Tor v2 Deprecation Shifts Darknet Landscape

DarkOwl has unprecedented coverage of data from prominent darknets including Tor (or The Onion Router), which is widely considered to be the most well-known and popular darknet. In order to maintain collecting content from darknets such as Tor, our engineers continually monitor technological changes and advances in hidden services networks. In doing so, we often have unique insight in to the shifting landscape of the dark web.

Tor project announces domain name scheme shift

Last summer, the Tor Project announced that in October it would be ending support for its legacy v2 domain naming scheme, and began encouraging darknet administrators to start migrating their hidden darknet websites – known as onion services – to the more secure v3 address scheme. For non-technical users of the Tor anonymous network, this seems inconsequential nor applicable to them, except Tor’s onion service addressing nomenclature – designated as v2 versus v3 – is the primary mechanism by which services hosted on the network are accessed.

Maintaining persistent access and knowledge of this darknet landscape is critical to provide continuous coverage of data from the dark web.

When the projected time of the cutover came in mid-October, Tor services were not immediately “shut off” and inaccessible as expected. Tor project removed v2 introduction points with Tor version 0.4.6, but the effects are only realized for relay operators that updated their node with the latest software version.

Within that month, Tor Project did update the Tor Browser to version 10.5.10 disabling v2 and rendering v2 onion services unavailable. However, DarkOwl discovered depreciated v2 onion services are still accessible with legacy browser client executables. Then, just this week, Tor Project released Tor Browser 11.0.1 which includes additional features like a blockchain explorer.

Now that v2 onion services are no longer supported by the Tor Project, DarkOwl estimates a decrease of 62% of known onion services across the Tor network.

Screen Shot 2021-10-16 at 4.28.55 PM.png

In the last year, many onion services providers on Tor have published both a v2 and v3 address, which replicates their website content on both address types to ease the transition and “mirror” the content accordingly, thereby minimizing content loss. Read below for more details on the evolution of the different onion service address types and why v3 addresses are preferred.

How Many Tor v3 Onions Have Emerged?

DarkOwl maintains one of the largest databases of Tor darknet content, including historical and “deep” darknet records. DarkOwl’s crawlers monitor the Tor network for mentions of Tor onion services and schedules new v3 addresses discovered for crawling and indexes the content into its searchable Vision SaaS platform for its clients to access.

Due to the nature of the network and its privacy focused topology, it is impossible to quantify the real number of services operating on the network at any given time. V2 onion descriptor information is stored in plain text in the hidden service directory (HSDir) and at one time, provided some indication of the volume of services available, but such information is not available for v3 services.

In fact, according to Tor Project metrics, there could be upwards of 600,000 v3 onion services active in the network, but that number is extrapolated from relays operating as onion-service directories.

A recent technical blog on v3 onion services suggests many of the v3 services are “barely used” – or setup to merely act as slave services for a malicious botnet.

In the last six weeks, DarkOwl’s Vision platform has observed an average of 104,095 active .onion services across both address schemes of which: 62% are v2 addresses and 38% are v3 addresses.

These numbers are determined by a daily snapshot of DarkOwl’s collection stack seeded by DarkOwl’s network intelligence gleaned by crawling the network 24/7 since 2016. These numbers are not reflective of the true total number of onion services active in the network on any given day.

DarkOwl analysts also noted that during the month of July 2021, when the option to create new v2 onion services was removed from the codebase by Tor Project, DarkOwl Vision witnessed a surge in new v3 addresses and identified 2963 new v3 onions in the last two weeks of July alone.

Figure 1: Average Number of Onion Services Online According to DarkOwl’s Database

Tor Users Respond

Most Tor onion service providers have embraced the network address deprecation and encouraged its visitors to add their new v3 address to their browser bookmarks.

Some darknet website administrators assumed the v2 onion services were inaccessible back in July and disabled all their v2 addresses when the Tor Project simply disabled the creation of new services in the 0.4.6. release last summer.

Figure 1 Tor Onion Service Provider’s Depreciation Announcement on I2P. Source DarkOwl Vision Document

Figure 2: Tor Onion Service Provider’s Depreciation Announcement on I2P. Source DarkOwl Vision Document

Other users are skeptical of the shift, especially those that firsthand experienced multiple concerted v3 onion service outages in January. All v3 onion services were offline for more than 3 hours at a time when the consensus health check failed, due to excessive traffic directed at the directory authorities – possibly due to uncontrolled DDoS between darknet markets.

According to the Tor Project, the implementation bug was fixed in the July 0.4.6 release to default to a “reasonably live” version of the consensus health when a “live” consensus is unavailable.

Figure 2 Source DarkOwl Vision Document about v3 domain outage due to consensus health

Figure 3: Source DarkOwl Vision Document about v3 onion service outage due to consensus health

History of Tor & Decentralized Network Security

The original purpose of the “The Onion Router” (Tor) protocol was to provide US government intelligence operatives in the field secure communications without compromising their digital or physical location. In 1996, the first “0th generation” onion router (OR) was setup as an experiment in encrypted network topography in a virtual environment on a single computer. Because it included export-restricted technology, the “1st Generation” Tor was developed and successful in its mission of providing a concealed internet for the US government for several years. By the year 2000, the “1st generation” Tor had reportedly served upwards of 5 million network accesses a day. In 2003, the “2nd Generation” Tor came along with network improvements, hence where the term “onion v2” originates. DarkOwl Vision Users Can Read More in DocID – f4dafdd81bd9dac95d017a84d4c39d1c71f7dd5f

In 2006, when the US Naval Research Laboratories handed over Tor to a group of volunteers at the Tor Project, the network’s purpose was to provide a decentralized, censorship resistant platform for users to communicate and share information.

The Tor platform quickly became a haven for criminal activity, facilitating anonymous communication across underground digital communities and forums, elaborate drug marketplaces, child pornography and human trafficking. Consequently, deanonymizing onion services hosting criminal content has been a focus of many three-letter acronyms government and law-enforcement (LE) agencies around the world. Academic researchers and computer network science experts have received numerous grants and government funding to extensively study deanonymization attack methodologies and many journal publications exist.

Over the years, DarkOwl has witnessed successful deanonymization through various techniques including rendezvous point circuits (a.k.a. the cookie attack), time-correlation attacks, distributed denial of service attacks, which often force a criminal onion service to a LE-controlled guard node, (a.k.a. sniper attack), and circuit fingerprinting attacks.

Tor Project states that v3 onion service addressing is secure against enumeration attacks as well as other attacks that aren’t related to keys.

  • An adversary who runs a relay on the Tor network can slowly learn a list of all the v2 onion services, via the v2 HSDir system.
  • An adversary who can factor 1024-bit RSA keys can impersonate a v2 onion service.
  • An adversary who can generate around 2^40 RSA keys can expect to generate two that correspond to the same onion address (a collision attack).

Earlier this year, German researchers published a TLS traffic analysis attack methodology, demonstrating 100% successful Tor onion service deanonymization in 12.5 days or less.

Tor v2 versus v3

Tor onion service addresses are intentionally not memorable, relying on a random string of non-mnemonic characters and numbers followed by the “.onion” top level domain (TLD). This string is automatically generated when the onion service is originally configured using a public key.

V3 onion service addresses are discernible by their lengthy 56-character address, e.g. Tor Project’s v3 address looks like: http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid[.]onion, where its v2 address is 16-characters: http://expyuzz4wqqyqhjn[.]onion.

The 16-character v2 address hashes represent an 80-bit number in base32 that contains the RSA public key of the onion service, where the v3 is 256-bit representation of its Elliptical Curve Cryptography (ECC) public key. Therefore, the onion service address is essentially a cryptographic representation of the originating domain’s information and a principal justification for network administrators encouraging exclusively using a more secure form of addressing.

The v3 address utilizes SHA3/ed25519/curve25519 cryptography which is considerably more secure than v2’s SHA1/DH/RSA1024 address encryption. The v2 addresses have been the standard for 15 years and the network overdue for a more secure mechanism to become standard.

The Tor Project announced it would be deprecating the v2 address format in July 2020 and outlined a specific timeline of the depreciation process, first removing the option to create new v2 onion services earlier this year and and releasing a new network client and browser in October that rendered v2 onion services inaccessible.

1. September 15th, 2020

0.4.4.x: Tor will start warning onion service operators and clients that v2 is deprecated and will be obsolete in version 0.4.6.

2. July 15th, 2021

0.4.6.x: Tor will no longer support v2 and support will be removed from the code base.

3. October 15th, 2021

Release Tor client stable versions for all supported series that will disable v2 entirely.

Tor Development Continues and v2 [WARN]

In July, Tor Browser began displaying a “deprecated soon” warning message every time a v2 onion service was accessed. Since mid-October, instead of the warning page, the Tor Browser client logs records numerous [WARN] messages when the client accesses a legacy v2 onion service, despite displaying the website contents in the browser.

Figure 3 Depreciation Warning Notification on all v2 Onion Services from July 2021 onward

Figure 4: Deprecation Warning Notification on all v2 Onion Services from July 2021 onward

According to the developer’s comments on the Tor Project’s Github, eliminating v2 from the Tor network involves:

o   Modifying HSDir to stop accepting or serving v2 descriptors

o   Introduction points will stop allowing introductions for v2.

o   Refusing the TAP connection from the service side for rendezvous points.

Figure 5: Tor Browser Application Logs Warning of Depreciated Onion Service Connection. Tested with TBB version 10.5.8.

These changes were scheduled to be released with version 0.3.5.x-final, but the actual release date of that update is unclear and no due date specified. Even though the introduction points no longer allow for v2 onion service address introductions, the effects of this will not actually be realized until every relay operator updates to the latest version of the Tor executable with these latest changes.

In early October, Tor Developer David Goulet edited Tor Project issue #40476 removing the 3rd bullet above stating:

“I decided to NOT remove the Rendezvous code path for TAP connections as it would create more complexity to the patch for which I'm trying to keep minimal.” - David Goulet, Tor Developer

Goulet merged the ticket with the disable SOCKS connections for v2 addresses in mid-October and closed the ticket.

Interestingly, in version tor-0.4.7.2-alpha, last modified less than a month ago, developer release notes focus on a new consensus method for v3 network congestion control and closes ticket #40476 by returning “bad hostname” for v2 onion service addresses.

Onion service v2 addresses are now not recognized anymore by tor meaning a bad hostname is returned when attempting to pass it on a SOCKS connection. No more deprecation log is emitted client side. Closes ticket 40476.

As of October 26th, Tor source code version 0.4.7.8 was available for download from the Tor Project and appears to incorporate all the changes mentioned above. One minor difference our analysts noted that the changelog states, “Send back the extended SOCKS error 0xF6 (Onion Service Invalid Address) for a v2 onion address” instead of “bad hostname.”

And v4 is already here

In 2019, rumors of a v4 onion service address emerged and many Tor onion service network administrators supposedly already mirror their content on v4 addresses.

The v4 onion services reportedly uses less CPU computational activity and subsequently less electricity to reduce e-pollution. There is allegedly also additional error handling, improved bootstrap reporting, and support for adaptive circuit padding to prevent time-based deanonymization attacks.

DarkOwl has not observed any v4 addresses in the network, nor has Tor Project released any documentation about v4 addresses for confirmation or analysis.


 Curious about something you’ve read? Contact us to learn how darknet data applies to your use case

Conti Responds to REvil Take Down

DarkOwl regularly monitors the services hosted by ransomware-as-a-service (RaaS) operators and recently discovered the Conti group posted public remarks about a recent Reuter’s article detailing US Government’s collective actions to take down the REvil ransomware group.

“Announcement. ReviLives.”

"Own opinion. As a team, we always look at the work of our colleagues in the art of pen-testing, corporate data security, information systems, and network security. We rejoice at their successes and support them in their hardships. 
Therefore, we would like to comment on yesterday's important announcement by the US law enforcement about the attack on the REvil group.   
We want to remark the following:   
First, an attack against some servers, which the US security attributes to REvil, is another reminder of what we all know: the unilateral, extraterritorial, and bandit-mugging behavior of the United States in world affairs.  
However, the fact that it became a norm does not presume that it should be treated like one. Unlike our dearest journalist friends from the Twitter brothel, who will sell their own mother for a bone from bankers or politicians, we have the guts to name things as they are. We have a conscience, as well as anonymity, while our skills allow us to say something that many "allied" governments are afraid of saying:   
With all the endless talks in your media about "ransomware-is-bad," we would like to point out the biggest ransomware group of all time: your Federal Government. There is no glory in this REvil attack. First, because REvil has been dead in any case, but secondly, because the United States government acted as a simple street mugger while kicking a dead body. Let's break it down point by point. There was an extraterritorial attack against some infrastructure in some countries.    
1. Is there a law, even an American one, even a local one in any county of any of the 50 states, that legitimize such indiscriminate offensive action? Is server hacking suddenly legal in the United States or in any of the US jurisdictions? If yes, please provide us with a link.   
2. Suppose there is such an outrageous law that allows you to hack servers in a foreign country. How legal is this from the point of view of the country whose servers were attacked? Infrastructure is not flying there in space or floating in neutral waters. It is a part of someone's sovereignty.   
3. The statement mentions a multinational operation but does not name specific countries that participated in the cyber strike. We seem to know why; see next point.   
4. Most countries, the US included, perceive critical cyber strikes against their territory as a casus belli. You think anybody will be fine if Taliban conducts a misfile strike against a place in Texas to "disrupt an operation" of what Afghanistan considered a "criminal" group?   
5. When the special forces arrive at a hostage scene, they at least make sure that there are hostages there (at least, this is how it used to be). How did you know who you were attacking? It could just be a reverse proxy on an unsuspecting host. How did you know who ELSE these servers are serving? How was the safety of other people's businesses, possibly people's lives, ensured?   
Just to be clear: these are all rhetorical questions. Of course.   
What happened with this attack is way more than REvil or information security. This attack is just an another drop in the ocean of blood, which started because of NSA, CIA, FBI, and another two hundred three-letter security institutions (because, you know, true democracy and liberty requires millions of people in uniform) never had to answer these questions.  
WMD in Iraq, which was "certainly there."Drone strikes on weddings because "these were terrorists."Airstrikes on hospitals and Red Cross convoys because "we thought these are hostile."Military raids within the foreign borders ended up with massacring allied soldiers.
The list is endless because those who are now enjoying the media fame from the REvil attack are vampires drunken and intoxicated by impunity and blood. 
And this is not the story about REvil, Afghanistan, or any other subject in the world because impunity does not know borders.   
No wonder, each day, we read in the news that the American police once again shot some unarmed African American, or a housewife, or a disabled person, or somebody brave enough to dared to protect their home and their family. This is your state, and it will treat you the way it drones unfortunate child-shepherd in the sands of the Maghreb or Arabia to ensure "the national security of America," so far from its shores.   
And we will be reminding you of this constantly. And yes, despites the popular opinion of the social media hobos, we can and WILL talk ethically as any other people. (Somebody, please put an Obama meme here).   
We wish the people of America to resume control over your country as soon as possible and expel these fat, degraded bankers and become again the great FREE nation that we remember and love. We wish our retired colleagues from REvil have a lot of fun with their honestly earned money.  
Sincerely yours, 
Conti's team"

Biden and Putin pictured meeting at the Geneva Summit on June 16, courtesy of Getty Images. Read more about how Biden called Putin the Friday before the first takedown of the REvil group in July.

Since Conti posted their letter to the public on October 22, 2021, the team have published announcements for 19 new ransomware victims including a medical billing company.

“Page Not Found”: REvil Darknet Services Offline After Attack Last Weekend

Last weekend, REvil’s “Happy Blog” went offline for the second time in less than six months. Instead of the blog Tor service simply not responding to an HTTP request, the page instead displayed the default 404 error displayed by the nginx webserver. According to a REvil representative the ransomware-as-a-service (RaaS) organization’s Tor domain was “hijacked” using the private keys of the domain held by REvil’s previously public-face “Unknown” (who also operates as “UNKN”).

DarkOwl reviewed the group’s history and latest posts about the hijacking and determined that since returning, REvil’s reputation was in jeopardy and many darknet users and RaaS community members suspected the group had been compromised by the FBI.

“This Page Is Not Found”

Last weekend, Tor users anticipating to connect to the legendary Happy Blog hosted by the infamous REvil RaaS gang, received the default 04 error page for nginx webservers on Fedora, indicating the Tor onion services run by the REvil operation were compromised and corrupted instead of simply taken offline by disconnecting the servers from the network.

The page read:

"nginx error! The page you are looking for is not found. Website Administrator Something has triggered missing webpage on your website. This is the default 404 error page for nginx that is distributed with Fedora. It is located /usr/share/nginx/html/404.html You should customize this error page for your own site or edit the error_page directive in the nginx configuration file /etc/nginx/nginx.conf."

An Insider Job?

In a post titled, “У REvil угнали домены” [Translated: REvil’s domains were stolen”], REvil’s current spokesperson – the persona behind the moniker 0_neday on the darknet underground forum XSS – stated the server had compromised using UNKN’s (a.k.a. Unknown and REvil’s previous representative) private Tor service keys. “To be precise they deleted the path to my hidden service in the torrc file and raised their own so I would go there”.

0_neday went on to further state that the group presumed Unknown had “died” earlier in the summer, when the group went offline in mid-July shortly after the Kaseya supply chain attack successfully encrypted thousands of networks when its ransomware spread through a software auto-update.

There are a number of conflicting theories why REvil disappeared less than a month later.

REvil’s Mysterious Disappearance in July

REvil’s services mysteriously shutoff the Tuesday following a late “Friday phone-call” between US President Biden and Russian President Vladmir Putin, during which REvil and the global ransomware epidemic was reportedly a subject of their conversation. The information security community has theorized any number of reasons the services disappeared after this call:

a.   The US launched an offensive cyber campaign directly against REvil – possibly using sophisticated intelligence or USCYBERCOM resources – and brought the gang’s services offline.

b.   President Putin directed REvil to shut down their operations in response to the conversation he had directly with Biden, where Biden stated he would hold Russia responsible for aiding and abetting the threat actor’s actions on Russian soil.

c.    REvil was feeling the “heat” and international pressure after a series of high-profile attacks, some of which included US military targets. Perhaps the group’s operators voluntarily “took a break” from their ransomware operation.

d.   REvil leader, UNKN “exit scammed” emptying the gang and their affiliate’s cryptocurrency accounts and disabled their Tor services using their administrator privileges.

Reporting from the Washington Post suggested the US was not behind the July shutdown, as some had hypothesized, citing government sources. No “seizure banner” was evident when the Tor services went offline as has historically been the case when law enforcement take down darknet marketplaces. The FBI’s Director, Christopher Wray testified in front of Congress stating how they do not make decisions unilaterally but work directly with allies and other agencies on such matters. The FBI was strongly criticized for their delay in providing a universal decrpytor key for the REvil ransomware after the Kaseya attack they had allegedly obtained.

“These are complex . . . decisions, designed to create maximum impact, and that takes time in going against adversaries where we have to marshal resources not just around the country but all over the world.”

— FBI Director Testimony

The FBI provided the key to Kaseya nineteen (19) days after their networks were compromised and a week after the REvil infrastructure went dark. The key was reportedly obtained through direct access to the servers of the REvil operation.

In mid-September, BitDefender announced they had developed a “free universal decrpytor” for the REvil/Sodin ransomware strain in circulation prior to July 13th. According to BitDefender’s blog and social media posts, the decrpytor was “created in collaboration with a trusted law enforcement partner.”

This announcement was the source of many a controversial discussion across darknet malware forums.

REvil’s Return in September

According to the DarkOwl Vision darknet data records, REvil’s Happy Blog returned after their summer hiatus the first week in September 2021. Shortly after the blog was back online, new victims were quickly announced.

Surprisingly, in early October, DarkOwl analysts observed the REvil team sharing a link to RAMP – another ransomware focused forum – announcing that REvil was active on the new Groove ransomware backed forum. RAMP, hosted on a Tor domain previously owned and operated by the Babuk RaaS gang, emerged after many darknet underground forums “banned” ransomware related discussions last summer.

This behavior was noteworthy as REvil had historically not shown any affiliation with other RaaS groups, making their endorsement of RAMP unusual to many in the darknet.

Complex Cast of Characters

Unknown/UNKN

Unknown/UNKN was the original spokesperson for the REvil gang when they first branded as Sodinokibi in early 2019. They spoke with measured cadence and subtle humor. One of their last posts was early July after the Kaseya attack, where they simply shared a video of a typical older, angry Russian gentleman.

The admin from XSS banned Unknown’s forum account on July 8th, the week in between the Kaseya attack and the REvil servers were shutdown in July. It’s unclear if the justification was retribution for ransomware (as the topic was banned from the forum at that time), or the admin knew something else was awry.

In May, Unknown announced they were going to leave XSS, have limited activity on their account on exploit.in, and move their discussions to “private.”

At the time of their account ban, Unknown had 0.0022 Bitcoin in escrow on XSS.

0_neday

0_neday emerged as a representative of REvil on XSS after users evilcore and Lockbitsupp challenged the origination of the REvil decryptor key released by Bitdefendor on the public forum. They created their account earlier this month on October 5, 2021, depositing a significant amount of Bitcoin (i.e. account value of 1 BTC in escrow or approximately $50,800 USD on 10/5/2021) to legitimize their status. On October 12th, 0_neday posted on evilcore’s XSS member profile, “my boss agreed to offer you a 10% discount” suggesting 0_neday is a front for someone much more authoritative in the REvil gang. This contrasts with a claim they made a few days later that only he and Unknown had private keys to the Tor onion service domains. As of 19 October, 0_neday indicated they were leaving the forum, signing their last post with

[Translated] “Good luck everyone, I’m off.” 

evilcore

evilcore is a relatively long-time user of XSS with registration on the forum in late 2018. They claim they have no connection to any ransomware gang, but vocal in criticizing the operations of the groups, especially most recently REvil. They posted a comment to 0_neday’s thread this week about REvil’s domains getting stolen suggesting the leak of the decryption key was intentional and the entire infrastructure was merged and not compromised by Unknown as indicated, with a bit of “told you so” attitude and stark warning for users not to get fooled.

[Translated] "Ahaha)))))
fuck, I told you that they merged the entire infrastructure))))) and you didn't believe. I'm not a competitor and I don't care, they just really leaked the keys! people don't get fooled." 

evilcore have been vocal against the legitimacy of REvil since they reappeared in September and the story that supposed a REvil developer “misclicked” accidently releasing the decryptor key. In a comment on a thread titled, “Атака вымогателей на больницу привела к гибели ребенка” [Translated: “The ransomware attack on the hospital led to the death of a child”], evilcore closes with [Translated: “where is UNKN?”] after claiming the FBI likely had control of REvil’s admin panel.

[Translated] "0_neday do the rebranding:) and I can bet on 5 bits, but the point is) the conversation was about backdoor keys, I gave evidence that the backdoor key had nothing to do with it, it started about fictional gspch misklik checkout and - there it was already clear that the FBI had taken the admin panel.
Where is UNKN going???" 

The controversial October 12 thread continued with bickering between directly between 0_neday and evilcore, with LockBit’s forum representative, LockBitSupp, and forum users, 1MG, and ev4ng3liya, chiming in including critiques of REvil’s desperation to draw in affiliates with a 90/10 percent split – unheard of in the RaaS industry. evilcore eventually even accused 0_neday of being FBI.

LockBitSupp

LockBitSupp is competitive RaaS gang, LockBit 2.0’s public representative on the XSS forum. This alias is also active for the same group on another darknet forum, exploit.in and highly critical of REvil, stating they had recruited many REvil affiliates due to their lousy partner programs (PP).  On exploit, they added lengthy posts with concerns that REvil had been compromised by the FBI and that the current REvil coders and affiliates needed to be checked to verify their allegiance to the RaaS industry:

[Translated] "In connection with the above, I propose to check the coders who are now allegedly running the REvil affiliate program, for example:
- so that they somehow showed the locker source codes through the same TeamViewer or AnyDesk and made a test build from the source, providing this build to the public for reverse and comparison with old builds;
- so that the coders show the history of correspondence with the former management;
- any other evidence that will allow us to verify the coders and show that they are not undercover FBI agents.
Verification can be entrusted to any independent and authoritative people on the forums, for example, those who do reviews of malware."

They concluded their post with the realization that if the FBI has infiltrated the REvil RaaS gang or their affiliates, that the damage to the advertisers was far less than the suffering caused to “our cozy and warm community.”

REvil brand trustworthiness continues to decline

In late September, darknet forum users began expressing concerns over REvil’s unpredictable and scandalous behavior. One exploit user, Signature, claimed they had evidence that REvil had installed a “cryptobackdoor” which allowed REvil operators to take over negotiations between their affiliates and their victims, usurping ransomware payments thereby scamming money from their affiliates. It’s unclear how long this backdoor existed – some researchers state the backdoor was present for months, but removed from the September codebase.

Signature had launched a previous dispute on the forum with REvil’s UNKN in May 2021, when they claimed they had been contracted to provide network access to REvil victims, Quanta and Apex, and was never paid their 7 Million USD for the work provided. The thread resulted in a gross airing of RaaS dirty laundry to the public with private chats from qTox shared on the forum thread.

Up until last weekend, REvil had been active on the same Tor v3 domain address for over 22 months, excluding their summer vacation and active in the ransomware market since April 2019. Most RaaS groups change addresses regularly and even rebrand with new logos and aliases to maintain their operational security.

EvilCorp RaaS gang’’s representative on the XSS forum suggested REvil should have rebranded a long time ago. In the most recent thread of the REvil domain hijacking, user Krypt0n, admittedly late to the conversation, stated it was stupid for REvil to return in September to the same Tor domain address with the same keys. They added there was no way for REvil to restore their reputation and status achieved by UNKN.

Despite the fact elite hacker forum members can easily spot law enforcement and rippers, REvil’s brand is renowned and other copycat services will likely emerge in their likeness. In November last year, DarkOwl detected a non-REvil related domain advertising they were the “REvil Team” and were offering to sell Managed.com’s website hosting company’s database.

The REvil imposters included a protonmail.com e-mail address for contacting them and the domain was online for barely a month.

DarkOwl will continue to monitor this situation as it develops.


Curious about something you’ve read? Contact us to learn how darknet data applies to your use case

BULLETIN: New COVID Vaccination Certificate Scam Targets European Hospitals

DarkOwl has recently discovered a cyber-criminal group offering to hack hospitals located across the European Union (EU) to access and falsify vaccination records for willing buyers on the darknet.

In contrast to the paper-based vaccination cards that continue to be the standard across the United States, the EU recently launched a “Digital COVID Certificate” that features a mobile app for quickly verifying one’s COVID vaccination, PCR testing, or virus recovery status. The EU’s program features a QR code with a unique digital signature for each individual, to supposedly prevent falsification and facilitate free movement throughout 27 countries within the EU. Sixteen (16) non-EU countries have also been added to the digital passport scheme including Israel, Norway, Turkey, and Panama.

vax2-1.png

False digital vaccination records listed at $600 USD in bitcoin

Known simply as “xgroup,” the criminals behind this EU-centric fraud scheme claim to be able to access EU-based local hospital digital vaccination records on behalf of their darknet customers. All the process claims to require of the customer is that they submit their personal information (along with payment) so that it can then supposedly be added to their local hospital’s vaccination records database. This information is then theoretically accessible by the EU Digital Certificate application as each issuing body – such as a hospital, test center, or health authority – has its own digital signature key that communicates with the program.

COVID-19 Vaccine Hospital Database Hacking from Tor

COVID-19 Vaccine Hospital Database Hacking from Tor

Who is Xgroup?

Xgroup hosts a dedicated V3 hidden service on Tor where they advertise a range of “hacking services.” In addition to the COVID vaccination record hack, they claim to offer school grade alterations, social media account hacking, and financial debt clearing.

There is no proof of the legitimacy of xgroup’s skills. DarkOwl has captured mentions of their email address across various forums and services on Tor since July 2021, though it is unclear how long they were in operation before that. Our analysts also observed that in mid-July, xgroup were recruiting members with “social engineering skills,” and in late August they were raising donations for their next attack – including quotes from hacktivist organizations like Anonymous.

"Message for all the governments of the world. We recognize you as serious opponents, and do not expect our campaign to be completed in a short time frame. However, you will not prevail forever against the angry masses of the body politic. Your choice of methods, your hypocrisy, and the general artlessness of your organization have sounded its death knell. You have nowhere to hide because we are everywhere." - Xgroup (Sourced from DarkOwl Vision Darknet Data)

The group self-promotes their abilities to “hack social networks” and “destroy someones life” including creating financial and legal issues and spreading disinformation on social media.

Source: DarkOwl Vision Document

Source: DarkOwl Vision Document

Another COVID Scam?

DarkOwl has long observed scammers on darknet and continues to see fraudsters offer goods and services for sale, take a customer’s money, and then never deliver the purchased product. Thus it has not been surprising to see this same tactic being applied rampantly as it has throughout the pandemic, during which time we’ve seen a surge in COVID related scams for things like KN95 masks, coronavirus-infected blood, and black-market COVID vaccines

Xgroup’s fraud scheme is only applicable to European countries as the United States does not have nation-wide digital vaccine record system nor vaccination records stored at local hospitals. The scheme also explicitly refers to the EU Digital COVID Certificate program.

Given that this scheme targets EU-based customers, it is peculiar that the offer lists the address requirements using the US mailing address format and not European which require postcodes instead of zip codes, listed before the city or town, and house names and multi-lined street addresses.

This, along with the fact that the price listed in US Dollars, suggests this could very well be simply a scam originating from criminals located in the United States.

Similar Identity and COVID Vaccine Scams Offered on the Darknet

Similar Identity and COVID Vaccine Scams Offered on the Darknet

Risk to the EU Digital COVID Certification Program

The EU Digital COVID Certificate program and the idea of “digital vaccination passports” is cause of increasing controversy across the world with many claiming an invasion of health privacy, a threat to personal freedom, and opportunity for discrimination against those without ready access to vaccination centers and mobile smartphones. Similar digital vaccination records systems are in place across the US such as New York’s Excelsior Pass that queries the state’s centralized department of health records. California has a similar online portal for residents to verify their vaccination status with a QR code, called “Digital COVID-19 Vaccination Record.”

While any such digitally-based record system is susceptible to hackers or threat-actors, DarkOwl assesses the overall risk to the EU Digital COVID Certificate program is minimal. As ominous a threat as criminals offering to “hack local hospitals” may seem, we suspect there is a low probability that many darknet fraudsters are actively attempting to gain illicit access to local healthcare computer networks in order to deliver what has been advertised to their customers. In contrast, ransomware groups originating in the darknet pose a legitimate risk to hospitals and healthcare groups worldwide.


Curious about something you’ve read? Contact us to learn more about how darknet data applies to your use-case.

AlphaBay Marketplace Returns

DarkOwl’s historical archive of darknet marketplace data provides a unique opportunity to look-back and compare the AlphaBay Market that was taken down by authorities in 2017 to the features associated with this newly launched marketplace, which shares the same name and is purportedly being ran by the same circle of people.

Lookback: AlphaBay Market and Operation Bayonet Takedown

During the summer of 2017, one of the most intriguing and well-orchestrated international law enforcement efforts in history converged to take down some of the most successful darknet markets to-date. One of these, AlphaBay Market, was the most prominent and popular darknet market since the Silk Road. At its height, AlphaBay’s daily sales ranged between $600,000 and $800,000 USD across 300,000 listings for illicit goods, offered by over 40,000 vendors and viewed by some 200,000 users.

Operation Bayonet, which would ultimately lead to the shutdown of several prominent marketplaces, began with Dutch police seizing another lesser-known market called Hansa Market. After compromising Hansa, authorities secretly operated the market for almost a month. While the Dutch focussed their efforts on Hansa, United States FBI operatives coordinated with international police to DDoS AlphaBay and seize its assets, enabling the Royal Thai Police to locate and arrest its administrator, Alexander Cazes (a.k.a. alpha02).

When AlphaBay became inaccessible as a result, thousands of its buyers and vendors flocked to the then law enforcement-ran Hansa market to continue their operations. Dutch police, operating servers across the Netherlands, Lithuania, and Germany, capitalized on the eight-fold surge of users visiting the market in the weeks following. The authorities used the time to gather information on high value targets and identified delivery addresses for sizable orders, passing along 10,000 international addresses of buyers to Europol.

Seizure Banner from AlphaBay’s Demise - July 2017

Seizure Banner from AlphaBay’s Demise – July 2017

In cooperation with the FBI, the Royal Thai Police took steps to organize the extradition of the 24-year old Canadian administrator back to the United States. However, after Cazes was held for exactly a week at the Narcotics Suppression Bureau in Bangkok, reports of his apparent suicide surfaced. Bangkok vowed to conduct an autopsy, while US authorities had no interest in verifying the legitimacy of the suspect’s death.

Alexander Cazes’ criminal indictment details how the US Justice Department successfully confiscated his and his wife’s assets, including bank accounts, personal and market cryptocurrency accounts, and luxurious personal possessions in Bangkok – all by supposedly linking his online personas to his real life through a haphazardly leaked email address, [email protected].

When authorities carried out the warrant and arrest in his apartment in Bangkok, his laptop was left unencrypted and the admin account for the market and server logged in. Authorities also simultaneously executed search warrants for the market’s server hardware located in Quebec, Canada.

Images captured from Cazes’ jail cell in Bangkok, (Source)

Images captured from Cazes’ jail cell in Bangkok, (Source)

AlphaBay Organization: Key Players

Cazes did not run AlphaBay singlehandedly. They worked closely with a “security administrator” and second in command known as DeSnake, or simply “DS” for short. According to our historical darknet records, DeSnake had connections in Russia although his true identity and location was not publicly known.

In 2016, an angry user of AlphaBay known as “Kinger” stated that alpha02 had left the market in late 2015, sold his stake to DeSnake, and DeSnake was supposedly acting as admin for its final two years. Kinger’s ominous threat suggested they knew his real life identity and his citizenship was actually Dutch.

“PS: DeSnake, if you read this, we know who you are and where you reside. We know you're a Dutch guy who acts like he's Russian. Should you attempt to exit scam with AlphaBay, rest assured your dox will be posted.” - user known as "Kinger"

There were also at least half a dozen moderators that helped administer the market and its discussion forum, moderated disputes between buyers and vendors, and promoted the market on Reddit (prior to the shutdown of the DNM subreddit). The indictment from 2017 listed them individually by their monikers and many have been arrested.

Screenshot from Cazes’ Indictment Detailing AlphaBay Organization’s Staff by Moniker

Screenshot from Cazes’ Indictment Detailing AlphaBay Organization’s Staff by Moniker

The authorities were not the only ones to identify and/or attempt to uncover the key players (aka staff) at AlphaBay Market. In the spring of 2017, the Alpha Organization paid an extortionist threatening to dox alpha02 and a couple of his moderators at least $45,000 USD, although the veracity of the information the extortionist had has not been verified.

More information about potential players of FBI interest can be found in historical DarkOwl records, including one that states that the FBI “publicized a list of AlphaBay identities that they had identified, including Trappy, DeSnake, Disc0, and several other members of the Alphabay ‘team.’ From owner (DS) all the way down to public relations manager, Trappy.(Source: Document Archived in DarkOwl Vision)

As recently as last year, a California Court sentenced Brian Herrell, a Colorado native and AlphaBay moderator who operated under the moniker “Botah” to 11 years in prison for racketeering and for his connections to AlphaBay. Upon his initial arrest, reports suggested he faced up to 20 years for his involvement in the marketplace.

Prior to AlphaBay, Alexander Cazes had a reputable history on the darknet – specifically in the carding community. A senior member from the carding community Ranklez claimed he had evidence to suggest Cazes wasn’t alpha02. Ranklez and alpha02 had a history in the carding community as Ranklez sold alpha02 fullz for conducting identity theft.

For months after its shutdown, users across the darknet theorized whether all of it was an exit scam or something more elaborate and sinister. When AlphaBay’s Reddit moderator and public relations manager, Trappy was arrested, he claimed alpha02 and DeSnake were the same person. The whole saga was confusing and unsettling for many, including Cazes’ parents, who claimed the skill set of Cazes in real life (e.g. his company Canadian EBX, etc) was more in alignment with the qualities DeSnake portrayed than alpha02. (Source: DarkOwl Vision)

AlphaBay Market’s Official Return

In early August 2021, DeSnake resurfaced on Dread, the popular Reddit-like discussion forum on the darknet administrated and moderated by users, Hugbunter and Paris. Dread staff “vouched” for DeSnake to skeptical darknet users with DeSnake signing documents using their historical PGP key.

Interestingly, AlphaBay’s former moderator “Disc0” also chimed in, but using a lowercase “d” this time.

Subdreadit for the Marketplace on the Darknet Forum, Dread - 2021

Subdreadit for the Marketplace on the Darknet Forum, Dread – 2021

DeSnake promoted the return of the infamous AlphaBay marketplace with services hosted on both Tor and I2P – including detailed instructions and encouragement for users to explore the market on the peer-to-peer network instead of Tor, calling their Tor services “mirrors” of the main market on I2P.

The new AlphaBay market’s Tor service has been unstable since its launch, with frequent 503 errors, user registration issues, and login timeouts. The I2P eepsite also rarely successfully loads. After almost two months of operation, the market has a handful of vendors, with only a couple of hundred listings across drugs and fraud goods. DeSnake claims there have been 15,000 user accounts created, 450 vendors registered, and over 400 listings published as of the time of writing.

The service on Tor appears to be hosted alongside Dread services and features both the Dread waiting queue and clock-captcha for DDoS protection. The marketplace was offline last week, when Dread and its sister services were under heavy DDoS and inaccessible.

Welcome/Home Page for AlphaBay Market - 2021

Welcome/Home Page for AlphaBay Market – 2021

Featured Listings on the Marketplace, Consisting primarily of Drugs and Fraud

Featured Listings on the Marketplace, Consisting primarily of Drugs and Fraud

While disc0 vouched for DeSnake on Dread they are not Staff on the revived market or its associated forum, claiming they are retired from such work. The new AlphaBay appears to be moderated by the personas TheCypriot, tempest, and wxmaz. All of the moderators speak very formally with impeccable English and gush with unbridled passion about the need for a new concept of decentralized marketplaces, the complex tradeoffs and advantages of peer-to-peer networks, and a deep desire to establish a greater sense of community.  DeSnake’s posts are particularly “wordy” with extensive lengthy posts on Dread and the market’s About and FAQ section. They sign every post and reply officially with the phrase “Thank You.”

Like the historic AlphaBay, the market’s forum is located on the same domain as the market and has limited discussions. Most of the forum is marked private until the user formally introduces themselves in accordance with the rules outlined by DeSnake. There is a “Admin” account as was the case with the historical AlphaBay forum, and DeSnake also has their own personal account. DarkOwl believes this account may be maintained by DeSnake based on the observation that they leave a similar “Thank You.” at the end of every post.

AlphaBay Forum Main Page - 2021

AlphaBay Forum Main Page – 2021

Darknet Users Remain Hesitant and Skeptical

DarkOwl has been unable to assess how the larger darknet community (outside of Dread) feels about the new Alphabay Market. AlphaBay historically had a vocal and persistence presence on Darknet Market Avengers forum which unfortunately, has been offline for several weeks. There are no new threads mentioning AlphaBay’s return on The Hub.

Users on the Russian-speaking forum, XSS have been the most critical of DeSnake and AlphaBay. In a thread titled, “AlphaBay вернулся!” [Translated: “AlphaBay is back!”] users comments were generally critical of the legitimacy of the marketplace, with comical references like “Welcome to the FBI HQ” posts.

DeSnake joined the conversation, creating an account with his moniker on September 12, 2021 in attempts to mitigate the marketplace’s potential reputation damage. DeSnake repeatedly pointed to their vouches from Dread and old PGP key pasted to Ghostbin, paste site.

Sample Post from DeSnake on XSS

Sample Post from DeSnake on XSS

Unfortunately, DeSnake’s contributions written in a mixture of English and Russian backfired and senior members of XSS berated them for their lack of operational security and inability to properly understand the dynamics of the Russian language.

“Your brand is irrelevant, long forgotten, your missing period as you should know is a lifetime in these circles, your name means nothing, you actually start with negative trust and momentum rather than popping up with a completely new name and brand not linked to the dumpster fire that went down before. So your either dAFeDz, or you have fallen victim to a serious and advanced case of autism after getting your covid vaccination. Either way none of your weird over explanation means anything because before we get to any of that we have to deal with the mental retardation and poor judgment that lead you to relaunch like this. But since youre not who youre trying to be we can skip it" 

– XSS user’s reply to DeSnake directly on the AlphaBay is back thread

Even Reddit users on the surface web have mixed feedback. One user openly joked they would stick to purchasing their drugs on social media.

Reddit Users Commenting on the Return of the Marketplace

Reddit Users Commenting on the Return of the Marketplace

Drama Begins and Scammers Take Advantage

During this research, DarkOwl discovered a surface web domain that mirrors much of the information DeSnake shared on Dread, but with a Tor link to the market that is not in the mirrors.txt verified links list from AlphaBay. The surface web domain is likely setup specifically to direct users to a phishing site where their credential information can be stolen.

There is a Dread thread in the AlphaBay subdreadit stating that AlphaBay is not on Telegram or the surface web validating the theory this is likely a phishing domain. No information about the domain could be ascertained as it is protected by Cloudflare.

Surface Web Phishing Marketing Website for the Marketplace

Surface Web Phishing Marketing Website for the Marketplace

The links section on the surface web AlphaBay domain asserts that all the information on Dread is false, stating that DeSnake’s Dread account had been compromised by “mr_white.” The moniker mr_white belongs to the administrator and owner of the popular darknet marketplace, White House Market (WHM) themed after Breaking Bad’s main character, Mr. White.

Some users claim that mr_white and his team from WHM are to blame for last week’s DDoS while others speculate that HugBunter himself could be mr_white.

Marketplace links on the Surface Web Domain with reference to mr_white

Marketplace links on the Surface Web Domain with reference to mr_white

Is the “New” AlphaBay What it Claims to be? Observations from DarkOwl’s Analysts

While DarkOwl generally avoids engaging in or commenting on speculative darknet drama, there are several things about the re-emergence of AlphaBay and DeSnake that don’t add up. While DeSnake very well could be legitimate, the sheer fact the authorities confiscated the market’s servers and Cazes’s unencrypted laptop should bring significant suspicion whether this new darknet marketplace is legitimate, or simply another covert law enforcement operation.

For this reason, our analysts have shared some observations of note that potentially point to something larger transpiring than a simple relaunch of the former marketplace. Notably:

  • Registration for the market and the forum seem unnecessarily complicated, including errors if the pin code started with ‘0’ and asking for the user’s “real name.” The concept of a real name is irrelevant in the darknet unless the administration is possibly trying to catch someone not in the “right-state-of-mind” slip-up and actually put their real name into that field.

  • The DDoS protection and bot detection measures are excessive for a brand new marketplace. While navigating the domain manually, DarkOwl analysts regularly had to reset their Tor circuit and refresh their identity to simply view the vendor listings.

  • The market includes an outrageous number of strict rules delineated as “global AlphaBay” versus rules specifically for “buyers” and “vendors.” There are no weapons allowed (where the previous AlphaBay had a weapons category), no Fentanyl sales allowed (where the previous AlphaBay had a ‘Fent and RCs’ category), no COVID-19 vaccine or cures can be offered, no ransomware sold or advertised, and no Commonwealth of Independent States (CIS) related countries activities allowed.

  • The “About-Us” and Frequently Asked Questions (FAQ) sections are a laborious read with over 13,000 words combined – 8,200 for the FAQ section alone. Conversely, the original AlphaBay’s FAQ was a mere 277 words.

  • The overt exclusion of CIS countries is peculiar, especially given that DeSnake and alpha02 were openly active in Russian carding communities. According to DarkOwl Vision’s archived documents, Russian speakers were present on the original AlphayBay forum and in interviews alpha02 spoke of how they “work with our Russian colleagues to enable each of us to enrich our base of vendors and buyers,” and clearly was not excluding users located in Russia.

  • AlphaBay now only accepts the cryptocurrency Monero, and heavily promotes that users access it via I2P instead of Tor, calling their Tor services “mirrors” to the main I2P eepsite. DeSnake’s detailed instructions for installing I2P on Dread fail to mention the potential risks of peer discovery and de-anonymization through known techniques like Eclipse and Sybil attacks in conjunction with flood-fill takeovers. Interestingly, the last known Monero-I2P-centric market was Liberitas, which went offline in June 2019 after a very short stint on the I2P network.

  • DarkOwl could not confirm any prior darknet experience from the moderators DeSnake has installed as Staff on the market and forum.

  • The new AlphaBay Marketplace refuses donations. It is unheard of that a darknet service would decline and discourage donations. A fully-functional darknet marketplace will indeed provide sufficient financial resources in the future; yet refusing them from the start is unreal.

DarkOwl Vision Archive of the 2017 version of AlphaBay's FAQ

DarkOwl Vision Archive of the 2017 version of AlphaBay’s FAQ

Additional language analysis reveals other questionable inconsistencies. For example, in the FAQ and About-Us, there are several mentions of DeSnake’s operational security (OPSEC) prowess and over-the-top digs at law enforcement, e.g. “dirty playing by LE with their parallel construction.” Interestingly, the phrase “parallel construction” has appeared many times in post-AlphayBay (2017) conversations on other English-speaking and Russian forums.

Given how security conscious DeSnake was previously, which they self-proclaimed as operating under the mindset of ‘the agencies are after me’,” it is unlikely that they would have been comfortable writing in such recognizable patterns and thereby potentially exposing speech and language nuances.

In a similar vein, DeSnake’s extensive writing samples include multiple instances where the “British” spellings of words like “honoured” and “minimised” are included similar to how alpha02 wrote in his interview with Joshua G in April 2015 on Deep Dot Web, but “decentralized” is still spelled with a “z.” While there are very few English-speaking historical writing samples from DeSnake, as they were most active on Russian-speaking forums like TCF and Evolution, an analysis of historical AlphaBay market records never included any British-English spellings such as these.

Furthermore, darknet users rarely draw so much attention to themselves. DeSnake has broken this mold with their dramatic return to the public eye that included interviews with the media and identity verification through a potentially compromised PGP key.

DarkOwl has assigned assets to monitoring and collecting data from the new AlphaBay Marketplace, despite their increased crawler detection measures and ongoing server instability. Our analysts will continue to follow this market’s presence and reputation on the darknet, and provide further updates as this story unfolds.


Curious about something you read? Interested in learning more? Contact us to find out how darknet data applies to your use-case

Darknet Threat To IoT Realized with Recent CCTV Attack on Prison Security System

DarkOwl’s unparalleled reach into the Darknet Illuminates Threat To IoT as Realized with Recent CCTV Attack on Prison Security System.

In recent years, the cybersecurity industry has repeatedly warned of an increase threat against Internet of Things (IoT) devices. With Ring doorbells, smart refrigerators, IP-enabled cameras and baby monitors, and wi-fi enabled programmable thermostats, the modern western home is a hacker’s playground with multiple attack vectors to choose from. Cybercriminals and hacktivists readily seize upon more lucrative and scalable victims, with cloud-based IoT servers regularly targeted and databases of IoT data exposed – like that of enterprise security camera system provider Verkada, which had 150,000 systems compromised back in the spring of this year during #OperationPanopticon.

Iranian-based cyber hacktivists, known as Edalat-e Ali, or “Ali’s Justice” elevated such vulnerabilities last month, compromising an Iranian prison system’s closed-circuit television (CCTV) to expose widespread abuse and inhumane prison conditions.

DarkOwl has also discovered that the tools to carry out such IoT exploitation campaigns are readily available for sale on the darknet.

Figure 1: Camera in Tesla Factory Compromised in #OperationPanopticon

Figure 1: Camera in Tesla Factory Compromised in #OperationPanopticon

Background: The Iranian hacktivists who compromised the CCTV networks

The Edalat-e Ali hacktivist’s Telegram channel, created on August 19th, launched their attack against the Evin Prison and a photo surfaced of the prison control room with their logo on the screens in their earliest posts. They claim to have “hundreds” of gigabytes of data. In less than two weeks, the Telegram channel has amassed over 30,000 followers and includes numerous leaked videos.

Figure 2: Evin Prison Control Room with Justice Ali's Logo on their Screens (Source)

Figure 2: Evin Prison Control Room with Justice Ali’s Logo on their Screens (Source)

QUICK FACTS

  • While the hackers call themselves, Edalat-e Ali, or Justice for Ali – some reports reference another Iranian hacker collective known as Tapandegan

  • Justice for Ali is a reference to the son-in-law of the Prophet Muhammad, who was an imam revered by Shia Muslims.

The description provided in their Telegram channel reads as follows:

Figure 3: Telegram Channel of the Iranian team that accessed Evin Prison's CCTV system (Source)

Figure 3: Telegram Channel of the Iranian team that accessed Evin Prison’s CCTV system (Source)

ما تصمیم به بر ملا کردن جنایات رژیم گرفته و به سیستمهای زندان اوین حمله سایبری کردیم.جهان را از نقض بارز حقوق بشر در پشت دیوارهای زندان اوین مطلع کنید (ویدیو،عکس،پرونده های زندانیان سیاسی و مدارک مختلف از زندان).

زندانی سیاسی آزاد باید گردد!

«عدالت علی»

[Translated to English]

We decided to resolve the regime’s crimes and attacked Evin prison systems. Inform the world of obvious human rights violations behind the walls of Evin prison (video, photo, political prisoner records and various documents from prison).

Free political prisoner must be!

“Justice Ali.”

The group also leaked documents from the prison from early 2020, where Evin Prison officials expressed concern over potential foreign military attack. This leak suggests that Edaalate-Ali possibly accessed their internal data storage systems in addition to their CCTV security footage. (Source)

Darknet Tools of the Trade to Exploit IoT

Coincidentally, on the same day that the Edalat-e Ali group appeared on Telegram, a vendor known as “thedangeroustomato” posted an offer for a 2021 CCTV exploit on the new Canadian-centric darknet marketplace called “We The North.”

The CCTV exploit is available for a mere $10.50 USD and claims it is “skid-friendly” with the exploit delivered to the victim network via a malicious PDF and two python scripts.

According to DarkOwl Vision’s database, the vendor has very few listings and not much history using that moniker across other darknet forums and marketplaces.

Figure 4: CCTV Exploit Listed on the Darknet Marketplace, We The North (Source: DarkOwl VIsion)

Figure 4: CCTV Exploit Listed on the Darknet Marketplace, We The North (Source: DarkOwl VIsion)

DarkOwl assesses with medium confidence that the “We The North” darknet marketplace is likely a thematic spin-off of Canadian Headquarters, another Canadian-based darknet marketplace that reportedly “exit scammed” a few weeks ago, but has recently resurfaced on a new v3 Tor onion service. The new Canadian HQ market has a new user database (e.g. old credentials do not work) with a “Coming Soon” banner on the main shop front.

Figure 5: Canadian Headquarters New Market Relaunch Post-Exit Scam

Figure 5: Canadian Headquarters New Market Relaunch Post-Exit Scam

Cyber Threat Actors Will Continue to Target CCTV Vulnerabilities

DarkOwl has not confirmed whether this specific exploit was employed against the Iranian Evin Prison hack. However, the low cost to procure, ready availability of such tools via python scripts, and flurry of international news media covering the prison CCTV hack success, suggest further attacks against similar CCTV security systems are likely if not highly encouraged by darknet cyber criminals.

For example, darknet forum and chatroom members celebrated the Verkada attack against Tesla and Cloudflare earlier this year in March, 2021. A member of the DDoSSecrets Telegram group, known for releasing geopolitically controversial content on the darknet, claimed that APT-69420, known as “Arson Cats” were responsible for the IoT device breach and shared images from the victim devices in defiance against global mass surveillance. According to one chatroom, employees at Verkada supposedly revealed the use of the Verkada’s “Super Admin Tool” was widespread and a compromised admin credential could have been the origins of the device attack.

The U.S. Justice Department indicted 21-year-old Swiss-based female hacker Till Kottman with the crimes against Verkada shortly after the leaks appeared. According to open-source reports, her group, designated APT-69420 Arson Cats, is a small collective of “primarily queer hackers, not backed by any nation state, is motivated by the desire for fun, being gay and a better world.”


Curious about something you read? Interested in learning more? Contact us to find out how darknet data applies to your use-case

Analysis of E-mail Domain Preferences by Ransomware Operators

To learn more about the technology habits of ransomware operators, DarkOwl analysts conducted a brief survey of content issued by RaaS groups over the last few years and collated mentions of any email domains they provided for victims to initiate contact with them. The data we analyzed included ransomware notes harvested from multiple darknet sources from 2016 through the first two quarters of 2021.

The chart below depicts the results of our findings, and demonstrates which email services were and/or are popular amongst ransomware gangs over the past several years.

Distribution of E-mail Domain Preferences by Ransomware Group by Calendar Year

Distribution of E-mail Domain Preferences by Ransomware Group by Calendar Year

Quick Takeaways

  • Since 2019, ransomware criminal gangs prefer the Swiss-based Protonmail and German-based Tutanota encrypted e-mail services over other e-mail service providers. The data included in this analysis summed the domains mentioned across all service provider TLDs, e.g. .ch, .io, .pm, etc.

  • E-mail service providers AOL and India.com were most popular in 2016 and 2017 but use of these providers have dropped off considerably in recent years.

  • Google’s Gmail has experienced moderate, alibeit consistent use by many ransomware criminal groups.

Tutonata emerges as most popular email service in 2021 thus far

For the first half of 2021, Tutonata appears to be leading Protonmail in total email accounts mentioned across notes published in the first two Quarters of 2021. Both email services have been the subject of controversy over recent years, including last December when open source reporting indicated that the German government had been forcing Tutanota to setup backdoors, enabling law enforcement to monitor and read e-mails in plain text.

While the reason for the decline in Protonmail’s popularity can not be stated definitively, the fact that the service has been the subject of debate is likely a contributing factor. In 2019, some users across the darknet and Reddit began spreading rumors that ProtonMail was likely a law enforcement honeypot – citing how its Tor service redirects back to the surface web upon account creation. Theories that developers at MIT with oversight from the NSA, CIA, and DARPA assisted CERN with Protonmail’s source code and encryption development. Further arguments included how Protonmail stores email data and metadata in formats similar to those that Edward Snowden had stated the CIA requires. (Source)

This debate is heated and greatly divided with many stating the Privacy WatchDog Blog detailing how Protonmail is a honeypot is anti-Protonmail propaganda website, spreading FUD and baseless conspiracy theories. Additional reports suggest that the CIA for decades has utilized front-companies and technical organizations based in Switzerland to spy on European governments, adding fuel to the paranoia and conspiratorial chatter.

Future Predictions

While the trends for email address domains observed during the first two quarters of 2021 are consistent with preferences in recent years, this data analysis further predicts that the total number of email addresses from ransomware victim notes for 2021 will be likely less than totals observed from previous years.

We predict this due to the volume of ransomware groups utilizing alternative communication methods with their victims. DarkOwl has observed numerous links to Telegram accounts and real-time chats directly hosted Tor darknet onion services to conduct ransom payment negotiations in lieu of traditional e-mail based communications.

 
Example conversation between ransomware gang and one of its victims on a chat service

Example conversation between ransomware gang and one of its victims on a chat service

 

Curious about something you read? Interested in learning more? Contact us to find out how darknet data applies to your use-case

AvosLocker Debuts Service on Tor for Press Releases

Since the beginning of July, information security researchers who have been keeping up with the darknet ransomware community have been anxiously awaiting the debut of AvosLocker’s official Tor service, which will be used as a forum for the ransomware-as-a-service (RaaS) group to communicate with the public about their victims. In early July, DarkOwl observed a v2 Tor onion service branded with AvosLocker’s name and brand logo – a purple bug with green-tipped antennae – stating that the reader’s (victim’s) network and hard drives had been “encrypted using AES-256 military grade encryption.”

The landing page (pictured below) included a simple form where victims with an “ID” could enter the darknet service to begin negotiations with the AvosLocker team on their ransom payment and status of their extorted data. An ID is only available to those who received a ransom note upon encryption of their computer networks.

 
Figure 1: AvosLocker Victim Onion Service on the Tor anonymous network (captured July 8, 2021)

Figure 1: AvosLocker Victim Onion Service on the Tor anonymous network (captured July 8, 2021)

 

The new onion service – collected by DarkOwl automated crawlers on the Tor anonymous network earlier this week – lists at least six victims consisting of a mixture of transportation and logistics corporations and legal firms across the globe.

Editors note: DarkOwl has intentionally chosen not to disclose the victims’ names and has sanitized all mentions of victims in the screen captures below included in this piece

 
Figure 2: AvosLocker Press Release Onion Service on the Tor network (captured July 13, 2021)

Figure 2: AvosLocker Press Release Onion Service on the Tor network (captured July 13, 2021)

 

DarkOwl also detected an AvosLocker affiliate registration and login portal on their original v2 Tor service. The registration form indicates AvosLocker issues invitation codes for access to the domain.

There is no mention of AvosLocker or their logo on the affiliate-related portal onion services (pictured below).

 
Figure 3: AvosLocker Affiliate Login Portal on the Tor anonymous network (captured July 15, 2021)

Figure 3: AvosLocker Affiliate Login Portal on the Tor anonymous network (captured July 15, 2021)

 

Returning back to AvosLocker’s debut of their new, branded onion service, it is worth noting that ransomware operators set up public PR-oriented blogs for any number of reasons:

  1.     They are truly a brand-new ransomware operator conducting ransomware campaigns against victims, employing a unique ransomware encryption cipher, as well as other tactics, techniques and procedures (TTPs);

  2.     They are an existing RaaS affiliate with enough profitable and successful operations to warrant their own victim shaming Tor service; or

  3.    They are a seasoned ransomware operator who is intentionally attempting to obfuscate their operation’s identity by rebranding and changing aliases of key members.

The fact AvosLocker is operating as a RaaS gang employing the traditional “affiliate” model – as noted by the login portal above – means it is highly unlikely they are an affiliate of an existing RaaS group and more likely a rebranding of existing RaaS operator.

Accompanying this theory, DarkOwl analysts quickly observed that the AvosLocker’s new service has striking resemblance to other websites established on Tor, more specifically the infamous Doppelpaymer RaaS gang.

DarkOwl has no indication that AvosLocker is an affiliate of Doppelpaymer, or if it has merely copied the HTML/CSS templates employed by the Doppelpaymer group; it is not uncommon for hosts of Tor onion services to create websites that look and feel like previously published services.

In contrast to the AvosLocker’s service, the Doppelpaymer leaks service on Tor requires the visitor to solve a reCAPTCHA and enable Javascript for the domain to load properly.

 
Figure 4: DoppelPaymer Ransomware Leak Service on Tor anonymous network (captured July 2, 2021)

Figure 4: DoppelPaymer Ransomware Leak Service on Tor anonymous network (captured July 2, 2021)

 

Doppelpaymer has plenty of justification to rebrand their operations, but there is insufficient evidence at this time to confirm AvosLocker is their new brand. In December of 2020, the FBI issued a warning against the Doppelpaymer RaaS gang after a series of attacks last fall in Europe resulted in the death of healthcare patient in Germany. (Source)

The last victim posted on the Doppelpaymer leak service is dated back to May of 2021, and the last one before that was in February. This might suggest Doppelpaymer could be slowing down its operations to avoid additional scrutiny from the media and law enforcement.


Interested in learning more? Contact us to learn how darknet data applies to your use case

Round-up of the Latest Ransomware Gangs Operating on the Darknet

Ransomware as a service (RaaS) gangs readily use darknets like the Tor Project for coordinating their attacks. DarkOwl analysts frequently observe threat actors discussing vulnerabilities and attack vectors, contracting with initial access brokers (IABs) for exposed credentials and access, negotiating directly with victims for ransom payments, and publicly shaming victims through releasing information about attacks and selling/auctioning extorted data. Since the disappearance of Maze Cartel last year and DarkSide this year – shortly after the attack on Colonial Pipeline that crippled a U.S. fuel supply line – DarkOwl has observed many RaaS threat actors come and go, rebranding with nuanced differences. Affiliate programs also increase the presence of new RaaS partners operating similar global campaigns.

This round-up will introduce the new and emerging RaaS groups that DarkOwl has observed as actively operating on the darknet today.

LV Blog

Threat actors behind the LV ransomware appear to have deployed their own personalized version of the 2.03 source binaries developed by the infamous REvil/Sodinokibi ransomware group. The LV ransomware group appears to be targeting victims in France as indicated by their latest public announcements.

Pictured (above) RaaS Group: LV Blog

Pictured (above) RaaS Group: LV Blog

Arvin Club

Arvin Club, a group that touts the mantra “Born to Connect” [translated from Persian], launched their own services on Tor, with victim data and other well-known data leaks including RockYou2021 and the Compilation Of Many Breaches (or COMB).

Arvin Club’s Telegram Channel has been active much longer than their Tor onion service and is quite popular. The channel predominantly contains re-shares of other data leaks (including the information stolen from the Ministry of Intelligence of Iran), press reports of significant cyber attacks, and onion service URLs for popular ransomware groups.

On the 5th of July, Arvin Club announced a statement refuting rumors accusing them of cooperating with the Iranian government.

In the recent hacking case, we are accused of collaborating with the Iranian government. We do not accept this and deny it. We did not buy any data from anyone.

— Statement from Arvin Club [quote has been translated from Persian to English]
Pictured (above) RaaS Group: Arvin Club

Pictured (above) RaaS Group: Arvin Club

Xing

Xing is a self-claimed Chinese-language ransomware assessed to be an affiliate of the Avaddon/MountLocker ransomware family. Shortly after DarkSide hit Colonial, Xing hit another critical company to the pipeline industry, with an entry on its Tor service for Linestar Integrity Services, known for providing maintenance, compliance, auditing, and IT services to pipeline clients.

Interestingly, they refer to their victims as “participants” as if they had a choice in being targeted by the ransomware variant.

Pictured (above) RaaS Group: Xing

Pictured (above) RaaS Group: Xing

LockBit 2.0 – Reboot

Last summer, LockBit along with Sekhmet were allegedly key members of the Maze Cartel, e.g. ransomware affiliate program. LockBit 2.0 is a reboot of the original group’s activities with a new Tor onion service and call for “partners” keeping with the affiliate RaaS model of most darknet ransomware groups.

In their Conditions for Partners and Contacts press release they list “encryption speed and self-spread functions” as “unparalleled benefits of their ransomware software and include a list of software tests performed to back their claims.

Pictured (above) RaaS Group: LockBit 2.0

Pictured (above) RaaS Group: LockBit 2.0

Lorenz / SZ40

Lorenz’s Tor service features the tagline “Nothing personal, it’s strictly business” with an extensive list of victims in their short time of operation, launching back in April 2021. In late June, Dutch cybersecurity researchers at Tesorion released a decrypter that they were able to develop after extensive reverse engineering of this malware variant.

Pictured (above) RaaS Group: Lorenz

Pictured (above) RaaS Group: Lorenz

HiveLeaks

The Hive ransomware group appeared in June with little self-proclamation but instead jumping right into leaking victim data. Each victim post includes the date it was encrypted and the date when the data will be disclosed in the event of non-payment. They are credited with the security breach of software and data solutions provider, Altus Group, which took place in mid-June.

Pictured (above) RaaS Group: Hive

Pictured (above) RaaS Group: Hive

Prometheus

Prometheus arrived in early 2021 with claims that they were a “group of REvil.” DarkOwl analysts noticed this association had been removed from their domain in late June, perhaps due to the increased publicity REvil has received for attacks against Kaseya and JBS.

According to open-source reporting, the Prometheus ransomware variant has possible associations with the Thanos ransomware variant.

Pictured (above) RaaS Group: Prometheus

Pictured (above) RaaS Group: Prometheus

The image below is the logo for Prometheus ransomware in early June advertising their association with REvil. This designation has been removed from their Tor onion service.

rw-8.jpg

Grief

The Grief ransomware has marketing and branding down to it a tee, with its “Grief came to …” theme for its public shaming of victims. The ransomware group’s latest Tor service also include infographics to illustrate the financial and economic impacts of not paying ransomware.

Pictured (above) RaaS Group: Grief

Pictured (above) RaaS Group: Grief

Vice Society

Not much is known about the latest newcomer to the ransomware community, Vice Society. They do not have any partners listed on their Tor service which features the tagline, “With Love!” Known victims include more than one school district, suggesting they are not interested in very lucrative ransom payouts. Vice Society is assessed to be a possible spin-off of the Hello Kitty ransomware variant based on similarities in the techniques used for Linux system encryption.

Pictured (above) RaaS Group: Vice Society

Pictured (above) RaaS Group: Vice Society


 

Interested in learning more? Contact us to learn how darknet data applies to your use case

 

BULLETIN: Latest REvil Victims Suggest Ransomware Targeting is Less Indiscriminate Than Previously Thought

Late last week, DarkOwl analysts observed the REvil ransomware as a service (Raas) cyber-criminal organization publicly announce its latest victims of their ransomware operations on their darknet onion service, some of which have direct associations to western militaries and governments.

Previous assessments have suggested the targets selected by REvil and similar RaaS groups were completely random and indiscriminate. Without directly naming or shaming the companies who fell victim to REvil’s ransomware attack, DarkOwl endeavors to merely highlight the suspicious timing of these specific announcements – along with threatening language included in the release – and the lack of any mention, nor claim of responsibility attacks against global meat distributor, JBS SA attack during Memorial Day weekend; an attack that temporarily impacted meat supplies around the world and caught the attention of the U.S. White House and international authorities.

These latest victims highlight the increasingly vulnerability of supply-chain attacks against critical service providers and the potential impacts to national security in the U.S. and abroad.

REvil Threatens to Share Sensitive Victim Data to Foreign Military Agencies

REvil representatives continually maintain their financially-motivated and opportunistic stance with numerous darknet forum posts stating that they want no part in geopolitical affairs nor act on behalf of any government. In these latest victim announcements, REvil included sensitive military contract information and critical personally identifiable information (PII) of the victim’s employees, such as copies of employee passports, payroll statements, and national identification numbers, as “proof” of the legitimacy of the attack.

More sinisterly, they also acknowledge the sensitivity of the data they’ve stolen and stated they would not hesitate to share this information with other foreign military agencies of their choice, directly contradicting earlier positions of agnosticism in international government affairs or military operations.

Screen Shot 2021-06-07 at 6.01.03 PM.png

Many sources have already confirmed the likelihood that REvil is a Russian-based cyber-criminal organization. The recent string of ransomware attacks by REvil, their affiliates and similar groups, suggest that these organizations are indeed directly targeting critical supply-chain targets with unique technological and critical infrastructure focus, instead of indiscriminately targeting victims for monetary gain.

It is also noteworthy to point out that there is no current consensus on how long RaaS operators like REvil can maintain unauthorized access to victim networks, during which time they would be able to extract data and conduct potentially cyber-espionage-like activity before making themselves known. In other words, the target’s networks are freely accessible to these criminals for an unknown period of time before they finally pull the plug on the operation by deploying a ransomware variant, which then locks down the network, notifies the victim, and begins the phase of extorting target by demanding a ransom.

One security researcher recently shared their analysis of the latest version of REvil’s source code, version 2.05, stating that persistence of the malware was maintained through creating a registry key under SOFTWARE\Microsoft\Windows\CurrentVersion\Run (on Windows machines), which allows the malware to run every time the user reboots their machine. Other ransomware analysis of victims of the Pysa/Mespinoza strain, detailed an 8 hour campaign, launched via a compromised RDP account, where threat actors moved laterally throughout the entire domain harvesting additional credentials and data wherever possible (Source). This, however, is unsurprising as it is well-known that REvil and other popular RaaS operators leverage stolen VPN, RDP, and user credentials where available – often actively sold and traded on the darknet – and readily prey on unpatched server-side software and remote working products like Citrix ADC.

What other kinds of companies are REvil and their affiliates considering as potential targets?

In an interview conducted earlier this year, REvil representative known simply as “Unknown/UNKN”, stated many of their affiliates had unprecedented access to national security assets (directly or indirectly) including, “a ballistic missile launch system, one to a U.S. Navy cruiser, a third to a nuclear power plant, and a fourth to a weapons factory.” The veracity of this extremely serious claim has not been verified by DarkOwl nor the interviewer who spoke directly with Unknown. Others skeptical of interviews with such unreliable threat actors note that this particular “Unknown” could have been an imposter, as alias hijacking is common in across darknet communities. 

However, supporting the ransomware group’s claims of their alarming access to such national entities are recent reports confirming that another ransomware victim is a company that manages the US fleet of military vehicles. While not presently determined to be directly attributed REvil, this incident is indicative that ransomware groups as a whole are indeed successfully compromising vendors supporting US and allied military efforts.

An Ever-Expanding and Continuous Operation

REvil fingerprints have also been recently detected in a new strain of ransomware known as Episilon Red, which information security researchers directly associate with a concerted attack on Microsoft Exchange mail servers. In late May, another new ransomware variant known as Prometheus setup a new Tor onion service claiming they were a “Group of REvil” in their ransom note and branding. Security researchers indicate that Prometheus, operating now for over a month, pens their ransom notes very similar to MountLocker and Medusalocker ransomware variants.

Despite the media attention the JBS SA attack garnered, REvil shows no sign of slowing down or scaling back their operations. In an interview conducted with Russian OSINT YouTube channel last week, they suggested they had previously limited themselves from conducting attacks against U.S. targets, although DarkOwl notes several of their victims over the past year included retail, health, legal, and agricultural companies with operations headquartered in the U.S.

The group’s spokesperson also showed no concern for being considered “terrorists” by the U.S. government or intelligence community, boasting their confidence in prosecution immunity, being sheltered by Moscow, who undoubtedly allows them to operate freely without legal consequence. They concluded their interview with the statement “We are not going anywhere, we are not going anywhere. We will work harder, harder, and harder.” (Source)

DarkOwl will continue to monitor this ongoing story and update as our analysts uncover information.


Breached data from ransomware attacks often wind up on the darknet. Contact us to see if your organization has been the victim of a cyber attack to gain insight into the full extent of your company’s darknet exposure.

Copyright © 2022 DarkOwl, LLC All rights reserved.
Privacy Policy
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.