Review of Ransomware Gang Activity Since Ukraine Invasion

In light of disturbances in the darknet due to nationalistic fractures amongst ransomware and cybercriminal groups, DarkOwl analysts did a cursory review of activity across ransomware-as-a-service (RaaS) gangs since the invasion of Ukraine.

We reviewed the number of reported victims by RaaS groups and the location of the victims, and determined the following:

  • Conti and Lockbit 2.0 lead in total number of victims announced since the 24th of February, 2022.
  • Conti was offline for almost a week due to infrastructure leaks and fractures with their Ukrainian-aligned affiliates. Since March 1st, the group has resumed locking and leaking victims’ networks around the world.
  • Several key Tor services for well-known RaaS gangs, including Pay2Key, Blackbyte, and Cuba, are online and active; however, they have not shared any victim’s data since the invasion on February 24th, 2022.
  • A new RaaS group called Pandora Gang hit multiple victims in a matter of days, including two victims from Japan.
  • STORMOUS ransomware has been heavily targeting Ukraine.
  • STORMOUS most recently attacked 4A Games (Ukraine) and EPIC Games (US).
  • Given the severity of the attacks against Nvidia and SAMSUNG, LAPSUS$ is now being categorized as a RaaS gang, even though they do not have an affiliate program that we are aware of.
  • US, Canada, UK, Czech Republic, and Germany have the highest volume of ransomware victims in the distribution by location of victims published in the last two weeks.
  • Many ransomware victims have direct connections to US and Western critical corporate/government operations and supply chains.

NOTE: The charts below do not take into consideration attacks by Russia against Ukrainian networks in conjunction with HERMETIC WIPER attacks, or leaks released by Free Civilian. The totals, as reported by the Ukrainian government, would exceed the totals counted here for the US.

LAPSUS$ Group: Additional Findings

The cybercriminal group LAPSUS$ has ramped up their activities since the invasion – emboldened by their attacks against Nvidia and SAMSUNG.

They recently solicited experts in various specific industries for their next victim selection, possibly looking for insiders to assist. Telecommunications, software development/gaming, hosting, and call-centers were among the industries requested.

Over the weekend, LAPSUS$ also implied they were responsible for the recent “cybersecurity incident” at Ubisoft.

DarkOwl will continue to monitor RaaS activity and update as new information becomes available.

Curious about something you read? Interested in learning more? Contact us to find out how darknet data applies to your use-case.

Analysis of Ukrainian Data Released on the Darknet in Lead-up to Russian Invasion

DarkOwl is aware that as of February 23rd, 2022 Ukraine’s digital infrastructure came under further significant DDoS attacks, with several government and financial websites under duress. Hours later Russia launched direct kinetic attacks against strategic targets around the country and ground forces crossed the border on multiple fronts. Ukraine’s critical infrastructure is under direct attack, martial law has been declared, and civilians are struggling to withdraw funds from ATMs. Our analysts will continue to update with key insights from the darknet as they become available.


In mid-January 2022, open-source and public news media reported that several Ukrainian government networks had been compromised during a series of cyberattacks the night of 13th-14th of January, including deployment of what security researchers have identified as the “WhisperGate” malware. Within hours of the attack, data described as originating from the Ukrainian government appeared on forums across the darknet and deep web.

DarkOwl observed a surge in leaked data related to the Ukrainian government in January, but has not uncovered conclusive evidence of whether this data was stolen during the cyberattacks days before or merely released immediately afterwards as part of a psychological intimidation campaign against the people of Ukraine.

Additional Ukrainian government and civilian data appeared on a Tor onion service called “Free Civilian,” which DarkOwl assesses is possibly affiliated with a threat actor using the moniker “Vaticano” on Raid Forums. The user was banned from the well-known deep web forum late on January 15th by moderator Jimmy02, who stated:

“For one reason or another I have determined that this is a bad database, this could mean it’s a fake or just a shitty sample.”

Given increasing international tensions and the on-going cyberattacks against Ukraine, DarkOwl analysts compiled and reviewed Ukraine-related data on popular deep web forums and Tor hidden services shared in recent weeks. Most of the data “archives” consisted of raw text files, emails, spreadsheets, SQL databases, scanned photographs and PDF files containing various types of personally identifying information (PII).

While many of the leaked archives of data were created within a few hours of the attacks in mid-January, there are no indications they were directly obtained as a result of the attacks.

Mid-January Cyberattacks and Website Defacements

On 13th-14th of January, 2022, multiple Ukrainian government, non-profit, and information technology organizations experienced cyberattacks and public-facing website defacements. The attackers used a ransomware-esque malware attack, rendering many systems inoperable in addition to defacing official government websites across the country, loading an ominous message in Ukrainian, Polish, and Russian.

“Ukrainians! All your personal data was uploaded to the internet,” the message read. “All data on the computer is being destroyed. All information about you became public. Be afraid and expect the worst.”

Microsoft’s incident responders indicated the destructive malware campaign was designed to mimic extortion-based ransomware by deleting critical files, locking down the systems, and loading a ransom note demanding $10,000 USD in Bitcoin. The ransom demand was for show and irrelevant to the attackers’ intentions.

The Security Services of Ukraine (SBU) reported they were investigating the matter closely together with the State Service of Special Communications and the Cyber Police and believed that over 70 organizations across Ukraine had been targeted by “special services of Russia” the night of the attacks on 13/14 January. While 10 organizations were subject to “unauthorized interference,” no personal data had been compromised or leaked. (Source)


Cyberattack Methods Analyzed and Possibly Reused

Cybersecurity units at Microsoft, CrowdStrike, and Palo Alto Networks have published expert descriptions of the attack vectors deployed on the night of the January 13 cyberattacks against cyber targets across Ukraine. Technical analysis suggests a vulnerability in the OctoberCMS content management system allowed for the website defacements. The attackers also utilized the WhisperGate destructive wiper malware family to lock down the networks in a ransomware-style campaign.

According to Microsoft, WhisperGate involved two stages: the first stage overwrites the master boot record (MBR) with a ransom note, and the second stage downloads a data-corruption malware named Tbopbh.jpg that overwrites targeted files with a fixed number of 0xCC bytes. Incidentally, the malicious file was downloaded from a Discord server.
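The stage-two corruption pattern described above leaves a simple on-disk signature that responders can triage for. The following Python is an added example, not DarkOwl’s or Microsoft’s code: it walks a directory tree and flags files whose leading bytes are an unbroken run of 0xCC; the run-length threshold and the constructed sample files are assumptions made here for illustration.

```python
import os
import tempfile
from pathlib import Path

# Byte value the WhisperGate corruptor writes over file contents (per Microsoft).
CC_BYTE = 0xCC

# Minimum run of leading 0xCC bytes needed before a file is flagged. This is an
# assumption chosen for triage to avoid false positives on tiny padding files;
# the corruptor's actual fixed output size is documented in Microsoft's report.
MIN_RUN = 4096


def is_cc_corrupted(head: bytes, min_run: int = MIN_RUN) -> bool:
    """Return True if `head` (the first bytes of a file) is at least `min_run`
    bytes long and consists solely of 0xCC, i.e. matches the wiper pattern.

    Empty files and files shorter than `min_run` are not flagged: a short
    all-0xCC file is more likely to be padding or an x86 int3 sled than wiped
    data, and such files are in any case unrecoverable whether flagged or not.
    """
    if len(head) < min_run:
        return False
    return head[:min_run] == bytes([CC_BYTE]) * min_run


def scan_tree(root: str, min_run: int = MIN_RUN) -> list:
    """Walk `root` and return sorted paths of files matching the 0xCC pattern.

    Only the first `min_run` bytes of each file are read, so the scan stays
    cheap on large trees. Symlinks and unreadable files are skipped.
    """
    flagged = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink():
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(min_run)
            except OSError:
                # Locked, permission-denied or vanished files: skip, do not abort.
                continue
            if is_cc_corrupted(head, min_run):
                flagged.append(str(path))
    return sorted(flagged)


def demo() -> list:
    """Build a constructed sample tree and return the basenames flagged.

    The files are fabricated for this example; they are not artifacts from the
    incident. Expected result: only 'wiped.docx' is flagged.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        # A "wiped" document: contents replaced by a long run of 0xCC.
        (root / "docs" / "wiped.docx").write_bytes(bytes([CC_BYTE]) * 8192)
        # An intact text file.
        (root / "docs" / "report.txt").write_bytes(b"quarterly numbers, unchanged\n")
        # A short padding file that is all 0xCC but below the threshold.
        (root / "pad.bin").write_bytes(bytes([CC_BYTE]) * 100)
        # An empty log file.
        (root / "empty.log").write_bytes(b"")
        # A file that starts with 0xCC but is not a clean run.
        (root / "mixed.dat").write_bytes(bytes([CC_BYTE]) * 4095 + b"\x00" * 4096)
        return [Path(p).name for p in scan_tree(str(root))]


if __name__ == "__main__":
    print(demo())
```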

By utilizing open source intelligence and DarkOwl Vision, our analysts discovered multiple instances of MBR-style attacks – including an attack against Banco de Chile from 2018. WhisperGate also shares strategic similarities with the NotPetya attacks used against Ukraine back in 2017.

DarkOwl also noticed a cybersecurity researcher (@Petrovic082) using the hashtag #KillMBR on Twitter which they linked to potential malicious executables associated with the malware family. Users active on Chinese bulletin boards have since been closely analyzing the uploaded executables for reuse and virus detection. (Source)

Breaking news indicates Russia deployed a new hard disk wiper malware variant called HermeticWiper (KillDisk.NCV) across strategic cyber targets on the 23rd of February prior to the full-scale military invasion of Ukrainian sovereign territory.


Analysis of Leaked Data Found in the Dark Web

On the 14th of January, the now-banned Raid Forums user known as Vaticano posted what appeared to be a user SQL database for the my.diia.gov.ua website. This leak surfaced within hours of the ransomware attack and website defacement on the DIIA server in Ukraine, although the raw user database from DIIA appears to have been created in late December.

Other users on Raid Forums doubted the veracity of the data posted by Vaticano, asking “where is the full data base?” calling it “bullshit and fake advertising,” “not true and old information,” or that the “data is identical to the old leak.”

In response to the criticism, Vaticano shared additional databases from their “archive” described as “medstar.sql” and “somefilesfromnotcatholic.zip” discussed below.

my.diia.gov.ua

According to the leaked data, a DIIA SQL database, users.sql, was generated via a PostgreSQL database dump, and dated 24 December 2021, 12:17:17 EST. A table, public.users, appears to contain email addresses, passwords, dates of birth, phone numbers, home addresses, passport numbers, ID card numbers, and foreigners’ document numbers. The SQL file is likely an excerpt of a larger database. DarkOwl found 103 email addresses for users of the service, with most consisting of accounts from personal email providers such as gmail.com and ukr.net.

medstar.sql

The website medstar.ua is a commercial cloud-based ‘digital-medicine provider’ offering telemedicine, prescription, medical imaging, and laboratory services in Ukraine.

The leaked medstar.sql database does not contain any header information to denote the names of the tables or the date of extraction. However, the SQL table appears to be a registry of 669 medical appointments with each patient’s personal information, e.g. full name, date of birth, phone number, address, age, gender, and even a photo, with links to an external website domain, health.mia.software, containing their image and scans. The doctor’s information is also included with each record, with 606 doctors affiliated with the territorial medical association of the Ministry of Internal Affairs. The appointments covered a range of specializations such as therapy, neurology, infectious diseases, etc.

The latest appointment date in the database was November 30, 2021, suggesting this file was likely created sometime in December before the new year.

somefilesfromnotcatholic.zip

The files contained in the archive somefilesfromnotcatholic.zip are all date/timestamped: January 15th 2022 / 12:48. The archive consists of five folders, each containing 20 subfolders spanning several years of various official letters, photographs, and applications for government services. One folder contained letters directed to the Ukrainian Ministry of Internal Affairs requesting the production of specific license plates for individuals. The data archive includes several Ukrainian citizens’ personal information such as phone numbers, email addresses, driver’s licenses, passports, and national identification information related to vehicle registration and driving. The latest data file in the archive was date/timestamped: November 15th, 2021/19:58.

Notably, the archive appears to be a sample of a larger dataset of vehicle data the threat actor has in their possession.

mail.minregion.gov.ua

Less than 18 hours later and on the original thread, Vaticano shared an archive of supposedly stolen emails from the Ukrainian Ministry of Community and Territories Development server, mail.minregion.gov.ua. The sample included 79 email messages (.msg files) with various correspondence between employees of the organization in November and December 2021. The messages appear to have originated with one email address, and the latest message was dated December 20th, 2021, 14:17:18 EET.

It’s unclear if this is a subset of a larger volume of emails the threat actor has access to, or whether they only had access to one user’s mailbox within the organization. DarkOwl was able to extract 425 unique group and individual e-mail addresses from the archive shared.

diia_filestorage_db01.rar

Shortly before getting banned on Raid Forums, the user Vaticano shared yet another database on the original thread, labelled diia_filestorage_db01.rar. The archive consists of 81 JSON files with records containing unidentified applicant user information, e.g. full name, date of birth, passport number, phone number, email address, physical address, photo, and COVID vaccination and medical data privacy consent. The latest applicant record was dated October 22nd, 2021.

According to their website, DIIA is a mobile app developed by the Ministry of Digital Transformation of Ukraine and launched in 2020. It allows Ukrainian citizens to upload digital versions of their official documents to their smartphones, instead of carrying physical ones, for identification and verification purposes. It’s likely that this dataset is a sample of a larger set of files held by the threat actor. DarkOwl found 77 unique personal email addresses for Ukrainian citizens in the database, mostly from gmail.com and ukr.net.

Free Civilian

Within a week of Vaticano’s exile from Raid Forums, the Tor onion service “Free Civilian” appeared online offering to sell various databases from government organizations across Ukraine, along with a personal statement detailing the drama between the admin of the Tor service and the moderators of Raid Forums, declaring the forum is no longer “the island of freedom.” (Source: DarkOwl Vision)

Additional data proofs on the Free Civilian onion service confirmed that the leaks Vaticano shared on Raid Forums were smaller samples of data from larger databases they had access to and were offering for sale on the darknet site.

On the Tor onion service, the sizes of the databases for sale were significantly larger than the samples shared on Raid Forums. The DIIA database was 765 GB and offered for sale at $85K USD, with a price increase to $125K USD by early February. Another database, titled “e-driver.hsc.gov.ua” and containing Ukrainian driver and vehicle information, was listed at 431 GB and offered for sale for $55K USD. The samples from Free Civilian correlated to the samples Vaticano provided in the somefilesfromnotcatholic.zip archive on Raid Forums.

Free Civilian lists several other databases for sale summarized below:

  • wanted.mvs.gov.ua – Ukraine’s government database of criminal records.
  • health.mia – Ministry of Internal Affairs servers hosting patient health data.
  • mtsbu_samples_db – Ukraine’s Motor (Transport) Insurance Bureau.

As of the date of publication, both the DIIA and e-driver.hsc.gov.ua databases were marked as sold.

More Ukraine Data Surfaces

Banning Vaticano did not stop Ukraine-related data from appearing on Raid Forums. Another user shared a sample called “PFU of Ukraine” which consists of a text file containing over 53,000 names of individuals in Ukraine and phone numbers.

DarkOwl uncovered 156 unique email addresses in the file. The domain pfu.gov.ua is associated with the Ukrainian government’s pension fund website.

Days after the PFU leak, a post titled DTEK[UA] appeared offering to sell over 200 credentials exfiltrated from employees at a large energy investor in Ukraine. The post also stated that the vulnerability used to extract the data was available. The Raid Forums user has a history on the forum, having authored at least 46 posts. (Source: DarkOwl Vision)

A leak titled “Ukrainian Police Dox” also emerged containing a zip file of various PDFs with PII for officials dated October 2020.


There is no evidence to conclude any of the recently shared data was sourced during the mid-January cyberattacks.

The Ukrainian data leaks in January were not the first time Ukrainian government and citizen data has been exposed in the underground. Last year, DarkOwl captured numerous spreadsheets and database archives allegedly affiliated with Ukraine disseminated and discussed on a Telegram channel known for stolen data brokerage.

DarkOwl also follows the popular Telegram channel DB Leaks (a.k.a. @d3atr0y3d), who shares posts in English and in Russian and uploads files believed to have been captured from compromised sites and servers around the world. Coincidentally, they shared the same DIIA archive shared by Vaticano on the 23rd of January, within days of the appearance of the Free Civilian Tor service. (Source: DarkOwl Vision)

Furthermore, in fall 2021, they uploaded several Ukraine-specific databases including a list of personnel assigned to the Special Operation Forces of Ukraine and Ukrainian candidates for local parliamentary elections. The figure below includes more examples of the types of data they shared.

The channel has also posted leaked databases from targets inside Russia, including the list of donors to the FSK, the non-profit Anti-Corruption Foundation set up by Alexei Navalny.

Interestingly, during the second half of 2021, several other Raid Forums users circulated information about Ukraine’s nuclear power plant, a spreadsheet of stolen and lost weapons in Ukraine, residents of Ukraine, and companies registered in Ukraine along with information pertaining to the country’s financial and economic activity. (Source: RaidForums)

Closer analysis revealed these archives were re-shares of various posts on the DB Leaks Telegram channel dropped earlier in 2021, perhaps by proxies of @d3atr0y3d or one of their associates (information support), acting directly at their request.


Who is Vaticano?

Vaticano, the Raid Forums user who caught the attention of DarkOwl analysts in mid-January, created their account on the deep web forum within hours of their first post and has no prior history on the forum. The Vaticano persona includes an avatar of the Pope surrounded by flames along with calls for the people of Ukraine to return to the Catholic Church.

Vaticano discouraged another user on the forum from leaking manuals for Polish Army logistical resources in an attempt to align with the original messaging of the website defacements in 2022 to blame Poland for the attack. (Source)

Another user on the forum tried to vouch for Vaticano commenting that they knew he was in Russia.

“Lolz guru, my friend knows this user. He is in Russia.”

Vaticano further attempted to cloud their origins in a comment after sharing the sample of minregion email server messages, requesting if anyone could “read their language”, referring to the Ukrainian text in the email messages from the compromised email accounts.

The Tox ID listed on the Free Civilian Tor service, potentially administered by Vaticano, does not match the Tox ID included in the ransom note deployed the night of the mid-January attack.


Polish “DIS” connection

The mid-January Ukrainian government website defacements included references to several controversial historical events between Ukraine and Poland. It mentioned Volyn, a part of Poland that Ukraine annexed in 1939, and the Organization for Ukrainian Nationalists (OUN), which was a far-right political group that operated in the region of Galicia – part of Poland before WWII.

Research suggests that such allusions were likely part of a Russian-originated false-flag operation to incriminate Poland for the January attacks. Polish journalists noticed that the Polish translation of the threatening message was the work of a non-native speaker and was likely produced using Google Translate.


Cyberattacks Continue

On the 14th-15th of February 2022, Ukraine’s Ministry of Defense, its Armed Services along with Privatbank, Oschadbank, and Monobank financial institutions, experienced severe DDoS attacks resulting in the organizations being taken offline. According to open-source reporting, many Privatbank users received fake text messages stating the bank’s cash machines were out of service, which caused additional stress on the bank’s network – with a surge of users checking their account balances at ATM locations around the country.

Last August, DarkOwl observed a senior and extremely active user on Raid Forums offer a database containing over 40 million Privatbank users’ personal information, including their name, date of birth, and phone number. This dataset could have easily been utilized to target Privatbank customers in this information operations campaign against Ukraine. (Source: DarkOwl Vision)

The date of the DDoS attack, while possibly insignificant, is exactly one month after the defacement and malware attacks in January. The impact of the DDoS was not large enough to be categorized as a full cyberattack, but with geopolitical tensions rising to possibly the brink of war, the campaign was likely a part of a larger asymmetric psychological operation.

US intelligence reporting on the second wave of cyberattacks in February assessed that Russia’s main intelligence directorate, the GRU, was responsible.


Propaganda and Disinformation

The sheer volume of propaganda in open-source reporting renders correlating darknet findings against OSINT around the conflict challenging, if not impossible. Tor discussion forums known for historical propaganda circulation are surprisingly absent of any Ukraine-specific reporting in recent months while some users on Telegram shared fake photos of mushroom clouds inciting fear that Russia had used a nuclear weapon against eastern Ukraine.

One could interpret the lack of information as stemming from the possibility that the Russians had no need to use typical darknet services for dissemination; the disinformation and misinformation campaigns are directly targeting other sources and platforms; or it is already embedded within other news media sources. According to Reuters, Ukraine’s Deputy Secretary of the National Security and Defense Council, Serhiy Demedyuk, officially attributes the 13/14 January defacements to a cybercriminal group operating out of Belarus identified as UNC1151.


“This is a cyber-espionage group affiliated with the special services of the Republic of Belarus.”

Mandiant assesses UNC1151, also identified with the “Ghostwriter” campaign, as responsible for direct espionage and obtaining confidential information on Belarusian dissidents, media entities, and journalists. Other research indicates that UNC1151 is potentially affiliated with Russia-supported anti-NATO disinformation campaigns that have been in circulation over recent years, replacing genuine articles on news sources with fake ones and spreading false quotes of political and military officials across Lithuania, Latvia, and Poland. However, direct attribution of UNC1151’s role in recent cyberattacks in Ukraine is indeterminate.

DarkOwl also found a darknet threat actor group known as Cyberpartisans trying to help defend Ukraine from Russia’s aggressions. The group claimed responsibility for an attack against the Belarusian rail network system to stymie Russia’s movement of troops towards Ukraine, even though moving troops by rail would not be a necessity for an invasion. The Cyberpartisans self-identify as a pro-democracy group of hacktivists, and last year tapped Belarus’s Ministry of Internal Affairs phone lines, leaking on Telegram conversations between officials about organized protests against the country’s infamous dictator.

In recent weeks, Lukashenko has been overtly supportive of Putin, jointly overseeing strategic military exercises in Belarus, including launches of Russia’s hypersonic missiles in a public show of the two countries’ alliance and continued cooperation. Belarus will undoubtedly play a critical role in the region in the events unfolding.


DarkOwl is monitoring the darknet as the conflict in Ukraine ripples throughout the European continent impacting the global economy and stressing international partnerships and alliances. We anticipate a fluctuation in underground network and criminal activity across Tor and other anonymous networks in the near term. We also forecast the KillMBR/KillDisk destructive wiper malware and attack methodologies debuted in Russia’s asymmetric operations against Ukraine’s critical digital infrastructure to be widely adopted by other criminal gangs and nation-state sponsored cyber operatives in future campaigns.


Darknet Threat Actor Report: LAPSUS$

In order to curate interesting darknet data collection from sources across the deep web, Tor, I2P and other “darknets” our analysts regularly follow “darknet threat actors” that openly discuss and disseminate stolen critical corporate and personal data.

In December 2021, DarkOwl witnessed increased activity on the darknet regarding the cybercriminal gang known as LAPSUS$. The group appears to have a preference for attacking Portuguese-speaking organizations using data extortion-style campaigns and for leveraging compromised AWS servers where possible. Thus far, LAPSUS$’s attacks seem to have had little critical impact on the victims’ organizational operations, with seasoned darknet community members stating the group is “amateur.”

DarkOwl believes the cybercriminal group has potential to become a formidable darknet threat actor with the increasing frequency of attacks in recent weeks. The lethality and economic impact of the attacks against their victims have yet to be determined.

Vodafone Telecommunications in Portugal

Since last December, the darknet threat actor group known as LAPSUS$ has been actively targeting Portuguese-speaking services across Latin America and Portugal, including prominent media and telecommunications companies on both continents.

Most recently, between 7 and 8 February, Vodafone Portugal – a subsidiary of Vodafone Group in the UK – stated in a press release the company was subject to a “deliberate and malicious cyberattack with the aim of causing damage and disruption.” Open-source reports indicate the attack impacted Vodafone’s 4G/5G voice and SMS service as well as its television services, but no ransom was demanded. While there is limited information about the attack in the press, Vodafone maintains no subscriber or sensitive customer data was accessed or stolen.

On the LAPSUS$ Telegram channel, the group posted “Vodafone” with the eyes emoji without directly claiming credit for the attack. When someone directly asked if they were responsible for the Vodafone outage affecting millions of mobile phone subscribers, they stated:

“we don’t confirm or deny this yet.”

LAPSUS$’s Flurry of Activity Since December 2021

DarkOwl analysts began closely following LAPSUS$ across the darknet, deep web, and adjunct communication platforms after they claimed responsibility for a major cyberattack against the Brazilian Ministry of Health in mid-December. The cyberattack, allegedly “ransomware in nature,” compromised Brazil’s Ministry of Health COVID vaccination records database, deleting the entire database contents and defacing its website with the following message:

[TRANSLATED]

“The internal data of the systems were copied and deleted. 50 Tb of data is in our hands. Contact us if you want the data back”

The Brazilian government acknowledged their web services were offline and inaccessible to users for a short period of time without directly admitting it was LAPSUS$ who carried out the attack. The attack was like other ransomware/extortion-based attacks in the reported deletion of data; however, there was never a monetary ransom demand stated nor evidence of the group possessing the data or sharing compromised records on the darknet – despite cheers from their online supporters to release information on President Bolsonaro’s vaccination status.

The group posted a statement on Telegram indicating that they had gained access to the Ministry of Health’s Amazon Web Services (AWS) and claimed they did not want to post evidence of their access because they still had access to the system despite the Ministry of Health restoring their services.

On Christmas Eve, the LAPSUS$ group attacked the Brazilian telecommunications companies Claro and Embratel and reportedly stole over 10 PB (10,000 TB) of sensitive corporate information and SIM details for Claro customers from mass data storage systems such as AWS, 2x GitLab, SVN, 5x vCenter (MCK, CPQCLOUD, EOS, ODIN), Dell EMC storage, and Telecom/SS7.

The group shared screenshots detailing their level of access to the Claro network infrastructure and data on the dark web. We are still investigating how the group originally gained access to Embratel and Claro’s infrastructure. The group emphasized the extent of their access in the companies, highlighting they had access to over 1,500 virtual machines in use by Embratel and 23 unique hosts (IP addresses). From the screenshots, DarkOwl confirmed they used Windows Remote Desktop application to connect to many of the compromised computers within the Claro Network on their web browser. The screenshots included network management utilities for the network and their SIM network.

They also shared screenshots from a PowerPoint presentation they found on Claro’s network that detailed how law enforcement intercepts phone calls, SMS messages, and Claro customer network activity.

(Note: the images below have been blurred intentionally so as not to reveal PII)

It is unclear from the screenshots shared whether members of the LAPSUS$ group used their local machines or a virtual environment to carry out the attacks. Nevertheless, the desktop of the browser screenshot suggests the OS was Windows and the temperature was 4 degrees Celsius at 21:56 on December 25, 2021.

Applying some simple OSINT analysis using historical weather databases, we discovered São Paulo, Brazil did not have matching weather conditions at that date and time, but London, United Kingdom experienced similar weather. This either means that the LAPSUS$ group includes members from around the world or that their computing environments are set to the UK/GMT time zone.

Regardless of their physical location, the LAPSUS$ group has a preference for attacking Portuguese-speaking organizations on both the South American and European continents. Representatives of the group speak English on their Telegram channel.

In early January, the group conducted defacements similar to those against the Ministry of Health in Brazil for Impresa, a major media outlet and parent to SIC and Expresso in Portugal. The group’s access to Expresso’s digital resources was extensive. During the attack LAPSUS$ members sent phishing SMS texts to Expresso’s subscribers, posted tweets from the news media’s verified Twitter account, and defaced its Twitter account, pasting to the top of the page the phrase:

“Lapsus$ is officially the new president of Portugal.” (Source)

Information security researchers have noted that the text on the defacement is ‘Brazilian’ Portuguese – instead of European Portuguese – increasing the likelihood the threat actors are based out of Brazil. LAPSUS$ claimed in their defacement they had access to the company’s cloud services at AWS.

[TRANSLATED]

The data will be leaked if the necessary amount is not paid. We have access to the ‘cloud’ panels (AWS). Among other types of devices, the contact for the ransom is below.

Note from our analysts: When we think of “exposed credentials” we generally think of e-mail or server authentication data, e.g. username, e-mail address and/or password. The darknet is also a haven for other types of critical corporate credentials, including developer AWS cloud account identifiers such as keys and secrets for S3 buckets and web services.

Image: Example AWS_SECRET credentials shared on the deep web (Source: DarkOwl Vision)
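As an added illustration of the exposure described in the analysts’ note above (example code, not DarkOwl’s or AWS’s own tooling): a small scanner that flags AWS access key IDs and adjacent high-entropy secret keys in scraped text and redacts them so a finding can be recorded without reproducing the leak. The sample paste is constructed from AWS’s published documentation example values; the entropy threshold and the one-line look-ahead window are assumptions.

```python
"""Detect and redact AWS credential pairs in scraped text (added example)."""
import math
import re
from collections import Counter

# AWS access key IDs are 20 characters: a 4-letter prefix (AKIA = long-term
# IAM user key, ASIA = temporary STS key) followed by 16 uppercase alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")

# Secret access keys are 40 characters from the base64 alphabet. The pattern
# alone is noisy, so a Shannon-entropy check below filters out plain words.
SECRET_RE = re.compile(r"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")

# Constructed sample paste. The key pair is the example pair from AWS's own
# documentation, not a real credential.
SAMPLE_PASTE = """\
# constructed sample paste, keys are AWS documentation example values
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
unrelated line ASIATESTKEY000000001 notasecretxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
"""


def shannon_entropy(s):
    """Bits of entropy per character; random 40-char secrets score well above 4."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value, keep=4):
    """Keep a short prefix for correlation, mask the rest."""
    return value[:keep] + "*" * (len(value) - keep)


def find_aws_credentials(text, min_secret_entropy=4.0):
    """Return one finding per access key ID found in the text.

    Each finding records the 1-based line number, the key type, the redacted
    key ID and, if a high-entropy 40-char token appears on the same or the
    following line (assumed window), a redacted candidate secret.
    """
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        for m in ACCESS_KEY_RE.finditer(line):
            key_id = m.group(1)
            secret = None
            # Secrets are usually pasted right next to the key ID.
            window = line + "\n" + (lines[i + 1] if i + 1 < len(lines) else "")
            for s in SECRET_RE.finditer(window):
                cand = s.group(1)
                if shannon_entropy(cand) >= min_secret_entropy:
                    secret = cand
                    break
            findings.append({
                "line": i + 1,
                "key_type": "temporary (STS)" if key_id.startswith("ASIA")
                            else "long-term (IAM user)",
                "access_key_id": redact(key_id),
                "secret_present": secret is not None,
                "secret_redacted": redact(secret) if secret else None,
            })
    return findings


if __name__ == "__main__":
    for finding in find_aws_credentials(SAMPLE_PASTE):
        print(finding)
```

The second key in the sample is reported without a secret because the 40-character token beside it has low entropy and is filtered as a plain word.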

Barely a week after the attacks, LAPSUS$ announced on their Telegram channel that their next victim was Localiza Rent a Car SA. The attack appeared to be a DNS spoofing attack on the company’s website, redirecting Localiza website visitors to a porn site instead.

According to open-source reporting, the company reported a “partial interruption” and there was no evidence any customer data or sensitive information was stolen. No ransom demand was made either. 

Less than two weeks later, LAPSUS$ shared a Twitter post from Portugal-based Francisco Martins, who argued that the Grupo Cofina attack was against the company and not an attack on press freedom, and another post referencing a popular Cofina journalist. LAPSUS$ never officially claimed responsibility for the attack on the Portuguese media outlet, which impacted multiple digital content platforms including Correio da Manhã (Morning Mail), Sábado (Saturday) magazine, Jornal de Negócios (Business Journal), Diário desportivo Record and CMTV. (Source)

Technical specifics of the attack against Cofina are still murky, with little to no information coming directly from LAPSUS$. Security researchers note similarities to the “no ransom demand” style of attack carried out by LAPSUS$, e.g. file corruption and extortion, and the fact that the group hit other major Portugal-based media companies merely weeks before.

Portugal’s Judicial Police (PJ) are actively investigating the incident, and it is not proven that LAPSUS$ carried out the attack. The group could be posting to their Telegram channel to imply a connection without proof and gain criminal credibility.

Image: Twitter Post Circulated on LAPSUS$ Telegram channel the day of Cofina attack. (Source)

[TRANSLATED]

“The Lapsus group just wanted to shut up Tânia Laranjo #Respect”

Additional Historical Evidence Surfaces

Using DarkOwl Vision, DarkOwl detected previous activity from LAPSUS$ on the deep web and darknet, including posts in July 2021 on RaidForums and other darknet forums claiming they had compromised networks and stolen FIFA game data from EA. On those posts, they shared their PGP key, signed the posts “LAPSUS$”, and logged into the forums using the pseudonym 4c3.

Image: (Raid Forums, URL available upon request)

Posts from the group on another darknet forum last summer, written in English, detailed to EA that they had found a Remote Code Execution (RCE) vulnerability in the “frostbite engine” and that they had no intention of targeting console users. This is a typical approach to extorting a company over a specific vulnerability, i.e. a “malicious bug bounty.”

In August 2021, the LAPSUS$ group ended up leaking the EA/FIFA data they had stolen after their attempt to extort the company for $28 million USD failed. (Source: Raid Forums)

Users on RaidForums indicated the 4c3 moniker for LAPSUS$ on the forum was also tied to a CryptBB staff member known as Cyberjagu who was also trying to sell the EA source code. 4c3 denied any connection. According to open-source reporting, analysts with Blackberry’s Research and Intelligence Division confirmed Cyberjagu is some sort of “intermediary” for the cybercriminal group behind the EA/FIFA attack.

Drama Between Doxbin & LAPSUS$

In early January, the “dox” of a potential LAPSUS$ member surfaced on the controversial deep web paste site known as “Doxbin” and has received over 7,000 views as of the time of writing. The dox – intentionally not included here – suggested the LAPSUS$ member was actually a 16-year-old teenager residing in Kidlington, UK who regularly used the pseudonym(s) SigmA, wh1te, and Breachbase in the underground. The dox may have been leaked in retaliation after LAPSUS$ shared hacked internal docs from Doxbin on their Telegram channel on the 5th of January.

According to the LAPSUS$ Telegram channel and the LAPSUS$ Twitter account, SigmA (@sigmaphoned/Alexander) might be a “high-ranking” member of the LAPSUS$ group. Since late January, many of the users on Telegram have been trying to reach SigmA, but he’s not responding to messages. The January dox suggested he might be in the process of relocating to Spain with his family. (Source: DarkOwl Vision)

Image: Users in LAPSUS$ Telegram Channel inquire about SigmA’s whereabouts

A Preference for Monero Leads to a Telecommunications Phishing Campaign

Last summer, LAPSUS$ also posted a Monero address on a deep web forum, which DarkOwl Vision discovered. The same address was also included in numerous scam/phishing reports from users of the British mobile telecom providers EE and Orange. In July, EE users reported receiving an ominous message from LAPSUS$ demanding EE pay them “4 millions USD” after making normal iTunes purchases. Perplexing to users, the texts arrived from historical “iTunes messaging” phone numbers.

Image: (Source)

Curious about something you’ve read? Interested to learn more? Contact us to learn how darknet data applies to your use case

From DarkOwl’s CTO: Deciphering Darknet Big Data

Ramesh Elaiyavalli has joined DarkOwl as its Chief Technology Officer, bringing a wealth of data science expertise and a zest for solving complex technical problems. We spoke to Ramesh to give our readers an opportunity to hear his unique thoughts and present a fresh perspective about the critical intersection between the darknet and big data.

One thing I’ve learned since joining DarkOwl is that the darknet, the deep web and all that encompasses the underground criminal ecosystem is constantly evolving, in size, shape, and color. Having automated crawlers deployed in the darknet since 2015, the team at DarkOwl knows firsthand the challenges of maintaining in-depth knowledge of this ever-changing digital data landscape.

I’ve also noticed that some darknet-centric companies operate with a focused mission of threat intelligence and security awareness providing custom, highly tailored intelligence products to answer their customers’ cybersecurity questions. At DarkOwl we employ a more agnostic viewpoint, focusing on maintaining the largest set of commercially available darknet data with prudent consideration for the various “V’s” of Big Data philosophy, applying them to all data discovered across many different anonymous networks and deep web criminal communities.

While we have the in-house expertise to dig deep into the diverse anonymous data sources at our disposal, our products are designed to drive high-value business decisions through fast, frequent collection of accurate and disparate data from a wide array of distributed data sources.

Big Data Forces Ingenious Architectures

The NIST Data Interoperability Framework defines “Big Data” as a large amount of data in the networked, digitized, sensor-laden, information-driven world. The authors of that framework describe “Big Data” and “data science” as essentially buzzwords that are composites of many other concepts across computational mathematics and network science.

Data can appear in “structured” and “unstructured” formats. According to IBM, not all data is created equal. Structured data is often quantitative, highly organized, and easily decipherable, while unstructured data is more often qualitative, and not easily processed and analyzed with conventional tools.

In the last decade the amount of unstructured data available to an individual has skyrocketed. Think about the amount of raw data a person consumes or generates on any given day, through mediums like SMS text messaging, watching and/or creating YouTube videos, editing and sharing digital photographs, interacting with dynamic web pages, and keeping up with the demands of social media.

The darknet and deep web are a vast source of data, structured, semi-structured and unstructured, that forces an ingenious data architecture to collect, process, analyze, and distribute meaningful and targeted datasets to clients and users across diverse industry verticals such as FinTech, InsureTech, Identity Protection and Threat Intelligence providers. At DarkOwl we employ a modified model of “Big Data” often depicted by the “V’s” of Big Data.

Volume – DarkOwl endeavors to deliver petabytes of data processed in real time with crawlers operating across different anonymous networks, deep websites, and platforms. As of this week, our Vision system has collected and indexed over 278 million documents of darknet data across Tor, I2P, and Zeronet in the last year. Our entities system has uncovered and archived over 8 billion email addresses, 13 billion credit card numbers, 1.6 billion IP addresses, and over 261 million cryptocurrency addresses.

Velocity – DarkOwl’s resources are designed to provide fast and frequent data updates, such as collecting from real-time instant messaging sources and capturing live discussions between users on darknet forums. In the last 24 hours, our system crawled and indexed over 2.5 million new documents of data.

Veracity – DarkOwl collects the most accurate data available from legitimate and authentic sources discovered in the darknet, deep web, and high-risk surface web. DarkOwl scrapes darknet data without translation in its native language to avoid contextual loss from automated in-platform translation services.

Variety – The data DarkOwl discovers comes from diverse and distributed sources such as Tor, I2P, Zeronet, FTP, and publicly available chat platforms with instant or real-time messaging. We collect everything from darknet marketplace listings for drugs and malware to user contributions to forums and Telegram channel messages.

Value – DarkOwl delivers its data through a variety of delivery mechanisms along with our expert insights to help drive high-value business decisions for our clients and stakeholders. Raw darknet data helps provide valuable evidence for everything from qualitative investigations to quantitative risk calculations.

Voices – We added an additional “V” to the model to include the voices of the various personas and threat actors conducting criminal operations in the underground. Our Vision Lexicon helps users easily decipher and filter by marketplace, vendors, forums, threat actor pseudonyms, and ransomware-as-a-service (RaaS) operators.

Multi-Dimensional Darknet Data Collection Strategies

Before we can jump into the technological architectures available to deliver scalable Big Data, we should discuss the multi-dimensional facets of data collection from dark networks. There exists an unspoken spectrum of darknet data collection. On one end of the spectrum, there is a collection strategy focused on directing a small number of assets to facilitate incredibly deep and near-constant coverage of a relatively tiny segment of what is presently an unquantifiable data space. Defining this segment outside of publicly known, well-established sources of malicious activity without buying illegal data or compromising our integrity is tricky.

On the other end of the spectrum is a collection strategy focused on sending out a much larger number of assets to facilitate broader collection across many different sources to capture and characterize as much of this unquantified data space as possible. At DarkOwl we show preference for this end of the spectrum as it increases the variety and veracity of our Big Data model. We also dedicate collection resources to a smaller, select number of darknet services that require authentication, solving a captcha or puzzle, or are accessible by invitation only. We attempt to augment our broad-spectrum strategy by collecting from these sources at a greater depth and higher frequency than other sites.

I think it’s also important to add here a third dimension of time. Collecting data from a given source once without revisit or frequent updates is of considerably less value than data collected at a regular operational tempo. Likewise, DarkOwl also has a strict retention policy for documents from the darknet – much from sources no longer available or offline – in support of historical analysis and developing analytical trends over time. Many of the documents help characterize and track the evolution of threat actors’ voices for law enforcement investigations, and others feed risk calculations such as the date on which compromised corporate credentials and other company exposure first appeared on the deep web.

Our data collection strategy endeavors to balance these three dimensions, breadth, depth, and time, to ultimately maximize the “Vs” of Big Data with an emphasis on contributing to the value of our clients’ bottom line.

Big Data Delivery Mechanisms

Data warehouse – A data warehouse consists of mostly structured data. Think of it as a giant database that you can access via SQL. Here you can store names, SSNs, phone numbers, email addresses and so on – with very large volumes. Data warehouses are traditionally based on RDBMS technologies such as Oracle, DB2, Postgres etc., and they take a ton of resources to build and maintain, hence the drop in popularity over time. We do not have a data warehouse at DarkOwl.

Data lake – A data lake consists of a combination of structured AND unstructured data. Mostly unstructured data – as in medical transcriptions, court documents, audio, video, screen shots and so on. The structured data is mostly there to tag and link the unstructured data. Data lakes are more popular now due to the ease of creating them. Data lakes are supported by cloud native vendors such as Amazon AWS, Google Cloud, Microsoft Azure, etc. At DarkOwl, we populate many of our customers’ data lakes. We can also stand up a custom data lake which contains a subset of our data that we give customers access to.

Data feeds – Data feeding describes the process of pushing parts of our Big Data over to the customer side. For example, we feed only credentials to some customers, or only credit cards to another, and in some cases, we provide a daily snapshot of everything we have visibility of directly to the customer for their own business use case. Feeds are technically accomplished by setting up a receiver on the customer side – usually a secure Amazon S3 bucket. We can also set up feeds into Azure or Google storage. Keep in mind, feeds always run from this point in time forward. If customers need data from the past, we will charge separately for a one-time dump, also called “data hydration” or “seeding.”

Data streaming – To process data coming at us rapidly, we use open-source industry technologies such as Kafka at DarkOwl. Such services are mostly for internal use, but we could easily set up a customer as one of the subscribers to our data stream. This especially makes sense when the velocity of data is very high, which is often the case for darknet data. For example, take Tesla. Their car is a moving big data machine. Every turn, every camera is emitting massive amounts of data that cannot be pushed fast enough to a customer’s data lake via a data feed. In these high-frequency data situations, we will allow customers to consume directly from our Kafka stream. We will obviously only explore this option if we trust the customer and they pay us lots of money.

At DarkOwl, we have a variety of customized solutions we can deploy quickly to satiate the needs of all our customers.

Final Thoughts

As you can see, the data science challenges of collecting, organizing, and delivering continuous relevant darknet Big Data are intellectually fascinating and absolutely exhilarating to undertake.

I look forward to augmenting and refining DarkOwl’s Big Data product line through implementing new technical solutions and expanding into novel, cutting-edge anonymous sources. Reach out to us directly as I look forward to having a conversation about how your company or organization could benefit from Darknet Big Data from DarkOwl.

Darknet Indicators of Anomalous Health Incidents (AHIs)  

The U.S. Department of State and three-letter agencies across the U.S. Intelligence Community – which staffs a mixture of darknet intelligence and open-source intelligence (OSINT) researchers across a variety of security sectors – have become increasingly concerned by reports of what the U.S. Government officially identifies as “anomalous health incidents” (AHIs). The news media has generally labeled these incidents “Havana Syndrome,” because the first reports came from diplomats located at the U.S. embassy in Cuba in 2016; reports continue today around the globe.

An interim intelligence report on the subject was recently released by the CIA after President Biden called for answers as to the cause of the incidents and Congress passed the HAVANA Act last fall to help compensate victims. The report, briefed by government officials to POLITICO in mid-January, has received criticism for its “preliminary” intelligence assessment, which concluded that neither a U.S. foreign adversary nor a specific directed energy weapon is likely behind the nearly 1,000 allegedly directed attacks against government personnel stationed in embassies around the world.

Given the lack of inter-agency coordination on the interim report, it’s unclear whether these findings signal a finale to USG’s overarching investigation. According to open source reporting, there are still several cases the CIA could not explain and CIA Director William Burns issued a statement suggesting the agency will continue to look into the matter.

“We have reason to believe the interim report does not even represent the consensus of the full CIA, instead reflecting the views of a subset of officials most interested in resolution and closure.” - Statement from CIA Director William Burns

Recognizing the uncertainty of the findings and widespread outrage from AHI victims, DarkOwl set out to gather and assess data across the darknet and deep web to provide supplemental indication of public sentiment regarding AHIs, as well as additional insights into the potential technological sources that may be targeting diplomats and intelligence officials.

Chatter Spreading Potential Nation-State Sponsored Propaganda

During our research, we discovered indications of deep web users sharing Russia-sponsored anti-US propaganda related to mind-control and directed energy induced schizophrenia. For example, one user shared a link to content of this nature via a WordPress “blog” that directly references and links to an “independent research news website” called “Global Research” (globalresearch.ca). In 2020, the State Department identified the allegedly Canadian news outlet as a Russian controlled propaganda front.

  • According to DNS records, the WordPress blog domain cited (youarenotmybigbrother.blog) on the deep web is hosted on a server located at the IP address: 192.0.78.24/25, located in San Francisco, California.

  • DarkOwl reviewed the “Canadian” Global Research website for mentions of “Havana Syndrome” and surprisingly found no recent mentions of “Havana syndrome” or AHIs or any official neurological research, but instead found multiple re-shares of articles citing a study from the University of Edinburgh directly contradicting the State Department’s 2018 commissioned report from the University of Pennsylvania, peer reviewed and published by the Journal of the American Medical Association (JAMA).

  • The general lack of reporting related to Havana Syndrome on the Global Research website, including disinformation suggesting the incidents are caused directly by the USG or non-foreign directed energy sources, is significant and warrants further analytical review of other known Russian-sponsored propaganda websites.

  • Since the release of the interim CIA report last week, darknet and deep web users have been aggressively re-sharing articles and podcasts “debunking” the idea of Havana Syndrome entirely as a mass psychogenic illness resulting from an internal U.S. government propaganda and disinformation narrative to demonize Russia and destabilize US-Cuba geopolitical relations.

Some deep web users hypothesize the remote possibility that US adversarial governments – such as Russia and China – use low Earth orbit satellites and even cellphone towers to direct nefarious RF signals to attack targeted individuals.

  • In summer 2021, an anonymous user of the deep web imageboard known as 4chan theorized that AHIs are caused by Russian space assets or US-based cell phone antennas that have potentially been converted into microwave microphones to detect speech and that inadvertently over-amplify the signal, causing brain damage. Other users of the same forum also imply that these attack vectors could be deployed by the US against its own personnel as part of some sort of covert operation.

  • On the subreddit /r/TargetedEnergyWeapons, Reddit users shared video from a 1985 CNN news report on a U.S.-based RF directed energy weapon called the “Brain Bomb,” which the U.S. government reportedly never pursued, in an effort to discredit the USG.

4chan discussion about “Havana Syndrome” being caused by Russian-space listening devices (original thread removed by website since discovery)

Technical Materials Related to AHIs on the Darknet

Our analysts identified numerous mentions of the US government’s historical activities related to psychotronic and psychological warfare. Several deep web users circulated “blogs” – dating back to 2010 – that include a comprehensive archive of information related to potential neurological and psychological weapons developed by DARPA and the US Military as well as similar tools at the disposal of Russian intelligence arms.

The aforementioned blog highlights reports from the early 2000s that Putin supposedly outlawed the use of weapons of psychotronic influence with the intent to cause harm, despite the fact that psychotronic weapons were specifically mentioned in open-source reporting of Russia’s advanced weapons state procurement plans outlined for 2011-2020.

“The development of weaponry based on new physics principles; direct-energy weapons, geophysical weapons, wave-energy weapons, genetic weapons, psychotronic weapons, etc., is part of the state arms procurement program for 2011-2020”

— Russian Defense Minister Anatoly Serdyukov after meeting with Putin in March 2012

DarkOwl analysts also observed numerous darknet and deep web users discussing and resharing a 1976 declassified intelligence report from the Defense Intelligence Agency titled, “Biological Effects of Electromagnetic Radiation (Radiowaves and Microwaves) Eurasian Communist Countries (U).”

Segment from declassified 1976 DIA report shared on the darknet

Another report shared across darknet and deep web users originated from the U.S. Army and dates back to December 13th, 2006. The report was released through an official Freedom of Information Act request by a Mr. Donald Friedman of California, USA.

The document contains an unclassified addendum to another intelligence assessment, which was developed by the National Ground Intelligence Center (NGIC) and likely originated in the late nineties, based on the document number. The report, which the US Intelligence Community downgraded from SECRET//NOFORN, details the “Bioeffects of Select Nonlethal Weapons”.

Darknet users referencing this report generally used it as supporting evidence that the US military has conducted extensive research on the effects of microwave radiation for battlefield and crowd control use. Like the March 1976 report, the NGIC intelligence reporting regarding the effects of directed pulsed radio-frequency energy correlates with the symptoms experienced by diplomats and intelligence personnel reporting AHIs.

The report also identifies that the associated technology is readily commercially available, but would need to be customized for intensity variability and targeted use.

US Army response to 2006 FOIA request, dated 13 December 2006.

Segment from the NGIC report detailing the technology’s biological influence on the subject.

The NGIC report further identifies auditory phenomena experienced by subjects, e.g. “clicking, hissing, ticking, and buzzing”, consistent with the 2018 JAMA report consolidating the findings from the University of Pennsylvania clinical study of AHI victims. These symptoms are near identical to symptoms connected with the “Frey Effect,” discussed extensively by chat platform users and Reddit discussion forum participants, as well as in research conducted by the Robert Lansing Institute.

“Ability to hear the “sounds” depends on high frequency hearing and low ambient noise. Pulsed RF/MW in the 2.4-10,000MHz range produces perceived noises that resemble sounds “such as a click, buzz, hiss, knock, or chirp”–just as diplomats report. ”

— Quote Correlating Diplomats’ Symptoms to the Frey Effect (Source: Robert Lansing Institute)

Segment from the NGIC report detailing the technology’s biological influence on the subject.

One darknet Tor service we identified has over 1,400 technical documents detailing numerous radio frequency (RF) and directed energy (DE) based technologies utilized for such subjects as mind control, remote viewing, psychoacoustic effects, and electronic surveillance.

Much of the content includes academic research and intelligence agency and military documentation as well as biographies of key academic and intelligence researchers in paranormal studies and mind control related topics. The originating domain has not been online since November 2018, but all available content from the domain is archived in the DarkOwl Vision database of historical darknet records.

Source DarkOwl Vision (DocID: 68eafa7fafe9be29be48f419d8c1fb89b4fa5707)

Another user on Tor posted a report as recently as late August 2021 describing a US Navy sound-based non-lethal weapon program. According to the post, this program utilizes a recording of the target’s own voice, captured with a long-range microphone, that the system distorts by applying phase shifting and auditory track overlay and feedback.

The weapon, called the Acoustic Hailing and Disruption (AHAD) system, then transmits the high-intensity auditory signal directly back to the target using a parametric speaker, disorienting them to the point that they are confused and cannot speak.

Darknet post detailing US and Russian non-lethal weapon technologies. (Source: DarkOwl Vision – DocID d75544cb73549b3db675562290debec678700692)

A darknet discussion forum user talks of Active Denial Systems (ADS) to cause a sensation of being on fire for crowd control. (Source: DarkOwl Vision – DocID 1b851c844c50ed2099adce8ba48e4963146dc6b3)

The same darknet service also highlights a similar technology called the 5P-42 Filin that has purportedly been in production since 2019 by the Russian military. This technology allegedly uses a pulsed beam of light to disrupt a target’s vision and cause temporary nausea.

According to additional open-source reporting, the Filin, also known as the “Eagle Owl” in Russian, was originally manufactured for use on large naval warships and frigates by Russian state military contractor, Ruselectronics, and considered a “weapon of mass disorientation.”

A ground-based portable version of the same system is in development (if not already in production) for use by special forces in close-combat anti-terrorism operations.

Brochure detailing technical specifications of the Russian 5P-42 Filin Weapon System. (Source)

AHIs on the darknet and deep web: AHI technologies for sale and hobbyist experimentation

DarkOwl analysts also observed that EMF-based technologies and associated hardware could be purchased from darknet marketplaces and improvised using COTS products to conduct targeted rogue AHIs and human neurological experimentation.

During the course of our investigation, we also uncovered evidence of electromagnetic frequency generators, designed for jamming wideband telecommunications signals such as GSM, LTE, and GPS, for sale on darknet marketplaces for under $500 USD.

With the knowledge provided across other darknet and OSINT sources about ADSs, the device could be easily improvised and repurposed for a malicious objective. DarkOwl detected an advertisement for limited quantities of a military-grade frequency jammer in September 2020 for $1,200 USD.

The documents shared on that darknet domain include specific frequencies and intensities of unique RF and DE waveforms intended to cause specific bioeffects, and could easily be replicated by hobbyist electrical engineers with access to darknet and deep web content.

In one circumstance, a San Francisco-based Medium user known as “Jay” has purportedly been “targeted by DEW [directed energy weapons] for the last four years” and has since been researching directed energy extensively to better understand the threat. As of November 2018, he had concluded the frequency of the threat fell within the range of 18 to 50 GHz, based on measurements conducted with commercial off-the-shelf (COTS) Narda and TriField electromagnetic frequency (EMF) meters.

Other deep web sites also include posts with detailed step-by-step instructions for how to make “Home Made” Active Denial Systems using commercially-available 2.4GHz wavelengths using items readily available inside someone’s residence. The author implies the length of the 2.4GHz waveforms can remotely induce headaches, fevers, cataracts, or other chronic-fatigue symptoms in a human target.

“Home Made” Directed Energy Weapon described on the deep web (Source redacted for security purposes)

AHI conspiracy theories on the darknet and deep web

At the conclusion of our analysis, we determined that most of the content related to AHIs from underground darknet and deep web sources is driven by conspiracy theories. For example, in July 2021, one user on a Telegram channel postulated that “Havana syndrome” and “Monkeypox” were a concerted agenda to cover up adverse reactions from the COVID vaccination.

By and large, this type of fear, uncertainty, and doubt is widely circulated and quite popular across the deep web, in particular in “anti-vax” communities, and is clearly not remotely accurate, given that AHIs were recorded well before the COVID-19 pandemic.

Source DarkOwl Vision DocID: 5c860642d80f221e6a86199fb915877285140bea

Long before reports of AHIs surfaced in public news media, the darknet and its associated underground communities housed a considerable population of anti-government advocates with deep-rooted beliefs in a “deep state” – including the notion that western governments sanction and/or actively conduct non-consensual psychological and neurological experiments on their populations.

Believers are equipped to evangelize other forum and chatroom members, armed with reports relating to government projects like MKUltra, NSA’s TEMPEST, and “Silent Talk” and detailed research pertaining to peripheral topics such as synthetic telepathy, active denial systems, and psychotronic influence. Many times, such users are quickly labeled “tin-foil hats” and easily dismissed; however, DarkOwl analysts have witnessed their influence increase since the Guardian published information leaked by Edward Snowden and since the increased circulation of reports of AHIs outside of Cuba and China.

Some darknet discussion forum users assert they have been directly targeted by directed energy attacks similar to the AHIs reported by deployed State Department personnel. There is no way to confirm the veracity of such statements.

Darknet users discussing the Havana Syndrome (Source: DarkOwl Vision -DocID: 47c5b3b89f1176fe6f025b3346af860fcb680d49)

Some deep web users have also been circulating blog content from the surface web that supports the idea of a global New World Order with the ability to control mass populations and target individuals with AHIs for a specific and often nefarious agenda. Users point to the persecutory delusion known as “gang stalking” and associated websites replete with technical and academic content in an attempt to legitimize their conspiracy theory and their perception of being targeted directly by the government.

  • According to DNS records, the blog referenced above (gangstalkingmindcontrolcults.com) is hosted on a server at the IP address 192.124.249.178, located in Menifee, California.

Conclusion

During the course of our research, our analysts identified a significant quantity of Havana Syndrome-related information across numerous sources in the underground. Much of this information is directly tied to anti-US propaganda, disinformation campaigns, and baseless conspiracy theories. However, there is also legitimate information on active denial directed energy weaponry circulating in a violence-inciting atmosphere on the deep and dark web, which could easily enable and embolden an ordinary person to carry out sinister attacks using AHI technology.


Curious about something you’ve read? Interested to learn more? Contact us to learn how darknet data applies to your use case

Disappearance of Darknet Markets Points to Potential Exit Scams or Seizures

After observing unusual darknet marketplace activity over the past few weeks, our analysts performed a retrospective investigation that uncovered a widescale shift of the active-marketplace spectrum. This investigation was prompted by the observation that, over the last two weeks, a number of prominent darknet marketplaces suddenly went offline without any indication of their return, or any explanation regarding the cause of their disappearance. Upon further analysis, data demonstrated that in late December, URLs for over 30% of the known darknet markets operating on Tor would not load. The volume of downed marketplaces prompted DarkOwl’s team to take a closer look, only to discover an underground community as perplexed as we were.

Was this the result of a coordinated marketplace Exit Scam?

Figure 1: Graph depicting the status of darknet markets over the last 9 weeks

In response to this sudden mass closure of darknet markets, users on the popular discussion forum Dread suggested that it was a concerted “exit scam.” So, what is an exit scam?

The darknet is home to many a scammer, and darknet marketplaces have historically been a high-stakes risk for buyers, who will often deposit cryptocurrency on the market “in escrow” to transact with illicit goods vendors through the market. Over the years, DarkOwl has witnessed several marketplaces shut down without warning to their buyers or vendors and escape with several million dollars’ worth of their customers’ cryptocurrency in the process. The same can occur with vendors who take their buyers’ funds for a good or service and never deliver. Either scenario is referred to as an “exit scam.”

Very few marketplace administrators publicly “retire” and gracefully shut down their operations the way White House Market (WHM) did back in October 2021.

More often, the darknet rumor mill across forums and discussion boards hints at the potential “exit scam” of a market a few weeks prior to its disappearance. For example, when Wall Street Market (WSM) shut down in April 2019, it was believed that WSM admins had exit scammed their buyers and vendors, with one moderator further attempting to extort the market’s users for 0.05 BTC under threat of leaking the physical addresses of record they had used when transacting on the market. Shortly after, Germany’s criminal police unit, known as the Bundeskriminalamt (BKA), announced that it had seized the market and its digital infrastructure and arrested at least three administrators in Germany.

Tracking the online/offline status of darknet markets per week

DarkOwl analysts compiled the following table, which tracks the status of each darknet marketplace in question over the course of the weeks during which the heightened activity occurred.

A market’s status is changed to CLOSED once the market has been OFFLINE for 3 to 4 weeks in a row or the administrator of the market has announced a retirement or an exit scam on a public discussion forum or Dread subdreadit.

Figure 2: Chart depicting the status of darknet markets over the last 9 weeks

Did persistent DDoS attacks lead to marketplace admin retirements?

Other theories around this shift in the market point to the potential scenario of administrator burnout and subsequent retirement after reportedly repeated DDoS attacks in recent months.

In the middle of December, Torrez Market officially announced its retirement, with the market admin, known as mrBlonde, advising darknet users to “use common sense” and avoid using an “established market,” reasoning that the older a market gets, the more likely it is to collapse.

Shortly before the new year, a DDoS attack appeared to affect a handful of markets, including Cartel Market, which posted that it was experiencing outages; the market then went down without any official word from its administrator. Vendors on the market suggest they lost access to their accounts prior to the DDoS attack.

Around the same time, Cannazon also suffered a DDoS attack and then posted that it was “retiring” and not pulling an exit scam.

“Everyone knew this day would come. No market will be here forever. We are officially retiring.”

— Cannazon Team PGP Message

DDoS attacks prior to a market shutdown have been the “canary in the coal mine” for a market seizure by an international law enforcement effort. Law enforcement could easily have taken over the Cannazon admins’ accounts and posted the PGP message on Dread. Nevertheless, there are some indications from the darknet community that a war between marketplaces has emerged in recent weeks, with DDoS as the weapon of choice.

As of the time of writing, users of World Market stated they were getting 502 errors and the market appeared to be under heavy DDoS attack. Two days ago, the market administrator, Lovelace, posted a message directed at Dark0de claiming the competitor market’s team was using a circuit tool attack (DDoS) against World Market’s main mirror and ASAP Market. The comments included a lengthy post by DeSnake, the administrator of the recently revitalized AlphaBay Market.

Coincidentally, the URLs for the market called “Potluck Market” have, since mid-November, been redirecting to World Market. Potluck Market supposedly closed back in late 2020 after a scandal ensued when the market staff hired a known pedophile. Potluck staff member Florida shared, in a lengthy post on Dread shortly before the closure, how vetting staff before hiring is just as important as OpSec.

Late last week, Dark0de was also inaccessible, and two weeks ago the market’s admin posted on its Dread subdreadit that it too was under DDoS attack.

DarkFox Market was offline for over 5 days for “maintenance,” and many Dread users feared it too was exit scamming, but as of the time of writing the market appears to be back online and stable, along with a new mirror equipped with “anti-DDoS filters.”

On a German discussion forum, one user posted that they believe Monopoly Market, offline since the end of 2021, had also exit scammed.

Users on Dread have been equally concerned, with posts titled “RIP Monopoly” on the market’s subdreadit. The moderator for the subdreadit, ShakyBeats, proposed locking down the board until word from the market administrator was heard. Another user indicated that the exit scam theory was weak considering that, a week before the market went down, the administrator launched an “update” to the market server software that updated critical dates of vendors’ and buyers’ activities for orders on the market. The user theorized this would have been wasted effort if the administrator had planned to scam a week later.

Notably, after the DDoS attack that impacted Cartel around the end of December, several markets, including ASAP, Yakuza, TOR2Door, Monopoly, Archetype, and TOR Market, all went offline and seemingly headed to a “CLOSED” status. But this week, TOR2Door and TOR Market rallied back online.

Versus Market, a popular market throughout 2020 and offline since early November after enabling DDoS protection, also suddenly reappeared operational without any announcement of their return.

Four other markets, Quest, Hermes, Nemesis, and MGM Grand, also appeared back online after being offline since early November. DarkOwl has no indication that these market administrators are working together, but their reappearance all at the same time is suspicious.

–   DarkOwl Vision has had knowledge of Nemesis Market since the fall of 2021, and the market’s launch page claims it has been operational since May 2021. The subdreadit for the market, /d/NemesisMarket, has been banned for rules violations, suggesting this market may have been run by scammers.

–   The Hermes subdreadit appeared on Dread a year ago with a post from the market moderator, Stitch3s, claiming the market had 500 registered users. There has been no new activity since the re-launch.

Final Thoughts

DarkOwl determined during this quick analysis that darknet markets are experiencing instability, with many markets either under heavy DDoS or possibly on the verge of an exit scam. DarkOwl believes Monopoly, Cartel, Yakuza, and Archetype are offline permanently and that Torrez and Cannazon exited due to retirement.

While some suspect that it was a large-scale exit scam operation, others have hinted that it could be the by-product of an international law enforcement operation. Interestingly, at the end of last week, seven of the markets that were previously offline and had been assessed as permanently closed rose from the ashes, only eliciting further skepticism around the markets and their credibility in general.

It is unclear whether the DDoS activity against the markets that have recently disappeared is related to law enforcement activity, as the Justice Department has yet to post any seizure banners or make any official announcements. DarkOwl will continue to follow this closely and provide more information as it becomes available.


Tor project announces domain name scheme shift

Last summer, the Tor Project announced that in October it would end support for its legacy v2 domain naming scheme, and it began encouraging darknet administrators to migrate their hidden darknet websites, known as onion services, to the more secure v3 address scheme. For non-technical users of the Tor anonymous network this may seem inconsequential or not applicable to them; however, Tor’s onion service addressing nomenclature, designated v2 versus v3, is the primary mechanism by which services hosted on the network are accessed.

Maintaining persistent access and knowledge of this darknet landscape is critical to provide continuous coverage of data from the dark web.

When the projected time of the cutover came in mid-October, Tor services were not immediately “shut off” and inaccessible as expected. The Tor Project removed v2 introduction points with Tor version 0.4.6, but the effects are only realized on relays whose operators updated their node to the latest software version.

Within that month, the Tor Project did update the Tor Browser to version 10.5.10, disabling v2 and rendering v2 onion services unavailable. However, DarkOwl discovered that deprecated v2 onion services are still accessible with legacy browser client executables. Then, just this week, the Tor Project released Tor Browser 11.0.1, which includes additional features like a blockchain explorer.

Now that v2 onion services are no longer supported by the Tor Project, DarkOwl estimates a decrease of 62% of known onion services across the Tor network.

In the last year, many onion services providers on Tor have published both a v2 and v3 address, which replicates their website content on both address types to ease the transition and “mirror” the content accordingly, thereby minimizing content loss. Read below for more details on the evolution of the different onion service address types and why v3 addresses are preferred.

How Many Tor v3 Onions Have Emerged?

DarkOwl maintains one of the largest databases of Tor darknet content, including historical and “deep” darknet records. DarkOwl’s crawlers monitor the Tor network for mentions of Tor onion services, schedule newly discovered v3 addresses for crawling, and index the content into its searchable Vision SaaS platform for its clients to access.

Due to the nature of the network and its privacy focused topology, it is impossible to quantify the real number of services operating on the network at any given time. V2 onion descriptor information is stored in plain text in the hidden service directory (HSDir) and at one time, provided some indication of the volume of services available, but such information is not available for v3 services.

In fact, according to Tor Project metrics, there could be upwards of 600,000 v3 onion services active in the network, but that number is extrapolated from relays operating as onion-service directories.

A recent technical blog on v3 onion services suggests many of the v3 services are “barely used” or are set up merely to act as slave services for a malicious botnet.

In the last six weeks, DarkOwl’s Vision platform has observed an average of 104,095 active .onion services across both address schemes, of which 62% are v2 addresses and 38% are v3 addresses.

These numbers are determined by a daily snapshot of DarkOwl’s collection stack seeded by DarkOwl’s network intelligence gleaned by crawling the network 24/7 since 2016. These numbers are not reflective of the true total number of onion services active in the network on any given day.

DarkOwl analysts also noted that during the month of July 2021, when the option to create new v2 onion services was removed from the codebase by Tor Project, DarkOwl Vision witnessed a surge in new v3 addresses and identified 2963 new v3 onions in the last two weeks of July alone.

Figure 1: Average Number of Onion Services Online According to DarkOwl’s Database

Tor Users Respond

Most Tor onion service providers have embraced the network address deprecation and encouraged their visitors to add their new v3 address to their browser bookmarks.

Some darknet website administrators assumed the v2 onion services were already inaccessible back in July and disabled all their v2 addresses, when in fact the Tor Project had simply disabled the creation of new v2 services in the 0.4.6 release last summer.

Figure 2: Tor Onion Service Provider’s Depreciation Announcement on I2P. Source DarkOwl Vision Document

Other users are skeptical of the shift, especially those who experienced firsthand the multiple concerted v3 onion service outages in January. All v3 onion services were offline for more than 3 hours at a time when the consensus health check failed due to excessive traffic directed at the directory authorities, possibly the result of uncontrolled DDoS between darknet markets.

According to the Tor Project, the implementation bug was fixed in the July 0.4.6 release to default to a “reasonably live” version of the consensus health when a “live” consensus is unavailable.

Figure 3: Source DarkOwl Vision Document about v3 onion service outage due to consensus health

History of Tor & Decentralized Network Security

The original purpose of the “The Onion Router” (Tor) protocol was to provide US government intelligence operatives in the field with secure communications that did not compromise their digital or physical location. In 1996, the first “0th generation” onion router (OR) was set up as an experiment in encrypted network topography in a virtual environment on a single computer. Because it included export-restricted technology, the “1st generation” Tor was developed, and it was successful in its mission of providing a concealed internet for the US government for several years. By the year 2000, the “1st generation” Tor had reportedly served upwards of 5 million network accesses a day. In 2003, the “2nd generation” Tor came along with network improvements, which is where the term “onion v2” originates. DarkOwl Vision users can read more in DocID f4dafdd81bd9dac95d017a84d4c39d1c71f7dd5f.

In 2006, when the US Naval Research Laboratory handed Tor over to a group of volunteers at the Tor Project, the network’s purpose became to provide a decentralized, censorship-resistant platform for users to communicate and share information.

The Tor platform quickly became a haven for criminal activity, facilitating anonymous communication across underground digital communities and forums, elaborate drug marketplaces, child pornography, and human trafficking. Consequently, deanonymizing onion services hosting criminal content has been a focus of many “three-letter” government and law-enforcement (LE) agencies around the world. Academic researchers and computer network science experts have received numerous grants and government funding to extensively study deanonymization attack methodologies, and many journal publications exist.

Over the years, DarkOwl has witnessed successful deanonymization through various techniques, including rendezvous point circuit attacks (a.k.a. the cookie attack), time-correlation attacks, distributed denial of service attacks that force a criminal onion service onto an LE-controlled guard node (a.k.a. the sniper attack), and circuit fingerprinting attacks.

The Tor Project states that v3 onion service addressing is secure against enumeration attacks as well as other attacks that are not related to keys, and it lists the following weaknesses of v2 addressing:

  • An adversary who runs a relay on the Tor network can slowly learn a list of all the v2 onion services, via the v2 HSDir system.
  • An adversary who can factor 1024-bit RSA keys can impersonate a v2 onion service.
  • An adversary who can generate around 2^40 RSA keys can expect to generate two that correspond to the same onion address (a collision attack).

Earlier this year, German researchers published a TLS traffic analysis attack methodology, demonstrating 100% successful Tor onion service deanonymization in 12.5 days or less.

Tor v2 versus v3

Tor onion service addresses are intentionally not memorable, consisting of a random-looking string of non-mnemonic characters and numbers followed by the “.onion” top level domain (TLD). This string is generated automatically from the service’s public key when the onion service is first configured.

V3 onion service addresses are discernible by their lengthy 56-character address; e.g., the Tor Project’s v3 address looks like http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid[.]onion, whereas its v2 address is 16 characters: http://expyuzz4wqqyqhjn[.]onion.

The 16-character v2 address is a base32 encoding of an 80-bit value, a truncated hash of the onion service’s RSA public key, whereas a v3 address is a base32 encoding of the service’s 256-bit Elliptic Curve Cryptography (ECC) public key. The onion service address is therefore essentially a cryptographic representation of the originating service’s key material, which is a principal justification for network administrators encouraging the exclusive use of the more secure form of addressing.

The v3 address uses SHA3/ed25519/curve25519 cryptography, which is considerably more secure than the SHA1/DH/RSA1024 cryptography behind v2 addresses. The v2 addresses had been the standard for 15 years, and the network was overdue for a more secure mechanism to become standard.
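To make the address arithmetic above concrete, here is an added example (not DarkOwl’s code) that classifies an address as v2 or v3 by its length and, for v3, verifies the checksum that the Tor v3 onion service specification defines: the 56 base32 characters decode to a 32-byte ed25519 public key, a 2-byte SHA3-256 checksum computed over the constant “.onion checksum”, the key and the version byte, and the version byte 0x03. The two addresses are the ones quoted above (kept in their defanged form); the key used to build the self-test addresses is a constructed placeholder, not a real service key.

```python
import base64
import hashlib
import re

# Addresses quoted in the article, in the defanged "[.]onion" form they appear in.
V2_EXAMPLE = "http://expyuzz4wqqyqhjn[.]onion"
V3_EXAMPLE = "http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid[.]onion"

V3_VERSION = b"\x03"                   # version byte appended to every v3 address
CHECKSUM_PREFIX = b".onion checksum"   # fixed prefix from the v3 onion service spec
_B32_LABEL = re.compile(r"^[a-z2-7]+$")  # lowercase base32 alphabet used by .onion names


def normalize(addr):
    """Strip scheme, path and port, undo "[.]" defanging, and return the bare label."""
    host = addr.strip().lower().replace("[.]", ".")
    host = re.sub(r"^[a-z]+://", "", host)
    host = host.split("/")[0].split(":")[0]
    return host[: -len(".onion")] if host.endswith(".onion") else host


def v3_checksum(pubkey):
    """First two bytes of SHA3-256(".onion checksum" || pubkey || version)."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + V3_VERSION).digest()[:2]


def encode_v3_raw(pubkey, checksum, version):
    """Base32-encode pubkey || checksum || version; exposed so tests can build bad addresses."""
    return base64.b32encode(pubkey + checksum + version).decode("ascii").lower() + ".onion"


def encode_v3(pubkey):
    """Build a well-formed v3 address for a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    return encode_v3_raw(pubkey, v3_checksum(pubkey), V3_VERSION)


def classify_onion(addr):
    """Return {"version": "v2"|"v3"|None, "valid": bool, "reason": str} for an address."""
    label = normalize(addr)
    result = {"version": None, "valid": False, "reason": ""}
    if not _B32_LABEL.match(label):
        result["reason"] = "label is not base32 (a-z, 2-7)"
        return result
    if len(label) == 16:
        # 16 base32 chars = 80 bits: the truncated SHA-1 of the RSA-1024 key; no checksum exists.
        result.update(version="v2", valid=True,
                      reason="80-bit truncated hash of RSA-1024 key; no checksum to verify")
        return result
    if len(label) != 56:
        result["reason"] = f"unexpected label length {len(label)}"
        return result
    raw = base64.b32decode(label.upper())   # 56 chars -> 35 bytes
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    result["version"] = "v3"
    if version != V3_VERSION:
        result["reason"] = f"unexpected version byte 0x{version.hex()}"
    elif checksum != v3_checksum(pubkey):
        result["reason"] = "checksum mismatch (typo or forged address)"
    else:
        result.update(valid=True, reason="ed25519 key with valid SHA3-256 checksum")
    return result


if __name__ == "__main__":
    for a in (V2_EXAMPLE, V3_EXAMPLE, encode_v3(bytes(range(32)))):
        print(normalize(a), classify_onion(a))
```

A crawler or log parser can use the same check to discard mistyped or fabricated v3 addresses before scheduling them, since a single wrong character changes the checksum.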

The Tor Project announced in July 2020 that it would be deprecating the v2 address format and outlined a specific timeline for the deprecation process: first removing the option to create new v2 onion services earlier this year, and then releasing a new network client and browser in October that rendered v2 onion services inaccessible.

1. September 15th, 2020

0.4.4.x: Tor will start warning onion service operators and clients that v2 is deprecated and will be obsolete in version 0.4.6.

2. July 15th, 2021

0.4.6.x: Tor will no longer support v2 and support will be removed from the code base.

3. October 15th, 2021

Release Tor client stable versions for all supported series that will disable v2 entirely.

Tor Development Continues and v2 [WARN]

In July, Tor Browser began displaying a “deprecated soon” warning message every time a v2 onion service was accessed. Since mid-October, instead of the warning page, the Tor Browser client log records numerous [WARN] messages when the client accesses a legacy v2 onion service, despite still displaying the website contents in the browser.

Figure 4: Deprecation Warning Notification on all v2 Onion Services from July 2021 onward

According to the developer’s comments on the Tor Project’s Github, eliminating v2 from the Tor network involves:

o   Modifying the HSDir to stop accepting or serving v2 descriptors.

o   Stopping introduction points from allowing introductions for v2.

o   Refusing the TAP connection from the service side for rendezvous points.

Figure 5: Tor Browser Application Logs Warning of Deprecated Onion Service Connection. Tested with TBB version 10.5.8.

These changes were scheduled to be released with version 0.3.5.x-final, but the actual release date of that update is unclear and no due date has been specified. Even though the introduction points no longer allow v2 onion service introductions, the effects of this will not actually be realized until every relay operator updates to the latest version of the Tor executable containing these changes.

In early October, Tor developer David Goulet edited Tor Project issue #40476, removing the third bullet above and stating:

“I decided to NOT remove the Rendezvous code path for TAP connections as it would create more complexity to the patch for which I'm trying to keep minimal.” - David Goulet, Tor Developer

In mid-October, Goulet merged the ticket with the change that disables SOCKS connections for v2 addresses and closed the ticket.

Interestingly, in version tor-0.4.7.2-alpha, last modified less than a month ago, the developer release notes focus on a new consensus method for v3 network congestion control and close ticket #40476 by returning “bad hostname” for v2 onion service addresses:

Onion service v2 addresses are now not recognized anymore by tor meaning a bad hostname is returned when attempting to pass it on a SOCKS connection. No more deprecation log is emitted client side. Closes ticket 40476.

As of October 26th, Tor source code version 0.4.7.8 was available for download from the Tor Project and appears to incorporate all the changes mentioned above. One minor difference our analysts noted is that the changelog states, “Send back the extended SOCKS error 0xF6 (Onion Service Invalid Address) for a v2 onion address” instead of “bad hostname.”

And v4 is already here

In 2019, rumors of a v4 onion service address emerged and many Tor onion service network administrators supposedly already mirror their content on v4 addresses.

The v4 onion services reportedly use less CPU and consequently less electricity, reducing e-pollution. There is allegedly also additional error handling, improved bootstrap reporting, and support for adaptive circuit padding to prevent time-based deanonymization attacks.

DarkOwl has not observed any v4 addresses in the network, nor has Tor Project released any documentation about v4 addresses for confirmation or analysis.


A Look Back at the Top Darknet Events of 2021 & Predicting Upcoming Trends

As companies across all industries continue to prepare and bolster their security structure for 2022, DarkOwl analysts have performed a review of key darknet-oriented security events from the past year and summarized them in the list provided below.

For each summary, our analysts also provided a predictive forecast estimating whether the type of threat would continue in 2022. Each event is scored with either the assessment “likely to decline”, “likely to continue” or “likely to escalate.” Additional predictions are found at the end of the look-back analysis.

1. Ransomware Groups’ Lethality Increases Through Sophisticated Persistence and Detection Evasion

In 2021, ransomware-as-a-service (RaaS) gangs stepped up their operational playbook by utilizing backdoors to maintain persistent access to their victims, which allowed them to retain access both during an attack campaign and potentially long after the ransom was paid and decryption keys were released.

One of the most noteworthy examples of this is the widely known botnet Trickbot, which was weaponized and has since been assessed to be part of the arsenals of the Conti and Diavol RaaS gangs. Dubbed “Trickboot,” this backdoor module acts as a UEFI/BIOS bootkit. DarkOwl archived its research and observations from the darknet earlier this year in its white paper titled Establishing Footholds: A look at Ransomware-as-a-Service from 5,280 Feet.

Korean researchers also published their discovery that malware could be installed on some solid-state drives (SSDs) in devices with “flex capacity,” a hidden area called over-provisioning that the device manufacturer uses for optimization. In December 2021, BleepingComputer highlighted that while the technology to conduct such attacks was readily available, there is no indication that any such attacks are occurring in the wild, just yet.

THREAT STATUS: LIKELY TO ESCALATE

2. InsureTech Industry Booms in an Attempt to Underwrite Policies for Cyber Attacks Against Commercial Organizations

A decade ago, we had no concept of “cyber insurance,” nor did we ever think such a policy would be required. Underwriters are now faced with the challenge of determining the security risks facing an organization with little statistical data and actuarial information to work from. Despite these challenges, the insurtech industry is booming in a race to quantify the risks an ever-evolving threat presents to their clients and to themselves.

This year, we witnessed the cyber insurer CNA become a victim of ransomware after Russian criminals encrypted its network with the Phoenix Locker. CNA reportedly paid $30 Million USD to the criminals to regain access to its systems. Shortly after, REvil was spotted taunting its victims with their own cyber insurance policies in an attempt to leverage them into paying higher ransoms.

THREAT STATUS: LIKELY TO CONTINUE

3. Critical Supply Chain Attacks Highlight Vulnerability of Software Dependent Systems

2021 was definitely the year of supply chain attacks. Between Kaseya, Accellion, and, rounding out the year, log4Shell, cyber criminals discovered just how effective malicious software updates and unpatched vulnerabilities in dependent software really are.

  • REvil is believed to have compromised over 2,000 victims after replacing Kaseya’s Virtual System Administrator (VSA) software auto-update with its ransomware program.
  • Luckily, developers appear to have won the race to patch the Apache log4j vulnerability, with CISA officially stating that, other than an attack against the Belgian Ministry of Defence, most log4Shell-type attacks have had minimal impact, e.g. cryptomining.
  • DarkOwl uncovered dozens of mentions of malicious GitHub repositories containing log4j-related exploits on darknet malware forums and discussion groups.

Unfortunately, vulnerabilities similar to the log4j attack vector, namely remote code execution via the Java Naming and Directory Interface (JNDI), have been uncovered affecting the H2 Java SQL console as well.

THREAT STATUS: LIKELY TO ESCALATE

4. Data Brokers and Access as a Service Surge as Major Darknet Commodity

Data brokering has been a viable darknet commodity with offers for databases for sale regularly across darknet and deep web forums. During 2021, DarkOwl observed “access-as-a-service” develop as a major darknet commodity serving RaaS operators and organized cyber criminal groups. For example, some “initial access brokers” offered for auction a domain administrator credential for a potential multi-million dollar victim on some popular darknet forums. Such credentials sell quickly at upwards of $30,000 USD.

Other criminals offer subscription model data services with persistent access to sensitive and confidential intelligence for a monthly fee.

THREAT STATUS: LIKELY TO ESCALATE

5. Infamous REvil Gang Finally Shut Down, But Over a Dozen New RaaS Gangs Emerge Shortly After

In October, Tor sites for REvil went officially offline signaling an end to their operations after the FBI compromised the server backups for the notorious RaaS gang. DarkOwl witnessed and detailed darknet forum drama shortly after their disappearance.

Following REvil’s departure from the RaaS scene, LockBit has stepped up to assimilate the surviving REvil affiliates and has increased its operations considerably.

DarkOwl has detected over a dozen new RaaS groups emerge in the last 90 days, including Sabbath, Cerber 2021, and Khonsari.

THREAT STATUS: LIKELY TO CONTINUE

6. Attacks Against Healthcare Organizations by Cyber Criminals and RaaS Groups Despite Claims They Would Not Target Medical Industry

In the last year, attacks against healthcare groups have increased, exposing a significant volume of patients’ personally identifiable information (PII) on the dark web.

Hundreds of hospitals have been impacted by ransomware, resulting in patients who need critical care being turned away. It is unclear how many deaths and/or preventable injuries have occurred as a result of ransomware and cyber criminal campaigns against medical institutions.

DarkOwl has observed data from several adjunct medical groups, optometry practices, pharmacies, and DNA diagnostics centers offered for sale on darknet markets.

Previously, RaaS gangs had demonstrated some veil of morality claiming they would not target the medical industry.

THREAT STATUS: LIKELY TO ESCALATE

In 2021, darknet fraudsters continued to exploit government subsistence programs for unemployment and small business funding. DarkOwl estimates that the going rate for a detailed unemployment fraud method varies between $200 and $300 USD, and such methods are offered on a state-by-state basis, suggesting that different state unemployment systems may require unique techniques for direct exploitation.

Further, DarkOwl uncovered that the darknet carries numerous offers for COVID testing and vaccination related fraud, such as negative PCR test results and COVID vaccine certificates for as little as $150 USD.

THREAT STATUS: LIKELY TO DECLINE

8. Increase in Darknet Marketplaces Use of Alternative Cryptocurrencies

DarkOwl found that the total number of darknet marketplaces tripled by the end of the year and that 86% of the active markets support Monero in addition to Bitcoin. In recent years, darknet criminals have been demanding alternatives to the traceable Bitcoin, and Monero appears to be the leading contender in darknet marketplaces.

Many of the markets also accept Litecoin, but less-trusted coins are also seeing some acceptance. Global Dreams Market surprisingly accepts DogeCoin and Evil Corp Market began accepting Dash earlier this year.

Additionally, the infamous darknet marketplace AlphaBay came back to life and drove a resurgence in the use of the I2P peer-to-peer network.

THREAT STATUS: LIKELY TO CONTINUE

9. Colonial Pipeline Ransomware Attack Highlighted Critical Infrastructure Risk

In early May 2021, Colonial Pipeline was forced to shut down its pipeline after suffering a ransomware attack carried out by the RaaS organization known as DarkSide. The criminal gang successfully accessed Colonial’s networks simply by using the credentials for an old VPN account that the group had discovered on the darknet. Colonial did not have multi-factor authentication (MFA) turned on for the account, which could have prevented the intrusion.

The shutdown caused shortages of fuel across the Southeastern United States and resulted in increased fuel prices and economic impact for months afterwards.

The ransomware attack highlighted how vulnerable critical infrastructure is and the immediate and pressing need to shore up critical utilities and telecommunications infrastructure networks from future attacks. Not only are the services rendered unusable for a significant amount of time, but the financial impacts ripple throughout the economy and destabilize the supply chain.

THREAT STATUS: LIKELY TO CONTINUE

10. 8kun Reputation Hit by Jan 6th Insurrection; Surge in Activity Across Alternate Darknet Imageboards

After the violent siege on the U.S. Capitol on January 6th did not result in former President Trump being declared winner of the 2020 U.S. Presidential Election, 8kun enthusiasts and Qanon followers from the murkier corners of the dark web were greatly disenchanted that Q’s predictions of a real-life political “reckoning” for the alleged deep state cult never were realized.

As a result, in 2021, 8kun (a.k.a. 8chan, led by Ron and Jim Watkins) became less popular in the darknet as many MAGA believers who frequented the dark web service left to return to their lives and the reality that Biden was officially U.S. President.

There was also plenty of fear of increased law enforcement surveillance on the board as investigators searched for alleged participants in the January 6th riots.

This fear also led to many ‘anons’ dispersing to other existing Imageboards on the darknet and the formation of new “chans” around the deep web. In the summer of 2021, DarkOwl identified over two dozen new Imageboards — not affiliated with 4chan or 8kun — many in non-English languages, supporting the refugees. Over the year, board chatter focused on COVID-specific conspiracies and misinformation campaigns centered on vaccine safety and efficacy as well as international rules regarding quarantine, travel, and vaccine mandates.

THREAT STATUS: LIKELY TO CONTINUE

11. Iran and Israel Continue Shadow Cyber War

In the last year, DarkOwl has witnessed a surge in Iranian and Israeli-specific leaks on the darknet, signaling an escalation of the shadow cyber war between the two countries. Similarly, new ransomware groups, like Moses Staff — likely affiliated with Pay2Key and/or BlackShadow — attack critical targets in Israel without demanding ransom payment, suggesting the attacks are politically, not financially, motivated. In November, Israel’s Cyber Unit claimed responsibility for shutting down websites for BlackShadow after the cyber criminals leaked the user database from a popular LGBTQ+ dating app in Israel, Atraf.

In October 2021, over 4,300 gas stations across Iran were rendered inoperable by a cyberattack, possibly as a result of the on-going conflict with Israel. Shortly after, on the anniversary of the death of Iranian general Qassem Soleimani, two Israeli media websites were defaced with an ominous message on his behalf and an image of a fist and missile striking Israel’s nuclear facility at Dimona.

The two countries show no sign of slowing down their cyberattacks against each other and security researchers around the world fear their conflict will impact Western nations’ infrastructure at some point in the future.

THREAT STATUS: LIKELY TO ESCALATE

12. Tor Deprecation Changed The Shape, Volume, and Perceptions of the Darknet

Last October, users of the darknet braced themselves for the deprecation of the historical v2 “hidden” onion service, expecting a concerted network shift to the more secure v3 onion service domain architecture. With many relays still running old Tor executables that did not exclude routing to v2 services, many domains we expected to disappear overnight persisted for weeks. After the Tor Project released version 11.0.1 of the Tor Browser Bundle, all historical onion services were no longer accessible from the web browser. DarkOwl estimates this resulted in the disappearance of over 64,000 active domains.

In addition to Tor, privacy enthusiasts and long-time darknet users have been eagerly exploring other anonymous “dark” networks, including meshnets like Yggdrasil and web 3.0 networks like Peernet. We anticipate use of such networks to increase in the near future.

THREAT STATUS: LIKELY TO ESCALATE

Tor v2 Deprecation Shifts Darknet Landscape

DarkOwl has unprecedented coverage of data from prominent darknets including Tor (The Onion Router), which is widely considered to be the most well-known and popular darknet. To keep collecting content from darknets such as Tor, our engineers continually monitor technological changes and advances in hidden services networks. In doing so, we often have unique insight into the shifting landscape of the dark web.

Tor project announces domain name scheme shift

Last summer, the Tor Project announced that in October it would be ending support for its legacy v2 domain naming scheme, and began encouraging darknet administrators to start migrating their hidden darknet websites – known as onion services – to the more secure v3 address scheme. For non-technical users of the Tor anonymous network, this may seem inconsequential and not applicable to them, but Tor’s onion service addressing nomenclature – designated as v2 versus v3 – is the primary mechanism by which services hosted on the network are accessed.

Maintaining persistent access and knowledge of this darknet landscape is critical to provide continuous coverage of data from the dark web.

When the projected time of the cutover came in mid-October, Tor services were not immediately “shut off” and inaccessible as expected. The Tor Project removed v2 introduction points with Tor version 0.4.6, but the effect is only realized on relays whose operators updated their node to the latest software version.

Within that month, the Tor Project did update the Tor Browser to version 10.5.10, disabling v2 and rendering v2 onion services unavailable. However, DarkOwl discovered deprecated v2 onion services are still accessible with legacy browser client executables. Then, just this week, the Tor Project released Tor Browser 11.0.1, which includes additional features like a blockchain explorer.

Now that v2 onion services are no longer supported by the Tor Project, DarkOwl estimates a decrease of 62% of known onion services across the Tor network.

In the last year, many onion services providers on Tor have published both a v2 and v3 address, which replicates their website content on both address types to ease the transition and “mirror” the content accordingly, thereby minimizing content loss. Read below for more details on the evolution of the different onion service address types and why v3 addresses are preferred.

How Many Tor v3 Onions Have Emerged?

DarkOwl maintains one of the largest databases of Tor darknet content, including historical and “deep” darknet records. DarkOwl’s crawlers monitor the Tor network for mentions of Tor onion services, schedule newly discovered v3 addresses for crawling, and index the content into its searchable Vision SaaS platform for its clients to access.

Due to the nature of the network and its privacy-focused topology, it is impossible to quantify the real number of services operating on the network at any given time. V2 onion descriptor information is stored in plain text in the hidden service directory (HSDir) and at one time provided some indication of the volume of services available, but such information is not available for v3 services.

In fact, according to Tor Project metrics, there could be upwards of 600,000 v3 onion services active in the network, but that number is extrapolated from relays operating as onion-service directories.

A recent technical blog on v3 onion services suggests many of the v3 services are “barely used” – or set up merely to act as slave services for a malicious botnet.

In the last six weeks, DarkOwl’s Vision platform has observed an average of 104,095 active .onion services across both address schemes of which: 62% are v2 addresses and 38% are v3 addresses.

These numbers are determined by a daily snapshot of DarkOwl’s collection stack seeded by DarkOwl’s network intelligence gleaned by crawling the network 24/7 since 2016. These numbers are not reflective of the true total number of onion services active in the network on any given day.

DarkOwl analysts also noted that during the month of July 2021, when the option to create new v2 onion services was removed from the codebase by Tor Project, DarkOwl Vision witnessed a surge in new v3 addresses and identified 2963 new v3 onions in the last two weeks of July alone.

Figure 1: Average Number of Onion Services Online According to DarkOwl’s Database

Tor Users Respond

Most Tor onion service providers have embraced the network address deprecation and encouraged their visitors to add the new v3 address to their browser bookmarks.

Some darknet website administrators assumed the v2 onion services were already inaccessible back in July and disabled all their v2 addresses when the Tor Project simply disabled the creation of new v2 services in the 0.4.6 release last summer.

Figure 2: Tor Onion Service Provider’s Depreciation Announcement on I2P. Source DarkOwl Vision Document

Other users are skeptical of the shift, especially those who experienced firsthand the multiple concerted v3 onion service outages in January. All v3 onion services were offline for more than 3 hours at a time when the consensus health check failed, due to excessive traffic directed at the directory authorities – possibly due to uncontrolled DDoS between darknet markets.

According to the Tor Project, the implementation bug was fixed in the July 0.4.6 release to default to a “reasonably live” version of the consensus health when a “live” consensus is unavailable.

Figure 3: Source DarkOwl Vision Document about v3 onion service outage due to consensus health

History of Tor & Decentralized Network Security

The original purpose of the “The Onion Router” (Tor) protocol was to provide US government intelligence operatives in the field with secure communications without compromising their digital or physical location. In 1996, the first “0th generation” onion router (OR) was set up as an experiment in encrypted network topology in a virtual environment on a single computer. Because it included export-restricted technology, the “1st Generation” Tor was developed and was successful in its mission of providing a concealed internet for the US government for several years. By the year 2000, the “1st generation” Tor had reportedly served upwards of 5 million network accesses a day. In 2003, the “2nd Generation” Tor came along with network improvements, which is where the term “onion v2” originates.

DarkOwl Vision Users Can Read More in DocID – f4dafdd81bd9dac95d017a84d4c39d1c71f7dd5f

In 2006, when the US Naval Research Laboratories handed over Tor to a group of volunteers at the Tor Project, the network’s purpose was to provide a decentralized, censorship resistant platform for users to communicate and share information.

The Tor platform quickly became a haven for criminal activity, facilitating anonymous communication across underground digital communities and forums, elaborate drug marketplaces, child pornography and human trafficking. Consequently, deanonymizing onion services hosting criminal content has been a focus of many three-letter government and law-enforcement (LE) agencies around the world. Academic researchers and computer network science experts have received numerous grants and government funding to extensively study deanonymization attack methodologies, and many journal publications exist.

Over the years, DarkOwl has witnessed successful deanonymization through various techniques including rendezvous point circuits (a.k.a. the cookie attack), time-correlation attacks, distributed denial of service attacks, which often force a criminal onion service to a LE-controlled guard node, (a.k.a. sniper attack), and circuit fingerprinting attacks.

Tor Project states that v3 onion service addressing is secure against enumeration attacks as well as other attacks that aren’t related to keys.

  • An adversary who runs a relay on the Tor network can slowly learn a list of all the v2 onion services, via the v2 HSDir system.
  • An adversary who can factor 1024-bit RSA keys can impersonate a v2 onion service.
  • An adversary who can generate around 2^40 RSA keys can expect to generate two that correspond to the same onion address (a collision attack).

Earlier this year, German researchers published a TLS traffic analysis attack methodology, demonstrating 100% successful Tor onion service deanonymization in 12.5 days or less.

Tor v2 versus v3

Tor onion service addresses are intentionally not memorable, relying on a random-looking string of non-mnemonic characters and numbers followed by the “.onion” top level domain (TLD). This string is automatically generated from the service’s public key when the onion service is first configured.

V3 onion service addresses are discernible by their lengthy 56-character address, e.g. the Tor Project’s v3 address looks like http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid[.]onion, while its v2 address is 16 characters: http://expyuzz4wqqyqhjn[.]onion.

The 16-character v2 address is the base32 encoding of an 80-bit hash of the onion service’s RSA public key, whereas the v3 address is a 256-bit representation of its Elliptic Curve Cryptography (ECC) public key. Therefore, the onion service address is essentially a cryptographic representation of the originating service’s key material, and a principal justification for network administrators encouraging the exclusive use of the more secure form of addressing.

The v3 address utilizes SHA3/ed25519/curve25519 cryptography, which is considerably more secure than v2’s SHA1/DH/RSA1024 address cryptography. The v2 addresses have been the standard for 15 years and the network was overdue for a more secure mechanism to become standard.
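The two address layouts described above can be checked offline. The following Python is an added example (not DarkOwl’s code or the Tor Project’s) that implements the address encodings from the Tor rendezvous specifications: a v2 address is base32 of the first 80 bits of the SHA-1 hash of the service’s DER-encoded RSA public key, and a v3 address is base32 of the 32-byte ed25519 public key, a 2-byte SHA3-256 checksum over “.onion checksum” || pubkey || version, and the version byte 0x03. The two Tor Project addresses are the ones quoted in the text; the key used for the round-trip is constructed at random.

```python
import base64
import hashlib
import os
from typing import Dict

# Added example, not DarkOwl's code. Address layouts per Tor's rend-spec (v2) and
# rend-spec-v3:
#   v2: base32( SHA1(DER(RSA-1024 public key))[:10] )                 -> 16 chars
#   v3: base32( ED25519_PUBKEY | CHECKSUM | VERSION )                   -> 56 chars
#       CHECKSUM = SHA3-256(".onion checksum" | ED25519_PUBKEY | VERSION)[:2]
#       VERSION  = 0x03
V3_VERSION = b"\x03"
V3_CHECKSUM_PREFIX = b".onion checksum"

# Both addresses are the Tor Project's own, as quoted in the article above.
TOR_PROJECT_V3 = "2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion"
TOR_PROJECT_V2 = "expyuzz4wqqyqhjn.onion"


def v3_checksum(pubkey: bytes) -> bytes:
    """Two-byte checksum binding the ed25519 key to the v3 version byte."""
    return hashlib.sha3_256(V3_CHECKSUM_PREFIX + pubkey + V3_VERSION).digest()[:2]


def encode_v3(pubkey: bytes) -> str:
    """Build a v3 .onion address from a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + v3_checksum(pubkey) + V3_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def classify_onion(address: str) -> Dict[str, object]:
    """Identify the address scheme and, for v3, verify the embedded checksum."""
    host = address.strip().lower()
    if host.endswith(".onion"):
        host = host[: -len(".onion")]
    try:
        raw = base64.b32decode(host, casefold=True)
    except Exception:
        return {"version": None, "valid": False, "reason": "not base32"}

    if len(host) == 16 and len(raw) == 10:
        # v2 carries no checksum: the 80 bits are a truncated SHA-1 of the RSA
        # key, so the most a client can verify offline is the encoding itself.
        return {"version": 2, "valid": True, "key_hash": raw.hex()}

    if len(host) == 56 and len(raw) == 35:
        pubkey, checksum, version = raw[:32], raw[32:34], raw[34:35]
        if version != V3_VERSION:
            return {"version": 3, "valid": False, "reason": "bad version byte"}
        if checksum != v3_checksum(pubkey):
            return {"version": 3, "valid": False, "reason": "checksum mismatch"}
        return {"version": 3, "valid": True, "pubkey": pubkey.hex()}

    return {"version": None, "valid": False, "reason": "unexpected length"}


def corrupt_checksum(address: str) -> str:
    """Flip the first checksum byte of a v3 address, to show it is rejected."""
    raw = bytearray(base64.b32decode(address[: -len(".onion")], casefold=True))
    raw[32] ^= 0xFF
    return base64.b32encode(bytes(raw)).decode("ascii").lower() + ".onion"


if __name__ == "__main__":
    for addr in (TOR_PROJECT_V2, TOR_PROJECT_V3, corrupt_checksum(TOR_PROJECT_V3)):
        print(addr, "->", classify_onion(addr))
    key = os.urandom(32)  # constructed key: encode, decode, compare
    print("round trip ok:", classify_onion(encode_v3(key))["pubkey"] == key.hex())
```

The checksum is why every v3 address ends in “d” (the low five bits of the version byte) and why a mistyped v3 address is rejected by the client instead of silently routing to another service, a property a v2 address cannot offer.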

The Tor Project announced it would be deprecating the v2 address format in July 2020 and outlined a specific timeline for the deprecation process, first removing the option to create new v2 onion services earlier this year and then releasing a new network client and browser in October that rendered v2 onion services inaccessible.

1. September 15th, 2020

0.4.4.x: Tor will start warning onion service operators and clients that v2 is deprecated and will be obsolete in version 0.4.6.

2. July 15th, 2021

0.4.6.x: Tor will no longer support v2 and support will be removed from the code base.

3. October 15th, 2021

Release Tor client stable versions for all supported series that will disable v2 entirely.

Tor Development Continues and v2 [WARN]

In July, Tor Browser began displaying a “deprecated soon” warning message every time a v2 onion service was accessed. Since mid-October, instead of the warning page, the Tor Browser client log records numerous [WARN] messages when the client accesses a legacy v2 onion service, while still displaying the website contents in the browser.

Figure 4: Deprecation Warning Notification on all v2 Onion Services from July 2021 onward

According to the developer’s comments on the Tor Project’s GitHub, eliminating v2 from the Tor network involves:

  • Modifying HSDir to stop accepting or serving v2 descriptors.
  • Introduction points will stop allowing introductions for v2.
  • Refusing the TAP connection from the service side for rendezvous points.

Figure 5: Tor Browser Application Logs Warning of Deprecated Onion Service Connection. Tested with TBB version 10.5.8.

These changes were scheduled to be released with version 0.3.5.x-final, but the actual release date of that update is unclear, with no due date specified. Even though the introduction points no longer allow v2 onion service introductions, the effects of this will not actually be realized until every relay operator updates to the latest version of the Tor executable with these latest changes.

In early October, Tor Developer David Goulet edited Tor Project issue #40476 removing the 3rd bullet above stating:

“I decided to NOT remove the Rendezvous code path for TAP connections as it would create more complexity to the patch for which I'm trying to keep minimal.” - David Goulet, Tor Developer

Goulet merged the ticket together with the change disabling SOCKS connections for v2 addresses in mid-October and closed the ticket.

Interestingly, in version tor-0.4.7.2-alpha, last modified less than a month ago, the developer release notes focus on a new consensus method for v3 network congestion control and close ticket #40476 by returning “bad hostname” for v2 onion service addresses:

Onion service v2 addresses are now not recognized anymore by tor meaning a bad hostname is returned when attempting to pass it on a SOCKS connection. No more deprecation log is emitted client side. Closes ticket 40476.

As of October 26th, Tor source code version 0.4.7.8 was available for download from the Tor Project and appears to incorporate all the changes mentioned above. One minor difference our analysts noted is that the changelog states, “Send back the extended SOCKS error 0xF6 (Onion Service Invalid Address) for a v2 onion address” instead of “bad hostname.”

And v4 is already here

In 2019, rumors of a v4 onion service address emerged and many Tor onion service network administrators supposedly already mirror their content on v4 addresses.

The v4 onion services reportedly use less CPU computation and subsequently less electricity, to reduce e-pollution. There is allegedly also additional error handling, improved bootstrap reporting, and support for adaptive circuit padding to prevent time-based deanonymization attacks.

DarkOwl has not observed any v4 addresses in the network, nor has Tor Project released any documentation about v4 addresses for confirmation or analysis.


Conti Responds to REvil Take Down

DarkOwl regularly monitors the services hosted by ransomware-as-a-service (RaaS) operators and recently discovered the Conti group posted public remarks about a recent Reuters article detailing the US Government’s collective actions to take down the REvil ransomware group.

“Announcement. ReviLives.”

"Own opinion. As a team, we always look at the work of our colleagues in the art of pen-testing, corporate data security, information systems, and network security. We rejoice at their successes and support them in their hardships. 
Therefore, we would like to comment on yesterday's important announcement by the US law enforcement about the attack on the REvil group.   
We want to remark the following:   
First, an attack against some servers, which the US security attributes to REvil, is another reminder of what we all know: the unilateral, extraterritorial, and bandit-mugging behavior of the United States in world affairs.  
However, the fact that it became a norm does not presume that it should be treated like one. Unlike our dearest journalist friends from the Twitter brothel, who will sell their own mother for a bone from bankers or politicians, we have the guts to name things as they are. We have a conscience, as well as anonymity, while our skills allow us to say something that many "allied" governments are afraid of saying:   
With all the endless talks in your media about "ransomware-is-bad," we would like to point out the biggest ransomware group of all time: your Federal Government. There is no glory in this REvil attack. First, because REvil has been dead in any case, but secondly, because the United States government acted as a simple street mugger while kicking a dead body. Let's break it down point by point. There was an extraterritorial attack against some infrastructure in some countries.    
1. Is there a law, even an American one, even a local one in any county of any of the 50 states, that legitimize such indiscriminate offensive action? Is server hacking suddenly legal in the United States or in any of the US jurisdictions? If yes, please provide us with a link.   
2. Suppose there is such an outrageous law that allows you to hack servers in a foreign country. How legal is this from the point of view of the country whose servers were attacked? Infrastructure is not flying there in space or floating in neutral waters. It is a part of someone's sovereignty.   
3. The statement mentions a multinational operation but does not name specific countries that participated in the cyber strike. We seem to know why; see next point.   
4. Most countries, the US included, perceive critical cyber strikes against their territory as a casus belli. You think anybody will be fine if Taliban conducts a missile strike against a place in Texas to "disrupt an operation" of what Afghanistan considered a "criminal" group?   
5. When the special forces arrive at a hostage scene, they at least make sure that there are hostages there (at least, this is how it used to be). How did you know who you were attacking? It could just be a reverse proxy on an unsuspecting host. How did you know who ELSE these servers are serving? How was the safety of other people's businesses, possibly people's lives, ensured?   
Just to be clear: these are all rhetorical questions. Of course.   
What happened with this attack is way more than REvil or information security. This attack is just another drop in the ocean of blood, which started because of NSA, CIA, FBI, and another two hundred three-letter security institutions (because, you know, true democracy and liberty requires millions of people in uniform) never had to answer these questions.  
WMD in Iraq, which was "certainly there." Drone strikes on weddings because "these were terrorists." Airstrikes on hospitals and Red Cross convoys because "we thought these are hostile." Military raids within the foreign borders ended up with massacring allied soldiers.
The list is endless because those who are now enjoying the media fame from the REvil attack are vampires drunken and intoxicated by impunity and blood. 
And this is not the story about REvil, Afghanistan, or any other subject in the world because impunity does not know borders.   
No wonder, each day, we read in the news that the American police once again shot some unarmed African American, or a housewife, or a disabled person, or somebody brave enough to dare to protect their home and their family. This is your state, and it will treat you the way it drones unfortunate child-shepherd in the sands of the Maghreb or Arabia to ensure "the national security of America," so far from its shores.   
And we will be reminding you of this constantly. And yes, despite the popular opinion of the social media hobos, we can and WILL talk ethically as any other people. (Somebody, please put an Obama meme here).   
We wish the people of America to resume control over your country as soon as possible and expel these fat, degraded bankers and become again the great FREE nation that we remember and love. We wish our retired colleagues from REvil have a lot of fun with their honestly earned money.  
Sincerely yours, 
Conti's team"

Biden and Putin pictured meeting at the Geneva Summit on June 16, courtesy of Getty Images. Read more about how Biden called Putin the Friday before the first takedown of the REvil group in July.

Since Conti posted their letter to the public on October 22, 2021, the team has published announcements for 19 new ransomware victims, including a medical billing company.

“Page Not Found”: REvil Darknet Services Offline After Attack Last Weekend

Last weekend, REvil’s “Happy Blog” went offline for the second time in less than six months. Instead of the blog’s Tor service simply not responding to an HTTP request, the page displayed the default 404 error page of the nginx webserver. According to a REvil representative, the ransomware-as-a-service (RaaS) organization’s Tor domain was “hijacked” using the private keys of the domain held by REvil’s previous public face, “Unknown” (who also operates as “UNKN”).

DarkOwl reviewed the group’s history and latest posts about the hijacking and determined that since returning, REvil’s reputation was in jeopardy and many darknet users and RaaS community members suspected the group had been compromised by the FBI.

“This Page Is Not Found”

Last weekend, Tor users attempting to connect to the legendary Happy Blog hosted by the infamous REvil RaaS gang received the default 404 error page for nginx webservers on Fedora, indicating the Tor onion services run by the REvil operation were compromised and corrupted instead of simply taken offline by disconnecting the servers from the network.

The page read:

"nginx error! The page you are looking for is not found. Website Administrator Something has triggered missing webpage on your website. This is the default 404 error page for nginx that is distributed with Fedora. It is located /usr/share/nginx/html/404.html You should customize this error page for your own site or edit the error_page directive in the nginx configuration file /etc/nginx/nginx.conf."

An Insider Job?

In a post titled “У REvil угнали домены” [Translated: “REvil’s domains were stolen”], REvil’s current spokesperson – the persona behind the moniker 0_neday on the darknet underground forum XSS – stated the server had been compromised using UNKN’s (a.k.a. Unknown, REvil’s previous representative) private Tor service keys. “To be precise they deleted the path to my hidden service in the torrc file and raised their own so I would go there”.
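The hijack described by 0_neday amounts to a configuration change: the operator’s HiddenServiceDir stanza in torrc was removed and another one pointed at keys the attacker held. An onion service operator can catch that kind of drift by comparing the parsed torrc against a recorded baseline. The following Python is an added example, not DarkOwl’s code and not anything recovered from REvil’s servers; HiddenServiceDir and HiddenServicePort are real torrc options, while the directory paths, ports and both torrc texts are constructed for illustration.

```python
from typing import Dict, List

# Added example, not DarkOwl's code. Both torrc texts are constructed; the
# directory names and ports are illustrative. Only full-line '#' comments are
# handled, which is enough for the options this check cares about.
BASELINE_TORRC = """\
# constructed baseline torrc recorded by the service operator
SocksPort 0
HiddenServiceDir /var/lib/tor/blog
HiddenServicePort 80 127.0.0.1:8080
HiddenServiceVersion 3
"""

TAMPERED_TORRC = """\
# constructed: the operator's stanza was deleted and replaced with another
SocksPort 0
HiddenServiceDir /var/lib/tor/replacement
HiddenServicePort 80 127.0.0.1:8080
HiddenServiceVersion 3
"""


def parse_hidden_services(torrc_text: str) -> Dict[str, List[str]]:
    """Map each HiddenServiceDir to the HiddenServicePort lines that follow it.

    torrc groups options by position: every HiddenServicePort applies to the
    most recent HiddenServiceDir, so the parser tracks the current stanza.
    """
    services: Dict[str, List[str]] = {}
    current = None
    for raw in torrc_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "HiddenServiceDir":
            current = value
            services.setdefault(current, [])
        elif key == "HiddenServicePort":
            if current is None:
                raise ValueError("HiddenServicePort before any HiddenServiceDir")
            services[current].append(value)
    return services


def diff_hidden_services(baseline: Dict[str, List[str]],
                         current: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Report service directories removed, added, or re-pointed since the baseline."""
    base_dirs, cur_dirs = set(baseline), set(current)
    return {
        "removed": sorted(base_dirs - cur_dirs),
        "added": sorted(cur_dirs - base_dirs),
        "ports_changed": sorted(d for d in base_dirs & cur_dirs
                                if baseline[d] != current[d]),
    }


def torrc_is_unchanged(baseline_text: str, current_text: str) -> bool:
    """True when the onion service stanzas match the recorded baseline."""
    d = diff_hidden_services(parse_hidden_services(baseline_text),
                             parse_hidden_services(current_text))
    return not (d["removed"] or d["added"] or d["ports_changed"])


if __name__ == "__main__":
    report = diff_hidden_services(parse_hidden_services(BASELINE_TORRC),
                                  parse_hidden_services(TAMPERED_TORRC))
    print("unchanged:", torrc_is_unchanged(BASELINE_TORRC, TAMPERED_TORRC))
    print("drift:", report)
```

In practice the baseline would be stored outside the Tor host (or signed), and the check run on a schedule alongside a hash of the hostname and key files in each HiddenServiceDir, since an attacker with write access to torrc can also replace those.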

0_neday went on to further state that the group presumed Unknown had “died” earlier in the summer, when the group went offline in mid-July shortly after the Kaseya supply chain attack successfully encrypted thousands of networks when its ransomware spread through a software auto-update.

There are a number of conflicting theories why REvil disappeared less than a month later.

REvil’s Mysterious Disappearance in July

REvil’s services mysteriously shut off the Tuesday following a late “Friday phone-call” between US President Biden and Russian President Vladimir Putin, during which REvil and the global ransomware epidemic were reportedly a subject of their conversation. The information security community has theorized any number of reasons the services disappeared after this call:

a.   The US launched an offensive cyber campaign directly against REvil – possibly using sophisticated intelligence or USCYBERCOM resources – and brought the gang’s services offline.

b.   President Putin directed REvil to shut down their operations in response to the conversation he had directly with Biden, where Biden stated he would hold Russia responsible for aiding and abetting the threat actor’s actions on Russian soil.

c.    REvil was feeling the “heat” and international pressure after a series of high-profile attacks, some of which included US military targets. Perhaps the group’s operators voluntarily “took a break” from their ransomware operation.

d.   REvil leader UNKN “exit scammed,” emptying the gang’s and their affiliates’ cryptocurrency accounts and disabling their Tor services using their administrator privileges.

Reporting from the Washington Post suggested the US was not behind the July shutdown, as some had hypothesized, citing government sources. No “seizure banner” was evident when the Tor services went offline, as has historically been the case when law enforcement take down darknet marketplaces. The FBI’s Director, Christopher Wray, testified in front of Congress stating that they do not make decisions unilaterally but work directly with allies and other agencies on such matters. The FBI was strongly criticized for their delay in providing a universal decryptor key for the REvil ransomware that they had allegedly obtained after the Kaseya attack.

“These are complex . . . decisions, designed to create maximum impact, and that takes time in going against adversaries where we have to marshal resources not just around the country but all over the world.”

— FBI Director Testimony

The FBI provided the key to Kaseya nineteen (19) days after their networks were compromised and a week after the REvil infrastructure went dark. The key was reportedly obtained through direct access to the servers of the REvil operation.

In mid-September, BitDefender announced they had developed a “free universal decryptor” for the REvil/Sodin ransomware strain in circulation prior to July 13th. According to BitDefender’s blog and social media posts, the decryptor was “created in collaboration with a trusted law enforcement partner.”

This announcement was the source of many a controversial discussion across darknet malware forums.

REvil’s Return in September

According to the DarkOwl Vision darknet data records, REvil’s Happy Blog returned after their summer hiatus the first week in September 2021. Shortly after the blog was back online, new victims were quickly announced.

Surprisingly, in early October, DarkOwl analysts observed the REvil team sharing a link to RAMP – another ransomware-focused forum – announcing that REvil was active on the new forum backed by the Groove ransomware group. RAMP, hosted on a Tor domain previously owned and operated by the Babuk RaaS gang, emerged after many darknet underground forums “banned” ransomware-related discussions last summer.

This behavior was noteworthy as REvil had historically not shown any affiliation with other RaaS groups, making their endorsement of RAMP unusual to many in the darknet.

Complex Cast of Characters

Unknown/UNKN

Unknown/UNKN was the original spokesperson for the REvil gang when they first branded as Sodinokibi in early 2019. They spoke with measured cadence and subtle humor. One of their last posts was early July after the Kaseya attack, where they simply shared a video of a typical older, angry Russian gentleman.

The admin from XSS banned Unknown’s forum account on July 8th, the week between the Kaseya attack and the July shutdown of the REvil servers. It’s unclear if the justification was retribution for ransomware (as the topic was banned from the forum at that time), or whether the admin knew something else was awry.

In May, Unknown announced they were going to leave XSS, have limited activity on their account on exploit.in, and move their discussions to “private.”

At the time of their account ban, Unknown had 0.0022 Bitcoin in escrow on XSS.

0_neday

0_neday emerged as a representative of REvil on XSS after users evilcore and Lockbitsupp challenged the origin of the REvil decryptor key released by Bitdefender on the public forum. They created their account earlier this month on October 5, 2021, depositing a significant amount of Bitcoin (i.e. an account value of 1 BTC in escrow, or approximately $50,800 USD on 10/5/2021) to legitimize their status. On October 12th, 0_neday posted on evilcore’s XSS member profile, “my boss agreed to offer you a 10% discount,” suggesting 0_neday is a front for someone much more authoritative in the REvil gang. This contrasts with a claim they made a few days later that only he and Unknown had private keys to the Tor onion service domains. As of 19 October, 0_neday indicated they were leaving the forum, signing their last post with

[Translated] “Good luck everyone, I’m off.” 

evilcore

evilcore is a relatively long-time user of XSS, registered on the forum in late 2018. They claim they have no connection to any ransomware gang, but are vocal in criticizing the operations of the groups, most recently REvil in particular. They posted a comment to 0_neday’s thread this week about REvil’s domains getting stolen, suggesting the leak of the decryption key was intentional and the entire infrastructure was “merged” (i.e., leaked) rather than compromised through Unknown’s keys as indicated, with a bit of “told you so” attitude and a stark warning for users not to get fooled.

[Translated] "Ahaha)))))
fuck, I told you that they merged the entire infrastructure))))) and you didn't believe. I'm not a competitor and I don't care, they just really leaked the keys! people don't get fooled." 

evilcore has been vocal in questioning the legitimacy of REvil since the group reappeared in September, and in particular the story that a REvil developer “misclicked” and accidentally released the decryptor key. In a comment on a thread titled “Атака вымогателей на больницу привела к гибели ребенка” [Translated: “The ransomware attack on the hospital led to the death of a child”], evilcore closes with [Translated: “where is UNKN?”] after claiming the FBI likely had control of REvil’s admin panel.

[Translated] "0_neday do the rebranding:) and I can bet on 5 bits, but the point is) the conversation was about backdoor keys, I gave evidence that the backdoor key had nothing to do with it, it started about fictional gspch misklik checkout and - there it was already clear that the FBI had taken the admin panel.
Where is UNKN going???" 

The controversial October 12 thread continued with bickering directly between 0_neday and evilcore, with LockBit’s forum representative, LockBitSupp, and forum users 1MG and ev4ng3liya chiming in, including critiques of REvil’s desperation to draw in affiliates with a 90/10 percent split, unheard of in the RaaS industry. evilcore eventually even accused 0_neday of being FBI.

LockBitSupp

LockBitSupp is the public representative on the XSS forum of the competing RaaS gang LockBit 2.0. The same alias is active for the group on another darknet forum, exploit.in, and is highly critical of REvil, stating that LockBit had recruited many REvil affiliates because of REvil’s lousy partner programs (PP). On exploit, they added lengthy posts voicing concerns that REvil had been compromised by the FBI and that the current REvil coders and affiliates needed to be checked to verify their allegiance to the RaaS industry:

[Translated] "In connection with the above, I propose to check the coders who are now allegedly running the REvil affiliate program, for example:
- so that they somehow showed the locker source codes through the same TeamViewer or AnyDesk and made a test build from the source, providing this build to the public for reverse and comparison with old builds;
- so that the coders show the history of correspondence with the former management;
- any other evidence that will allow us to verify the coders and show that they are not undercover FBI agents.
Verification can be entrusted to any independent and authoritative people on the forums, for example, those who do reviews of malware."

They concluded their post with the realization that if the FBI has infiltrated the REvil RaaS gang or their affiliates, the damage to the advertisers was far less than the suffering caused to “our cozy and warm community.”

REvil brand trustworthiness continues to decline

In late September, darknet forum users began expressing concerns over REvil’s unpredictable and scandalous behavior. One exploit user, Signature, claimed they had evidence that REvil had installed a “cryptobackdoor” which allowed REvil operators to take over negotiations between their affiliates and their victims, diverting ransom payments and thereby scamming their own affiliates. It’s unclear how long this backdoor existed; some researchers state it was present for months but removed from the September codebase.

Signature had launched a previous dispute on the forum with REvil’s UNKN in May 2021, claiming they had been contracted to provide network access to the REvil victims Quanta and Apex and were never paid the 7 million USD owed for the work. The thread resulted in a gross airing of RaaS dirty laundry to the public, with private qTox chats shared on the forum thread.

Until last weekend, REvil had been active on the same Tor v3 onion address for over 22 months (excluding their summer hiatus), and active in the ransomware market since April 2019. Most RaaS groups change addresses regularly, and even rebrand with new logos and aliases, to maintain their operational security.

The EvilCorp RaaS gang’s representative on the XSS forum suggested REvil should have rebranded a long time ago. In the most recent thread on the REvil domain hijacking, user Krypt0n, admittedly late to the conversation, stated it was stupid for REvil to return in September to the same Tor domain address with the same keys. They added there was no way for REvil to restore the reputation and status achieved under UNKN.
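The key dispute above (0_neday claiming only two people held the onion service keys, and Krypt0n’s point about returning to the same address with the same keys) comes down to how a Tor v3 onion address is built: the hostname is the service’s ed25519 public key plus a checksum and a version byte, so the address is bound to the key pair and whoever holds the private key controls the name. The following is an added example, not DarkOwl’s code or anything from the forums discussed; it derives and validates a v3 address following the public Tor rend-spec-v3 layout, and the 32 key bytes are constructed, not a real service key.

```python
import base64
import hashlib

# Version byte carried as the last raw byte of every v3 onion address.
ONION_V3_VERSION = b"\x03"
BASE32_ALPHABET_LEN = 56  # 35 raw bytes encode to exactly 56 base32 characters


def onion_v3_checksum(pubkey: bytes, version: bytes = ONION_V3_VERSION) -> bytes:
    """First two bytes of SHA3-256(".onion checksum" || PUBKEY || VERSION), per rend-spec-v3."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]


def encode_onion_hostname(raw: bytes) -> str:
    """Lowercase base32 of the raw PUBKEY || CHECKSUM || VERSION bytes plus the .onion suffix."""
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def onion_v3_address(pubkey: bytes) -> str:
    """Derive the .onion hostname for a 32-byte ed25519 public key.

    Because the hostname is a function of the public key alone, the only way to
    serve content at an existing address is to hold the matching private key:
    reusing an address means reusing (and continuing to trust) that key.
    """
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be exactly 32 bytes")
    return encode_onion_hostname(pubkey + onion_v3_checksum(pubkey) + ONION_V3_VERSION)


def parse_onion_v3_address(address: str) -> bytes:
    """Validate a v3 address and return the embedded public key.

    Raises ValueError for a wrong length, a non-v3 version byte, or a checksum
    mismatch, mirroring the checks a Tor client performs before connecting.
    """
    host = address.strip().lower()
    if host.endswith(".onion"):
        host = host[: -len(".onion")]
    if len(host) != BASE32_ALPHABET_LEN:
        raise ValueError("v3 onion hostnames are exactly 56 base32 characters")
    try:
        raw = base64.b32decode(host.upper())
    except Exception as exc:  # binascii.Error on non-base32 characters
        raise ValueError("hostname is not valid base32") from exc
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_V3_VERSION:
        raise ValueError("not a version-3 onion address")
    if checksum != onion_v3_checksum(pubkey, version):
        raise ValueError("checksum mismatch: address was mistyped or tampered with")
    return pubkey


def is_valid_onion_v3_address(address: str) -> bool:
    """True when the address parses and its checksum and version byte check out."""
    try:
        parse_onion_v3_address(address)
        return True
    except ValueError:
        return False


# Constructed sample key material: 32 arbitrary bytes standing in for a real
# ed25519 public key (address derivation does not validate the curve point).
SAMPLE_PUBKEY = bytes(range(32))


if __name__ == "__main__":
    addr = onion_v3_address(SAMPLE_PUBKEY)
    print("derived address:", addr)
    print("round-trips to the same key:", parse_onion_v3_address(addr) == SAMPLE_PUBKEY)
    # Same key bytes but a different version byte: a client refuses to use it.
    bogus = encode_onion_hostname(SAMPLE_PUBKEY + onion_v3_checksum(SAMPLE_PUBKEY) + b"\x02")
    print("wrong version byte accepted:", is_valid_onion_v3_address(bogus))
```

Every v3 address ends in the letter “d” because the final five bits of the encoding are the low bits of the version byte 0x03; the checksum catches mistyped or altered hostnames, but it offers no protection against someone who simply possesses the private key, which is why key custody, not the hostname, is the real question in the thread.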

Despite the fact that elite hacker forum members can easily spot law enforcement and rippers (scammers), REvil’s brand is renowned and copycat services will likely emerge in its likeness. In November last year, DarkOwl detected a domain unrelated to REvil advertising itself as the “REvil Team” and offering to sell the database of the web-hosting company Managed.com.

The REvil imposters included a protonmail.com e-mail address for contacting them and the domain was online for barely a month.

DarkOwl will continue to monitor this situation as it develops.



Copyright © 2024 DarkOwl, LLC All rights reserved.