Gaming and the Darknet

July 08, 2024

In celebration of National Video Game Day on July 8th, this blog examines the intersection between gaming and darknet communities, notably instances of criminal activity targeting gamers or carried out by gamers themselves. This blog will highlight the prevalence of hacking in gaming communities—stolen accounts, pirated games, leaked data, etc.—as well as the infiltration of violent extremist ideologies into certain gaming communities. Our previous blog looking at the intersection of streaming, gaming, and the darknet can be found here.

Open-source research reveals an extensive game-hacking community on the deep and dark web. The community consists of individuals on forums, channels, servers, and marketplaces who target gamers and gaming software to gain unauthorized access to systems and accounts. The targets of these efforts are most often user accounts on a variety of online games, notably League of Legends, Minecraft, Fortnite, and Roblox. Hackers may “crack” accounts by replaying usernames and passwords leaked in earlier data breaches (credential stuffing, which succeeds wherever a player has reused a password) or by social-engineering young or naïve players through in-game chat features. These “cracked” accounts are subsequently sold on the darknet, where their prices are determined by factors such as account level, collection of rare characters, amount of in-game currency, or inventory of in-game items (such as collectable character “skins”).

Figure 1: Genshin Impact account for sale; Source: DarkOwl Vision

Recent data points to an increase in compromised accounts over the past few years across several games. Figures released in 2024 revealed that Roblox, one of the most targeted online games, saw a 231% increase in hacked accounts in 2023 compared to 2021. In addition to the games themselves, gaming platforms such as Steam have also been increasingly targeted; these accounts are often even more appealing to hackers as they may be linked to credit cards and can thus allow for real-money theft as well as in-game currency theft.

In addition to hacking users’ gaming accounts and selling them on the dark web, hackers also target the games themselves. “Cracked” or pirated games are frequently distributed by hackers on the darknet, either for free or at a reduced cost. Not all games, however, are hacked with the intention of distributing pirated software; malicious actors also break into game developers’ servers in order to leak data. In June 2023, for instance, hackers carried out a cyberattack against GSC Game World, the Ukrainian video game developer behind S.T.A.L.K.E.R. 2: Heart of Chornobyl, and leaked builds from the game online. GSC Game World had also been targeted by Russian hacktivists earlier that year, who threatened to release game data if the developer did not meet their demands. It’s worth noting that the malicious actors who engage in these leaks are not always hacktivists. Most recently, in June 2024, Disney’s Confluence server was breached by individuals believed to be fans of the massively multiplayer online game (MMO) Club Penguin. The hackers stole 415 MB of Club Penguin data from the server, and the data was subsequently shared on 4chan.

Figure 2: Cracked Gaming Websites; Source: DarkOwl Vision

Unfortunately, game leaks are not always limited to game data. While the Club Penguin fans targeted data related to the game, they also stole and leaked internal, business-related Disney data. There have been other instances in which hackers have stolen and leaked not only the targeted company’s business data but also its employees’ personal information. In 2023, the ransomware group “Rhysida” leaked 1.67 TB of data stolen from Insomniac Games, which, in addition to footage and images from the upcoming Wolverine game, included employees’ personal information. Specifically, the leak included passport scans and HR files, resulting in the doxing of more than 400 Insomniac Games employees.

In addition to continued hacking efforts, online gaming communities have been increasingly targeted and infiltrated by violent groups and individuals seeking to harass, extort, radicalize, promote hate, and inspire acts of violence. These violent extremist groups have successfully co-opted gaming aesthetics and features—such as leaderboards and livestreams—in an effort to gain supporters. For instance, the white supremacist “Terrorgram” network on Telegram consistently posts “Saints Calendars” and “Saints Cards” meant to commemorate individuals—dubbed “saints”—who have carried out far-right attacks. The militant accelerationist group engages in the gamification of violence by releasing saint cards in the style of trading cards and including details such as “kill counts.” The more victims a terrorist claims in an attack, the more “points” they receive and the more likely they are to receive the “saint” title.

Moreover, as highlighted in a 2023 Global Network on Extremism & Technology (GNET) report, this gamification is further achieved by the repeated live streaming of mass shootings, which allows viewers to experience the attack from a first-person shooter (FPS) perspective often utilized in games. This visual choice—as seen with the 2019 Christchurch attacks—can facilitate viewers’ identification with the perpetrator while simultaneously emotionally distancing them from the victims. The sheer reach of livestreamed attacks (the 2022 Buffalo shooting was viewed “more than 600,000 times in less than 24 hours”), combined with their ability to generate a connection between perpetrator and viewer, threatens to radicalize more individuals and inspire similar attacks.

Apart from the adoption of gaming aesthetics and features, the gamification of violent extremism is made even more apparent by the creation of new or “modified” violent games by extremist groups and individuals. Open-source research on the deep and dark web reveals a slew of video games created since the early 2000s that allow players to target at-risk communities. Targeted groups most often include the Jewish and LGBTQ+ communities, with the 2002 antisemitic video game Ethnic Cleansing being one of the most notorious. Many of these games also recreate previous attacks, including the Christchurch shootings and the Pittsburgh synagogue shooting, inside existing games like Roblox; such modifications of existing games are referred to as “mods.” Beyond white supremacist groups and individuals, Foreign Terrorist Organizations (FTOs) including ISIS and Hezbollah have also created extremist video games meant to radicalize and inspire. While it is believed that the vast majority of these games reach a self-selected audience with an existing interest in violent extremism, they may nonetheless play a key part in further radicalizing individuals and bringing them closer to carrying out attacks in the real world.

Figure 3: Antisemitic Video Game; Source: DarkOwl Vision

In addition to the creation of extremist video games, the platforms gamers use to communicate have also been infiltrated by individuals seeking to identify targets for radicalization and exploitation. This targeting is particularly prevalent on the darknet-adjacent platform Discord, where there have been numerous instances of children being groomed for violence and/or sexual exploitation. Among these violent groups is the notorious web of Discord servers originating from, or affiliated with, the group “764,” which has become increasingly active since late 2023. The 764 network overlaps with violent extremist and militant accelerationist movements, notably the Satanist, neo-Nazi group Order of Nine Angles (O9A). In September 2023, the Federal Bureau of Investigation released a Public Service Announcement warning of the 764 network’s ability to use “extortion and blackmail tactics, such as threatening to SWAT or DOX the minor victims […] [to] manipulate and extort minors.” Victims are often pressured to engage in self-harm and animal cruelty, share sexually explicit images or videos, and commit suicide. Members of affiliated Discord servers and Telegram channels have also been observed engaging in mass swatting and doxing efforts, most often targeting one another.

Open-source research reveals overlap between gaming communities and criminal activity on the deep and dark web. Instances of hacked gaming systems and accounts remain prevalent, with recent figures highlighting an increase in hacked gaming accounts over the past few years. Gaming platforms have proven to be desirable targets for hackers seeking to sell cracked accounts and engage in real-money theft. Hackers also continue to successfully carry out cyberattacks against video game developers, often releasing company data and employees’ personally identifying information (PII) in ensuing leaks. As such, it is recommended that organizations be on alert for any possible leaks affecting their data.

Research also points to a persistent infiltration of violent extremist ideologies into gaming platforms. Many gaming communities have become hotbeds for violent extremist groups and individuals, who utilize chat-enabled online spaces to promote violent narratives and radicalize users. Young gamers are particularly vulnerable to radicalization and recruitment efforts, as evidenced by numerous instances of teenagers being groomed for violence and sexual exploitation across multiple platforms. Continued reports of harmful and criminal activities carried out by individuals in the gaming space signal a need to address the rampant exploitation of gaming by criminals. It is critical to emphasize that these activities do not represent the entire gaming space: for many, gaming is a key source not only of enjoyment but of community. In an interconnected world, online games have the ability to bring together individuals from around the world and foster a sense of belonging. So, rather than vilifying gaming communities, it is vital that steps are taken to address the infiltration of criminal activities, hate, and violence in order to combat the victimization of gamers.


Don’t miss any research from DarkOwl analysts. Subscribe to email.

Security Threats Emerging from AI

July 02, 2024

At the beginning of 2024, the National Institute of Standards and Technology (NIST) issued a warning about cybercriminals and other nefarious actors using Artificial Intelligence (AI) and Adversarial Machine Learning techniques to enhance their malicious operations. There are, of course, state-sponsored threat actors and actor groups who are also focusing on the malicious use of AI in their operations. These include Russia’s Fancy Bear a.k.a. Forest Blizzard, North Korea’s Kimsuky a.k.a. Emerald Sleet, and Iran’s Crimson Sandstorm.

DarkOwl, whose analysts monitor the underground digital realm, has witnessed threat actors of both kinds (state-sponsored, and independent actors with no government affiliation) actively trading tips on various dark web platforms about the best AI tools to use, as well as effective tactics, techniques, and procedures (TTPs). Throughout the first part of 2024, AI-related security threats have been frequently discussed, and tools have been sold, on the dark web and on dark web-adjacent chat platforms such as Telegram.

This blog takes a high-level look at the types of conversations threat actors are having and the tools they are selling in order to carry out their missions with AI, so that the typical uses of AI in malicious operations can be laid out for defenders.

AI trains on massive amounts of data, so a logical threat to begin with is data poisoning: manipulating the information used to train a system, because what goes in shapes the output. Malicious actors who intentionally inject erroneous, biased, or hateful data into training sets can spread misinformation, degrade overall performance, and introduce biases that divide and harm society. Online groups have been observed attempting to poison training data in order to produce pro-extremist, pro-violence, pro-war, racist, and misogynistic output at scale, using AI tools:

Figure 1: A March 2024 Telegram user claims that training AI to only produce material that society claims is acceptable is not the goal, and that they want [sic] “uncut, explicit, super controversial content”; Source: DarkOwl Vision
Figure 2: A Telegram user posts that Google’s Gemini tool is being fed “woke” material to spread diversity to society; Source: DarkOwl Vision

Extremist views regarding AI, and what these extremists view as countering “wokeness” are discussed across 4chan, Discord, and the aforementioned Telegram platform, as well as on underground forums.

A separate threat is prompt injection, in which an attacker feeds a system carefully crafted prompts or cues that override or subvert the instructions it was given, thereby shaping its output. When the injected prompts are malicious, the result is malicious output. Incidents of this kind could include prompting a system to reveal sensitive personal data:

Figure 3: A Telegram user discusses a prompt injection game in February, 2024, with the intent of getting AI to give away “sensitive data”; Source: DarkOwl Vision

Or prompting a system to output racist/sexist hate speech based on biases and maladaptive thinking:

Figure 4: A 4chan user discusses the possibility of using a racist LLM to call out certain groups of people in April, 2024; Source: DarkOwl Vision

Nightshade, mentioned in the figure below, is a specific tool discussed and sold on the dark web and its adjacent platforms. Nightshade arose as a way for content creators to prevent their work from being scraped into generative AI training sets: it turns images into “poisoned” samples. If a model is trained on these images without the artists’ consent or without regard to copyright, the poisoned samples introduce unexpected and abnormal behavior, skewing the model’s image output and degrading its accuracy. In that sense Nightshade is an offensive data-poisoning tool, even though it was built for a defensive purpose:

Figure 5: Users in a Russian Telegram channel discuss the Nightshade AI tool in February 2024, a tool specifically and intentionally used for data poisoning; Source: DarkOwl Vision

WormGPT emerged as one of the most public malicious adaptations of an AI model. Unlike mainstream AI tools, WormGPT’s author built in no usage restrictions, which means its users can turn it to malware generation, among other criminal operations. Another emerging threat, automated malware generation, also has a large presence on the dark web and its adjacent platforms. Since their inception, language models have shown at least a limited proficiency in writing code. The more these initial efforts are corrected, trained, and improved, the better the models get at producing malware, and the larger the attack surface grows. At present, many malicious AI tools sold online are inexpensive, allowing for high sales volume and widespread use:

Figure 6: A Telegram user advertises WormGPT for sale for $17 USD in April 2024; Source: DarkOwl Vision
Figure 7: A user on a criminal forum asks for help procuring various malicious AI tools (while reviewing their capabilities) in April, 2024; Source: DarkOwl Vision

Protecting systems from malicious AI, and hardening AI and machine learning systems themselves, is still a work in progress. The good news is that, as quickly as the discussion and deployment of AI tools emerged, parallel conversations began about securing these tools and systems. The cyber threat intelligence community, while still grappling with protecting traditional platforms and tracking threat actors, quickly set to work issuing warnings about the threats facing AI, and conversations are now happening at every level about how to protect AI and machine learning while taking advantage of their benefits.



Threat Intelligence RoundUp: June

July 01, 2024

Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of what was most popular in our newsletter, that is, what our readers found most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. Police arrest Conti and LockBit ransomware crypter specialist – Bleeping Computer

Dutch police and Ukraine’s cyber police revealed this week that in April 2024 they arrested a man who worked with both the Conti and LockBit ransomware gangs. The man, whose name has not yet been revealed, was a crypter specialist who made ransomware payloads fully undetectable and sold his skills to both groups. He also directly participated in at least one ransomware attack himself. Full article here.

2. Rockwell’s ICS Directive Comes as Critical Infrastructure Risk Peaks – Dark Reading

With increased geopolitical tensions around the globe and the constant connectedness of devices, industrial control system (ICS) vendor Rockwell Automation echoed the Cybersecurity and Infrastructure Security Agency’s (CISA) earlier warning about water supplies, telecommunications companies, power plants, and other services essential to daily life coming under digital attack. Russia, Iran, and China are all leading malicious campaigns to disrupt daily services and stoke fear among civilian populations. Read more.

3. CISA warns of criminals impersonating its employees in phone calls – Bleeping Computer

The Cybersecurity and Infrastructure Security Agency (CISA) publicly warned that threat actors are impersonating CISA employees for financial gain. Actors are calling people and asking for cryptocurrency, gift cards, cash, and other financial resources. CISA provided a hotline for individuals to call, and report attempted impersonation and scam phone calls. This is the second such campaign in a year. Article here.

4. ONNX phishing service targets Microsoft 365 accounts at financial firms – Bleeping Computer

A new phishing-as-a-service (PhaaS) platform, ONNX Store, is targeting the Microsoft 365 accounts of financial-sector employees using malicious QR codes embedded in PDF attachments. The operation is run through Telegram bots and can bypass multi-factor authentication (MFA). The lures pose as messages from HR offering “raises” or salary discussions to employees of credit unions, banks, and other financial firms. Read article.

5. Chinese and N. Korean Hackers Target Global Infrastructure with Ransomware – The Hacker News

Governments and critical infrastructure around the globe were heavily targeted between 2021 and 2023 by groups such as ChamelGang (also tracked as CamoFei), which deployed a ransomware variant known as CatB. The goal of these attacks, conducted by Chinese and North Korean actors with suspected overlap, was espionage rather than extortion. ChamelGang also uses Cobalt Strike in its operations. Full article here.

6. Microsoft Uncovers ‘Moonstone Sleet’ — New North Korean Hacker Group – The Hacker News

“Moonstone Sleet” recently debuted as one of the newest North Korean hacker groups. Thus far, the group has been observed setting up fake companies to lure job applicants as targets, then deploying trojans and, in some instances, a new custom ransomware. Microsoft states that the new collective overlaps in some instances with the Lazarus Group, but that it has its own unique tactics, techniques, and procedures (TTPs) and operates on entirely separate infrastructure. It has also reused code from the Comebacker malware, which Lazarus previously used to target security researchers. Full article.

7. BreachForums Returns Just Weeks After FBI Seizure – Honeypot or Blunder? – The Hacker News

Only two weeks after an international law enforcement operation took the onion website and Telegram channel for BreachForums offline, one of the domains – breachforums[.]st – returned to operation with a user named “ShinyHunters” operating it. This time, however, users are required to establish a user account before viewing the site’s content. Read more.

8. Empire Market owners charged for enabling $430M in dark web transactions – Bleeping Computer

Continuing the global trend of cracking down on online criminal marketplaces and actors, “Dopenugget”, real name Thomas Pavey, and “Sydney/Zero Angel”, real name Raheim Hamilton, were charged by the US Department of Justice. While they are suspected to have begun their activity on AlphaBay, the men went on to facilitate transactions on Empire Market for stolen credit card numbers, narcotics, and other criminal underground goods with a total value of approximately $430 million. Read here.

A new “V3B” phishing kit is being sold on Telegram and used to target financial institutions in the Netherlands, Austria, Germany, Finland, Italy, and several other European countries. The kit runs between $130 and $450 a month and offers customization options. The Telegram channel selling it had approximately 1,250 members at the time of writing and is expected to grow because of the kit’s ease of use and availability. Read more.


Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.

DarkOwl Deepens International Relationships at ISS World Europe

June 28, 2023

Earlier this month, DarkOwl participated in ISS World Europe in Prague. ISS World Europe prides themselves on being “the world’s largest gathering of Regional Law Enforcement, Intelligence and Homeland Security Analysts, Telecoms as well as Financial Crime Investigators responsible for Cyber Crime Investigation, Electronic Surveillance and Intelligence Gathering.” ISS World events focus on the latest in cyber tools and methodologies specifically for law enforcement, public safety, government and private sector intelligence communities. The first full day of ISS events is dedicated to training and in-depth sessions. Trainings and topics covered throughout the event include how to use cyber to combat drug trafficking, cyber money laundering, human trafficking, terrorism and other nefarious activity that occurs all across the internet.

Representing DarkOwl this year at ISS World Europe was David Alley, CEO of DarkOwl FZE based in Dubai, Magnus Svärd, Director of Strategic Partnerships, and Caryn Farino, Director of Client Engagement, both based out of DarkOwl’s headquarters in Denver, CO.

As is the norm at ISS Prague, the networking opportunities with current clients, partners, and net new prospects alike are well worth the travel across the pond. The team saw great international attendance and interest this year, with visitors to the booth from Sweden, Germany, Italy, Turkey, Hungary, the Czech Republic, Serbia, Spain, South Africa, Latvia, Lithuania, Estonia, the Netherlands, France, the UK, Poland, Ukraine, Romania, Bosnia-Herzegovina, Saudi Arabia, and Israel, among others. For the first time at any ISS event, Magnus noted, “Our number of engagements on the booth needed a minimum of two people on the booth; three would be better as we were not able to engage with everyone that came to the booth.” What an incredible turnout! The team is excited to nurture these conversations and, needless to say, looks forward to next year’s event! In addition to the great conversations at the booth, the team hosted a dinner with Pegasus Intelligence, with whom DarkOwl works to provide cutting-edge security solutions to government and military clients.

Throughout the event, top minds of the space share the latest technology, trends and thought leadership in the cyber community. Tracks this year included: Investigating DarkWeb, Bitcoin, Altcoin and Blockchain Transaction, Threat Intelligence Gathering and Cyber Security Product Training, Social Network Monitoring, Artificial Intelligence and Analytics Product Training, LEA, Defense and Intelligence Analyst Product Presentations, Lawful Interception and Criminal Investigation Training, Mobile Signal Intercept Product Training and Presentations, Electronic Surveillance Training and Product Presentations, and 5G Lawful Interception Product Training.

Due to the layer of anonymity it provides, the darknet is often a hub for illegal activity. However, investigating crime on the darknet and deep web poses technical challenges, including the fact that darknet sites are continually coming on and offline, with pages vanishing from one minute to the next. The technology DarkOwl leverages to scrape and index hidden digital undergrounds is key to the mission of obtaining proactive situational awareness for the protection of the nation’s security initiatives. DarkOwl Vision UI provides a user-friendly interface with powerful querying capabilities to search, monitor, and create alerts for critical information. DarkOwl Vision has been used to support local and federal police investigations, as well as work done in intelligence/fusion centers and federal agencies to uncover human trafficking, opioid selling, terrorism, security issues, and other illegal activity, making it the perfect tool for this audience to dive into.

Live Demonstration of DarkOwl Vision: Darknet Intelligence Discovery and Collection

The first day of the event, before booths were open, David Alley was able to give a live presentation to attendees demonstrating DarkOwl Vision: Darknet Intelligence Discovery and Collection. The team is thrilled to share that the conference room was filled to the brim with standing room only. The goal of this session was to further educate the international intelligence community on how threat actors on the darknet are evolving in their use of new tools and methodologies.

Vision UI is the industry leading platform for analysts to simply, safely, and comprehensively search the largest commercially available source of darknet data. Vision provides a user friendly interface with powerful querying capabilities to search, monitor, and create alerts for critical information. You can read more about Vision UI here.


DarkOwl looks forward to continuing our global presence at ISS events, you can see where we will be next and request time to meet with us here.

Scattered Spider: Update on Arrests

June 27, 2024

As DarkOwl has previously reported, a group known as Scattered Spider has been attributed with several high-profile attacks, including those against MGM casinos and Caesars Palace. They are known to use social engineering techniques against call center and help desk staff in order to gain access to systems. Active since early 2022, Scattered Spider is also known as Starfraud, UNC3944, Scatter Swine, and Muddled Libra and is largely financially motivated.

Although many cyber security researchers hypothesized that the actors were Western-based, because of the hours they operated and the language they used, little is known about the individuals behind the attacks. Although researchers have named the group Scattered Spider, it is thought that many different groups of individuals have been involved in this and other nefarious activity.

In May, the FBI announced that it was seeking to charge members of the Scattered Spider group. However, the first individual purported to be a member of Scattered Spider had already been arrested, in January 2024, in Florida. Noah Michael Urban, who is 19 years old, was charged with stealing $800,000 from five victims. He is awaiting trial.

On June 14th, VX-Underground reported via X (formerly Twitter) that a 22-year-old British man had been arrested in Palma de Mallorca, Spain. The arrest was reported to be part of a multi-agency operation between the FBI and Spanish authorities.

An official statement alleged that the individual was behind a series of large enterprise “hacks” that resulted in the theft of corporate information.

Further reporting indicated that the arrested individual used the alias “Tyler” and was a SIM swapper allegedly involved in the Scattered Spider group. VX-Underground reported: “Most notably he is believed to be a key component of the MGM ransomware attack, and is believed to be associated with several other high profile ransomware attacks performed by Scattered Spider.”

A video circulated online purporting to show this individual being arrested by Spanish authorities as he attempted to board a flight to Italy.

Scattered Spider is also reported to be behind the 0ktapus campaign, which used SMS phishing to target several high-profile organizations. The arrested individual was reported to be active in SIM swapping.

Brian Krebs later reported that the individual arrested was Tyler Buchanan from Dundee, Scotland, who used the alias “tylerb” on SIM-swapping channels.

Searching for further information relating to Tyler Buchanan in DarkOwl Vision highlights that the individual was doxed in January of this year. Details were shared on the Doxbin site, including his full name, address, telephone numbers, email addresses, IP addresses, usernames, and social media accounts.

The post appears to have been made by a rival, who shared the information in retaliation for Buchanan talking about him, and who states that he has made money off Buchanan whereas Buchanan doesn’t have money.

But this was not the first time this individual had been the victim of a dox: other posts identified in 2023 include financial information and information about his family members, and another post was found as early as 2019.

A review of the usernames listed highlights that Buchanan was also active on several dark web markets selling financial information.  

Further reporting from Krebs indicated that Buchanan had been the target of an attack by a rival trying to obtain his cryptocurrency keys. In that incident his mother was assaulted, highlighting the real-world risks posed by these criminal groups and by the sharing of their members’ information online.

We will await further information from law enforcement on what Buchanan is charged with.  



StarFraud Chat – Telegram Channel Analysis using A.I.

June 19, 2024

In the digital age, understanding user behavior and engagement within online communities is crucial for any OSINT or dark web investigator. Increasingly, Telegram channels are used by threat actors to communicate with one another, sell illicit goods, and share disinformation, among other activities. Monitoring these channels is important in order to track the activities of these groups and mitigate any threats they may pose to individuals and/or organizations.

However, the volume of data in these channels can be very large. DarkOwl therefore wanted to establish whether AI (artificial intelligence) could be used to analyze the data in a specific channel and what could be discerned from that data.

Disclaimer: This blog is based on AI analysis of a Telegram channel’s content, covering the period August 2022 to February 2024. DarkOwl does not take responsibility for the analysis conducted; it is shared for informational purposes only. Other AI platforms are available.

The Telegram channel “Star Fraud Chat” was selected for analysis to see what information could be gleaned about this group from its activity on Telegram. Security researchers have linked this group to Scattered Spider, which is assessed to have been responsible for the attack on MGM casinos. Furthermore, they are assessed to be part of a community that describes itself as “the Com,” whose members are reported to conduct cyber attacks as well as cyber bullying and swatting attacks.

Figure 1: Profile page for StarFraud Chat 

DarkOwl analysts used open-source tools to export the Telegram chat content from when the channel was started in August 2022 through February 2024. This generated a CSV file that included the usernames of participants, timestamps of activity, message content, media shares, replies, and reactions. ChatGPT was then used to analyze the CSV file, with specific questions being asked to identify what information could be gleaned.

This blog was written with a mix of AI analysis produced directly by ChatGPT as well as analyst review and enrichment.  

ChatGPT was asked to analyze the CSV file to see what information could be found. It initially had issues with the formatting of the document but was able to overcome them after a few attempts. Its own description of the problem was:  

The initial attempt to read the CSV file encountered issues due to irregularities in the data format, such as varying numbers of fields per line and improperly escaped or quoted strings. By inferring the delimiter and adjusting parsing strategies, we successfully re-parsed the data using a semicolon (;) as the delimiter. This correction allowed us to structure the dataset properly, revealing 56,210 rows and 42 columns, including information on message IDs, display names, user IDs, message texts, timestamps, and reactions. 

First, we wanted to understand which topics were most commonly discussed in this Telegram channel, to gauge what threat its users could pose. We therefore asked ChatGPT to analyze the message content and provide a summary of what was discussed.  

The most common words in the messages are general and do not provide specific insight into the topics discussed. To better understand the themes, we should look for specific terms and phrases related to the context of the chat. 

Key Observations: 

  1. Fraud-related Terms
  • Words like “debit,” “pin,” “balance,” “card,” and “verified” suggest discussions about fraudulent financial activities and the exchange of sensitive financial information. 
  2. Communications
  • Common conversational terms like “you,” “me,” “for,” “is,” and “on” indicate typical interactions among users. 
  • Informal and slang terms like “lol” and “bro” indicate casual communication. 
  3. User Mentions
  • Usernames and mentions, such as “@FENTOPENUPS” and “@bankopendropps,” likely reference specific users or groups within the chat. 

We wanted more information, so we then asked ChatGPT to perform a deeper analysis of the fraud-related text and to sample the data. ChatGPT itself suggested ways in which further analysis could be conducted. The output was as follows: 

Summary of Topics Discussed: 

  1. Sale of Financial and Personal Information
  • Users are discussing the sale and exchange of debit cards, ATM PINs, verified personal information (SSN, DOB), and related financial details. 
  2. Resetting and Hacking Services
  • Offers for resetting email accounts and other services for specific fees, indicating a market for hacking services. 
  3. Social Engineering Techniques
  • Strategies for social engineering and cashing out from accounts, including profit-sharing details and specific email domains targeted. 
  4. Account Requests
  • Requests for various types of accounts, such as Netflix, indicating a broader market for access to subscription services and accounts. 
  5. Panel Management and Availability
  • Discussions around the availability and longevity of panels, which could relate to account management services or access points for various fraudulent activities. 

The chat primarily revolves around fraudulent activities, including the sale of financial and personal information, hacking services, social engineering techniques, and requests for various account types. There is also a market for managing and providing access to certain panels or services related to these activities. This environment indicates a highly active and diverse exchange of illegal services and information.

Once the document had been reviewed and we understood what was being discussed, we wanted to understand more about the users of the channel. We began by asking ChatGPT which users were the most active. 

The analysis determined the most active users based on the number of messages sent. The top 10 most active users are: 

1. **”.”** – 1,076 messages 

2. **netbox** – 1,062 messages 

3. **ㅤ** (a whitespace character) – 718 messages 

4. **MY UZI HOLDS A HUNDRED ROUND CONSCIENCE** – 697 messages 

5. **ʹ** (a single quote) – 504 messages 

6. **Osama (GENERATING)** – 469 messages 

7. **Perc** – 468 messages 

8. **bloed** – 347 messages 

9. **Systoned** – 327 messages 

10. **boomb** – 320 messages 

These users have significantly contributed to the conversation, making them central figures in the community. 

The analysis highlighted that many of the most active users did not have a distinctive display name, using punctuation or blank characters instead. It also did not account for the fact that users can change their display names, so messages from the same user may appear in the data under several different names. Because the export includes Telegram user IDs, which do not change when a user renames themselves, the same analysis can be run keyed on the user ID, and that is the field an analyst should count on.  
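As an added example (not code from the original post or from DarkOwl), the parsing and user aggregation described above can be done deterministically in a few lines of Python rather than by prompting a model. The export below is constructed, with assumed column names, and reproduces the three problems mentioned above: a delimiter inside a quoted field, a row with too few fields, and a user who changes display name. Counting on user_id rather than display name gives one total per person, and a whole-word keyword search gives a reproducible version of the fraud-term analysis.

```python
import csv
import io
import re
from collections import Counter, defaultdict

# Constructed sample export. The column names, user IDs and messages are
# assumptions for illustration, not rows from the real StarFraud Chat export.
# Note the quoted field containing the delimiter, the display name that
# changes for user 1001, and the short row (id 6) missing the text column.
SAMPLE_EXPORT = """message_id;display_name;user_id;text;timestamp
1;netbox;1001;"selling verified debit, balance checked; pin included";2023-03-01 01:12:44
2;.;1002;lol;2023-03-01 01:13:02
3;ㅤ;1003;"need a panel, who got one";2023-03-01 01:15:10
4;Osama (GENERATING);1004;reset for $50;2023-03-01 02:01:00
5;netbox_;1001;dm me;2023-03-01 02:05:31
6;.;1002
7;.;1002;bro;2023-03-01 23:59:59
"""

# Terms taken from the themes ChatGPT surfaced above.
FRAUD_TERMS = ("debit", "pin", "balance", "card", "verified", "ssn", "dob", "reset", "panel")


def detect_delimiter(raw: str, candidates: str = ";,\t|") -> str:
    """Pick the candidate delimiter that appears most often in the header line."""
    header = raw.splitlines()[0]
    return max(candidates, key=header.count)


def parse_export(raw: str) -> list[dict]:
    """Parse a messy chat export into row dicts keyed by header name.

    Rows with too few fields get None for the missing columns and are dropped
    when they lack a user_id or text; extra fields are kept under "_extra"
    rather than silently shifting the other columns.
    """
    delimiter = detect_delimiter(raw)
    reader = csv.DictReader(io.StringIO(raw), delimiter=delimiter, restkey="_extra")
    rows = []
    for row in reader:
        if not row.get("user_id") or row.get("text") is None:
            continue
        rows.append(row)
    return rows


def messages_per_user(rows: list[dict]) -> list[tuple[str, int, list[str]]]:
    """Rank users by message count keyed on user_id, listing every display
    name that ID has used, so renames do not split one person's activity."""
    counts = Counter()
    names = defaultdict(set)
    for row in rows:
        counts[row["user_id"]] += 1
        names[row["user_id"]].add(row["display_name"])
    return [(uid, n, sorted(names[uid])) for uid, n in counts.most_common()]


def keyword_hits(rows: list[dict], terms=FRAUD_TERMS) -> Counter:
    """Count messages containing each term as a whole word (case-insensitive),
    so "pin" does not match "shopping"."""
    hits = Counter()
    for row in rows:
        text = row["text"].lower()
        for term in terms:
            if re.search(rf"\b{re.escape(term)}\b", text):
                hits[term] += 1
    return hits


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    for uid, n, aliases in messages_per_user(rows):
        print(f"{uid}: {n} messages as {aliases}")
    print(keyword_hits(rows).most_common())
```

On the sample, user 1001 is credited with both of their messages even though the display name changed between them, and the truncated row is discarded instead of shifting its timestamp into the text column. The same functions run unchanged on a real export once the column names are adjusted.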

The admins of the channel are listed on its Telegram page; they include a bot that is likely used to administer new joiners. None of the admins appear among the most active users: 

Figure 2: List of StarFraud Chat admins 

We then wanted to look at activity on the channel from a different perspective: not just who had posted in the chat, but who had reacted. Telegram users can react to posts with emojis. We looked at which users' posts had received the most reactions from other users.  

Reactions to messages indicate the level of engagement and resonance of user contributions. The users who received the most reactions are: 

1. **Star Sanctuary** – 34 reactions 

2. **netbox** – 15 reactions 

3. **Jack** – 12 reactions 

4. **ㅤ** (a whitespace character) – 9 reactions 

5. **.** (a period) – 8 reactions 

6. **Perc** – 6 reactions 

7. **digital cannibal** – 6 reactions 

8. **MY UZI HOLDS A HUNDRED ROUND CONSCIENCE** – 6 reactions 

9. **Stardusts in my memoryCard** – 5 reactions 

10. **Panama Creative** – 5 reactions 

This list highlights the users whose contributions garnered the most engagement from others. 

This list did include posts by some of the admins. Given the volume of posts, the number of reactions appeared relatively low.  

We then wanted to understand how the users were interacting. To do this we asked ChatGPT to analyze replies between users. However, this did not take into consideration the nature of the posts, as some posts may garner more interest than others; added context would be needed to understand how the users were interacting.  

Understanding who interacts with whom provides insights into the community dynamics. The top user interactions, based on reply activity, include: 

1. **’** replied to **fan (real)** – 6 times 

2. **Perc** replied to **netbox** – 5 times 

3. **nef** replied to **boxingloves** – 5 times 

4. **Systoned** replied to **Osama (GENERATING)** – 5 times 

5. **ㅤ** (whitespace character) replied to **Osama (GENERATING)** – 4 times 

6. **Osama (GENERATING)** replied to **Systoned** – 4 times 

7. **ㅤ** replied to **geekypoo** – 3 times 

8. **Osama (GENERATING)** replied to **ㅤ RR BB** – 3 times 

9. **King** replied to **𐕣₩** – 3 times 

10. **netbox** replied to **Uno[Shop in Bio]** – 3 times 

These interactions highlight the most engaged pairs of users within the community. 

However, this again did not take into consideration that display names can change, nor does it factor in who made the most replies overall, which user received the most replies, or what content drew them. It is likely that this information could be obtained from the data using ChatGPT with more precise questions. 

We wanted to see if it was possible to visualize these interactions. Network analysis is a really useful tool for analysts to see connections between individuals, identify who is communicating with whom, and spot patterns. So, we asked ChatGPT to create this visualization and to clean it up.  

A network graph was created to visualize the interactions between users. Each node represents a user, and each directed edge indicates that one user has replied to another. This graph illustrates the structure of interactions, showing which users are more centrally involved in conversations and how clusters of users interact more closely with each other. 

Figure 3: ChatGPT generated visualization of user replies 

Being able to review this information can be incredibly useful for analysis and gives us insight into which users in the StarFraud chat interact the most and are most active on the channel. Being able to manipulate this graph and see which users are most connected could give analysts a starting point for which users may be most useful to investigate. 

We then wanted to know if it was possible to identify when the chat was most active, as this could help us identify which time zone the users were in and so narrow down a location. We therefore asked ChatGPT to review the timestamps.  

Analyzing the timestamp data revealed that users are most active at 1 AM, with a total of 3,973 messages sent during this hour. This peak in activity suggests that the majority of users might be located in a specific time zone or find this time particularly convenient for engaging in conversations. 

Figure 4: ChatGPT generated timeline of posts 

However, it was not possible for ChatGPT to identify the time zone without additional context. The timestamps provided by Telegram appeared to be in GMT (UTC), so a 1 AM peak corresponds to the early hours of the morning in Europe, but to the evening on the US east coast (8 or 9 PM depending on daylight saving) and the late afternoon on the US west coast (5 or 6 PM). Whether the peak reflects European users awake at night or US users active after work cannot be determined from the timestamps alone.  
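As a second added example (again not the original post's code, and independent of the parsing example above), the reply analysis and the timestamp analysis can be reproduced directly from the export rather than through a model. The records are constructed with assumed IDs. Replies are resolved from the replied-to message ID to that message's author, which is how a Telegram export records them, and a reply to a message that is no longer in the export is dropped rather than guessed. The busiest hour is then recomputed under several UTC offsets, which is exactly the step ChatGPT could not take without being told the zone.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: message records as a Telegram export would provide them,
# with replies referencing the *message* they answer rather than the author.
# IDs and timestamps are assumptions for illustration, not real chat data.
RECORDS = [
    {"id": 1, "user_id": "1001", "reply_to_msg": None, "ts": "2023-03-01T01:12:44Z"},
    {"id": 2, "user_id": "1002", "reply_to_msg": 1,    "ts": "2023-03-01T01:13:02Z"},
    {"id": 3, "user_id": "1003", "reply_to_msg": 1,    "ts": "2023-03-01T01:15:10Z"},
    {"id": 4, "user_id": "1001", "reply_to_msg": 2,    "ts": "2023-03-01T01:20:00Z"},
    {"id": 5, "user_id": "1002", "reply_to_msg": 1,    "ts": "2023-03-01T02:01:00Z"},
    {"id": 6, "user_id": "1004", "reply_to_msg": None, "ts": "2023-03-01T14:05:31Z"},
    {"id": 7, "user_id": "1003", "reply_to_msg": 6,    "ts": "2023-03-01T14:07:00Z"},
    {"id": 8, "user_id": "1004", "reply_to_msg": 99,   "ts": "2023-03-01T14:30:00Z"},  # reply to a deleted message
]

# Fixed winter offsets from UTC, in hours. Real analysis should use
# zoneinfo.ZoneInfo("America/New_York") etc. so daylight saving is applied.
OFFSETS = {"UTC": 0, "CET": 1, "US Eastern": -5, "US Pacific": -8}


def reply_edges(records) -> Counter:
    """Directed reply graph: (replier_id, replied_to_id) -> count.
    Replies to messages that are not in the export (deleted or out of range)
    are skipped rather than attributed to a guessed author."""
    author = {r["id"]: r["user_id"] for r in records}
    edges = Counter()
    for r in records:
        target = r["reply_to_msg"]
        if target is not None and target in author:
            edges[(r["user_id"], author[target])] += 1
    return edges


def reply_totals(records):
    """Who sends the most replies and who receives the most, from the edges."""
    sent, received = Counter(), Counter()
    for (src, dst), n in reply_edges(records).items():
        sent[src] += n
        received[dst] += n
    return sent, received


def to_dot(edges: Counter) -> str:
    """Graphviz DOT for the reply graph; render with `dot -Tpng`."""
    lines = ["digraph replies {"]
    for (src, dst), n in edges.most_common():
        lines.append(f'  "{src}" -> "{dst}" [label="{n}"];')
    lines.append("}")
    return "\n".join(lines)


def parse_ts(ts: str) -> datetime:
    """Export timestamps are taken to be UTC, as observed in the post."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def hourly_activity(records, offset_hours: int = 0) -> Counter:
    """Messages per hour of day after shifting UTC timestamps by offset_hours."""
    shift = timedelta(hours=offset_hours)
    return Counter((parse_ts(r["ts"]) + shift).hour for r in records)


def peak_hour(records, offset_hours: int = 0) -> tuple[int, int]:
    """(hour, message count) of the busiest hour in the chosen zone."""
    return hourly_activity(records, offset_hours).most_common(1)[0]


if __name__ == "__main__":
    print(to_dot(reply_edges(RECORDS)))
    for zone, off in OFFSETS.items():
        print(f"{zone:>11}: peak at {peak_hour(RECORDS, off)[0]:02d}:00")
```

On the sample the 01:00 UTC peak becomes 20:00 US Eastern and 17:00 US Pacific, which is the conversion the post had to do by hand. The DOT output can be pasted into Graphviz to get the same kind of reply graph shown in Figure 3, with edge labels giving the reply counts.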

As this analysis was inconclusive, we wanted to see whether any of the messages contained information that might point to a location. So, we asked ChatGPT to look for this information within the posts.  

A search for location-related keywords identified 152 messages referencing specific locations. Examples include: 

– ““victory park” its a 2 story police department…” 

– “u in middle of street” 

– “ghost town” 

– “smh u the same ni**a scared to meet up and we …” 

– “**🎉 Get the Best RDP/VPS Deal with StealthRDP!…” 

These references vary in context, ranging from conversational mentions to specific addresses or locations. 

This analysis did not add much value, as the locations mentioned were very generic. Again, more specific questions and directions may improve the results here, perhaps by focusing on country or city names rather than generic terms.  

The analysis of StarFraud Chat provides valuable insights into user activity, engagement, and interaction patterns. By understanding the most active users, the times of peak activity, and the dynamics of user interactions, we can better understand how this group operates and where best to focus our analysis. We can also analyze the topics discussed to understand what threats the group poses.  

This also highlights how AI can assist analysts in their investigations by reducing the time it takes to review large amounts of data. However, these examples also highlight the importance of asking AI models very specific questions and ensuring they understand the information you are seeking; the results are only as good as the questions asked. The counts and groupings a model produces should also be checked against the raw export before being relied on, since display-name changes and parsing errors can distort them.  


Questions about how AI impacts DarkOwl’s darknet data collection? Contact us.

Site Spotlight: Doxbin

June 15, 2024

DarkOwl analysts regularly follow darknet threat actors, marketplaces and sites. Such analysis helps DarkOwl’s collection team direct crawlers and technical resources to potentially actionable and high-value content for the Vision platform and its clients.



The site Doxbin is a paste site that allows users to post text about other individuals, usually containing personally identifiable information (PII). Information is posted for a range of alleged reasons, which are usually given in the title of the dox, and a single paste can contain extensive information about an individual. Although the site is currently hosted on the clearnet and maintains an official Telegram channel, it originally operated as a .onion site and is still used by dark web affiliated individuals. 

In this blog, we explore the history of the site, who is behind it and the impact that it can have on the victims of a dox, as well as alleged recent activity related to the reported owner.  

To understand the purpose of Doxbin and how it is used, we must first understand the concept of “Doxing”.  

Doxing is the act of publicly releasing PII and other data about an individual or organization without their consent. The practice began in the late 1990s and in recent years has been carried out predominantly via the internet. The act of doxing an individual is not, in and of itself, necessarily illegal; it depends on how the information shared was obtained. Most of the data shared is likely obtained from data brokers and social media sites, although some is obtained through illegal means. Regardless of how the data is obtained, the purpose and outcomes are usually nefarious: online shaming, extortion, targeting, stalking, and hacktivism operations. The law has not yet caught up with this practice, and it is difficult to prosecute the sharing of publicly available information. However, this is beginning to change, as outlined below.   

Doxbin is a site that facilitates doxing. It is a paste site that allows users to upload any text-based content relating to individuals. It is exclusively used to share data about others or elicit more information about others. 

The current controllers of Doxbin state that any text can be uploaded to the site, the only limitations being that it must not be spam, child sexual abuse material (CSAM), or something that violates the laws of the hosting country (domain and IP analysis linked to the site suggests that it is hosted in Russia and sits behind DDoS-Guard to protect it from bot attacks). They also state that support of terrorism and threats of physical violence are not allowed.

However, in practice there is very little that cannot be posted and often information is shared in the hope that an individual will be targeted in some way – including risks of physical violence. A reason does not need to be provided, although one often is, and nothing is validated.  

The current administrators of Doxbin have posted a lengthy description on their site about how it was founded and is currently run. In this description, they describe this iteration of the site as having been active since early 2018, being created by kt and Brenton “as a place to store personal doxes as an alternative to platforms which were not satisfactory.”

However, the name/site “Doxbin” has a history that precedes this. Doxbin was originally launched in May 2011 on the dark web by an individual using the alias “nachash” as a pastebin for posting the personal information of others. The site was eventually seized by law enforcement, with the FBI and Europol taking down Doxbin in November 2014 as part of Operation Onymous, which also took down several other .onion sites, primarily those related to the sale of drugs, and led to the arrest of several individuals.  

In 2019 it was reported that Doxbin was being controlled by a white supremacist group, who were using the site to maintain a list of swatting (more on that later) targets. In 2020 the controller was arrested by the FBI.

In 2022, the site was reportedly purchased by a threat actor associated with the group Lapsus$, using the alias “White”. However, it is alleged that due to bad management of the site, users started to target White and he himself was doxed. Before this occurred, White leaked the Doxbin data set, which included private doxes that had not been published. The information contained in the dox of White, which included videos of his home, proved to be accurate. Arion Kurtaj was later arrested and prosecuted for his role in several data breaches as part of his association with Lapsus$.

The current iteration of the site, which is on the clearnet rather than Tor, states that it is no longer affiliated with “nachash”, and that he left the operation in 2015. It also describes how the original site was created and transferred, mentioning several different aliases that have been connected to the original site. They also claim that there was no legal reason for the original seizure of the site.  

Founders, Administrators, Users 

At the time of writing the site indicates that it has 308,681 registered users, although there is no need to register. Registered users are listed and broken down into tiers which include: 

  • Admins 
  • Manage 
  • Mod 
  • Council 
  • Founder 
  • Clique 
  • Rich 
  • All Users 

The oldest user – a founder – joined 5 years ago whereas the newest user joined 3 minutes ago (at time of writing). There is no description provided of the different tiers.  

It is possible to search for users, as well as observe how many pastes that user has made and if they have commented on other’s posts. The most active user appears to be a user called “o” who is listed as a moderator. They have made 120 pastes and 3,333 comments, likely mostly in a moderator capacity. It is also possible to paste anonymously so there may be users that have made more posts.  

What? 

At the time of writing, the site contains 157,225 pastes. Any text-based information can be uploaded very simply. 

The site states that they provide users “the ability to upload text information without the fear of censorship. Most pastes won’t come down without a court order. What this means is that if your info goes up, it’s not coming down unless it’s inaccurate, breaks our TOS or we receive a court order from our server hosted country.” There are no details provided about how they validate whether the information posted is accurate. However, the site does publish terms that users must follow; if, in the opinion of the moderators, a paste violates them, it will be removed. 

Examples of the type of information that are shared on Doxbin include full names, addresses, telephone numbers, IP addresses, account information including passwords and usernames commonly for streaming services and social media accounts, work locations, financial information, and email addresses. They often also post details of family members.  

The information included in a Dox generally comes from a range of locations, usually open-source information from data brokers or social media, but some of the information is stolen through hacking activities.  

Who? 

Anyone can be the victim of a Dox.  

Many individuals from the hacking community are targeted by their associates, the site has a section which it refers to as the “Hall of Autism” where it provides a list of individuals they have targeted. This area includes images of the individuals, their name, alias and a description of why they are included. This area of the website also has a song…

Celebrities and politicians are also often targets, employees of prominent organizations, and law enforcement agencies and officers, but any individuals can be targeted and often are.  

Why? 

The motivations for doxing someone can be very varied. On the site itself, a very common reason given for sharing the data is that the individual is alleged to be a pedophile; however, there is usually no evidence supplied to support this, and the label is likely used as a means to encourage others to target the individual.  

Other reasons given are that the target has no hacking skills, has done something to annoy the poster, or is accused of being a bully or a scammer. The reasons vary, and there is likely very little behind why some individuals are targeted. However, posting this information can have real and dangerous consequences.  

Although this information is merely posted online, the consequences for the individuals whose information is shared are very real.  

The owners of the original Doxbin used it to target individuals they were not happy with. In June 2014, after their Twitter account was suspended, information relating to the founders and CEO of Twitter was posted on Doxbin. That same year, information relating to a federal judge who had presided over the case against Silk Road was shared on Doxbin leading to death threats and swatting attempts. 

Swatting is the practice of reporting a serious crime at an individual’s address which leads to a strong response by law enforcement often with SWAT teams surrounding the area. The practice has become more and more commonplace, with the current version of Doxbin often being used as a source of information to conduct these swatting attacks. These attacks can be very damaging to the victims and can be dangerous. However, law enforcement has sought to prosecute these crimes and ensure prison sentences for the perpetrators.

Another impact of doxing is identity theft and financial crime, as all information about an individual is provided, criminals can use this data to conduct financial crimes. This can be a difficult thing to identify and recover from, with funds often taken before an individual even knows their data has been shared.  

The posts can also cause reputational damage, sharing information an individual may not want shared with their friends and family. There is also the possibility that material could be shared which affects an individual’s employment.  

Furthermore, this data can be used to stalk and harass individuals, some of the posts on Doxbin actively encourage others to target individuals. This can leave the victims open to threats of physical violence as well as the trauma of knowing that someone knows where they live and work and could attempt to contact them at any time. Victims are often also subjected to harassment through prank/harassing phone calls, spam emails, and online harassment and cyber bullying through social media. 

These threats can have a lasting emotional impact on individuals.   

In mid-May the Doxbin site was briefly taken offline. A post on the official Telegram channel indicated that the administrators had taken it offline for security reasons.  

Soon after, images began to circulate on Telegram alleging that one of the “current” owners of Doxbin, “Operator”, had been kidnapped. The images showed an unknown individual wrapped in trash bags, alongside videos claimed to be of the kidnapping, showing him being beaten. However, this could not be validated, and many online questioned whether it was actually some kind of exit scam.   

After this was posted, not much further information was shared. The site came back up and is currently operating as normal. It is unclear if this video was real. 

Doxbin is a site on the clearnet that has been used to target countless individuals for largely unknown reasons. The site facilitates individuals who wish to cause harm to others for a variety of reasons. Once data is shared on the site, it is all but impossible to have it removed, meaning that victims can be subject to harassment and threats not just by the original poster but also by other viewers of the site. Much of the time this data is used by threat actors to torment victims and conduct swatting attacks, seemingly for personal entertainment.  

Constant monitoring of this site is recommended to ensure company and employee data is not shared.  


Curious how DarkOwl analysts can help monitor Doxbin for your organization? Contact us.

[Interview Transcription] OSINT in Government: Industry Insights on Challenges and Opportunities

June 12, 2024

Francis Rose of Fed Gov Today, recently sat down with DarkOwl CEO and Co-Founder, Mark Turnage, to discuss the current state of open-source intelligence (OSINT) in government. You can check out the article from Fed Gov Today here.

The link to the YouTube video, and the transcription can be found below.

NOTE: Some content has been edited for length and clarity.


Francis: Mark Turnage, Welcome. It’s great to talk to you. What’s the current state, do you think, of the government getting the data that it needs and deciding what sources it’s going to draw that data from, open sources, proprietary information and so on?

Mark: That’s a great question. And you know, I think there’s been a big change in the government in their approach to OSINT in general, and frankly, their understanding of the need for OSINT and the value of OSINT. And we live in an environment where data, broadly speaking, and OSINT, broadly speaking, is growing dramatically. The amount of data, the types of data, and so the government, in some respects, is playing catch up in trying to understand how to use it, how to aggregate it, how to analyze it. And that’s a big change that is underway. But gaps, gaps in the government’s collection. We’re [DarkOwl] a darknet data collection company. We collect data from 30,000 plus sites a day in the darknet, and we provide that to the government and other commercial users. And just that one tiny sliver of OSINT alone can tax any organization’s ability to integrate data, store it, and then manage it. So that’s it. That’s a tiny little example of some of the challenges that the government faces.

Francis: One of the things I think has been interesting about tracking this over time is that organizations, for example, like NGA, have not fought the change in the lines of delineation what used to be open or what used to be proprietary is now open-source and so on they’ve kind of said we have to get with the game and them and go with it. Has that helped, do you think, organizations in government to go through this change?

Mark: I think it’s been a big culture shift for them. I mean, NGA in particular, but other organizations as well. Take the example of satellite data, satellite imagery. What’s available today commercially is better than what was available, on the high side, 10 years ago. And that is only going to keep happening. Using a cell phone, you can get battlefield information on the front lines in Ukraine that’s far more detailed and far more timely than what our analysts have access to here in the US, you know, from high-side data. So, I think any organization that understands that then has to embrace it fully and start to use those commercial sources and integrate them fully with their high-side data. And then they have the best of both worlds, to be honest.

Francis: Take me farther into that definition of embracing that fully. What does that mean to those organizations to do from a tactical perspective?

Mark: Well, first of all, there’s a culture shift. I’m not sure that’s tactical, but there’s a, there’s a cultural shift that’s necessary. But once that cultural shift, once they actually understand it and get it in their DNA, I think there’s a couple of things. Number one, don’t fear it. Don’t fear open-source data. Embrace it. Buy it. Integrate it. Use it. And by the way, part of that is also staying on top of what open-source data is out there and available because it changes and it shifts dramatically as time goes on. Secondly, integrate it with your high-side data. Look at them side by side. Understand that that data, sometimes that commercially available data is better than what you have and sometimes it’s very complementary to what you have. It makes your analyst team far more powerful looking at both sets of data and correlating them together. But embracing, I think, means buying, understanding it, buying it, integrating it.

Francis: That integration process, it sounds like when you use the term changes and shifts dramatically, it sounds like that integration process may be the key factor to all of the ones that you just laid out there. Is that a fair read?

Mark: That is an absolutely fair statement. I think understanding what that technology or that tech stack is that you need to build and maintain to integrate open-source data is a journey that all the federal agencies we work with are on right now.

Francis: What is the technological underpinning of this infrastructure? And is that changing over time as well?

Mark: It’s likely to change over time, but the technological underpinning is you have to have the ability to integrate extremely large data streams, parse those data streams, store them in a secure environment, and then make them available through whatever interface or tools are available to your analysts. You make them available in live time to your analysts. So, there are off-the-shelf products that allow you to do that. And obviously there are cloud data storage capabilities available to the government through a number of different avenues. The one interesting thing that is a challenge for many of these agencies is how do you integrate open-source data coming from the low side with high-side data? How do you cross that chasm? Because taking OSINT intelligence into a SCIF, and then trying to correlate it with high-side data, becomes a real challenge; you would rather have them on the same screen. So that creates a completely different technological challenge, I think, for many of these organizations.

Francis: I want to come back to that idea, but you talked about analysts and the importance of the analysts a number of times in this conversation already. What does the skill set for the analyst of the future look like potentially compared to the analyst of today given the advances that you’ve discussed?

Mark: That’s a really good question. And obviously, AI is front and center in that process. I would say that the analyst of the future needs to be able to contextualize the intelligence that they are getting. And in fact, a good chunk of that intelligence they’re getting is going to be AI generated. But they have to contextualize it, and they also have to be able to keep it honest. When you have AI hallucination and other things, and you don’t have a trained analyst who understands the context in which this is being done, you could go down a rat hole pretty quickly. So, the world of the future is going to be divided, broadly, between people who can use AI to be more productive and those who can’t. And that’s the new social split that we’re coming to as a society; that’s no different with an analyst. They have to understand how AI works. They have to understand the data AI is looking at. They have to understand the output, and they have to then stress test that output.

Francis: You mentioned the desire to mash up high-side data with open-source data. What is the challenge potentially, if any, to maintaining, I guess, tagging is the best word I can think of, so that one knows throughout the entire data stream this piece is just for us to see and this stuff is okay for others to see when you’re combining?

Mark: When you combine those datasets, you have to tag it, you have to give them metadata so that an analyst a month out or a year out or five years out knows where that data came from, knows the source, knows the provenance of the data, and obviously can distinguish between a sentence which may have come from the high side and a sentence immediately adjacent to it that came from open source. So that’s obviously a real challenge, but that’s actually, I think, relatively solvable with the metadata and tagging that’s available. If you don’t pay attention to it, there’s going to be an analyst down the road in five years who’s going to get himself or herself in real trouble.

Francis: Mark, it’s great to talk to you. Thanks for your time.

Mark: Really nice to talk to you as well.


Interested in learning more? Contact us.

What are APIs?

June 06, 2024

Cybersecurity might as well have its own language. There are so many acronyms, terms, and sayings that cybersecurity professionals and threat actors both use that, unless you are deeply knowledgeable, have experience in the security field, or have a keen interest, you may not know them. Understanding what these acronyms and terms mean is the first step to developing a thorough understanding of cybersecurity and, in turn, better protecting yourself, clients, and employees.

In this blog series, we aim to explain and simplify some of the most commonly used terms. Earlier this month, we covered CVEs. In this edition, let’s dive into APIs.

Simply put, application programming interfaces (APIs) allow two software applications to communicate with each other: to make requests, receive responses, and exchange data. This is true for both mobile and web-based applications. APIs permit humans and machines to exchange, process, and use data according to defined rules and protocols. One of the important benefits is that APIs allow applications that are written in different programming languages, or that run on different operating systems, to easily communicate and pass data.

APIs run behind the scenes and allow software to communicate with other software, but there are plenty of everyday examples of API use one might not be aware of. For instance, if a user logs into an account or service by opting to use their Google or a social media account (to avoid having to create a brand new account), this login flow uses API services to exchange authentication information between the Google or social media account and the platform, enabling a convenient and seamless login experience for the user.

There are two primary designs for APIs: Simple Object Access Protocol (SOAP) and Representational State Transfer (REST). While we will not dive deep into the technical aspects, the main takeaway is that SOAP uses a strictly structured XML message format, while REST is more flexible and permits data exchange in multiple formats, such as JSON, plain text, or XML. Being more flexible, REST can use the SOAP protocol, but the reverse is not true: SOAP cannot use a REST protocol. REST APIs are well suited to mobile devices that use an API.

Here at DarkOwl, we allow for access to our platform via a curated User Interface (UI) as well as several API endpoints. The APIs enable our customers to use DarkOwl Vision data in their own software applications. You can view our product offerings here.

Unfortunately, while APIs automate and permit the quick transfer of large amounts of data, like so many facets of the cyber world they are subject to malicious activity and attacks.

Malicious actors are focusing on attacking APIs more and more, as APIs transmit large amounts of valuable information and data. Without proper security, including regular software updates, securing the multiple entry points that make up an API, and accounting for legacy APIs that could be overlooked and left unprotected, APIs can be subjected to malicious use. This is especially true because, in most cases, developers provide very detailed API documentation to enable sanctioned API use; new and prospective customers are not the only ones who rely on that documentation to fine-tune their use of an API.

Actors can target APIs with several traditional types of attacks. This list is not exhaustive, but is provided as a high-level overview of the kinds of attacks directed against API infrastructure:

  • Distributed denial of service (DDoS) attacks, which overwhelm an API and make its services unavailable to legitimate, paying customers.
  • Brute-force attacks, in which actors try credentials against the API until one grants access, then abuse the interface to steal sensitive, proprietary, or corporate information.
  • Machine-in-the-middle or attacker-in-the-middle (MITM or AITM, respectively) attacks, in which an actor intercepts and alters communications, permitting theft or manipulation of API data.
  • Procuring legitimate API keys, which are often left accidentally exposed or otherwise compromised.
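Two of the patterns above, credential brute-forcing and the use of a procured key, leave traces in a gateway's access log. The following is an added example (not DarkOwl code) that flags both; the log format, the thresholds, and the per-key allow-list of source networks are all constructed for the demonstration.

```python
"""Flag brute-force attempts and out-of-place API key use in access logs.
Added example; the log format, thresholds and allow-lists are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log lines: "<iso-timestamp> <src-ip> <status> <key-id>".
# One source fails four times, then succeeds and uses key-alpha from an
# unexpected network; key-beta also shows up from an unexpected network.
SAMPLE_LOG = """\
2024-06-06T10:00:01 203.0.113.7 401 -
2024-06-06T10:00:02 203.0.113.7 401 -
2024-06-06T10:00:03 203.0.113.7 401 -
2024-06-06T10:00:04 203.0.113.7 401 -
2024-06-06T10:00:06 203.0.113.7 200 key-alpha
2024-06-06T10:05:00 198.51.100.20 200 key-beta
2024-06-06T10:06:00 192.0.2.44 200 key-beta
"""

# Constructed allow-list: the networks each API key is expected to call from.
KEY_ALLOWED_NETS = {
    "key-alpha": [ip_network("10.0.0.0/8")],
    "key-beta": [ip_network("198.51.100.0/24")],
}

def parse_log(text):
    """Yield (timestamp, src_ip, status, key_id) tuples from the log text."""
    for line in text.splitlines():
        ts, src, status, key = line.split()
        yield datetime.fromisoformat(ts), ip_address(src), int(status), key

def detect_brute_force(events, threshold=4, window=timedelta(seconds=60)):
    """Return source IPs with >= threshold auth failures (401) inside one window."""
    failures = defaultdict(list)
    for ts, src, status, _ in events:
        if status == 401:
            failures[src].append(ts)
    flagged = set()
    for src, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(str(src))
                break
    return flagged

def detect_key_misuse(events, allowed=KEY_ALLOWED_NETS):
    """Return (key_id, src_ip) pairs where a valid key was accepted from a
    network it was never expected to call from: a sign the key has leaked."""
    hits = set()
    for _, src, status, key in events:
        nets = allowed.get(key)
        if status == 200 and nets and not any(src in n for n in nets):
            hits.add((key, str(src)))
    return hits
```

In a real deployment the allow-list would be built from each customer's known egress ranges, and the thresholds tuned to the API's normal failure rate.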

DarkOwl constantly observes actors discussing methods for API attacks at multiple layers of the tech stack, trading methods for having maximum impact, and selling possible API access to various organizations:

Figure 1: An actor on (now defunct) Breached Forums advertises possible methods to attack APIs at various levels of the tech stack; Source: DarkOwl Vision
Figure 2: A Discord server publishes materials, including a website, that specifically aids attackers in going after and attacking APIs; Source: DarkOwl Vision

Mitigating API attacks requires protection at multiple stages.

  • First, like everything that involves data transfer, data must be encrypted both at rest and in transit. Role-based access control (RBAC) permits only explicitly approved applications and users to have access, lessening the possibility of an unintended individual gaining unauthorized access.
  • APIs also have their own gateways, positioned between the client and the provided services. The gateway authenticates attempted access and enforces the rules and standards that govern who may access what.
  • Finally, zero-trust models are also applicable to protecting APIs. Zero trust requires every request to authenticate and prove its rights rather than trusting a previously established session, which makes it an effective way to catch a repeat user who, behind the scenes, could be an impostor. In addition to all of the above specific steps, constant monitoring and vigilance are recommended, as APIs are a data-rich source and the technology is constantly changing.
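The gateway, RBAC and zero-trust points above can be shown together in one decision function. This is an added example, not DarkOwl's own gateway; the API keys, client names, roles and routes are constructed, and keys are stored only as SHA-256 digests so a leaked key store does not leak the keys themselves.

```python
"""Minimal API gateway decision logic: transport check, key authentication,
role-based authorization, re-evaluated on every request (no trusted session).
Added example; the key store, roles and routes are constructed."""
import hashlib
import hmac

def key_digest(raw_key: str) -> str:
    """Keys are kept only as digests: at-rest protection for the credential store."""
    return hashlib.sha256(raw_key.encode()).hexdigest()

# Constructed credential store: key digest -> (client name, role). No raw keys.
KEY_STORE = {
    key_digest("demo-reader-key-0001"): ("report-app", "reader"),
    key_digest("demo-admin-key-0002"): ("ops-console", "admin"),
}

# Constructed RBAC policy: role -> set of (method, path prefix) it may call.
ROLE_POLICY = {
    "reader": {("GET", "/v1/search")},
    "admin": {("GET", "/v1/search"), ("POST", "/v1/keys"), ("DELETE", "/v1/keys")},
}

def lookup_key(presented):
    """Resolve a presented key to its client with a constant-time digest compare."""
    digest = key_digest(presented or "")
    for stored, client in KEY_STORE.items():
        if hmac.compare_digest(stored, digest):
            return client
    return None

def authorize(request: dict) -> tuple:
    """Return (http_status, reason, client_name) for one request dict with the
    keys scheme, api_key, method and path. Nothing is cached between calls."""
    if request.get("scheme") != "https":            # encryption in transit
        return 400, "plaintext transport refused", None
    client = lookup_key(request.get("api_key"))     # authentication
    if client is None:
        return 401, "unknown or missing API key", None
    name, role = client
    method, path = request.get("method"), request.get("path", "")
    allowed = any(method == m and path.startswith(p)   # RBAC authorization
                  for m, p in ROLE_POLICY.get(role, ()))
    if not allowed:
        return 403, f"role {role!r} may not {method} {path}", name
    return 200, "forwarded to backend", name
```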

Contact DarkOwl today to learn more about our API access, as well as protection methods we suggest based on observing actor discourse and tactics live on the deep and dark web.

Threat Intelligence RoundUp: May

June 03, 2024

Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of what was most popular in our newsletter, that is, what our readers found most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. LockBit ransomware admin identified, sanctioned in US, UK, Australia – Bleeping Computer

Dmitry Yuryevich Khoroshev, a Russian citizen, was revealed as the admin and developer of LockBit ransomware. Having earned approximately $100 million through the ransomware gang’s activity, Khoroshev is now subject to travel bans and his assets are frozen. His fondness for speaking to and granting interviews with media outlets, and his high level of posting activity on Russian dark web forums, also contribute to the overall picture of LockBit’s ransomware activity. Five other members of the gang were arrested and are pending trial. Full article here.

2. FBI warns of fake verification schemes targeting dating app users – Bleeping Computer

Malicious actors are using malicious links to lure dating app users to a fake website that purportedly verifies they are not sex offenders. On this fake website, the user enters their email, phone number, and other pieces of personal information to verify they are not a sex offender and prove this to the audience on the dating site. However, after this information is entered, the person is charged a monthly fee on their credit card, and their other PII is sold in criminal operations on dark web markets and, in certain cases, on Telegram. Read more.

3. Ascension redirects ambulances after suspected ransomware attack – Bleeping Computer

In another example of the digital realm having a physical impact, US-based Ascension healthcare had to change the destination hospital for several ambulances when a ransomware attack impacted their systems. The incident also caused clinical treatment disruption, such as delayed medical tests and medication orders, as well as system outages. No group has publicly claimed this incident as of the time of this writing. Article here.

4. US Post Office phishing sites get as much traffic as the real one – Bleeping Computer

Continuing to emphasize the usefulness and success of typo- and combo-squatting, researchers observed that websites impersonating the official US Postal Service website get as much web traffic as the actual website, and during holiday periods the fake websites receive more web traffic than the official one. Combined with SMS messages carrying “package unable to be delivered” themed lures that often link to a malicious website, the fraud targeting the USPS is sophisticated and is expected to remain elevated. Read article.

5. Chinese hackers hide on military and govt networks for 6 years – Bleeping Computer

A new threat actor attributed to China, “Unfading Sea Haze,” has been hiding on military and government networks in the South China Sea for the past six years. Their primary goals are both espionage and intel collection, and their tools appear to overlap with APT41. The group uses spear-phishing to begin their attacks, and sends documents laced with LNK files that will execute a PowerShell script under the right circumstances. They also use a custom keylogger named “xkeylog” as well as some GhostRAT malware variants. Full article here.

6. A Russian Influence Campaign Is Exploiting College Campus Protests – Wired

In what has become a normal operation for Russian intel operatives, the Kremlin is using Telegram, bot farms, and other social media platforms such as X (formerly Twitter) to increase division in US society. Doppelganger, a well-known, Kremlin-aligned group of actors, uses its vast botnet to pass links containing fake news about real-world events to global publications, including Le Monde and other European news networks, as well as news outlets in the United States. Full article.

7. Owner of Incognito dark web drugs market arrested in New York – Bleeping Computer

Continuing the trend of actor arrests and online market/malicious operation takedowns, this week witnessed the arrest of Incognito Market operator Rui-Siang Lin. Lin was arrested in New York City for his oversight and operation of the popular drug market, which had roughly 200,000 customers who purchased all types of narcotics. Read more.

8. US charges two brothers with novel $25 million cryptocurrency heist – Reuters

Two MIT students, who are also brothers, stole $25 million in Ethereum in 12 seconds in an attack that calls into question the very integrity of blockchain technology. The actors gained access to pending transactions by fraudulent means and altered the movement of Ethereum cryptocurrency. The brothers had experimented with manipulating the protocols in the months leading up to the theft, exploiting a software vulnerability. Read here.

Small businesses and home internet users often use open-source HTTP and HTTPS proxy servers for their internet access. Cisco warned of a new flaw, CVE-2023-49606, a remote code execution issue caused by incorrect handling of HTTP headers, which could allow an attacker to access freed memory. Censys also confirmed approximately 90,000 internet-exposed Tinyproxy services, over half of which were vulnerable to the aforementioned CVE. Read more.


Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.

Copyright © 2024 DarkOwl, LLC All rights reserved.