Cybersecurity might as well have its own language. There are so many acronyms, terms, sayings that cybersecurity professionals and threat actors both use that unless you are deeply knowledgeable, have experience in the security field or have a keen interest, one may not know. Understanding what these acronyms and terms mean is the first step to developing a thorough understanding of cybersecurity and in turn better protecting yourself, clients, and employees.
An Indicator of Attack (IoA) is a behavioral pattern or activity that reveals a cyberattack is in progress or about to occur. IoAs focus on detecting an attacker’s intent and methods in real time, enabling organizations to identify and stop malicious actions before they cause major harm.
Rather than relying on evidence of past breaches, IoAs highlight the attacker’s tactics, techniques, and procedures (TTPs) as they unfold, providing early warning of active or emerging threats.
IoA vs IoC
It’s important to distinguish IoAs from indicators of compromise (IoCs). IoAs focus on the behaviors and tactics that suggest an attack is currently in progress or about to occur, while indicators of compromise tell you that a compromise has already happened. Both are crucial for a comprehensive cybersecurity strategy.
DarkOwl and IoAs
Examples of IoAs in the Darknet that DarkOwl Monitors
Malware and exploit kits: Advertisements for or discussion of high-quality malware designed to evade detection or exploits that can be used in an attack.
Tools for malicious activity: Evidence of groups using specific tools to disable security software, like an EDR (endpoint detection and response) killer, to facilitate an attack.
TTPs: Discussion and sharing of attack techniques on darknet forums, which indicates active development and use of new methods.
How DarkOwl Helps Identify IoAs
Entity API: This tool helps identify and contextualize entities like IP addresses and domains within the collected darknet data, which is crucial for correlating indicators and assessing threats in real-time. With Entity API, users can quickly and efficiently identify, monitor, and target particular threats in the darknet that are relevant to their particular needs and use-cases.
Vision platform: This platform collects and indexes vast amounts of darknet data, allowing for the identification of potential attacks in progress by searching for relevant keywords and patterns. Vision UI is the industry leading platform for analysts to simply, safely, and comprehensively search darknet data.
Threat intelligence: By monitoring forums, marketplaces, and other sources, DarkOwl can identify the latest threats and attack methods being discussed and sold on the darknet. With 227,500 pages of darknet content scraped and indexed every hour, DarkOwl’s collection database is continuously expanding.
DarkOwl helps detect both through its darknet intelligence by identifying attacker tactics, techniques, and procedures (TTPs). Examples include advertisements for malware or exploit kits, discussions of attacks on darknet forums, or the use of tools, all of which indicate a potential or ongoing attack.
Product Highlight: Actor Explore
In today’s digitally driven world, the landscape of cyber threats is ever-evolving and increasingly sophisticated. As businesses and individuals become more dependent on technology, the need to protect sensitive data and critical infrastructure from cyber attacks has never been more critical.
One effective approach to enhancing cybersecurity is to track and monitor cyber threat actors. The actors that are responsible for conducting attacks; individuals or groups with malicious intent, often targeting organizations, governments, or individuals. Understanding why they are operating, what they hope to achieve and what methodologies they are using can assist analysts in protecting infrastructure and predicting future activities. Identifying and monitoring the tactics, techniques, and procedures (TTPs) of cyber threat actors, is also an important step to gain insights into actor’s strategies. This information can be invaluable in understanding how attacks are executed and identifying potential vulnerabilities in an organization’s defense.
With DarkOwl’s Actor Explore users can review analyst curated insights into active threat actor groups on the darknet and wider. We explore the motivations behind the groups, the tools they have used and searchable attributes to pivot on within DarkOwl Vision. Tracking available information about threat actors such as their motivations, TTPs, victims and activities can provide valuable intelligence which allows analysts to predict behavior and take proactive steps to protect their organizations.
Product Highlight: DarkSonar API
With cyberattacks increasingly on the rise, organizations need better intelligence to safeguard themselves, employees and customers from incidents such as data breaches and ransomware attacks. This rise in illicit cyber activity only increases the need to protect against and determine the likelihood of these attacks. The darknet contains data critical to understanding criminal behavior and security risk, and companies need an understanding of their exposure on the darknet to determine risk and take mitigating actions.
DarkSonar, a relative risk rating based on darknet intelligence, measures an organization’s credential exposure on the darknet. DarkSonar enables companies to model risk, understand their weaknesses and anticipate potential cyber incidents. In turn, organizations are able to take mitigating actions to protect themselves from loss of data, profits, and brand reputation.
DarkSonar in the Wild
General Motors
In April 2022, General Motors disclosed that it suffered a credential stuffing attack. The attackers accessed customers’ personally identifiable information (PII)and redeemed reward points for gift cards.
Takeaway: DarkSonar’s email exposure signal detected an abnormal increase in plaintext and hashed credentials in the months leading up to the attack.
Colonial Pipeline
In late April 2021, hackers gained entry into the networks of Colonial Pipeline Co. The hack took down the largest fuel pipeline in the U.S. and led to shortages across the East Coast was the result of a single compromised password, according to a cybersecurity consultant who responded to the attack. The virtual private network account was no longer in use at the time of the attack but could still be used to access Colonial’s network, he said.
Takeaway: DarkSonar detects plain text credentials available on the darknet.
FujiFilm
In early June 2021, Fujifilm’s company servers were infected by Ransomware. While they have never released the specific details, it is believed to be the Qbot Ransomware. Qbot is typically initiated by phishing.
Takeaway: DarkSonar detected an increase in email exposure which can be used as part of a phishing attack.
With recent global events, you’ve likely come across articles, conversations, or opinion pieces about Discord. As of 2024, the instant messaging platform boasts over 150 million monthly users. Once known primarily as a communication tool for gamers, Discord has evolved into a hub for a wide range of communities—from book clubs and fandoms to casual chat groups with friends and family.
What sets Discord apart from traditional social media is its unique structure: no public feeds, no traditional advertising, and a focus on private, curated spaces.
As more attention turns to corners of the internet that might be unfamiliar to the mainstream, this blog aims to shed light on Discord’s ecosystem and answer some of the questions you may be asking yourself.
What Is Discord?
Discord was established in 2015 as a social platform for people with similar interests to share voice notes, videos, and texts with one another. The app originally targeted gamers, offering superior voice chats and customizable server options. Individuals were able to live chat with other Discord users while playing their favorite games and build communities solely focused on their hobbies.
The app received an influx of users not connected to the gaming community in the late 2010’s and during COVID-19. The pandemic led many people to Discord, where they built virtual communities for a myriad of topics ranging from musician fan groups to book clubs. The features that originally appealed to the gaming community were also applicable for establishing virtual classrooms and information sharing among groups.
Discord offers both private and public servers. Public servers work similarly to other social platforms; it allows users to chat with any public server that they would like. Most public servers are monitored by moderators who have the power to remove or edit information shared in the server. Private servers offer users more secrecy, are typically invite only, and offer users an exclusive forum for group chats. Whoever sets up the server has admin rights, which allows them to add/remove members, ban content/words, and add additional admin members.
Is Discord Dangerous?
Discord can be used safely but as with any social media app, there are bad actors and users can be susceptible to harmful behavior.
Cybercriminals employ a range of tactics to deceive Discord users into installing malware—often referred to as a Discord virus—which can have serious consequences for their devices and data. Beyond technical threats, users may also encounter harmful behavior such as the sharing of explicit content or experiences of bullying and harassment within the platform. The platform has also been used in the past to share classified information as well as manifestos related to violent extremism.
The major concerns with Discord are:
Discord Scams & Viruses– A majority of Discord scams involve deceiving users into “clicking links, scanning QR codes, or logging in to off-site locations” so bad actors can spread malicious software. Research states that the most common type of malware in Discord is Remote Access Trojan (RAT), which hackers distribute using malicious links. Discord’s security team does have tools to filter malicious files but can sometimes miss ones when they initially hit the platform.
Risk to Children/Teens– To protect children, the app has an age requirement of 13 though people believe it is easy to bypass their verification process. The risk of exposure to NSFW (not suitable for work) content is hard to mitigate when children have their own accounts. Users may post sexually explicit imagery or videos in public servers without warning.
Cyberbullying/Harassment – Because many individuals using Discord to connect with communities, there are frequent conversations that occur between strangers. Cyberbullying includes sending, posting, or sharing negative, harmful, false, or mean content about someone else. In a 2024 transparency report released by Discord, they claim to have taken some form of action against 92K accounts, which included disabling over 19k for some form of harassment and bullying.
How to Protect Yourself
Some risks on Discord are similar to those found across the open web. However, both cybersecurity experts and Discord itself offer practical steps that users can take to stay safe and protect their accounts from malicious activity.
Key safety tips:
Always enable two-factor authentication (2FA) to add an extra layer of security to your account.
Block and report suspicious users to help keep the community safe.
Stay alert for scams: Discord recommends avoiding links from unknown senders and never downloading code or files you don’t recognize.
Control who can message you: Adjust your privacy settings to limit direct messages to friends or members of shared servers. You can also enable filters to reduce spam and unwanted messages.
Conclusion
While Discord offers a fun and dynamic way to connect with friends, communities, and shared interests, it’s important to stay mindful of your safety online. By taking a few simple precautions like managing your privacy settings and being cautious with unknown links or users, you can enjoy everything the platform has to offer without putting yourself at risk. Staying aware of potential threats ensures you can make the most of your experience without compromising your safety.
Check out our field-tested guide to cyber hygiene here.
With increasing regularity, the media is filled with reports of mass shootings, assassinations, political violence, and other forms of targeted violence. While targeted violence is nothing new, our fractured society does appear to be experiencing these events more frequently as time goes on.
One of the ways in which law enforcement, security professionals, and healthcare professionals have sought to combat and prevent these acts of violence is through the practice of threat assessment. A systematic process, built over decades, which seeks to identify and prevent targeted violence through assessment of behavior and managing risk.
However, in an increasingly digital age the sheer volume of data that is available to these professionals is ever growing. Whether monitoring social media for any mentions of credible threats or reviewing large volumes of emails in response to a triggering event or reviewing messaging apps it can be impossible to identify which individuals actually pose a threat and the best way to assist them. This does not even take into consideration the issue of identifying who the real person is behind sometimes anonymous online personas.
This study focuses on high-volume threatening communication within far-right Telegram channels. The far-right is understood here as an umbrella term encompassing a diverse range of ideologies, movements, and political actors situated at the extreme end of the right-wing spectrum. While diverse, these groups usually share some characteristics: nationalism, racism, xenophobia, anti-democratic tendencies, or strong state advocacy (Mudde, 2000). All far-right ideologies, view human inequality as natural and even desirable (Mudde, 2019). Translating definitions of ideology to the online sphere is challenging, since information about individuals or groups is often limited to their digital expressions. As Conway (Conway, 2020) observes, the contemporary online far-right is best understood as a decentralized “scene,” “milieu,” or “ecology” — a fluid and rapidly shifting network of individuals, groups, movements, political parties, and media outlets that overlap and interact in complex ways.
Many of the far-right channels identified by DarkOwl remain active on the platform, which has allowed us to collect a substantial amount of data from the communications within the channels selected for this analysis.
Using a dataset collected from active far-right Telegram channels, DarkOwl and Mind Intelligence Labs sought to examine whether combining AI tools with manual analysis of text-based content from far-right Telegram channels could enhance the identification of threats and deepen understanding of their nature to support threat assessors.
The far-right Telegram channels analyzed in this study contain a high volume of threatening communication, making it challenging to determine which threats are more credible than others. Our analysis shows that most threats are explicit and directed at specific targets. Operationally detailed threats are also common, indicating a normalization of violent rhetoric and a potential for mobilization within these online communities.
What is Threat Assessment
Threat assessment is the process of identifying if individuals may be at risk for engaging in targeted violence and managing that risk to prevent violence from occurring. Assessments are conducted based on an individual’s observable behavior and therefore require a review of how an individual is acting, what they are saying both online and in the “real world,” as well as communications of intent and contextual stressors.
Both the FBI and the Secret Service provide guidance for how to conduct threat assessment, highlighting that it is not just about identifying an initial risk, but ongoing management to prevent any risk that may be posed over time as an individual’s situation changes.
Key components of threat assessment include:
Identify – Detect behaviors or statements that a person may be moving towards violence. This can include direct threats, planning behaviors, or having a grievance. Bystanders such as friends or family members are often those that report concerning behaviors, but it can also be detectable through online communications that can be tracked.
Assess – Collect and assess information about the person, what motivates them, what accesses do they have, and what opportunities for violence do they have. Have they shared a specific threat and is this credible and or viable? This can include a review of their online communications as well as interviews with colleagues or family members, and even the subject themselves.
Manage – A very important aspect of threat assessment is the ongoing management of the risk. This requires developing tailored strategies to reduce the threat. Options can include mental health support, social services, law enforcement involvement, safety planning, and ongoing monitoring and follow up on the subject.
Threats made online differ from those expressed in person since digital platforms provide anonymity, lower inhibitions, and offer wide reach. As noted in the FBI’s Making Prevention a Reality guide (2019), perceived anonymity can reduce typical social restraints, allowing individuals to voice hostility or intimidation they might not display in face-to-face settings. Yet, detecting and evaluating threats that are posted online is important to prevent violence.
Assessing threats in a high-volume environment poses substantial challenges. The sheer number of online communications makes it difficult to distinguish which threats are credible and require further analysis. The FBI emphasizes that not every threatening message indicates a genuine intent to harm. The goal of assessing concerning communications is to determine whether a message is an expression of anger or frustration or a behavioral indicator of movement toward violence. An assessment helps decide which communications warrant deeper investigation or management intervention.
When assessing threats online, several factors must be considered — particularly the specificity, credibility, and intent behind the communication.
A threat is considered specific if it contains concrete information such as who will carry out the act, the intended target, when and where it will occur, and how it is supposed to happen. Specific details — such as the mention of weapons, timing, or location — increase the level of concern because they demonstrate planning or forethought.
Credibility relates to the source of the threat and its feasibility. Analysts evaluate whether the source is reliable or directly connected to the individual of concern, whether similar threats have been made before, and whether there is a consistent pattern of behavior. The assessment also considers how viable the threat is: does the individual have the means, access, or capability to act on their words?
Determining intent involves examining signs of motivation, planning, or commitment to carry out an attack. Indicators may include expressions of grievance, fixation on a target, or evidence of preparation. Establishing intent can be particularly challenging in online environments, where individuals may exaggerate or use violent rhetoric without a genuine plan to act.
Telegram
The messaging app Telegram was founded in 2013 by Pavel Durov who previously founded the popular Russian social media app VK. Telegram has approximately 950 million registered users worldwide. Although a messaging app, Telegram operates more like a social media platform. Users register using a telephone number but can use any display name they want. Users can message each other directly, but the platform also has the concept of channels and groups where mass communication can occur.
In a channel, multiple users can communicate with each other, acting as a chat function you are able to see the username and their comments. Other channels operate more of a broadcast system where only the admins can share messages. Users are able to join channels and are notified of any comments. As well as operating as a communications platform, some of these channels are also used as markets, buying and selling goods such as drugs, counterfeit items and personally identifiable information (PII).
Over the years, Telegram has been used by a wide range of criminal communities. This includes terrorist activity, hacktivism, ransomware, hacking, CSAM, drugs, and the distribution of stolen data. In recent years, it has also become a hub for extremist rhetoric, with groups such as Terrorgram using the platform to promote their views and incite violence among followers. As Telegram’s role in criminal and extremist ecosystems has expanded, Telegram threat intelligence has become increasingly important for analysts and investigators seeking to monitor channels, identify threat actors, and connect Telegram-linked activity to broader online threat environments. At the same time, many other groups – often right-wing – have emerged on the platform, each with different ideological angles and audiences.
Telegram has long been criticized by law enforcement and security analysts for hosting extremist content, CSAM material, and other illicit content. It is renowned for not cooperating with law enforcement. In August 2024 Durov was arrested in Paris for not taking steps to curb the criminal use of Telegram. Since that time, the platform has taken some steps to remove channels reportedly conducting criminal activity, but there does not appear to have been any consistency to this activity.
Methodology
Using DarkOwl’s collection of Telegram channels, analysts identified and reviewed a variety of far-right channels and selected those that had some of the most concerning content from a variety of right-wing movements. Concerning content was defined as those that included mentions of extremist views, violence or appeared to be attacking groups or individuals. Although we classified the channels as far-right, they had a range of ideologies within that belief system, some were explicitly pro-Trump, some were composed almost exclusively of J6 rioters, some were conspiracy theory heavy, others were racist and xenophobic, etc.
Since our focus was on analyzing threatening language, we selected channels that were not overly image based. However, we acknowledge that images and memes constitute an important component of threat analysis. We also prioritized channels that were highly active and had a substantial number of members.
Below is a list of the channels selected and dates for which we had collected data that was analyzed as part of this project.
About the Data
A total of 190,535 messages written by 11,068 individuals was collected from the listed channels. To identify threatening and violent communication within this dataset, we used a set of threat detection tools developed by Mind Intelligence Lab. The tools are based on a machine learning model designed to automatically detect violent threats (Lundmark et al, 2024). Of the 190,535 messages collected, 5% (9,442) contained threatening or violent content. Nearly 4% of the users had posted at least one violent threat. These figures illustrate the exceptionally high volume of threatening communication, which poses significant challenges for threat assessors and law enforcement in determining the severity and credibility of individual threats.
Assessing Threatening and Violent Communication
To better understand the nature of threatening and violent communication, we conducted a qualitative content analysis of a random sample of 749 threatful messages that were automatically identifed using Mind Intelligence Labs tools. Each threat was annotated according to five analytical categories:
Explicit Target – The message clearly identifies a specific person, group, institution, or location as the target of harm. Example: “I’m going to make sure Senator James pays for this.”
Operational Details – The author provides information on how violence should be executed (e.g., weapon type, method). Example: “I’m getting my AR-15 to shut them up.”
Explicit Date or Time – A concrete date or timeframe is given for when the act will occur. Example: “You’ll all see what happens on July 4th.”
Research on the Target – The writer indicates surveillance, investigation, or personal knowledge about the target. Example: “I know her schedule — she always leaves work at 6 p.m.”
General Threatening or Hateful Language – Non-specific expressions of hostility, hate, or implied violence. Example: “People like them deserve to suffer.”
Findings
The purpose of our analysis was to examine the extent to which the identified threats contained identifiable targets, operational details, or explicit temporal markers—features that are often indicative of intent, planning, and potential capability. Our findings revealed that 93% of the threats (697 cases) explicitly mentioned a specific target, indicating a strong focus on particular individuals, groups, or institutions. More than 41% of the threats (308 cases) included operational details or descriptions of how the act should be carried out, suggesting a degree of planning and tactical consideration. Only a small fraction, 0.3% (2 cases), contained an explicit date or time for the intended act, indicating that while detailed, most threats did not include a defined timeline for execution. When a timeframe was given, it was vague — for example, “next week” or “by tomorrow.” None of the threats contained information about research conducted on the target.
Nearly 40% of the analyzed threats contained general threatening or hateful language, reflecting a broad spectrum of hostility rather than concrete plans for violence. This category included dehumanizing expressions, where individuals or groups were referred to as “monkeys”, “cockroaches”, or other derogatory terms that strip them of human qualities. Such language serves to justify or normalize aggression by framing the target as less than human — a well-documented precursor to acceptance of violence in both extremist and hate-based contexts.
In addition to dehumanization, many threats expressed violent fantasies or wishes, such as hoping that harm, punishment, or death would befall a specific person or group.
These findings indicate that even when no actionable plans are present, generalized hate and dehumanizing rhetoric can reflect underlying attitudes relevant to risk assessment. Such expressions may foster or normalize an environment in which violence is encouraged, justified, or perceived as acceptable, making this form of language an important factor to consider in both threat assessment and ongoing monitoring of threats.
Explicit Targets
Almost all threats (93%) had a explicit target. More than half of the threats (58%) were directed toward unspecified groups or individuals (they/them, he/she or you). These general expressions of aggression often use dehumanizing language and reflect a diffuse sense of grievance rather than a specific intent to harm. However, even non-specific threats serve an important function since they normalize violent discourse and reinforce group identity.
Explicitly racialized threats are highly prevalent. Black people (12%), immigrants (7%), Jews (4%), and Muslims/Arabs (3%) together constitute over one-quarter of all the analyzed threats. This pattern is consistent with far-right narratives centered on nationalism, racism, xenophobia, antisemitism, and anti-Muslim sentiment.
Threats against women (5%) and LGBTQ+ individuals (3%) reflect the intersection of misogyny and anti-LGBTQ+ within far-right telegram channels. Although less frequent, government officials (3%), politicians (1%), law enforcement (2%), and political opponents (2%) represent an important category of threats directed toward institutions of authority. These messages often frame violence as legitimate resistance against a disfunctional or corrupt state. Even though these threats form a smaller proportion of the total, they are of particular concern due to their potential to inspire real-world attacks on public officials or infrastructure.
A small part of the threats targets pedophiles (1%) and “race traitors” (1%). Threats against alleged pedophiles are often framed as a defense of children or morality, providing a pseudo-legitimizing rationale for violence. In contrast, attacks on so-called “race traitors” reflect that a perceived ideological disloyalty within the in-group is punished rhetorically or violently.
Operational Details
More than 41% of the threats included details on how the act should be carried out. References to specific methods offer valuable insight into how far-right actors imagine and express violence. The threats ranged from fantasies of large-scale attacks to symbolic punishments. While many of them may not reflect an immediate ability to act, the repeated calls for violence help to incite and encourage further violent behavior.
Shooting (31%) is the most frequently mentioned method, underscoring the centrality of firearms in far-right violent imagination. Guns are often presented as tools of justice or resistance, reflecting a broader cultural fascination with militarization and armed self-defense. References to specific weapons (e.g., “AR-15,” “rifle,” “sniper”) are common, and their frequency indicates potential access or aspiration toward weapon use.
Hanging (18%) and execution (10%) threats are notable for their symbolic weight. These methods are often framed as public punishment for perceived “traitors,” political opponents, or minority groups. Such imagery mirrors historical lynching narratives and functioning both as intimidation and as a performative assertion of dominance.
Beating (13%) and torture or inflicting pain (8%) represent more personal and intimate forms of violence. These threats often emphasize suffering and humiliation rather than efficiency, indicating a sadistic dimension.
Threats involving burning (5%) and explosives (4%) are less common. Burning is often directed toward symbolic targets such as religious buildings or refugee centers, while explosive threats are associated with aspirations toward large-scale attacks. Although these references are relatively rare, they reflect higher levels of operational imagination and thus represent elevated threat potential.
A smaller part of threats involves stabbing (3%), poisoning (2%), or other forms of methods (2%) such as being hit by vehicles, attacked by animals, drowned, or starved. These methods indicate creative variability in violent expression and sometimes suggest opportunistic or improvised violence.
Mentions of prison or arrest (3%) and deportation (1%) demonstrate how far-right actors also employ state-like punitive language. Such threats often frame violence as an extension of “justice” or legitimate punishment, blurring the line between vigilante violence and imagined authority.
Conclusion
Overall, the threat landscape on far-right Telegram channels is dominated by broadly directed, racially motivated, and ideologically charged hostility. The combination of generalized incitement and specific identity-based targeting suggests a dual function of such communication: maintaining a shared sense of grievance and providing moral justification for violence. Although explicit threats against named individuals are relatively rare, the pervasive use of dehumanizing and violent language toward entire social groups constitutes a persistent incitement environment.
The dominance of operational methods such as shooting, hanging, and beating in the threats shows two key aspects of far-right violent language: it is both militarized and ritualized. Firearms represent strength and control, while hanging and execution reflect ideas of punishment and revenge. Together, they express a worldview that portrays violence as justified and even necessary.
Although many threats lack clear plans for action, their impact should not be overlooked. They normalize violent attitudes, define who is seen as a legitimate target, and create a shared language that can encourage real-world violence.
The mix of modern weapons and old forms of punishment shows how far-right communities combine past and present ideas of violence into a single story of resistance, revenge, and exclusion.
Recommendations
Monitor high-threat environments: Continuous monitoring of far-right online spaces is essential to detect emerging risks and shifts in rhetoric.
Identify targeted groups and trends: Mapping which individuals or groups are being targeted, and how these patterns evolve over time, helps in understanding broader threat dynamics.
Assess credibility carefully: Determining whether a threat is credible is challenging when analysis is limited to digital communication. Online expressions may range from symbolic aggression to genuine intent.
Address incitement and inspiration: Even when individuals do not act directly, exposure to violent rhetoric and extremist narratives can inspire others to commit acts of violence. Efforts should therefore focus not only on explicit threats but also on messages that glorify or encourage violence.
Lundmark, L., Kaati, L. & Shrestha, A. (2024). Visions of Violence: Threatful Communication in Incel Communities. In: 2024 IEEE International Conference on Big Data (BigData): pp. 2772-2778.
Mudde, C. (2000). ‘The Ideology of the Extreme Right’, Oxford University Press.
Mudde, C. (2019). ‘The Far Right Today’, John Wiley & Sons.
Our analyst team shares a few articles each week in our email newsletter which goes every Thursday. Make sure to register! This blog highlights those articles in order of what was the most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.
On September 26, Medusa’s dark web site claimed to have exfiltrated 834.4 gigabytes of data and are demanding $1.2 million for interested buyers to download it. To support their claims, the group uploaded 20 screenshots showing alleged internal data. In one exposed directory, the information appeared to be connected to HR folders that contained personnel records. Medusa ransomware is a known aggressive group that has compromised over 300 organizations between 2021 and 2024. The group typically gains access through social engineering such as phishing emails, exploiting vulnerabilities, or purchasing stolen credentials. Once the group acquires data, they use a double extortion method to gain ransom. Read full article.
2. US seizes $15 billion in crypto from ‘pig butchering’ kingpin – Bleeping Computer
The Department of Justice (DOJ) has seized $15 billion worth of Bitcoin from the Cambodian Prince Group, a criminal organization known for orchestrating large-scale cryptocurrency scams, primarily involving romance baiting and ‘pig butchering’ schemes. Unsealed court documents revealed the group operates over 100 shell and holding companies across 30 countries, which have been extorting countless victims since 2015. Additionally, the group runs automated call centers that were run by employees who were allegedly forced to work due to the threat of violence. The DOJ called the centers, “violent forced labor camps”. Article here.
3. New Rust-Based Malware “ChaosBot” Uses Discord Channels to Control Victims’ PCs – Bleeping Computer
Discord user, chaos_00019, has implemented the malware ChaosBot to gain access to other user’s systems and networks. According to researchers, “ChatBot is noteworthy for its abuse of Discord for command-and-control (C2)”. The malware was observed using phishing messages that contained a malicious Windows shortcut file, after opening the file, a PowerShell command is executed to download and execute ChaosBot. A decoy PDF concealed as legitimate correspondence from the State Bank of Vietnam is displayed as a distraction mechanism. Read more here.
4. ShinyHunters launches Salesforce data leak site to extort 39 victims – Bleeping Computer
“Scattered Lapsus$ Hunters” has launched a new data leak site extorting 39 companies that were impacted by the Salesforce breaches. The companies extorted in the link include Disney/Hulu, FedEx, Google, McDonald’s and more. A separate entry on the site requested that Salesforce pay a ransom to prevent impacted customers (approximately 1 billion records containing personal information) from being released. Salesforce has released a statement claiming, “Our findings indicate these attempts relate to past or unsubstantiated incidents, and we remain engaged with affected customers to provide support.” Read here.
5. Active Exploits Hit Dassault and XWiki — CISA Confirms Critical Flaws Under Attack – The Hacker News
On October 28, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) listed three new vulnerabilities that have impacted Dassault Systèmes DELMIA Apriso and XWiki. The vulnerabilities CVE-2025-6204, CVE-2025-6205, and CVE-2025-24893 allow threat actors to execute arbitrary code and gain access to applications. Both CVE-2025-6204 and CVE-2025-6205 affect versions of DELMIA Apriso dating back to 2020. Combining these vulnerabilities allow creation of accounts that obtain elevated privileges and deposit executable files into a web-served directory, resulting in complete compromise of the application. Starting in March, CVE-2025-24893 impacted XWiki by using a two-stage attack chain that delivers a cryptocurrency miner. Learn more.
6. Have I Been Pwned: Prosper data breach impacts 17.6 million accounts – Bleeping Computer
In September, Prosper, a peer-to-peer lending marketplace, announced a breach had been detected with hackers gaining access to customer accounts and funds. Have I Been Pwned announced that 17.6 million unique email addresses had been affected by the incident. The companies statement claimed that “confidential, proprietary, and personal information, including Social Security Numbers, was obtained”. The company is also going to offer free credit monitoring while they determine what data was affected. Information on how the data was obtained and ways the company is combatting future leaks have not been discussed. Read full article.
7. Researchers Identify PassiveNeuron APT Using Neursite and NeuralExecutor Malware – The Hacker News
The malware campaign dubbed, PassiveNeuron, was first flagged using different methods in November 2024 for targeting government, financial, and industrial organizations located in Asia, Africa, and Latin America. One incident showed that the threat actors were able to gain initial access through remote command on a compromised machine running Windows Servers through Microsoft SQL. The exact method is unknown, but it is possible the attackers are either brute-forcing the administration account password or leveraging an SQL injection flaw in an application running on the server. Read full article.
8. BatShadow Group Uses New Go-Based ‘Vampire Bot’ Malware to Hunt Job Seekers – The Hacker News
BatShadow, a Vietnamese threat actor, has leveraged a new social engineering tactic that delivers a malware called, Vampire Bot, to job seekers and digital marketing professionals. Posed as recruiters, the attackers distribute malicious files disguised as job descriptions and corporate documents. Victims who click the link in the lure PDF to “preview” the job description are taken to a landing page that displays a fake error saying the browser is unsupported, through multiple attempts the error message eventually triggering an automatic ZIP download containing the supposed job description and a malicious executable named Marriott_Marketing_Job_Description.pdf.exe (the file mimics a PDF by inserting extra spaces between “.pdf” and “.exe”). Learn more.
Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.
This Halloween, the scariest thing might be what’s tucked inside the candy bar, a lure that looks harmless but hands an attacker the keys to your digital life.
Phishing and social-engineering attacks are the “tricks” that become catastrophic when the dark web supplies ready-made toolkits and AI-generated messages to amplify them. The result: low-effort, high-impact scams that can ruin reputations and drain bank accounts.
This Halloween we explore the “scary tricks” cyber criminals are using to successfully trick you into clicking on phishing emails and other attack types, and what you can do to avoid this activity.
Phishing & Social Engineering: Why They’re Halloween-Worthy
Phishing and the wider family of social-engineering attacks (spear-phishing, smishing, vishing, “quishing” via QR codes, and voicemail impersonation) remain one of the simplest ways to get real access to real systems. For that reason, they remain one of the top cyber-attack vectors in 2025. Phishing and social engineering attacks have been responsible for some of the largest breaches so far this year, such as Salesforce and Allianz.
Researchers have highlighted that the large majority of successful cyber-attacks usually include a human element and are not purely technological vulnerabilities.
But two trends are supercharging phishing today:
Automation and commoditization — phishing kits and “phishing-as-a-service” lower the technical bar for attackers. These are readily available software people can purchase to conduct attacks meaning they do not need to have the technical skills to conduct the attack.
AI-augmented social engineering — generative models craft extremely convincing lures at scale. That combination turns the old “spray-and-pray” email into a professional, targeted, and scalable crime machine. Not to mention the creation of believable videos, images and voices which can be used to conduct vishing and other attacks.
The Dark Web Connection: Toolkits and Kits for Sale
The dark web and underground communities are where the tools, templates and services live, both marketplaces and forums offer software for sale as well as how to tutorials on how to conduct these attacks. Telegram also shared this information via marketplace channels. Below are some of the things being sold.
Security researchers have indicated that the availability of ready-to-use phishing kits on the dark web rose by ~50% from 2021 to 2025, highlighting that this is a trend that is only increasing.
Phishing Kits
Pre-built fake pages, sending scripts and hosting/configuration guides. Research and reporting show fully fledged kits are routinely sold for pocket change, some reports find kits advertised for as little as ~$25 while others are open source, making it trivial for novices to impersonate banks, delivery services, or SaaS providers. The below image from a dark web forum shows users sharing a list of openly available phishing kits claiming they are the best kits to use in 2025.
Phishing-as-a-Service & Automation Platforms
Another offering which is provided on dark web sites, is providing the service on the behalf of an actor. This means the actor doesn’t not need to take any action but can pay someone else to conduct the attack. The below image from Telegram shows a threat actor offering hacking services including phishing kits.
More advanced offerings include campaign dashboards, SMTP pools, deliverability testing and analytics (some newer tools even pair generative AI with mailing infrastructure). The below images show an advertisement for a phishing related AI model as well as the site to purchase the software. The “SpamGPT” toolkit—AI-powered spam-as-a-service sold on underground forums for around US $5,000.
Stolen Contact Lists & Harvested Credentials
While we have previously shared the sale of human organs, this Halloween the harvesting of credentials can be even more scary with wide ranging ramifications. Harvested credentials and victim lists, often sold in bulk, let attackers skip reconnaissance and target previously compromised users.
These data leaks, with credentials and sometimes a lot more information can be really useful to threat actors when conducting social engineering attacks. This can make phishing attacks seem much more believable as they have accurate and real information in them.
These tools lower the barrier to entry, enabling less-skilled attackers to launch large campaigns. They are readily available on the dark web and adjacent sites like Telegram. This means that the number of attacks being conducted can and will increase as individuals need less skills to conduct them. But it is likely that AI develops that the attacks themselves will become more sophisticated and complex. A scary thought!
How Phishing Campaigns Actually Play Out (The Attack Chain)
Figure 5: Phishing Campaign Cycle
Attackers will start with the reconnaissance phase, conducting research usually through open channels or stolen data to find information about the intended targets. Then they create the bait – using a phishing kit or AI they will create a message that they think will hook the target and bypass spam filters. They use the information they found during the reconnaissance phase to make it as believable as possible.
Next comes the delivery phase. Depending on what they are trying to achieve there are multiple delivery methods that can be used such as email, SMS, QR codes and even phone calls. In some cases, actors will use multiple channels as part of their attacks to increase the success rate.
The Exploit phase requires input from the victim to be successful. A victim will click on a link or provide credentials to a phishing site or inadvertently install malware on their computer. These credentials are then used by the attackers to conduct further attacks. But the information can be monetized further by selling the stolen information or access to other actors on the dark web – continuing the cycle of phishing attacks.
New Scary Technologies: AI + Phishing = Mass-Targeting on Steroids
Generative AI has already begun to improve the quality, personalization, and scale of phishing. Platforms and toolkits that combine text generation with campaign automation create highly convincing lures that are difficult for users (and sometimes filters) to distinguish from real messages.
A new class of underground offerings — some reported under names like “SpamGPT” — pair natural language generation with mailing infrastructure and analytics, effectively giving attackers a polished marketing stack for phishing.
The net effect: phishing no longer requires good writing skills or deep technical know-how. It requires money (often small) and an account on an underground marketplace. That democratization of attack capabilities is why credential theft and phishing success rates have jumped in recent reporting.
How to Stop Being Tricked
For Organizations
Multi-factor authentication (MFA) everywhere — reduces the value of stolen passwords even if credentials leak. (Use phishing-resistant MFA like hardware keys where possible.)
Email protections + DMARC/DKIM/SPF + advanced detection — deploy and tune anti-phishing gateways, URL detonation, and link rewriting. Train filters to use behavior signals (login geography, device fingerprinting).
Phishing simulations + continuous user training — recurring, contextual training that adapts to current phishing themes reduces click rates. Combine simulated attacks with coaching, not just shame.
Dark-web monitoring & rapid credential-remediation — monitor for leaked credentials or company data; have a playbook to force resets and contain exposed accounts.
Least privilege + segmentation + strong logging — limit how far a single compromised account can go; log and monitor anomalous account activity for fast detection.
For Individuals (Easy Wins)
Use a password manager and unique passwords for every site.
Turn on MFA (preferably an authenticator app or hardware key).
Hover before you click — inspect links, check sender addresses for subtle typos, and don’t enter credentials after arriving at a link from an email.
Treat SMS and phone callbacks as suspicious for requests about credentials or money; verify independently.
If you click or think you’re compromised — change passwords from a known-good device, enable MFA, run a full malware scan, and notify your employer or bank.
Conclusion
Phishing and social engineering are the silent spooks in the house: they don’t break doors in—they get invited. And when the dark-web toolkit makes it easy, the threats multiply. This Halloween, treat your security like locking the door and checking the candy.
Phishing is deceptively simple, but the underground economy and fast-moving AI technology have turned it into an industrialized threat. The good news: many countermeasures are straightforward and inexpensive (MFA, password hygiene, basic email controls). Don’t take a bite of the candy unless you’re sure it’s your friend handing it. Treat yourself to security hygiene; don’t let the attacker trick you with something sweet.
In an increasingly hostile cyber landscape, organizations need visibility into the tactics and techniques used by threat actors. The MITRE ATT&CK Framework has become the gold standard for understanding adversary behavior, providing a structured taxonomy of real-world attack patterns.
While no single platform can address every category within this comprehensive framework, DarkOwl delivers exceptional coverage of critical, high-impact darknet sources, empowering organizations worldwide to anticipate, prevent, and respond to cyber attacks with greater confidence.
Understanding the MITRE ATT&CK Coverage Gap
The MITRE ATT&CK Framework encompasses hundreds of techniques across dozens of categories. The Darknet is establishing itself as a critical early-warning system for reconnaissance, credential compromise, and data exfiltration threats. By providing transparent and flexible navigation of darknet data, DarkOwl maximizes detection capabilities across its core categories, offering organizations unprecedented insight into emerging threats before they impact their systems.
DarkOwl’s MITRE ATT&CK Coverage: Breakdown Per Technique
Gather Victim Host Information
DarkOwl continuously scans stealerlogs, breaches, and darknet channels and fora to identify corporate IPs, credentials, and sensitive host exposures targeting your organization or those in your supply chain. This reconnaissance capability allows you to understand what information about your infrastructure is circulating in criminal marketplaces. Early visibility into compromised host data enables rapid remediation before attackers launch exploitation attempts.
Gather Victim Network Information
Threat actors extensively target networks before striking. DarkOwl monitors high-fidelity darknet sources for corporate network exposures, including IP leaks, asset names, trade secrets, tools, and databases. By surfacing these exposures early, your organization gains the critical advantage of knowing what network vulnerabilities and assets have been discovered by adversaries.
Gather Victim Identity Information
Personal and corporate identity information is among the most valuable commodities in underground marketplaces. DarkOwl detects when your employees’ and contractors’ emails, passwords, sessions, and devices appear in stealerlogs and breach databases. Reset credentials and block fraudulent access before it materializes.
Search Closed Sources
DarkOwl maintains a proprietary database of historic darknet content spanning years of darknet fourm posts, marketplace listings and ransomware site chatter. This institutional knowledge allows your organization to understand not just current threats, but historical patterns that may indicate ongoing targeting. Access to this closed-source intelligence significantly accelerates threat investigation and attribution.
Search Open Websites and Domains
Criminal and terrorist activity thrives across Telegram, Discord, and dark web list sites where threat actors openly advertise services and share stolen data. DarkOwl scans high-fidelity OSINT sources to identify when your organization is being discussed, targeted, or compromised. This open-source monitoring complements traditional security tools by capturing threats in spaces where defenders traditionally have limited visibility.
Compromise Accounts
Credential theft is the foundation of modern cyber attacks, and DarkOwl detects compromised social media, email, cloud, and personal accounts from your staff and supply chain partners.
Compromise Infrastructure
Infrastructure compromise—including domains, servers, and networks—represents a severe threat to organizational continuity. DarkOwl detects when your infrastructure appears in leaked files and darknet chatter, while also maintaining actor profiles highlighting the hardware, software, and CVEs commonly exploited by specific threat groups. This combination of compromise detection and threat actor intelligence enables targeted defensive hardening.
Supply Chain Compromise
Third-party relationships create indirect attack surfaces that many organizations overlook. DarkOwl identifies when contractors, suppliers, and vendors have compromised accounts and infrastructure, providing visibility into supply chain vulnerabilities that could be leveraged to reach your organization. Understanding these indirect exposures allows you to assess risk and implement compensating controls across your extended ecosystem.
Account Manipulation
Account takeover (ATO) represents a critical threat vector that DarkOwl actively monitors across all cloud and system accounts, including those from former contractors or suppliers. By collecting stealer logs and highlighting device and OS exposures, DarkOwl alerts your team to anomalous account activity before it escalates into a full-scale compromise. Rapid detection of account manipulation enables swift incident response and evidence preservation.
Modify Authentication Process
Multi-factor authentication is a cornerstone of modern security, yet DarkOwl discovers MFA redirect URLs in stealerlogs exposing authentication mechanisms. By publishing comprehensive stealer data organized by device, DarkOwl provides your security team with concrete evidence of authentication modifications and potential bypass techniques used by attackers.
Persistent Account Manipulation
Sophisticated attackers maintain long-term persistence through continuous account manipulation, particularly targeting supply chain vendors. DarkOwl monitors stealerlogs to identify ongoing account misuse within your supply chain, alerting to persistent threats that might otherwise remain hidden. Early detection of persistent manipulation prevents attackers from establishing a sustainable foothold within your ecosystem.
Access Token Manipulation: Token Impersonation and Theft
Modern applications rely on tokens for authentication, making token theft an attractive target for adversaries. DarkOwl monitors darknet Initial Access Broker advertisements and sales activity to detect when tokens from your organization enter criminal circulation. This intelligence on token compromise allows your team to invalidate affected tokens and audit token-based access before unauthorized actions occur.
Brute Force: Password Guessing
While brute force attacks are blunt instruments, they remain effective when attackers possess compromised password lists. DarkOwl detects compromised passwords of staff and supply chain partners circulating on darknet breach sites, indicating that your organization faces elevated risk of password-guessing attacks. Proactive password resets based on DarkOwl’s compromise intelligence significantly reduces the success rate of these attacks.
Reversible Encryption
Weak password hashing algorithms create reversible encryption risks, allowing attackers to crack stored passwords at scale. DarkOwl automatically surfaces hashed passwords from corporate domain exposures in historic breach files, highlighting those with weak algorithms subject to reversal by threat actors. This capability allows your team to identify and remediate weak hashing implementations before attackers exploit them.
Unsecured Credentials
Credentials often leak beyond your network perimeter, appearing in messenger apps and across distributed networks like TOR, I2P, and Zeronet. DarkOwl collects these widely-scattered credential exposures to demonstrate the full scope of your credential compromise landscape. Understanding where your credentials have been exposed enables comprehensive remediation across all affected platforms and services.
Internal Spear phishing
Executive and supplier credentials are prized targets for internal phishing campaigns. DarkOwl continuously monitors darknet sources to detect when your executives’ and partners’ credentials are newly shared by threat actors.
Browser Session Hijacking
Stealer logs inherently capture browser sessions, creating direct risks of session hijacking attacks. DarkOwl actively monitors and collects stealer log data containing compromised corporate and personal browser sessions, providing visibility into hijacking risks before attackers exploit them. This intelligence enables your team to invalidate compromised sessions and investigate the scope of browser-based compromise.
Exfiltration Over Web Service
Data exfiltration frequently occurs across web services where attackers blend malicious activity with legitimate traffic. DarkOwl detects when your corporate data appears on darknet services including Telegram, TOR sites, ransomware platforms, and underground forums. Rapid detection of exfiltration allows your incident response team to contain the breach, quantify the exposure, and implement targeted notifications.
External Defacement
Attackers often publicize breaches through external defacement to maximize damage and reputation impact. DarkOwl monitors for keyword/signpost mentions of your company and alleged stolen data across TOR, I2P, file repositories, and paste sites throughout the darknet. This continuous monitoring ensures your security team detects external defacement threats before they escalate into widespread public disclosure or regulatory complications.
Financial Theft
Cryptocurrency plays an increasingly central role in attacks, making financial theft tracking essential for investigation and attribution. DarkOwl allows your organization to validate illicit activity by linking it to specific crypto wallet IDs involved in attacks. This capability supports forensic analysis, law enforcement cooperation, and the tracking and tracing of cryptocurrency flows used to fund future attacks.
The DarkOwl Advantage: Deep Darknet Intelligence for Modern Threats
DarkOwl doesn’t attempt to be a universal MITRE ATT&CK solution. Instead, it excels at what matters most: providing transparent, flexible navigation of darknet data to deliver unprecedented visibility into how adversaries gather intelligence, compromise credentials, and exfiltrate data. By mastering these critical categories, DarkOwl gives organizations the early warning and actionable intelligence needed to transform defense from reactive to proactive.
In today’s threat landscape, organizations need platforms that go deep rather than wide. DarkOwl’s specialized focus on darknet reconnaissance and threat actor activity provides exactly this—strategic depth where it matters most. For security teams committed to staying ahead of emerging threats, DarkOwl represents the specialized intelligence layer that bridges the gap between your internal detection systems and the criminal activity planning your compromise.
Prepare for attacks before they begin. Detect compromise before it escalates. Respond with confidence backed by darknet intelligence. That’s the DarkOwl advantage in the MITRE ATT&CK era.
For specific details on how DarkOwl meets MITRE ATT&CK framework, contact us.
As we wrap up Q3, we’re excited to share a major expansion to our investigative capabilities within Vision UI—introducing a powerful new module designed specifically for darknet marketplace research. This release reflects our continued commitment to delivering actionable intelligence with precision and depth.
Enhanced Marketplace Research
DarkOwl has made substantial updates to the way we capture and store data collected from product listings on darknet marketplaces.Darknet marketplace listings now include up to 26 content fields—including listing titles, categories, vendors, shipping information, prices and payment options, reviews, refund policies, and many more. Access our full listing collection through our new Markets module in Vision UI, or Markets endpoint options in Vision API.
Figure 1: An example of a market listing collected from Abacus market, prior to its shutdown in July 2025
Aggregated Result Set Summaries
Search by product name, vendor, or even a market name—and see aggregated information and visualizations about your result set. This view provides:
A timeline of new listings
A map of Shipping Sources by volume
Metrics of total and top markets
Metrics of total and top vendors
Figure 2: Aggregated information for a product search ‘Xanax’.
Additional Features in our Markets module
Specialized search operators/filters: Search listings by Keyword, Vendor, Market, Category, Price, or other market-specific option.
Additional date options: Search listings or sort results by when the listing was First Seen or Last Changed on the market.
Figure 3: The Markets module provides customized searching and retrieval for product listings. Listings are also available in the All Sources general search, which provides a uniform experience across all data types within DarkOwl Vision.
Figure 4: Additional filtering options in this module include Price, Shipping Source, and Shipping Destination.
Marketplace Research in Vision API
We’ve launched three new endpoints for programmatic access to our enhanced darknet marketplace data. These endpoints provide optimized searching, filtering, and formatting specific to market listing content:
The Markets Search endpoint for an optimized experience and market-specific parameters.
The Markets Summary endpoint provides aggregate information about your search result set.
The Listing Detail endpoint retrieves all information from a single market listing.
You can continue to find market listing results using our Search API endpoint, which have been enhanced with vendor, price, shipping information, as well as a reference to pull the full listing content from the Listing Detail endpoint if desired.
Other Vision UI Updates
We’ve made several search experience upgrades, which streamline and improve search workflows in Vision UI:
Source Domains Filter: The input field has been redesigned for a cleaner, more intuitive experience, making it easier to include or exclude source domains in your searches.
Chat Channel Filters: Our chatfilters now support exclusion, allowing you to refine result sets by removing specific channels.
Search Block Expansion: Chat types are now available as search block types—ideal for monitoring high-interest sources.
Figure 5: The new Source Domains filter provides easier ways to filter to or exclude specific domain sources.
Leaks of Interest Collected
When your search results are from data leaks, users can review additional information curated by DarkOwl analysts, giving you enrichment on the data leak. The descriptions below are all available in our Leak Explore UI feature, or Leak Context API endpoint.
USA fullz info cc x200
A post on LeakBase, a hacking forum, on January 28, 2025, linked to the file: ggjtv.txt. According to the post, there are 200 lines of full USA credit cards. Data exposed includes names, email addresses, CVV, physical addresses, expiration dates, dates of birth, Social Security Numbers, phone numbers, passwords, mobile numbers, and credit card numbers.
etsy.com
Data purported to be from Etsy was posted on BreachForums, a hacking forum, on December 5, 2024. According to the post, the leak consists of 3,600 rows of data, containing 3,535 unique Social Security numbers, 1,915 email addresses, and 32 email domains. Data exposed includes customer information, email addresses, physical addresses, genders, dates of birth, SSNs, phone numbers, mobile numbers, user identification number (UID), company names, and product data. The threat actor noted the leak contained additional files of parsed and deduplicated SSN, emails and email domains from the raw leak data, noting the files that contained emails and email domains had free email services removed from them. While the victim data is listed as Etsy, the post indicates the company exploited by the MOVEit vulnerability was Delta Dental.
3.9M Allianz Life 2025.19.08 Sample
Data purported to be from Allianze Life, obtained via Salesforce, was posted on scattered lapsus$ hunters, a Telegram channel, on August 19, 2025. According to the post, the leaked data include Salesforce’s “Accounts” and “Contacts” tables and contains a total of 3.9 million sensitive records, though only 2.8 million were publicly posted. Data exposed includes customer and partner data, names, addresses, dates of birth, and professional information. The Threat Actor indicated that the full leaked database was posted for sale for $10,000 US, with a final sale of $9,000 for the complete database completed on August 21, 2025 by Season via a BitCoin transaction. According to media reports, Allianz Life confirmed a third-party CRM platform was accessed by a threat actor on July 16, 2025. The Threat Actor group is a combination of Scattered Spider, ShinyHunters and Lapsus$. Telegram channels associated to the group are quickly banned, with backup channels being regularly created to repost content associated to their recent activities.
Serasa Experian 2.9 GB
Data purported to be from Serasa Experian was posted on LeakBase, a hacking forum, on September 10, 2022. According to the post, a hacker known as JBR initially posted the file that affected 223 million users. Data exposed includes names, genders, dates of birth, and CPF (Cadastro de Pessoas Físicas) numbers. The dataset includes static identifiers such as CPF numbers and dates of birth. Consequently, the age of the leak does not lessen the potential impact of the exposed data. A February 2023 post on BreachForums from a user named “TheBlob” explained that the original breach was carried out by a Brazilian hacker known as “JustBr” (or “JBR”), who initially advertised the data on the now-defunct forum, RaidForums. The complete database was reportedly sold for $30,000, while portions, which consisted of 40 parts, were available for $755 each.
Curious how these features and data can make your job easier? Get in touch!
Command-and-control (C2) frameworks are used by both red teams and cybercriminals. They provide a wide range of functionality and capabilities that make post-exploitation tactics easier and more effective. In simple terms, a C2 acts as a central server that connects to, communicates with, and manages compromised systems. It establishes persistence and allows the operator to control dozens of infected machines from one central environment.
There are many reasons why C2 frameworks are popular among attackers and red teams. Most frameworks offer operators powerful capabilities such as privilege escalation, network pivoting, scanning, and data exfiltration. They are so useful, in fact, that cybersecurity companies have developed their own commercial C2 products for ethical red-team engagements. Cobalt Strike is often regarded as the industry leader for production-grade post-exploitation operations due to its broad set of easy-to-use features, making engagements accessible even to less technically skilled operators. Open-source options are also widely available, with frameworks like Covenant, Sliver, Metasploit, and many others freely downloadable from GitHub.
Regardless of the framework, stealth is the most critical factor for both ethical red teams and cybercriminals. Security Operations Centers (SOCs) constantly monitor traffic and look for suspicious packets moving through the network. No matter how polished a C2 product may appear, it is useless if detected and blocked. In addition to internal monitoring, dedicated threat-hunting teams at Microsoft, Google, Meta, Cisco, CrowdStrike, IBM, and others search for malicious infrastructure outside their own networks as well.
Security Through Obscurity
Offensive security operators understand the importance of obfuscating traffic and minimizing detection. Great effort is made to ensure payloads are covertly delivered, network traffic is routed inconspicuously, and C2 frameworks are hidden behind innocent-looking websites. This constant need for concealment has led to several tactics, techniques, and procedures (TTPs) that blue teams, SOCs, and organizational leaders should be aware of.
“Small Sieve,” for example, uses the Telegram bot API to communicate over HTTPS and relay commands to and from malicious C2 servers. To defenders, this HTTPS-encrypted traffic moving through the organization’s network may appear normal. Since Telegram is not considered a malicious service, such traffic could easily be overlooked by blue teams and SOC analysts.
Throughout 2021, a suspected Iranian-backed threat group known as “Oil Rig” conducted an operation called “Outer Space” targeting Israeli organizations. To conceal their malicious traffic, they compromised an Israeli human resources server and repurposed it as a dedicated C2. Subsequent operations appeared to originate from this trusted source.
This technique is not limited to concealing C2 servers. When a stage-one payload needs to download additional malware, threat actors often host stage-two payloads on trusted platforms that are less likely to raise alarms. Saint Bear, a Russian threat actor active against Ukraine and Georgia as early as 2021, frequently used Discord’s content delivery network for hosting malicious files. To defenders, this traffic appeared to come from Discord, making it harder for intrusion detection systems to flag as suspicious.
DarkOwl Vision: Threat Intelligence on C2
The popularity and awareness of these C2 techniques have expanded beyond nation-state actors and advanced attackers. Using the DarkOwl Vision platform, we can observe multiple discussions emphasizing the importance of stealth in C2 operations.
Source: DarkOwl Vision
One user highlights the software’s ability to “function covertly, employing stealthy techniques to avoid detection… and [avoid detection from] network security monitoring tools”.
The following example describes another piece of malware that uses Telegram as its command-and-control platform for communication with infected machines. Again, the author boasts of the software’s “low detection rates due to its advanced obfuscation techniques”.
Source: DarkOwl Vision
Conclusion: Cyber Cat and Mouse
For cyber defenders and blue teams, it is critical to understand these TTPs. In some cases, an SOC analyst may identify something suspicious within an otherwise benign Telegram packet. In others, endpoint detection and response platforms can be tuned to better recognize this malicious traffic. More importantly, the cybersecurity community must accept that these TTPs will continue to evolve into more sophisticated methods. Just as blue teams grow comfortable detecting one technique, red teams adopt the next lesser-known approach that has yet to be widely publicized.
Resources such as attack.mitre.org are invaluable for fingerprinting and understanding the TTPs that a company, organization, or industry might face during an incident. After an attack, investigators and cyber experts often publish their findings, which can help future targets prepare to identify and thwart similar threats.
In this blog, we explained how powerful C2 frameworks can be in maintaining stealthy operations for both red teams and cybercriminals. We highlighted examples where advanced persistent threats (APTs) leverage trusted applications and networks to conceal post-exploitation activity. The dark web remains a rich source of intelligence, where forums and discussion boards provide valuable insight into evolving trends and shared techniques. Ultimately, staying ahead in this cyber cat-and-mouse game requires defenders to remain adaptive, vigilant, and continuously informed.
Practical Habits That Protect Your People, Your Data, and Your Peace of Mind
Since the Covid Pandemic in 2020, it’s been proven time and again that the boundary between work and home is thin. Your “office” might be a kitchen table. Your “help desk” might be your teenager asking for the Wi-Fi password. And while we like to think that security is something handled by IT or left to our antivirus, the truth is simpler. It’s your daily habits: at work and at home. They can decide whether attackers get a foothold.
Below is a field-tested guide to cyber hygiene that treats all aspects of your life with the reality that they are all connected. Use it to harden the places you click, type, scan, and share, no matter where you are.
Step 1: Start with the “Big Four” (everywhere you log in)
Multi-Factor Authentication (MFA)
Turn on MFA for every important account. It adds a second proof (app prompt, code, or security key) so a stolen password alone won’t grant access.
Strong, Unique Passwords (via a Password Manager)
Use a password manager to generate and store long, unique passwords for each site. This prevents one breach from unlocking multiple accounts.
Relentless Updates (OS, Apps, Browsers, Firmware)
Keep everything current—laptops, phones, browsers, and even routers/IoT. Updates patch known flaws attackers actively exploit.
Phishing Awareness & Reporting
Slow down on links and attachments. Verify unusual requests on a separate channel and report suspicious emails/messages to IT.
Go one level deeper: choose phishing-resistant MFA
Not all MFA is equal. SMS codes and push prompts can be bypassed (push fatigue, SIM swaps). Where available, use FIDO2/WebAuthn security keys or passkeys for phishing-resistant authentication (CISA).
Passkeys = fewer headaches, more security
Passkeys use public-key cryptography, so there’s nothing reusable for criminals to steal or phish—and they’re now supported across major platforms. If a site offers passkeys, turn them on (FIDO Alliance).
Step 2: Treat your home like a branch office
Attackers don’t care if they land on a CFO’s laptop or a teenager’s tablet, both act as launchpads to your data.
Segment your Wi-Fi
Create separate networks for primary devices, guests, and IoT (cameras, TVs, smart speakers). This limits blast radius if one thing gets infected. At minimum: Primary, Guest, and IoT SSIDs (U.S. Department of War).
Harden the router
Change default passwords, disable WPS, enable WPA3/WPA2, update firmware, and hide/rename default SSIDs that leak your router model (CISA).
Update edge devices
Firewalls, routers, VPN gateways, and internet-facing boxes need regular patching—treat them like crown jewels, not appliances (CISA).
Family reality check
Kids and elders are prime targets because they’re helpful and curious. Set up non-admin accounts, turn on automatic updates, and require approval for new installs. Teach a simple rule: no scanning random QR codes. EVER! QR-based phishing (“quishing”) is rising—from stickers on parking meters to QR codes sent in the mail.
Step 3: Close the “human gaps” at work
Technology can’t save us from workflows that reward speed over safety.
Slow down where it counts
Clicking a link, approving an MFA prompt, or running an attachment is a risk decision. If something feels rushed or emotional, pause and verify on a separate channel.
Defend against MFA fatigue
Never approve a push you didn’t initiate; report repeated prompts to IT. Ask your org to move critical apps to phishing-resistant MFA (CISA).
Kill shadow IT kindly
People use unsanctioned tools to get work done. Offer safe, approved alternatives—and make them easier than the workaround.
Separate identities and browsers
Use different browser profiles (or separate browsers) for corporate vs. personal accounts to avoid cross-contamination of cookies, extensions, and autofill.
Step 4: Five Pillars of Cyber Hygiene (with “Work” and “Home” plays)
Think of these as your daily vitamins—boring, effective, non-negotiable.
Identity
Work: Require MFA everywhere; prefer FIDO2 keys or platform passkeys for high-risk roles. Review admin privileges quarterly (CISA).
Home: Use a password manager for everyone in the house. Turn on passkeys where offered. Store account recovery codes securely (not in your email) (CISA).
Devices
Work: Enforce OS/browser/driver updates. Block unsigned macros; restrict USB media.
Home: Auto-update everything. On kids’ devices, require approval for new apps and in-app installs. Back up photos/docs to a service or external drive (3-2-1 rule).
Home: Separate SSIDs: Primary | Guest | IoT. Change router defaults; update firmware; prefer WPA3 (U.S. Department of War).
Applications
Work: Maintain an allow-list of approved software and browser extensions. Monitor OAuth app grants to corporate accounts.
Home: Delete apps you don’t use. In browsers, keep extensions minimal and reputable; disable third-party cookies; use separate profiles for kids.
People
Work: Run short, contextual training (60–90 seconds) tied to real incidents: “Why this phish worked,” “How that MFA prompt slipped through,” etc.
Home: Have a five-minute family drill: “If a pop-up says we’re infected, what do we do?” (Answer: close the browser, don’t call numbers, tell an adult.)
Step 5: A 15-Minute Monthly Tune-Up
Set a recurring reminder synced to all your devices will help and knock these out
Update all devices (phones, laptops, tablets, routers, smart TVs).
Review your password manager for weak/reused passwords; rotate any shared family passwords. (CISA)
Check bank and email alerts (sign-ins, transfers, forwarding rules).
Audit browser extensions and remove anything you don’t use.
Test backups by restoring a file (don’t wait for an emergency).
Step 6: If you slip (because we all do)
At work: Unplug from the network if malware is suspected; call IT; do not try to “clean it” yourself; preserve evidence (timestamps, screenshots).
At home: Power down the affected device; change important account passwords from a different device; call your bank if credentials were exposed; reset router and update firmware; reinstall OS if necessary.
If you scanned a suspicious QR code or clicked a fake login: reset any password, you entered and revoke OAuth sessions for the affected app. Watch for new MFA prompts you didn’t initiate.
The Takeaway
Cyber hygiene isn’t a fancy toolkit; it’s a set of small, repeatable habits your whole circle can manage. Enable MFA that resists phishing. Use passkeys when available. Update relentlessly. Segment the home network. Slow down on links, attachments, QR codes, and MFA prompts. These are the same moves that security teams recommend, because they meaningfully cut risk at work and at home (IT Services).
Do this now, and when Clean Out Your Computer Day rolls around next February, you’ll be cruising through a short, satisfying tune-up instead of tackling a backlog.
Finally, the next time a child asks for your phone at dinner or a relative forwards a “too-good-to-be-true” link, remember: YOU may be the gateway (for better or worse).
During this webinar experts Jane van Tienen (OSINT Combine) and Erin Brown (DarkOwl) explore the evolving role of artificial intelligence in investigations and how it is transforming investigative workflows, the ethical challenges it presents, and how threat actors are exploiting AI for phishing, deepfakes, fraud, and propaganda. Learn why keeping the human in the loop is essential and how to build resilient, AI-aware intelligence practices.
NOTE: Some content has been edited for length and clarity.
Kathy: And now I’d like to turn it over to Jane, Chief Intelligence Officer with OSINT Combine, and Erin Brown, the Director of Intelligence and Collections with DarkOwl, to introduce themselves and start our discussion.
Erin: Thanks, Kathy. So yeah, we’re going to jump right in because as Kathy mentioned, we’ve got a lot of content to go over, but we’re just going to start with a brief introduction to who DarkOwl are, and OSINT Combine.
I’m just going to give the brief background on DarkOwl. As Kathy mentioned, my name’s Erin, I’m the Director of Collections and Intelligence at DarkOwl, so responsible for the data that we collect and also the investigations that we conduct. DarkOwl has been around since early, well, Vision since 2014, I think we’ve been around since 2012, and we primarily collect data from the dark web, from forums, from marketplaces, from Telegram, from Discord, and other sources where we’re seeing kind of what threat actors are talking about, what they’re selling, and some of the trends out there and making that data available to our customers. And if anyone has any further questions on DarkOwl, I’m sure Kathy can share some more information, but with that, I’m going to hand over to Jane.
Jane: Thanks very much, Erin, and thanks, Kathy, as well. I’m really pleased to join you here on the webinar today, so thank you for inviting me to come along. So, good afternoon, everyone. My name’s Jane van Tienen, and I’m the Chief Intelligence Officer for a company called OSINT Combine. I’ve spent a career in intelligence, predominantly national security and international intelligence diplomacy, before more recently moving into open-source intelligence.
I’m assuming that most people on the call would probably know what open-source intelligence or OSINT is, but just to ground truth it, it’s intelligence derived from publicly available or commercially available information, rather than classified sources.
Today, Erin and I are going to be talking all about artificial intelligence, of course, but not just because of the way it enhances our capabilities of investigators and intelligence professionals, but also because of the capabilities of the bad guys that we investigate. But before we delve into that interesting topic, just a little bit more to touch on this slide here about OSINT Combine. We are a proud partner of DarkOwl. OSINT Combine is a global company, we’re US-owned, but Aussie-founded so, Australian-founded and veteran-operated. And we’re all about helping build enduring OSINT capability, which we do through our AI-enabled OSINT collection platform that’s called Nexus Explorer, our foundational and advanced open-source intelligence training, as well as thought leadership.
And so, our focus on building enduring OSINT capability means that our company is more than just about giving people great tooling, although, of course, great tooling is important, but we feel really passionately about making sure that people are able to use the tools, understand the tradecraft to operate effectively, safely, and ethically in their work. We work with clients similar to DarkOwl, actually, ranging from national security agencies through to global banks. And that means that we’re seeing OSINT practices, as well as increasing AI adoption up close in different kinds of workplaces.
And we’re sort of getting insights, therefore, into what’s working, what’s kind of breaking or tricky, and where practitioners and leaders are struggling in relation to these issues.
Before we get into the actual thick of the webinar today, I wondered if there might be an opportunity for us to do just a quick poll in the chat there, just to give us a sense about how many of you are already using AI in some form as a part of your workflow. I was going to see if I can have a peep in the chat while we do that. If there’s anyone there already using AI as a part of the workflow. And let’s go on to the next slide while people might consider that there, Erin. Thank you.
So, my point in asking that is really to observe that for many of us, AI isn’t really a future concept anymore, is it? It’s already embedded into a lot of our investigation’s workflows, whether we’re working law enforcement or intelligence investigations or even corporate due diligence. And really, it’s the necessity that’s driving that adoption. Every day, practitioners are using AI really to expand the human capacity for things, for all sorts of things, actually, like language translation, rapid entity resolution, network mapping, pattern recognition, even brainstorming alternative scenarios, which I really enjoy using AI for these days, as well as summarizing vast volumes of content and doing all of that within minutes.
In that context, particularly at, say, a government level here in the US, but also across allied governments, so think Five Eyes, as well as NATO member states, we’ve already seen some pretty strident language and strategic choices about how AI should be embedded into intelligence workflows. And that’s probably most prominent when we’re thinking about open-source intelligence workflows. A great example is here in the US in defense strategy, where we’ve heard, OSINT being referred to as the INT of first resort.
And of course, we know that when it comes to private industry, OSINT really is the INT of only resort. And so, I think that’s important to observe, because oftentimes, you know, the increased utilization of OSINT also means hand in glove, the increased utilization and exploration of AI and AI augmented workflows. So, the point being that regardless of sector regional budget, really, our debate now has moved far beyond should we use AI to more about how do we use it wisely?
So, for investigations and intelligence work, we’ve always needed to ask critical questions, haven’t we? And those critical questions and those fundamental skills of tradecraft really haven’t gone away. But in an AI augmented workflow, regardless of purpose, the scope of those questions has absolutely expanded. And so, in understanding how to use AI to greatest effect, analysts and investigators must now not just interrogate the content or the information that they derive, but also the machines that help produce it.
And so, these areas on the slide, Brainstorming Partner, Research Support, Analytical Partner, Writing and Communication support, these are areas where OSINT combined through our work, we’re most commonly seeing AI being utilized as a part of OSINT workflows in various workplaces today. And indeed, the role of AI will continue to expand as technology evolves, no doubt.
I think the key issue is, though, that when deciding when to use AI in your work, the consideration really is about, you know, the accountability in decision making, and who owns the accountability in the decision making, because that is you, because it is always a human issue. It’s not to be, you know, for the machine. So, it doesn’t really matter at the end of the day how advanced our tools become. We cannot, in fact, must not remove the human from the investigative workflow. And so that’s what we mean when we say the phrase, keep the human in the loop, which we’ll be speaking to a little bit further in the presentation.
We have to remember that, as good as AI might be in any given moment, there are always going to be things that it cannot or should not do. And sometimes those boundaries are determined by governance frameworks that might exist in your organization or even your community of interest. We know that investigations and intelligence work, it lives and dies by its credibility. And so, no matter how the advanced tools we use, how great they are, our assessments are only really going to be value if they’re trusted by those who rely on them. And so, the challenge is really one where rather AI can overwhelm with lots of different plausible outputs that can actually bypass some of the analytical tradecraft or critical thinking that we might apply otherwise. And so, when we receive an AI output response, the trouble is that it can look right, but it doesn’t always mean that it is. And so, within OSINT combined, we’ve been investing a lot of thought, time and effort into how to most soundly incorporate AI into OSINT workflows, understanding what it can and cannot do, and know when to trust AI and when to challenge it. And it’s important that you do so as a part of your own investigative and intelligence products and to maintain your operational security online. And I’ve got an example of one of those resources that is freely available to download there on the slide, more to come on that.
If we look at the pros and cons of AI as it stands at the moment, I think these are fairly accepted in our industry and our collective work. And so there should be no surprises there, and I’m not going to go through every one of them. Some of these we will absolutely be showcasing in various means throughout the webinar.
But to pull the thread on one of these things in the Cons column there, which is a bit of a passion project of mine, if you like, and it pertains to role clarity, which is something that we don’t talk about as often as I think we should in this regard. And so, what I mean by that is that analysts, team leaders, decision makers, even boards, you know, each role in the decision-making chain or in the chain of command, if you like, really interacts with AI differently. Using AI to best effect isn’t really about only a practitioner level AI literacy or fluency, but it’s about the capacity of others as well as the organization and organizational system to understand it.
I think one of the most dangerous assumptions that we see in investigative work is this issue of mirror imaging, which is both believing that adversaries think and act like we do, as well as the fact that they don’t have the access to the same technology as we do. Unfortunately, not only do they have access to technology, the same as we do, but they also have a willingness to operate outside our own ethical and moral compass.
This is something not to be underestimated when we need to consider AI. The same generative models that we use to draft reports to identify patterns or detect anomalies are going to be used by criminal and extremist actors to fabricate personas or automate deception and manipulate narratives at scale. I think the real trouble is that AI makes generating some of these artifacts pretty trivial in some cases. And so, our tradecraft is really evolving beyond how do I find that needle in the haystack or how do I find the truth to now also include how do I recognize what’s been machine shaped to look like the truth. And that’s a really hard nut to crack.
Erin, I wonder if we might hear from you now about some of the examples that you and your team are seeing sort of in the wilds out there, just to illustrate some of these points.
Erin: Yeah, thanks very much, Jane. As Jane has mentioned, we hopefully are all using AI as part of our workflows and investigations. But you know, the criminals, the terrorists, extremists are definitely using AI as well.
I’m going to run through kind of a couple of examples that we’re seeing of those using that technology.
But I think one of the key things that I want to start with is so far, at least I think in what we’re seeing of threat actors using AI, is they’re using it in the same way that we all are too, in that they’re using it to increase productivity, improve the output of what they’re working on. But it still requires that human intervention, right? And they still need to do things as a threat actor and have some experience.
You know, even if we’re talking about them using, vibe coding to create malware, they need to have a basic understanding of coding and how they do that to be able to do that effectively. So at least thus far, we’re just seeing them using it to enhance the types of attacks and operations that they were already doing. With I guess the one caveat to that being, deep fakes and the way that they’re developing and how good generative AI is at producing images and speech now is definitely becoming more and more of a problem.
But let’s dive into some examples of how exactly they are using AI. And I stole this from a Trend Micro report, but I think it nicely maps out kind of the different attack vectors and vulnerabilities that criminals are going after in terms of deep fakes but also using their own LLMs. And we’ll talk about that in a little bit more detail.
And we’ll go through some of these examples in more detail too. But, you know, things like business email compromise and creating more sophisticated and believable phishing emails is something that we’ve seen go on the rise, but also, you know, business compromise in terms of spoofing CEOs or executives through their voice, through their images, through Zoom calls, things like that is definitely on the rise. We’re also seeing, you know, more targeting of foreign victims. I think, gone are the days of the Nigerian prince with language that you don’t really understand, and you can tell quite quickly that it’s fraudulent just because of the fact that a native English speaker hasn’t written it. That’s not really happening anymore because they’re using AI to translate their messages and to create those images for them. We’re also seeing an increase in things like romance scams, sextortion, CSAM, unfortunately, and virtual kidnappings and things like this. So, using AI and what we would maybe traditionally think as the cyber realm for more real-world effects. And some of those are having really awful consequences on a lot of people. And so, something that we all need to be kind of aware of and how to deal with.
I mentioned there are criminal versions of LLMs. These are based usually on the, you know, open source or other LLMs that we’re using out there, things like ChatGPT that have been made freely available. But they’re basically getting rid of the guardrails that these companies have put in place around this AI to try and combat the technology being used for nefarious purposes.
WormGPT is one of the models that came out fairly early. I think it’s been around for a year or two now. And this is taken from a darknet web page where they’re advertising it. And one of the interesting things and one of the reasons I wanted to raise this is you’ll see that they’re advertising it very much in the same way that, you know, OpenAI or PerplexC or those other, you know, ethical companies, I hope, are kind of putting this out there. So, they’re telling you it’s a game-changer, you know, what it does, how it can help you.
It has pricing plans. You can get different plans depending on your expertise and kind of what information you want to use it for. And then you can see that they’ve got it on the command line as well. So, they’re able to see it. They call it the biggest enemy of well-known ChatGPT. And it allows you to kind of do all of those malicious things without the guardrails that you will get in those more legitimate services. So WormGPT is one.
Another one is FraudGPT. And this kind of does what it says on the tin. It’s really helping threat actors to conduct fraud. And it’s, you can see at the bottom, it’s not just the LLM. They’ve also got testing, cracking, access tools. So, they’re trying to build a whole ecosystem around offering this, to be honest, as a criminal enterprise.
And again, you can see that they’re advertising it on their site. This is another dark website where they’re talking about the different ways that you can use it. So, you can create phishing pages. You can create hacking tools. You can write scam pages. You can find leaks. And some of these things in here are things that we as investigators might want to do, you know, finding leaks or finding, you know, vulnerabilities from a red team perspective. And AI can help you do that. But I think the thing to think of, and to Jane’s point about, you know, is that threat actors have access to this technology too. And they are using versions of these tools in some cases that make it easier to find some of those things than maybe we have as investigators.
And again, this is just the FraudGPT pricing. So, you can see they have a breakdown of a lot of different tools and accesses that you can get.
They really are selling this as a service, as a way to give other threat actors that maybe aren’t up to tax.
And this was also taken from the FraudGPT site. You can see this is a kind of a chatbot telling them kind of how to put the prompts in to be able to get some of this information back. So, the top one is, “write me a short but professional SMS spam text I can send to victims who bank with Bank of America, convincing them to click on my malicious short link”. This really feeds into that kind of phishing kind of attacks, where this is one area where we’re seeing AI really kind of increase the sophistication, for want of a better word, of those types of attacks, just in terms of it’s making it a lot harder for victims to identify when they’re receiving these malicious emails, or SMS messages, based on the way that they are written. And you can see it’s fairly simple for them to kind of put in these prompts and get that kind of information back that’s going to assist them with that.
And these are just some shots of kind of threat actors actually talking about this technology on various forums that we collect on the dark web. So, you can see there’s threads talking, you know, about FraudGPT and what it can do for you and how it can help you. We can see things on Russian hacking forums as well, and that’s been used. So, they’re talking about useful AI, which ones are the best. So, we’re seeing them talking about different methodologies and how they can use this as part of their workflows as criminals. And then you can see them talking as well about kind of the different services that are out there. So, the bottom one’s very hard to see, but they’re talking about Grok. It’s not just ChatGPT, they’re talking about a lot of the other kind of AI services that are out there as well. This is just to show that, you know, the same way we’re, you know, having this webinar and talking about uses of AI and how AI can help us in our workflows and our investigations, the threat actors are talking about that too. And we are seeing that kind of pop up on forums.
We have also seen AI being used as part of attacks. I’m not going to delve into this hugely because it’s not really kind of on the dark web side of things, but this is just kind of an article highlighting how Grok AI was used to bypass app protections and spread malware to millions. We are seeing more and more of this. We are seeing, you know, ransomware strains being developed using AI or having kind of some AI implementation as part of them. And I think this is something that we expect to rise as, you know, the technology becomes more widely used and I assume continues to increase in sophistication. We are going to see a lot more of these types of attacks and it is going to become an attack vector in cyber as we kind of move on with that. I just kind of wanted to mention that as a side.
I’m going to dive in now into some specific examples of how this is being used. Starting off with criminals, I’ve kind of already touched on this, but we’re seeing it very much in phishing, social engineering attacks, romance scams, and also for defeating KYC to get into kind of financial fraud.
We’ll go through those in a little bit more detail. This is an example of an advertisement on Telegram. This is a service where they are offering an AI face builder. It will create a unique face and then you can use that for whatever you need. So, this is being used, we’ve seen this being used for defeating KYC.
You can see you’re swapping faces on photos and videos so that you can look like you’ve got your ID card. For those organizations where they ask you to take a picture of yourself with your ID, this is kind of helping them to kind of combat those checks and balances that are put in place. But we’re also seeing these kind of face builders and generators being used in sextortion as well, and I’ll kind of touch on that in a bit. But you can see kind of how this is part of the business that they’re offering. You can get a tutorial; they give you kind of free services to start off with to test it. You can do bulk processing and purchasing credits. So, it is kind of interesting how they’re using this going forward.
This is another discussion on a dark web forum talking about fraud GPT, but I highlighted it here because it’s saying this is what it’s going to help you do. It’s going to help you write phishing emails, develop malware, forge credit cards. These are the types of activities and crimes that are being posted as AI will be able to help you to conduct these types of crimes.
This is also another news article that I came across in terms of them using deep fakes to spoof a celebrity. The individual that was spoofed is an actor in a US soap opera.
His videos were generated and being sent to a woman based in California, and he was able to scam several thousand dollars out of that individual by asking for money and kind of creating a relationship with this victim by pretending to be this famous soap actor.
This one I don’t think did have a romance angle, but this is very much how romance scams can be operating with the use of AI as well in terms of them generating fake videos of fake individuals or pretending to be a celebrity, impersonating their voice, but obviously getting them to say things that they would never say and targeting individuals to get them to send them money, usually via cryptocurrency. And there has been a huge increase in this, and a lot of celebrities are being targeted in terms of their likenesses being used via social media to target victim to get that financial fraud out of it. And I don’t actually have the video to play here. This is a screenshot. But if you see any of these videos and to Jane’s point about like how do you identify this information, they’re very realistic. It’s very difficult for people to identify that this might not be real, especially I think for some of those victims that might be more vulnerable and not as savvy to be open to this technology, but also these kinds of attacks.
These are some more advertisements from Telegram, but this is more related to social engineering services that they’re providing. So Purple on the right, you can see that they’re doing call protection, but they’re generating ultra realistic voices via AI. They’re offering different tones, male, female, neutral. And they’re using these voices to spam people basically to have these calls to try and get people to hand over their money. They’re providing this as a service to people so they can use these different voices to scam unsuspecting individuals. So, you know, it isn’t, I think when we think of phishing, we tend to think of emails or maybe SMS messages, but I think more and more phone or video messages are going to become more of an issue with the advent of AI.
On the left-hand side as well, this is kind of more of the business email compromise where they’re kind of talking about all the different ways that they can make sure that an email campaign would be successful, including AI powered optimization. And I think to go back to, you know, it’s the same way, you know, that we’re using this in our everyday life, the criminals are using it. I mean, you could have an SEO marketing company that’s kind of saying the same thing to businesses that want to kind of advertise their services. But from the threat actor side, if you put the different slant on it, they are using AI and customizing email addresses to make sure that you can spam people more successfully and conduct those financial crimes. It’s interesting how it’s being used in a similar way, but, you know, with a lot more malicious intent than the rest of us would be using it.
Moving onto sex related crimes, I think this is a really important one and one that people don’t always necessarily think of or sometimes think that there isn’t a victim if it’s AI generated, but that’s definitely not the case. I think the main areas where we are seeing AI being used is child sexual abuse material, CSAM, and generation images relating to that, Human Trafficking and Sextortion and Romance Scams.
To highlight the AI generated child sexual abuse material, you know, Europol have made arrests quite recently related to this and put out information about it.
But a lot of people are using AI to generate fairly real looking videos depicting CSAM. And there are still victims in this because the individuals that are watching this material may go on to also target children in the real world, but also, they need to train these models and create these images based on something. And so, there are children that are still being victimized by this kind of activity, and it is making it more prevalent.
It’s something that I think is really important that we are able to stop. And it is becoming, you know, more and more sophisticated. And I think this quote from the IWF, Internet Watch Foundation, is probably a little bit out of time now, but saying that, it has progressed at such an accelerated rate that they’re very realistic examples of videos depicting this. And I think we are seeing those very realistic videos and images being distributed across the dark web and other sources at this time. It’s definitely something that obviously we need to stop.
Human trafficking, I think people might not necessarily equate AI with human trafficking and see exactly how it’s working. This map actually just shows human trafficking victims across the world. It isn’t specific to AI, but I think I wanted to highlight kind of how much of an issue human trafficking still is. This is from Interpol.
But also, in terms of how we’re seeing AI, it’s being used to generate fake job advertisements. So, kind of as part of that initial phase of the human trafficking of enticing victims in and generating material that’s going to make them think there’s a believable job or there’s kind of a believable activity that they want to be involved in and kind of suckering them into that whole industry. It’s also being used to bribe people in terms of generating false sexually explicit images for victims of human trafficking and using that to really kind of enforce the activity that’s going on.
And that brings us in the same vein to sextortion. In a lot of cases, AI is being used to generate images of individuals and then extort money from them. So basically, creating nudes or sexually explicit images of individuals, it’s not them, it’s AI generated, their face has been put on it, but threatening to share those images and say that they are real with their friends, with their family, with their colleagues. It’s really prevalent against young people using social media vectors, so things like Snapchat, Instagram, things where images are shared quite a lot but it is targeting people of all ages and it is targeting both females and males and it’s really you know an awful kind of practice there have been noted suicides of people that have been targeted by these types of sex distortion attacks. So again, it’s going back to how can people identify that these images aren’t real you know the victims feel that they look so real even though that they know that they’re not because they haven’t shared that material with them, that they’re so worried about this, that they are paying these people. And there are, unfortunately, fairly well-organized criminal groups that are kind of doing this on a rotation basis, trying to kind of build up these relationships with these individuals generating these images and getting this money from them. It is becoming a real huge issue, as I said, particularly among the younger generation.
We’re also seeing AI being used by terrorist organization and extremist groups. It’s primarily being used, I would say, for Propaganda, but also Disinformation as part of those propaganda campaigns and campaigns and putting a lot of that information out there. We’re also seeing them using it for Translation a lot to make sure that they can reach individuals in multiple countries to bring them into their extremist beliefs and also generating images, again, with propaganda and disinformation in mind. But some examples of that, this is taken from an ISIS chat group. You can kind of blurred out in the back of the ISIS flag, but it’s an AI-generated image on an article about building bombs. So, part of their propaganda, part of their education of individuals, they’re using AI to make this look kind of more believable and kind of draw in individuals. So that’s kind of one aspect we’ve seen.
This is another one that kind of looks you know, if you don’t know what to look for, but it’s Iranian terrorists claiming that they crashed a plane into Disney World in Anaheim. You can see the Disney castle in the background and the crash plane. I would argue the plane isn’t that realistic because planes don’t tend to crash backwards. But it’s highlighting that propaganda. It’s well kind of incentivizing people to go after these kind of targets. They’re putting ideas and people’s minds using AI of ways in which you could, you know, go about conducting attacks. And that’s something we need to be very mindful of.
This is a video that was put out with Hamas. So, Hamas talking, again, this was not a real video, but it looked like a news conference of Hamas leadership talking about the Israeli army and how they wear diapers because they’re stationed for so long and that led to generated images of you know Israeli forces wearing diapers which in some cases look quite authentic.
I mean I think most people would see this as a joke but obviously there you know there can be more concerning ways in which people about providing these kind of generated images. But to the point where they even had a TikTok video that was going around that went viral where an Israeli commander was talking about the nappy. So again, they were impersonating him and getting him to speak as if it was him to kind of try and back up the story that was put out there. And this is obviously all put out there to undermine Israeli from Hamas terrorist group. So, you know, it’s that disinformation. This one, obviously, I think most people would not believe, but they are putting things out there that are much more believable and it’s making it very difficult for people to understand what is real, especially in these times of kind of conflict.
And with that, I’m going to stop talking and hand it back to Jane.
Jane: Thanks, Erin. What you’ve demonstrated there in that kind of collection of examples is just the fact that, you know, AI, unfortunately, can increase the sophistication of a lot of bad actors really quickly. And so that can make our jobs, of course, really challenging.
So, we won’t necessarily do the poll now in the interests of time, but I’ll still talk through it because I think it’s interesting in the fact that, you know, when you reflect on these kinds of questions yourself, thinking about your own environment, whether, you know, your biggest challenges relate to some of the synthetic media that Erin sort of spoke about or perhaps it’s the scale of all of the things that you’re challenged with and in some cases even organizational readiness and maturity can pop up to being a big challenge for some practitioners and workplaces. But I think what is really interesting just to kind of emphasize your point there, Erin, is that this question really is one where the risks are kind of symmetrical in the sense that the same capability that helps us as practitioners, investigators, analysts, whatever in terms of automation and language generation, pattern recognition, it’s exactly what the threat actors are going to be using against us. And so, there’s an absolute need that we ensure that we have high levels of literacy when we’re kind of engaging in our work today. Because, AI itself, it’s not inherently malicious or benevolent, really. It’s what determines that is the outcome of its use and how well we govern it and verify and all of those kinds of things.
I think a lot of these are making things extremely difficult for practitioners and we can see a world where sometimes we might not we might simply not be able to verify whether something is true or not and that’s sort of the future that we’re looking at but at the moment we’re not quite there and so there are certainly some techniques that we kind of encourage you to consider Let’s have a look at the next slide, Erin.
I think one of the key things when at least OSINT combined when we’re talking about this challenge is that, you know, we really are talking about the analyst requiring stronger discernment, which references the fact that we acknowledge that AI gives velocity and capability in a way that perhaps, threat productors didn’t before have. But also, analysts must maintain this skill for validation and be the purveyors of veracity in as much as possible.
We think the most effective lens to kind of look at this is a multi-kind of modality kind of approach, if you like, that blends both traditional verification and analytical tradecraft with AI aware cues. And so, we acknowledge that this can be a difficult task, of course. Certainly, in some of those disinformation examples, Erin, that you provided, where analysts are going to be requiring to perform validation and verification, as well as potentially some really detailed content and metadata analysis. So, you’re adding on to your traditional analytical tradecraft tool sets around critical thinking and some of your analytical practices, you’re adding onto that some quite technical skills when it comes to sort of unpicking content and metadata analysis. But we think that it’s doable at this stage if you break it down. And so, we favor kind of practical steps and some guides for that process such as inauthentic content analysis maps which we’ve written blogs about that you can check it out on our website. And so, I’ve put some key examples there around anatomical artifacts and reverse retrieval and those kinds of things which of course are always going to be helpful. Providence Chain also super interesting for us when we’re kind of considering whether how something has proliferated online and where it was created and so forth.
But for me, I can’t get my head out of this space of the meta questions, and I think that’s got to do with largely my traditional intelligence training. And so, the questions that I always come back to in addition to some of these AI-aware cues are things like, “What would I expect to see if this were true?” And so that has me going to actually, look at some of the context, which is still super important to us. And the other question I like to ask when I’m considering the adversary is, “Well, what would my adversary need AI to achieve here – Would it be scale, speed or story?” And that really speaks to intent capability and, you know, the motivation factor, of course, which we always need they always need to maintain an eye on. But having the AI helping us out, as well as applying some of that human validation and verification activity is a real emphasis, I think, to ensure that the human remains in the loop. Really, we want our analysts to think critically, act ethically, and adapt intelligently alongside the machine that they’re working with.
There’s some available resources, all available to you, to download from the OSINT Combined website, and there are certainly more available. Let’s look at some key takeaways.
I think what we’ve been able to demonstrate today as a base of sort of numerous examples across different kinds of crime types and actor groups that absolutely adversaries have access to AI and they’re not afraid to use it. And they’re certainly, experimenting with it just as we are at the moment too. Human in the loop remains essential. We’ve discussed that. And there’s an importance there for layered verification. So not just trust in one modality over the other, but kind of really thinking quite deeply about, well, what are the different kinds of ways that I can speak to reliability, relevance, credibility, and consistency when I’m looking to verify information. And as a bonus tip, always thinking about, hey, some of these deep fakes, particularly the voice synthetic media that you identified, Erin, are becoming pretty sophisticated. And so, there is an element here to prepare for the inevitable in terms of preparing your organization to harden against impersonation and to prepare a playbook if you like about what happens if. And so, I think we can’t really avoid that.
I can see we’re at time. Kathy, I wonder if we pass to you and more than happy to take questions offline and respond to people if there are any, but over to you for final words.
Kathy: Sure, we do have a couple of questions that have come in. If you two want to go ahead and address them now, we can address the two that have come in and if any others come in, we can address those offline later if that would work.
Jane: Yes, I think that’s fine for us. I can see Erin nodding. So please, please fire away. And of course, if people need to drop off, they can, and they’ll received the recording.
Kathy: Sure. So, the first question is, how do you brief leadership when you suspect synthetic media but can’t prove it?
Jane: Yeah, we get asked that one quite a bit, Kathy and Erin, you might have thoughts on this too, but I think I still go back to this factor about you need to sort of explain confidence, not just certainty, to the leadership group and so that means about being really transparent about what you do know and what you suspect and what’s unverified and being open to being contested about that too. So, you know you have to sort of be professionally honest here. So, we want people to sort of show you know their reasoning how they came to a particular conclusion, could be you know to identify the anomalies and maybe even network behavior or some kind of thing that was flagged during the analysis. But I think it’s also really useful for leadership to sort of say, hey, if this is genuine, then here’s the impact, because that’s essentially what the leaders need to know is the impact so that they can act accordingly. And then vice versa, well, if it’s fabricated, here’s what, you know, we know that the adversary is trying to achieve against us. And so, both of those things are actually really important, I think, for all leaders to know about.
Erin: Yeah, I just add to that. I think I agree with what you’re saying, Jane, but I think just transparency, I think, you know, outside of AI, when we’re talking about intelligence and the things that we find, just because something is low confidence, or, you know, we haven’t been able to verify it with a lot of other sources, doesn’t mean it’s not something that should be shared and should be part of the intelligence package. So, I think it’s just making sure that we’re using those traditional kind of ways of how we do assessment and not doing anything different just because it’s AI.
Kathy: Great, thank you both. And kind of piggybacking on that a little bit. What’s your protocol for documenting AI’s role in your findings?
Jane: Yeah, I mean, I think it’s really important, Erin, and you were just sort of touching on it then, weren’t you? Like, just because we have AI now in the mix doesn’t mean that we’re going to be throwing the baby out with the bathwater when it comes to analytical and assessment tradecraft. All of that still applies, but we need to be professionally honest and transparent about when and how AI is being utilized throughout the process. And so actually, you know, in the US, there’s some strong guidance around this point for the US intelligence community, but OSINT Combine has actually, produced a best practice guide for citing AI to just for anyone. So, don’t have to be intelligence community, could be private sector, but really it’s about accountability through transparency is essentially it. And so, you want to be pretty transparent about how AI was utilized as a part of your assessment, what tasks it supported, where the output was validated, and where the human analyst made the final judgement. So typically, I see almost like a short provenance note or some kind of disclaimer in the methods section of analytical reporting now, that’s not uncommon. But we really need to be transparent to your point, Erin, earlier.
Kathy: Great. Thank you. That is all the questions that have come in to us right now, but we do have up on the screen contact information for both Jane and Erin, if anybody has further questions, or they’d like to reach out to us.
And I’d like to thank Jane and Aaron for an insightful discussion today. As a reminder to all of the attendees, we will be following up via email with a link to the recording and other resources. And we thank you all for joining us for this webinar and we hope to see you all again at another webinar in the future. Thank you.
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.
