This is a continuation of our previous discussion (linked below) about how the global pandemic has created an incredible surge in COVID-19 related scams on the dark web. DarkOwl analysts have been tracking the developments in DarkOwl Vision and have consolidated a round-up of some interesting, concerning, and, in some cases, comfortingly human findings.

See Part 1 of our COVID scam coverage here

A COVID-19 Vaccine

The most recent pandemic related scam to surface on the dark web is a hidden service dedicated to the COVID-19 vaccine. According to a new Tor hidden service, appearing on the dark web the week of the 18th of March, Technology Minister Ofir Akunis confirmed Israeli scientists had developed the first vaccine for the novel coronavirus that was available to ship Worldwide via DHL. 1 packet supposedly includes 10 20ml vials of the COVID-19 vaccine for only $10 USD, payable by Bitcoin.

This is not the first “Israeli” based antidote offered on the dark web. DarkOwl Vision captured an advertisement posted by darknet user, buddrugtrade, back on March 1, 2020. The post suggesting that MIGAL, a research institute in Galilee, Israel, had created the vaccine against a strain of the coronavirus that they had available to sell. They also included N95 Masks on the same classified.

A similar offer for the vaccine appeared as recently as the end of March with a scammer offering vials of the vaccine for $115 USD. The advertisement suggests the owner only has 5 vials available to sell with hopefully more in the future.

Another scammer has a higher price in mind for the vaccine. On 29 March 2020, multiple pastes, titled, “COVID-19 TEST WAS SUCCESSFUL,” were observed around the dark web consisting of an offer for 10 vaccines for $100K in BTC. “Now is coming the real one” the offers reads, as if to suggest the previous offers were not effective or legitimate.

Multiple Offers for COVID-19 Blood Samples

DarkOwl continues to witness numerous scammers offering samples of the virus via blood samples and saliva. The most recent scammer’s listing, at 12:56 UTC, 31 March 2020, attempted to imbue legitimacy into their listing, stating that they were a “laboratory doctor in Spanish public health” who successfully obtained “24 blood samples and infected sputum of the new COVID-19.” This scammer offered 24 samples for $100 USD (less than $5 per sample) and concluded their classified with even more additional bioterrorism-related material: “I also have 10 liters of morphine and 13 vials of HIV-infected blood in my possession.”

Another advertisement, posted 10 days earlier, stated the seller’s father was infected with COVID-19 and while at the hospital he managed to collect one syringe filled with blood that he inserted into 10 bats. The offering price is only $32 USD for the sample; a minimal payment is required to answer any questions.

This price is considerably cheaper than the $1,000 USD offer for a blood sample and saliva observed on a darknet market in early March, but not as ominous or anarchy-inducing as an offer for the live virus by one known as drdeath41, “Great for the coworker you don’t like. Or spread it in the ghetto if you’re like that or maybe let it loose at the country club.” – Source DarkOwl Vision M5D: d87605d2f17f877991b35f8307de89a7

Offers for Test Kits and Thermometers

The lack of availability of COVID-19 test kits and shortage of ancillary personal protective equipment (PPE) and support equipment has one scammer offering test kits, infrared thermometers and masks. The advertisement did not include Bitcoin address or price, but provided a Texas, USA based Whatsapp for “Serious Inquiries Only”. Using DarkOwl Vision to pivot on the contact information, the phone number is also affiliated with numerous other offers across the dark web for drugs with the Surface web shop, worldglobalpharmacy.com and counterfeit items under the Telegram id: @drHades.

URL Redirects to Abuse

DarkOwl analysts reviewed various posts to forums and darknet paste sites to uncover many of the “Coronavirus” content simply redirects the reader to a possible-malware laden URL or prompt to submit a cryptocurrency payment in exchange for information.

This has become such an issue that many domain name service (DNS) providers have turned to denying domain registrations containing the words, “covid” or “corona” to combat the growing abuse.

Can a Darknet Pure Frequency Kill COVID-19?

On the 3rd of April, 2020 another unexpected advertised “cure” for the coronavirus appeared on the dark web. An anonymous user posted a link to a MP3 file in the paste titled, “Pure Frequency to Kill corona virus” along with a suggestion to listen to the frequency 3 to 6 times a day for maximum results.

Masks Are Still Readily Available

As we mentioned in our previous report, all types of masks are for sale on the dark web, including the N95 respirator type style in high demand. A Tor hidden service using “corona” in the V2 URL has “Aura 3M & Farstar medial N95 face Masks” available in packs of 10 for 80 EUROs.

DarkOwl Vision successfully captured a member of The Cyber Army Telegram group offering a N95 mask with certified expiry date on March 16, 2020.

Another clever advert submitted by “Tequila_Wolf,” redirects the reader to a legitimate external link referencing a 3D printing center’s website. The website, CD3D offers designs for 3D printing protective face shields, masks for a noninvasive ventilator, and hands-free door openers.

Using DarkOwl Vision’s history, Tequila_Wolf has a remarkable dark web presence (mentioned in 76K pages), consisting of shared news articles and geo-political commentary, much of which is COVID-19 specific.

Criminals Discuss Benefits of COVID-19

Dark web user, Loserdub, submitted an interesting perspective of the COVID-19 crisis commenting in an “illegalism” channel on popular darknet forum, Raddle, that they had found police presence minimal and shoplifting easier than ever.

Another user on the forum added they use a medical face mask to conceal their identity.

Anti-Malarial Drugs Now Available

Since US President, Donald Trump suggested anti-malarial drugs such as chloroquine and hydroxychloroquine may have potential use in fighting COVID- 19, scammers have also started offering these drugs for sale on the darknet. The same scammers offering virus test kits under the telegram moniker, @drhades, shares the same phone number as listed in the advertisement for chloroquine, with telegram identification: @oraclez. This is further evidence of an elaborate scamming network on the darknet looking to profit from the COVID-19 crisis.

Quantifying Potential Increase in Darknet Usage Due to COVID-19

DarkOwl analysts were asked by a third party to review potential quantitative approaches to trends in darknet use due to COVID-19 and associated global government-mandated shelter-in-place orders. Hypothesis is that with more of society confined to their homes there would be an increase in darkweb drug market use and purchases. Some darknet drug forums supported this theory with new users asking how to purchase drugs from markets and some forums experiencing what could have been interpreted as a “surge” in usage.

One such forum that has had a historical presence on the darknet is Darknet Market Avengers (DMA).

Another popular darknet forum, Dread, also suggested that Markets were experiencing a surge in usage with a thread posted by dread Mod, /u/DrHorrible, at the first of April. The moderator’s post also suggested that there were an increase in new market announcements for many markets that weren’t even online yet. After carefully reviewing market data in DarkOwl Vision, analysts determined that the markets only mad Vendor profiles public and not necessarily the users.

In many cases, even the market vendor profiles were encrypted and not easily captured by the engine autonomously. This prompted a review of forum data to see if there was any empirical evidence to support the theory of increased darknet use. This prompted a side-effort to collect hundreds of thousands of user registrations across many darknet drug-specific forums to see an exponential increase in registrations existed.

Unfortunately, the data captured from Darknet Market Avengers exhibited trends similar to the registrations recorded at Envoy, another drug-specific darknet forum. DarkOwl observed an average daily number of registrations in the last three months of about 225 new users. These numbers are consistent with the forum’s registration rate in 2019 and 2017. The forum also experienced a period of DDoS attacks in the first two weeks of October in 2019 and the first week of February in 2020 along with many other markets and forums on Tor.

These drops in registrations are evident visually as demonstrated by the monthly and weekly comparisons in the bar chart below. Unfortunately, DarkOwl did not observe data to support any assumption that darknet usage had increased in recent months, and if anything, merely confirms the darknet is conducting business as usually during the COVID-19 pandemic.

We will continue to watch as trends emerge and report back here.

Viruses on the darknet are nothing new. You can easily find vendors selling Bots, Password Crackers, Rootkits, Adware, Backdoor Access, Keyloggers, or any other form of Malware, Toolkits and Viruses (MTV) across a wide swath of forums and marketplaces. So, when you see the darknet exploding with discussions of a virus, one might not jump immediately to “infectious disease.”

However, the darknet is not all too far removed from mainstream society to ignore the pandemic we find ourselves facing. We’ve recently observed the emergence of coronavirus-related products, discussions, scams, and general hysteria across Tor, IRC, I2P, Telegram, and the like. Here are some examples of COVID-19 related ongoings amidst the recent outbreak.

“I sell my infected blood and saliva”

Thus far, we have come across at least one individual advertising the sale of live COVID-19. For $1,000, this enthusiastic vendor will allegedly ship you a biohazardous weapon in the form of their COVID-19 infected bodily fluids. Yikes. The only good news about this situation is that it is most certainly a scam.

Coronavirus vaccinations

Certain marketplaces and vendors are also claiming to have access to a vaccination for COVID-19. In the example below, a listing dated as having been posted last Saturday shows a vendor on Piazza (a darknet marketplace) offering to sell coronavirus vaccines AND antidotes to “serious buyers.”

Masks and hand-sanitizer

As eBay and Amazon conduct great efforts to scale-back sales of health and wellness products due to price gouging and fears of counterfeiting, the darknet is seeing a rise in listings for products in this category – including CDC-approved face masks.

Pricing for these masks has ranged considerably from what we’ve seen. The vendor in the screenshot below is selling a single mask for $342.00 (which was actually listed as at half-off its original price of $684.00 due to a promotion), while the vendor in the image above is selling 10 – 12 packs for around 30$.

There are also several listings for “stolen” masks. (It’s worth noting that this vendor also claims to have “african crafts and talismans with powers” for sale, and claims to be able to “blackmail anyone to do anything” for a price…so, probably not the most legit listing.)

Hand sanitizer has not appeared in the same measure, but given the amount of homemade recipes circulating the surface net, we imagine it is only a matter of time. We have found at least one listing for hand sanitizer, posted on Tor today (3/12/20).

Coronavirus themed forums, discussions and channels

Overall, it would appear that the darknet is reacting fairly similarly to the rest of the internet. There is a palpable amount of fear, uncertainty, panic….and those willing to capitalize on it.

Take this individual, for example, who is using the opportunity to tout his marijuana pills as a preventative step towards contracting the virus (pictured below).

With the extent of questions, ideas and conspiracy theories to be discussed, it is not surprise that various COVID-19 specific darknet forums have emerged as hubs for the community, including a dedicated subdread.

There are now also several Chinese coronavirus Telegram channels. While some seem to be just for general discussion, others appear to be tailored towards those under quarantine.

Considering that the Chinese government has reportedly been censoring terms related to COVID-19 on a WeChat, a popular chat app, it makes sense that Telegram has filled the gap to become a resource for open discussion about the COVID-19 pandemic.

Essentially, when it comes down it, what we’re seeing the most of, are people simply being human and wanting to talk about what’s going on.

What we’re watching for

As this global crisis continues to unfold, we’ll be keeping an eye on the darknet to see how the various severe social and economic measures being taken around the world to mitigate the spread of this virus, and to produce medical resources including testing kits and a vaccine, affect the darknet markets.

Will buyers continue to purchase items from marketplaces, without being sure of their country of origin? Will a potential scarcity in medical devices due to limited resources slow the production of the home-cooked drugs that most of these marketplaces are known for? We’re likely soon to find out, so be sure to check back for updates.

Quick Dive into recent trends in hackish data

DarkOwl continuously and autonomously exfiltrates darknet information 24/7. We then index, store, and score it according to how likely is this information to be interesting to criminals. Having this vantage point gives us unique insight into traffic and trends on the darknet, which we continually post about on our blog. One lens through which we can view our data to make theories – and sometimes even conclusions – about the reasons behind fluctuations in darknet traffic is a proprietary score that we call hackishness™ (algorithm pictured here).

In a nutshell, hackishness is a term DarkOwl uses to broadly describe the criminally relevance of any posting. The score runs from 0% to 100%, and is based upon a number of data points including context, recency, and the presence of nefarious material on the darknet page.  For example, a page with 100% hackishness might include PII, illegal goods or illicit information. On the other hand, a page with 0% hackishness might be something totally innocuous, such as a reprint of a news article.

Below is a graph representing the new, 95%-10% hackish posts found weekly in the DarkOwl Vision database from Mid-January to March 19, 2020. Upon observing the curious downward slope, followed by the sharp uptick in hackish content we collected in our database, I decided to take a closer look to see if we could determine why.

This graph shows that the amount of new darknet information was surprisingly stable from January 17, 2020 to February 27, 2020. The mean of this new weekly highly hackish data was 13,688 pages and the standard deviation was only 10.2.

But starting the week beginning 2/21/20, this darknet data tally fell by 13%, followed by a weekly drop of 27% the next week and 30% the week ending March 12, 2020. Interestingly, this trend downward began, the same week that global stock markets began to wobble. Just like global financial markets, the amount of new criminally interesting information was dropping precipitously.

Then, something different happened the week of March 13 to March 19, 2020. While global markets continued their decline, the number of new highly hackish data posts jumped to this year’s high. To see if we could provide an explanation for this sharp spike, we turned to what we call “Map the Dark” – which – among many other things – categorizes every piece of current and historical darknet content we find into 54 separate categories  

The graph below isolates the eight categories which account for what DarkOwl estimates was 92% of 10,832 new darknet posts from January 7, 2020 to March 19, 2020.

Breaking down these new results by category gives us some interesting insights into what may have caused this surge in hackish content.

Of these new posts, almost half (5,010) are related to Hosting. Why might that be? Likely this is due to the fact that on the evening of March 9, 2020, one of the most prominent darknet hosting platforms – Daniel’s hosting service – was hacked yet again. While darknet hosting sites go down periodically, the loss of Daniel’s has proven more problematic for those that operate on the darknet than others.

Thus, I theorize that the noticeable increase in hackish content categorized as Hosting likely derives from the nearly 800 users of Daniel’s hosting services adding new content to other hosting services as they migrated to other providers. This migration almost certainly accounts for most of the steep drop in darknet traffic observed in the middle of March and the rebound in the weeks following.

The second highest category is Directory, identified by content that contains link lists and darknet addresses for hidden services, and accounts for another 836 new posts. If we assume that the new content in the Hosting category and Directory category are related to the Daniel migration, that would account for 54% of the darknet change observed so far this year.

And what of the remaining 46% of the darknet changes observed since January? Actually, the second biggest jump in darknet posts were in Markets, at 1,969 new posts. Considering the timing, many of these could potentially have been Covid-19 related.

The remaining new posts include the Fraud, Counterfeit, and Scams categories. These 3 categories represent 8.3% of all the new hackish content, and represent that portion which are probably most closely related with new criminal activity designed to take advantage of the current Covid-19 panic. And lastly, the remaining portion of 368 new hackish darknet documents, or roughly 3% of the total, are linked to the Forum category, which the media focuses on far beyond its actual statistical weight.

Closing thoughts

Covid-19 related?

Much is being written continuously about the great daily changes that Covid-19 has wrought. When we set out to look at the reasoning behind the uptick in hackish content in our database, there was strong reason to believe that it may have been directly attributable to the pandemic. At this point in time, we cannot say for sure – in fact it would appear that that is not the case. Likely, the disintegration of Daniels’s hosting service has been much more impactful on darknet traffic than a few vendors attempting to sell surgical masks. But, as time passes from our collective mid-February realization that something monumental might be happening, more data has been collected and can analyzed to see if we are moving away from “normal” or back towards it.

Stay tuned for an upcoming analysis from our data team regarding the greater impact of Daniel’s Hosting take-down. Sign up to our newsletter to hear about it as soon as its published!

Overview

On the 31st of January, members of the dark web community began warning users of the imminent exit scam of Apollon cryptomarket. Apollon Market, established in March 2018, has developed into a market with credible reputation in recent months as other key longtime markets have disappeared or been seized by authorities.

After reviewing the archived market data captured by DarkOwl Vision, our analysts assess with high confidence that Apollon Market experienced a positively skewed distribution of activity driven by a surge of vendors appearing on the market in late 2019.

This evidence suggests that law enforcement efforts to curb criminal behavior on dark web markets through heavy DDoS and subsequent seizure increase vendor sales for those vendors who are highly mobile across marketplaces.

Furthermore, addictive psychoactive stimulants, such as methamphetamine and cocaine, appeared frequently in not only the top number of listings sold and offered, but also in revenue. This suggests a substantial rise in popularity on the dark web marketplaces for these goods (as compared to Baravalle, Lopez and Lee’s Mining the Dark Web).

Apollon Market is largely a drug market with self-advertised market data from their landing page, suggesting that drugs comprise over 75% of the goods on offer. DarkOwl Analysts reviewed these to uncover that many of the advertised listings are duplicative and some categorized incorrectly.

Despite this, on average, there are significantly more drugs offered than digital goods, but some vendors observed considerable larger revenue and return on investment in the digital goods market segment.

Quantitative Findings

• Since 2018, DarkOwl Vision archived 35,028 unique listings across 1761 vendor accounts on Apollon, comprised of a mixture of sales categories including drugs, digital goods, fraud, and malware.

• DarkOwl analysts assess the total value of the market is $10,986,561 USD based on total sales reported and the value of the listings offered at the current exchange rate from Bitcoin (BTC) to USD or Monero (XMR) to USD.

• The average revenue generated per vendor is $6,249 USD while the median revenue per vendor is $933.25 USD, suggesting that the distribution of the revenue across the market is heavily skewed, positively.

• Despite this positive skew, there appears to be an outlying segment of particularly high-revenue vendors with much higher reported revenue than the rest of the vendors in the market.

• This is supported by the fact the top 10 vendors in sales revenue amassed an estimated $1.6 Million USD in total sales, while 14% of all vendors reported no sales at any point during their tenure on the market. Some non-active vendor accounts could easily be used for test purposes or as a law enforcement honey pot. 

Countries of origin

Of the 35,028 unique listings, many do not specify the country of origin. Some merely state their location as “Worldwide,” suggesting that the vendor is potentially a network of suppliers around the world, the good can be delivered digitally, or the vendor is willing to assume the heightened risk of international shipping.

Of the 75% of listings that do provide a country of origin, 57% of the vendors claimed their goods or services originated within the USA, United Kingdom, Germany, and the Netherlands. 4.8% of them kept the country of origin generic as “Europe” and others specified generally unsuspecting locations such as the Pitcairn and Wallis and Futuna Islands in the South Pacific.

Listings

Drugs comprise the largest categorical segment of Apollon Market, with over 44,000 total listings, although some of these are duplicative [see Analyst’s Note below].

Of the drug listings, Cannabis, Stimulants, and Ecstasy comprise over 50% of those advertisements. A review of the total sales and revenue revealed that addictive, psychoactive stimulants were in the highest demand from this market, and the listing with the largest number of reported sales is Colombian Cocaine.

Based on current currency conversion rates for BTC to USD, the listing with the highest estimated revenue is a private “VIP” Digital Good offered by long-time dark web vendor, Gfellas, while the remaining 4 top revenue-generating listings were all drug related.

Analyst’s Note: Bear in mind that since the exit scam began, the market administration has been deactivating older listings, erroneously categorizing many advertisements across multiple categories, and manipulating vendor login data, prompting the need for a more rigorous review of the listing titles and descriptions using machine learning at a later time.   

Apollon Market’s Evolution over Time

In comparison to other dark web cryptomarkets’ longevity before exit scam or seizure, Apollon had a considerable run, trading for almost two years with minimal downtime. During the first few months, little activity occurred on the market, but the market showed considerable pickup in total number of vendors trading after other key markets went offline.

Market closures drive traffic

In July 2019, when Nightmare Market exit-scammed, DarkOwl observed that the total number of vendors on Apollon nearly doubled.

In October 2019, Berlusconi was seized by the Italian authorities, followed shortly by Cryptonia, which disappeared in late November 2019. After Berlusconi’s seizure, several vendors used their credibility from years of trading on those markets as imported feedback to drive a high volume of sales on Apollon.

Apollon experienced the largest number of new vendor registrations in December 2019, post Cryptonia, at 390 new vendors.

Key Vendors

The top ten vendors by total number of listings along with their corresponding number of total sales are provided in the chart below. The top ten vendors in volume of offers does not link with those grossing the highest revenue nor having the highest total number of sales.

The top 3 vendors in revenue comprise 6% of all the revenue of Apollon Market while the top 10 vendors accumulated over $1.6 Million USD in total sales. The top vendors with the highest revenue trafficked drugs, suggesting that dealing in drugs yields higher gross income on dark web markets than digital goods or fraud services, such as fake passports.

The first market vendors

Despite the fact the market’s reported established date is March 2018, 45 vendors appeared on the market on 10 July 2018. DarkOwl assumes during the first three months, the market was likely in a testing phase and did not have any active trading occurring. Of those vendors appearing on 10 July 2018, the vendors with the largest total sales, were Dr.White3, g0ldenboy, HeinekenExpress, usagear, stanovo1ONLY, SUDO, and NUTSPRACKER; however, none of these vendors appear in the top 20 revenue-generating vendors list at the time we conducted analysis.

Vendors with the highest revenue

Based on historical market data and the current vendor profiles, the vendor using the moniker magicblue migrated over to Apollon in mid-September 2019, shortly before the announcement of Berlusconi’s seizure by Italian authorities. The vendor brought with them significant positive feedback and credibility from their years trading on Berlusconi.  Shipping their orders from Germany, magicblue’s principle drug market is ecstasy and LSD. Their highest value listing on Apollon Market is 250g of A+++ MDMA “top quality” at $812 USD per order.

Conclusion

DarkOwl Analysts’ analytical survey into Apollon Market yielded insight into the evolution of the cryptomarket in vendor registrations and listings, countries of origin and shipping, and general revenue generating activity. At time of writing, the market value is at $10.9 Million USD (based on an exchange rate of 1 BTC = $10,222.7 USD, the value at time of analysis) with addictive, psychoactive stimulants as the most popular, highest revenue generating category of drugs offered on the market.

Overall, Apollon Market is positively skewed distribution of revenue with the surge in vendor registrations and activity after Nightmare, Berlusconi, and Cryptonia disappeared either due to exit scam or market seizure. Vendors brought with them credibility and positive customer feedback and immediately began trafficking their goods and earning revenue. Like the Greek mythological Hydra, concerted efforts by law enforcement to remove drug trafficking on the dark web merely strengthens the resolve of the community and drug vendors continue to be highly mobile and attain uninterrupted success on emerging markets.

Denver, CO – February 14, 2020 – DarkOwl LLC, a Denver-based darknet data provider, is proud to announce the roll-out of our new Vision User Interface (UI). The DarkOwl Vision platform continues to automatically, continuously, and anonymously collect, index, and rank darknet, deep web, and high-risk surface net data.

DarkOwl Director of Product, Sarah Prime noted, “We have many initiatives planned for 2020, and this is just the beginning; this new design makes it easier and more efficient to find threats and compromised data on the darknet. We’re excited to continue adding features to better serve our customers.”

Vision’s new UI improves simplicity of use and allows for more intuitive navigation of our darknet collection. Aligning with modern design principles, the enhanced UI also allows for improved monitoring by making it simpler to automate searches, one of our most heavily used features. By making other improvements such as allowing users to access all of their data from the first page and streamlining commonly used search tools such as Filters, our new UI makes our data more accessible and actionable than ever.

“I am very proud of our product and development teams for the work they have put in on this new release. Our new UI is even more intuitive, faster, and will provide a range of new tools to parse the larger amount of data we now collect and index from the dark net. This is a big step for DarkOwl’s customers.” said Mark Turnage, CEO of DarkOwl.

Media Contact: [email protected]

About DarkOwl DarkOwl was founded in 2016 with the mission of collecting the broadest dataset of darknet content available in the cyberdefense industry and making that data both accessible and valuable to its clients. By empowering its customers to have eyes on the darknet, DarkOwl enables organizations to fully understand their security posture, detect potential breaches, mitigate them quickly, and investigate even the furthest and most obscure reaches of the internet. .

In July of 2019, 7.5 TB worth of documents that were stolen from a Russian FSB contractor known as SyTech were published on the darknet by the hacker group 0v1ru$. Included in the documents is a project known as “HOPE,” which contains contents focused on how Russia intends to control the flow of information within and outside of their borders. While the notion and development of nation-wide intranets that exist in isolation from the global internet at the behest of nation-state authorities is nothing new (and in fact it has become increasingly common), it remains noteworthy – largely due to its association with politically oppressive regimes.

After discovering the leaked SyTech documents on DarkOwl Vision (pictured below), our analysts decided to take a closer look at project HOPE due to its relevancy to decentralized internets (including darknets). Upon conducting this analysis, DarkOwl researchers determined that Russia has been developing some of these plans as far back as 2012 and have concluded that it is very likely that HOPE was the foundation for Russia’s new Sovereign Internet Law, which was recently enacted on November 1st, 2019.

The SyTech leak

WHO IS SYTECH?

SyTech was a Russian Federal Security Service (a.k.a. the FSB, the successor agency to the KGB) contractor registered in Moscow that primarily focused on electronic and signals intelligence research. Publicly disclosed customers of the FSB include the national satellite communications operator JSC RT Komm.ru and the analytical center of the judicial department under the Supreme Court of Russia. Other non-public projects were commissioned by military unit no. 71330, which is believed to be part of the 16th Directorate of the FSB – who were accused of sending files with spyware to Ukrainian military and intelligence agencies in March 2015. Ironically, SyTech is also located in the same building the 16th Directorate of the KGB of the USSR previously occupied. Their 2018 public contract value was 40 million rubles, or $622,631 USD.

SYTECH HACKED

On July 13, 2019, SyTech suffered what BBC Russia called “possibly the largest data leak in the history of Russian intelligence services” when a group of hackers identified as 0v1ru$ gained access to an active directory server, stole 7.5TB of data, and defaced their webpage with a “yoba-face” (pictured to the right).

Though the image was first posted to 4chan in 2008, it is now most prominently associated with this breach, as evidenced by the spike on GoogleTrends on the date the hack was published. Analysis of screenshots posted by 0v1ru$ suggests that the tools used to gain access were ticketer.py, PSExec, and proxychains.

The leaked data includes 20 non-public IT projects ordered by Russian special services and departments. 0v1ru$ copied the data, deleted it from SyTech servers according to Twitter screenshots (pictured), and shared the documents with Digital Revolution, a separate (to our knowledge) hacking group who successfully breached Kvant Research Institute in 2018. Digital Revolution shared the documents with journalists, published screenshots of information on their Twitter – while mocking Russian officials – and the documents became widely available across the darknet.

In the aftermath of these events, 0v1ru$’s Twitter account was deleted, and there has been no word from them since the day of the hack. It is unknown if they deleted their Twitter account or if Twitter removed the account. Their motive is unclear, though it seems the group was small in membership. Digital Revolution published a written piece encouraging dissent against Russian authorities in the wake of these documents in early August 2019, and have been silent since. SyTech’s website has been offline since the defacement and no official statement regarding the hack or the future of SyTech was published. It is unclear if SyTech still exists, has been restructured, or dissolved after the leak.

There was no comment from the FSB, though BBC Russia reports no state secrets were leaked. Some have noted that this is another example of contractors being the weakest link in maintaining secrecy during research and development. 

PROJECT HOPE

Though media widely reported on the SyTech hack itself, very few individuals or media outlets have examined the contents of the leaked documents. The level of detail, total amount of information, and potentially compromising information is not apparent from reading currently published reports; in most cases, a brief summary of a handful of the 20 projects is provided, and often, these summaries are not in English. DarkOwl analysts have obtained these documents and conducted analysis to: 

1)    Examine the extent of leaked information – were only project summaries leaked, or entire proprietary technical plans?

2)   Examine the impact of leaked information – did this leak impact or result in any legal or social issues in the future?

3)   Examine the utility in analyzing leaked information – does the resources expended to acquire and analyze these documents produce actionable intel, open further lines of inquiry, or increase our knowledge base surrounding these issues?

To accomplish these goals, DarkOwl analysts examined one of the twenty leaked projects: надежда, or Nadezhda, which translates in English to HOPE.

It is apparant that HOPE’s main directive was to develop a method of disconnecting Russia from the global internet, while allowing information to still travel within Russia; in other words, they sought to develop their own nation-wide intranet. Purportedly, this would aid in protection from a foreign cyberattack – allowing Russian authorities to theoretically “unplug” Russia from the global internet to halt foreign attacks – if the technology developed via this project proved successful.

This work was carried out between April 1, 2013 and October 31, 2014 and was funded by Russia’s military unit no. 71330.

Once extracted, it was discovered that, unsurprisingly, the entire HOPE folder was in Russian. The folder contained 5 Microsoft Word documents, and a PowerPoint presentation. The bulk of the information from the documents was translated via Google Translate, though Russian translators assisted in the interpretation of potentially inaccurate or mistranslated words. One document in the leak indicates that it is likely all of these documents are components of a larger “Scientific and Technical Report” on the HOPE project, totaling 519 pages, 82 figures, 201 tables, 110 literature sources, and 7 appendices.

A CLOSER LOOK AT THE CONTENT OF THE DOCUMENTS

The SyTech developed PowerPoint presentation appears to be a summary of the research and development conducted during the HOPE project. It is likely this was created near the end of the project in 2014 and presented to military unit no. 71330. It summarizes the work completed by SyTech, but also names and summarizes the work done by other collaborators on the HOPE project. According to this, the collaborators of HOPE are:

• SyTech, who primarily focused on the visualization and analysis of cross-border routes for Internet traffic

• The RZNF Federal State Unitary Enterprise, who worked on a project codenamed “Nadezhda-T”, aimed at monitoring and filtering traffic

• Institute for Security and Information Analysis, responsible for compiling the work done on HOPE and testing it and training future users

The presentation also lists the sources of information they used, which are primarily in English and are publicly available. The results indicated success in achieving their research goals at a small scale but raises concerns about scalability.

The Word documents are components of a larger “Scientific and Technical Report” on the HOPE project, written at various stages in the project. One of the final documents suggest interim and final reports, thus there is some degree of overlap in the information included in these documents.

The first document is only 2 pages and seems to have been created at the genesis of the HOPE project. It was likely created in November or December of 2012 and states a generic goal of “studying the principles of cross border routing on the internet”. It also states goals of examining vulnerabilities in TCP and Border Gateway Protocol (BGP), routing traffic through trusted government nodes, and the storage and analysis of traffic through these nodes.

All other documents are components of the Scientific and Technical Report at various stages in development. Two of these documents are highly technical examinations of topics such as traffic routing tests, BGP tests, and development of special visualization software.

Of particular interest for this post is a 260-page document that indicates it is the final version of the Scientific and Technical Report. This appears to have been delivered to the customer at the same time the PowerPoint was created and delivered. It includes details such as:

• the required software and OS

• shared libraries

• server platforms

• the inclusion of government connections.

There is also some discussion of the use of deep packet inspection to analyze traffic, and criteria that may be used to filter and direct traffic. The report suggests that the research goals were met on a small scale; this includes the development of “state machines” provided to ISPs and includes diagrams of the machines and their functionality.

KEY TAKEAWAYS

These leaked documents show that SyTech and others were early in the development and testing phases of a project that was concerned with monitoring internet traffic, routing traffic based on state-developed criteria, and gaining control over internet access within the borders of Russia. In 2013-2014, when this project was underway, most work focused on what appears to be proof-of- concept/prototype development. To our knowledge, this was not tested on a larger scale, though the documents do indicate some concern over scalability. However, the PowerPoint indicated large-scale testing would be the responsibility of a non-SyTech body, thus, wouldn’t be included in these leaked project files. It should be noted that involvement of other agencies in the HOPE project has not been reported in media reports to date. 

Analysis of the technical documents suggest that control of internet traffic would be primarily accomplished by state sponsored BGP hijacking. A full analysis of this process is outside the scope of this post, but effectively, BGP hijacking uses the assumption that interconnected networks are telling the truth about which IP addresses they own to maliciously reroute internet traffic. In layman terms, it has been compared to changing out the exit signs on a stretch of freeway and rerouting traffic to incorrect exits, if no one were watching the freeway signs. BGP is managed by ISPs; considering the extensive research SyTech conducted into BGP traffic and the installation of technology at Russian ISPs, it is a strong possibility that BGP hijacking is the foundation for Russia’s plans to control the internet.

Since HOPE was carried out, there has been a great amount of reporting and concern surrounding the development of Russia’s nation-wide intranet. DarkOwl analysts believe it is likely that HOPE became the foundation for what is now known as Russia’s Sovereign Internet Law.

Russia’s Sovereign Internet Law

On November 1, 2019, Russia’s Sovereign Internet Law took effect, giving Russian government officials a higher degree of control over the nation’s internet access and content. Ostensibly, the law is aimed to protect the nation’s cybersecurity by allowing government officials to block access to content when an “emergency” has been declared.

POLICY CHANGES DUE TO ENACTMENT OF THE LAW

In practice, the law has the largest impact on internet service providers located in Russia. Under this law, ISPs are required to:

1.         Install equipment that routes Russian internet traffic through state-controlled servers in the country

2.         Install equipment capable of deep-packet inspection, which is capable of not only identifying the source of traffic but the filtration of content

The first requirement is aimed at creating a new DNS system that can filter traffic in a way that data sent between Russians reaches its destination while any traffic directed towards foreign computers is discarded. Theoretically, this allows for Russia to essentially “unplug” from the global internet while nation-wide Runet service is uninterrupted. This is purportedly to protect Russia in the event of foreign cyberattacks or sanctions that attempt to isolate the country’s internet presence; for example, when US Cyber Command cut off internet access to the infamous Kremlin-backed Internet Research Agency in efforts to defend the 2018 US Midterm Elections against foreign interference. Notably, this new DNS system is not expected to take effect until 2021.

The second requirement allows state regulators to filter traffic and block what it wants on a granular level; elements as small as individual social media and forum posts can be examined and blocked based on the content of the messaging. Deep packet inspection (DPI) technology is universally used by ISPs to prioritize traffic and block unwanted protocols; however, in this case, the traffic is not controlled by the ISPs but rather Russian communications regulator Roskomnadzor. The language surrounding this aspect of the law is, likely purposefully, vague; the law gives regulators full discretion to decide what constitutes a security threat or dissent that may harm the “stability, security, and integrity” of the internet. According to open source reporting, tests of Russian DPI technology will continue in the Urals region until the end of 2019.

PUBLIC RECEPTION OF THE LAW

The degree to which the Russian government can control the flow of information due to this law has drawn strong reactions from both the Russian populace and international community.

According to research conducted by the Russian state-sponsored pollster, VTsIOM, 52% of Russians indicated they were opposed to the sovereign internet bill and the internet should play a role in “uniting the whole world”, while only 23% believed the internet should be limited to the country’s borders. Rallies opposing the bill in Moscow, Voronezh, and Khabarovsk were “some of the biggest protests” in years, totaling over 15,000 people in Moscow alone (though police estimated only 6500 attendees). The law has often been referred to as a digital Iron Curtain, harkening back to the Cold War separation of the USSR and the West.

Outside of Russia, the law has been almost universally condemned. Ten human rights, media, and Internet freedom organizations released a joint statement criticizing the law and calling on President Putin to not sign it – though he did one week after publication of the statement. They and others suggest that the law does not satisfactorily define what constitutes security threats and appropriate responses and lends the government too much discretion in how these laws will be enforced. There are also no legal protections for internet users to prevent ISPs from accessing, collecting, and selling the information gleaned via DPI. Many view this new law as continuing the erosion of internet freedoms in Russia; Freedom House categorizes Russia as “Not Free” and argues internet freedom is continuing to decline because of this law and other policies. For instance, according to a report from the Agora International Human Rights Group, someone in Russia was imprisoned for their online activities every 8 days in 2017.

CRITICISMS OF THE LAW

Moving beyond criticisms based in human rights and social issues surrounding the law, numerous technical experts are skeptical that enforcement of the law is currently possible. Both the establishment of a nation-wide intranet and DPI inspection of all traffic faces numerous, possibly insurmountable, technical hurdles.

Many experts are quick to point out that the Russian development of their alternate DNS system is dissimilar to China’s Great Firewall; whereas China’s internet was developed via a small number of state-run network operators – with a goal of restricting access in mind – Russia’s internet has developed freely over the last 30 years. Undoing that development would be a monumental task; the more developed a country’s infrastructure, the more laborious the blackout procedure becomes. David Belson, the senior director of Internet Research and Analysis at Internet Society, told NPR:

“..there were dozens of existing internet exchange points in Russia, some of which have hundreds of participants… basically its challenging – if not impossible, I think – to completely isolate the Russian Internet.”

Twelve organizations oversee the root servers for the current DNS system; zero of these are located in Russia. Undoing those global network connections will be difficult, and this kind of regulatory model could risk damaging the reliability of internet connections in Russia. According to Sophos:

“Internet traffic isn’t like a pipe that can be turned on and off or diverted at will. It functions as a cooperative system in which Russian ISPs must peer traffic that is heading to other destinations in ways that belie simple concepts of internal and external, good and bad.”

Some predict that, if nation-wide separation from the global internet proves impossible, it will be more likely that specific regions within the country can be disconnected for short periods of time.

Previous attempts at using law to forbid a form of technology has failed; last year, Russia attempted to ban the messaging app Telegram for refusing to provide encryption keys to Russian authority, to practically no effect, other than simultaneously blocking access to allowed content. Experts also point out that the rhetoric surrounding this bill regards protection from foreign cyberattacks, yet the DPI requirement of the law only serves to increase control of internet within Russia. Law-abiding users will notice the change; the installation of DPI equipment across all ISPs in Russia has been compared to the crush of passengers trying to get on the Moscow metro at rush hour.

There is no consensus among experts what impact this law will have long-term; it may lead to the types of humans rights violations watchdogs are worried about, or it could cause no change at all. It is also uncertain how this law may impact Russian darknet activity, even among Russian darknet users (Figure 8). Activity may increase as users seek to circumvent the newly enacted law; it may decrease if the technology implemented is sophisticated enough to limit dark web activity. Theoretically, BGP hijacking could manipulate and control entry relay node traffic which would destroy the anonymity provided by Tor for Russian users.

Russia has a sizable presence on the dark web and is the most common foreign language in DarkOwl’s database; DarkOwl will continue to monitor this activity for any changes or modifications of dark web use.

Final takeaways: Project HOPE, Russia’s new restrictive law, and the internet as a human rights issue

CONCLUSIONS REGARDING THE LEAKED PROJECT HOPE DOCUMENTS

Upon revisiting the questions we sought to answer during our analysis of the leaked documents, we were able to come to several conclusions:

1.         Examine the extent of leaked information – were only project summaries leaked, or entire proprietary technical plans? 

Hackers leaked extensive documentation surrounding the HOPE project on the dark web. The leak included project summaries, supporting technical documents, test results, and the final customer product. It is clear there was much more leaked than what was reported via most media sources and raises numerous questions over what is contained in the leaks of other projects from SyTech.

2.         Examine the impact of leaked information – did this leak impact or result in any legal or social issues in the future?

Although it cannot be directly linked, the preponderance of evidence suggests that HOPE was a precursor to the Russia Sovereign Internet Law. The stated goals and methods discussed in HOPE directly reflect the realities of the Sovereign Internet Law. Though the official response minimized the impact of these leaks, the documents demonstrate a clear connection to future legal and social developments. 

3.         Examine the utility in analyzing leaked information – does the resources expended to acquire and analyze these documents produce actionable intel, open further lines of inquiry, or increase our knowledge base surrounding these issues? 

The examination of these documents provided insights unavailable in any other report or analysis of the SyTech hack. Considering the information obtained and that HOPE likely resulted in a divisive law, future research should be conducted on the other leaked documents in efforts to predict other future policy or technological development.

THE INTERNET AS A HUMAN RIGHTS ISSUE

The United Nations Human Rights Council (UNHRC) has consistently stressed the importance of taking a human rights based approach to internet access. In June of 2016, the UNHRC passed resolution A/HRC/38/L.20, addressing “the promotion, protection, and enjoyment of human rights on the internet.” The resolution affirms that the “same rights people have offline must be protected online,” and outlines the perceived importance of internet access to the human rights protections of the citizens of member nations. 

Press coverage of the initiative reported that, despite passing with consensus, Russia and China opposed this resolution and sought to remove language relating to the “human-rights based approach” to internet access. This is relatively unsurprising; China’s “Great Firewall” stratagem to internet censorship is well-documented by academics, human rights watchdogs, and western media. Furthermore, the notion of free access and usage of the internet has been under attack by various nation-states, as reports of government-backed nationwide internet outages, social media blackouts during military conflict, the criminalization of dissent, and the murder of bloggers and journalists have only increased in the public eye since the passing of this resolution. 

The UNHRC further demonstrated this commitment to internet freedom in July of 2018 when they reaffirmed the internet protection resolution – with no States formally dissociating from the language in the resolution. However, the emphasis on protecting human rights online as well as offline is minimized in this resolution, and the United States no longer is listed as a participating State.

Further developments have shown no signs of Russia slowing down in their pursuit of state-controlled internet, often hiding behind a veil of curbing cybercrime. Other nations such as Iran have followed suit and have begun exercising control over internet access.

WILL THESE NEW RESTRICTIONS LEAD TO AN INCREASE IN DARK WEB USERSHIP?

In name, the Russian Sovereign Internet Law is already in effect. However, the social impact from this law will not be felt until later, and it is uncertain how this law will alter the amount and type of activity on the dark web, if at all.

Fundamental changes in the structure of the internet don’t occur overnight, or over just a few years – research, development, and implementation of this technology took nearly a decade via the HOPE project, and still isn’t close to completion. If we want to see what is coming next, it may be best to look at similar projects that are being researched now rather than wait for their deployment.

An introductory overview of Nation-State Actors on the dark web

One defining characteristic of the dark web is its association with criminal activity. In general, it is known as a haven for drug and gun dealers, hackers, pornographers, scam artists and other criminals. But, this stereotype may at times be oversimplified. While there are some objectively clear cut parameters of criminality, there also is a grey area comprised of politically motivated operatives who may or may not be committing crimes as commonly defined, but are nevertheless acting to influence and further an agenda of their own making. These groups, including Nation-State Actors – state-sponsored hackers with a cyber warfare mission – are worth examining in their own right.

Why Nation-States turn to the dark web

The dark web provides an anonymous environment in which anyone can operate.  Of importance and relevance to Nation-States, a number of key objectives can be carried out under this cloak of anonymity. Nation-State Cyber Actors will utilize the dark web to conduct intelligence collection and source development, government and corporate espionage, exploit development and testing, disinformation operations for geopolitical influence, infrastructure disruption, and financial gain.

• Intelligence and Espionage — The early beginnings of cyber-based information operations were conducted by the US government’s National Security Agency (NSA) and China’s People’s Liberation Army (PLA). While the NSA used information operations for covert intelligence collection from foreign adversaries, China is well known for its extensive espionage and intellectual property theft activities with much success. This includes surveillance of its own citizens and their use of the dark web to attempt to circumvent state controls.

• Infrastructure Disruption — Nation-State-funded cyber campaigns against other Nation-States has become wide-spread, principally targeting networks containing sensitive government or corporate information and strategic plans. In late 2015, Russia demonstrated how kinetic attacks conducted against critical infrastructure (e.g., telecommunications, utilities, etc.) and information outlets could cripple a Nation-State, with hacks against Ukraine during on-going conflicts over Crimea. Additional cyber-based attempts to infiltrate key US utilities infrastructure has been detected and reported by the US Department of Homeland Security and multiple cybersecurity researchers.

• Activism and Propaganda — Whether it is religious differences in the Middle East or ideological differences in the South China Sea, political activism and propaganda have been an effective weapon of Nation-States for decades. Given society’s shift to persistent digital communications, cyber has become a preferred medium for this type of activity. Nation-States, both large and small, have used cyber activity to do everything from promoting their agendas, to propping up proxy states both in the dark web and across social media platforms.

• Exploit Acquisition and Development – Many blackhat exploits are discussed in dark web forums and encrypted chats, as frequently observed on DarkOwl Vision. System vulnerabilities are detailed and shared for all types of critical operating systems and unix distributions. The dark web provides a valuable resource for researching and testing source code anonymously.

• Profitability – Countries facing extreme US and UN economic sanctions are turning to the dark web for financial gain. In recent years, North Korea has been successful in launching nation-wide banking system hacks across east Asia.

What Nation-State Actors are significant in the dark web

Over the past several years, DarkOwl researchers have noted that Nation-States are increasingly using the dark web as an information-based battlefield for a variety of key intelligence and cyber military campaigns. In the era of digital information operations, the United States, Russia and China are the primary Nation-State actors discussed in mass media and open source reporting. While it is true the United States, Russia and China still clearly lead in cyber-focused financial resources and manpower, there has been a significant rise of less well known Nation-States due to the release of advanced exploits leaked in recent years and available reverse engineering.

Analysis: Estimating the most powerful Nation-State Actors on the dark web (by country)

Background on global cyber warfare climate:

Modern cyber warfare has a much older pedigree than one would suspect originating from influence warfare and propaganda campaigns during WW1. Information Operations and Influence Warfare is a concept used widely since the world wars where Americans and the British effectively used propaganda to influence attitudes around the world. Influence warfare has been used ever since both covertly and overtly to influence geo-political events and populations. A most recent example is Russia’s troll farm setup by the Internet Research Agency to influence US citizens during the 2016 Presidential election. Information Operations in the digital sphere has been well-formulated and established by the US government in military field manuals and standard operating procedures.

The making of a cyber superpower: Money, Manpower, Skill and Influence

DarkOwl has undertaken an estimation of the relative power of Nation-States in the darknet, along the axis defined above. Of the four variables used by our analysts to determine the extent of a Nation-State’s cyber power — Money, International Influence, Manpower and Skill — the US, Russia and China lead in all four categories. All three countries have significant capital at their disposal, as well as the academic infrastructure backing cyber related research and a formidable presence on the economic world stage.

Evaluating an additional 16 key Nation-States against these same four variables provides insight into their presence on the dark web and preferential use of cyber as a weapon. However, the release of cyber tools previously belonging exclusively to the NSA and the CIA have offered formerly less-powerful nations the ability to reframe themselves as power players and gain influence that was previously unattainable to them.

NOTE: a review of all the countries individually can be found at the end of this post in the Annex section.

A changing landscape: A look at the new tools that Nation-States are using on the dark web

Shadow Brokers & the release of Vault 7/8

In the summer of 2016, the mysterious hacking group Shadow Brokers began releasing multiple sets of “ops disks” (toolkits) used by the US National Security Agency that they had nefariously collected using persistent access since 2013. The unprecedented data gave insight into the inner workings of the most sophisticated hacking organization in the world, NSA’s Tailored Access Operations (TAO). The disks included UNITEDRAKE’s “fully extensible remote collection system” also mentioned in data released by Edward Snowden, infamous NSA whistleblower still in exile in Russia. Pronounced “United Rake,” this customizable malware supports espionage and mass surveillance with such abilities as capturing IP camera and microphone output, log keyboard input, access external drive data. This toolset also provides the unique capability to disguise the origin of the attack, effectively projecting attribution onto another country or hacking group.

Wikileaks followed shortly thereafter with releases of CIA’s infamous Vault 7 and 8, which included one of the largest collection of confidential documents to ever slip out of the CIA. The Vault 7 release discussed the Remote Device Branch’s project UMBRAGE group sophisticated false flag operations as well Weeping Angel, where IoT devices, such as smart televisions are exploited for use as spyware.

The most notable leak from the CIA Vault 8 was HIVE, a multi-platform CIA malware suite with its associated control software. The project provides hidden customizable “implants” for Windows, MikroTik (used in internet routers), Sun Solaris, and Linux platforms. HIVE also included a comprehensive Listening Post (LP) and Command and Control (C2) infrastructure to communicate with these implants that have been extensively studied and now in the arsenal of various international hacking groups of all skill levels ranging from amateur script kiddies to advanced cyber Nation-State Actors.

How the release of these tools are leveling and redefining the Nation State Actor playing field

The leaked source code for these NSA and CIA cyber tools are readily available and discussed in dark web communities. Dark Web enthusiasts on YouTube have posted downloadable videos walking their viewers through the specifics of these advanced exploits. While the US, China, and Russia continue to develop new even more sophisticated cyber weapons, other Nation-States with an emerging cyber capability can now – as a result of these leaks – have the resources and the knowledge to attack other nation’s network infrastructure and conceal the origin of the attack, further complicating the global nation station cyber environment.

The availability of such tools brings into question much of the cybersecurity’s reporting around Nation-State attack attribution. For example, in early October of this year, Microsoft reported that they had witnessed ‘significant’ activity throughout the summer against current and former US government officials, journalists covering global politics and prominent Iranians living outside of Iran. The group Microsoft is calling “Phosophorous” made more than 2700 attempts to identify consumer accounts that could prove potential entry attack vectors. The group, believed to be from Iran, indiscriminately attacked both personal and work email addresses and attacks also included attempts at infiltrating President Trump’s reelection campaign.

Recently, NSA revealed that Russian hackers from the infamous “Turla group” co-opted Iranian tools and conducted numerous attacks across industries in dozens of countries in recent months. Leveraging Iranian developed malware, Nautilus and Neuron, in combination with one of its own toolkits, called Snake, Turla obtained access to targets by scouring their networks for backdoors that had been inserted by Iranian hackers. Again, further confusion to attack attribution.

Detection of Nation-State Actors on the Dark Web

As one would suspect, Nation-State Actors are not immediately apparent on the dark web. When a Nation-State launches an operational attack on an entity, or steals critical information, it has little need or desire to put that data up for sale or otherwise dump it across anonymous networks. Likewise, governments will not announce intelligence collection or law enforcement gathering activities unless for the sole purpose of psychological diversion.

After spending the last five years archiving dark web anonymous services and interacting with the dark web community, DarkOwl analysts have identified a number of Nation-State Actors “fingerprints.” We see dark web these fingerprints as both indications and motivators associated with nation state actors use of anonymous networks.

Dark web Nation-State Actors have some key fingerprints that correlate to their motivating uses for the dark web.

a)    Nation-State Actors use the dark web to purchase and steal cyber exploits

Nation-State Actors obtain open source cyber exploits from underground markets in order to perform reverse engineering – often to successfully construct software to counter any attack where such exploit is used against a government or critical network. A key identifier of a Nation-State Actor posing as an exploit buyer is the availability of a significant budget and financial resources to acquire the goods on offer. Regular dark web users regularly discuss ‘tells’ for detecting law enforcement and/or intelligence agents on the network.

b)    Nation-State Actors obtain credentials on hostile governments and other entities of geo-political or military interest.

For example, the dark web is replete with US *.gov email addresses that could be exploited for brute force network intrusion or targeted phishing campaigns. As of the time of this publication, DarkOwl Vision detected over 550,000 dark web pages with credentials including a .gov email address.

Iran also has a significant government footprint of leaked credentials and network information, but it cannot be readily discerned whether this information was leaked by another Nation-State Actor or a team of vigilante hackers. For example, the hacker IranDokht is likely affiliated with a recent deep web paste by user slntar that included several dozen Government of Iran website admin panels for malicious targeting.

c)     Elaborate spear-phishing campaigns are not only utilized by criminals targeting corporate networks, but Nation-State Actors employ these as well for their political and militaristic agendas.

Recent reporting suggests that North Korea has successfully used phishing for obtaining access to numerous academic research organizations and critical US think tanks, using China’s model for technological advancement via digital espionage. During Operation STOLEN PENCIL, North Korea targeted Stanford University’s nuclear programs, proliferation, and polices group. Operation infrastructure overlapped with other campaigns conducted by North Korea. One of the IP addresses used in this campaign, (157.7.184.15) also hosted the domain bigwnet[.]com, which was used as the command-and-control infrastructure for the malware “BabyShark”.

Earlier this year, DarkOwl detected an Iran-based IP address (5.160.246.99) was associated with a list of UK-government domains, specifically Her Majesty’s Revenue & Customs (HMRC) in a targeted phishing campaign.

d)    Nation-State Actors have used the dark web to conduct kinetic attacks against opponent’s Infrastructure.

In 2017, Iran conducted cyber attacks against safety systems at Saudi Arabia’s Aramco, one of the largest oil producer in the world. Hackers used the Triton malware to alter one of these facility’s safety controllers, which resulted in the controller shutting down an unspecified industrial process. In 2015, Russia successfully demonstrated shutting down Ukrainian power grids during political protests. Russia is also believed to be behind a number of attacks against Irish energy networks, possibly a testing ground for exploit development planned to use against more formidable opponents.

A recent release from the US CYBERCOM suggested that the US had successfully planted covert malware in Russia’s electrical power grid to kinetically interrupt Russia’s infrastructure in the event of a future attack, e.g. 2020 Presidential election in response to Russia accessing key nuclear safety systems in 2018.

In the summer of 2019, shortly before Black Hat 2019, Microsoft has reported in April that its Threat Intelligence Center discovered a targeted attack against IoT devices including: a voice-over-IP (VOIP) phone, a printer and a video decoder. The attack hit multiple locations, using the devices as soft access points into wider corporate networks. Two of the three devices still carried factory security settings, the software on the third hadn’t been updated. Microsoft attributed the attack to a Russian group it calls Strontium, an alternate name for the group, Fancy Bear. Cyber security researchers have identified this group as APT28. A week ago, the same state-sponsored hacking group was linked to the hacking of the secure email accounts of researchers investigating crimes alleged to have been committed by the Russian state. Fancy Bear / APT28, Fancy Bear also key to ioT hacking (according to Microsoft).

e)    Nation-States use the dark web to gain political influence by doxing political opponents.

According to the Mueller report, Guccifer 2.0’s successfully breached the DNC during the 2016 campaign and the information gained was carefully released to influence the US election. Numerous doxes of various key international figures on Tor’s DoxBin. doxbwurbe475dm5i[.]onion. Also, President Trump has been extensively doxed with numerous examples from dark web services Cebolla and DoxBin.

f)      Dark Web Propaganda.

The effective use of propaganda is a key feature of a successful information operations effort. Malicious information about a political or military opponent can be leaked at critical times to influence the outcome and public opinion. The dark web contains numerous examples where government data from nations has been leaked to hidden forums and paste sites for political gain and international influence.

Similarly, the Guardian reported that it was a Saudi-cybersecurity unit that had been ordered to ‘hack’ its computer networks due the Guardian’s critical reporting of the KSA’s overt murder of Washington Post journalist, Jamal Khashoggi.

g)     One of the most basic fingerprints of the Nation-State actors on the dark web is intelligence collection.

It a widely known “secret” that key HUMINT (human intelligence) collection is conducted by Israel’s Mossad and the US CIA in dark web forums, chatrooms and internet relay chats. Agents are regularly called out and teased for their overt presence in some popular dark web rooms.

Critical US defense technology has been released on the dark web and available for intelligence collection and reverse engineering by foreign adversaries. For example, last year, US military specifications for the MQ-9 Reaper Drone appeared on the dark web for sale and was widely proliferated. Sensitive information involving the MQ-9 Reaper drone and other military documents were stolen from a US Air Force captain’s computer.

Open source reporting reveled that Israel’s Whatsapp intelligence collection tool, Peagsus, had been deployed in 45 different countries for mobile phone collection and even sold to Saudi Arabia for monitoring potential dissidents in the country in a more covert means of intelligence collection. A recent hack of Russia’s contractor, SyTech discussed an effort to de-anonymize Tor, potentially revealing the true identifies of visitors to and hosts of hidden services on the dark network.

Editor’s note: We’d like to be clear that policing and legitimate law enforcement activity in the dark web has been intentionally compartmentalized from Nation-State Actors on the dark web in this report. We have not assumed they work independently of each other; law enforcement is a critical branch of government infrastructures and more integrally involved with smaller countries with limited resources. We have however specifically chosen not to discuss ‘fingerprints’ left by law enforcement on the dark web. Law enforcement have a well-known presence on the dark web hosting honey pot hidden services such as fake markets and forums, as well as posing as dark web drug vendors on popular crypto-markets to catch criminals purchasing illegal lethal drugs such as fentanyl. There are numerous open source examples where concerted international law enforcement efforts have been conducted to take down markets and pedophilia communities.

Nation-State Proxies and Cyber Terrorism

With this ever-changing threat landscape on the dark web Nation-States are turning to proxies and levering the terrorist segment of the dark web for launching attacks and avoiding attribution. Instead of utilizing a room full of cyber-soldiers in China targeting a room full of hackers at Fort Meade (NSA) on the dark web, some Nation-States choose to leverage private “contractors” to conduct information operations on their behalf.

Russia has the most extensive collection of cyber mercenaries and private contractors for their Nation-State agenda. In late October, open-source reports from the UK suggested the National Cyber Security Centre uncovered that the Turla Group, a cyber criminal group protected by the Russia government, had hijacked an alleged state-backed Iranian hacking group, known as OilRig or APT34, and subsequently carried out attacks on 35 countries. In July, the hacking team was actively targeting US political groups, using the code string ‘TrumpTower’ which coupled with the intelligence above could infer they could be linked to the alleged Iranian Phosophorous group.

Russia’s contractors are also active inside Tor as well. Earlier this year, hackers, hiding under the name ov1Ru$ breached a Russian intelligence contractor, SyTech revealing a number of secretive programs targeting Tor anonymity programs. Posing as a malicious exit node in the Tor anonymous network, the contractor’s program called Nautilus-S was specifically setup to deanonymize Tor traffic. The contractor, working closely with the Russian Air Force service and the FSB 71330, also had a another program in 2010 called Nautilus that harvested social media data from users of Facebook, Twitter, LinkedIn and others.

Perhaps Russia is attempting to model its behavior after the United States National Security Agency’s relationship with its commercial contractors. For example, Booz Allen Hamiliton (BAH) has an integral alliance with the intelligence community with hundreds if not thousands of intelligence and cybersecurity specialists working alongside the NSA. Significant intelligence leaks from the NSA in recent history were facilitated by contractors such as Edward Snowden and Reality Winner, both had sensitive compartmented information access and active on behalf of the US government during their tenures with BAH. NSA and other critical intelligence community organizations will continue to solicit the support of contractors outside of the agency in order to fulfil their over national threat intelligence objectives.

Terrorists as quasi-Nation-State Actors, and the changing use of technology in the dark web

Global terrorism, often fueled financially and politically by certain Nation-States, have an everchanging  and often reactive footprint on the dark web – reactive to the geopolitical events and policies, as well as changing technology. Many large scale extremist organizations such as ISIS, al-Qaeda, and Lebanese Hezbolla have declared themselves “Nation-States” in their own right, replete with military resources such as cyber armies and tactical hacking teams eager to fulfil their agendas. In the west, there is widely conflicting open source reporting as to the true activities of such quasi-Nation-States within the dark web.

A few years ago, ISIS was assessed to be extensively using anonymous networks to obscure the location and identities of its members and recruits. There were also a number of easily accessible hidden services advertising Daesh-affiliated content – ISIS’s Arabic language acronym – including recruitment and terrorist propaganda material. However, DarkOwl assesses with medium confidence that dark anonymous networks such as Tor will have limited future use in overt terrorist recruitment and propaganda dissemination, but instead terrorists are demonstrating a preference for encrypted mobile applications such as Whatsapp and Telegram for organizational coordination and communication.

Last year, the Wilson Center’s Professor Gabriel Weinmann published an extensive report, detailing the reasons why terrorists will continue using the dark web and associated encryption communication protocols and technology.

[Excerpt from the report below]

1. Terrorists use the dark web to hide: Extensive monitoring of the surface web by social media companies and security officials has resulted in a faster rate of removal of extremist content from social media platforms. Correlated with this is an increased use by terrorist networks of the dark web for communication, radicalization and planning attacks.

2. Terrorists use the dark web for recruitment: While initial contact can be made on surface web platforms, further instructions are often given on end-to-end encryption applications such as Telegram on how to access jihadist affiliated websites on the dark web.

Despite this, DarkOwl continues to observe some terrorist groups, such as Jaish-e-Mohammed use the dark web to actively recruit female fighters after seeing ISIS success using jihadi-brides as fighters in Iraq and Syria.

[Excerpt from the report continued below]

3. Terrorists use the dark web as a reservoir of propaganda: The removal of extremist and terrorist content from the surface web increases the risk that material of terrorist organizations may be lost. Much of this content later resurfaces on the dark web.

4. Terrorists use virtual crypto-currencies to evade detection and to fundraise: Terrorists, like criminals, use cryptocurrency because it provides the same form of anonymity in the financial setting as encryption does for communication systems.

According to a dark web news outlet, at the end of 2017, researchers witnessed a surge in ISIS fundraising, specifically donations-devoted sites encouraging Bitcoin donations, confirming that ISIS cyber terrorist have awareness of the risks of financial transactions monitoring. At this time, there is no indication in DarkOwl’s database that ISIS related terrorists are intentionally washing coins to evade investigative BlockChain analysis.

There are current very limited easily discoverable ISIS or formalize terrorist group hidden services on the dark web. DarkOwl has some cataloged content from when ISIS was more active on Tor anonymous network. An example is the “Cyber Kahilafah,” an effective hacking arm of the Islamic State, who in 2016 were extremely active on the dark web posting ISIS associated content such as videos and propaganda educational material. Some dark web forums suggested these were a state-run honeypot by Western governments. Note the crawl date of content listed in Darkowl Vision result below.

Due to extensive efforts by international alliances in the “war against terrorism” there are a few terrorist groups with the infrastructure and organizational strength to coordinate widely via anonymous networks.  In 2016, the international vigilante hacker group Anonymous conducted attacks against suspected members of ISIS across the dark web posting contact information for its members (email addresses social media accounts) and surface websites of its supporters, specifically Nasher Islamic State (@nashirislamicstateEN). Anonymous attacks against ISIS continued into 2019 with more Daesh/ISIS member’s social media and personal information shared across multiple deep web paste services.

Such independent targeting of terrorist on the dark web continues, with content posted as recently as late September 2019 detailing the possibly geolocation coordinates of suspected ISIS leader, Abu Bakr al-Baghdadi. The dark web post closed with “ENJOY CIA” as if such information could then be used for operational targeting by the US intelligence community. Abu Bakr al-Baghdadi was killed in a US-led Special Forces operation exactly a month after the dark web posting. The coordinates pasted to the dark web do not correlate to Idlib, the location of the ISIS leader’s compound and  subsequent death by US security forces.

With on-going conflicts against terrorism in countries such as Syria, Iraq, Afghanistan, Yemen, and the Gaza Strip, the number of “splintered” groups is growing, especially with recent calculated attacks Turkey conducted against Kurds along the Syrian-Turkey border. There exists various imagery on Tor including videos of beheadings and executions conducted in Yemen by ISIS soldiers.

Such conflicts have caused most ISIS affiliated terrorists to shift to encrypted communication protocols such as WhatsApp and Telegram. A deep web post from July, 2019 also hinted that ISIS recruitment was even occurring in private Discord channels; Discord is a proprietary VoIP communications platform favored by the video gaming community and deep web criminals.

After Facebook acquired the popular mobile app, WhatsApp, a concerted movement to the mobile Telegram application occurred. ISIS on Telegram is growing in popularity with regular videos, pictures, links, and propaganda content despite community perception that Telegram is strict on child pornography and terrorist content posts.

A Discussion Worth Continuing

Nation-State and Nation-State-sponsored threat cyber actors are resourceful, employing a mix of open source and dark web assets to complete their key information operations missions. Cyber combatants, state-sponsored proxies, and teams of mercenaries utilize the dark web to conduct intelligence collection and source development, government and corporate espionage, cyber exploit development and testing, disinformation operations for geopolitical influence, infrastructure disruption, and financial gain. While unique Nation-State ‘fingerprints’ are identifiable in some dark web use cases, the public release of cyber weapons previously belonging exclusively to the NSA and the CIA have offered formerly less-powerful nations the ability to reframe themselves as power players, gain influence that was previously unattainable to them, and obfuscate the origin of their cyber attack, further befuddling attribution for cybersecurity researchers.

Global terrorism, frequently fueled financially and politically by specific Nation-States, have an unpredictable and often reactive footprint on the dark web – reactive to the geopolitical events and policies, as well as changing technology. Terrorists’ adaptability has them shifting away from the dark web to end-to-end encrypted proprietary protocols such as Whatsapp and Telegram where they can recruit, strategize, and disseminate propaganda anonymously.

As Nation-State Actors, cyber-proxies and terrorist organizations continue to evolve in the use of the dark web and anonymizing technologies, the cybersecurity community must be vigilant to continue the conversation on intelligent identification and adaptive tracking of their everchanging tactics, techniques, and communication preferences.

Annex

DarkOwl has compiled the following analysis to help contextualize the power ranking of select nation’s cyber capabilities.

UNITED STATES

The US is plentiful in manpower, skill, finances, and international influence. The total number of cyber-soldiers employed by the US is well into the tens possibly hundreds of thousands with the recent decoupling of US Cyber Command (CYBERCOM) from the NSA and standing up its affiliated Department of Defense (DoD) branches, such as Army Cyber (ARCYBER) and Navy’s FCC (Fleet Cyber Command). The US also leads in technical skill development and international influence spearheading numerous global cyber initiatives both in the dark and surface webs. This week, the public learned that the US has solicited assistance from Montenegro, deploying an elite cyber team to collaborate and coordinate with in order to predict Russia’s imminent influence on the US’s 2020 presidential election.

CHINA

China extensively uses the deep web for espionage and intelligence collection activities. While China blocks the use of Tor to its citizens, the government regularly employs the technology’s anonymity for its sophisticated PLA Unit 61398 to target US military defense technology and intellectual property. China is also clever enough to identify the key military defense industrial contractors for targeted network attacks to collect designs, documents, and administrative details of critical export-controlled technology.  This summer, China-based hackers were discovered steering a large-scale cellular espionage campaign targeting 10 different mobile carriers around the world. The access realized could be leveraged to launch a future large-scale attack against cellular phone and data infrastructure. The elaborate campaign could have been orchestrated in retaliation for the on-going global 5G arms races and the US’s crackdown on China’s telecommunications provider, Huawei, restricting its 5G development activities in the West.

Since 2015, state-sponsored cyber PLA unit 78020 has also been involved in large-scale military, political, and economic cyber espionage in the resource-rich South China Sea area. The elaborate espionage campaign involves an intricate domain network of resources including IP addresses situated in the Denver, Colorado area according to an in-depth intelligence report published by Threat Connect, Inc.

RUSSIA

As apparent from numerous media and FBI inditements in recent years, Russia’s government and intelligence services have deeply penetrated the dark web conducting numerous large scale Nation-State campaigns against targets all over the world. Attacks regularly include the US and its western allies in what could be perceived as an all out cyber war, demonstrating a wide array of advanced technical cyber capabilities. Researchers at the Department of Defense Cyber Strategy struggle to quantify the exact number of cyber specialists available for Russian cyber campaigns, but there are reports of a number of elite dedicated operational hacking units, including 26165 and its sister unit 74455 affiliated with the hack against the Democratic National Convention and the GRU’s elaborate hacking campaign to influence the US election. Russia is also infamous for its use of cyber proxies, hiring advanced non-government affiliated cyber criminal organizations to conduct APT attacks on their behalf.

ISRAEL

Israel is a highly secretive and influential Nation-State Actor. Unit 8200, Israel’s elite cyber spy organization is comparable to NSA with a more focused and calculated operational agenda. Unit 8200 is augmented by a number of other highly technological units with the Israeli Defense Force (IDF). Conflicting source reporting eludes to a potential dedicated Israeli Cyber Command, but those capabilities may have been distributed amongst the IDF’s various telecommunications divisions at present. Former Unit 8200 personnel have also been hired by Israeli cyber corporations to implement Israel-sponsored covert activities in dark web operations that require more legal freedom and less international scrutiny.

GERMANY

Germany, the UK, and France all have sophisticated cyber capabilities. Germany has recently established its own Cyber and Information Space Command (CIR) with over 13,000 personnel assigned to ward off network intrusion attacks and disinformation campaigns. Germany law enforcement also leads in state-level dark web footprint actively participating in taking down several prominent cryptomarkets and drug vendors in recent years. (Source)

UNITED KINGDOM

Recent reporting that hackers from the United Kingdom infiltrated Russia’s Turla Group highlights the sophistication of the UK’s capabilities. GHCQ has doubled its capabilities from 2014, delivering full-spectrum capabilities from tactical to high end counter-state offensive cyber operations. https://www.cbronline.com/news/uk-cyber-warfare-gchq. With the UK’s NHS  as a principle victim to WannaCry in 2017, the UK is positioned to not only defend itself from future attacks but counter-attack when needed.

UKRAINE

Ukraine was originally not considered a prominent Nation-State Actor worth including in our analysis. In the past, Ukraine’s cyber capabilities centered around organized crime and the dark web carding community. Given the most recent media reports featuring Ukrainian government and businessmen of interest and their influence in US election politics, Ukraine’s “influence” on the international stage is notable. This “influence,” coupled with Ukraine’s persistent war with Russia over the annexation of Crimea, including defending against Russian cyber attack against Ukraine’s electricity infrastructure, places Ukraine in the top 10 Nation-State Actors in the cyber domain.  Consideration for Ukraine at the last minute also demonstrates how rapidly and drastically conditions can change in this environment.

FRANCE

In early 2019, France published its new French Military Cyber Strategy consisting of two separate documents: the Ministerial Policy for Defensive Cyber Warfare (hereafter the Ministerial Policy) and the Public Elements for the Military Cyber Warfare Doctrine (hereafter the Public Elements). France has significant influence in the EU and NATO organizations making up for what it lacks in human capital for the cause. (Source)

IRAN

Iran leads in Middle Eastern countries (other than Israel) as a major Nation-State cyber actor. Iran’s Cyber Army has been a formidable threat for over a decade targeting a variety of western defense and commercial networks. After the United States successfully infiltrated and shutdown their nuclear centrifuge system via the Stuxnet virus, Iran invested heavily into developing the skills and resources to hold their own on the international cyber stage. They also operate heavily in a ‘proxy’ configuration, where they collaborate with other smaller Nation-States to share technology and resources. It is assessed that any Nation-State-level cyber attack from Iran could be conducted with the aid of countries such as North Korea, Syria, and Yemen.

Iran has also been known to collude with terrorist organizations such as Hezbollah and private hacking groups. By training private hackers and rogue terrorists, possibly without clear direction and operational boundaries, Iran could be key in orchestrating the next global cyber-war.

NORTH KOREA

North Korea has claimed responsibility for a number of large-scale attacks against international baking infrastructure in response to international economic sanctions levied against them for their resistance in ceasing their nuclear programs. According to open source intelligence reporting, North Korean hackers have successfully deployed a new ATM malware, called ATMDTrack that records and steals banking data from cards inserted in vulnerable ATMs in India. ATMDTrack is assessed to be a component of a much larger DTrack malware family that involves not only command and control remote access trojan (RAT) software, but keylogging, retrieving browser history, gathering host IP addresses, information about available networks and active connections, listing all running processes, and listing all files on all available disk volumes of the victim machine.

INDIA

In 2018, India established the National Technical Research Organisation as the main agency for protecting national critical infrastructure and to handle all the cybersecurity incidents in critical sectors of the country. Aside from cyber attacks from Pakistan, India faces attacks from other key malicious Nation-State Actors, as mentioned above with North Korea’s attacks of India’s banking infrastructure. Recent conflicts in Kashmir increase need for a defensive posture from vigilante hackers supporting the Kashmiri people.

CANADA

In 2018, Canada passed comprehensive legislature to empower Canada’s Communications Security Establishment (CSE) for effective offensive cyber operations. The sweeping Bill C-59 positions the CSE (the Canadian NSA) to take a more “active cyber” posture as opposed to its previous defensive and reactive position. The legislation calls for the CSE to “carry out activities on or through the global information infrastructure to degrade, disrupt, influence, respond to or interfere with the capabilities, intentions or activities of a foreign individual, state, organization or terrorist group as they relate to international affairs, defense or security.” Canada will not stand alone in the world stage in cyber, but have the resources and parliamentary backing to influence, protect and defend Canadian infrastructure from Nation-State attacks.

UPDATES:

(8/7/19 1:45pm MST): We’ve now learned that Homeland Security has sent a letter to 8chan owner Jim Watkins demanding he come before Congress and answer questions on the site’s extremist content. Read more.

(8/7/19 11:30am MST): One of 8chan’s admins published a tweet denying that 8chan is behind the creation of their ZeroNet bunker.

If @CodeMonkeyZ is being truthful, then someone else is responsible for preparing the 8chan ZeroNet bunker on their behalf. We will continue to investigate and update here as we find out more information.

ORIGINAL ARTICLE:

For a long time now, 8chan has known that their days as part of the mainstream internet (or “surface web”) were numbered. In this case, it took an unstable individual publishing a “manifesto” on their site to force an action to migrate to the dark web. The manifesto in question advocated for violence, eugenics, and mass-murder on one of their boards. While the 8chan platform is known for its forums seeped in hate, racism, sexism, offensive humor, and just general derision, this appeared to be the tipping point. There was bound to be something posted by one of their users that crossed a line, which is how 8chan found themselves setting up a potentially permanent camp on the dark web.

For those unfamiliar with the website, 8chan is an online forum that is essentially a mixture of 4chan and Reddit, and is known for its hands-off policy when it comes to moderating user content. This laissez-faire approach is at the heart of the platform. The website itself came about when a frustrated user of 4chan, Fredrick Brennan (known as Hotwheels), felt that 4chan moderators were overstepping rights to free speech by removing content.

Knowing this, it makes some sense that people with perhaps unpopular or fringe viewpoints would find a safe haven in 8chan. And, to their benefit, the administrators behind the divisive platform have arguably done their due diligence in ensuring its survival.

“Welcome to the semi-official 8chan emergency bunker”

Traditionally, 8chan has operated on the surface web (8chan.net), while also maintaining a mirror .onion site on the popular darknet, Tor. However, DarkOwl Vision has records of a third 8chan hub that has existed since at least early April. This version of 8chan – nearly identical to its counterparts – is hosted on ZeroNet, a slightly lesser known dark web that is similar to Tor.

While many recent reports in the press are indicating that 8chan scrambled for a new place to land, this is only somewhat true. ZeroNet is a lesser known darknet, yes, but painting 8chan moderators as shocked or unprepared for this type of event would be inaccurate. It appears they anticipated something of this nature happening for several months.

Self-described as an “emergency-bunker,” the 8chan “zite” was all-but inactive until this past weekend. Records from DarkOwl Vision indicate little to no user activity when it was first collected into Vision’s dataset. Meaning, this zite was put in place truly to serve as a back-up hub for 8chan. The administrators foresaw an end to the site on the mainstream internet.

The takeaway here is that 8chan administrators anticipated losing network stability and set up a version of their chan board on ZeroNet, a peer-to-peer decentralized anonymous network that very few people are – or were – familiar with. In the last 48 hours alone, the volume of users or “seeds” on the ZeroNet 8chan zite has skyrocketed with thousands of posts.

The popular boards, “Politically Incorrect (/pol/) and Noob dig (/QResearch/) include several posts about the recent El Paso shooter’s manifesto and activities. Further discussions cover attempts to censor “free speech” and the fact that taking down 8chan’s service will have little to no impact on gun violence in the US.

One user pointed out the manifesto was posted to the popular social media app Instagram prior to 8chan, spreading the conspiracy that this was all an effort to justify shutting down 8chan’s boards.

Some anonymous users have expressed concern over the security of ZeroNet, and the potential that this new platform could be a government honeypot collecting user’s IP addresses and VPN services-a similar tactic used by law enforcement in previous hidden service takedowns on Tor.

How 8chan scrambled to stay online and found its new home on the dark web

While the details of how 8chan lost its footing on the surface web and Tor are still emerging, we do know a few things for sure. 8chan used CloudFlare’s services to protect it from DDOS attack, until over this past weekend Cloudflare chose to terminate its security services for 8chan servers, calling it a “cesspool of hate.”

On Sunday, 8chan creator Frederick Brennan, who no longer runs the forum, called for 8chan to be shut down. 

What comes next is less clear. It is confirmed that after losing CloudFlare, 8chan then shifted to BitMitigate security protection services, who also provide DDOS protection to White Supremacist news outlet The Daily Stormer. Reports have widely indicated that BitMitigate also dumped 8chan of its own volition, though it is unclear if that is accurate. It appears that instead of deciding to drop the controversial forum, BitMitigate may have been blacklisted by its service providers and “de-platformed” for hosting 8chan. Evidence of this is supported by reports that at sometime this weekend, all sites hosted on BitMitigate were offline.

Shortly after discontinuation of its security services, 8chan suffered outages from its 8chan.net surface website and of its Tor hidden service site due to large scale DDOS attacks targeting the servers.

As of Tuesday afternoon, 8chan’s Tor hidden services had been restored and was back online.

Is the 8chan culture the culture of the dark web?

Decentralized internets or “darknets” (or “dark webs”) have long been infamously characterized as hubs for the darker side of society. Some of the most popular examples of this are the abundance of dark web market places selling drugs, hitmen for hire, child pornography, human trafficking operations, etc. However, defenders of the merits of dark webs often market the right to free speech and unregulated communication as a vital function of society, with the dark web being a tool to achieve these ends.

That being said, it would be remiss to not acknowledge that “free-speech” forums seemingly come with a heavy load of potentially dangerous baggage. 8chan is not the only type of discussion board where hate speech and political ideology is proliferated. 4chan, Oniichan, and 2chan contain similar types of posts, and many dark web chat rooms and underground internet relay chats also support the congregation of radical nationalistic personas.

We will continue to monitor the dark web as the situation develops. For more information on the darknet and ZeroNet, contact us today.

As Dream Market staff mentioned prior to their shutdown, a new market was on the horizon. On Friday, former official Dream moderator, waterchain, announced the opening of Saṃsāra, based on the source code of the infamous Dream Market. Saṃsāra is a term from eastern religious philosophy. Ironically it refers to the eternal cycle of birth, suffering, death, and rebirth.

The official market announcement is received with skepticism. Many questioning its legitimacy and a number of inconsistencies with the story behind the return of the market.

The new Saṃsāra market layout is strikingly similar to Dream, yet includes several new security elements. Admins refer to a new “anti-phishing feature” as the first of its kind that purports to completely defeat man-in-the middle attacks along with the option for a user to login with their PGP key or two factor authentication(2FA) for additional security. Once in the market, the source code is identical to the original Dream Market with the addition of a News and Community section that allows for interaction with Admins on market features. There is no mention of a traditional separate market forum like Dream supported.

Even with a new market theme, logos, and user interface on top of Dream Market source code, within hours of the announcement, many users uncovered bugs across the cryptomarket, including issues with saving public PGP keys, which forced users to employ 2FA for additional profile security.

The new market administrator dismissed community concerns over the lack of presence by SpeedSteppers. Further, dismissing questions about why the new onion address as advertised for weeks on Dream Market is not listed as a valid mirror for Saṃsāra. He instead attempted to encourage people to “forget the past” and “move on” insisting numerous times that he was a former official Dream moderator, as if to validate everything he said on the forum as legitimate.

• Others quickly noticed that waterchain’s new PGP key was created in June with only 2096 bits instead of the more secure 4096 bit key of the former legitimate waterchain. The moderator claims they lost his key in a corrupted Tails configuration. It does appear suspicious that they would choose to rebuild his key with less security, considering he is now essentially running a market instead of moderating it.

• The market does not support Monero transactions, which is possibly a more secure and less traceable cryptocurrency than Bitcoin. There is a discussion along with member vote on the integrating XMR available through July 18th in the new Community section of the market.

• All of the market mirrors use Tor’s legacy V2 hidden service domains instead of V3. Dream Market issued several v3 mirrors earlier this year when suffering from heavy DDoS attacks.

Even with these concerns, vendors are taking advantage of the limited offer of 0.025 BTC vendor bonds and over 400 market listings, consisting of mostly drugs, were online and ready for purchase within the market’s first day.

On a technical note, a few more inconsistencies appear. First, when requesting /server-status/ on the Saṃsāra url, we find what looks like a status page for another darkweb forum, Torum. Second, the HTTP-Headers also appear to leak IP addresses pointing at both a host in The Netherlands and the United States.

In recent days, user waterchain has been banned on Dread forum for rule violations.

Only time will tell how long this market will be reliably online before the DDoS attacks against Saṃsāra begin.  Remember to check back here for updates as more information emerges.

Keeping current and making sense of recent news surrounding Darknet Marketplaces is a challenge for even the most active and engaged Tor enthusiasts. In this blog, DarkOwl analysts dive into the latest dark web market exit scams, the recent, widespread law enforcement operations and their impact, and how cryptomarkets will continue to be a significant segment of darknet hidden services available to underground and would-be criminals.

Below is a timeline of the primary events leading up to, and resulting from the recent turbulence surrounding many darknet marketplaces.

April, 2019

Dream Market Announces Closure & Never Returns

In late March 2019, Dream Market, one of the oldest cryptomarkets announced that it would be ceasing its current operations on 30 April 2019. The announcement was made by the developer and admin, known as Speedsteppers. The statement also mentioned an eventual re-branding as a new Tor hidden service and address. For over a year, Dream Market had suffered from extraordinary DDoS attacks resulting in over 600+ mirror links circulating around the dark web for the marketplace.

In early April, Europol confirmed a significant multi-national darknet drug operation resulting in 61 arrests and the confiscation of 50 dark web accounts used for illegal activity. Along with the agents from the Federal Bureau of Investigation (FBI), U.S. Drug Enforcement Agency (DEA), and Canadian Police, Europol law enforcement officers executed 65 search warrants, seized almost 300 kg of drugs, 51 firearms, and over €6.2 million Euros ($6.95 million USD) of cryptocurrency, cash, and gold. Given Dream Market’s prominence in the dark web community, it is a reasonable assumption that some, if not many, of these arrests were vendors active on Dream. Although there is no mention of Dream Market in the Europol report, it’s well known the market place has been a target for law enforcement for some time.  Further, the aforementioned new Dream Market onion addresses have had no activity. 

Immediately after the announcement, rumors circulated across popular dark web forums about the Dream Market closure being led by law enforcement or an inside exit scam. In April, many users had issues withdrawing money from their Dream Market wallets. Some moderators scammed vendors via support ticket notification, informing the vendor that funds withdrawal can be restored only after the vendor supplies their password and last used bitcoin address.

DarkOwl covered the details of Dream’s less than graceful shutdown in “Insider Report: Darknet reacts to Dream Market announcement.”

While it’s unknown whether or not law enforcement infiltrated Dream Market’s servers directly, two independent cyber security researchers circulated detailed analysis revealing some very specific details regarding Dream Market’s admin, SpeedSteppers, de-anonymizing him as Mark DeCarlo based on the domain registrations for several surface websites, one specifically shared in 2018 with Dream users contained a link to a clearnet forum called deepwebnetwork.com. [Source1, Source2]

On a hidden service popular with “doxxers”, an anonymous hacker briefly posted an IP address for Dream Market. When accessed directly using the leaked IP address, the Dream Market login screen is available along with familiar Tor network addresses listed on the left sidebar of the page.

Figure 1 Direct Access to Dream Market via Leaked IP Address

Given the report on SpeedStepper was published in January, the weird behavior of moderators trying to scam vendors, along with an inactive URL for “Dream’s Partner” it would not be surprising if law enforcement infiltrated Dream Market months ago and operated it similar to the shutdowns of Alphabay and Hansa as led by the Dutch National Police in the summer of 2017.

Figure 2 Source: Dread Forum on Tor (/post/52f54402d99bd51d4b74)

Wall Street Market Exit Scams Then BKA Announces Seizure

As one would expect, Wall Street Market (WSM) surged in popularity almost immediately after Dream’s announced shutdown. Most every social platform recommended vendors and potential buyers move to WSM and/or Empire to conduct their online market business.

Figure 3 Dread users discuss WSM as the Dream alternative for trading.

In late April, peaking at an estimated 5,400 vendors, 1.15 million customers, and well over $10 million in cryptocurrency, WSM admins conducted a classic darknet “exit scam.” The estimated market value is totaled somewhere between $11 and $15 million USD. The three admins diverted these funds into their own crypto accounts while claiming the market was in “maintenance mode.” All the while unaware that law enforcement was secretly monitoring their accounts.

In the midst of the exit scam, one of the site’s moderators, Med3l1n, clearly angry over the exit scam, began blackmailing WSM vendors and buyers, asking for 0.05 bitcoin (at the time ~$286 USD). They threatened to disclose to law enforcement the identities of WSM vendors and buyers which made the mistake of sharing various personal details in support tickets in an unencrypted form.

It is unclear if these extortion attempts succeeded, but days later, Med3l1n also published an IP address for a server located in the Netherlands and login credentials for the WSM backend on a popular darknet forum knownas Dread. Further, they invited nefarious actors to take down the market.

The IP address is in the same network range of another IP address that leaked from the Wall Street Market backend two years ago. Although the authorities discovered the address of the server in other ways, according to public affidavits.

Within days, Med3l1n, identified as Marcos Paulo De Oliveira-Annibale, 29, of Sao Paulo, Brazil, was arrested by German authorities along with the three market administrators, all from Germany:  

• Tibo LOUSEE (coder420), 23-year-old from Kleve, Germany;

• Jonathan KALLA (kronos), 31-year-old from Wurzburg, Germany;

• Klaus-Martin FROST (theone), 29-year-old from Stuttgart, Germany.

All three face charges in both Germany and the United States after a series of missteps in their operational security led authorities to their IP and physical addresses. The market seizure and arrests were a culmination of a two-year investigation involving agents from the DEA, the FBI, the U.S. Internal Revenue Service, the U.S. Homeland Security Investigations, the U.S. Postal Inspection Service, the U.S. Department of Justice, the Dutch National Police (Politie), Europol, and Eurojust.

During the investigation, authorities discovered the admins also operated darknet marketplace, German Plaza Market (“GPM”), which launched sometime in early 2015 and shut down due to an “exit scam” in approximately May 2016. Agents successfully correlated wallet addresses for GPM with those of WSM in the investigation connecting the administrators.

Law enforcement obtained one of the administrator’s home IP address, correlated to and registered in the name of the suspect’s mother, through a cooperating VPN provider he used. The IP address was used to access certain administrator-only components of the WSM server infrastructure. KALLA later admitted that he was the administrator for WSM known as “Kronos.”

As a point of technical interest, the complaint filed with the US District Court in California included a footnote that the US Postal Service was responsible for the blockchain transaction analysis for FROST, and “de-mixed” the flow of transactions to ascertain that the monies from two different wallets ultimately paid FROST’s account [Source]. Researchers from Korea University published a paper in May 2018 outlined a de-mixing algorithm that could identify the relationships between the input and output addresses of the popular dark web mixing service called Helix with a 99.14% accuracy rate [Source].

Another administrator accessed the market IP address to connect to the WSM infrastructure using a device called a UMTS-stick7. This device is a USB-powered modem for remotely connecting to the internet. This UMTS-stick was registered to a suspected fictitious name, and the BKA executed multiple surveillance measures to electronically locate the specific UMTS-stick. The UMTS-stick was active at a residence of LOUSEE in Kleve, Northrhine-Westphalia (Germany), and at a local information technology company, where LOUSEE was employed as a computer programmer. LOUSEE was in possession of the UMTS-stick of interest upon arrest.

The PGP public key for “TheOne” is the same as the PGP public key for another moniker on Hansa Market, “dudebuy”. Interpol and Dutch police shutdown Hansa darknet market in July 2017, as part of Operation Bayonet. A financial transaction connected to another crypto-wallet used by FROST was linked to “dudebuy”. Investigators identified a wallet used by FROST that subsequently received Bitcoin from a wallet used by WSM for paying commissions to administrators. Records obtained from the Bitcoin Payment Processing Company revealed buyer information (connected to Hansa Market, seized in 2017) for a Bitcoin transaction as “Martin Frost,” using the email address [email protected]. A second link connecting FROST to the administration of WSM is based on additional Bitcoin tracing analysis.

May, 2019

Finnish Customs Seizes Valhalla (Silkkitie)

During the same week reports of WSM’s collapse surfaced, Europol released an official statement that Finnish customs (Tulli) in close cooperation with the French National Police (La Police Nationale Française)seized Valhalla, also known as, Silkkitie sometime earlier in the year. The report did not mention many specifics, other than Finnish federal authorities have the entire Valhalla server and its contents, along with a significant drug confiscation. DarkOwl Vision indicates the marketplace went offline sometime in early March.

The May 3rd Europol report stated:

“After the Silkkitie (Valhalla) site was shut down by the authorities, some of the Finnish narcotics traders moved their activities to other illegal trade sites in the Tor network, such as Wall Street Market”

..suggesting the potential for international law enforcement’s concerted attempts to funnel users to a targeted market for takedown.

Valhalla marketplace was one of the oldest markets on the dark web, listing over 30,000 products by some statistics. Its activity started in October 2013 as a Finnish-only site called Silkkkitie.

FBI Targets Deep Dot Web

On the 6th of May, two DeepDotWeb (DDW) administrators were arrested facing charges of kickbacks by earning millions in commission by referring users to specific darknet marketplaces. The seizure of DeepDotWeb alarmed the dark web community as it did not host any illicit content directly, but instead provided paying users with indexed and catalogued access to dark net market hidden service URLs – complete with ratings and reviews. DDW admins received money for registrations using the referral addresses hyperlinked. Authorities claim that DDW administrators made millions of dollars using this criminally innovative ‘picks and shovels’ approach to illegal online trading. Coincidently, while DDW was being shutdown, popular dark web community forum, Dread experienced heavy DDoS attacks and was unable to support logins for over a week, causing many to suspect it too had been compromised. DarkOwl analysts speculate that Dread’s DDoS was intentional to prevent vendors and buyers to coordinate on interrupted sales and illegal trading.

Figure 4 Source: https://www.europol.europa.eu/newsroom/news/deepdotweb-shut-down-administrators-suspected-of-receiving-millions-of-kickbacks-illegal-dark-web-proceeds

CGMC Disappears Overnight

On or about May 10th, 2019 Cannabis Growers & Merchants Co-op(CGMC), silently disappeared without notice. At first, users claimed the market had completed an exit scam as they had lost the ability to withdraw funds, contact support, and initiate the process for a refund. It was later determined that the admins, Marko and Rory, felt pressure from the WSM and DDW seizures that it was time to gracefully leave the business. On the night of the self-shutdown, admins cancelled all pending orders and returned funds to the customer, released all escrow and cash to the vendors. Days after the shutdown, a signed PGP message from Rory asked for the community’s positive vibes for their services and customers joked about seeing them stroll on the beaches of Seychelles.

Users across other darknet communities scrambled to find their favorite vendors as this was all about the same time Dread was under DDoS and inaccessible for coordination. Many darknet vendors reposted their PGP signatures and offered to continue to serve customers without the markets, trading directly with their previous customers via encrypted communications.

One CGMC vendor shared:

The sellers are in the same situation, but I can confirm:
1. All the escrow was released and cashed (the money went to my wallet)
2. Pending orders the money was returned to the customer
3. All orders from Monday to Thursday are sent
I do not think it’s an exit scam, I think it’s a problem with the website and they’re working on fixing it.
If the market were to close Marko would have warned. Let’s wait a few days to see what happens.
If the situation is not fixed open store in another market. Please, if any of my clients reads this message, verify that the PGP is authentic.

June 2019

Libertas Moved to I2P Then Shutdown due to Inactivity

In late May, Libertas, a Monero-only marketplace, moved its hidden service marketplace from the Tor network to the peer-to-peer-based I2P network, citing “flaws in the Tor network” as justification. They also referenced an unconfirmed Tor vulnerability that international authorities have used to reveal hidden service’s real-world IP address. Libertas provided detailed instructions for its users to successfully setup I2P within Tor Browser to access this faster and hopefully more secure version of its marketplace.

Libertas has historically been one of the most unique cryptomarkets in the dark web, being one of the first ever to only accept Monero instead of Bitcoin like other marketplaces. In their market announcement over a year ago, Libertas admins suggested that Monero was the “only real way to make anonymous transactions online” including the many ways they ensured the security of the servers supporting Libertas darknet market.

Figure 5 Libertas Original Welcome Message on their Market Forum

On June 19th, less than a month of operating on I2P, Libertas admins announced they were shutting down until further notice, due to the lack of use of I2P. They reaffirmed their belief that all Tor network-based hidden services which are allowed to operate are law enforcement sting operations.  

Other Tor users have discussed migrating to I2P and encouraged other marketplaces to do so in forums and discussion boards, suggesting that Tor is neither safe nor robust enough from DDoS attacks to host large-scale crime-focused services. Unfortunately, the complexity of setting up I2P has discouraged its broad-based use on scales comparable to the Tor network.

Today: What Market Places Are Still Operational?

Empire Market

Despite its legacy and familiar user interface dedicated to the late Alex Cazes from AlphaBay, Empire recently has been under heavy DDoS causing it to surge in mirror link generation to mitigate. DarkOwl has knowledge of 135 unique V2 and V3 addresses for the cryptomarket, but believes that over 30% of those could be phishing addresses. In recent weeks, Empire forums have been bombarded by hundreds of complaints that account wallets have been consistently scammed, even after verifying links as legit. RapTOR directory services alleges that Empire has indeed exit scammed and any working links will lead to currency loss.  The dark web community is contentious over the lack of support from staff and instability of the market.

Empire’s head moderator se7en claims most of the complaints are from customers using “phishing” market links instead of verified ones, but the tune is all too familiar to the behavior of other markets. Empire recently added two-factor authentication (2FA) as an additional security protocol, but a former Empire-mod posted a detailed paste on how easy the 2FA is bypassed, stating “the end user is always the weakest link to a system,” in a recent report by DarkNetLive.

Tochka / Point

With recent market confiscations, Tochka (Point) could now be considered one of the oldest operational darknet cryptomarkets as it started in early 2015 emphasizing a “community-like” culture with classified advertisements and low vendor registration requirements.

Unfortunately, in early June, many users reported that the marketplace was a complete scam with numerous orders, wallets, and accounts deleted in recent weeks. Comments on a forum suggested that the Tochka had suffered a server crash in early June resulting in the loss of several transactional records and to contact the moderators active on Dread for assistance. Unfortunately, this week, Dread has also been under heavy DDoS and users are unable to submit complaints or receive technical support.

Other dark web markets worth mentioning

• Genesis – Javascript required market with increasing popularity due to recent news coverage. Online and active.

• Dark Market – Appeared in May 2019 with admins Sassy & Dark. Now accepts Monero and primarily trades in digital goods (over 1000 listings).

• Luna – Marketplace that required wallet registration for non-vendors and offered Monero and “locktime” to secure transactions. Offline as of early June.

• Core – Offline in mid-June after heavy DDoS attack.

• Cryptonia – Typical dark web cryptomarket experiencing heavy DDoS in recent weeks. Admins pride themselves on their market manifesto that states their movement will never be corrupted by greed. Online and active.

• Berlusconi – Recently added Multi-Sig wallets and states that they will no longer offer weapons & explosives by the end of June.

• Nightmare – Experiences regular periods of heavy DDoS. Recently redesigned and returned with new UI and “dark mode.” One of the largest active markets with 65,000+ users, 3,000+ vendors and more than 50,000 listings.

• Rapture – Rumored to have been built on the source code leaked from Trade Route. Many users thought Rapture exit scammed in late 2018, but returned recently stating they were under heavy DDoS. Offline as of time of writing.

• Agartha – Similar design to the Agora Reloaded Market that exit scammed. Online and active with no complaints.

• Apollon – Typical dark web cryptomarket operating since 2018. Possibly connected to former RAMP shop. Surge of users (over 40,000) due to Dream announcement.

• Enterprise – Brand New as of June 2019. Operational but very few listings.

• Deep Mart – Appeared in early 2019. Believed to be a scam market based on reviews.

• The Majestic Garden – In May, TMG moved to only V3 Tor URLs and registration is closed due to surge of registrations after Dream announcement. Online and serving customers.

• Nirvana Market – Brand new market as of June 2019.

• Canazon – Features primarily drug vendors. Operational since 2018. Online and active.

• Silk Road 3.1 – Operational and now accepts Monero. Online and active.

• UnderMarket 2.0 – Market featuring counterfeiting and fraud items. Javascript required for some portions of the market. Online and operational.

• The French Connection – One of the oldest operating markets (over 5 years). Does not ship to the US. Online and active.

• Yellow Brick Road – Invite-only market by vendors. Online and operational.

Since 2019, DarkOwl Vision has knowledge of and successfully crawled over 3,000 dark web cryptomarket addresses — over 1800 of them in the month of June due to heavy DDoS mitigation. Libertas administrators expressed legitimate concerns about Tor’s vulnerabilities to DDoS and host IP address exposure, apparent by the crippling DDoS attacks on many of the markets and critical community forums like Dread market.

While many of the historically active markets have voluntarily closed their doors, it is evident by the introduction of multiple markets in recent months, along with the surge of customer and vendor registrations well exceeding thousands of users, that the criminal darknet market community will not be deterred by international law enforcement operations and will resort to direct encrypted communications with their suppliers if necessary.

Update (7/2/2019)

After allegedly negotiating with would-be DDoS attackers, it would appear that Dread market is back online…for now. Check back here for continued updates as our analysts uncover more information. 

The market segment of the dark web is the most volatile and dynamic of all types of hidden services available. The status of any of the markets mentioned in this report can change without any notice. This report only covered the status of English-speaking marketplaces and a follow-up report covering non-English cryptomarkets, such as Russia’s MEGA, will be published in the near future. Please continue to check back for updates.