Cybersecurity might as well have its own language. There are so many acronyms, terms and sayings used by both cybersecurity professionals and threat actors that, unless you are deeply knowledgeable, have experience in the security field or have a keen interest, you may not know what they mean. Understanding these acronyms and terms is the first step to developing a thorough understanding of cybersecurity and, in turn, better protecting yourself, your clients, and your employees.
Credential stuffing, often shortened to ‘cred stuffing’, is a widespread technique used by cybercriminals to test whether historically exposed e-mail address and password combinations are still valid logins across multiple commercial websites. Opportunistic cybercriminals automate the testing of large ‘combo lists’ of compromised e-mail addresses and passwords against commercial websites and, once a successful authentication occurs, readily steal the PII (personally identifiable information) and financial information that is often saved on the e-commerce shopping platform’s user profile.
Wordlists and compromised lists of email address and password combinations are the foundation for credential stuffing operations. Many multi-million record data leaks in circulation on the darknet make potential username/password combinations easily discoverable and exploitable at scale. Such leaks are utilized as input for credential stuffing scripts and applications. Wordlists are also in regular circulation amongst darknet threat actors, and some are already integrated into Linux distributions favored by pen-testers and hackers alike.
Figure 1: Wordlist Github Repository Popular with Offensive Security Specialists
Credential stuffing using malicious software and botnets affects not only the individuals but also the commercial organizations whose user accounts are surreptitiously accessed, as many immediately assume access was achieved through vulnerabilities in the commercial service provider’s technical configuration rather than through a simple credential stuffing technique conducted en masse. The resulting uncertainty can erode consumer and stakeholder confidence, which is why commercial organizations should also consider credential stuffing in their internal security frameworks and corporate risk assessments.
The figure shows an example of a combolist (a list of email address and password combinations that may be used in a brute force attempt or credential stuffing operation to gain unauthorized access to servers and services) that was leaked and posted on a darknet site. Databases from data harvesting will often include usernames and passwords, fullz (full identity profiles), financial records or health records. These are all often highly confidential or sensitive and can cause a lot of harm and headache when posted without consent.
Credential stuffing campaigns exploit password reuse and utilize email address and password combinations to attempt logins outside of the source of the original leak. Although you can’t prevent commercial services getting breached and usernames, email addresses, and password combinations getting leaked, you can follow some simple steps to ensure you employ robust password hygiene and reduce the risk of a password getting brute forced or exploited in a credential stuffing campaign. We review these steps later in this blog.
Credential Stuffing in the Wild
The North Face
In a customer notice letter in June, The North Face revealed that on April 23, 2025, it was discovered that customer information was stolen in a credential stuffing attack. Exposed information includes full names, purchase histories, shipping addresses, email addresses, dates of birth, and phone numbers.
Hacking Forums Seized in “Operation Talent”
In January, the hacking forums Cracked[.]io and Nulled[.]to were seized following an international law enforcement operation dubbed “Operation Talent.” The joint operation involved law enforcement departments from the United States, Italy, Spain, Europe, France, Greece, Australia, and Romania. Additional impacted sites included starkrdp[.]io, mysellix[.]io, and sellix[.]io. As highlighted by CyberScoop, SellIX allowed users to create storefronts for illicit goods while StarkRDP—the remote desktop hosting service—“was allegedly leveraged by threat actors to anonymize attacks.”
The seizure of multiple major online forums linked to cybercrime reflects ongoing international law enforcement efforts to crack down on cybercrime by dismantling infrastructure used for illicit activity. Cracked[.]io and Nulled[.]to in particular were known for hosting cybercriminal activity, including “password theft, cracking, and credential stuffing attacks.” Similar large scale law enforcement operations have been observed in recent years, including the takedown of BreachForums in May 2024.
New Atlantis AIO platform automates credential stuffing on 140 services
In March, Bleeping Computer reported a new cybercrime platform called “Atlantis AIO” which automates credential stuffing attacks on over 140 online services. Atlantis AIO features modules for brute-force attacks, CAPTCHA bypass, and automated account recovery. It targets various services including email, e-commerce, banking, and VPNs. Compromised accounts are often sold on underground forums. To defend against such attacks, the article recommends that users choose strong, unique passwords and enable multi-factor authentication, and that websites implement rate limiting, advanced CAPTCHAs, and suspicious behavior monitoring.
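The “suspicious behavior monitoring” recommended above can be made concrete on the server side. The following is an added example, not code from the original post or from any product or article mentioned here; it assumes a constructed login-log format and illustrative thresholds, and shows how the per-source pattern of combo-list replay (a new username on nearly every attempt, mostly failures, a few hits from reused passwords) differs from a single-account brute force and from a busy shared NAT whose users log in normally.

```python
"""Flag credential-stuffing traffic in web login logs (added example).
Assumes a constructed log format, one attempt per line:
    <ISO-8601 timestamp> <client_ip> <username> <LOGIN_OK|LOGIN_FAIL>
The thresholds are illustrative starting points, not vendor defaults."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timezone

WINDOW_SECONDS = 300            # fixed aggregation window per source IP
MIN_ATTEMPTS = 6                # quieter sources are not judged at all
STUFFING_DISTINCT_RATIO = 0.8   # nearly every attempt uses a different username
FAIL_RATIO = 0.5                # most leaked pairs no longer work anywhere else

# Constructed sample traffic (RFC 5737 documentation addresses, invented users):
#   198.51.100.7 replays a combo list: new username every try, two reused passwords hit
#   203.0.113.5  hammers one account with many passwords (classic brute force)
#   192.0.2.20   is a shared office egress: many users, but every login succeeds
#   192.0.2.10   is one person who mistyped once and then logged in
SAMPLE_LOG = """\
2025-04-23T10:00:00Z 198.51.100.7 alice@example.com LOGIN_FAIL
2025-04-23T10:00:01Z 198.51.100.7 bob@example.com LOGIN_FAIL
2025-04-23T10:00:01Z 198.51.100.7 carol@example.com LOGIN_OK
2025-04-23T10:00:02Z 198.51.100.7 dave@example.com LOGIN_FAIL
2025-04-23T10:00:02Z 198.51.100.7 erin@example.com LOGIN_FAIL
2025-04-23T10:00:03Z 198.51.100.7 frank@example.com LOGIN_FAIL
2025-04-23T10:00:03Z 198.51.100.7 grace@example.com LOGIN_OK
2025-04-23T10:00:04Z 198.51.100.7 heidi@example.com LOGIN_FAIL
2025-04-23T10:00:00Z 203.0.113.5 mallory@example.com LOGIN_FAIL
2025-04-23T10:00:01Z 203.0.113.5 mallory@example.com LOGIN_FAIL
2025-04-23T10:00:02Z 203.0.113.5 mallory@example.com LOGIN_FAIL
2025-04-23T10:00:03Z 203.0.113.5 mallory@example.com LOGIN_FAIL
2025-04-23T10:00:04Z 203.0.113.5 mallory@example.com LOGIN_FAIL
2025-04-23T10:00:05Z 203.0.113.5 mallory@example.com LOGIN_FAIL
2025-04-23T10:00:00Z 192.0.2.20 u1@corp.example LOGIN_OK
2025-04-23T10:00:01Z 192.0.2.20 u2@corp.example LOGIN_OK
2025-04-23T10:00:02Z 192.0.2.20 u3@corp.example LOGIN_OK
2025-04-23T10:00:03Z 192.0.2.20 u4@corp.example LOGIN_OK
2025-04-23T10:00:04Z 192.0.2.20 u5@corp.example LOGIN_OK
2025-04-23T10:00:05Z 192.0.2.20 u6@corp.example LOGIN_OK
2025-04-23T10:00:00Z 192.0.2.10 alice@example.com LOGIN_FAIL
2025-04-23T10:00:20Z 192.0.2.10 alice@example.com LOGIN_OK
"""

@dataclass
class IpStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)      # distinct usernames tried
    successes: set = field(default_factory=set)  # usernames that got in

def parse_line(line):
    ts, ip, user, result = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, ip, user, result == "LOGIN_OK"

def bucket_stats(log_text, window_seconds=WINDOW_SECONDS):
    """Aggregate attempts per (source IP, fixed time window). A burst that
    straddles a window boundary is split; a sliding window would avoid that."""
    stats = defaultdict(IpStats)
    for line in log_text.strip().splitlines():
        when, ip, user, ok = parse_line(line)
        s = stats[(ip, int(when.timestamp()) // window_seconds)]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.successes.add(user)
        else:
            s.failures += 1
    return stats

def classify(s):
    """Label one IP/window bucket. The distinct-username ratio separates combo-list
    replay from single-account brute force; the failure ratio keeps a busy shared
    NAT whose users log in normally from being flagged."""
    if s.attempts < MIN_ATTEMPTS or s.failures / s.attempts < FAIL_RATIO:
        return "normal"
    if len(s.users) / s.attempts >= STUFFING_DISTINCT_RATIO:
        return "credential_stuffing"
    if len(s.users) <= 2:
        return "password_brute_force"
    return "normal"

def detect(log_text):
    """Return ({ip: verdict} for flagged sources, sorted list of accounts that need
    a forced password reset because a stuffing source logged in as them)."""
    verdicts, at_risk = {}, set()
    for (ip, _window), s in bucket_stats(log_text).items():
        verdict = classify(s)
        if verdict != "normal":
            verdicts[ip] = verdict
            if verdict == "credential_stuffing":
                at_risk |= s.successes
    return verdicts, sorted(at_risk)
```

The accounts returned in the second value are the ones the site operator would force to reset, since a combo-list source authenticated as them.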
Actor Spotlight: ShinyHunters
ShinyHunters is a cybercriminal group known for high-profile data breaches and a relentless pursuit of sensitive information, and has carved out a reputation as one of the most prolific and dangerous actors in the cybercrime arena. They are known to infiltrate company databases, exfiltrate sensitive information, and then sell this data on underground forums or use it for extortion. They are not shy about sharing this information on dark web sites created to share exfiltrated data. ShinyHunters use advanced hacking techniques to gain unauthorized access to company systems. They often exploit vulnerabilities in web applications, engage in credential stuffing attacks, and use phishing campaigns to steal login credentials.
How to Avoid Being Exploited in a Credential Stuffing Campaign
Everyone can follow some simple steps to employ robust password hygiene and reduce the risk of a password being brute forced or exploited in a credential stuffing campaign.
Turn on multi-factor authentication (MFA) for important accounts like financial and banking sites.
Use a password manager such as LastPass, Bitwarden, or 1Password to generate and store complex passwords.
Don’t reuse passwords. Have a unique password for every login and streaming service you sign up for.
Choose passwords at least 16 characters in length.
Include symbols and numbers for increased complexity.
Avoid using passwords with dictionary words or names.
Don’t use sequential numbers or the word “password”.
Don’t use the year of your birth or anniversary in your password.
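The rules above, as an added example that is not part of the original post: a checker that reports which of the listed rules a candidate password breaks, and a generator that produces a password satisfying all of them. The dictionary and name lists are tiny constructed stand-ins for the full wordlists a real check would load.

```python
"""Check a password against the hygiene rules listed above and generate one that
passes (added example; COMMON_WORDS and COMMON_NAMES are constructed stand-ins)."""
import re
import secrets
import string

MIN_LENGTH = 16
COMMON_WORDS = {"password", "summer", "winter", "dragon", "monkey", "welcome", "football"}
COMMON_NAMES = {"alice", "michael", "jennifer", "david", "sarah"}
# Any 19xx/20xx group is treated as a birth or anniversary year. This also catches
# random digits that happen to look like a year, which is an acceptable false positive.
YEAR_RE = re.compile(r"19\d{2}|20\d{2}")


def has_sequential_digits(pw, run=3):
    """True if `run` or more consecutive digits ascend or descend by one
    (e.g. 1234 or 9876); 1357 does not count."""
    for match in re.finditer(r"\d{%d,}" % run, pw):
        digits = [int(c) for c in match.group()]
        for i in range(len(digits) - run + 1):
            window = digits[i:i + run]
            steps = {b - a for a, b in zip(window, window[1:])}
            if steps == {1} or steps == {-1}:
                return True
    return False


def check_password(pw):
    """Return the list of hygiene rules the password breaks (empty list = passes)."""
    low = pw.lower()
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in pw):
        problems.append("no numbers")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbols")
    if "password" in low:
        problems.append("contains the word 'password'")
    if any(w in low for w in COMMON_WORDS - {"password"}):
        problems.append("contains a dictionary word")
    if any(n in low for n in COMMON_NAMES):
        problems.append("contains a name")
    if has_sequential_digits(pw):
        problems.append("contains sequential numbers")
    if YEAR_RE.search(pw):
        problems.append("contains a year")
    return problems


def generate_password(length=20):
    """Random password from a CSPRNG (what a password manager does for you),
    regenerated until it satisfies every rule in check_password."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(pw):
            return pw
```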
Interview with DarkOwl’s Alison Halland and Jennifer Ewbank
August 26, 2025
For the fourth year in a row, in honor of Women’s Equality Day today, August 26th, the DarkOwl marketing team highlights the women in our workforce. This year, our DarkOwl Chief Business Officer, Alison Halland, interviews a member of our Board of Directors, Jennifer Ewbank. DarkOwl is very proud of our women leadership and workforce and strives to continue to build a balanced workforce with the most talented and effective team possible.
Interview: Thoughts on Being a Woman in Cybersecurity from Two Members of DarkOwl’s Team
To commemorate Women’s Equality Day, we sat down for a candid interview about working in the cybersecurity industry with two women from our team.
Editor’s Note: Some content has been edited for length and clarity.
Intro
In a world increasingly reliant on digital infrastructure, the need for robust cybersecurity has never been more critical. Yet, as the threats evolve, so too must our approach to building the defenses. One of the most promising avenues for strengthening our digital shield lies in fostering a more diverse and inclusive cybersecurity workforce, particularly by empowering women in this vital field.
While challenges remain, the landscape is shifting. Just a few years ago in 2019, women constituted only about 20% of the global cybersecurity workforce. Today, that number has modestly, yet significantly, climbed to around 25%, with projections aiming for 30% by 2025 and potentially 35% by 2031. This upward trend is a testament to the incredible talent and dedication of women who are stepping up to fill a critical void, especially given that an estimated 3.5 million cybersecurity roles remain unfilled globally between 2022 and 2025.
Over half of all cybersecurity professionals, regardless of gender, entered the field from non-IT backgrounds. This includes 17% who transitioned from entirely unrelated careers, 15% who leveraged formal education, and another 15% who are self-taught or independently explored the space. This highlights that a passion for problem-solving and a dedication to digital safety are far more crucial than a traditional tech background.
Beyond professional strides, the statistics also underscore the importance of fostering safer online spaces. While not directly about careers, it’s telling that only 23-24% of women feel comfortable expressing political opinions online, compared to around 40% of men. The significantly higher fear of online harm, from misogyny to cyberstalking, and its heavier psychological impact, leads women to use more “safety tools” and engage less in online participation. By championing women in cybersecurity, we’re not just building a stronger defense for everyone, but also fostering a more equitable and secure digital world where all voices can thrive without fear.
Join us as we celebrate the trailblazing women who are shaping the future of cybersecurity, inspiring the next generation, and proving that diversity is our greatest strength in the digital age.
Alison: Thank you so much, Jennifer, for taking this time. I always enjoy speaking with you. And for those of you that don’t know, Jennifer Ewbank served as the Deputy Director of the CIA for Digital Innovation. And you were there from 2019, having recently retired in January of 2024. Did I get those dates right?
Jennifer: I was in that role from 2019 to January 2024, and then I retired from CIA a couple months after that. Yes.
Alison: And then Jennifer joined the DarkOwl board in 2024, and she’s been instrumental in helping us navigate the government landscape and providing us with so much feedback. So thank you for that, Jennifer. Thank you.
I wanted to do something a little bit different and dig into some of your background. Women’s Equality Day is coming up August 26th, and this is celebrated every year to commemorate the anniversary of the 19th Amendment to the Constitution, which granted all of us women the right to vote. I wanted to ask some questions geared both at your background, how you got into the CIA, and focus a little bit on women in that field.
As we know, there’s a huge gap globally right now in that field. There’s an estimated 3.5 million cybersecurity roles that were unfilled in the last three years. So there’s a talent gap. And, according to some of the statistics I was looking at, women only represent about a quarter of the global cybersecurity workforce, which is up from 20% in 2019. But I think that’s a pretty modest increase.
To kick things off, I am curious what it was like coming up through the CIA – specifically as a woman and if you ever faced any kind of imposter syndrome, or just speak a little about what it was like to be a female within the CIA organization.
Jennifer: Thank you. So a bit of this is going to be like archaeology for young people, right? Because, you know, I joined the CIA long, long, long ago. I didn’t join in a technical field, I joined in the operational world. Hollywood would have you think that that’s James Bond, which is obviously glamorized and dramatized. But, there’s some truth to the fundamental tasks that one has to perform in operations. So that is collecting secrets about what your adversaries around the world want to do to harm the United States and our allies. So that’s terrorist plots, it’s plans to proliferate weapons of mass destruction, it’s plans to penetrate our government with espionage, lots and lots of plans for a coup, plans for international narcotics trafficking. And the job was to go out and find those things and thwart the threats.
Alison: How old were you when you stepped into the operation?
Jennifer: I was young. So, I was in the State Department first, joined in my late 20s, and then a few years later, now people are going to do their math because you have a lot of smart people at DarkOwl. A few years later, the Cold War ended and our mission really changed at the State Department. I had joined thinking I was going to fight international communism through diplomacy, which was, you know, kind of corny, I think people would think today, but that’s how I grew up – a child of the 60s and the space race. And those things really mattered to me. And so the mission changed. I had a great experience, but I thought, hey, I want to do something else. And I wanted to do something a bit, I don’t know, let’s say bold. So I went off and did something that most rational people don’t do, which is join the CIA and become an operations officer. So I was still young at that point.
I spent decades moving around the world to different countries every couple of years, learning a different language, meeting new people, tackling new issues, and then climbing the ladder at the CIA in the operational world to become a chief of station, which is their senior most role in each country, that is responsible for everything CIA does, but also is kind of a coordinator, integrator of everything the broader intelligence community does.
I served in that role four times. As I tell people, it was small, medium, large mega stations all the way through the stack. And then after that last experience, I was invited to take this Digital Tech Deputy Director role by our Director.
Alison: Had any females served in those roles?
Jennifer: It’s a good question because when I joined, there were very, very few women in operations. It had a certain stereotype of who a “successful” officer was, and that stereotype was a very outgoing, extroverted, sociable guy. And there was a reason for that stereotype because that’s what the world was and those were the people who were successful. And somehow I thought, well, I can do that. And all those things I just described, I am not a single one of those things: not a guy, not an extrovert. I’ll phrase it this way, it’s an extreme career. If I wanted to be an astronaut, which I wanted to be when I was a child, or a fighter pilot, or a firefighter, it’s an extreme career, it’s all consuming, and it demands a lot of people. It demands everything of you. It’s full commitment. I thought, you know, I’m going to try that.
The challenge, back to our theme, was that there really were very few women. I didn’t work for a woman directly for, oh, I don’t know, 15 years. And I didn’t really have in my orbit people who would be role models or sponsors or mentors who happened to be women. The good news, in a way, and of course, like any large organization, the CIA has had its issues over the years, but, in some ways, the CIA is the ultimate meritocracy. It is all about outcomes. And so you deliver, and now that’s not to say that there aren’t individual cases where people experience discrimination of one kind or another, because of course, they’re human just like any other place. And so, good is balanced with people who aren’t so great. But more or less, it is a meritocracy and that’s how you kind of succeed. And so luckily for me, I worked for bosses who were keen to just get great results.
If I can just make a little bit of a detour, I’ll share with you. So my first tour, as we call our assignments overseas, my first tour as a case officer with operations, I would say the first year, I really did flail about a little bit trying to figure out how I’m going to do this. Because, again, there was a certain stereotype for how the job was done. And I’ll oversimplify, but it’s, you know, roll into a diplomatic reception, lots of glad handing and, you know, whiskey in one hand and a cigar in the other hand. And, inviting everybody, invite guys out to play golf and late-night drinking. Socially, it was a certain stereotype. And I wasn’t any of those things. And in the country where I was serving, it was not usual for young women to come rolling into a reception alone and chat up men. And so it wasn’t structured for my success and I wasn’t really designed for that. And so I had, at the end of about my first year, I won’t call it a crisis, but a real moment where I had to dig deep and I thought if I’m going to succeed I have to figure out a different way to do this and I’m not ever going to succeed if I play this game by the rules that exist today. I had to – this is going to sound a little strange perhaps – sit back and really analyze who these people were who were succeeding in a traditional model: those who were out in our environment had access to secrets that we really needed to collect for the agency and for our country. And then what were my comparative advantages in this environment? What were the things that I could do that other people couldn’t do? And there were some things. And I had, I’ll say modestly, I had exceptional foreign language skills in this very difficult language. None of the men in my office did. So that gave me a leg up. I had, therefore, a deeper connection to culture and history of that country than others did. 
I was very good at what we called handling things – our assets, our sources, really maximizing the collection of intelligence, handling the cases well with good tradecraft, securely. There were things that I did well and that I could handle a large volume of work. And so I could just continue – continue to pump out more and more and more and more. And so, I found a way to take those things that I did well and turn them into my special way of doing the job and delivered results. As I was saying, it’s a meritocracy. And so, at the end of that second year, I sat down with my supervisor and we had an annual performance review. He was a great guy, very candid. He said, look, I’m struggling with how I evaluate you. And I said, okay, talk to me about that. And he said, you’re producing a lot, but I don’t see the classic approach and skills being honed. I said, okay, that’s fair enough. But is the challenge to produce or is the challenge to be like everybody else? And to his credit, he said, you’re right. And we had a narrative section, then we had numbers, we scored on various skills. And so he struggled with the scores. He’s like, you know what, you’re right. And he gave me the top numerical score for all those categories because of the delivery. So that’s a really long way of saying that meritocracy did matter. But that’s not to say it was easy, not at all.
Alison: Was there scrutiny over your different approach? Sounds like there was.
Jennifer: There’s a lot. That’s an interesting question, actually, because in the CIA, particularly in the operational world, there’s a lot of autonomy. You are trained, you are vetted, you are trusted to do things appropriately without supervision because the job is alone. You’re out doing your job alone. And so you go out and do your thing, come back and report. You’re expected to report fully and with integrity in detail on everything you’ve done. And so I did not encounter resistance along the way. So it’s really a long way of saying that it’s a really hard job. It’s a really hard job and it takes everything out of you.
I wrote a book review recently. Somebody had written a book about being a woman in the CIA, and I said something about it being a career guided by the goddess Kali, you know, both destruction and creation simultaneously – a job you love, even as it’s basically ripping you apart. And it’s just, all-consuming, and it was. So I will say that’s a long description of the job, but I came up through that world in a career that tracked the development of digital tech and its application to this very specialized, challenging mission.
And so when I, in 2019, was returning from one of these big posts, our largest place overseas, our director invited me to become one of her deputy directors for digital innovation, as you mentioned, which is all the digital tech stuff. So IT, global secure communications, cybersecurity, cyber collection, open source intelligence, data science, artificial intelligence, a bunch of policy and legal stuff and then training and education, et cetera. Lots of other things hanging off of that directorate, but a big job. And her intent in doing that was to bring somebody with a field perspective, a practitioner, to come partner with amazing technologists to serve as a bit of a catalyst. And that was a great experience for me. I hope people who worked with me would say the same. I think it was overall quite successful. But that was my, let’s say, non-traditional path into digital tech.
I wasn’t completely ignorant of it all. I had some background and I’d certainly been on the user end of every new technology that we had created. And by nature of the teams that I led overseas, we were actually right in the mix innovating with technologists to solve tough problems in tough places. And so it gave me, I would say, a complementary perspective on what we needed to do in digital tech to succeed.
Alison: Do you feel like you garnered more respect in that role because you had already been in an operational role and actually been boots on the ground, as they like to say?
Jennifer: Well, you know fair question – so the CIA is a large organization and like any large organization you have your different tribes and cultures and so coming into digital tech, I would suggest there were probably a few senior officers there, officials who thought that they should be in my job. Right? Why do we need this outsider? And so there was a bit of skepticism. It did help in two different ways, initially it helped in terms of credibility with folks in the operational world and the analytic world – kind of more directly mission facing roles – recruiting spies, producing analysis for the president, doing the things that the CIA was created to do. And so with them, I think it gave me direct credibility. And there was a lot of engagement around what they needed? What were we doing well? What could we do better in the future, etc. So I think that was helpful for what was a relatively new organization at the time, this directorate.
And then over time, and it didn’t take that long, I figured out what my complementary skill set would be to lead that organization and part of it was really all around that connection to mission – the connection to the big “why,” a sense of purpose around what we are here to do and then rallying that organization around a common understanding of what our key challenges were, which were in the form of a particular very aggressive and capable adversary. I think that helped a lot because I didn’t try to pretend that I was going to be the best data scientist or that I was an expert at cybersecurity more so than the CISO, none of that. I always approached those discussions with humility in terms of the technical expertise, but confidence in terms of what I understood we needed to accomplish and I think that balance worked.
Alison: Did that skepticism motivate you or intimidate you?
Jennifer: You know, it did not surprise me. It did not intimidate me. I mean, I’m kind of driven anyways. So I guess motivation? Sure, sure. It pushed me to dig deep and figure out what I was going to do. Again, back to that story from my first assignment last year. What were my strategic or comparative advantages? How was I going to play to my strengths and not focus on trying to polish up any perceived weakness, right? I think a lot of people waste time on weaknesses. Of course, you know, you want continuing education, you want to keep learning, you want to keep developing, all of that’s great. But if I spend all my time thinking about my relative deficiencies in, you know, coding Python, that’s a waste of my time and energy. And that’s not how you win. You win by playing to, I believe, your comparative strengths. And so I cataloged those. I looked across this organization with thousands and thousands and thousands of people and billions of dollars in budget all around the world. And yes, I can say there were a handful of things that I brought that nobody else did. And that’s what I tried to focus on.
Alison: Did you go through the activity of actually writing those down, pen to paper?
Jennifer: I would say it was a mental list in that instance. But over time, sure, I did kind of articulate those things. But I think that does go back to that first, that very first, very difficult assignment with the CIA, doing an impossible job. I mean, most people would consider it an impossible job. And trying to figure out how on earth I was going to succeed if what I had learned in training and the model that I saw all around me was not the model that would work for me. So very much the same approach.
Alison: Well, I love it. That’s a good segue. I’m curious if you were in a room right now with a bunch of high school girls that wanted to go into cybersecurity or more specifically into the CIA, it sounds like one piece of advice would be to figure out your comparative advantages, potentially. What else would you share in terms of advice?
Jennifer: It’s a good question. I actually had the opportunity a few months back. I spoke at an unusual cybersecurity conference and unusual in the sense that it was at a university and they invited a really large number of high school seniors to come explore careers in cybersecurity. And what I would try to tell people is to spend a little time and think about the broader issues at play in cybersecurity. There could be those who just like the technical challenge and that’s fantastic, right? I love that. That only takes you so far. And I think going back to something I’ve already said, figuring out what you want to accomplish in life. I don’t mean you have to know everything when you’re 18 years old, not that, but what matters to you? What’s important? How do you find a sense of purpose in what you do? Because of course you need a job, and of course you want to be paid for that job, but the thing that keeps you coming back every day, I mean it is work and there can be bad days and good days. There’s going to be challenges. The thing that keeps you coming back is if you are connected to some broader purpose. In my corny example, I really did grow up in a family where we valued service to our country, where we thought it was important to defend the United States, where you wanted to fight communism, all that kind of stuff. And without over-dramatizing it, there is a similar dynamic at play today between digital tech in open societies and digital tech in digital authoritarian countries. And there’s this whole competition playing out that is going to determine the future of humanity. And if one can stop for a moment and just think about that, most people, I think, in the United States would think: “oh, yeah, I can really get behind that”. That’s really important. I need to defend. If you’re interested in cybersecurity, fantastic. Then you’re on the front lines of that battle.
And so I would encourage people to think about what that purpose might be. I would encourage young people, women, young girls, to be a little bold. Be unconventional. Don’t worry. Of course, I grew up like every other teenage girl that wanted to be like other people. But if I look back, the people, the heroes, the heroines who really resonated with me were completely unconventional. They were bold, resilient, a little audacious, maybe a little controversial even. And those were the people, those were the women I thought about.
So if anybody’s looking for great books that they didn’t read when they were at school, one of them that really stayed with me was “West with the Night” by Beryl Markham. And Beryl Markham was the first person to fly westward across the Atlantic successfully. A lot of people tried and some had died in the process. Everyone thinks of Amelia Earhart, very intrepid, intelligent, compelling figure, and she flew across the Atlantic east, right, but west is much harder, much, much harder. Earhart had had a team, but Beryl Markham did it alone and westward, and she was the first ever, and she wrote about it in this book – that I should go back and read – but what I remember of it was just so compelling and I just thought man, what a badass, right? And something in me clicked. I’m like, yeah, you know, that’s what I want. That’s what I want. I didn’t end up doing that, but in my own way, I landed in a career that was unconventional and a little bold and on days maybe even a little bit dangerous.
And I would just challenge young women in a society that wants to cocoon them in bubble wrap to just take some chances and be bold and try something that you think might make you nervous, might be hard. That’s okay. Just get out there and do it.
Alison: I think that’s great advice for high school seniors that are contemplating what they want to be when they grow up, or at least where do I want to put some of my energy? Do you think organizations should encourage more participation from non-traditional groups?
Jennifer: I think there are a lot of things that can be done. And the CIA, for whatever its reputation may be, and we’re a democracy, people are going to have different views on it, and that’s fine. There are a lot of people in the United States who might not say that they support an intelligence service. It’s just a reality of the world that every country has one, and you need to know what your adversaries are trying to do to you. So there may be people out there who think they don’t really like the idea of an intelligence service and that’s okay. But I will say that despite the reputation, it is mostly about merit. And I started at a time when there were very, very few women. And then fast forward, and when I became Deputy Director for Digital Innovation, without going down a rabbit hole here, there are five directorates. Each one is headed by a deputy director. The five deputy directors basically run the CIA, and then you have a director. And so when I became deputy director of digital innovation, all five directorates were headed by women and the director was a woman. In fact, six of the top eight positions in the CIA were women.
And so, you know, it didn’t take me long to just pause and think, you know what? Wow, things change. Things can change. They do change. And I’ve always felt it’s my responsibility to, if I walked through a door, I need to keep it open and help others. But I never felt it was my job to give somebody a particular advantage. I wanted people to have the opportunity to compete.
And so a couple things I’m going to say about that. I saw moments when I felt that there should have been more women in, say, some group of leadership positions. And I was also in a position years ago where I oversaw selections for key leadership positions and found myself very disappointed a few times by how few women put themselves out there for the roles. And it’s a bit of a stereotype, I understand this, but it seems to hold true. If I have a job vacancy that says you must have these 10 skills and a man has two and a woman has eight, the woman won’t apply and the man will. And I know that’s a stereotype and I’m generalizing, but there’s something to that.
So I had to do the selection of some of the most coveted senior leadership roles and I was heading a panel to do so. I was in charge of that entire process. And one year, the deadline was passed and all the applications were in. And I looked around, I thought, wait a second, we have 10% of the applications for women for these key roles that are catalysts for something more in the future that are great jobs and they give you a leg up, right? And so the next year, when the same process came around, like I said, I never wanted to give anyone special advantage, it’s not about that, but I did start calling a bunch of people and just saying, did you see these vacancies? Have you ever thought of yourself as, in this case, a chief of station? Have you ever thought about applying? And by the way, I’m not calling to tell you that you would get a job. I’m just telling you that I’d love to see your name on the list. And just trying to encourage people to apply, it really does make a difference. It can make a big difference.
The other two things I will say, we did really, really well, as I used to put it, as an organization that represents the United States. I would love our organization to be representative of the United States. But, you know, we’re in digital tech, so we have to also deal with demographics in the US. What percentage of college graduates with technical degrees are, you know, various demographics? And we were very careful not to measure and hire by any of those demographics because you can’t in government. It’s not lawful. But I wanted to make sure that the pipeline had a really rich representation. And so, honestly giving applicants the opportunity in the interviews, in the recruiting fairs, and all of that to actually see that diversity in action, to see a group of recruiters who look like America, that actually made a difference. There’s a psychology in that where people walk into a room, it’s a job fair, and you come to a table and you’ve got say five or six people, and you look across the five or six people and you’re like, oh, I do kind of fit here. Right? That has an impact.
The other thing I will say though, because I’ve always had a bit of a difficult relationship with what we used to call agency resource groups, the groups representing the interests of certain demographics. And lots of large organizations have these. So maybe it may be based on a gender issue or race or something else. And at the same time, I always felt, like I said before, I wanted to open the door behind me and bring people. And so I had many opportunities to serve, as what we used to call, executive champion for these organizations. People would ask me, would you please serve as executive champion for this resource group? And I did. I served as an executive champion for three particular resource groups. I had the same conversation each time, which was that, you know, I’d love to, but I just have two requests. First is that whatever programming you offer, you know, if it’s a seminar or it’s a webinar or if it’s a job, it’s a career fair, whatever it is, it needs to be open to everyone in the organization and needs to uplift everyone.
And then two is, I will never say or do or tolerate, in any session, somebody suggesting that people in this group are victims in any way. I just don’t think that’s productive. And I said, if that’s okay with you, then I’m all in. I’ll do everything I can. And it was. So, and I know that may sound a little tough, but just growing up in CIA early in my career, of course there were women’s groups, it didn’t have the positive impact that I would have hoped and I was glad to see over the years that changed and it was really about providing resources and uplifting everyone. So I’ve always had this slightly, not difficult, but nuanced relationship with those efforts. And for me, what worked best was to try to uplift everyone, ensure that the programming was for everyone and to avoid falling into a pit where discussions were around how, all the different ways that I’m a victim as a woman.
Alison: That resonates with me too, because I feel like I’m oftentimes the only female in the room when we have external meetings. The other day I looked around and it was seven guys and me. And I always, I always want the opportunity to be in that room, but I 100% want to be in that room because I’m qualified, not just because I am the token female.
Jennifer: I had lots of unique experiences like that. Most of my career, I was the only woman in the room and one of my last assignments as a chief of station was in a country with a military junta so everyone was a general. They were all men. And in the 75 years that the CIA had a presence there, there had never been a woman in the role. And so it was just a fun experience for me. I just took it as my own challenge to convince them through my own actions and professionalism that, hey, guess what? A woman can do this. And by the way, when I leave, you’re gonna think that I’m better than any of them were. That was my goal.
Alison: Any final thoughts, closing remarks, tying back to Women’s Equality Day or words of wisdom or even a fun story? Because I know you’re full of them.
Jennifer: Oh, no, I don’t want to bore people with more stories. I just think for anyone who’s considering cybersecurity, if we want to go back to that in particular, I just think it’s a fantastic time, right? Because A, there’s such a need, and B, there’s so many different pathways to cybersecurity. And yes, there’s a more traditional one where I’m going to go to university, I’m going to get a degree in a relevant field, and then I’m going to study and get a certification. That’s great. Fantastic. And that’s today the typical way, and it’s a really wonderful one. I also know people who’ve come through many other different paths. So one of my friends who’s quite well known in cybersecurity circles has her own company. She came up through the intelligence world, working on insider threat issues and then built her own company and built her own skills. And I’m sort of in a perpetual state of self-education on all of these issues and I try my best. My sweet spot is sort of cyber security for the C-suite, so not the deeply technical piece, but really thinking about the strategy and the rest of it. But there’s so much out there, there’s so much opportunity. I would suggest for anyone who’s really interested, I guarantee wherever you are today, you can map a path. And it can be through self-study, it can be through online certifications, it can be through a traditional education process, it could be on the job training, it could be lots of different things. And maybe if I’m thinking about the future and building a really successful cybersecurity career for the future, somebody is eager to do that, I would invest a little extra time to develop some level of data fluency, to really start thinking about what is coming, it’s already here in some respects, but what’s coming is really that confluence of data science and cybersecurity, where the two are gonna have to be working hand in hand. 
And the people who will have the superpowers in the not-differentiated future and who’ll be leading in this field are gonna be those who understand data, AI, and cybersecurity. That’s the sweet spot, I think, for the future where women, men, anyone can really carve out an exciting and successful career.
As families, students and teachers prepare for the new school season, we wanted to take some time to cover one of the toughest battles for parents today: keeping their kids safe on the internet. The internet can be a dangerous place. It connects us with millions of people from all walks of life—and unfortunately, some of those people have bad intentions.
The National Center for Missing & Exploited Children (NCMEC) reported a 197% increase in reported CyberTips—totaling 36.2 million reports—and a staggering 1,325% increase in AI-generated CSAM (child sexual abuse material) cases. These numbers are only expected to rise.
So, what is being done about it? While there are law enforcement task forces like Internet Crimes Against Children (ICAC) and new laws being passed to prevent CSAM, it’s simply not enough.
So, What’s the Answer?
It’s simple: Education and communication, not just for children, but for us as parents too. Fortunately, there are great online resources that can help us educate both ourselves and our children.
One of my favorite resources is NetSmartz, a program by NCMEC. It provides interactive games, videos, and resources for children of all ages to learn about online dangers. It also offers helpful materials for parents to guide their conversations.
Mistakes Will Happen!
Even with all the education in the world, kids will make mistakes online. Just look at adults—many still fall victim to online fraud, which is now a billion-dollar industry. We can’t expect our kids to be perfect either; mistakes are how we learn best as humans.
The goal of education isn’t to prevent every mistake; it’s to teach kids how to recognize warning signs and know what to do before a mistake becomes too serious. It’s also about creating an open line of communication with a trusted adult.
As my father always said:
“Son, I’ve never made a mistake in my life—because I’ve learned from all of them. That makes them learning experiences.”
Expect mistakes. The goal is to make sure they’re small and that every mistake becomes a learning experience.
My Favorite Resource from NetSmartz
One of the most valuable tools from NetSmartz is a guide called “Protecting Your Kids Online 2.0.” It presents a simple, three-step approach: Connect, Learn, Engage.
1. Connect
This first step is all about setting clear ground rules and having honest conversations about them. These rules might include limits on screen time, restrictions on certain apps or websites, or guidelines about online behavior. The key is to ensure everyone understands what’s expected.
This phase also involves researching devices, apps, and games before purchase. Ask questions like:
Does this game or app allow in-game chat or direct messaging?
Can users send images, videos, or share their location?
While monitoring tools may seem like an easy solution, they aren’t foolproof. Kids determined to bypass controls often can. Instead, focus on teaching them about risks, warning signs, and what to do if something goes wrong.
2. Learn
This step falls mainly on parents. You need to learn about the platforms your kids are using, whether it’s a video game or a social media site. Understand how strangers can contact them and review the platform’s privacy settings.
Start teaching kids about:
Sexual conversations, roleplay, and grooming behaviors
The importance of never sharing personal information like their school, sports team, or favorite hangouts
Recognizing red flags such as:
Unsolicited inappropriate images or videos
Promises of gifts or free items
Strangers pretending to be younger
Threats or extortion tactics (“I’ll tell your parents/school!”)
Mistakes will happen. But if kids know the red flags, they’ll be more likely to stop before something serious happens and, ideally, they’ll feel comfortable telling a trusted adult.
3. Engage
The final step is engagement, which means having ongoing, open conversations about online safety.
Personally, I aim for a monthly chat with my kids. I ask if they’ve noticed anything suspicious, remind them about online red flags, and reinforce that they can always come to me if something feels wrong.
Another great way to engage? Play their favorite games with them! Challenge them to a duel; it’s fun and also lets you learn more about the platform they’re using. This helps build trust and shows you care about their interests, making it easier for them to open up.
Lastly, be prepared for how you’ll respond if your child comes to you with a mistake. While every family disciplines differently, I encourage you to focus more on communication than punishment. The goal isn’t just to “punish”; it’s to encourage honesty and prevent more serious problems down the line.
How to Report It
When an online incident happens, here’s what to do:
Report it to the platform or app where the issue occurred.
Don’t delete anything until you have made your report or taken screenshots.
Submit a CyberTip to NCMEC (https://report.cybertip.org/).
Anyone can file a report, anonymously or with contact info.
You can upload screenshots or files.
NCMEC reviews every tip and forwards it to the appropriate provider and law enforcement, if necessary.
Involve law enforcement, if the situation is serious.
Before reporting, review the incident carefully. Is it simply an inappropriate conversation, or something more severe? Don’t delete messages or evidence; you’ll need to provide this information to investigators.
Once reported, sit down with your child. Make sure they understand what happened, talk through next steps, and explain any consequences clearly, again, balancing discipline with communication.
Summary
Education, for both parents and kids, is the only way to prevent online crimes against children. We can’t shield kids from technology entirely, so we must teach them how to navigate it responsibly.
Resources like NetSmartz offer incredible tools for both parents and children. And remember, there are thousands of law enforcement officers and volunteers working every day to make the internet safer.
Don’t be afraid to have these conversations. Your kids will make mistakes, but mistakes are often our greatest teachers. The key is to catch red flags early and turn every misstep into a learning opportunity.
Lastly, if you’re able, consider donating to the National Center for Missing & Exploited Children. Their work is crucial in keeping our kids safe online.
In the ever-evolving realm of cybersecurity—where the dark web lingers just beneath the surface—DEF CON continues to shine as a gathering point for innovation, collaboration, and curiosity. Each August, Las Vegas transforms into a hub for hackers, security experts, policy makers, and tech enthusiasts. DEF CON is more than a conference; it’s a living laboratory of ideas and challenges where attendees can immerse themselves in the cutting edge of technology, explore the boundaries of security, and engage with a global community that thrives on solving the toughest digital puzzles.
Embracing the New Look
Last year, our analysts noted DEF CON’s evolving look and feel—a new location, emerging villages, and community-driven initiatives. DEF CON 33 leaned into those changes with an expanded NextGen Village, growing from 150 young participants in 2024 to over 200 in 2025. Many challenges designed for ages 8–18 ran short, as enthusiastic participants quickly cracked puzzles and riddles. When non-technical parents couldn’t help, seasoned attendees stepped in to guide the next generation of hackers.
DarkOwl representatives even assisted one young challenger in conducting an OSINT investigation to locate a ‘mysterious’ individual needed to earn scavenger points—fitting, since OSINT is one of the many services DarkOwl provides. The rep, a longtime subscriber to DarkNet Diaries, brought real-world investigative expertise to the challenge.
Another community gaining traction is the Noob Community, connecting newcomers to experienced hackers through Capture the Flag competitions and skill-building events. DEF CON 33 also introduced DEF CON Academy, a new initiative by Arizona State University that creates hands-on opportunities for learning and practicing cybersecurity skills in a collaborative environment.
No Surprise: AI Took Center Stage
The AI Village was, unsurprisingly, one of the busiest at DEF CON 33. Attendees waited up to two hours to explore deepfake implications, attend talks on large language model integrations, and learn about securing AI systems. AI wasn’t confined to one space—across the event, multiple villages tackled AI topics, from the risks of using shared AI libraries across secure and public-facing applications to the potential for those same tools to be exploited.
One of the most anticipated AI-related features was the AIxCC (AI Cyber Challenge), a two-year DARPA and ARPA-H competition aimed at developing AI systems capable of autonomously securing critical code. With $29.5 million in total prizes, including $7 million earmarked for small businesses in the initial phase, the challenge united top AI companies, open-source communities, and security researchers to address urgent cybersecurity concerns—especially those impacting critical infrastructure and open-source software.
From transportation to healthcare, these systems run the backbone of daily life, making their security paramount. The AIxCC semifinals at DEF CON 32 featured a simulated town with hackable infrastructure. For the finals at DEF CON 33, massive infographics showcased real-time results, illustrating vulnerabilities, mitigation strategies, and the winning teams’ approaches. It was an awe-inspiring demonstration of the power of collaborative, AI-driven security innovation.
A DarkNet Perspective – 2025 Insights for DarkOwl
Each year, DEF CON provides an unparalleled opportunity to bridge emerging cybersecurity trends with the realities of the darknet. DEF CON 33 continued this tradition, offering fresh insights directly applicable to DarkOwl’s darknet intelligence mission.
Relevance to DarkNet Professionals
DEF CON 33 underscored that darknet actors are far from the stereotypical lone hackers in basements. Many are highly organized, professionalized networks that continuously evolve their tactics. Increasingly, these groups are harnessing social engineering techniques—not just in phishing emails or scams, but in elaborate trust-building exercises within forums, encrypted channels, and darknet markets. For investigators, understanding these human-driven exploits is just as vital as analyzing technical vulnerabilities.
AI is also reshaping this landscape. On the one hand, darknet actors are experimenting with generative AI to craft more convincing lures, automate disinformation campaigns, and even generate malicious code snippets. On the other hand, DEF CON highlighted how defenders can leverage AI for anomaly detection, threat actor profiling, and rapid analysis of vast data sets. This duality makes AI both a challenge and an opportunity for professionals working in darknet intelligence.
The crossover between digital and physical security—illustrated through lock-picking and physical security villages—remains equally critical. Social engineering often bridges the gap between online deception and real-world intrusion, showing that the human element remains the most persistent vulnerability in cybersecurity.
Conclusion
As DEF CON 33 draws to a close, the takeaways for DarkOwl are actionable and immediate. From AI-driven detection to next-generation crawling tools, the conference has provided the strategies and innovations necessary to refine our capabilities. In an environment where information dominance determines security, DEF CON remains an essential guidepost—transforming the dark web from a chaotic risk landscape into a source of actionable intelligence.
DarkOwl will be at several conferences the rest of the year – meet up with us!
Esports has evolved from late-night gaming sessions to sold-out arenas, multi-million dollar prize pools, and sponsorships from global brands. But behind the glitz and glamour lies a growing problem: the esports industry is increasingly under threat, from cyber-attacks to cheating scandals and even personal safety risks.
This isn’t just about players losing matches or teams missing out on prize money. These threats strike at the very integrity of competitive gaming and pose real dangers to people, organizations, and brands alike.
Esports: A New Cyber Battlefield
Esports platforms, streamers, and tournaments have become prime targets for cyberattacks. The reasons are simple: high visibility, massive online audiences, and often, poorly secured infrastructure.
A report from Control Risks explains that “the sheer popularity of esports, combined with lax security protocols in some areas, makes them an ideal target for DDoS attacks, credential theft, and extortion.” In fact, the report states that over 37% of all DDoS attacks are directed at online gaming and esports platforms.
These aren’t hypothetical threats. In recent years, major tournaments have been halted mid-stream due to attacks, players have been forced offline during crucial matches, and attackers have used ransomware to hold tournament servers hostage.
Cheating, Match-Fixing, and Exploiting the Game
The competitive integrity of esports is under constant assault. Cheating isn’t limited to aimbots or wallhacks anymore. Today’s methods are more sophisticated—and more dangerous.
A 2023 study in the International Journal of Esports notes that, “The esports ecosystem is particularly susceptible to technological manipulation, including the use of third-party software, programmable peripherals, and real-time data exploits.”
Then there’s the issue of match-fixing and betting fraud, which can have far-reaching implications. One infamous case, the iBUYPOWER CS:GO scandal, involved players deliberately throwing a match in exchange for valuable in-game item bets. According to a summary on Wikipedia, the scandal “rocked the North American CS:GO scene and led to indefinite bans for several top players.”
The Esports Integrity Commission (ESIC) has since reported a sharp uptick in similar investigations, especially in lower-tier tournaments where regulation is weaker. As esports gambling grows, both legally and through black-market sites, so too does the incentive to manipulate outcomes.
“The lack of consistent regulation across regions and titles makes it difficult to maintain competitive fairness,” says one ESIC whitepaper. “Without centralized enforcement, threats like match-fixing go unchecked.”
Personal Safety: More Than Just a Game
Esports professionals, streamers, and even fans are increasingly becoming targets of doxing, harassment, and swatting, a dangerous trend where attackers send emergency services to someone’s home under false pretenses.
In a recent legal analysis by Clyde & Co., the authors noted:
“Esports professionals are now public figures, and the legal system has not yet caught up with the need to protect them from online threats that turn into real-world consequences.”
One well-documented case involved a professional Fortnite player being swatted during a live stream, a terrifying experience for the player and his family.
At live events, player safety is also a growing concern. As fan engagement increases, so do the risks associated with in-person appearances and meet-and-greets, especially without proper security measures.
Toxicity and Brand Risk
Toxic behavior in online gaming is nothing new—but in esports, where millions of dollars and high-profile sponsors are involved, it becomes a serious brand liability.
A research paper published on arXiv highlighted the scale of the issue:
“Toxicity in online team competition games is not only pervasive but also contagious. A single toxic player can create a ripple effect that damages team morale and community health.”
Publishers like Riot Games and Valve have begun using AI to monitor voice chat, text logs, and gameplay behavior in real time, but there’s no foolproof solution yet. Sponsors are increasingly wary of being associated with players or teams who become the face of online toxicity.
No Referee? The Regulatory Problem
Unlike traditional sports, esports doesn’t have a centralized governing body. Each game has its own rules, enforcement methods, and approach to discipline.
“This lack of standardized governance has left room for exploitation,” according to a literature review in the Journal of Gaming and Computer-Mediated Simulations. “From doping and cheating to match-fixing and harassment, the fragmented nature of esports oversight has created blind spots.”
Some groups, like ESIC and NASEF, are trying to build frameworks for integrity and accountability, but widespread adoption remains a challenge.
What Can Be Done?
Solving these problems won’t be easy—but there are clear paths forward:
Robust cybersecurity frameworks for tournaments, servers, and team infrastructures
Stronger industry-wide enforcement of cheating, match-fixing, and harassment violations
Support for player safety, both online and in person
Education and awareness campaigns for fans, sponsors, and players
Standardized governance models modeled after traditional sports regulators
Final Thoughts
Esports is thrilling, fast-paced, and full of opportunity, but it’s not immune to threats. Whether it’s a rigged match, a hacked server, or a swatted player, these risks have real consequences.
As the industry continues to grow, we must ensure it grows safely. That means more transparency, better safeguards, and a willingness to tackle the hard problems head-on.
The future of esports is bright, but only if we protect it.
Evan Blicker from DarkOwl explains the three types of internet (Surface Net, Deep Web, Dark Web) and the origins and workings of Tor. The session also covers common misconceptions about the dark web, types of information found there (e.g., PII, banking data, corporate data), and the importance of understanding it for cybersecurity. The speaker emphasizes operational security for investigators and introduces DarkOwl’s role in automating dark web data collection and analysis.
NOTE: Some content has been edited for length and clarity.
Good morning, everybody, and thank you for joining our iTOOsday. Today’s session was made possible by Leslie Cameron, who is the Managing Director of Alert Plus Technologies. Leslie is a seasoned IT professional with a long-standing career in technology, innovation and business solutions. His current focus is on cybersecurity and fraud prevention with a passion for helping individuals stay protected against identity theft as well as online threats. From DarkOwl, we will be joined by Evan Blicker. Evan is a cyber security professional with over a decade of experience in cyber threat intelligence, dark web investigations and digital forensics. He began his career at the Pasco Sheriff’s Office investigating cybercrime and internet crimes against children. He later served as a task force officer with Homeland Security Investigations, where he led transnational investigations focused on the dark web. His unique background bridges law enforcement with corporate security, and he has a deep expertise in OSINT, emerging threats and proactive intelligence strategies. For those of you who are unfamiliar with DarkOwl, they are the industry leading provider of dark net data, offering the world’s largest commercially available database of information collected from the dark net. With that, let’s jump into the conversation.
In today’s session, we are going to explore a side of the internet that very few people truly understand, yet it does impact us all: the dark web. Often sensationalized in media, the dark web is more than just a digital underworld. It’s a thriving ecosystem where stolen data, compromised credentials, cyber attack tools and illicit services are traded like currency. As cybercrime becomes increasingly organized, sophisticated and global, understanding what happens beneath the surface is essential for individuals and businesses looking to stay secure. I’m thrilled to be joined today by our expert, Evan from DarkOwl, which is one of the world’s leading providers in darknet intelligence. Over the next hour, we’ll uncover what’s really happening in the dark web, how it affects you and your organization, and how you can effectively manage against it.
Evan: I’m a cyber threat investigator with DarkOwl. We’re here today to talk about the dark web, kind of unpacking it so we can get a better understanding of what it is, what type of data we can obtain from the dark web and how we can utilize that to better protect our clients, our organizations, and help make the internet a little bit safer.
To start, we have a short disclaimer about this presentation being for informational purposes only. Accessing the dark web manually can lead to security concerns if proper operational security is not followed. So, we want to make sure that this is understood: our presentation today is for informational purposes only.
We’re gonna cover some very awesome topics. We’re gonna go into how the dark web works, its origin, different things that we can find on there and the communities that operate on the dark web. The dark web very much is a community. Similar to any other community, whether you play sports or in the business community or volunteering. However that works, there’s always subsets, there’s always communities in there. So, we’re going to talk about some of those communities. And then we’re going to also go into a little bit about dark web investigations, right? How to utilize this information, how to take it from raw data to actionable intelligence. We’re going to cover a lot. It should be really fun. So, let’s get started.
What is the dark web? That is a question that gets asked a lot because we see movies, we see TV, it’s dramatized as this really cool person sitting in a basement wearing a hoodie, typing away at a black and green screen. And it’s not as cool as that, but it is still pretty interesting. So, there’s essentially three types of internets. The first one is the surface net – all of us here have used the surface net, right? That’s the sites that have been indexed by Google. So, if you have gone to any website like a news provider or to a sports site or any of those other things, that’s the surface net, a website anybody can get to and you can find it through Google or one of the other search engines.
Now there’s also the deep web or deep net. We’ve all accessed this whether you’ve known it or not, and this is any type of website that can’t be found without doing something else. So, for instance, going to your banking site, you have to type in a login to get into your bank account information. Once you type in that login, you go to your bank account site; that itself is the deep web or the deep net. ‘Cause that’s not something that you would want to show up on Google. Could you imagine the world if you could just Google somebody’s bank account and see? It’d be a wild place.
And then we have the dark web or the darknet, and this is an internet that uses standard internet but requires special software. And this special software typically allows for anonymity. It also provides some level of security through encryption. It allows people to bypass maybe countries restriction on certain websites or whatever the case is. And that’s the dark web, which is what we’re going to be kind of focusing on today.
The dark web. It actually got its start by the U.S. Naval Research Laboratory. Onion Routing, it was designed to protect sensitive information for government communications. Then in about 2002, it was released as an open-source project to the public, where it remains as an open-source project, where lots of companies and organizations actually donate to keeping the project alive. So, it went away from its government exclusivity and went into average people, anybody being able to use it for their purposes. Because though when we hear the word dark web, we think cybercrime and criminals, there’s actually some very, very valid uses which we’ll touch into later related to the dark web. It has some good uses in this world. It’s used by a wide range of people seeking anonymity while they’re on the internet. They want some type of encryption for privacy concerns, but it is also involved into such a good complex ecosystem where you have not only people using it for negative purposes, but also people using it for good. The thing that I always kind of fall back on when talking about stuff on the internet is for everything good on the internet, there’s somebody there that’s able to take that good and use it for evil.
There are multiple dark web technologies. The one that we’re going to focus on and talk about today is Tor, because it is the most widely known dark web, but there are several others. So, these are logos from across the different ones. The one in the upper left of the screen, that’s the onion routing, that’s Tor. That’s typically the one, when somebody’s talking about the dark web, that’s what they’re referring to.
The onion router, Tor. It’s multi-layered encryption, right? It means data is wrapped into multiple layers of encryption, and each node that you go through, I’ll explain this a little bit better in the next slide, encrypts only what it needs to, to pass the traffic onto the next thing. So, it typically goes through a minimum of three nodes. You have your entry node, you have your middle node, your exit node. The exit node is what sends your traffic onto your destination. And this allows for your data to be fully encrypted through its path.
And this is its path. Now, for any of those in the audience that maybe have a little bit more knowledge of the dark web, you don’t have to have a minimum of three nodes. You can have seven, eight, nine, adding to your level of protection while using it. But this is typically how it goes standard, right? So, Alice needs to send information to Bob. Bob’s a server. Alice’s traffic will go through three different nodes in a certain pattern. It’s a randomized pattern. And each one of those nodes, each one of those computers that the traffic passes through, only has access to the information it needs to continue that packet onto its final destination. And then at which point it goes to Bob. The only time that that traffic is not encrypted is that final jump from the exit node to the target server. And this allows for that secure communication, right, allowing for that anonymity while using Tor.
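The layering the speaker describes (Alice wraps one layer per node, each node peels only its own layer and learns only the next hop, the exit node alone sees the destination) can be made concrete. The following is an added illustration, not code from the talk or from the Tor project: the circuit, node names and keys are constructed, and the cipher is a deliberate toy (a SHA-256 keystream XOR with no integrity protection) chosen so the block runs with the standard library. Tor’s real relay protocol and cell format are different; only the peel-one-layer structure is being demonstrated.

```python
import base64
import hashlib
import json
import os

# Toy keystream cipher for illustration only: SHA-256(key || nonce || counter)
# XORed over the data. No integrity protection, and NOT what Tor actually uses.
NONCE_LEN = 12


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


# Constructed three-hop circuit: (node name, symmetric key shared with the client).
# Keys are derived from fixed labels so the example is deterministic.
CIRCUIT = [
    ("entry", hashlib.sha256(b"example-entry-key").digest()),
    ("middle", hashlib.sha256(b"example-middle-key").digest()),
    ("exit", hashlib.sha256(b"example-exit-key").digest()),
]


def build_onion(circuit, destination: str, message: str) -> bytes:
    """Client side: wrap the message in one layer per node, exit layer innermost.

    The exit layer names the real destination and carries the plaintext; every
    other layer names only the next relay and carries the still-encrypted inner
    onion, so a node that peels its layer learns nothing but where to forward.
    """
    blob = b""
    for i in range(len(circuit) - 1, -1, -1):
        _name, key = circuit[i]
        if i == len(circuit) - 1:
            layer = {"next": destination, "payload": message}
        else:
            layer = {"next": circuit[i + 1][0],
                     "payload": base64.b64encode(blob).decode()}
        blob = toy_encrypt(key, json.dumps(layer).encode())
    return blob


def peel_layer(key: bytes, blob: bytes) -> dict:
    """One relay's view: decrypt its own layer and nothing more."""
    return json.loads(toy_decrypt(key, blob))


def can_read(key: bytes, blob: bytes) -> bool:
    """True only if this key opens the outermost layer (a wrong key yields garbage)."""
    try:
        peel_layer(key, blob)
        return True
    except ValueError:
        return False


def relay(circuit, onion: bytes):
    """Walk the circuit. Returns (each node's view of its next hop, destination, message)."""
    views = []
    blob = onion
    for i, (name, key) in enumerate(circuit):
        layer = peel_layer(key, blob)
        views.append((name, layer["next"]))
        if i == len(circuit) - 1:
            # Exit node: the final hop to the destination is in the clear, as in the talk.
            return views, layer["next"], layer["payload"]
        blob = base64.b64decode(layer["payload"])


if __name__ == "__main__":
    onion = build_onion(CIRCUIT, "bob.example", "hello Bob")
    views, dest, msg = relay(CIRCUIT, onion)
    for node, nxt in views:
        print(f"{node:6} learns only: forward to {nxt}")
    print("exit delivers", repr(msg), "to", dest)
```

Running it shows the point of the slide: the entry node learns only “forward to middle”, the middle node only “forward to exit”, and only the exit node sees “bob.example” and the message. The `can_read` check shows that the middle or exit key cannot open the outer layer at all, which is why a single compromised relay does not expose the whole path.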
Some of those features that we’ve already spoken about: anonymity, right, it gives you access to .onion websites. So, the Tor network doesn’t use .com or .net, they all end in .onion. It’s decentralized. The Tor project is actually really, really successful and really good at making sure one entity does not own too many nodes, right? Because I think it was mathematically calculated that if you owned 40% of the nodes, you could actually track somebody’s traffic across the Tor network. So, they do a really, really good job, and so does the community, at making sure that the people who are registering Tor nodes, because anybody can do it, it’s on a volunteer basis, don’t own too many of them, right? Because we want to keep this decentralized. We want to make sure that the anonymity that Tor provides us is there. And it also allows you to bypass censorship. Some countries censor the news and the media about what’s going on, and this allows people and organizations in those countries to get valid news of what’s going on in the world. It allows for privacy and sensitive communications. So, take for instance a journalist who is getting ready to break a big story with a whistleblower; this allows them to communicate in a manner which will protect the source and the story, right? And it has multi-platform support. So, you can be on your phone, you can be on your computer, whether it’s Mac, Windows, Linux, and still be able to access the Tor network.
It is downloadable at torproject.org. There is a lot of very, very good information about the Tor project and the dark web on torproject.org. You can actually see all of the different nodes and things that are being used. They do a very, very good job. They also list who donates to them and how they support themselves. And if you are so inclined, you’re able to do that as well.
There are other types. ZeroNet is another big one. Freenet is one that isn’t really widely used anymore, plus you have I2P and then the other ones listed. For the most part, Tor is your primary dark web network that is used today.
We have some common misconceptions, right, because those movies make the dark web look just so utterly fantastic and make everyone feel like a hacker. We have some misconceptions that come along with the dark web. So, the first one: everyone on the dark web is a criminal, and that’s not true. It hosts communities, and some of these communities are just privacy-focused people. Others are based in free speech. Others are trying to help prevent human trafficking or help, you know, refugees out of countries, whatever the case is. There are some very good uses for it, right? Some governments are extremely restrictive on the news and media that their citizens are allowed to see, and the dark web provides that access, right? And it allows journalists and whistleblowers and human rights activists to communicate in a manner in which they can try to help make the world a better place.
The next misconception is that exploring the dark web is illegal, and it is not. Now, there may be activities carried out on the dark web which are illegal. And if you engage in those activities, then yes, now you’re committing a crime and that becomes illegal, but it is not inherently illegal to be on the dark web. There are many legitimate purposes. For instance, the New York Times, which is a very well-known news agency in the United States, has its own dark web site, where it hosts its normal site on the dark web for people that are in oppressed countries. So, these are things to keep in mind.
And lastly, it’s actually not lastly, but the dark web is completely anonymous, and that’s not 100% sure. There are tools and methods that researchers and law enforcement can use and implement to extract information on threat actors, on people that are using the dark web for malicious purposes, right? Law enforcement also seizes these dark web sites, and they seize the servers which store information, and that information can be used to track and determine who these threat actors are. So, it supports extremely strong privacy protections. It’s not infallible, because nothing is, right? Locks only keep honest people honest, and so there’s always a chink in the armor somewhere.
And lastly, accessing the dark web is super difficult or super easy, and it’s neither. There’s not one specific place to go – the dark web is made up of many hidden services, many different websites, multiple different platforms. Though there are technically dark web search engines, they’re not the same as Google or Bing or any of those other ones. So, accessing the dark web can be complex when it comes to finding the information that you’re looking for, because you need to know the link. You need to know how to find a specific site. You need to know that that site actually exists, right? So, it’s the same as using the internet back in ’98, ’99, before search engines became really popular: you had to know where you were going in order to get there.
Some dark web concerns. Obviously cybercrime is a concern on the dark web, and it is used very prevalently by threat actors across many different facets of crime, from financial crime to hacking to ransomware to narcotics trafficking, whatever the case is.
Also, misinformation campaigns happen – the spreading of disinformation and extremist content happens, stuff to try to destabilize public opinion and trust. And so, misinformation can happen. And then there’s also the illegal, non-ethical surveillance of the dark web, right? Dark web monitoring needs to have ethics involved in it to protect the good people that are on the dark web, using the dark web for valid reasons. So, these are some of our dark web concerns.
We’ve talked about what the dark web is. We’ve talked about its nuts and bolts of where it was created, how it operates, how it keeps us safe. We talked about some of the misconceptions. So, let’s get to a little bit more of the interesting stuff. What is actually on the dark web? What type of information are we able to find that relates to what we’re trying to do? How are we able to protect our clients? How are we able to protect ourselves?
There are several different facets or avenues that we can use to try to find some information. There are marketplaces where things are bought and sold, similar to eBay or Amazon or any other type of marketplace that you go to where you can buy and sell different items, but in an unmoderated manner. There are forums where collaboration between threat actors happens, where people ask questions, post things for sale, whatever the case is. Social media related stuff. Obviously, there’s cryptocurrency information. There are leaks from companies. There are also leaks from governments, and then ransomware related stuff. All of these things are found somewhere, in some shape or form, on the dark web.
There’s also dark web adjacent stuff. And this is the big thing that a lot of people don’t think about when they investigate the dark web. The dark web, like I said earlier, is a community, and we’ve got to look at that community like any one of the communities that you’re a part of. You know, take your work community. So, when you go to work, you’re part of the community with your co-workers and you are talking about work at work. But you also talk about work elsewhere, right? So, a co-worker comes over to your house for dinner and you guys start gossiping about, you know, stuff in the office, right? Things happen outside of your office related to what that community is about, which is work. The dark web is the same way. We have messaging apps, we have gaming apps, we even have surface web places. For instance, Reddit is a well-known social media site that has several places on there where they talk about dark web topics and issues and things along those lines. So, monitoring these things is just as important as monitoring the dark web to give you that kind of inclusive picture of what is going on.
And a lot of the data on the dark web comes from many different things. So, a lot of the raw data is your PII, your personally identifiable information from leaks. So, date of birth, social security numbers, credit card numbers, addresses, things like that. Banking data: stolen bank accounts get sold on the dark web. Corporate data that has been taken, maybe from a ransomware organization or from a hacker, whatever the case is. Credentials and compromised accounts, whether it’s fake accounts for a social media site or accounts that have been taken over, being sold, as well as corporate accounts, personal, whatever the case is. Plus there’s malware, there are hacking tools, there’s ransomware, there are a lot of different things. And then obviously on your forums, your marketplaces, tactics, ideas, how to do this stuff is there.
You can buy guides and forms. And this all leads over to some of the biggest kind of risks that we’re kind of thinking about. So, DDoS attacks, right, data exfiltration, insider threats, cyber-attacks, and then just, you know, anything from identity theft down to a much more personal level, right, like somebody being doxxed on the dark web, where their personal information is released.
So, let’s delve a little deeper into the type of data that can be found. That was a more high-level overview. Let’s get into a little bit more of the nuts and bolts.
Ransomware. Most ransomware groups, and new ones are coming out every single day, because it is a very successful business model if you’re a threat actor, have most of their sites hosted on the dark web. Also, their chat sites, where you go to negotiate once you have been compromised, are typically .onion sites, because it allows for that level of anonymity. So, some of these screenshots are a little older, and the reason for that is that you can’t necessarily control what’s going to happen on a dark web site. So, if we went to it live, there’s a chance that there could be material that we wouldn’t want to see or produce. So, we try to capture screenshots. For instance, LockBit, which is now up to LockBit 3.0, has its site hosted on the dark web, several different ones; we’re constantly in motion tracking all of the new sites that are popping up from different ransomware groups.
I guess they like that business model. I don’t like it, though.
Markets. So, these are what essentially eBay would look like, and a lot of them are based off of the same model. So, this marketplace, Kerberos, has been taken down. There are several new ones that pop up, and they will run until one of two things happens. Either law enforcement takes down the marketplace, or they do what is called an exit scam. And an exit scam is where the owners of the site take all of the money that’s been put into the site for making purchases and then they ride off into the sunset, stealing all of their users’ money. Those are typically the only two things, but anything is purchasable through here. There are marketplaces that are specific to firearms. There are marketplaces that cover a wide range of things, from personally identifiable information to credit card numbers, social security numbers, to narcotics and drugs, to hacking tools, whatever the case is. Some like to specialize, others like to be a little bit more broad to try to get as many users as possible.
It is kind of crazy, some of the things that you can see on a dark web marketplace for sale. There are scam sites and things that pop up. So, for instance, you’re not going to really find a marketplace that’s, you know, human trafficking related. Also, you know, hitman services on the dark web are not real. That’s not how that works. But a lot of people like to talk about that, especially in movies and TV and things like that. But those types of things are almost always scams. But you can buy just about everything else. You can buy cell phones, skimmer devices to steal credit cards. The imagination is the limit for what marketplaces may or may not have. But they operate very well, and they have better customer service than any company you probably know today, because trust is a big part of the dark web. So, one of the things that they do is they hold an escrow service. So, you would actually put your money into the site. The site would hold it. And then once you have made a purchase and you’ve received your product, the site will then release the money. So that way there’s trust between vendor and purchaser. That’s where that exit scam comes in.
Financial crime. Financial crime is a big part of the dark web. You won’t find all of your financial fraudsters on the dark web, some don’t need it, but you will find a lot of information and a lot of stuff being sold, because it’s a really easy product to sell on the dark web: you’re not shipping something from point A to point B, it’s a digital good. And we also have a little bit of that dark web adjacent. So, the two photos on the lower right, those are actually taken from Telegram. Telegram was a very big hot spot as a dark web adjacent location. It’s since kind of cooled down because Telegram has changed their trust and safety policy, so they’re cracking down on this a little bit more, but for a few years there it was very rampant that every dark web site or marketplace would also have a Telegram channel associated with it. But you can buy anything from credit card numbers for as low as 10 cents to bulk credit card information, which will provide the credit card number, the number on the back of the card, the person’s name, address, location, everything that you needed to use that card in a manner to prevent you getting caught by law enforcement, as well as information on how to commit fraud. It was a very big thing for the dark web.
There are drug and gun sales as well on the dark web. A lot of sites, a lot of marketplaces, do try to avoid firearm sales only because that gets a lot of American law enforcement involved. It kind of increases their profile. So, a lot will not allow the sale of firearms, but unfortunately, you know, everything done on the internet has a way to be used for bad, and the people that sell these find a way to get their merchandise posted. And then as well as narcotics. Narcotics are a big sale item on dark web marketplaces and different sites from there. But the nice thing, at least for the good guys related to this type of stuff, is that they have to be shipped from point A to point B, and law enforcement does monitor those shipping avenues, and so do the private companies that do that as well. So, a lot of times, this type of stuff is hopefully able to be stopped before it gets anywhere.
Stolen data. This is going to be something that I’m sure this audience is going to be interested in: stolen data from companies. A lot of organizations have their data stolen. Sometimes they’re not part of ransomware. Sometimes people just steal it to either try to sell it themselves or they post it. They post it for clout reasons or reputational reasons to give it out to the community. These are screenshots from BreachForums, which was recently shut down and is potentially working its way to coming back; that’s been an interesting saga. But you could go to the site at any point in time, search for a lot of different companies, and find stolen data from those companies. Now, that’s obviously bad reputationally for those companies, but it could also be very good for the company’s competitors if they’re not operating in an ethical manner, right? They get that information, and if that information contains confidential business secrets to the success of that business, now your competitors have your playbook. As well as the damage that could potentially happen to the clients of those companies if their personal information has been released.
Leaked data. So, leaked data is different than stolen data. Leaked data, a lot of times, could involve an insider threat. It could be data that was captured through a tool, for instance, being scraped from a deep web site that a company owns, say, for instance, a social media site. You have to log in to access the stuff in the social media site, and then you start running custom tools to pull all of that information down, and then you release it. And then there are also usernames and passwords that get leaked as well. This is actually a screenshot from our tool, which shows a lot of the leaked content that we are finding out there and are able to catch. And there is a lot of leaked data that’s out there. It’s actually mind-blowing to understand how easy it is for your personal data to be leaked, or your corporate data to be leaked, onto the dark web.
Stealer logs. Stealer logs are a very big thing. They can affect corporations, but a lot of times they affect the more individual person. But stealer logs are logs from a specific type of malware that, when it infects a computer, has the job of pulling down all of the usernames and passwords and text files, taking a screenshot, and getting all of the information that it can about that computer. And then these logs are either posted for free or, if they’re good logs, they typically get posted for sale. There are a couple of marketplaces on the dark web where one log will cost $10 USD, and it will have a person’s entire password history on there, right? All of the passwords that are saved inside browsers, which you should never do, save your password in a browser, due to stealer logs, because they capture all of that. And then they’re able to access all of your information. And the biggest one that we want to protect is your email, especially if you have used two-factor authentication through email. But stealer logs are everywhere. And this is also something else that ends up being dark web adjacent. For instance, Alien TxtBase, this one here, they still operate, but they operate mainly on Telegram. Even though Telegram is very active in trying to shut them down, you will typically find them on Telegram releasing this service that they have here. And one month of an unlimited amount of stealer logs is only $100, which is crazy. And $1,000 is lifetime access. So, if you are intentionally trying to hack somebody’s computer to pull down credit card information or to use it for other malicious purposes, that’s relatively a bargain.
And then we have our corporate data. And corporate data involves many different things. It could be our corporate secrets. It could be information related to attacks imminent to that corporation. It could be customer information, whatever the case is, right? And nobody is immune, right? So, the FBI, the federal government, American government agencies have been affected by corporate data issues. CrowdStrike, LinkedIn, Facebook, all of your major social media companies at some point in time have had their corporate data leaked, and a lot of that can still be found on the dark web today, even if it’s old data. Just because it’s older data doesn’t mean it’s not still valid and can’t still be put to use. And then also, you know, here in America, we have the UnitedHealthcare CEO who was assassinated. And you can find corporate, you know, talk about those corporations and the CEO; for instance, this one here, which was posted on an anonymous message board, saying that the healthcare CEO being shot was a long time coming and for people to stop defending them. So, there’s a lot of information, a lot of things that can break down here, right, from just corporate information to also threats to corporations and businesses. Things to monitor and different avenues to go down.
And the communities that bond them. I’m very big on saying the dark web is a community, and we have several different communities on the dark web. So, one of the big ones is extremism. You can find a lot of extremist information on the dark web, everything from terrorism all the way to racially motivated type stuff, to politically motivated things, it’s all on there.
Hacktivist groups. Hacktivists are hackers that claim that they are hacking for the correct reasons because they don’t agree with something, whether it’s a political mindset, a political decision, or a business that didn’t do what they thought was ethically correct. Hacktivists go after them, which was made famous by Anonymous back in the 2000s initially. Hacktivist groups operate on the dark web all the time. They post information, they get together to share ideas, different things like that.
And then we have our ransomware groups. This is a screenshot from our tool showing a lot of the different groups that we are targeting, or not targeting but monitoring, and pulling information down. This list actually currently has 317 different ransomware groups and threat actors that we’re monitoring and trying to get as much information from. And the number of ransomware groups that operate on the dark web is growing every single day. And that number never stays static.
And then obviously we have our hackers. What’s interesting about this slide, as we’re talking about hackers, is this is how initial access is sold. So, most ransomware groups do not do their own hacking. They typically purchase the access from somebody who gained the access. And what will happen is, in certain dark web forums, a user will post revenue, a company’s revenue of around 25 million. They’ll say how many hosts the network has. So, in this one on the left by Benjamin Franklin, there are 500 hosts on this network. They’re looking for $1,500 to sell this. And then a ransomware group will purchase this access, install their ransomware, and then attempt to extort the company when they’re able to. And this is how it gets posted. They never necessarily post names. Sometimes they do, but they provide enough information that you can try to narrow down who the target is in hopes of maybe preventing ransomware. That’s a really big use of the dark web for companies: to monitor the initial access side of the ransomware lifecycle. And if they’re able to see that they’re potentially popping up in an initial access sale, they can go ahead and start doing extra tests and monitoring and finding where the hole is, and hopefully be able to plug it before anything bad happens. But hackers do operate on the dark web in many different facets.
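The defensive use the speaker describes, watching initial access listings for a revenue figure and host count that look like your own organization, comes down to parsing semi-structured forum text and comparing it against a profile. The block below is an added example, not part of the talk and not DarkOwl’s tool: the three listings are constructed sample lines written in the style described (revenue, host count, country, price, no victim name), the organization profile is hypothetical, and the 30% tolerance is an assumed value chosen because brokers round their numbers. It goes a little beyond the slide by handling several revenue spellings ($25M, 3 million, $120 million) and host counts with thousands separators.

```python
import re

# Constructed broker listings in the style the talk describes: revenue and host
# count are posted, the victim is not named. These are made-up sample lines.
SAMPLE_LISTINGS = [
    "Selling access: US company, revenue $25M, 500 hosts, domain admin. Price $1,500",
    "Access to UK retail company, revenue 3 million, 40 hosts, rdp. Price 400",
    "Selling: US manufacturing, revenue $120 million, 2,300 hosts. Price $5,000",
]

# Hypothetical profile of the organization doing the monitoring.
ORG_PROFILE = {"country": "US", "annual_revenue_usd": 27_000_000, "host_count": 480}

_MULTIPLIERS = {"k": 1e3, "thousand": 1e3, "m": 1e6, "million": 1e6, "b": 1e9, "billion": 1e9}
_REVENUE_RE = re.compile(
    r"revenue\s*:?\s*\$?\s*(\d[\d,]*(?:\.\d+)?)\s*(k|m|b|thousand|million|billion)?\b",
    re.IGNORECASE,
)
_HOSTS_RE = re.compile(r"(\d[\d,]*)\s*hosts", re.IGNORECASE)
# Case-sensitive on purpose so the word "us" in prose is not read as a country code.
_COUNTRY_RE = re.compile(r"\b(US|UK|CA|DE|FR|AU)\b")


def parse_listing(text: str) -> dict:
    """Pull revenue (USD), host count and country code out of a free-text listing.

    Missing fields come back as None rather than raising, since listings are
    inconsistent and a partial parse is still worth keeping.
    """
    result = {"revenue_usd": None, "hosts": None, "country": None}
    m = _REVENUE_RE.search(text)
    if m:
        amount = float(m.group(1).replace(",", ""))
        unit = (m.group(2) or "").lower()
        result["revenue_usd"] = amount * _MULTIPLIERS.get(unit, 1.0)
    m = _HOSTS_RE.search(text)
    if m:
        result["hosts"] = int(m.group(1).replace(",", ""))
    m = _COUNTRY_RE.search(text)
    if m:
        result["country"] = m.group(1)
    return result


def _within(value, reference, tolerance) -> bool:
    return value is not None and abs(value - reference) <= tolerance * reference


def matches_profile(listing: dict, profile: dict, tolerance: float = 0.3) -> bool:
    """A listing is a candidate if the country matches and both figures fall
    within the tolerance of the profile. The tolerance is deliberately wide:
    brokers round revenue and host counts, so a tight match would miss them."""
    return (
        listing["country"] == profile["country"]
        and _within(listing["revenue_usd"], profile["annual_revenue_usd"], tolerance)
        and _within(listing["hosts"], profile["host_count"], tolerance)
    )


def find_candidates(listings, profile) -> list:
    """Indexes of listings that could describe this organization."""
    return [i for i, text in enumerate(listings)
            if matches_profile(parse_listing(text), profile)]


if __name__ == "__main__":
    for i in find_candidates(SAMPLE_LISTINGS, ORG_PROFILE):
        print("possible match, investigate:", SAMPLE_LISTINGS[i])
```

A hit from this kind of filter is not attribution, it is the trigger the speaker describes for the defensive follow-up: extra testing, log review and looking for the hole before access changes hands. In practice the profile and tolerances would be tuned per organization, and the listings would come from whatever monitoring feed is in use rather than a hard-coded list.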
And then we have our main APT groups, our advanced persistent threats. For instance, North Korean groups, different things like that, Chinese groups that are constantly trying to break into things and hack things and gain information. This is a screenshot, similar to the ransomware groups, from our tool, where we curate information on them.
Why is the dark web important? I’ve touched on this a lot, but it really does allow us the opportunity to learn more from the threat actor to make better decisions as to what we need to do to protect ourselves. So, it gives better insight and allows us to learn from them. There are tools that you can capture and figure out how they work, to prevent them from working on your network. There are also tutorials in fraud, in hacking, in social engineering, whatever the case is, and we can learn directly from the threat actors and monitor that, and it can also give us an early warning sign before anything happens.
The early detection of potential emergent threats. It’s a more proactive approach to cyber defense. We’re learning directly from the threat actors, and hopefully it allows us to prevent threats from escalating, which is why it’s important.
So how do we find things on the dark web? One, there are open-source tools to help you, but you need to take into consideration the OPSEC considerations, the operational security considerations. There are websites, for instance ransomlook.io, that post information daily on new ransomware groups that are operating on the dark web. There’s also different monitoring stuff and blog posts and things along those lines. But there are also command-line-based open-source tools for investigating it. It’s just, you really need to know the operational security side of it.
On the dark web, there are list sites or link sites or directories that will provide links to dark web sites. And they will monitor those links to determine if the site is online or offline. And then we use OSINT. OSINT is our best friend. OSINT stands for open-source intelligence techniques, and it is a way of finding and learning information that’s publicly available. So, whether it’s from the news, from government publications, blogs. At DarkOwl, we post blogs pretty regularly. Social media accounts from influencers that specialize in this stuff, and then academia and research as well, provide good insight into what is going on.
And then now the operational security concern of investigating the dark web, which our tool definitely helps with, and it is something that very regularly needs to be taken into consideration, right? So, it’s a process to prevent our adversaries from gaining information about us and our capabilities, so that we can identify who they are, right? We’re not trying to become the victim. We’re the investigator or the analyst trying to prevent this.
So, it’s important, right? It’s important for the investigator’s and the researcher’s safety. We want to make sure that their identity does not get released or known. It also protects against retaliation and targeting, and it ensures that safety during and after dark web investigations, right? We want to make sure that we protect against sensitive information exposure and avoid data exposure. For instance, downloading certain things off of the dark web because we need them for investigative purposes: if it’s not done correctly on a secure machine that doesn’t have network access, we could potentially be putting malware or ransomware into our own network, you know, and now becoming an actual victim of what is going on. It allows us to maintain that confidentiality and anonymity and does not compromise our investigations. It allows us to reduce detection and tracking by sophisticated adversaries; for instance, some of those APTs that are nation-state groups are very well-trained, have everything that they need, have many people to help them. So, we want to make sure that we reduce detection by them so that we can continue gathering information. And then we want to reduce risks associated with linking affiliated investigations and researchers. We want to try to keep that attribution down to a very low level. And OPSEC is one of the most important things, and it should be the primary thing that is kept in mind in dark web investigations.
Six steps to OPSEC. We want to identify the critical information that we need and how we need to keep it secure. We want to analyze the threat. Who are our adversaries? What are their capabilities? What are they able to do? We want to look for weaknesses in configurations and behaviors to make sure that we can protect ourselves, and evaluate the likelihood and impact of those risks. We want to implement countermeasures, apply security practices: do we need a machine that’s never connected to the company network, virtual machines, VPNs, things along those lines? And we want to constantly reevaluate as we progress in that investigation to make sure that our operational security is providing what we need it to provide. It’s important for protecting investigator safety, securing that sensitive information, maintaining operational integrity for the surveillance and tracking purposes, and then attribution risks, right? We want to make sure we keep those to a minimum.
We have gone over a lot. We’ve gone from what the dark web is, to what type of information is on the dark web, to tools for investigating the dark web, open-source tools and our own tool and things like that, and operational security. But what are the strategies, right? We have the information, or we need to get the information. What are the strategies to take that investigation and make it fruitful? So, darknet intelligence, right, involves collecting and analyzing data, like any other investigation would, going through these specialized tools that we need to get it, and understanding, right, the complex ecosystems where cyber criminals trade goods and services, right? We need to know: is the information that we are looking for on a forum, a marketplace, a chat group, whatever the case is?
The intelligence pyramid, everything in intelligence and investigations has some type of diagram or analogy or acronym. This is no different. We start at the bottom with our raw data. That is all of the data that we’ve collected that may be useful for us. We’ll take all of that and turn it into some type of information to figure out kind of the buckets it needs to be in, and then from there we’ll put that into our actual intelligence that we can make decisions on. Kind of weeding out the noise that we don’t need. And you’ll want to do that with dark web data because you will be able to find a lot of things, but not all of those things will matter to your current investigation or needs, right?
So, we’re going to start with the planning and direction through our intelligence life cycle. Once we have — this is what we’re worried about. This is kind of the information that we need to learn. This is our questions. We’ll work on those collections. Once we collect our information, then we’ll move to the analysis phase. Once we analyze all of our data, kind of go through that intelligence pyramid will move into production, write our reports, make our recommendations, and then disseminate that out and get feedback from your cross-functional partners or your clients or whoever the case is. And then we start that all over again for the next question that pops up, the next threat that we have to worry about.
Strategies for monitoring the dark web. You have to know what your intelligence requirement is. You’ve got to know what you want to achieve. Do you need to worry about a client being hacked? Do you need to worry about their data being stolen, whatever the case is? We want to identify the areas that most interest us. For instance, maybe we need to monitor for credit card information. Well, some of the best places to see specific credit card information pop up are in those marketplaces, right? We want to make sure that we keep a way of monitoring those sources. Once we collect data, we want to analyze that data and see if we need to find more data. Sometimes you need to. There’s always language assessment. If you need to figure out whether you need to translate the information that you’re getting, Google Translate works, AI tools help with that. And then obviously the last thing that we want to do is report our findings, to actually have our recommendations matter and help strengthen security posture, prevent cybercrime, and all of those fun things.
Just real quick – to touch on DarkOwl and what we do. DarkOwl is a darknet data technology company headquartered in Denver, Colorado. Our mission was to build automated technology to allow analysts to investigate and monitor the dark web without actually having to go to the dark web. And we have come a long way in producing that tool. We’re led by our CEO, Mark Turnage, and we have a very fantastic team of analysts and engineers to produce that. So, the information in our tool, you don’t ever actually have to go to the dark web to be able to access that information. And it’s all searchable, which is the best thing. So, you don’t actually have to know how to get to a certain forum or have an account on that forum. You’re able to get it yourself.
In our beginning in 2012, we pioneered dark net collection and relevant search, you know, we created our Vision UI tool, which allows you to have a graphical interface to search all of our data. But we also have API access as well. So, we can tie into tools like Maltego, which has a transform where you can tie into dark web data. But it gives access to your analysts to have this information, find it, use it and also monitor it through cases or alerts and different things along those lines. So, layers of the surface and even dark web that we go after, right? So some of these high-risk surface websites are like pastebin sites or discussion boards, you know, Reddit, social media sites as well. We monitor underground forums and marketplaces as well as Discord, Telegram, IRC. We’re always looking to move into new messaging platforms as we see the community shift, right? And then currently we are in Tor, I2P, and ZeroNet as dark web marketplaces, because those are the main places that threat actors operate, typically now in Tor. There was a little bit that I2P was gaining traction, but that has since lost its momentum. We’ve pulled about 2 million documents off of the dark web in about a 24-hour period. And we are constantly pulling in new information every single day. Our information is relatively able to be real-time, depending on the site and how often we crawl it. I was actually just doing research the other day and literally had information that was within the last six hours in the tool. So, it is very successful and really does help in these types of investigations, and it solves your operational security problem. So, you don’t have to worry about that using our tool.
And then our ecosystem – we have the Vision UI, which has pretty much everything an analyst would need, but then we also have different things. And in our Vision UI, what’s really nice about it is that you can have exposures for us. So, we have an algorithm that we created where you can put in some information and we can monitor a company’s exposure off of our algorithm inside of the tool. And then this is our contact information. I do have some questions that were brought up. I’m gonna touch on those real quick and then we can go ahead and end. So, one of the questions that was asked was what kind of data are most commonly traded or exposed on the dark web and how has that changed over the past few years? Which is a fantastic question. So, starting with the past few years and how that’s changed. So initially, you saw a lot of financial and drug-related stuff on the dark web, especially around the time of a former marketplace called Silk Road, which was one of the first law enforcement takedowns of a marketplace; there was a lot of financial-related and drug trafficking that was happening through the dark web. And as the years have progressed, we now see a lot more technologically based crimes. Ransomware, leaks, data being sold, personal information being sold. This has grown because more companies, from five, six, ten, fifteen years ago, are putting anything and everything on technology, and with this come budget cuts at times where security teams diminish. So, cybercrime goes up, hacking goes up, as well as we’re in a time where everything involves ground technology. This has become a very big topic on the dark web. A lot of that information is now available.
Question number two that we got: Are there specific industries or sectors that are more heavily targeted or discussed on the dark web? And there are. And it’s hard to quantify. Healthcare is one that is on it. That personal information, medical records, that type of information, because if a ransomware organization is able to a healthcare organization, they’re typically going to get paid. And most ransomware groups aren’t the most trustworthy people, so they still release the information after being paid. Financial services, bank access fraud opportunities, selling crypto accounts that have already bypassed KYC. So, a threat actor can purchase that account, sell it, or use it to where they can’t be attributed back to them, and then your government and defense contractors are always something that pops up as well on the dark web, but anybody can be a target. It just depends on if it’s your day or not. Critical infrastructure, that is another thing that can pop up if there’s talk related to that, because those are things that typically the payments go through.
The next question we have is, “What are the early warning signs that a company’s data or credentials might be circulating on the dark web?” And that’s actually a very interesting topic and could probably warrant its own webinar in itself. But some of the quick things that we want to do is company credentials appearing in stealer logs and combo lists. So those numbers, if for instance, an employee of a company accesses their company’s portal from their personal computer, which isn’t monitored by the company’s IT, and it did get captured in stealer logs, that popping up is definitely a strong sign you may be attacked, ’cause it just takes one person to understand, hey, I have a company login. Let me go log in and figure out what I want to do. Mention of the company’s domain or brand on dark web forums, as that starts increasing, concerns should start populating. That’s more like your medium concerns. Leaked internal documents obviously are an issue. And then that initial access, if you start to see initial access postings that appear to match your organization, that is something that you want to take seriously. Even though it has the potential to be a false positive, we still want to take that seriously. And then, of course, ransomware sites announcing that they hacked you. That is a clear indication that there’s trouble ahead and that we need to monitor that. Because ransomware sites, a lot of times, will post that something is happening before it happens because they’ve already initialized what they were going to start with.
And then the last question I have is: “With the growing use of encrypted messaging platforms and private marketplaces, is the traditional dark web still the biggest threat or is the landscape evolving?” That’s a fantastic question. And yes, the dark web is still a very, very big threat, but we have to make sure that we monitor the adjacent. The thing with the dark web where encrypted messaging platforms won’t ever be able to overtake it is the ability for somebody to find that information, to be able to start the conversations or purchase whatever they need to be. For instance, Telegram was very, very big a few years ago. And even some marketplaces shutting down on the dark web to be in Telegram. Because it was still very easy to find those marketplaces by just using the search bar. There’s no real messaging application that takes that over. So, a lot of times what you’ll see is that things will start on the dark web. And then from there they may move conversations into encrypted messages or channels. That doesn’t mean that that information still can’t be obtained and used for intelligence purposes. But I don’t think messaging will ever be able to take away from the dark web. It’s just another adjacent place that needs to be monitored as the investigation and intelligence needs to develop.
In previous blogs, DarkOwl has explored reactions from hacktivist groups on the deep and dark web in response to the Israel-Iran conflict and the U.S.’ attacks against nuclear sites in Iran. In addition to activity from hacktivist groups, analysts have also observed extensive online chatter within far-right spaces in response to the Israel-Iran-U.S. conflict. For this blog, DarkOwl specifically examined some of the most popular political far-right Telegram channels to determine which opinions and sentiments have been most prevalent within these groups.
Significantly, since the U.S. strike on Iranian nuclear sites on June 22, analysts observed a striking difference in opinion between vocal subscribers in multiple far-right Telegram channels. These channels are known for platforming misinformation and conspiracy theories and are characterized by a significant number of subscribers—in some cases as many as 200,000. In recent weeks, many of the articles posted by the channels on a daily basis have been regarding developments in the Israel-Iran conflict. Upon review, the discussions observed in response to these developments have been marked by disagreement and incoherence. Though this disconnect is not particularly unusual in and of itself, the Israel-Iran-U.S. conflict appears to have brought out inconsistencies within extreme right-wing circles even more so than before. Nonetheless, hatred remains a binding force between many of the members of these groups despite ideological or subideological differences.
Ideological Rifts
A review of multiple discussions within far-right Telegram channels since June 22 revealed significant ideological rifts. More specifically, opinions fell into a striking collection of not necessarily mutually exclusive categories: (1) pro-Israel; (2) pro-Trump; (3) anti-Israel; (4) anti-Israel and anti-Iran; (5) antisemitic and pro-Iran; (6) Islamophobic and pro-Israel; (7) antisemitic AND Islamophobic (i.e. racist); (8) anti-U.S.; etc. For instance, while some vehemently praised the Trump Administration’s response to the conflict—dubbing the president the “Moses of our Time”—others fiercely criticized the administration, arguing that the U.S. “will suffer a national humiliation” as a result (it is worth noting for context that these channels are generally known for consistently supporting the current administration). Meanwhile, while some actively advocated for intervention in the conflict, others strongly opposed any involvement. These ideological oppositions were even made evident in users’ emoji reactions to comments. In response to one individual referring to the U.S. as a terrorist state for targeting Iran, some responded negatively with “thumbs down” emojis, while others responded positively with “thumbs up.” Similar emoji breakdowns were also noted in other instances.
Furthermore, in addition to this wide variety of ideological differences, many individuals were also seen sharing conspiracy theories, misinformation, and disinformation. This included, for instance, some claiming that the “Deep State Cabal”—rather than Iran—poses a threat to the United States. This merging of conspiracy theories and disparate ideologies further conveyed the chaotic nature of this typically more homogenous information space.
Shared Hatred
In addition to a wide variety of contradicting opinions and ideologies, analysts noted an unsurprisingly significant amount of hatred directed at groups and individuals perceived as threats or adversaries to the current system. Among specific Israel-Iran-U.S. conflict updates, notably fierce comments were observed in response to two key events in recent weeks: the declaration of a fatwa against U.S. President Trump and reports that the U.S.’ strikes against Iran did not destroy the nation’s nuclear infrastructure.
A June 29 article regarding the issuing of a fatwa against President Trump by an Iranian cleric gained notable traction on Telegram, with numerous users calling for the assassination of Supreme Leader Ayatollah Ali Khamenei in response. In a reflection of the previously noted ideological disagreement between far-right users in the channels, some were observed calling for the end of U.S. involvement, suggesting the responsibility to address the conflict lies with Israel instead. Among these responses, however, one sentiment emerged as most dominant: Islamophobia. Though such rhetoric was not limited to fatwa-related discussions within the channel, it appeared even more frequently in this instance, with individuals sharing hateful, violent rhetoric directed at Iranians and Muslims broadly. Several users also called for the targeting and deportation of American Muslims (referred to by one individual as “savages in our society”), claiming that they “pose a threat.” This rampant hate is consistent with the observed increase in both Islamophobia and antisemitism since the escalation of the Israeli-Palestinian conflict in October 2023. Indeed, the FBI found that anti-Muslim incidents rose by 300% in just two months following Hamas’ October 7 attack.
Similarly fervent responses were observed in response to an article addressing reports indicating that the U.S. did not destroy Iran’s nuclear capabilities—despite the administration’s assertions that the targeted sites were “obliterated.” The misleading article—which attempted to undermine the findings of U.S. intelligence officials—was repeatedly shared across far-right channels and gained more than 20,000 views. In response to the story, numerous users referred to the reporters who shared the findings as “traitors” and called for them to be jailed. One individual also called for charging a specific reporter with “espionage against the United States” and expressed disdain for the intelligence officers who compiled the report. Similar to Islamophobic rhetoric, this hate directed towards reporters and officials who share facts contradicting the administration’s claims is consistent with the persistent animosity towards reputable sources shared by far-right groups.
Conclusion
Overall, analysts observed nearly every possible combination of opinions within multiple far-right Telegram channel discussions in response to the Israel-Iran-U.S. conflict. This finding is significant in that it reflects what appears to be a fracturing of far-right ideology within this specific monitored ecosystem of large-scale Telegram channels. Even though pro-administration rhetoric appears to remain dominant, many users were observed criticizing one another—seemingly more fervently than in response to previous non-foreign policy-related discussions. Despite this noted difference in opinion, however, one fact remains consistent: regardless of specific ideology/ideologies, many of the individuals within these groups are linked by a hatred that transcends any ideological framework. Whether it’s hatred directed at journalists or members of targeted religious communities, the sentiment remains an overriding force within these communities.
Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of what was the most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.
1. Ukraine arrests suspected admin of XSS Russian hacking forum – Bleeping Computer
In a July 23 press release, French authorities announced the arrest of the alleged administrator of the notorious Russian cybercrime forum XSS. According to the announcement, the suspect was arrested in Kyiv, Ukraine, by Ukrainian authorities on July 22 in the presence of French police and with support from Europol. The investigation was launched four years ago, on July 2, 2021, by the cybercrime division of the Parquet de Paris (the Public Prosecutor’s Office). In addition to the arrest in Ukraine, authorities also seized the XSS.is domain. As noted by Hackread, following the action the site featured a seizure notice stating that the domain had been seized by French law enforcement. Read full article.
2. Android malware Anatsa infiltrates Google Play to target US banks – Bleeping Computer
Researchers at ThreatFabric have identified a new Android banking malware campaign which utilizes the Anatsa Android banking trojan. According to the report, the campaign is targeting North American users and posed as a PDF viewer app in the U.S. Google Play Store; it was downloaded over 50,000 times before being removed. The app was initially launched as a legitimate app before being “transformed into a malicious one approximately six weeks after release.” The latest campaign is notably characterized by a broadened target list including a range of American mobile banking apps. Article here.
3. Iranian-Backed Pay2Key Ransomware Resurfaces with 80% Profit Share for Cybercriminals – The Hacker News
Researchers at Morphisec have observed the resurgence of the Iranian-backed ransomware-as-a-service (RaaS) “Pay2Key.” The company’s report—released just a month after Israel launched attacks against Iran’s nuclear and military facilities—reveals that the scheme now operates as “Pay2Key.I2P” and offers a greater profit share to those who target Iranian adversaries. As noted by the researchers, “the group offers an 80% profit share (up from 70%) to affiliates supporting Iran or participating in attacks against the enemies of Iran, signaling their ideological commitment.” Read more here.
4. China-Based APTs Deploy Fake Dalai Lama Apps to Spy on Tibetan Community – The Hacker News
In a July 23 report published by Zscaler ThreatLabz, researchers attributed two cyberattack campaigns against the Tibetan community to a China-linked APT group. The two campaigns—dubbed Operation GhostChat and Operation PhantomPrayers—targeted Tibet with multi-stage infection chains deploying Ghost RAT and PhantomNet backdoors. These attacks capitalized on heightened online activity in the weeks leading up to the Dalai Lama’s 90th birthday on July 6. The campaigns functioned by “leveraging multiple subdomains […] to impersonate legitimate platforms.” Read here.
5. CISA and FBI warn of escalating Interlock ransomware attacks – Bleeping Computer
On July 22, the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Agency (CISA), Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC) released a cybersecurity advisory warning of the ongoing threat posed by Interlock ransomware. According to the report, the relatively new ransomware operation has targeted a variety of sectors since it first emerged in September 2024. Targets have included “a wide range of business and critical infrastructure sectors in North America and Europe.” Learn more.
6. FBI seizes $2.4M in Bitcoin from new Chaos ransomware operation – Bleeping Computer
On July 28, Dallas FBI announced the seizure of over $1.7 million worth of cryptocurrency in mid-April 2025. According to the statement, the funds were “traced to a cryptocurrency address allegedly associated with a member of the Chaos ransomware group.” The seized amount has now been valued at over $2.4 million. The alleged member of Chaos has been tied to ransomware attacks carried out against Texas companies and other targets. Read full article.
7. Four arrested in UK over M&S, Co-op, Harrods cyberattacks – Bleeping Computer
In a July 10 press release, the U.K.’s National Crime Agency (NCA) announced the arrest of four individuals for their suspected involvement in a series of cyberattacks against three major retailers (Marks & Spencer, Co-op, and Harrods). According to the statement, the arrested individuals include two 19-year-olds, one 17-year-old, and a 20-year-old. They were arrested on suspicion of “Computer Misuse Act offences, blackmail, money laundering and participating in the activities of an organised crime group.” Read full article.
8. US sanctions North Korean firm, nationals behind IT worker schemes – Bleeping Computer
In a July 24 press release, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced the sanctioning of the North Korea-based Korea Sobaeksu Trading Company and three associated individuals for their participation in fraudulent remote IT worker schemes. As previously noted in DarkOwl’s Weekly Intelligence Summaries, the DPRK government uses these IT worker schemes to generate illicit revenue. The IT workers involved in the scheme use “fraudulent documents, stolen identities, and false personas to obfuscate their identities and infiltrate legitimate companies.” Learn more.
Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.
Indicators of Compromise (IoCs) are pieces of forensic data or artifacts found on a network or operating system that, with high confidence, indicate that an intrusion, breach, or malicious activity has already occurred. Think of them as the “digital fingerprints” or “clues” left behind by an attacker; they help security teams determine whether an attack has taken place.
Indicators of compromise help security professionals in several ways. They are essential for detecting both ongoing and past cyberattacks, even if the initial breach went unnoticed. Once an IoC is identified, it serves as a guide for incident response teams, helping them understand the full scope, nature, and methods of the attack. This understanding allows them to effectively contain the threat, eradicate the malicious presence, and recover compromised systems. Furthermore, by analyzing IoCs from previous incidents, organizations can proactively strengthen their defenses, updating security tools such as firewalls, intrusion detection systems, and antivirus software to prevent similar attacks in the future. Finally, sharing IoCs within the cybersecurity community is important to help other organizations defend against the same evolving threats, fostering a stronger collective defense across the digital landscape and keeping up to date with the latest TTPs (tactics, techniques and procedures) of threat actors.
It’s important to distinguish IoCs from Indicators of Attack (IoAs). While IoCs tell you that a compromise has already happened, IoAs focus on the behaviors and tactics that suggest an attack is currently in progress or about to occur. Both are crucial for a comprehensive cybersecurity strategy. We will dive into IoAs in an upcoming blog.
IoCs in the Wild
Crowdstrike IoC list
Data purported to be from CrowdStrike was posted on BreachForum, a hacking forum, on July 28, 2024. According to the post, UsDoD claims to have the entire IoC (Indicator of Compromise) list from Crowdstrike but only released the first 100,000 records. Data exposed includes indicators, types of malware, actors, reports, kill chains, published dates, latest updates, and labels. Read more.
CISA and FBI: Ghost ransomware breached orgs in 70 countries
On February 19 this year, the Cybersecurity & Infrastructure Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint advisory detailing indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with Ghost (Cring) Ransomware. Since 2021, threat actors utilizing Ghost ransomware have targeted organizations in more than 70 countries. Victims have included organizations in a variety of sectors, including critical infrastructure, education, and healthcare.
SolarWinds
As was seen during the SolarWinds hack, monitoring the darknet for malicious discussions enables organizations to understand when and if they’re a target, and prepare accordingly. In the case of SolarWinds, we have evidence that they had been targeted by hackers for a number of years. A few searches in DarkOwl Vision’s database of darknet content reveal glaring potential indicators of compromise that, when taken seriously, could have been leveraged by their customers as a cue to safeguard themselves against what ultimately resulted in the devastating hack that transpired this year.
DarkOwl Vision has collected 98 documents from a single popular zero-day marketplace with mentions of SolarWinds-specific vulnerabilities since February 2020 (shown below).
Tracking and Sharing IoCs
As shared above, sharing IoCs within the cybersecurity community is vital to developing collective defenses and sharing best practices. By keeping up to date with IoCs in the wild, organizations can expand their understanding of current attack vectors, speed up their own incident response, avoid re-analyzing threats that have already been analyzed, and improve their overall security posture.
One way for tracking and sharing IoCs is through TIPs (Threat Intelligence Platforms). These specialized platforms are designed to collect, process, and disseminate crucial threat intelligence, including IoCs, to the wider community. To ensure efficient and interoperable sharing, IoCs are often exchanged using standardized formats and protocols. For instance, STIX (Structured Threat Information eXchange) provides a common language for representing and sharing cyber threat intelligence, encompassing not only IoCs but also threat actors and their tactics. The TAXII (Trusted Automated eXchange of Intelligence Information) protocol then facilitates the secure transmission of this STIX-formatted data between different organizations or security platforms.
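As an added example (not DarkOwl’s or any vendor’s code), the following Python builds STIX 2.1 Indicator objects for a few constructed IoCs, wraps them in a Bundle of the kind a TAXII collection serves, and evaluates a small, clearly limited subset of the STIX pattern language against constructed log observations. All indicator values are placeholders (documentation IP ranges, RFC 2606 domains, an all-zero hash), and the observation dicts stand in for parsed firewall, DNS and EDR log lines.

```python
"""STIX 2.1 indicators for IoCs: build, bundle for TAXII-style sharing, and
match their patterns against host/network observations.

Added example, not DarkOwl or vendor code. IoC values are constructed, and
only a small subset of the STIX patterning language is supported.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# One comparison expression:  object-type:property = 'value'
_COMPARISON = re.compile(r"([\w-]+):([\w.'-]+)\s*=\s*'([^']*)'")


def make_indicator(pattern, name, valid_from=None):
    """Return a STIX 2.1 Indicator object (as a dict) for a detection pattern."""
    ts = (valid_from or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern_type": "stix",
        "pattern": pattern,
        "valid_from": ts,
    }


def to_bundle(objects):
    """Wrap STIX objects in a Bundle, the unit a TAXII collection serves."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(objects)}


def parse_pattern(pattern):
    """Split a pattern into (object_type, property, value) triples.

    Supported subset: one bracketed observation expression whose comparisons
    use '=' and are joined with OR. AND/FOLLOWEDBY are rejected rather than
    silently treated as OR, so an unsupported pattern cannot over-match.
    """
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError(f"unsupported pattern: {pattern}")
    inner = body[1:-1]
    if " AND " in inner or " FOLLOWEDBY " in inner:
        raise ValueError(f"only OR-joined comparisons are supported: {pattern}")
    triples = _COMPARISON.findall(inner)
    if not triples:
        raise ValueError(f"no comparison expressions in: {pattern}")
    # Property paths such as hashes.'SHA-256' become hashes.SHA-256
    return [(t, p.replace("'", ""), v) for t, p, v in triples]


def _lookup(props, dotted):
    """Walk a dotted property path through nested dicts; None if absent."""
    cur = props
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def matches(indicator, observation):
    """True if any comparison in the indicator's pattern matches the observation.

    observation is {object_type: {property: value}}, e.g. a DNS log line
    reduced to {"domain-name": {"value": "cdn.example"}}.
    """
    return any(
        _lookup(observation.get(obj_type, {}), prop) == value
        for obj_type, prop, value in parse_pattern(indicator["pattern"])
    )


def scan(indicators, observations):
    """Return [(observation_index, indicator_name)] for every hit, in order."""
    return [(i, ind["name"])
            for i, obs in enumerate(observations)
            for ind in indicators if matches(ind, obs)]


# Constructed IoCs and observations (placeholders, not real indicators).
INDICATORS = [
    make_indicator("[ipv4-addr:value = '198.51.100.23']", "C2 address (constructed)"),
    make_indicator("[file:hashes.'SHA-256' = '" + "00" * 32 + "']", "dropper hash (constructed)"),
    make_indicator("[domain-name:value = 'update.example' OR domain-name:value = 'cdn.example']",
                   "staging domains (constructed)"),
]
OBSERVATIONS = [
    {"ipv4-addr": {"value": "198.51.100.23"}},      # firewall log: outbound connection
    {"domain-name": {"value": "cdn.example"}},     # DNS resolver log
    {"file": {"hashes": {"SHA-256": "00" * 32}}},  # EDR file-creation event
    {"ipv4-addr": {"value": "203.0.113.9"}},       # benign traffic, no hit expected
]

if __name__ == "__main__":
    print(json.dumps(to_bundle(INDICATORS), indent=2))  # what a TAXII server would serve
    for idx, name in scan(INDICATORS, OBSERVATIONS):
        print(f"observation {idx}: matched {name}")
```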
Beyond specialized platforms, many cybersecurity vendors, research organizations, and government agencies provide Threat Intelligence Feeds. These feeds deliver real-time or near real-time updates of IoCs directly to an organization’s security tools. Information Sharing and Analysis Centers (ISACs) and Information Sharing and Analysis Organizations (ISAOs) play a critical role as well. These sector-specific or cross-sector organizations create trusted environments for their members to share sensitive threat information, including IoCs, and collaborate on defense strategies. For example, there are dedicated ISACs for sectors like finance, energy, and healthcare. Governments also contribute significantly; many have Government Initiatives to facilitate threat intelligence sharing, such as CISA’s Automated Indicator Sharing (AIS) in the United States, which provides federal agencies and partners with machine-readable cyber threat indicators.
Finally, the broader Security Research and Open-Source Communities are invaluable contributors. Independent security researchers, ethical hackers, and open-source projects frequently discover and publish IoCs through various channels like blogs, online forums, GitHub repositories, and specialized websites.
Product Highlight: Entity API
Entity API enables the identification and contextualization of specific entities—such as email addresses, IP addresses, and domains—within DarkOwl’s darknet data. This tool is invaluable for incident responders and threat hunters seeking to correlate Indicators of Compromise (IOCs) and assess potential threats.
Investigators can gather IOCs from dark web sources and link them to threat actors or campaigns. This helps in profiling the activities, tactics, and techniques of adversaries, enabling proactive threat hunting and vulnerability assessments.
Emails and Domains
Email Address and Domain endpoints allow you to request all exposed information relating to a single email address or email domain. For example, you can request a list of all emails belonging to a particular domain, or see if a specific email address has been exposed with a hashed or plaintext password (if detected).
Credit Cards and BIN
Credit Card and Bank Identification Number (BIN) endpoints allow you to request to see information relating to a single credit card number or BIN. For example, end users can query all credit cards belonging to a specific BIN that have not expired or the URL source of the pages on which a specific credit card was posted.
Cryptocurrency Addresses
Cryptocurrency Address endpoints allow you to see if specific cryptocurrency addresses have been exposed. Sample responses include a contextual text fragment taken from the original source document.
IP Addresses
IP Address endpoints allow you to request information relating to a single IP address. For example, end users can leverage search parameters to find whether a specific IP address has been posted on darknet forums.
One of the most prevalent use cases for insight into DarkOwl’s data is the recent persistent rise in cybercriminal activity as a whole, and specifically ransomware activity, which largely presents itself on the dark web. The global dark web intelligence market is expected to grow at a CAGR of 22.3% to a total of $1.3 billion by 2028.
Other recent reporting from Kaspersky maintains that the most common attack vector for all ransomware attacks continues to be account takeover using stolen or brute-forced credentials. Entity API will empower threat intelligence teams with the tools to determine when such account information has been compromised, and take remediation steps accordingly.
Monitor Cryptocurrency Mentions Using Entity API
With Entity API, users have access to highly targeted, structured information from the largest commercially available collection of darknet and deep web sources. This includes Tor, I2P, Zeronet, data breaches, encrypted chats, IRC, and authenticated forums. Users can search for a crypto address that DarkOwl has captured from darknet sources, including illegal marketplaces and vendor forums, to detect wallets with problematic activity. Cryptocurrency address endpoints allow users to see if specific cryptocurrency addresses have been exposed.
Cryptocurrency types include:
Bitcoin
Ethereum
Monero
zCash
Litecoin
Dash
Figure 2: Request to see all instances of a specific cryptocurrency address appearing on the darknet (or other underground networks). Sample responses pictured above.
For those in charge of monitoring for critical information regarding their business or their customers, having access to DarkOwl’s darknet data means access to near real-time data from exclusive dark web sources including authenticated forums and emerging chat networks. Contact us to learn more.
In an increasingly volatile cyber security landscape, no organization is safe from cyber attacks. One group of organizations which has been increasingly targeted by ransomware groups and other threat actors is UK councils which are the local level of government in the UK.
In this blog we will explore what UK councils are and how they have been subjected to cyber attacks in recent times.
What are UK Councils?
Councils, which are also known as local authorities, are the local level of government in the UK. They are responsible for delivering public services, which can range from social care and schools to roads and transport, trash collection and recycling, housing and planning permission, as well as the management of parks, recreational areas and libraries. They are responsible for large swathes of local life in the UK, and all residents pay a council tax in order to receive and maintain services.
Councils are run by locally elected officials, who are responsible for making decisions on budgets, policies and the services that are provided. Councils will often have a lead, typically the mayor, who is either directly elected by local residents or selected from the councillors. There will also be non-political officers, or civil servants, who run day-to-day operations.
There are also different types of councils depending on where they are located and the communities that they support. In England these form a tier system:
Two-tier system (mainly in shire counties like Kent or Hampshire):
County Councils
Handle large-scale services like education, social care, and transport.
District/Borough Councils
Handle local services like housing, waste collection, and planning.
Single-tier system (in cities and urban areas):
Unitary Authorities
Handle all services.
Metropolitan Boroughs
Handle all services in large urban areas (e.g., Manchester, Birmingham).
London Boroughs
Each borough (like Camden or Croydon) has its own council.
Greater London Authority (GLA)
Oversees strategic issues like transport (TfL), policing, and planning.
UK councils face a wide range of cybersecurity threats due to the large volumes of sensitive data they manage (e.g. social services, housing, benefits, and education).
Cyber Security Threats
Multiple types of cyber threat can affect local councils. Here we summarize some of the common attacks we have seen conducted against them.
Ransomware Attacks
Ransomware attacks happen when a threat group obtains access to a network and encrypts the data, demanding a ransom for the key needed to restore it. Increasingly these attacks also involve stealing data before it is encrypted and publishing it on dark web leak sites if the ransom is not paid. This can have very serious ramifications for councils given the services they support: it can stop them carrying out those services as well as exposing sensitive personal information.
Figure 1: InterLock ransomware group shares data from West Lothian Council
Data Breaches
A data breach can occur in many ways, but ultimately it is when sensitive or protected data is exposed to people who should not have access to it. Councils can fall victim to this either through poor security practices or because they are the victim of a hacking attack.
Recently, Oxford City Council reported that attackers had been able to access personally identifiable information (PII) through a breach of some of its legacy systems. The information targeted largely related to individuals who had worked on local elections, including ballot counters and polling station workers.
Distributed Denial of Service (DDoS) Attacks
A denial-of-service attack floods a website or service with more traffic than it can handle, making it unavailable; in a distributed attack (DDoS) the traffic comes from many sources at once, typically a botnet. Council websites, through which many local residents access services and obtain support, can be taken offline as a result. Recently, hacktivist groups associated with countries involved in conflict, such as Russia, Ukraine, Palestine, Iran and Israel, have been known to conduct these DDoS attacks, and in some cases they have successfully targeted council websites.
Figure 2: Proof of DDoS against the London Borough of Harrow from a Palestinian-affiliated hacktivist group
Real World Incident:
Perpetrator: Hacktivist group NoName057(16).
Targets: Multiple local councils including Blackburn with Darwen, Exeter, and Arun District Council.
Impact: Temporary website outages and service disruptions; the attacks were politically motivated, in response to the UK's support for Ukraine.
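The HTTP floods described above usually show up first in the web server's own access log as a handful of source addresses requesting far more often than any human visitor. The following is an added example, not code from the original post or from DarkOwl: a sliding-window rate detector run over constructed access-log lines in the common combined format. The window size and request threshold are illustrative assumptions, not tuned values, and the IP addresses come from documentation ranges.

```python
"""Flag source IPs whose request rate in a sliding window exceeds a threshold.

Added example (not from the original post). The log lines below are
constructed in the Apache/nginx combined format; the window size and
threshold are illustrative assumptions, not tuned values.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the leading fields of a combined-format access log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    return m.group("ip"), ts, m.group("req")


def detect_floods(lines, window_seconds=10, max_requests=20):
    """Return {ip: peak requests seen inside one window} for IPs over max_requests.

    Lines are assumed to be in time order, as a live log tail would be.
    For each source IP a deque holds the timestamps inside the current
    window; entries older than the window are evicted from the left.
    """
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip rather than crash on a log tail
        ip, ts, _ = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > max_requests:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def _line(ip, second, path):
    """Build one constructed combined-format log line at 10:00:<second>."""
    return '%s - - [01/Jun/2025:10:00:%02d +0100] "GET %s HTTP/1.1" 200 512' % (
        ip, second, path)


# Constructed sample: one host hammering the home page (25 hits in 5 s),
# one normal visitor, and one malformed line to show the parser skipping it.
_events = [(s, "198.51.100.7", "/") for s in range(5) for _ in range(5)]
_events += [(1, "203.0.113.25", "/council-tax"), (8, "203.0.113.25", "/bins")]
_events.sort(key=lambda e: e[0])  # keep the sample in time order
SAMPLE_LOG = [_line(ip, s, p) for s, ip, p in _events] + ["garbage line"]

if __name__ == "__main__":
    print(detect_floods(SAMPLE_LOG))  # {'198.51.100.7': 25}
```

In production the same logic would read from a log shipper rather than a list, and the flagged addresses would feed a rate limit or a block list at the edge; a single-IP threshold will not catch a well-distributed botnet, which is why per-path and per-ASN counts are usually layered on top.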
Misconfigured Systems and Insider Threats
Misconfiguration of systems, such as poorly configured databases or file-sharing platforms, can expose sensitive data to the public. When systems are not configured properly, individuals who should not have access may be able to reach this data. An insider threat, by contrast, comes from within the organization: unintentional staff errors or malicious insiders (for example, disgruntled employees) can leak or share sensitive information or access.
Supply Chain Attacks
A supply chain attack is when an organization is compromised because of its position in another organization's supply chain. The supplier is usually chosen because it has weaker security and is an easier target, but the compromise can expose information and data belonging to other organizations in the chain, or give the attacker a route into them.
Real World Incident:
Incident: Cyberattack on Locata, a housing service provider.
Impact: Disruption of housing services for Manchester, Salford and Bolton councils; users received phishing emails attempting to harvest personal information.
Phishing & Spear Phishing
Phishing attacks use emails or other messages sent to an individual in order to obtain information or access. They either trick recipients into sharing information they should not, usually by impersonating someone in the organization or a trusted supplier, or carry malicious links or attachments that, once clicked or opened, give the attacker a foothold on the network. Spear phishing is the same technique aimed at a specific, researched individual, such as a finance officer or a councillor.
Council members and staff are often targeted in these attacks. In February 2025, Hammersmith and Fulham Council reported that it faces around 20,000 attempted cyber attacks a day, the majority of which are phishing attempts.
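At that volume, triage has to be automated, and most lures share a small set of header and body tells: a display name that claims the council's domain while the real address is elsewhere, a sender or link domain that imitates the council's with swapped characters or an extra zone, a Reply-To that diverts replies, and pressure language. The following is an added example, not code from the original post or from DarkOwl: a stdlib-only indicator check run over two constructed messages. The council domain, the messages and the indicator weights are all assumptions made for illustration.

```python
"""Score an email for common phishing indicators.

Added example (not from the original post). The organisation domain, the
two messages and the indicator list are constructed for illustration;
the suspicion threshold is an assumption, not a tuned model.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed: the organisation's legitimate mail domain.
ORG_DOMAIN = "example-council.gov.uk"

# Digit-for-letter swaps attackers use to build lookalike domains.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
_URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.I)
_URGENCY = ("urgent", "immediately", "suspended", "verify your", "within 24 hours")


def _domain(addr_header):
    """Domain part of the first address in a header value ('' if none)."""
    return parseaddr(addr_header)[1].rpartition("@")[2].lower()


def looks_alike(domain, target=ORG_DOMAIN):
    """True if domain imitates target via homoglyphs, 'rn' for 'm', or
    target used as a subdomain of an attacker-controlled zone."""
    if domain == target:
        return False
    # Normalising 'rn' -> 'm' is safe here because target contains no 'rn'.
    norm = domain.translate(_HOMOGLYPHS).replace("rn", "m")
    if norm == target:
        return True
    return domain.startswith(target + ".")  # e.g. example-council.gov.uk.login-portal.net


def phishing_indicators(raw):
    """Return the list of indicator names found in one RFC 5322 message."""
    msg = message_from_string(raw)
    hits = []
    from_hdr = msg.get("From", "")
    from_dom = _domain(from_hdr)
    display_name = parseaddr(from_hdr)[0].lower()

    # 1. Display name carries an @ORG_DOMAIN address but the real sender is elsewhere.
    claimed = re.findall(r"@([\w.-]+)", display_name)
    if ORG_DOMAIN in claimed and from_dom != ORG_DOMAIN:
        hits.append("display-name-spoof")
    # 2. Sender domain is a lookalike of the organisation's domain.
    if looks_alike(from_dom):
        hits.append("lookalike-sender")
    # 3. Reply-To diverts replies to a different domain than the sender's.
    reply_dom = _domain(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        hits.append("reply-to-mismatch")

    payload = msg.get_payload(decode=True)  # bytes for single-part messages
    body = payload.decode("utf-8", "replace") if payload else ""
    # 4. Any link whose host imitates the organisation.
    for url in _URL_RE.findall(body):
        if looks_alike((urlparse(url).hostname or "").lower()):
            hits.append("lookalike-link")
            break
    # 5. Pressure language typical of credential-harvesting lures.
    if any(p in body.lower() for p in _URGENCY):
        hits.append("urgency")
    return hits


def is_suspicious(raw, threshold=2):
    """Assumed policy: two or more independent indicators warrant quarantine."""
    return len(phishing_indicators(raw)) >= threshold


# Constructed lure: spoofed display name, digit-swapped sender and link,
# diverted Reply-To and urgency wording.
PHISH = """\
From: "it.support@example-council.gov.uk" <noreply@examp1e-council.gov.uk>
Reply-To: helpdesk@mail-relay.example.net
To: clerk@example-council.gov.uk
Subject: Urgent: password expiry
Content-Type: text/plain; charset=utf-8

Your account will be suspended within 24 hours.
Verify your password at https://examp1e-council.gov.uk/login
"""

# Constructed legitimate internal notice for comparison.
LEGIT = """\
From: Payroll <payroll@example-council.gov.uk>
To: clerk@example-council.gov.uk
Subject: May payslips available
Content-Type: text/plain; charset=utf-8

Payslips for May are now on https://example-council.gov.uk/payroll.
"""

if __name__ == "__main__":
    print(phishing_indicators(PHISH))  # five indicators
    print(phishing_indicators(LEGIT))  # []
```

These string checks are the cheap first layer; a mail gateway would combine them with SPF, DKIM and DMARC results and with attachment analysis, since a message from a compromised supplier mailbox (as in the Locata incident above) passes every header test here and is caught only by its content.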
Conclusion
Local authorities have become a popular target for cyber criminals in recent years because of the large amount of valuable personal data they hold, their often outdated IT systems, and their comparatively small cybersecurity budgets. Councils need to take more proactive measures to combat the increasing threat. Actions that can be taken include:
Adopting advanced threat detection systems and regular security assessments.
Conducting cybersecurity awareness programs for staff to prevent phishing and other social engineering attacks.
Developing and regularly updating incident response plans to swiftly address breaches.
Working closely with national bodies to share intelligence and best practices. The National Cyber Security Centre (NCSC) is the national point of contact for reporting cyber incidents in the UK.
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.