Israel-Iran Conflict: Airstrikes, Retaliation, and Hacktivists

June 13, 2025

In the early hours of 13 June (local time) Israel confirmed that it had launched airstrikes against Iran. The targets were reported to include Iran’s nuclear program and other military sites. Further strikes were reported throughout the day. Iran’s Supreme Leader Ali Khamenei warned that Iranian forces will “act with strength” against Israel. Subsequently Iran fired missiles into Israel. Loud explosions have been heard over Tel-Aviv.

On Telegram, hacktivist and news media channels have been reacting. Telegram is often used in the region as a first source of news, and hacktivist groups have used the platform to share details of their cyber-attacks and victims.

Hacktivist group DieNet claimed that they will attack Israeli radio stations in tandem with the attacks from Iran. 

They then shared images which they claimed to be proof.

They also claimed to have attacked Israeli companies and obtained data that they would share in order to assist Iranian Intelligence and military efforts.

Other groups shared images of the bombing of Tel-Aviv and images of the red alert system in Israel.

Another hacktivist group, which states that it supports Iran, has posted a call to action asking anyone with cyber security experience to help them target Israel.

Others are sharing information on cyber attacks against Israeli targets.

Another hacktivist group, Islamic Hacker Army, is targeting Iranian government entities.

The IDF are using Telegram to post updates, informing citizens about what they need to do and encouraging people not to share any footage or information about the airstrikes, which they state have been intercepted.

Israeli news sites are also using Telegram to update on the ongoing events, with reports that Iran has targeted populated areas in Israel and caused casualties as well as videos of the attack.

This is an ongoing situation that DarkOwl will continue to monitor.


Follow us on LinkedIn to stay up to date.

Ethical Hacking: White Hat Hackers vs. Black Hat Hackers 

June 12, 2025

In the cybersecurity world, not all hackers wear the same hat. While the term “hacker” often carries a negative connotation, ethical hacking plays a vital role in defending systems, exposing vulnerabilities, and preventing malicious intrusions. In this blog, we’ll break down the differences between white hat and black hat hackers, and why ethical hacking is essential in the fight against cybercrime—especially as threats increasingly originate from the dark web.

Ethical hacking is the practice of intentionally probing systems, applications, and networks for security vulnerabilities—with permission. These security professionals, often referred to as white hat hackers, simulate cyberattacks to identify and patch weaknesses before malicious actors can exploit them. 

Ethical hackers follow strict legal and contractual guidelines. Their work typically includes: 

  • Penetration testing (network, web app, social engineering) 
  • Vulnerability assessments 
  • Red team/blue team simulations 
  • Threat modeling and risk assessments 

White hat hackers are cybersecurity experts who use offensive tactics for defensive purposes.  

They may work in-house at large enterprises, for managed security providers, or as freelance consultants. Their goal is to: 

  • Identify misconfigurations and zero-day vulnerabilities 
  • Help organizations comply with frameworks like NIST, ISO 27001, or GDPR 
  • Harden systems before attackers find their way in 

White hats often contribute to bug bounty platforms like HackerOne or Bugcrowd, earning legal income through responsible disclosure. 

Black hat hackers exploit vulnerabilities for personal or financial gain, espionage, political disruption, or simply malicious intent. Their activities are illegal and unethical, and can include: 

  • Deploying ransomware or info-stealer malware 
  • Harvesting credentials for sale on dark web markets 
  • Running phishing campaigns and exploit kits 
  • Selling zero-days or initial access on dark web forums 

These actors thrive in anonymity, often using the dark web to communicate, trade tools, or collaborate with other threat groups. 

Gray hat hackers operate in the middle. They might find vulnerabilities without permission but report them without malicious intent—sometimes requesting payment afterward. While not always harmful, their actions can still violate ethical and legal boundaries. 

As threat actors increasingly coordinate and monetize attacks through dark web infrastructure, organizations need white hat hackers to stay one step ahead. For example: 

  • Ethical hackers often emulate TTPs (tactics, techniques, and procedures) observed in dark web-sourced threat intel. 
  • Red teams simulate attacks modeled after real-world adversaries, using leaked credentials or known malware strains. 
  • Threat hunters rely on collaboration with ethical hackers to validate indicators of compromise (IOCs) harvested from dark web sources. 

By pairing dark web monitoring with ethical hacking, companies can proactively reduce risk exposure, especially in industries with high-value data (e.g., finance, healthcare, government). 

The difference between a white hat and a black hat isn’t in capability—it’s in intent, authorization, and impact.

| Hacker Type | Motivation | Legality | Common Tools & Tactics |
|---|---|---|---|
| White Hat | Security & defense | Legal | Metasploit, Burp Suite, Kali Linux, Cobalt Strike (licensed) |
| Black Hat | Profit or sabotage | Illegal | Ransomware, phishing kits, stealer logs, RATs, dark web forums |
| Gray Hat | Curiosity, recognition | Often borderline | Exploits, port scanners, self-written scripts |


Darknet Mentions: The Silent Threat to Your Company’s Reputation 

June 10, 2025

When most people hear the word “darknet,” they picture something out of a movie—hooded hackers, flickering monitors, maybe a green Matrix-style glow. But for companies, the darknet isn’t some far-off concept. It’s real. It’s active. And there’s a good chance your brand is already being mentioned there. 

And no—it’s not just paranoia. It’s reality. 

Let’s break down why that matters and what you should be watching for. 

One day, everything seems fine. The next? Your customer database, employee records, or internal strategy documents are listed on a darknet marketplace for a few hundred bucks in crypto. Maybe the breach happened through your systems. Maybe it was a third-party vendor. Either way, the fallout is yours. 

Hackers aren’t just targeting banks and tech giants anymore. Everyone has data worth stealing. 

Sites like the now-defunct Breached Forums were notorious for posting company breach data daily. In the wrong hands—whether cybercriminals or even unethical competitors—that data can do serious damage. 

Figure 1: Threat actor ShinyHunters advertises Ticketmaster data on BreachForums 

Take Oracle’s Cloud Supply Chain breach as an example. More than 6 million records were leaked, affecting over 140,000 tenants. The data reportedly included encrypted SSO passwords—critical keys to user authentication. 

Why it matters: Once your data hits the darknet, you can’t undo it. The faster you know, the faster you can respond—before customers, investors, or regulators find out the hard way. 

This one’s disturbingly common. All it takes is a phishing email or infected website, and suddenly someone’s corporate credentials are being traded online. 

Even more concerning is the rise of “stealer logs.” These are text files pulled from infected computers containing saved passwords, browser sessions, cookies, and more. They’re sold in bulk on markets like RussianMarket or 2easy. For as little as $10, a threat actor could buy their way into your network. 

Figure 2: Browser data in a stealer log showing phone numbers, dates of birth, usernames, and passwords; Source: DarkOwl Vision

What’s worse? You don’t always know what those credentials unlock. Access to email? Internal tools? Sensitive databases? 

Monitoring these stealer log sites is no longer optional—it’s a critical step in stopping ransomware and unauthorized access before it starts. 
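Monitoring for the credential exposures described above means turning a raw stealer-log dump into an alert that names the affected account and service without re-spreading the plaintext password. The Python below is an added example, not DarkOwl’s or any vendor’s code. It assumes the plain-text URL/USER/PASS record layout that many infostealer families write into their password files, and the sample entries, the domain example-corp.com and the .invalid hosts are all constructed for the illustration. It also handles two cases a naive string search gets wrong: a lookalike host such as vpn.example-corp.com.evil-phish.invalid must not match the watched domain, and a URL with a port or no scheme must still yield the right hostname.

```python
"""Flag corporate credentials in a stealer-log dump (added example, not DarkOwl's code).

Assumed input: the plain-text URL / USER / PASS triples many infostealers write
to their password files. SAMPLE_LOG and example-corp.com are constructed.
"""
import hashlib
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample resembling a stealer-log passwords file (not real data).
SAMPLE_LOG = """\
URL: https://mail.example-corp.com/owa/auth/logon.aspx
USER: jdoe@example-corp.com
PASS: Summer2024!

URL: https://www.shopping-site.invalid/account
USER: jdoe@gmail.com
PASS: samepassword

URL: https://vpn.example-corp.com.evil-phish.invalid/login
USER: jdoe
PASS: Summer2024!

URL: sso.partner.example-corp.com:8443
USER: admin
PASS: Adm1n-Pass
"""

WATCHED_DOMAINS = {"example-corp.com"}  # the organisation's own domains (assumed)


@dataclass(frozen=True)
class Entry:
    url: str
    user: str
    password: str


def parse_stealer_log(text: str) -> list[Entry]:
    """Parse URL/USER/PASS records; keys are matched case-insensitively and a blank line ends a record."""
    entries: list[Entry] = []
    fields: dict[str, str] = {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last record
        m = re.match(r"^\s*(url|user|login|pass|password)\s*:\s*(.*)$", line, re.I)
        if m:
            key = {"login": "user", "password": "pass"}.get(m.group(1).lower(), m.group(1).lower())
            fields[key] = m.group(2).strip()
        elif not line.strip():
            if all(k in fields for k in ("url", "user", "pass")):
                entries.append(Entry(fields["url"], fields["user"], fields["pass"]))
            fields = {}
    return entries


def hostname_of(url: str) -> str:
    """Extract the host from a URL that may lack a scheme or carry a port."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower()


def in_domain(host: str, domain: str) -> bool:
    """True only for the domain itself or a real subdomain (dot boundary, so lookalikes fail)."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)


def redact(password: str) -> str:
    """Never store the plaintext: keep a one-character hint plus a short fingerprint for de-duplication."""
    fp = hashlib.sha256(password.encode()).hexdigest()[:8]
    return f"{password[:1]}{'*' * (len(password) - 1)} (sha256:{fp})"


def find_exposures(entries: list[Entry], domains: set[str]) -> list[tuple[str, str, str, str]]:
    """Return (url, user, redacted_password, reason) for entries whose host or account is in a watched domain."""
    hits = []
    for e in entries:
        host = hostname_of(e.url)
        user_domain = e.user.rsplit("@", 1)[1].lower() if "@" in e.user else ""
        for d in domains:
            if in_domain(host, d):
                hits.append((e.url, e.user, redact(e.password), f"host in {d}"))
                break
            if user_domain and in_domain(user_domain, d):
                hits.append((e.url, e.user, redact(e.password), f"account in {d}"))
                break
    return hits


if __name__ == "__main__":
    for hit in find_exposures(parse_stealer_log(SAMPLE_LOG), WATCHED_DOMAINS):
        print(*hit, sep=" | ")
```

On the constructed sample this reports the OWA login and the port-bearing SSO host, ignores the unrelated shopping account, and rejects the phishing lookalike host. The alert tuple carries only a masked password and a hash prefix, which is enough to de-duplicate repeat listings and to trigger a forced reset without the monitoring pipeline itself becoming a second copy of the leaked credentials.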

This is every security leader’s nightmare: an insider selling access to their own company’s systems. 

Disgruntled employees, ex-contractors, or even someone in financial distress may post offers like: 

“Access to large healthcare org. Admin rights. Serious buyers only.” 

Not all insider threats are intentional. Sometimes, an employee unknowingly becomes a risk—by being too trusting or unaware of security policies. Others may be driven by resentment, especially in today’s environment where layoffs are frequent and workloads increase for those who remain. 

The bottom line? Insider threats are incredibly hard to detect until it’s too late. Monitoring the dark web for chatter about your company can give you a head start in spotting them. 

Why it matters: These posts often appear just before a ransomware attack or data leak. The longer you stay unaware, the bigger the damage. 

Copyright law isn’t the most exciting topic, but it becomes very real when your products start showing up as fakes online. 

If you ever plan to take legal action for copyright violations, one of the first questions a court will ask is: What steps did your company take to protect and enforce the copyright? 

That’s why big brands like the NFL send teams to sniff out counterfeit goods during events like the Super Bowl. 

The dark web is a known hub for counterfeit products. You can find knockoff software, clothing, purses—even security tools—for under $20. 

Figure 3: Darknet marketplace advertisement for counterfeit Rolex watch for $4500 USD

If your brand relies on copyrighted products or content, darknet monitoring is a smart move. It strengthens internal investigations, arms your legal team with evidence, and shows the courts you’re actively enforcing your rights. 

The darknet isn’t just a playground for hackers. It’s a marketplace, a communication channel, and sometimes, a launchpad for real-world damage. 

Whether you know it or not, your company is being talked about. The only question is: 

Are you listening? 



Whistleblower Sites 101

June 04, 2025

Cybersecurity might as well have its own language. Cybersecurity professionals and threat actors both use so many acronyms, terms, and sayings that someone without deep knowledge, experience in the security field, or a keen interest may not understand them. Understanding what these acronyms and terms mean is the first step to developing a thorough understanding of cybersecurity and, in turn, better protecting yourself, clients, and employees.

In this blog series, we aim to explain and simplify some of the most commonly used terms. Previously, we have covered bulletproof hosting, CVEs, APIs, brute force attacks, zero-day exploits, and doxing. In this blog, DarkOwl analysts provide a summary of the digital whistleblower landscape, outlining the role of the dark web and examining some noteworthy whistleblower platforms. 

Though contemporary cases usually come to mind, whistleblowers—individuals “who disclose evidence of wrongdoing”—are by no means a recent phenomenon. The first documented whistleblowers in the United States were 10 American officers who, in 1777, reported abuses by their commander, Esek Hopkins. As explained by Dr. Allison Stanger, Hopkins, the first commodore of the U.S. Navy, was accused of torturing British prisoners of war. Following a testimony by the whistleblowers to the Continental Congress, Hopkins was suspended and subsequently retaliated against the officers, who were ultimately protected when the Continental Congress passed America’s first whistleblower law on July 30, 1778. 

The whistleblower landscape, however, has unsurprisingly changed since the 18th century, in large part due to the emergence of digital whistleblowing platforms. As noted by Philip Di Salvo, the author of Digital Whistleblowing Platforms in Journalism, whistleblowing platforms allow individuals to “submit documents to recipient journalists, using safer and anonymizing technologies based on strong encryption.” Di Salvo describes these platforms as being at the crossroads between journalism and hacking; they are significant in that they provide journalists’ potential sources “with safer, anonymous, communication channels online.” Many of the platforms in question utilize Tor—The Onion Router—to ensure whistleblowers remain anonymous by hiding their IP addresses and browsing history. 

The use of Tor by whistleblowers aiming to expose waste, fraud, abuse, or corruption challenges the common misconception that the dark web is accessed exclusively by bad actors. While the dark web does contain illicit marketplaces, hacking groups, terrorist activity, child pornography, and more, it can also protect whistleblowers and journalistic sources. The anonymity provided by the dark web is especially vital for sources and activists living in repressive regimes. 

As similarly highlighted by Di Salvo, since its emergence the digital whistleblower landscape has grown to include a wide variety of platforms that provide users with encrypted submission systems. Below, analysts examine some notable whistleblower platforms. 

WikiLeaks is a whistleblowing platform originally founded by the Australian computer programmer Julian Assange in 2006. The platform, which publishes secret information obtained from anonymous sources, was initially created with the intention to “streamline the whistleblowing process.” Despite being founded in 2006, the platform only gained international attention in 2010, when it published hundreds of thousands of documents pertaining to the U.S. wars in Iraq and Afghanistan. The documents, leaked by former U.S. Army intelligence analyst Chelsea Manning, revealed that the U.S. military had “killed hundreds of civilians in unreported incidents.” The leak is still considered to be the largest classified leak in history.  

Initially developed by Aaron Swartz, Kevin Poulsen, and James Dolan under the name DeadDrop, the platform was subsequently taken over by the Freedom of the Press Foundation in October 2013. As noted on the organization’s website, SecureDrop is “an open source whistleblower submission system that media organizations and NGOs can install to securely accept documents from anonymous sources.” Di Salvo highlights that the platform has become a standard in the whistleblower ecosystem, as reflected by the fact that the system is currently used by over 60 news organizations worldwide (“including The New York Times, The Washington Post, ProPublica, The Globe and Mail, and The Intercept”). The platform utilizes the encrypted Tor network. 

Another standard in the digital whistleblowing landscape, the free, open source software was developed in 2010 with support from the Hermes Center for Transparency and Digital Human Rights, an Italian civil rights organization. GlobaLeaks provides its users with software to “set up secure and anonymous whistleblowing initiative[s].” To provide whistleblowers with anonymity, the platform utilizes Tor, includes “robust security and legal features, such as free encryption software, and does not keep records of IP addresses or leave traces in web browsers.” As highlighted by RESET, GlobaLeaks has been used by a wide variety of entities, including by four French language media companies (Le Monde, La Libre Belgique, Le Soir de Bruxelles, and RTBF) to establish the whistleblower website Source sûre in 2015. 

Founded in 2017, The Platform to Protect Whistleblowers in Africa (PPLAAF) is a non-governmental organization (NGO) that aims to defend and support whistleblowers in Africa. PPLAAF provides whistleblowers, NGOs, media, and governments with legal assistance, media assistance, and advocacy and research. As highlighted by the non-profit Whistleblowing International Network (WIN), PPLAAF also “provides a secure web portal for sending information and documents.”  

Founded by the NGO Earth League International (ELI), WildLeaks is a whistleblowing initiative dedicated to environmental and wildlife crime. Launched in 2014, WildLeaks’ mission is to “receive and evaluate anonymous information and tips regarding environmental and wildlife crime, and then transform those tips into concrete action.” The initiative also provides potential whistleblowers with secure communication channels via Tor. Upon receiving information, WildLeaks may launch an investigation or share the information with trusted law enforcement agencies and media partners. As summarized by the organization, WildLeaks’ first priority is to “facilitate the identification, arrest, and prosecution of criminals, traffickers, businessmen, and corrupt government officials behind environmental crime, including the poaching of endangered species, the trafficking of wildlife and forest products, illegal logging and IUU (Illegal, Unreported, and Unregulated) fishing.” 

Founded in 2023, Climate Whistleblowers (CW) is a non-profit dedicated to protecting individuals “who expose wrongdoings that worsen the climate crisis.” The organization defines a climate whistleblower as an individual who “discloses information about abuses that worsen the climate crisis in order to protect the environment and public health.” As highlighted on their website, CW provides secure communication channels for whistleblowers. Additionally, the non-profit advocates for whistleblower protection by publishing articles and providing training to professionals and organizations.  

Founded in 2024, Psst is a “non-partisan, non-profit public service that helps people bring forward public interest information.” In addition to providing whistleblowers with legal and media support, the non-profit has also created a secure web portal—dubbed “Psst Safe” for submitting non-public information. Psst Safe is described as a “digital safe haven” for information of concern that allows users to remain anonymous and encrypts any uploaded information.    

Founded in 1997 by the American journalist Charles Lewis, the International Consortium of Investigative Journalists (ICIJ) is a network of “more than 290 of the best investigative reporters from more than 100 countries and territories.” Importantly, the network provides whistleblowers with secure communication channels, and “encourages whistleblowers to securely submit all forms of content that might be of public concern - documents, photos, video clips as well as story tips.” 

As highlighted in this blog, the whistleblowing landscape has evolved significantly since the first documented whistleblowing in the U.S. in the 18th century. The emergence of digital whistleblowing platforms like SecureDrop over the past two decades has transformed the whistleblowing process by providing sources with more secure online communication channels. By using Tor, whistleblowers can remain anonymous and improve their safety by hiding their IP addresses and browsing history. The number of online whistleblowing platforms has also grown to include platforms dedicated to specific causes, such as combatting wildlife crime and the climate crisis. The existence of such efforts once again highlights that while the dark web is home to extensive criminal activity, it is also used by individuals aiming to expose wrongdoings and can be a force for good.  



Threat Intelligence RoundUp: May

June 02, 2025

Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of what was the most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. FBI: Scammers pose as FBI IC3 employees to ‘help’ recover lost funds – Bleeping Computer

On April 18, 2025, the Federal Bureau of Investigation (FBI) released a public service announcement warning of an ongoing fraud scheme in which scammers are impersonating FBI Internet Crime Complaint Center (IC3) employees. According to the announcement, the FBI has received more than 100 reports of such impersonation scams between December 2023 and February 2025. The scammers have been observed impersonating IC3 employees while offering to assist victims of fraud. Read full article.

2. Europol Shuts Down Six DDoS-for-Hire Services Used in Global Attacks – The Hacker News

In a May 7 press release, Europol announced that Polish authorities arrested four individuals “who allegedly ran a network of platforms used to launch thousands of cyberattacks worldwide.” The suspects were linked to six DDoS-for-hire platforms, specifically Cfxapi, Cfxsecurity, neostress, jetstress, quickdown and zapcut. As noted in the report, the arrests were part of a coordinated international operation involving four countries and assisted by Europol. Furthermore, as part of the operation the United States also seized nine domains associated with booter services. Article here.

Researchers at Kaspersky’s Global Research and Analysis Team have observed IronHusky hackers targeting Russian and Mongolian government entities. IronHusky, a Chinese-speaking threat group that has been active since at least 2017, is using an upgraded version of MysterySnail remote access trojan (RAT) malware. Researchers identified the updated RAT “while investigating recent attacks where the attackers deployed the RAT malware using a malicious MMC script camouflaged as a Word document.” Read more here.

Researchers at Morphisec have observed threat actors distributing malware via fake AI-powered video generators. According to Morphisec’s May 08 report, the fake AI platforms are being predominantly advertised in Facebook groups. Victims who are lured into visiting the fake site are prompted to upload their images or videos to generate content. The users are subsequently asked to download the generated AI content—in attempting to do so, however, the victims unknowingly download a malicious ZIP archive instead (“VideoDreamAI.zip”). The file then installs the newly identified infostealer dubbed “Noodlophile.” Read here.

5. Police arrests 270 dark web vendors, buyers in global crackdown – Bleeping Computer

An international law enforcement operation dubbed “Operation RapTor” and coordinated by Europol has resulted in the arrest of 270 dark web vendors and buyers in ten countries. The vast majority of arrests took place in the United States, with a total of 130. In addition to the arrests, officers also seized €184 million in cash and cryptocurrencies, more than 2 tonnes of drugs, over 180 firearms, 12,500 counterfeit products, and over 4 tonnes of illegal tobacco. Learn more.

6. 3AM ransomware uses spoofed IT calls, email bombing to breach networks – Bleeping Computer

In a May 20 report, Sophos researchers outlined two distinct threat clusters using “’email bombing’ to overload a targeted organization’s employee with unwanted emails, and then […] posing as a tech support team member to deceive that employee into allowing remote access to their computer.” As noted in the report, Sophos has observed over 55 attempted attacks using this technique between November 2024 and January 2025. Among the tracked incidents was an attack carried out in 2025 by a 3AM ransomware group affiliate that used a similar email bombing technique; rather than calling via Microsoft Teams, however, the threat actors used a real phone spoofing the organization’s IT department. Read full article.

7. U.S. Charges Yemeni Hacker Behind Black Kingdom Ransomware Targeting 1,500 Systems – The Hacker News

In a May 1 press release, the U.S. Department of Justice (DOJ) announced that a Yemeni national was indicted for allegedly deploying Black Kingdom ransomware “on roughly 1,500 computers in the United States and abroad.” The 36-year-old suspect has been charged with “one count of conspiracy, one count of intentional damage to a protected computer, and one count of threatening damage to a protected computer.” According to the press release, the individual is currently believed to be residing in Yemen. Read full article.

8. Germany Shuts Down eXch Over $1.9B Laundering, Seizes €34M in Crypto and 8TB of Data – The Hacker News

In a May 07 press release, Germany’s Federal Criminal Police Office, the Bundeskriminalamt, announced the takedown of the cryptocurrency exchange platform “eXch” for alleged money laundering. According to the report, the operation took place on April 30, 2025, and also involved authorities seizing over eight terabytes of data and €34 million worth of crypto assets (Bitcoin, Ether, Litecoin, and Dash). Significantly, this is the “third-largest seizure of crypto assets in the history of the BKA”. Learn more.



Dark Web Under Watch: Regulation, Enforcement, and the Power of Threat Intelligence Tools

May 29, 2025

Government and law enforcement agencies are increasingly treating the dark web as a serious threat. Over the past five years in particular, takedowns of marketplaces and forums have become more frequent and coordinated—a welcome and long-overdue shift. While dark web enforcement isn’t new, it has clearly gained momentum and visibility in recent years. 

So, what exactly are government agencies and investigators doing to regulate, monitor, and stay ahead of dark web-enabled cybercrime? Let’s break it down. 

The short answer—so you can move on to the next section—is: no.

There are currently no laws that explicitly target the dark web itself. What we have instead are laws aimed at illicit activities commonly associated with the dark web. 

However, a proposed bill, the Dark Web Interdiction Act, would take meaningful steps. According to Congressman Chris Pappas’ website, the bill would: 

  • Increase criminal penalties for individuals convicted of trafficking illegal drugs on the dark web by directing the U.S. Sentencing Commission to enhance sentencing guidelines. 
  • Strengthen and make permanent the Joint Criminal Opioid and Darknet Enforcement (J-CODE) task force, which has coordinated federal, state, local, and international efforts since 2018. J-CODE has already led to hundreds of arrests, major drug seizures, and marketplace takedowns. 
  • Require a comprehensive report from the DOJ, DHS, and the Treasury Department on how cryptocurrency is being used on the dark web—plus recommendations on how Congress should address virtual currency in opioid trafficking cases. 

The U.S. has historically lagged behind in addressing cybercrime. This bill is a step in the right direction—especially when it comes to drug trafficking and interagency coordination. 

That said, some states do have laws that can be applied in dark web-related cases. For example, Florida Statute 934.215 – Unlawful Use of a Two-Way Communications Device—can be added as a charge when a suspect uses a device to facilitate a felony. To convict under this statute, prosecutors must show: 

  • The defendant used a device capable of two-way communication; and 
  • That device was used to further the commission of a felony. 

Even so, this statute doesn’t specifically target the dark web—just the tools often used to commit dark web crimes. 

With little legislative backing, the burden of confronting the dark web has largely fallen on law enforcement. So, what exactly are they doing—and how? 

Federal agencies are leading the charge, but state and local departments are getting involved as well. It seems like every week there’s a press release announcing the takedown of a forum, vendor, or marketplace. Here are the core tactics behind those headlines: 

  • Undercover Operations: Agents go undercover in forums and marketplaces, posing as vendors, buyers, terrorists, or traffickers to infiltrate criminal networks. 
  • Cryptocurrency Tracing: Investigators are using advanced blockchain analysis tools—often in partnership with private companies—to follow the money trail, even across anonymized transactions. 
  • Controlled Buys: Borrowing tactics from traditional narcotics work, law enforcement is conducting digital sting operations on dark web vendors. 
  • Cross-Agency Collaboration: Most major takedowns involve 6–9 agencies working together. Agencies like the FBI are also partnering with private-sector firms to build new intelligence pipelines and share valuable information. 

One of the most powerful tools in their arsenal? The Network Investigative Technique (NIT) search warrant. These warrants authorize the use of technical tools or code to identify users operating on anonymized or encrypted networks like Tor. Think of it as a legally sanctioned hacking method used to pierce digital anonymity. 

Silk Road (U.S. v. Ross Ulbricht) 

  • The first major dark web marketplace for drugs and services (launched in 2011) 
  • Ulbricht, aka “Dread Pirate Roberts,” was arrested in 2013 and sentenced to life (although recently pardoned) 
  • Paved the way for the rise—and fall—of copycat markets 

AlphaBay (Operation Bayonet) 

  • Became the dominant market after Silk Road’s fall 
  • Shut down in 2017 through a global operation; founder Alexandre Cazes committed suicide in custody 
  • Showed how effective international coordination can be in disrupting cybercrime 

Operation Pacifier / Playpen 

  • FBI took control of a child exploitation site and used NITs to identify users 
  • Led to hundreds of arrests and intense legal debate over warrant scope and privacy 

Hansa Market Takedown 

  • Dutch authorities secretly operated Hansa while AlphaBay was live 
  • After AlphaBay’s fall, users flocked to Hansa—unaware law enforcement was in control 
  • A strategic win that yielded a wealth of investigative intelligence 

Too often, investigators are taught how to access the dark web manually in training—only to be told by their agency that they can’t use those methods due to cybersecurity risks. That’s where DarkOwl steps in. 

DarkOwl allows federal, state, and local law enforcement to access dark web intelligence—without having to log in, risk exposure, or authenticate into hidden forums. 

From fraud and identity theft to weapons trafficking and the sale of stolen goods, DarkOwl’s data isn’t just for cybercrime units. It supports a wide range of investigations, such as economic crime, property crime, human trafficking, and missing persons cases, by providing: 

  • 🔍 Keyword searches across millions of dark/deep web records (emails, usernames, VINs, credentials, IPs, etc.) 
  • ⏱️ No direct access needed—reducing risk and operational overhead 
  • 📬 Real-time alerts when new mentions of targets appear 
  • 🤝 Multi-jurisdictional coordination, helping agencies work together to track threats and follow digital leads 

Whether you’re working a fraud ring using stolen credit cards, a counterfeit ID scheme, or a local burglary ring fencing goods on dark markets, DarkOwl gives investigators the intelligence and visibility to act quickly—and safely. 

In short, DarkOwl enables broader use of dark web intelligence, putting actionable data in the hands of every level of law enforcement. 

As threat actors become more anonymous and their tactics more complex, having access to tools like DarkOwl is no longer optional—it’s essential. 

While there are no current laws that directly regulate the dark web, law enforcement is adapting and responding aggressively. It’s an uphill battle—and it may never be fully “won”—but every arrest, takedown, and disruption counts. The more we invest in intelligence, coordination, and modern investigative tools, the better our chances of keeping communities safe in both the physical and digital worlds. 


Curious how DarkOwl can help you? Contact us.

What Happens If I Get Breached?

May 27, 2025

We all have a fear—or at least know of someone with a fear—of getting breached. And chances are, you yourself have been, or at the very least, know someone who has. But what is a breach, really? What actually happens when you or someone close to you becomes the victim of one? 

A data breach occurs when unauthorized individuals gain access to sensitive information—like login credentials, personal data, financial info, or private communications. These breaches can happen through phishing, malware, weak passwords, or exploiting security vulnerabilities. Once inside, attackers may steal, copy, sell, or leak your data—often on places like the dark web. The consequences can range from identity theft to financial fraud to long-term reputational damage. 

The sense of violation people feel after a breach is real—and often overwhelming. What follows is a quick personal story of someone who experienced this firsthand: an acquaintance trying to make sense of a data breach that impacted his family. 


I had an old coworker reach out to me a while ago. One of her current coworkers had recently had a loved one experience a breach, and she asked if it was okay to give him my contact information so we could talk through the options.  

When we hopped on a call, he informed me that his daughter had been breached and had given away her credentials for her bank, social media, and email accounts. He knew vaguely what was happening: he knew that the stolen information would probably be sold on the darknet, and wanted to know what he could do as a father: “Should I get a copy of Tails up and running? Am I able to find the data that was stolen?” (Tails is a Linux distribution built around anonymity.) “How do I even approach this? Where do I get started with the dark web?”  

I let him know that he could install the Tor Browser and start browsing around, but warned him that that’s problematic for a couple of reasons, one being the toll on your own mental state from some of the things you can stumble across when searching the dark web.

He was just at such an utter loss and unsure of what to do with the complete sense of violation that he was feeling. He did have some technical abilities as he’d been a software engineer. So I explained to him the process of some of these operations.

Even if he did learn the technologies required to browse the darknet safely, which is a non-trivial task, he’d still need to know where to go, which in itself is information that is shielded. Even if he were able to do that and find sites where stolen data is being brokered, the chances of finding his daughter’s data are very slim. While it’s true that some hackers will post the entirety of their breaches for cred, organizations that do this as a business will generally post a subset of the data they steal as a sample to entice buyers. The chances of his daughter’s information being in that sample are slim. But let’s say it was. Would he then attempt to purchase the data? Firstly, that’s very illegal, but also, there are no guarantees that the sellers won’t sell it to multiple people anyway. On top of that, if his daughter’s data was posted as a sample, it’s already out there for everyone who can see it.

All this to say: once it’s out there, it’s better to just assume it’s out there. With the major breaches of companies with millions of users that have been happening for years, it is safe to say that plenty of our data is already out there, yours and mine. It’s just the world we live in.

I gently told him that diving into the dark web in search of his daughter’s stolen data wasn’t just risky and likely futile—it also wouldn’t change the outcome. Once data is out there, it’s essentially impossible to retrieve or erase. In most cases, the better path forward is not chasing what’s already lost but protecting what remains. 

If you or someone you know has been breached, here’s what you can and should do immediately: 

  • Freeze or close any compromised accounts (banking, email, social media, etc). 
  • Change all passwords—not just the affected ones. 
  • Enable two-factor authentication everywhere possible. 
  • Monitor financial accounts and credit reports for unusual activity. 

And most importantly, take this as a chance to build long-term security habits. Teach your kids, friends, and coworkers to: 

  • Use a different password for every site
  • Regularly update passwords, even if there’s no sign of compromise. 
  • Think twice before sharing information, especially in response to unexpected emails, texts, or calls. 
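One practical follow-up to “change all passwords” and “use a different password for every site” is to check whether a password you are about to keep is already circulating in a known breach corpus, without handing the password itself to anyone. The Pwned Passwords range API works this way: the client sends only the first five hex characters of the SHA-1 hash and compares the returned suffixes locally (k-anonymity). The block below is an added example written for this page, not DarkOwl code or the Pwned Passwords client library; `fetch_range`, `breach_count` and the canned response table are this example's own, and the suffix counts in `CANNED_RANGE_RESPONSES` are constructed so the code runs offline. Against the live service, `fetch_range` would perform an HTTPS GET of https://api.pwnedpasswords.com/range/<prefix> instead.

```python
"""Breached-password check using the k-anonymity range pattern.

Added example, not DarkOwl code. Only a 5-character hash prefix is sent to
the server; the full hash and the password never leave the client. The
canned responses below are constructed for this example so it runs offline.
"""
import hashlib

# Constructed stand-in for the service's "SUFFIX:COUNT" lines for one prefix.
# Real responses may also contain padding entries with a count of 0.
CANNED_RANGE_RESPONSES = {
    "5BAA6": (
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1\r\n"
        "20A6A3C6C3CAAFDD1B9B3C5E3C8A0F1E3B1:0\r\n"
    ),
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the hash the range API is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(hexdigest: str) -> tuple:
    """k-anonymity split: 5-char prefix goes to the server, 35-char suffix stays local."""
    return hexdigest[:5], hexdigest[5:]


def fetch_range(prefix: str) -> str:
    """Offline stand-in for GET /range/<prefix>; returns the raw response body."""
    return CANNED_RANGE_RESPONSES.get(prefix, "")


def parse_range(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, dropping padding (count 0)."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def breach_count(password: str, fetch=fetch_range) -> int:
    """How many times the password appears in the corpus; 0 means not found."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(f"{candidate!r}: seen {breach_count(candidate)} times")
```

The lookup only ever reveals that the client is interested in one of the few hundred hashes sharing a prefix, which is why this check is safe to run on a password you intend to keep; a hit of any count at all should be treated as "change it".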

The best thing we can do in a world where breaches are increasingly common is stay vigilant, proactive, and prepared, not paralyzed by what’s already been lost. 


Curious what data is on the darknet? Contact us.

Weaponized Reality: How Deepfakes Are Changing the Face of Cybercrime 

May 22, 2025

It all started pretty simply. Back in the early days of the internet, scammers figured out that pretending to be someone else could be a quick way to make money. Remember the old “Nigerian Prince” email scam? A fake royal asking for help moving millions of dollars in exchange for a cut of the fortune? It was laughable in hindsight, but at the time, it worked—really well. 

Fast forward to today, and the game has changed completely. Thanks to AI and deepfake technology, pretending to be someone else has become disturbingly easy—and incredibly convincing. 

We’ve always believed in the idea that “seeing is believing.” That’s what makes video and image deepfakes so dangerous. These aren’t just edited photos or silly face swaps—they’re full-blown synthetic creations that can make someone look and sound like they’re doing or saying something they never did. 

Now imagine this: You get a video message from your company’s CEO asking you to send an urgent wire transfer. Everything checks out—the voice, the mannerisms, even the background looks legit. But it’s all fake. 

Or you see a photo online of a public figure in a controversial situation. It goes viral, causes outrage—and turns out to be completely manufactured. 

These are no longer “what if” scenarios. This is happening now. And the tools to create these fakes? They’re getting better, faster, and easier to use by the day. 

Here’s where things get really concerning: deepfakes aren’t just fooling people—they’re starting to fool machines, too. 

Many social media platforms and financial institutions rely on something called “liveness detection” to make sure the person on the other side of the screen is real. That usually means showing your face on a live video, submitting ID, and allowing the system to check your location. 

But threat actors are finding ways around it. On underground forums and in Telegram groups, there are step-by-step guides on how to fake your way through identity checks. Using AI-generated videos, virtual webcam tools, stolen images, and even custom code, scammers can trick systems into verifying a completely fake person. 

Why? To open crypto accounts that are nearly impossible to trace. To commit fraud. Or simply to vanish into the digital ether. 

Let’s make this personal. Picture this: it’s 3 a.m. Your phone rings. You’re half-asleep, but you pick up. It’s your daughter—or at least, it sounds like her. She’s crying, panicked. There’s been an emergency. She needs money. Now. 

You don’t even think twice. You send it. 

But it wasn’t her. 

That’s the scary part. With just a few seconds of someone’s voice—grabbed from a video, a voicemail, or a TikTok—AI can clone it so accurately that it’s almost impossible to tell the difference. These scams are targeting families, grandparents, and even businesses. And they’re working. 

This isn’t sci-fi—it’s happening all over the world. Here are a few real examples: 

  • $25M Fraud at Arup (2024) 
    Scammers impersonated the company’s executives on a deepfake video call and tricked an employee into wiring about $25 million. 
  • Fake CEO at WPP (2024) 
    Scammers used a deepfake of CEO Mark Read in a fake Microsoft Teams meeting to trick staff into giving up sensitive data. 
  • Joe Biden Robocall (2024) 
    A cloned voice of President Biden told voters not to vote in the New Hampshire primary—an actual attempt at voter suppression. 
  • Zelenskyy Deepfake (2022) 
    A video of Ukraine’s president calling for surrender during the war—completely fake, but temporarily believable. 
  • Nick Cave Crypto Scam 
    A man lost $130,000 after a deepfake of the musician endorsed a phony investment platform. 
  • Elon Musk & Martin Lewis Scams 
    Fraudulent videos of both celebrities have been used to push fake crypto deals online. 
  • AI Voice Scam on a Grandparent 
    A scammer cloned a grandson’s voice to con a grandmother into sending bail money. 
  • Brad Pitt Romance Scam (2024) 
    A French woman was duped out of €1 million after falling for a deepfake of the actor during an online “relationship.” 
  • Crypto KYC Bypass 
    Deepfakes and virtual webcams have been used to fool crypto exchanges’ identity checks and create anonymous accounts. 

Deepfakes are changing the rules. The line between real and fake has never been blurrier. Whether you’re a business, a parent, or just someone who uses the internet—being aware of these tactics is the first step to staying safe. 

Technology alone won’t solve this. We need better tools, smarter policies, and more digital skepticism. If something feels off, don’t rush—verify first. In a world where even your own eyes and ears can be fooled, a little doubt could go a long way. 


Follow DarkOwl on LinkedIn for more.

BreachForums Disruption Sparks Copycat Domains and Darknet Chaos

May 15, 2025

BreachForums abruptly went offline, prompting a wave of opportunistic copycat domains and widespread confusion within the dark web community. The shutdown—now allegedly confirmed via a PGP-signed statement by former administrators—was attributed to a zero-day exploit targeting the MyBB forum software. This vulnerability was reportedly exploited either by law enforcement or rival threat actors.

The most recent clearnet domain, breachforums[.]st, began returning a 403 error on or around April 15–16. Telegram channels affiliated with the forum and its associated onion service also went offline during this period. A message allegedly authored by “Anastasia,” one of the key administrators, hinted at FBI involvement, though this remains unverified. Speculation flourished across the darknet community, with theories ranging from insider betrayal to technical collapse due to outdated software and poor operational security (OPSEC).

Figure 1: BreachForums.st PGP signed message by its admins

Adding to the uncertainty, BreachForums’ backend was reportedly spotted for sale for $2,000, suggesting a deeper compromise. Notably, the site never displayed an official law enforcement seizure banner, which typically accompanies such takedowns.

Figure 2: Breached.fi site view on April 20, 2025

In the aftermath, a proliferation of clone and impersonation domains emerged—breached[.]fi, breachforums[.]uk, and others. Some, such as the .fi variant, were initially perceived as legitimate but were quickly discredited.

The threat actor Rey, reportedly connected to the Hellcat Ransomware group, exposed breached[.]fi as fraudulent. Around the same time, the Telegram-based hacktivist group Dark Storm claimed responsibility for a DDoS attack on the same domain. Other impersonators, including breachforums[.]af, .is, .im, and .lol, featured fake FBI seizure notices or links redirecting to law enforcement sites and suspicious database vendors.

Figure 3: Rey’s X Post Commenting on BF Chaos
Figure 4: Breachforums.im screenshot showing paid registration announcement

Some variants also demanded payment from users to access content, allegedly to prevent law enforcement infiltration.

On April 28, the original .st domain resurfaced with another PGP-signed message, confirming the MyBB zero-day exploit, denying arrests or data loss, and announcing a full backend rewrite. The message warned users that many of the copycat sites could be honeypots or phishing lures. A signature only settles the question of authorship if it verifies against the key fingerprint the administrators published before the outage; a statement signed with a newly minted key proves nothing about who controls the domain now.

Despite this message, rumors about the admins’ fate and the legitimacy of emerging replacement sites persisted. Several splinter groups and reboot attempts have since appeared:

Faction Backed by 888, Technically Led by 302:

Following the April shutdown, a new initiative emerged reportedly backed by the BreachForums user 888, with technical support from another user, 302. Infrastructure linked to this faction surfaced in leaks pointing to IP 176.65.137.250:19191. While specific goals remain unclear, their involvement signals growing fragmentation. Notably, 888 had previously claimed credit for the BMW Hong Kong data leak in July 2024.

HassanBroker’s Initiative (Funded by Rey)

Another reboot attempt came from HassanBroker, who registered multiple lookalike domains, including breach-forums[.]com, .net, .org, and breached[.]ws. Claiming ties to IntelBroker, Hassan framed the project as a tribute to the original forum. It allegedly received a $500 USD donation from Rey, but doubts persist due to questions around the maturity of the moderation team and operational competence.

“Momondo” Reboot Claim

A user under the alias “Momondo” declared intentions to resurrect BreachForums, citing ties to its original founder Conor Brian Fitzpatrick (aka Pompompurin). While distancing himself from figures like Anastasia and ShinyHunters, Momondo emphasized community trust and OPSEC. However, investigations raised concerns that “Momondo” may be an impostor, potentially representing a honeypot or scam.

BreachForums’ history is closely tied to law enforcement actions. Its roots trace back to its predecessor RaidForums, launched in 2015, whose administrator “Omnipotent” was arrested in 2022; BreachForums founder “Pompompurin” was arrested in 2023. As of this writing, no official law enforcement action or confirmed arrests have been reported in connection with the April 2025 outage, despite the emergence of fake seizure pages on copycat domains.

These developments underscore the increasing volatility and decentralization of cybercriminal ecosystems under sustained law enforcement scrutiny. The BreachForums community now finds itself fragmented—caught between operational failures, mistrust, and intensifying pressure from global authorities.

Figure 7: BreachForums Timeline

Recent events highlight the instability of darknet forums, even those with established reputations like BreachForums. Despite law enforcement pressure and internal conflict, such platforms often re-emerge in new forms. What shape the next version of BreachForums will take—and who will lead it—remains uncertain. DarkOwl will continue to monitor this evolving situation closely.


Don’t miss any updates. Subscribe to email.


What is Doxing?

May 13, 2025

Cybersecurity might as well have its own language. There are so many acronyms, terms, and sayings used by cybersecurity professionals and threat actors alike that unless you are deeply knowledgeable, have experience in the security field, or have a keen interest, you may not know what they mean. Understanding these acronyms and terms is the first step to developing a thorough understanding of cybersecurity and, in turn, better protecting yourself, your clients, and your employees.

In this blog series, we aim to explain and simplify some of the most commonly used terms. Previously, we have covered bulletproof hosting, CVEs, APIs, brute force attacks, and zero-day exploits. In this edition, we dive into doxing.

This blog aims to provide a comprehensive overview of doxing, its implications, and strategies to safeguard against it.

Doxing, derived from the phrase “dropping documents,” is the act of publicly posting PII and other data about an individual or organization without their consent. The practice dates back to 1990s hacker culture and today is carried out almost entirely online. Doxing is not in itself necessarily illegal; legality depends on how the information was obtained and how it is used. Much of the data shared is likely obtained from data brokers and social media sites, though some is obtained through illegal means. Regardless of the source, the purpose and outcomes are usually nefarious: online shaming, extortion, targeting, stalking, and hacktivist operations.

Anyone can be a target of doxing. Celebrities and politicians are frequent targets, as are employees of prominent organizations and law enforcement agencies and officers. For instance, during the 2019–2020 Hong Kong protests, both pro-democracy activists and police officers were doxed, leading to harassment and threats against them and their families. Another widely discussed example involves the Washington Post reporter who in 2022 revealed the identity of the person behind the “Libs of TikTok” Twitter account; the story was itself criticized as doxing and led to significant backlash. Business leaders and employees, especially those associated with contentious industries or decisions, can also be targets: a website named “Dogequest” reportedly published personal details of Tesla owners across the U.S., aiming to shame and intimidate them over Elon Musk’s political affiliations. Unfortunately, ordinary citizens can become victims too, especially in personal disputes, online arguments, or as collateral damage in broader conflicts.

Doxers use a multitude of sources and resources to dox. The graphic below is a great outline and resource from Homeland Security.

Although this information is merely posted online, it can have very real consequences for the individuals concerned. One impact is identity theft and financial crime: because a dox typically bundles everything known about a person, criminals can use it to commit financial fraud in the victim’s name. This can be difficult to detect and recover from, with funds often taken before the individual even knows their data has been shared.  

The posts can also cause reputational damage by exposing information an individual may not want shared with their friends and family. There is also the possibility that material could be shared which affects an individual’s employment status.  

Furthermore, this data can be used to stalk and harass individuals, some of the posts on Doxbin actively encourage others to target individuals. This can leave the victims open to threats of physical violence as well as the trauma of knowing that someone knows where they live and work and could attempt to contact them at any time. Victims are often also subjected to harassment through prank/harassing phone calls, spam emails, and online harassment and cyber bullying through social media. 

These threats can have a lasting emotional impact on individuals.   

Site Spotlight: Doxbin

In our marketplace, site and actor spotlight series, we highlighted Doxbin. You can check out the full write up on it here, which offers an in-depth examination of the controversial paste site known for facilitating the publication of personal information.

To summarize, Doxbin is a paste site that allows users to post personal identifiable information (PII) about individuals, often without their consent. Originally operating as a Tor-based .onion site, Doxbin has since transitioned to the clearnet and maintains an official Telegram channel, broadening its accessibility while retaining its association with underground communities.

Doxbin facilitates doxing by allowing users to upload text-based content related to individuals. The site claims to restrict content that is spam, child explicit material (CSAM), or violates the hosting country’s jurisdictional laws. However, in practice, there is minimal moderation, and information is often shared with the intent to target individuals.

The exposure of PII on Doxbin can lead to severe consequences for victims, including harassment, identity theft, and threats to personal safety. Victims may also be subjected to harassment through prank calls, spam emails, and cyberbullying on social media.

While it’s impossible to eliminate all risks, certain measures can reduce the likelihood of being doxed:

  • Limit Personal Information Online: Be cautious about the details you share on social media and other platforms.
  • Enhance Privacy Settings: Adjust settings on social media accounts to restrict who can view your information.
  • Use Strong, Unique Passwords: Implement robust passwords and consider using a password manager.
  • Enable Two-Factor Authentication: Add an extra layer of security to your accounts.
  • Monitor Your Digital Footprint: Regularly search for your name online to identify and address potential exposures.
  • Be Wary of Phishing Attempts: Avoid clicking on suspicious links or providing information to unverified sources.

Doxing represents a significant threat in the digital era, emphasizing the importance of proactive measures to protect personal information. By understanding the tactics used by doxers and implementing robust security practices, individuals can better safeguard their privacy and well-being. As always, if you are a victim of online crime, file a complaint with the FBI’s Internet Crime Complaint Center (IC3) at ic3.gov.


Curious to learn more? Contact us.

Copyright © 2026 DarkOwl, LLC All rights reserved.
Privacy Policy
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.