The eighth series of the popular, BAFTA-nominated TV show ‘Hunted’ came to a dramatic end this month.
Hunted is a gripping reality series that pits volunteer civilian ‘fugitives’ against a professional team of ‘Hunters’ – comprising former intelligence officers, police detectives, and cyber analysts – who employ real-world investigative techniques to try to track them down within 28 days.
The TV show regularly attracts over 2 million viewers per episode.
In this series, the Hunters caught 13 of the 14 original fugitives within the time frame, the most successful capture record in the show’s history.
Copyright Shine TV/ Channel 4
In the programme, the ‘fugitives’ must try to evade simulated capture by Hunters who leverage an impressive arsenal of capabilities: CCTV networks, ANPR systems, mobile phone tracking, financial surveillance, OSINT and behavioural profiling.
The Hunters establish pattern-of-life analysis, exploit OPSEC failures, conduct tactical ground operations, and demonstrate how modern surveillance infrastructure creates a near-inescapable digital dragnet.
OSINT specialist and DarkOwl super-user Daisy Hickman appearing in Series 8 (copyright Shine TV/Channel 4)
The show illustrates the investigative challenges of resource allocation, intelligence fusion, and the cat-and-mouse dynamics between human behaviour and technical collection, while exposing how difficult it truly is to disappear in a modern surveillance state.
In this series, DarkOwl was selected as one of the handful of intelligence tools (and the sole Darknet technology) to assist the Hunters in their London HQ.
Daisy Hickman – an OSINT specialist Hunter who holds an MSc in Forensic Investigation – commented on her experience with DarkOwl (in her capacity as a DarkOwl super-user during the show):
“DarkOwl proved critical to our time-sensitive fugitive operations, and the easy to use interface and comprehensive data was an invaluable part of our OSINT analysis.”
By continuously indexing high-value darknet websites, fora, marketplaces, chans, leak databases, Telegram channels and beyond, DarkOwl reconciles underground activities and personas with real-world events and people for all levels of intelligence analyst.
DarkOwl was pleased to support Hunted, not least as it provided a good opportunity to showcase the power of DARKINT techniques for fast paced criminal investigations.
Watch the latest series of Shine TV/Channel 4’s Hunted, and find out more about DarkOwl Vision.
In anticipation of the year’s busiest shopping day, scammers employ a variety of deceptive tactics designed to exploit eager shoppers, continually adapting their schemes to stay ahead of detection.
From fake online stores advertising bogus discounts to scammers sending fraudulent delivery notifications during the busy shopping season, consumers face plenty of risks to watch out for. The rise of deceptive scams during the holidays highlights the many tactics fraudsters use to exploit consumers and dampen the festive spirit. The following provides an overview of prevalent scams and guidance on how consumers can protect themselves during their shopping activities.
Fake Online Stores
One of the most common scams is the fake shopping site that mimics the real site of a well-known retailer. These deceptive websites often imitate legitimate domain names and lure unsuspecting shoppers with seemingly irresistible discounts. To enhance their credibility, scammers frequently run fake social media ads that direct victims to the counterfeit pages, adding a false sense of legitimacy to the scam.
Once shoppers enter their personal information and check out, the scammers receive that data, which usually includes card or banking details. These scams can lead to financial loss and identity theft, which can hit people harder during the holiday season.
How to Protect Yourself:
Double-check website URLs: look at the actual domain name the link points to, not just a brand name that appears somewhere in the address.
Visit retailers’ official websites, rather than clicking an unaffiliated link.
If possible, use secure payment methods that offer fraud protection.
Phishing Emails and Texts Offering “Exclusive Deals”
With the rise in online shopping, most stores use promotional emails to advertise their Black Friday sales. Darktrace’s global analyst team reported that Christmas-themed phishing attacks advertising Black Friday and Cyber Monday “deals” soar throughout November (by over 600%).
To capitalize on this, one method used by cybercriminals is sending phishing emails promoting “exclusive offers” or “limited-time flash sales”. The emails typically contain links to malicious sites that steal personal information and can infect your device with malware. These emails can also lead to fake stores, as mentioned above. An additional example includes emails claiming a user’s account is “locked or disabled”.
How To Protect Yourself:
Ensure the sender has a trusted email address, showing the correct domain.
Trust your instincts if the message seems “off” or reads as though it was written by AI.
Do not give out personal information via email; the majority of retailers would never request it through email correspondence.
Online Order and Delivery Scams via Text Messaging
In recent years scammers have begun sending fake text messages that claim to be from carriers like UPS, FedEx, and USPS, stating that there is an issue with a delivery. These messages include a fake tracking link that, if clicked, puts your data at risk: it may lead to a site that asks for your personal data or may install malware on your phone or computer.
With most holiday shopping being online, these types of scams may increase throughout the holiday season. According to the FCC “If you receive suspicious email, text or phone messages, go to the delivery carrier’s website directly or use the retailer’s tracking tools to verify”. Carriers also offer advice and protocols on their websites with things to look out for and ways they legitimately contact individuals.
How To Protect Yourself:
If there is any doubt of validity contact the company directly.
Verify independently by going to the carrier’s website and entering the tracking number yourself.
Do not reply or click on any links.
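The URL checks recommended above for fake stores, “exclusive deal” emails and delivery texts can be made mechanical. The following is an added example, not code from the original post or from DarkOwl: it extracts the hostname a link really points at, decodes punycode, and flags the tricks these scams rely on (a brand name placed in a subdomain of an unrelated domain, digit-for-letter typosquats, brand names inside an unrelated registered name, and credentials-in-URL tricks). The allowlist of retailer and carrier domains and the short public-suffix table are constructed for the example.

```python
"""Triage links from "deal" emails, delivery texts and ads against an allowlist of real domains."""
from urllib.parse import urlsplit

# Constructed allowlist (assumption): the retailer and carrier domains you actually deal with.
KNOWN_DOMAINS = {"amazon.com", "bestbuy.com", "ups.com", "fedex.com", "usps.com"}

# Tiny public-suffix table (assumption) so the registrable domain can be found
# without a third-party library; a real check would use the full Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Digit-for-letter substitutions seen in typosquats (amaz0n, b3stbuy).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b"})
BRANDS = {d.split(".")[0]: d for d in KNOWN_DOMAINS}


def registrable_domain(host):
    """Return the part of the hostname that its owner actually registered."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Edit distance, used to catch one-character typosquats (amazn, amazonn)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url):
    """Return (verdict, detail); verdict is one of known, userinfo-trick,
    punycode, brand-in-subdomain, lookalike, unknown."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if not host:
        return ("unknown", "")
    if parts.username is not None:
        # http://amazon.com@evil.example/ really goes to evil.example
        return ("userinfo-trick", host)
    reg = registrable_domain(host)
    if reg in KNOWN_DOMAINS:
        return ("known", reg)
    if any(label.startswith("xn--") for label in host.split(".")):
        try:  # show the Unicode the browser would render, e.g. Cyrillic letters
            shown = host.encode("ascii").decode("idna")
        except UnicodeError:
            shown = host
        return ("punycode", shown)
    # amazon.com.deals-xyz.net: the brand is only a subdomain of an unrelated domain
    left_labels = host.split(".")[: -len(reg.split("."))]
    if any(label in BRANDS for label in left_labels):
        return ("brand-in-subdomain", reg)
    # amaz0n.com, fedex-tracking-update.info: brand (after undoing digit swaps)
    # appears in the registered name itself
    for token in reg.split(".")[0].translate(CONFUSABLES).split("-"):
        for brand, domain in BRANDS.items():
            tolerance = 1 if len(brand) >= 5 else 0  # short brands: exact match only
            if levenshtein(token, brand) <= tolerance:
                return ("lookalike", domain)
    return ("unknown", reg)


if __name__ == "__main__":
    for link in ("https://www.amazon.com/deals", "http://amazon.com.black-friday-deals.net/login",
                 "http://www.amaz0n.com/", "https://fedex-tracking-update.info/t/abc",
                 "https://xn--80ak6aa92e.com/", "http://amazon.com@evil-store.biz/"):
        print(f"{link:50} -> {classify_url(link)}")
```

Only the `known` verdict is a green light; `unknown` means the domain is not one you recognise, which for a shopping link is reason enough to type the retailer’s address yourself.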
Fraudulent Charity Appeals
Traditionally, the Tuesday following Black Friday is known as Giving Tuesday, when non-profits and charities intensify their outreach efforts to meet seasonal fundraising goals. When donating during the holiday season, it’s important to exercise caution before giving to any charity online. Just as scammers create fake online stores, they also design fraudulent charity websites that imitate legitimate organizations to steal money and collect personal information.
Additionally, scammers may reach out through unsolicited phone calls, using high-pressure tactics to push victims into making quick donations. They often refuse to provide clear or detailed information and may insist on unconventional payment methods, such as gift cards or wire transfers.
How To Protect Yourself:
Prior to donating, research the charity.
Donate directly through the charity or organization’s website.
Don’t let scammers rush you into donating.
Conclusion
According to the Federal Trade Commission (FTC), consumers reported losing more than $12.5 billion to fraud in 2024, and online shopping issues were the second most commonly reported fraud category. The FTC report notes that the overall number of fraud reports has remained relatively stable, but that a larger share of those reporting lost money. This indicates that scams are evolving and becoming increasingly difficult to recognize.
If you fall victim to a scam, remember to protect your finances, contact your bank or credit company, and monitor financial accounts for further suspicious activity. The most important thing for victims to remember is that scams can happen to anyone — and there’s no shame in taking extra precautions. The best defense against Black Friday scams is to stay alert and verify retailers before interacting or making a purchase. By following these steps and keeping this advice in mind, you’ll set yourself up for a safe and successful Black Friday, ensuring your holiday gifts bring only joy this season.
Curious to learn how DarkOwl can help? Contact us.
Cybersecurity might as well have its own language. Cybersecurity professionals and threat actors alike use so many acronyms, terms and sayings that, unless you are deeply knowledgeable, have experience in the security field or have a keen interest, you may not know what they mean. Understanding these acronyms and terms is the first step to developing a thorough understanding of cybersecurity and, in turn, better protecting yourself, your clients, and your employees.
An Indicator of Attack (IoA) is a behavioral pattern or activity that reveals a cyberattack is in progress or about to occur. IoAs focus on detecting an attacker’s intent and methods in real time, enabling organizations to identify and stop malicious actions before they cause major harm.
Rather than relying on evidence of past breaches, IoAs highlight the attacker’s tactics, techniques, and procedures (TTPs) as they unfold, providing early warning of active or emerging threats.
IoA vs IoC
It’s important to distinguish IoAs from indicators of compromise (IoCs). IoAs focus on the behaviors and tactics that suggest an attack is currently in progress or about to occur, while indicators of compromise tell you that a compromise has already happened. Both are crucial for a comprehensive cybersecurity strategy.
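To make the IoA/IoC distinction concrete, here is an added example (not from the original page or from DarkOwl’s products) that runs both kinds of detection over a few constructed endpoint telemetry events. The IoC check is an exact lookup against a known-bad IP address and file hash. The IoA check looks for the behaviour an EDR killer produces, security tooling being stopped and then shadow copies deleted on the same host within a short window, regardless of which binary did it. The IoC feed, the command-line patterns, the time window and the events are all assumptions for the example.

```python
"""IoC matching (known artefacts) next to IoA matching (attacker behaviour) over sample telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IoC feed (assumption): artefacts that are already known to be bad.
IOC_IPS = {"203.0.113.7"}
IOC_HASHES = {"3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b": "known-edr-killer"}

# Behavioural indicators: what an attacker does, whatever binary does it.
# Substring rules are an assumption for the example; real rules live in Sigma or an EDR query language.
TAMPER_PATTERNS = ("taskkill /f /im msmpeng.exe", "sc stop windefend", "sc stop sense", "net stop windefend")
INHIBIT_RECOVERY_PATTERNS = ("vssadmin delete shadows", "wmic shadowcopy delete",
                             "bcdedit /set {default} recoveryenabled no")
CHAIN_WINDOW = timedelta(minutes=15)

# Constructed endpoint events (assumption). ws-02 runs a binary no feed has seen yet.
EVENTS = [
    {"ts": "2025-03-01T09:00:00", "host": "ws-01", "type": "net_conn", "dst_ip": "203.0.113.7"},
    {"ts": "2025-03-01T09:05:00", "host": "ws-02", "type": "process", "cmd": r"C:\Users\Public\upd.exe",
     "sha256": "0000000000000000000000000000000000000000000000000000000000000001"},
    {"ts": "2025-03-01T09:06:10", "host": "ws-02", "type": "process", "cmd": "taskkill /F /IM MsMpEng.exe"},
    {"ts": "2025-03-01T09:08:30", "host": "ws-02", "type": "process", "cmd": "vssadmin delete shadows /all /quiet"},
    {"ts": "2025-03-01T09:10:00", "host": "ws-03", "type": "process", "cmd": "vssadmin list shadows"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _matches(cmd, patterns):
    """Return the first pattern contained in the (case-folded) command line, else None."""
    lowered = cmd.lower()
    return next((p for p in patterns if p in lowered), None)


def match_iocs(events):
    """IoC detection: exact lookups. Fires only for artefacts someone has already catalogued."""
    alerts = []
    for e in events:
        if e.get("dst_ip") in IOC_IPS:
            alerts.append({"kind": "ioc", "host": e["host"], "detail": f"connection to listed IP {e['dst_ip']}"})
        if e.get("sha256") in IOC_HASHES:
            alerts.append({"kind": "ioc", "host": e["host"], "detail": f"known-bad binary {IOC_HASHES[e['sha256']]}"})
    return alerts


def match_ioas(events):
    """IoA detection: security-tool tampering followed by recovery inhibition on the same host.
    A lone 'vssadmin list shadows' (ws-03) does not complete the chain and stays quiet."""
    tamper_seen = defaultdict(list)
    alerts = []
    for e in sorted(events, key=_ts):
        if e["type"] != "process":
            continue
        if _matches(e["cmd"], TAMPER_PATTERNS):
            tamper_seen[e["host"]].append(_ts(e))
            continue
        hit = _matches(e["cmd"], INHIBIT_RECOVERY_PATTERNS)
        if hit and any(timedelta(0) <= _ts(e) - t <= CHAIN_WINDOW for t in tamper_seen[e["host"]]):
            alerts.append({"kind": "ioa", "host": e["host"],
                           "detail": f"security tooling stopped, then '{hit}' within {CHAIN_WINDOW}"})
    return alerts


def triage(events):
    return {"ioc": match_iocs(events), "ioa": match_ioas(events)}


if __name__ == "__main__":
    for kind, alerts in triage(EVENTS).items():
        for a in alerts:
            print(f"[{kind.upper()}] {a['host']}: {a['detail']}")
```

Note what each detector misses: the IoC lookup says nothing about ws-02 because its binary hash is not in any feed, while the IoA chain catches it from behaviour alone; conversely the IoA rule has nothing to say about ws-01, whose only visible action is a connection to an address the feed happens to know. That gap is why the text calls both crucial.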
DarkOwl and IoAs
Examples of IoAs in the Darknet that DarkOwl Monitors
Malware and exploit kits: Advertisements for or discussion of high-quality malware designed to evade detection or exploits that can be used in an attack.
Tools for malicious activity: Evidence of groups using specific tools to disable security software, like an EDR (endpoint detection and response) killer, to facilitate an attack.
TTPs: Discussion and sharing of attack techniques on darknet forums, which indicates active development and use of new methods.
How DarkOwl Helps Identify IoAs
Entity API: This tool helps identify and contextualize entities like IP addresses and domains within the collected darknet data, which is crucial for correlating indicators and assessing threats in real-time. With Entity API, users can quickly and efficiently identify, monitor, and target particular threats in the darknet that are relevant to their particular needs and use-cases.
Vision platform: This platform collects and indexes vast amounts of darknet data, allowing for the identification of potential attacks in progress by searching for relevant keywords and patterns. Vision UI is the industry leading platform for analysts to simply, safely, and comprehensively search darknet data.
Threat intelligence: By monitoring forums, marketplaces, and other sources, DarkOwl can identify the latest threats and attack methods being discussed and sold on the darknet. With 227,500 pages of darknet content scraped and indexed every hour, DarkOwl’s collection database is continuously expanding.
DarkOwl supports detection of both IoAs and IoCs through its darknet intelligence by surfacing attacker tactics, techniques, and procedures (TTPs). Examples include advertisements for malware or exploit kits, discussions of attacks on darknet forums, and evidence of specific tools in use, all of which indicate a potential or ongoing attack.
Product Highlight: Actor Explore
In today’s digitally driven world, the landscape of cyber threats is ever-evolving and increasingly sophisticated. As businesses and individuals become more dependent on technology, the need to protect sensitive data and critical infrastructure from cyber attacks has never been more critical.
One effective approach to enhancing cybersecurity is to track and monitor cyber threat actors: the individuals or groups with malicious intent who conduct attacks, often targeting organizations, governments, or individuals. Understanding why they operate, what they hope to achieve and what methodologies they use can assist analysts in protecting infrastructure and predicting future activity. Identifying and monitoring the tactics, techniques, and procedures (TTPs) of cyber threat actors is also an important step in gaining insight into their strategies. This information can be invaluable in understanding how attacks are executed and in identifying potential gaps in an organization’s defenses.
With DarkOwl’s Actor Explore users can review analyst curated insights into active threat actor groups on the darknet and wider. We explore the motivations behind the groups, the tools they have used and searchable attributes to pivot on within DarkOwl Vision. Tracking available information about threat actors such as their motivations, TTPs, victims and activities can provide valuable intelligence which allows analysts to predict behavior and take proactive steps to protect their organizations.
Product Highlight: DarkSonar API
With cyberattacks increasingly on the rise, organizations need better intelligence to safeguard themselves, employees and customers from incidents such as data breaches and ransomware attacks. This rise in illicit cyber activity only increases the need to protect against and determine the likelihood of these attacks. The darknet contains data critical to understanding criminal behavior and security risk, and companies need an understanding of their exposure on the darknet to determine risk and take mitigating actions.
DarkSonar, a relative risk rating based on darknet intelligence, measures an organization’s credential exposure on the darknet. DarkSonar enables companies to model risk, understand their weaknesses and anticipate potential cyber incidents. In turn, organizations are able to take mitigating actions to protect themselves from loss of data, profits, and brand reputation.
DarkSonar in the Wild
General Motors
In April 2022, General Motors disclosed that it had suffered a credential stuffing attack. The attackers accessed customers’ personally identifiable information (PII) and redeemed reward points for gift cards.
Takeaway: DarkSonar’s email exposure signal detected an abnormal increase in plaintext and hashed credentials in the months leading up to the attack.
Colonial Pipeline
In late April 2021, hackers gained entry to the networks of Colonial Pipeline Co. The attack, which took down the largest fuel pipeline in the U.S. and led to shortages across the East Coast, was the result of a single compromised password, according to a cybersecurity consultant who responded to it. The virtual private network account was no longer in use at the time of the attack but could still be used to access Colonial’s network, he said.
Takeaway: DarkSonar detects plain text credentials available on the darknet.
FujiFilm
In early June 2021, Fujifilm’s company servers were infected by ransomware. While the company has never released specific details, the intrusion is believed to have involved Qbot, a loader that is typically delivered by phishing and is frequently observed preceding ransomware deployment.
Takeaway: DarkSonar detected an increase in email exposure which can be used as part of a phishing attack.
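The three takeaways above rest on the same idea: a baseline of how much of an organization’s credential data normally surfaces, and an alert when a month departs from it. The following is an added illustration, not DarkSonar’s algorithm or DarkOwl’s code. It weights plaintext, hashed and email-only exposures, builds a rolling baseline from the median and median absolute deviation (so that one spike does not inflate the baseline used to judge the next month), and flags months whose robust z-score passes a threshold. The monthly counts, the weights and the thresholds are constructed assumptions.

```python
"""Rolling robust-baseline anomaly detection over monthly credential-exposure counts."""
import statistics

# Constructed monthly counts (assumption): how many of an organization's credentials
# surfaced in leak data each month, split by how usable they are to an attacker.
MONTHLY_EXPOSURE = [
    ("2024-01", {"plaintext": 5, "hashed": 20, "email_only": 40}),
    ("2024-02", {"plaintext": 6, "hashed": 20, "email_only": 40}),
    ("2024-03", {"plaintext": 4, "hashed": 21, "email_only": 40}),
    ("2024-04", {"plaintext": 5, "hashed": 21, "email_only": 40}),
    ("2024-05", {"plaintext": 5, "hashed": 20, "email_only": 40}),
    ("2024-06", {"plaintext": 6, "hashed": 21, "email_only": 40}),
    ("2024-07", {"plaintext": 4, "hashed": 20, "email_only": 43}),
    ("2024-08", {"plaintext": 5, "hashed": 20, "email_only": 41}),
    ("2024-09", {"plaintext": 30, "hashed": 50, "email_only": 40}),
    ("2024-10", {"plaintext": 50, "hashed": 50, "email_only": 40}),
]
# Weights are an assumption: a plaintext password is directly usable for credential
# stuffing, a hash needs cracking first, an address alone mainly feeds phishing.
WEIGHTS = {"plaintext": 4, "hashed": 2, "email_only": 1}
BASELINE_MONTHS = 6
SPIKE_THRESHOLD = 3.5


def weighted_exposure(counts):
    """Collapse one month's counts into a single exposure figure."""
    return sum(WEIGHTS[k] * counts.get(k, 0) for k in WEIGHTS)


def robust_zscore(value, baseline):
    """How many robust standard deviations `value` sits above the baseline months.
    Median/MAD are used instead of mean/std so an earlier spike cannot mask a later one."""
    med = statistics.median(baseline)
    mad = statistics.median([abs(x - med) for x in baseline])
    if mad == 0:  # flat baseline: any change is a spike, no change is not
        return 0.0 if value == med else float("inf")
    return (value - med) / (1.4826 * mad)  # 1.4826 scales MAD to a std-dev estimate


def detect_spikes(series, baseline_months=BASELINE_MONTHS, threshold=SPIKE_THRESHOLD):
    """Return [(month, z)] for months whose exposure is anomalous against the preceding window."""
    values = [weighted_exposure(c) for _, c in series]
    spikes = []
    for i in range(baseline_months, len(values)):
        z = robust_zscore(values[i], values[i - baseline_months:i])
        if z >= threshold:
            spikes.append((series[i][0], round(z, 1)))
    return spikes


def risk_band(z):
    """Map a z-score to a relative rating that can be tracked month over month."""
    if z < 2.0:
        return "baseline"
    if z < SPIKE_THRESHOLD:
        return "elevated"
    return "high"


if __name__ == "__main__":
    for month, z in detect_spikes(MONTHLY_EXPOSURE):
        print(f"{month}: z={z} ({risk_band(z)})")
```

With these constructed numbers the first eight months sit within a few points of each other, and September and October are flagged, which is the shape of signal the takeaways above describe. In practice the threshold and window would be tuned per organization, and the rating is only relative: a flagged month says exposure has changed, not that an attack follows.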
With recent global events, you’ve likely come across articles, conversations, or opinion pieces about Discord. As of 2024, the instant messaging platform boasts over 150 million monthly users. Once known primarily as a communication tool for gamers, Discord has evolved into a hub for a wide range of communities—from book clubs and fandoms to casual chat groups with friends and family.
What sets Discord apart from traditional social media is its unique structure: no public feeds, no traditional advertising, and a focus on private, curated spaces.
As more attention turns to corners of the internet that might be unfamiliar to the mainstream, this blog aims to shed light on Discord’s ecosystem and answer some of the questions you may be asking yourself.
What Is Discord?
Discord was established in 2015 as a social platform for people with similar interests to share voice notes, videos, and texts with one another. The app originally targeted gamers, offering superior voice chats and customizable server options. Individuals were able to live chat with other Discord users while playing their favorite games and build communities solely focused on their hobbies.
The app received an influx of users not connected to the gaming community in the late 2010’s and during COVID-19. The pandemic led many people to Discord, where they built virtual communities for a myriad of topics ranging from musician fan groups to book clubs. The features that originally appealed to the gaming community were also applicable for establishing virtual classrooms and information sharing among groups.
Discord offers both public and private servers. Public servers work much like other social platforms: anyone can join and chat, and most are watched by moderators who have the power to remove or edit what is shared. Private servers are typically invite-only and give a group an exclusive space for its chats. Whoever sets up a server has admin rights, which allow them to add or remove members, ban content or words, and appoint additional admins.
Is Discord Dangerous?
Discord can be used safely but as with any social media app, there are bad actors and users can be susceptible to harmful behavior.
Cybercriminals employ a range of tactics to deceive Discord users into installing malware—often referred to as a Discord virus—which can have serious consequences for their devices and data. Beyond technical threats, users may also encounter harmful behavior such as the sharing of explicit content or experiences of bullying and harassment within the platform. The platform has also been used in the past to share classified information as well as manifestos related to violent extremism.
The major concerns with Discord are:
Discord Scams & Viruses – Most Discord scams involve deceiving users into “clicking links, scanning QR codes, or logging in to off-site locations” so that bad actors can spread malicious software. Research indicates that the most common type of malware on Discord is the Remote Access Trojan (RAT), which attackers distribute through malicious links. Discord’s security team has tools to filter malicious files, but these can miss some when they first hit the platform.
Risk to Children/Teens – To protect children, the app requires users to be at least 13, though the age check is widely regarded as easy to bypass. Exposure to NSFW (not safe for work) content is hard to mitigate once children have their own accounts: users may post sexually explicit images or videos in public servers without warning.
Cyberbullying/Harassment – Because many people use Discord to find communities, conversations between strangers are common. Cyberbullying includes sending, posting, or sharing negative, harmful, false, or mean content about someone else. In its 2024 transparency report, Discord states that it took some form of action against 92K accounts, including disabling over 19K, for some form of harassment and bullying.
How to Protect Yourself
Some risks on Discord are similar to those found across the open web. However, both cybersecurity experts and Discord itself offer practical steps that users can take to stay safe and protect their accounts from malicious activity.
Key safety tips:
Always enable two-factor authentication (2FA) to add an extra layer of security to your account.
Block and report suspicious users to help keep the community safe.
Stay alert for scams: Discord recommends avoiding links from unknown senders and never downloading code or files you don’t recognize.
Control who can message you: Adjust your privacy settings to limit direct messages to friends or members of shared servers. You can also enable filters to reduce spam and unwanted messages.
Conclusion
While Discord offers a fun and dynamic way to connect with friends, communities, and shared interests, it’s important to stay mindful of your safety online. By taking a few simple precautions like managing your privacy settings and being cautious with unknown links or users, you can enjoy everything the platform has to offer without putting yourself at risk. Staying aware of potential threats ensures you can make the most of your experience without compromising your safety.
Check out our field-tested guide to cyber hygiene here.
With increasing regularity, the media is filled with reports of mass shootings, assassinations, political violence, and other forms of targeted violence. While targeted violence is nothing new, our fractured society does appear to be experiencing these events more frequently as time goes on.
One of the ways in which law enforcement, security professionals, and healthcare professionals have sought to prevent these acts of violence is threat assessment: a systematic process, developed over decades, that seeks to identify and prevent targeted violence by assessing behavior and managing risk.
However, in an increasingly digital age the volume of data available to these professionals keeps growing. Whether monitoring social media for mentions of credible threats, reviewing large volumes of emails after a triggering event, or reviewing messaging apps, it can be impossible to identify which individuals actually pose a threat and how best to assist them. That is before even considering the problem of identifying the real person behind an often anonymous online persona.
This study focuses on high-volume threatening communication within far-right Telegram channels. The far-right is understood here as an umbrella term encompassing a diverse range of ideologies, movements, and political actors situated at the extreme end of the right-wing spectrum. While diverse, these groups usually share some characteristics: nationalism, racism, xenophobia, anti-democratic tendencies, or strong state advocacy (Mudde, 2000). All far-right ideologies view human inequality as natural and even desirable (Mudde, 2019). Translating definitions of ideology to the online sphere is challenging, since information about individuals or groups is often limited to their digital expressions. As Conway (2020) observes, the contemporary online far-right is best understood as a decentralized “scene,” “milieu,” or “ecology” — a fluid and rapidly shifting network of individuals, groups, movements, political parties, and media outlets that overlap and interact in complex ways.
Many of the far-right channels identified by DarkOwl remain active on the platform, which has allowed us to collect a substantial amount of data from the communications within the channels selected for this analysis.
Using a dataset collected from active far-right Telegram channels, DarkOwl and Mind Intelligence Labs sought to examine whether combining AI tools with manual analysis of text-based content from far-right Telegram channels could enhance the identification of threats and deepen understanding of their nature to support threat assessors.
The far-right Telegram channels analyzed in this study contain a high volume of threatening communication, making it challenging to determine which threats are more credible than others. Our analysis shows that most threats are explicit and directed at specific targets. Operationally detailed threats are also common, indicating a normalization of violent rhetoric and a potential for mobilization within these online communities.
What is Threat Assessment
Threat assessment is the process of identifying if individuals may be at risk for engaging in targeted violence and managing that risk to prevent violence from occurring. Assessments are conducted based on an individual’s observable behavior and therefore require a review of how an individual is acting, what they are saying both online and in the “real world,” as well as communications of intent and contextual stressors.
Both the FBI and the Secret Service provide guidance for how to conduct threat assessment, highlighting that it is not just about identifying an initial risk, but ongoing management to prevent any risk that may be posed over time as an individual’s situation changes.
Key components of threat assessment include:
Identify – Detect behaviors or statements that suggest a person may be moving towards violence. These can include direct threats, planning behaviors, or an expressed grievance. Bystanders such as friends or family members are often the ones who report concerning behaviors, but such behavior can also be detected through online communications that can be tracked.
Assess – Collect and assess information about the person: what motivates them, what access they have, and what opportunities for violence they have. Have they shared a specific threat, and is it credible and viable? This can include a review of their online communications as well as interviews with colleagues or family members, and even with the subject themselves.
Manage – A very important aspect of threat assessment is the ongoing management of the risk. This requires developing tailored strategies to reduce the threat. Options can include mental health support, social services, law enforcement involvement, safety planning, and ongoing monitoring and follow up on the subject.
Threats made online differ from those expressed in person since digital platforms provide anonymity, lower inhibitions, and offer wide reach. As noted in the FBI’s Making Prevention a Reality guide (2019), perceived anonymity can reduce typical social restraints, allowing individuals to voice hostility or intimidation they might not display in face-to-face settings. Yet, detecting and evaluating threats that are posted online is important to prevent violence.
Assessing threats in a high-volume environment poses substantial challenges. The sheer number of online communications makes it difficult to distinguish which threats are credible and require further analysis. The FBI emphasizes that not every threatening message indicates a genuine intent to harm. The goal of assessing concerning communications is to determine whether a message is an expression of anger or frustration or a behavioral indicator of movement toward violence. An assessment helps decide which communications warrant deeper investigation or management intervention.
When assessing threats online, several factors must be considered — particularly the specificity, credibility, and intent behind the communication.
A threat is considered specific if it contains concrete information such as who will carry out the act, the intended target, when and where it will occur, and how it is supposed to happen. Specific details — such as the mention of weapons, timing, or location — increase the level of concern because they demonstrate planning or forethought.
Credibility relates to the source of the threat and its feasibility. Analysts evaluate whether the source is reliable or directly connected to the individual of concern, whether similar threats have been made before, and whether there is a consistent pattern of behavior. The assessment also considers how viable the threat is: does the individual have the means, access, or capability to act on their words?
Determining intent involves examining signs of motivation, planning, or commitment to carry out an attack. Indicators may include expressions of grievance, fixation on a target, or evidence of preparation. Establishing intent can be particularly challenging in online environments, where individuals may exaggerate or use violent rhetoric without a genuine plan to act.
Telegram
The messaging app Telegram was founded in 2013 by Pavel Durov, who previously founded the popular Russian social network VK. Telegram has approximately 950 million registered users worldwide. Although nominally a messaging app, Telegram operates more like a social media platform. Users register with a telephone number but can use any display name they want. Users can message each other directly, but the platform also has channels and groups where mass communication takes place.
Some channels and groups allow multiple users to post and function as a chat, with each username visible alongside its comments. Other channels operate as a broadcast system in which only the admins can post. Users can join channels and are notified of new posts. As well as serving as communication venues, some channels are also used as markets for buying and selling goods such as drugs, counterfeit items and personally identifiable information (PII).
Over the years, Telegram has been used by a wide range of criminal communities. This includes terrorist activity, hacktivism, ransomware, hacking, CSAM, drugs, and the distribution of stolen data. In recent years, it has also become a hub for extremist rhetoric, with groups such as Terrorgram using the platform to promote their views and incite violence among followers. As Telegram’s role in criminal and extremist ecosystems has expanded, Telegram threat intelligence has become increasingly important for analysts and investigators seeking to monitor channels, identify threat actors, and connect Telegram-linked activity to broader online threat environments. At the same time, many other groups – often right-wing – have emerged on the platform, each with different ideological angles and audiences.
Telegram has long been criticized by law enforcement and security analysts for hosting extremist content, CSAM, and other illicit content, and it has a reputation for not cooperating with law enforcement. In August 2024 Durov was arrested in Paris for failing to take steps to curb the criminal use of Telegram. Since then, the platform has taken some steps to remove channels reportedly conducting criminal activity, but there does not appear to have been any consistency to this activity.
Methodology
Using DarkOwl’s collection of Telegram channels, analysts identified and reviewed a variety of far-right channels and selected those that had some of the most concerning content from a variety of right-wing movements. Concerning content was defined as those that included mentions of extremist views, violence or appeared to be attacking groups or individuals. Although we classified the channels as far-right, they had a range of ideologies within that belief system, some were explicitly pro-Trump, some were composed almost exclusively of J6 rioters, some were conspiracy theory heavy, others were racist and xenophobic, etc.
Since our focus was on analyzing threatening language, we selected channels that were not overly image based. However, we acknowledge that images and memes constitute an important component of threat analysis. We also prioritized channels that were highly active and had a substantial number of members.
Below is a list of the channels selected and dates for which we had collected data that was analyzed as part of this project.
About the Data
A total of 190,535 messages written by 11,068 individuals were collected from the listed channels. To identify threatening and violent communication within this dataset, we used a set of threat detection tools developed by Mind Intelligence Labs. The tools are based on a machine learning model designed to automatically detect violent threats (Lundmark et al., 2024). Of the 190,535 messages collected, 5% (9,442) contained threatening or violent content, and nearly 4% of the users had posted at least one violent threat. These figures illustrate the exceptionally high volume of threatening communication, which poses significant challenges for threat assessors and law enforcement in determining the severity and credibility of individual threats.
Assessing Threatening and Violent Communication
To better understand the nature of threatening and violent communication, we conducted a qualitative content analysis of a random sample of 749 threatening messages that were automatically identified using Mind Intelligence Lab’s tools. Each threat was annotated according to five analytical categories:
Explicit Target – The message clearly identifies a specific person, group, institution, or location as the target of harm. Example: “I’m going to make sure Senator James pays for this.”
Operational Details – The author provides information on how violence should be executed (e.g., weapon type, method). Example: “I’m getting my AR-15 to shut them up.”
Explicit Date or Time – A concrete date or timeframe is given for when the act will occur. Example: “You’ll all see what happens on July 4th.”
Research on the Target – The writer indicates surveillance, investigation, or personal knowledge about the target. Example: “I know her schedule — she always leaves work at 6 p.m.”
General Threatening or Hateful Language – Non-specific expressions of hostility, hate, or implied violence. Example: “People like them deserve to suffer.”
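As an added illustration (not part of the original analysis, and not Mind Intelligence Lab’s model), the following Python stand-in expresses the five categories as keyword rules, applies them to the article’s own five example messages, and tabulates the share of messages carrying each category in the form the Findings report. The regex patterns, the extra vague_timeframe flag and the sample set are constructed assumptions.

```python
"""Rule-based stand-in for the five-category threat annotation scheme.
The article's analysts annotated a sample flagged by an ML model (Lundmark et al., 2024);
the keyword patterns below are constructed for illustration and are not that model."""
import re
from dataclasses import dataclass, fields
from typing import Dict, List

# Explicit Target: named roles, groups and the pronouns (they/them, he/she, you)
# that the article counts as unspecified but still explicit targets.
TARGET_RE = re.compile(
    r"\b(senator|judge|mayor|governor|president|officer|cops?|police|immigrants?|"
    r"they|them|he|she|him|her|you)\b", re.I)
# Operational Details: weapons and methods named in the article's findings.
OPERATIONAL_RE = re.compile(
    r"\b(ar-?15|rifles?|guns?|shoot\w*|snipers?|hang\w*|nooses?|execut\w*|beat\w*|"
    r"torture\w*|burn\w*|bombs?|explosives?|stab\w*|knife|knives|poison\w*)\b", re.I)
# Explicit Date or Time: a calendar date or weekday; vague markers are tracked separately
# because the article treats "next week" or "by tomorrow" as vague, not explicit.
EXPLICIT_TIME_RE = re.compile(
    r"\b(on|by)\s+(january|february|march|april|may|june|july|august|september|"
    r"october|november|december)\s+\d{1,2}(st|nd|rd|th)?\b|"
    r"\b(on|by|this)\s+(monday|tuesday|wednesday|thursday|friday|saturday|sunday)\b", re.I)
VAGUE_TIME_RE = re.compile(r"\b(next (week|month|year)|by tomorrow|tomorrow|soon|someday)\b", re.I)
# Research on the Target: statements of surveillance or personal knowledge.
RESEARCH_RE = re.compile(
    r"\b(i know (his|her|their|your) (schedule|address|routine|car|house|kids))\b|"
    r"\b(leaves (work|home) at|lives (at|on)|i(?:'ve| have) been (watching|following))\b", re.I)
# General Threatening or Hateful Language: dehumanizing terms and violent wishes.
GENERAL_RE = re.compile(
    r"\b(deserve to (suffer|die|burn)|people like (them|you|that)|"
    r"monkeys|cockroaches|vermin|subhuman|scum|filth)\b", re.I)


@dataclass
class Annotation:
    message: str
    explicit_target: bool
    operational_details: bool
    explicit_date_or_time: bool
    vague_timeframe: bool
    research_on_target: bool
    general_hateful_language: bool


def annotate(message: str) -> Annotation:
    """Apply the category rules to one message that the detector already flagged as a threat."""
    return Annotation(
        message=message,
        explicit_target=bool(TARGET_RE.search(message)),
        operational_details=bool(OPERATIONAL_RE.search(message)),
        explicit_date_or_time=bool(EXPLICIT_TIME_RE.search(message)),
        vague_timeframe=bool(VAGUE_TIME_RE.search(message)),
        research_on_target=bool(RESEARCH_RE.search(message)),
        general_hateful_language=bool(GENERAL_RE.search(message)),
    )


def _flag_names() -> List[str]:
    return [f.name for f in fields(Annotation) if f.type in (bool, "bool")]


def summarize(annotations: List[Annotation]) -> Dict[str, float]:
    """Percentage of annotated messages carrying each category (a Findings-style table)."""
    total = len(annotations)
    return {name: round(100.0 * sum(getattr(a, name) for a in annotations) / total, 1)
            for name in _flag_names()}


# Constructed sample: the five example messages the article gives for its categories.
SAMPLE_MESSAGES = [
    "I’m going to make sure Senator James pays for this.",
    "I’m getting my AR-15 to shut them up.",
    "You’ll all see what happens on July 4th.",
    "I know her schedule — she always leaves work at 6 p.m.",
    "People like them deserve to suffer.",
]

if __name__ == "__main__":
    annotations = [annotate(m) for m in SAMPLE_MESSAGES]
    for a in annotations:
        hits = [name for name in _flag_names() if getattr(a, name)]
        print(f"{a.message!r}: {', '.join(hits)}")
    print(summarize(annotations))
```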
Findings
The purpose of our analysis was to examine the extent to which the identified threats contained identifiable targets, operational details, or explicit temporal markers—features that are often indicative of intent, planning, and potential capability. Our findings revealed that 93% of the threats (697 cases) explicitly mentioned a specific target, indicating a strong focus on particular individuals, groups, or institutions. More than 41% of the threats (308 cases) included operational details or descriptions of how the act should be carried out, suggesting a degree of planning and tactical consideration. Only a small fraction, 0.3% (2 cases), contained an explicit date or time for the intended act, indicating that while detailed, most threats did not include a defined timeline for execution. When a timeframe was given, it was vague — for example, “next week” or “by tomorrow.” None of the threats contained information about research conducted on the target.
Nearly 40% of the analyzed threats contained general threatening or hateful language, reflecting a broad spectrum of hostility rather than concrete plans for violence. This category included dehumanizing expressions, where individuals or groups were referred to as “monkeys”, “cockroaches”, or other derogatory terms that strip them of human qualities. Such language serves to justify or normalize aggression by framing the target as less than human — a well-documented precursor to acceptance of violence in both extremist and hate-based contexts.
In addition to dehumanization, many threats expressed violent fantasies or wishes, such as hoping that harm, punishment, or death would befall a specific person or group.
These findings indicate that even when no actionable plans are present, generalized hate and dehumanizing rhetoric can reflect underlying attitudes relevant to risk assessment. Such expressions may foster or normalize an environment in which violence is encouraged, justified, or perceived as acceptable, making this form of language an important factor to consider in both threat assessment and ongoing monitoring of threats.
Explicit Targets
Almost all threats (93%) had an explicit target. More than half of the threats (58%) were directed toward unspecified groups or individuals (they/them, he/she or you). These general expressions of aggression often use dehumanizing language and reflect a diffuse sense of grievance rather than a specific intent to harm. However, even non-specific threats serve an important function, since they normalize violent discourse and reinforce group identity.
Explicitly racialized threats are highly prevalent. Black people (12%), immigrants (7%), Jews (4%), and Muslims/Arabs (3%) together constitute over one-quarter of all the analyzed threats. This pattern is consistent with far-right narratives centered on nationalism, racism, xenophobia, antisemitism, and anti-Muslim sentiment.
Threats against women (5%) and LGBTQ+ individuals (3%) reflect the intersection of misogyny and anti-LGBTQ+ sentiment within far-right Telegram channels. Although less frequent, government officials (3%), politicians (1%), law enforcement (2%), and political opponents (2%) represent an important category of threats directed toward institutions of authority. These messages often frame violence as legitimate resistance against a dysfunctional or corrupt state. Even though these threats form a smaller proportion of the total, they are of particular concern due to their potential to inspire real-world attacks on public officials or infrastructure.
A small share of the threats target alleged pedophiles (1%) and “race traitors” (1%). Threats against alleged pedophiles are often framed as a defense of children or morality, providing a pseudo-legitimizing rationale for violence. In contrast, attacks on so-called “race traitors” show that perceived ideological disloyalty within the in-group is punished rhetorically or violently.
Operational Details
More than 41% of the threats included details on how the act should be carried out. References to specific methods offer valuable insight into how far-right actors imagine and express violence. The threats ranged from fantasies of large-scale attacks to symbolic punishments. While many of them may not reflect an immediate ability to act, the repeated calls for violence help to incite and encourage further violent behavior.
Shooting (31%) is the most frequently mentioned method, underscoring the centrality of firearms in far-right violent imagination. Guns are often presented as tools of justice or resistance, reflecting a broader cultural fascination with militarization and armed self-defense. References to specific weapons (e.g., “AR-15,” “rifle,” “sniper”) are common, and their frequency indicates potential access or aspiration toward weapon use.
Hanging (18%) and execution (10%) threats are notable for their symbolic weight. These methods are often framed as public punishment for perceived “traitors,” political opponents, or minority groups. Such imagery mirrors historical lynching narratives, functioning both as intimidation and as a performative assertion of dominance.
Beating (13%) and torture or inflicting pain (8%) represent more personal and intimate forms of violence. These threats often emphasize suffering and humiliation rather than efficiency, indicating a sadistic dimension.
Threats involving burning (5%) and explosives (4%) are less common. Burning is often directed toward symbolic targets such as religious buildings or refugee centers, while explosive threats are associated with aspirations toward large-scale attacks. Although these references are relatively rare, they reflect higher levels of operational imagination and thus represent elevated threat potential.
A smaller share of threats involve stabbing (3%), poisoning (2%), or other methods (2%) such as being hit by vehicles, attacked by animals, drowned, or starved. These methods indicate creative variability in violent expression and sometimes suggest opportunistic or improvised violence.
Mentions of prison or arrest (3%) and deportation (1%) demonstrate how far-right actors also employ state-like punitive language. Such threats often frame violence as an extension of “justice” or legitimate punishment, blurring the line between vigilante violence and imagined authority.
Conclusion
Overall, the threat landscape on far-right Telegram channels is dominated by broadly directed, racially motivated, and ideologically charged hostility. The combination of generalized incitement and specific identity-based targeting suggests a dual function of such communication: maintaining a shared sense of grievance and providing moral justification for violence. Although explicit threats against named individuals are relatively rare, the pervasive use of dehumanizing and violent language toward entire social groups constitutes a persistent incitement environment.
The dominance of operational methods such as shooting, hanging, and beating in the threats shows two key aspects of far-right violent language: it is both militarized and ritualized. Firearms represent strength and control, while hanging and execution reflect ideas of punishment and revenge. Together, they express a worldview that portrays violence as justified and even necessary.
Although many threats lack clear plans for action, their impact should not be overlooked. They normalize violent attitudes, define who is seen as a legitimate target, and create a shared language that can encourage real-world violence.
The mix of modern weapons and old forms of punishment shows how far-right communities combine past and present ideas of violence into a single story of resistance, revenge, and exclusion.
Recommendations
Monitor high-threat environments: Continuous monitoring of far-right online spaces is essential to detect emerging risks and shifts in rhetoric.
Identify targeted groups and trends: Mapping which individuals or groups are being targeted, and how these patterns evolve over time, helps in understanding broader threat dynamics.
Assess credibility carefully: Determining whether a threat is credible is challenging when analysis is limited to digital communication. Online expressions may range from symbolic aggression to genuine intent.
Address incitement and inspiration: Even when individuals do not act directly, exposure to violent rhetoric and extremist narratives can inspire others to commit acts of violence. Efforts should therefore focus not only on explicit threats but also on messages that glorify or encourage violence.
Lundmark, L., Kaati, L. & Shrestha, A. (2024). Visions of Violence: Threatful Communication in Incel Communities. In: 2024 IEEE International Conference on Big Data (BigData), pp. 2772–2778.
Mudde, C. (2000). The Ideology of the Extreme Right. Oxford University Press.
Mudde, C. (2019). The Far Right Today. John Wiley & Sons.
Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of what was the most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.
On September 26, Medusa’s dark web site claimed to have exfiltrated 834.4 gigabytes of data, and the group is demanding $1.2 million for interested buyers to download it. To support their claims, the group uploaded 20 screenshots showing alleged internal data. In one exposed directory, the information appeared to be connected to HR folders that contained personnel records. Medusa is a known aggressive ransomware group that compromised over 300 organizations between 2021 and 2024. The group typically gains access through social engineering such as phishing emails, exploiting vulnerabilities, or purchasing stolen credentials. Once the group acquires data, it uses a double extortion method to extract a ransom.
2. US seizes $15 billion in crypto from ‘pig butchering’ kingpin – Bleeping Computer
The Department of Justice (DOJ) has seized $15 billion worth of Bitcoin from the Cambodian Prince Group, a criminal organization known for orchestrating large-scale cryptocurrency scams, primarily involving romance baiting and ‘pig butchering’ schemes. Unsealed court documents revealed the group operates over 100 shell and holding companies across 30 countries, which have been extorting countless victims since 2015. Additionally, the group ran automated call centers staffed by workers who were allegedly forced to work under threat of violence. The DOJ called the centers “violent forced labor camps”.
3. New Rust-Based Malware “ChaosBot” Uses Discord Channels to Control Victims’ PCs – Bleeping Computer
Discord user chaos_00019 has used the malware ChaosBot to gain access to other users’ systems and networks. According to researchers, “ChaosBot is noteworthy for its abuse of Discord for command-and-control (C2)”. The malware was observed being delivered through phishing messages containing a malicious Windows shortcut file; when the file is opened, a PowerShell command is executed to download and run ChaosBot. A decoy PDF disguised as legitimate correspondence from the State Bank of Vietnam is displayed as a distraction.
4. ShinyHunters launches Salesforce data leak site to extort 39 victims – Bleeping Computer
“Scattered Lapsus$ Hunters” has launched a new data leak site extorting 39 companies that were impacted by the Salesforce breaches. The companies listed on the site include Disney/Hulu, FedEx, Google, McDonald’s and more. A separate entry on the site demands that Salesforce pay a ransom to prevent data on impacted customers (approximately 1 billion records containing personal information) from being released. Salesforce has released a statement claiming, “Our findings indicate these attempts relate to past or unsubstantiated incidents, and we remain engaged with affected customers to provide support.”
5. Active Exploits Hit Dassault and XWiki — CISA Confirms Critical Flaws Under Attack – The Hacker News
On October 28, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) listed three new vulnerabilities affecting Dassault Systèmes DELMIA Apriso and XWiki. The vulnerabilities CVE-2025-6204, CVE-2025-6205, and CVE-2025-24893 allow threat actors to execute arbitrary code and gain access to the applications. Both CVE-2025-6204 and CVE-2025-6205 affect versions of DELMIA Apriso dating back to 2020. Combined, these two vulnerabilities allow the creation of accounts with elevated privileges and the placement of executable files in a web-served directory, resulting in complete compromise of the application. Since March, CVE-2025-24893 has been exploited against XWiki in a two-stage attack chain that delivers a cryptocurrency miner.
6. Have I Been Pwned: Prosper data breach impacts 17.6 million accounts – Bleeping Computer
In September, Prosper, a peer-to-peer lending marketplace, announced that a breach had been detected in which hackers gained access to customer accounts and funds. Have I Been Pwned announced that 17.6 million unique email addresses had been affected by the incident. The company’s statement claimed that “confidential, proprietary, and personal information, including Social Security Numbers, was obtained”. The company is also going to offer free credit monitoring while it determines what data was affected. Information on how the data was obtained and how the company is combating future leaks has not been disclosed.
7. Researchers Identify PassiveNeuron APT Using Neursite and NeuralExecutor Malware – The Hacker News
The malware campaign dubbed PassiveNeuron was first flagged in November 2024 for using a variety of methods to target government, financial, and industrial organizations located in Asia, Africa, and Latin America. In one incident, the threat actors gained initial access by executing remote commands on a compromised Windows Server machine through Microsoft SQL. The exact method is unknown, but the attackers may have either brute-forced the administration account password or leveraged an SQL injection flaw in an application running on the server.
8. BatShadow Group Uses New Go-Based ‘Vampire Bot’ Malware to Hunt Job Seekers – The Hacker News
BatShadow, a Vietnamese threat actor, has leveraged a new social engineering tactic that delivers a malware called Vampire Bot to job seekers and digital marketing professionals. Posing as recruiters, the attackers distribute malicious files disguised as job descriptions and corporate documents. Victims who click the link in the lure PDF to “preview” the job description are taken to a landing page that displays a fake error saying the browser is unsupported; after multiple attempts, the error message eventually triggers an automatic ZIP download containing the supposed job description and a malicious executable named Marriott_Marketing_Job_Description.pdf.exe (the file mimics a PDF by inserting extra spaces between “.pdf” and “.exe”).
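The padded double extension described in this item can be checked for before a downloaded archive is opened. The following Python is an added example (not from the article or the researchers it cites) that flags such names among the entries of a ZIP; the extension lists and the in-memory sample archive are constructed assumptions, and the archive holds placeholder bytes rather than the real lure.

```python
"""Flag lure filenames that hide an executable extension behind a document
extension, e.g. "Job_Description.pdf      .exe" (constructed names only)."""
import io
import re
import zipfile
from dataclasses import dataclass, field
from typing import List, Optional

# Extensions a lure usually pretends to carry (what the victim expects to open).
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}
# Extensions Windows will actually execute or interpret when double-clicked (assumed list).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "msi", "js", "vbs", "hta", "ps1", "lnk"}

# Spaces and Unicode blanks used to push the real extension out of a file dialog's view.
_PADDING_CLASS = r"[ \t\u00a0\u2000-\u200b\u3000]"
_MASKED_EXT_RE = re.compile(r"\.([A-Za-z0-9]{1,5})(" + _PADDING_CLASS + r"*)$")


@dataclass
class FilenameVerdict:
    name: str
    severity: str                       # "none", "medium" or "high"
    real_extension: Optional[str]       # the extension the OS will honour
    displayed_extension: Optional[str]  # the extension the victim is meant to see
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.severity != "none"


def analyze_filename(name: str) -> FilenameVerdict:
    """Classify a single filename (a ZIP entry or attachment name)."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]   # drop any directory part
    if "." not in base:
        return FilenameVerdict(name, "none", None, None, ["no extension"])
    stem, real_ext = base.rsplit(".", 1)
    real_ext = real_ext.strip().lower()
    reasons: List[str] = []

    # Does the stem end in a second, document-looking extension, optionally padded?
    m = _MASKED_EXT_RE.search(stem)
    if m:
        candidate, padding = m.group(1).lower(), m.group(2)
        if candidate in DOCUMENT_EXTENSIONS and real_ext in EXECUTABLE_EXTENSIONS:
            reasons.append(f"document extension .{candidate} masks executable .{real_ext}")
            if padding:
                reasons.append(f"{len(padding)} padding character(s) hide .{real_ext} from view")
            return FilenameVerdict(name, "high", real_ext, candidate, reasons)

    if real_ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable .{real_ext} delivered as a document download")
        return FilenameVerdict(name, "medium", real_ext, None, reasons)

    return FilenameVerdict(name, "none", real_ext, None, reasons)


def triage_archive(zip_bytes: bytes) -> List[FilenameVerdict]:
    """Run analyze_filename over every file entry of a downloaded ZIP, worst first."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        verdicts = [analyze_filename(info.filename) for info in zf.infolist() if not info.is_dir()]
    order = {"high": 0, "medium": 1, "none": 2}
    return sorted(verdicts, key=lambda v: order[v.severity])


def build_sample_lure_zip() -> bytes:
    """Constructed stand-in for the ZIP described in the article (placeholder bytes, no malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Marriott_Marketing_Job_Description.pdf", b"%PDF-1.4 decoy document\n")
        zf.writestr("Marriott_Marketing_Job_Description.pdf" + " " * 40 + ".exe", b"MZ placeholder bytes")
        zf.writestr("readme.txt", b"constructed sample\n")
    return buf.getvalue()


if __name__ == "__main__":
    for v in triage_archive(build_sample_lure_zip()):
        print(f"[{v.severity:6}] {v.name!r}: {'; '.join(v.reasons) or 'ok'}")
```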
Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.
This Halloween, the scariest thing might be what’s tucked inside the candy bar, a lure that looks harmless but hands an attacker the keys to your digital life.
Phishing and social-engineering attacks are the “tricks” that become catastrophic when the dark web supplies ready-made toolkits and AI-generated messages to amplify them. The result: low-effort, high-impact scams that can ruin reputations and drain bank accounts.
This Halloween we explore the “scary tricks” cyber criminals are using to trick you into clicking on phishing emails and falling for other attack types, and what you can do to avoid them.
Phishing & Social Engineering: Why They’re Halloween-Worthy
Phishing and the wider family of social-engineering attacks (spear-phishing, smishing, vishing, “quishing” via QR codes, and voicemail impersonation) remain one of the simplest ways to get real access to real systems. For that reason, they remain one of the top cyber-attack vectors in 2025. Phishing and social engineering attacks have been responsible for some of the largest breaches so far this year, such as Salesforce and Allianz.
Researchers have highlighted that the large majority of successful cyber-attacks usually include a human element and are not purely technological vulnerabilities.
But two trends are supercharging phishing today:
Automation and commoditization — phishing kits and “phishing-as-a-service” lower the technical bar for attackers. These are readily available software packages and services that can be purchased to conduct attacks, meaning the buyer does not need the technical skills to carry out the attack themselves.
AI-augmented social engineering — generative models craft extremely convincing lures at scale. That combination turns the old “spray-and-pray” email into a professional, targeted, and scalable crime machine. Not to mention the creation of believable videos, images and voices which can be used to conduct vishing and other attacks.
The Dark Web Connection: Toolkits and Kits for Sale
The dark web and underground communities are where the tools, templates and services live: both marketplaces and forums offer software for sale as well as how-to tutorials on conducting these attacks. The same material is also shared on Telegram via marketplace channels. Below are some of the things being sold.
Security researchers have indicated that the availability of ready-to-use phishing kits on the dark web rose by ~50% from 2021 to 2025, highlighting that this is a trend that is only increasing.
Phishing Kits
Pre-built fake pages, sending scripts and hosting/configuration guides. Research and reporting show fully fledged kits are routinely sold for pocket change: some reports find kits advertised for as little as ~$25, while others are open source, making it trivial for novices to impersonate banks, delivery services, or SaaS providers. The image below, from a dark web forum, shows users sharing a list of openly available phishing kits that they claim are the best kits to use in 2025.
Phishing-as-a-Service & Automation Platforms
Another offering provided on dark web sites is running the attack on behalf of an actor. This means the actor does not need to take any action but can pay someone else to conduct the attack. The image below, from Telegram, shows a threat actor offering hacking services including phishing kits.
More advanced offerings include campaign dashboards, SMTP pools, deliverability testing and analytics (some newer tools even pair generative AI with mailing infrastructure). The images below show an advertisement for a phishing-related AI model as well as the site selling the software: the “SpamGPT” toolkit, an AI-powered spam-as-a-service offering sold on underground forums for around US $5,000.
Stolen Contact Lists & Harvested Credentials
While we have previously written about the sale of human organs, this Halloween the harvesting of credentials can be even scarier, with wide-ranging ramifications. Harvested credentials and victim lists, often sold in bulk, let attackers skip reconnaissance and target previously compromised users.
These data leaks, containing credentials and sometimes a great deal more information, can be very useful to threat actors conducting social engineering attacks. They make phishing messages far more believable, since the messages contain accurate, real information about the recipient.
These tools lower the barrier to entry, enabling less-skilled attackers to launch large campaigns. They are readily available on the dark web and adjacent sites like Telegram. This means that the number of attacks being conducted can and will increase, as individuals need fewer skills to conduct them, and as AI develops it is likely that the attacks themselves will become more sophisticated and complex. A scary thought!
How Phishing Campaigns Actually Play Out (The Attack Chain)
Figure 5: Phishing Campaign Cycle
Attackers will start with the reconnaissance phase, conducting research usually through open channels or stolen data to find information about the intended targets. Then they create the bait – using a phishing kit or AI they will create a message that they think will hook the target and bypass spam filters. They use the information they found during the reconnaissance phase to make it as believable as possible.
Next comes the delivery phase. Depending on what they are trying to achieve there are multiple delivery methods that can be used such as email, SMS, QR codes and even phone calls. In some cases, actors will use multiple channels as part of their attacks to increase the success rate.
The Exploit phase requires input from the victim to be successful. A victim will click on a link or provide credentials to a phishing site or inadvertently install malware on their computer. These credentials are then used by the attackers to conduct further attacks. But the information can be monetized further by selling the stolen information or access to other actors on the dark web – continuing the cycle of phishing attacks.
New Scary Technologies: AI + Phishing = Mass-Targeting on Steroids
Generative AI has already begun to improve the quality, personalization, and scale of phishing. Platforms and toolkits that combine text generation with campaign automation create highly convincing lures that are difficult for users (and sometimes filters) to distinguish from real messages.
A new class of underground offerings — some reported under names like “SpamGPT” — pair natural language generation with mailing infrastructure and analytics, effectively giving attackers a polished marketing stack for phishing.
The net effect: phishing no longer requires good writing skills or deep technical know-how. It requires money (often a small amount) and an account on an underground marketplace. That democratization of attack capability is why credential theft and phishing success rates have jumped in recent reporting.
How to Stop Being Tricked
For Organizations
Multi-factor authentication (MFA) everywhere — reduces the value of stolen passwords even if credentials leak. (Use phishing-resistant MFA like hardware keys where possible.)
Email protections + DMARC/DKIM/SPF + advanced detection — deploy and tune anti-phishing gateways, URL detonation, and link rewriting. Train filters to use behavior signals (login geography, device fingerprinting).
Phishing simulations + continuous user training — recurring, contextual training that adapts to current phishing themes reduces click rates. Combine simulated attacks with coaching, not just shame.
Dark-web monitoring & rapid credential-remediation — monitor for leaked credentials or company data; have a playbook to force resets and contain exposed accounts.
Least privilege + segmentation + strong logging — limit how far a single compromised account can go; log and monitor anomalous account activity for fast detection.
For Individuals (Easy Wins)
Use a password manager and unique passwords for every site.
Turn on MFA (preferably an authenticator app or hardware key).
Hover before you click — inspect links, check sender addresses for subtle typos, and don’t enter credentials after arriving at a link from an email.
Treat SMS and phone callbacks as suspicious for requests about credentials or money; verify independently.
If you click or think you’re compromised — change passwords from a known-good device, enable MFA, run a full malware scan, and notify your employer or bank.
Conclusion
Phishing and social engineering are the silent spooks in the house: they don’t break doors in—they get invited. And when the dark-web toolkit makes it easy, the threats multiply. This Halloween, treat your security like locking the door and checking the candy.
Phishing is deceptively simple, but the underground economy and fast-moving AI technology have turned it into an industrialized threat. The good news: many countermeasures are straightforward and inexpensive (MFA, password hygiene, basic email controls). Don’t take a bite of the candy unless you’re sure it’s your friend handing it. Treat yourself to security hygiene; don’t let the attacker trick you with something sweet.
In an increasingly hostile cyber landscape, organizations need visibility into the tactics and techniques used by threat actors. The MITRE ATT&CK Framework has become the gold standard for understanding adversary behavior, providing a structured taxonomy of real-world attack patterns.
While no single platform can address every category within this comprehensive framework, DarkOwl delivers exceptional coverage of critical, high-impact darknet sources, empowering organizations worldwide to anticipate, prevent, and respond to cyber attacks with greater confidence.
Understanding the MITRE ATT&CK Coverage Gap
The MITRE ATT&CK Framework encompasses hundreds of techniques across dozens of categories. The Darknet is establishing itself as a critical early-warning system for reconnaissance, credential compromise, and data exfiltration threats. By providing transparent and flexible navigation of darknet data, DarkOwl maximizes detection capabilities across its core categories, offering organizations unprecedented insight into emerging threats before they impact their systems.
DarkOwl’s MITRE ATT&CK Coverage: Breakdown Per Technique
Gather Victim Host Information
DarkOwl continuously scans stealerlogs, breaches, and darknet channels and fora to identify corporate IPs, credentials, and sensitive host exposures targeting your organization or those in your supply chain. This reconnaissance capability allows you to understand what information about your infrastructure is circulating in criminal marketplaces. Early visibility into compromised host data enables rapid remediation before attackers launch exploitation attempts.
Gather Victim Network Information
Threat actors extensively target networks before striking. DarkOwl monitors high-fidelity darknet sources for corporate network exposures, including IP leaks, asset names, trade secrets, tools, and databases. By surfacing these exposures early, your organization gains the critical advantage of knowing what network vulnerabilities and assets have been discovered by adversaries.
Gather Victim Identity Information
Personal and corporate identity information is among the most valuable commodities in underground marketplaces. DarkOwl detects when your employees’ and contractors’ emails, passwords, sessions, and devices appear in stealerlogs and breach databases. Reset credentials and block fraudulent access before it materializes.
Search Closed Sources
DarkOwl maintains a proprietary database of historic darknet content spanning years of darknet forum posts, marketplace listings, and ransomware site chatter. This institutional knowledge allows your organization to understand not just current threats, but historical patterns that may indicate ongoing targeting. Access to this closed-source intelligence significantly accelerates threat investigation and attribution.
Search Open Websites and Domains
Criminal and terrorist activity thrives across Telegram, Discord, and dark web list sites where threat actors openly advertise services and share stolen data. DarkOwl scans high-fidelity OSINT sources to identify when your organization is being discussed, targeted, or compromised. This open-source monitoring complements traditional security tools by capturing threats in spaces where defenders traditionally have limited visibility.
Compromise Accounts
Credential theft is the foundation of modern cyber attacks, and DarkOwl detects compromised social media, email, cloud, and personal accounts from your staff and supply chain partners.
Compromise Infrastructure
Infrastructure compromise—including domains, servers, and networks—represents a severe threat to organizational continuity. DarkOwl detects when your infrastructure appears in leaked files and darknet chatter, while also maintaining actor profiles highlighting the hardware, software, and CVEs commonly exploited by specific threat groups. This combination of compromise detection and threat actor intelligence enables targeted defensive hardening.
Supply Chain Compromise
Third-party relationships create indirect attack surfaces that many organizations overlook. DarkOwl identifies when contractors, suppliers, and vendors have compromised accounts and infrastructure, providing visibility into supply chain vulnerabilities that could be leveraged to reach your organization. Understanding these indirect exposures allows you to assess risk and implement compensating controls across your extended ecosystem.
Account Manipulation
Account takeover (ATO) represents a critical threat vector that DarkOwl actively monitors across all cloud and system accounts, including those from former contractors or suppliers. By collecting stealer logs and highlighting device and OS exposures, DarkOwl alerts your team to anomalous account activity before it escalates into a full-scale compromise. Rapid detection of account manipulation enables swift incident response and evidence preservation.
Modify Authentication Process
Multi-factor authentication is a cornerstone of modern security, yet DarkOwl discovers MFA redirect URLs in stealerlogs exposing authentication mechanisms. By publishing comprehensive stealer data organized by device, DarkOwl provides your security team with concrete evidence of authentication modifications and potential bypass techniques used by attackers.
Persistent Account Manipulation
Sophisticated attackers maintain long-term persistence through continuous account manipulation, particularly targeting supply chain vendors. DarkOwl monitors stealerlogs to identify ongoing account misuse within your supply chain, alerting to persistent threats that might otherwise remain hidden. Early detection of persistent manipulation prevents attackers from establishing a sustainable foothold within your ecosystem.
Access Token Manipulation: Token Impersonation and Theft
Modern applications rely on tokens for authentication, making token theft an attractive target for adversaries. DarkOwl monitors darknet Initial Access Broker advertisements and sales activity to detect when tokens from your organization enter criminal circulation. This intelligence on token compromise allows your team to invalidate affected tokens and audit token-based access before unauthorized actions occur.
Brute Force: Password Guessing
While brute force attacks are blunt instruments, they remain effective when attackers possess compromised password lists. DarkOwl detects compromised passwords of staff and supply chain partners circulating on darknet breach sites, indicating that your organization faces elevated risk of password-guessing attacks. Proactive password resets based on DarkOwl’s compromise intelligence significantly reduce the success rate of these attacks.
Reversible Encryption
Weak password hashing algorithms create reversible encryption risks, allowing attackers to crack stored passwords at scale. DarkOwl automatically surfaces hashed passwords from corporate domain exposures in historic breach files, highlighting those with weak algorithms subject to reversal by threat actors. This capability allows your team to identify and remediate weak hashing implementations before attackers exploit them.
Unsecured Credentials
Credentials often leak beyond your network perimeter, appearing in messenger apps and across distributed networks like TOR, I2P, and Zeronet. DarkOwl collects these widely-scattered credential exposures to demonstrate the full scope of your credential compromise landscape. Understanding where your credentials have been exposed enables comprehensive remediation across all affected platforms and services.
Internal Spear phishing
Executive and supplier credentials are prized targets for internal phishing campaigns. DarkOwl continuously monitors darknet sources to detect when your executives’ and partners’ credentials are newly shared by threat actors.
Browser Session Hijacking
Stealer logs inherently capture browser sessions, creating direct risks of session hijacking attacks. DarkOwl actively monitors and collects stealer log data containing compromised corporate and personal browser sessions, providing visibility into hijacking risks before attackers exploit them. This intelligence enables your team to invalidate compromised sessions and investigate the scope of browser-based compromise.
Exfiltration Over Web Service
Data exfiltration frequently occurs across web services where attackers blend malicious activity with legitimate traffic. DarkOwl detects when your corporate data appears on darknet services including Telegram, TOR sites, ransomware platforms, and underground forums. Rapid detection of exfiltration allows your incident response team to contain the breach, quantify the exposure, and implement targeted notifications.
External Defacement
Attackers often publicize breaches through external defacement to maximize damage and reputation impact. DarkOwl monitors for keyword/signpost mentions of your company and alleged stolen data across TOR, I2P, file repositories, and paste sites throughout the darknet. This continuous monitoring ensures your security team detects external defacement threats before they escalate into widespread public disclosure or regulatory complications.
Financial Theft
Cryptocurrency plays an increasingly central role in attacks, making financial theft tracking essential for investigation and attribution. DarkOwl allows your organization to validate illicit activity by linking it to specific crypto wallet IDs involved in attacks. This capability supports forensic analysis, law enforcement cooperation, and the tracking and tracing of cryptocurrency flows used to fund future attacks.
The DarkOwl Advantage: Deep Darknet Intelligence for Modern Threats
DarkOwl doesn’t attempt to be a universal MITRE ATT&CK solution. Instead, it excels at what matters most: providing transparent, flexible navigation of darknet data to deliver unprecedented visibility into how adversaries gather intelligence, compromise credentials, and exfiltrate data. By mastering these critical categories, DarkOwl gives organizations the early warning and actionable intelligence needed to transform defense from reactive to proactive.
In today’s threat landscape, organizations need platforms that go deep rather than wide. DarkOwl’s specialized focus on darknet reconnaissance and threat actor activity provides exactly this—strategic depth where it matters most. For security teams committed to staying ahead of emerging threats, DarkOwl represents the specialized intelligence layer that bridges the gap between your internal detection systems and the criminal activity planning your compromise.
Prepare for attacks before they begin. Detect compromise before it escalates. Respond with confidence backed by darknet intelligence. That’s the DarkOwl advantage in the MITRE ATT&CK era.
For specific details on how DarkOwl maps to the MITRE ATT&CK framework, contact us.
As we wrap up Q3, we’re excited to share a major expansion to our investigative capabilities within Vision UI—introducing a powerful new module designed specifically for darknet marketplace research. This release reflects our continued commitment to delivering actionable intelligence with precision and depth.
Enhanced Marketplace Research
DarkOwl has made substantial updates to the way we capture and store data collected from product listings on darknet marketplaces. Darknet marketplace listings now include up to 26 content fields, including listing titles, categories, vendors, shipping information, prices and payment options, reviews, refund policies, and many more. Access our full listing collection through our new Markets module in Vision UI, or through the Markets endpoint options in Vision API.
Figure 1: An example of a market listing collected from Abacus market, prior to its shutdown in July 2025
Aggregated Result Set Summaries
Search by product name, vendor, or even a market name—and see aggregated information and visualizations about your result set. This view provides:
A timeline of new listings
A map of Shipping Sources by volume
Metrics of total and top markets
Metrics of total and top vendors
Figure 2: Aggregated information for a product search ‘Xanax’.
Additional Features in our Markets module
Specialized search operators/filters: Search listings by Keyword, Vendor, Market, Category, Price, or other market-specific option.
Additional date options: Search listings or sort results by when the listing was First Seen or Last Changed on the market.
Figure 3: The Markets module provides customized searching and retrieval for product listings. Listings are also available in the All Sources general search, which provides a uniform experience across all data types within DarkOwl Vision.
Figure 4: Additional filtering options in this module include Price, Shipping Source, and Shipping Destination.
Marketplace Research in Vision API
We’ve launched three new endpoints for programmatic access to our enhanced darknet marketplace data. These endpoints provide optimized searching, filtering, and formatting specific to market listing content:
The Markets Search endpoint for an optimized experience and market-specific parameters.
The Markets Summary endpoint provides aggregate information about your search result set.
The Listing Detail endpoint retrieves all information from a single market listing.
You can continue to find market listing results using our Search API endpoint, which has been enhanced with vendor, price, and shipping information, as well as a reference to pull the full listing content from the Listing Detail endpoint if desired.
Other Vision UI Updates
We’ve made several search experience upgrades, which streamline and improve search workflows in Vision UI:
Source Domains Filter: The input field has been redesigned for a cleaner, more intuitive experience, making it easier to include or exclude source domains in your searches.
Chat Channel Filters: Our chat filters now support exclusion, allowing you to refine result sets by removing specific channels.
Search Block Expansion: Chat types are now available as search block types—ideal for monitoring high-interest sources.
Figure 5: The new Source Domains filter provides easier ways to filter to or exclude specific domain sources.
Leaks of Interest Collected
When your search results come from data leaks, you can review additional information curated by DarkOwl analysts, giving you enrichment on the data leak. The descriptions below are all available in our Leak Explore UI feature, or via the Leak Context API endpoint.
USA fullz info cc x200
A post on LeakBase, a hacking forum, on January 28, 2025, linked to the file: ggjtv.txt. According to the post, there are 200 lines of full USA credit cards. Data exposed includes names, email addresses, CVV, physical addresses, expiration dates, dates of birth, Social Security Numbers, phone numbers, passwords, mobile numbers, and credit card numbers.
etsy.com
Data purported to be from Etsy was posted on BreachForums, a hacking forum, on December 5, 2024. According to the post, the leak consists of 3,600 rows of data, containing 3,535 unique Social Security numbers, 1,915 email addresses, and 32 email domains. Data exposed includes customer information, email addresses, physical addresses, genders, dates of birth, SSNs, phone numbers, mobile numbers, user identification number (UID), company names, and product data. The threat actor noted the leak contained additional files of parsed and deduplicated SSN, emails and email domains from the raw leak data, noting the files that contained emails and email domains had free email services removed from them. While the victim data is listed as Etsy, the post indicates the company exploited by the MOVEit vulnerability was Delta Dental.
3.9M Allianz Life 2025.19.08 Sample
Data purported to be from Allianz Life, obtained via Salesforce, was posted on scattered lapsus$ hunters, a Telegram channel, on August 19, 2025. According to the post, the leaked data includes Salesforce’s “Accounts” and “Contacts” tables and contains a total of 3.9 million sensitive records, though only 2.8 million were publicly posted. Data exposed includes customer and partner data, names, addresses, dates of birth, and professional information. The Threat Actor indicated that the full leaked database was posted for sale for $10,000 US, with a final sale of $9,000 for the complete database completed on August 21, 2025 by Season via a Bitcoin transaction. According to media reports, Allianz Life confirmed a third-party CRM platform was accessed by a threat actor on July 16, 2025. The Threat Actor group is a combination of Scattered Spider, ShinyHunters and Lapsus$. Telegram channels associated with the group are quickly banned, with backup channels being regularly created to repost content associated with their recent activities.
Serasa Experian 2.9 GB
Data purported to be from Serasa Experian was posted on LeakBase, a hacking forum, on September 10, 2022. According to the post, a hacker known as JBR initially posted the file that affected 223 million users. Data exposed includes names, genders, dates of birth, and CPF (Cadastro de Pessoas Físicas) numbers. The dataset includes static identifiers such as CPF numbers and dates of birth. Consequently, the age of the leak does not lessen the potential impact of the exposed data. A February 2023 post on BreachForums from a user named “TheBlob” explained that the original breach was carried out by a Brazilian hacker known as “JustBr” (or “JBR”), who initially advertised the data on the now-defunct forum, RaidForums. The complete database was reportedly sold for $30,000, while portions, which consisted of 40 parts, were available for $755 each.
Curious how these features and data can make your job easier? Get in touch!
Command-and-control (C2) frameworks are used by both red teams and cybercriminals. They provide a wide range of functionality and capabilities that make post-exploitation tactics easier and more effective. In simple terms, a C2 acts as a central server that connects to, communicates with, and manages compromised systems. It establishes persistence and allows the operator to control dozens of infected machines from one central environment.
There are many reasons why C2 frameworks are popular among attackers and red teams. Most frameworks offer operators powerful capabilities such as privilege escalation, network pivoting, scanning, and data exfiltration. They are so useful, in fact, that cybersecurity companies have developed their own commercial C2 products for ethical red-team engagements. Cobalt Strike is often regarded as the industry leader for production-grade post-exploitation operations due to its broad set of easy-to-use features, making engagements accessible even to less technically skilled operators. Open-source options are also widely available, with frameworks like Covenant, Sliver, Metasploit, and many others freely downloadable from GitHub.
Regardless of the framework, stealth is the most critical factor for both ethical red teams and cybercriminals. Security Operations Centers (SOCs) constantly monitor traffic and look for suspicious packets moving through the network. No matter how polished a C2 product may appear, it is useless if detected and blocked. In addition to internal monitoring, dedicated threat-hunting teams at Microsoft, Google, Meta, Cisco, CrowdStrike, IBM, and others search for malicious infrastructure outside their own networks as well.
Security Through Obscurity
Offensive security operators understand the importance of obfuscating traffic and minimizing detection. Great effort is made to ensure payloads are covertly delivered, network traffic is routed inconspicuously, and C2 frameworks are hidden behind innocent-looking websites. This constant need for concealment has led to several tactics, techniques, and procedures (TTPs) that blue teams, SOCs, and organizational leaders should be aware of.
“Small Sieve,” for example, uses the Telegram bot API to communicate over HTTPS and relay commands to and from malicious C2 servers. To defenders, this HTTPS-encrypted traffic moving through the organization’s network may appear normal. Since Telegram is not considered a malicious service, such traffic could easily be overlooked by blue teams and SOC analysts.
Throughout 2021, a suspected Iranian-backed threat group known as “Oil Rig” conducted an operation called “Outer Space” targeting Israeli organizations. To conceal their malicious traffic, they compromised an Israeli human resources server and repurposed it as a dedicated C2. Subsequent operations appeared to originate from this trusted source.
This technique is not limited to concealing C2 servers. When a stage-one payload needs to download additional malware, threat actors often host stage-two payloads on trusted platforms that are less likely to raise alarms. Saint Bear, a Russian threat actor active against Ukraine and Georgia as early as 2021, frequently used Discord’s content delivery network for hosting malicious files. To defenders, this traffic appeared to come from Discord, making it harder for intrusion detection systems to flag as suspicious.
DarkOwl Vision: Threat Intelligence on C2
The popularity and awareness of these C2 techniques have expanded beyond nation-state actors and advanced attackers. Using the DarkOwl Vision platform, we can observe multiple discussions emphasizing the importance of stealth in C2 operations.
Source: DarkOwl Vision
One user highlights the software’s ability to “function covertly, employing stealthy techniques to avoid detection… and [avoid detection from] network security monitoring tools”.
The following example describes another piece of malware that uses Telegram as its command-and-control platform for communication with infected machines. Again, the author boasts of the software’s “low detection rates due to its advanced obfuscation techniques”.
Source: DarkOwl Vision
Conclusion: Cyber Cat and Mouse
For cyber defenders and blue teams, it is critical to understand these TTPs. In some cases, a SOC analyst may identify something suspicious within an otherwise benign Telegram packet. In others, endpoint detection and response platforms can be tuned to better recognize this malicious traffic. More importantly, the cybersecurity community must accept that these TTPs will continue to evolve into more sophisticated methods. Just as blue teams grow comfortable detecting one technique, red teams adopt the next lesser-known approach that has yet to be widely publicized.
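As an added example (not DarkOwl's code and not part of the original post), here is a small defensive check over constructed proxy log lines for the two patterns described above: a non-browser process relaying over the Telegram bot API at a fixed check-in interval, and an unexpected process fetching a file from the Discord CDN. The log line format, the abused-host list and the process allow-list are assumptions made for this example.

```python
"""Flag C2-style use of trusted services in proxy logs (added example, not DarkOwl code).
Constructed log line format: "<epoch> <src_ip> <process> <dest_host>"."""
from collections import defaultdict
from statistics import mean, pstdev

# Services the post describes as repurposed for C2 relay or stage-two hosting.
ABUSED_LEGIT_HOSTS = {
    "api.telegram.org": "Telegram bot API relay (Small Sieve style)",
    "cdn.discordapp.com": "Discord CDN payload hosting (Saint Bear style)",
}
# Assumed allow-list of processes that normally talk to those services.
EXPECTED_CLIENTS = {"telegram.exe", "discord.exe", "chrome.exe", "firefox.exe"}
# Constructed sample: svchost.exe checks in every ~60 s; PowerShell pulls one file.
SAMPLE_LOG = """\
1700000000 10.0.0.5 svchost.exe api.telegram.org
1700000060 10.0.0.5 svchost.exe api.telegram.org
1700000121 10.0.0.5 svchost.exe api.telegram.org
1700000180 10.0.0.5 svchost.exe api.telegram.org
1700000241 10.0.0.5 svchost.exe api.telegram.org
1700000005 10.0.0.7 chrome.exe cdn.discordapp.com
1700003200 10.0.0.7 chrome.exe cdn.discordapp.com
1700000010 10.0.0.9 powershell.exe cdn.discordapp.com
"""

def parse(log_text):
    # Yield (ts, src, proc, host); malformed lines are skipped rather than raising.
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield int(parts[0]), parts[1], parts[2].lower(), parts[3].lower()

def interval_cv(timestamps):
    """Coefficient of variation of inter-request gaps: near zero means a fixed
    check-in cadence (a beacon); bursty human traffic scores high. Needs >= 4."""
    if len(timestamps) < 4:
        return None
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return pstdev(gaps) / mean(gaps)

def find_suspicious(log_text, cv_threshold=0.2):
    """Return one finding per (src, process, host) flow that looks like abuse."""
    flows = defaultdict(list)
    for ts, src, proc, host in parse(log_text):
        if host in ABUSED_LEGIT_HOSTS:
            flows[(src, proc, host)].append(ts)
    findings = []
    for (src, proc, host), ts in flows.items():
        why = []
        if proc not in EXPECTED_CLIENTS:
            why.append(f"unexpected client process {proc}")
        cv = interval_cv(ts)
        if cv is not None and cv < cv_threshold:
            why.append(f"regular interval (cv={cv:.2f}, n={len(ts)})")
        if why:
            findings.append({"src": src, "proc": proc, "host": host,
                             "service": ABUSED_LEGIT_HOSTS[host], "why": why})
    return findings
```

Calling find_suspicious(SAMPLE_LOG) returns two findings: the metronomic svchost.exe traffic to api.telegram.org (flagged on both process and cadence) and the PowerShell download from cdn.discordapp.com, while the browser's irregular Discord fetches pass.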
Resources such as attack.mitre.org are invaluable for fingerprinting and understanding the TTPs that a company, organization, or industry might face during an incident. After an attack, investigators and cyber experts often publish their findings, which can help future targets prepare to identify and thwart similar threats.
In this blog, we explained how powerful C2 frameworks can be in maintaining stealthy operations for both red teams and cybercriminals. We highlighted examples where advanced persistent threats (APTs) leverage trusted applications and networks to conceal post-exploitation activity. The dark web remains a rich source of intelligence, where forums and discussion boards provide valuable insight into evolving trends and shared techniques. Ultimately, staying ahead in this cyber cat-and-mouse game requires defenders to remain adaptive, vigilant, and continuously informed.
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.