BULLETIN: New COVID Vaccination Certificate Scam Targets European Hospitals

DarkOwl has recently discovered a cyber-criminal group offering to hack hospitals located across the European Union (EU) to access and falsify vaccination records for willing buyers on the darknet.

In contrast to the paper-based vaccination cards that remain the standard across the United States, the EU recently launched a “Digital COVID Certificate” that features a mobile app for quickly verifying one’s COVID vaccination, PCR test, or virus recovery status. Each individual’s certificate carries a QR code bearing a digital signature, intended to prevent falsification and facilitate free movement throughout the 27 EU member states. Sixteen (16) non-EU countries have also joined the digital certificate scheme, including Israel, Norway, Turkey, and Panama.

False digital vaccination records listed at $600 USD in bitcoin

Known simply as “xgroup,” the criminals behind this EU-centric fraud scheme claim to be able to access EU-based local hospital digital vaccination records on behalf of their darknet customers. The process supposedly requires only that the customer submit their personal information (along with payment), which is then added to their local hospital’s vaccination records database. In theory, that record would then flow into the EU Digital COVID Certificate system, since each issuing body – such as a hospital, test center, or health authority – has its own digital signature key registered with the program.
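To make the trust model described above concrete, the following is an added example written for this page; it is not DarkOwl material and not the EU’s implementation (the real scheme signs a CBOR Web Token with COSE, whereas this stand-in signs a JSON record with Ed25519). The issuer IDs, record fields and key handling are assumptions. A verifier app looks the claimed issuer up on a trust list and checks the signature over the exact signed bytes, so an edited certificate, an unknown issuer, or a rogue key impersonating a hospital all fail. The last case in the scenario is the one that matters for this scam: a false record that a trusted issuer actually signs verifies as genuine, because the cryptography attests who signed, not whether the record is true.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Record is the payload an issuing body signs. The fields are a simplified
// stand-in for a real health-certificate schema (assumption for this example).
type Record struct {
	IssuerID string `json:"iss"` // hospital, test centre or authority that signed
	Name     string `json:"name"`
	DOB      string `json:"dob"`
	Vaccine  string `json:"vac"`
	Doses    int    `json:"dn"`
}

// Credential is what a QR code would carry: the signed bytes and the signature.
type Credential struct {
	Payload   []byte
	Signature []byte
}

// TrustList maps issuer IDs to public keys; only these keys are accepted.
type TrustList map[string]ed25519.PublicKey

// Issuer is one issuing body with its own signing key.
type Issuer struct {
	ID   string
	priv ed25519.PrivateKey
}

func NewIssuer(id string) *Issuer {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Issuer{ID: id, priv: priv}
}

func (i *Issuer) Public() ed25519.PublicKey { return i.priv.Public().(ed25519.PublicKey) }

// Issue signs a record. The signer sets the issuer ID itself, so a payload
// cannot claim to come from a different body than the one signing it.
func (i *Issuer) Issue(r Record) Credential {
	r.IssuerID = i.ID
	payload, err := json.Marshal(r)
	if err != nil {
		panic(err)
	}
	return Credential{Payload: payload, Signature: ed25519.Sign(i.priv, payload)}
}

var (
	ErrUnknownIssuer = errors.New("issuer not on trust list")
	ErrBadSignature  = errors.New("signature does not verify")
)

// Verify is the scanner-side check: parse the payload, find the claimed
// issuer's key, and verify the signature over the exact bytes that were signed.
func Verify(tl TrustList, c Credential) (Record, error) {
	var r Record
	if err := json.Unmarshal(c.Payload, &r); err != nil {
		return Record{}, err
	}
	pub, ok := tl[r.IssuerID]
	if !ok {
		return Record{}, ErrUnknownIssuer
	}
	if !ed25519.Verify(pub, c.Payload, c.Signature) {
		return Record{}, ErrBadSignature
	}
	return r, nil
}

// Scenario runs one genuine issuance and four ways a buyer might try to end
// up with a "valid" certificate, returning the verifier's verdict for each.
func Scenario() map[string]error {
	hospital := NewIssuer("HOSP-0001") // hypothetical issuer ID
	tl := TrustList{hospital.ID: hospital.Public()}
	person := Record{Name: "A. Example", DOB: "1980-01-01", Vaccine: "X", Doses: 2}
	out := map[string]error{}

	genuine := hospital.Issue(person)
	_, out["genuine"] = Verify(tl, genuine)

	// Edit a signed field (dose count 2 -> 3): the signature no longer matches.
	tampered := Credential{
		Payload:   bytes.Replace(genuine.Payload, []byte(`"dn":2`), []byte(`"dn":3`), 1),
		Signature: genuine.Signature,
	}
	_, out["tampered"] = Verify(tl, tampered)

	// A key nobody trusts, under a made-up issuer ID: rejected before any crypto runs.
	_, out["unknown issuer"] = Verify(tl, NewIssuer("LAB-9999").Issue(person))

	// A rogue key that copies the hospital's ID: the trust list holds the real key.
	_, out["impersonated issuer"] = Verify(tl, NewIssuer("HOSP-0001").Issue(person))

	// The scam's actual premise: the false record gets into the hospital's own
	// system and the hospital signs it. The signature is genuine and verifies.
	_, out["insider-issued false record"] = Verify(tl, hospital.Issue(person))
	return out
}

func main() {
	for name, err := range Scenario() {
		fmt.Printf("%-28s -> %v\n", name, err)
	}
}
```

The distinction the last case draws is the practical one for defenders: signature verification protects the integrity of what an issuer signed, so the weak point in any such scheme is the issuing workflow (who can create records, and how those records are audited), not the QR code.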

COVID-19 Vaccine Hospital Database Hacking from Tor

Who is Xgroup?

Xgroup hosts a dedicated V3 hidden service on Tor where they advertise a range of “hacking services.” In addition to the COVID vaccination record hack, they claim to offer school grade alterations, social media account hacking, and financial debt clearing.

There is no proof of the legitimacy of xgroup’s skills. DarkOwl has captured mentions of their email address across various forums and services on Tor since July 2021, though it is unclear how long they were in operation before that. Our analysts also observed that in mid-July, xgroup were recruiting members with “social engineering skills,” and in late August they were raising donations for their next attack – including quotes from hacktivist organizations like Anonymous.

"Message for all the governments of the world. We recognize you as serious opponents, and do not expect our campaign to be completed in a short time frame. However, you will not prevail forever against the angry masses of the body politic. Your choice of methods, your hypocrisy, and the general artlessness of your organization have sounded its death knell. You have nowhere to hide because we are everywhere." - Xgroup (Sourced from DarkOwl Vision Darknet Data)

The group self-promotes their abilities to “hack social networks” and “destroy someone’s life,” including creating financial and legal issues and spreading disinformation on social media.

Source: DarkOwl Vision Document

Another COVID Scam?

DarkOwl has long observed scammers on the darknet and continues to see fraudsters offer goods and services for sale, take a customer’s money, and then never deliver the purchased product. Thus it has not been surprising to see this same tactic applied rampantly throughout the pandemic, during which time we’ve seen a surge in COVID-related scams for things like KN95 masks, coronavirus-infected blood, and black-market COVID vaccines.

Xgroup’s fraud scheme is only applicable to European countries, as the United States has neither a nationwide digital vaccine record system nor vaccination records stored at local hospitals. The scheme also explicitly refers to the EU Digital COVID Certificate program.

Given that this scheme targets EU-based customers, it is peculiar that the offer lists its address requirements in the US mailing-address format rather than a European one, where postcodes (not zip codes) are listed before the city or town, and house names and multi-line street addresses are common.

This, along with the fact that the price is listed in US dollars, suggests this could very well be simply a scam originating from criminals located in the United States.

Similar Identity and COVID Vaccine Scams Offered on the Darknet

Risk to the EU Digital COVID Certification Program

The EU Digital COVID Certificate program and the idea of “digital vaccination passports” are a cause of increasing controversy across the world, with many claiming an invasion of health privacy, a threat to personal freedom, and an opportunity for discrimination against those without ready access to vaccination centers and smartphones. Similar digital vaccination record systems are in place across the US, such as New York’s Excelsior Pass, which queries the state’s centralized department of health records. California has a similar online portal, called “Digital COVID-19 Vaccination Record,” for residents to verify their vaccination status with a QR code.

While any such digitally-based record system is susceptible to hackers or threat-actors, DarkOwl assesses the overall risk to the EU Digital COVID Certificate program is minimal. As ominous a threat as criminals offering to “hack local hospitals” may seem, we suspect there is a low probability that many darknet fraudsters are actively attempting to gain illicit access to local healthcare computer networks in order to deliver what has been advertised to their customers. In contrast, ransomware groups originating in the darknet pose a legitimate risk to hospitals and healthcare groups worldwide.


Curious about something you’ve read? Contact us to learn more about how darknet data applies to your use-case.

AlphaBay Marketplace Returns

DarkOwl’s historical archive of darknet marketplace data provides a unique opportunity to look back and compare the AlphaBay Market that was taken down by authorities in 2017 with the features of this newly launched marketplace, which shares the same name and is purportedly being run by the same circle of people.

Lookback: AlphaBay Market and Operation Bayonet Takedown

During the summer of 2017, one of the most intriguing and well-orchestrated international law enforcement efforts in history converged to take down some of the most successful darknet markets to date. One of these, AlphaBay Market, was the most prominent and popular darknet market since the Silk Road. At its height, AlphaBay’s daily sales ranged between $600,000 and $800,000 USD across 300,000 listings for illicit goods, offered by over 40,000 vendors and viewed by some 200,000 users.

Operation Bayonet, which would ultimately lead to the shutdown of several prominent marketplaces, began with Dutch police seizing another lesser-known market called Hansa Market. After compromising Hansa, authorities secretly operated the market for almost a month. While the Dutch focused their efforts on Hansa, United States FBI operatives coordinated with international police to DDoS AlphaBay and seize its assets, enabling the Royal Thai Police to locate and arrest its administrator, Alexander Cazes (a.k.a. alpha02).

When AlphaBay became inaccessible as a result, thousands of its buyers and vendors flocked to the then law enforcement-run Hansa market to continue their operations. Dutch police, operating servers across the Netherlands, Lithuania, and Germany, capitalized on the eight-fold surge of users visiting the market in the weeks following. The authorities used the time to gather information on high-value targets and identified delivery addresses for sizable orders, passing along 10,000 international addresses of buyers to Europol.

Seizure Banner from AlphaBay’s Demise - July 2017

In cooperation with the FBI, the Royal Thai Police took steps to organize the extradition of the 24-year old Canadian administrator back to the United States. However, after Cazes was held for exactly a week at the Narcotics Suppression Bureau in Bangkok, reports of his apparent suicide surfaced. Bangkok vowed to conduct an autopsy, while US authorities had no interest in verifying the legitimacy of the suspect’s death.

Alexander Cazes’ criminal indictment details how the US Justice Department successfully confiscated his and his wife’s assets, including bank accounts, personal and market cryptocurrency accounts, and luxurious personal possessions in Bangkok – all by supposedly linking his online personas to his real life through a haphazardly leaked email address, [email protected].

When authorities executed the warrant and arrest at his apartment in Bangkok, his laptop was left unencrypted with the admin account for the market and server logged in. Authorities also simultaneously executed search warrants for the market’s server hardware located in Quebec, Canada.

Images captured from Cazes’ jail cell in Bangkok, (Source)

AlphaBay Organization: Key Players

Cazes did not run AlphaBay singlehandedly. He worked closely with a “security administrator” and second in command known as DeSnake, or simply “DS” for short. According to our historical darknet records, DeSnake had connections in Russia, although his true identity and location were not publicly known.

In 2016, an angry user of AlphaBay known as “Kinger” stated that alpha02 had left the market in late 2015, sold his stake to DeSnake, and DeSnake was supposedly acting as admin for its final two years. Kinger’s ominous threat suggested they knew his real life identity and his citizenship was actually Dutch.

“PS: DeSnake, if you read this, we know who you are and where you reside. We know you're a Dutch guy who acts like he's Russian. Should you attempt to exit scam with AlphaBay, rest assured your dox will be posted.” - user known as "Kinger"

There were also at least half a dozen moderators that helped administer the market and its discussion forum, moderated disputes between buyers and vendors, and promoted the market on Reddit (prior to the shutdown of the DNM subreddit). The indictment from 2017 listed them individually by their monikers and many have been arrested.

Screenshot from Cazes’ Indictment Detailing AlphaBay Organization’s Staff by Moniker

The authorities were not the only ones to identify and/or attempt to uncover the key players (aka staff) at AlphaBay Market. In the spring of 2017, the Alpha Organization paid an extortionist threatening to dox alpha02 and a couple of his moderators at least $45,000 USD, although the veracity of the information the extortionist had has not been verified.

More information about potential players of FBI interest can be found in historical DarkOwl records, including one that states that the FBI “publicized a list of AlphaBay identities that they had identified, including Trappy, DeSnake, Disc0, and several other members of the Alphabay ‘team.’ From owner (DS) all the way down to public relations manager, Trappy.” (Source: Document Archived in DarkOwl Vision)

As recently as last year, a California court sentenced Brian Herrell, a Colorado native and AlphaBay moderator who operated under the moniker “Botah,” to 11 years in prison for racketeering in connection with AlphaBay. Upon his initial arrest, reports suggested he faced up to 20 years for his involvement in the marketplace.

Prior to AlphaBay, Alexander Cazes had a well-known history on the darknet, specifically in the carding community. Ranklez, a senior member of that community, claimed to have evidence suggesting Cazes was not alpha02. Ranklez and alpha02 had a history together in the carding community, as Ranklez sold alpha02 fullz for conducting identity theft.

For months after its shutdown, users across the darknet theorized whether all of it was an exit scam or something more elaborate and sinister. When AlphaBay’s Reddit moderator and public relations manager, Trappy, was arrested, he claimed alpha02 and DeSnake were the same person. The whole saga was confusing and unsettling for many, including Cazes’ parents, who claimed the skill set of Cazes in real life (e.g. his company Canadian EBX) was more in alignment with the qualities DeSnake portrayed than alpha02. (Source: DarkOwl Vision)

AlphaBay Market’s Official Return

In early August 2021, DeSnake resurfaced on Dread, the popular Reddit-like darknet discussion forum administered and moderated by the users HugBunter and Paris. Dread staff “vouched” for DeSnake to skeptical darknet users, with DeSnake signing documents using their historical PGP key.

Interestingly, AlphaBay’s former moderator “Disc0” also chimed in, but using a lowercase “d” this time.

Subdreadit for the Marketplace on the Darknet Forum, Dread - 2021

DeSnake promoted the return of the infamous AlphaBay marketplace with services hosted on both Tor and I2P – including detailed instructions and encouragement for users to explore the market on the peer-to-peer network instead of Tor, calling their Tor services “mirrors” of the main market on I2P.

The new AlphaBay market’s Tor service has been unstable since its launch, with frequent 503 errors, user registration issues, and login timeouts. The I2P eepsite also rarely loads successfully. After almost two months of operation, the market has a handful of vendors, with only a couple of hundred listings across drugs and fraud goods. DeSnake, by contrast, claims there have been 15,000 user accounts created, 450 vendors registered, and over 400 listings published as of the time of writing.

The service on Tor appears to be hosted alongside Dread services and features both the Dread waiting queue and clock-captcha for DDoS protection. The marketplace was offline last week, when Dread and its sister services were under heavy DDoS and inaccessible.

Welcome/Home Page for AlphaBay Market - 2021

Featured Listings on the Marketplace, Consisting primarily of Drugs and Fraud

While disc0 vouched for DeSnake on Dread, they are not staff on the revived market or its associated forum, claiming to be retired from such work. The new AlphaBay appears to be moderated by the personas TheCypriot, tempest, and wxmaz. All of the moderators write very formally in impeccable English and gush with unbridled passion about the need for a new concept of decentralized marketplaces, the complex tradeoffs and advantages of peer-to-peer networks, and a deep desire to establish a greater sense of community. DeSnake’s posts are particularly “wordy,” with extensive lengthy posts on Dread and in the market’s About and FAQ sections. They sign every post and reply with the phrase “Thank You.”

Like the historic AlphaBay, the market’s forum is located on the same domain as the market and has limited discussions. Most of the forum is marked private until the user formally introduces themselves in accordance with the rules outlined by DeSnake. There is an “Admin” account, as was the case with the historical AlphaBay forum, alongside DeSnake’s own personal account. DarkOwl believes the Admin account may also be maintained by DeSnake, based on the observation that both leave the same “Thank You.” at the end of every post.

AlphaBay Forum Main Page - 2021

Darknet Users Remain Hesitant and Skeptical

DarkOwl has been unable to assess how the larger darknet community (outside of Dread) feels about the new AlphaBay Market. AlphaBay historically had a vocal and persistent presence on the Darknet Market Avengers forum, which, unfortunately, has been offline for several weeks. There are no new threads mentioning AlphaBay’s return on The Hub.

Users on the Russian-speaking forum XSS have been the most critical of DeSnake and AlphaBay. In a thread titled “AlphaBay вернулся!” [Translated: “AlphaBay is back!”], users’ comments were generally critical of the legitimacy of the marketplace, with comical posts such as “Welcome to the FBI HQ.”

DeSnake joined the conversation, creating an account under his moniker on September 12, 2021 in an attempt to mitigate the marketplace’s potential reputation damage. DeSnake repeatedly pointed to their vouches from Dread and to an old PGP key pasted to the paste site Ghostbin.

Sample Post from DeSnake on XSS

Unfortunately, DeSnake’s contributions written in a mixture of English and Russian backfired and senior members of XSS berated them for their lack of operational security and inability to properly understand the dynamics of the Russian language.

“Your brand is irrelevant, long forgotten, your missing period as you should know is a lifetime in these circles, your name means nothing, you actually start with negative trust and momentum rather than popping up with a completely new name and brand not linked to the dumpster fire that went down before. So you’re either dAFeDz, or you have fallen victim to a serious and advanced case of autism after getting your covid vaccination. Either way none of your weird over explanation means anything because before we get to any of that we have to deal with the mental retardation and poor judgment that led you to relaunch like this. But since you’re not who you’re trying to be we can skip it”

– XSS user’s reply to DeSnake directly on the AlphaBay is back thread

Even Reddit users on the surface web have mixed feedback. One user openly joked they would stick to purchasing their drugs on social media.

Reddit Users Commenting on the Return of the Marketplace

Drama Begins and Scammers Take Advantage

During this research, DarkOwl discovered a surface web domain that mirrors much of the information DeSnake shared on Dread, but with a Tor link to the market that is not in the mirrors.txt verified links list from AlphaBay. The surface web domain is likely set up specifically to direct users to a phishing site where their credentials can be stolen.

A Dread thread in the AlphaBay subdreadit states that AlphaBay is not on Telegram or the surface web, supporting the theory that this is a phishing domain. No information about the domain’s hosting could be ascertained, as it is fronted by Cloudflare.

Surface Web Phishing Marketing Website for the Marketplace

The links section on the surface web AlphaBay domain asserts that all the information on Dread is false, stating that DeSnake’s Dread account had been compromised by “mr_white.” The moniker mr_white belongs to the administrator and owner of the popular darknet marketplace, White House Market (WHM) themed after Breaking Bad’s main character, Mr. White.

Some users claim that mr_white and his team from WHM are to blame for last week’s DDoS while others speculate that HugBunter himself could be mr_white.

Marketplace links on the Surface Web Domain with reference to mr_white

Is the “New” AlphaBay What it Claims to be? Observations from DarkOwl’s Analysts

While DarkOwl generally avoids engaging in or commenting on speculative darknet drama, there are several things about the re-emergence of AlphaBay and DeSnake that don’t add up. While DeSnake very well could be legitimate, the sheer fact that the authorities confiscated the market’s servers and Cazes’s unencrypted laptop should raise significant suspicion as to whether this new darknet marketplace is legitimate, or simply another covert law enforcement operation.

For this reason, our analysts have shared some observations of note that potentially point to something larger transpiring than a simple relaunch of the former marketplace. Notably:

  • Registration for the market and the forum seem unnecessarily complicated, including errors if the pin code started with ‘0’ and asking for the user’s “real name.” The concept of a real name is irrelevant on the darknet, unless the administration is trying to catch someone not in the “right state of mind” slipping up and actually putting their real name into that field.

  • The DDoS protection and bot detection measures are excessive for a brand new marketplace. While navigating the domain manually, DarkOwl analysts regularly had to reset their Tor circuit and refresh their identity to simply view the vendor listings.

  • The market includes an outrageous number of strict rules delineated as “global AlphaBay” versus rules specifically for “buyers” and “vendors.” There are no weapons allowed (where the previous AlphaBay had a weapons category), no Fentanyl sales allowed (where the previous AlphaBay had a ‘Fent and RCs’ category), no COVID-19 vaccine or cures can be offered, no ransomware sold or advertised, and no Commonwealth of Independent States (CIS) related countries activities allowed.

  • The “About-Us” and Frequently Asked Questions (FAQ) sections are a laborious read with over 13,000 words combined – 8,200 for the FAQ section alone. Conversely, the original AlphaBay’s FAQ was a mere 277 words.

  • The overt exclusion of CIS countries is peculiar, especially given that DeSnake and alpha02 were openly active in Russian carding communities. According to DarkOwl Vision’s archived documents, Russian speakers were present on the original AlphaBay forum, and in interviews alpha02 spoke of how they “work with our Russian colleagues to enable each of us to enrich our base of vendors and buyers,” and clearly was not excluding users located in Russia.

  • AlphaBay now only accepts the cryptocurrency Monero, and heavily promotes that users access it via I2P instead of Tor, calling their Tor services “mirrors” to the main I2P eepsite. DeSnake’s detailed instructions for installing I2P on Dread fail to mention the potential risks of peer discovery and de-anonymization through known techniques like Eclipse and Sybil attacks in conjunction with floodfill takeovers. Interestingly, the last known Monero-I2P-centric market was Libertas, which went offline in June 2019 after a very short stint on the I2P network.

  • DarkOwl could not confirm any prior darknet experience from the moderators DeSnake has installed as Staff on the market and forum.

  • The new AlphaBay Marketplace refuses donations. It is unheard of for a darknet service to decline and discourage donations. A fully-functional darknet marketplace will indeed provide sufficient financial resources in the future; yet refusing them from the start is highly unusual.

DarkOwl Vision Archive of the 2017 version of AlphaBay's FAQ

Additional language analysis reveals other questionable inconsistencies. For example, in the FAQ and About-Us, there are several mentions of DeSnake’s operational security (OPSEC) prowess and over-the-top digs at law enforcement, e.g. “dirty playing by LE with their parallel construction.” Interestingly, the phrase “parallel construction” has appeared many times in post-AlphaBay (2017) conversations on other English-speaking and Russian forums.

Given how security conscious DeSnake was previously, self-described as operating under the mindset of “the agencies are after me,” it is unlikely that they would have been comfortable writing in such recognizable patterns and thereby potentially exposing speech and language nuances.

In a similar vein, DeSnake’s extensive writing samples include multiple instances where the “British” spellings of words like “honoured” and “minimised” are included similar to how alpha02 wrote in his interview with Joshua G in April 2015 on Deep Dot Web, but “decentralized” is still spelled with a “z.” While there are very few English-speaking historical writing samples from DeSnake, as they were most active on Russian-speaking forums like TCF and Evolution, an analysis of historical AlphaBay market records never included any British-English spellings such as these.

Furthermore, darknet users rarely draw so much attention to themselves. DeSnake has broken this mold with their dramatic return to the public eye that included interviews with the media and identity verification through a potentially compromised PGP key.

DarkOwl has assigned assets to monitoring and collecting data from the new AlphaBay Marketplace, leveraging our darknet intelligence capabilities, despite their increased crawler detection measures and ongoing server instability. Our analysts will continue to follow this market’s presence and reputation on the darknet, and provide further updates as this story unfolds.


Darknet Threat To IoT Realized with Recent CCTV Attack on Prison Security System

DarkOwl’s unparalleled reach into the Darknet Illuminates Threat To IoT as Realized with Recent CCTV Attack on Prison Security System.

In recent years, the cybersecurity industry has repeatedly warned of an increased threat against Internet of Things (IoT) devices. With Ring doorbells, smart refrigerators, IP-enabled cameras and baby monitors, and wi-fi enabled programmable thermostats, the modern western home is a hacker’s playground with multiple attack vectors to choose from. Cybercriminals and hacktivists readily seize upon more lucrative and scalable victims, with cloud-based IoT servers regularly targeted and databases of IoT data exposed – like that of enterprise security camera provider Verkada, which had some 150,000 cameras compromised back in the spring of this year during #OperationPanopticon.

Iranian cyber hacktivists known as Edalat-e Ali, or “Ali’s Justice,” demonstrated such vulnerabilities last month, compromising an Iranian prison’s closed-circuit television (CCTV) system to expose widespread abuse and inhumane prison conditions.

DarkOwl has also discovered that the tools to carry out such IoT exploitation campaigns are readily available for sale on the darknet.

Figure 1: Camera in Tesla Factory Compromised in #OperationPanopticon

Background: The Iranian hacktivists who compromised the CCTV networks

Edalat-e Ali’s Telegram channel was created on August 19th. Among its earliest posts, announcing the attack against Evin Prison, was a photo of the prison control room with the group’s logo displayed on the screens. They claim to have “hundreds” of gigabytes of data. In less than two weeks, the channel has amassed over 30,000 followers and includes numerous leaked videos.

Figure 2: Evin Prison Control Room with Justice Ali's Logo on their Screens (Source)

QUICK FACTS

  • While the hackers call themselves Edalat-e Ali, or Ali’s Justice, some reports reference another Iranian hacker collective known as Tapandegan.

  • “Ali’s Justice” is a reference to the son-in-law of the Prophet Muhammad, an imam revered by Shia Muslims.

The description provided in their Telegram channel reads as follows:

Figure 3: Telegram Channel of the Iranian team that accessed Evin Prison's CCTV system (Source)

[Translated from Persian]

“We decided to expose the regime’s crimes and carried out a cyber attack on Evin Prison’s systems. Inform the world of the flagrant human rights violations behind the walls of Evin Prison (video, photos, political prisoners’ files and various documents from the prison).

Political prisoners must be freed!

‘Edalat-e Ali’”

The group also leaked prison documents from early 2020 in which Evin Prison officials expressed concern over a potential foreign military attack. This suggests that Edalat-e Ali possibly accessed the prison’s internal data storage systems in addition to its CCTV security footage. (Source)

Darknet Tools of the Trade to Exploit IoT

Coincidentally, on the same day that the Edalat-e Ali group appeared on Telegram, a vendor known as “thedangeroustomato” posted an offer for a 2021 CCTV exploit on the new Canadian-centric darknet marketplace called “We The North.”

The CCTV exploit is listed for a mere $10.50 USD and is claimed to be “skid-friendly,” with the exploit delivered to the victim network via a malicious PDF and two Python scripts.

According to DarkOwl Vision’s database, the vendor has very few listings and not much history using that moniker across other darknet forums and marketplaces.

Figure 4: CCTV Exploit Listed on the Darknet Marketplace, We The North (Source: DarkOwl Vision)

DarkOwl assesses with medium confidence that the “We The North” darknet marketplace is likely a thematic spin-off of Canadian Headquarters, another Canadian-based darknet marketplace that reportedly “exit scammed” a few weeks ago, but has recently resurfaced on a new v3 Tor onion service. The new Canadian HQ market has a new user database (e.g. old credentials do not work) with a “Coming Soon” banner on the main shop front.

Figure 5: Canadian Headquarters New Market Relaunch Post-Exit Scam

Cyber Threat Actors Will Continue to Target CCTV Vulnerabilities

DarkOwl has not confirmed whether this specific exploit was employed in the Iranian Evin Prison hack. However, the low cost, the ready availability of such tools as Python scripts, and the flurry of international news coverage of the prison CCTV hack suggest further attacks against similar CCTV security systems are likely, if not actively encouraged among darknet cyber criminals.

For example, darknet forum and chatroom members celebrated the Verkada attack against Tesla and Cloudflare earlier this year, in March 2021. A member of the DDoSSecrets Telegram group, known for releasing geopolitically controversial content on the darknet, claimed that APT-69420, known as “Arson Cats,” were responsible for the IoT device breach and shared images from the victim devices in defiance of global mass surveillance. According to one chatroom, Verkada employees supposedly revealed that use of Verkada’s “Super Admin Tool” was widespread, and a compromised admin credential could have been the origin of the device attack.

The U.S. Justice Department indicted 21-year-old Swiss-based hacker Till Kottmann over the Verkada intrusion shortly after the leaks appeared. According to open-source reports, her group, designated APT-69420 Arson Cats, is a small collective of “primarily queer hackers, not backed by any nation state, is motivated by the desire for fun, being gay and a better world.”


Analysis of E-mail Domain Preferences by Ransomware Operators

To learn more about the technology habits of ransomware operators, DarkOwl analysts conducted a brief survey of content issued by RaaS groups over the last few years and collated mentions of any email domains they provided for victims to initiate contact with them. The data we analyzed included ransomware notes harvested from multiple darknet sources from 2016 through the first two quarters of 2021.

The chart below depicts the results of our findings, and demonstrates which email services were and/or are popular amongst ransomware gangs over the past several years.

Distribution of E-mail Domain Preferences by Ransomware Group by Calendar Year

Quick Takeaways

  • Since 2019, ransomware criminal gangs prefer the Swiss-based Protonmail and German-based Tutanota encrypted e-mail services over other e-mail service providers. The data included in this analysis summed the domains mentioned across all service provider TLDs, e.g. .ch, .io, .pm, etc.

  • E-mail service providers AOL and India.com were most popular in 2016 and 2017, but use of these providers has dropped off considerably in recent years.

  • Google’s Gmail has experienced moderate, albeit consistent, use by many ransomware criminal groups.
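The collation step described above, as an added example that is not DarkOwl’s own tooling: a small Python script that extracts e-mail addresses from ransom-note text, maps each provider’s various TLDs (.ch, .io, .pm and so on) onto a single provider name, and tallies mentions per calendar year. The sample notes and the alias table are constructed for this example, not taken from the report’s dataset.

```python
import re
from collections import Counter, defaultdict

# Constructed sample ransom notes for the example (not real notes): (year, text).
SAMPLE_NOTES = [
    (2016, "Your files are encrypted. Write to decryptor@aol.com or help2016@india.com"),
    (2017, "Contact us: unlock@india.com ; backup mail: unlock2@aol.com"),
    (2019, "Email: restore@protonmail.com, reserve: restore@tutanota.com"),
    (2020, "Write us at recover@protonmail.ch or recover@tutanota.de"),
    (2021, "support@tutanota.com / support@tutamail.com / support@pm.me"),
    (2021, "mail: key@tuta.io  alt: key@gmail.com"),
]

# Captures only the domain part of each address found in a note.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")

# Provider aliases: one provider is summed across all the TLDs it uses.
# The table is an assumption for this example; extend it for your own data.
PROVIDER_ALIASES = {
    "protonmail.com": "Protonmail", "protonmail.ch": "Protonmail", "pm.me": "Protonmail",
    "tutanota.com": "Tutanota", "tutanota.de": "Tutanota", "tutamail.com": "Tutanota",
    "tuta.io": "Tutanota", "keemail.me": "Tutanota",
    "gmail.com": "Gmail",
    "aol.com": "AOL",
    "india.com": "India.com",
}


def extract_domains(text):
    """All e-mail domains mentioned in a note, lower-cased, in order of appearance."""
    return [d.lower() for d in EMAIL_RE.findall(text)]


def provider_of(domain):
    # Unknown domains fall through unchanged so a new provider is visible, not dropped.
    return PROVIDER_ALIASES.get(domain, domain)


def tally_by_year(notes):
    """Return {year: Counter({provider: mentions})} over (year, note_text) pairs."""
    by_year = defaultdict(Counter)
    for year, text in notes:
        for domain in extract_domains(text):
            by_year[year][provider_of(domain)] += 1
    return dict(by_year)


def top_provider(tally, year):
    """Most-mentioned provider for a year, or None if no notes that year."""
    counts = tally.get(year)
    if not counts:
        return None
    return counts.most_common(1)[0][0]


def addresses_per_year(tally):
    """Total e-mail address mentions per year (the figure the report tracks over time)."""
    return {year: sum(counts.values()) for year, counts in tally.items()}


if __name__ == "__main__":
    result = tally_by_year(SAMPLE_NOTES)
    for year in sorted(result):
        print(year, dict(result[year]), "top:", top_provider(result, year))
```

An address on a domain missing from the alias table is counted under its raw domain rather than silently discarded, so a provider that starts appearing under a new TLD shows up in the output and can be added to the table.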

Tutanota emerges as the most popular email service in 2021 thus far

For the first half of 2021, Tutanota appears to be leading Protonmail in total email accounts mentioned across notes published in the first two quarters of the year. Both email services have been the subject of controversy in recent years, including last December, when open-source reporting indicated that the German government had been forcing Tutanota to set up backdoors enabling law enforcement to monitor and read e-mails in plain text.

While the reason for the decline in Protonmail’s popularity cannot be stated definitively, the fact that the service has been the subject of debate is likely a contributing factor. In 2019, some users across the darknet and Reddit began spreading rumors that ProtonMail was likely a law enforcement honeypot, citing how its Tor service redirects back to the surface web upon account creation. Other theories held that developers at MIT, with oversight from the NSA, CIA, and DARPA, assisted CERN with Protonmail’s source code and encryption development. Further arguments included how Protonmail stores email data and metadata in formats similar to those that Edward Snowden had stated the CIA requires. (Source)

This debate is heated and greatly divided, with many stating that the Privacy WatchDog Blog detailing how Protonmail is a honeypot is itself an anti-Protonmail propaganda website, spreading FUD and baseless conspiracy theories. Additional reports suggest that the CIA has for decades utilized front companies and technical organizations based in Switzerland to spy on European governments, adding fuel to the paranoia and conspiratorial chatter.

Future Predictions

While the email domain trends observed during the first two quarters of 2021 are consistent with preferences in recent years, this analysis further predicts that the total number of email addresses found in ransomware victim notes for 2021 will likely be less than the totals observed in previous years.

We predict this due to the volume of ransomware groups utilizing alternative communication methods with their victims. DarkOwl has observed numerous links to Telegram accounts and real-time chats hosted directly on Tor onion services being used to conduct ransom payment negotiations in lieu of traditional e-mail based communications.

 
Example conversation between ransomware gang and one of its victims on a chat service


AvosLocker Debuts Service on Tor for Press Releases

Since the beginning of July, information security researchers who have been keeping up with the darknet ransomware community have been anxiously awaiting the debut of AvosLocker’s official Tor service, which will be used as a forum for the ransomware-as-a-service (RaaS) group to communicate with the public about their victims. In early July, DarkOwl observed a v2 Tor onion service branded with AvosLocker’s name and brand logo – a purple bug with green-tipped antennae – stating that the reader’s (victim’s) network and hard drives had been “encrypted using AES-256 military grade encryption.”

The landing page (pictured below) included a simple form where victims with an “ID” could enter the darknet service to begin negotiations with the AvosLocker team on their ransom payment and status of their extorted data. An ID is only available to those who received a ransom note upon encryption of their computer networks.

 
Figure 1: AvosLocker Victim Onion Service on the Tor anonymous network (captured July 8, 2021)

The new onion service – collected by DarkOwl automated crawlers on the Tor anonymous network earlier this week – lists at least six victims consisting of a mixture of transportation and logistics corporations and legal firms across the globe.

Editor’s note: DarkOwl has intentionally chosen not to disclose the victims’ names and has sanitized all mentions of victims in the screen captures included in this piece.

 
Figure 2: AvosLocker Press Release Onion Service on the Tor network (captured July 13, 2021)

DarkOwl also detected an AvosLocker affiliate registration and login portal on their original v2 Tor service. The registration form indicates AvosLocker issues invitation codes for access to the domain.

There is no mention of AvosLocker or their logo on the affiliate-related portal onion services (pictured below).

 
Figure 3: AvosLocker Affiliate Login Portal on the Tor anonymous network (captured July 15, 2021)

Returning to AvosLocker’s debut of their new, branded onion service, it is worth noting that ransomware operators set up public PR-oriented blogs for any number of reasons:

  1. They are truly a brand-new ransomware operator conducting ransomware campaigns against victims, employing a unique ransomware encryption cipher, as well as other tactics, techniques and procedures (TTPs);

  2. They are an existing RaaS affiliate with enough profitable and successful operations to warrant their own victim shaming Tor service; or

  3. They are a seasoned ransomware operator who is intentionally attempting to obfuscate their operation’s identity by rebranding and changing aliases of key members.

The fact that AvosLocker is operating as a RaaS gang employing the traditional “affiliate” model, as evidenced by the login portal above, means it is highly unlikely they are an affiliate of an existing RaaS group and more likely a rebranding of an existing RaaS operator.

Supporting this theory, DarkOwl analysts quickly observed that AvosLocker’s new service bears a striking resemblance to other websites established on Tor, more specifically that of the infamous Doppelpaymer RaaS gang.

DarkOwl has no indication of whether AvosLocker is an affiliate of Doppelpaymer or whether it has merely copied the HTML/CSS templates employed by the Doppelpaymer group; it is not uncommon for hosts of Tor onion services to create websites that look and feel like previously published services.

In contrast to AvosLocker’s service, the Doppelpaymer leaks service on Tor requires the visitor to solve a reCAPTCHA and enable JavaScript for the domain to load properly.

 
Figure 4: DoppelPaymer Ransomware Leak Service on Tor anonymous network (captured July 2, 2021)

Doppelpaymer has plenty of justification to rebrand their operations, but there is insufficient evidence at this time to confirm AvosLocker is their new brand. In December of 2020, the FBI issued a warning against the Doppelpaymer RaaS gang after a series of attacks last fall in Europe resulted in the death of a healthcare patient in Germany. (Source)

The last victim posted on the Doppelpaymer leak service is dated back to May of 2021, and the last one before that was in February. This might suggest Doppelpaymer could be slowing down its operations to avoid additional scrutiny from the media and law enforcement.


Interested in learning more? Contact us to learn how darknet data applies to your use case

Round-up of the Latest Ransomware Gangs Operating on the Darknet

Ransomware as a service (RaaS) gangs readily use darknets like the Tor Project for coordinating their attacks. DarkOwl analysts frequently observe threat actors discussing vulnerabilities and attack vectors, contracting with initial access brokers (IABs) for exposed credentials and access, negotiating directly with victims for ransom payments, and publicly shaming victims through releasing information about attacks and selling/auctioning extorted data. Since the disappearance of Maze Cartel last year and DarkSide this year – shortly after the attack on Colonial Pipeline that crippled a U.S. fuel supply line – DarkOwl has observed many RaaS threat actors come and go, rebranding with nuanced differences. Affiliate programs also increase the presence of new RaaS partners operating similar global campaigns.

This round-up will introduce the new and emerging RaaS groups that DarkOwl has observed as actively operating on the darknet today.

LV Blog

Threat actors behind the LV ransomware appear to have deployed their own personalized version of the 2.03 source binaries developed by the infamous REvil/Sodinokibi ransomware group. The LV ransomware group appears to be targeting victims in France as indicated by their latest public announcements.

Pictured (above) RaaS Group: LV Blog

Arvin Club

Arvin Club, a group that touts the mantra “Born to Connect” [translated from Persian], launched their own services on Tor, with victim data and other well-known data leaks including RockYou2021 and the Compilation Of Many Breaches (or COMB).

Arvin Club’s Telegram Channel has been active much longer than their Tor onion service and is quite popular. The channel predominantly contains re-shares of other data leaks (including the information stolen from the Ministry of Intelligence of Iran), press reports of significant cyber attacks, and onion service URLs for popular ransomware groups.

On the 5th of July, Arvin Club issued a statement refuting rumors accusing them of cooperating with the Iranian government.

In the recent hacking case, we are accused of collaborating with the Iranian government. We do not accept this and deny it. We did not buy any data from anyone.

— Statement from Arvin Club [quote has been translated from Persian to English]

Pictured (above) RaaS Group: Arvin Club

Xing

Xing is a self-claimed Chinese-language ransomware assessed to be an affiliate of the Avaddon/MountLocker ransomware family. Shortly after DarkSide hit Colonial, Xing hit another critical company to the pipeline industry, with an entry on its Tor service for Linestar Integrity Services, known for providing maintenance, compliance, auditing, and IT services to pipeline clients.

Interestingly, they refer to their victims as “participants” as if they had a choice in being targeted by the ransomware variant.

Pictured (above) RaaS Group: Xing

LockBit 2.0 – Reboot

Last summer, LockBit, along with Sekhmet, were allegedly key members of the Maze Cartel, i.e. a ransomware affiliate program. LockBit 2.0 is a reboot of the original group’s activities with a new Tor onion service and a call for “partners,” keeping with the affiliate RaaS model of most darknet ransomware groups.

In their Conditions for Partners and Contacts press release they list “encryption speed and self-spread functions” as “unparalleled benefits” of their ransomware software and include a list of software tests performed to back their claims.

Pictured (above) RaaS Group: LockBit 2.0

Lorenz / SZ40

Lorenz’s Tor service features the tagline “Nothing personal, it’s strictly business” with an extensive list of victims in their short time of operation, launching back in April 2021. In late June, Dutch cybersecurity researchers at Tesorion released a decrypter that they were able to develop after extensive reverse engineering of this malware variant.

Pictured (above) RaaS Group: Lorenz

HiveLeaks

The Hive ransomware group appeared in June with little self-promotion, instead jumping right into leaking victim data. Each victim post includes the date it was encrypted and the date when the data will be disclosed in the event of non-payment. They are credited with the security breach of software and data solutions provider Altus Group, which took place in mid-June.

Pictured (above) RaaS Group: Hive

Prometheus

Prometheus arrived in early 2021 with claims that they were a “group of REvil.” DarkOwl analysts noticed this association had been removed from their domain in late June, perhaps due to the increased publicity REvil has received for attacks against Kaseya and JBS.

According to open-source reporting, the Prometheus ransomware variant has possible associations with the Thanos ransomware variant.

Pictured (above) RaaS Group: Prometheus

The image below is the logo for Prometheus ransomware in early June advertising their association with REvil. This designation has been removed from their Tor onion service.


Grief

The Grief ransomware has marketing and branding down to a tee, with its “Grief came to …” theme for its public shaming of victims. The ransomware group’s latest Tor service also includes infographics to illustrate the financial and economic impacts of not paying the ransom.

Pictured (above) RaaS Group: Grief

Vice Society

Not much is known about the latest newcomer to the ransomware community, Vice Society. They do not have any partners listed on their Tor service which features the tagline, “With Love!” Known victims include more than one school district, suggesting they are not interested in very lucrative ransom payouts. Vice Society is assessed to be a possible spin-off of the Hello Kitty ransomware variant based on similarities in the techniques used for Linux system encryption.

Pictured (above) RaaS Group: Vice Society


 


 

BULLETIN: Latest REvil Victims Suggest Ransomware Targeting is Less Indiscriminate Than Previously Thought

Late last week, DarkOwl analysts observed the REvil ransomware as a service (RaaS) cyber-criminal organization publicly announcing the latest victims of its ransomware operations on its darknet onion service, some of which have direct associations with western militaries and governments.

Previous assessments have suggested that the targets selected by REvil and similar RaaS groups were completely random and indiscriminate. Without directly naming or shaming the companies who fell victim to REvil’s ransomware attack, DarkOwl endeavors merely to highlight the suspicious timing of these specific announcements, along with the threatening language included in the release, and the absence of any mention of, or claim of responsibility for, the attack against global meat distributor JBS SA during Memorial Day weekend; an attack that temporarily impacted meat supplies around the world and caught the attention of the U.S. White House and international authorities.

These latest victims highlight the increasing vulnerability of critical service providers to supply-chain attacks and the potential impacts to national security in the U.S. and abroad.

REvil Threatens to Share Sensitive Victim Data to Foreign Military Agencies

REvil representatives continually maintain their financially-motivated and opportunistic stance with numerous darknet forum posts stating that they want no part in geopolitical affairs nor act on behalf of any government. In these latest victim announcements, REvil included sensitive military contract information and critical personally identifiable information (PII) of the victim’s employees, such as copies of employee passports, payroll statements, and national identification numbers, as “proof” of the legitimacy of the attack.

More sinisterly, they also acknowledge the sensitivity of the data they’ve stolen and stated they would not hesitate to share this information with other foreign military agencies of their choice, directly contradicting earlier positions of agnosticism in international government affairs or military operations.


Many sources have already confirmed the likelihood that REvil is a Russian-based cyber-criminal organization. The recent string of ransomware attacks by REvil, their affiliates and similar groups, suggest that these organizations are indeed directly targeting critical supply-chain targets with unique technological and critical infrastructure focus, instead of indiscriminately targeting victims for monetary gain.

It is also noteworthy that there is no current consensus on how long RaaS operators like REvil can maintain unauthorized access to victim networks, during which time they would be able to extract data and conduct potentially cyber-espionage-like activity before making themselves known. In other words, the target’s networks are freely accessible to these criminals for an unknown period of time before they finally pull the plug on the operation by deploying a ransomware variant, which then locks down the network, notifies the victim, and begins the phase of extorting the target by demanding a ransom.

One security researcher recently shared their analysis of the latest version of REvil’s source code, version 2.05, stating that persistence of the malware was maintained by creating a registry key under SOFTWARE\Microsoft\Windows\CurrentVersion\Run (on Windows machines), which allows the malware to run every time the user reboots their machine. Other analysis of victims of the Pysa/Mespinoza ransomware strain detailed an 8-hour campaign, launched via a compromised RDP account, in which threat actors moved laterally throughout the entire domain, harvesting additional credentials and data wherever possible (Source). This, however, is unsurprising, as it is well known that REvil and other popular RaaS operators leverage stolen VPN, RDP, and user credentials where available (often actively sold and traded on the darknet) and readily prey on unpatched server-side software and remote working products like Citrix ADC.
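A defender-side check for the Run-key persistence described above, added here as an example; it is not DarkOwl’s tooling nor derived from any REvil code. It parses the text of a `reg export` of the per-user Run key and flags entries whose program lives in a user-writable directory, which is where malware dropped by a compromised account typically ends up. The sample export, the value names and paths in it, the suspicious-directory markers and the allowlist are all constructed assumptions for the illustration.

```python
import re

# Constructed sample of a `reg export` of HKCU\...\Run (not from a real host).
# .reg syntax escapes backslashes and double quotes with a backslash.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"SecurityHealth"="C:\\Program Files\\Windows Defender\\MSASCuiL.exe"
"Updater"="C:\\Users\\alice\\AppData\\Roaming\\svc\\update.exe -s"
"Loader"="\"C:\\Users\\Public\\Downloads\\a.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
'''

RUN_KEY_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce")
# Directories a standard user can write to. Legitimate installers mostly use
# Program Files or Windows, so an autorun from here deserves a look.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\",
                         "\\users\\public\\", "\\downloads\\")
# Known-benign exceptions: an assumption for the example, tune for your fleet.
KNOWN_BENIGN_SUFFIXES = ("\\appdata\\local\\microsoft\\onedrive\\onedrive.exe",)

VALUE_LINE = re.compile(r'^"(.+?)"="(.*)"$')
EXEC_EXTS = (".exe", ".com", ".bat", ".cmd", ".scr", ".vbs", ".js", ".ps1")


def _unescape(value):
    # Turn \\ into \ and \" into " in one pass.
    return re.sub(r"\\(.)", r"\1", value)


def parse_run_values(reg_text):
    """Return {value_name: command_line} for string values under Run / RunOnce keys."""
    in_run_key = False
    values = {}
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line[1:-1].lower().endswith(RUN_KEY_SUFFIXES)
            continue
        match = VALUE_LINE.match(line)
        if in_run_key and match:
            values[match.group(1)] = _unescape(match.group(2))
    return values


def executable_path(command):
    """Program path from a Run command line: quoted path, or bare path up to the executable."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    collected = []
    for token in command.split():
        collected.append(token)
        if token.lower().endswith(EXEC_EXTS):
            break
    return " ".join(collected)


def audit_run_key(reg_text):
    """[(name, path, reason)] for autoruns launching from user-writable directories."""
    findings = []
    for name, command in parse_run_values(reg_text).items():
        path = executable_path(command)
        low = path.lower()
        if low.endswith(KNOWN_BENIGN_SUFFIXES):
            continue
        marker = next((m for m in USER_WRITABLE_MARKERS if m in low), None)
        if marker:
            findings.append((name, path, "launches from user-writable dir " + marker.strip("\\")))
    return sorted(findings)


if __name__ == "__main__":
    for name, path, reason in audit_run_key(SAMPLE_REG_EXPORT):
        print(f"[!] {name}: {path}  ({reason})")
```

The same logic applies to the HKLM Run keys and to Sysmon event ID 13 (registry value set) feeds; the point of the allowlist is that user-profile autoruns are not automatically malicious, so the check surfaces candidates for review rather than verdicts.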

What other kinds of companies are REvil and their affiliates considering as potential targets?

In an interview conducted earlier this year, a REvil representative known simply as “Unknown/UNKN” stated that many of their affiliates had unprecedented access to national security assets (directly or indirectly), including “a ballistic missile launch system, one to a U.S. Navy cruiser, a third to a nuclear power plant, and a fourth to a weapons factory.” The veracity of this extremely serious claim has not been verified by DarkOwl nor by the interviewer who spoke directly with Unknown. Others, skeptical of interviews with such unreliable threat actors, note that this particular “Unknown” could have been an imposter, as alias hijacking is common across darknet communities.

However, supporting the ransomware group’s claims of alarming access to such national entities are recent reports confirming that another ransomware victim is a company that manages the US fleet of military vehicles. While not presently attributed directly to REvil, this incident is indicative that ransomware groups as a whole are indeed successfully compromising vendors supporting US and allied military efforts.

An Ever-Expanding and Continuous Operation

REvil fingerprints have also recently been detected in a new strain of ransomware known as Epsilon Red, which information security researchers directly associate with a concerted attack on Microsoft Exchange mail servers. In late May, another new ransomware variant known as Prometheus set up a new Tor onion service claiming they were a “Group of REvil” in their ransom note and branding. Security researchers indicate that Prometheus, now operating for over a month, pens its ransom notes very similarly to the MountLocker and MedusaLocker ransomware variants.

Despite the media attention the JBS SA attack garnered, REvil shows no sign of slowing down or scaling back their operations. In an interview conducted with the Russian OSINT YouTube channel last week, they suggested they had previously refrained from conducting attacks against U.S. targets, although DarkOwl notes that several of their victims over the past year included retail, health, legal, and agricultural companies headquartered in the U.S.

The group’s spokesperson also showed no concern about being considered “terrorists” by the U.S. government or intelligence community, boasting of their confidence in immunity from prosecution while sheltered by Moscow, which undoubtedly allows them to operate freely without legal consequence. They concluded their interview with the statement “We are not going anywhere, we are not going anywhere. We will work harder, harder, and harder.” (Source)

DarkOwl will continue to monitor this ongoing story and update as our analysts uncover information.


Breached data from ransomware attacks often wind up on the darknet. Contact us to see if your organization has been the victim of a cyber attack to gain insight into the full extent of your company’s darknet exposure.

Chan Imageboards Proliferate on the Darknet


An Introduction to Imageboards of the Darknet

The darknet is replete with an extensive array of content, including onion services and communities that intelligence and investigative analysts have noted are home to cyber criminals, scammers, and threat actors. Typically, the most common hubs for these users are darknet marketplaces and blogs/forums. However, recently, our analysts have observed the increasing presence of a legitimate and growing segment of the darknet, comprised of a community of free-speech enthusiasts who utilize imageboards known as “chans.”

The rise of QAnon and the coordinated siege of the U.S. Capitol in January shined a spotlight on one wildly popular imageboard known as 8chan, bringing about significant coverage in mainstream media. In the wake of such recent events, we have observed an increase in imageboard hosting on the darknet, including many direct copies of the 8chan codebase that are serving as new safe havens for emerging, controversial chan boards. In fact, DarkOwl has identified over two dozen alternative chans on the darknet – not related to 4chan or 8chan – across numerous languages (Russian, Korean, Japanese, German, and English) that are currently online and active.

About Imageboards: What is an Imageboard and Why is it called a Chan?

An imageboard is a type of bulletin-board-like forum that revolves around the posting of images, often alongside text and discussion. Imageboards are characterized by a community of users with non-identifiable usernames, usually simply “Anonymous,” that rely on a system of tripcodes instead of registration with credentials. A tripcode is the hashed result of a unique password that allows one’s identity to be recognized without storing any data about the user; entering a particular password lets one “sign” one’s posts (often necessary for moderators and staff) with the tripcode generated from that password. 4chan and 8chan (or 8kun) implemented secure tripcodes that are not reproducible across different imageboards and are more resistant to the hashed password being hacked or cracked. The originating IP address of the user is known to the administrator of the imageboard, but the pseudo-anonymity of the forum structure led to its users calling themselves “anons.”
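A toy model of the two tripcode schemes just described, added here as an example. It is not 4chan’s or 8chan’s actual algorithm (the classic scheme there is built on crypt(3)); the SHA-256 and HMAC-SHA256 constructions, the 10-character truncation and the board secrets are assumptions chosen for illustration. What it shows is why a classic code is the same on every board and can be matched from a candidate list with no help from the board, while a secure code is bound to one board’s secret and yields nothing without it.

```python
import hashlib
import hmac

TRIP_LEN = 10  # display length; an assumption for the model


def classic_tripcode(password: str) -> str:
    """Classic-style tripcode model: derived from the password alone (assumption: not crypt(3))."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:TRIP_LEN]


def secure_tripcode(password: str, board_secret: bytes) -> str:
    """Secure-style tripcode model: keyed with a secret only the board holds."""
    return hmac.new(board_secret, password.encode("utf-8"), hashlib.sha256).hexdigest()[:TRIP_LEN]


def same_across_boards(password: str, secret_a: bytes, secret_b: bytes):
    """(classic codes equal on both boards?, secure codes equal on both boards?)"""
    return (
        classic_tripcode(password) == classic_tripcode(password),
        secure_tripcode(password, secret_a) == secure_tripcode(password, secret_b),
    )


def match_from_wordlist(code: str, wordlist, board_secret: bytes = None):
    """Return the candidate password that reproduces `code`, or None.

    Without a board secret the classic scheme is checked; with one, the secure
    scheme is checked under that secret. A secure code checked under the wrong
    secret, or with no secret at all, does not match its own password."""
    for candidate in wordlist:
        if board_secret is None:
            guess = classic_tripcode(candidate)
        else:
            guess = secure_tripcode(candidate, board_secret)
        if hmac.compare_digest(guess, code):
            return candidate
    return None


def sign_post(body: str, password: str, board_secret: bytes) -> dict:
    """A post as a board would render it: the name stays Anonymous, the tripcode carries continuity."""
    return {"name": "Anonymous", "trip": "!" + secure_tripcode(password, board_secret), "body": body}


if __name__ == "__main__":
    # Constructed board secrets for the demonstration.
    board_a, board_b = b"board-a-secret", b"board-b-secret"
    print("classic same / secure same across boards:", same_across_boards("hunter2", board_a, board_b))
    print("classic matched from list:", match_from_wordlist(classic_tripcode("hunter2"), ["pass", "hunter2"]))
    print("secure matched without secret:", match_from_wordlist(secure_tripcode("hunter2", board_a), ["pass", "hunter2"]))
    print(sign_post("hello", "hunter2", board_a))
```

The second property is the one the text calls resistance to cracking: the secret never leaves the board, so a leaked list of displayed codes gives an outsider nothing to verify guesses against, and a compromised secret on one board does not carry over to any other.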

The very first imageboard was 2channel (2ちゃんねる, 2chan, or 2ch), first launched over two decades ago by Hiroyuki Nishimura, a Japanese Internet entrepreneur and student based in the United States at the time. By hosting the board outside of Japan, Nishimura managed to circumvent Japanese internet censorship and grew the predominantly Japanese online community to millions of daily users, with a level of influence in society many described as comparable to that of traditional mass media like television, radio, and magazines. Nishimura named the imageboard 2channel after the physical channel older televisions would need to be turned to in order to use auxiliary devices like 1990s video game consoles.

Figure 1: Pepe the Frog and “feels good man” meme

In 2003, not long after the success of 2channel, Christopher “moot” Poole (at the time age 15 years old) launched an English language counterpart to 2channel known simply as 4chan. Poole already had a history as an active participant on the comedy surface web bulletin board known as “Something Awful” which funneled users to 4chan and quickly increased its popularity, forming a whole new genre of internet subculture including the “Cult of Kek” (Pepe the Frog), the conversational meme factory, and resources for rare adult fandom like My Little Pony.

The pseudo-anonymity provided by 4chan also enabled discussions from a rather darker segment of society where disturbing fetishes and hate speech are not just authorized but glorified. Illegal content such as child pornography and gore increased the need for fairly strict moderation on the site by its hundreds of volunteer moderators stationed around the world; Poole and a part-time developer were the only official staff of the board. In 2014, 4chan was central to the Gamergate controversy, an online harassment campaign dedicated to directly targeting and doxing females because of anger regarding feminist or progressive ideals found at the time in the video game industry.

By this time, alternative imageboards known as “alt-chans” had emerged, including Wizardchan, whose userbase consisted of virgin men or “incels” (slang derived from “involuntary celibate”) who define themselves as unable to find a romantic or sexual partner despite desiring one and who ultimately often despised the sheer existence of the entire female gender. To this day there is crossover in the users between imageboards; Wizardchan’s users also post in threads on 4chan and vice versa.

Due to the increased moderation of content on 4chan, a prominent user and admin of Wizardchan known as Fredrick Brennan, using the pseudonym “Hotwheels,” founded “infinitychan” (using a sideways “8” for infinity, or simply 8chan or 8ch), redesigning the codebase to include user-created and user-moderated boards on the channel. In 2013, Brennan advertised the new imageboard as a “free speech friendly alternative to 4chan,” and 4chan’s eventual blanket censorship of all Gamergate-related discussions significantly increased 8chan’s rapid success and popularity in the first years of its operation. 8chan quickly outgrew Brennan’s ability to host the volume of posts by its thousands of daily users, and illegal content became increasingly difficult to moderate. In late 2014, he partnered with Jim Watkins in the Philippines to host and help scale the platform, using Watkins’s data center company N.T. Technology, while Brennan served as admin and the public face for the board. (Source)

8chan’s content became increasingly obscene and its users were linked to several violent international hate crimes, including the mass shooting at a Christchurch mosque in 2019, the Poway Synagogue shooting, and the El Paso shooting at a Walmart targeting Hispanics shortly thereafter, with all three shooters posting racist and xenophobic manifestos on the imageboard within hours of the attacks. Around the same time, Brennan resigned as the imageboard’s admin and launched a campaign to get the site shut down permanently, with direct attacks against both Jim and Ron Watkins across social media and the mainstream news media. In late 2019, Watkins rebranded 8chan to 8kun after widespread public criticism of the site, with support from Russian hosting providers affiliated with cybercriminal activity.

The imageboards mentioned above are considered the grandparent-chans, creating the ‘foundational’ platforms for fast-paced discussions, fueling mob-like mentalities, and they are still widely popular underground online communities. Nevertheless, there are hundreds of “alt-chans,” many of which have a growing presence of users on the darknet, including not only a mirror of 2channel but 16chan, nanochan, 64chan, Korchan, Kohlchan, and others. The surge in new imageboards and their use of the darknet is reflected in conversations expressing how their users are increasingly concerned over the concerted ‘attack on free-speech’ that occurred in the wake of the January 6th riots, as well as members of the US Congress’s call for a repeal of Section 230 of the Communications Decency Act, which has historically protected the hosts of controversial social platforms from legal consequence. (Source)


Key Players: Founders and Key Players in the Imageboard Community

The following lists the founders and critical players of the most popular and widely discussed imageboards in public media. Due to the nature of the content and its users’ and creators’ inherent desire for digital privacy, many of the owners and administrators of imageboards are completely anonymous or known only by their pseudonyms.


Chan Language: Understanding the Language of the Chans

Imageboards pride themselves on providing a platform that advocates free speech and the purest freedom of expression, and many users utilize the forums as an outlet for venting internal frustration, speaking on the boards in ways that they would never, ever speak in real life. In 2010, 4chan administrator “moot” was called to testify in the trial of David Kernell, a 4chan user who was eventually convicted of hacking Sarah Palin’s email during the 2008 Presidential election and leaking screenshots from her account on the imageboard. The administrator’s role in the trial turned from ordinary to awkward when moot was asked to define and explain the community’s lingo and terms that were used in the posts and comments included in the prosecution’s discovery. Terms he testified about included such vernacular as “b tard,” “troll,” “peeps,” “lurker” and OP (original poster).

In the last decade, the culture and language of the chans has only become more exclusive and insular to its chan-community, preventing many new users and investigative analysts from engaging its users or even parsing what they are reading in any given thread from darknet data collection systems. The influx of right-wing extremism and domestic terrorism observed with the popularization of QAnon on 8chan (or 8kun) increased the use of phrases specific to Q’s posts, such as “Patriots,” “Trust the Plan,” “Great Awakening,” “WWG1WGA” (where we go one we go all), “Panic in DC,” “deep state,” and the idea of “sheep,” or those who follow mainstream media blindly.

Imageboard users go to great lengths to directly insult each other on a thread and openly attack anyone of non-Caucasian race or non-evangelical Christian religious beliefs. Most of the lingo is too obscene and vulgar to be mentioned here, but there are some standard key phrases used across all the imageboards that provide general context to many an anon’s post. Several of these have made it into urbandictionary.com, whose definitions were included directly where available.

based: A word used when you agree with something; or when you want to recognize someone for being themselves, i.e. courageous and unique or not caring what others think. Especially common in online political slang.

redpilled: A word used to describe when a left-leaning liberal has shifted their beliefs into alignment with the right. The phrase was adapted from the movie The Matrix, where Morpheus offers to enlighten Neo to the Matrix: “You take the red pill, you stay in Wonderland, and I show you how deep the rabbit hole goes.”

shill: This word describes a person who is pretending to agree with a conspiracy and intentionally circulates false information or acts totally insane in an effort to discredit said conspiracy. Someone who shills could also be someone directly lying in a post to deceive or cause controversy.

larp: An acronym meaning “live action role play” – used when whatever has been posted is not real but intended for comedic or dramatic effect, as if it occurred in a play.

/b/tard: A derogatory insult to address users who are found in the /b/ section of the board or to insinuate that their post is random or nonsensical.

lurker: A person who ‘lurks’ or browses the board and never posts anything.

newfag: A newcomer to the imageboard who is considered a nuisance to the discussion. Often this person is trying too hard to fit in.

neckbeard: A word derived from conjoining the words “neck” and “beard,” used to denigrate a male user on the board as characterized by an inflated sense of self-worth and a powerful sense of entitlement, particularly to affection, subservience and sexual acts from women.

neet: A person considered a failure in life who is unemployed and lounges all day playing video games or watching anime. 

waifu: A word used in the manga sub-genre to describe a fictional female character that they love and would marry if they were real.

glow: If the word glow is associated with an insult or someone says, “you glow” that would intimate that you’ve been perceived as law enforcement or a government agent.

troll/trolling: As it relates to imageboards, trolling describes the deliberate act (by a troll – noun or adjective) of making random, unsolicited and/or controversial comments on various internet forums with the intent to provoke an emotional knee-jerk reaction from unsuspecting readers and draw them into a fight or argument.


Chan Topic Boards and Types of Content: Where /b/ and /pol/ Persist …

“Anything posted here are autistic works of fiction, only a fool would take them seriously.”

— /b/ board moderator on endchan, collected from Tor onion service

Persistent topic boards are a characteristic of chan forums. From its inception, 4chan required an administrator to create all topical boards to guide its users’ discussion, leading to a sort of standard that has persisted to newer chans. Alternatively, 8chan infamously gave its users the creative freedom to launch and moderate their own topical boards – a backend board style adopted by several imageboard developers.

Nevertheless, there are some board topics that are persistent across all of the imageboards, including the alt-chans across the surface web and darknet. Such well-known and highly popular sub-boards include:

Figure 2: Sample post from /b/. Source: onee.ch

  • /b/ – random: The sub-board /b/ was the first board Poole created on 4chan and it was the catchall for any random thread about any sort of content, including cartoon pornography and debased memes. It is considered community etiquette across almost all imageboards to limit discussions that are specialties or the focus of other boards on the channel. Many imageboards recognize the power of /b/ to such an extent that it is the only board available on the entire platform.

  • /pol/ – politically incorrect: The /pol/ sub-board covers a wide range of subjects, including politics, culture, social issues, religion, law, finance, and current events. It has become most well-known for its divisive content and hate speech, with posts including neo-Nazism, white supremacy, and xenophobia. Nearly all imageboards online today have an active /pol/ board and some even include additional country-specific politics boards, like /polru/ for Russian political discussions. Some non-English-speaking alt-chans have created an /intpol/ sub-board instead of /pol/, which stands for international politics, as many of the English-speaking /pol/ boards are heavily influenced by U.S.-focused political partisanship. Last year, 8kun renamed its /pol/ board to /pnd/, for politics, news, and debate, over the protests of its userbase.

Figure 3: Sample post from /pol/. Source: 16chan’s Tor Service

Figure 4: Sample post from /pol/. Source: 16chan’s Tor Service

  • /a/ – anime: Given the imageboard’s roots in Japanese anime subculture, and 2channel’s founder being Japanese, most imageboards have a sub-board called /a/ dedicated to sharing and discussing anime. Many posts on this sub-board also include a very specific sub-genre of animated pornography known as “hentai,” short for hentai seiyoku, translated as “perverse” or bizarre sexual inclinations.

  • /g/ – technology: The /g/ sub-board got its start on 4chan, and other imageboards quickly adopted this topical board for “discussing computer hardware and software, programming, and general technology.” This channel often includes a wide range of posts, such as requests for recommendations on which Linux distribution to install or pictures of users’ home technology setups.

    Last week, DarkOwl analysts observed a post on /g/ on how to successfully hack Apple’s recently released AirTags product, with detailed instructions from a security researcher’s blog on the surface web, demonstrating how /g/ could be used to uncover security vulnerabilities. Within minutes of the post’s appearance, /g/ moderators removed the thread, validating user complaints about how heavily moderated 4chan can be and illustrating what attracts many users to imageboards hosted exclusively on the darknet with more relaxed moderation policies.

Figure 5: Sample post from /g/ sub-board. Source: endchan Tor service


How Imageboards are Evolving on the Darknet

Most imageboards have a surface web domain address and are accessible directly from the public Internet. Imageboards are considered pseudo-anonymous, since a user’s IP address is known and likely logged by the imageboard administrator, especially for users accessing the site directly on the surface web. While many users access imageboards through a Virtual Private Network (VPN) proxy, 8chan has used Tor off and on over the last five years to mirror its content, to provide additional anonymity to users accessing the imageboard and to mitigate DDoS attacks against its Internet domains.

Other imageboards, including 2channel, have a persistent presence on the darknet, providing their users additional layers of operational security. Some imageboards, like endchan, have mirrors across other alternative darknets including Oxen and Yggdrasil for additional data redundancy and wider client support for their userbase.

In 2019, DarkOwl reported that it had detected an emergency bunker for 8chan that surfaced on Zeronet during the imageboard’s controversial shutdowns and DDoS attacks in the summer of 2019, but CodeMonkeyZ contacted DarkOwl to state that it was not under their direct administration, and darknet users suggested it was either a honeypot or set up by an 8chan superfan and loyal user.

Many imageboards that are accessed strictly through the surface web have strict rules about what can and cannot be uploaded, and their administrators comply with all law enforcement requests for information and readily hand over logs. Others give moderators the power to block posts from Tor exit nodes, for the case where users access the surface web domain using the Tor Browser Bundle for anonymity.

Other, darknet-exclusive imageboards have more lenient rules and allow their users to post illegal content including violence, pornography, and gore. Gurochan, an imageboard that originated over a decade ago, recently returned online and predominantly includes threads with gore and necrophilia.

An Increasingly Evolving Darknet Threat

The imageboard community on the surface web is rapidly evolving and many services are migrating directly to or mirroring their content across the darknet(s). Knowing that 4chan is now heavily moderated and often called a law enforcement honeypot, and that many users of 8kun have disappeared with the failure of a real-life political “reckoning” for the alleged deep state cult at the heart of the QAnon conspiracy, the imageboard underground digital community is thriving as a safe haven for people to direct their shills and troll campaigns.

As previously mentioned, during the course of this content research, DarkOwl identified over two dozen alternative chans on the darknet – not related to 4chan or 8kun – across numerous languages (Russian, Korean, Japanese, German, and English) that are currently online and active. To support Vision users in conducting their most effective and efficient investigative analysis, we have also created a “Groups” filter using these domains, so Vision UI users can easily target their searches directly at these communities without direct or a priori knowledge of the onion service addresses. Hopefully this post, with its primer on historical context and guide to imageboard community lingo, will help end users develop intelligent, targeted queries to find content of interest.


COVID Vaccination-Related Fraud and Disinformation on the Darknet

In the year-plus since the COVID-19 pandemic took hold, DarkOwl analysts have continued to observe widespread coronavirus-related scams on the darknet. From bootlegged PPE, to “COVID infected blood,” to fake vaccination cards, there appears to be no shortage of individuals willing to take advantage of this global crisis to pursue their goals, be it to spread disinformation or simply to make money.

To gain insight into potential threat actors aiming to defraud individuals and corporations alike, DarkOwl turned to the darknet to take a closer look. In doing so, we identified scammers purportedly selling COVID-19 vaccines, vaccination passports and cardstock records of vaccination as issued by the Center for Disease Control (CDC). DarkOwl has also observed a number of disinformation campaigns related to the efficacy and legitimacy of the COVID-19 vaccine across major deep web and darknet discussion boards, creating additional conflict and polarization among forum users.

Vaccination Cards for Sale on the Darknet

In the past few months, DarkOwl has noted a number of scammers offering vaccination record cards for sale, priced around $150 USD on average.

Figure 1: Vaccination Cards/Passports for offer on the darknet (Source – DarkOwl Vision)

One vendor, known only as “darknetdeals,” also offers negative COVID-19 PCR tests for sale to those needing negative COVID-19 tests for travel and work.

Users on deep web discussion boards express their surprise at the nature of the vaccination record cards issued in the U.S.: the generic grey cardstock they are printed on, with the recipient’s name and the dates of the first and second doses handwritten, for vaccines with multi-dose administration. DarkOwl has not engaged the threat actor nor purchased a card to verify whether this is a legitimate offer or a scam, but the opportunity could appeal to anti-vaxxers who wish to travel and dine in restaurants without receiving the vaccine.

Other offers have also surfaced on Telegram with “coronavirus certificates” and vaccine passports available for purchase. The price was not disclosed on the channel.

 
Figure 2: Advertisement on Telegram for Vaccine Passport (Source – DarkOwl Vision)

Vaccinated individuals across the US have shared post-vaccine selfies with the CDC-stamped paper card issued by their vaccination provider proudly in hand across social media. Scammers could not only utilize the photo of the card to create fake cards for sale on the darknet, but steal the personalized information such as full name and date of birth for identity theft and fraud.

 
Figure 3: Sample CDC Vaccination Cards Discussed and Circulated on the Darknet

Vaccine Doses Still for Sale on Darknet Markets

DarkOwl continues to see several COVID-19 vaccines offered for sale across darknet marketplaces and classified-like paste sites. In recent months, there has been a surge in vaccines on offer, including Russia’s Sputnik vaccine developed by Gamaleya. On one new darknet market alone, there are 5 different vendors offering vaccines ranging in price from $40 to $888 USD per dose. Pfizer vaccines tend to be more expensive than the other vaccines on offer.

DarkOwl had observed offers for COVID-19 vaccines on other darknet markets back in December, with prices ranging from $500 to $4000 USD. One vendor received feedback stating that the buyer had purchased five vials of the Pfizer vaccine for $2000 USD and that it was packaged in a shipping container the size of a pizza box along with dry ice to maintain the significantly cold temperature requirement. It was unclear whether these were intended as single doses or as a multi-dose course spaced 21 days apart, as suggested by the manufacturer.

Figure 4: Review of Vaccine Vendor on the Darknet, December 2020

Figure 5: Moderna COVID-19 Vaccine Advertisement on the Darknet

While these could theoretically be ‘stolen’ vaccines, it is more likely they are counterfeit vaccines: vials of unknown and possibly lethal substances. Last week, open sources reported that authorities had discovered fake coronavirus vaccines containing distilled water had been administered to at least 80 patients in a clinic in Mexico, while a darknet scammer was arrested in Poland for selling vaccines that actually contained an anti-wrinkle agent. Luckily, the Polish doses do not appear to have been administered to anyone.

Other offers for vaccines are clearly scams without any intention to deliver a single vial.

One vendor on a market known for its promotion of “rippers” (a.k.a. scammers), stated they had the “most-effective” “Pfitzer” vaccine for sale for $500 USD. The contact information associated with the vendor has only emerged on the darknet in recent weeks and is also connected with offers for various pharmaceuticals including ecstasy and Adderall.

Some scammers have established darknet onion services with elaborate backstories about their access to COVID-19 vaccines and medicines. One domain is supposedly set up by Wuhan Institute of Virology lab scientists and doctors who have medicine exclusive to China to treat COVID-19 and vaccines that the Chinese government is keeping secret from the rest of the world. They are not ‘selling’ the vaccines and medicines but shipping them after a Bitcoin donation is received. They also refuse to respond to ‘long emails’ and ‘investigative questions,’ and their written text includes a number of typos. (Quoted below)

 

We are Wuhan Institute of Virology Lab Scientists and Doctors. We are a few scientists from the Wuhan Institute of Virology who have been working on viruses for human health, however after the corona virus (covid-19) has been leaked out of the facility and start infecting people we warned our government about making the covid-19 vaccines available for the public and start manufacturing the corona virus medicines asap. Unfortunately our warnings didn`t work and local infection turned out to a pandemi. Some of us are sworn doctors and others are honest scientists who only work for humanity. Being able to help people but not being allowed to is making us sick, some of us committed suicide already but we decided to use any and all ways to save lives.

As written on other pages we have been sending some covid-19 (corona virus) vaccines and corona virus (covid-19) medicines successfully to another country and we do not intend to sell any covid-19 vaccine but we are asking your help to let us save our lives and escape from China to a safe location in any part of the world and work with other scientists to save more lives.

If you have suffered with the Corona virus (covid-19) and hopefully recovered we are sure of that you don`t want that suffer for anybody else. So even if you don`t need the covid-19 vaccine or corona virus medicine please donate to the address below so you can save more lives.

— Authors of Tor Onion Service titled ‘We Are Wuhan Institute of Virology Lab Scientists and Doctors’, captured March 21, 2021
 

Disinformation Persistent Across Boards and Chans

If fake vaccines filled with unknown substances do not undermine the public’s confidence in vaccine distribution, there is plenty of disinformation rampant across the political threads on darknet and deep web discussion boards to stoke collective fears and personal anxieties. A recent thread on one discussion board included links to the original Moderna patent with skepticism and a link to a controversial article suggesting the mRNA vaccines cause cancer.

 
Figure 6: User on darknet board discusses fertility issues and vaccine (Source – DarkOwl Vision)

Others suggest the vaccine impacts fertility, stating that they now have lowered sperm counts since taking the vaccine. Some users call out other users for “shilling,” a term from Urban Dictionary that in conspiracy circles refers to a person who intentionally circulates false information or acts totally insane in an effort to discredit a conspiracy – revealing that an active information war is at play on the boards.

 
Figure 7: Controversial Discussion on a Deep Web Discussion Board

Figure 8: Controversial Discussion on a Deep Web Discussion Board

The fabricated conspiracies on such forums are particularly imaginative and controversial. For example, another post on a forum insinuated that the entire narrative around the dangers of mRNA vaccines was intentionally developed to shift people to prefer vaccines that are indeed gene therapy experiments instead.

Based on our observations, vaccine resistance is not limited to the United States. One user on Telegram expressed outrage over how a certificate of vaccination was required to receive services from a hair salon in Demark as of April 2021. The post was written with a tone of desperation including the sentence “We need help” at the end, signaling this is becoming a global issue of controversy and potential social uprising.

 

Guys in Denmark you now have to show a corona passport (vaccine/negative test) to get service in hair salon from April 6th!!! Before that it was only for traveling. Now it’s hair salon. They are slowly grooming us into accepting this stupd passport. Soon it will be for restaurants and other cultural activities. This is fucking madness. I am so angry about this and so is many other danish citizens. This will soon happen all over the world. They say there will be a expired date for the passport but I dont believe that cus they lied about the 14 days to flatten the curve. We really need fucking help. Soon it will be restaurants too and does that mean I need to show a fucking certification to pick up food from restaurant and to the customers adress as a food courier!? I am at this stage where I may risk losing my fucking job in two months unless my job is exempted from it. Even if I may be exempted from it, many citizens will lose their job and have their freedom taken away because of this stupid passport. We need help.

— Post from Telegram User, March 23rd, 2021
 

Vaccine Data on the Darknet

Criticism of the CDC’s vaccination records on easily obtainable grey cardstock, and the ease with which they are counterfeited, is justification for a digital vaccine passport program. Developers have not delayed: there are now numerous vaccine passport apps available across the widely used mobile app stores. Even New York has announced a new vaccine status program for mobile phones after partnering with IBM to develop a scannable barcode, similar to the QR codes used by airlines for boarding.

Since last year, the International Air Transport Association (IATA) has been working on an app called Travel Pass for use across its 290 member airlines, allowing laboratories and healthcare providers to send PCR test results and vaccination records that flyers can present for compliant air travel. (Source)

The U.S. CDC’s website emphasizes the importance of its centralized Immunization Information System (IIS), which includes a repository of all vaccination records for each state; according to the website, COVID-19 vaccine providers are required to report detailed information about each vaccination given at the county and state level. Personal information for vaccination recipients includes full name, date of birth, residential address, sex, race and ethnicity, in addition to the vaccine’s production information from the manufacturer, such as expiration date, dose and lot numbers, for tracing which vaccine was administered.

The CDC’s COVID-19 specific IIS includes a number of different digital information systems for tracking and managing COVID-19 vaccine data:

  • VAMS: Vaccine Administration Management System, available for vaccination providers’ use – contracted by the CDC for development by Deloitte Consulting.

  • IZ Gateway: the immunization gateway, a central cloud storage system to enable IISs, federal agencies, and private partners to connect and share immunization information.

  • VaxText: second dose reminder system that vaccine recipients can enroll with to receive SMS text message reminders for their next vaccination date based on the vaccine they received.

  • VTrckS: vaccine ordering system which includes vaccines for each provider along with associated shipping information.

  • VaccineFinder: vaccine provider lookup system to provide the contact information for vaccine providers, hours of operation, and types of vaccines available.

Many COVID vaccine clinics have decided against the CDC-endorsed VAMS administration system and instead procured commercial application alternatives such as PrepMod for mass vaccine scheduling and data administration. DarkOwl has observed some darknet users complaining about having issues using PrepMod’s system effectively, and some states are considering abandoning the PrepMod product over systemic design issues and persistent bugs.

 
Figure 9 Source: https://www.cdc.gov/vaccines/programs/iis/downloads/basics-immun-info-sys-iis-508.pdf

Given the frequency and ease at which cybercriminals are compromising commercial database systems and regularly selling or leaking millions of records of customer authentication data and financial information on the darknet, vaccination record data sets are at risk of compromise.

Large-scale databases of personally identifiable data associated with vaccine distribution, like the CDC’s IZ Gateway and VaxText systems or any number of commercial and government vaccine passport apps in circulation, will be a prominent target for darknet cyber exploitation enthusiasts in the coming months, if they are not already attempting to gain unauthorized access to such systems around the globe.


Understanding Darknet Risk to Individuals and Corporations

Risk is a word regularly used across information security circles and CISO agendas. And, in light of the recent surge of indiscriminate organizational ransomware attacks, companies are aggressively attempting to identify and mitigate any cybersecurity risk that could lead to potentially extensive financial and reputational damage, especially from a high-profile cybersecurity attack or data breach. Meanwhile, individual persons also struggle to know how concerned they should be about mitigating their own personal risk for when, not if, their sensitive personal information appears on the deep web and darknet.

In this blog, DarkOwl analysts dig into the domain of risk, taking a closer look at the threats corporations and individuals face and at how risk is calculated and mitigated. Underground digital communities within hidden and anonymous networks play an integral role in identifying the threats at play, and DarkOwl works alongside its partners to provide critical monitoring of potential markers of risk using its darknet search platform.

What is risk and what is the darknet’s role in risk calculations?

Risk is traditionally thought of as a multiplier of likelihood and severity, or consequence of outcome; however, in cybersecurity the definition is expanded to consider intention, or threat. For example, in a personal risk scenario, one’s leaked credentials (e.g. usernames, e-mail addresses and passwords) might appear in commercial data breach leaks, which poses one degree of risk, but the minute those same credentials appear in conjunction with direct malicious intent to cause financial or direct harm, their personal risk increases dramatically; DarkOwl has observed such specific targeting frequently in the darknet. The same would be true for the intention of an attack against a corporation or government organization, but this is understandably much harder to quantify.

The U.S. Department of Homeland Security (DHS) defines risk as the “potential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood and the associated consequences” such that: likelihood is defined as “the chance of something happening, whether defined, measured or estimated objectively or subjectively, or in terms of general descriptors (such as rare, unlikely, likely, almost certain), frequencies, or probabilities” and consequence is given as “the effect of an event, incident, or occurrence, including human consequence, economic consequence, mission consequence, psychological consequence.”

The DHS risk assessment model is more simply defined as a function of three variables: threat, vulnerability, and consequences, with full recognition that “these values are not equal,” as stated by DHS Secretary Chertoff in 2005. “For example, some infrastructure is quite vulnerable, but the consequences of an attack are relatively small; other infrastructure may be much less vulnerable, but the consequences of a successful attack are very high, even catastrophic.”

In organizational risk calculations, threat includes anything that can cause harm to the organization, which can extend to natural disasters (wildfires, hurricanes, and earthquakes) or even a significant hardware or backup failure that disrupts services or production; it is not exclusive to cybersecurity attacks by external malicious entities.


There are numerous interpretations, philosophies, and variations on this formula and luckily organizations are given extreme flexibility in conducting internal risk assessments by applying risk models of varying degrees of detail and complexity of threat identification and vulnerabilities – of which cybersecurity has become increasingly critical.

Threat calculations are often tied to scenarios with likelihoods of occurrence that involve an adversary’s intent, capability, and targeting. When we look at the darknet’s role in risk and threat vectors, especially when considering the risk to a company’s brand or stakeholders, malicious threat actors who conduct operations in the underground (e.g. cybercriminal organizations, nation state actors and proxies, and cyber opportunists) proactively hunt for and attempt to exploit sensitive data for personal financial gain by whatever means possible, often manipulating unpatched vulnerabilities and crafting new exploits in the wild.

DarkOwl analysts also regularly witness critical corporate and personal information actively shared across various underground digital communities in the darknet and deep web, and have categorized the types of vulnerable data at risk accordingly, delineating corporate risk from individual personal risk while recognizing that the two are intricately interrelated, since humans are one of the many risks corporate organizations must consider when calculating their cybersecurity risk. The region where corporate and individual risk overlap deserves the most critical consideration, as does the extent and volume of readily available information that threat actors can use to launch their attacks.

Likewise, the more data a threat actor has accumulated about an individual or a corporation, the greater the risk.

Figure 1: Visualizing the threat to corporations and individuals

Corporate Risk and The Darknet

The possibility of a cybersecurity attack against a corporation feeds a number of different corporate risk calculations: the loss of customer data presents a significant risk to a company’s brand, reputation and stakeholders; there is moderate risk of lost sales due to counterfeit goods offered on the darknet and direct reputational attacks on discussion forums and social media; there is direct risk via the executives and key leadership of an organization, through business e-mail compromise (BEC) phishing attacks or financial extortion through physical threats to executives’ families; and there is risk of attack via third (and fourth) party vendors and suppliers.

The consequences of an attack against a corporation can include:

  1. Unauthorized access to a corporate network

  2. Misuse of information by an authorized user

  3. Loss of access to corporate data (via deletion or encryption)

  4. Disruption of service or productivity

  5. Reputational loss and damage to brand or corporate image

The risk of unintentional data compromise

As nearly every security researcher and infosec professional would agree, the volume of organizational data leaks via unauthorized network intrusion attacks over the last twelve to eighteen months is troubling. Identity Force identified over 74 organizations across every industry segment that suffered network intrusion attacks in 2020, resulting in public reporting of sensitive PII leaked for malicious use on the deep web and darknet. From April through December 2020, DarkOwl observed 144 victim companies and non-profit organizations mentioned by the REvil ransomware criminal gang on their darknet data leak onion service, Happy Blog, so the “real” volume of compromised corporate information and customer authentication data in circulation from 2020 is likely significantly higher.

While large commercial data leaks receive press coverage, with phrases like “millions of records of user data exposed” there is an unknown number of organizations that have likely secretly dealt with a critical cybersecurity incident without ever disclosing the breach to their customers or users due to the consequences of reduced consumer confidence.

Extortion as a service is an increasingly successful sector of the underground criminal ecosystem. It involves stealing sensitive personal or corporate information and then leveraging unauthorized access to this information to force the victim to pay, essentially blackmailing the victim, in exchange for quasi-protection of their data. Threat actors utilize hacking forums and discussion boards across the deep web and darknet to explore potential vulnerabilities, sometimes expressing interest in specific industries, companies, and individuals, and finally share or sell the sensitive information they have stolen – resulting in significant reputational and/or financial loss for the victim organization.

Figure 2: Example ransomware leak site on the darknet for Ragnar Locker Group

Figure 3: Example e-mail sent to victim's customers by a ransomware group (courtesy krebsonsecurity.com)

Lately, darknet onion services hosted by cybercriminal gangs have become the key repository for data stolen and extorted from victim networks via ransomware attacks.

DarkOwl has documented over two dozen unique ransomware-specific onion services used for public release of information about victims who do not pay the demanded ransom. Some ransomware groups even mock their victims with terms like “Wall of Shame” to taunt companies that attempt to avoid public disclosure of their compromise and data leak. Brian Krebs reported that the REvil ransomware gang started e-mailing customers of its victims to increase the pressure on the victim organization to pay the demanded ransom.

Notably, a reader of Krebs’s report commented on the poor optics of receiving the criminals’ notification e-mail three months after the victim’s third party had already told its customers about the attack at the end of December 2020.

Figure 4: Source: https://krebsonsecurity.com/2021/04/ransom-gangs-e-mailing-victim-customers-for-leverage/

Counterfeiting risk is brand risk

The darknet is home to a lesser-known segment of corporate brand risk: offers of counterfeit goods on darknet markets. DarkOwl has historical captures of illegal ticket sales for the MLB and NFL and counterfeit sports memorabilia for sale on darknet markets, as well as offers of counterfeit merchandise from luxury brands such as Rolex and Gucci. The sale of counterfeit physical goods is a persistent and viable market in the underground economy.

Figure 5: Darknet marketplace advertisement for counterfeit Rolex watch for $4500 USD.

Executives and key leaderships are critical targets

Some criminals use traditional open-source intelligence (OSINT) techniques to uncover the names, e-mail addresses and family relationships of an organization’s executives and key leadership, then conduct targeted phishing campaigns via e-mail, SMS, or traditional in-person and telephone-based social engineering to gain malicious access to the corporate victim’s network.

Popularly targeted executives include Facebook’s Mark Zuckerberg, Amazon’s Jeff Bezos and Twitter’s Jack Dorsey, who often appear on the darknet in public “dox.” To dox (the word is both verb and noun) is to publicly name a person or publish their private information, especially as a way of punishing the person or getting revenge; the dox is the personal information so published. The emergence of such dox across anonymous networks and criminal communication platforms increases the overall risk to a company and to those individuals, as the threat, i.e. the intention to attack, increases significantly with the mention alone.

Figure 6: Source DarkOwl Vision (DocID: 585815b7bd0913ae4275f61c633ff3d107770e50)

Vendors and other third parties increase risk

As witnessed by the massive SolarWinds supply chain attack last year, nation-state actors and cybercriminals are increasingly sophisticated and opportunistic, seeking to exploit third- and fourth-party suppliers and vendors to cause harm to the victim organization. Third parties include any unit an organization works with, including but not limited to vendors such as suppliers and manufacturers, partners, affiliates, distributors, resellers, and agents. Third parties may have access to information such as corporate sensitive data, financial data, contract terms and pricing, strategic planning data, intellectual property, credential data, personally identifiable information (PII) of customers and employees, and protected health information (PHI), and can unknowingly contribute to a threat actor gaining unauthorized access to a corporate network. Today, organizations should consider investing in a comprehensive third-party risk management program, as discussed extensively in a recent report by UpGuard.

While it is not always overtly clear who or what organization a threat actor intends as their next target, monitoring the darknet and deep web for mentions of a company’s name, along with the names of its executives and key leadership and network information such as domains, e-mail and IP addresses, can be a helpful marker for quantifying the potential threat or intent of harm against an organization. DarkOwl’s DARKINT Exposure Scores are one of many quantifiable metrics a corporation can use to measure and understand its business risk. Scores can also be used for self-risk assessments, brand monitoring and vendor risk management.

Last summer, DarkOwl evaluated an assortment of industry sectors using its DARKINT Exposure Scoring system across hundreds of companies, classified as small, medium, and large, for mentions of their website and e-mail domains. Not surprisingly, Colleges & Universities had the largest scores, with Insurance and Hospital & Health following closely behind.

The Software Development sector had the smallest percentage of companies with no exposure, i.e. a greater volume of compromise, while Hospitals & Healthcare and Grocery Stores had the highest percentage of companies with no exposure. The raw data on which companies were included in the research, and the statistical analysis, are available for discussion upon request.


Individual Risk and the Darknet

With the recent news of Facebook’s exposure of over 530 million users’ e-mail addresses and phone numbers, it seems as though nearly everyone has some extent of their personal information exposed and often actively traded and sold in the underground. Threats to individuals appearing on the deep web and darknet are actually more extensive than account credentials alone. DarkOwl has observed several criminals who specialize in the trade of other critical PII such as national identification numbers, mailing and billing addresses, dates of birth, social media profiles, and, even more concerning, financial data like bank account numbers and credit and debit card numbers along with their card verification values (CVVs), expiration dates and personal identification numbers (PINs).

Individuals are at risk of social engineering

Personal individual risk increases with the extent of the information exposed and with where and how it has been distributed. Cybercriminals are increasingly creative in their techniques to gain access to this illicit information, using astute social engineering and mass phishing campaigns. Criminals actively seek to obtain the sensitive personal information needed for a financial institution’s security verification process, such as one’s mother’s maiden name, historical residence and billing addresses, and answers to key security questions. This is sometimes obtained through links to phishing websites or “fake” copies of popular commercial websites with username and password login forms, sent out through “SMS bomb” or spam e-mail phishing attacks. A popular technique, discussed openly and with methods traded in underground forums, is sending out fake mobile phone notifications. Spammers text delivery notices via SMS, purportedly from companies like DHL or UPS, with a link to a phishing URL (often a shortened URL, e.g. “bit.ly”). The page behind the link is designed to harvest the victim’s mobile IP address, IMEI number, mobile phone model and software version, along with any sensitive personal information the victim inputs while searching for the non-existent package. The Federal Trade Commission (FTC) issued advisories early last year on how to recognize a widely distributed FedEx scam via SMS text message, and in February researchers reported that over 10,000 Microsoft users were targeted by a FedEx phishing campaign that was not detected by Exchange Online Protection (EOP) or Microsoft Defender for Office 365.
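The delivery-notice lure above has a recognizable shape: a courier brand name, urgency wording, and a link that either runs through a URL shortener or points at a domain the brand does not own. The following is an added example, not code from the original page or from DarkOwl, of a small scoring rule that flags such messages. The sample messages, the shortener list, the brand-to-domain table and the score weights are all constructed for illustration; a production rule would load the lists from a threat-intelligence feed and tune the weights against real traffic.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample messages written to mirror the delivery-notice lure
# described above; none of them is a real capture.
SAMPLE_SMS = [
    "DHL: your parcel could not be delivered. Reschedule here: https://bit.ly/3xYzAbc",
    "UPS: package 1Z999 is waiting. Confirm the delivery fee: http://ups-delivery-update.xyz/track",
    "Hey, are we still on for lunch tomorrow?",
    "Your FedEx shipment is on its way. Track it at https://www.fedex.com/fedextrack/",
]

# Assumed lists; a real deployment would source these from threat-intel feeds.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly", "rb.gy"}
LURE_BRANDS = {"dhl": {"dhl.com"}, "ups": {"ups.com"}, "fedex": {"fedex.com"}}
URGENCY_PHRASES = ("could not be delivered", "reschedule", "confirm", "fee", "waiting")

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)
# Word boundaries keep "ups" from matching inside words like "groups".
BRAND_RE = re.compile(r"\b(" + "|".join(LURE_BRANDS) + r")\b", re.IGNORECASE)


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points, why):
        self.score += points
        self.reasons.append(why)


def registered_domain(host):
    """Crude eTLD+1 (last two labels); adequate for the lists above."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def score_sms(text):
    """Score one message; a higher score means more likely a smishing lure."""
    verdict = Verdict()
    lowered = text.lower()
    brands = {m.lower() for m in BRAND_RE.findall(text)}
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        domain = registered_domain(host)
        if domain in SHORTENERS:
            verdict.add(3, f"shortened URL via {domain}")
        for brand in brands:
            # Brand named in the text but the link leaves the brand's domain.
            if domain not in LURE_BRANDS[brand]:
                verdict.add(3, f"{brand} lure but link goes to {domain}")
        if url.lower().startswith("http://"):
            verdict.add(1, "plaintext http link")
    if brands and any(p in lowered for p in URGENCY_PHRASES):
        verdict.add(2, "delivery brand plus urgency wording")
    return verdict


def is_suspicious(text, threshold=4):
    """Assumed cut-off: a shortener alone (3) is not enough, shortener plus urgency is."""
    return score_sms(text).score >= threshold


if __name__ == "__main__":
    for msg in SAMPLE_SMS:
        v = score_sms(msg)
        label = "SUSPICIOUS" if v.score >= 4 else "ok"
        print(f"{v.score:2d} {label:10s} {msg[:60]}  {v.reasons}")
```

The genuine FedEx message scores zero because its link resolves to the brand's own registered domain; the two lures score on the link alone, which is the point: the text of a smishing message can be made arbitrarily convincing, but the destination domain is the one thing the attacker cannot borrow.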

The risk of password reuse and credential stuffing

Credential stuffing is a widespread technique cybercriminals use to test whether historically exposed e-mail address and password combinations are still valid logins across multiple commercial websites. For example, many victims exposed by the MyFitnessPal data breach may have changed the password on their compromised account, innocently thinking they had protected themselves; however, if the victim continued to use the same e-mail address and password combination from MyFitnessPal to shop on Nike’s website for fitness equipment, that account remained exposed.

Opportunistic cybercriminals automate the testing of large ‘combo lists’ of compromised e-mail addresses and passwords against commercial websites, and once an authentication succeeds they readily steal the PII and financial information, often saved, on the e-commerce platform’s user profile. Last week, the largest combination list of all time, known as COMB or Compilation of Many Breaches and consisting of over 3.2 billion e-mail addresses and cleartext passwords from data breaches going back as far as 2012, was shared on a darknet hacker forum.
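A combo list like COMB is only useful to a defender if it can be consulted without handing out the very passwords it contains. The following is an added example, not code from the original page or from DarkOwl, showing the two defensive uses of such a list: a corporate check for which of its users appear at all, and a breached-password lookup modelled on the k-anonymity range query that Have I Been Pwned's Pwned Passwords service uses (the client sends only the first five hex characters of the SHA-1 and matches the suffix locally). The combo list here is constructed in the usual `email:password` layout; its entries are made up and the in-memory index stands in for the lookup service.

```python
import hashlib

# Constructed sample combo list in the "email:password" layout such
# compilations usually use; the entries are made up, not from any real leak.
COMBO_LIST = """\
alice@example.com:Summer2019!
bob@example.com:password123
carol@example.com:Summer2019!
this line has no separator and is skipped
dave@acme.example:hunter2
"""


def parse_combo_list(text):
    """Return (email, password) pairs, skipping lines that do not fit the layout.
    Only the first colon splits, so passwords containing ':' survive intact."""
    pairs = []
    for line in text.splitlines():
        email, sep, password = line.partition(":")
        email = email.strip().lower()
        if not sep or "@" not in email or not password:
            continue
        pairs.append((email, password))
    return pairs


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(pairs):
    """Service side: bucket every password by the first five hex characters of
    its SHA-1, keeping only the remaining 35-character suffix and a count."""
    index = {}
    for _, password in pairs:
        digest = sha1_hex(password)
        bucket = index.setdefault(digest[:5], {})
        bucket[digest[5:]] = bucket.get(digest[5:], 0) + 1
    return index


def range_query(index, prefix):
    """What the lookup endpoint returns: every suffix in the bucket. The caller
    never sends more than five hex characters, so the full hash stays local."""
    return dict(index.get(prefix.upper(), {}))


def password_breach_count(index, password):
    """Client side: hash locally, query by prefix, match the suffix locally."""
    digest = sha1_hex(password)
    return range_query(index, digest[:5]).get(digest[5:], 0)


def exposed_accounts(pairs, corporate_domain):
    """Corporate side: which of our users appear in the list at all, i.e. the
    accounts to force a password reset on before the stuffing bots arrive."""
    return sorted({e for e, _ in pairs if e.endswith("@" + corporate_domain)})


if __name__ == "__main__":
    pairs = parse_combo_list(COMBO_LIST)
    index = build_range_index(pairs)
    print("example.com accounts in the list:", exposed_accounts(pairs, "example.com"))
    for candidate in ("Summer2019!", "correct horse battery staple"):
        print(candidate, "seen", password_breach_count(index, candidate), "times")
```

Because the service only ever sees a five-character prefix, the same bucket covers many unrelated passwords, and the password actually being checked never leaves the client. A signup or password-change form that rejects any candidate with a non-zero count removes the reuse that credential stuffing depends on.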

Figure 7: Advertisement for a breach compilation

Circling back to the overlap between individual and corporate risk, credential stuffing using malicious software and botnets affects not only the individuals but also the commercial organizations whose user accounts are surreptitiously accessed, as many immediately assume access was achieved through vulnerabilities in the commercial service provider’s technical configuration rather than a simple credential stuffing attack conducted en masse. The uncertainty potentially erodes consumer and stakeholder confidence, which warrants that commercial organizations consider credential stuffing in their internal security frameworks and corporate risk assessments as well.
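The distinguishing feature of stuffing, as opposed to a user mistyping their own password, is many different usernames from one source in a short window with almost every attempt failing. The following is an added example, not code from the original page or from DarkOwl, of a detector that applies that rule to authentication logs and lists the accounts that did succeed from a flagged source, since those are the probable takeovers. The log lines are constructed, the four-field layout is assumed, and the window and threshold values are assumed starting points to be tuned on real traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login events (not from any real system):
# timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2021-04-20T10:00:01Z 203.0.113.7 alice@example.com FAIL
2021-04-20T10:00:02Z 203.0.113.7 bob@example.com FAIL
2021-04-20T10:00:03Z 203.0.113.7 carol@example.com OK
2021-04-20T10:00:04Z 203.0.113.7 dave@example.com FAIL
2021-04-20T10:00:05Z 203.0.113.7 erin@example.com FAIL
2021-04-20T10:00:06Z 203.0.113.7 frank@example.com FAIL
2021-04-20T10:00:07Z 203.0.113.7 grace@example.com FAIL
2021-04-20T10:00:08Z 203.0.113.7 heidi@example.com FAIL
2021-04-20T10:01:00Z 198.51.100.2 alice@example.com FAIL
2021-04-20T10:01:20Z 198.51.100.2 alice@example.com FAIL
2021-04-20T10:01:45Z 198.51.100.2 alice@example.com OK
2021-04-20T10:02:00Z 192.0.2.9 ivan@example.com FAIL
2021-04-20T10:02:05Z 192.0.2.9 judy@example.com FAIL
2021-04-20T10:02:09Z 192.0.2.9 mallory@example.com FAIL
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_events(text):
    """Parse log lines into (time, ip, user, success) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, outcome = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user.lower(), outcome == "OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=10), min_users=5, min_fail_ratio=0.8):
    """Flag source IPs that, within `window`, try at least `min_users` distinct
    accounts with a failure ratio of at least `min_fail_ratio`.
    The defaults are assumed starting points, not measured values."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    findings = {}
    for ip, rows in by_ip.items():
        start = 0
        for end in range(len(rows)):
            # Slide the window: drop attempts older than `window` before rows[end].
            while rows[end][0] - rows[start][0] > window:
                start += 1
            chunk = rows[start:end + 1]
            users = {u for _, u, _ in chunk}
            fails = sum(1 for _, _, ok in chunk if not ok)
            if len(users) >= min_users and fails / len(chunk) >= min_fail_ratio:
                findings[ip] = {
                    "attempts": len(rows),
                    "distinct_users": len({u for _, u, _ in rows}),
                    # Every success from a flagged source is a probable account takeover.
                    "compromised": sorted({u for _, u, ok in rows if ok}),
                }
                break
    return findings


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_events(SAMPLE_LOG)).items():
        print(ip, info)
```

The second source (one user failing twice and then succeeding) and the third (three accounts, below the distinct-user threshold) are left alone; only 203.0.113.7 is flagged, and carol@example.com is reported for a forced reset and session revocation. In practice the rule should also key on anything else the bots hold constant, such as user-agent or TLS fingerprint, since a stuffing campaign will rotate source IPs across a botnet far faster than it rotates its tooling.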

The risk of identity theft and financial fraud

While a personal e-mail address or password leak is easily mitigated by using complex, unique passwords and a password manager, the greatest threat to an individual is financial fraud and/or personal identity theft.

Aggregated compromised personal data about an individual, referred to by underground actors as “fullz,” and sometimes augmented with data gathered by criminals who have attacked insurance, mortgage, and credit agencies, can be assumed with very strong likelihood to be used in some attempt to defraud a program for monetary gain or to steal an identity, as witnessed with the large-scale pandemic unemployment assistance fraud conducted over the last year.

Individual risk calculations

Ultimately, what does the fact that any of your personally identifiable information is on the darknet really mean? Your level of concern should be directly correlated to your individual risk, and calculating individual risk from information exposed on the darknet involves not only the location and volume of credentials and PII exposed but also a factor of time: how long the information has been available and the likelihood of exploitation by a malicious actor. Of course, this likelihood increases immediately once there is direct intent and targeting of the person, either individually or in conjunction with a campaign against a corporation, regardless of what types or volume of personal data is already accessible.

  • E-mail address and password leaks: Individual risk rises with the sensitivity of the website where the credentials have been used, e.g. a banking application or health portal. Individuals can mitigate risk by using unique, complex passwords and password managers.

  • Personal financial data like credit and debit cards: Individual risk is higher if the card is still in use. Most banks have fraud prevention and do not hold the cardholder responsible for illegal purchases with stolen credit and debit card data.

  • Identity verification information: Individual risk increases with the amount of sensitive data accessible to a threat actor. For example, if a bank account number is obtained along with the full name of the account holder, their residential address, and other key identity verification information such as their mother’s maiden name, the name of their first dog, and their secondary school mascot, then a threat actor has enough information to impersonate them and take control of the account. Compromise can be mitigated by visiting the bank in person with a form of identification (passport or driver’s license), closing the compromised account, and opening a new one.

Only an individual can ascertain the degree of personal cybersecurity risk they are comfortable with, given the types of information they have shared publicly and the value they place on their personal information, their individual brand, and their digital reputation. In a hyper-connected society that is increasingly reliant on networked digital information systems to function, everyone’s exposure and subsequent risk is increasing to some extent. For some individuals this risk grows gradually; for others, exponentially.

It’s Risky Business Regardless

Threats posed to individuals and corporations from the darknet, where sensitive corporate or personal information is leaked by cybercriminals, are diverse. Criminals employ increasingly sophisticated social engineering and technical attack vectors to pilfer information that could lead to full identity theft for an individual or corporate extortion with multi-billion ransom demands.

What’s more, attack vectors and vulnerabilities are rapidly evolving. With the now global acceptance of Bitcoin, and companies like Tesla accepting Bitcoin payments for their vehicles, cryptocurrency addresses for individuals and companies will soon have to be considered in this model and protected accordingly, if they are not already being targeted for man-in-the-middle attacks. The deep web, anonymous networks, and various chat platforms will continue to be home for trading these commodities of data, and DarkOwl will continue to assist its clients and partners by providing the most comprehensive darknet database necessary for critical monitoring of potential markers of cybersecurity risk to corporations and individuals.

Copyright © 2024 DarkOwl, LLC All rights reserved.