Maze Hackers Release Press Statement on their Darknet Website Naming New Victims

On July 9th 2020, the hackers behind the Maze ransomware-as-a-service (RaaS) operation released a press statement on their Tor hidden service outlining new terms and conditions for their operations in light of the economic crisis and global pandemic.

Figure 1: Screenshot of Maze Statement

The press announcement also included instructions for their latest ransomware victims: five key points laying out a post-hack timeline for victim negotiations and subsequent data publication. The announcement listed the organizations Maze claims to have already compromised and from which it is now seeking payment before it releases their data to the public. These victims include large corporations such as Xerox and LG Electronics.

The hackers stated they will publish notice of a successful hack, along with the victim's name, within three days of the attack, and that the victim organization must open communication within that 72-hour window. The organizations they publicly named as targets are shown in the following screenshot:

(Screenshot of the Maze victim list, not reproduced)

If negotiations do not succeed within ten days, Maze claims that all of the organization's ransomed data will be released to the public. This contrasts with REvil's approach of auctioning or selling compromised data rather than releasing it for free. The Maze hackers also allude to "no more delays of a month or two," suggesting some compromised organizations were using stall tactics to delay public disclosure of the attack.

Presumably as a further means of intimidation, the Maze hackers also state that, upon releasing each victim's data, they will contact the victim's partners, clients, and regulators to increase the impact of the attack and the damage to the compromised organization's reputation and company value.

The hackers included a closing statement on how they are proud of their reputation and that ironically, “honesty is their revenue” along with a list of a dozen organizations they are extorting that would soon have their data published.

Figure 2: Screenshot of Maze Statement

DarkOwl analysts noted that the language used in the hackers' press release lacked proper grammar, suggesting English is not the hackers' first language. The hackers also stated that a victim's failure to connect to the Maze website chat, or to negotiate out of fear, is the victim's own fault, adding that they are not "physiologists" (presumably meaning psychologists) and cannot understand their victims' behavior patterns.

Figure 3: Screenshot of Maze Statement

NOTE: DarkOwl has chosen to include the names of the most recent victims in this blog at present due to the fact that they are publicly available.


For more information about Maze and other RaaS sold or traded on the darknet, contact us to set up a trial using Vision to monitor and alert you if your company is being targeted or mentioned on the darknet.

Darknet Threats to Cloud-based Platforms and Applications

DarkOwl has investigated threats to cloud-based platforms and applications discussed on the darknet in order to identify threat actors that are specifically targeting cloud environments. Our investigation includes a broad range of cloud environments; from compromising personal iCloud accounts to hacking large-scale infrastructures such as Microsoft Azure and Amazon Web Services (AWS).

Attack Methodology

Understanding the attack vectors against cloud-based platforms is the first step in deciding where to start the darknet research. Fortunately, there are many discussions across the information security community on technical approaches to penetrating a cloud-based network with malicious intent.

As with any information network, one of the simplest ways to gain access is through targeted social engineering and/or credential compromise. Social engineering AWS/Azure users through fabricated emails, calls or social media is a proven approach to obtaining user credentials. If a user holds AWS access keys (an access key ID and secret access key) for programmatic access, general phishing techniques can be used to gain access to the user's computer and other accounts, where the attacker can then pull the access keys from the user's machine. One hacker emphasized the importance of learning as much as possible about a target organization before social engineering it, noting that AWS is no exception. Threat actors collect information such as AWS account IDs, Amazon Resource Names (ARNs), IP addresses, IAM role names, and other AWS-specific details in order to start an attack on the network [ref].

Some hackers have had success sending SMS text messages to targeted users. The SMS includes a malicious link that "appears to be a legitimate platform notification" for a password reset, and the authentication credentials entered on the resulting page are captured. Amazon provides a number of user-friendly URLs for accessing the AWS console or the AWS SSO user portal. The following URL patterns can be mimicked in targeted phishing or, once a target's account alias or account ID is known, used to locate the legitimate sign-in page:

IAM user sign-in link (account alias): https://name.signin.aws.amazon.com/console

IAM user sign-in link (account ID): https://accountid.signin.aws.amazon.com/console

AWS SSO start page: https://name.awsapps.com/start

Figure 1: Source, DarkOwl Vision DocID: 9d47d601acbbb5c3e8cedc4e3f574352

Other threat actors, such as the hacker behind the RouteX malware, have successfully accessed cloud accounts by reusing compromised usernames and passwords in automated "credential stuffing" attacks.

Figure 2: Source, DarkOwl Vision DocID: 73b071f96795871a39411fc9fd4ee70b

Despite repeated warnings from the infosec community, most people still reuse passwords, jeopardizing the security of their cloud-based platform accounts. (Source: a136a0a1fb206b55f06084f100ab4cbc)
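Credential stuffing against the AWS console leaves a distinctive trace in CloudTrail: one source IP fails ConsoleLogin across many different user names in a short window, whereas a brute force hammers one user. The following detector is an added example written for this article, not code from the post or from any tool it mentions. The events are constructed to mimic CloudTrail's JSON shape; the IP addresses are from documentation ranges and the user names are made up.

```python
"""Detect credential stuffing against the AWS console in CloudTrail ConsoleLogin
events.

Added example, not code from the post. Stuffing replays leaked user/password
pairs, so one source IP fails across many *different* user names inside a short
window; a brute force is the opposite (many failures on one user). The events
below are constructed to mimic CloudTrail's JSON shape; the IPs are from
documentation ranges and the user names are made up.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta


def _event(ts, ip, user, outcome):
    """Build a minimal CloudTrail-style ConsoleLogin record (constructed)."""
    return json.dumps({
        "eventVersion": "1.05", "eventTime": ts, "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "sourceIPAddress": ip,
        "userIdentity": {"type": "IAMUser", "userName": user},
        "responseElements": {"ConsoleLogin": outcome},
    })


SAMPLE_EVENTS = [
    # 198.51.100.7 works through a leaked credential list: six users in four minutes.
    _event("2020-06-01T10:00:01Z", "198.51.100.7", "alice", "Failure"),
    _event("2020-06-01T10:00:40Z", "198.51.100.7", "bob", "Failure"),
    _event("2020-06-01T10:01:15Z", "198.51.100.7", "carol", "Failure"),
    _event("2020-06-01T10:02:02Z", "198.51.100.7", "dave", "Failure"),
    _event("2020-06-01T10:02:50Z", "198.51.100.7", "erin", "Failure"),
    _event("2020-06-01T10:03:30Z", "198.51.100.7", "frank", "Failure"),
    _event("2020-06-01T10:30:00Z", "198.51.100.7", "gina", "Failure"),  # outside the window
    # 203.0.113.9 hammers one account: a brute force, not stuffing.
    *[_event(f"2020-06-01T10:0{i}:00Z", "203.0.113.9", "alice", "Failure") for i in range(6)],
    # 192.0.2.5 is a normal successful login.
    _event("2020-06-01T10:05:00Z", "192.0.2.5", "bob", "Success"),
]


def parse_event(line: str) -> dict:
    """Pull the fields the detector needs out of one CloudTrail record."""
    e = json.loads(line)
    return {
        "time": datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
        "ip": e["sourceIPAddress"],
        # CloudTrail writes HIDDEN_DUE_TO_SECURITY_REASONS when the user name
        # does not exist, so nonexistent names all collapse into one bucket here.
        "user": e.get("userIdentity", {}).get("userName", "HIDDEN_DUE_TO_SECURITY_REASONS"),
        "failed": e.get("responseElements", {}).get("ConsoleLogin") == "Failure",
    }


def detect_stuffing(lines, window=timedelta(minutes=10), min_users=5) -> dict:
    """Return {source_ip: sorted user names} for every IP whose failed logins
    cover at least `min_users` distinct names within one sliding `window`."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev["failed"]:
            by_ip[ev["ip"]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        best, start = set(), 0
        for end in range(len(evs)):
            # Advance the window start until the events span at most `window`.
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            names = {e["user"] for e in evs[start:end + 1]}
            if len(names) > len(best):
                best = names
        if len(best) >= min_users:
            flagged[ip] = sorted(best)
    return flagged


if __name__ == "__main__":
    for ip, users in detect_stuffing(SAMPLE_EVENTS).items():
        print(f"{ip}: failed logins for {len(users)} users: {', '.join(users)}")
```

Because CloudTrail hides the user name when it does not exist, a stuffing run built from a list of email addresses will mostly land in the single HIDDEN_DUE_TO_SECURITY_REASONS bucket; in production, pair this distinct-user rule with a plain failure-rate threshold per source IP.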

Attack Methodology – API Keys

Some cloud services, like AWS, issue API keys (for AWS, an access key ID paired with a secret access key) that let technical users call the cloud APIs and control cloud servers without a username and password. These are random, unique strings of letters and numbers that grant whoever holds them the permissions of the associated IAM user or role. Leaked keys are an easy starting point for compromising an AWS account, and the darknet contains thousands of such mentions. The Telegram group MrChecker.net sells AWS keys for as little as 15 USD, while other hackers post stolen keys to darknet paste sites for future use. (Source: cbe876388ac06e2caddc6c69f516a310)

Figure 3: Source, Offer for AWS Keys for sale on Telegram Supergroup

Figure 4: Source, Listing of Secret AWS Keys on Deep Web, DarkOwl Vision DocID: fa60ca54163e81409ce6800964dadce2

Some developers have accidentally committed their AWS access keys to public code-hosting sites like GitHub. According to open source reporting, threat actors are employing bots that persistently scan GitHub for exposed AWS access keys.

One widely publicized open-source tool is TruffleHog, a Python script that searches git repositories and their history for high-entropy strings and known secret patterns. In recent months, GitHub user Crypto-Breaker committed an entire repository called "My Arsenal of AWS Security Tools" that could easily be adapted to exploit S3 buckets. Some AWS users have noted that Amazon now actively scans GitHub for committed secret keys, quarantining the potentially compromised key and notifying the account owner automatically before a malicious actor can run up a large AWS bill.
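The scanners described in the preceding paragraphs work by pattern-matching the access key ID and then testing nearby 40-character tokens for randomness. The scanner below is an added example written for this article; it is not code from the post, from TruffleHog or from the repositories named above. SAMPLE_CONFIG is constructed to look like a committed credentials file: the first key pair is the placeholder pair from AWS's own documentation, the second is made up, and neither is a live credential.

```python
"""Scan text for leaked AWS access keys the way a repository-scanning bot does.

Added example; not code from the post, from TruffleHog or from any repository
named above. It pairs a pattern match for access key IDs with a Shannon-entropy
check on the 40-character secret usually committed beside them, which is how
such scanners separate real secrets from placeholders. SAMPLE_CONFIG is
constructed: its first pair is the AWS documentation placeholder, the second is
made up, and neither is a live credential.
"""
import math
import re
from collections import Counter

# Long-term access key IDs start with AKIA, temporary (STS) ones with ASIA;
# both are 20 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# Secret access keys are exactly 40 characters from the base64 alphabet; the
# look-arounds stop us matching a 40-char slice of a longer token.
SECRET_RE = re.compile(r"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")

SAMPLE_CONFIG = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[placeholder]
aws_access_key_id = AKIAZZZZZZZZZZZZZZZZ
aws_secret_access_key = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
"""


def shannon_entropy(s: str) -> float:
    """Bits per character: a random base64 secret scores well above 4,
    a padding string of one repeated character scores 0."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def find_aws_keys(text: str, min_entropy: float = 4.0) -> list:
    """One finding per access key ID. The secret candidate is the highest-entropy
    40-char token on the same line or the two lines after it, or None when the
    only candidates look like placeholders."""
    findings = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        for m in ACCESS_KEY_RE.finditer(line):
            window = "\n".join(lines[i:i + 3])
            best = None
            for s in SECRET_RE.finditer(window):
                ent = shannon_entropy(s.group(1))
                if ent >= min_entropy and (best is None or ent > best[1]):
                    best = (s.group(1), ent)
            findings.append({
                "line": i + 1,
                "access_key_id": m.group(1),
                "secret_candidate": best[0] if best else None,
                "secret_entropy": round(best[1], 2) if best else None,
            })
    return findings


if __name__ == "__main__":
    for finding in find_aws_keys(SAMPLE_CONFIG):
        print(finding)
```

The entropy threshold is what keeps the second finding's secret at None: a 40-character string of one repeated letter is a placeholder, not a secret. Run the same function over your own repositories' history (the `git log -p` output, for instance) before an attacker's bot does.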

Figure 5: Source, DarkOwl Vision DocID: 7730edcec2ea299da0103e9e344bdad3

Attack Methodology – Third Party Software and Web Applications

One security researcher discussed in detail how a Server-Side Request Forgery (SSRF) can be used for privilege escalation. In an SSRF, an attacker makes a vulnerable server issue requests of the attacker's choosing; because the request originates inside the target environment, it can reach addresses the attacker cannot reach directly. Abusing the URL scheme, e.g. replacing http(s):// with file://, can yield local files containing session keys and container credentials, and a request to the EC2 instance metadata service (169.254.169.254) returns the same temporary IAM credentials that the application itself uses. For example, the URL:

(Screenshot of the instance metadata URL, not reproduced)

returns a JSON object containing an AWS access key ID, secret access key, and session token, giving whoever made that request the same access to the AWS environment as the instance's IAM role.

Coupling these techniques with boto3, the AWS SDK for Python, further malicious API calls can be performed, including defacing a static website hosted in an S3 bucket [source]. The Telegram channel exploithub discusses SSRF against Azure as well as other critical vulnerabilities in cloud-based platforms.
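The bug class above is easiest to see side by side with its fix. The following is an added example written for this article, not code from the post or from the researcher it summarises: `fetch_preview_vulnerable` has the shape of the bug (a "link preview" style endpoint that fetches whatever URL it is given), and `validate_outbound_url` is the check the hardened version runs first. Nothing touches the network: `FAKE_DNS` is a constructed resolver with made-up hostnames, and `fake_http_get` answers for the metadata endpoint with a constructed credential document so the example runs offline.

```python
"""Server-side request forgery (SSRF) to the EC2 instance metadata service.

Added example; not code from the post or from the researcher it summarises.
fetch_preview_vulnerable() has the shape of the bug: it fetches whatever URL
the caller supplies. validate_outbound_url() is the check the hardened version
runs first. Nothing touches the network: FAKE_DNS is a constructed resolver so
the example runs offline, the hostnames in it are made up, and fake_http_get()
answers for the metadata endpoint with a constructed credential document.
"""
import ipaddress
from urllib.parse import urlsplit

# IMDSv1 path that returns the instance role's temporary credentials.
IMDS_CREDS = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"

FAKE_DNS = {                                        # constructed, not real records
    "cdn.example.com": "93.184.216.34",
    "metadata.internal.example": "169.254.169.254",  # attacker-controlled name
    "localhost": "127.0.0.1",
}


def fake_resolve(host: str) -> str:
    """Stand-in for socket.gethostbyname. Like the real resolver it accepts
    literal addresses, including the decimal form 2852039166 == 169.254.169.254."""
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    if host.isdigit():
        return str(ipaddress.ip_address(int(host)))
    return str(ipaddress.ip_address(host))          # ValueError for unknown names


def validate_outbound_url(url: str, resolve=fake_resolve) -> tuple:
    """Return (ok, detail). Allow only http(s) to hosts that resolve to a
    globally routable address; that excludes loopback, RFC 1918 ranges and
    169.254.0.0/16, where the metadata service lives."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "missing host"
    try:
        addr = ipaddress.ip_address(resolve(parts.hostname))
    except (ValueError, OSError):
        return False, f"cannot resolve {parts.hostname!r}"
    if not addr.is_global:
        return False, f"{parts.hostname} resolves to non-global address {addr}"
    return True, str(addr)


def fake_http_get(url: str) -> str:
    """Constructed transport standing in for requests.get(url).text."""
    if url.startswith(IMDS_CREDS):
        return '{"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "x", "Token": "y"}'
    return "<html>fetched page</html>"


def fetch_preview_vulnerable(url: str) -> str:
    """Vulnerable: a 'link preview' endpoint that fetches any URL as-is."""
    return fake_http_get(url)


def fetch_preview_hardened(url: str, resolve=fake_resolve) -> str:
    """Hardened: validate the destination first, then fetch."""
    ok, detail = validate_outbound_url(url, resolve)
    if not ok:
        raise ValueError(f"blocked outbound request: {detail}")
    return fake_http_get(url)
```

Two caveats a reviewer would raise: the check resolves the name once and the HTTP client resolves it again, so a name that changes between the two (DNS rebinding) slips through unless the client is made to connect to the validated IP with the original Host header and to follow no redirects; and on the provider side, IMDSv2 requires a session token obtained with a PUT request, which a GET-only SSRF cannot make, so enforcing IMDSv2 on the instance removes this particular payoff even when the application bug remains.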

Figure 6: Example code using boto3

Attack Methodology – Malicious Injection

CSV injection (also called formula injection) affects exports from both AWS and Azure: attacker-controlled text that ends up in a CSV download is executed as a formula when a user opens the file in a spreadsheet application, so the target is the user's workstation rather than the cloud server itself. Ready-Hacker-One includes Cross-Site Request Forgery (CSRF) and CSV injection payloads in their "Everythingpayloads" GitHub repository (Source: f78043b645a4e1ce2c66e3aaf4783748), while Rhino Security Labs details the vulnerabilities in AWS and Azure in multiple open source reports. For example, the command shown below downloads an executable from a remote server using PowerShell and runs it on the target user's computer. According to the researcher who published it, the external web server is served over HTTP and automatically redirects to the malicious .exe, because Azure's input validation rejects forward and backward slashes, which would otherwise break the payload [source].

(Screenshot of the CSV injection payload, not reproduced)

Figure 7: Source, DarkOwl Vision DocID: 40ce4e6a9e2e7ca1b5460bdca7fb9c82
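The mechanics of the CSV injection above, and the export-side fix, in an added example written for this article (it is not the payload from the post or from Rhino Security Labs' reports). RECORDS is constructed: the second row's user name is a harmless DDE-style string, not a working downloader. A spreadsheet opening the plain export evaluates any cell that starts with `=`, `+`, `-`, `@`, a tab or a carriage return as a formula; the hardened writer prefixes such cells with a single quote so they are stored as text.

```python
"""CSV (formula) injection: the export that carries the payload and the
escaping that neutralises it.

Added example; not the payload from the post or from Rhino Security Labs'
reports. RECORDS is constructed: the second row's 'user' is a harmless
DDE-style string, not a working downloader. A spreadsheet opening the plain
export evaluates any cell starting with = + - @ (or a tab or carriage return)
as a formula; the hardened writer prefixes those cells with a single quote so
they are stored as text.
"""
import csv
import io

FIELDS = ["user", "event", "note"]

# Constructed rows, as an attacker-controlled field (an IAM user name, a
# resource tag, a portal display name) reaches a CSV export.
RECORDS = [
    {"user": "alice", "event": "ConsoleLogin", "note": "ok"},
    {"user": "=cmd|' /C calc'!A0", "event": "ConsoleLogin", "note": "DDE-style formula"},
    {"user": '+HYPERLINK("http://example.invalid")', "event": "GetObject", "note": ""},
    {"user": "-5", "event": "GetObject", "note": "looks numeric, still a formula"},
]

FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralise_cell(value) -> str:
    """Prefix a formula-looking cell with ' so the spreadsheet stores text."""
    s = str(value)
    return "'" + s if s.startswith(FORMULA_TRIGGERS) else s


def export_vulnerable(records) -> str:
    """Write fields verbatim: CSV-correct, but formulas survive into the file."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=FIELDS)
    w.writeheader()
    w.writerows(records)
    return buf.getvalue()


def export_hardened(records) -> str:
    """Same export with every cell passed through neutralise_cell()."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=FIELDS)
    w.writeheader()
    for r in records:
        w.writerow({k: neutralise_cell(v) for k, v in r.items()})
    return buf.getvalue()


def formula_cells(csv_text: str) -> list:
    """Detection side: (row, column) of every cell a spreadsheet would evaluate,
    counting the header as row 0."""
    return [(i, j)
            for i, row in enumerate(csv.reader(io.StringIO(csv_text)))
            for j, cell in enumerate(row)
            if cell.startswith(FORMULA_TRIGGERS)]


if __name__ == "__main__":
    print("unsafe cells in plain export:   ", formula_cells(export_vulnerable(RECORDS)))
    print("unsafe cells in hardened export:", formula_cells(export_hardened(RECORDS)))
```

The `-5` row shows the cost of the blanket rule: legitimate negative numbers get quoted too, so columns that are genuinely numeric should be validated as numbers at input time rather than escaped at export time. Note also that the CSV writer's own quoting (doubling embedded `"`) is necessary for a well-formed file but does nothing against formula injection, which is why the vulnerable export is still a valid CSV.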

Darknet forum user Everest_RR started a thread discussing how CSRF exploitation could yield credentials and a foothold for server attacks through over 100 Jenkins plug-ins (Figure 7). The plug-in developers failed to require POST requests and validate the CSRF token, which is what protects state-changing actions from forged requests. These third-party plug-ins interact with popular cloud services and platforms such as Twitter, AWS, VMware and Azure.

Azure Vulnerabilities on the Darknet

Hackers frequently discuss vulnerabilities in various platforms on the darknet. A recent Azure vulnerability, CVE-2019-1306, "Azure DevOps and Team Foundation Server Remote Code Execution Vulnerability," was explicitly posted to a darknet hacker forum by the user known by the moniker PresidentXS. An attacker who successfully exploits this vulnerability can execute malicious code in the context of the Azure DevOps (ADO) service account.

Figure 8: Source, DarkOwl Vision DocID: 2f579f9a1711a11e065983edc3641293

Earlier this year, Russian hackers on the darknet forum Dublikat discussed the Azure Stack vulnerability documented in CVE-2019-1234 (Source: d25c98cc06300c5a8e3dcbd1a6ebf606). Such discussion threads in DarkOwl Vision are useful for reviewing comments and exploring the applications and use cases of a specific vulnerability.

Figure 9: Source, Captured from darknet forum: https://dublik2uqiorycsj[.]onion/threads/ujazvimosti-v-microsoft-azure-pozvoljali-zaxvatyvat-chuzhie-servery.155202

In 2018, a user on the popular darknet security forum Torum expressed interest in attacking a web server hosted on the Azure platform. The purpose of the forum thread was less to discuss the attack vector and more to solicit assistance in the venture. The user, badass888, listed a number of "illegal sports betting" software websites that they wanted to replicate, but the threat actor needed to compromise the sites' Azure-hosted infrastructure to gain access to the website databases and source code. It is unclear from the comments whether the hacker found help, but malicious intent is present.

Figure 10: Source, DarkOwl Vision DocID: 5bc5355f20e410d114720b273b1cca0

Google Cloud

Google's cloud storage service, Google Drive, is also regularly targeted by threat actors on the darknet. One Russian forum user, "KeyBox," recently offered "unlimited" Google Drive storage for a one-time payment, undercutting Google's monthly storage plans. The service is advertised on keybox.pp.ua, with further discounts on offer.

Translated from the Russian original in the advertisement: "This is a great deal: a 1000 GB subscription costs about 1000 rubles per month, whereas here you pay once and get unlimited Google Drive."

Figure 11: Source, DarkOwl Vision DocID: 61cf92e1a44cb234e5966549eda52350

CloudFlare

Another popular topic on the darknet is how to bypass “CloudFlare” website content delivery networks.

Figure 12: Source, DarkOwl Vision DocID: 56155bc8726d266a810b9fab514cfea6

Cloudflare acts as an intermediary between a client and a server: it operates as a reverse proxy that caches the website and answers requests on the origin server's behalf, so visitors, attackers included, see Cloudflare's IP addresses rather than the origin's. Its protections are designed to filter malicious traffic and keep attackers away from the origin server.

According to one darknet user, "CloudFlare is a big pain to us hackers." Torigon user xData_ recently posted an informative thread on multiple Cloudflare bypass methods. The thread details tools for different platforms as well as host discovery methods, including SSL certificate searches and subdomains that point directly at the origin host's IP.

Figure 12: Source, DarkOwl Vision DocID: 56155bc8726d266a810b9fab514cfea6

There are numerous tools readily available for bypassing Cloudflare's protections. Most are hosted in GitHub repositories or exposed as APIs. The Censys API is regularly referenced by threat actors as a way to expose a target's origin IP address through SSL certificate data: a search for the target's domain in certificates returns the hosts presenting that certificate, including origins that also answer directly. Once a list of potential origin servers (IPv4 hosts) has been obtained, some scripts request the page from each candidate and compute the similarity of the response with the response returned by the original domain, using a structural similarity function purpose-built for comparing websites, in the spirit of a Levenshtein distance calculation.
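The comparison step described above, as an added example written for this article (it is not code from the post or from any of the bypass scripts it names). The page bodies are constructed strings standing in for what each host returned when requested with the fronted domain in the Host header; no requests are sent. It compares structure (the ordered tag skeleton) with difflib's ratio, a Levenshtein-like measure, so that visitor counters, timestamps or ad markup do not swamp the comparison. Run against your own infrastructure, a candidate that scores near 1.0 is an origin reachable around the CDN and should be firewalled to Cloudflare's address ranges.

```python
"""Rank candidate origin IPs by how closely their response matches the
Cloudflare-fronted site, the comparison step described above.

Added example; not code from the post or from any of the bypass scripts it
names. The page bodies are constructed strings standing in for what each host
returned; no requests are sent. Structure (the ordered tag skeleton) is
compared with difflib's ratio, a Levenshtein-like measure, so dynamic text does
not swamp the comparison.
"""
from difflib import SequenceMatcher
from html.parser import HTMLParser


class TagSkeleton(HTMLParser):
    """Keep only tag names plus id/class; drop text, scripts and other attrs."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self.tags.append(f"{tag}#{a.get('id', '')}.{a.get('class', '')}")

    def handle_endtag(self, tag):
        self.tags.append(f"/{tag}")


def skeleton(html: str) -> list:
    """Ordered list of tag tokens for one page."""
    p = TagSkeleton()
    p.feed(html)
    return p.tags


def structural_similarity(html_a: str, html_b: str) -> float:
    """1.0 when both pages have identical tag structure, 0.0 when nothing aligns."""
    return SequenceMatcher(None, skeleton(html_a), skeleton(html_b)).ratio()


def rank_origin_candidates(reference_html: str, candidates: dict, threshold=0.9) -> list:
    """candidates maps ip -> body. Returns [(ip, score)] at or above threshold, best first."""
    scored = [(ip, round(structural_similarity(reference_html, body), 3))
              for ip, body in candidates.items()]
    return sorted((s for s in scored if s[1] >= threshold), key=lambda s: -s[1])


# Constructed bodies. FRONTED is what the CDN serves for the fronted domain;
# 192.0.2.44 is the real origin (same template, different dynamic text),
# 192.0.2.45 a default vhost on a shared host, 192.0.2.46 an unrelated site.
FRONTED = """<html><head><title>Shop</title></head><body>
<div id="header" class="top"><nav><a href="/">Home</a><a href="/cart">Cart</a></nav></div>
<div id="content"><h1>Welcome, visitor 1234</h1><p>Generated 2020-06-01T10:00Z</p></div>
<div id="footer"><p>&copy; Shop</p></div></body></html>"""

CANDIDATES = {
    "192.0.2.44": FRONTED.replace("visitor 1234", "visitor 98").replace("10:00Z", "10:07Z"),
    "192.0.2.45": "<html><head><title>403 Forbidden</title></head><body>"
                  "<h1>403 Forbidden</h1><p>nginx</p></body></html>",
    "192.0.2.46": "<html><body><h1>It works!</h1></body></html>",
}


if __name__ == "__main__":
    for ip, score in rank_origin_candidates(FRONTED, CANDIDATES):
        print(f"{ip} structural similarity {score}: probable origin")
```

When doing this for real, send the fronted domain in the Host header to each candidate IP; without it a shared host answers with its default vhost (the 192.0.2.45 case) and a true origin can be missed.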

Another extremely popular and regularly referenced Cloudflare bypass resource is "CloudFail," created by the hacker m0rtem. CloudFail is described as a "tactical reconnaissance tool" for target data collection. The script routes all requests through Tor, looks for DNS misconfigurations using DNSDumpster.com, then checks the crimeflare.com database for subdomains, and finally brute-forces subdomain names. CloudFail can test upwards of 2,500 subdomain names in one run.

Figure 13: Source, Screen capture of Cloudfail.py (Source: github.com)

The subdomain discovery methods discussed in xData_'s thread are in full use, as captured by multiple DarkOwl Vision results. There are several hundred examples like the figures below in which a subdomain's IP has been identified along with a flag indicating whether Cloudflare protection is on or off. Another threat actor performed a similar subdomain analysis of the social media platform Snapchat in late 2019 (Source: 42995a33628e79b929ee7708999f0ebc). Most results in the format <<Subdomain IP Cloudflare>> do not list an author; however, in November 2019, PostNL's subdomains were enumerated by a user with the moniker ProxyManiac. This threat actor also identified some 300+ websites hosted on bulletproof hosting in another deep web data dump. (Source: 813aacb2d453e10ed8d0c2a2c9e63426)

Figure 14: Source, DarkOwl Vision DocID: 4aac980c425b46fd027aad24569249bb

Figure 15: Source, DarkOwl Vision DocID: 2a87de7ad872ebec6b3bc422840b2a32

iCloud

Personal Apple iCloud accounts are a popular target among darknet hackers. For example, one of the most popular questions observed by DarkOwl analysts active in underground chatrooms is "How do I hack my girlfriend's iPhone?" Torigon user Roxy recently posted a link to an iCloud bypass utility for accessing personal iCloud accounts. The software is advertised to work on iPhone models 5s to X. (Source: e456dc53f7840f85609783e97038156a)

Figure 16: Source, Captured from Torigon: http://torigonn6jdlsmga[.]onion/viewtopic.php?f=78&p=1859&t=503

Most Russian forums include service advertisements, like the August 2017 offer below by scriptseller2018. This advertisement detailed the steps for compromising an Apple ID and iCloud account, packaged together in a script the hacker was selling on the forum. (Source: bee9c6a7875239502c5e3115fdab144e)

Figure 17: Source, DarkOwl Vision DocID: bee9c6a7875239502c5e3115fdab144e

Abuse of Cloud Resources

While not a direct threat to cloud subscribers, abuse of cloud resources is a concern for cloud providers, particularly those offering IaaS (Infrastructure as a Service) and PaaS (Platform as a Service) models. The most prevalent form this takes on the darknet is the sale and use of dedicated cloud servers, often referred to as "dedics." There are many examples of darknet users offering these services.

One notable example is user extremalspeed, who posts advertisements for his services on Russian hacking forums such as Exploit.in and UFOLabs. Deep web forums such as Raidforums are also riddled with similar advertisements.

 

Figure 18: Source, User extremalspeed offering dedicated servers on Google Cloud, Vultr, Digital Ocean, and AWS, DarkOwl Vision Document ID: 51597bc6ec8f321cc2c9a66db8dae3aa

Figure 19: Source, Raidforums user CloudProvider selling cloud computing accounts from multiple sources. DarkOwl Vision DocID: b6a95f5d0283d001458c0f00ee794a08

Organizations are not the only ones taking advantage of cloud computing: from cracking passwords and encryption keys to hosting exploits and stolen data, hackers are no longer limited to their own hardware for malicious purposes. Many tutorials posted to the darknet describe how to take advantage of free credits offered by cloud providers. User therigbys, of the now-defunct "KICKASS" forum, notes that there are specific advantages to using Alibaba Cloud for spamming: "You can use the credit to own servers, they have quality IP, you can use to spam with little red flags." Cloud providers are also used to host phishing sites; Exploit.in forum member the-one expressed plans to host Office 365 phishing pages on Azure.

Figure 20: Source, A tutorial on how to use cloud computing credits for malicious purposes, DarkOwl Vision Document ID: a987d3f5159f5b2c38e6611e9eec1c4d

Figure 21: Source, User The-one looking to buy an office 365 phishing page that can be hosted on Azure, DarkOwl Vision DocID: b61a5a1d19ffa519b8897792a9f49011

Selling Access to Personal Cloud Services

Some hackers sell access to their personal cloud of data dumps, such as DrDastan on Raidforums. This type of service is usually advertised as a subscription service and the seller usually claims to regularly post updates with fresh data.

Figure 22: Source, Raidforums user selling access to their personal cloud of data dumps. DarkOwl Vision DocID: 438f8f9e5126f6aa72c42d5f440fd796

Selling Access to Compromised Servers and Accounts

In recent years, hackers have made many headlines for selling access to organizations' compromised servers, and servers hosted in the cloud are no exception. The following two examples are from the hacker forum Exploit.in. In the first, threat actor Buffer is selling access to an educational institution's platform, which he claims receives 35 million visits per day. In the second, threat actor onfrich is selling access to the Azure server panels of a hospitality company.

Figure 23: Source, Exploit.in user Buffer selling access to an education institute’s cloud platform, DarkOwl Vision Document ID: c5766f4e3f21384f83dfb1fa28aea8e5

Figure 24: Source, Threat Actor onfrich selling Access to Azure server panels of a hospitality company. DarkOwl Vision DocID: e7dd5705b3e45f05ae456bba9941c5c4

In 2019, a user on the deep web crime forum sinister.ly, using the moniker momxia, posted an offer for Google accounts with $100 USD credit.

Figure 25: Source, DarkOwl Vision DocID: 8b70f34c4b2e09572bdba0bf775384b0

The advertisement included multiple ways to contact the seller, along with a surface web link to their online store. According to their Selly store on the surface web, the Google Cloud accounts were for sale at $6.00 USD each. At the time of writing, the seller's website indicated they were out of stock.

Figure 26: Source, Surface Web screen capture of the same list on momxia’s selly store. Source https://momoxia.selly[.]store/product/80806a1b


See this research featured in the newly released IBM X-Force Cloud Threat Landscape Report 2020.


Curious to learn more about our darknet data? Have any questions for our analysts? Contact us.

REvil hackers continue to rack up high-profile targets with ransomware attacks

Since first leaking highly sensitive personal information pertaining to Lady Gaga, the threat actor group has targeted Sherwood Food Distributors and Donald Trump. Our team has been monitoring the situation closely and will continue to post updates here as new developments arise.

UPDATES (LATEST JUNE 2, 2020)

REvil Hackers Begin Auctioning Compromised Data

While protests and rioting dominated the news in US cities, the REvil hackers showed no sign of slowing, adding more victims to their darknet website in recent days. They also introduced an "auction" feature to their website, with Canadian agriculture company Agromart Group's data as the first lot and bids starting at $50,000 USD.

SODINOKIBI USED AGAINST AGROMART GROUP

Agromart Group is a Canadian agriculture company with offices in Ontario. The Happy Blog post for Agromart suggests the hack of the group of several companies (including Scotland Agromart Ltd.) likely occurred on or around 26 May 2020. The hackers state they have corporate documents and accounts comprising over 22,000 files and 3 databases. Several accounting spreadsheets are included in the screenshots posted as evidence of the attack's legitimacy; one appears to be a list of Agromart's customers and their orders. There was also a document labeled "Personal Net Worth Statement" containing an employee's personal financial information. It is unclear whether this attack has had, or will have, an impact on Canada's farming industry.

Early Tuesday morning, the hackers debuted an "auction" section of their darknet blog featuring Agromart, a departure from the Russian Jokerbuzz darknet auction hidden service mentioned in the Grubman Shire announcement. The minimum deposit, in Monero (XMR), is $5,000 USD, with a suggested starting price for the files and databases of $50,000 USD. The auction's "blitz" (buy-now) price is $100,000 USD, and the auction lasts only a week. The hackers also included links for purchasing Monero, which they prefer over Bitcoin.

TELECOMMUNICATIONS AND ENERGY FIRMS NOT IMMUNE

The hackers also posted links for the South African telecommunications and mobile phone provider Telkom, as well as the British energy reporting and accounting company Elexon. The announcement for Telkom's hack was brief, while for Elexon the hackers included a link to "sample" files from the corporate network and multiple screenshots. One screenshot showed a renewal application form for CFC's Cyber Private Enterprise policy, suggesting the company held cyber insurance covering such an attack.

On its public website, Elexon confirmed that the attack on its internal networks occurred on 14 May 2020 and stated there was no risk to the public or loss of customer-level data.

We have identified the root cause and are now resolving the
issue. As we do not hold any customer level data, there is no
risk to the public.

ELEXON is not part of the real time physical flow of electricity
from power stations to consumer. Therefore there is no impact to
power supplies.

— elexon.co.uk

Several Law Firms Added in Recent Days

The REvil hackers also announced hacks of additional US law firms: Indiana-based Wartman Law Firm and Fraser Wheeler and Courtney LLP in Louisiana. The post for Wartman indicates several hundred folders of customer and client data were compromised and that the law office has a week to respond with payment. The hackers state the Fraser Wheeler and Courtney data leak is over 50 GB, with a repurchase price of $100,000 USD.

As of this update, DarkOwl has observed 41 data leaks posted to the REvil/Sodinokibi ransomware hackers' "Happy Blog." The post numbering runs up to 76, so we assess there are a large number of corporate victims who have either not yet been named or who paid the ransom and avoided public inclusion on the darknet blog.

Given the volume and frequency of new postings, the threatening language used on recent public announcements and the latest introduction of the “auction” feature to their website, it is evident the hackers are feeling more emboldened and confident in the success of their extortion endeavors.

DarkOwl also discovered that data from a previous victim, the National Eating Disorders Association (NEDA), which DarkOwl Vision archived in late March and which has since been removed from the Happy Blog, recently appeared on a darknet marketplace not previously assessed to have any affiliation with the REvil hackers.

A vendor using the moniker "eternos" registered on ASEAN Market in early May, and the listing for the NEDA database appeared shortly thereafter for as little as $99 USD. There is no intelligence to suggest "eternos" is associated with the REvil hackers: the database could have been collected by an independent darknet group from links shared earlier on REvil's Happy Blog, or harvested from the NEDA network entirely independently of the REvil ransomware attack on the organization.

New Targets Announced over Memorial Day Weekend

While the US celebrated Memorial Day weekend, the REvil/Sodinokibi hackers continued to target corporations around the globe. On Monday, May 26, 2020, the hackers announced another new victim, a law firm called Vierra Magen Marcus LLP. They then announced their next target, Titan Entertainment, late Tuesday, May 27, 2020. Since DarkOwl Vision's first capture of the "Happy Blog" V3 hidden service in late February 2020, we know of at least 32 victims of the Sodinokibi ransomware named since the website launched, an average of 2.6 successful infections deemed worth public disclosure per week.

VIERRA MAGEN MARCUS LLP

Vierra Magen Marcus LLP is another California-based intellectual property law firm with an extensive client list across "Technology, Science, and Growth Enterprises." The hackers describe their extorted archive as 1.2 terabytes of documents including patents, non-disclosure agreements, and conflict resolution legal documents.

TITAN ENTERTAINMENT

Late Tuesday, the hackers added another victim, Titan Entertainment, based in London, UK, with only the URL for the company's website and the text "download- Will be soon…" The screen capture provided by the hackers appears to include a list of the company's servers and their associated backups, along with internal IP addresses of the compromised systems. At the time of writing, the website URL for Titan Entertainment listed on the Happy Blog is unresponsive.

FARO Technologies, a Leading 3D Printing/Manufacturing Company, is Latest Victim of REvil Hackers’ Ransomware Attacks

UPDATE: As of May 27th, Happy Blog no longer contains the post discussed below, suggesting FARO may have paid the ransom demands.

On May 20th, sometime between 11:31 MST and 2:38 MST, the hacking group known as REvil posted an announcement to their darknet blog, Happy Blog, stating that they had identified and compromised a new target, FARO Technologies. The hackers stated that FARO Technologies had 24 hours to pay their ransom demands or they would leak 1.5 TB of FARO's data to the public. It is unclear how many files REvil has in total.

This announcement comes as the hackers continue to target the high-profile law firm Grubman Shire Meiselas & Sacks – and leak highly sensitive data pertaining to their celebrity clientele.

Per their website, FARO is the world’s most trusted source for 3D measurement, imaging and realization technology. The company develops and manufactures leading edge solutions that enable high-precision 3D capture, measurement and analysis across a variety of industries including manufacturing, construction, engineering and public safety. 

Sometime after making this initial announcement, REvil updated their post to state they were giving FARO Technologies an additional 20 hours due to “a minor technical issue.” Then, in a subsequent post, they stated the following:

“FARO Technologies has exactly 3 hours, after which we will publish a link to the data here. FARO Technologies, if you do not know where to find the instructions, contact your employee [redacted]. He has already visited website, seen the instructions and knows what to do.”

On May 21st, REvil published the below announcement claiming that FARO had failed to meet their ransom demands, including a link to the data files. It is unclear what measures each party took to remediate this situation, though it appears that at some point, FARO’s parent company became involved. To our knowledge, REvil has never stated how much money they have demanded of their hostage.

May 19th/20th - Screenshot of initial announcement, and an image of the data they claimed to have belonging to FARO Technologies

May 21st - Screenshot of the actual data files that the criminal actors released to the public after claiming that FARO would not pay their extortion demands

Items of note in the file-tree shared as a preview of what will allegedly be included in the 1.5 TB data drop include: IT audits, forensic information pertaining to public safety, global research and development files, legal records, and user data. 

REvil Announces Next Target will be Madonna and Claims They’ve had Offers for Buyers for Trump Data

May 18: Just before 7:00PM UTC, DarkOwl analysts observed an update to Happy Blog with the following announcement. In it, REvil states that Madonna is their next target and that they will be auctioning off her personal files on the 25th of May. There is no reference to the ongoing ransomware attack on Grubman Shire Meiselas & Sacks (GSM), indicating the hackers may be pivoting toward profiting from the sale of high net worth individuals’ personal data instead of only pressing GSM for ransomware payments.

The hackers are starting the bidding for Madonna’s confidential data at $1 million.

Third Press Release from REvil announcing their next target will be music artist Madonna

The hackers also stated that they have far more information pertaining to Donald Trump than was released in their initial drop, and that they have received several offers from buyers who want the full extent of the information REvil has “accumulated” over time.

In the second press release they published, they address the fact that they have been accused of “bluffing,” maintaining that the full extent of the information they have on Trump is damaging and will lead to public disgrace and financial loss.

Second Press Release from REvil, defending the legitimacy of the files they have that pertain to Donald Trump

REvil also states that they do not plan to cease their ongoing ransomware attack, but do plan to profit from selling individual client data – regardless of whether GSM pays their ransom demands.


ORIGINAL POST:

Hollywood Law Firm Hacked; Personal Data of High Profile Individuals Exposed

On May 11, 2020, lawyers for the Hollywood elite, Grubman Shire Meiselas & Sacks (GSM) confirmed publicly they were in the midst of a cyber ransomware attack, with hackers holding hostage some 756 GB of sensitive client data, contracts, and personal information harvested from their main website server, www.gsmlaw.com, which remains offline.

The hackers, believed to be from Eastern Europe, demanded a ransom of $21 Million USD putting the law firm and their clients in a precarious position during already stressful times due to the COVID-19 pandemic.

Hackers Post Entertainment & Media Lawyers Data on Darknet, Date: May 14, 2020

Regardless of where the owners of the law firm are in negotiations with the hackers, or whether the FBI has become directly involved, the hackers have already started publishing data from the ransomed servers on the darknet. DarkOwl analysts discovered a Tor hidden service the hackers maintain called “Happy Blog.” It was there that they announced the GSM hack in early May, and it continues to be where the group routinely publishes updates. The hackers’ announcement lists many of GSM’s exclusive clients, such as Madonna, Facebook, Elton John, Barbra Streisand, and Lady Gaga, along with 9 inactive but prepared links for separate data leaks.

The underground website also includes screen captures of over 176 folders listed on the compromised server and what appear to be signed contracts and agreements from Christina Aguilera in 2013 and Madonna’s World Tour 2019/20. Numerous other famous actors and musicians from Hollywood are mentioned.

Sample of the Folders Hacked from the Entertainment Lawyer’s Server

Agreements with Clients Shared on the Darknet to Legitimize the Attack

Lady Gaga Data Exposed

Lady Gaga data leaked by Hackers in 2.2GB file

DarkOwl analysts also discovered the first of the 9 data leaks had been released at 2:00pm UTC on Thursday, May 14, 2020 and included over 2 GB of data related to entertainer, Lady Gaga, due to release a new album at the end of the month. Along with the data leak, the hackers updated the website to state, “we public the first part of the data because the time is up” (confirming that English is not their native language).

A review of the data revealed over 3,000 files across 350 folders, including but not limited to W9 forms, expense reports, producer agreements, certificates of engagement, and confidentiality agreements from the last decade. Of particular concern is the folder listed as “Gaga Medical Confidentiality Agreements,” which most likely includes some of the most sensitive personally identifiable information for the mega entertainer, such as her social security number.

Sample listing of some of the folders from Lady Gaga Data Leak on May 14th, 2020

The Next High Profile Individual Data-Drop: Donald Trump

On May 14, 2020, the hackers responded even more seriously, doubling the ransom in a new message stating, “The ransom is now [doubled to] $42,000,000 … The next person we’ll be publishing is Donald Trump. There’s an election going on, and we found a ton of dirty laundry on time.” According to PageSix, the hackers added, “Mr Trump, if you want to stay president, poke a sharp stick at the guys, otherwise you may forget this ambition forever. And to you voters, we can let you know that after such a publication, you certainly don’t want to see him as president … The deadline is one week.”

DarkOwl analysts have confirmed that the second drop did contain information pertaining to Donald Trump. While he was not a client of GSM’s, there were leaks from associates of his that reference him, as well as leaked correspondence between GSM and other clients in which either Trump or Trump’s entertainment holding company was mentioned.

Since Trump was not a client of GSM, the second REvil drop is not like Lady Gaga’s, and his personal files were not made public in any way. Regardless, DarkOwl analysts are currently in the process of reviewing the leaked correspondences for items of note. This blog will be updated accordingly as we do so.

“Small Press Release” Posted on Happy Blog announcing that the next target would be Donald Trump

REvil Announces New Target: Sherwood Food Distributors, LLC

UPDATE: As of (approximately) May 20th, Happy Blog no longer contains the post discussed below, suggesting Sherwood may have paid the ransom demands.

The same group of hackers who just released highly sensitive data relating to Lady Gaga as a part of their ongoing extortion attempt of Grubman, Shire, Meiselas and Sacks have posted on the darknet that they are holding another company for ransom – Sherwood Food and Harvest Distributors. The threat actors posted a notice about their new target around 3pm MST 5/15.

This notice contained a link to download a portion of Sherwood’s proprietary files as “previews,” which they plan on releasing one at a time (8 in total). The first link to leaked information contains roughly 2,300 files. These files contain highly sensitive data including cash-flow analysis, sub-distributor information, detailed insurance information, proprietary vendor information (including for Kroger, Albertsons, and Sprouts), scanned driver’s license images for drivers in their distribution networks, etc. The threat actors also posted a conversation they had with Coveware, a leading ransomware mitigation company, dating back to at least May 3rd.

This shows Sherwood has been aware of and dealing with this attack for over a week, and had not made this information public. While the threat actors only posted Coveware’s side of the conversation, it is clear that Coveware attempted to negotiate by acting as a middleman between Sherwood, their board, and the attackers. Also of note is that Grubman, the law firm, also utilized Coveware’s services, which is worth keeping in mind considering these are two supposedly unrelated companies/targets.

Announcement on Happy Blog that Sherwood Food Distributors was the latest target of REvil hackers

Screen captures of the conversation the hackers had with Coveware, a 3rd party ransomware mitigation firm

Sample Sherwood data that REvil sent to Coveware to show them that their threats were serious

Who are these Hackers?

According to open source reporting, the hackers responsible for the ransomware are reportedly known as REvil or Sodinokibi, who infamously attacked foreign exchange company, Travelex late last year with similar ransomware. Travelex paid the hackers $2.3 Million of the $6 Million USD in ransom demanded.

There are several mentions of the ransomware developers across English and Russian speaking darknet forums and marketplaces.

The Sodinokibi ransomware authors and their associates have been widely distributing the ransomware through infected Javascript on WordPress websites. Upon installation on the victim machine, it deletes all Shadow Volume Copies, disables the Startup repair in Windows and then begins encrypting all the files on the system hard drive.
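To turn the pre-encryption behaviour described above into something a defender can watch for, here is an added detection example (not DarkOwl’s or REvil’s code). It scans constructed process-creation log lines for the Shadow Volume Copy deletion and Startup Repair disabling the paragraph describes. The log layout, host names and regex patterns are assumptions: the patterns cover the commonly observed vssadmin, wmic and bcdedit invocations for those actions and are not quoted from the page.

```python
"""Spot ransomware recovery-inhibition precursors in process-creation events.

Added example, not DarkOwl's or REvil's code. Sodinokibi is described as deleting
Shadow Volume Copies and disabling Windows Startup Repair before it encrypts;
the regexes below cover the commonly observed vssadmin/wmic/bcdedit invocations
for that (assumed, not quoted from the page). Log lines are constructed to look
like flattened Sysmon Event ID 1 / Security 4688 process-creation records.
"""
import re
from collections import defaultdict

# behaviour name -> regex applied to the lower-cased command line
PRECURSOR_PATTERNS = {
    "shadow_copy_delete": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"),
    "startup_repair_disable": re.compile(
        r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no"),
    "boot_status_ignore": re.compile(
        r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures"),
}

# constructed record layout: <timestamp> host=<name> pid=<n> cmd="<command line>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+pid=(?P<pid>\d+)\s+cmd="(?P<cmd>.*)"$')


def parse_line(line):
    """Return the record's fields as a dict, or None for lines that don't fit."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(cmd):
    """Names of every precursor behaviour a single command line exhibits."""
    low = cmd.lower()
    return [name for name, rx in PRECURSOR_PATTERNS.items() if rx.search(low)]


def scan(lines):
    """Group matched command lines by host and behaviour: {host: {name: [cmd, ...]}}."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name in classify(rec["cmd"]):
            hits[rec["host"]][name].append(rec["cmd"])
    return {host: dict(by_name) for host, by_name in hits.items()}


def alert_hosts(lines, min_distinct=2):
    """Hosts showing at least min_distinct different precursor behaviours.

    A lone shadow-copy deletion may be an admin reclaiming disk space; a
    deletion *and* a recovery-disable on the same host is the ransomware
    pattern and is the point at which that host should be isolated.
    """
    return sorted(h for h, by_name in scan(lines).items()
                  if len(by_name) >= min_distinct)


# Constructed sample: ws-017 shows the full pattern, fs-02 is a benign admin
# listing, ws-044 shows a single suspicious deletion, last line is junk.
SAMPLE_LOG = [
    '2020-05-20T14:02:11Z host=ws-017 pid=4120 cmd="vssadmin.exe Delete Shadows /All /Quiet"',
    '2020-05-20T14:02:12Z host=ws-017 pid=4131 cmd="bcdedit /set {default} recoveryenabled No"',
    '2020-05-20T14:02:12Z host=ws-017 pid=4132 cmd="bcdedit /set {default} bootstatuspolicy ignoreallfailures"',
    '2020-05-20T14:05:40Z host=fs-02 pid=988 cmd="vssadmin list shadows"',
    '2020-05-20T14:09:03Z host=ws-044 pid=2210 cmd="wmic shadowcopy delete"',
    'garbage line that should be skipped',
]

if __name__ == "__main__":
    for host, by_name in scan(SAMPLE_LOG).items():
        print(host, sorted(by_name))
    print("isolate:", alert_hosts(SAMPLE_LOG))
```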

Once the malware completes its encryption process, Sodinokibi modifies the desktop wallpaper, adding a ransom note, which contains instructions about the decryption process. The ransom note also includes instructions on how to make the payment to have the files decrypted, including unique keys and links to the payment site (likely Monero).

Reception to REvil’s latest antics has not been great. Members of the XSS forum have expressed displeasure at how much attention this has brought them, posting:

Translation: “hey can’t keep their mouths shut)

Who are they? Threatening the President of the United States is not a very smart thing to do, especially BL#t on the FORUM. They would have rolled out their post about it on THEIR website, where they throw bases – no one would have said a word to them.

And so such clowns generally need to be driven from the forums, so that the water is not muddied. IMHO”

DarkOwl Analysts continue to dig into this hacking group to see what we can uncover. Stay tuned for updates as we will continue to update this blog with new findings.

Zoom Accounts For Sale on the Darknet Highlight On-Going Need for Better OPSEC

As most of the world shelters in place due to the COVID-19 pandemic, Zoom – the video conferencing tool we’re all very familiar with by now – has witnessed an extraordinary surge in use. Employees are on calls in Zoom for hours a day conducting meetings with their coworkers. Families and friends, unable to meet in person, connect on Zoom for virtual happy hours, weekends and holidays. In the first quarter of 2020, Zoom Video Communications added 2.22 million monthly active users, contributing to what is rapidly approaching a total of 13 million monthly users.

Given that hackers have also been on lockdown in their homes, it is no surprise that less than a month after most of the U.S. went under quarantine, compromised Zoom accounts appeared for sale on criminal forums on the deep web and darknet. In late March, news headlines declaring a “Zoom Breach” quickly began appearing en masse. As a result, we decided to take a closer look at what we’re calling the “Zoom Situation” (more on that below), and in this blog will outline how, in a matter of months, this convenient, free video conferencing software became a major public information security concern.

One item that we want to note upfront is that Zoom – as in, the company – was not breached. To our knowledge, no hacker gained access to their user database or broke into their servers in any way. As analysts, we take care to differentiate between “breaches,” “leaks,” “credential compilations,” etc., because they mean very different things in relation to the cybersecurity posture of the targeted organization.

Zoom is only as insecure as your password reuse habits

The latest offers for Zoom accounts across darknet forums and marketplaces speak less to the security of Zoom’s software and more to the continued reuse of username and password combinations across commercial applications. In other words, the most important takeaway from this situation is that it would have been entirely avoided if Zoom users weren’t reusing passwords they had used elsewhere.

There’s nothing particularly special about Zoom’s conferencing security. The platform relies on the standard Transport Layer Security (TLS) 1.2 protocol, which replaced the deprecated Secure Sockets Layer (SSL) for HTTPS, and encrypts chats with the Advanced Encryption Standard (AES) using 256-bit keys. In spite of this fairly basic framework, however, there is no indication that the 500K accounts offered for sale were collected by exploiting a vulnerability in the Zoom application.

Instead, DarkOwl assesses with high confidence that the hackers selling this data have instead used a method called “credential stuffing” to test Zoom login authentication against publicly available username and password combinations. So, if your email address and password were exposed in another breach, even from years back, and you used that same email/password to log into Zoom, you would now be a part of what others are referring to as the Zoom Breach.

By running old, leaked credentials through a credential-stuffing validation tool, hackers managed to find and confirm the logins for 3.8% of Zoom’s registered members in historical data breaches. Anyone using a tool like this could target any organization they wanted to.
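As an added example (not DarkOwl’s or Zoom’s code), the following scans constructed login-audit lines for the trace credential stuffing leaves on the defender’s side: one source trying many distinct accounts with a low success rate, where the few successes are exactly the users who reused a breached password. Line layout, IP addresses, account names and thresholds are all assumptions made for this example.

```python
"""Flag credential-stuffing traffic in login-audit lines.

Added example, not DarkOwl's or Zoom's code. Credential stuffing replays leaked
email/password pairs against a login endpoint, so one source tries many
*distinct* accounts and mostly fails; the rare successes are the users who
reused a breached password. Line layout, addresses, names and thresholds are
assumptions made for this example.
"""
from collections import defaultdict


def parse(line):
    """Constructed layout: '<ts> ip=<addr> user=<email> result=<ok|fail>'."""
    fields = dict(part.split("=", 1) for part in line.split()[1:])
    return fields["ip"], fields["user"], fields["result"] == "ok"


def profile_sources(lines):
    """Per source IP: attempt count, distinct accounts tried, accounts logged in."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "ok": set()})
    for line in lines:
        ip, user, ok = parse(line)
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if ok:
            s["ok"].add(user)
    return stats


def stuffing_sources(lines, min_users=5, max_success_rate=0.2):
    """Sources that hit many distinct accounts with a low success rate.

    A user mistyping their own password fails repeatedly against ONE account;
    a stuffing run spreads its failures across MANY accounts.
    """
    flagged = []
    for ip, s in profile_sources(lines).items():
        rate = len(s["ok"]) / s["attempts"]
        if len(s["users"]) >= min_users and rate <= max_success_rate:
            flagged.append(ip)
    return sorted(flagged)


def reused_password_accounts(lines, **thresholds):
    """Accounts a flagged source logged into: these users reused a breached
    password and need a forced reset (and ideally MFA), not just a warning."""
    stats = profile_sources(lines)
    return sorted(
        user
        for ip in stuffing_sources(lines, **thresholds)
        for user in stats[ip]["ok"]
    )


# Constructed sample: 203.0.113.5 sprays eight accounts and gets one in;
# 198.51.100.7 is one user retyping their password; 192.0.2.9 is normal use.
SAMPLE_LOG = [
    "2020-04-21T09:00:01Z ip=203.0.113.5 user=alice@example.com result=ok",
    "2020-04-21T09:00:01Z ip=203.0.113.5 user=bob@example.com result=fail",
    "2020-04-21T09:00:02Z ip=203.0.113.5 user=carol@example.com result=fail",
    "2020-04-21T09:00:02Z ip=203.0.113.5 user=dave@example.com result=fail",
    "2020-04-21T09:00:03Z ip=203.0.113.5 user=erin@example.com result=fail",
    "2020-04-21T09:00:03Z ip=203.0.113.5 user=frank@example.com result=fail",
    "2020-04-21T09:00:04Z ip=203.0.113.5 user=grace@example.com result=fail",
    "2020-04-21T09:00:04Z ip=203.0.113.5 user=heidi@example.com result=fail",
    "2020-04-21T09:10:00Z ip=198.51.100.7 user=ivan@example.com result=fail",
    "2020-04-21T09:10:08Z ip=198.51.100.7 user=ivan@example.com result=fail",
    "2020-04-21T09:10:15Z ip=198.51.100.7 user=ivan@example.com result=fail",
    "2020-04-21T09:10:30Z ip=198.51.100.7 user=ivan@example.com result=ok",
    "2020-04-21T09:20:00Z ip=192.0.2.9 user=judy@example.com result=ok",
    "2020-04-21T09:21:00Z ip=192.0.2.9 user=ken@example.com result=ok",
]

if __name__ == "__main__":
    print("stuffing sources:", stuffing_sources(SAMPLE_LOG))
    print("force reset:", reused_password_accounts(SAMPLE_LOG))
```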

One such tool called SNIPR (pictured) is a leading credential-stuffing toolkit supporting multiple attack surfaces including web requests (http/s) and IMAP-based email accounts without the need for any command-line or shell programming from the user.

Figure 1: SNIPR credential-stuffing toolkit in action (Source: www.snipr.gg)

Because of the increased worldwide use of Zoom due to the pandemic, Zoom became a target of interest for (presumably) bored hackers, resulting in a list of 500K verified Zoom accounts being offered for sale on the darknet service, POPBUY Market for 10,000 USD in BTC ($50 USD per account). It is unclear from the vendor’s listing on the market who is behind the offer or if it is legitimate.

Figure 2: POPBUY Market (Source: Tor Anonymous Network, Captured Live 21 April 2020)

Figure 3: Sanitized Snapshot of Sample Zoom Data offered for Sale (Source: DarkOwl Vision MD5: edf8ca26843157d313f6502ff970a9bb)

Another listing for Zoom account data appeared on deep web hacking forum, nulled.to, at a much cheaper price than the darknet marketplace above. This advertisement pointed to the hacker’s “Shoppy” account that offers each account for as little as 0.25 USD and included an external link to a sample file with some of the compromised data. The paste included 91 records with the username, password, Zoom URL (with password), Numerical HostKey, Real Name of User, and account type.

Our analysts confirmed that the sample “hacked accounts” in the offer include email address and password combinations indexed in Vision from previous data breach collections, confirming the hackers likely verified the accounts using credential stuffing.

DarkOwl assesses that the significantly reduced price compared to the darknet market is the result of Zoom advising users to change their passwords, making the account data virtually useless to the buyer.

The hacker offering these accounts uses the monikers sufiyan.755 and MuratSarsilmaz. This moniker has “junior member” status on the surface web forum LeakZone and no darknet documents in DarkOwl Vision.

The hacker’s Shoppy account also lists very few other offerings, suggesting this is a beginner hacker entering the market.

Figure 4: Offer for x10 Zoom Accounts (Source: LeakZone.net Deep Web Forum, Captured Live 21 April 2020)

Zoom may be in the clear in this case, but historically does not seem concerned about user privacy

Zoom is sharing your data with Facebook

In March 2020, open source reporting confirmed that Zoom has been making money by sharing personal user data with Facebook in return for subsequent advertisement revenue. A new, resulting lawsuit states that Zoom, “failed to properly safeguard personal information” of its users. The lawsuit follows a MotherBoard report that verified how the Zoom iOS app for Apple smartphones was sharing information with Facebook about its users without their consent.

Figure 5: qTox, an alternative to Zoom, supports encrypted video conferencing (Source: http://www.linux.com)

Data that Zoom shared with Facebook included:

  • a flag when the user opens the app

  • details on the user’s device such as the model

  • the time zone and city they are connecting from

  • the phone carrier they are using

  • a unique advertiser identifier created by the user’s device which companies can use to target a user with advertisements in the future.

This sharing of data with Facebook was not included in the application’s Terms and Conditions, which is the foundation for the lawsuit. Most anonymous and privacy conscious internet users avoid video conferencing software like Zoom and prefer encrypted applications like qTox (pictured) or Signal, or will simply forgo video chatting all together.

They’ve allowed Zoom-bombing to thrive

The science of Zoom-bombing is as simple as BASH. Before the pandemic, some Zoom users complained of random people connecting to their Zoom conference meeting rooms without saying anything. Other hosts even received Zoom’s alert email “participants are waiting” at all hours of the night, which appears to have been reconnaissance for testing what has morphed into the pandemic Zoom-bomb.

Since quarantine, many conferences have been subjected to the Zoom-bomb, where hackers enter the conference and subject the unwilling participants to an array of shocking and often illegal content. The frequency of this has resulted in now widespread use of password-protected conferences and required host approval for participants entering after the meeting has started.

How does this happen? Largely, it can be attributed to Zoom’s overly simple meeting URL, which appends a string of 9 numbers to the address as the user’s meeting identifier: https://zoom.us/j/<string of 9 random numbers>. DarkOwl analysts shared that this simple string of 11 numbers could be auto-generated in a loop inside a BASH shell script or any popular scripting language that then tests the URL with the UNIX curl or wget command. Confirmed accounts could then be targeted by manually “bombing” the conference call with malicious audio and imagery.

Some open source reports suggest that many of the trolls behind the majority of the Zoom-bombings are anti-semitic hackers targeting Jews during online meetings by flooding conferences with imagery of swastikas and Nazi soldiers. There’s a lot of evidence that suggests that is true, however a number of hackers have targeted many other non-faith-based and academic conferences, as well as individuals.

To make the situation more complicated, adding password requirements to Zoom meetings might soon not be enough, though we do strongly recommend this as an initial step. For example, last week, hackers on the popular darknet cybersecurity forum Torum mentioned a resourceful tool called the ZWarDial code, developed by KCSec. According to Brian Krebs, this code apparently leverages the BASH script idea and automates the Zoom-bomb without the need for a user account or password. This intelligence suggests that hackers are already evolving their tactics and techniques in response to Zoom’s security implementation.

Figure 6: Hackers discuss sophisticated tools that could circumvent Zoom security (Source: DarkOwl Vision MD5: 5ddbbce8549cc1b33628dc0eba5b8280)

Hackers might be attempting to disable Zoom accounts in the future

DarkOwl Vision also captured a snippet of PowerShell source code for a function called “Disable-ZoomAccount”, which includes logic to check whether a user exists on Zoom via a User Principal Name (UPN), in this case an email address; if the legitimate user is “active”, the code changes the ZoomUserStatus to “deactivate.” The function writes to a log whether it succeeded or whether manual intervention is required to disable the account before closing. The purpose of the function, or how it will be used in the wild, was not identified in the deep web document.

Figure 7: PowerShell source code for a function that disables Zoom Accounts (Source: DarkOwl Vision MD5: 28e89b4454f2dfdbc5a97fb0b2c1c92c)

Zoom is rapidly patching security issues

Zoom has responded quickly to criticism of its video conferencing platform. This is perhaps in response to the fact that in late March and early April 2020, New York City school districts – as well as Elon Musk’s SpaceX operation – publicly stated they would no longer be using Zoom software due to ongoing security concerns.

The digital conferencing platform has also responded with an in-depth security audit and released multiple security updates to the software. Security updates include support for more complex meeting password requirements, a longer random meeting ID (increased from 9 digits to 11), and password protection for shared cloud recordings of meetings turned on by default.

To prevent unauthorized and un-attributable malicious access, there is no longer the option to “Join Before Host” and all participants require a Zoom account to participate in a Zoom conference call. Zoom had also temporarily disabled third-party support for file-sharing services such as Box and OneDrive; as of late last week’s security updates, this feature was available again.


Takeaways and advice

When it comes to Zoom, there are still steps that you can take right now to add an additional measure of security to yourself and your organization:

  • What happened with Zoom could happen with any internet-based application. So, remind your employees, family and friends to choose unique password and email address combinations on every commercial application.

  • Adding password protection to Zoom meetings is the first step to mitigating unauthorized access to the user’s conference room.

We can’t emphasize this enough: what happened to Zoom (and Zoom-users) can happen to any internet-based application at any time. It only takes one hacker with access to old, breached/leaked credential data and a credential-stuffing tool to target an organization of their choosing. As such, with the current level of dependency on remote working and virtual video conferences, DarkOwl encourages all to be vigilant while using any platforms that require user account registration:

  • Set-up accounts on such software with unique (if not disposable) email addresses, using complex passwords not used anywhere else

  • Apply any and all additional security options available, such as password-protection for the meeting and limiting access to stored shared recorded meetings.

If you are considering abandoning Zoom altogether, TechRepublic recently posted a list of alternative video conferencing applications.


Thanks for reading our blog! Contact us if you want to know more about this issue or discuss how DarkOwl can help mitigate your account information appearing on the darknet.

The Underground Exotic Wildlife Trade

In response to the worldwide phenomenon that is Netflix’s wildly successful Tiger King docu-series, many viewers now understandably have questions about where and how the sale of exotic animals takes place. That is, other than in back-alley handshakes between Joe Exotic and Doc Antle. Having observed sales of exotic animals on the darknet in the past, we decided to put together this briefing on how darknet vendors market and sell animals and animal parts in underground markets.

We were also interested to see if there has been an uptick in this type of listing, or an uptick in the demand for these types of purchases as a response to the Netflix series. The conclusion we came to is both good and bad – depending on your stance on exotic wildlife and animal sales. From what we can tell, while there hasn’t been a noticeable surge in the actual exchange of wild animals (or animal goods such as ivory), there is still a thriving marketplace that shows no sign of slowing.

Read on to see some real-life vendor listings on the darknet, including advertisements for the sale of Black Cougar cubs, Jaguar cubs, baby Gorillas, and many more. Note: DarkOwl does not endorse nor support these vendors, sales, or listings in any way. DarkOwl has historically partnered with organizations such as the Global Emancipation Network and Kruger Park to eradicate human and animal exploitation.

Source: Image via Pixabay

Lions, Tigers, and Bears, Oh My

Long before Netflix’s Tiger King became one of the most popular series on television, DarkOwl analysts reaffirmed the existence of an elaborate black market on the darknet driven by the exotic wildlife and animal poaching industry. The following findings from DarkOwl Vision introduce some of the darknet’s leading vendors in the darknet wildlife trade community, along with their sources.

According to a 2017 report published by INTERPOL, the darknet, specifically the Tor anonymous network, has been a source for illegal wildlife trade since 2015, and likely even earlier, as inferred from some open source blogs discussing animal endangerment. Using DarkOwl Vision, queries including exotic wildlife market keywords quickly revealed a number of interesting results across darknet markets and forums. One vendor in particular, “ivoryking” (a.k.a. africanivoryking), has the largest darknet presence in the database, with over 150 documents in DarkOwl Vision advertising African ivory and exotic pets including lion and cheetah cubs, Nile crocodiles, leopards, and baby gorillas across multiple authenticated hidden services.

DarkOwl Vision MD5: 8fea97f581c4d7c7dff7691c27371f2c

Many other offers are less commercialized and resemble a local classified advertisement for the exotic animal trade, as when the user “busuloveline” posted on the deep web offering foxes, cheetahs, and tigers. Another thread, posted late last year on an Italian darknet forum, listed a number of different types of “exotic pets” for sale and included a surface web Gmail account for contact. The disturbing part of this listing was that not only was “dog meat” included, but the advertiser also differentiated between a “Bear – Complete” and “Bear paws.” Neither listing included prices for the animals.

Source: DarkOwl Vision - Doc ID/MD5: 32ce51c47421bb389b776ceaee135e41

Image Sourced Directly from Tor: http://ferkey4nox6vbqwr[.]onion/viewtopic.php?f=9&t=55789

Source: DarkOwl Vision - Doc ID/MD5: 9be8ce6409fb6bf98ed7f26822181dfa

During the summer of 2019, on The Majestic Garden (TMG) forum, a member known by the moniker “SmallFryHoolagin” initiated a lengthy discussion with an offer for exotic pets, suggesting this is a new business trade they were interested in starting. In their post, SmallFryHoolagin stated that they would only offer to sell to the TMG community and was looking for animal recommendations.

Responses included everything from “is this a joke?” to the desire for exotic serval cats and Komodo dragons. Many replies alluded to keen interest in toads (e.g. the Bufo alvarius species) that are often exploited for the hallucinatory effects of the 5-MeO-DMT molecule on their skin.

The popular thread garnered over 5,000 views in the forum and the comments are insightful regarding trends in the market demand on the darknet.

Source: DarkOwl Vision - Doc ID/MD5: adbdc331e235611b62c2f1be1b38c462

Other darknet exotic animal enthusiasts merely discuss the implications of trying to sell these types of items without getting arrested, like SmallFryHoolagin, sussing out whether the industry is profitable and open for business. This type of data could be used as an investigative thread for future exotic animal trading on the darknet.

DarkOwl Vision MD5: c59bab2212a7dd4b782ace54d78d193d


Inside Sources

One vendor on the darknet, calling themselves the “Rough Diamond/Gold & Fossil Export,” also references a surface web URL that directs to “Fossil Realm,” a legitimate Canadian company based in Ottawa that trades in rare fossils, minerals, meteorites and colored gemstones. Many of the minerals are purchased from abandoned packages at shipping companies, meaning they have been shipped illegally.

Fossil Realm’s darknet market advertisement mentions their acquisition methods, stating that much of their gold, rhino horns, and elephant tusks are supplied by corrupt government officials, who apparently only seize some of these items on an arbitrary basis.

 
Source: http://www.fossilrealm.com

In at least one instance, Fossil Realm has publicly stated that their darknet marketplace listings provided more than 60% in profit, and that all of these transactions were done using Bitcoin (BTC). (pictured below)

 
Source: DarkOwl Vision - Doc ID/MD5: 18b8a2a6587bf4b70d8b22baea36a0e6


Another darknet Rhino horn vendor claims they source their products from South Africa and are attempting to create a sustainable market by working with the breeder to allow for horn regrowth between harvesting sessions.

 
Source: DarkOwl Vision - Doc ID/MD5: 24e2929da44c76660230ba525669e171


Exotic animals sourced around the Canadian border

 
Image Discovered on http://www.pretyexotics.com

Source: DarkOwl Vision - Doc ID/MD5: be0527743e8d7239c8e9d7b92ef28976a

Based on our research, Canada appears to be a popular source for animal goods, including exotic tusks. For example, one darknet vendor – who recently advertised their trade operation on the controversial darknet market Open Bazaar – stated that their products ship from Alberta (pictured below).

Another deep web classified forum for exotic animals, Prety Exotics (pictured right and above), modeled a marketing approach reminiscent of Fossil Realm’s and included their surface web domain and shopfront in their darknet listing. At the time of publication, Prety Exotics lists their company location as Maplewood, Minnesota, which is near the Canadian border.

Source: DarkOwl Vision - Doc ID/MD5: fdc9165a1b168648846ed91b6b3b459a


Despite international law enforcement efforts to track down and stop the trafficking of exotic and endangered species, the darknet wildlife trade industry persists, leveraging the anonymity of the network. Meanwhile, many poachers have shifted to trading these animals openly on platforms like eBay and Facebook.

DarkOwl will continue to monitor this and similar topics of interest to our clients. Stay tuned for future content from our analysts and darknet researchers.

Daniel goes dark for good

On March 10th 2020, hackers targeted one of the most prominent anonymous website hosting providers on the darknet, Daniel Winzen, subsequently knocking over 7,500 hidden services across Tor offline. DarkOwl analysts, who regularly monitor the darknet directly, observed this event occur via DarkOwl’s Vision platform and have spent recent days reviewing what happened to quantify the impact to the darknet.

Editors note: the following report contains explicit language and references sensitive material.

 
Screenshot of Daniel’s PHP chat during the recent March 10, 2020 hack


Who is Daniel Winzen?

Source: DanWin github user profile picture

Daniel Winzen, also known as “DanWin” or @daniel, has been a major player in the darknet community for at least the last five years. The German 20-something-year-old has long provided hosting and directory services as well as e-mail and communication mediums like Jabber/XMPP and a PHP-based anonymous chat built on the Le-Chat code base, across Tor and I2P.

Winzen has been applauded by some for consistently providing the technical services he has, while others have criticized him for facilitating the distribution of illegal content from scammers and pedophiles.

Target: Daniel’s Chat SQL Database

Around 01:00 UTC in the early hours of March 10th 2020, members present in Daniel’s Chat were surprised to see their super admin, @daniel online. Since the last attack against Daniel’s Hosting services in November 2018, @daniel rarely visited the chatroom, blaming member-infighting and a busy work schedule. It took no time to notice that the topic for the chatroom had been modified to “ALL YOUR BASE ARE BELONG TO US. ALL SHALL BOW BEFORE ME OR FACE MY WRAITH” [sic] and @daniel was not actually commanding his account in the chatroom.

A guest account using the moniker @null was rapidly promoted to an administrator role; the new admin then kicked staff and members out of the chatroom and promoted another guest account with the moniker @Pickle. @null had little to say, but did post an all-caps declaration positioning themselves as “king” and demanding everyone “bow” to them.

03-10 01:39:27 – null – I am your king now
03-10 02:15:04 – null – are you not going to bow before me? Your new leader
03-10 02:20:03 – null is now a registered applicant.
03-10 02:21:24 – null – I HAVE COME FOR YOU
03-10 02:23:49 – null – YOU SHALL ALL BOW BEFORE ME
03-10 02:27:13 – null – i have seized control over the chat;
03-10 02:28:35 – null – By the way, this chat logs your headers and has a backup of everything you say. You’ve all essentially been joining a honeypot.
03-10 02:31:52 – null – Also, daniel is no more
03-10 02:36:37 – Pickle is now a registered member.
03-10 03:46:42 – null – stick around
03-10 03:46:55 – null – You’ll see the bigger picture soon

— Excerpt from Daniel’s Chatroom Transcript, March 10, 2020

Then, at 02:51 UTC, a chat user named @Dolly emerged without “entering,” stating that the hackers stole @daniel’s chat password and that the server itself had not been compromised. @Dolly also said, “Doesn’t look like you can delete @Syntax” suggesting that @Dolly was likely an alternate account for the chatroom’s controversial super administrator, @Syntax. She also confirmed that @daniel was not logged in as he was not usually awake this early to do so.

@Dolly’s arrival prompted dialogue between the hacker @null and chatroom users, while @Syntax expressed less interest in fighting and was more interested in discussing the “reasoning” behind the hack.

At one point, @Dolly commends the alleged responsible parties by saying, “I’m kinda in awe as to what you did.”

03-10 03:01:11 – Dolly – @null I see. I mean if that is what you wanted, I think that the parties running the chat would have handed it to you.
03-10 03:01:08 – xTIFFys – How so? @Z
03-10 03:00:54 – Z – chat got fucked
03-10 03:00:03 – xTIFFys – Hey. @meerkat
03-10 02:59:55 – null – I’ve downloaded everything I wanted.
03-10 02:59:52 – meerkat – Hakuna Matata =(^.^)= ❤ @xtiffys
03-10 02:59:37 – null – why not?
03-10 02:58:57 – xTIFFys – Hello everyone.
03-10 02:58:19 – xTIFFys entered the chat.
03-10 02:57:36 – Dolly – I won’t fight you, I really would like to know the reasoning
03-10 02:57:16 – meerkat – Delete what
03-10 02:56:49 – Dolly – Why do you want to delete it?
03-10 02:56:28 – Dolly – @null. Okay.
03-10 02:56:12 – Dolly – What’s the goal?
03-10 02:56:05 – null – I plan on deleting it
03-10 02:55:58 – null – No @Dolly
03-10 02:54:56 – anon – @null what do you mean this server is a honey pot
03-10 02:54:53 – Dolly – So this place in gonna turn back into a doxing, pedophile wonderland.
03-10 02:54:14 – Z – heh @meerkat
03-10 02:54:12 – Dolly – Thats how I know they don’t have server access, they just have site access.
03-10 02:53:48 – meerkat – Someone should make me a mod so I can get a back door through the filters again
03-10 02:53:27 – meerkat – You need server admin to delete syntax 😂 nice try though
03-10 02:53:05 – Dolly – Its too early for daniel to be awake, in about an hour or so.

— Excerpt from Daniel’s Chatroom Transcript, March 10, 2020

For the next hour, @Syntax along with various guests and transient members chatted about random subjects ranging from EU and German laws around pedophilia to the 19th Amendment, while random trolls entered and continued to attack only @Syntax directly. One chat member and presumed online boyfriend of @Syntax, known by the moniker @Fuggles, joined the chat and had little to say.

One guest to the chatroom suggested the hack was organized by @Syntax to break up with @Fuggles, while another long-time user and former staff member of Daniel’s Chat, known as @meerkat, simply hypothesized that the hacker @null and @Syntax were one and the same person – essentially alleging that this was orchestrated from the inside.

03-10 03:36:14 – meerkat – I have a feeling @null is syntax.
03-10 03:36:19 – xTIFFys – I think that guy was strangled not shot. @anon
03-10 03:36:27 – meerkat – Actually if be willing to bet my next pay check
03-10 03:37:21 – xTIFFys – Wish I had that kind of security, @meerkat.
03-10 03:37:25 – xTIFFys – LOLZ
03-10 03:38:11 – meerkat – Hehe me too @xtiffys if I were to lose I’d be broke for a month

— Excerpt from Daniel’s Chatroom Transcript, March 10, 2020

By 04:00 UTC, the hacker had kicked @Syntax and all guests using variations of her nickname from the room. Less than 10 minutes later, @null stated Daniel’s Chat was the last site left on Daniel’s Hosting. This suggests that while everyone was conversing, the hacker(s) were busy deleting the web services hosted on Daniel’s servers by elevating the privileges of @daniel’s admin account. We find this to be at least partially true, as it appears that the hackers targeted Daniel’s databases via the chatroom and not the web server content, like raw HTML and CSS files.

At 04:31 UTC, Daniel’s account simply announced, “pwned.” At 04:32 UTC, the chatroom returned the message “Fatal error: No connection to database!”, suggesting the hack was complete and the chat database was no longer online.

The method and the justification

Less than 5 minutes after the chatroom went offline, a single post appeared on the drama and spam-filled Tor hidden service, DeepPaste, with the hackers blaming staff pedophiles and Syntax directly for the attack against Daniel’s services. The hackers also included a link to another external hidden service on Tor with a list of all the filters from the admin panel in the anonymous chatroom. It is rumored staff moderators used the extensive list of filters, consisting of mostly keywords and URLs linked to illegal subject matter, for auto-kicking guests posting banned content. 

The reason for posting this – along with their final statement – is unknown and the service containing the filters is no longer online.

Screenshot of a posting on DeepPaste that broadcasts that Syntax and others are responsible for the takedown of Daniel’s Hosting

A couple of hours after the hack, user @meerkat posted to another Le-Chat on Tor that he had confirmed with Daniel via his friend Adriane that his administrator password had been simply brute forced. Given @daniel’s limited involvement, he expressed skepticism the chatroom would ever return.

Source: Black Hat Chat on Tor

The Hacker @null and the Accomplice @Pickle

03-10 04:07:28 – Pickle – Hmm, lots of people just seem to get what they deserve…
03-10 04:19:45 – Pickle – They’re all against you.
03-10 04:20:10 – Pickle – They all must die…t

— Excerpt from Daniel’s Chatroom Transcript, March 10, 2020

Little is known about @null or @Pickle in the Daniel’s Chat community, as the nicknames were not previously registered as members on the chat. While @null entertained questions from @Dolly/@Syntax about how the attack was conducted, @Pickle made only three statements over the last 30 minutes that the chat was online.

Using Vision, DarkOwl analysts uncovered lengthy history for both monikers (null and Pickle) in the underground community known as Kiwi Farms.

Kiwi Farms, formerly known as CWCki, has been on the surface web since 2013 and archived by DarkOwl on Tor since October 2017. It was set up by Joshua “Null” Moon as an exclusive image board for trolling and harassing an autistic transgender web comic artist, but has since evolved into a dedicated discussion board for “lolcows,” including stalking and doxing of public and internet figures.

Screenshot of the user profile “Null” on Kiwi Farms forum

The content on Kiwi Farms is consistent with typical chanboard-like discussions. There are recurring anti-pedophilia threads and general disdain for FBI honey-pots. There are very few technology or hacking focused threads on the Kiwi Farms forum.

Source: Kiwi Farms forum

In November 2019, darknet hackers targeted Kiwi Farms leaking their member and conversations database on the popular forum, RaidForums, possibly giving the staff and members of the community at Kiwi Farms justification for a cyber-based retaliation.

Source: DarkOwl Vision MD5 - 2e960aacf263ec00196320254f94ca1f

Despite the leak in 2019, the evidence connecting Kiwi Farms to the hack of Daniel’s earlier this year is extremely weak and circumstantial. Kiwi Farms has over 50,000 registered users and several prominent members include “Pickle” in the moniker, e.g. long-time member “Pickle Inspector,” but DarkOwl analysts were unable to connect these, nor their administrator “Null”, to the hackers of Winzen’s services.

Unfortunately, “null” is also a common moniker observed in recent years on popular darknet cybersecurity forum, Torum. In late 2018, “null” posted a course on social engineering, written as CURSE OF ENG.SOCL.

The thread was not well-received, nor did the member “null” post that frequently, having less than a dozen posts on the forum since their registration in September 2018.

 
Source: DarkOwl Vision MD5: 12a9f3ba67f2a6be2c19b56e7a4f58cc

Did GhostSec send a warning a week prior?

On March 3rd 2020, a guest by the name of @Sebastian entered Daniel’s Chat and stated “GhostSec is watching you,” adding that they had taken control of discord servers of Daniel’s – servers that members in the chat didn’t know he even had.

Shortly before getting kicked from the room, @Sebastian posted a fingerprint and claimed Daniel was compromised while accessing child pornographic content called, Tiny Voices. Sebastian is also the moniker and name of the leader of the anti-pedophilia hacking group formerly known as Ghost Security (#GhostSec). Sebastian Dante Alexander, who uses the Twitter handle, @SebastianDant13, is a vigilante hacker known for tracking and de-anonymizing criminals who harm children.

 

03-03 19:08:15 – Sebastian – Daniel
03-03 19:08:44 – Sebastian – GhostSec is watching you
03-03 19:10:16 – Sebastian – Daniel I took ur discord servers and we are the ones eating these nodes
03-03 19:16:20 – Sebastian – 0d 6a a4 e8 45 b7 51 09 d5 c2 d4 39 fe 1f 69 5f 15 72 04 8c 40 48 74 dc b4 4f a1 ba ed e7 58 15
03-03 19:16:38 – Sebastian – That’s his fingerprint we are tracking
03-03 19:16:44 – Dusted – hm?
03-03 19:17:12 – Sebastian – We have him for this pedo shit in Tiny Voices fucking Daniel the pedo left his fingerprint
03-03 19:17:32 – Sebastian – Uh oh
03-03 19:17:51 – Sebastian has been kicked.

— Excerpt from Daniel’s Chatroom Transcript, March 03, 2020

An organized hacking collective like GhostSec definitely has the capabilities and motivation to take down Winzen’s servers, especially if there was questionable content hosted and shared, but the group has not published any declaration or claim of responsibility for the hack, as they have with other groups and individuals they’ve targeted in the past.

Daniel’s response

As soon as Daniel was alerted to the hack, he posted a notification to his main website confirming what was suspected. The hackers deleted all databases related to his hosting platform and all users should consider their data leaked and passwords compromised. 

He further stated the remaining 390GB of data from the websites he hosted would only be available until the 25th of March and recommended his customers use Freedom Hosting Reloaded or OneHost as he had no intention of restarting his hosting project.

Screenshot of Daniel’s Hosting landing page immediately post hack with public announcement

Daniel followed up with an update on March 11th 2020, giving users more details on archiving what was left of their website data. Winzen referred to the flood of messages encouraging him to keep going with the hosting service, but Daniel stated that keeping his servers clean from scammers took time from development and projects he enjoyed. He left the option open, months down the road, but not until he found time to improve the current platform.

Response from @daniel regarding server status on March 11, 2020

No database backups

Speaking of server setup, strangely, Winzen did not maintain any archives of the SQL databases he hosted, as evidenced by the data loss, nor were backups of the deleted databases available when he was hacked previously in late 2018. Many darknet users have expressed increasing skepticism, suggesting Daniel was not as committed to his darknet projects as he would have liked everyone to believe. After the most recent database breach, one anonymous user suggested that @null’s reference to the chatroom being a honey-pot was legitimate, adding suspicion over a server upgrade or move that occurred only weeks before the most recent attack.

Those who suspect that Daniel’s chatroom was actually a honey pot surmise that Daniel didn’t maintain backups of his data because they were being monitored (and probably managed) by international or German law officials. This was supported by the fact that a change in rule regarding sharing any pornographic content occurred in 2018, around the same time that Daniel was hacked and their databases disappeared.

There have been numerous pastes circulated around the darknet in the last year claiming many of the members, including @Syntax were Law Enforcement.

Archived screenshot of Daniel’s Onion Link List in June 2019

Daniel’s link list is lost

While the takedown of Daniel’s Chat and Hosting has received significant attention, another item compromised during this time was Daniel’s Onion Link List.

Winzen maintained a seed list of Tor hidden services, along with a status indicator and topical classifier that was helpful for those exploring the darknet regularly. This list of links was referred to by hundreds of other sites across Tor.

Now, Daniel’s Onion link list returns a 504 Gateway Time-Out error.

DarkOwl analytical look

After the last hack in November 2018, it took Winzen almost two months to re-deploy his hosting services. On January 6th 2019, Winzen posted a happy new year and hosting message indicating his hosting services were back online.

Archived screenshot from Daniel’s Hosting in January 2019

By January 10th, 2019, a mixture of over 1,400 darknet domains and subdomains appeared operational. This initial count of domains was determined by not only the domain name themselves, but careful review of the content of sites hosted by Winzen prior to and after the November 2018 hack.

Notably, DarkOwl Vision data shows an increase of over 7,600 domains affiliated with the hosting provider over the course of the 2019 calendar year.

Graph depicting number of domains tagged as Daniel’s Hosting services via DarkOwl Vision

In DarkOwl’s quantitative Map The Dark internal reports, domains are topically tagged as being associated with Daniel’s Hosting if (1) the domain URL was discovered on the public “List of Hosted Sites” on Daniel’s Hosting, or (2) the website contained the phrase “Site Hosted by Daniel’s Hosting,” as has been observed with most newly published darknet hidden services. As of March 9th 2020, DarkOwl had observed 9,006 domains or sub-domains affiliated with Daniel’s Hosting, 7,555 of which were recorded as online during the first two weeks of March 2020.

Update on Daniel’s landing page on March 15, 2020

On March 15th 2020, Winzen once again updated his landing page to state that all hidden services were offline so that users could migrate their hidden service URLs to a different darknet hosting provider. By April 1st 2020, DarkOwl had identified approximately 1,200 hidden services topically tagged to Daniel’s Hosting as back (or still) online.

DarkOwl analysts observed that many of the 1,200 hidden services consist of active sub-domains on Winzen’s historical V2 onion URL (tt3j2x4k5ycaa5zt[.]onion). Most of the subdomains on the V2 onion URL first came online in June 2017, and have been consistently active to date. Many of these include offensive keywords, such as, pedohosting.tt3j2x4k5ycaa5zt[.]onion, and nazism.tt3j2x4k5ycaa5zt[.]onion. These are just a few examples of several dozen others that include similarly banned topics and offensive keywords.

These V2 domains simply re-direct to the V3 Tor landing page, and have never had web content available to publicly collect. Nevertheless, several of these subdomains contain illicit keywords that suggest Winzen might have been complicit with hosting illegal content, despite his rules and policies against such.

Interestingly, there are also another 43 subdomains starting with the string “password” and an additional 23 with the phrase “freedomhosting” or “freedomhostingnode” suggesting at one point, Winzen collaborated with long-time controversial darknet hosting provider, Freedom Hosting. Are these the “nodes” GhostSec was referring to on March 3rd?
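The tagging rules and the V2 subdomain observations above, as an added Python example (not DarkOwl’s or Winzen’s code): it applies the two rules to constructed crawl records, separates 16-character V2 from 56-character V3 onion hosts, and counts subdomains of the V2 host by prefix. The hosted-site list, the V3 address and every record are constructed placeholders, and treating a subdomain of a listed host as listed is an assumption the post does not state.

```python
"""Tag crawled Tor hidden services as affiliated with Daniel's Hosting.

Added example, not DarkOwl's or Winzen's code. It applies the two tagging
rules the post describes (domain on the public "List of Hosted Sites", or
page body containing "Site Hosted by Daniel's Hosting"), separates 16-char
V2 from 56-char V3 onion hosts, and counts V2 subdomains by prefix. The
hosted-site list, the V3 address and every crawl record are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Onion hosts use the base32 alphabet (a-z, 2-7): 16 chars for V2, 56 for V3.
# Optional dotted subdomain labels may precede the host, as on Winzen's V2 URL.
_SUB = r"(?:(?P<sub>[a-z0-9-]+(?:\.[a-z0-9-]+)*)\.)?"
V2_RE = re.compile(_SUB + r"(?P<host>[a-z2-7]{16})\.onion")
V3_RE = re.compile(_SUB + r"(?P<host>[a-z2-7]{56})\.onion")

# Rule 2 marker, compared after lower-casing and normalising the apostrophe.
HOSTED_BY_PHRASE = "site hosted by daniel's hosting"


@dataclass
class CrawlRecord:
    """One crawled hidden service: domain, captured body, reachable or not."""
    domain: str
    body: str
    online: bool


def parse_onion(domain: str) -> Optional[Tuple[Optional[str], str, int]]:
    """Return (subdomain or None, host, version) or None if not an onion name."""
    d = domain.strip().lower().rstrip(".")
    for version, rx in ((3, V3_RE), (2, V2_RE)):
        m = rx.fullmatch(d)
        if m:
            return m.group("sub"), m.group("host"), version
    return None


def _normalise(text: str) -> str:
    return text.replace("\u2019", "'").lower()


def tag_daniels_hosting(records: Iterable[CrawlRecord],
                        hosted_list: Iterable[str]) -> Dict[str, str]:
    """Map each affiliated domain to the rule that tagged it: 'list' or 'phrase'.

    Assumption (not in the post): a subdomain counts as listed when its base
    onion host is on the hosted-site list, e.g. the tt3j2x4k5ycaa5zt subdomains.
    """
    listed = {h.strip().lower() for h in hosted_list}
    tagged: Dict[str, str] = {}
    for rec in records:
        parsed = parse_onion(rec.domain)
        if parsed is None:
            continue  # not an onion name: ignore rather than guess
        sub, host, _version = parsed
        full = f"{sub}.{host}.onion" if sub else f"{host}.onion"
        if full in listed or f"{host}.onion" in listed:
            tagged[full] = "list"
        elif HOSTED_BY_PHRASE in _normalise(rec.body):
            tagged[full] = "phrase"
    return tagged


def affiliated_counts(records: Iterable[CrawlRecord],
                      hosted_list: Iterable[str]) -> Tuple[int, int]:
    """(affiliated domains, of which seen online): the shape of the 9,006 / 7,555 figures."""
    records = list(records)
    tagged = tag_daniels_hosting(records, hosted_list)
    online = sum(1 for r in records
                 if r.online and r.domain.strip().lower().rstrip(".") in tagged)
    return len(tagged), online


def subdomain_prefix_counts(domains: Iterable[str], base_host: str,
                            prefixes: Tuple[str, ...]) -> Counter:
    """Count subdomains of base_host starting with each prefix (first match wins)."""
    counts: Counter = Counter()
    for d in domains:
        parsed = parse_onion(d)
        if parsed is None or parsed[1] != base_host or not parsed[0]:
            continue
        for p in prefixes:
            if parsed[0].startswith(p):
                counts[p] += 1
                break
    return counts


# Constructed sample data: the V2 host is the one named in the post; all else is placeholder.
DANIEL_V2 = "tt3j2x4k5ycaa5zt"
DANIEL_V3 = "placeholderv3" + "a" * 43      # 56 chars, NOT Winzen's real V3 address
LISTED_SITE = "listedsite" + "b" * 46
PHRASE_SITE = "phrasesite" + "c" * 46
OTHER_SITE = "unrelated" + "d" * 47
HOSTED_LIST = {f"{LISTED_SITE}.onion", f"{DANIEL_V2}.onion", f"{DANIEL_V3}.onion"}

RECORDS = [
    CrawlRecord(f"{LISTED_SITE}.onion", "<html>a forum</html>", True),
    CrawlRecord(f"{PHRASE_SITE}.onion", "<p>Site Hosted by Daniel\u2019s Hosting</p>", True),
    CrawlRecord(f"{OTHER_SITE}.onion", "<p>nothing relevant</p>", True),
    CrawlRecord(f"{DANIEL_V3}.onion", "<h1>landing page</h1>", True),
    # V2 subdomains that only redirect to the V3 landing page: no body collected
    CrawlRecord(f"pedohosting.{DANIEL_V2}.onion", "", False),
    CrawlRecord(f"nazism.{DANIEL_V2}.onion", "", True),
    CrawlRecord(f"password1.{DANIEL_V2}.onion", "", True),
    CrawlRecord(f"freedomhosting.{DANIEL_V2}.onion", "", True),
    CrawlRecord(f"freedomhostingnode2.{DANIEL_V2}.onion", "", True),
    CrawlRecord("example.com", "<p>clearnet, ignored</p>", True),
]
```

Running `affiliated_counts(RECORDS, HOSTED_LIST)` on the constructed records gives (8, 7), and `subdomain_prefix_counts([r.domain for r in RECORDS], DANIEL_V2, ("password", "freedomhosting"))` groups the two freedomhosting variants together, as the post’s 43 / 23 counts do.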

Currently, the V2 URL redirects to Daniel Hosting’s V3 URL, which Winzen adopted after the November 2018 hack – presumably for enhanced security. Both domains have been referenced for his SMTP email domain by Winzen on his contact page. The Bitcoin addresses listed on Winzen’s surface web mirror, danwin1210.me, and the Tor hidden service are different, but both have had numerous transactions since the hack occurred on March 10th, 2020.

The darknet will carry on

Despite Winzen’s encouragement for his users to migrate their existing hidden services and URLs to other darknet hosting providers, most of the services either didn’t bother or adopted new URLs. DarkOwl analysts reviewed over 5,000 URLs associated with Daniel’s Hosting since the first of the year and found that fewer than two dozen had migrated and retained their URL as of early April 2020.

A long-time darknet Twitter-like social network called Atlayo (atlayofke5rqhsma[.]onion) is back online and operating using its previous URL, and it has long been rumored that Daniel was once a key moderator and administrator for this service.

 
Screenshot of current Atlayo sub-landing page

Security concerns over the once popular PHP-based LE-Chat platforms have more users migrating to IRC over a Tor proxy, while those with hosting resources are offering up their web servers to host content in the interim. Users capable of web development have set up even more hidden services than they had while relying on Winzen alone, and clones of Daniel’s home website are being advertised, ostensibly to create a sense of familiarity and security.

One such example, OnionCommunity, online since the fall of 2019, has revamped with a layout shockingly similar to Winzen’s. In addition to a chat (IRC), online link list and test, OnionCommunity also advertises social media, market and cloud services that are in development.

Screenshot of page on OnionCommunity that is very similar to Winzen’s former layout

While it took several weeks for users of Daniel’s services to recover what data was available and to figure out where to congregate and how to communicate, the community seems more resolved than ever to continue with or without Daniel’s support, and the darknet itself continued to grow throughout the second half of March while Winzen was offline.

In fact, since March 11th 2020, DarkOwl has observed an average growth of 387 new domains per day across the entire darknet.

Stay tuned for more updates as we continue to track darknet trends and post updates on our blog.

Coronavirus on the darknet Pt 2: The scams keep on coming

This is a continuation of our previous discussion (linked below) about how the global pandemic has created an incredible surge in COVID-19 related scams on the dark web. DarkOwl analysts have been tracking the developments in DarkOwl Vision and have consolidated a round-up of some interesting, concerning, and, in some cases, comfortingly human findings.

See Part 1 of our COVID scam coverage here

A COVID-19 Vaccine

The most recent pandemic related scam to surface on the dark web is a hidden service dedicated to the COVID-19 vaccine. According to a new Tor hidden service, appearing on the dark web the week of the 18th of March, Technology Minister Ofir Akunis confirmed Israeli scientists had developed the first vaccine for the novel coronavirus that was available to ship Worldwide via DHL. 1 packet supposedly includes 10 20ml vials of the COVID-19 vaccine for only $10 USD, payable by Bitcoin.

 
Original Source: http://d5jzfmy5d3oqlia4pnfu37pztv2n3eknxdoi57ycwywb2klkt42b43ad[.]onion

This is not the first “Israeli” based antidote offered on the dark web. DarkOwl Vision captured an advertisement posted by darknet user buddrugtrade on March 1, 2020. The post suggested that MIGAL, a research institute in Galilee, Israel, had created a vaccine against a strain of the coronavirus that they had available to sell. They also included N95 masks in the same classified.

Source DarkOwl Vision MD5: d08ea9018d6fe955ed66502e82bc42f2


A similar offer for the vaccine appeared as recently as the end of March with a scammer offering vials of the vaccine for $115 USD. The advertisement suggests the owner only has 5 vials available to sell with hopefully more in the future.

 
Original Source: http://dccvdpx2tksoyue5p5cpzqwhwyv4njkfaa3p7km7eyh6kke2atwfoiqd[.]onion

Source DarkOwl Vision MD5: 3d71f76d1fa1e2af3280c0651cbc9c68

Another scammer has a higher price in mind for the vaccine. On 29 March 2020, multiple pastes titled “COVID-19 TEST WAS SUCCESSFUL” were observed around the dark web, consisting of an offer for 10 vaccines for $100K in BTC. “Now is coming the real one,” the offer reads, as if to suggest the previous offers were not effective or legitimate.

Multiple Offers for COVID-19 Blood Samples

DarkOwl continues to witness numerous scammers offering samples of the virus via blood samples and saliva. The most recent scammer’s listing, at 12:56 UTC, 31 March 2020, attempted to imbue legitimacy into their listing, stating that they were a “laboratory doctor in Spanish public health” who successfully obtained “24 blood samples and infected sputum of the new COVID-19.” This scammer offered 24 samples for $100 USD (less than $5 per sample) and concluded their classified with even more additional bioterrorism-related material: “I also have 10 liters of morphine and 13 vials of HIV-infected blood in my possession.”

 
Original Source: http://depastedihrn3jtw.onion/show.php?md5=0a4f6c42ec79ea79f8f0984f8e6fafcf


Another advertisement, posted 10 days earlier, stated the seller’s father was infected with COVID-19 and while at the hospital he managed to collect one syringe filled with blood that he inserted into 10 bats. The offering price is only $32 USD for the sample; a minimal payment is required to answer any questions.

This price is considerably cheaper than the $1,000 USD offer for a blood sample and saliva observed on a darknet market in early March, but not as ominous or anarchy-inducing as an offer for the live virus by one known as drdeath41: “Great for the coworker you don’t like. Or spread it in the ghetto if you’re like that or maybe let it loose at the country club.” – Source: DarkOwl Vision MD5: d87605d2f17f877991b35f8307de89a7

Original Source: http://depastedihrn3jtw.onion/show.php?md5=3e901ee29814c57c1950a0db6ca829e7

Offers for Test Kits and Thermometers

The lack of availability of COVID-19 test kits and the shortage of ancillary personal protective equipment (PPE) and support equipment has one scammer offering test kits, infrared thermometers and masks. The advertisement did not include a Bitcoin address or price, but provided a Texas, USA-based WhatsApp number for “Serious Inquiries Only”. Using DarkOwl Vision to pivot on the contact information, the phone number is also affiliated with numerous other offers across the dark web for drugs via the surface web shop worldglobalpharmacy.com and for counterfeit items under the Telegram ID @drHades.

Original Source: https://paste.depesz.com/s/XQf

Source DarkOwl Vision MD5: 6730696059c0a9df23926a12ce7dcc8f


URL Redirects to Abuse

DarkOwl analysts reviewed various posts to forums and darknet paste sites and found that much of the “Coronavirus” content simply redirects the reader to a possibly malware-laden URL or prompts them to submit a cryptocurrency payment in exchange for information.

This has become such an issue that many domain name service (DNS) providers have turned to denying domain registrations containing the words, “covid” or “corona” to combat the growing abuse.

 
Original Source URL Redacted. Link to “Information” from dark web redirects visitor to pay for download for the COVID-19.zip file.

Original Source URL Redacted. Link to “Information” from dark web redirects visitor to pay for download for the COVID-19.zip file.

Source DarkOwl Vision MD5: 2a48e3872b7519cc33c87a9e4e4da6be

Can a Darknet Pure Frequency Kill COVID-19?

On 3 April 2020, another unexpected advertised “cure” for the coronavirus appeared on the dark web. An anonymous user posted a link to an MP3 file in a paste titled “Pure Frequency to Kill corona virus”, along with a suggestion to listen to the frequency three to six times a day for maximum results.

Masks Are Still Readily Available

As we mentioned in our previous report, all types of masks are for sale on the dark web, including the N95 respirators that are in high demand. A Tor hidden service using “corona” in its V2 onion address has “Aura 3M & Farstar medial N95 face Masks” [sic] available in packs of 10 for 80 EUR.

Original Source: http://coronajkkhq6dygj[.]onion

DarkOwl Vision also captured a member of The Cyber Army Telegram group offering an N95 mask with a certified expiry date of March 16, 2020.

Source DarkOwl Vision MD5: 4abe8bebdfa89a20c68c0a85d8e6688a

Original Source: https://3dprintingcenter.net/covid-19-3d-printinghealth-protective-designs/

Another clever advert, submitted by “Tequila_Wolf,” redirects the reader to a legitimate external link on a 3D printing center’s website. The website, CD3D, offers designs for 3D-printing protective face shields, masks for a non-invasive ventilator, and hands-free door openers.

Using DarkOwl Vision’s history, Tequila_Wolf has a remarkable dark web presence (mentioned in 76K pages), consisting of shared news articles and geo-political commentary, much of which is COVID-19 specific.

Criminals Discuss Benefits of COVID-19

Dark web user Loserdub offered an interesting perspective on the COVID-19 crisis, commenting in an “illegalism” channel on the popular darknet forum Raddle that they had found police presence minimal and shoplifting easier than ever.

Another user on the forum added they use a medical face mask to conceal their identity.

Original Source: http://lfbg75wjgi4nzdio[.]onion/f/Illegalism/108236

Anti-Malarial Drugs Now Available

Since US President Donald Trump suggested that anti-malarial drugs such as chloroquine and hydroxychloroquine may have potential use in fighting COVID-19, scammers have also started offering these drugs for sale on the darknet. The same scammer who offered virus test kits under the Telegram moniker @drHades shares a phone number with the advertisement for chloroquine, which lists the Telegram ID @oraclez. This is further evidence of an elaborate scamming network on the darknet looking to profit from the COVID-19 crisis.

Source DarkOwl Vision MD5: 35583a153b32bd408ffa9bfbdb8e2e43

Quantifying Potential Increase in Darknet Usage Due to COVID-19

DarkOwl analysts were asked by a third party to review potential quantitative approaches to trends in darknet use due to COVID-19 and the associated global government-mandated shelter-in-place orders. The hypothesis was that, with more of society confined to their homes, there would be an increase in dark web drug market use and purchases. Some darknet drug forums appeared to support this theory, with new users asking how to purchase drugs from markets and some forums experiencing what could have been interpreted as a “surge” in usage.

One such forum that has had a historical presence on the darknet is Darknet Market Avengers (DMA).

Another popular darknet forum, Dread, also suggested that markets were experiencing a surge in usage, in a thread posted by Dread moderator /u/DrHorrible on 1 April. The moderator’s post also suggested an increase in announcements for new markets, many of which weren’t even online yet. After carefully reviewing market data in DarkOwl Vision, analysts determined that the markets only made vendor profiles public, not necessarily buyer accounts, so a surge in buyers could not be measured directly from market data.

In many cases, even the market vendor profiles were encrypted and not easily captured by the engine autonomously. This prompted a review of forum data to see if there was any empirical evidence to support the theory of increased darknet use, and a side effort to collect hundreds of thousands of user registrations across many darknet drug-specific forums to determine whether an exponential increase in registrations existed.

Unfortunately, the data captured from Darknet Market Avengers exhibited trends similar to the registrations recorded at Envoy, another drug-specific darknet forum. DarkOwl observed an average of about 225 new user registrations per day over the last three months. These numbers are consistent with the forum’s registration rate in 2017 and 2019. The forum also experienced periods of DDoS attacks in the first two weeks of October 2019 and the first week of February 2020, along with many other markets and forums on Tor.

Aggregate Number of Forum Registrations on Popular Darknet Drug Forums

These drops in registrations are evident visually in the monthly and weekly comparisons in the bar chart. Unfortunately, DarkOwl did not observe data to support the assumption that darknet usage had increased in recent months; if anything, the data merely confirms that the darknet is conducting business as usual during the COVID-19 pandemic.

We will continue to watch as trends emerge and report back here.

Coronavirus scams on the darknet: Pt 1

Viruses on the darknet are nothing new. You can easily find vendors selling Bots, Password Crackers, Rootkits, Adware, Backdoor Access, Keyloggers, or any other form of Malware, Toolkits and Viruses (MTV) across a wide swath of forums and marketplaces. So, when you see the darknet exploding with discussions of a virus, one might not jump immediately to “infectious disease.”

However, the darknet is not so far removed from mainstream society that it can ignore the pandemic we find ourselves facing. We’ve recently observed the emergence of coronavirus-related products, discussions, scams, and general hysteria across Tor, IRC, I2P, Telegram, and the like. Here are some examples of COVID-19 related goings-on amidst the recent outbreak.

“I sell my infected blood and saliva”

Thus far, we have come across at least one individual advertising the sale of live COVID-19. For $1,000, this enthusiastic vendor will allegedly ship you a biohazardous weapon in the form of their COVID-19 infected bodily fluids. Yikes. The only good news about this situation is that it is most certainly a scam.

Listing on Tor selling fluids infected with COVID-19 that appeared late February 2020

Coronavirus vaccinations

Certain marketplaces and vendors are also claiming to have access to a vaccination for COVID-19. In the example below, a listing dated as having been posted last Saturday shows a vendor on Piazza (a darknet marketplace) offering to sell coronavirus vaccines AND antidotes to “serious buyers.”

Screenshot from DarkOwl Vision of a vendor on Tor selling “coronavirus antidotes and vaccines”

Masks and hand-sanitizer

As eBay and Amazon make great efforts to scale back sales of health and wellness products due to price gouging and fears of counterfeiting, the darknet is seeing a rise in listings for products in this category, including face masks advertised as CDC-approved.

Listing on Tor for Aura 3M and Farstar N95 surgical masks

DarkOwl Vision screenshot of a listing on Tor for medical-grade masks that includes a positive review from satisfied customers.

Pricing for these masks has ranged considerably from what we’ve seen. The vendor in the screenshot below is selling a single mask for $342.00 (listed as half off its original price of $684.00 due to a promotion), while the vendor in the image above is selling packs of 10 to 12 masks for around $30.

DarkOwl Vision screenshot of a checkout cart showing a “VENUS N95 POLLUTION MASK” selling for over three hundred dollars.

There are also several listings for “stolen” masks. (It’s worth noting that this vendor also claims to have “african crafts and talismans with powers” for sale, and claims to be able to “blackmail anyone to do anything” for a price…so, probably not the most legit listing.)

DarkOwl Vision screenshot of a listing on Tor for 800 “stolen” “corona virus masks”

Hand sanitizer has not appeared in the same measure, but given the amount of homemade recipes circulating the surface net, we imagine it is only a matter of time. We have found at least one listing for hand sanitizer, posted on Tor today (3/12/20).

Coronavirus themed forums, discussions and channels

Overall, it would appear that the darknet is reacting fairly similarly to the rest of the internet. There is a palpable amount of fear, uncertainty, panic….and those willing to capitalize on it.

Take this individual, for example, who is using the opportunity to tout his marijuana pills as a preventative measure against contracting the virus (pictured below).

Screenshot of a vendor on Tor attempting to leverage COVID-19 as a means of selling their own product

With the number of questions, ideas and conspiracy theories to be discussed, it is no surprise that various COVID-19 specific darknet forums have emerged as hubs for the community, including a dedicated subdread.

Coronavirus subdread (of Dread forum on Tor)

There are now also several Chinese coronavirus Telegram channels. While some seem to be just for general discussion, others appear to be tailored towards those under quarantine.

Considering that the Chinese government has reportedly been censoring terms related to COVID-19 on WeChat, a popular chat app, it makes sense that Telegram has filled the gap to become a resource for open discussion about the COVID-19 pandemic.

Essentially, when it comes down to it, what we’re seeing the most of are people simply being human and wanting to talk about what’s going on.

What we’re watching for

As this global crisis continues to unfold, we’ll be keeping an eye on the darknet to see how the darknet markets are affected by the severe social and economic measures being taken around the world to mitigate the spread of this virus and to produce medical resources, including testing kits and a vaccine.

Will buyers continue to purchase items from marketplaces, without being sure of their country of origin? Will a potential scarcity in medical devices due to limited resources slow the production of the home-cooked drugs that most of these marketplaces are known for? We’re likely soon to find out, so be sure to check back for updates.

Thoughts from our CFO on recently observed darknet trends

Quick Dive into recent trends in hackish data

DarkOwl continuously and autonomously collects darknet information 24/7. We then index, store, and score it according to how likely the information is to be of interest to criminals. Having this vantage point gives us unique insight into traffic and trends on the darknet, which we continually post about on our blog. One lens through which we can view our data to form theories, and sometimes even conclusions, about the reasons behind fluctuations in darknet traffic is a proprietary score that we call hackishness™ (algorithm pictured here).

In a nutshell, hackishness is a term DarkOwl uses to broadly describe the criminal relevance of any posting. The score runs from 0% to 100%, and is based upon a number of data points including context, recency, and the presence of nefarious material on the darknet page. For example, a page with 100% hackishness might include PII, illegal goods or illicit information. On the other hand, a page with 0% hackishness might be something totally innocuous, such as a reprint of a news article.

Below is a graph representing the new posts scoring 95% to 100% hackish found weekly in the DarkOwl Vision database from mid-January to March 19, 2020. Upon observing the curious downward slope, followed by the sharp uptick in hackish content collected in our database, I decided to take a closer look to see if we could determine why.

Documents considered to be “StrictHack” have over a 95% hackishness score and come strictly from the darknet (not deep web or paste sites)

This graph shows that the amount of new darknet information was surprisingly stable from January 17, 2020 to February 27, 2020. The mean of this new weekly highly hackish data was 13,688 pages and the standard deviation was only 10.2.

But starting the week beginning 2/21/20, this darknet data tally fell by 13%, followed by a weekly drop of 27% the next week and 30% the week ending March 12, 2020. Interestingly, this downward trend began the same week that global stock markets began to wobble. Just like global financial markets, the amount of new criminally interesting information was dropping precipitously.

Then, something different happened the week of March 13 to March 19, 2020. While global markets continued their decline, the number of new highly hackish posts jumped to this year’s high. To see if we could provide an explanation for this sharp spike, we turned to what we call “Map the Dark”, which, among many other things, categorizes every piece of current and historical darknet content we find into 54 separate categories.

The graph below isolates the eight categories which account for what DarkOwl estimates was 92% of 10,832 new darknet posts from January 7, 2020 to March 19, 2020.

This graph shows the total number of hackish documents detected in our database since January 7th, with percent change included to demonstrate how some categories have seen an increase in darknet content over this period of time.

Breaking down these new results by category gives us some interesting insights into what may have caused this surge in hackish content.

Of these new posts, almost half (5,010) are related to Hosting. Why might that be? Likely this is due to the fact that on the evening of March 9, 2020, one of the most prominent darknet hosting platforms – Daniel’s hosting service – was hacked yet again. While darknet hosting sites go down periodically, the loss of Daniel’s has proven more problematic for those that operate on the darknet than others.

Thus, I theorize that the noticeable increase in hackish content categorized as Hosting likely derives from the nearly 800 users of Daniel’s hosting services adding new content to other hosting services as they migrated to other providers. This migration almost certainly accounts for most of the steep drop in darknet traffic observed in the middle of March and the rebound in the weeks following.

The second highest category is Directory, identified by content that contains link lists and darknet addresses for hidden services, and accounts for another 836 new posts. If we assume that the new content in the Hosting category and Directory category are related to the Daniel migration, that would account for 54% of the darknet change observed so far this year.

And what of the remaining 46% of the darknet changes observed since January? Actually, the second biggest jump in darknet posts were in Markets, at 1,969 new posts. Considering the timing, many of these could potentially have been Covid-19 related.

The remaining new posts fall into the Fraud, Counterfeit, and Scams categories. These three categories represent 8.3% of all the new hackish content, and represent the portion most closely related to new criminal activity designed to take advantage of the current Covid-19 panic. Lastly, the remaining 368 new hackish darknet documents, or roughly 3% of the total, are linked to the Forum category, which the media focuses on far beyond its actual statistical weight.

Closing thoughts

Covid-19 related?

Much is being written continuously about the great daily changes that Covid-19 has wrought. When we set out to look at the reasoning behind the uptick in hackish content in our database, there was strong reason to believe that it may have been directly attributable to the pandemic. At this point in time, we cannot say for sure; in fact, it would appear that this is not the case. Likely, the disintegration of Daniel’s hosting service has been much more impactful on darknet traffic than a few vendors attempting to sell surgical masks. But, as time passes from our collective mid-February realization that something monumental might be happening, more data is being collected and can be analyzed to see if we are moving away from “normal” or back towards it.


Stay tuned for an upcoming analysis from our data team regarding the greater impact of the Daniel’s Hosting take-down. Sign up to our newsletter to hear about it as soon as it’s published!

Apollon Exit Scam: Analytical Market Review

Overview

On 31 January, members of the dark web community began warning users of the imminent exit scam of the Apollon cryptomarket. Apollon Market, established in March 2018, had developed a credible reputation in recent months as other key long-time markets disappeared or were seized by authorities.

Landing Page for Apollon Market  on Tor Browser Bundle After Login

After reviewing the archived market data captured by DarkOwl Vision, our analysts assess with high confidence that Apollon Market experienced a positively skewed distribution of activity driven by a surge of vendors appearing on the market in late 2019.

Total Listings per Category offered on Apollon Market as Defined by Market Administrators

This evidence suggests that law enforcement efforts to curb criminal behavior on dark web markets through heavy DDoS and subsequent seizure increase vendor sales for those vendors who are highly mobile across marketplaces.

Furthermore, addictive psychoactive stimulants, such as methamphetamine and cocaine, appeared frequently in not only the top number of listings sold and offered, but also in revenue. This suggests a substantial rise in popularity on the dark web marketplaces for these goods (as compared to Baravalle, Lopez and Lee’s Mining the Dark Web).

Apollon Market is largely a drug market with self-advertised market data from their landing page, suggesting that drugs comprise over 75% of the goods on offer. DarkOwl Analysts reviewed these to uncover that many of the advertised listings are duplicative and some categorized incorrectly.

Despite this, on average there are significantly more drugs offered than digital goods, but some vendors saw considerably larger revenue and return on investment in the digital goods market segment.


Quantitative Findings

  • Since 2018, DarkOwl Vision archived 35,028 unique listings across 1761 vendor accounts on Apollon, comprised of a mixture of sales categories including drugs, digital goods, fraud, and malware.

  • DarkOwl analysts assess the total value of the market is $10,986,561 USD based on total sales reported and the value of the listings offered at the current exchange rate from Bitcoin (BTC) to USD or Monero (XMR) to USD.

  • The average revenue generated per vendor is $6,249 USD while the median revenue per vendor is $933.25 USD, suggesting that the distribution of the revenue across the market is heavily skewed, positively.

  • Despite this positive skew, there appears to be an outlying segment of particularly high-revenue vendors with much higher reported revenue than the rest of the vendors in the market.

  • This is supported by the fact the top 10 vendors in sales revenue amassed an estimated $1.6 Million USD in total sales, while 14% of all vendors reported no sales at any point during their tenure on the market. Some non-active vendor accounts could easily be used for test purposes or as a law enforcement honey pot. 

Countries of origin

Vendor Advertisements by Country of Origin

Of the 35,028 unique listings, many do not specify the country of origin. Some merely state their location as “Worldwide,” suggesting that the vendor is potentially a network of suppliers around the world, the good can be delivered digitally, or the vendor is willing to assume the heightened risk of international shipping.

Of the 75% of listings that do provide a country of origin, 57% of the vendors claimed their goods or services originated within the USA, United Kingdom, Germany, or the Netherlands. 4.8% of them kept the country of origin generic as “Europe”, and others specified unexpected locations such as the Pitcairn Islands and Wallis and Futuna in the South Pacific.

Listings

Drugs comprise the largest categorical segment of Apollon Market, with over 44,000 total listings, although some of these are duplicative [see Analyst’s Note below].

Of the drug listings, Cannabis, Stimulants, and Ecstasy comprise over 50% of those advertisements. A review of the total sales and revenue revealed that addictive, psychoactive stimulants were in the highest demand from this market, and the listing with the largest number of reported sales is Colombian Cocaine.

Based on current currency conversion rates for BTC to USD, the listing with the highest estimated revenue is a private “VIP” Digital Good offered by long-time dark web vendor, Gfellas, while the remaining 4 top revenue-generating listings were all drug related.

Analyst’s Note: Bear in mind that since the exit scam began, the market administration has been deactivating older listings, erroneously categorizing many advertisements across multiple categories, and manipulating vendor login data, prompting the need for a more rigorous review of the listing titles and descriptions using machine learning at a later time.   

A Positively skewed distribution of revenue

Analysis indicates that the average price for listings (with at least one sale) was anywhere from four to eight times the median listing price on Apollon. The observed distance between these grew with vendors with larger number of units reported sold.
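The skew described in the Quantitative Findings above and in this section (mean revenue per vendor far above the median, a handful of vendors holding most of the total, a sizeable share of vendors with no sales) can be checked with a few summary statistics. The following is an added illustration, not DarkOwl's analysis code, and the vendor list it uses is constructed for the example rather than taken from Apollon; it is shaped so that a few accounts dominate the total, as the article reports, and the same functions run unchanged over a real export of (vendor, revenue) pairs.

```python
"""Revenue-distribution summary for a cryptomarket vendor export.

Added example, not DarkOwl's code. SAMPLE_VENDORS is constructed, not
market data; real input is a list of (vendor_name, revenue_usd) pairs.
"""
from statistics import mean, median, pstdev

# Constructed sample: (vendor, reported revenue in USD). Two accounts
# never sold anything; one account dwarfs the rest of the market.
SAMPLE_VENDORS = [
    ("v01", 0.0), ("v02", 0.0), ("v03", 120.0), ("v04", 450.0),
    ("v05", 600.0), ("v06", 900.0), ("v07", 950.0), ("v08", 1300.0),
    ("v09", 2000.0), ("v10", 3500.0), ("v11", 8000.0), ("v12", 25000.0),
    ("v13", 48000.0), ("v14", 230000.0),
]


def skewness(values):
    """Fisher-Pearson moment coefficient of skewness (population form).

    Positive values mean a long right tail: a few large observations pull
    the mean above the median, which is what the article calls a
    positively skewed distribution.
    """
    n = len(values)
    if n < 2:
        return 0.0
    mu = mean(values)
    sd = pstdev(values)
    if sd == 0:
        return 0.0
    return sum(((x - mu) / sd) ** 3 for x in values) / n


def top_n_share(values, n):
    """Fraction of total revenue earned by the n highest-revenue entries."""
    total = sum(values)
    if total <= 0:
        return 0.0
    return sum(sorted(values, reverse=True)[:n]) / total


def summarize(vendors, top_n=3):
    """Summary statistics for a list of (vendor, revenue) pairs."""
    revenues = [rev for _, rev in vendors]
    med = median(revenues)
    avg = mean(revenues)
    return {
        "vendors": len(revenues),
        "total": sum(revenues),
        "mean": avg,
        "median": med,
        # Ratio >> 1 is the quick tell for a right-skewed market.
        "mean_over_median": (avg / med) if med else float("inf"),
        "skewness": skewness(revenues),
        "top_n_share": top_n_share(revenues, top_n),
        # Accounts that never sold: possible test, abandoned or honeypot accounts.
        "zero_sales_share": sum(1 for r in revenues if r == 0) / len(revenues),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_VENDORS).items():
        print(f"{key:>18}: {value:,.3f}" if isinstance(value, float) else f"{key:>18}: {value}")
```

On the constructed sample the mean is about twenty times the median and the top three accounts hold roughly 94% of the total, which is the shape the article describes for Apollon. The skewness coefficient is bounded by (n-2)/sqrt(n-1) for a sample of size n, so on small vendor lists compare it against that ceiling rather than against a fixed threshold.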

Top Listings Sold and their Estimated Revenue

Apollon Market’s Evolution over Time

Spikes in Apollon vendor registrations following other major marketplace closures

In comparison to other dark web cryptomarkets’ longevity before exit scam or seizure, Apollon had a considerable run, trading for almost two years with minimal downtime. During the first few months, little activity occurred on the market, but the market showed considerable pickup in total number of vendors trading after other key markets went offline.

Market closures drive traffic

In July 2019, when Nightmare Market exit-scammed, DarkOwl observed that the total number of vendors on Apollon nearly doubled.

In October 2019, Berlusconi was seized by the Italian authorities, followed shortly by Cryptonia, which disappeared in late November 2019. After Berlusconi’s seizure, several vendors used their credibility from years of trading on those markets as imported feedback to drive a high volume of sales on Apollon.

Apollon experienced the largest number of new vendor registrations in December 2019, post Cryptonia, at 390 new vendors.

“whitebeer”

Vendor “whitebeer” had not only a significant number of listings but also a considerable number of sales, appearing in the top three of each list analyzed. The total value of their sales, however, was only $48K, 21% of the revenue of magicblue, the top vendor on the market by revenue.

Key Vendors

The top ten vendors by total number of listings, along with their corresponding number of total sales, are provided in the chart below. The top ten vendors by volume of offers do not overlap with those grossing the highest revenue or having the highest total number of sales.

Top 10 Vendors on Apollon by Total Number of Listings

The top three vendors by revenue account for 6% of all the revenue of Apollon Market, while the top 10 vendors accumulated over $1.6 Million USD in total sales. The top vendors by revenue trafficked drugs, suggesting that dealing in drugs yields higher gross income on dark web markets than digital goods or fraud services, such as fake passports.

Top 10 Vendors on Apollon According to Reported Market Revenue

The first market vendors

Despite the fact the market’s reported established date is March 2018, 45 vendors appeared on the market on 10 July 2018. DarkOwl assumes during the first three months, the market was likely in a testing phase and did not have any active trading occurring. Of those vendors appearing on 10 July 2018, the vendors with the largest total sales, were Dr.White3, g0ldenboy, HeinekenExpress, usagear, stanovo1ONLY, SUDO, and NUTSPRACKER; however, none of these vendors appear in the top 20 revenue-generating vendors list at the time we conducted analysis.

Vendors with the highest revenue

Based on historical market data and the current vendor profiles, the vendor using the moniker magicblue migrated to Apollon in mid-September 2019, shortly before the announcement of Berlusconi’s seizure by Italian authorities. The vendor brought with them significant positive feedback and credibility from their years trading on Berlusconi. Shipping their orders from Germany, magicblue’s principal drug market is ecstasy and LSD. Their highest value listing on Apollon Market is 250g of A+++ “top quality” MDMA at $812 USD per order.

Vendor magicblue’s Apollon profile and MDMA Listing

Conclusion

DarkOwl Analysts’ analytical survey into Apollon Market yielded insight into the evolution of the cryptomarket in vendor registrations and listings, countries of origin and shipping, and general revenue generating activity. At time of writing, the market value is at $10.9 Million USD (based on an exchange rate of 1 BTC = $10,222.7 USD, the value at time of analysis) with addictive, psychoactive stimulants as the most popular, highest revenue generating category of drugs offered on the market.

Overall, Apollon Market exhibits a positively skewed distribution of revenue, with a surge in vendor registrations and activity after Nightmare, Berlusconi, and Cryptonia disappeared through exit scam or market seizure. Vendors brought their credibility and positive customer feedback with them and immediately began trafficking their goods and earning revenue. Like the Hydra of Greek mythology, concerted efforts by law enforcement to remove drug trafficking from the dark web merely strengthen the resolve of the community; drug vendors continue to be highly mobile and attain uninterrupted success on emerging markets.

Copyright © 2024 DarkOwl, LLC All rights reserved.