiny piece that is above the surface of the water.

The deep web makes up essentially the other 95%. The deep web is nothing scary or dangerous. In fact, I guarantee that everyone on this call was on the deep web today or yesterday. The deep web is content that sits behind a username and a password – or content that is not indexed by a search engine. What I mean by that is if I go into Google, I might not be able to pull up the deeds on all the houses in Denver within the search engine. But if I go to denver.gov I can find that information. Or, for instance, I logged into my bank website this morning and I paid my water bill. That is deep web content – I can get there with a username and password but all of you can’t access my bank account. That is where the majority of the internet resides. There’s so much that sits behind usernames and passwords.

The darknet, where DarkOwl specializes, sits below both of those. It is an undefined and hard to quantify space, but, in comparison to the deep web and the surface web, it is much, much smaller in volume. The reason it’s important and significant is that by definition the darknet allows you to remain anonymous. That is the darknet’s defining feature. If you want to nerd out over it, the darknet was actually developed by the US Naval Research Laboratory in the 90s to allow folks serving to remain anonymous. As we all know, what does anonymity bring? It brings an opportunity to do things without being found. Hence the illegal activity that happens on the darknet. But I want to be very clear that the darknet in itself is not a bad thing. It is not illegal to go onto the darknet. You do need to download special software. Some of you may have been on Tor.

The key takeaways here are: for the darknet you have to download special software, it’s kind of a pain to get onto it, however, it is not illegal, and anyone is able to access it, and the defining feature is that you are able to remain anonymous when interacting on the darknet. And the best way to visualize this – and you all will know what generation I was born in by my analogy – when you used to watch the Price is Right you’d have that game with the little chip that would go down through all the slots. That’s essentially what’s happening on the darknet with your IP address. The ability to track someone back to an IP address is almost impossible on the darknet, whereas if I go to Cowbell.com, Cowbell has an awesome marketing team, they most likely know where I came from, what my IP address was, what pages I looked at, and how long I stayed there. Those same tracking metrics do not exist on the darknet.

Why do we care about the darknet? Why is it something that we are all on the phone to talk about? The takeaways here are usage on the dark web. I go interchangeably between dark web and darknet – we use them interchangeably at DarkOwl. But there was an 80% increase in usage over the last 3 years. Millions of users are connecting through the Tor browser, which is the best-known darknet out there. This is a very lively and active community of folks. It may not be as big in quantity compared to the deep web or the surface web, but there’s a lot of activity going on there. That’s why we are all focused on it, and that’s why we at DarkOwl are in business.

Obviously all of you are in the insurance space –so why is it important to understand what DarkOwl does and what darknets exist out there? The kind of stuff you are going to see on the darknet is exposed credentials, you are going to see IP addresses, you are going to see people buying and selling social security numbers, people trading gift cards, people posting ransomware, and people selling services to conduct malicious activity against organizations. You name it and it is being transacted on the darknet.

As a company, whether you are tiny or humongous, you need to understand what that looks like for your own organization. Jessica and Manu and I think a lot about: how can this data be helpful for our respective clients? And the best way to think of it is as an exposure vector. Most people on the darknet are there because they are doing something illegal and taking advantage of the ability to remain anonymous. If you as an organization have content on the darknet, whether it is emails or trade secrets or anything – that is a concern. That is why we’re all on this call today. We’re going to get into how Cowbell uses that information and what you can all leverage to help inform your clients why it is important for them to understand their darknet presence.

Jessica: You can see here the quantity of data that DarkOwl has, DarkOwl being Cowbell’s partner for dark web intelligence. What we want to impress upon our customers is that with Cowbell, it’s not just a cyber insurance policy that you are getting. You’re getting all the intelligence that Cowbell has from our partners as well. And DarkOwl is the crème de la crème of dark web intelligence. This is a value-add that’s above and beyond what other cyber insurance carriers might offer. And that’s a huge piece of information to keep in mind when talking to customers. The dark web is not just one place, it’s several different places. Many of you may have heard of platforms like Telegram or Discord. These are encrypted chat spaces that DarkOwl collects information from as well.

Alison, quick question for you: most people think to themselves, I am a small business, my information is probably not on there, and if it is on there what can someone really do with it? Can you speak to the amount of exposure you see for small businesses? Let’s say a bad actor has access to an email address, what could they even do with it?

Alison: Right. We get that question quite a lot. The answer is contrary to what most folks think. The vast majority of attacks, whether it’s ransomware attacks or cyber incidents, are targeted at small and medium businesses. Part of that is because that’s an easier feeding ground. A lot of those small to medium businesses don’t have the tech staff or the budget to have cybersecurity tools in place. Yes, you read in the front of the Wall Street Journal that a Fortune 500 company experienced a huge breach. But the ones you don’t necessarily hear about are all the small and medium businesses that are getting targeted day-in and day-out. The risks can be higher for those small and medium businesses… An IBM is going to be able to weather that storm, whereas a small or medium business might not be in a position to deal with a huge ransomware attack. The first question you asked, Jessica – it absolutely is important for anyone, whether you are a business of two people or two billion.

And the second question is what can they do with an email address? Quite frankly they can do a lot. They can find their way into that organization. A lot of content we see on the darknet will have passwords associated with it. Think about a hacker that has stolen information. And a small to medium business’ employee uses that same password for their Spotify account that they do internally for work. Because of password re-usage, that hacker can access the internal systems of the small to medium business and take down information. The business could be vulnerable to social engineering. We see a lot of executives targeted at small to medium-sized businesses. There are many vectors present on the darknet that threat actors could use to get into the organization from a technological standpoint or to social engineer their way in.

Jessica: That’s the perfect segue over to Manu, which is the “so what?” What does Cowbell do with this data? How do we understand at what level of risk a company faces when it comes to dark web exposure? Manu, if you wouldn’t mind, give us an understanding of how Cowbell uses this data and what is available to customers above and beyond what they see in their dashboard? In their Cowbell portal on the platform.

Manu: Absolutely. The way we look at it, DarkOwl’s data is directly aggregated from forums off the dark web. This is valuable data to Cowbell since we’ve created a dark intelligence score for each one of our policyholders in the form of a Cowbell factor. This score helps us determine what the level of risk is associated with the organization’s exposure on the dark web. If we determine that there is organizational data exposed on the dark web, we’re able to quickly identify the number of documents exposed, and then we notify those Cowbell policyholders to potentially take action through our own platform. Now how does that really affect Cowbell factors, and what we can do for our insurers?

Our dark intelligence telefactor is impacted directly by the number of exposed data points that have surfaced on the dark web. The more exposed documents we identify and the more credentials or passwords that are leaked, the more it is associated with a high risk. The severity of those exposed data points is categorized by low, medium, high, or very high. For example, if we identify that there are 50 documents exposed on the darkweb for a particular insurer and 25 of those documents were considered hack-worthy data, then we may categorize that as a medium-sized risk. If we go down to 20 exposed documents with only 5 that were considered hack-worthy data, then that may be considered a low risk. Versus something where we might find 5,000 documents on a particular insurer and they have 250 documents that are considered hack-worthy data. That would be in either the high or very high category as well. At that point we identify that risk for our insurer on our Cowbell cyber platform. From there they can go ahead and request additional details, such as what’s behind those documents and what’s actually been exposed. That’s what tends to happen with policy holders. They reach out to the risk engineering team and then from there we create a report for them.

Jessica: So if I want to understand what’s behind the score, you’re saying that I can reach out to the risk engineering team and receive a report. What does that report have in it? Can you show us an example?

Manu: Absolutely, I have one right here… this is a sample report. For full disclosure this is not any actual data on a policy holder or any actual dark web information on a policy holder. This is all make-believe. With DarkOwl’s data, we organize that data into a report that is consumable by IT professionals, by security professionals, and a report that makes sense for management teams and the C-suite as well. We want everyone to be able to look at this report and say: I get it, I see what the risks are, I see what the exposure is.

Our risk manager has done a great job of aggregating that data into a report that’s consumable by all. On the top you’ll see that summary of findings found through the help of DarkOwl’s platform. It will quickly summarize where this data was exposed. This report says the data was exposed in the MGM 2022 breach as well as the leading data source where all types of information was exposed. In this one it highlights the PII that may have been exposed such as date of birth, email addresses, names, actual physical addresses. This was happening for over 142 million records from the MGM breach in 2022. From there the report goes into some of the categories that we have found. The total number of exposed documents that have surfaced on the dark web for this particular insurer will be listed.

We have 555 exposed documents. From there it goes into how many of those are actually exposed credentials with passwords listed, whether it is plain text passwords, so that would be the actual password, versus something that’s hashed, which would be more of a coded password and more difficult for a bad actor to take advantage of. It has listed 5 there. And then 5 is the total number of exposed passwords. This is passwords without a credential associated with it. This will also list out the most recent data that was listed, so you may find data that was listed in 2021, 2020, 2019. This data is as of this year, so that makes it even more crucial for an organization to understand that this is a direct exposure, this is a recent breach, and this could be a recent password that an employee is using.

Down here we have a couple of charts. It will tell you the amount of passwords and some of the other data that is exposed such as email, names, phones, and physical address which is conveyed here for a policy holder.

Scrolling down we get into the recommendations that we want some of our policy holders to follow if they do have data exposure, such as what you can do next and how you can mitigate some of the exposure. We have listed some of the best practices and security controls policyholders can apply.

Everything from applying multi-factor authentication to those email accounts that may be exposed, to changing those passwords, creating robust password policies, requiring employees to have alphanumeric passwords, and passwords of at least 10 to 12 characters. That’s the standard right now. With special characters included. Training your employees to identify phishing attempts, having good email hygiene, and not clicking on links if you don’t know who the sender is are what we recommend to our policy holders to apply if they do have any exposure.

Jessica: I want to note that somebody in the chat asked: Is it hard to remove your information if it is on the dark web? Alison thanks for answering it [in the chat function]. In fact, it is impossible to erase information once it is on the dark web. There are two things to keep in mind here. Number one is this set of recommendations. If a customer is highly exposed but is acting on some of these recommendations, the exposure will go down with time. The more time that passes, the lesser the importance of the exposure, such as if they are old passwords or passwords that are no longer in use or if there’s multi-factor authentication enabled. That’s going to disable a bad actor from using this information to do anything bad.

Manu: And the answer is yes. It is hard to remove that data. We can’t simply call the bad guys and say “hey look can you please delete my data off the dark web?,” they just won’t do it. Once it’s on the dark web it’s most likely on there for good. It’s going to be bought and sold. It’s going to be reposted on other forums for bad actors to buy, for actors to attempt to deploy phishing attempts against, to employ brute force attempts against, so it will always be on there. What the organization should do at that point is mitigate. Be proactive in your approach. Apply best practices. These are some of the recommendations that we initially want the insurer to take advantage of and quickly apply within their environment.

Going onto the next page, this will be the actual raw data that we notice from DarkOwl’s aggregation. We’ll list out the email that was leaked and posted on the dark web. It will be the company email most likely. From there we’ll also post whether any password was leaked. In this case the password was leaked. The answer could be yes, no, or could be a hashed password. From there we want to give the policyholders the date that it was published on the dark web. We think that’s important because the more relevant data for the bad actor to take advantage of and to use to compromise your organization will be the most recent data that was posted. We tend to see that with credentials that they get from the current year – those passwords may still be current. Employees may still be using those passwords to login to those accounts. Threat actors take quick advantage of that. Then we’ll list out the data source as well just so the policy holder can understand: was I compromised, or was this from a third party where my data might have been sitting somewhere and the bad actors had access to it that way? If there are any other types of information included – so email addresses and passwords for this one – you can see some of these emails have a lot more PII associated with them, such as email addresses, names, titles, their LinkedIn IDs, and where they’re living.

Alison: That context that Manu just went over is extremely valuable and I don’t want that to be lost in the details. There are other darknet providers who might be able to say yes, that company has exposure on the darknet. But then it’s end of sentence. And you don’t get the context. Being able to share with that client that these exact email addresses with these exact passwords were a part of this breach is so much more powerful. Think about the mitigation if you are a small-medium sized business and this report comes back and there’s three email addresses on it and three of those employees are no longer with the company and left 4 years ago. You’re not concerned. Or, you come back and this report has 5 email addresses listed on it and every one of those employees was attending a conference last week together – that’s going to be a very different mitigation strategy for that business than the former. The context and the fact that Cowbell can pass that on to you to pass onto the policy holder… is extremely important because it allows them to act on it versus “well there’s information out there, good luck.”

Jessica: Alison when you say valuable, I want to press upon that. A lot of DarkOwl’s customers are cybersecurity companies. They might charge thousands of dollars to a customer per year to provide this in-depth information. Manu, do our customers have to pay for this report?

Manu: No, this is a value-add for being a Cowbell policy holder. It’s one of the many value-adds that we bring to our policy holders, and it’s one of the most frequently requested value-adds that we provide. If you notice that you had an exposure on the dark web, within the same day or within 24 hours we can turn around a report and get it over to your risk managers and your security folks. There’s no added cost associated with utilizing this service.

Alison: I would leverage that highly. When we were prepping for the webinar, Jessica was asking me how I would position it if I was in all of your shoes. I think about comparing different car insurances. If you make that analogy over to cyber insurance, this is the equivalent of getting free oil changes and engine checks. This is a huge value-add especially for small-medium businesses that may not have an IT staff who can be looking on the darknet. I think it’s a freebie that they can take advantage of.

Jessica: Absolutely. Manu, can you answer for us: what are some of the most common questions or trends that you get from customers about the dark web? Is there a common misconception, myth, or concern that your team fields most often?

Manu: The number one question we get after an organization realizes that their data was on the dark web is: “have we suffered a data breach or a cyberattack?” In most cases that we’ve seen the answer is no, it’s just the circumstances – it tends to be that the compromise happened at a third party, and they were storing your data in some capacity and threat actors gained access to it and they posted it on the dark web. Sometimes a bad actor will even mention the data source that they aggregated the data from. There are some cases where it could be direct exposure to your organization, and this indicates a breach. But what we tend to see is that it’s most likely a third-party breach and your data has been posted on the darknet. I would say the next question that we receive often is: “how can I reduce my risk?” and “this data is out there, what do I do?” and “how do I make sure that I don’t get hacked, how do I make sure that I don’t become a target?” It goes back to being proactive to applying those recommendations that we spoke about. Between MFA, email security, training your employees, and having strong passwords –all of that is very important. Those are probably the top two questions we get from policy holders once they notice that they have had some exposure.

Jessica: Manu this question (from the chat) is going to come to you. Do we also use this data as we underwrite and determine premium rates for prospective customers, and if so, is there a way to get a sample of some exposure for clients in advance as we help them consider the value of a Cowbell policy?

Manu: It is factored into the underwriting process if there is exposure on the dark web, however, we do give policyholders a chance to let us know what they are doing to be proactive to reduce their risk. Once underwriting understands [what they are doing to reduce risk] we get comfortable enough with the risk to move forward in the underwriting process.

Alison: Can they share it with their prospective clients?

Manu: Yes. We can certainly provide that data to prospective clients as well.

Jessica: So a broker could reach out in advance and understand what the exposure is so that they can guide that client potentially into a Cowbell policy or elsewhere?

Manu: Yes. As far as sending the actual data over we wouldn’t do that. We would just let them know if there is exposure and the amount of documents we’ve noticed as hack worthy data on the dark web. Then the actual data that is exposed would be shared with the policyholder or the potential client.

Jessica: So the dark web report that you shared is a post-buying experience for the policy holder. Any final comments? Alison and Manu thank you so much for being here. Do you have any closing thoughts for the audience?

Alison: We’re here and as you can tell we are doing a ton of work in the background and by “we” I mean Cowbell and DarkOwl to try and make this a much more robust policy than some other folks out there so don’t be afraid to come to us, ask questions, and if you have any personal interest in learning more about the darknet, there’s a lot on our website at DarkOwl. We’re just here to help.

Manu: Thanks Alison, and I would say that if there’s exposure on the dark web and if you don’t know what to do – come to us, ask, go on the platform and see if there is any indication. And if there is exposure, ask us to generate a report for you. Again, it’s a value-add for our policy holders so certainly take advantage of it. This helps in several ways. It will help reduce the organization’s chance of suffering a cyber incident related to that exposed data. It also helps underwriters better understand your security posture, and then they can more accurately rate your organization as a safer risk, and that includes during the renewal process as well.

The organization can show Cowbell that they have been proactive, that they have reached out, that they have mitigated against some of these exposures, and they can show us that they are in a strong place for a renewal. Take advantage of the value-add from DarkOwl and Cowbell; it only helps reduce your risk and make your organization a stronger cybersecurity organization.

Jessica: Thank you. Hopefully we’ve given you some things to think about today that you can turn around today, tomorrow, the next, and directly relay to your customers as to why Cowbell… is different in the market than other carriers. We’re using data sources that are absolutely the best in class to help define risk and rate risk. Beyond that we have Manu and his team who are here to help you, guide you, and provide extra information and context throughout the entire lifecycle of a policy.


Cowbell is the leading provider of cyber insurance for small and medium-sized enterprises (SMEs) and the pioneer of Adaptive Cyber Insurance. Cowbell delivers standalone cyber coverage tailored to the unique needs of each business. Our innovative approach relies on AI for continuous risk assessment and continuous underwriting while delivering policyholders a closed-loop approach to risk management with risk prevention, risk mitigation, incident preparedness and response services. To learn more, visit: https://cowbell.insure/

DarkOwl uses machine learning to automatically, continuously, and anonymously collect, index, and rank darknet, deep web, and high-risk surface net data, allowing for simplicity in searching. Our platform collects and stores data in near real-time, allowing darknet sites that frequently change location and availability to be queried in a safe and secure manner without having to access the darknet itself. DarkOwl is unique not only in the depth and breadth of its darknet data, but also in the relevance and searchability of its data, its investigation tools, and its passionate customer service. Our passion, our focus, and our expertise is the darknet.

Interested in how darknet data applies to your use case? Contact us.

Cybersecurity Awareness: Darknet Investigator Best Practices

October 11, 2022

In honor of October’s Cybersecurity Awareness Month – a period of time designated by the President of the United States to heighten situational awareness – the DarkOwl team compiled a list of best practices for information security professionals and investigators tasked with conducting open-source intelligence (OSINT) and DARKINT™ investigations. 

The fundamental rule of thumb in conducting any online cyber investigation is that the deeper you get into underground networks such as the darknet, the more vigilant you must be about your operational security and the more certain you must be of the technologies employed for anonymity. To remain safe while conducting dark and deep web operations, here are some guidelines and recommendations from our analysts.

1. Separate Your Technologies

Never utilize your work or home computers, or networks for that matter, for conducting dark web investigations. Even if you think you are being secure using Tor Browser Bundle or a VPN, there is elevated risk of inadvertent exposure to malware, threats, and viruses once you leave the Surface Web.

The same is true for social media investigations. Many threat actors that use personas on social media will include malicious links in social posts that are designed to log your IP address or expose your identity and location. A recent threat intelligence report indicates that some nation-state-sponsored malware can be triggered simply by hovering over the hyperlink.

2. Keep Darknet Identity Separate from IRL

Similarly, never use your personal, work, or school email address to sign up for or register accounts on any services on the darknet or deep web. Although you might think the address is non-attributable, if the username is even remotely connected to your real-life identity, such as a reference to your favorite sports team or hobbies, a threat actor can easily use that information to uncover your real identity or directly target you.

Likewise, never re-use an email address you used for an investigation with any personal or work-related website registrations or mailing lists, even if you believe it is non-attributable.

3. Layer Your Proxies

The Tor Browser provides layers of protection by routing each connection through a series of network relays, so that the destination server never sees the client’s IP address and no single relay sees both ends of the circuit. When conducting OSINT and darknet investigations that involve moving in and out of the Tor network, use one or more reliable paid virtual private network (VPN) services that offer additional features like double obfuscation and privacy policies like no server logging of user connection data. One could also adopt more extreme measures, such as live distributions like Tails, which wipes every session’s data, including RAM contents, on shutdown, or Whonix, which by design forces all traffic through Tor and isolates the workstation from the network so that an application cannot leak the real IP address.

4. Use Burner Phones and Email Addresses Where Possible

Non-attributable burner phones are more and more difficult to acquire, but increasingly necessary for building out investigative personas and joining sensitive networks and channels on chat platforms like Telegram. Underground forums and marketplaces also sometimes require a Telegram account or a valid email address for registration.

Overall, it is best to use temporary email address services, non-US based free email providers, or Tor email providers for account registrations. Some example temporary, anonymous, and secure email providers include Guerrilla, Protonmail, and AnonAddy.

5. Encrypt Everything Everywhere

Not using encryption on your darknet investigative platform, especially if you’re downloading and storing potentially sensitive data, is akin to owning a fireproof safe in real life and never turning the lock. The safe is there; turning the dial is the simple extra step that ensures the safe’s contents are secure. Encrypting email end to end and encrypting files with OpenPGP is always better than storing them on disk in the clear.

Likewise, open-source Linux utilities like CryFS are readily available to encrypt your data. CryFS encrypts file contents with AES-256-GCM by default; the volume’s encryption key is stored in a configuration file that is itself protected by a key derived from the user’s password, and that configuration data is what unlocks the encrypted directory. Others advocate for GostCrypt, a fork of TrueCrypt, which uses the GOST 28147-89 block cipher and its more advanced successor, Grasshopper (Kuznyechik), for securing the data.

6. Trust No One

Despite the urban legends in circulation, such as – there are more law enforcement and information security researchers on the darknet than criminals – there is not a single individual or persona in the darknet that you can completely trust. Maintain your persona, capture whatever information and digital evidence you need quickly, and burn aliases and assets whenever necessary to not generate a lengthy digital paper trail.

Nearly every underground criminal community includes social engineering experts who thrive on the thrill of hunting down members of marketplaces, forums, and chats. Humans will continue to be the weakest link in cybersecurity; threat specialists at Zerofox contend that social engineering will remain the primary initial access vector for the foreseeable future. The LAPSUS$ gang are some of the most sophisticated social engineering cyber criminals in the darknet and continue to exploit enterprise victims using social engineering methods.

DarkOwl Vision’s UI helps OSINT analysts, darknet analysts, and darknet investigators gather critical data safely by bearing the brunt of these security risks. Vision provides a user-friendly interface with powerful querying capabilities to search, monitor, and create alerts for critical information.


For more information visit: https://www.darkowl.com/products/vision-app/ or contact us: https://www.darkowl.com/contact-us/

Cybersecurity Awareness Month: Featured & Upcoming Content

October 7, 2022

In light of Cybersecurity Awareness month, DarkOwl is committed to sharing resources from our researchers and analysts that touch on safety best-practices and key trends in the global cybersphere based directly on insights from the darknet.


Featured Content

WHITEPAPER

Tensions Between China & Taiwan Realized on the Darknet

In this report, DarkOwl researchers provide insights and analysis from the darknet on how tensions between China and Taiwan are impacting the cyber underground.

Read the report

PRESENTATION

Industrial Control Systems and Operational Technology Threats on the Darknet

DarkOwl participated in this presentation in conjunction with Hybrid COE to bring awareness around ICS/OT threat vectors that continue to emerge and circulate on the darknet.

View the slide deck

Upcoming Content This Month

BLOG

Cybersecurity Awareness: Darknet Investigator Best Practices

DarkOwl analysts outline a compilation of best practices for conducting OSINT and DARKINT investigations. Curious what we mean by DarkInt? Check out this 101 guide. This is now live!

BLOG

Cyber Group Spotlight: Bjorka

Learn more about the threat actor Bjorka, who is causing terror to the Indonesian government. Check out the previous Cyber Group Spotlight on SiegedSec in the meantime. This is now live!

EVENT

DarkOwl @ OSMOSISCON in Tampa, FL

DarkOwl Product Engineer Damian Hoffmann will present “Finding Actionable intelligence in Dark Web Data for OSINT investigations” to attendees at this year’s OSMOSISCON, October 16 – 18.

Attending OSMOSISCON? Schedule a time to meet with a DarkOwl team member here. Read our synopsis here.

EVENT

DarkOwl @ DarkWeb Conference in Hyderabad, India

David Alley, CEO for DarkOwl FZE, will be attending and speaking at this conference on October 18th, focusing on Combating Cyber Warfare and Cyber Terrorism using the Darkweb.

Attending this conference? Schedule time to meet David here.

DATASHEET

Dark Web Monitoring

DarkOwl is an open-source intelligence (OSINT) platform that aggregates information from various underground sources. Monitor for information critical to your organization, clients, and customers to discern actionable and meaningful intelligence from things like cyber breaches and ransomware attacks. Check out our new datasheet.

BLOG

Top Mentions of Cybersecurity Awareness on the Darknet

This piece will examine what threat actors on the darknet are discussing regarding cybersecurity awareness and related topics. This is now live!


Curious to see how darknet data can improve your cybersecurity situation awareness? Contact us.

Copyright © 2024 DarkOwl, LLC All rights reserved.
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.