Last weekend, REvil’s “Happy Blog” went offline for the second time in less than six months. Instead of the blog Tor service simply not responding to an HTTP request, the page instead displayed the default 404 error displayed by the nginx webserver. According to a REvil representative the ransomware-as-a-service (RaaS) organization’s Tor domain was “hijacked” using the private keys of the domain held by REvil’s previously public-face “Unknown” (who also operates as “UNKN”).

DarkOwl reviewed the group’s history and latest posts about the hijacking and determined that since returning, REvil’s reputation was in jeopardy and many darknet users and RaaS community members suspected the group had been compromised by the FBI.

“This Page Is Not Found”

Last weekend, Tor users anticipating to connect to the legendary Happy Blog hosted by the infamous REvil RaaS gang, received the default 04 error page for nginx webservers on Fedora, indicating the Tor onion services run by the REvil operation were compromised and corrupted instead of simply taken offline by disconnecting the servers from the network.

The page read:

"nginx error! The page you are looking for is not found. Website Administrator Something has triggered missing webpage on your website. This is the default 404 error page for nginx that is distributed with Fedora. It is located /usr/share/nginx/html/404.html You should customize this error page for your own site or edit the error_page directive in the nginx configuration file /etc/nginx/nginx.conf."

An Insider Job?

In a post titled, “У REvil угнали домены” [Translated: REvil’s domains were stolen”], REvil’s current spokesperson – the persona behind the moniker 0_neday on the darknet underground forum XSS – stated the server had compromised using UNKN’s (a.k.a. Unknown and REvil’s previous representative) private Tor service keys. “To be precise they deleted the path to my hidden service in the torrc file and raised their own so I would go there”.

0_neday went on to further state that the group presumed Unknown had “died” earlier in the summer, when the group went offline in mid-July shortly after the Kaseya supply chain attack successfully encrypted thousands of networks when its ransomware spread through a software auto-update.

There are a number of conflicting theories why REvil disappeared less than a month later.

REvil’s Mysterious Disappearance in July

REvil’s services mysteriously shutoff the Tuesday following a late “Friday phone-call” between US President Biden and Russian President Vladmir Putin, during which REvil and the global ransomware epidemic was reportedly a subject of their conversation. The information security community has theorized any number of reasons the services disappeared after this call:

a.   The US launched an offensive cyber campaign directly against REvil – possibly using sophisticated intelligence or USCYBERCOM resources – and brought the gang’s services offline.

b.   President Putin directed REvil to shut down their operations in response to the conversation he had directly with Biden, where Biden stated he would hold Russia responsible for aiding and abetting the threat actor’s actions on Russian soil.

c.    REvil was feeling the “heat” and international pressure after a series of high-profile attacks, some of which included US military targets. Perhaps the group’s operators voluntarily “took a break” from their ransomware operation.

d.   REvil leader, UNKN “exit scammed” emptying the gang and their affiliate’s cryptocurrency accounts and disabled their Tor services using their administrator privileges.

Reporting from the Washington Post suggested the US was not behind the July shutdown, as some had hypothesized, citing government sources. No “seizure banner” was evident when the Tor services went offline as has historically been the case when law enforcement take down darknet marketplaces. The FBI’s Director, Christopher Wray testified in front of Congress stating how they do not make decisions unilaterally but work directly with allies and other agencies on such matters. The FBI was strongly criticized for their delay in providing a universal decrpytor key for the REvil ransomware after the Kaseya attack they had allegedly obtained.

The FBI provided the key to Kaseya nineteen (19) days after their networks were compromised and a week after the REvil infrastructure went dark. The key was reportedly obtained through direct access to the servers of the REvil operation.

In mid-September, BitDefender announced they had developed a “free universal decrpytor” for the REvil/Sodin ransomware strain in circulation prior to July 13th. According to BitDefender’s blog and social media posts, the decrpytor was “created in collaboration with a trusted law enforcement partner.”

This announcement was the source of many a controversial discussion across darknet malware forums.

REvil’s Return in September

According to the DarkOwl Vision darknet data records, REvil’s Happy Blog returned after their summer hiatus the first week in September 2021. Shortly after the blog was back online, new victims were quickly announced.

Surprisingly, in early October, DarkOwl analysts observed the REvil team sharing a link to RAMP – another ransomware focused forum – announcing that REvil was active on the new Groove ransomware backed forum. RAMP, hosted on a Tor domain previously owned and operated by the Babuk RaaS gang, emerged after many darknet underground forums “banned” ransomware related discussions last summer.

This behavior was noteworthy as REvil had historically not shown any affiliation with other RaaS groups, making their endorsement of RAMP unusual to many in the darknet.

Complex Cast of Characters

Unknown/UNKN

Unknown/UNKN was the original spokesperson for the REvil gang when they first branded as Sodinokibi in early 2019. They spoke with measured cadence and subtle humor. One of their last posts was early July after the Kaseya attack, where they simply shared a video of a typical older, angry Russian gentleman.

The admin from XSS banned Unknown’s forum account on July 8th, the week in between the Kaseya attack and the REvil servers were shutdown in July. It’s unclear if the justification was retribution for ransomware (as the topic was banned from the forum at that time), or the admin knew something else was awry.

In May, Unknown announced they were going to leave XSS, have limited activity on their account on exploit.in, and move their discussions to “private.”

At the time of their account ban, Unknown had 0.0022 Bitcoin in escrow on XSS.

0_neday

0_neday emerged as a representative of REvil on XSS after users evilcore and Lockbitsupp challenged the origination of the REvil decryptor key released by Bitdefendor on the public forum. They created their account earlier this month on October 5, 2021, depositing a significant amount of Bitcoin (i.e. account value of 1 BTC in escrow or approximately $50,800 USD on 10/5/2021) to legitimize their status. On October 12th, 0_neday posted on evilcore’s XSS member profile, “my boss agreed to offer you a 10% discount” suggesting 0_neday is a front for someone much more authoritative in the REvil gang. This contrasts with a claim they made a few days later that only he and Unknown had private keys to the Tor onion service domains. As of 19 October, 0_neday indicated they were leaving the forum, signing their last post with

[Translated] “Good luck everyone, I’m off.” 

evilcore

evilcore is a relatively long-time user of XSS with registration on the forum in late 2018. They claim they have no connection to any ransomware gang, but vocal in criticizing the operations of the groups, especially most recently REvil. They posted a comment to 0_neday’s thread this week about REvil’s domains getting stolen suggesting the leak of the decryption key was intentional and the entire infrastructure was merged and not compromised by Unknown as indicated, with a bit of “told you so” attitude and stark warning for users not to get fooled.

[Translated] "Ahaha)))))

fuck, I told you that they merged the entire infrastructure))))) and you didn't believe. I'm not a competitor and I don't care, they just really leaked the keys! people don't get fooled." 

evilcore have been vocal against the legitimacy of REvil since they reappeared in September and the story that supposed a REvil developer “misclicked” accidently releasing the decryptor key. In a comment on a thread titled, “Атака вымогателей на больницу привела к гибели ребенка” [Translated: “The ransomware attack on the hospital led to the death of a child”], evilcore closes with [Translated: “where is UNKN?”] after claiming the FBI likely had control of REvil’s admin panel.

[Translated] "0_neday do the rebranding:) and I can bet on 5 bits, but the point is) the conversation was about backdoor keys, I gave evidence that the backdoor key had nothing to do with it, it started about fictional gspch misklik checkout and - there it was already clear that the FBI had taken the admin panel.

Where is UNKN going???" 

The controversial October 12 thread continued with bickering between directly between 0_neday and evilcore, with LockBit’s forum representative, LockBitSupp, and forum users, 1MG, and ev4ng3liya, chiming in including critiques of REvil’s desperation to draw in affiliates with a 90/10 percent split – unheard of in the RaaS industry. evilcore eventually even accused 0_neday of being FBI.

LockBitSupp

LockBitSupp is competitive RaaS gang, LockBit 2.0’s public representative on the XSS forum. This alias is also active for the same group on another darknet forum, exploit.in and highly critical of REvil, stating they had recruited many REvil affiliates due to their lousy partner programs (PP).  On exploit, they added lengthy posts with concerns that REvil had been compromised by the FBI and that the current REvil coders and affiliates needed to be checked to verify their allegiance to the RaaS industry:

[Translated] "In connection with the above, I propose to check the coders who are now allegedly running the REvil affiliate program, for example:

- so that they somehow showed the locker source codes through the same TeamViewer or AnyDesk and made a test build from the source, providing this build to the public for reverse and comparison with old builds;

- so that the coders show the history of correspondence with the former management;

- any other evidence that will allow us to verify the coders and show that they are not undercover FBI agents.

Verification can be entrusted to any independent and authoritative people on the forums, for example, those who do reviews of malware."

They concluded their post with the realization that if the FBI has infiltrated the REvil RaaS gang or their affiliates, that the damage to the advertisers was far less than the suffering caused to “our cozy and warm community.”

REvil brand trustworthiness continues to decline

In late September, darknet forum users began expressing concerns over REvil’s unpredictable and scandalous behavior. One exploit user, Signature, claimed they had evidence that REvil had installed a “cryptobackdoor” which allowed REvil operators to take over negotiations between their affiliates and their victims, usurping ransomware payments thereby scamming money from their affiliates. It’s unclear how long this backdoor existed – some researchers state the backdoor was present for months, but removed from the September codebase.

Signature had launched a previous dispute on the forum with REvil’s UNKN in May 2021, when they claimed they had been contracted to provide network access to REvil victims, Quanta and Apex, and was never paid their 7 Million USD for the work provided. The thread resulted in a gross airing of RaaS dirty laundry to the public with private chats from qTox shared on the forum thread.

Up until last weekend, REvil had been active on the same Tor v3 domain address for over 22 months, excluding their summer vacation and active in the ransomware market since April 2019. Most RaaS groups change addresses regularly and even rebrand with new logos and aliases to maintain their operational security.

EvilCorp RaaS gang’’s representative on the XSS forum suggested REvil should have rebranded a long time ago. In the most recent thread of the REvil domain hijacking, user Krypt0n, admittedly late to the conversation, stated it was stupid for REvil to return in September to the same Tor domain address with the same keys. They added there was no way for REvil to restore their reputation and status achieved by UNKN.

Despite the fact elite hacker forum members can easily spot law enforcement and rippers, REvil’s brand is renowned and other copycat services will likely emerge in their likeness. In November last year, DarkOwl detected a non-REvil related domain advertising they were the “REvil Team” and were offering to sell Managed.com’s website hosting company’s database.

The REvil imposters included a protonmail.com e-mail address for contacting them and the domain was online for barely a month.

DarkOwl will continue to monitor this situation as it develops.

Curious about something you’ve read? Contact us to learn how darknet data applies to your use case

DarkOwl has recently discovered a cyber-criminal group offering to hack hospitals located across the European Union (EU) to access and falsify vaccination records for willing buyers on the darknet.

In contrast to the paper-based vaccination cards that continue to be the standard across the United States, the EU recently launched a “Digital COVID Certificate” that features a mobile app for quickly verifying one’s COVID vaccination, PCR testing, or virus recovery status. The EU’s program features a QR code with a unique digital signature for each individual, to supposedly prevent falsification and facilitate free movement throughout 27 countries within the EU. Sixteen (16) non-EU countries have also been added to the digital passport scheme including Israel, Norway, Turkey, and Panama.

False digital vaccination records listed at $600 USD in bitcoin

Known simply as “xgroup,” the criminals behind this EU-centric fraud scheme claim to be able to access EU-based local hospital digital vaccination records on behalf of their darknet customers. All the process claims to require of the customer is that they submit their personal information (along with payment) so that it can then supposedly be added to their local hospital’s vaccination records database. This information is then theoretically accessible by the EU Digital Certificate application as each issuing body – such as a hospital, test center, or health authority – has its own digital signature key that communicates with the program.

Who is Xgroup?

Xgroup hosts a dedicated V3 hidden service on Tor where they advertise a range of “hacking services.” In addition to the COVID vaccination record hack, they claim to offer school grade alterations, social media account hacking, and financial debt clearing.

There is no proof of the legitimacy of xgroup’s skills. DarkOwl has captured mentions of their email address across various forums and services on Tor since July 2021, though it is unclear how long they were in operation before that. Our analysts also observed that in mid-July, xgroup were recruiting members with “social engineering skills,” and in late August they were raising donations for their next attack – including quotes from hacktivist organizations like Anonymous.

"Message for all the governments of the world. We recognize you as serious opponents, and do not expect our campaign to be completed in a short time frame. However, you will not prevail forever against the angry masses of the body politic. Your choice of methods, your hypocrisy, and the general artlessness of your organization have sounded its death knell. You have nowhere to hide because we are everywhere." - Xgroup (Sourced from DarkOwl Vision Darknet Data)

The group self-promotes their abilities to “hack social networks” and “destroy someones life” including creating financial and legal issues and spreading disinformation on social media.

Another COVID Scam?

DarkOwl has long observed scammers on darknet and continues to see fraudsters offer goods and services for sale, take a customer’s money, and then never deliver the purchased product. Thus it has not been surprising to see this same tactic being applied rampantly as it has throughout the pandemic, during which time we’ve seen a surge in COVID related scams for things like KN95 masks, coronavirus-infected blood, and black-market COVID vaccines

Xgroup’s fraud scheme is only applicable to European countries as the United States does not have nation-wide digital vaccine record system nor vaccination records stored at local hospitals. The scheme also explicitly refers to the EU Digital COVID Certificate program.

Given that this scheme targets EU-based customers, it is peculiar that the offer lists the address requirements using the US mailing address format and not European which require postcodes instead of zip codes, listed before the city or town, and house names and multi-lined street addresses.

This, along with the fact that the price listed in US Dollars, suggests this could very well be simply a scam originating from criminals located in the United States.

Risk to the EU Digital COVID Certification Program

The EU Digital COVID Certificate program and the idea of “digital vaccination passports” is cause of increasing controversy across the world with many claiming an invasion of health privacy, a threat to personal freedom, and opportunity for discrimination against those without ready access to vaccination centers and mobile smartphones. Similar digital vaccination records systems are in place across the US such as New York’s Excelsior Pass that queries the state’s centralized department of health records. California has a similar online portal for residents to verify their vaccination status with a QR code, called “Digital COVID-19 Vaccination Record.”

While any such digitally-based record system is susceptible to hackers or threat-actors, DarkOwl assesses the overall risk to the EU Digital COVID Certificate program is minimal. As ominous a threat as criminals offering to “hack local hospitals” may seem, we suspect there is a low probability that many darknet fraudsters are actively attempting to gain illicit access to local healthcare computer networks in order to deliver what has been advertised to their customers. In contrast, ransomware groups originating in the darknet pose a legitimate risk to hospitals and healthcare groups worldwide.

Curious about something you’ve read? Contact us to learn more about how darknet data applies to your use-case.

DarkOwl’s historical archive of darknet marketplace data provides a unique opportunity to look-back and compare the AlphaBay Market that was taken down by authorities in 2017 to the features associated with this newly launched marketplace, which shares the same name and is purportedly being ran by the same circle of people.

Lookback: AlphaBay Market and Operation Bayonet Takedown

During the summer of 2017, one of the most intriguing and well-orchestrated international law enforcement efforts in history converged to take down some of the most successful darknet markets to-date. One of these, AlphaBay Market, was the most prominent and popular darknet market since the Silk Road. At its height, AlphaBay’s daily sales ranged between $600,000 and $800,000 USD across 300,000 listings for illicit goods, offered by over 40,000 vendors and viewed by some 200,000 users.

Operation Bayonet, which would ultimately lead to the shutdown of several prominent marketplaces, began with Dutch police seizing another lesser-known market called Hansa Market. After compromising Hansa, authorities secretly operated the market for almost a month. While the Dutch focussed their efforts on Hansa, United States FBI operatives coordinated with international police to DDoS AlphaBay and seize its assets, enabling the Royal Thai Police to locate and arrest its administrator, Alexander Cazes (a.k.a. alpha02).

When AlphaBay became inaccessible as a result, thousands of its buyers and vendors flocked to the then law enforcement-ran Hansa market to continue their operations. Dutch police, operating servers across the Netherlands, Lithuania, and Germany, capitalized on the eight-fold surge of users visiting the market in the weeks following. The authorities used the time to gather information on high value targets and identified delivery addresses for sizable orders, passing along 10,000 international addresses of buyers to Europol.

In cooperation with the FBI, the Royal Thai Police took steps to organize the extradition of the 24-year old Canadian administrator back to the United States. However, after Cazes was held for exactly a week at the Narcotics Suppression Bureau in Bangkok, reports of his apparent suicide surfaced. Bangkok vowed to conduct an autopsy, while US authorities had no interest in verifying the legitimacy of the suspect’s death.

Alexander Cazes’ criminal indictment details how the US Justice Department successfully confiscated his and his wife’s assets, including bank accounts, personal and market cryptocurrency accounts, and luxurious personal possessions in Bangkok – all by supposedly linking his online personas to his real life through a haphazardly leaked email address, [email protected].

When authorities carried out the warrant and arrest in his apartment in Bangkok, his laptop was left unencrypted and the admin account for the market and server logged in. Authorities also simultaneously executed search warrants for the market’s server hardware located in Quebec, Canada.

AlphaBay Organization: Key Players

Cazes did not run AlphaBay singlehandedly. They worked closely with a “security administrator” and second in command known as DeSnake, or simply “DS” for short. According to our historical darknet records, DeSnake had connections in Russia although his true identity and location was not publicly known.

In 2016, an angry user of AlphaBay known as “Kinger” stated that alpha02 had left the market in late 2015, sold his stake to DeSnake, and DeSnake was supposedly acting as admin for its final two years. Kinger’s ominous threat suggested they knew his real life identity and his citizenship was actually Dutch.

“PS: DeSnake, if you read this, we know who you are and where you reside. We know you're a Dutch guy who acts like he's Russian. Should you attempt to exit scam with AlphaBay, rest assured your dox will be posted.” - user known as "Kinger"

There were also at least half a dozen moderators that helped administer the market and its discussion forum, moderated disputes between buyers and vendors, and promoted the market on Reddit (prior to the shutdown of the DNM subreddit). The indictment from 2017 listed them individually by their monikers and many have been arrested.

The authorities were not the only ones to identify and/or attempt to uncover the key players (aka staff) at AlphaBay Market. In the spring of 2017, the Alpha Organization paid an extortionist threatening to dox alpha02 and a couple of his moderators at least $45,000 USD, although the veracity of the information the extortionist had has not been verified.

More information about potential players of FBI interest can be found in historical DarkOwl records, including one that states that the FBI “publicized a list of AlphaBay identities that they had identified, including Trappy, DeSnake, Disc0, and several other members of the Alphabay ‘team.’ From owner (DS) all the way down to public relations manager, Trappy.” (Source: Document Archived in DarkOwl Vision)

As recently as last year, a California Court sentenced Brian Herrell, a Colorado native and AlphaBay moderator who operated under the moniker “Botah” to 11 years in prison for racketeering and for his connections to AlphaBay. Upon his initial arrest, reports suggested he faced up to 20 years for his involvement in the marketplace.

Prior to AlphaBay, Alexander Cazes had a reputable history on the darknet – specifically in the carding community. A senior member from the carding community Ranklez claimed he had evidence to suggest Cazes wasn’t alpha02. Ranklez and alpha02 had a history in the carding community as Ranklez sold alpha02 fullz for conducting identity theft.

For months after its shutdown, users across the darknet theorized whether all of it was an exit scam or something more elaborate and sinister. When AlphaBay’s Reddit moderator and public relations manager, Trappy was arrested, he claimed alpha02 and DeSnake were the same person. The whole saga was confusing and unsettling for many, including Cazes’ parents, who claimed the skill set of Cazes in real life (e.g. his company Canadian EBX, etc) was more in alignment with the qualities DeSnake portrayed than alpha02. (Source: DarkOwl Vision)

AlphaBay Market’s Official Return

In early August 2021, DeSnake resurfaced on Dread, the popular Reddit-like discussion forum on the darknet administrated and moderated by users, Hugbunter and Paris. Dread staff “vouched” for DeSnake to skeptical darknet users with DeSnake signing documents using their historical PGP key.

Interestingly, AlphaBay’s former moderator “Disc0” also chimed in, but using a lowercase “d” this time.

DeSnake promoted the return of the infamous AlphaBay marketplace with services hosted on both Tor and I2P – including detailed instructions and encouragement for users to explore the market on the peer-to-peer network instead of Tor, calling their Tor services “mirrors” of the main market on I2P.

The new AlphaBay market’s Tor service has been unstable since its launch, with frequent 503 errors, user registration issues, and login timeouts. The I2P eepsite also rarely successfully loads. After almost two months of operation, the market has a handful of vendors, with only a couple of hundred listings across drugs and fraud goods. DeSnake claims there have been 15,000 user accounts created, 450 vendors registered, and over 400 listings published as of the time of writing.

The service on Tor appears to be hosted alongside Dread services and features both the Dread waiting queue and clock-captcha for DDoS protection. The marketplace was offline last week, when Dread and its sister services were under heavy DDoS and inaccessible.

While disc0 vouched for DeSnake on Dread they are not Staff on the revived market or its associated forum, claiming they are retired from such work. The new AlphaBay appears to be moderated by the personas TheCypriot, tempest, and wxmaz. All of the moderators speak very formally with impeccable English and gush with unbridled passion about the need for a new concept of decentralized marketplaces, the complex tradeoffs and advantages of peer-to-peer networks, and a deep desire to establish a greater sense of community.  DeSnake’s posts are particularly “wordy” with extensive lengthy posts on Dread and the market’s About and FAQ section. They sign every post and reply officially with the phrase “Thank You.”

Like the historic AlphaBay, the market’s forum is located on the same domain as the market and has limited discussions. Most of the forum is marked private until the user formally introduces themselves in accordance with the rules outlined by DeSnake. There is a “Admin” account as was the case with the historical AlphaBay forum, and DeSnake also has their own personal account. DarkOwl believes this account may be maintained by DeSnake based on the observation that they leave a similar “Thank You.” at the end of every post.

Darknet Users Remain Hesitant and Skeptical

DarkOwl has been unable to assess how the larger darknet community (outside of Dread) feels about the new Alphabay Market. AlphaBay historically had a vocal and persistence presence on Darknet Market Avengers forum which unfortunately, has been offline for several weeks. There are no new threads mentioning AlphaBay’s return on The Hub.

Users on the Russian-speaking forum, XSS have been the most critical of DeSnake and AlphaBay. In a thread titled, “AlphaBay вернулся!” [Translated: “AlphaBay is back!”] users comments were generally critical of the legitimacy of the marketplace, with comical references like “Welcome to the FBI HQ” posts.

DeSnake joined the conversation, creating an account with his moniker on September 12, 2021 in attempts to mitigate the marketplace’s potential reputation damage. DeSnake repeatedly pointed to their vouches from Dread and old PGP key pasted to Ghostbin, paste site.

Unfortunately, DeSnake’s contributions written in a mixture of English and Russian backfired and senior members of XSS berated them for their lack of operational security and inability to properly understand the dynamics of the Russian language.

“Your brand is irrelevant, long forgotten, your missing period as you should know is a lifetime in these circles, your name means nothing, you actually start with negative trust and momentum rather than popping up with a completely new name and brand not linked to the dumpster fire that went down before. So your either dAFeDz, or you have fallen victim to a serious and advanced case of autism after getting your covid vaccination. Either way none of your weird over explanation means anything because before we get to any of that we have to deal with the mental retardation and poor judgment that lead you to relaunch like this. But since youre not who youre trying to be we can skip it" 

– XSS user’s reply to DeSnake directly on the AlphaBay is back thread

Even Reddit users on the surface web have mixed feedback. One user openly joked they would stick to purchasing their drugs on social media.

Drama Begins and Scammers Take Advantage

During this research, DarkOwl discovered a surface web domain that mirrors much of the information DeSnake shared on Dread, but with a Tor link to the market that is not in the mirrors.txt verified links list from AlphaBay. The surface web domain is likely setup specifically to direct users to a phishing site where their credential information can be stolen.

There is a Dread thread in the AlphaBay subdreadit stating that AlphaBay is not on Telegram or the surface web validating the theory this is likely a phishing domain. No information about the domain could be ascertained as it is protected by Cloudflare.

The links section on the surface web AlphaBay domain asserts that all the information on Dread is false, stating that DeSnake’s Dread account had been compromised by “mr_white.” The moniker mr_white belongs to the administrator and owner of the popular darknet marketplace, White House Market (WHM) themed after Breaking Bad’s main character, Mr. White.

Some users claim that mr_white and his team from WHM are to blame for last week’s DDoS while others speculate that HugBunter himself could be mr_white.

Is the “New” AlphaBay What it Claims to be? Observations from DarkOwl’s Analysts

While DarkOwl generally avoids engaging in or commenting on speculative darknet drama, there are several things about the re-emergence of AlphaBay and DeSnake that don’t add up. While DeSnake very well could be legitimate, the sheer fact the authorities confiscated the market’s servers and Cazes’s unencrypted laptop should bring significant suspicion whether this new darknet marketplace is legitimate, or simply another covert law enforcement operation.

For this reason, our analysts have shared some observations of note that potentially point to something larger transpiring than a simple relaunch of the former marketplace. Notably:

• Registration for the market and the forum seem unnecessarily complicated, including errors if the pin code started with ‘0’ and asking for the user’s “real name.” The concept of a real name is irrelevant in the darknet unless the administration is possibly trying to catch someone not in the “right-state-of-mind” slip-up and actually put their real name into that field.

• The DDoS protection and bot detection measures are excessive for a brand new marketplace. While navigating the domain manually, DarkOwl analysts regularly had to reset their Tor circuit and refresh their identity to simply view the vendor listings.

• The market includes an outrageous number of strict rules delineated as “global AlphaBay” versus rules specifically for “buyers” and “vendors.” There are no weapons allowed (where the previous AlphaBay had a weapons category), no Fentanyl sales allowed (where the previous AlphaBay had a ‘Fent and RCs’ category), no COVID-19 vaccine or cures can be offered, no ransomware sold or advertised, and no Commonwealth of Independent States (CIS) related countries activities allowed.

• The “About-Us” and Frequently Asked Questions (FAQ) sections are a laborious read with over 13,000 words combined – 8,200 for the FAQ section alone. Conversely, the original AlphaBay’s FAQ was a mere 277 words.

• The overt exclusion of CIS countries is peculiar, especially given that DeSnake and alpha02 were openly active in Russian carding communities. According to DarkOwl Vision’s archived documents, Russian speakers were present on the original AlphayBay forum and in interviews alpha02 spoke of how they “work with our Russian colleagues to enable each of us to enrich our base of vendors and buyers,” and clearly was not excluding users located in Russia.

• AlphaBay now only accepts the cryptocurrency Monero, and heavily promotes that users access it via I2P instead of Tor, calling their Tor services “mirrors” to the main I2P eepsite. DeSnake’s detailed instructions for installing I2P on Dread fail to mention the potential risks of peer discovery and de-anonymization through known techniques like Eclipse and Sybil attacks in conjunction with flood-fill takeovers. Interestingly, the last known Monero-I2P-centric market was Liberitas, which went offline in June 2019 after a very short stint on the I2P network.

• DarkOwl could not confirm any prior darknet experience from the moderators DeSnake has installed as Staff on the market and forum.

• The new AlphaBay Marketplace refuses donations. It is unheard of that a darknet service would decline and discourage donations. A fully-functional darknet marketplace will indeed provide sufficient financial resources in the future; yet refusing them from the start is unreal.

Additional language analysis reveals other questionable inconsistencies. For example, in the FAQ and About-Us, there are several mentions of DeSnake’s operational security (OPSEC) prowess and over-the-top digs at law enforcement, e.g. “dirty playing by LE with their parallel construction.” Interestingly, the phrase “parallel construction” has appeared many times in post-AlphayBay (2017) conversations on other English-speaking and Russian forums.

Given how security conscious DeSnake was previously, which they self-proclaimed as operating under the mindset of ‘the agencies are after me’,” it is unlikely that they would have been comfortable writing in such recognizable patterns and thereby potentially exposing speech and language nuances.

In a similar vein, DeSnake’s extensive writing samples include multiple instances where the “British” spellings of words like “honoured” and “minimised” are included similar to how alpha02 wrote in his interview with Joshua G in April 2015 on Deep Dot Web, but “decentralized” is still spelled with a “z.” While there are very few English-speaking historical writing samples from DeSnake, as they were most active on Russian-speaking forums like TCF and Evolution, an analysis of historical AlphaBay market records never included any British-English spellings such as these.

Furthermore, darknet users rarely draw so much attention to themselves. DeSnake has broken this mold with their dramatic return to the public eye that included interviews with the media and identity verification through a potentially compromised PGP key.

DarkOwl has assigned assets to monitoring and collecting data from the new AlphaBay Marketplace, leveraging our darknet intelligence capabilities, despite their increased crawler detection measures and ongoing server instability. Our analysts will continue to follow this market’s presence and reputation on the darknet, and provide further updates as this story unfolds.

Curious about something you read? Interested in learning more? Contact us to find out how darknet data applies to your use-case

DarkOwl’s unparalleled reach into the Darknet Illuminates Threat To IoT as Realized with Recent CCTV Attack on Prison Security System.

In recent years, the cybersecurity industry has repeatedly warned of an increase threat against Internet of Things (IoT) devices. With Ring doorbells, smart refrigerators, IP-enabled cameras and baby monitors, and wi-fi enabled programmable thermostats, the modern western home is a hacker’s playground with multiple attack vectors to choose from. Cybercriminals and hacktivists readily seize upon more lucrative and scalable victims, with cloud-based IoT servers regularly targeted and databases of IoT data exposed – like that of enterprise security camera system provider Verkada, which had 150,000 systems compromised back in the spring of this year during #OperationPanopticon.

Iranian-based cyber hacktivists, known as Edalat-e Ali, or “Ali’s Justice” elevated such vulnerabilities last month, compromising an Iranian prison system’s closed-circuit television (CCTV) to expose widespread abuse and inhumane prison conditions.

DarkOwl has also discovered that the tools to carry out such IoT exploitation campaigns are readily available for sale on the darknet.

Background: The Iranian hacktivists who compromised the CCTV networks

The Edalat-e Ali hacktivist’s Telegram channel, created on August 19th, launched their attack against the Evin Prison and a photo surfaced of the prison control room with their logo on the screens in their earliest posts. They claim to have “hundreds” of gigabytes of data. In less than two weeks, the Telegram channel has amassed over 30,000 followers and includes numerous leaked videos.

The description provided in their Telegram channel reads as follows:

ما تصمیم به بر ملا کردن جنایات رژیم گرفته و به سیستمهای زندان اوین حمله سایبری کردیم.جهان را از نقض بارز حقوق بشر در پشت دیوارهای زندان اوین مطلع کنید (ویدیو،عکس،پرونده های زندانیان سیاسی و مدارک مختلف از زندان).

زندانی سیاسی آزاد باید گردد!

«عدالت علی»

[Translated to English]

We decided to resolve the regime’s crimes and attacked Evin prison systems. Inform the world of obvious human rights violations behind the walls of Evin prison (video, photo, political prisoner records and various documents from prison).

Free political prisoner must be!

“Justice Ali.”

The group also leaked documents from the prison from early 2020, where Evin Prison officials expressed concern over potential foreign military attack. This leak suggests that Edaalate-Ali possibly accessed their internal data storage systems in addition to their CCTV security footage. (Source)

Darknet Tools of the Trade to Exploit IoT

Coincidentally, on the same day that the Edalat-e Ali group appeared on Telegram, a vendor known as “thedangeroustomato” posted an offer for a 2021 CCTV exploit on the new Canadian-centric darknet marketplace called “We The North.”

The CCTV exploit is available for a mere $10.50 USD and claims it is “skid-friendly” with the exploit delivered to the victim network via a malicious PDF and two python scripts.

According to DarkOwl Vision’s database, the vendor has very few listings and not much history using that moniker across other darknet forums and marketplaces.

DarkOwl assesses with medium confidence that the “We The North” darknet marketplace is likely a thematic spin-off of Canadian Headquarters, another Canadian-based darknet marketplace that reportedly “exit scammed” a few weeks ago, but has recently resurfaced on a new v3 Tor onion service. The new Canadian HQ market has a new user database (e.g. old credentials do not work) with a “Coming Soon” banner on the main shop front.

Cyber Threat Actors Will Continue to Target CCTV Vulnerabilities

DarkOwl has not confirmed whether this specific exploit was employed against the Iranian Evin Prison hack. However, the low cost to procure, ready availability of such tools via python scripts, and flurry of international news media covering the prison CCTV hack success, suggest further attacks against similar CCTV security systems are likely if not highly encouraged by darknet cyber criminals.

For example, darknet forum and chatroom members celebrated the Verkada attack against Tesla and Cloudflare earlier this year in March, 2021. A member of the DDoSSecrets Telegram group, known for releasing geopolitically controversial content on the darknet, claimed that APT-69420, known as “Arson Cats” were responsible for the IoT device breach and shared images from the victim devices in defiance against global mass surveillance. According to one chatroom, employees at Verkada supposedly revealed the use of the Verkada’s “Super Admin Tool” was widespread and a compromised admin credential could have been the origins of the device attack.

The U.S. Justice Department indicted 21-year-old Swiss-based female hacker Till Kottman with the crimes against Verkada shortly after the leaks appeared. According to open-source reports, her group, designated APT-69420 Arson Cats, is a small collective of “primarily queer hackers, not backed by any nation state, is motivated by the desire for fun, being gay and a better world.”

Curious about something you read? Interested in learning more? Contact us to find out how darknet data applies to your use-case

To learn more about the technology habits of ransomware operators, DarkOwl analysts conducted a brief survey of content issued by RaaS groups over the last few years and collated mentions of any email domains they provided for victims to initiate contact with them. The data we analyzed included ransomware notes harvested from multiple darknet sources from 2016 through the first two quarters of 2021.

The chart below depicts the results of our findings, and demonstrates which email services were and/or are popular amongst ransomware gangs over the past several years.

Quick Takeaways

• Since 2019, ransomware criminal gangs prefer the Swiss-based Protonmail and German-based Tutanota encrypted e-mail services over other e-mail service providers. The data included in this analysis summed the domains mentioned across all service provider TLDs, e.g. .ch, .io, .pm, etc.

• E-mail service providers AOL and India.com were most popular in 2016 and 2017 but use of these providers have dropped off considerably in recent years.

• Google’s Gmail has experienced moderate, alibeit consistent use by many ransomware criminal groups.

Tutonata emerges as most popular email service in 2021 thus far

For the first half of 2021, Tutonata appears to be leading Protonmail in total email accounts mentioned across notes published in the first two Quarters of 2021. Both email services have been the subject of controversy over recent years, including last December when open source reporting indicated that the German government had been forcing Tutanota to setup backdoors, enabling law enforcement to monitor and read e-mails in plain text.

While the reason for the decline in Protonmail’s popularity can not be stated definitively, the fact that the service has been the subject of debate is likely a contributing factor. In 2019, some users across the darknet and Reddit began spreading rumors that ProtonMail was likely a law enforcement honeypot – citing how its Tor service redirects back to the surface web upon account creation. Theories that developers at MIT with oversight from the NSA, CIA, and DARPA assisted CERN with Protonmail’s source code and encryption development. Further arguments included how Protonmail stores email data and metadata in formats similar to those that Edward Snowden had stated the CIA requires. (Source)

This debate is heated and greatly divided with many stating the Privacy WatchDog Blog detailing how Protonmail is a honeypot is anti-Protonmail propaganda website, spreading FUD and baseless conspiracy theories. Additional reports suggest that the CIA for decades has utilized front-companies and technical organizations based in Switzerland to spy on European governments, adding fuel to the paranoia and conspiratorial chatter.

Future Predictions

While the trends for email address domains observed during the first two quarters of 2021 are consistent with preferences in recent years, this data analysis further predicts that the total number of email addresses from ransomware victim notes for 2021 will be likely less than totals observed from previous years.

We predict this due to the volume of ransomware groups utilizing alternative communication methods with their victims. DarkOwl has observed numerous links to Telegram accounts and real-time chats directly hosted Tor darknet onion services to conduct ransom payment negotiations in lieu of traditional e-mail based communications.

Curious about something you read? Interested in learning more? Contact us to find out how darknet data applies to your use-case

Since the beginning of July, information security researchers who have been keeping up with the darknet ransomware community have been anxiously awaiting the debut of AvosLocker’s official Tor service, which will be used as a forum for the ransomware-as-a-service (RaaS) group to communicate with the public about their victims. In early July, DarkOwl observed a v2 Tor onion service branded with AvosLocker’s name and brand logo – a purple bug with green-tipped antennae – stating that the reader’s (victim’s) network and hard drives had been “encrypted using AES-256 military grade encryption.”

The landing page (pictured below) included a simple form where victims with an “ID” could enter the darknet service to begin negotiations with the AvosLocker team on their ransom payment and status of their extorted data. An ID is only available to those who received a ransom note upon encryption of their computer networks.

The new onion service – collected by DarkOwl automated crawlers on the Tor anonymous network earlier this week – lists at least six victims consisting of a mixture of transportation and logistics corporations and legal firms across the globe.

Editors note: DarkOwl has intentionally chosen not to disclose the victims’ names and has sanitized all mentions of victims in the screen captures below included in this piece

DarkOwl also detected an AvosLocker affiliate registration and login portal on their original v2 Tor service. The registration form indicates AvosLocker issues invitation codes for access to the domain.

There is no mention of AvosLocker or their logo on the affiliate-related portal onion services (pictured below).

Returning back to AvosLocker’s debut of their new, branded onion service, it is worth noting that ransomware operators set up public PR-oriented blogs for any number of reasons:

1.     They are truly a brand-new ransomware operator conducting ransomware campaigns against victims, employing a unique ransomware encryption cipher, as well as other tactics, techniques and procedures (TTPs);

2.     They are an existing RaaS affiliate with enough profitable and successful operations to warrant their own victim shaming Tor service; or

3.    They are a seasoned ransomware operator who is intentionally attempting to obfuscate their operation’s identity by rebranding and changing aliases of key members.

The fact AvosLocker is operating as a RaaS gang employing the traditional “affiliate” model – as noted by the login portal above – means it is highly unlikely they are an affiliate of an existing RaaS group and more likely a rebranding of existing RaaS operator.

Accompanying this theory, DarkOwl analysts quickly observed that the AvosLocker’s new service has striking resemblance to other websites established on Tor, more specifically the infamous Doppelpaymer RaaS gang.

DarkOwl has no indication that AvosLocker is an affiliate of Doppelpaymer, or if it has merely copied the HTML/CSS templates employed by the Doppelpaymer group; it is not uncommon for hosts of Tor onion services to create websites that look and feel like previously published services.

In contrast to the AvosLocker’s service, the Doppelpaymer leaks service on Tor requires the visitor to solve a reCAPTCHA and enable Javascript for the domain to load properly.

Doppelpaymer has plenty of justification to rebrand their operations, but there is insufficient evidence at this time to confirm AvosLocker is their new brand. In December of 2020, the FBI issued a warning against the Doppelpaymer RaaS gang after a series of attacks last fall in Europe resulted in the death of healthcare patient in Germany. (Source)

The last victim posted on the Doppelpaymer leak service is dated back to May of 2021, and the last one before that was in February. This might suggest Doppelpaymer could be slowing down its operations to avoid additional scrutiny from the media and law enforcement.

Interested in learning more? Contact us to learn how darknet data applies to your use case

Late last week, DarkOwl analysts observed the REvil ransomware as a service (Raas) cyber-criminal organization publicly announce its latest victims of their ransomware operations on their darknet onion service, some of which have direct associations to western militaries and governments.

Previous assessments have suggested the targets selected by REvil and similar RaaS groups were completely random and indiscriminate. Without directly naming or shaming the companies who fell victim to REvil’s ransomware attack, DarkOwl endeavors to merely highlight the suspicious timing of these specific announcements – along with threatening language included in the release – and the lack of any mention, nor claim of responsibility attacks against global meat distributor, JBS SA attack during Memorial Day weekend; an attack that temporarily impacted meat supplies around the world and caught the attention of the U.S. White House and international authorities.

These latest victims highlight the increasingly vulnerability of supply-chain attacks against critical service providers and the potential impacts to national security in the U.S. and abroad.

REvil Threatens to Share Sensitive Victim Data to Foreign Military Agencies

REvil representatives continually maintain their financially-motivated and opportunistic stance with numerous darknet forum posts stating that they want no part in geopolitical affairs nor act on behalf of any government. In these latest victim announcements, REvil included sensitive military contract information and critical personally identifiable information (PII) of the victim’s employees, such as copies of employee passports, payroll statements, and national identification numbers, as “proof” of the legitimacy of the attack.

More sinisterly, they also acknowledge the sensitivity of the data they’ve stolen and stated they would not hesitate to share this information with other foreign military agencies of their choice, directly contradicting earlier positions of agnosticism in international government affairs or military operations.

Many sources have already confirmed the likelihood that REvil is a Russian-based cyber-criminal organization. The recent string of ransomware attacks by REvil, their affiliates and similar groups, suggest that these organizations are indeed directly targeting critical supply-chain targets with unique technological and critical infrastructure focus, instead of indiscriminately targeting victims for monetary gain.

It is also noteworthy to point out that there is no current consensus on how long RaaS operators like REvil can maintain unauthorized access to victim networks, during which time they would be able to extract data and conduct potentially cyber-espionage-like activity before making themselves known. In other words, the target’s networks are freely accessible to these criminals for an unknown period of time before they finally pull the plug on the operation by deploying a ransomware variant, which then locks down the network, notifies the victim, and begins the phase of extorting target by demanding a ransom.

One security researcher recently shared their analysis of the latest version of REvil’s source code, version 2.05, stating that persistence of the malware was maintained through creating a registry key under SOFTWARE\Microsoft\Windows\CurrentVersion\Run (on Windows machines), which allows the malware to run every time the user reboots their machine. Other ransomware analysis of victims of the Pysa/Mespinoza strain, detailed an 8 hour campaign, launched via a compromised RDP account, where threat actors moved laterally throughout the entire domain harvesting additional credentials and data wherever possible (Source). This, however, is unsurprising as it is well-known that REvil and other popular RaaS operators leverage stolen VPN, RDP, and user credentials where available – often actively sold and traded on the darknet – and readily prey on unpatched server-side software and remote working products like Citrix ADC.

What other kinds of companies are REvil and their affiliates considering as potential targets?

In an interview conducted earlier this year, REvil representative known simply as “Unknown/UNKN”, stated many of their affiliates had unprecedented access to national security assets (directly or indirectly) including, “a ballistic missile launch system, one to a U.S. Navy cruiser, a third to a nuclear power plant, and a fourth to a weapons factory.” The veracity of this extremely serious claim has not been verified by DarkOwl nor the interviewer who spoke directly with Unknown. Others skeptical of interviews with such unreliable threat actors note that this particular “Unknown” could have been an imposter, as alias hijacking is common in across darknet communities. 

However, supporting the ransomware group’s claims of their alarming access to such national entities are recent reports confirming that another ransomware victim is a company that manages the US fleet of military vehicles. While not presently determined to be directly attributed REvil, this incident is indicative that ransomware groups as a whole are indeed successfully compromising vendors supporting US and allied military efforts.

An Ever-Expanding and Continuous Operation

REvil fingerprints have also been recently detected in a new strain of ransomware known as Episilon Red, which information security researchers directly associate with a concerted attack on Microsoft Exchange mail servers. In late May, another new ransomware variant known as Prometheus setup a new Tor onion service claiming they were a “Group of REvil” in their ransom note and branding. Security researchers indicate that Prometheus, operating now for over a month, pens their ransom notes very similar to MountLocker and Medusalocker ransomware variants.

Despite the media attention the JBS SA attack garnered, REvil shows no sign of slowing down or scaling back their operations. In an interview conducted with Russian OSINT YouTube channel last week, they suggested they had previously limited themselves from conducting attacks against U.S. targets, although DarkOwl notes several of their victims over the past year included retail, health, legal, and agricultural companies with operations headquartered in the U.S.

The group’s spokesperson also showed no concern for being considered “terrorists” by the U.S. government or intelligence community, boasting their confidence in prosecution immunity, being sheltered by Moscow, who undoubtedly allows them to operate freely without legal consequence. They concluded their interview with the statement “We are not going anywhere, we are not going anywhere. We will work harder, harder, and harder.” (Source)

DarkOwl will continue to monitor this ongoing story and update as our analysts uncover information.

Breached data from ransomware attacks often wind up on the darknet. Contact us to see if your organization has been the victim of a cyber attack to gain insight into the full extent of your company’s darknet exposure.

JUMP TO A SECTION:

What is an Imageboard and Why is it called a Chan? 

Key Players

The Language of the Chans

Topic Boards and Types of Content

How Imageboards are Evolving on the Darknet

An Introduction to Imageboards of the Darknet

The darknet is replete with an extensive array of content, including onion services and communities that intelligence and investigative analysts have noted are home to cyber criminals, scammers, and threat actors. Typically, the most common hubs for these users are darknet marketplaces and blogs/forums. However, recently, our analysts have observed the increasing presence of a legitimate and growing segment of the darknet, comprised of a community of free-speech enthusiasts who utilize imageboards known as “chans.”

The rise of QAnon and the coordinated siege of the U.S. Capitol in January shined a spotlight on one wildly popular imageboard known as 8chan, bringing about significant coverage in mainstream media. In the wake of such recent events, we have observed an increase in imageboard hosting on the darknet, including many direct copies of the 8chan codebase that are serving as new safe havens for emerging, controversial chan boards. In fact, DarkOwl has identified over two dozen alternative chans on the darknet – not related to 4chan or 8chan – across numerous languages (Russian, Korean, Japanese, German, and English) that are currently online and active.

An imageboard is considered a type of bulletin-board-like forum that revolves around the posting of images, often alongside text and discussion. Imageboards are characterized by a community of users with non-identifiable usernames, usually simply “Anonymous” – that rely on a system of tripcodes instead of registration with credentials. A tripcode is the hashed result of a unique password that allows one’s identity to be recognized without storing any data about the user and entering a particular password will let one “sign” one’s posts, often necessary for moderators and staff, with the tripcode generated from that password. 4chan and 8chan (or 8kun) implemented secure tripcodes that are not reproducible across different imageboards and are more resistant to the hashed password getting hacked or cracked. The originating IP address of the user is known to the administrator of the imageboard, but the pseudo-anonymity of the forum structure led to its users calling themselves “anons.”

The very first imageboard was 2channel, (2ちゃんねる, 2chan, or 2ch) first launched over two decades ago by Hiroyuki Nishimura, a Japanese Internet entrepreneur and student based in the United States at the time. By hosting the board outside of Japan, Nishimura managed to circumvent Japanese internet censorship and grew the predominantly Japanese online community millions of daily users with a level of influence in society many described as comparable to that of traditional mass media like television, radio, and magazines. Nishimura named the imageboard 2channel after the physical channel older televisions would need to be turned to, to use auxiliary devices like 1990s video game consoles.

In 2003, not long after the success of 2channel, Christopher “moot” Poole (at the time age 15 years old) launched an English language counterpart to 2channel known simply as 4chan. Poole already had a history as an active participant on the comedy surface web bulletin board known as “Something Awful” which funneled users to 4chan and quickly increased its popularity, forming a whole new genre of internet subculture including the “Cult of Kek” (Pepe the Frog), the conversational meme factory, and resources for rare adult fandom like My Little Pony.

The pseudo-anonymity provided by 4chan also enabled discussions from a rather darker segment of society where disturbing fetishes and hate speech are not just authorized but glorified. Illegal content such as child pornography and gore increased the need for fairly strict moderation on the site by its hundreds of volunteer moderators stationed around the world; Poole and a part-time developer were the only official staff of the board. In 2014, 4chan was central to the Gamergate controversy, an online harassment campaign dedicated to directly targeting and doxing females because of anger regarding feminist or progressive ideals found at the time in the video game industry.

By this time, alternative imageboards known as “alt-chans” had emerged including Wizardchan whose userbase consisted of virgin men or “incels” (slang derived from “involuntary celibate”) who define themselves as unable to find a romantic or sexual partner despite desiring one and ultimately often despised the sheer existence of the entire female gender. To this day there is crossover in the users between imagebaords – Wizardchan’s users also post in threads on 4chan and vice versa.

Due to the increased moderation of content on 4chan, a prominent user and admin of Wizardchan known as Fredrick Brennen, using the pseduonym “Hotwheels” founded “infinitychan” (using a sideways “8” for infinity, or simply 8chan or 8ch), redesigning the codebase to include user-created and moderated boards on the channel. In 2013, Brennen advertised the new imageboard as a “free speech friendly alternative to 4chan” and 4chan’s eventual blanket censorship of all Gamergate related discussions significantly increased 8chan’s rapid success and popularity in the first years of its operation. 8chan quickly outgrew Brennen’s ability to host the volume of posts by its thousands of daily users and illegal content became increasing difficult to moderate. In late 2014, he partnered with Jim Watkins in the Philippines to host and help scale the platform, using Watkins data center company N.T. Technology while Brennen served as admin and the public face for the board. (Source)

8chan’s content became increasingly obscene and its users linked to several violent international hate crimes including the mass shooting at a Christchurch mosque in 2019, the Poway Synagogue shooting, and El Paso shooting at a Walmart targeting Hispanics shortly thereafter – with all three shooters posting racist and xenophobic manifestos on the imageboard within hours of the attacks. Around the same time, Brennen resigned as the imageboard’s admin and launched a campaign to get the site shutdown permanently with direct attacks against both Jim and Ron Watkins across social media and the mainstream news media. In late 2019, Watkins rebranded 8chan to 8kun after widespread public criticism of the site with support from Russian hosting providers affiliated with cybercriminal activity.

The imageboards mentioned above are considered the grandparent-chans creating the ‘foundational’ platforms for fast-paced discussions, fueling mob-like mentalities and are still widely popular underground online communities. Nevertheless, there are hundreds of “alt-chans”, many of which have a growing presence of users on the darknet, including not only a mirror of 2channel, but 16chan, nanochan, 64chan, Korchan, Kohlchan, and others. The surge in new imageboards and their use of the darknet is indicated by conversations that express how its users are increasingly concerned over the concerted ‘attack on free-speech’ that occurred in the wake of the January 6th riots and as well as members of the US Congress’s call for a repeal of Section 230 of the Communications Decency Act, which has historically protected the hosts of controversial social platforms from legal consequence. (Source)

The following lists the founders and critical players of the most popular and widely discussed imageboards in public media. Due to the nature of the content and its users and creators inherent desire for digital privacy many of the owners and administrators of imageboards are completely anonymous or known only by their pseudonyms.

Imageboards pride themselves on providing a platform to advocate free-speech and the purest freedom of expression and many users utilize the forums as an outlet for venting internal frustration, speaking on the boards in ways that they would never, ever speak in real life. In 2010, 4chan administrator, “moot” was called to testify in the trial of David Kernell, a 4chan user who was eventually convicted of hacking of Sarah Palin’s email during the 2008 Presidential election and leaking screenshots from her account on the imageboard. The administrator’s role in the trial turned from ordinary to awkward when moot was asked to define and explain the community’s lingo and terms that were used in the posts and comments included in the prosecution’s discovery. Terms he testified about included such vernacular as “b tard”, “troll”, “peeps”, “lurker” and OP (original poster).

In the last decade, the culture and language of the chans has only become even more exclusive and insular to its chan-community, preventing many new users and investigative analysts from engaging its users or even further parsing what they are reading in any given thread from darknet data collection systems. The influx of right-wing extremism and domestic terrorism observed with the popularization of QAnon on 8chan (or 8kun), increased the use of phrases specific to Q’s posts such as “Patriots”, “Trust the Plan”, “Great Awakening”, “WWG1WGA” (where we go one we go all), “Panic in DC”, “deep state”, and the idea of “sheep” or those who follow main stream media blindly.

Imageboard users go to great lengths to directly insult each other on the thread and openly attack anyone of non-Caucasian race or non-evangelical Christian religious beliefs. Most of the lingo is too obscene and vulgar to be mentioned here, but there are some standard key phrases used across all the imageboards that provides general context to many an anon’s post. Several of these have made it into urbandictionary.com, whose definitions were included directly where available.

based: A word used when you agree with something; or when you want to recognize someone for being themselves, i.e. courageous and unique or not caring what others think. Especially common in online political slang.

redpilled: A word used to describe when a left leaning liberal have shifted their beliefs into alignment with the right. The phrase was adapted from the movie, The Matrix, where Morpheus is offering to enlighten Neo to the Matrix: “You take the red pill, you stay in Wonderland, and I show you how deep the rabbit hole goes.”

shill: This word describes a person who is pretending to agree with a conspiracy and intentionally circulates false information or acts totally insane in an effort to discredit said conspiracy. Someone who shills could also be someone directly lying in a post to deceive or cause controversy.

larp: An acronym meaning “live action role play” – when whatever post has been stated is not real or intended for comedic or dramatic effect, as if it occurred in a play.

/b/tard: A derogatory insult to address users who are found in the /b/ section of the board or to insinuate that their post is random or nonsensical.

lurker: A person who ‘lurks’ or browses the board and never posts anything.

newfag: A newcomer to the imageboard who is considered a nuisance to the discussion. Often this person is trying too hard to fit in.

neckbeard: A word derived from conjoining of the words “neck” and “beard,” to denigrate a male user on the board as characterized by an inflated sense of self-worth and a powerful sense of entitlement, particularly to affection, subservience and sexual acts from women.

neet: A person considered a failure in life who is unemployed and lounges all day playing video games or watching anime. 

waifu: A word used in the manga sub-genre to describe a fictional female character that they love and would marry if they were real.

glow: If the word glow is associated with an insult or someone says, “you glow” that would intimate that you’ve been perceived as law enforcement or a government agent.

troll/trolling: As it relates to imageboards, trolling describes the deliberate act, (by a troll – noun or adjective), of making random unsolicited and/or controversial comments on various internet forums with the intent to provoke an emotional knee jerk reaction from unsuspecting readers to engage in a fight or argument.

Persistent topic boards are a characteristic of chan forums. From its inception, 4chan required an administrator to create all topical boards to guide its users’ discussion, leading to a sort of standard that has persisted to newer chans. Alternatively, 8chan infamously provided creative freedom to its users to launch and moderate its own topical boards – a backend board style adapted by several imageboard developers.

Nevertheless, there are some board topics that are persistent across all of the imageboards, including the alt-chans across the surface web and darknet. Such well-known and highly popular sub-boards include:

• /b/ – random: The sub-board /b/ was the first board Poole created on 4chan and it was the catchall for any random thread about any sort of content including cartoon pornography and debased memes.  It is considered community etiquette across most all imageboards to limit discussions that are specialties or the focus of other boards on the channel. Many imageboards recognize the power of /b/ to such an extent it is the only board available on its entire platform.

• /pol/ – politically incorrect: The /pol/ sub-board covers wide range of subjects, including politics, culture, social issues, religion, law, finance, and current events. It has become most well-known for its divisive content and hate speech with posts including neo-Nazism, white supremacy, and xenophobia. Nearly all imageboards online today have an active /pol/ board and some even include additional country specific politics, like /polru/ for Russian political discussions. Some non-English speaking alt-chans have created an /intpol/ sub-board instead of /pol/, which stands for international politics as many of the English-speaking /pol/ boards are heavily influenced with U.S.-focused political partisanship. Last year, 8kun renamed its /pol/ board to /pnd/ for politics, news, and debate much to the protest of its userbase.

• /a/ – anime: Given the imageboard’s roots in Japanese anime subculture, and 2channel’s founder being Japanese, most imageboards have a sub-board called /a/ dedicated to sharing and discussing anime. Many posts on this sub-board also includes a very specific sub-genre of animated pornography known as “hentai” short for hentai seiyoku translated as a “perverse” or bizarre sexual inclinations.

• /g/ – technology: The /g/ sub-board got its start on 4chan, and other imageboards have quickly adapted this topical board for “discussing computer hardware and software, programming, and general technology.” This channel often includes a wide-range of posts that might asking recommendations for which Linux distribution to install or pictures of users’ home technology setups.

  Last week, DarkOwl analysts observed a post on /g/ on how to successfully hack Apple’s recently released AirTags product with detailed instructions from a security researcher’s blog on the surface web, demonstrating how /g/ could be used to uncover security vulnerabilities.  Within minutes of the post appearance, /g/ moderators removed the thread validating user complaints of how heavily moderated 4chan can be and what attracts many users to imageboards hosted exclusively on the darknet with more relaxed moderation policies.

Most imageboards have a surface web domain address and accessible directly from the public Internet. Imageboards are considered pseudo-anonymous, since a user’s IP address is known and likely logged by the imageboard administrator, especially for users accessing the site directly on the surface web.  While many users access imageboards using a Virtual Private Network (VPN) proxy, 8chan utilized Tor off and on over the last five years to mirror its content, to provide additional anonymity to its users accessing the imageboard and to mitigate DDoS attacks against its Internet domains.

Other imageboards, including 2channel, have a persistent presence on the darknet providing its users additional layers of operational security. Some imageboards like endchan have mirrors across other alternative darknets including Oxen and Yddrasil for additional data redundancy and wider client support to its userbase.

Many imageboards are strictly accessed through the surface web have strict rules about what can and cannot be uploaded and its administrators comply with all law enforcement requests for information and readily handover logs. Others give moderators the power to disallow users posting from a Tor exit node, in the case where users access the surface web domain using the Tor Browser Bundle for anonymity.

Other darknet exclusive imageboards have more lenient rules and allow its users to post illegal content including violence, pornography, and gore. Gurochan, an imageboard that originated over a decade ago, recently returned online and predominantly includes threads with gore and necrophilia.

An Increasingly Evolving Darknet Threat

The imageboard community on the surface web is rapidly evolving and many services are migrating directly to or mirroring their content across the darknet(s). Knowing that 4chan is now heavily moderated and often called a law enforcement honeypot, and that many users of 8kun have disappeared with the failure of a real-life political “reckoning” for the alleged deep state cult at the heart of the QAnon conspiracy, the imageboard underground digital community is thriving as a safe haven for people to direct their shills and troll campaigns.

As previously mentioned, during the course of this content research, DarkOwl identified over two dozen alternative chans on the darknet – not related to 4chan or 8kun – across numerous languages (Russian, Korean, Japanese, German, and English) that are currently online and active. To support its Vision users in conducting their most effective and efficient investigative analysis we have also created a “Groups” filter using these domains, so Vision UI users can easily target their searches directly into these communities without direct or a-priori knowledge of the onion service addresses. Hopefully this post, with its primer on historical context and guide to imageboard community lingo, will help end users develop intelligent targeted queries to find content of interest.