As Dream Market staff mentioned prior to their shutdown, a new market was on the horizon. On Friday, former official Dream moderator, waterchain, announced the opening of Saṃsāra, based on the source code of the infamous Dream Market. Saṃsāra is a term from eastern religious philosophy. Ironically it refers to the eternal cycle of birth, suffering, death, and rebirth.

The official market announcement is received with skepticism. Many questioning its legitimacy and a number of inconsistencies with the story behind the return of the market.

The new Saṃsāra market layout is strikingly similar to Dream, yet includes several new security elements. Admins refer to a new “anti-phishing feature” as the first of its kind that purports to completely defeat man-in-the middle attacks along with the option for a user to login with their PGP key or two factor authentication(2FA) for additional security. Once in the market, the source code is identical to the original Dream Market with the addition of a News and Community section that allows for interaction with Admins on market features. There is no mention of a traditional separate market forum like Dream supported.

Even with a new market theme, logos, and user interface on top of Dream Market source code, within hours of the announcement, many users uncovered bugs across the cryptomarket, including issues with saving public PGP keys, which forced users to employ 2FA for additional profile security.

The new market administrator dismissed community concerns over the lack of presence by SpeedSteppers. Further, dismissing questions about why the new onion address as advertised for weeks on Dream Market is not listed as a valid mirror for Saṃsāra. He instead attempted to encourage people to “forget the past” and “move on” insisting numerous times that he was a former official Dream moderator, as if to validate everything he said on the forum as legitimate.

• Others quickly noticed that waterchain’s new PGP key was created in June with only 2096 bits instead of the more secure 4096 bit key of the former legitimate waterchain. The moderator claims they lost his key in a corrupted Tails configuration. It does appear suspicious that they would choose to rebuild his key with less security, considering he is now essentially running a market instead of moderating it.

• The market does not support Monero transactions, which is possibly a more secure and less traceable cryptocurrency than Bitcoin. There is a discussion along with member vote on the integrating XMR available through July 18th in the new Community section of the market.

• All of the market mirrors use Tor’s legacy V2 hidden service domains instead of V3. Dream Market issued several v3 mirrors earlier this year when suffering from heavy DDoS attacks.

Even with these concerns, vendors are taking advantage of the limited offer of 0.025 BTC vendor bonds and over 400 market listings, consisting of mostly drugs, were online and ready for purchase within the market’s first day.

On a technical note, a few more inconsistencies appear. First, when requesting /server-status/ on the Saṃsāra url, we find what looks like a status page for another darkweb forum, Torum. Second, the HTTP-Headers also appear to leak IP addresses pointing at both a host in The Netherlands and the United States.

In recent days, user waterchain has been banned on Dread forum for rule violations.

Only time will tell how long this market will be reliably online before the DDoS attacks against Saṃsāra begin.  Remember to check back here for updates as more information emerges.

Keeping current and making sense of recent news surrounding Darknet Marketplaces is a challenge for even the most active and engaged Tor enthusiasts. In this blog, DarkOwl analysts dive into the latest dark web market exit scams, the recent, widespread law enforcement operations and their impact, and how cryptomarkets will continue to be a significant segment of darknet hidden services available to underground and would-be criminals.

Below is a timeline of the primary events leading up to, and resulting from the recent turbulence surrounding many darknet marketplaces.

April, 2019

Dream Market Announces Closure & Never Returns

In late March 2019, Dream Market, one of the oldest cryptomarkets announced that it would be ceasing its current operations on 30 April 2019. The announcement was made by the developer and admin, known as Speedsteppers. The statement also mentioned an eventual re-branding as a new Tor hidden service and address. For over a year, Dream Market had suffered from extraordinary DDoS attacks resulting in over 600+ mirror links circulating around the dark web for the marketplace.

In early April, Europol confirmed a significant multi-national darknet drug operation resulting in 61 arrests and the confiscation of 50 dark web accounts used for illegal activity. Along with the agents from the Federal Bureau of Investigation (FBI), U.S. Drug Enforcement Agency (DEA), and Canadian Police, Europol law enforcement officers executed 65 search warrants, seized almost 300 kg of drugs, 51 firearms, and over €6.2 million Euros ($6.95 million USD) of cryptocurrency, cash, and gold. Given Dream Market’s prominence in the dark web community, it is a reasonable assumption that some, if not many, of these arrests were vendors active on Dream. Although there is no mention of Dream Market in the Europol report, it’s well known the market place has been a target for law enforcement for some time.  Further, the aforementioned new Dream Market onion addresses have had no activity. 

Immediately after the announcement, rumors circulated across popular dark web forums about the Dream Market closure being led by law enforcement or an inside exit scam. In April, many users had issues withdrawing money from their Dream Market wallets. Some moderators scammed vendors via support ticket notification, informing the vendor that funds withdrawal can be restored only after the vendor supplies their password and last used bitcoin address.

DarkOwl covered the details of Dream’s less than graceful shutdown in “Insider Report: Darknet reacts to Dream Market announcement.”

While it’s unknown whether or not law enforcement infiltrated Dream Market’s servers directly, two independent cyber security researchers circulated detailed analysis revealing some very specific details regarding Dream Market’s admin, SpeedSteppers, de-anonymizing him as Mark DeCarlo based on the domain registrations for several surface websites, one specifically shared in 2018 with Dream users contained a link to a clearnet forum called deepwebnetwork.com. [Source1, Source2]

On a hidden service popular with “doxxers”, an anonymous hacker briefly posted an IP address for Dream Market. When accessed directly using the leaked IP address, the Dream Market login screen is available along with familiar Tor network addresses listed on the left sidebar of the page.

Figure 1 Direct Access to Dream Market via Leaked IP Address

Given the report on SpeedStepper was published in January, the weird behavior of moderators trying to scam vendors, along with an inactive URL for “Dream’s Partner” it would not be surprising if law enforcement infiltrated Dream Market months ago and operated it similar to the shutdowns of Alphabay and Hansa as led by the Dutch National Police in the summer of 2017.

Figure 2 Source: Dread Forum on Tor (/post/52f54402d99bd51d4b74)

Wall Street Market Exit Scams Then BKA Announces Seizure

As one would expect, Wall Street Market (WSM) surged in popularity almost immediately after Dream’s announced shutdown. Most every social platform recommended vendors and potential buyers move to WSM and/or Empire to conduct their online market business.

Figure 3 Dread users discuss WSM as the Dream alternative for trading.

In late April, peaking at an estimated 5,400 vendors, 1.15 million customers, and well over $10 million in cryptocurrency, WSM admins conducted a classic darknet “exit scam.” The estimated market value is totaled somewhere between $11 and $15 million USD. The three admins diverted these funds into their own crypto accounts while claiming the market was in “maintenance mode.” All the while unaware that law enforcement was secretly monitoring their accounts.

In the midst of the exit scam, one of the site’s moderators, Med3l1n, clearly angry over the exit scam, began blackmailing WSM vendors and buyers, asking for 0.05 bitcoin (at the time ~$286 USD). They threatened to disclose to law enforcement the identities of WSM vendors and buyers which made the mistake of sharing various personal details in support tickets in an unencrypted form.

It is unclear if these extortion attempts succeeded, but days later, Med3l1n also published an IP address for a server located in the Netherlands and login credentials for the WSM backend on a popular darknet forum knownas Dread. Further, they invited nefarious actors to take down the market.

The IP address is in the same network range of another IP address that leaked from the Wall Street Market backend two years ago. Although the authorities discovered the address of the server in other ways, according to public affidavits.

Within days, Med3l1n, identified as Marcos Paulo De Oliveira-Annibale, 29, of Sao Paulo, Brazil, was arrested by German authorities along with the three market administrators, all from Germany:  

• Tibo LOUSEE (coder420), 23-year-old from Kleve, Germany;

• Jonathan KALLA (kronos), 31-year-old from Wurzburg, Germany;

• Klaus-Martin FROST (theone), 29-year-old from Stuttgart, Germany.

All three face charges in both Germany and the United States after a series of missteps in their operational security led authorities to their IP and physical addresses. The market seizure and arrests were a culmination of a two-year investigation involving agents from the DEA, the FBI, the U.S. Internal Revenue Service, the U.S. Homeland Security Investigations, the U.S. Postal Inspection Service, the U.S. Department of Justice, the Dutch National Police (Politie), Europol, and Eurojust.

During the investigation, authorities discovered the admins also operated darknet marketplace, German Plaza Market (“GPM”), which launched sometime in early 2015 and shut down due to an “exit scam” in approximately May 2016. Agents successfully correlated wallet addresses for GPM with those of WSM in the investigation connecting the administrators.

Law enforcement obtained one of the administrator’s home IP address, correlated to and registered in the name of the suspect’s mother, through a cooperating VPN provider he used. The IP address was used to access certain administrator-only components of the WSM server infrastructure. KALLA later admitted that he was the administrator for WSM known as “Kronos.”

As a point of technical interest, the complaint filed with the US District Court in California included a footnote that the US Postal Service was responsible for the blockchain transaction analysis for FROST, and “de-mixed” the flow of transactions to ascertain that the monies from two different wallets ultimately paid FROST’s account [Source]. Researchers from Korea University published a paper in May 2018 outlined a de-mixing algorithm that could identify the relationships between the input and output addresses of the popular dark web mixing service called Helix with a 99.14% accuracy rate [Source].

Another administrator accessed the market IP address to connect to the WSM infrastructure using a device called a UMTS-stick7. This device is a USB-powered modem for remotely connecting to the internet. This UMTS-stick was registered to a suspected fictitious name, and the BKA executed multiple surveillance measures to electronically locate the specific UMTS-stick. The UMTS-stick was active at a residence of LOUSEE in Kleve, Northrhine-Westphalia (Germany), and at a local information technology company, where LOUSEE was employed as a computer programmer. LOUSEE was in possession of the UMTS-stick of interest upon arrest.

The PGP public key for “TheOne” is the same as the PGP public key for another moniker on Hansa Market, “dudebuy”. Interpol and Dutch police shutdown Hansa darknet market in July 2017, as part of Operation Bayonet. A financial transaction connected to another crypto-wallet used by FROST was linked to “dudebuy”. Investigators identified a wallet used by FROST that subsequently received Bitcoin from a wallet used by WSM for paying commissions to administrators. Records obtained from the Bitcoin Payment Processing Company revealed buyer information (connected to Hansa Market, seized in 2017) for a Bitcoin transaction as “Martin Frost,” using the email address [email protected]. A second link connecting FROST to the administration of WSM is based on additional Bitcoin tracing analysis.

May, 2019

Finnish Customs Seizes Valhalla (Silkkitie)

During the same week reports of WSM’s collapse surfaced, Europol released an official statement that Finnish customs (Tulli) in close cooperation with the French National Police (La Police Nationale Française)seized Valhalla, also known as, Silkkitie sometime earlier in the year. The report did not mention many specifics, other than Finnish federal authorities have the entire Valhalla server and its contents, along with a significant drug confiscation. DarkOwl Vision indicates the marketplace went offline sometime in early March.

The May 3rd Europol report stated:

“After the Silkkitie (Valhalla) site was shut down by the authorities, some of the Finnish narcotics traders moved their activities to other illegal trade sites in the Tor network, such as Wall Street Market”

..suggesting the potential for international law enforcement’s concerted attempts to funnel users to a targeted market for takedown.

Valhalla marketplace was one of the oldest markets on the dark web, listing over 30,000 products by some statistics. Its activity started in October 2013 as a Finnish-only site called Silkkkitie.

FBI Targets Deep Dot Web

On the 6th of May, two DeepDotWeb (DDW) administrators were arrested facing charges of kickbacks by earning millions in commission by referring users to specific darknet marketplaces. The seizure of DeepDotWeb alarmed the dark web community as it did not host any illicit content directly, but instead provided paying users with indexed and catalogued access to dark net market hidden service URLs – complete with ratings and reviews. DDW admins received money for registrations using the referral addresses hyperlinked. Authorities claim that DDW administrators made millions of dollars using this criminally innovative ‘picks and shovels’ approach to illegal online trading. Coincidently, while DDW was being shutdown, popular dark web community forum, Dread experienced heavy DDoS attacks and was unable to support logins for over a week, causing many to suspect it too had been compromised. DarkOwl analysts speculate that Dread’s DDoS was intentional to prevent vendors and buyers to coordinate on interrupted sales and illegal trading.

Figure 4 Source: https://www.europol.europa.eu/newsroom/news/deepdotweb-shut-down-administrators-suspected-of-receiving-millions-of-kickbacks-illegal-dark-web-proceeds

CGMC Disappears Overnight

On or about May 10th, 2019 Cannabis Growers & Merchants Co-op(CGMC), silently disappeared without notice. At first, users claimed the market had completed an exit scam as they had lost the ability to withdraw funds, contact support, and initiate the process for a refund. It was later determined that the admins, Marko and Rory, felt pressure from the WSM and DDW seizures that it was time to gracefully leave the business. On the night of the self-shutdown, admins cancelled all pending orders and returned funds to the customer, released all escrow and cash to the vendors. Days after the shutdown, a signed PGP message from Rory asked for the community’s positive vibes for their services and customers joked about seeing them stroll on the beaches of Seychelles.

Users across other darknet communities scrambled to find their favorite vendors as this was all about the same time Dread was under DDoS and inaccessible for coordination. Many darknet vendors reposted their PGP signatures and offered to continue to serve customers without the markets, trading directly with their previous customers via encrypted communications.

One CGMC vendor shared:

The sellers are in the same situation, but I can confirm:
1. All the escrow was released and cashed (the money went to my wallet)
2. Pending orders the money was returned to the customer
3. All orders from Monday to Thursday are sent
I do not think it’s an exit scam, I think it’s a problem with the website and they’re working on fixing it.
If the market were to close Marko would have warned. Let’s wait a few days to see what happens.
If the situation is not fixed open store in another market. Please, if any of my clients reads this message, verify that the PGP is authentic.

June 2019

Libertas Moved to I2P Then Shutdown due to Inactivity

In late May, Libertas, a Monero-only marketplace, moved its hidden service marketplace from the Tor network to the peer-to-peer-based I2P network, citing “flaws in the Tor network” as justification. They also referenced an unconfirmed Tor vulnerability that international authorities have used to reveal hidden service’s real-world IP address. Libertas provided detailed instructions for its users to successfully setup I2P within Tor Browser to access this faster and hopefully more secure version of its marketplace.

Libertas has historically been one of the most unique cryptomarkets in the dark web, being one of the first ever to only accept Monero instead of Bitcoin like other marketplaces. In their market announcement over a year ago, Libertas admins suggested that Monero was the “only real way to make anonymous transactions online” including the many ways they ensured the security of the servers supporting Libertas darknet market.

Figure 5 Libertas Original Welcome Message on their Market Forum

On June 19th, less than a month of operating on I2P, Libertas admins announced they were shutting down until further notice, due to the lack of use of I2P. They reaffirmed their belief that all Tor network-based hidden services which are allowed to operate are law enforcement sting operations.  

Other Tor users have discussed migrating to I2P and encouraged other marketplaces to do so in forums and discussion boards, suggesting that Tor is neither safe nor robust enough from DDoS attacks to host large-scale crime-focused services. Unfortunately, the complexity of setting up I2P has discouraged its broad-based use on scales comparable to the Tor network.

Today: What Market Places Are Still Operational?

Empire Market

Despite its legacy and familiar user interface dedicated to the late Alex Cazes from AlphaBay, Empire recently has been under heavy DDoS causing it to surge in mirror link generation to mitigate. DarkOwl has knowledge of 135 unique V2 and V3 addresses for the cryptomarket, but believes that over 30% of those could be phishing addresses. In recent weeks, Empire forums have been bombarded by hundreds of complaints that account wallets have been consistently scammed, even after verifying links as legit. RapTOR directory services alleges that Empire has indeed exit scammed and any working links will lead to currency loss.  The dark web community is contentious over the lack of support from staff and instability of the market.

Empire’s head moderator se7en claims most of the complaints are from customers using “phishing” market links instead of verified ones, but the tune is all too familiar to the behavior of other markets. Empire recently added two-factor authentication (2FA) as an additional security protocol, but a former Empire-mod posted a detailed paste on how easy the 2FA is bypassed, stating “the end user is always the weakest link to a system,” in a recent report by DarkNetLive.

Tochka / Point

With recent market confiscations, Tochka (Point) could now be considered one of the oldest operational darknet cryptomarkets as it started in early 2015 emphasizing a “community-like” culture with classified advertisements and low vendor registration requirements.

Unfortunately, in early June, many users reported that the marketplace was a complete scam with numerous orders, wallets, and accounts deleted in recent weeks. Comments on a forum suggested that the Tochka had suffered a server crash in early June resulting in the loss of several transactional records and to contact the moderators active on Dread for assistance. Unfortunately, this week, Dread has also been under heavy DDoS and users are unable to submit complaints or receive technical support.

Other dark web markets worth mentioning

• Genesis – Javascript required market with increasing popularity due to recent news coverage. Online and active.

• Dark Market – Appeared in May 2019 with admins Sassy & Dark. Now accepts Monero and primarily trades in digital goods (over 1000 listings).

• Luna – Marketplace that required wallet registration for non-vendors and offered Monero and “locktime” to secure transactions. Offline as of early June.

• Core – Offline in mid-June after heavy DDoS attack.

• Cryptonia – Typical dark web cryptomarket experiencing heavy DDoS in recent weeks. Admins pride themselves on their market manifesto that states their movement will never be corrupted by greed. Online and active.

• Berlusconi – Recently added Multi-Sig wallets and states that they will no longer offer weapons & explosives by the end of June.

• Nightmare – Experiences regular periods of heavy DDoS. Recently redesigned and returned with new UI and “dark mode.” One of the largest active markets with 65,000+ users, 3,000+ vendors and more than 50,000 listings.

• Rapture – Rumored to have been built on the source code leaked from Trade Route. Many users thought Rapture exit scammed in late 2018, but returned recently stating they were under heavy DDoS. Offline as of time of writing.

• Agartha – Similar design to the Agora Reloaded Market that exit scammed. Online and active with no complaints.

• Apollon – Typical dark web cryptomarket operating since 2018. Possibly connected to former RAMP shop. Surge of users (over 40,000) due to Dream announcement.

• Enterprise – Brand New as of June 2019. Operational but very few listings.

• Deep Mart – Appeared in early 2019. Believed to be a scam market based on reviews.

• The Majestic Garden – In May, TMG moved to only V3 Tor URLs and registration is closed due to surge of registrations after Dream announcement. Online and serving customers.

• Nirvana Market – Brand new market as of June 2019.

• Canazon – Features primarily drug vendors. Operational since 2018. Online and active.

• Silk Road 3.1 – Operational and now accepts Monero. Online and active.

• UnderMarket 2.0 – Market featuring counterfeiting and fraud items. Javascript required for some portions of the market. Online and operational.

• The French Connection – One of the oldest operating markets (over 5 years). Does not ship to the US. Online and active.

• Yellow Brick Road – Invite-only market by vendors. Online and operational.

Since 2019, DarkOwl Vision has knowledge of and successfully crawled over 3,000 dark web cryptomarket addresses — over 1800 of them in the month of June due to heavy DDoS mitigation. Libertas administrators expressed legitimate concerns about Tor’s vulnerabilities to DDoS and host IP address exposure, apparent by the crippling DDoS attacks on many of the markets and critical community forums like Dread market.

While many of the historically active markets have voluntarily closed their doors, it is evident by the introduction of multiple markets in recent months, along with the surge of customer and vendor registrations well exceeding thousands of users, that the criminal darknet market community will not be deterred by international law enforcement operations and will resort to direct encrypted communications with their suppliers if necessary.

Update (7/2/2019)

After allegedly negotiating with would-be DDoS attackers, it would appear that Dread market is back online…for now. Check back here for continued updates as our analysts uncover more information. 

The market segment of the dark web is the most volatile and dynamic of all types of hidden services available. The status of any of the markets mentioned in this report can change without any notice. This report only covered the status of English-speaking marketplaces and a follow-up report covering non-English cryptomarkets, such as Russia’s MEGA, will be published in the near future. Please continue to check back for updates.

Dream Market — one of the largest and most active remaining darknet marketplaces — has announced that it is officially shuttering its doors in its current location. The notification, which can be found on every page in the marketplace, indicates it will be transferring its services to a new URL and partner company at the end of April.

This news announcement comes just weeks after Dream Market has been weathering heavy DDoS attacks, leaving many of its domains unserviceable for intermittent periods.

Notification on Dream Market about migrating services to a new URL at the end of April 2019.

Dream Market has been around since 2013, making it one of the darknet’s longest lasting marketplaces and a leading go-to in the community for illicit sales. The news about the migration has been a topic of many discussions on the darknet, including on Dread, a darknet forum dedicated to security and harm reduction for darknet marketplace purchases.

User “waterchain”, a moderator for Dread’s Dream Market sub forum and alleged member of Dream Market’s team, posted a statement regarding the migration. The statement claims that it was prompted by DDoS attacks “on the Tor browser side” and an alleged extortion attempt.  

“Official” statement by an alleged Dream Market team member on the darknet forum Dread. (Image via DarkOwl Vision)

Vendors and buyers alike feel displaced after this announcement as they try to figure out their exit plans. Earlier this week, the Drug Enforcement Agency (DEA) published a press release about shutting down 50 darknet accounts that were used for illicit activities under operation SaboTor (Sabotage Tor).

This, and the timing of Dream Market’s closure, has led some darknet market consumers to believe that Dream Market has been compromised by law enforcement.

Dread user expressing concern regarding the timing of Dream Market’s closure and Operation SaboTor. (Image via DarkOwl Vision)

Some members are hopeful that Dream Market is simply experiencing technical difficulties and still plan to use their new market once it’s back online, while other vendors have already transitioned to other markets.

Dream Market vendor UPactive advertises listings on two other popular markets. (Image via DarkOwl Vision)

Some newer, less active markets have tried to capitalize on this opportunity by offering incentives for vendors to transition to their marketplace. One such market is Cryptonia Market, which has offered incentives for former Dream Market vendors to switchover to their marketplace.

A post from Cryptonia Market, offering fee waivers and other incentives to verified Dream Market vendors. (Image via DarkOwl Vision)

While moderators of Dread’s Dream Market sub forum have tried to assure the public that the market was not compromised, there hasn’t been an announcement signed with Dream Market’s official PGP key. This, and the fact that the official Dream Market forum is offline, leaves some users skeptical.

Update:

On the forum DNM Avengers, user rockemsockem45 pointed out that the date format used in the shutdown message is different than previous messages by admin and staff, further adding to the suspicion that the market has been compromised.

DNM Avengers user rockemsockem45 posts about the inconsistency of the date format used in the shutdown message.

Also, starting earlier this week, multiple vendors have claimed that Dream Market’s support staff are attempting to scam vendors. According to Dread user Terrysukstock, the scam starts by disabling the vendor’s ability to withdraw funds from their account. The vendor is notified via support ticket that fund withdrawal will be restored after the vendor verifies their identity by supplying their password and most recently used bitcoin address.

If the vendor supplies the password, Dream’s support staff changes the password and removes their PGP key, making the vendor’s account inaccessible. Terrysukstock, a vendor with over 34,000 reviews and an average rating of 4.8/5 on Dream Market, claims he followed these instructions and lost over 5 bitcoin.

Vendor Terrysukstock posts about falling victim to Dream Market’s support staff scam. (Image via DarkOwl Vision)

Several vendors have supported Terrysukstock’s experience. Vendor GreentreeCA’s posted his support ticket to Dread to provide evidence of the scam.

The support ticket that Vendor GreentreeCA received, providing evidence of the scam.

Meanwhile, Dread’s Dream Market subforum moderator Waterchain has announced retirement due to “corrupted” moderators that have allegedly locked him out of his account.

Retirement message by former Dream Market moderator Waterchain. (Image via DarkOwl Vision)

No official message has been forthcoming from Dream Market’s team regarding the scam allegations.

Note: This story is developing. DarkOwl will continue to monitor developments and post updates here, so remember to check back!

Curious about something you’ve read on our blog? Want to learn more? Please reach out. We’re more than happy to have a conversation.

In our previous Russian darknet focused blog post, we discussed some of the tools and techniques the Russians were discussing and using in offensive cyber operations against US and international organizations. Russian criminals are also notorious for selling malicious software, e.g. digital goods, on darknet marketplaces that could be used in an attack against government and corporate networks and infrastructure, e-mail lists for phishing, along with a myriad of illegal drugs and counterfeit.  

A Historical Look Back

RAMP Landing Page (image sourced from Google images search)

Russia’s presence on the Tor network is most well-known for the historical darknet forum & marketplace, RAMP — Russian Anonymous Marketplace — which was reportedly seized last July after a surprising effort by the Russian Ministry of Internal Affairs-which historically has turned a blind eye to online crimes.

Coincidentally, the RAMP marketplace, active since September 2012, shut down around the same time as international authorities conducted Operation Bayonet, shutting down key centralized Tor marketplaces Alphabay and Hansa, amid concerns about possible law-enforcement’s use of denial of service attacks to expose the real IP address of the marketplace.

What Happened to the RAMP Community?

Similar to the after effects of shutting down AlphaBay and Hansa, the RAMP marketplace closure caused little disturbance to the Russian segment of darknet cryptomarkets. RAMP vendors successfully shifted to other key marketplaces while a hidden service called Consortium attempted to create an “ex-RAMP Verified Vendor Community” specifically for reconnecting with known verified RAMP vendors. DarkOwl Vision has successfully archived over 9,000 results from Consortium’s hidden service domains. Consortium was formed in late 2017 shortly after the RAMP marketplace closure, and active through May 2018. The Consortium hidden service featured 15,000 users, including more than 100 verified RAMP dealers who confirmed their identity with a PGP key. This archive provides an excellent investigative referential database for prominent darknet vendors and their aliases.

Hydra

When RAMP disappeared, legendary Russian marketplace, Hydra witnessed an increase in user registrations and vendor activity while and near clone of RAMP, called MEGA surfaced only earlier this year.

Hydra has been an active darknet marketplace catering to the Russian Tor community since the Silk Road days. It resurfaced with a new Tor URL in the summer of 2016, less two years after law enforcement claimed it had arrested and charged the 26 year old market admin and Hungarian resident in November 2014 as part of Operation Onymous. Hydra is a centralized marketplace featuring many individual vendor-shops similar to RAMP with offerings including drugs, digital goods, and even mobile phone SIM cards.

Hydra prefers serious Russian drug vendors, only allowing sellers who are willing to pay “rent” for their shops and requiring a monthly payment of over $100 USD for use of the service. This reduces the likelihood of vendors who are actually scammers or law enforcement utilizing the site for entrapment and exploitation.

Offers of Mobile SIM and Debit Cards on Hydra (http://hydra23qk4ar6ycs[.]onion)

MEGA

MEGA has a wide range of illicit drug offerings in their market catalog including items ranging from marijuana to opiates with delivery across the Eastern Slavic language countries of Russia, Ukraine, and Belarus. Similar to other anonymous centralized markets, MEGA also supports vendors selling digital goods such as databases, carding and counterfeit related products, and ready to use hacking software. MEGA features a hidden service layout very similar to RAMP, with over 200 links to unique vendor shops from the landing page and many of the same drug vendors that once traded on RAMP also advertise on MEGA.

For example, one drug vendor on MEGA who uses the moniker, Aeroflot openly states in their MEGA vendor profile that they were also active on RAMP. Cross referencing the nickname against DarkOwl Vision revealed that Aeroflot also has their own personal vendor Tor hidden service where they offer popular drugs such as amphetamines, hashish, and psychedelic mushrooms directly without the marketplace interface. The Aeroflot vendor shop was first indexed by DarkOwl Vision in January 2018.

Surprisingly, there is little information on the surface web about Russia’s MEGA marketplace, as most open source darknet cryptomarket reporting features Hydra instead.  Despite this, MEGA also has a Clearnet proxy of their site via the website URL http://www.mega2web.com.

Both MEGA and Hydra hidden services emphasize trusted vendor-buyer relationships before the market will facilitate the crypto-transaction and goods exchange. For example, on Hydra, before an order from the buyer is processed, the vendor and buyer must communicate and trust each other. The market even offers a “transaction chat” platform to communicate securely about the order. The classical process for browsing, selecting, and ordering a product on the platform are used to communicate to the vendor that you intend to buy from them, referred to on Hydra as a “reservation.” The vendor’s confirmation and order approval are required before payment for the item is disbursed and shipping commences. This approach theoretically reduces the likelihood of scamming and law enforcement operations.

Hydra’s formidable return after such a large-scale joint-international law enforcement effort seizure and vendors trading on the RAMP clone-MEGA reinforces theories that shutting down darknet markets only yield a mild, temporary deterrent effect on the affected darknet community and does not have near the impact the media conveys. This supports arguments from social scientists, Décary-Hétu and Giommoni in October 2016 after analytical review of the effectiveness of police crackdowns on cryptomarkets where they stated:

Police crackdowns, as is the case for traditional drug markets, are not effective measures to lower the volume of sales on online illicit drug markets. Cryptomarket participants have been shown to have a minimal reaction, or one that is temporary, to overtly large shows of force and to have the ability to adapt through displacement techniques.

Darknet Forums that Include Marketplace Features

There are a number of Russian-specific forums and bulletin boards across the Darknet.  DarknetMarkets.co advertises Russia’s Wayaway forum as one of the oldest darknet marketplace, available since 2009, while the Tor hidden service title translates to “First Drug Forum.” Unlike centralized markets, Wayaway presents contents in a bulletin board layout with a range of topics, mostly drug-trafficking in nature, such as Shipping in Russia, Trade with CIS (Commonwealth of Independent States) Countries, Jobs, and Laboratory, where questions regarding home-based personal drug manufacturing are answered.  Hydra is listed as a Wayaway Partner on the forum’s footer along with Hydra logos, market links, and various digital advertising scattered across the forum. Wayaway serves also a gateway to Russian darknet drug vendors with a large section of the forum dedicated to connecting site visitors with individual drug vendors (i.e. “Trusted Stores in Russia”) including customer feedback and a question and answer section on transacting and shipping related concerns.

Wayaway topics have thousands of views and hundreds of comments indicating the forum serves as a high-volume resource for the Russian Tor community. Many of the most active users on Wayaway also trade in other drug and illegal goods forums on Tor.

RuTor

Another popular Russian forum and marketplace on Tor is RuTor. RuTor has been an active Tor hidden service since 2015 and has quickly established itself as a reliable information resource for Russian hacking, darknet education, and project collaboration. RuTor’s landing page has several distracting advertisements at the top of the site similar to the previously popular RAMP marketplace.

Utilizing a bulletin board format similar to Wayaway, RuTor has established sections for Vendor Shop Fronts, Security, and News. The cryptomarket portion of RuTor is tightly controlled by the site administrator who must be contacted before submitting a deposit in a user’s market wallet.  Most centralized marketplaces have an automated system for all market crypto-wallet deposits and withdrawals. RuTor has extensive threads covering cybersecurity related news, corporate data breaches, and technical tips and techniques for network infiltration and tracking.

Runion

“Protecting the interests and rights of your paranoia” is another key Russian darknet forum, Runion, or the Russian Onion Union. Runion does not have the marketplace focus, but instead covers a wide range of darknet criminal specific topics such as Operational Security, Cryptocurrencies, Weapons, Finance and Law, Breaking and entering, Psychology, Hacking as well as Substances and Health. Example threads include in-depth technical conversations around potential Telegram hacking techniques, Dismantling and Shooting an RPG-22, and modifying smartphones for increased telecommunications security.

Administered by one who goes by Zed, Runion lists over 69,000 members, almost 20,000 topics, and over 300,000 messages posted on their forum since 2012. The nickname Zed is active across other hidden services, specifically moderating other well-known Tor carding forums.

Intelligent Hidden Services

The Russian darknet marketplaces and forums featured in this article have had a persistent Tor presence for several years and many include intelligent bot-detection code to prevent automation collection of their content. Captchas, formally known as Completely Automated Public Turing test to tell Computers and Humans Apart, are often present on many of the hidden services to detect if the website user is human or not. DarkOwl Vision’s authenticated crawl routine specifically targets services containing high value intelligence with such authentication protocols. In order to successfully view the content of a hidden service that includes such bot-detection methods with Professional Tools, search the domain along with the search pod, “GROUPS->AUTHENTICATED SITES” to reduce result noise.

On January 9, the KickAss Forum went offline. On Twitter, user @bitsdigit initially reported that the site was seized by law enforcement, but then said the seizure was not a legitimate notice (remarking that “something is very fishy”) and warned others to stay clear. Though the URL in the initial @bitsdigit reporting correlates to an older KickAss hidden service URL, DarkOwl confirmed the two most recent onion v3 KickAss URLs are indeed down, but do not display the Seized Hidden Service Banner.

On January 7, KickAss moderators started the thread, “KICKASS TOR VERSION 3 URLS”, announcing deactivation of the old v2 hidden service addresses and new v3 URLs would be circulating “for security reasons” – perhaps due to recent publicity relating to forum member TheDarkOverlord. Shortly after, the login page for KickAss changed to PRIVATE, with instructions for members to message a Jabber address using Off-The-Record (OTR) for continued access.

Screenshots from DarkOwl Vision from January 2019, listing new KickAss URLs.

Screenshot from DarkOwl Vision from January 2019, with Jabber contact.

However, according to historical records of the forum in DarkOwl Vision, the [email protected] Jabber account from a few days ago does not match Jabber accounts KickAss moderators have ever mentioned. Additionally, an announcement thread from November 2018, captured by DarkOwl Vision, stated that KickAss staff only uses OMEMO for end-to-end encryption, as OTR is not “save” [sic] anymore.

Screenshot from DarkOwl Vision from November 2018, mentioning that Kickass staff only use OMEMO, not OTR.

Given the abrupt private state of the forum days before it disappeared and use of OTR instead of OMEMO, it seems likely Law Enforcement has seized the KickAss forum, and the Jabber account with OTR was a phishing attempt to garner information about its active members. In the past, Law Enforcement have taken over hidden services and impersonated its moderators in attempt to get information about the sites’ members. Dutch police studied the logs of the real admins of Hansa for weeks and even operated the illegal marketplace, throwing the darknet community into chaos in 2017.

One thing that is consistent on the darknet is that hidden services come and go. On Thursday, members of Torum, another popular Tor-based cybersecurity forum, discuss the disappearance of KickAss and the importance of making the most of what’s online while it’s online.

Screenshot of Torum discussion about the KickAss forum disappearance.

DarkOwl will continue to follow this story and report updates as they are available.

This Week, 6,500 Hidden Services were Ousted from the Darknet

The name Daniel Winzen may not mean much to the ordinary internet user, but on the darknet @daniel is the legendary nickname for the individual  known for offering free anonymous web hosting, chat, e-mail, and XMPP/Jabber services on Tor for the last 5 years and perhaps longer. He started out humbly – installing a small number of Tor-based hidden services, or websites, on a Raspberry PI 2 – but over the years expanded his presence to hosting upwards of 7,000 hidden services per month for darknet users across Tor and I2P. That is, until last week.

Shortly after 10:00pm UTC on the 15th of November 2018, Daniel Winzen’s server was breached, databases accessed, and accounts deleted, including the root, or administrator account, rendering his services unusable. In less than three hours, the intruders deleted SQL databases for his chat, onion-link list, and hit counter. Hackers initially accessed the main phpMyAdmin and adminer panels using the correct hosting management password, inferring the password may have been harvested via phishing attempt or the server was accessed by someone with access to Daniel’s credentials. Daniel’s popular GitHub account also experienced a failed login for his popular software repository on November 9th, which has not been determined as related as of yet.

Daniel’s updates on his portal indicates that this hack was a “database only” breach.

According to updates posted to his surface net and darknet portal, Winzen is thoroughly investigating all potential vulnerabilities in his server before restoring services. He has also listed concern over a 0-day exploit, released exactly one day before the attack, in the imap_open() function of PHP that he has since patched.

30% of Online Domains Disappeared Overnight

Over 30% of the operational and active hidden services across Tor and I2P disappeared with the hack of Daniel’s Hosting Services and over 6-Million documents archived in DarkOwl Vision are no longer available on the darknet.

DarkOwl quantified the impact to the size of the darknet, specifically Tor, using its internal “Map the Dark” reporting, which includes statistics from darknet websites indexed over the previous 24-hour period. Our data substantiates the hosting provider’s offline status, with a delta of 4,887 domains going offline between the 15th and 16th of November. DarkOwl has indexed the archives of 5,300 domains from early November and has assessed them to be services that were formerly hosted on Daniel’s server.

Daniel’s previous online-link list advertised that he hosted over 1,500 private hidden services whose domain URLs are unknown at this time. DarkOwl’s estimated total number of domains hosted by Daniel are consistent with the 6,500 offline domains quoted by Daniel on his server portal.

• 657 of the hidden services have only title “Site Hosted by Daniel’s Hosting Service” and contain no meaningful content worth mentioning. Darknet hidden service domain could have been used for something other than serving web content.  

• Over 4,900 of the hacked domains are in English and 54 are Russian-language hidden services. Two of the oldest hidden services are interestingly in the Portuguese language.

• 457 of the hidden services contain content related to hacking and/or malware development, while 136 include drug-specific keywords.

• 304 of the hidden services have been classified as forums and 148 of them are chatrooms.

• 109 of the hidden services contain counterfeit related content while 54 specifically mention carding-specific information.

• Over 20 of the hidden services contain content including weapons & explosive related keywords.

Daniel’s hosting service, chatroom and online-link list have served as a pillar for the darknet community for years. For example, his online-link list is referenced by nearly 500 other hidden services, making it the second most commonly referred to directory listing (behind Fresh Onions) and providing a foundational starting point for new users navigating Tor.

Given that his services were provided free of charge and generally reliable against attack, there are mixed theories as to who could have wanted to destroy this mainstay of the anonymous online community.

Are Russian Hackers Responsible?

In recent weeks, Russian hackers on a website called www.antichat.com, outlined the technical details of exploiting PHP’s imap_open() function to extract password hashes for privileged accounts, as an alternative to brute force mining. Then, on Thursday (the same day as the attack), antichat.com forum staff member “Big Bear” posted a MEGA.nz link including a PDF, titled, “[RCE] 0-day в imap/c-client на примере PHP” (in English: [RCE] 0-day in imap / c-client using the example of PHP) detailing the imap_open exploit. The same post identifies the authors by the nicknames crlf and Twost, the latter of whom is also known as “Aleksandr.”

The Anti Child-Exploitation Community

Daniel’s darknet notoriety increased in 2016 when he ported Lucky Eddy’s perl-CGI LE-Chat script into PHP with mySQL or PostgreSQL backend, optimizing the environment for Tor and decreasing the darknet community’s reliance on Javascript, thus allowing for image sharing inside a chat platform (which is not available via XMPP and IRC) without potentially compromising posters’ identities. As a result, Daniel’s LE-Chat code became a popular platform for the darknet pedophilia community, and the home for many well-known Child Pornography sharing chatrooms such as Tabooless, Camp Fire, and Child Priori.

Individual “pedo-hunters” and anti-pedophilia groups have called for hacking Daniel’s services using large-scale distributed denial of service (DDoS) campaigns, specifically because it was rumored that the principal administrator and some key staff members were active in pedophilia-specific chats.

A Potential Law Enforcement Operation

Daniel’s Chat quietly resurfaced this past Saturday with a clean install and backup from early 2017, accompanied by a flurry of confusion over the assignments of administrator, moderators, and members. Without the comforting presence of the  “regular” member database and credentials, users had no way to verify that anyone was who they said they were. Many legitimately feared that popular nicknames of members and staff had been spoofed by trolls trying to capture access to the members-only chat. One user on the darknet social media site Galaxy3 stated that @daniel re-installed the chat and that it “sounded like him,” although with a caveat that everyone should be cautious.

At the same time, others theorized the extreme possibility that @daniel had actually been arrested and the take-down was led by international law enforcement or the German police. Daniel’s hidden services experienced extreme DDoS in the weeks preceding the hack, similar to other law enforcement-led darknet seizure operations.

Anti-Syntax Club or an Inside Job

For over a year, the nickname Syntax has been referenced with either extreme love or extreme hate. Hundreds of trolls have posted across forums and paste sites about how this purportedly 17-year-old female teenager is responsible for taking down a number of pedophilia chatrooms and community leaders in recent years. Since early this fall, there has been an increase in the number of anti-Syntax trolls repeatedly calling for attacks against Daniel’s services, more specifically Syntax and her ally ChatTor, since she was promoted to Super Moderator of Daniel’s popular and drama-filled chatroom during the summer and accused of abusing the position.

Other members have suggested the remote possibility the attack on Daniel’s was led by Syntax and ChatTor so that they could take administrative control of the chatroom, although a recent image capture from ChatTor states that it was simply about being at the right place at the right time.

International media recently highlighted the perils of Russian government sponsored cyber espionage operations against US elections in 2016, and the potential risks to the upcoming US midterm election this week.

With increasing concern over the validity of the US election process, DarkOwl analysts decided a review of Russia’s footprint across the darknet could provide insight on how operations on this scale are conducted.

By the Numbers

Russia-based anonymous websites comprise over 36% of the DARKINT™ collected by DarkOwl. DarkOwl has successfully indexed over 300 million pages across anonymous and deep web networks in the Eastern Slavic language of Russian. Russian hacking and carding forums accessible from the surface web account for 92% of the deep web content in DarkOwl’s Vision. 

There are significantly more Russian hidden services in Tor than sites on i2p or Zeronet, suggesting Russian darknet users prefer Tor over i2p. Russian-language eepsites account for only 10% of the i2p content archived in DarkOwl Vision. Russian activity on the anonymous network, Zeronet is negligible.

What we know the Russians have been involved in…

Enter “Russian hacking” into any surface web search engine and you will undoubtedly receive millions of results about Russia’s malicious cyber operations ranging to undermining the US democratic election process through to targeting of the US utility grid. Most recent indictments highlighted charges against seven Russian intelligence officers with hacking anti-doping agencies who used sophisticated equipment to target the organizations’ wireless (wi-fi) network. (Source)

TargetTechnique2014-2016 Hacks Against US Utilities (Link)Compromised Network Credentials via Simply Email Phishing2016 Election DNC (Guccifer) (Link)Vulnerability with DNC’s Software Provider, NGP VANUS State Voter Registration (Link)Structured Query Language (SQL) InjectionWorld Anti-Doping Agencies (WADA) (Link)Wireless Network SniffingUS Thinktanks (Hudson Institute/ International Republican Institute) (Link)Domain Phishing

When you dig into the shadows of forums and chatrooms accessible only via the darknet, only security researchers and law enforcement are actively chatting and posting about vulnerabilities to critical US systems and infrastructure. In order to discover clues about what the Russians might be up to, one would need the keywords associated with the technical specifics of the tools and techniques required to carry out such sophisticated operations.  

Reports regarding the recent Word Anti-Doping Agencies (WADA) hacks stated the Russians employed a wireless network sniffing device installed in the back of the operatives’s car for access to the WADA networks . The hackers also used a mixture of malware including Gamefish, X-tunnel, and Chopstick code, the majority of which have been seen before and used on other Russian-linked cyberattacks. (Source)

Figure 1: Russian GRU mobile Wi-Fi attack (Courtesy of Dutch Ministry of Defense)

Figure 2: Russian forum discusses how to use such a device to intercept passwords for wi-fi networks

(DarkOwl Vision Doc ID: 536bb1af90f7d52b28430510685c1b51)

As evident by recent attacks against US thinktanks, the Hudson Institute and the International Republican Institute, the Russians are well known for their employment of targeted spear-phishing campaigns based upon a thorough reconnaissance and well-orchestrated intelligence collection operation prior to any network subversion. Spear-phishing is a type of hacking based on social engineering, similar to email phishing, but directed towards a specific individual or entity within a network or organization. A leaked NSA document revealed how offensive cyber officers from Russia in 2016 sent election officials emails with a MS Word attachment that was infected with a trojan of a Visual Basic script that would launch a program opening communications back to the hackers’ IP address.

Figure 3: Detailed Tactics, Techniques and Procedures Used by the Russians to Target US Election Officials in 2016 (courtesy of The Intercept) (Read more)

The sheer volume of compromised email credentials posted for sale in Russian marketplaces and shared on authenticated hacking forums is alarming. 103 .gov email results in DarkOwl Vision contain the phrase “election” in their domain address (*@election*.gov) and could provide a valid starting point for any of the specific state election servers.

Figure 4: Advertisement of database with 458 Million Emails and Passwords for Sale in DarkOwl Vision

In the voter registration system hack in 2016, threat actors utilized simple whitehat vulnerability tools such as Acunetix, network discovery and exploitation kits like DirBuster, SQLMap, and SQLSentinel. Russian speaking hacker, Rasputin, infamously employed a proprietary-developed SQL injection exploit to successfully breach and harvest credentials from U.S. Election Assistance Commission (EAC) servers including accounts with administrative privileges. (Source)

Figure 5: Acunetix Web Vulnerability Scanner in Action

Figure 6: Discussion of how to use SQLMap against a target network on a Russian forum

(DarkOwl Vision Doc ID: 53e19c5fbe5c7d9c6e625e668d660617)

For the past few years, millions of US voter registration data with full names, address, and voting data have appeared on offer for sale on darknet hacking forums and marketplaces. DarkOwl has observed data from over 30 states ranging from $250 to $5000 USD per state including: Colorado, Ohio, Connecticut, Florida, Michigan, North Carolina, New York, Pennsylvania, Rhode Island, Washington, Kansas, Wyoming, Oklahoma, Maryland, Arkansas, Nevada, Montana, Louisiana, Delaware, Iowa, Utah, Oregon, South Carolina, Wisconsin, Georgia, New Mexico, Minnesota, Kentucky, Idaho, Tennessee, South Dakota, Mississippi, West Virginia, Alabama, Alaska, and Texas.

Figure 7: Deep Web Forum post with Content of Arkansas’s Voter Registration Database

(DarkOwl Vision Doc ID: 6e235a3bab7e4e3f293fb2f0f57c6cae)

Many of the posted state databases are older, i.e. Alabama and Alaska’s voter registration information is from 2015; however, many of these databases were on offer back on the infamous Alphabay darknet marketplace in 2016 as well.

Figure 8: A recent offer for several US State’s Voter Lists for sale as archived by DarkOwl Vision

(DarkOwl Vision Doc ID: cfae62df845b99fc173c42bd3b529303)

In recent weeks, comments from the vendor suggests that the voting records hacker has setup persistent access to the states’ databases, posting, “Besides data is refreshed each Monday of every week, once you request the data from me you will receive the freshest possible data from that state.” The fact this data is on the darknet is no surprise, as it is publicly available, open source information. It is a surprise anyone would actually pay for access to the information they could easily obtain themselves. Links to some of the state’s databases have appeared on some darknet forums as is, without any access payment required.  

The hacker on the forum identifies themselves as a white male software engineer from the United Kingdom and “apathetic human-being” with other information that could be easily pivoted to the surface web. There is no indication he is affiliated with Russian government sponsored hackers.

Russia-affiliated threat actors and hackers, whether lone wolf or operatives of a major government-led cyber offensive, have more than sufficient tools and resources across the deep web and darknet to successfully exploit and profit from network and/or server vulnerabilities. Utilizing commercially available penetration testing resources and exploits circulated and sold on the darknet, hackers regularly infiltrate networks while completely evading detection or knowledge of the system’s administrators. Next time we will review some of the Russia-specific marketplaces and forums where these attack techniques are planned and coordinated.

Curious about something you’ve read on our blog? Want to learn more? Please reach out. We’re more than happy to have a conversation.

This week we relaunch our “Into the Darknet” blog series that will not only provide a better understanding of the darknet’s history, users, uses and purpose, but will also take an in-depth look at other hot topics in DARKINT, cybersecurity, including malware, toolkits, viruses, cryptocurrency, marketplaces and OPSEC.

In this post, we take a high-level look at malware, toolkits and viruses (MTV), as they are some of the most commonly discussed, released and exchanged tools on the darknet.

Our analysts have adopted the term “MTV” to refer generally to a collection of malware, toolkits and viruses that are used to test, penetrate, exploit or compromise personal or commercial information systems and data. Common systems where MTV could be employed include desktop computers, laptops, servers, network devices, routers, firewalls, printers, WiFi adapters, tablets and smartphones.

WHAT IS MTV?

MTV is, and includes, any type of software code used either for good (information assurance) or bad (malicious) purposes, such as: Bots, Password Crackers, Rootkits, Adware, Backdoor Access, Keyloggers, Ransomware and Remote Access Trojans.

The average hacker will have some or all of these handy in his or her arsenal of tools to use against targeted information systems and will often utilize a variety of MTV in a full-fledged attack, depending on the intent of the operation.

Both penetration testing and risk analysis activities, like those conducted by the DarkOwl Cybersecurity teams, utilize these MTV tools for preventative purposes, to detect security holes which could lead to a compromised network. For example, THC Hydra (an open-source password cracking tool) can be used to test the strength of users’ passwords on private or commercial networks.

Malicious hackers, cyber spies and cyber criminals, however, can easily use this same code to exploit user accounts with weak credentials.

A brief History of MTV

The first example of malware debuted in the early 1980’s as a software video game piggyback, displaying the now-infamous Elk Cloner poem and corrupting the Apple boot sector. 

In the late 1990’s and early 2000’s, both the MTV market and the hacker community exploded with the propagation of the internet, aggressive social engineering tactics and the exploitation of spam emails for malware distribution.

By the mid-to-late 2000’s, malware like Conficker and Sinowal demonstrated how aggressively a virus can spread, and remote command and control, enabled via clandestine communication and package concealment was born.

As antivirus companies grew to counter these emerging threats, the hacker community accepted the challenge and created even more sophisticated and difficult to detect MTV.

Accessing valuable protected information

As society has become more dependent on online activity, our digital footprints, or online presences, have expanded. A lucrative market for the trade in this information existing on the darknet, with high value placed on personally identifiable information (PII), among other bits of data.

Malicious hackers and cyber criminals require a variety of MTV tools, such as network discovery tools, password crackers and backdoor access programs, in order to gain unauthorized access to key systems containing this valuable data.

These attackers establish a persistent presence via advanced persistent threats (APT) and remote access tools (RAT) to evade detection – and mitigate any IT security measures in place there to stop them.

Once connections are established and secured, hackers launch automated data mining programs to harvest valuable information, like PII, and send it to a remote server for final dissemination or leverage. 

TheDarkOverlord has resurfaced on Kickass Forum

TheDarkOverLord announces that they are officially back in business (Source)

TheDarkOverlord, one of the threat actors that DarkOwl analysts routinely monitor, has apparently resurfaced last week. In a recent series of posts, an entity claiming to be TheDarkOverlord is advertising a database of personal health information as well as user information taken from an unnamed gaming site – both of which are being offered for sale to willing buyers.

TheDarkOverlord is a hacker – or potentially a collection of personas – who regularly targets the healthcare industry, leaking thousands to millions of patient records.

TheDarkOverlord claims to have hacked “several medical practices”

In the post (pictured below), TheDarkOverlord advertises that they have over 67,000 patient records for sale, stolen from medical and dental practices in California, Missouri, and New York.

The forum listing advertises that these databases include personal and health information including full names, physical addresses, phone numbers, DOBs, driver’s license numbers, SSNs, medical histories, and much more. A specific price point was not provided; rather, the prices are “negotiable.” Interested buyers were instructed to send TheDarkOverlord an encrypted message using the forum’s private messaging system.

TheDarkOverlord also states that they’d be willing to entertain higher offers for data that “no one else will have,” giving the potential transaction a level of exclusivity that will likely attract a certain type of buyer and grab even more public interest.

Screenshot of TheDarkOverlord posting about medical records on Kickass Forum

Screenshot of TheDarkOverlord posting about medical records on Kickass Forum (as displayed in DarkOwl Vision)

Also for sale: a stolen database from a gaming website

On the same day, TheDarkOverlord posted a listing on the same Kickass Forum’s marketplace for 131,000 records from an “unnamed gaming website.” As advertised, these records include users’ email addresses, passwords, DOBs, IP addresses, and much more.

So far, it would appear that TheDarkOverlord is taking serious inquiries only. For example, in the comment section for the post below, someone asked for the name of the gaming website in questions, and TheDarkOverlord responded that they would like “proof of funds and intent to purchase” before disclosing any additional information.

Screenshot of TheDarkOverlord posting about gaming user info on Kickass Forum

Screenshot of TheDarkOverlord posting about gaming user info on Kickass Forum (as displayed in DarkOwl Vision)

Both postings on Kickass Forum remain live at time of publication. DarkOwl analysts will continue to track TheDarkOverlord and post updates here.

News broke out mid-August that Princess Evolution, a revamped form of the infamous Princess Locker ransomware that was first seen several years ago, is back with a fresh toolkit (see this article for example).

News coverage at the time suggested that the Princess Evolution ransomware had only recently surfaced. However, after further digging into the “newly uncovered” iteration of the ransomware, DarkOwl analysts discovered that Princess Evolution has actually been offered on darknet marketplaces dating as far back as this past April.  

What is the Princess Ransomware? 

Princess Evolution is a form of ransomware that encrypts most files on the infiltrated computer system and holds them hostage until the targeted user pays enough money to regain access to them. During the encryption process, the ransomware changes affected file extensions to a randomly generated string of characters.

To notify the targeted party that their files have been compromised, users are notified via a ransom note telling them that their files are locked, followed by instructions on where and how to pay the ransom sum. As of August 8 2018, users were instructed to pay the amount of 0.12 bitcoin (equivalent to US$773 as of that date). The malicious software is currently being advertised on 0day forum as RaaS (ransomware as a service) and is soliciting associates to help spread the malware to unsuspecting victims.

Screen capture of a DarkOwl Vision result – scraped in April of this Year – that depicts the ransomware Princess Evolution being sold on a darknet marketplace.

A similar posting on 0day forum; responses haven’t slowed down since the original post earlier this year.

Interested members are instructed to leave their Jabber ID as a thread comment or to send it in a private message to the 0day account “PR1NCESS.”  Our analysts calculate that there have been over one hundred comments from individuals interested in joining the campaign since the original post scraped by DarkOwl Vision in April.

Images: (Above, Right) Profiles of PR1NCESS on Codex and Kickass forums.

What is 0day?

0day is a popular darknet carding and hacking forum first established in 2015. Users are required to register an account before accessing any content on the forum. Additionally, once registered, user accounts must go through an activation process to receive full access to the forum.

The forum’s main purpose is to act as a marketplace for buyers and sellers of illicit goods, such as stolen credit cards, hacked accounts for legitimate websites, malwares and exploits, as well as other services. Some prolific sellers also advertise their own websites in the message boards.

The below image shows just a sample of the items offered for sale on 0day, as captured in DarkOwl Vision.

Example of items being sold on the 0day forum.

So, what should you do if you find yourself infected with the Princess Evolution ransomware? We recommend that you refer this article, which has a great step-by-step guide for regaining control of your computer and your files: https://www.pcrisk.com/removal-guides/10531-princess-ransomware. And, as always, organizations should continue to be proactive against ransomware threats by adhering to security best practices and actively educating all of their employees on their internal security plan.