Another Successful OsmosisCon in the Books!

October 24, 2023

Last week, DarkOwl participated in OsmosisCon, an Open Source Intelligence skills-building conference, in New Orleans, LA. The annual, training-oriented event comprises workshops and classes, led by industry leaders and eligible for Continuing Education Credits (CEUs), focusing on the latest OSINT and SOCMINT tools. In addition, the exhibiting companies provide real-world examples of industry-standard products and services, allowing attendees either to advance their own research or to find a solution for their company.

The networking and consulting opportunities at OsmosisCon are incredibly valuable for anyone in the OSINT space, whether you participate in the pre-event workshops and presentations, speak during the networking events, or connect via the virtual conference platform. Sessions this year dove into a wide range of topics, including open source techniques and skills related to exposing fraud, utilizing artificial intelligence, current and future threats, identifying unknown users, and more.

The Osmosis Institute’s mission is “to educate and train cyber intelligence investigators, researchers, reporters, and analysts on OSINT and SOCMINT techniques and best practices.” Their statement continues, “to that end, we seek to foster professional growth in our community. We strive to inform professionals on how to protect personal privacy data and abide by national and international laws and ethics standards.” OsmosisCon allows them to put this mission into practice and, in its 9th year, has continued to grow, bringing hundreds of cyber intelligence analysts together.

Representing DarkOwl at OsmosisCon this year were Alison Halland, Chief Business Officer; Caryn Farino, Director of Client Engagement; and Damian Hoffman, Product Engineer and Data Analyst, all based out of DarkOwl’s headquarters in Denver.

Leading up to the kickoff of the conference, Damian presented “Finding Actionable Intelligence in Dark Web Data for OSINT Investigations,” which focused on how the dark web is an essential source of information for OSINT investigations across a wide variety of use cases. Showcasing DarkOwl Vision, his talk reviewed some of the considerations to keep in mind when using dark web data, how the data can provide value for investigators, and DarkOwl’s perspective on the techniques and tools needed to maximize the utility of dark web data. The team was happy to report that this was a packed presentation with standing room only!

During the conference, Damian also participated in the Bits & Bytes Speed Networking Session. In these roundtable discussions, attendees sat with industry specialists to pick up quick, compact tips in their area of expertise and engage in discussion. Each table presenter prepared and hosted a discussion on a different topic. Damian’s topic, “Mental Health Strategies for OSINT Investigators,” is a crowd-sourced, data-driven project aimed at collecting, validating, categorizing, and freely distributing mental health strategies for the OSINT community. Researchers on this project aim to collect strategies (specific actions, behaviors, or modifications of belief that lessen the negative impacts of vicarious trauma from exposure to distressing content) from a wide variety of OSINT practitioners and validate their effectiveness using empirical evidence. More about the research project can be found here, and you can submit your strategies here.

In addition to presenting and staffing the DarkOwl tabletop, the team was able to meet with many current customers. Attending OsmosisCon is invaluable for face-to-face time to build and maintain relationships. Meeting with clients in person provides a great opportunity to share new product features and features in development, gather product feedback, and keep up to date with the latest trends.

DarkOwl looks forward to OsmosisCon 2024 and hopes to see both familiar and new faces in Las Vegas!



23andMe Suffers Data Breach

October 20, 2023

Introduction

One of the latest companies to be the victim of a data breach, 23andMe, has had its data shared on various dark web marketplaces as well as on Telegram. Interestingly, the data from this breach has partly been shared in response to the conflict in Israel and Gaza, with one of the sharers of the data citing this as a reason for releasing some of the information.

23andMe is a genealogy company which, as well as providing ancestry services, uses DNA to identify where individuals’ ancestors are likely to have come from. They also provide details of individuals’ health and genetic predispositions. The leak purports to contain full names, year of birth, location, as well as DNA markers and locations they may have links to.

23andMe has indicated that the data was obtained as part of a credential stuffing attack, and that there has been no evidence of a security breach on their IT systems.

The First Leak is Shared

The first identified mention of a leak of 23andMe data was on the marketplace Hydra Market on August 11, 2023. The post was made by a user with the alias Dazhbog. In the post he claimed to have access to 10M DNA records that he was offering for sale. He claimed that the file size was over 300TB and that the data would only be sold once; the asking price for the data was $50 million.

The seller also indicated that they would be open to selling the data in parts, based on location and ethnicity, priced at $10k per 1k records.

Although it is unclear who is behind the username Dazhbog, they did indicate that 23andMe is not allowed to operate in their country. They also gave specific instructions for how buyers in China would be able to receive the data: in hard copy. The user first registered on Hydra Market on August 10, one day before the original post was made.

The poster provides details of how the information was obtained, claiming it came through an API service used by pharmaceutical companies.

As proof of the data obtained, links were provided for Sergey Brin, co-founder of Google, and Anne Wojcicki, CEO of 23andMe. Images were also shown.

On August 14 the original poster made a post claiming that the full data had been sold to an Iranian individual and requested that the original post be removed. The post is still active, but the original poster has made no new posts since then, and their profile indicates that they have not been active since. This suggests that the account was created specifically to share this leak.

Parts of the Leak Emerge 

Once the original leak had been shared, several other leaks emerged on Breached Forum, a forum known for providing leaked data.

On October 1, 2023, the user Golem posted a link to data which they claimed was the DNA of celebrities. The description of the leak indicates that it provides details of 1 million Ashkenazi Jews. The poster claims there is more data to come and that raw data can be provided for a fee.

Although this post was not available for long, other users began to share the information, producing multiple leaks. A Telegram account was also created with the sole purpose of sharing this leak, shortly after the attack on Israel on 7 October.

A further post was made on October 17 providing a leak claiming to contain details of individuals from the UK or with links to the UK. The poster, Golem, stated that this information was being released in response to what they claimed was “the bombing of a hospital by the Israelis.”

Again, the leaks were not available for long, but the information was reposted by other users. This also included links to German and Chinese data.

Golem also made a post, in response to 23andMe’s claim that this was not a data leak, providing details of how the information was accessed. They also give the examples that were provided in the original post. It is unclear whether Golem has any links to Dazhbog or how they obtained this information.

Conclusion 

The leak of this data provides threat actors with information relating to individuals’ personal ancestry and DNA and could pose threats to those individuals, particularly those in the public eye. Some of the releases of this leak highlight how data leaks are being weaponized as part of the conflict in Israel and Gaza. It also underlines the way leaks are shared on the dark web: often first made available for sale and then shared for free. DarkOwl never pays for data from the dark web.

It is currently unclear whether all the data obtained as part of this attack will be made available. DarkOwl analysts will continue to monitor for any further posts. All data that has been made freely available thus far is available via DarkOwl Vision.



DarkOwl Builds New Relationships at ISS World Latin America in Panama

October 19, 2023

Last week, DarkOwl participated in the well-regarded law enforcement conference: ISS World Latin America. The annual, training-oriented event describes itself as “the world’s largest gathering of Regional Law Enforcement, Intelligence and Homeland Security Analysts, Telecoms as well as Financial Crime Investigators responsible for Cyber Crime Investigation, Electronic Surveillance and Intelligence Gathering.” 

ISS World events focus on the latest cyber tools and methodologies specifically for law enforcement, public safety, government and private sector intelligence communities. The first full day of each ISS event is dedicated to training and in-depth sessions. Trainings and topics covered throughout the event include how to use cyber capabilities to combat drug trafficking, cyber money laundering, human trafficking, terrorism and other nefarious activity that occurs across the internet.

DarkOwl is a regular sponsor of several ISS shows around the world, but this was our first year attending ISS Latin America and we were thrilled with the quality and quantity of conversations and interest. Representing DarkOwl at this year’s show were Dustin Smith, Director of Marketing, and Steph Shample, Senior Intelligence Analyst, both based out of DarkOwl’s headquarters in Denver, CO.

During the event, Steph led a seminar on the use of the darknet for national intelligence and law enforcement purposes. The session detailed the intelligence available on deep/dark web (DDW) platforms, as well as adjacent platforms such as Telegram and Discord, which can be enriched and used by law enforcement and government officials to reduce criminal activity and simultaneously protect national security. Types of intelligence include: tracing financial transactions, whether fiat or cryptocurrency, to illuminate drug, weapon, human trafficking, and other supply chains that contribute to malicious activity; hybrid incidents that threaten both cyberspace and physical safety; and the kinds of equipment, kits, and material sold by criminal actors that contribute to digital attacks against critical infrastructure and key resources (CIKR), threatening the safety of everyday services. Those interested can find a summary of the presentation in Spanish here.

In addition to presenting, Steph and Dustin were able to connect and have several conversations with prospects as well as current clients and partners. Building these relationships face-to-face is invaluable. Visitors at the DarkOwl tabletop included those from Panama, El Salvador, Peru, Mexico, Colombia, Paraguay, Brazil, Guatemala, and Bolivia. Connecting with cybersecurity professionals from around the world and hearing the latest trends, concerns and challenges that they are facing is a huge benefit of ISS shows. Steph shared, “I was blown away by the quality of conversations we had at our table, the need for darknet intelligence is evident and being able to share search results in real time with attendees got everyone really excited.”

Due to the layer of anonymity it provides, the darknet is often a hub for illegal activity. However, investigating crime on the darknet and deep web poses technical challenges, including the fact that darknet sites continually come on and offline, with pages vanishing from one minute to the next. The technology DarkOwl leverages to scrape and index hidden digital undergrounds is key to the mission of proactive situational awareness in support of the nation’s security initiatives. DarkOwl Vision UI provides a user-friendly interface with powerful querying capabilities to search, monitor, and create alerts for critical information. DarkOwl Vision has been used to support local and federal police investigations, as well as work done in intelligence/fusion centers and federal agencies, to uncover human trafficking, opioid selling, terrorism, security issues, and other illegal activity.

DarkOwl looks forward to continuing our presence at ISS World events as part of our ongoing initiative to support the global law enforcement community in their efforts to police illegal and nefarious activity on the darknet. 



Internationalized Domain Name Homoglyphs: Can You Spot the Difference?

October 17, 2023

Homoglyphs are characters from one script that look like characters of a different script. Threat actors use different character sets to cause confusion, registering domain names similar to legitimate domains but with one or more characters from another script, for phishing and credential harvesting campaigns.

In this blog, DarkOwl analysts outline several examples, each including a screenshot of the fake website. Readers will notice that the vast majority of these are cryptocurrency or NFT (non-fungible token) phishing scams.

IDN Homograph Attacks

An Internationalized Domain Name (IDN) homograph attack, also referred to as a “homograph attack,” “homoglyph attack,” “homograph domain name spoofing,” or “script spoofing,” is a type of spoofing attack in which the cybercriminal deceives their victim with a website that seems real and genuine but is not. To many, this may sound like typosquatting. Typosquatting, or URL hijacking, differs in that it relies on the victim mistyping a URL in the address bar. For example, a user may type “gooogle.com” instead of “google.com,” and the former domain may be owned by an attacker and used for malicious purposes.

For both IDN homograph attacks and typosquatting attacks, once the attacker has deceived their victim, they exploit the victim on the site by asking them to input credit card details, login credentials, and other personally identifiable information (PII) to later use for their own benefit, usually financial gain. In the case of IDN homograph attacks, these fake websites are created and registered using homoglyphs, resulting in a URL that looks very similar to the real URL, nearly identical if one is not paying close attention. For example, an attacker may use the number “0” instead of the letter “O”, or vice versa. Common characters come from the English, Chinese, Latin and Greek alphabets.

Examples in the Wild

Cryptocurrency and Cryptowallets

It is no secret that cryptocurrency is often a target of cyber criminals, especially those looking for financial gain. Cryptocurrency wallets have only a “veneer of anonymity”: an address owner’s identity can often be associated with crypto transactions due to the connections with financial institutions, blockchain addresses and crypto-related service providers. However, hackers do not necessarily need your personally identifiable information (PII) to conduct a successful attack; as long as they are able to gain access to a wallet, they can transfer crypto from it. Crypto transactions cannot be cancelled or reversed (unless refunded by the receiver), as transfers take place on a decentralized network.

It has been estimated that more than 50% of total cybercrime revenue globally comes from the darknet, with Bitcoin being used in 98% of cases and other cryptocurrencies in the remaining 2%. In the spring of 2023, Kaspersky reported that 85,000 scam emails had been delivered to users of the most popular cryptocurrency hot and cold wallets, with the scam emails impersonating popular cryptocurrency exchanges and wallet providers. Chainalysis reported that in 2022, cryptocurrency hackers stole $3.8 billion USD, up 5 million from 2021, setting a new record.

Entity API, part of the DarkOwl API product suite, allows users to access highly targeted, structured information from the largest commercially available collection of darknet and deep web sources. This includes Tor, I2P, Zeronet, Data Breaches, encrypted chats, IRC, and authenticated forums. You can check out how to use Entity API to monitor cryptocurrency mentions here.

Below are examples of cryptocurrency wallet websites that have been targets of internationalized domain name homoglyph attacks.

metamasķ.com (clone of metamask.com)

Metamask is an Ethereum-based cryptocurrency wallet that allows users to access their Ethereum wallet through a browser extension or their mobile app. The screenshot to the left is a great example of an internet browser alerting users to potential danger ahead; such warnings should always be heeded. The character used in this homoglyph substitution domain is “ķ” in place of the “k” in “metamask,” which comes from the Latvian alphabet.

treźor.com (clone of trezor.com)

Trezor is a hardware wallet that securely manages your Bitcoin and other cryptocurrencies. Hardware wallets like this are designed to protect your digital assets from hacks and theft. The character used in this homoglyph substitution domain is “ź”, from the Polish alphabet, in place of the “z”.

app-uniśwap.org (clone of app.uniswap.org)

Uniswap is a platform to trade, sell and buy crypto and NFTs. It is one of the most popular ways to exchange with the Uniswap Protocol. The Uniswap Protocol is a leading decentralized crypto trading protocol that allows users to swap, earn, and build on it. The character used in this IDN homoglyph is “ś” in place of the “s” from the Latin alphabet.

cóinómi.com (clone of coinomi.com)

Coinomi is a blockchain wallet that allows secure storing, managing and trading of Bitcoin, Ethereum and over 1,770 other blockchains. Note in the first image that the IDN homoglyph homepage loads for a split second before redirecting to the fake page, seen in the second image, which looks identical to the real homepage. The threat actor is using an open-source website clone tool for the campaign but is not hiding their tracks very well; this “Index of locally available sites” page should be a clear warning that something is not right and should raise a red flag for users. The character used in this homoglyph substitution domain is “ó” (two of them) in place of the “o”, from the Latin and Polish alphabets.

Technology Vendors

The technology vendor examples are quite different from those above. The IDN homoglyph sites below were likely used for phishing campaigns. Phishing is a type of fraudulent social engineering for data collection, designed to trick users into revealing sensitive information to what appear to be trustworthy sources via email. Earlier this year, DarkOwl analysts created accounts for fake email addresses that were posted on the darknet to learn more about trends in the phishing and spam email landscape. That research can be found here.

cloudfǀare.com (clone of cloudflare.com)

Cloudflare is a content delivery network (CDN) and cloud cybersecurity company that provides services to increase the security, performance, and reliability of websites and web services. This IDN homoglyph website just leads to a blank homepage. It was probably used for phishing campaigns in which email victims were tricked into clicking a link that goes to a specific directory on this site. The character used in this homoglyph substitution domain is “ǀ” in place of the “l”; it is a “dental click,” used to denote the sound “tsk! tsk!”

intųit.com (clone of intuit.com)

Intuit is a leading financial software technology company offering numerous products to help businesses and individuals alike. Like the fake Cloudflare site in the example above, this one has a web server but no default home page and is probably part of a phishing campaign trying to trick victims into clicking on a link from an email that leads to a deeper directory on the server. The character used in this homoglyph substitution domain is “ų” in place of the “u”, which comes from the Latin alphabet.

flaṣh.com (clone of flash.com)

Flash.com leads to an Adobe site, but if you land on the IDN homoglyph “flaṣh.com” you will see the warning below. This is a great example of an internet browser warning users before they enter a potentially dangerous site, and it even explains what triggered the warning. The character used in this homoglyph substitution domain is “ṣ” in place of the “s”, which comes from the Latin alphabet.

Retail

aırdyson.com (clone of airdyson.com)

Airdyson is a very popular hair styler. This site seems to be either selling counterfeits or just harvesting credit card information. The character used in this homoglyph substitution domain is “ı” in place of the “i”; it is called a “dotless i” and is used in the Latin-script alphabets of Azerbaijani, Crimean Tatar, Gagauz, Kazakh, Tatar, and Turkish.

The List Goes On…

Other homoglyph substitution domains DarkOwl analysts found, most of which were able to process email but either had no website or a missing default index page, include:

  • baɾclays.com (clone of barclays.com)
  • crypţo.com (clone of crypto.com)
  • dişcord.com (clone of discord.com)
  • freshmań.com (clone of freshman.com)
  • opènsea.com (clone of opensea.com)
  • polygoñ.com (clone of polygon.com)
  • applẹ-icloud.com (clone of apple-icloud.com)
  • bítfinex.com (clone of bitfinex.com)
  • pornĥub.com (clone of pornhub.com)
  • unıvısıon.com (clone of univision.com)
  • zeǁepay.com (clone of zellepay.com)
  • bmobạnking.com (clone of bmobanking.com)
  • mėgạ.com (clone of mega.com)
  • dỉscovercard.com (clone of discovercard.com)
  • cỉtynationalbank.com (clone of citynationalbank.com)
  • crawfordandcoproductíons.com (clone of crawfordandcoproductions.com)
  • zỉonsbank.com (clone of zionsbank.com)
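The substitutions catalogued above can be checked mechanically. The following Python script is an added example written for this post; it is not DarkOwl code and not part of any DarkOwl product. It reduces a domain to the ASCII "skeleton" a reader perceives (NFKD decomposition with combining marks stripped, plus a small hand-built map for the dotless i, the click letters and the fishhook r, which NFKD does not decompose), compares that skeleton against a list of protected brand domains, and shows the Punycode (xn--) form a browser resolves and falls back to displaying. The protected list, the candidate list and the confusables map are constructed here from the domains in this post.

```python
import unicodedata

# Confusables that NFKD cannot reduce to an ASCII base letter. Constructed for
# this example from the substitutions the article lists; a production monitor
# would load the full Unicode confusables table instead.
EXTRA_CONFUSABLES = {
    "\u0131": "i",   # ı  dotless i        (aırdyson, unıvısıon)
    "\u01c0": "l",   # ǀ  dental click     (cloudfǀare)
    "\u01c1": "ll",  # ǁ  lateral click    (zeǁepay)
    "\u027e": "r",   # ɾ  r with fishhook  (baɾclays)
}

# Brand domains to protect. Constructed sample drawn from the article's examples.
PROTECTED = {
    "metamask.com", "trezor.com", "coinomi.com", "cloudflare.com", "intuit.com",
    "flash.com", "airdyson.com", "barclays.com", "zellepay.com", "apple-icloud.com",
}

# Constructed candidate list: lookalikes from the article plus two legitimate domains.
CANDIDATES = [
    "metamasķ.com", "treźor.com", "cóinómi.com", "cloudfǀare.com", "intųit.com",
    "flaṣh.com", "aırdyson.com", "baɾclays.com", "zeǁepay.com", "applẹ-icloud.com",
    "metamask.com", "example.com",
]


def skeleton(domain: str) -> str:
    """Reduce a domain to the ASCII string a reader is likely to perceive:
    decompose accented letters (NFKD), drop the combining marks, then map the
    few remaining confusables explicitly."""
    decomposed = unicodedata.normalize("NFKD", domain.lower())
    chars = []
    for ch in decomposed:
        if unicodedata.category(ch) == "Mn":  # combining cedilla, acute, dot below, ...
            continue
        chars.append(EXTRA_CONFUSABLES.get(ch, ch))
    return "".join(chars)


def to_punycode(domain: str) -> str:
    """ASCII (xn--) form the resolver uses; browsers show it in the address bar
    once they decide the Unicode form is unsafe to display."""
    return domain.encode("idna").decode("ascii")


def substitutions(domain: str) -> list:
    """(character, what it looks like, Unicode name) for every non-ASCII character."""
    return [
        (ch, skeleton(ch), unicodedata.name(ch, "UNKNOWN"))
        for ch in domain
        if ord(ch) > 127
    ]


def analyze(domain: str, protected: set) -> dict:
    """Report on one domain. 'impersonates' is the protected domain whose skeleton
    it matches, or None for a protected domain itself or an unrelated domain."""
    lowered = domain.lower()
    sk = skeleton(lowered)
    punycode = to_punycode(lowered)
    return {
        "domain": lowered,
        "punycode": punycode,
        "non_ascii": punycode != lowered,
        "skeleton": sk,
        "substitutions": substitutions(lowered),
        "impersonates": sk if (sk in protected and sk != lowered) else None,
    }


def scan(candidates, protected: set) -> list:
    """Return (domain, impersonated brand, punycode) for every lookalike found."""
    hits = []
    for d in candidates:
        report = analyze(d, protected)
        if report["impersonates"]:
            hits.append((report["domain"], report["impersonates"], report["punycode"]))
    return hits


if __name__ == "__main__":
    for domain, brand, puny in scan(CANDIDATES, PROTECTED):
        subs = ", ".join(f"{c!r} -> {s!r} ({n})"
                         for c, s, n in analyze(domain, PROTECTED)["substitutions"])
        print(f"{domain:20} {puny:30} looks like {brand:18} [{subs}]")
```

The skeleton comparison only catches character-level substitution: "app-uniśwap.org" reduces to "app-uniswap.org", which differs from "app.uniswap.org" in the separator, so a separate rule for hyphen/dot variants is needed for that case. Browser-side, the same Punycode string is what the warning pages described in the Metamask and Flash examples are reacting to.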

Takeaways

Our analysts note that threat actors are not leveraging homoglyphs as much as was previously seen. Homograph attacks have declined but this does not mean that cybercriminals will not create more complex spoofing domains. Security measures are in place among web browsers to detect and alert users when they suspect they may be entering a fake site that they thought was legitimate, as seen in the Flash example above. It is important for users to pay attention to URLs and always exercise caution.

Steps to protect yourself from IDN homograph attacks:

  1. Regularly update your browser for the latest security updates and patches.
  2. Confirm the legitimacy of the website by making sure it has an Extended Validation Certificate (EVC), especially before sharing sensitive information.
  3. Avoid clicking suspicious links from emails, chat messages, publicly available content, and social media sites, and verify that the visible link matches the real destination.
  4. When in doubt, there are several browser tools, such as Punycode Alert and Quero Toolbar, that help suss out potential danger.

If you do find a phishing domain or IDN homoglyph site, there are several ways to report it. DarkOwl analysts found hostinger.com to be the fastest responding registrar in shutting them down, and you can always report to Google, the Federal Trade Commission and the Internet Crime Complaint Center.



Q3 2023: Product Updates and Highlights

October 13, 2023

Read on for highlights from DarkOwl’s Product Team for Q3, including new exciting product features.

New Leak Context Feature

When your search results are from data leaks, you can now review additional information curated by DarkOwl analysts, giving you enrichment on the data leak: “Leak Context”. This new section includes a description of the leak, details on the target organization, date posted, date of event (if known), and the type of content exposed. Additionally, there is a new option to Download Context (as a .txt file) to include in reports or briefings. An example from Vision UI can be seen below. Beyond the UI, Leak Context is also available programmatically through a new Leak Context API endpoint.

Vision UI & Vision API Updates

Chat Channel Filters

Filter your search to one or more channels or servers from Telegram or Discord using the Filter Menu in the UI or new API parameters. This allows you to track individual channels of interest instead of the whole chat network.

A new Chat Users search option allows you to find discussions from particular usernames or user IDs within Telegram or Discord.

Enhanced Forum Presentation

More than 100 forums are now in our new thread-view structure. This allows users to easily distinguish thread Titles, number of Posts (at time of collection), Users, Post Dates, and the Post Bodies.

Lexicon Updates

DarkOwl Vision’s DARKINT Search Lexicon is an easy-to-use tool intended to help users find interesting content within our database. This quarter, the team built out 99 additional Lexicon queries to help our clients find the most important sites to them, including:

  • 15 new ransomware entries
  • 46 new forum entries
  • 38 new market entries

Clients can always submit content for us to add. Curious what DarkOwl means by “DarkInt?” Check out our full write up.

Translations

The team has added 10 new translated Search Blocks, including Russian, Spanish, and French, with more on the way!

Leaks of Interest Collected

Nato Data 

Data allegedly retrieved from NATO’s Cooperation on Opportunities and Innovations (COI) portal that was leaked on SiegedSec’s Telegram channel in July 2023. According to the post, “this attack on NATO has nothing to do with the war between Russia and Ukraine, this is a retaliation against the countries of NATO for their attacks on human rights…” Data includes hundreds of documents.

5M Shanghai Suishenma 

Suishenma is the Chinese name for Shanghai’s health code system, which the city of 25 million people, like many across China, established in early 2020 to combat the spread of COVID-19. All residents and visitors have to use it. The leak includes scan time, if they are a foreigner, company name, name, credit card and scan method.  

cegedim.com 

Cegedim, a technology and services company, suffered a ransomware attack from the Cl0p group in September 2023. The leak contained multiple documents, including financial information, email addresses, and IP addresses.

pwc.com 

PWC was a victim of the MOVEit vulnerability exploited by the ransomware group CL0P. The leak contains a number of documents relating to the organization as well as email addresses, IP addresses, and technical information.

duolingo.com 

In January 2023, an actor was selling the scraped data of 2.6 million Duolingo users on the BreachForums hacking forum. Subsequently the data, including names, emails, languages learned, and other Duolingo-related information, became available without payment. 

On the Horizon

Be the first to hear an exciting announcement from the DarkOwl team – we are about to launch something you will not want to miss! To get a preview of this new release, schedule a time to speak to one of our team members.

Monitoring the War in the Middle East

October 12, 2023

DarkOwl analysts have assembled a list of Telegram channels commenting on the current conflict in the Middle East. It is important to note that the channels labeled hacktivists are hacker groups: people actively DDoSing websites (distributed denial-of-service attacks), defacing websites, etc. Conflict media includes channels that are not related to hacking but are sharing various forms of near real-time content from the conflict in the form of text, audio, images, and video. Analysts have found that there is more propaganda and misinformation on the conflict media accounts than on the hacktivist accounts (not to say that it does not exist there).

The team will continue to update this chart as more Telegram channels emerge amongst the continued conflict.

Columns as published: Pro Hamas Conflict Media; Pro Palestine Hacktivists; Pro Israel Conflict Media; Pro Israel Hacktivists; Iran, Hezbollah, Iraqi and Yemeni (Houthi) Hacktivists. Channel names and handles listed:
samy44
انتاج جيش_فلسطين_الالكتروني
PalestineEArmy2
HAMAS-ISRAEL WAR
Fucking HaMaS حماس
القدرات العسكرية السورية
smc2020
Syrian
ahfadosama
جيش القدس الالكتروني
Jerusalem Electronic Army
משתיקי הרשע
Silencers of Evil
The Archivists Domain
The last breath of the Zionists…
Iranian
mogawem2019
تغريدات || جيش فلسطين الإلكتروني PEA
Palestine E Army
חדשות ישראל בטלגרם ללא צנזורה
linkNews21M
ICD – Israel Cyber Defense
الموجز
almujaz_syria
Syrian
للإعــلام_الـحــربـي
mbmgy
Arab Anonymous Team
דיונים – מתקפת פתע על ישראל
linknews09u
Gaza parking lot crew
رسانه حزب الله
hizbollahsyber
JehadQasaam
Mr mohammad
עמית סגל
amitsegal
Kerala Cyber Xtractors
حزب الله سایبری
hizbollahsyberi
qudscapitalofpalistine
GHOSTS of Palestine
הימין הלא מתנצל של הצל
TheBigBadShadow
Indian Cyber Force
1915 Team
Kurdish, Iraqi, Yemeni hackers
qasemy1 CyberActivism
TeAm UcC OpErAtIoNs
محمد ضبع
MohamadDabaa
Syrian war journalist
Aqseeoya
Ghost Clan
Garuna Ops
SAM SYRIA
Syrian Army monitoring
said_alshuhadaa9
AnonGhost Official
חדשות סייבר – ארז דסה
CyberSecurityIL
khabaralaan
Syrian
شُهَدَاء الْعَقِيدَة وَالْوَطَن
bk31_3
Skynet
Ransomed.vc
T.Y.G Team
Yemeni hackers
الاعلامي فقار الفياض
fqar_4
GANOSEC TEAM
0x£_exp0s3d
Cyber Av3ngers
Iranian
Aqsamedia313
Cyber Error System
TEAM UCC INDIA
Yemen Legions Team
Yemeni Hackers
Al_Aqsa2
Ganosecteam publik
کانال گنجشک درنده
GonjeshkeDarande
Black Security Team
Farsi hackers
أبو عبيدة “الناطق العسكري باسم كتائب القسام”
spokesman 2020
Team_insane_Pakistan
IT ARMY of Ukraine
المقاتل وسيم عيسى
Syrian war reporter
الخليل في قلب الحدث
From Hebron
Team Azrael–Angel Of Death
Cyber Club (Support)
Hamas Online
We are team_r70
Anonymous Israel
جنين القسام
Jenin Qassam
We Are Team R70
GlorySec
STUCX TEAM
Team NWH Security
HIZBULLAH CYB3R TEAM < PUB >
Anonymous India
SYLHET GANG-SG
Dark Cyber Warrior
UserSec
Indian Darknet Association
TengkorakCyberCrew Official
₮Ɇ₦₲₭ØⱤ₳₭ ₵Ɏ฿ɆⱤ ₵ⱤɆ₩ Chat
Khalifa Cyber Crew
Khalifa Cyber Crew Official
ACEH ABOUT HACKED WORLD
1915 Team
ASKAR DDOS
./CsCrew
EAGLE CYBER CREW
PANOC TEAM COMMUNITY
StarsX Team
CYB3R G4NG
J 0 K Λ R Ξ S
Ξ N D SODOMΛ
Fuck The system
مناقشة عالم الهكر العربي
Hacker Squad 75
عالم الهكر العربي
Hacker 501
4 EXPLOITATION Channel
Sudanese anonymous
Moroccan Black Cyber Army
Electronic_Tigers_Unit
جيش الهكر الإسلامي
Anonymous KGT
أنصار جيش الهكر الإسلامي
Islamic Hacker Army
Khan Cyber Army
Khan white Hat Hacker’s Team
SiegedSec
Jateng Cyber Team 01
Jateng Cyber Team 777
Systemadminbd Official (BCF)
AnonHaMz
Anonymous 070 / zurück zu den Wurzeln
VulzSec Official
GhostSec
WeedSec
Muslim Cyber Army (CMA)
JATIM RedStorm Xploit [JRX]
Dark Storm team
Dark Strom Team
GB ANON 17
Cyb3r Drag0nz
russian tools
Moroccan Defenders Group

Hamas Affiliated Channels Quiet Preceding Invasion?

October 12, 2023

Introduction

When Hamas militants entered Israel along several fronts on 7 October 2023, Israel and the world were shocked. As events have unfolded, this has turned to disbelief that Hamas were able to mount such a complex and successful attack without prior intelligence indicating an attack. In the months and years to come people will surely reflect on the entirety of the intelligence failures that led to these events, but initial reports seem to suggest that Hamas succeeded by “going dark.”

DarkOwl analysts reviewed our coverage of Hamas-linked Telegram channels to identify whether there was any change in their activity preceding the assault. We identified a period of inactivity in the run-up to the attacks for some, but not all, of the channels. This could have been a coincidence, and we have seen no hard evidence suggesting that the period of inactivity was a precursor to the invasion. However, it is important to monitor the activity of pro-Hamas Telegram channels to establish whether there are any patterns in the posts.

In this blog, we review some of the channels we are currently monitoring.  

Hamas Telegram Channels Go Dark 

DarkOwl has been tracking several Telegram channels which are linked to Hamas or are pro-Palestine. These channels actively share information related to their “cause” with messages from Palestinian officials and military statements from al-Qassam Brigades. While most of these channels were making several posts a day, a pattern has emerged where a period of inactivity ensued before the attacks.  

The Telegram channel حماس | HAMAS | فلسطین | غزة, which translates to Hamas | HAMAS | Palestine | Gaza, has over 66,000 subscribers. The channel description claims to provide a media network offering speed, credibility and exclusive firsthand news. Regular posts were made until 4 July, when they stopped with no explanation. The next post was made at 8:04am local Gaza time on 7 October.

Figure 1:  حماس | HAMAS | فلسطین | غزة, telegram channel 
[TRANSLATED IMAGE]
Urgent: Commander in Chief of the Qassam Brigades, Muhammad Al-Dhaif: We decided to put an end to Israeli violations and start the Al-Aqsa Flood Operation

From that point on that channel is very active, with regular posts made in Arabic and many images shared, including breaching “the wall.”

[TRANSLATED IMAGE]
Young people are storming the Gaza Strip after storming the settlements and burning Israeli military vehicles. 

The group I.C.C (Islamic Cyber Corps) is a hacktivist group that publishes leaked information and shares details of their hacking activities. Although it is not a very active channel, there is a noticeable gap in postings between 22 September and 7 October. From that time, they have shared more posts including information purportedly from the Israeli DOD and fact checking media stories.  

The AnonGhost Data Leak channel, which is dedicated to sharing leaked information obtained by the hacking group, last posted on 2 April. Their next post was on 7 October, when they began to leak information related to Israeli car systems, encouraging followers to capture Israelis in their cars. This group has always targeted Israel specifically, and it is worth noting they were more active on their official channel.

Figure 2: AnonGhost Data Leak Telegram Channel 

The channel أبو عبيدة “الناطق العسكري باسم كتائب القسام”, which translates to “Abu Ubaidah, Military Spokesman for the Al-Qassam Brigades”, has almost 400,000 followers. The Al-Qassam Brigades are the military wing of Hamas. The channel is used to make official announcements. Although the updates are not regular, there were no posts made between 6 July and 7 October.

[TRANSLATED IMAGE]
Shortly after … an urgent and important tweet of the military spokesman in the name of the Al-Qassam Brigades Abu Ubaidah through his channel on Telegram

The channel Free Palestine 48 had a period of inactivity from 10 September until 7 October, when its first post was a video it claimed showed “children of Gaza rejoice, playing on top of an armored truck seized by the resistance fighters.”

Figure 3: Free Palestine 48 telegram channel 

Previous posts had shown pro-Palestine images and details of Saudi Arabia’s normalization talks with Israel, as well as what it claims are Israeli infractions against the people of Gaza. There is no indication of why the channel did not post during this period. Unlike many other channels reviewed in this blog, the posts are made in English rather than Arabic, likely to project its message to a larger audience.

تغريدات || جيش فلسطين الإلكتروني PEA, the PalestineEArmy, had not posted on their Telegram channel since 5 August; their next post was on 6 October. The majority of the posts were forwarded from the Arab Anonymous Team Telegram channel. The Arab Anonymous Team were also inactive from 27 July to 7 October. Their first post announced the bombing of Israel from Gaza.

[TRANSLATED IMAGE]
Gaza bombed Zionist settlements 🔥 

Hamas Linked Channels Stay Active 

The Telegram channel طوفان الاقصئ من قلب الحدث (The flood of Al Aqsa from the heart of the event) has nearly 4,000 subscribers. The account self-identifies as pro-Palestine and regularly reshares prominent religious texts. The channel was actively posting in the run-up to the attacks. They did not start posting images or text related to the invasion until the afternoon of 7 October. The videos shared of the attacks, including images of hostages and militants entering Israel, have not been corroborated at this time.

Figure 4: Image from Sahr_2023 telegram channel 

كتيبة جنين الإعلام الحربي-الحساب الاح – Jenin Military Media Brigade-Account did not publish videos related to Hamas militants breaking through the wall. On 3 October they posted images of what appear to be militants holding pro-Palestinian posters with pictures of individuals, which they describe as “part of the participation of the Al-Quds Brigades-Kaba, the commemoration of the Jihadist launch, the Martyrs of Victory.”

Figure 5: Sarayajneen Telegram channel 

The content of the posts in the days preceding the invasion continued with a similar tone, often displaying images of militants with weapons, sometimes holding images of martyrs (fallen soldiers). These images are likely intended to evoke excitement from their supporters. Although they continued sharing images of militants with weapons and messages from the brigade and posts which appear to be religious text, unlike a lot of the other channels that we are monitoring they do not share images or videos of the Hamas incursion.  

المَـرْيَــ𓂆ــم𓂆 طوفـ𓂆ـان_الاقصى 🔥💚2 (Al-Maryoufan_Al-Aqsa 🔥💚) is another Telegram channel that was active in the period preceding the attack. They had previously shared images of militants holding weapons, as well as some memes. Subsequent to the attack this channel regularly shared a large number of videos of the events, some of which are very graphic in nature. They also regularly make what are known as martyrdom posts, sharing personal pictures of militants who have been killed.

Of note, a channel named Hamas Online, which appears to make official statements on behalf of Hamas in English, did not stop posting in the lead-up to the attack. Had official channels gone quiet, that could have been an indication that the status quo had changed. The last post made before the events of 7 October relates to the October war of 1973, which it says “bears witness that resistance is the only option to deter the Zionist colonial occupation.” In hindsight, this does seem to be an indication of what was to come.

New Pro-Hamas Channels Pop Up 

As part of our collection efforts, DarkOwl is constantly searching for and adding new sources of relevance to our data collection. Since the events of last Saturday, we have identified a number of new channels which have been created in response.

Other channels were created in direct response to the conflict. للإعــلام_الـحــربـي 🇵🇸 (for war flags) was created on 8 October and has already amassed over 5,000 followers. It purports to share news about the conflict and updates on what has been bombed.

Conclusion 

Our coverage of Telegram channels linked to Hamas or pro-Palestine has shown that they have operated in different ways. It is unclear whether any of this activity was linked, directly or otherwise, to the invasion. Although there were strange periods of inactivity on some of the channels, we cannot know what caused them. There does not seem to be a clear pattern in the activity that would suggest the periods of inactivity were in any way coordinated among the different groups. Furthermore, the number of channels that remained active would indicate there was no mandate of silence.
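The two questions this post works through by hand, whether a channel went quiet for longer than its normal cadence before 7 October, and whether the quiet windows of different channels actually overlap, can be checked mechanically once post timestamps are collected. The script below is an added example and is not DarkOwl's code: it flags gaps that are long relative to each channel's own median posting interval (so a sparse channel is not flagged for its usual rhythm), keeps only gaps that end as the event begins, and then intersects the flagged windows to show the period during which every flagged channel was silent at once. The channel names, timestamps, and the `factor`/`min_days` thresholds are constructed assumptions, not observations from the page.

```python
"""Flag anomalous posting gaps in monitored Telegram channels.

Added example, not DarkOwl's code. Post timestamps are constructed to
resemble the cadences described in the blog; real input would come from
a channel export or a collection platform. All times are UTC.
"""
from datetime import datetime, timedelta
from statistics import median


def _daily(first: str, count: int):
    """Constructed helper: `count` posts, one per day, starting at `first`."""
    start = datetime.fromisoformat(first)
    return [start + timedelta(days=i) for i in range(count)]


# Constructed sample: channel -> post times (not real observations).
SAMPLE_POSTS = {
    # posts every two days, then silent until the morning of the event
    "official_A": [datetime.fromisoformat(t) for t in (
        "2023-06-28T09:00", "2023-06-30T09:00", "2023-07-02T09:00",
        "2023-07-04T09:00", "2023-10-07T05:04")],
    # posts every day straight through the event: no gap at all
    "daily_B": _daily("2023-09-30T12:00", 8),
    # sparse channel, every three days, then a ~15-day gap ending on the event
    "leaker_C": [datetime.fromisoformat("2023-09-01T10:00") + timedelta(days=3 * i)
                 for i in range(8)] + [datetime.fromisoformat("2023-10-07T09:00")],
    # a long gap in August that has nothing to do with the event
    "media_D": _daily("2023-08-01T12:00", 3) + _daily("2023-09-15T12:00", 23),
}

# Assumed event time: start of 7 October 2023 (UTC).
EVENT = datetime.fromisoformat("2023-10-07T00:00")


def dormancy_windows(times, factor=4.0, min_days=7):
    """Return (start, end) pairs for gaps longer than BOTH `factor` times the
    channel's median inter-post interval AND `min_days`. Scaling by the
    channel's own median keeps a sparse channel from being flagged for its
    normal cadence; the absolute floor stops a very chatty channel from
    being flagged for a quiet weekend."""
    times = sorted(times)
    if len(times) < 3:
        return []  # too few posts to estimate a typical cadence
    gaps = [b - a for a, b in zip(times, times[1:])]
    threshold = max(median(gaps) * factor, timedelta(days=min_days))
    return [(a, b) for a, b, g in zip(times, times[1:], gaps) if g > threshold]


def dormant_before(posts_by_channel, event, resume_within=timedelta(days=1), **kw):
    """Channels whose anomalous gap ends within `resume_within` of `event`,
    i.e. channels that went quiet and resumed posting as the event began."""
    hits = {}
    for channel, times in posts_by_channel.items():
        for start, end in dormancy_windows(times, **kw):
            if start < event and abs(end - event) <= resume_within:
                hits[channel] = (start, end)
    return hits


def shared_quiet_period(windows):
    """Intersection of the flagged windows: the span during which every
    flagged channel was silent at the same time, or None if they do not
    all overlap. A short or empty intersection argues against coordination."""
    if not windows:
        return None
    start = max(s for s, _ in windows.values())
    end = min(e for _, e in windows.values())
    return (start, end) if start < end else None


if __name__ == "__main__":
    flagged = dormant_before(SAMPLE_POSTS, EVENT)
    for ch, (s, e) in flagged.items():
        print(f"{ch}: silent {s:%Y-%m-%d %H:%M} -> {e:%Y-%m-%d %H:%M} ({(e - s).days} days)")
    print("shared quiet period:", shared_quiet_period(flagged))
```

On the constructed data, `official_A` and `leaker_C` are flagged while `daily_B` (no gap) and `media_D` (a gap that ended weeks before the event) are not, and the shared quiet period is only the span from 22 September to the morning of 7 October, much shorter than `official_A`'s three-month silence. That is the shape of evidence the conclusion above is looking for: overlapping windows of very different lengths are consistent with coincidence, whereas near-identical start dates across channels would be worth a closer look.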

What is clear is that these channels are being used by the operators to spread information relating to the conflict and in the days since the invasion they have become very active sharing videos, images, and commentary on the events. While we cannot corroborate the validity of what is being shared, it is clear that Telegram is being used as a way to share news and information at a speed that is quicker than the traditional news media. In our next blog we will examine how this is being done.  

Introducing: The Mental Health Strategies for OSINT Professionals (MHS4OSINT) Project

October 10, 2023

In recognition of World Mental Health Day, DarkOwl is excited to announce the initiation of the “Mental Health Strategies for OSINT Professionals” (MHS4OSINT) Project, aiming to provide OSINT professionals strategies to reduce the mental health impact of exposure to distressing content in their work.

Why OSINT Analyst Mental Health Matters

Most individuals report experiencing stress in the workplace – 94%, according to the American Institute of Stress. However, OSINT analysts (such as those involved in anti-human trafficking efforts or dark web research) are routinely exposed to subject matter and content that an average person does not willfully engage with when navigating online spaces. Exposure to “distressing content” may result in vicarious trauma which in turn leads to an array of negative mental health outcomes.

Vicarious trauma (called secondary trauma in some literature) has competing definitions. For the purpose of this project, we will adopt a more general definition from Hannah Ellis at Bellingcat: “mental distress that is experienced as an outcome of interacting with graphic online media.” Vicarious trauma is thought to occur when exposed to what we will refer to as distressing content, or content that elicits negative responses from users upon exposure. The nature of distressing content is highly varied and includes (but is not limited to) war footage, gore, CSAM, extreme ideology and X-rated content, among others. Further, this content is not limited to photos or videos; sounds, imagery and extreme rhetoric are thought to also invoke vicarious trauma.

The toll of vicarious trauma is thought to be cumulative over time. Repeated, frequent exposure to such materials adds up, and this exposure cannot be undone; in other words, it’s not possible to “unsee” something once exposed to it. This can contribute to multiple negative mental health outcomes, such as analyst burnout. Burnout is, of course, a poor outcome for the analyst themselves, but also impacts the long-term health of OSINT as a profession and is economically impactful for employers and organizations who rely on OSINT work. Other professionals that frequently experience vicarious trauma, such as 911 operators and journalists in sensitive areas, typically have access to plentiful resources to combat the negative effects of exposure to distressing content. OSINT professionals however do not have a centralized repository of resources dedicated to combating burnout and other negative outcomes (though some excellent individual materials exist, such as the 2 previously linked Bellingcat articles). Further, advice from individual OSINT professionals on reducing burnout may be differentially effective; a strategy used by one OSINT analyst to reduce burnout may not be impactful for another, or the variances in reduction may vary depending on the nature of the distressing content. This project seeks to help address these issues in the OSINT community.

The Mental Health Strategies for OSINT Professionals Project

The Mental Health Strategies for OSINT Professionals Project (MHS4OSINT) is a crowd-sourced, data-driven project aimed at collecting, validating, categorizing, and distributing mental health strategies freely for the OSINT community.

Researchers on this project aim to collect Strategies (specific actions, behaviors, or modifications of belief that will lessen the negative impacts of vicarious trauma when exposed to distressing content) from a wide variety of OSINT practitioners and validate their effectiveness using empirical evidence. Once validated, Strategies will then be categorized using qualitative research methodology and distributed to the OSINT community via DarkOwl’s website, presentations at conferences, social media, and other typical ways of reaching OSINT professionals.

These strategies will be freely accessible and accessing the strategies (as well as contributing to the project) is anonymous. Note that these strategies are not medical advice nor intended as a replacement for professional therapy or other medical interventions. It is also unlikely that all strategies, even when empirically validated, will be impactful, thus we encourage trying out strategies from numerous categories.

Project Methodology

Though decidedly not an academic project, this project endeavors to follow sound academic principles and methodology to ensure the highest likelihood of success at reducing burnout.

The first phase of the MHS4OSINT project is data collection of strategies used by OSINT professionals. This will be done via an anonymous self-administered online survey, hosted here. Data collection will be ongoing and Strategies will be evaluated as they are submitted.

Once data is collected, it will be cleaned and enter the validation step. This project will only put forth strategies that have empirical backing (though we invite contributors to include ALL strategies used). Project researchers will seek out literature to demonstrate the efficacy of a submitted strategy and include that source with the suggested Strategy. Strategies with no evidence of success at improving mental health outcomes will not be moved on to the categorization step.

Upon validation, Strategies will then be categorized using qualitative research methods. As we are in the very early stages of data collection (and the fact the data should derive the categories), permanent “categories” are yet undefined and are very likely to change. However, some possible categories we may see from the data include:

  • Environmental/Physical Strategies
    • Proximity/working space, changes in clothes/style, physical health and nutrition
  • Mental Strategies
    • Meditation, mindfulness, building resilience, “inoculation against the internet”, work/life balance, professional identity
  • Technical Strategies
    • Browser extensions that blur images, pause auto-playing videos, mute extensions
  • Moral? Social?
    • Can mission success mediate the impacts of exposure?

Once a considerable amount of data is collected, validated, and categorized, we will then distribute Strategies for the community via future blog content, social media, and conference presentations. As more data is collected, ongoing updates will be made to the Strategies and their categories, with the aim to have a large repository of Strategies that may prove effective at reducing burnout regardless of the type of distressing content OSINT professionals are exposed to.

Contribute!

If you’re an OSINT professional who would like to offer Strategies you use to reduce burnout, we would love your (anonymous) input! The entire success and impact of this project hinges on the collection of quality data from the OSINT community. Submit your strategy. We will also be at OSMOSISCon in New Orleans, Louisiana on October 15-17, 2023, detailing some of the very preliminary findings from the project.


Dark Web Groups Turn Their Attention to Israel and Hamas

October 10, 2023
Disclaimer: DarkOwl is not affiliated with any of the groups mentioned in this article and does not support the actions of cybercriminals regardless of their motivations. This information is provided for informational purposes only and has not been independently verified.

Introduction 

The world was shocked by the invasion of Hamas insurgents into Israel along multiple entry points from the Gaza Strip on October 7, 2023. This has led to a huge number of posts, images and videos being shared of the incursion and atrocities on social media but also on the dark web and dark web adjacent sites.  

DarkOwl analysts are closely monitoring this situation and have identified a wealth of information being shared, some of it legitimate and some likely to be disinformation. We will be authoring a series of blogs showing our initial findings as well as providing new information as it is uncovered.  

Here we provide information relating to known cyber groups active on Telegram and how they have reacted to the invasion.  

Which Side to Pick? 

As events unfolded over the weekend, chatter on several Telegram channels monitored by DarkOwl turned towards Israel and Hamas and the events unfolding in the Middle East. A number of these groups have been heavily involved in the Russia-Ukraine conflict, supporting one side or the other and posting leaked information, conducting DDoS attacks and defacing websites, among other things.

Some groups quickly pledged their support for one side or the other. Killnet posted their intention to target the Israeli government, posting in both Russian and Hebrew and stating this was due to Israel’s support for Ukraine. An affiliate of theirs, Anonymous Sudan, quickly followed suit.

Figure 1: Killnet Telegram channel
Figure 2: Anonymous Sudan Telegram channel 

The Five Families, including SiegedSec and GhostSec, posted on October 7 confirming their support for Palestine/Hamas. These groups have been very active on behalf of Russia in the Russia-Ukraine conflict.

Figure 3: GhostSec Telegram channel 

A hacktivist group known as Cyb3r Drag0nz, which has targeted groups and organizations in many countries, posted a poll to its public channel asking followers which country they should support. They quickly began activity in support of Palestine.

Figure 4: Cyb3r Drag0nz Telegram channel 

A ransomware group known as RansomedVC was reported to be buying access to any countries affiliated with Gaza, including Iran and Palestine. Although no other information was provided, it is likely this means the group is planning to attack organizations within these countries.

Figure 5: RansomedVC Telegram channel 

The threat group ThreatSec stated it didn’t like Israel but that it also doesn’t like war, so it plans to attack the Gaza region as that is where many of the Hamas fighters are located. They later had to clarify this statement, saying they are on the side of neither Israel nor Palestine and want to stay neutral, so they will target both.

The group Garuna Ops made a number of posts in support of Israel and stated that, as well as attacking Palestine, they would attack any other countries that supported it.

This is just a small number of the groups identified which were previously active in the Russia-Ukraine conflict. It is worth noting there are a number of other groups on both sides which have been supportive of Hamas or Israel for some time. We will provide more information on them in subsequent blogs.

The Cyber War Begins?

Hacktivist groups have been quick to launch attacks on both sides of the war; the type of activity conducted has varied depending on the group and presumably the skills they possess. DarkOwl has not verified that the reported attacks were successful.

Some channels, as well as providing details of the attacks they have conducted or information they have obtained, have also shared graphic images and videos of the conflict, support for their chosen side and justification for their beliefs. Here we focus only on the attacks they claim to have conducted.

DDoS Attacks

Two separate groups claimed to have taken down the Red Alert system, which Israel uses to alert its citizens to the threat of a rocket attack; the system has an app installed by the user. Anonymous Sudan first made the claim on October 6, providing a screenshot showing a loading image on the app and another stating there had been no alerts in the past day. However, the screenshots do not show a date or time.

Figure 6: Anonymous Sudan Telegram Channel 

AnonGhost was the second group to claim it had taken down the app, stating that it was affecting different areas. Again, they did not provide any concrete evidence that this was in fact the case.

Figure 7: AnonGhost Official Telegram channel 

The manager of the Red Alert app refuted the claims the app was down. This is possibly corroborated by a further threat group posting images of the Red Alert Map showing where Hamas rockets were striking Israel, although the timing of the screenshot is unknown.  

Anonymous Sudan also claimed to have successfully DDoSed The Jerusalem Post, the website of a newspaper based in Israel. The company did post on X (formerly Twitter) that it was suffering a major cyber-attack, and the site continued to be down several hours later.

Figure 8: Anonymous Sudan Telegram channel 

The Electronic_Tigers_Unit claimed to have successfully attacked the public Mossad website via a DDoS attack. Although this is the public site and therefore unlikely to hold any sensitive information, its likely aim was to distract the Israeli intelligence services.

Defacements 

A hacktivist group known as Cyb3r Drag0nz posted a series of images claiming it had defaced several Israeli websites. The images featured a Palestinian flag as well as the aliases of the individuals involved and their associated Telegram channel.

Figure 9: Cyb3r Drag0nz Telegram account 

The companies targeted by this group spanned a range of industries, and no reasoning was provided other than that they have a .il domain. Defacements have long been used by less sophisticated actors or those who want recognition for their activities. This is a known tactic of Iranian cyber actors.

Leaked Information

The activities of another group, Cyber Av3ngers, which is supportive of Iran, preceded the invasion and began on October 6 when they targeted Noga Company, an electricity company, claiming they were causing power outages “due to the actions of your [Israel] government.”

They have also targeted the Dorad power station, both with a DDoS attack and with a claim to have obtained sensitive information, including images of the facility which they shared on their Telegram channel. It is likely this was done to assist with an attack on the facility.

It is worth noting this group had previously claimed responsibility for attacking an Israeli public railroad in mid-September, although this incident was denied by Israel.

On October 9, AnonGhost-Info provided a list of IP addresses which it claimed formed part of the Israeli Iron Dome, the missile defense system which attempts to destroy rockets entering Israeli airspace. Although these IP addresses have not been verified, if legitimate they could be used by a cyber actor to attack the Iron Dome. The IP addresses have been redacted for security purposes.

Pro-Palestinian groups have also been targeting Israeli citizens and sympathizers. Their alleged personal information has been leaked, with users being encouraged to target their social media accounts with pro-Palestinian messages.

On October 9, Cyb3r Drag0nz also claimed to have hacked Israeli Instagram and provided screenshots of the information obtained, which included images and usernames. They later released a download which they claimed contained the data of more than 100,000 Israeli Instagram accounts. This information has not been verified.

Figure 10: Cyb3r Drag0nz Telegram account 

High-ranking officials have been doxed, with the purported name and phone number of the Director General of the Israel National Cyber Directorate being released and followers encouraged to spam his phone.

Figure 11: AnonGhost Official Telegram channel 

Summary

Although government sources have claimed they have not yet seen any evidence of cyber-attack, DarkOwl’s coverage of dark web adjacent groups has shown they have been quick to involve themselves in the conflict. While the tactics observed so far are not assessed to be highly sophisticated, they can be very disruptive, and it is likely more sensitive information is being shared in closed channels. It appears that, just as with Russia and Ukraine, cyber-attacks will be another front in this war, both from hacktivist groups and from nation states acting directly and via proxies.

DarkOwl coverage on this topic will continue. 

Examining Recent Telegram Posts from Russia’s “Z Bloggers”

October 05, 2023

Who are the “Z Bloggers” or “Z Army”?

The letter “Z” has been heavily used as a pro-Russian propaganda motif since the early days of the invasion of Ukraine in 2022. The “Z” symbol is often associated with images of Russian leaders in the government or military.

Image 1: Sergey Mironov wearing a pin with the “Z” symbol, Governor of Kuzbass

The symbol is also commonly associated with Russian war journalists, soldiers and other Kremlin supporters, who are typically used as vehicles for misinformation campaigns on chat platforms like Telegram. The media commonly refers to this group of individuals as the “Z bloggers”, the “Z Army” and, more generally, as war influencers.

Image 2: Russian soldiers embracing the “Z” symbol on a military vehicle; Source: Moscow Times

The  Z bloggers will sometimes display the “Z” somewhere on their Telegram profile (as seen in the below screenshot for WarJournal). Often these “journalists” are embedded on the frontlines with Russian soldiers, which is how they are able to obtain near real-time conflict footage. These videos provide fuel to propaganda aimed towards increasing Russian enlistments into the Armed Forces or Wagner Group.

Figure 1: Screenshot of WarJournal’s Telegram bio

A recent BBC article reported that the sudden increase in subscribers to various “Z blogger” channels such as WarGonzo and Grey_Zone is correlated with a “surge in Telegram’s advertising market”. These war influencers have taken advantage of this trend by selling advertisements through Telegram posts to companies looking to reach a younger target audience. According to Telegram’s website: “Sponsored messages on Telegram are displayed in large public one-to-many channels with 1000+ subscribers and are limited to 160 characters. Sponsored Messages are based solely on the topic of the public channels in which they are shown. This means that no user data is mined or analyzed to display ads, and every user viewing a particular channel on Telegram sees the same sponsored messages.”

This blog will take a look at recent posts from 3 different “Z blogger” channels in an effort to better understand how this content has recently been utilized as a propaganda motif. DarkOwl analysts selected the following Telegram channels for review:

  • WarGonzo, over 1.2 million subscribers
  • WarJournal, over 41,000 subscribers
  • Grey Zone, over 600,000 subscribers

WarGonzo

WarGonzo is one of the most prolific “Z bloggers”, with well over 1.2 million Telegram subscribers. This channel is reportedly run by Russian citizen Semyon Pegov; an image of him with Vladimir Putin was posted on X (formerly Twitter) and Telegram in April this year (see Image 3). It is unclear how many individuals are associated with this channel, but we have observed multiple “correspondents” posting information while embedded with the military. A representative for WarGonzo was interviewed by the BBC and reported that they make an estimated £1,550 per Telegram post via advertising revenue. Users are able to submit content to advertise by following the instructions and steps (in Russian) using a Telegram bot, @pegov_bot. It is unclear if there are any restrictions on what can be advertised.

Image 3: Image of Pegov standing with Vladimir Putin; Source: Twitter 04/06/2023

WarGonzo posts at least once a day and often several times a day; for example, on September 26, 2023 there were 10 posts. The content ranges from interviews with correspondents on the front lines of the conflict in Ukraine to other correspondents reporting on recent escalating events between Azerbaijan and Armenia in Nagorno-Karabakh. The Ukrainian video content is typically more violent, often showing images of dead soldiers and civilians immediately following some sort of kinetic military activity (air strike or explosion), whereas in the Azerbaijani videos the correspondents are dressed in civilian clothes and not on the front lines. Advertising money has helped WarGonzo to expand its coverage to other conflicts such as that between Armenia and Azerbaijan. The below screenshot of a WarGonzo post made on Sep 26, 2023 displays a video of a WarGonzo correspondent, Dmitry Seleznev, reporting on the recent Azerbaijani attack that targeted ethnic Armenians in the town of Goris:

Figure 2: Image from WarGonzo’s Telegram channel
[TRANSLATED IMAGE]
⚡️Refugees are delivered by land and by helicopter⚡️Activation of WG from Goris⚡️
Refugees are arriving in Goris, the closest city to Nagorno-Karabakh. They are registered at the central house of culture, provided with food and water, given medical care to those who need it, and sent to be resettled in the regions and cities of Armenia.
Helicopters fly over the city, delivering victims after yesterday’s explosion of a fuel tank near Stepanakert.
Watch the live broadcast of our special correspondent Dmitry Seleznev from Goris.
@wargonzo
*our project exists on the funds of subscribers, a card for help
4279 3806 9842 9521

WarJournal

WarJournal is another “Z blogger” Telegram channel where the content creators are embedded with Russian soldiers on the front line; it has a large following of over 41,000 subscribers. Content published on this channel is similar to WarGonzo’s conflict content and is used to motivate Russians to enlist in the army.

The following screenshot was taken from a recent post on September 26, 2023, which depicts the Russian Air Force destroying a bridge over the Oskol River with an X-38 aircraft missile. Users reacted 41 times using the “thumbs up” emoji and 14 times using the “fire” emoji. DarkOwl analysts identified the forwarding Telegram channel where this information was originally posted on the same date, РаZвед_ДоZор (t.me/razved_dozor), which is yet another war influencer that is part of the “Z blogger” network.

Figure 3: Image from WarJournal’s Telegram channel
[TRANSLATED IMAGE]
The Russian Air Force used an X-38 aircraft missile to destroy (https://t.me/bortzhyrnal/139) the bridge across the Oskol River in Kupyansk and significantly hampered the ability of the Ukrainian Armed Forces to supply its troops in the Kupyansk direction.

Grey Zone

Grey Zone is another “Z blogger” account that identifies as an official channel for the Wagner Group. Open Source reporting has not identified one particular individual running this channel at this time, however, according to its Telegram bio the username, @greyzone_admin, is the channel admin.

Grey_Zone also has a large Telegram following, with well over 602,000 subscribers as of September 27, 2023. The BBC also reported that this channel reportedly makes £260 per post. The content shared on this channel is consistent with other “Z bloggers”: they display near real-time conflict videos, images honoring dead soldiers, and other pro-Russian propaganda motifs intended to motivate Russian sympathizers to enlist with the Wagner Group.

The below screenshot is an example of this, referring to a Wagner Group “hero of Russia.”

Figure 4: Image from Grey Zone’s Telegram channel
[TRANSLATED IMAGE]
“We are always ready to talk man to man. Moreover, we have known each other since the first and second wars in Chechnya” – commander of the “Wagner Group” Hero of Russia Dmitry Utkin.

The style of this image is reminiscent of the imagery used in Jihadist martyrdom posts from groups affiliated with ISIS or Al Qaeda. The image below illustrates a martyrdom post created by an Indian Al Qaeda affiliate called Ansar Ghazwat-ul-Hind (AGH) in June 2019:

Figure 5: Image of an AGH martyr, Long War Journal

Conclusion

DarkOwl analysts assert it is highly likely that Russia will continue to expand the reach of its propaganda campaigns through chat platforms like Telegram. Since the outbreak of the Russian invasion of Ukraine, the use of Telegram has been integral to the spread of Russian misinformation by a cohort of supporters that have become known as the “Z bloggers” or “Z army”. The recent BBC article highlighted how influential accounts like WarGonzo and Grey_Zone are able to make hundreds to thousands of dollars a day from Telegram posts. WarGonzo now has the budget to report on conflicts in nearby countries such as the current ethnically charged violence towards Armenians in Goris.


Copyright © 2024 DarkOwl, LLC All rights reserved.