Threat Intelligence RoundUp: November

December 01, 2023

Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of what was most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. Iranian Cyber Espionage Group Targets Financial and Government Sectors in Middle East – The Hacker News

Iranian cyber actors have been running a campaign over the past year targeting various entities in the already conflict-laden Middle East. Victims include organizations in Jordan, Kuwait, Oman, Iraq, Israel, and Saudi Arabia. Tools used in the eight-month-long campaign include custom web shells and backdoors, indicating an elevated level of sophistication. Read full article.

2. Boeing Breached by Ransomware, LockBit Gang Claims – Dark Reading

Threat group LockBit claimed to have infiltrated Boeing’s systems using a zero-day. Boeing appeared on the LockBit leak site at the end of October 2023, but the group offered no proof that it held data or material belonging to Boeing. Article here.

3. General Electric, DARPA Hack Claims Raise National Security Concerns – Dark Reading

Notorious actor “IntelBroker” published their purported access into General Electric (GE) and the Defense Advanced Research Projects Agency (DARPA), claiming credentials, military data, and other sensitive data were for sale. GE confirmed that an incident occurred but didn’t provide additional details. IntelBroker claims to have access to GE’s development environment. Read more.

Prolific Puma is distributing phishing services, malware, and other scams via link shortening services. The group has registered tens of thousands of unique domain names since the spring of 2022 and consistently abuses DNS infrastructure in its efforts. It has not been observed advertising these services on underground markets as yet. There is also no indication of where Prolific Puma operates from or what language its members speak. Read here.

5. Ardent Health Hospitals Disrupted After Ransomware Attack – Dark Reading

Thirty hospitals in the Ardent Health Services system have been hit by a ransomware attack, resulting in emergency services being redirected. While Ardent is headquartered in Tennessee, the impact has been felt across six states. Learn more.

6. Cybercriminals Using Telekopye Telegram Bot to Craft Phishing Scams on a Grand Scale – The Hacker News

A new bot, Telekopye, has emerged on Telegram. Actors are using it in seller, buyer, and refund scams. The criminal group known as the “Neanderthals” has pioneered its use, tricking innocent users into entering payment details via email or SMS to buy goods and/or services that do not exist. The groups use VPNs, proxies, and Tor to remain anonymous. Read full article.

7. Meet the Unique New “Hacking” Group: AlphaLock – Bleeping Computer

Russian cyber group AlphaLock debuted on Telegram this week, advertising various services such as “training pentesters.” This is often code for ransomware operations, with Russian groups using this language because they don’t want to be seen as malicious ransomware actors. The group also offers customized online courses intended to train new operators, and then uses those newly trained actors to establish a marketplace on the deep and dark web (DDW) forum XSS where they sell the “pentesting” services. Read full article.

8. Russian-speaking threat actor “farnetwork” linked to 5 ransomware gangs – Bleeping Computer

Russian-speaking actor “farnetwork” served the Nokoyawa RaaS operation as a project leader and recruiter, and contributed to the development of the JSWORM, Nefilim, Karma, and Nemty ransomware variants. The actor recruited for the various gangs and actively speaks to analysts from various intelligence firms to promote their work. Their online aliases include: farnetworkl, jsworm, jingo, razvrat, piparkuka, farnetworkit. Learn more.


Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.

[Webinar Transcription] Online Targeting of Minors & Child Extortion

November 28, 2023


As the holiday season approaches and kids and young adults spend more time online, there is never too much that can be done to ensure they remain safe. In this webinar, DarkOwl and Mr. Bill Wacker share how a close family member of his was exploited online.

As the leader in dark web intelligence, DarkOwl constantly sees:

  • Solicitation of minors and children, asking for pictures, personal information, and more
  • Blackmailing young people, threatening to extort them or reveal personal information about them or their families if they don’t comply with the requests of the actor
  • Malicious actors posing as a younger individual in the hope of luring children to meet up in person in order to carry out abduction or kidnapping operations

Mr. Wacker details his personal story about the family member who went through this, how he helped them, and what you and your family can do to keep children safe in an ever-connected world that preys on them.

For those that would rather read the presentation, we have transcribed it below.

NOTE: Some content has been edited for length and clarity.


Bill: My name is Bill Wacker. I live in the Cleveland, Ohio area, and my daughter was affected by what was almost a child abduction. I wanted to talk about it because I don’t want this to happen to anyone else, and I would love to try to figure out ways to prevent this. If we can save one kid, that’s the goal for today, and to inform everyone that it can be you. I know people say “not my kid, no way,” but it could be your kid, for sure.

Steph: I’m Steph Sample. I have 18 years of experience in various roles in cybersecurity. I started off focusing on the Iranian state as well as its allies in the cyber world, their cyber program, their developments, and then moved into all things criminal, because the criminal world, as you’re about to find out, never ceases to stop, is always malicious, is always active, and we can do a little bit more and learn a little bit more to share with partners in the criminal world. So Bill, again, I cannot thank you enough for being here today. This is such an absolutely amazing story. So I think let’s jump right in so that we can educate our audience and share your incredible story, which has a happy ending.

Let’s do that. So Bill, how was your family member approached? Can you please name specifically what social media platform? I think that’s important.

Bill: So it was Instagram. My daughter was involved. She’s always been a kid that didn’t have friends per se. She’s always struggled with her peer group. She’s never had trouble finding friends that are, you know, younger, or hanging out with adults. It’s always bothered me and my inner mother. We’d catch her just talking to people here and there, and we just did our best to monitor it. But one day I was taking her back to her mom’s, and my partner at the time said, hey, I noticed something on Madeline’s phone that she was showing people, and I would look at it if I were you. So I did. So we were driving home and, not being a very good driver, I decided to look at the texting and Instagram exchange, and it only took about three sentences for me to know that this was very serious, and I literally just did a U-turn and went right to the police station. I can tell you that the content… it was so awful. Use your imagination about the worst possible thing you could read from a sexual perspective, a sick sexual perspective. And think about it being said to a 12-year-old kid.

Steph: That’s really important perspective. Because let’s be serious, the online world, whether it’s social media, gaming platforms, all of it is used and in a good way can help kids find people if they don’t relate at school, if they don’t have their peer group, that’s why they gravitate towards it. But then there’s these incidents and that’s absolutely atrocious.

Okay, so you had the observation – great vigilance on your partner’s part in getting involved. Did you approach your daughter about it? Did you message with the app?

Bill: Well, so she was with me in the car, literally. I asked her for the phone and she looked at me like, why? Because she knew something was up. And I said, I’ve heard that there’s some stuff on your phone that’s alarming, and I have to look at it. And I said, just please give it to me. Literally once I saw it, the first couple of sentences, it was off to the police station and getting them involved ASAP. I didn’t read everything, but what the police told me is it went down like a dialog. As they looked at the exchange, the next step was that this person wanted to meet her at a place called Crocker Park. It’s the largest shopping area in the Cleveland metro area, and it’s also a large child trafficking hotspot, which I didn’t know either until the police told us. It’s because of its location, proximity to the highway. It’s an outdoor mall. So the next step was he was trying to coerce her into meeting somewhere at Crocker. And I can’t, four years later, I still can’t believe it was that close. And it was just, it was a miracle we caught it. It really was.

The police got very involved, but they never caught him. They got an IP address. They worked on it for about four months; it just never worked out. We also had some visibility with the event with local channel 19. Tiffany Tucker was the anchor. She was marvelous. She was so helpful, very involved, wanted to help out, wanted to bring the message to people in Cleveland. She’s fantastic. It’s a happy ending because nothing happened to her. But, you know, there’s trauma for her, there’s trauma for us. But we got over it. We’re just very lucky. I just want to make sure everybody knows that could happen to them. They’re tricky. They’re clever. They’re master psychologists. They know what they’re doing. You just got to be vigilant. And it will probably make your kids angry, but it just doesn’t matter. It’s a messed up world, as you’ll show later with some of the things that you’re going to bring up as slides.

Steph: So about how long, if you can give a ballpark, did the actors start speaking to your family member versus when you discovered it? Can you estimate?

Bill: Keep in mind, it’s like four years ago and I didn’t have the ability to go track the messaging, but I would say it was about a two month process.

Steph: It’s not that long, not a long time. And let’s be clear, your daughter was under 13, so she was a pre-teen, right? And you’re exactly right. That’s how these actors work. They know to go for younger, you know, the cognitive functions aren’t there. The social skills and the IQ are not quite there. They’re just not developed. They [cyber actors] know what they’re doing.

So do you think that your daughter would have gone to meet in person?

Bill: Yes, absolutely. Well, let me take a step back. I mean, she’s 12 years old. But she would have had to figure out a way to get there. But she would have, because she’s very clever and she would have gotten what she wanted somehow. I’m just thankful that it never came to that. But yeah, I think she would have tried to figure out a way to meet.

Steph: You said that the location that the actor chose, the outdoor mall, is commonly used for child and human trafficking operations. Do you feel that there’s more awareness surrounding this venue now in your area, or would you like to call further attention to these which exist in every city?

Bill: I think that is a great question, and I don’t, I think the answer is probably no. People tend to forget these stories pretty quickly, unfortunately. I mean, with everything like gun control, everything it’s like goes away. We have so much coming at us. But yeah, I think it needs to definitely be brought up more. I don’t know how a mall like that would feel about putting fliers or signs up to, you know, if you feel like you’re in danger, call this number. That type of thing or text this if you feel like you’re being approached or I don’t know what to do.

Steph: That’s a really great point because airports have that, right. Let’s be serious. They’re usually in the restrooms or they’re in lounges, you know, a human trafficking number. Here’s something to call. Here’s a sign you can take.

So you mentioned that you went to the police, which is great. Got the authorities involved. And you went to the media, which I think is also great for calling attention. Do you have any recommendations as far as software monitoring for younger kids? I know there’s a privacy discussion, but look at what’s happening. Do you have suggestions on parental controls and monitoring?

Bill: I don’t at this point because we did have those tools and I guess we didn’t… I think the tool is only as effective as how you implement it or use it. And I’ll take the blame. I mean, she’s only with me a couple of days a week because we are divorced, but yeah, we just didn’t catch it and still have trauma. I beat myself up about it still, but we were able to catch her. But yeah, we did.

Steph: This is not to beat yourself up over. This is important to reflect on, to teach lessons. Because Bill, four years ago tech and social media weren’t what they are now. Let’s be serious. You know, there were issues. Of course we’re seeing that. But it evolves so much. And these kids, we just talked about how clever, how resilient, how intelligent they are. But, you know, parents have to try to stay one step ahead. And that’s impossible. So this is the point of this webinar, why we’re sharing, what we want to educate.

How about her school Bill? We didn’t touch on that. Did you talk to her school afterwards? Did you share this news with other kids? How’s the school doing in this role?

Bill: School really didn’t do much. We told them, we notified them, but we really got nothing else out of them. I know the police were very frustrated that they just couldn’t find the perpetrator, because the police that read the messages – you could just see the rage in their faces, like when they read the whole thing. But no, we didn’t really get much out of the school. I think there are talks at Westlake all the time about this. So that’s not to say that Westlake is not educated, because they certainly have parent-led discussions to prevent this from happening. But as far as this particular incident, I think there’s also a lot of shame, embarrassment, maybe from both parents, and not telling many people outside law enforcement, you know, outside a particular close group of friends.

Steph: See, that’s another issue that we need to fix with public education, because parents are not omnipresent. They can’t be everywhere. Neither is law enforcement. Neither are schools. Again, this is not a finger-pointing exercise. It just goes to show, with how quickly tech moves and how available it is, especially to kids. You know, we have to try to stay on top of it. We have to share our notes. We have to share our groups and share our resources, because no one can do this alone, no one at all. So what would you hope the takeaway message is? Now, having spoken to the media, law enforcement, the venue, schools, what do you want to tell our audience as far as how to address this in the future? Monitoring their kids’ current activity. What are your thoughts there?

Bill: So I would sit down with your kid and just have a discussion about it. I would try to get educated as much as you can about what’s out there, what people are doing, and just have a discussion and just say, hey, have you ever had anything like this happen? Have you been approached? You’re the parents; parents know their kids better than anyone. And when something like this happens, make sure your kids are aware of it. Make sure your family is aware of it and your friends are aware of it. I don’t think there’s any silver bullet, right answer; I just think it’s really awareness. I think it’s trying to be involved as much as you can with your child, and then knowing that something might be off. You don’t know what it is, but you sense something’s off and you act upon that. That’s what happened here. That’s what saved us, is that something just seemed awry, off. And it’s, you know, the analogy I use is everybody has a, you know, a pet. You know, when your pet’s sick, you just know something’s off with them. It doesn’t matter what. And I think the same is with your kid. You know something’s bothering them, on their mind, if you have a good relationship. But it’s also embarrassing for them and scary for them. So I think the other thing is you have to make sure that whatever you tell them, whatever is going on, you’re a parent. We love you. We want to protect you. We want to help you. There’s nothing to be embarrassed about. These things happen. These people know what they’re doing. They’re psychopaths, sick people. And that’s all I can do. The biggest thing, Steph, is I wish I had better answers, but it’s just, it can happen to any of us. It can happen to any parent. It doesn’t matter.

I was hoping just to build a little bit more awareness, and I’m more than welcome to talk to anybody on this call if they want to just talk to me one on one, I’m more than happy. You can give them my contact information. But yeah, I just want to save a kid and prevent this from happening. It’s so awful for the family. It’s just it’s still tough to talk about four years later.

Steph: I believe it, I believe it, and that’s why we have to be thankful that you are here. You know, we talk to our kids about everything, right? There’s nothing else we haven’t done. So you have sex, drugs, alcohol, smoking. Now we have active shooter drills in schools. Right. So maybe there is something to be said there that we could get cyber drills in schools. It’s got to maybe start to be part of the curriculum because these kids have devices sometimes before they’re even out of the womb. They have social media accounts. And again, that’s not malicious activity on the part of the parents or family members, but they don’t know what they’re setting their kids up for. And you’re so right that awareness and education is the most essential part. So on that I have some slides I’d like to share.

Kathy: Before we move on, there’s a question for Bill. Now that your daughter is 16, how is your relationship about privacy and transparency between you, your co-parent and your daughter?

Bill: That’s a good question. I mean, obviously she’s 17, she’s a teenager. And communication can be tough. But I think she learned. We constantly talk to her about it because she’s still not socially mature for a 17 year old. So we have to be very, very careful about monitoring her still. And like I said, I’m only with her a couple of days a week, so it’s harder. And unfortunately it’s on her mom and mom’s busy as heck too, so it’s just really having the constant conversations. Fortunately, I don’t think fortunately is the best word to use, but she almost was taken and she got a second chance. Most kids don’t. And so it’s just keeping her aware, monitoring her very closely with my son who’s 12, the same age when it happened. It’s not a non-issue. It’s like he doesn’t have anything to do with this stuff. He’s got his circle of friends. That’s all he cares about. But he’s still, you know, aware and remembers what happened. I hope that answers the question.

Steph: So I pulled this news article up. Bill, you and I have discussed this before. This happened in Atlanta. It sounds a little bit similar in that it was the targeting of an underage girl.

The big difference on this one is that this individual was part of the parents’ approved social network, right? So they were friends on Facebook. They knew each other from a religious gathering. They thought that they knew what this guy was all about. And in reality, he was combing the parents’ accounts, the pictures of their daughter, her locations, to attempt to sell her online. There’s a dark web market. Obviously, we are DarkOwl – we know the dark web very well. The market is called slave market. It sells children from all over the world. It is not just the United States. So this is an example. Bill, you know, you talked about how when we see this, we have some headlines and then they go away. And you’re right, because this was earlier in the summer of 2023. It was June. This little girl was also saved. She’s fine too. Happy ending like you, Bill, her mom speaking out to the Atlanta press. But I think it’s more important to draw attention to that. And with that, I want to segue.

So again, DarkOwl, we comb Telegram, Discord. We are on the dark web. This is what we see and deal with all day. This is not easy subject matter.

My top screenshot is this individual who’s offering how to get kids’ social media accounts and sell them on Telegram. Why? Because kids, even if you’re not going to physically go after them, right? Attempted kidnapping, attempting to procure them, if you will. With kids’ social media it is easy to steal their PII (personally identifiable information), passwords, credentials, because kids don’t have job histories, credit scores, all the complications that adults do. So this Telegram channel is talking about how kids’ accounts are clean, and to steal an identity or start a criminal ring. That is what this actor is doing. He’s going after children.

You can see the middle one, which is again from the summer of 2023. We’ve got a child slave market. This is an offering on a dark web site. This is absolutely live. This was only a few months back. This is still happening.

And then we have a May 2023 article about certain tech marketplaces, platforms, all of it, that criminals are unfortunately misusing to recruit, trap, approach, and then attempt to buy and sell children, whether that’s kidnapping or another way. We’re not saying this is the tech giants’ fault. It’s just that this is happening everywhere, on every platform, to kids as young as seven, eight, when they can start typing.

The final data and slide that I have here, which I thought was also really pertinent. Again, not going after, physically attacking children or kidnapping them or taking them. This is a different dark market advertisement. Again, from 2023, you can see that the children’s Social Security numbers and dates of birth are available.

Fullz in the cybercriminal world means that it’s a record with complete information. It means it’s the highest chance that you have to steal someone’s information. So these fullz are going to have not only what the actor is listing, they will have locations, metadata, coordinates, where they attend school, what sports they play, anything that can really help provide a complete picture of children for that identity theft. You can also see that they specified the dates of birth for these children are 1999 to 2020, again targeting those younger ages, those people who do not have the fully developed cognitive skills, who aren’t going to be able to understand that somebody online messaging them might not be who they say they are. And the final part of that post is you can also see that the guardians’ information, whether parent or other family member or other legal guardian, is there, further allowing a criminal actor to potentially impersonate a guardian and do further harm to that child or other children.

These are just some of the examples that we pulled. Again, we wanted to keep this focused on Bill and his family and the educational part of this, but we have to share how essential it is to protect your children online. Yes, everybody wants to share pictures and vacations and milestones. That is what unites us as human beings. We get it. But there is a dark, nefarious side to this. And unfortunately, criminal actors have really caught on how to quickly and efficiently and effectively make money off of innocent children or innocent families and do further harm. So I thought these were really important recent examples to share. Bill, anything else on these examples that you wanted to add? Did they approach her with any of this, or use any terms that you’d like to share as well? Lingo is important too.

Bill: No, I wish I knew. I was just reading that and the other examples. It’s just horrendous. I just am speechless about the stuff that’s out there. I had no idea. I think it’s awareness. Like you said, technology has changed a lot in four years. Things change so quickly. So then it’s like you have to educate yourself on, well, all right, so this has changed. What am I going to do now? Keep pace, I guess. I wish I knew what the answer was in terms of how to stop these people and how to find them. That would be, I would hope, our next breakthrough. I really thought we’d find that other person. We did not. I was surprised, actually.

Steph: It’s interesting that the actor wasn’t found because, you know, a lot of time and effort was spent on that. But it also goes to show that they are using location-hiding software, obfuscation techniques, and then disposable infrastructure. Right, now that we have cloud IP addresses, they’re ephemeral, you can change them. So these actors really do know that. And it’s terrifying how quickly they can disappear. We know they’re going somewhere else, we know they’re reappearing elsewhere. So all right, we’re going to try to get some schools and educators involved. We’re going to keep talking to the media. We’re always going to go to our respected law enforcement. Let them know. I think that vocabulary is one way that we can do this. You know, there are definite repeated terms that criminal actors will use. After we publish this, let’s have it in writing for people so that they can copy and paste, put them into their parenting software, implement them live, right. And then we can kind of keep a running list and also gain feedback from the audience. Undoubtedly, there are parents and cyber professionals in our audience who are going to watch this. So let’s keep that a growing task and list, which also facilitates continued conversation. We don’t want this to fall apart, fall away. We want to keep it visual.

Kathy: Bill, someone would like to know what was the response from Instagram. Did you get a chance to speak to them about the problem?

Bill: That’s a great question. I know we alerted them. I know the police took care of that. It made them aware of the problem. I can find out what Instagram went back and said. I know that they did some things on their end, and I know the police were involved to try to figure out how to find them. That’s really all I know about what Instagram did. I kind of took my hands off it and let the police just do their job, as much as I wanted to take over.

Steph: That had to be hard to sit back and let someone else take action on this. But again, they were probably well versed, you know, so that had to be really difficult. And I think that’s a good point to share. There’s nothing about this process that’s going to be easy. It’s uncomfortable. It’s terrifying. It’s traumatic. So let’s focus on that too. And just really, you know, talk to your families about it, talk to mental health professionals too.

Kathy: Did the police have a cyber unit or only traditional investigation?

Bill: That’s a good question, too. Traditional investigation.

Steph: I want to highlight that, should the FBI ever become involved, because these are definite cases for the FBI and your local law enforcement. The FBI not only has a cybercrime unit and specialists, but they also have a reporting forum. You can use the hotline, you can use an anonymous email address. And I think that’s also important to share too. So that can be another thing that we provide in our follow-up resources: not only your local law enforcement, but the FBI as well. Because if we have more eyes on this problem, we have just a little bit more monitoring and a movement towards a solution.

Kathy: I’m sure it may be difficult to have the data to confirm, but how often are these bad actors caught on the dark web in these instances?

Steph: I will be honest, not enough. I, in my almost two-decade-long career, know I’ve seen more ransomware, DDoS, more of the technical actors that are taking down, say, your critical infrastructure, and I am not seeing enough attention given, nationally or internationally, to human trafficking efforts, kidnapping efforts that happen frequently online. And one thing I should highlight there, too, is the actors are also smart, right? So they are moving from the more common public forums on the dark web. They’re moving more towards one-on-one communications. So like in Bill’s instance, of course, it was private messaging on Instagram. What we’re seeing as a general trend is that they will advertise those keywords like you just saw in those slides I had. They will say children, they will say slave market, etcetera, etcetera. But there’s no further context or detail, and they entice people to message them directly, which of course hinders law enforcement operations. You can’t get into private messaging. So no, the data’s not perfect. Maybe we can get some input from law enforcement too as we continue to drive awareness, but they are not being taken offline as quickly as needed.

Bill: And why is that? I was just going to say. Why do you think that? What do you think? What needs to be done to, in your opinion, to find these perpetrators or what other steps can we do? Because like you said, it’s hard to get them. We didn’t get the guy for my daughter. I know that dark web is very mean with Tor and everything is really hard, but I don’t know what your suggestions are.

Steph: It’s unfortunate that technology is neutral, right? Technology is only good or bad depending on whose hands it’s in. And like you said, it’s unfortunate that you didn’t catch yours. But like I detailed, they’re using all this hidden software, all of these obfuscation techniques, again, not just for human trafficking but criminal operations writ large. And that is unfortunately a really dark and nefarious side of technology, that if somebody is very sharp and knows what they’re doing, you can’t nab them, you can’t remove them. So I think all we can honestly do, as hard or as ineffective as it might sound, because we’re people of action, is continue talking about it, raising awareness, giving lingo, headbutting into your kid’s life. Right? Like, hey, who are you talking to? Who is that? Do you know that’s who that is? You’re not going to meet them in person, are you? Do it. There’s a really common thing in cyber where we do tabletop drills. So we do, all right, you got a DDoS attack. How do you bring your system back online? Go. Okay, you’ve got ransomware. Same situation. And unfortunately, it sounds like we’re just going to have to keep doing this with kids. Again, I think that curriculum in schools could be a good place to start. Do an impersonation in school off this: a person approached me online, he said this, he said that, he asked for pictures, and just try at age-appropriate levels to make your kids aware, in addition to parents, teachers, and community members.

Kathy: Does DarkOwl help with detection of these issues?

Steph: Oh, my gosh, we certainly do. I mean, one of the numerous reasons I’m absolutely privileged to work here, not only do we contribute to criminal operations and stuff, but we also donate our platform to anti-human trafficking efforts. We have all of our coworkers who generally work nights and weekends to do that, because our executives feel it’s important. We at the analyst level feel it’s essential. I mean, look at what we just talked about, so we contribute to it. We will pass a tip, information; we also love to share with other members of the cyber community. It takes everybody for the more technical criminals to be identified. We have partners that we would go to and say, what can you tell me about this IP address? Can you geo it? What can you do here? What can you tell me about this handle? Are they using a ProtonMail, an anonymous mail? Are they using Gmail? Do we have a chance to track it? Are they on any other platform aside from Instagram? Can you give me their handles on Steam, Twitch, any gaming situations, right. So DarkOwl is definitely in the fight, and that’s one of the reasons I’m just so unbelievably happy to be here and privileged to be speaking about this.

Kathy: Steph, you touched upon it a little bit, but interested in how this takes place in our public education curriculum. Back in the day, we were teaching Stranger Danger, and the participant is wondering if, you know, are we bringing these critical dangers from social media into the school setting?

Steph: You know, I don’t have kids in a school setting or a system. I don’t want to speak writ large to that. I’m sure that there are various areas of the country that are trying to take the don’t talk to strangers, don’t go into a white van, don’t take candy from strangers. I am sure that those efforts at certain levels are occurring, but what we need is a national, united one, right? We need a formal mandate to have this curriculum and have these teaching incidents in schools as well as, you know, a church, a mosque, a synagogue. Maybe you could touch on those community places on weekends or nights. Boy Scouts, Girl Scouts, I mean, the opportunities for education are endless. I don’t know of anyone that’s doing them minus individual grassroots efforts, but let’s build on it. That’s the point of this.

Bill: Going to the schools I mean, doing a national mandate. I don’t even know how to get started with that. But a local school, would you do a presentation, say to a school to talk?

Steph: Absolutely. We have parents here at DarkOwl who are definitely well versed and unfortunately are going to probably see these slides and lose a little bit of sleep. But yeah, I think starting at schools petitioning, you know, politicians to change the curriculum, implement these things, these are all potential ideas that we have. And whatever the community comes up with to add to and make them more robust, we’re all ears. Absolutely.

Kathy: In the dark web are there only sightings of individuals partaking in human trafficking? Or have you also seen movements by bigger criminal networks?

Steph: Oh, there are entire networks. There are absolutely networks. Generally speaking, what happens is, much like every criminal conglomerate, they are set up like a business. So your lower-level affiliates, who maybe have that knack for speaking to younger children and attracting them, are sent out to recruit them. But then, you know, it’s horrible to say, but I have to say, you know, those lower-level associates essentially have numbers that they have to hit. They have to get five kids a month, ten kids a month, right? Or else they face repercussions. So that’s the desperation in the criminal chain. One thing I’d really like to highlight is that internationally, because again, this is not just a United States problem, people from war zones are unfortunately horribly targeted, and that is generally by criminal networks. So they will say, okay, for $5,000, I will get you out of X war zone. Okay, here’s your passport. Here are your documents. Meet me at this location and we will transport you out. That is obviously not legitimate. It’s a huge criminal conglomerate. And I want to say that the money from human trafficking is only part of the criminal supply chain. The money that they pay for humans, children, women, boys, you name it, you know, they get that money from, say, online operations like ransomware, selling weapons in some cases. We’ve seen that in the Middle East and Africa. The funds from drugs, the funds from IEDs. Right. I mean, I spent two years in Afghanistan and was former military, and we’ve seen this criminal supply chain, and it is not any different; human trafficking is just another cog in that wheel. It is definitely networks, but it starts small with one individual going after their target and then it builds up.

Kathy: This may seem a little strange, but would you recommend that children say they are 18 on social media when they fill out the birthday sections? Would that make a difference or deter potential predators? If there are accounts that they’re older than they are, or would that be more harmful?

Steph: I would like Bill to take this one too. My input on that to start is that I don’t think they should misrepresent any ages because, listen, young women 20, 25, 18 are still victims of human trafficking. Very much so. It might change the way that they are approached, but I don’t think it’s going to deter them. Again, those actors have mandates and numbers to hit. And I don’t think that saying you’re 18 or 19, if you’re 13 or 14 is going to make a difference. Bill, how about you?

Bill: I don’t think it matters whatsoever. I think they don’t care, as Steph said. I mean, you know, you see signs everywhere about abduction in college bars. There’s signs everywhere that give a text code that if you feel like you’re in danger. But no, I don’t think it matters what age they have on Instagram. I mean, face it, my daughter should never have had this happen based on our age in the first place. I don’t think it matters at all.

Kathy: We hear that TikTok is being used very actively for targeting children. Do we have monitoring as part of this?

Steph: I can’t with TikTok, I absolutely cannot – from where the data flows through to all of the dangers that have been identified to the types of media that’s on there. That is a personal choice. I scream at my nieces and nephews and brothers and sisters-in-law to get off TikTok. But that is a personal choice. And so that would have to be monitoring on the part of the parents, guardians, etcetera, etcetera.

Bill: But what do you say to them to get them off? It’s like everybody. I’ve never used it. What do you say to them to prevent them? I mean, they’re kids. The peer pressure is intense just to share videos and such. It’s just that’s a tough one.

Steph: That’s a very tough one. DarkOwl does not work on TikTok as of right now. That would be part of social media, which we don’t really cover. So I would love to collaborate and have ideas as far as TikTok and how to protect its users, but that’s a really big conversation that’s happening in places. Right? I think there were a couple of efforts to block TikTok. They’ve gone back and forth. You know, obviously there’s some privacy issues there. Citizens would be up in arms. That is a very hard question, but it needs to be discussed. Absolutely.

Kathy: And our last question, Bill, kind of leads in a little bit to the peer pressure and the support. Thank you for your courage to share your story. How did your daughter’s friends react and support her and support themselves? Curious of the support?

Bill: It’s a great question because they didn’t know. They didn’t. We didn’t tell them. I’d say primarily because she really, at that time especially, did not have many friends, her age group. We definitely talked to my ex-wife’s closest friends. I know that they knew about it so they could talk to their kids privately. But yeah, it was a very private issue. It was very traumatic for her. It’s just having those conversations like organically as opposed to doing a big broadcast about it just because of the nature of it. She didn’t really have any friends to discuss it with. Just to be frank.

Steph: Bill, how about, you know, you mentioned your ex-wife’s friends in that community. And how about just the adults in your community? The adults at the school, were they more interested in paying attention after they found out what happened? The ones that you shared it with.

Bill: I don’t know because they’re not my friend group anymore. I would say knowing the women, I know they would have cared greatly and did everything they can to make sure that their kids and then their friends with their kids. I mean, they’re all good people. Everybody was horrified by it.

Steph: Yeah, and I think you’ve made a lot of new friends and garnered a lot of interest on this, Bill. So again, cannot thank you enough. Thank you for sharing your story.

Bill: I appreciate that. I hope I’ve answered all the questions. Well, I guess it’s four years ago and I feel kind of inept as I’m answering some of these questions because some of the details are kind of, it’s been a while and it’s kind of like blocked it off and now comes all roaring back. But I’m glad to do it just because I just want to help anybody I can. And I know you and Kathy, and Dustin’s mission is the same, so I’m more than happy to do this anytime and help anybody I can. If anybody ever wants to talk to me about it, just please let me know.

Steph: I’m going to wrap with, just thank you to everyone, Bill and the audience included. We are very much open to, you know, please contact us on LinkedIn, emails or anything. We want to continue this conversation. We want to have a follow up. And thank you for your time on a difficult subject for sure, but the holidays are coming up. This is why we timed it this way. When kids are off school and on their devices, let’s all just open our eyes a little bit more. So thank you all so much.


Dealing with a similar issue? Contact the FBI.

Guarding Your Wallet: A Closer Look at E-Commerce Fraud Methods Before Black Friday and Cyber Monday

November 21, 2023

In preparation for the upcoming Black Friday and Cyber Monday events, DarkOwl analysts wanted to identify how these events were being discussed on the dark web and whether any scams were emerging around the year’s biggest sales. Analysts used DarkOwl Vision to find mentions of either Black Friday or Cyber Monday on authenticated forums like XSS and Exploit, carding forums, carding stores, marketplaces, and Telegram channels.

Black Friday and Cyber Monday advertisements on the dark web are expected in the weeks leading up to the holiday. However, DarkOwl analysts also predict an increase in various types of e-commerce fraud during the same period, driven by the high volume of consumers taking advantage of November’s deals. In this blog, we first take a quick look at some of the “Black Friday” dark web deals, followed by an overview of the types of fraud typically perpetrated against e-commerce companies like Amazon, eBay, and Shopify.

Black Friday Discounts on the Dark Web 

At this time of year most of us expect a rise in commercials advertising the latest technologies, gifts and household goods, with deals culminating in Black Friday sales. The dark web is no different, with vendors and marketplaces using Black Friday discounts to entice consumers to buy their goods.

On the well-known Russian-language credit card fraud forum WWH Club, vendors are advertising Black Friday discounts on hacked accounts associated with a wide range of companies, from fintech and crypto exchanges to rental property platforms. They claim that everyone has discounts for Black Friday and promise big discounts of their own, although they don’t stipulate what those discounts are. Black Friday discounts of this kind are common across other credit card fraud forums and marketplaces such as Carding Store, Ascarding, Shadowcarders, and others.

The carding forum Shadowcarders also has Black Friday deals, offering up to a 50% discount on credit card databases for several jurisdictions. The vendor claims the data has a 96% validity rate and includes the following PII (personally identifiable information): names (first/last), addresses, and phone numbers.

DarkOwl analysts identified another Black Friday “deal” on a darknet marketplace called Kingdom Marketplace. The product listing provides more detail than the advertisements mentioned above. The post states that the vendor is selling verified PayPal accounts, but also offers methodologies and tutorials to teach a prospective threat actor how to engage in this sort of fraud. These types of offers are commonly observed across darknet and deep web marketplaces.

The dark web economy is known to rely on reputation and reviews, as these are among the only recourses consumers have against rampant scams and exit scams. Even so, it is clear that threat actors also seek to entice potential customers with discounts and deals, just as mainstream stores do.

E-Commerce Fraud 

More and more these days, consumers will conduct their shopping online rather than venturing into busy stores. In recent years this has led to the advent of Cyber Monday for customers to take advantage of online deals. But as more of us move to online shopping, online fraud also continues to rise.  

E-commerce fraud comes in many forms. Some of the most common offerings DarkOwl has observed on the dark web are refunding tutorials/methodologies, hacked accounts, stealer logs, credit card information with fullz, gift card fraud, and the sale of verified seller stores on sites like Shopify and eBay.

Refund fraud is one of the most prevalent types of fraud because it does not take a high degree of technical sophistication to defraud the target. Refund fraud is “the act of abusing a return or refund process for monetary gain. There are many types of return fraud, but most commonly, it consists of obtaining an item from a store (through purchase or theft), and then defrauding the store by returning it for a refund.” It is also a common money laundering tactic.

Refunding services and refunding methodologies are very common on various Telegram channels as well as marketplaces and forums like Kingdom Marketplace, Abacus Market, XSS, Exploit, Cracked, and Nulled.  

DarkOwl analysts discovered a Telegram user known as Bam or Amazon God who sells refunding services as well as methodologies and mentorship for a consulting fee.

Figure 1: Screenshot of Amazon fraudster’s Telegram bio

In the image below, this user advertises Amazon refunding for various regional domains, including amazon.com/.ca/.co.uk/.nl/.de/.pl/.be (United States, Canada, United Kingdom, Netherlands, Germany, Poland, Belgium).

The user also provides evidence of the methodologies they use, as well as success rates and the time it takes for the refund to arrive.

Figure 2: Screenshot of Amazon God’s Amazon Refunding Advertisement including screenshots showing the process
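As an added example, not DarkOwl’s tooling and not code from this post, the script below shows how an analyst might triage a batch of collected forum and Telegram posts against the fraud categories listed above. It tags each post by category, marks holiday-themed promotions, and flags gift-card offers priced far below face value, a pattern common in the Telegram listings discussed in this post. The keyword lists, the 40% “deep discount” cut-off, and the sample posts are all constructed for illustration; they paraphrase the kinds of listings described in the text and are not real captures.

```python
import re
from collections import Counter

# Fraud categories named in the post, each with keywords a triage pass can
# match on. The keyword vocabulary is an assumption for this example.
CATEGORIES = {
    "refund_fraud": ("refund", "refunding", "return method"),
    "hacked_accounts": ("hacked account", "hacked accounts", "prime account",
                        "cracked account"),
    "stealer_logs": ("stealer log", "stealer logs", "with logs"),
    "card_data": ("fullz", "cvv", "card database", "credit card"),
    "gift_cards": ("gift card", "giftcard"),
    "seller_stores": ("shopify store", "verified seller", "ebay seller"),
}
HOLIDAY_TERMS = ("black friday", "cyber monday")

# Matches "89 USD for a 200 USD gift card", "$89 for $200 gift card", etc.
GIFT_CARD_OFFER = re.compile(
    r"\$?(\d+)\s*(?:usd)?\s+for\s+(?:a\s+)?\$?(\d+)\s*(?:usd)?\s+gift\s*card",
    re.I)

# Gift cards sold this far below face value are usually stolen or bought
# with stolen cards. The 40% threshold is an assumed heuristic, not a
# figure from the post.
DEEP_DISCOUNT_PCT = 40.0


def gift_card_discount(text):
    """Return the implied discount as a percentage of face value, or None."""
    m = GIFT_CARD_OFFER.search(text)
    if not m:
        return None
    price, face = int(m.group(1)), int(m.group(2))
    if face <= 0 or price > face:
        return None
    return round(100.0 * (face - price) / face, 1)


def triage(post):
    """Tag one post (a dict with 'source' and 'text') with fraud categories."""
    text = post["text"].lower()
    cats = [c for c, kws in CATEGORIES.items() if any(k in text for k in kws)]
    discount = gift_card_discount(text)
    flags = []
    if any(h in text for h in HOLIDAY_TERMS):
        flags.append("holiday_promo")
    if discount is not None and discount >= DEEP_DISCOUNT_PCT:
        flags.append("deep_discount")
    return {"source": post["source"], "categories": cats,
            "gift_card_discount_pct": discount, "flags": flags}


def summarize(posts):
    """Count category hits across a batch of posts."""
    counter = Counter()
    for p in posts:
        counter.update(triage(p)["categories"])
    return dict(counter)


# Constructed sample posts paraphrasing the listing types described above.
SAMPLE_POSTS = [
    {"source": "WWH Club", "text": "BLACK FRIDAY! Big discounts on hacked "
                                   "accounts: fintech, crypto exchanges, rentals"},
    {"source": "Shadowcarders", "text": "Black Friday -50% on credit card "
                                        "databases, 96% valid, names addresses phones"},
    {"source": "Telegram", "text": "Amazon refunding .com/.ca/.co.uk/.de - "
                                   "mentorship and method for consulting fee"},
    {"source": "Telegram", "text": "eBay gift card 89 USD for a 200 USD gift "
                                   "card, instant delivery"},
    {"source": "XSS", "text": "Selling well reviewed Shopify store, 100K EUR "
                              "sales, 3000 USD"},
    {"source": "Telegram", "text": "Who has the best legit deal on a 4K TV "
                                   "this Black Friday?"},
]

if __name__ == "__main__":
    for p in SAMPLE_POSTS:
        print(triage(p))
    print(summarize(SAMPLE_POSTS))
```

The last sample post shows why the holiday flag is kept separate from the fraud categories: a Black Friday mention alone is noise, and only the combination of a holiday promotion with a fraud category or a deep discount is worth an analyst’s time.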

E-Commerce Vendors Targeted 

DarkOwl analysts discovered a user advertising hacked Amazon Prime accounts that are allegedly valid for one year and come with a warranty. Such advertisements are commonly seen across Telegram fraud channels. Amazon Prime accounts offer a large number of services that actors can use to conduct ongoing fraud, since the account is not associated with their own personal information; this includes purchasing goods as well as streaming services.

eBay is another e-commerce vendor that is commonly targeted by fraudsters on Telegram as well as darknet and deep web forums and marketplaces. 

The following screenshot is from a Telegram fraud channel showing eBay gift cards sold at significantly discounted rates: 89 USD for a 200 USD gift card.

In another post mentioning eBay in a Telegram fraud group chat, DarkOwl analysts discovered a user advertising hacked eBay, PayPal, and Skype accounts with logs and additional PII such as SSNs and bank account details.

In a post spread across multiple darknet forums, a user looking to sell counterfeit gold through a verified eBay seller account sought a partner to sell the counterfeit goods, as the user’s own accounts had been shut down by eBay. DarkOwl analysts discovered the post below on the well-known hacking forum Breach Forums.

One of the more unusual fraud offerings was discovered on the well-known Russian hacking forum Exploit. A user posted on the site in both Russian and English, claiming to offer a Shopify vendor investigative service. The poster indicated that they could provide details of a store, including its customer information and revenue. This information is likely provided so threat actors can target the most profitable stores. The poster charges $5k for the service.

Furthermore, DarkOwl analysts identified a user on the well-known Russian hacking forum XSS claiming to sell well-reviewed Shopify stores with over 100K Euros in sales for 3,000 USD:

Conclusion 

Dark web vendors see the value of discounting their products for Black Friday in much the same way that legitimate stores do. Multiple advertisements have been identified across our monitored marketplaces, which indicates that these deals are popular and successful. We expect to see an increase in these advertisements in the lead-up to and following the Thanksgiving holiday.

As consumers endeavour to take advantage of Black Friday and Cyber Monday deals from legitimate stores, they should be vigilant against ever-increasing e-commerce fraud, which can take a variety of forms.


Curious how your security posture can benefit from darknet data? Contact us.

Silent Victims: Exposing the Cruelty of Animal Abuse on the Dark Web

November 15, 2023
Disclaimer: DarkOwl does not endorse nor support these vendors, sales, or listings in any way. DarkOwl has historically partnered with organizations such as the Global Emancipation Network and Kruger Park to eradicate human and animal exploitation. 

It’s always a difficult topic to research, but calling attention to the dark web forums, markets, and Telegram operations that sell and harm animals is an absolute necessity, to give a voice to innocent creatures and draw legal attention to this cause. Like many things, animal sales have been augmented by the ease and speed of technology and the perceived anonymity of the dark web.

DarkOwl observed recent trends concerning the online sales of animals and animal products in 2021, including sales of reptiles and bears; offering objects made from less-common animal materials such as ivory or exotic fur; and a steady interest in dog fights. 

In this blog, we aim to cover the latest identified trends in nefarious animal activity on the dark web and adjacent platforms to call awareness to these practices as well as the efforts to stop the harm of innocent animals. We have provided a list of online links and resources to contribute to the effort at the end of this blog. 

Actors Attempt to Hide

Selling any live creature online could and should attract the attention of law enforcement and animal rights groups. For instance, dog fighting is illegal in all but five countries worldwide, and there are constant efforts to break up dog fighting rings and the sales of fighting dogs. Selling rare materials from endangered animals, such as ivory, which is often procured by poachers, can result in fines and other legal action. However, actors who participate in these kinds of sales and events know to watch the vocabulary and keywords they use in posts advertising and selling.

Animal abusers know that law enforcement officials and animal rights groups monitor deep and dark web forums and marketplaces for any information that could help shut down illegal animal activity. Usually, advertisements for anything surrounding animals are vague and only offer a preview of the kind of animal for sale or the kind of activity being advertised, with logins and other vetting processes required before interested parties can gain access, in the hope of rooting out investigators and validating user interest:

Figures 1 and 2: Conversations about animal abuses on the darknet found in DarkOwl Vision

Exotic Animals for Sale 

The exotic animal and wildlife trade is another sphere of illicit trade found on the darknet. Illegal wildlife trafficking is estimated to be the third largest illegal business in the world after drugs and weapons. The following findings from DarkOwl Vision introduce some of the darknet’s leading vendors in the darknet wildlife trade community, along with their sources. 

“The Dark Jungle” is an onion site that considers itself “…the dark web’s premier classified site” and offers turtles and snakes, as well as animal products such as fur jackets, for sale. It has been around long enough to have migrated from a 16-character V2 onion address to a 56-character V3 onion address.

Figure 3: The Dark Jungle homepage
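The V2-to-V3 migration mentioned above is a useful check when harvesting onion addresses from forum posts and Telegram channels: a 16-character V2 label can only be recognised by its shape (V2 services are no longer reachable on Tor), while a 56-character V3 address carries a checksum that can be verified offline, which separates real addresses from typos and decoys before anything is queued for monitoring. The script below is an added example, not DarkOwl’s code or anything published on the site. It follows the V3 address layout from the Tor rendezvous specification: base32 of PUBKEY (32 bytes) || CHECKSUM (2 bytes) || VERSION (0x03), with CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION) truncated to 2 bytes. The sample public key is derived from a fixed string rather than being a real Ed25519 key, and the V2 label is invented; neither corresponds to a live site.

```python
import base64
import hashlib
import re

V3_VERSION = b"\x03"
V2_LABEL = re.compile(r"^[a-z2-7]{16}$")
V3_LABEL = re.compile(r"^[a-z2-7]{56}$")
ONION_IN_TEXT = re.compile(r"\b([a-z2-7]{16}|[a-z2-7]{56})\.onion\b", re.I)


def _label(hostname):
    """Lower-case the hostname and strip a trailing '.onion'."""
    label = hostname.strip().lower()
    return label[:-len(".onion")] if label.endswith(".onion") else label


def v3_checksum(pubkey):
    """Two-byte checksum defined by the Tor v3 onion address format."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + V3_VERSION).digest()[:2]


def build_v3_address(pubkey):
    """Encode a 32-byte Ed25519 public key as a v3 .onion hostname."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion public key must be 32 bytes")
    raw = pubkey + v3_checksum(pubkey) + V3_VERSION  # 35 bytes -> 56 base32 chars
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def classify_onion(hostname):
    """Return ("v2", None), ("v3", pubkey) or ("invalid", reason)."""
    label = _label(hostname)
    if V2_LABEL.match(label):
        return ("v2", None)  # deprecated format; nothing cryptographic to check
    if not V3_LABEL.match(label):
        return ("invalid", "not a 16- or 56-character base32 label")
    raw = base64.b32decode(label.upper())  # 56 chars decode to exactly 35 bytes
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != V3_VERSION:
        return ("invalid", "unexpected version byte")
    if checksum != v3_checksum(pubkey):
        return ("invalid", "checksum mismatch")
    return ("v3", pubkey)


def find_onions(text):
    """Pull every .onion hostname out of free text and classify it."""
    return [(m.group(0).lower(), classify_onion(m.group(0)))
            for m in ONION_IN_TEXT.finditer(text)]


def corrupt_checksum(address):
    """Flip one bit of a v3 address's checksum, to show the check catching it."""
    raw = bytearray(base64.b32decode(_label(address).upper()))
    raw[33] ^= 0x01
    return base64.b32encode(bytes(raw)).decode("ascii").lower() + ".onion"


# Constructed sample data: not a real key, not a real site.
EXAMPLE_PUBKEY = hashlib.sha256(b"constructed example key").digest()
EXAMPLE_V3 = build_v3_address(EXAMPLE_PUBKEY)
EXAMPLE_V2 = "darkjungle234567.onion"
SAMPLE_POST = f"new mirror {EXAMPLE_V3} (old v2 {EXAMPLE_V2} is dead)"

if __name__ == "__main__":
    for host, (kind, detail) in find_onions(SAMPLE_POST):
        print(kind, host, detail if kind == "invalid" else "")
    print(classify_onion(corrupt_checksum(EXAMPLE_V3)))
```

A checksum match only proves the string is a well-formed address, not that the service exists or is the one a poster claims; it is a filter for collection pipelines, not an attribution step.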

Darknet-adjacent sites such as Telegram have been used to advertise sites, including clear net sites, that offer exotic animals for sale. Bears are the feature of this June 2023 Telegram post, which offers a link to a website where they can be purchased. DarkOwl will not publish the link, so as not to drive traffic to the website:

Dog Fighting 

Unfortunately, dog fighting has long been a popular pastime, especially in places such as the Philippines. As of 2023 it is still legal in Russia, Japan, Honduras, Afghanistan, and Albania. Even in nations with criminal laws against this activity and fines, many people still choose to engage in dog fighting, and use anonymous platforms to organize and conduct these events.  

The dark web combines its darker sides here: actors solicit drugs for “fight dogs” to improve their performance in fights, merging the underground markets for narcotics and illegal animal activity:

Dog fighting activity continues to gain traction and spread to other geographical areas – Iran and China also have dog fighting rings and sales on Telegram. DarkOwl will not publish the content of the channels. However, below we show some examples of the channel information.  

A Persian dog fighting channel, offering the sale of “war dogs”: 

Figure 4: Source: Telegram

This Russian channel discusses the history of dog fighting in Moscow, and how it has evolved as a sport with an avid fanbase:  

Figure 5: Source: Telegram

People from backgrounds of all kinds participate in horrific activities involving dogs. Not long ago, news broke of a United States Pentagon official leading a dog fighting ring. It’s not just famous people from the movie, TV, and sports industries; politicians and governing officials also get involved, as we can see in the example below from Telegram:

Ear Cropping

Ear cropping is the practice of surgically altering or removing the ears of dogs. The practice is legal for certain breeds in some countries, including the US, where it is justified on hygiene grounds. In other countries, such as the UK, it is illegal outright. The RSPCA reports that it is seeing an increase in ear cropping in the UK due to celebrities and influencers “glamorizing” the look. DarkOwl analysts have identified mentions of this practice on the dark web and adjacent sites.

DarkOwl analysts identified an onion site offering ear cropping videos and examples as of October 2023. It is unclear where these were recorded, or whether it was in a country where the practice is legal, but it highlights that there are individuals who wish to view this type of content.

Deception Methods 

As animal rights activists use technology to combat these activities, online operations turn to methods designed to fool those who legitimately sell animals, such as bringing children or other family members along when making a purchase. On the Telegram channel below, users discuss how some buyers use children or other family members to hide that their animal purchases are actually for fighting:

Online Efforts to Combat Animal Abuse 

There are also many petitions and people identifying harmful practices, such as puppy farming, on these platforms. They combine their efforts on other social media sites, such as Facebook, to spread the word about harm to animals and enlist civilian and government efforts to impose harsher penalties. Below is a Facebook post identifying Irish puppy farmers:

An Australian user also comments on how common puppy farming is, and shares a resource to help prospective pet owners avoid buying from such breeders:

Final Thoughts 

Previously, DarkOwl predicted that, like many other activities, animal trading and the sale of exotic animals and exotic animal materials could move to darknet-adjacent platforms such as Telegram. The trends we see now, in the fall of 2023, confirm that this move to those platforms continues, and that it also includes social media platforms such as TikTok and Reddit. An upside to this trend is that some of these platforms can be monitored and tracked more easily, which may reduce these horrible activities and hopefully bring about the arrests of those involved. Additionally, social media sites are more likely to respond to takedown requests, while little action can be taken against dark web sites.

Despite activist efforts, these online activities will unfortunately continue unless law enforcement and animal groups intervene.

If you’d like to contribute to the effort to stop the animal activities described in this blog, or learn more about general efforts to save animals, please see: 

United States: 

  • The FBI reporting link for general animal cruelty: https://www.ic3.gov/Home/ComplaintChoice 
  • Your local police and local media stations are also valuable resources to call attention to these issues 

Europe: 


To learn more about how darknet applies to your use case, contact us.

Iran’s Role in the New Middle East Conflict

November 14, 2023

Despite claiming a mostly isolated status for the four decades since the 1979 revolution, Iran manages to send personnel and/or weapons to many major conflicts around the Middle East, quietly participating in and shaping world events while retaining plausible deniability. Additionally, its cyber capabilities have grown and improved quickly, meaning it is also able to act in the digital realm while obfuscating those activities as well. As Iran trains guerrilla fighters, trains and funds militias that actively attack Western military bases and personnel in the Middle East, and couples its physical activities with digital aggression, it must be closely monitored and observed to properly understand its growing capabilities and its level of involvement in various conflicts.

Iranian ground activity in Iraq was observed from the beginning of the US invasion in 2003, when coalition forces routinely encountered Iranian influence and weapons. Despite the formal end of coalition efforts in Iraq, Iran has maintained a proxy presence in multiple Middle East conflicts, including active foot soldiers in Yemen, Syria, Lebanon, and other Middle Eastern states and present-day conflicts. Iran has recently sent fighters and weapons to Belarus to support Russian aggression in Ukraine, expanding its operations and support to a European conflict.

Iran’s support for various militant groups with weapons, funds, cyber operations and personnel, in and outside of conflict, is nothing new, which is why analysts are exploring its role, if any, in the current conflict between Israel and Hamas. Dating back to the Lebanese civil war in the 1970s, Iran saw an opportunity to simultaneously support fellow Shiites and oppose Israel. Iran funded the Shiite militias and offered formal training to the guerrilla groups, which cemented themselves as Hezbollah. Iran continued to fund, train, and arm Hezbollah through the conflicts of the 1980s, such as the Southern Lebanon War, and the 1990s, facilitating kidnappings, suicide bombings, and direct military battles along the Israeli border. In the 2000s, Hezbollah established Unit 3800 to target coalition forces in Iraq. During the 2010s, Hezbollah and IRGC forces protected and supported dictator Bashar al-Assad in Syria.

Possible support methods will vary in this latest conflict depending on the potential involvement of other major military powers, the use of drones and other remote weapons, and the digital augmentation of physical attacks, including possible cyber warfare. This blog explores Iran’s recent activity, security posture, and response to the conflict between Hamas and Israel.

For many years Iran has consistently publicized controversial opinions to further its authoritarian views and leadership in the world using its state-controlled media:  

Anti-Western ideas are advertised with galvanizing calls for participants to rise up and join forces to remove Western ideology, culture, and personnel from the Middle East. The current conflict is no different: hybrid physical and cyber components are being utilized, which Iran hypes up and pushes to maintain activity in pursuit of its goal of regaining international status and returning to global-power status, as opposed to the isolated stance it has sustained since the 1979 revolution.

Prior to the October 7, 2023 attack on Israel, multiple news outlets claimed that contingents of Hamas fighters trained at Iranian facilities in September 2023. Considering that Hamas went notably quiet in the months leading up to the attack, with reduced Telegram/online activity, and that leading intelligence agencies reportedly lacked insight into the coming attack, these claims are difficult to substantiate but merit observation.

Hezbollah 

Lebanon-based Hezbollah, whose name means “the party of Allah,” is a Shiite political party and militant group. The group took advantage of the Lebanese civil war to position itself in power in the area.

Party: حزب

Allah: الله 

Hezbollah is anti-Western influence and anti-Israel: 

The Iranian theocracy took to supporting Hezbollah in the 1980s, nurturing it from a low-level, poorly organized militia into the regional powerhouse it is today, with a healthy annual budget. While the exact amount is unknown, estimates from various governments put the operating budget in the hundreds of millions of dollars. Hezbollah’s size is likewise a rough estimate of around 30,000 people, which is impossible to confirm. The group vows to expel Western influence from the Middle East, and uses improvised explosive devices (IEDs), guerrilla tactics, and other asymmetric warfare in its physical operations. Hezbollah also provides Iran with plausible cover to deny involvement in any operations Iran doesn’t want to publicly claim.

Given its ties to Iran, it is no surprise that as Iranian cyber capabilities grew, so too did Hezbollah’s. Like so many other groups during times of conflict, Hezbollah adopted cyber capabilities to augment its physical and psychological operations. Dating back to 2006, Hezbollah launched cyber attacks against multiple countries that supported Israel during the 34-day war. “Volatile Cedar,” a campaign publicly reported in 2015 and widely attributed to Hezbollah, targeted Israeli defense sector websites and assets.

Currently, they have numerous Telegram channels in various languages which promulgate Iranian and Syrian state narratives and propaganda: 

In the current conflict, Hezbollah has physically attacked Israeli defenses and equipment on the Israel/Lebanon border. It has also established Telegram channels specifically for this conflict to show war videos and document events as they unfold, which DarkOwl is actively monitoring:

Kata’ib Hezbollah 

Kata’ib Hezbollah, or the “Brigades” of Hezbollah, is the branch of Hezbollah that operates specifically in Iraq, with limited activity also observed in Syria. It is funded, supported, and trained by Iran as well as by Lebanese Hezbollah. It has involved itself in the Israel-Hamas conflict by declaring war on U.S. entities in Iraq and attacking them in retribution for U.S. support of Israel:

Badr Organization 

The Badr Organization, a Shiite entity also funded and trained by Iran, is another group active in Iraq. Much like Kata’ib Hezbollah, it has entered the realm of public threats by criticizing US support for Israel and threatening US entities in the region:

Houthis 

Ansarullah, “Partisans of Allah” are better known as the Houthis, the name of the tribe from which they emerged in Yemen:  

Partisans/supporters: أَنْصَار 

Allah: الله 

Both the Government of Iran and the militant group Hezbollah provide arms, training, and financial support to the Houthis, a Shiite group of fighters who target Western forces, Jewish residents of the Middle East, and other Middle Eastern nation states such as Saudi Arabia and the United Arab Emirates.

Iran’s Houthi support is measurably less than the support it provides to Hezbollah. Much like Iran, the Houthis rely on irregular, guerrilla warfare tactics to remain elusive and unpredictable, yet effective. The Houthis are based in Yemen and have furthered proxy efforts, launching attacks against Saudi Arabia and other Gulf states from war-torn Yemen. These proxy groups are also involved in the latest Middle East conflict, both physically, claiming drone and missile attacks, and digitally, galvanizing support for Palestine and Islam on Telegram and other chat platforms:

Telegram channels that follow the conflict have also recounted training, drills, and other Houthi activity, bringing the group into the media of war coverage: 

A Yemeni political figure demonstrates how the Houthis also turned to Telegram, and are engaging international parties in the current Middle East conflict:  

In addition to the more infamous Iranian proxy groups, other splinter supporters and lesser-known groups have emerged in both the digital/physical realms and espoused their support for Hezbollah, Hamas, and/or general pro-Palestinian efforts. Accessibility and connectivity make it easy for anyone with a device and connection anywhere in the world to jump into the fray of conflict and espouse their opinions. As this conflict rages on, more groups are expected to emerge. Their actual ties to bodies like the Governments of Iran, Syria, and other groups with an interest in the Middle East region will require diligent research and vetting.  

Conclusion 

Despite its self-described global isolation, which Iran claims is the fault of the US and the UK, Iran constantly involves itself in regional events in the Middle East, whether by funding, training, and arming its many proxy groups, conducting offensive cyber attacks, or both. Considering its decades-long history of involvement, Iran will stay enmeshed in the current Israel-Hamas conflict by arming Hezbollah and Hamas with drones and missiles, propagating pro-Islamic, anti-Western, and anti-Israeli messages on Telegram and other social media platforms, and bolstering support for ridding the Middle East region of Western influence in general.

DarkOwl plans to cover Iranian cyber and physical efforts in more depth in 2024, including Telegram and dark web activities, the Government of Iran’s targeting of its own domestic and civilian population during recent civic strife, the use of technology to track Iranian dissidents, the state of Iran’s cyber program (both state-sponsored and criminal), and more. Make sure to register for our weekly newsletter to get the latest.


Curious how darknet data applies to your use case? Contact us.

Discussing Darknet Adjacent Sites and Narrative Attacks with Blackbird.AI and DarkOwl CEOs

November 09, 2023

Mark Turnage, CEO and Co-Founder of DarkOwl, and Wasim Khaled, CEO and Co-Founder of Blackbird.AI, sat down for a fireside chat to discuss emerging trends with darknet adjacent sites, such as Telegram and Discord, and narrative attacks. Their interview is transcribed below.

Today, Blackbird.AI, the leader in AI-driven Narrative and Risk Intelligence announced a partnership with DarkOwl, the leading provider of Darknet Data, to enable organizations to identify narrative attacks across the dark web. This expands Blackbird.AI’s comprehensive visibility of narrative attacks that today include social media, news, forums, podcasts, and more. The full press release can be found here.

Interview with Mark and Wasim

Mainstream apps like Discord and Telegram are gaining popularity among hackers. Why do you think they are migrating away from the dark web?

Wasim: Narrative attacks are now part of many cyberattacks. Mainstream apps like Discord and Telegram are gaining popularity among hackers because increased law enforcement monitoring has pressured dark web hacker forums. These apps make it easier for hackers to coordinate because apps like Discord and Telegram offer more moderate anonymity but increased accessibility compared to the difficulty of accessing the dark web. It’s also effortless for narratives to proliferate across channels and groups with little friction.

Mark: As Wasim said, there has been a considerable uptick in recent years of marketplaces and forums being “disrupted” and taken down by law enforcement activities on the dark web. For example, Breached Forums, Monopoly Market, and Genesis were taken down just this year. This has led to a lot of mistrust by users on these forums who believe that they are being watched or that their infrastructure is unsafe. So they are looking for other means of communication. Platforms like Telegram are utilized for marketplaces and forums like the dark web, using public channels but also allowing users to have private messaging, giving them more security and anonymity. Platforms like Telegram are much more accessible to users, easily accessed from your phone, and for some users, this is better than configuring your TOR browser, etc. Telegram also traditionally has not cooperated with law enforcement. Using dark web adjacent sites can also give the appearance of legitimacy, as legitimate users can often use these. Groups like left and right-wing extremists use these channels and surface web forums. Also, groups like the Taliban are active on these sites.  

The dark web allowed anonymity but was difficult to access. How do Telegram and Discord offer hackers more moderate anonymity but increased accessibility?

Wasim: The dark web allowed anonymity but was difficult to access. Telegram and Discord offer hackers more moderate anonymity, but the improved accessibility of mainstream apps makes them attractive alternatives.

Mark: While the dark web continues to be an area where criminals congregate to sell goods and discuss illicit activities, we are seeing other platforms emerge as also being used by these groups. Many of these chat platforms and networks include legitimate channels and communities and could even be casually considered a form of ‘social media.’ Despite this, DarkOwl refers to chat platforms such as IRC, Telegram, and qTox that have considerable use by darknet cyber criminals as ‘darknet adjacent’ for their role in persisting illicit goods trade, fraudulent activities, and cybercrime. 

What are some examples of narrative attacks and disinformation that can spread about companies?

Wasim: Examples of narrative attacks and disinformation aimed at companies include spreading misleading or outright false information about harmful products, leadership misconduct, unethical business practices, or other damaging claims.

Mark: Regarding nation-state examples, with the emergence of the Russian invasion of Ukraine, messaging apps have become an essential means of communication between militant groups and sharing information/disinformation with wider groups of people. Wagner, the Russian PMC group, also uses Telegram. These sites have a much larger reach than the traditional dark web sites.  

How can narrative attacks and disinformation about a company’s products be harmful?

Wasim: False claims about product defects, safety issues, or performance can erode consumer trust. This may discourage purchases. Correcting false claims is difficult if disinformation has spread widely online or in the media. Lost revenue and reputational damage can result. Narrative attacks and disinformation targeting a company’s products can inflict significant harm by eroding consumer trust and tarnishing brand reputation. Misleading or polarizing information quickly goes viral in today’s hyper-connected world, leading to a cascade of negative effects such as plummeting sales, increased customer churn, and even regulatory scrutiny. The long-term impact can be even more damaging because once a narrative takes hold, it can be tough to change, causing lasting harm to market share and growth prospects. In the worst-case scenario, a successful disinformation campaign can trigger a crisis of confidence among stakeholders, ranging from customers and employees to investors, severely undermining the company’s competitive standing and even jeopardizing its existence.

Mark: I would add that due to all those examples, disinformation can even lead to legal action against a company in some cases. On the darknet, we see disinformation-as-a-service frequently. It is definitely on the rise. Threat actors trade social media accounts and their influencers – accounts sold in bulk that could be easily leveraged for disinformation or misinformation campaigns by a foreign government or agency with malicious intentions. There are several examples the DarkOwl team has found where a threat actor group offers for a fee to erase news, website pages, results from search engines, YouTube videos, and negative comments on forums and create posts, reviews, and news to positively or negatively affect a company.

How do narrative attacks target politicians, thought leaders, and company leadership?

Wasim: Conspiracy theories and false and inaccurate narratives about executives can undermine their credibility and leadership. False claims about illegal or unethical actions by leaders can also trigger costly investigations or lawsuits, while share prices may fall due to uncertainty. The company may have to spend significant resources defending and communicating the truth.

Mark: The darknet is a known playground for disinformation campaigns, and its users are wise to detect disinformation, especially across anonymous image boards where several controversial groups like QAnon participate. The team wrote a blog a while back where one anonymous user on endchan advised, “Don’t be fooled by disinformation. They almost always use truth but wrap it in disinformation,” noting the prevalence of outrageous conspiracy theories historically across the internet. 

This interview continues diving into narrative attacks on the Blackbird blog here.

About Blackbird.AI

Blackbird.AI helps organizations detect and respond to threats that cause reputational and financial harm. Powered by their AI-Driven Narrative & Risk Intelligence Constellation Platform, organizations can proactively understand risks and threats to their reputation in real time. Blackbird.AI was founded by a team of experts from artificial intelligence and national security, with a mission to defend authenticity and fight narrative manipulation. Recognized by Forrester as a “Top Threat Intelligence Company,” Blackbird.AI’s technology is used by many of the world’s largest organizations for strategic decision-making.


Questions? Please contact DarkOwl or Blackbird.

The Importance of Tracking and Monitoring Cyber Threat Actors

Introducing DarkOwl’s new addition to our Vision UI platform, Actor Explore

November 08, 2023

Introduction 

In today’s digitally driven world, the landscape of cyber threats is ever-evolving and increasingly sophisticated. As businesses and individuals become more dependent on technology, the need to protect sensitive data and critical infrastructure from cyber attacks has never been more critical.  

One effective approach to enhancing cybersecurity is to track and monitor cyber threat actors. These are the actors responsible for conducting attacks: individuals or groups with malicious intent, often targeting organizations, governments, or individuals. Understanding why they are operating, what they hope to achieve, and what methodologies they are using can assist analysts in protecting infrastructure and predicting future activities.

Why Are Threat Actors Important

Motivations for conducting these attacks can vary greatly from financially motivated to espionage threats to geo-political events, just to name a few. It is important to understand the motivation of threat actors as this can help identify what they are trying to achieve and what threats they might pose to certain organizations, industries or even countries.  

Identifying and monitoring the tactics, techniques, and procedures (TTPs) of cyber threat actors is also an important step in gaining insight into actors’ strategies. This information can be invaluable in understanding how attacks are executed and identifying potential vulnerabilities in an organization’s defenses.

Attribution is the process of determining the real individuals behind an attack. Knowing who is responsible for an attack not only helps with law enforcement efforts but also serves as a deterrent. When malicious actors know that they can be identified and held accountable for their actions, they may think twice before engaging in criminal activities. However, true attribution is not always needed: knowing what activities a group is conducting and who their victims are can help us understand what will happen next and learn for future attacks.

Actor Explore

Today, DarkOwl has launched Actor Explore, which allows users to review analyst-curated insights into active threat actor groups on the darknet and beyond. We explore the motivations behind the groups, the tools they have used, and searchable attributes to pivot on within DarkOwl Vision. Here we explore three of the groups available in Actor Explore and the motivations, methodologies, and TTPs that they use.

Anonymous Sudan 

Anonymous Sudan are a hacktivist group who are very active on Telegram, running their own channel which regularly publishes details of the attacks they are undertaking and re-posts information from affiliated groups such as Killnet.

They appear to be politically and religiously motivated, targeting countries or organizations they perceive to be anti-Muslim or pro-Western. However, security researchers have hypothesized that the group is backed by Russia, given their links to pro-Russian groups, their way of operating, and the financial backing they appear to have.

Figure 1: DarkOwl Actor Explore result for Anonymous Sudan 

The group emerged in early 2023, when they began to conduct distributed denial-of-service (DDoS) attacks against organizations in Sweden and Denmark. DDoS appears to be the main method of attack they have adopted, and they often evidence their success by posting images of the downtime of their victims’ websites.

The group’s current Telegram channel was created in September 2023, when they claimed that their original channel had been banned by Telegram. In response to this, they attacked the Telegram website and caused issues and downtime for Telegram users. The attacks appeared to continue throughout the month.

Later that month the group targeted a number of US companies, including Netflix and Hulu, which it stated was a response to US interference in Sudanese internal affairs.

Figure 2: Anonymous Sudan Telegram channel 

In response to the Hamas incursion into Israel, Anonymous Sudan pledged their support to Palestine and announced that they were attacking “some critical endpoints in the alert systems of Israel, which may affect the Iron Dome.” The post was made in English and Arabic; previously, several posts had been in English and Russian. The group went on to target the Jerusalem Post, as well as “western” news outlets it claimed were sharing fake news, such as the New York Post, the Washington Post, and the Daily Mail. At the time of writing, the attacks have predominantly been aimed at US corporations.

Figure 3: Anonymous Sudan Telegram channel 

This group has shown capabilities that allow them to take high-profile websites offline for varying periods of time. While they appear to be politically motivated and claim to be from Sudan, researchers have cast doubt on this, highlighting why it is important to understand a group’s motivations, what activities they are conducting, how they are operating, and with whom. DarkOwl continues to track the activities of this group.

0xCee

Figure 4: Telegram ID for 0xCee 

0xCee is an initial access broker (IAB) who is active on Telegram. They use a bot on their Telegram channel to verify that a user who wishes to join is not a bot. This is a level of sophistication that most Telegram channel administrators do not exhibit.

The user is active on several Telegram channels where they have participated in chats and shared information. DarkOwl analysts have been able to identify the user profile for the individual as well as their private channel used for selling access; building up this identifying information allows analysts to monitor the activity of threat actors.

Some of these channels have been used to advertise the access that the actors have; they provide specifics about the pricing as well as details of how many times they are willing to sell the access.

DarkOwl analysts have seen other Telegram users claim that some of the data they purchased was old, and that they were not happy that they did not have the access that was advertised. 0xCee refused to provide any refunds on the data and insisted that it was used incorrectly. Reputation is very important in darknet markets, as most purchases are made on faith. Therefore, understanding these interactions can help analysts assess the risk posed when an IAB advertises access to an organization.

APT Groups 

Advanced persistent threats (APTs) are considered to be highly sophisticated threat actors who usually operate over a prolonged period of time. The motivations of an APT can often dictate how they operate: those committed to espionage try to hide their activities, those seeking to obtain intellectual property may be less concerned, and those that are financially motivated may publicize their activities through ransomware attacks, such as the Lazarus group, which was widely reported to be responsible for the WannaCry ransomware attacks in 2017.

While APT groups are difficult to track, and are generally identified via the TTPs they use rather than communications on darknet forums or platforms such as Telegram, it is possible to identify common signatures that they adopt which can assist with attribution. Identifying commonalities among victims can also assist analysts in identifying the origin of an APT as well as their possible motivations; this can also be assessed by reviewing what information has been accessed or exfiltrated.

DarkOwl analysts track the tools utilized by APT groups, as well as details of victims, CVEs, and the dark web footprint of actors. Using open-source intelligence as well as our darknet collections, details relating to these groups are tracked to assist analysts with their attribution efforts.

Figure 5: Screenshot of APT10 Threat Actor Group Profile in Actor Explore

Conclusion 

True attribution is very difficult to achieve, and some Cyber Threat Intelligence Analysts would argue that it is not important. However, tracking available information about threat actors such as their motivations, TTPs, victims and activities can provide valuable intelligence which allows analysts to predict behavior and take proactive steps to protect their organizations.  

DarkOwl sees the benefit of this information and has therefore created Actor Explore to provide our users with intelligence relating to threat actors active on the darknet and the wider threat actor community. This latest feature is designed to empower security professionals, researchers, and organizations with analyst-curated information about threat actors, enhancing their ability to understand and combat cybersecurity threats effectively.


To learn more about Actor Explore, contact us.

Threat Intelligence RoundUp: October

November 01, 2023

Our analyst team shares a few articles each week in our email newsletter which goes every Thursday. Make sure to register! This blog highlights those articles in order of what was the most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. North Korea Poses as Meta to Deploy Complex Backdoor at Aerospace Org – Dark Reading

Threat actor group Lazarus has crafted a new backdoor used in operations targeting the aerospace industry. “LightlessCan” is a RAT, and Lazarus members are spreading it by impersonating Meta recruiters on LinkedIn. The actors send “coding challenges” said to be “for a job interview,” which victims download to both their company and personal devices, spreading the malware. Read full article.

2. Magecart Campaign Hijacks 404 Pages to Steal Data – Dark Reading

Magecart is inserting malicious code into the HTML pages of various websites, with a focus on the food and retail industries. Magecart is an umbrella term; the collective comprises several different criminal actor groups who employ skimming and custom malware to steal PII and financial information from e-commerce websites. One of Magecart’s skimmers, Kritec, successfully impersonated third-party vendors like Google Tag in the spring of 2023. Article here.

3. US energy firm shares how Akira ransomware hacked its systems – Bleeping Computer

Akira actors first used stolen VPN credentials from a third-party contractor’s account to access internal BHI networks. This same account was used to conduct continued recon of the internal network. It took the actors just over a week (nine days) to take 767,000 files/690 GB of data. Exposed data included full names, SSNs, DOBs, and more PII of BHI customers. Read more.

4. Ukrainian activists hack Trigona ransomware gang, wipe servers – Bleeping Computer

The Ukrainian Cyber Alliance (UCA) used CVE-2023-22515, a Confluence vulnerability, to escalate privileges and access Trigona’s Confluence server. They gained insight into the infrastructure and published Trigona’s support documents, exfiltrated the developer environment and information pertaining to Trigona’s crypto payments, as well as the back end of Trigona’s chat service and blog/leak site details. After collecting all the information, UCA defaced and deleted Trigona’s site. Read here.

5. Savvy Israel-linked hacking group reemerges amid Gaza fighting – CyberScoop

Israeli hacking collective Predatory Sparrow recently reemerged after taking time off from digital operations. This group, who has historically targeted Iran, posted in Persian in their Telegram channel on Monday, October 16, asking if their followers were “…following what is happening in Gaza.” They also shared a link to Iranian Mehr News Agency, which was down at the time. Learn more.

6. KillNet Claims DDoS Attack Against Royal Family Website – Dark Reading

KillNet caused the UK Royal Family’s website to be unavailable for 90 minutes on Sunday, October 1. KillMilk, the leader of KillNet, called the incident “an attack on pedophiles” – a reference to Prince Andrew’s ongoing scandal. Fueling the fire, Britain’s King Charles had recently condemned the Russian invasion of Ukraine in a public speech, and KillNet attempts to exact retribution on those who speak out against Russian actions. Read full article.

7. ALPHV ransomware gang claims attack on Florida circuit court – Bleeping Computer

ALPHV ransomware gang claimed responsibility for an early October attack against northwestern Florida courts. The attack possibly revealed social security numbers and other personal information of the court employees, as well as judges themselves. ALPHV also claims to have a network map of the court’s online systems, which likely includes credentials, leading to further network infiltration and possible lateral movement. Read full article.

8. BianLian extortion group claims recent Air Canada breach – Bleeping Computer

Ransomware group BianLian successfully breached Air Canada with their ransomware, claiming 210 GB of data. Air Canada acknowledged an incident in September 2023, but said that the stolen information was limited. BianLian shared screenshots on their ransomware page indicating that the employee data was only a part of what they stole, and that they also had technical information, such as an SQL database. Learn more.


Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.

[Webinar Transcription] Exploring Emerging Trends in Cybersecurity

October 31, 2023

Or, watch on YouTube

As the digital landscape continues to evolve, so do the threats that target it. Staying ahead of cyber adversaries requires a deep understanding of the latest trends and innovations in the cybersecurity space.

In this webinar, DarkOwl CEO, Mark Turnage and Socialgist CRO, Justin Wyman explore a variety of critical topics shaping the cybersecurity landscape:

  • Key VC Raises in Cybersecurity: Capturing Industry Attention
  • Understanding the Major Players: Who’s Raising the Stakes
  • Harnessing Security Solutions: How Organizations Protect Their Assets
  • Addressing the Talent Gap: Scaling with Data Aggregators and Services
  • Pioneering the Use of AI: How do LLMs and AI Come into Play

For those that would rather read the presentation, we have transcribed it below.

NOTE: Some content has been edited for length and clarity.


Kathy: Thank you for joining us for today’s webinar exploring emerging trends in cybersecurity. Before we get our topics, begin our topics today, I’d like to turn it over briefly to Mark and Justin to give a brief introduction of themselves and their companies.

Justin: Hi, guys. Nice to meet you. Wyman, Socialgist is the name of my company. I’m the Chief Revenue Officer. We are a provider of open source intelligence. We’ve been doing so for the last 22 years, and I’m excited to be here.

Mark: Hi, I’m Mark Turnage. I’m the CEO and Co-Founder of DarkOwl. We are a company that specializes in the darknet, and specifically in extracting data from the darknet and providing it to our clients and working with partners like Socialgist to provide a broad view of open source intelligence, including that of the darknet.

Kathy: Great. Thank you both. Prior to diving into our topics today, Justin and Mark wanted to take a moment to comment on the Israeli and Hamas conflict happening presently.

Mark: I’m happy to comment. You know, when the conflict broke out on October the 7th, we immediately started looking at content in DarkOwl’s database that was relevant to the conflict, either pro-Israeli, pro-Palestinian, pro-Hamas, and we pretty rapidly triangulated on about 400 Telegram channels that are actively covering the conflict. And we’ve been monitoring those channels throughout, directly ourselves and generating some content which is available on our website, and also supplying that to our clients. And it gives them a different perspective than what you see on the front page of many of the newspapers. I will comment, we published a blog very early in the conflict that noticed that amongst the most prominent Pro-Hamas Telegram channels, they went quiet for several weeks before the attack. Unusually quiet. We don’t have an explanation other than they were distracted, they were planning, they were getting ready, or they had been told to go offline. But we did detect that in the lead up to the attack, there was considerably less activity on those Telegram channels than was normally the case.

Justin: I would say when you see such a horrible thing, it’s really hard to process, especially because in the space that Mark and I occupy, Israel is a big component of it. Technology companies and cybersecurity are founded in Israel all the time. Some of the leaders in the space. So it gave an extra personal feel, if that’s even possible. When you see these types of things, when you know the people that are directly impacted by it at a different level. And then I thought it was comforting to see that we could in some way help with our information, help the helpers, essentially. And Mark, I got to say, I thought the DarkOwl content was fantastic. To help show examples of how OSINT intelligence can help prepare for these types of things and deal with them frankly.

Kathy: Thank you both. Now we will begin with our first topic.

Key Raises in Cybersecurity: Capturing Industry Attention

Justin: So let me talk at a high level. What is happening? If you look at VC and cybersecurity over the last couple of years, it’s declining, which normally I think would be a bad thing if you didn’t realize it was declining from a peak bubble that happened during the pandemic. So you can say things are down 30% from last year, which is down another 30% from last year. It really, honestly, to me just seems to be returned back to normal. You see a lot of companies having some very specific raises, we’ll get into and you’ll see some combinations, you’ll see some coverage. But I think that the cybersecurity industry should feel that there’s been a correction that was due because you’re in a bubble. But now we are in a place where things are normally operating. The space is growing and investment is happening as well.

Mark: Yeah, I’ll just echo Justin. The investment into the cyberspace, go back say three years, was just red hot. It was at levels that I didn’t think were sustainable. And oftentimes at valuations that I didn’t think were justified. What has happened as the economy has gone through a fair amount of turmoil over the last year and a half is that those valuations have reset, and the level of investment is what I would normally expect in a pretty healthy sector that is still growing. Overall funding is down. I think it’s down 30% year on year. Valuations are down. The interesting thing is that companies that are still growing and companies that are profitable are still getting healthy inbound investment. Just yesterday, by the way, Censys announced a $50 million raise, a small company out of Israel raised $4 million. I mean the raises come in regularly. They’re not at the valuations that we saw, say 2 or 3 years ago, but they are still happening. And they are particularly happening with very healthy companies.

The other trend, by the way, that I’ll mention is any time you have an economic reset, which is what we’re experiencing right now, it forces consolidation in the market. You know, scale matters, size matters, sophistication matters. Go-to-market strategies and the ability to reach your market matters. So whereas before a small startup could have raised successive rounds of value, of money, of capital at ever increasing valuations against, you know, maybe skinny performance – those days are gone and they’re likely to be an acquisition candidate for another company. And we’re seeing this – large companies are pretty active in the M&A market right now as a result.

Kathy: Based on that, a question has come in. What changes do you foresee over the next coming year?

Justin: Let me start with one of the public markets because that leads things. So in the public markets, you’ll see a lot of leading cybersecurity companies up double digits this year, more than the S&P 500. CrowdStrike is a good example. They’re up 70% year to date. As an example, Tesla is only up 80%. Apple’s only up 36%. So that’s not market forces. That’s industry forces: the problem with cybersecurity is growing so rapidly. The things I think you’ll see over the next year would be companies that have a growth plan, getting more funding and moving into new markets. I saw that already with OSINT Combine. There’s a company with a very good Australian presence going to the North American market. Full disclosure, they’re friends of my company and DarkOwl – so maybe we’re a bit biased there.

You’ll see some people getting acquired by PE firms, which is an idea of, again, operational excellence that might be a different component than things, say, in a bubble where instead of doing a PE acquisition, you would raise a bunch of money and see if you could sell and market your way out of it. The other thing I’ve noticed that I think will come is more legitimacy and standardization. Frost and Sullivan has created industry coverage for the first time on a lot of these companies. You’ll see certification tracks coming out of industry organizations like Osmosis. So I see it as a big step forward in the maturity of this space. There’s always startups, there’s always guys in the middle, and there’s always the big guys, and you want to have enough of them to create an ecosystem where you can ultimately meet the consumer need.

Mark: I couldn’t agree more. The way I would have described the cyber security industry two years ago was an awkward teenager. And it’s moving to young adulthood. It’s maturing. It’s growing up. It’s actually starting to understand what its own limitations are and what it can and cannot do. And I would just echo Justin and say, over the next year, we’re going to continue to see consolidation – more and more mergers, more acquisitions. It has always amazed me, just as an aside, that the largest cybersecurity companies in the world still only measure their revenues in single digit billion dollars. Those are the largest. And then it falls off pretty quickly from there. And given the size and importance of the problem, this is an industry that is ripe for what you just identified, Justin, which is growing up, consolidating, becoming more professional, working against known certifications and known standards. And by the way, known regulations because the regulators have arrived.

Justin: Mark, that McKinsey report we’re referencing before about just how breaches are supposed to go up 300% from 2015 to 2025 also noted that to your point about revenue, that the vendors in the space right now make up a 10th of what they think the overall revenue is going to be in the next ten years. So yeah, teenager growing up is a great analogy, meaning there’s just so much. There’s some stability being built in, but there’s still so much more to grow up.

Understanding the Major Players: Who’s Raising the Stakes

Mark: Well, I think in the world of threat intelligence broadly, there are a couple of very large players – Recorded Future comes to mind, Flashpoint comes to mind, Intel 471. There are a bunch of these players. Interestingly enough, every single one of those has been acquired over the last 3, 4 or 5 years by large private equity firms that have, as a strategy, explicitly what Justin was talking about, grow these companies up, make them larger, make them professionalize their operations, give them global scale and global reach. And then below that you’ve got a whole range of companies and these are small- to mid-size. Some of them are just start-ups who are looking at problems from a different angle. And there has been a lot of activity, both in terms of fundraising into those companies as well as acquisition. I mean, one that comes to mind is Maltego. Maltego was acquired by a private equity firm at the beginning of this year, and that’s a well known, well established platform that is used across the industry by a number of different companies and users. And in my view, that was a really smart purchase by the private equity firm. What else is going on Justin that you’re seeing?

Justin: A company I recently became familiar with at a conference was Fivecast. They raised 20 million. They were an Australian based company looking to really expand their sales and marketing into North America. They feel their perception, not mine or based on conversations, that they feel they have their product completeness to the point where it’s time to go see if they can compete against the bigger guys in the space. Now Cobwebs, another huge player in the space, just joined Chainlink. Those are other things I’m seeing.

Another one we were talking about, Mark, is Palo Alto Networks buying Dig this morning as a sign of just a major player adding in a feature capability. So, you know, this is following the classic playbook – where you watch Oracle and Salesforce go after each other and then add on competing bolts. Again, another idea that you have a very well established market that you can operate in. If you have operational excellence, you can really succeed.

Mark: Another example of that, by the way, is Proofpoint yesterday announced the purchase of Tessian and we’ll come on to it. Tessian is an AI provider that will significantly enhance Proofpoint’s products. And so you’re starting to see that happen at a pace that I have long predicted. But really I think this economic climate has accelerated.

Harnessing Security Solutions: How Organizations Protect Their Assets

Justin: I’ll start as I always do, with a little bit of data. Fraud is still massive. The biggest issue that every organization is dealing with – it’s coming from social media, it’s coming from internally. I talked a little about this McKinsey report, but again, I’ll say it again because it’s such a massive number. They think that breaches damage is going to increase 300% by 2025. The other one that I looked at was a survey of mid-sized companies suggests that threat volumes will almost double from 2021 to 2022. So that’s 100% growth in one year.

What they’re doing to protect their assets – my concern is with their employees. So I’d love to hear your thought on this, Mark.

Mark: Just a small data point from DarkOwl – we track where visitors to our site go and what pages they dwell on. The most common feature across our website is our fraud webpage and content on fraud. That speaks to the nature of the problem.

I’ll just say two things. One is we are all excited as an industry about AI. We’re excited about new tools, about new capabilities that exist. So are the threat actors. They’re using all of the same tools, all of the same capabilities to actually scale and professionalize their own operations. But, you know, going back to your point, Justin, the biggest threat to many companies continues to be their own employees, whether that’s actual outright fraud or just mistakes that employees make that open up the company to potential attack and fraudulent attacks.

Justin: I believe that was the logic behind the Tessian acquisition is just the amount of people that have exposed their companies by literally emailing the wrong person. That seems to be a problem that should be quickly solved through some proper technology application.

Mark: I mean, I’m amazed. I’m actually amazed. Look, I mean, CEOs are susceptible to this as well. And in fact, I mean, go to any OSINT training seminar and they’ll tell you the most vulnerable people or the easiest to attack are the C-suite, because they’re the ones who are the sloppiest or the least attentive to security. That continues to be the case, but it permeates the entire organization.

Justin: The other thing I’ve heard is that key figures, usually execs, because there’s so much information, that they’re much more easy to manipulate. Voice manipulation takes a lot of samples of data. So the bigger the sample, the easier it is to manipulate the voice, is the other thing I would talk about. And then the last one I noticed was people just kind of really trying to do the best they can to understand their supply chains. If employees are people accidentally sending information out, supply chains are people sending information in, and these are business partners that you rely on, your suppliers. So it’s very easy. Those are very weak points in a system to kind of create havoc if you’re not prepared.

Mark: There’s absolutely no question. The pandemic taught us that supply chains matter and supply chain vulnerability is mission critical. And to Kathy’s question of how organizations protect their assets, it’s not only protecting your own assets, but protecting those critical assets of your vendors who are critical to the provision of your product or your services as an organization, which is why you’re starting to see these third party and vendor risk management companies come into their own in terms of their level of maturity, because especially very large, complex organizations need to pay attention to their supply chains.

Addressing the Talent Gap: Scaling with Data Aggregators and Services

Mark: The interesting thing about the talent gap is that the cybersecurity industry for years has complained about lack of talent. I think the statistic I continually hear is something like half a million unfilled cybersecurity jobs worldwide. And that number has held pretty steady for the last number of years. We’re in an environment, though, where many of the companies in our sector are actually laying people off. So how do you square those two contradictory statistics? Well, one way to square them is exactly what Justin said earlier, which is many of the companies that are laying people off were hiring at a clip that was unsustainable just as recently as 2 or 3 years ago. So you’re coming back to a sort of a more normal track. My sense is that there is still plenty of demand in the marketplace for people who have cybersecurity experience, whether it’s developers or product people or otherwise. But yes, there is a gap and I think AI is going to help fill that gap. What do you think about that, Justin?

Justin: I absolutely do. Let’s talk about the two things like data aggregators and services. Start with services because Mark and I have a data aggregation stake in this fight. But on the services component, when I work in the space, what is interesting to me is the people come from all different backgrounds: military, private, etcetera. There’s no “you go to school to become a cybersecurity expert.” So that’s a very big problem. But it’s a problem that is being solved, I think. When we were all at OsmosisCon, which is an association of these professionals, they’re creating certifications. They’ve created a conference so people can come and share tips and tricks. And that’s just one of many. So I think it’ll get easier and easier to bring people into the space and give them the certifications that show them that they’re qualified, because right now it really is, due to the nature of the sensitivity of the issues and how people come, like, who do you know that you can trust? Which makes sense in the beginning. But over time, you have to figure out how to scale your business. So I see a lot of services being created to help with that.

Then on the data aggregation side. As a data provider, technology provider in this space, it’s amazing to me how big the problem is, right? These people are searching for needles in haystacks and the haystacks are growing, and so the only way you can solve them is through aggregation. And that’s basically at any point in the value chain. So if you’re creating a piece of software that allows analysts to hunt for threat actors, well, you’re probably going to use data from many different sources because the haystack is too big for you to do it yourself. Then if you’re actually looking and searching and doing the analysis on top of the data, these tools will allow you to search more efficiently. If you go back to Mark’s Telegram example about things going silent before an attack, as these technologies get better, you know you won’t have to go, “Huh? Why are these silent?” These things will go, hey, there’s an interesting activity here. The volume of these things has really dropped off. Why? And that’s a way that people will be able to not only look in the haystack more broadly, but faster, have things suggested to them. So I think ultimately the space will be fine. Again, I can’t stress this enough, we are coming off a bubble, and that generally means people aren’t behaving how they should behave. And so to correct that, you have to lay some people off. But now that we’ve had this baseline, people go back to building their businesses mostly based off of the value they provide in the market. And as we’ve shown, the value is only growing, meaning the threats are only increasing dramatically.

Kathy: Based on that, we’ve had a question come in: We have seen a lot of layoffs in the space recently. And can you address how this does affect the talent gap?

Justin: Positive half glass full spin would be – when you have layoffs in an industry where it’s growing, it’s because those people are in a place where they weren’t effective. They weren’t doing the things that needed to be done to keep the business on its goals. So when you take an experienced person and you separate them from a business that no longer needs them in a growing space, they should be deployed in a better space where they are more impactful. Right. This is the efficiency of markets happening. So I think these gaps will take the people that were places where they weren’t as useful and put them in places where they will be much more useful and create a world where they’ll be, again, more coverage.

Mark: Not to disregard the dislocation that necessarily occurs when that happens, if you’re the individual who’s affected, it can be quite difficult. But I agree with Justin that on aggregate we’re not seeing employment in the cyberspace decline. It still continues to increase.

Pioneering the Use of AI: How do LLMs and AI Come into Play

Mark: The big issue that both Justin and I have discussed in the past is anytime you bring an LLM to a problem, it needs a data set to sit on, to learn that problem in order to be effective. And so what becomes the most critical in that is the data we aggregate – darknet data. Socialgist aggregates open source data across a variety of different platforms. Those data sets become extremely valuable and extremely important in the application of an LLM to address or learn about a specific problem. And you know, in the case of DarkOwl, I can speak to that, our data set has been aggregated over 5 or 6 years. That’s not something that you can just recreate overnight if you’re a new company coming into this space or somebody looking to utilize AI. The same I’m sure is true for Socialgist. So it’s a very interesting insight into the power of the underlying data that any organization has in terms of addressing the problem via an LLM.

Justin: And I totally agree with everything Mark just said. I think the other thing to think about is how much easier it is to get value out of the data with LLMs, and how in general, the biggest thing you’re going to see in the software world, the biggest constraint, is going to be software engineering capacity. Every company in the world wishes they had more software engineers because it’s hard to do things like connect a data set into an analytics platform. It’s very technical work. These engineers now are doing work 40% faster, so it’ll be easier to make progress and solve problems when you put these types of applications together. What that should mean is that you should have in the long run, and again, marginal dislocation is hard and things need to change and we have to cross the chasm and all these sayings, but what we’re really talking about is in the long run, things should get cheaper with technology and things should also get better. So the data sets that we ship to our clients that are working very hard to get incredible insights out of it should be able to get insights out of it faster and better and cheaper because they need fewer engineers. And then the tools to analyze these data sets should only get more powerful as well. I really see there will be an area where, you know, there’s different segments in our space, right? There’s the people that are at these big companies, and they have all the budgets in the world, and they have the fanciest tools, and there’s people below that, and there’s people literally using their cell phones to track people doing medical research. Those people should get increasingly better tools that will make them much more effective. So we’re talking about the capability of people with less budget getting much more effective, which I think really creates a much better world.

With the caveat that the other guys have it too. So there’s always a push and pull, but I see a lot of positive headwinds in the long run with AI.

Mark: I mean look, you know it’s going to increase, as Justin said, productivity per worker significantly. And the comment that I heard recently in a conference was, you know, AI will be tremendously dislocating of many types of employees and many types of groups, but the world’s going to divide itself into two camps: those people who know how to use AI to make themselves more productive and those who don’t. And that’s the digital divide that we’re actually hurtling towards. I’m deeply optimistic, personally, about what I can do across multiple different fields, but starting with our own field in cybersecurity – I’m very optimistic about it.

Kathy: We’ve had another question come in and an attendee is interested to know “Will DarkOwl and its peers sell their data sets to companies?”

Mark: Good question. We’ve been approached by a couple of companies, and we’ve done our own early work on putting an LLM onto our own dataset. I suppose I should put on my businessman’s hat and say it depends on the price. Yes, it depends on the price. But it’s not something that we’re going to do loosely or without a lot of thought. Because once that data is out there under somebody else’s LLM, obviously the data is available to whoever has access to that platform.

Justin: It depends, I think, is a good answer. I think the thing to understand about perhaps my company, Mark’s company, is like, you know, our mission is to extract information from the world’s online conversations, and if you can help us with that mission, because we’re very serious about it for the reasons we’ve discussed throughout this whole thing, we’re seriously going to talk about it. Now, there’s sometimes choices that make decisions. There’s sometimes choices that make that not the case. And there’s always a lot of nuance. But at a high level, if you help us with our mission and the business makes sense, then that would seem something that should happen. But also, Mark, you touched on a really interesting point of, you know, I do think data companies like ourselves are also going to explore training with our own LLMs too, to have the full picture. So I think the key is as long as LLM capability is used on these data sets to make the world a better place, we’re for it. The machinations, I don’t know. There could be a world where two data providers do one together, etcetera, but the technology should make the data more useful, and that is our goal.

Mark: I will point out we’re in discussion right now with our first client who wants to put in on a subset of our data. It’s exciting.



Dark Web Nightmares: Unearthing Creepy Finds This Halloween

October 31, 2023
Disclaimer: DarkOwl analysts do not endorse any of these marketplaces or offerings and have not confirmed legitimacy of any of these sites. This information is provided for awareness only and has not been independently verified.

Introduction 

This Halloween season, DarkOwl analysts decided to delve into some of the scary things that are available for purchase on the dark web. The dark web is well known for dealing in illicit goods such as drugs, counterfeit goods, and hacking tools as well as leaked data. But there are also sites out there which claim to be selling goods that are a bit more gruesome and creepy…

This blog explores some of the weird and scary things we have found being sold on the dark web. 

Warning: This blog contains images some may find distressing.

Organs For Sale

A number of sites have been identified on the dark web that claim to be selling human organs. DarkOwl analysts have seen both stand-alone sites selling these as well as individual postings on marketplaces. In the image below, we can see a stand-alone site which offers organs for transplant and claims to provide shipping worldwide.  

The image below is an example of the items that are being offered for sale, ranging from hearts and kidneys to livers. The site claims that the organs remain viable for one year, which is scientifically impossible. There is no indication from this site of how the organs are transported, or how the purchaser is expected to transplant the organs, as no medical help is provided. They do, however, provide a money back guarantee.

The cryptocurrency address associated with this site has received a total of 0.61955435 BTC, which equates to around $34,000 depending on the conversion rate, although the address currently has a balance of 0. Most of the transactions that have taken place have been for $100-200, which is far below the asking prices on the website. So it is unlikely that they have actually sold the items they are advertising, or at least not at the prices shown above.

It is doubtful that this is a legitimate offering. DarkOwl analysts have observed the same images being used on multiple sites, which may indicate that they are using stock images and that this is a scam. The claim that the organs will survive a year is also suspicious.

It is also unclear from the sites we have reviewed where these organs are sourced from, if the offerings are legitimate at all. There is the potential that this could be linked to criminal activity such as human trafficking or the black-market trade in organs.

Another site we identified is more specific about the locations to which it is able to export organs and also indicates that it will provide medical expertise to assist with the transplant. It is worth noting that this particular dark web site is not currently active.

“Human” Meat 

Perhaps the “creepiest” site we found was one that advertises the sale of human “meat” for consumption – “For those with taste.”

The site states that eating human meat is not immoral as long as you haven’t killed to get it. Although they don’t directly state where the meat is sourced from, they suggest it comes from road traffic accidents and morgues.

The site also gives information about where they will export the “meat” to and suggests that everyone should taste human meat at least once. They offer a range of “cuts” as well as organs, which can be sent to Europe, Asia, and Africa.

DarkOwl has no evidence to suggest whether this is legitimate or not. We do not suggest trying to order.

Hitmen 

It has been widely reported previously that hitmen are available for hire on the dark web. Although it is never clear whether the sites are legitimate, there have been examples where they have been proved to be real and murders or attempted murders have taken place.

One such example of hitman services being offered was identified by DarkOwl. A group calling itself the Mexican Mafia claims to offer the following services, in their own words:

  • Death by shoot and drive away
  • Death by making it look like accident or robbery gone wrong
  • Death by sniper 
  • Beating 
  • Arson 
  • Guns 

They offer “proof” that they are legitimate by posting the names of individuals they claim to have murdered in multiple jurisdictions. No further research was conducted to substantiate this claim, and it is possible they could have taken stories from the media and claimed them as their own.

Conclusion 

The dark web holds many secrets, some of which can be gruesome. At this time of year they can seem like “tricks,” and we are unable to confirm whether any of the things mentioned in this blog are legitimate, but either way they are creepy for spooky season.



Copyright © 2024 DarkOwl, LLC All rights reserved.