[Webinar Transcription] AI vs AI: How Threat Actors and Investigators are Racing for Advantage

October 14, 2025


During this webinar experts Jane van Tienen (OSINT Combine) and Erin Brown (DarkOwl) explore the evolving role of artificial intelligence in investigations and how it is transforming investigative workflows, the ethical challenges it presents, and how threat actors are exploiting AI for phishing, deepfakes, fraud, and propaganda. Learn why keeping the human in the loop is essential and how to build resilient, AI-aware intelligence practices.

NOTE: Some content has been edited for length and clarity.


Kathy: And now I’d like to turn it over to Jane, Chief Intelligence Officer with OSINT Combine, and Erin Brown, the Director of Intelligence and Collections with DarkOwl, to introduce themselves and start our discussion.

Erin: Thanks, Kathy. So yeah, we’re going to jump right in because as Kathy mentioned, we’ve got a lot of content to go over, but we’re just going to start with a brief introduction to who DarkOwl are, and OSINT Combine.

I’m just going to give the brief background on DarkOwl. As Kathy mentioned, my name’s Erin, I’m the Director of Collections and Intelligence at DarkOwl, so responsible for the data that we collect and also the investigations that we conduct. DarkOwl has been around since early, well, Vision since 2014, I think we’ve been around since 2012, and we primarily collect data from the dark web, from forums, from marketplaces, from Telegram, from Discord, and other sources where we’re seeing kind of what threat actors are talking about, what they’re selling, and some of the trends out there and making that data available to our customers. And if anyone has any further questions on DarkOwl, I’m sure Kathy can share some more information, but with that, I’m going to hand over to Jane. 

Jane: Thanks very much, Erin, and thanks, Kathy, as well. I’m really pleased to join you here on the webinar today, so thank you for inviting me to come along. So, good afternoon, everyone. My name’s Jane van Tienen, and I’m the Chief Intelligence Officer for a company called OSINT Combine. I’ve spent a career in intelligence, predominantly national security and international intelligence diplomacy, before more recently moving into open-source intelligence.

I’m assuming that most people on the call would probably know what open-source intelligence or OSINT is, but just to ground truth it, it’s intelligence derived from publicly available or commercially available information, rather than classified sources.

Today, Erin and I are going to be talking all about artificial intelligence, of course, but not just because of the way it enhances our capabilities of investigators and intelligence professionals, but also because of the capabilities of the bad guys that we investigate. But before we delve into that interesting topic, just a little bit more to touch on this slide here about OSINT Combine. We are a proud partner of DarkOwl. OSINT Combine is a global company, we’re US-owned, but Aussie-founded so, Australian-founded and veteran-operated. And we’re all about helping build enduring OSINT capability, which we do through our AI-enabled OSINT collection platform that’s called Nexus Explorer, our foundational and advanced open-source intelligence training, as well as thought leadership.

And so, our focus on building enduring OSINT capability means that our company is more than just about giving people great tooling, although, of course, great tooling is important, but we feel really passionately about making sure that people are able to use the tools, understand the tradecraft to operate effectively, safely, and ethically in their work. We work with clients similar to DarkOwl, actually, ranging from national security agencies through to global banks. And that means that we’re seeing OSINT practices, as well as increasing AI adoption up close in different kinds of workplaces.

And we’re sort of getting insights, therefore, into what’s working, what’s kind of breaking or tricky, and where practitioners and leaders are struggling in relation to these issues.

Before we get into the actual thick of the webinar today, I wondered if there might be an opportunity for us to do just a quick poll in the chat there, just to give us a sense about how many of you are already using AI in some form as a part of your workflow. I was going to see if I can have a peep in the chat while we do that. If there’s anyone there already using AI as a part of the workflow. And let’s go on to the next slide while people might consider that there, Erin. Thank you.

So, my point in asking that is really to observe that for many of us, AI isn’t really a future concept anymore, is it? It’s already embedded into a lot of our investigation workflows, whether we’re working law enforcement or intelligence investigations or even corporate due diligence. And really, it’s the necessity that’s driving that adoption. Every day, practitioners are using AI really to expand the human capacity for things, for all sorts of things, actually, like language translation, rapid entity resolution, network mapping, pattern recognition, even brainstorming alternative scenarios, which I really enjoy using AI for these days, as well as summarizing vast volumes of content and doing all of that within minutes.

In that context, particularly at, say, a government level here in the US, but also across allied governments, so think Five Eyes, as well as NATO member states, we’ve already seen some pretty strident language and strategic choices about how AI should be embedded into intelligence workflows. And that’s probably most prominent when we’re thinking about open-source intelligence workflows. A great example is here in the US in defense strategy, where we’ve heard, OSINT being referred to as the INT of first resort.

And of course, we know that when it comes to private industry, OSINT really is the INT of only resort. And so, I think that’s important to observe, because oftentimes, you know, the increased utilization of OSINT also means, hand in glove, the increased utilization and exploration of AI and AI-augmented workflows. So, the point being that regardless of sector, region or budget, really, our debate now has moved far beyond should we use AI to more about how do we use it wisely?

So, for investigations and intelligence work, we’ve always needed to ask critical questions, haven’t we? And those critical questions and those fundamental skills of tradecraft really haven’t gone away. But in an AI augmented workflow, regardless of purpose, the scope of those questions has absolutely expanded. And so, in understanding how to use AI to greatest effect, analysts and investigators must now not just interrogate the content or the information that they derive, but also the machines that help produce it.

And so, these areas on the slide, Brainstorming Partner, Research Support, Analytical Partner, Writing and Communication support, these are areas where OSINT Combine, through our work, we’re most commonly seeing AI being utilized as a part of OSINT workflows in various workplaces today. And indeed, the role of AI will continue to expand as technology evolves, no doubt.

I think the key issue is, though, that when deciding when to use AI in your work, the consideration really is about, you know, the accountability in decision making, and who owns the accountability in the decision making, because that is you, because it is always a human issue. It’s not to be, you know, for the machine. So, it doesn’t really matter at the end of the day how advanced our tools become. We cannot, in fact, must not remove the human from the investigative workflow. And so that’s what we mean when we say the phrase, keep the human in the loop, which we’ll be speaking to a little bit further in the presentation.

We have to remember that, as good as AI might be in any given moment, there are always going to be things that it cannot or should not do. And sometimes those boundaries are determined by governance frameworks that might exist in your organization or even your community of interest. We know that investigations and intelligence work, it lives and dies by its credibility. And so, no matter how advanced the tools we use, how great they are, our assessments are only really going to be of value if they’re trusted by those who rely on them. And so, the challenge is really one where AI can overwhelm with lots of different plausible outputs that can actually bypass some of the analytical tradecraft or critical thinking that we might apply otherwise. And so, when we receive an AI output response, the trouble is that it can look right, but it doesn’t always mean that it is. And so, within OSINT Combine, we’ve been investing a lot of thought, time and effort into how to most soundly incorporate AI into OSINT workflows, understanding what it can and cannot do, and knowing when to trust AI and when to challenge it. And it’s important that you do so as a part of your own investigative and intelligence products and to maintain your operational security online. And I’ve got an example of one of those resources that is freely available to download there on the slide, more to come on that.

If we look at the pros and cons of AI as it stands at the moment, I think these are fairly accepted in our industry and our collective work. And so there should be no surprises there, and I’m not going to go through every one of them. Some of these we will absolutely be showcasing in various means throughout the webinar.

But to pull the thread on one of these things in the Cons column there, which is a bit of a passion project of mine, if you like, and it pertains to role clarity, which is something that we don’t talk about as often as I think we should in this regard. And so, what I mean by that is that analysts, team leaders, decision makers, even boards, you know, each role in the decision-making chain or in the chain of command, if you like, really interacts with AI differently. Using AI to best effect isn’t really about only a practitioner level AI literacy or fluency, but it’s about the capacity of others as well as the organization and organizational system to understand it.

I think one of the most dangerous assumptions that we see in investigative work is this issue of mirror imaging, which is both believing that adversaries think and act like we do, as well as the fact that they don’t have the access to the same technology as we do. Unfortunately, not only do they have access to technology, the same as we do, but they also have a willingness to operate outside our own ethical and moral compass.

This is something not to be underestimated when we need to consider AI. The same generative models that we use to draft reports to identify patterns or detect anomalies are going to be used by criminal and extremist actors to fabricate personas or automate deception and manipulate narratives at scale. I think the real trouble is that AI makes generating some of these artifacts pretty trivial in some cases. And so, our tradecraft is really evolving beyond how do I find that needle in the haystack or how do I find the truth to now also include how do I recognize what’s been machine shaped to look like the truth. And that’s a really hard nut to crack. 

Erin, I wonder if we might hear from you now about some of the examples that you and your team are seeing sort of in the wilds out there, just to illustrate some of these points.

Erin: Yeah, thanks very much, Jane. As Jane has mentioned, we hopefully are all using AI as part of our workflows and investigations. But you know, the criminals, the terrorists, extremists are definitely using AI as well.

I’m going to run through kind of a couple of examples that we’re seeing of those using that technology.

But I think one of the key things that I want to start with is so far, at least I think in what we’re seeing of threat actors using AI, is they’re using it in the same way that we all are too, in that they’re using it to increase productivity, improve the output of what they’re working on. But it still requires that human intervention, right? And they still need to do things as a threat actor and have some experience.

You know, even if we’re talking about them using, vibe coding to create malware, they need to have a basic understanding of coding and how they do that to be able to do that effectively. So at least thus far, we’re just seeing them using it to enhance the types of attacks and operations that they were already doing. With I guess the one caveat to that being, deep fakes and the way that they’re developing and how good generative AI is at producing images and speech now is definitely becoming more and more of a problem.

But let’s dive into some examples of how exactly they are using AI. And I stole this from a Trend Micro report, but I think it nicely maps out kind of the different attack vectors and vulnerabilities that criminals are going after in terms of deep fakes but also using their own LLMs. And we’ll talk about that in a little bit more detail.

And we’ll go through some of these examples in more detail too. But, you know, things like business email compromise and creating more sophisticated and believable phishing emails is something that we’ve seen go on the rise, but also, you know, business compromise in terms of spoofing CEOs or executives through their voice, through their images, through Zoom calls, things like that is definitely on the rise. We’re also seeing, you know, more targeting of foreign victims. I think, gone are the days of the Nigerian prince with language that you don’t really understand, and you can tell quite quickly that it’s fraudulent just because of the fact that a native English speaker hasn’t written it. That’s not really happening anymore because they’re using AI to translate their messages and to create those images for them. We’re also seeing an increase in things like romance scams, sextortion, CSAM, unfortunately, and virtual kidnappings and things like this. So, using AI and what we would maybe traditionally think as the cyber realm for more real-world effects. And some of those are having really awful consequences on a lot of people. And so, something that we all need to be kind of aware of and how to deal with.

I mentioned there are criminal versions of LLMs. These are based usually on the, you know, open source or other LLMs that we’re using out there, things like ChatGPT that have been made freely available. But they’re basically getting rid of the guardrails that these companies have put in place around this AI to try and combat the technology being used for nefarious purposes.

WormGPT is one of the models that came out fairly early. I think it’s been around for a year or two now. And this is taken from a darknet web page where they’re advertising it. And one of the interesting things and one of the reasons I wanted to raise this is you’ll see that they’re advertising it very much in the same way that, you know, OpenAI or Perplexity or those other, you know, ethical companies, I hope, are kind of putting this out there. So, they’re telling you it’s a game-changer, you know, what it does, how it can help you.

It has pricing plans. You can get different plans depending on your expertise and kind of what information you want to use it for. And then you can see that they’ve got it on the command line as well. So, they’re able to see it. They call it the biggest enemy of well-known ChatGPT. And it allows you to kind of do all of those malicious things without the guardrails that you will get in those more legitimate services. So WormGPT is one.

Another one is FraudGPT. And this kind of does what it says on the tin. It’s really helping threat actors to conduct fraud. And it’s, you can see at the bottom, it’s not just the LLM. They’ve also got testing, cracking, access tools. So, they’re trying to build a whole ecosystem around offering this, to be honest, as a criminal enterprise.

And again, you can see that they’re advertising it on their site. This is another dark website where they’re talking about the different ways that you can use it. So, you can create phishing pages. You can create hacking tools. You can write scam pages. You can find leaks. And some of these things in here are things that we as investigators might want to do, you know, finding leaks or finding, you know, vulnerabilities from a red team perspective. And AI can help you do that. But I think the thing to think of, and to Jane’s point about, you know, is that threat actors have access to this technology too. And they are using versions of these tools in some cases that make it easier to find some of those things than maybe we have as investigators.

And again, this is just the FraudGPT pricing. So, you can see they have a breakdown of a lot of different tools and accesses that you can get.

They really are selling this as a service, as a way to give other threat actors that maybe aren’t up to the task.

And this was also taken from the FraudGPT site. You can see this is a kind of a chatbot telling them kind of how to put the prompts in to be able to get some of this information back. So, the top one is, “write me a short but professional SMS spam text I can send to victims who bank with Bank of America, convincing them to click on my malicious short link”. This really feeds into that kind of phishing kind of attacks, where this is one area where we’re seeing AI really kind of increase the sophistication, for want of a better word, of those types of attacks, just in terms of it’s making it a lot harder for victims to identify when they’re receiving these malicious emails, or SMS messages, based on the way that they are written. And you can see it’s fairly simple for them to kind of put in these prompts and get that kind of information back that’s going to assist them with that.

And these are just some shots of kind of threat actors actually talking about this technology on various forums that we collect on the dark web. So, you can see there’s threads talking, you know, about FraudGPT and what it can do for you and how it can help you. We can see things on Russian hacking forums as well, and that’s been used. So, they’re talking about useful AI, which ones are the best. So, we’re seeing them talking about different methodologies and how they can use this as part of their workflows as criminals. And then you can see them talking as well about kind of the different services that are out there. So, the bottom one’s very hard to see, but they’re talking about Grok. It’s not just ChatGPT, they’re talking about a lot of the other kind of AI services that are out there as well. This is just to show that, you know, the same way we’re, you know, having this webinar and talking about uses of AI and how AI can help us in our workflows and our investigations, the threat actors are talking about that too. And we are seeing that kind of pop up on forums.

We have also seen AI being used as part of attacks. I’m not going to delve into this hugely because it’s not really kind of on the dark web side of things, but this is just kind of an article highlighting how Grok AI was used to bypass app protections and spread malware to millions. We are seeing more and more of this. We are seeing, you know, ransomware strains being developed using AI or having kind of some AI implementation as part of them. And I think this is something that we expect to rise as, you know, the technology becomes more widely used and I assume continues to increase in sophistication. We are going to see a lot more of these types of attacks and it is going to become an attack vector in cyber as we kind of move on with that. I just kind of wanted to mention that as a side.

I’m going to dive in now into some specific examples of how this is being used. Starting off with criminals, I’ve kind of already touched on this, but we’re seeing it very much in phishing, social engineering attacks, romance scams, and also for defeating KYC to get into kind of financial fraud.

We’ll go through those in a little bit more detail. This is an example of an advertisement on Telegram. This is a service where they are offering an AI face builder. It will create a unique face and then you can use that for whatever you need. So, this is being used, we’ve seen this being used for defeating KYC.

You can see you’re swapping faces on photos and videos so that you can look like you’ve got your ID card. For those organizations where they ask you to take a picture of yourself with your ID, this is kind of helping them to kind of combat those checks and balances that are put in place. But we’re also seeing these kind of face builders and generators being used in sextortion as well, and I’ll kind of touch on that in a bit. But you can see kind of how this is part of the business that they’re offering. You can get a tutorial; they give you kind of free services to start off with to test it. You can do bulk processing and purchasing credits. So, it is kind of interesting how they’re using this going forward.

This is another discussion on a dark web forum talking about FraudGPT, but I highlighted it here because it’s saying this is what it’s going to help you do. It’s going to help you write phishing emails, develop malware, forge credit cards. These are the types of activities and crimes that are being posted as AI will be able to help you to conduct these types of crimes.

This is also another news article that I came across in terms of them using deep fakes to spoof a celebrity. The individual that was spoofed is an actor in a US soap opera.

His videos were generated and being sent to a woman based in California, and he was able to scam several thousand dollars out of that individual by asking for money and kind of creating a relationship with this victim by pretending to be this famous soap actor.

This one I don’t think did have a romance angle, but this is very much how romance scams can be operating with the use of AI as well in terms of them generating fake videos of fake individuals or pretending to be a celebrity, impersonating their voice, but obviously getting them to say things that they would never say and targeting individuals to get them to send them money, usually via cryptocurrency. And there has been a huge increase in this, and a lot of celebrities are being targeted in terms of their likenesses being used via social media to target victim to get that financial fraud out of it. And I don’t actually have the video to play here. This is a screenshot. But if you see any of these videos and to Jane’s point about like how do you identify this information, they’re very realistic. It’s very difficult for people to identify that this might not be real, especially I think for some of those victims that might be more vulnerable and not as savvy to be open to this technology, but also these kinds of attacks. 

These are some more advertisements from Telegram, but this is more related to social engineering services that they’re providing. So Purple on the right, you can see that they’re doing call protection, but they’re generating ultra realistic voices via AI. They’re offering different tones, male, female, neutral. And they’re using these voices to spam people basically to have these calls to try and get people to hand over their money. They’re providing this as a service to people so they can use these different voices to scam unsuspecting individuals. So, you know, it isn’t, I think when we think of phishing, we tend to think of emails or maybe SMS messages, but I think more and more phone or video messages are going to become more of an issue with the advent of AI.

On the left-hand side as well, this is kind of more of the business email compromise where they’re kind of talking about all the different ways that they can make sure that an email campaign would be successful, including AI powered optimization. And I think to go back to, you know, it’s the same way, you know, that we’re using this in our everyday life, the criminals are using it. I mean, you could have an SEO marketing company that’s kind of saying the same thing to businesses that want to kind of advertise their services. But from the threat actor side, if you put the different slant on it, they are using AI and customizing email addresses to make sure that you can spam people more successfully and conduct those financial crimes. It’s interesting how it’s being used in a similar way, but, you know, with a lot more malicious intent than the rest of us would be using it.

Moving onto sex-related crimes, I think this is a really important one and one that people don’t always necessarily think of or sometimes think that there isn’t a victim if it’s AI-generated, but that’s definitely not the case. I think the main areas where we are seeing AI being used is child sexual abuse material, CSAM, and generating images relating to that, human trafficking, and sextortion and romance scams.

To highlight the AI generated child sexual abuse material, you know, Europol have made arrests quite recently related to this and put out information about it.

But a lot of people are using AI to generate fairly real looking videos depicting CSAM. And there are still victims in this because the individuals that are watching this material may go on to also target children in the real world, but also, they need to train these models and create these images based on something. And so, there are children that are still being victimized by this kind of activity, and it is making it more prevalent.

It’s something that I think is really important that we are able to stop. And it is becoming, you know, more and more sophisticated. And I think this quote from the IWF, Internet Watch Foundation, is probably a little bit out of time now, but saying that, it has progressed at such an accelerated rate that they’re very realistic examples of videos depicting this. And I think we are seeing those very realistic videos and images being distributed across the dark web and other sources at this time. It’s definitely something that obviously we need to stop.

Human trafficking, I think people might not necessarily equate AI with human trafficking and see exactly how it’s working. This map actually just shows human trafficking victims across the world. It isn’t specific to AI, but I think I wanted to highlight kind of how much of an issue human trafficking still is. This is from Interpol.

But also, in terms of how we’re seeing AI, it’s being used to generate fake job advertisements. So, kind of as part of that initial phase of the human trafficking of enticing victims in and generating material that’s going to make them think there’s a believable job or there’s kind of a believable activity that they want to be involved in and kind of suckering them into that whole industry. It’s also being used to bribe people in terms of generating false sexually explicit images for victims of human trafficking and using that to really kind of enforce the activity that’s going on.

And that brings us in the same vein to sextortion. In a lot of cases, AI is being used to generate images of individuals and then extort money from them. So basically, creating nudes or sexually explicit images of individuals, it’s not them, it’s AI-generated, their face has been put on it, but threatening to share those images and say that they are real with their friends, with their family, with their colleagues. It’s really prevalent against young people using social media vectors, so things like Snapchat, Instagram, things where images are shared quite a lot, but it is targeting people of all ages and it is targeting both females and males, and it’s really, you know, an awful kind of practice. There have been noted suicides of people that have been targeted by these types of sextortion attacks. So again, it’s going back to how can people identify that these images aren’t real. You know, the victims feel that they look so real, even though they know that they’re not because they haven’t shared that material with them, that they’re so worried about this that they are paying these people. And there are, unfortunately, fairly well-organized criminal groups that are kind of doing this on a rotation basis, trying to kind of build up these relationships with these individuals, generating these images and getting this money from them. It is becoming a real huge issue, as I said, particularly among the younger generation.

We’re also seeing AI being used by terrorist organizations and extremist groups. It’s primarily being used, I would say, for propaganda, but also disinformation as part of those propaganda campaigns, and putting a lot of that information out there. We’re also seeing them using it for translation a lot to make sure that they can reach individuals in multiple countries to bring them into their extremist beliefs, and also generating images, again, with propaganda and disinformation in mind. But some examples of that, this is taken from an ISIS chat group. You can kind of see, blurred out in the back, the ISIS flag, but it’s an AI-generated image on an article about building bombs. So, part of their propaganda, part of their education of individuals, they’re using AI to make this look kind of more believable and kind of draw in individuals. So that’s kind of one aspect we’ve seen.

This is another one that kind of looks, you know, real if you don’t know what to look for, but it’s Iranian terrorists claiming that they crashed a plane into Disney World in Anaheim. You can see the Disney castle in the background and the crashed plane. I would argue the plane isn’t that realistic because planes don’t tend to crash backwards. But it’s highlighting that propaganda. It’s kind of incentivizing people to go after these kinds of targets. They’re putting ideas in people’s minds, using AI, of ways in which you could, you know, go about conducting attacks. And that’s something we need to be very mindful of.

This is a video that was put out with Hamas. So, Hamas talking, again, this was not a real video, but it looked like a news conference of Hamas leadership talking about the Israeli army and how they wear diapers because they’re stationed for so long, and that led to generated images of, you know, Israeli forces wearing diapers, which in some cases look quite authentic.

I mean, I think most people would see this as a joke, but obviously there, you know, there can be more concerning ways in which people go about producing these kinds of generated images. But to the point where they even had a TikTok video that was going around that went viral where an Israeli commander was talking about the nappy. So again, they were impersonating him and getting him to speak as if it was him to kind of try and back up the story that was put out there. And this is obviously all put out there to undermine Israel, from the Hamas terrorist group. So, you know, it’s that disinformation. This one, obviously, I think most people would not believe, but they are putting things out there that are much more believable, and it’s making it very difficult for people to understand what is real, especially in these times of kind of conflict.

And with that, I’m going to stop talking and hand it back to Jane.

Jane: Thanks, Erin. What you’ve demonstrated there in that kind of collection of examples is just the fact that, you know, AI, unfortunately, can increase the sophistication of a lot of bad actors really quickly. And so that can make our jobs, of course, really challenging.

So, we won’t necessarily do the poll now in the interests of time, but I’ll still talk through it because I think it’s interesting in the fact that, you know, when you reflect on these kinds of questions yourself, thinking about your own environment, whether, you know, your biggest challenges relate to some of the synthetic media that Erin sort of spoke about, or perhaps it’s the scale of all of the things that you’re challenged with, and in some cases even organizational readiness and maturity can pop up to being a big challenge for some practitioners and workplaces. But I think what is really interesting, just to kind of emphasize your point there, Erin, is that this question really is one where the risks are kind of symmetrical in the sense that the same capability that helps us as practitioners, investigators, analysts, whatever, in terms of automation and language generation, pattern recognition, it’s exactly what the threat actors are going to be using against us. And so, there’s an absolute need that we ensure that we have high levels of literacy when we’re kind of engaging in our work today. Because AI itself, it’s not inherently malicious or benevolent, really. What determines that is the outcome of its use and how well we govern it and verify and all of those kinds of things.

I think a lot of these are making things extremely difficult for practitioners, and we can see a world where sometimes we might simply not be able to verify whether something is true or not, and that’s sort of the future that we’re looking at. But at the moment we’re not quite there, and so there are certainly some techniques that we kind of encourage you to consider. Let’s have a look at the next slide, Erin.

I think one of the key things, at least at OSINT Combine when we’re talking about this challenge, is that, you know, we really are talking about the analyst requiring stronger discernment, which references the fact that we acknowledge that AI gives velocity and capability in a way that perhaps threat actors didn’t have before. But also, analysts must maintain this skill for validation and be the purveyors of veracity as much as possible.

We think the most effective lens to kind of look at this is a multi-modality kind of approach, if you like, that blends both traditional verification and analytical tradecraft with AI-aware cues. And so, we acknowledge that this can be a difficult task, of course. Certainly, in some of those disinformation examples, Erin, that you provided, analysts are going to be required to perform validation and verification, as well as potentially some really detailed content and metadata analysis. So, you’re adding on to your traditional analytical tradecraft tool sets around critical thinking and some of your analytical practices; you’re adding onto that some quite technical skills when it comes to sort of unpicking content and metadata analysis. But we think that it’s doable at this stage if you break it down. And so, we favor kind of practical steps and some guides for that process, such as inauthentic content analysis maps, which we’ve written blogs about, and you can check those out on our website. And so, I’ve put some key examples there around anatomical artifacts and reverse retrieval and those kinds of things, which of course are always going to be helpful. Provenance chain is also super interesting for us when we’re kind of considering how something has proliferated online and where it was created and so forth.

But for me, I can’t get my head out of this space of the meta questions, and I think that’s got to do largely with my traditional intelligence training. And so, the questions that I always come back to, in addition to some of these AI-aware cues, are things like, “What would I expect to see if this were true?” And so that has me going to actually look at some of the context, which is still super important to us. And the other question I like to ask when I’m considering the adversary is, “Well, what would my adversary need AI to achieve here – would it be scale, speed or story?” And that really speaks to intent, capability and, you know, the motivation factor, of course, which we always need to maintain an eye on. But having the AI helping us out, as well as applying some of that human validation and verification activity, is a real emphasis, I think, to ensure that the human remains in the loop. Really, we want our analysts to think critically, act ethically, and adapt intelligently alongside the machine that they’re working with.

There are some resources, all available to you to download from the OSINT Combine website, and there are certainly more available. Let’s look at some key takeaways.

I think what we’ve been able to demonstrate today, on the basis of numerous examples across different kinds of crime types and actor groups, is that absolutely adversaries have access to AI and they’re not afraid to use it. And they’re certainly experimenting with it, just as we are at the moment too. Human in the loop remains essential. We’ve discussed that. And there’s an importance there for layered verification. So not just trusting one modality over the other, but kind of really thinking quite deeply about, well, what are the different kinds of ways that I can speak to reliability, relevance, credibility, and consistency when I’m looking to verify information. And as a bonus tip, always thinking about, hey, some of these deepfakes, particularly the voice synthetic media that you identified, Erin, are becoming pretty sophisticated. And so, there is an element here to prepare for the inevitable, in terms of preparing your organization to harden against impersonation and to prepare a playbook, if you like, about what happens if. And so, I think we can’t really avoid that.

I can see we’re at time. Kathy, I wonder if we pass to you and more than happy to take questions offline and respond to people if there are any, but over to you for final words.

Kathy: Sure, we do have a couple of questions that have come in. If you two want to go ahead and address them now, we can address the two that have come in and if any others come in, we can address those offline later if that would work.

Jane: Yes, I think that’s fine for us. I can see Erin nodding. So please, please fire away. And of course, if people need to drop off, they can, and they’ll receive the recording.

Kathy: Sure. So, the first question is, how do you brief leadership when you suspect synthetic media but can’t prove it?

Jane: Yeah, we get asked that one quite a bit, Kathy, and Erin, you might have thoughts on this too, but I think I still go back to this factor about how you need to sort of explain confidence, not just certainty, to the leadership group. And so that means being really transparent about what you do know and what you suspect and what’s unverified, and being open to being contested about that too. So, you know, you have to sort of be professionally honest here. So, we want people to sort of show, you know, their reasoning, how they came to a particular conclusion; it could be, you know, to identify the anomalies and maybe even network behavior or some kind of thing that was flagged during the analysis. But I think it’s also really useful for leadership to sort of say, hey, if this is genuine, then here’s the impact, because that’s essentially what the leaders need to know, the impact, so that they can act accordingly. And then vice versa, well, if it’s fabricated, here’s what, you know, we know that the adversary is trying to achieve against us. And so, both of those things are actually really important, I think, for all leaders to know about.

Erin: Yeah, I’d just add to that. I think I agree with what you’re saying, Jane, but I think just transparency, I think, you know, outside of AI, when we’re talking about intelligence and the things that we find, just because something is low confidence, or, you know, we haven’t been able to verify it with a lot of other sources, doesn’t mean it’s not something that should be shared and should be part of the intelligence package. So, I think it’s just making sure that we’re using those traditional kinds of ways of how we do assessment and not doing anything different just because it’s AI.

Kathy: Great, thank you both. And kind of piggybacking on that a little bit. What’s your protocol for documenting AI’s role in your findings?

Jane: Yeah, I mean, I think it’s really important, Erin, and you were just sort of touching on it then, weren’t you? Like, just because we have AI now in the mix doesn’t mean that we’re going to be throwing the baby out with the bathwater when it comes to analytical and assessment tradecraft. All of that still applies, but we need to be professionally honest and transparent about when and how AI is being utilized throughout the process. And so actually, you know, in the US, there’s some strong guidance around this point for the US intelligence community, but OSINT Combine has actually produced a best practice guide for citing AI that’s just for anyone. So, you don’t have to be intelligence community, it could be private sector, but really it’s about accountability through transparency, essentially. And so, you want to be pretty transparent about how AI was utilized as a part of your assessment, what tasks it supported, where the output was validated, and where the human analyst made the final judgement. So typically, I see almost like a short provenance note or some kind of disclaimer in the methods section of analytical reporting now; that’s not uncommon. But we really need to be transparent, to your point, Erin, earlier.

Kathy: Great. Thank you. That is all the questions that have come in to us right now, but we do have up on the screen contact information for both Jane and Erin, if anybody has further questions, or they’d like to reach out to us.

And I’d like to thank Jane and Erin for an insightful discussion today. As a reminder to all of the attendees, we will be following up via email with a link to the recording and other resources. And we thank you all for joining us for this webinar and we hope to see you all again at another webinar in the future. Thank you.

Jane: Thank you.


[Webinar Transcription] New Regulations and What They Mean for Your Supply Chain

October 07, 2025

Or, watch on YouTube

This fireside chat, “New Regulations and What They Mean for Your Supply Chain,” features legal expert Rich Hanstock and DarkOwl’s Lindsay Whyte as they unpack the evolving cybersecurity regulatory landscape across the UK and EU. The discussion explores the shift toward mandatory, continuous, and ecosystem-based compliance, highlighting key regulations such as the EU Cyber Resilience Act, NIS2 Directive, and the UK’s Cyber Security and Resilience Bill. With increasing supply chain complexity and heightened accountability, the speakers examine how organizations can proactively manage risk, leverage threat intelligence, and prepare for upcoming compliance deadlines—all while navigating the broader implications for cybersecurity professionals and industry resilience.

NOTE: Some content has been edited for length and clarity.


Kathy: And now I’d like to turn it over to Lindsay, a Regional Director for DarkOwl, and Rich Hanstock, Barrister and founder of pwn.legal, to introduce themselves and start our discussion.

Lindsay: Thanks very much, Kathy. The aim of today’s session is to shed some light on the regulatory landscape as it relates to cybersecurity practices in the UK and Europe. And obviously from DarkOwl’s perspective, we’re always keen to share how our technology and ever-evolving collection approach meets these regulations. But today, it’s important to spend a bit of time setting the scene, I think, and stepping back a little, because there are a few things at play here which affect many more professionals than just those involved in DarkInt collection and threat intelligence.

So perhaps, Rich, I can start by asking you, as a specialist legal professional in the world of cybersecurity and data privacy: what is the regulatory landscape right now with regards to cyber resilience?

Rich: Thanks, Lindsay. I think it’s quite an exciting time to be talking about this. Jurisdictions around the world, it seems to me, are converging around this idea of the challenges and risks of cybersecurity being shared, rather than seeing responsibility concentrated in states or in a few larger kind of critical infrastructure type organizations. Take CrowdStrike, for example. Events like that surface into the popular imagination the sheer extent of hidden dependency on technology, much of which is not readily understood by or foreseeable to the average person, and we’re seeing vulnerabilities in systems in ways that are not necessarily well understood either. But what is understood is that when it goes wrong, even for one company, even if that company isn’t currently a household name, that incident can have ramifications for a vast number of people outside that one organization. And so, if that keeps happening, and I think we have to assume that it will, that has the potential to erode the sense of security that many of us at least are fortunate to depend upon. Some of us maybe take it for granted. And when that happens at scale, it can become a national security issue. But the challenge is just so huge. And fundamentally, I think governments are realizing that the cybersecurity challenge is too big, too great, too rapidly evolving for states alone to solve.

So, for the last few years in the kind of cyber policy space there’s been a discussion around what’s been termed a ‘whole-of-society’ approach to cyber security, and this idea of partnerships, not just between states and those key kind of private sector organizations that are deeply embedded in the infrastructure of the internet and so on, but critically of cooperation within the private sector, between and across markets and sectors and jurisdictions, with the focus really being now on assuring business continuity, data security and integrity, so as to project confidence to end users and to other businesses that everyone’s working together to help to keep the lights on globally.

So, to answer your question, I think it’s the recognition in policy of a need for that whole of society, everyone working together in partnership approach to cybersecurity that is driving this kind of shift in the regulations towards focus on the supply chain, ensuring private sector organizations of all shapes and sizes are taking the threat seriously, not just to their own backyard, but looking outward to their dependencies in their supply chain as well. There’s a sense, I think, that regulators need to have the power to ensure that more organizations are thinking about business continuity and security with ever broader responsibilities and so on. But it’s all about enhancing our collective security.

Lindsay: Yes, I see what you mean. And what are you saying, then, is the sort of general direction of travel on that basis?

Rich: Again, it’s broadly the same idea, right? More accountability for cybersecurity throughout life cycles and throughout the supply chain. Whilst there is alignment around that central idea, national implementation is creating complexity for multinationals. And I think that there are effectively three big key shifts that I want to talk about.

First of all, we’ve got the shift from voluntary standards to kind of mandatory standards, at least for those who are in scope. Historically, cybersecurity standards have been kind of largely self-regulated. You can get ISO certified, adopt various frameworks, get your Cyber Essentials and so on. All of it’s really good practice. Sometimes you see those kinds of certifications as being conditional upon kind of eligibility for a contract. It’s kind of a compliance requirement. But fundamentally, they’re voluntary. And what we’re seeing now is regulators kind of saying, well, if you’re in scope of our regulatory powers, that’s not going to be enough. You need to have these as kind of a minimum baseline. And that’s why we’re seeing kind of legal duties of care being put on kind of manufacturers and operators, as well as just the critical infrastructure providers. That’s shift one, voluntary to mandatory.

The second shift is a move from point-in-time security and assurance to more continuous monitoring and assurance, which is kind of linked to the first point. It’s not performative, or supposedly, it’s not just performative. You need to be taking this kind of focus on effectiveness and outcomes rather than just ticking boxes. So, for example, under the CRA, the EU’s Cyber Resilience Act, you don’t just certify a product is secure when you launch it; you’ve got ongoing obligations throughout its life cycle. So, if three years after release a vulnerability emerges, and it’s being exploited, and you become aware of that, you’ve got specific notification timelines to the relevant authorities that are pretty sporty, actually. And that fundamentally changes what compliance looks and feels like inside an organization. It’s not just, okay, we’ve got a certificate on the wall, big tick. It’s a continuous operational responsibility. That means that you have to understand the threat environment as it evolves. So, voluntary to mandatory, point in time to continuous.

Thirdly, from perimeter thinking to more ecosystem thinking. It’s this idea that traditionally compliance is focused on your backyard, within your fence, your organization’s security. These new regulations effectively make you responsible, to an extent, for understanding your own suppliers’ security. And in some cases, your suppliers’ suppliers, this kind of idea of nth-party security, where does it stop; you’re now accountable for risks that you might not even have visibility into at the moment. There’s kind of a question about underwriting your ability to discharge your own responsibility by getting insight into what your suppliers are doing. That’s part of the challenge, in effect. And critically, the penalties are getting bigger and sharper teeth, you know, like 15 million euros, two and a half percent of turnover for CRA; that really changes the conversation in the boardroom. And that will hopefully empower CISOs and certain people who are responsible for compliance in this space to be stepped up and listened to, and maybe have more budget than typically they’ve had previously.

Lindsay: That’s such a good point because there are now just these endless strings of supply chains in this day and age. Why do you think these changes are happening then?

Rich: Well, I think primarily it’s the incidents that I mentioned. We can list them off all day, SolarWinds, CrowdStrike, JLR, MLS; these weren’t necessarily isolated attacks on single companies in terms of the way that the impacts were felt. These were supply chain compromises that kind of cascaded across many people, many different organizations, and I think we have seen regulators watching companies with quite sophisticated security programs getting breached because of vulnerabilities in third-party software that they maybe didn’t have any, or enough, visibility into. That goes back to the point I made a moment ago about perimeter-based security just not really working when the threat enters through your supply chain. We’ve also got, because of that kind of cascading effect, the kind of sense of market failure, where cybersecurity incidents are what economists might term a negative externality, right? When a product is insecure, it’s not the manufacturer alone that bears all the cost; customers suffer the impacts of breaches, critical infrastructure is disrupted, but the manufacturer’s liability might not necessarily capture what is regarded by the sort of person on the street as being fair. The idea is that if markets aren’t naturally optimizing for security because of the externalization of some of the cost, there’s a case for regulation stepping in to correct that market failure. I think regulators are trying to use the law to internalize those costs, to kind of make manufacturers and operators bear the true cost of insecurity.

Which actually leads me onto another important point, which I think is often overlooked in this space, which is the insurance market. There has been a lot of conversation about this around the JLR incident. Insurers, I think, have historically struggled to price risk effectively, to understand the risk, because there’s no kind of standardized way to assess security practices across supply chains, and I think without baseline security standards there’s a risk that the risk transfer mechanism kind of breaks down. So, look at the discussion around insurance and JLR: would the insurance that JLR was criticized for not having picked up even have been sufficient? Maybe not, right? And to the extent that that reflects a gap in the market, I think we’re going to see the insurance market mature, partly as a consequence of these regulations, partly as a result of the incident and the discussion that is now going on about it.

It’s not just about preventing breaches is my point. I think these regulations are also about creating more predictable risk environments so that insurance markets, ultimately capital markets, can function more effectively. So, without that predictability or that ability to understand what’s going on in the supply chain, where the dependencies are, where the vulnerabilities are, there’s a risk that the digital economy is more unstable than we would like it to be.

Lindsay: And on that question of the new regulations, could you talk a little bit more about what they are saying?

Rich: Sure. I mean, there’s a lot of them. I know you’ve– I think we’ve got a slide. If you could call that up, that’d be great. I’m not going to try and cover all the detail now, but I think there are kind of two or three main tracks.

We’ve got the EU Cyber Resilience Act, which came into force in December last year. The reporting obligations kick in in September ’26, full compliance by the end of ’27. NIS2 alongside that came into effect in 2023, which was really about expanding critical infrastructure obligations. And a lot of the conversation in the UK now around the Cyber Security and Resilience Bill is about extending the original NIS regulations to managed service providers, bringing a big chunk of the supply chain into scope for the first time. We talked at the beginning about the big handful of shifts, and we’re drilling down now into some more of the regulations and what it is that they actually say.

I think Question Zero that clients always ask is, am I in scope? I know scope is expanding; there’s a lot of talk about the fact that scope is expanding and the greater burden that therefore imposes on people. That’s obviously an interesting and important feature of these regulations, but it tends to drive the conversation around, well, there are some new regulations coming, how do I avoid them or minimize my exposure to them? Obviously, it’s important to understand that, but I always advise clients that the conversation doesn’t stop there. So, kind of my prediction is that the requirements that each of these frameworks bring will over time become market norms, to the extent that we could see those requirements invoked by analogy, like in private litigation, even against those who are outside the scope of regulatory jurisdiction. So, if you have an obligation, say in a contract, to take reasonable steps or perform due diligence, I think we’re going to see a failure to take steps that in some sectors are required by regulators potentially being deployed against people who are otherwise out of scope, in litigation or at least in negotiation around a commercial contract or following an incident. I think it makes sense, whether you’re in scope or not, to understand what more you can do to understand your exposure to risk.

Big handfuls: if you’re an EU manufacturer or importer, you’re looking at the Cyber Resilience Act. So if you’re making or importing products with digital elements into the EU, so that could be software, IoT devices, anything connected, you’re going to have obligations at sort of three main stages. Before the market, you’re looking at being able to demonstrate security by design in software and hardware, risk assessments, documentation, and so on. At market, things like CE marking and conformity assessments kind of build on the pre-market stuff. You’re looking at creating what’s called software bills of materials, or SBOMs, in a particular format, that need to be given to regulators on request, again, to show that you understand where the dependencies are in your software.

Then the big shift is throughout the lifecycle of the product, right? You’ve got to monitor for vulnerabilities in your product throughout a support period, usually five years. And if you become aware of a vulnerability that’s actively exploited, maybe through responsible disclosure or otherwise, you’ve got to notify national authorities and ENISA within 24 hours, a detailed report within 72 hours, final report in 14 days. This is pretty quick in the context of an incident, right? And critically, becoming aware can include constructive knowledge. So, if it’s publicly available, you could be deemed to know. So, you need to be monitoring what’s going on, have a vulnerability disclosure policy and be engaging responsibly with those who make those responsible disclosures; that’s a bit of a bugbear of mine.

NIS2 then, if you’re kind of an essential or important operator in, say, energy, transport, banking, health, infrastructure, those kinds of sectors, in the UK this is expanding to MSSPs, you’re going to have similar kind of key obligations around risk management, including understanding your supply chain and your exposure to risk there. Again, incident reporting: early warning within 24 hours, detailed notification within 72 hours, final report within a month. And so, you can see like an integration point here, where if you’re an operator within NIS2, you’ve probably got to verify your suppliers are compliant with the CRA.

So effectively, what we’re seeing is a cascading accountability. So, you can’t just take your vendors at their word, you know, you just get a warranty that says, “Oh yeah, we comply with all of this stuff and it’s all fine.” You actually need ongoing visibility into their security posture as well as your own. And it makes sense as well to make sure that you have the contractual levers, but critically the relationships in which those levers might be pulled, to ensure that you’ve got the right information available to you and to demonstrate that you have the right information if a regulator comes knocking, as well as the competence to interpret that information. So, this is about investing in relationships, contracts, people, so that you can ensure that you’re able to assure a regulator or a supplier that you have the visibility that you need into your organization, but also those on which you depend. It’s really, really quite broad.

Lindsay: Yeah, and I guess, bringing these two subjects together, you know, taking that spider’s web of supply chain now, can companies in your opinion rely on, you know, the government for all matters relating to threat intelligence, you know, is it sufficient to rely on the government and, you know, government punishments and that sort of thing to prevent threats in future?

Rich: No, so I think the short answer is no. Government threat intelligence on its own isn’t enough, and I think that is by design, going back to my point earlier about kind of reducing perceived dependence on government to mitigate these risks. And I think effectively the regulations are structured to make sure that you are taking responsibility for your own security, your own company’s security, as well as that of your supply chain, and to make that make commercial sense. That’s the point about regulation to correct perceived market failure. From a big broad policy perspective, I think that reflects a broader global shift in thinking about commercial resilience as a component of national security, in which we all play a part, right?

So again, come back to JLR. People are asking now, what is the proper role of the state when an incident hits, right? Kind of like the conversation we were having a few years ago about banks and fraud, right? Who should bear the cost of a hostile act? And what protective measures need to be in place to then fail, and how severe do the impacts need to be, before somebody other than the victim, typically in that dynamic a consumer, intervenes, or maybe even the state intervenes to kind of swaddle or mitigate the loss.

And my sense is that these regulations are kind of the beginning of a clarification of what the role of the state is in a cyber-attack, a cyber incident. Like, it’s more about the state setting standards and enforcing them, but giving advice about how to meet those standards, without providing the kind of operational security service at scale for individual companies or people in the supply chain. That’s everyone’s responsibility, not just the state’s. It’s that whole-of-society approach again, right? And again, so states can help with things like quality assurance to accredit cyber security solution providers. They can help with setting what Cyber Essentials should be, that sort of thing. But the day-to-day security, your backyard and your competitors, that’s on you; that’s the clear message. And you can kind of see that as and when a critical mass kind of adopt that mindset, to the extent that that hasn’t already happened, whether compelled through regulation or voluntarily, the idea is we should be more secure because there is this natural surveillance within the market around threats. But that doesn’t mean you can outsource it; you need to be looking at your own and those on whom your continuity depends.

Specifically on threat intelligence, I think government threat intelligence is clearly invaluable. The NCSC in the UK, CISA in the US, ENISA in the EU, it tends to provide the quite strategic, contextual information about kind of nation-state level threats, because that’s naturally where the focus is, kind of big vulnerability disclosures, maybe some sector-specific guidance. But because it’s operating at that macro level, it’s not enough on its own. That’s why I say it is not enough, because you look at what the CRA and NIS2 require you to be looking for; they are requiring you to monitor for threats that are really quite specific to your products and your supply chain, and that means effectively if your components have got vulnerabilities, if your credentials are circulating on criminal forums, if your employees or contractors or suppliers are vulnerable or being targeted, that kind of granular operational intelligence is on you to collect and understand and interpret and assess. Government just can’t provide that kind of granularity as a service to all industries all of the time. They don’t know your specific bit of material, your supplier relationships, your attack surface. And there’s always a bit of a lag, right, between the filtering down of government intelligence to public advisories, by which time, given the pace at which the threat is evolving, especially with AI and so on, attackers have probably moved on a little bit. I think that’s always part of the challenge with public advisories. And I think governments accept this, right.

We’re seeing regulatory guidance that explicitly encourages companies to use commercial threat intelligence, right? Look at the British lawyer, look at the NCSC, for example. The NCSC’s guidance on supply chain security recommends continuous monitoring using multiple intelligence sources, and seeks to equip companies to kind of understand what the market is offering in the threat intelligence space and the continuous monitoring space, in order to make an informed choice for their organization between what could be quite expensive, in some cases, and quite technical, different products. So yeah, that I think is the role of government. It’s helping you to make choices, but it’s the making of those choices that you still need to do in order to get the information that you need. So, if you’re relying solely on government threat intelligence, you’re probably not going to satisfy the appropriate procedures standard in the regulations. You need to be demonstrating proactive, continuous monitoring, tailored to your risk profile. Loads of vendors do that; some are better than others.

I think fundamentally these regulations are trying to align compliance incentives with actual security outcomes. The idea is that we move away from this box-ticking compliance much more towards actually improving your resilience to cyber attack, which is kind of in your commercial interest anyway, right? But it’s also about making sure that you can demonstrate, if you’re audited or if a supplier comes knocking, that you are doing all the right things, as well as actually using the intelligence in the right way.

Anyway, I’m conscious I’ve been talking for quite a long time, and I’ve got a few questions for you, Lindsay, if I may, about your experience at DarkOwl. So, reflecting on your experience with your clients, people who use your products, what kind of common challenges are they facing? Why is supply chain security important to them?

Lindsay: There’s a few reasons. I think one is best explained by the way that cloud technology is creating what could be described as a logarithmic network effect, the sort of spider’s web that I described earlier, where the ease of integrations between technology, which is a brilliant thing, causes an enormous reliance on external parties and risks from the supply chain. I mean, as you mentioned earlier, and I think it’s worth repeating. We know that last month the CEO of Sophos, an enormous European cybersecurity company, Joe Levy, summed it up nicely by saying that third party risk management is now “Nth Party Risk Management”. That deserves being repeated, given the endless string of suppliers involved in the provision of a product or a service.

And it’s not just B2C end products. Most B2B products on the infrastructure level now can’t escape a world of interdependence and over reliance on suppliers. We all thought data centers were that sort of the end of the supply chain thread where risks are more controllable from a sort of compliance perspective, etc. But you just have to look at the recent events with underwater sea cables in the Red Sea to realize that no one is safe.

And I think another big issue is the diversity of regulations as they relate to supply risk. If your supply chain is getting longer, so too is the certainty that some of those suppliers are based in a different jurisdiction to your company’s, and they’re probably more focused on that jurisdiction too from a compliance perspective. So, one of the regulations that you mentioned, the UK Cybersecurity and Resilience Bill, you know, that extends the current network and information security systems regulations to cover more ground, like you mentioned, managed service providers. And that is an enormous chunk of the cybersecurity supply chain for almost any sized company. So, not only are you contending with different suppliers, more suppliers, but also different countries and approaches to regulations in which those suppliers operate.

Rich: Yeah, so thinking about those security professionals’ jobs, how are they impacted day-to-day by these regulations?

Lindsay: Yeah, I think that’s probably why we talk about people specifically working in the roles within threat intelligence and allied professions. If you take a look at the micro level, there are so many things to talk about even just within that category.

There’s a lot of things to consider. There’s the onboarding of third parties and all the checks that that entails. For example, you have, within the lifetime of a third-party contract, the ongoing maintenance and technical debt, there’s the offboarding, the decommissioning phase, often done with less sort of support from cross-functional teams who just want to get rid of the contract they have with this supplier.

There’s the ever-evolving world of application security too. But then, what about the consultants, in a world of outsourced services and staffing? You know, the people who have been working on this technology or so, have they got key cards on them? Then there’s that added issue of maybe areas that are blended with corporate security responsibilities. You need to account for those and step back even further. This is all in a world in which an information security professional probably doesn’t actually own the supplier relationship or even project manage the deployment. So, looking at all of these variables, on both the job level for people working in security through to this macro level of nation state threats, as you mentioned quite rightly, in the complex and independent supplier applications and networks, it’s no surprise that some of the prevailing guidance is about how to take matters into your own hands, as you ended with, because we can’t readily rely on the government to sort it out for us.

Rich: Yeah, I mean, there’s the inflection point right between what we’ve been talking about. New technologies and sort of big data, there’s more data out there swimming around, there’s got to be an opportunity there, right, to better understand these threats?

Lindsay: Yeah. We should probably talk about something positive, I think, in all of this, because no doubt we’re all affected by the speed with which data can be crawled and fused in the threat intelligence sector. And yes, the explosion in supply chains means that there’s more ways for threat actors to get lucky, you know, business email compromise, service desk social engineering and beyond, you know, there’s a broader attack surface, meaning there’s need for more threat intelligence. And I think thankfully, there’s now a renewed attention you’re starting to see on threat intelligence and open-source intelligence that encapsulates everything from APT group reconnaissance to Twitter feeds, and ways that we can fuse this normalized data to give warning signals to information security pros. Alert fatigue is a problem, especially, you know, the moment you introduce responsibilities to monitor the supply chain and the wider regulatory sort of consequences for doing so; the answer will inevitably lie in looking over the horizon, looking over the IT network and strategically addressing the issue rather than tactically. And technology can certainly help us do that.

Rich: What a neat segue into DarkOwl. So how has DarkOwl helped to equip information security professionals and others to navigate that increasingly complex environment and think differently about how it and get ahead of those risks?

Lindsay: Yeah, when we were sort of thinking about this, we developed something called DarkSonar. So, DarkSonar is a risk score. So that when there’s been more activity surrounding a company’s domain and staff credentials on the darknet, essentially it would let you know when there has been more exposed than you’d normally expect. Breaking this apart a little bit, it gives a relative risk rating to an email domain that considers the nature, the extent and severity of credential leakage on the darknet to provide a company with a signal that acts as a measurement for a company’s exposure in advance of an attack. Because we know that one of the biggest threat vectors to this day is still compromised credentials for entry to a system. And we tested this metric against 237 cyber-attacks occurring between 2021 and 2022 and found our signal was elevated within the last four months, as it says there, prior to an attack for 74% of the attacks on organizations. And I suppose there’s three things going on here.

So, number one, it’s data-driven future warnings as opposed to alerts after the fact. Number two, it’s scalable to all domains, suppliers included. In fact, Security Scorecard have endorsed this for us publicly for this reason. And then finally, it offers companies the ability to measure market benchmarks, because their supplier may not know where their exposure lies in relation to other companies, especially in relation to government departments and local councils, for example, that sit side by side but are actually not always sure as to what exposure level they should come to expect, especially if you can benchmark it against predicting breaches and ransomware attacks.

So, this is the way for you and your supplier to do just that. It’s one contribution we’re making to at scale help organizations look over the horizon at risks to their suppliers and by extension themselves.

Rich: That predictive model sounds really critical for businesses that are trying to get ahead of a threat, right? And/or if you want to criticize someone else in your supply chain who didn’t get ahead of it. I was just going to say, did you have some slides that kind of demonstrated that?

Lindsay: Yeah, so if we look at a couple of examples that we threw together of sort of brand names just to make the data pop a little bit, you can sort of just visually evaluate the success of using this sort of metric to predict an oncoming attack, just looking at Fujifilm and Robinhood and their ransomware and data breaches that they experienced, respectively.

So yeah, I mean, this is something that we’re working on, we’re always looking for people to try it, to test it out. We like to be very transparent and understand where people are in their journey. This industry only works, threat intelligence only works if, you know, information flows both ways and we can certainly benefit from that. So, I mean, talking of that, I mean, perhaps we can turn to some questions from the floor because we’ve both been talking enough now.

So, Kathy, I don’t know if any questions have come in, but we can maybe answer any in case.

Kathy: Yes, thanks, Lindsay. We have one question that came in. It is, your webinar is looking at future trends, but from existing commercial customers, is DarkOwl seeing any trends today and how to leverage the darknet?

Lindsay: Good question. It’s funny because I was reading the UK government’s chronic risk report that was brought out last month and inside it, it details the ways in which so many risks are converging. So, I mean, the report itself was consistently emphasizing the interdependence of cyber risks, geopolitical risk, economic risk, even ecological risks. And one of the long-term uncertainties they officially were outlining is that the internet is going to become fragmented into sort of splinter nets, which basically means that, you know, the internet will fragment, thanks to regional policies, which will sort of isolate digital interactions and data access, creating sort of digital islands. And when you add that sort of thought to, okay, at the same time in the UK, we’ve got a, you know, explosion of VPN adoption since the online safety act and the sort of the risk we’re re-anonymizing the internet. Really, what that all means is a big trend we’re hearing from customers and partners is that they’re finally treating the darknet as an online space, just like the rest of the internet, which is needed for brand protection, situational awareness, just as importantly as they’re using the surface net for those same purposes.

Kathy: Okay. Thank you, Lindsay. We have another question that has come in: We are a mid-sized manufacturer, December 2026 feels close for CRA reporting obligations. What should we be doing now?

Rich: Yeah, it is close. I tend to advise my clients to kind of phase their preparation over the next 12 to 18 months if they haven’t started already. Their objectives really need to be to get and make sure they’ve got the right people on it, first of all, sort of the right consultants, lawyers, to help to ensure preparedness. And the first thing to do, I suggest, really is to map the supply chain, get visibility into what components you’re using, who your critical suppliers are, what your relationships look like, what contractual and commercial levers you’ve got to get information about their exposure to risk. Where do you have a gap? How do you fill it? Do you need to buy threat intelligence? Do you need to buy access to data? That kind of thing, then you assess your vulnerability monitoring. Can you at the moment detect when your components have actively exploited vulnerabilities? Are you researching vulnerabilities entering software yourself? If not, I suggest certainly the former is quite a serious gap. Start looking at continuous monitoring solutions, get some quotes, start integrating. Then if you’re not already generating SBOMs, software bills of materials, start building or procuring that capability, because that’s again foundational to compliance.

And then once all that’s in place, we need to look at incident notification planning. So, running tabletops, what does it look like in practice to meet that kind of 24-hour notification timeline, as the case may be, who needs to be involved, who calls whom, at what point, who makes the decisions. And these could be quite big decisions, right? Like, do we pay a ransom? Like, whose job is it to decide and what’s recorded? Where is it recorded? Probably not on a compromised system, right? Whose job is it to record everything? And then test them, test the response procedures, document them, improve them, test them again. And it’s kind of a continuous cycle.

What else? Reviewing supplier contracts, you probably need or will be asked to give kind of CRA-specific warranties and indemnities. Make sure they’re fair and that there isn’t this kind of knee-jerk, complete and utter transfer of risk onto you. On the topic of risk transfer, think as well about insurance. Whilst I think I’ve said that the market is still maturing, if you’re not insuring, make sure the risk is at least surfaced and noted at the correct level. I think the companies that struggle in 2026, 2027 will be those who kind of see this as a bit of a last-minute compliance exercise, trying to buy their way into like a performative compliance at the last second. Like, not acting now, I suggest, is also a decision, and you should think about where the accountability for that decision might lie, and if you don’t know where that is, it’s probably you. The companies that are succeeding in 2027 will be those who have embedded security monitoring, continuity planning, and so on into their operations. Now, easier said than done, right? It needs investment and time and money and people, but that’s the way of the world.

Kathy: Great. Thank you, Rich. Both Lindsay and Rich, that looks like that’s the last of our questions, and I just want to thank the both of you for an insightful discussion today.

And as a reminder to all of our attendees, we will be following up via email with a link to the recording and other resources. If you’d like to contact either Lindsay or Rich, their contact information is presented on this slide. And we thank you again, and we look forward to seeing you at another webinar in the future.



[Webinar Transcription] Unpacking the Dark Web, How Fraudsters Operate and Why It Matters

August 12, 2025


Evan Blicker from DarkOwl explains the three types of internet (Surface Net, Deep Web, Dark Web) and the origins and workings of Tor. The session also covers common misconceptions about the dark web, types of information found there (e.g., PII, banking data, corporate data), and the importance of understanding it for cybersecurity. The speaker emphasizes operational security for investigators and introduces DarkOwl’s role in automating dark web data collection and analysis.

NOTE: Some content has been edited for length and clarity.


Good morning, everybody, and thank you for joining our iTOOsday. Today’s session was made possible by Leslie Cameron, who is the Managing Director of Alert Plus Technologies. Leslie is a seasoned IT professional with a long-standing career in technology, innovation and business solutions. His current focus is on cybersecurity and fraud prevention, with a passion for helping individuals stay protected against identity theft as well as online threats. From DarkOwl, we will be joined by Evan Blicker. Evan is a cyber security professional with over a decade of experience in cyber threat intelligence, dark web investigations and digital forensics. He began his career at the Pasco Sheriff’s Office investigating cybercrime and internet crimes against children. He later served as a task force officer with Homeland Security Investigations, where he led transnational investigations focused on the dark web. His unique background bridges law enforcement with corporate security, and he has a deep expertise in OSINT, emerging threats and proactive intelligence strategies. For those of you who are unfamiliar with DarkOwl, they are the industry-leading provider of dark net data, offering the world’s largest commercially available database of information collected from the dark net. With that, let’s jump into the conversation.

In today’s session, we are going to explore a side of the internet that very few people truly understand, yet it does impact us all, the dark web. Often sensationalized in media, the dark web is more than just a digital underworld. It’s a thriving ecosystem where stolen data, compromised credentials, cyber attack tools and illicit services are traded like currency. As cybercrime becomes increasingly organized, sophisticated and global, understanding what happens beneath the surface is essential for individuals and businesses looking to stay secure. I’m thrilled to be joined today by our expert, Evan from DarkOwl, which is one of the world’s leading providers in darknet intelligence. Over the next hour, we’ll uncover what’s really happening in the dark web, how it affects you and your organization, and how you can effectively manage against it.

Evan: I’m a cyber threat investigator with DarkOwl. We’re here today to talk about the dark web, kind of unpacking it so we can get a better understanding of what it is, what type of data we can obtain from the dark web and how we can utilize that to better protect our clients, our organizations, and help make the internet a little bit safer.

To start, we have a short disclaimer about this presentation being for informational purposes only. Accessing the dark web manually can lead to security concerns if proper operational security is not followed. So, we want to make sure that this is understood, that our presentation today is for informational purposes only.

We’re gonna cover some very awesome topics. We’re gonna go into how the dark web works, its origin, different things that we can find on there and the communities that operate on the dark web. The dark web very much is a community. Similar to any other community, whether you play sports or in the business community or volunteering. However that works, there’s always subsets, there’s always communities in there. So, we’re going to talk about some of those communities. And then we’re going to also go into a little bit about dark web investigations, right? How to utilize this information, how to take it from raw data to actionable intelligence. We’re going to cover a lot. It should be really fun. So, let’s get started.

What is the dark web? That is a question that gets asked a lot, because we see movies, we see TV, it’s dramatized as this really cool person sitting in a basement wearing a hoodie, typing away at a black and green screen. And it’s not as cool as that, but it is still pretty interesting. So, there’s essentially three types of internets. The first one is the surface net – all of us here have used the surface net, right? Those are sites that have been indexed by Google. So, if you have gone to any website like a news provider or to a sports site or any of those other things, that’s the surface net, a website anybody can get to and you can find it through Google or one of the other search engines.

Now there’s also the deep web or deep net. We’ve all accessed this, whether you’ve known it or not, and this is any type of website that can’t be found without doing something else. So, for instance, going to your banking site, you have to type in a login to get into your bank account information; once you type in that login, you go to your bank account site, and that itself is the deep web or the deep net. ‘Cause that’s not something that you would want to show up on Google. Could you imagine the world if you could just Google somebody’s bank account and see? It’d be a wild place.

And then we have the dark web or the darknet, and this is an internet that uses the standard internet but requires special software. And this special software typically allows for anonymity. It also provides some level of security through encryption. It allows people to bypass maybe a country’s restrictions on certain websites, or whatever the case is. And that’s the dark web, which is what we’re going to be kind of focusing on today.

The dark web. It actually got its start at the U.S. Naval Research Laboratory. Onion Routing, it was designed to protect sensitive information for government communications. Then in about 2002, it was released as an open-source project to the public, where it remains as an open-source project, where lots of companies and organizations actually donate to keeping the project alive. So, it went away from its government exclusivity and went into average people, anybody being able to use it for their purposes. Because though when we hear the word dark web, we think cybercrime and criminals, there’s actually some very, very valid uses, which we’ll touch on later, related to the dark web. It has some good uses in this world. It’s used by a wide range of people seeking anonymity while they’re on the internet. They want some type of encryption for privacy concerns, but it has also evolved into such a complex ecosystem where you have not only people using it for negative purposes, but also people using it for good. The thing that I always kind of fall back on when talking about stuff on the internet is, for everything good on the internet, there’s somebody there that’s able to take that good and use it for evil.

There are multiple dark web technologies. The one that we’re going to focus on and talk about today is Tor, because it is the most widely known dark web, but there are several others. So, these are logos from across the different ones. The one in the upper left of the screen, that’s the onion routing, that’s TOR. That’s typically the one when somebody’s talking about the dark web, that’s what they’re referring to.

The onion router, TOR. It’s multi-layered encryption, right? It means data is wrapped into multiple layers of encryption, and each node that you go through, I’ll explain this a little bit better in the next slide, encrypts only what it needs to, to pass the traffic onto the next thing. So, it typically goes through a minimum of three nodes. You have your entry node, you have your middle node, your exit node. The exit node is what sends your traffic onto your destination. And this allows for your data to be fully encrypted throughout its path.

And this is its path. Now for any of those in the audience that maybe have a little bit more knowledge of the dark web, you don’t have to have a minimum of three nodes. You can have seven, eight, nine, adding to your level of protection while using it. But this is typically how it goes standard, right? So, Alice needs to send the information to Bob. Bob’s a server. Alice’s traffic will go through three different nodes in a certain pattern. It’s a randomized pattern. And each one of those nodes, each one of those computers that the traffic passes through, only has access to the information it needs to continue that packet onto its final destination. And then at which point it goes to Bob. The only time that that traffic is not encrypted is that final jump from the exit node to the target server. And this allows for that secure communication, right, allowing for that anonymity while using Tor.

Some of those features that we’ve already spoken about, anonymity, right, it gives you access to .onion websites. So, the Tor network doesn’t use .com or .net, they all end in .onion. It’s decentralized. The Tor project is actually really, really successful and really good at making sure one entity does not own too many nodes, right? Because I think it was mathematically calculated that if you owned 40% of the nodes, you can actually track somebody’s traffic across the Tor network. So, they do a really, really good job and so does the community as well as making sure that the people who are registering Tor nodes because anybody can do it, it’s a volunteer basis that they don’t own too many of them, right? Because we want to keep this decentralized. We want to make sure that the anonymity of what Tor provides us is there. And it also allows you to bypass censorship. Some countries censor the news and the media of what’s going on and this allows people and organizations in those countries to get valid news of what’s going on in the world. It allows for privacy and sensitive communications. So, take for instance, a journalist who is getting ready to break a big story with a whistleblower, this allows them to communicate in a manner which will protect the source and the story, right? And it has multi-platform support. So, you can be on your phone, you can be on your computer, whether it’s Mac, Windows, Linux, and still be able to access the Tor network.

It is downloadable at the torproject.org. There is a lot of very, very good information about the Tor project and the dark web on torproject.org. You can actually see all of the different nodes and things that are being used. They do a very, very good job. They also list who donates to them and how they support themselves. And if you are so inclined to believe so, you’re able to do that as well.

There are other types. ZeroNet is another big one. Freenet is one that isn’t really widely used anymore, plus you have I2P and then the other ones listed. For the most part, Tor is your primary dark web network that is used today.

We have some common misconceptions, right, because those movies make the dark web look just so utterly fantastic and makes everyone feel like a hacker. We have some misconceptions that come along with the dark web. So, the first one, everyone on the dark web is a criminal and that’s not true. It hosts communities and some of these communities are just privacy focused people. Others are based in free speech. Others are trying to help prevent human trafficking or help, you know, refugees out of countries, whatever the case is. There are some very good uses for it, right? Some governments are extremely restrictive on the news and media that their citizens are allowed to see, and the dark web provides that access, right? And it allows journalists and whistleblowers and human rights activists to communicate in a manner in which they can try to help make the world a better place.

The next misconception is that exploring the dark web is illegal and it is not. Now there may be activities carried out on the dark web, which are illegal. And if you engage in those activities, then yes, now you’re committing a crime and that becomes illegal, but it is not inherently illegal to be on the dark web. There are many legitimate purposes. For instance, the New York Times, which is a very well-known news agency in the United States, they have their own dark web site, where they host their normal site on the dark web for people that are in oppressed countries. So, these are things to keep in mind.

And lastly, the dark web, it’s actually not lastly, but the dark web is completely anonymous, and that’s not 100% true. There are tools and methods that researchers and law enforcement can use and implement to extract information on threat actors, on people that are using the dark web for malicious purposes, right? Law enforcement also seizes these dark web sites, and they seize the servers which store information, and that information can be used to track and determine who these threat actors are. So it supports extremely strong privacy protections. It’s not infallible, because nothing is, right? Locks only keep honest people honest, and so there’s always a chink in the armor somewhere.

And lastly, accessing the dark web is super difficult or super easy, and it’s neither. There’s not one specific place to go – the dark web is made up of many hidden services, many different websites, multiple different platforms. Though there are technically dark web search engines, they’re not the same as Google or Bing or any of those other ones. So accessing the dark web can be complex to find the information that you’re looking for, because you need to know the link. You need to know how to find a specific site. You need to know that that site actually exists, right? So, it’s the same as using the internet back in ’98, ’99 before search engines became really popular, you had to know where you were going in order to get there.

Some dark web concerns. Obviously cybercrime is a concern of the dark web, and it is used very prevalently by threat actors of many different facets of crime. From financial crime, to hacking, to ransomware, to narcotics trafficking, whatever the case is.

Also, misinformation campaigns happen – the spreading of disinformation and extremist content happens, stuff to try to destabilize public opinion and trust. And so, misinformation can happen. And then there’s also the illegal non-ethical surveillance of the dark web, right? Dark web monitoring needs to have ethics that are involved in it to protect the good people that are on the dark web, using the dark web for valid reasons. So, these are some of our dark web concerns.

We’ve talked about what the dark web is. We’ve talked about its nuts and bolts of where it was created, how it operates, how it keeps us safe. We talked about some of the misconceptions. So, let’s get to a little bit more of the interesting stuff. What is actually on the dark web? What type of information are we able to find that relates to what we’re trying to do? How are we able to protect our clients? How are we able to protect ourselves?

There are several different facets or avenues that we can do to try to find some information. There are Marketplaces where things are bought and sold similar to eBay or any other type of marketplace, Amazon that you go to where you can buy and sell different items in an unmoderated manner. There’s Forums where collaboration between threat actors happens where people ask questions, postings for sale, whatever the case is. Social media related stuff. Obviously, there’s Cryptocurrency information. There’s Leaks from companies. There’s also Leaks from government and then Ransomware related stuff. All of these things are found somewhere in some shape or form on the dark web.

There’s also dark web adjacent stuff. And this is the big thing that a lot of people don’t think about when they investigate the dark web. The dark web, like I said earlier, is a community, and we’ve got to look at that community, and any one of the communities that you’re a part of, you know, take your work community. So, when you go to work, you’re part of the community with your co-workers and you are talking about work at work. But you also talk about work elsewhere, right? So, a co-worker comes over to your house for dinner and you guys start gossiping about the, you know, stuff in the office, right? Things happen outside of your office related to what that community is about, which is work. The dark web is the same way. We have messaging apps, we have gaming apps, we even have surface web places. For instance, Reddit is a well-known social media site that has several places on there where they talk about dark web topics and issues and things along those lines. So, monitoring these things is just as important as monitoring the dark web to give you that kind of inclusive picture of what is going on. And a lot of the data on the dark web comes from many different things. So, a lot of the raw data is your PII, your personal identifiable information from leaks. So, date of birth, social security numbers, credit card numbers, addresses, things like that. Banking data, stolen bank accounts get sold on the dark web. Corporate data that has been taken maybe from a ransomware organization or from a hacker, whatever the case is. Credentials and compromised accounts, whether it’s fake accounts to a social media site or accounts that have been taken over, being sold, as well as corporate accounts, personal, whatever the case is, plus there’s malware, there’s hacking tools, there’s ransomware, there’s a lot of different things. And then obviously on your forums, your marketplaces, tactics, ideas, how to do this stuff is there. You can buy guides and forms. And this all leads over to some of the biggest kind of risks that we’re kind of thinking about. So, DDoS attacks, right, data exfiltration, insider threat, cyber-attacks, and then just, you know, anything from identity theft down to a much more personal level, right, of like somebody being doxxed on the dark web where their personal information is released.

So, let's delve a little deeper into the type of data that can be found. That was a more high-level overview. Let's get into a little bit more of the nuts and bolts.

Ransomware. Most ransomware groups, and new ones are coming out every single day, have most of their sites hosted on the dark web. It is a very successful business model if you're a threat actor. Also, their chat sites, where you go to negotiate once you have been compromised, are typically .onion sites because it allows for that level of anonymity. So, some of these screenshots are a little older, and the reason for that is that you can't necessarily control what's going to happen on a dark web site. So, if we went to it live, there's a chance that there could be material that we wouldn't want to see or show. So, we try to capture screenshots. For instance, LockBit, which is now up to LockBit 3.0, has its site hosted on the dark web, several different ones, and we're constantly tracking all of the new sites that are popping up from different ransomware groups.

I guess they like that business model. I don’t like it, though.

Markets. So, these are essentially what eBay would look like, and a lot of them are based off of the same model. This marketplace, Kerberos, has been taken down. There are several new ones that pop up, and they will run until one of two things happens. Either law enforcement takes down the marketplace, or they do what is called an exit scam. An exit scam is where the owners of the site take all of the money that's been put into the site for making purchases and then ride off into the sunset, stealing all of their users' money. Those are typically the only two outcomes, but anything is purchasable through here. There are marketplaces that are specific to firearms. There are marketplaces that cover a wide range of things, from personally identifiable information, credit card numbers, and social security numbers, to narcotics and drugs, to hacking tools, whatever the case is. Some like to specialize; others like to be a little bit broader to try to get as many users as possible.

It is kind of crazy some of the things that you can see for sale on a dark web marketplace. There are scam sites and things that pop up. So, for instance, you're not really going to find a marketplace that's, you know, human trafficking related. Also, you know, hitman services on the dark web are not real. That's not how that works. But a lot of people like to talk about that, especially in movies and TV and things like that. Those types of things are almost always scams. But you can buy just about everything else. You can buy cell phones, skimmer devices to steal credit cards. The imagination is the limit for what marketplaces may or may not have. But they operate very well, and they have better customer service than any company you probably know today, because trust is a big part of the dark web. So, one of the things they do is hold an escrow service. You would actually put your money into the site. The site would hold it. And then once you have made a purchase and you've received your product, the site will release the money. That way there's trust between vendor and purchaser. That's where that exit scam comes in.

Financial crime. Financial crime is a big part of the dark web. You won't find all of your financial fraudsters on the dark web, some don't need it, but you will find a lot of information and a lot of stuff being sold, because it's a really easy product to sell on the dark web: you're not shipping something from point A to point B, it's a digital good. And we also have a little bit of that dark web adjacent here. So, the two photos on the lower right were actually taken from Telegram. Telegram was a very big hot spot as a dark web adjacent location. It's since kind of cooled down because Telegram has changed its trust and safety policy, so they're cracking down on this a little bit more, but for a few years there it was very rampant that every dark web site or marketplace would also have a Telegram channel associated with it. But you can buy anything from credit card numbers for as low as 10 cents to bulk credit card information, which will provide the credit card number, the number on the back of the card, the person's name, address, location, everything that you need to use that card in a manner that prevents you getting caught by law enforcement, as well as information on how to commit fraud. It was a very big thing for the dark web.

There are drugs and gun sales as well on the dark web. A lot of sites, a lot of marketplaces, do try to avoid firearm sales, only because that gets a lot of American law enforcement involved. It kind of increases their profile. So, a lot will not allow the sale of firearms, but unfortunately, you know, everything done on the internet has a way to be used for bad, and the people that sell these find a way to get their merchandise posted. And then narcotics as well. Narcotics are a big sale item on dark web marketplaces and different sites. But the nice thing, at least for the good guys, about this type of stuff is that it has to be shipped from point A to point B, and law enforcement does monitor those shipping avenues, and so do the private companies that do that as well. So, a lot of times, this type of stuff is hopefully able to be stopped before it gets anywhere.

Stolen data. This is something I'm sure this audience is going to be interested in: stolen data from companies. A lot of organizations have their data stolen. Sometimes it's not part of ransomware. Sometimes people just steal it to either try to sell it themselves, or they post it. They post it for clout reasons or reputational reasons, to give it out to the community. These are screenshots from BreachForums, which was recently shut down and is potentially working its way toward coming back; that's been an interesting saga. But you could go to the site at any point in time, search for a lot of different companies, and find stolen data from those companies. Now that's obviously bad reputationally for those companies, but it could also be very good for the company's competitors if they're not operating in an ethical manner, right? They get that information, and if that information contains confidential business secrets key to the success of that business, now your competitors have your playbook. As well as the damage that could potentially happen to the clients of those companies if their personal information has been released.

Leaked data. So leaked data is different from stolen data. Leaked data, a lot of times, could involve an insider threat. It could be data that was captured through a tool, for instance, scraped from a deep website that a company owns, say, a social media site. You have to log in to access the content on the social media site, and then you start running custom tools to pull all of that information down, and then you release it. And then there are also usernames and passwords that get leaked as well. This is actually a screenshot from our tool, which shows a lot of the leaked content that we are finding out there and are able to catch. And there is a lot of leaked data out there. It's actually mind-blowing to understand how easy it is for your personal data or your corporate data to be leaked onto the dark web.

Stealer logs. Stealer logs are a very big thing. They can affect corporations, but a lot of times they affect the individual person more. Stealer logs are logs from a specific type of malware that, when it infects a computer, has the job of pulling down all of the usernames and passwords and text files, taking a screenshot, and getting all of the information it can about that computer. And then these logs are either posted for free or, if they're good logs, they typically get posted for sale. There are a couple of marketplaces on the dark web where one log will cost $10 USD and it will have a person's entire password history on there, right? All of the passwords that are saved inside browsers, which is why you should never save your passwords in a browser, because stealer logs capture all of that. And then they're able to access all of your information. And the biggest one that we want to protect is your email, especially if you have used two-factor authentication through email. But stealer logs are everywhere. And this is also something else that ends up being dark web adjacent. For instance, ALIEN TXTBASE, this one here, still operates, but they operate mainly on Telegram. Even though Telegram is very active in trying to shut them down, you will typically find them on Telegram offering this service that they have here. And one month of an unlimited amount of stealer logs is only $100, which is crazy. And $1,000 is lifetime access. So, if you are intentionally trying to hack somebody's computer to pull down credit card information or to use it for other malicious purposes, that's relatively a bargain.

And then we have our corporate data. Corporate data involves many different things. It could be our corporate secrets. It could be information related to an imminent attack on that corporation. It could be customer information, whatever the case is, right? And nobody is immune, right? So, the FBI, the federal government, American government agencies have been affected by corporate data issues. CrowdStrike, LinkedIn, Facebook, all of your major social media companies at some point in time have had their corporate data leaked, and a lot of that can still be found on the dark web today, even if it's old data. Just because it's older data doesn't mean it's not still valid and can't still be put to use. And then also, you know, here in America, we had the UnitedHealthcare CEO who was assassinated. And you can find, you know, talk about those corporations and the CEO, for instance, this one here, which was posted on an anonymous message board, saying that the healthcare CEO being shot was a long time coming and that people should stop defending them. So, there's a lot of information, a lot of things that break down here, right, from just corporate information to also threats to corporations and businesses. Things to monitor and different avenues to go down.

And the communities that bond them. I'm very big on saying the dark web is a community, and we have several different communities on the dark web. One of the big ones is extremism. You can find a lot of extremist information on the dark web, everything from terrorism to racially motivated stuff to politically motivated things; it's all on there.

Hacktivist groups. Hacktivists are hackers who claim that they are hacking for the right reasons because they don't agree with something, whether it's a political mindset, a political decision, or a business that didn't do what they thought was ethically correct. Hacktivists go after them, which was initially made famous by Anonymous back in the 2000s. Hacktivist groups operate on the dark web all the time. They post information, they get together to share ideas, different things like that.

And then we have our ransomware groups. This is a screenshot from our tool showing a lot of the different groups that we are targeting, or not targeting but monitoring, and pulling information down from. This list currently has 317 different ransomware groups and threat actors that we're monitoring and trying to get as much information from as possible. And the number of ransomware groups that operate on the dark web is growing every single day. That number never stays static.

And then obviously we have our hackers. What's interesting about this slide, as we're talking about hackers, is that this is how initial access is sold. So, most ransomware groups do not do their own hacking. They typically purchase the access from somebody who gained the access. And what will happen is, in certain dark web forums, a user will post a company's revenue, around $25 million. They'll say how many hosts the network has. So, in this one on the left by Benjamin Franklin, there are 500 hosts on this network. They're looking for $1,500 to purchase this. And then a ransomware group will purchase this access, install their ransomware, and then attempt to extort the company when they're able to. And this is how it gets posted. They never necessarily post names. Sometimes they do, but they provide enough information that you can try to determine who the target is, in hopes of maybe preventing ransomware. That's a really big use of the dark web for companies: monitoring the initial access side of the ransomware lifecycle. And if they're able to see that they're potentially popping up in an initial access sale, they can go ahead and start doing extra tests and monitoring, finding where the hole is, and hopefully plug it before anything bad happens. But hackers do operate on the dark web in many different facets.

And then we have our main APT groups, our advanced persistent threats. For instance, North Korean groups, different things like that, Chinese groups that are constantly trying to break into things and hack things and gain information. This is a screenshot from our tool, similar to the ransomware groups one, where we curate information on them.

Why is the dark web important? I've touched on this a lot, but it really does allow us the opportunity to learn more from the threat actor to make better decisions as to what we need to do to protect ourselves. So, it gives better insight and allows us to learn from them. There are tools that you can capture and figure out how they work to prevent them from working on your network. There are also tutorials in fraud, in hacking, in social engineering, whatever the case is, and we can learn directly from the threat actors and monitor that, and it can also give us an early warning sign before anything happens.

The early detection of potential emergent threats. It’s a more proactive approach to cyber defense. We’re learning directly from the threat actors, and hopefully it allows us to prevent threats from escalating, which is why it’s important.

So how do we find things on the dark web? One, there are open-source tools to help you, but you need to take into consideration the OPSEC considerations, the operational security considerations. There are websites, for instance ransomlook.io, that post information daily on new ransomware groups that are operating on the dark web. There's also different monitoring stuff and blog posts and things along those lines. But there are also command-line based open-source tools for investigating it. You just really need to know the operational security side of it.

On the dark web, there are list sites or link sites or directories that will provide links to dark web sites. And they will monitor those links to determine if the site is online or offline. And then we use OSINT. OSINT is our best friend. OSINT stands for open-source intelligence, and it is a way of finding and learning information that's publicly available. So, whether it's from the news, from government publications, from blogs. At DarkOwl, we post blogs pretty regularly. Social media accounts from influencers that specialize in this stuff, and then academia and research as well, provide good insight into what is going on.

And now the operational security concern of investigating the dark web, which our tool definitely helps with, and it is something that very regularly needs to be taken into consideration, right? So, it's a process to prevent our adversaries from gaining information about us and our capabilities, so that we can identify who they are, right? We're not trying to become the victim. We're the investigator or the analyst trying to prevent this.

So, it's important, right? It's important for the investigator's and the researcher's safety. We want to make sure that their identity does not get released or known. It also protects against retaliation and targeting, and it ensures safety during and after dark web investigations, right? We want to make sure that we protect our sensitive information from exposure. For instance, downloading certain things off of the dark web because we need them for investigative purposes: if it's not done correctly, on a secure machine that doesn't have network access, we could potentially be putting malware or ransomware into our own network, you know, and now become an actual victim of what is going on. It allows us to maintain that confidentiality and anonymity and not compromise our investigations. It allows us to reduce detection and tracking by sophisticated adversaries, for instance, some of those APTs that are nation-state groups, who are very well-trained, have everything that they need, and have many people to help them. So, we want to make sure that we reduce detection by them so that we can continue gathering information. And then we want to reduce the risks associated with linking affiliated investigations and researchers. We want to try to keep that attribution down to a very low level. And OPSEC is one of the most important things that needs to, and it should be the primary thing that is kept in mind in dark web investigations.

Six steps to OPSEC. We want to identify the critical information that we need and how we need to keep it secure. We want to analyze the threat. Who are our adversaries? What are their capabilities? What are they able to do? We want to look for weaknesses in configurations and behaviors to make sure that we can protect ourselves, and evaluate the likelihood and impact of those risks. We want to implement countermeasures, apply security practices. Do we need a machine that's never connected to the company network, virtual machines, VPNs, things along those lines? And we want to constantly re-evaluate as we progress in that investigation to make sure that our operational security is providing what we need it to provide. It's important for protecting investigator safety, securing that sensitive information, maintaining operational integrity for surveillance and tracking purposes, and then attribution risks, right? We want to make sure we keep those to a minimum.

We have gone over a lot. We've gone from what the dark web is, to what type of information is on the dark web, to tools for investigating the dark web, open-source tools, our tool, and things like that, and operational security. But what are the strategies, right? We have the information, or we need to get the information. What are the strategies to take that investigation and make it fruitful? So, darknet intelligence, right, involves collecting and analyzing data, like any other investigation would, going through the specialized tools that we need to get it, and understanding, right, the complex ecosystems where cyber criminals trade goods and services. We need to know whether the information we are looking for is on a forum, a marketplace, a chat group, whatever the case is.

The intelligence pyramid. Everything in intelligence and investigations has some type of diagram or analogy or acronym. This is no different. We start at the bottom with our raw data. That is all of the data that we've collected that may be useful for us. We'll take all of that and turn it into some type of information to figure out the buckets it needs to be in, and then from there we'll turn that into actual intelligence that we can make decisions on, weeding out the noise that we don't need. And you'll want to do that with dark web data, because you will be able to find a lot of things, but not all of those things will matter to your current investigation or needs, right?

So, we're going to start with planning and direction in our intelligence life cycle. This is what we're worried about. This is the information that we need to learn. These are our questions. We'll work on those collections. Once we collect our information, we'll move to the analysis phase. Once we analyze all of our data and go through that intelligence pyramid, we'll move into production, write our reports, make our recommendations, and then disseminate that out and get feedback from your cross-functional partners or your clients or whoever the case is. And then we start that all over again for the next question that pops up, the next threat that we have to worry about.

Strategies for monitoring the dark web. You have to know what your intelligence requirement is. You've got to know what you want to achieve. Do you need to worry about a client being hacked? Do you need to worry about their data being stolen, whatever the case is? We want to identify the areas that most interest us. For instance, maybe we need to monitor for credit card information. Well, some of the best places to see specific credit card information pop up are in those marketplaces, right? We want to make sure that we keep a way of monitoring those sources. Once we collect data, we want to analyze that data and see if we need to find more data. Sometimes you need to. There's always language assessment: you need to figure out if you need to translate the information that you're getting. Google Translate works, and AI tools help with that. And then obviously the last thing we want to do is report our findings, so that our recommendations actually matter and help strengthen security posture, prevent cybercrime, and all of those fun things.

Just real quick, to touch on DarkOwl and what we do. DarkOwl is a darknet data technology company headquartered in Denver, Colorado. Our mission was to build automated technology to allow analysts to investigate and monitor the dark web without actually having to go to the dark web. And we have come a long way in producing that tool. We're led by our CEO, Mark Turnage, and we have a fantastic team of analysts and engineers producing it. So, with the information in our tool, you never actually have to go to the dark web to access that information. And it's all searchable, which is the best thing. You don't have to know how to get to a certain forum or have an account on that forum. You're able to get it yourself.

In our beginning in 2012, we pioneered darknet collection and relevant search, you know, we created our Vision UI tool, which gives you a graphical interface to search all of our data. But we also have API access as well. So, we can tie into tools like Maltego, which has a transform that lets you tie into dark web data. It gives your analysts access to this information, to find it, use it, and also monitor it through cases or alerts and different things along those lines. So, the layers of the surface, deep and dark web that we go after, right? Some of these high-risk surface websites are paste sites or discussion boards, you know, Reddit, social media sites as well. We monitor underground forums and marketplaces, as well as Discord, Telegram, IRC. We're always looking to move into new messaging platforms as we see the community shift, right? And then currently we are in Tor, I2P, and ZeroNet as dark web marketplaces, because those are the main places threat actors operate, typically now in Tor. There was a little bit where I2P was gaining traction, but that has since lost its momentum. We pull about 2 million documents off of the dark web in about a 24-hour period. And we are constantly pulling in new information every single day. Our information is relatively real-time, depending on the site and how often we crawl it. I was actually just doing research the other day and literally had information from within the last six hours in the tool. So, it is very successful and really does help in these types of investigations, and it solves your operational security problem. You don't have to worry about that when using our tool.

And then our ecosystem. We have the Vision UI, which has pretty much everything an analyst would need, but then we also have different things. And in our Vision UI, what's really nice is that you can set up exposures. We have an algorithm that we created where you can put in some information and we can monitor a company's exposure based on that algorithm inside the tool. And then this is our contact information. I do have some questions that were brought up. I'm going to touch on those real quick and then we can go ahead and end. So, one of the questions that was asked was: what kinds of data are most commonly traded or exposed on the dark web, and how has that changed over the past few years? Which is a fantastic question. So, starting with the past few years and how that's changed. Initially, you saw a lot of financial and drug-related stuff on the dark web, especially around the time of a former marketplace called Silk Road, which was one of the first law enforcement takedowns of a marketplace; there was a lot of financial-related crime and drug trafficking happening through the dark web. And as the years have progressed, we now see a lot more technology-based crimes. Ransomware, leaks, data being sold, personal information being sold. This has grown because more companies than five, six, ten, fifteen years ago are putting anything and everything on technology, and with this come budget cuts at times where security teams diminish. So, cybercrime goes up, hacking goes up, and we're in a time where everything involves ground technology. This has become a very big topic on the dark web. A lot of that information is now available.

Question number two that we got: Are there specific industries or sectors that are more heavily targeted or discussed on the dark web? There are. And it's hard to quantify. Healthcare is one that is on it. That personal information, medical records, that type of information, because if a ransomware organization is able to hit a healthcare organization, they're typically going to get paid. And most ransomware groups aren't the most trustworthy people, so they still release the information after being paid. Financial services, bank access, fraud opportunities, selling crypto accounts that have already bypassed KYC. So, a threat actor can purchase that account and sell it, or use it so that it can't be attributed back to them. And then your government and defense contractors are always something that pops up as well on the dark web. But anybody can be a target. It just depends on whether it's your day or not. Critical infrastructure, that is another thing that can pop up if there's talk related to that, because those are things where typically the payments go through.

The next question we have is: "What are the early warning signs that a company's data or credentials might be circulating on the dark web?" That's actually a very interesting topic and could probably warrant its own webinar in itself. But some of the quick things that we want to look for are company credentials appearing in stealer logs and combo lists. So, if, for instance, an employee of a company accessed their company's portal from their personal computer, which isn't monitored by the company's IT, and it got captured in stealer logs, that popping up is definitely a strong sign you may be attacked, because it just takes one person to understand, hey, I have a company login. Let me go log in and figure out what I want to do. Mention of the company's domain or brand on dark web forums: as that starts increasing, concerns should start growing. Those are more like your medium concerns. Leaked internal documents are obviously an issue. And then that initial access: if you start to see initial access postings that appear to match your organization, that is something that you want to take seriously. Even though it has the potential to be a false positive, we still want to take that seriously. And then, of course, ransomware sites announcing that they hacked you. That is a clear indication that there's trouble ahead and that we need to monitor that. Because ransomware sites, a lot of times, will post that something is happening before it happens, because they've already initialized what they were going to start with.

And then the last question I have is: "With the growing use of encrypted messaging platforms and private marketplaces, is the traditional dark web still the biggest threat, or is the landscape evolving?" That's a fantastic question. And yes, the dark web is still a very, very big threat, but we have to make sure that we monitor the adjacent spaces. The thing with the dark web, where encrypted messaging platforms won't ever be able to overtake it, is the ability for somebody to find that information, to be able to start the conversations or purchase whatever they need. For instance, Telegram was very, very big a few years ago. And even some marketplaces shut down on the dark web to be on Telegram, because it was still very easy to find those marketplaces by just using the search bar. There's no real messaging application that takes that over. So, a lot of times what you'll see is that things will start on the dark web. And then from there they may move conversations into encrypted messages or channels. That doesn't mean that that information still can't be obtained and used for intelligence purposes. But I don't think messaging will ever be able to take away from the dark web. It's just another adjacent place that needs to be monitored as the investigation and intelligence needs develop.

Thank you so much for your time, everybody.



[Webinar Transcription] Leveraging Dark Web Intelligence for Real World OSINT Investigations

March 21, 2025


Attendees of this webinar, hosted with Carahsoft, learned about how in today’s world, Open Source Intelligence (OSINT) plays a critical role in uncovering threats and mitigating risks by leveraging publicly available information. This webinar dove deep into the practical side of OSINT investigations, focusing on how dark web data can be strategically utilized to enhance threat detection and risk assessment for organizations.

During this webinar, the Director of Intelligence and Collections at DarkOwl demonstrated the power of DarkOwl Vision through real-world examples, including:

  • Tracking stolen credentials from a recent data breach
  • Monitoring dark web marketplaces for insider threats
  • Identifying emerging cybercrime trends
  • Analyzing chatter on forums to predict potential attacks
  • Protecting executives and high-profile individuals

Participants gained hands-on insights into gathering, analyzing, and interpreting OSINT data, with a focus on applying dark web intelligence to solve real challenges.

NOTE: Some content has been edited for length and clarity.


Erin: Hi everybody. I am the Director of Intelligence and Collections at DarkOwl and I’m going to talk you through some background on the dark web and some OSINT investigations.

What we’re going to cover today, I’m going to give you a little bit of background on who DarkOwl are, what the dark web is, why it’s important, how we can use it in OSINT. And I’m going to do a couple of use cases and walk you through some examples of what we see on the dark web and how you might be able to use it for OSINT.

A bit of background about DarkOwl. We’ve been around since 2014, but collecting data I would say from the dark web in earnest since around 2017-2018. So, our goal is to collect data from the dark web so people are able to use that data for their investigations and to protect their organizations. We allow people to do that in a number of different ways, so you can access data through our platform Vision, which I’ll be showing you how to use today, but we also have APIs and data feeds which allow you to access dark web data. The idea really is that it’s challenging to access the dark web, and also it can be against policies to access it. It’s not easy to access and there are things on there that you might want to avoid. So we allow you to access that data in a secure way.

What kind of data do we have? We have layers of the deep and dark web as well as some surface web, although we are primarily a dark web company. Everything that you see here in red is something that we do collect from. We’re always looking to increase our coverage though and look at other areas where we see criminals, cyber threat actors, insider threats, people proposing violence, operating. So, we’re always on the lookout for other areas that we can collect from. But as I said, we’re primarily dark web, TOR, onion sites is where we get most of our data from, but we do also collect some surface websites, things like Doxbin, paste sites, certain forums where we see extremist activity being discussed, as well as underground criminal forums and markets and discussion boards. We also collect from Telegram and Discord. We see a lot of criminal activity operating in those areas. And this just gives you a breakdown of the volume of data that we have.

I believe there’s a polling question up on the board for you now. And that’s just to highlight: are there any messaging apps you’re seeing as part of your investigations at the moment that you would like to have more coverage of? As I mentioned, we do cover Telegram and Discord, but we’re always looking for other options. So please fill that in. You can have multiple choices. But going back to the slides, you’ll see that we’ve got a large volume of data that we collect. We have been collecting since 2017, and we do not remove any historical data because that can still be important to your recent investigations. And so, you can see the numbers that we have here. We also extract particular entities, so email addresses, IP addresses, credit cards and crypto addresses, that can help you with your recent investigations. And we also have a large volume of data leak records that we’ll talk about in a little bit more detail.

And this is just to give you an overview of how our ecosystem works. We do have the Vision UI where you can access all of our data as well as APIs. We have several API products that allow you to generate scores and risk assessments based on the exposure that an individual has as well as context information about our data leaks.

And we also provide darknet services. So, for those that don’t have the resources and/or do not have the experience working with the dark web, we are able to do investigations and OSINT investigations on your behalf and produce reports regarding whatever you’re investigating. So, this is our Vision UI: it supports Boolean logic, it has darknet data within it, and it can also be used for alerting, but I will go through that in a lot more detail later in the presentation. But so, just so that we’re on the same page, let’s start with talking about what the dark web is.

No OSINT presentation is complete without an iceberg slide so this is our obligatory iceberg slide which breaks down the surface net, the deep net and the darknet.

We really do focus on the darknet, you know, collecting from onion sites, TOR, I2P, ZeroNet. That is specific software that you need to download to access that, and also it’s not indexed, so you need to know the URL that you are going to in order to find that information. So, it makes it a lot more difficult to navigate and identify sources that are going to be beneficial to you as part of your recent investigations. And that’s one of the things that we assist with. We, you know, have broad coverage across the dark web. We’re always looking to identify new sites and new areas where individuals are communicating or buying and selling goods. And so that allows you to be able to search that information. We also do cover the deep net. So, this is not indexed by search engines, usually behind a firewall of some kind or password protected. It’s not easy to access, but it’s easier to access than the dark web. You can still do it using your usual browser. And there are a lot of forums and marketplaces and vendor shops, et cetera, that sit on the deep net. And then you also have the surface net. So this is, you know, the internet we’re all used to. It’s indexed by search engines. So, you can, you know, go to Google, go to Yahoo and find a site that you’re looking for, and it’s all open. I would say more and more we are seeing sites on the surface web that are also engaging in criminal activity. People seem to be less concerned about obfuscating what they’re doing than they had traditionally been, and also, I think law enforcement’s been quite successful in taking down some dark net sites and that has kind of moved people onto the surface net. So that’s an interesting trend that we’re seeing at the moment, and that’s why we cover those areas as well as just the dark net.

To give you a little bit of history on the darknet, it started in around 2000. The darknet Tor project itself was actually created by the US Navy as a means of secure communications for their operations. And then they decided to make it an open source tool. The Tor project is a not-for-profit that runs Tor and the onion sites and the bridges, et cetera. It’s always worth noting that there are fully legitimate reasons for using the dark web for those that live in countries where communications may be limited and, you know, they may not be able to access mainstream media, things like that. Tor can be used for that. And also, people who do really want privacy. They can use the dark web to enable that privacy. I’m not going to go through everything here on this slide, obviously it goes up to 2020, but you can see that there have been a lot of things that have happened in the darknet, things like cryptocurrency becoming more prevalent and being a semi-private way of people transacting, and law enforcement operating on the dark web to take down sites has been a game changer as well. But there are a lot of things that have happened in the dark web ecosystem and continue to happen to this day.

Okay, so why is dark web data important? I’ve kind of touched on this, but a lot of criminals operate on the dark web. So, we see people communicating on the dark web in forums, in messaging apps, having conversations, but we also see people selling and buying goods. We see people offering services. There is a lot of activity that happens on the dark web that can be useful to your investigations. And there are also sites where people’s data is released. So, data leaks, stealer logs, which we’ll go into in a little bit of detail, as well as things like DoxBin where people’s information is released. So, it can really help you in your investigations identifying information about individuals, but it can also help you to kind of protect individuals from an executive protection perspective, and we’ll talk about that in a bit more detail as well.

While we’re level setting on the dark web, hopefully everyone on this webinar is aware of what OSINT is, but it’s basically the collection, analysis and dissemination of information that is gathered from publicly accessible sources, and these are a couple of the sources that are out there that I think are familiar to most people doing OSINT investigations. But people don’t always think of the dark net. I think some people think it’s scary. There are questions about whether or not it’s truly open. But it is in fact open. It’s harder to access, but all of the data is out there for people to go and view if they choose to. So, I like to think of it as a tool in the toolbox that an OSINT investigator has. You know, you should be looking at social media, you should be looking at public records, you should be looking at, you know, other mainstream websites that are out there, things like the Wayback Machine, but the dark web is an important element of that investigation and gives you kind of a broader overview of information that you might not get from other sources. I feel like, again, I have the obligatory iceberg slide, and this is my obligatory AI generated image. You can see that it’s AI generated because it’s the Dark Wab and not Dark Web. It seems that when you give it a few too many prompts, it gets confused, but this is my obligatory AI image.

Okay, so what things do we see on the dark web? So hopefully people are familiar with some of these. I think some are more well known, but marketplaces are definitely, you know, mainstream and one of the things that first started in the kind of criminal ecosystem of the dark web, with things like Silk Road, which was not the first market, I believe Farm was, but, you know, marketplaces for buying and selling drugs, illicit goods, hacking tools, tutorials. You can purchase hitmen, you can purchase all manner of strange things; whether or not that’s legitimate is something that we can also discuss.

There’s also a wide range of forums, so people kind of talking about things that interest them. Breach Forums is probably one of the most famous forums out there that works in buying and selling data and sharing data. But there are also extremist forums out there, things like the incel community, right-wing extremists operating on forums too, or people just discussing general things; not all of the forums are bad. There are some social media sites that are on the dark web too. There are mirrors of things like Facebook and Twitter that appear on the dark web so people can access them in countries where there might be censorship, so that’s one of the more legitimate areas. And also we talk about social media, and I’ll go onto this in the next slide, as a dark web adjacent area where we do see criminals operating on mainstream social media as well.

Cryptocurrency obviously is the currency of the dark web. We still see Bitcoin as the largest currency being used, but things like Monero and Zcash and more of the privacy coins are also popular. You know, wallet explorers, there are dark web wallets, there are tumblers, mixers, et cetera. So a lot of cryptocurrency activity can occur on the dark web. As well as being, you know, again, perfectly legitimate information, there are a lot of news sites that are on the dark web. The BBC has a news site. I believe CNN has a news site. And there are also just kind of other sites that share information. These can be kind of data repositories, you know, when information is leaked by whistleblowers, that can sometimes appear on the dark web as well. And then we have data leaks. So rather than kind of whistleblowers, that’s more stolen data and data that’s been taken illegally. And in that vein, we also have ransomware. So, a lot of ransomware groups have leak sites on the dark web where they will kind of shame their victims into paying the ransom by saying that they are a victim and they’re gonna release the data. If the victim does not pay the ransom, they do usually then release that data, which is downloadable on the dark web.

But as I mentioned, there are also some things that we refer to as dark web adjacent. Oh, there’s a poll question. So, what areas of the dark web are of most use to you? So I’ve gone through some of them, but it’d be really interesting to know from your perspective what is most beneficial for you and your investigations and your day-to-day job. But in that vein we also have some dark web adjacent. That’s what we refer to as sites or messaging apps or platforms that aren’t exactly on the dark web, but they’re still being used by the same community of people, i.e. usually criminals or extremists or some form of bad guy, for want of a better phrase. Things like Telegram, ICQ, Jabber, Discord, which is a gaming site, as is Twitch, where we see people sharing classified information, making threats. A lot of the so-called gore community are very active on places like Discord; it tends to be younger generations and people that are into gaming, as you would expect. But these are all areas that we think it’s important to also have coverage of in order to, you know, have full coverage of these communities and these groups and how they’re interacting. Obviously, I would say there have been some changes in Telegram in recent months, but we are still seeing a huge amount of people operating on Telegram in a malicious way. And then the surface web, marketplaces, vendor shops, forums, as I mentioned before, excuse me, we are seeing some people that are operating in the same way they operate on the dark web on the surface web. You can find those vendor stores and those marketplaces, which I think is an interesting evolution in how these communities are operating.

Okay, so there is a lot of data on the dark web as well. So, we’ve kind of talked about the general themes and the types of sites that there are, but there are also a lot of different types of data and a lot of different types of information. So, a huge amount of PII appears in data leaks and is discussed on some of the sites as well. Financial information: there’s a huge ecosystem of financial fraud, people selling credit card data, selling banking information, selling details of how to operate in a financial fraud way. So, we see a lot of people doing tutorials and giving guidance about how to conduct some of these scams. There’s also a huge, as you would expect, cyber and hacking community. So, people trading malware, and exploits, and different tools that you can use, you know, the phrase script kiddies, individuals who aren’t necessarily sophisticated enough to build code or build these vulnerabilities, but they can purchase them and execute them and still kind of use them for criminal activity. So, we see a lot of trading of those kinds of things, drugs, obviously, and cryptocurrency I’ve also mentioned. There’s a lot of activity that can come from this kind of data. We see cyber-attacks. We see data exfiltration and hacking. There’s also cyber espionage. I mean, APT groups are hard to identify, but they’re definitely operating in some of these places. And insider threats as well, people, you know, talking about sharing information that they should not be sharing or making threats to their organization. These are all the types of things that we see on the dark web.

Let’s dive in a little bit more into what data we actually see and kind of try to look at it from an OSINT perspective where possible. Ransomware I have already mentioned. These are two examples of ransomware leak sites, one is LockBit, the other one, I actually don’t remember which ransomware site it is, but you can see that they will share the information about the company that has been the victim of a ransomware attack.

But you can see they’re also operating elsewhere. In the yellow image, you see that they have a Telegram channel. They are on Twitter and they are on Facebook. So they have a dark website where they share this information, but they’re also operating on kind of more of the mainstream areas. And that can be really useful for you as part of an OSINT investigation. If you’re trying to identify more information about these groups, you’re building that kind of what we call darknet footprint and digital footprint for these groups and how they’re operating. So, you know, their sites can give you information about them that can help with understanding how they operate. But also, you know, the information that they share, while stolen and really should not be shared, can be used as part of investigations as well. Especially if you’re concerned about supply chain or third party risk, understanding what data has been released about an organization can help you protect your organization if one of your supply chain vendors is in there, or if you are the person that has been leaked, sorry, has been ransomed, knowing what of your data has been released and is out there for other criminals to kind of delve into is an important thing to know. And I think some people get concerned about this data, and it’s stolen data, but the thing I think people need to understand is criminals have access to this data, threat actors have access to this data and they will use it to conduct more criminal attacks, so it’s important to know what is out there from a risk perspective so you can better protect yourself.

Financial crime I’ve mentioned; we see a lot of marketplaces but also places like Telegram being used as a market for people to sell financial information. So, you can see here there are stimulus checks being sold, there are people selling plain credit cards, there are other things that they’re making available on here, cash apps, etc. So there is a huge ecosystem of this financial crime.

And in the theme of markets, we also see people selling drugs and weapons on the dark web as well.

You’ll see that a lot of these markets look similar to what you would expect to see from, you know, a commerce website on the surface web as well. They provide pricing, they provide images, they also provide reviews. And that can be really useful for us from an OSINT perspective. So, you know, there are things that you might want to look into on these markets that can give you some clues that you can go and look through in more traditional sources. So, you know, you’ve got OSINT, sorry, you’ve got reviews, as I just mentioned. So, these are some examples of reviews. I don’t know that they are legitimate, to be honest, but you’ve got the username, you’ve got the date that they purchased, and sometimes they give some information in there, like, you know, it arrived really promptly, that could give you ideas about, you know, where are they based? Where are they purchasing from? And, you know, how it operates. We’ve also got here, like, more descriptions about the drugs that they’re selling. So, they’re telling you the type of drug. It’s a pressed pill. They’re made in-house. So that’s something that they’re, you know, again, you can never really trust a threat actor, but they might be operating this themselves. That’s something to go on. And they’re also saying that they ship worldwide.

We’ve got other examples where they tell you where they’re shipping from. So, this is actually counterfeit money that they’re shipping. And they’re telling you kind of how they operate it, what techniques they have in terms of producing this counterfeit money, but also they say they’re shipping from Romania. It’s a pretty good starting point that they could be operating in Romania and that they’re individuals based in that country. Again, with OSINT, you also always have to verify everything. You can’t take anything at face value, but these are data points that I think it’s important that you pull out.

And this one is a little bit maybe harder to read, but I thought it was important because they’re giving details and almost like TTPs of how they’re operating. So they’re telling you they ship it in an envelope, that it uses anti-extra bags and if it’s inspected, it will get through. And they’re actually saying that the National Post Service is the safest way to order it and that they also use express shipping. So, if you’re doing an investigation into kind of the methodology of someone selling these drugs or counterfeit goods, I believe this one was still counterfeit money, you can get from these marketplaces and from these sites information about how they are actually operating, which can really help you in your investigation and maybe where you wanna focus to identify things from other sources that are out there.

Stolen data is also a big one. I’m not really going to show real examples here because I don’t want to expose people’s PII, but there’s some of that. This is Breach Forums and I believe LeakBase. These are sites that appear on the dark web where people are sharing data. And again, we get a lot of questions about whether this is open. I would say predominantly on these sites the data is shared freely. Sometimes you need credits, so you need to have a reputation on the sites and have built kind of some of that persona. But by and large, this is freely available data that, again, criminals are going to have access to, and it’s something to be aware of.

This gives you an idea. This is a breakdown from data that’s in our platform, Vision.

I looked at the last 90 days and it gives you a breakdown of some of the PII that is available in these leaks. So, you know, names and email addresses you’d expect, but you’re also seeing identification numbers, information about people’s genders, information about companies, phone numbers, dates of birth. You know, there are kind of two use cases for this kind of data, I think, in the OSINT realm. One is, you know, attribution, looking at threat actors. There’s so much leaked data out there now, and threat actor information is going to appear in there as well as, you know, legitimate people’s data. So, it can really help you with that kind of attribution use case, but also from a risk analysis perspective, understanding what information is out there about yourself or your employees or, you know, individuals that you might seek to protect. This lets you know kind of what level of risk they have, what level of exposure they have and how criminals might be able to target them.

Stealer logs are something that we’ve seen a huge rise in. They’re not new, but they just seem to be a lot more prevalent in the last year or two than they were previously. This is an example. ALIEN TXTBASE is a group that have been sharing not full stealer logs, actually, but what we would call combo stealer logs, where it has the URL, the password, and the username of an individual. And they’re making that available on Telegram. So, you know, this is great for criminals in terms of they are able to log into accounts, do account takeover attacks, and depending on what URLs appear here, it could be access into someone’s network. But stealer logs are basically malware that exists on your computer or a victim’s computer and steals things like cookies, like your auto-fills on your browser, your passwords, and your usernames. It can also steal things like cryptocurrency wallet addresses; basically anything you’re doing on the internet, it can hoover up, and we have some good blogs that I would recommend about stealer logs and how they work and how they operate and the different types of them. But they have a huge wealth of data in them.

And again, threat actors have been victims of these as well as legitimate citizens. And we’ve seen a lot of research where you are able to search for places like XSS or Exploit, you know, dark web forums, and see people’s user information, and that can really help with attribution, but also knowing the risk that your password and your username is out there and that can be used for a variety of different attacks is really important. And also because the cookies are in there, it can help threat actors get past two-factor authentication and OTP codes as well, so that’s something to bear in mind. Again, I said I wasn’t going to share actual data, so I wanted to give a really basic description of how some of this data can be useful. But if you have an email address for a threat actor or someone you’re interested in understanding more about, you can search for that in leak data, and it might appear and show that it’s linked to a password. Depending on how unique that password is, you might be able to identify other accounts that they’re using, because we all reuse passwords. We shouldn’t, and we get told not to all the time, but most people do. So, you might be able to identify other email addresses and then you can use other OSINT techniques to find more information linked to that. There are tools out there that will allow you to search for an email address and, using open-source techniques, can find things like telephone numbers that link to social media accounts, that link to things like Cash App and Venmo, that can give you access to the real identity of an individual. So, this is a very basic, simplistic way of talking about the workflow, but you can definitely use information in data leaks to be able to investigate individuals. I see it as another tool in the toolkit of data that’s open that you can use as part of your investigation.

We also see a lot of extremist activity on the dark web and particularly on Telegram. So, these are some images that we identified related to ISIS, but we also have things on there that are, you know, right-wing, extremist, racist information that’s being shared, and it’s important to monitor these because they can lead to real world threats, and so we need to identify what is being done. You can see with the ISIS threats these were around some sporting events where they were encouraging people to target the sporting events and they were giving specific areas that they should do that, and this is something we’ve definitely seen an increase of: using the dark web, using things like Telegram to incite violence in others and create lone actor attacks. So, it’s definitely something that needs to be monitored.

Executive protection is also a use case that we’re seeing more and more active on the dark web, or the data on the dark web helping with that use case, I should say. So here I’ve got, and I apologize for some of the language in this, but just to highlight, on the left-hand side, we’ve got a post from DoxBin where they’re talking about an ex-FBI agent. Whether this information is accurate, I don’t know, but you can see they’re providing things like date of birth, address, telephone number, his wife’s information, what their role was. He’s also got their daughter’s information. So, huge amounts of data are being shared about individuals on Doxbin. If you’re not monitoring that, then that’s going to be an issue because, you know, a lot of the time when people’s information is shared here, it can lead to real-world attacks, like things like swatting attacks. A lot of that information would come from Doxbin. You can also see we’ve got a data leak here that specifically mentioned CrowdStrike employees. Again, I haven’t provided any of the actual data, but you’ve got first name, last name, email, where they’re located, their phone number, their job title. So, this is information that’s being released about employees. And again, this is why you need to kind of be monitoring data leaks for your employees’ information being shared. And I think it’s really important as well that you do that from a corporate perspective of looking at corporate email addresses, but to do this completely you also need to have access to personal information too. And then the one with the not great language, so apologies again for that, is from 4chan and it is an example of a particular individual that I have blanked out being threatened and it being said he will be shot, shot like the healthcare CEO, and it’s a long time coming. So, we can see kind of chatter and rhetoric of people making threats against individuals on dark websites as well.
And it’s really important to analyze those and make a judgment about, you know, the risk that these individuals pose and then use OSINT techniques to see if you can identify who these individuals are so you can have a bigger picture. 4chan, unfortunately, is a difficult one to do that with because it’s anonymous, but it’s so important to know what people are discussing.

And then you can also do threat actor investigations and attribution. So, this is a bit of a historic one, but Pompompurin was the admin of Breach Forums previously. He was also on RaidForums, and, you know, from analyzing the data, we were able to look at the username and see that he was active on all of these different dark web forums. We were really able to build that footprint of how he was operating, but you’ll see he was also on Discord. And so, it really allows you to kind of understand how this person’s operating, and obviously you can analyze their language and what they’re talking about, and if there are any clues within those forums to location and information. But I highlighted the DoxBin for executives; threat actors get doxed all the time as well. So, this is an example of information relating to him that was shared online. Several people doxed this individual. So, it’s clear now that Pompompurin was Conor Brian Fitzpatrick. He was subsequently arrested. So, using the data, and again, this is a very simplified version, you’re able to identify a real person based on a username and kind of how people are interacting in the community. And from that, we were able to identify telephone numbers that he used, that you can do further research on, and IP addresses that he used. And I believe one of the IP addresses that was associated with Fitzpatrick was actually where he was hosting Breach Forums, and the FBI were able to use that. He is now, or he was, incarcerated; he was charged. So using the data and the information online can really help you doing investigations into threat actors as well.

Okay, and we have a third question. So what use cases are most important to you? I think it’s important to understand what use cases people are working on so we can best identify kind of the data that’s going to support that from the dark web.

But with that said, I’m going to move on to a couple of quick demos to show you real world examples of how we can find data using the Vision platform (see recording for demo portion).
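The stealer-log and password-reuse pivot Erin walks through above (combo lines of URL, username and password; searching leak data for an email, then using an uncommon reused password to link other accounts, and reading the URLs for network access exposure) is easier to see as code. The example below is added here for illustration and is not DarkOwl's, Vision's or the webinar's code. The combo lines, accounts and hosts in it are constructed for the demo; the url:user:password layout, the right-to-left split on ':' and the short weak-password list are assumptions stated in the comments.

```python
"""Pivot on password reuse in combo-style stealer-log lines.

Added example, not DarkOwl's code. The input lines are constructed for
the demo; the url:user:password layout mirrors the "combo" format the
webinar describes, but real dumps vary (delimiters, field order, quoting).
"""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample combo lines (hypothetical accounts, not real data).
SAMPLE_COMBO = """\
https://mail.example.com/login:alice@example.com:Tr0ub4dor&3
https://forum.example.net/ucp.php?mode=login:alice@example.com:Tr0ub4dor&3
https://shop.example.org/account:alice.w@personalmail.test:Tr0ub4dor&3
https://vpn.corp.example.com:443/remote/login:bob@corp.example.com:Summer2024!
https://games.example.io/signin:bobby_g:Summer2024!
https://mail.corp.example.com/owa:carol@corp.example.com:123456
https://intranet.other.test/login:dave@other.test:123456
not a combo line at all
"""

# Assumed list: passwords too common to count as a link between two
# accounts (a real run would use a much larger common-password list).
WEAK_PASSWORDS = {"123456", "password", "qwerty", "12345678", "111111"}


@dataclass(frozen=True)
class Credential:
    url: str
    user: str
    password: str

    @property
    def host(self) -> str:
        return urlsplit(self.url).hostname or ""


def parse_combo(text: str) -> list[Credential]:
    """Parse url:user:password lines into Credential records.

    The URL can itself contain ':' (scheme, port), so we split from the
    right. That assumes the password holds no ':'; the format gives no
    way to resolve that case, so such lines would parse wrongly.
    """
    creds: list[Credential] = []
    for line in text.splitlines():
        parts = line.strip().rsplit(":", 2)
        if len(parts) != 3 or not parts[0].startswith(("http://", "https://")):
            continue  # not in combo layout: skip rather than guess
        url, user, password = parts
        if user and password:
            creds.append(Credential(url, user, password))
    return creds


def pivot_on_password(creds: list[Credential], seed_user: str) -> dict[str, set[str]]:
    """Return {password: {other usernames}} for each non-trivial password
    seen on seed_user's accounts that also appears on other accounts.

    Weak or short passwords are skipped: two strangers both using
    "123456" is not evidence that they are the same person.
    """
    by_password: dict[str, set[str]] = defaultdict(set)
    for c in creds:
        by_password[c.password].add(c.user)
    seed_passwords = {c.password for c in creds if c.user == seed_user}
    links: dict[str, set[str]] = {}
    for pw in seed_passwords:
        if pw in WEAK_PASSWORDS or len(pw) < 8:
            continue
        others = by_password[pw] - {seed_user}
        if others:
            links[pw] = others
    return links


def exposed_hosts(creds: list[Credential], domain: str) -> Counter:
    """Count leaked logins per host under a corporate domain: the
    account-takeover / network-access view of the same data."""
    return Counter(
        c.host for c in creds
        if c.host == domain or c.host.endswith("." + domain)
    )


if __name__ == "__main__":
    records = parse_combo(SAMPLE_COMBO)
    print(pivot_on_password(records, "alice@example.com"))
    print(pivot_on_password(records, "carol@corp.example.com"))
    print(exposed_hosts(records, "corp.example.com"))
```

Run as written, the seed alice@example.com links to the personal address alice.w@personalmail.test through the reused "Tr0ub4dor&3", carol@corp.example.com links to nothing because "123456" is discarded as a weak pivot, and the corporate view shows one leaked login each on vpn.corp.example.com and mail.corp.example.com. As Erin says of every dark web data point, a password link is a lead to verify with other OSINT sources, not an identification on its own.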



[Webinar Transcription] Executive Protection and Security in a Dangerous World

February 19, 2025


Executives are increasingly targeted by activists of all types, posing significant threats to them personally and risks to their organizations. Many of these attacks can be detected or even predicted by monitoring exposure of the executives in the darknet, including leaked and stolen PII, credentials, chatter around the executives, and in some cases direct threats.

Despite utilizing various security tools, many organizations lack a dedicated executive protection service to monitor and alert on potential threats or negative chatter targeting executives. Addressing this challenge might seem complex, but the stakes have never been higher.

In this webinar, attendees learned how to effectively baseline, monitor, and alert on organizational and executive threats using DarkOwl’s Vision platform. Discover practical steps to safeguard your executives and your organization against these evolving threats.

NOTE: Some content has been edited for length and clarity.


Kathy: Today’s webinar will be held as a fireside chat with Mark Turnage, DarkOwl’s CEO as our moderator. Before we begin, we’d like to give each company a moment to introduce themselves.

Brandon, would you like to tell us a little about Ascent Solutions?

Brandon: Absolutely. So, if you’ve never heard of us before, we are Ascent Solutions. We’re an award-winning Microsoft Solutions partner that specializes in the Microsoft security stack. We offer a wide range of cybersecurity services to include advisory, professional services, as well as managed services, including Cyber Threat Intelligence, Security Operations Center, and Threat and Vulnerability Management as a service, just to name a few.

Kathy: Mark, would you like to tell us about DarkOwl and then start our chat?

Mark: I’d love to. My name is Mark Turnage. I’m the CEO and Co-founder of DarkOwl. DarkOwl is a company that was established for the sole purpose of monitoring the darknet and what we call darknet adjacent networks for criminal activity and underground activity on behalf of our clients. We monitor tens of thousands of sites a day, and they include everything from the traditional Tor network all the way to Telegram channels where threat actors are now active. Our data is available in a number of different ways, UI, APIs, data transfers, and we number many of the world’s largest cybersecurity companies as our customers.

It’s a pleasure to be here today with Brandon, and I’m going to just let Erin introduce herself really quickly, and let’s start with questions.

Erin: Hi, everybody, I’m Erin. I’m the Director of Intelligence and Collections at DarkOwl, so responsible for the data that we collect as well as doing investigations on behalf of our customers.

Mark: Great, let me go ahead and start. I’m going to direct this question first at Brandon and then at Erin. Can you give us the basics of executive protection? What is it and why is it important?

Brandon: Well, at Ascent Solutions we offer what we call digital executive protection monitoring and alerting services that succinctly tie in with our team’s approach to continuous threat exposure management. Our approach to executive protection is actually rather simple. We provide enhanced monitoring of the dark web that specifically focuses on key executives and organizational leadership. We recognize that alerts specifically pertaining to these individuals and key personnel could require a more tailored and, of course, timely approach, with additional requirements, actions, activities and engagement beyond just the regular security team.

Mark: Great. Thank you. And Erin. Why is it important to monitor specifically, executives’ data online?

Erin: Executives tend to be the most visible people in any company. So, their information is out there, they’re doing things like webinars, they’re putting press releases out, et cetera. And so that makes them more of a target to individuals. And I think historically we’ve thought about physical threats, and that’s still a concern obviously in terms of people being targeted, but more and more what we’re seeing with cyber threat actors is that they’re using the information that they can obtain in the digital realm in order to target those quite visible people. And they can do this in a number of ways, and this is why it’s important to monitor digital activities from different perspectives, because there’s information that can be leaked about executives which can lead to information that threat actors can use, and they can get their credentials and get access that way. But there’s also a social engineering aspect to this. You know, if people are putting a lot of information out there on social media about their movements, about their hobbies, about how they operate, that makes it a lot easier for threat actors to impersonate them or use them to target members of the company. And we see that a lot with phishing attacks. So, I think it’s really important to understand, especially for executives, but probably for all employees and individuals, you know, what information is out there about you and what steps can you take to protect your digital footprint.

Mark: And I’m gonna go off script here, so I’m gonna cause our hostess Kathy to have a heart attack.

You know, I have heard through the years and have seen it, we’ve seen a little bit of it ourselves, that oftentimes not only are executives the most visible members of a company, but also they’re the least cautious. It’s the C-suite. Have you guys found that to be the case in some cases? I don’t want you to bad mouth your clients or our clients, but do you find that to be the case?

Brandon: I’d say it depends on the executive when it comes to that, but I’d say that there’s some consistency with that, Mark.

Erin: Yeah, I would say anecdotally, that does seem to happen. But I feel like maybe it makes a bigger splash when it’s the C-suite that’s messed up. But you know, people, I think as well, like it could be, you know, a generational thing as well. C-suite tend to be older. They tend to be less tech savvy. They tend to not think about social engineering attacks or how the information that they’re providing could be used. But then in the same vein, younger people put way too much information on social media, in my opinion, so it’s a balance.

Mark: Sure. I mean, I’ve been subject to phishing attacks myself. Some of them quite sophisticated. And all of them, all of the most sophisticated ones tried to take advantage of the fact that I was the CEO. They had a message or a sender that I would pay attention to. They were quite sophisticated.

Brandon: Yeah, I would love to add to this one too, big time. Multiple vendors throughout 2024 identified that threat actors are increasingly targeting executives, basically to get a foothold into their organization, causing reputational damage or just picking an insidious activity. This is also actually quite consistent with what we’ve seen in our SOC, and we have to keep in mind that executives often have access to the organization’s most critical business functions, which threat actors can use to gain that foothold. We don’t exactly, to Erin’s point, make it very hard either. We feature our executives, and in some cases we feature direct contact information for these folks out there as well. So, putting it all together, we basically roll out a red carpet for these folks to attack our most senior people.

Erin: I think you have to think about the senior folks being impersonated as well. So, you know, employees are much more likely to respond to a phishing email if they think that it’s coming directly from an executive. And, you know, with things like AI now, you can generate an executive’s voice. If an executive is out there doing a lot of press and webinars, their voice is on the internet, you can impersonate that and use that against their employees. So there are aspects of that as well.

Mark: We’re gonna come onto that. And the question I had for you, Brandon, was what is it about now? What’s different about now that makes monitoring this type of data more important than ever?

Brandon: Well, I think threat actors are getting more creative every day. And we’re seeing them attack and exploit things that are often on the periphery, especially since throughout 2024 we watched a lot of different third party vendors that have access into different environments get hit. So, I do think that most of the time, when we get dark web monitoring and alerting services, it’s specifically monitoring your email domain. But we need to open up the aperture on that, in my opinion. We need to be monitoring the organization and any mentions of the organization, obviously email domains and credentials. But specifically with executives, sometimes a lot of these executives link some of their non-business email addresses or contact information to their business email contact information as well. So, with that, we’ve got to be mindful of threat actors exploiting these fringe and periphery things to get access. Their goal remains the same: cause as much damage as possible, get access, sell access, etc. We’ve got to be cognizant of that.

Mark: And Erin, what’s different about the dark web as opposed to more social media sites? Give us some sense of that difference.

Erin: Yeah, I think people on the dark web have a bit more of a sense of they can do whatever they want. So, you know, we see things like doxing, where threat actors will just provide information about individuals, and it will basically be a dossier of that individual, all the information that they can find about them. We don’t tend to see that shared as much on things like social media. And also, just the sheer breadth of kind of leak and stolen data and Stealer Logs is something that we’re seeing, a huge surge in and the dark web is where they buy and sell that information.

And I think everyone needs to be cognizant of this. You can be as careful as you want about your digital data and your footprint, but you don’t have any control over the third parties that you’re putting your information into. And if they get breached, your information is out there. So you can be pretty savvy, you can have limited social media profiles, you can have all the privacy settings, etc. But if you have MyFitnessPal and MyFitnessPal gets leaked, your information is out there. So that’s on the dark web. So, I think it’s very important to be aware of that.

And then kind of moving to some of the dark web adjacent sites that we monitor as well, things like Telegram and Discord. We see a lot of individuals talking about targeting or accessing particular companies, or just geopolitical events that affect their lives and, you know, are hitting organizations and companies. So I think just monitoring that rhetoric as well, stepping slightly away from specific executive protection to just kind of general organizational protection and reputational risk. There are a lot of individuals out there, you know, making anti-Semitic comments, making violent comments, you know, making threats against executives and against organizations. And I will say social media has probably changed slightly in the last year or so, where some people feel that they can do that on the open web as much as they can on the dark web, but it’s certainly something we’ve seen on the dark web, you know, increasing over the last few years.

Mark: And Brandon, give us some examples of some of the threats and risks that you guys have found and maybe talk about a unique case that you’ve you’ve come across.

Brandon: I think most commonly we see stolen credentials, data breaches, ransomware posts, threat actors discussing and sharing proofs of concept, or just the sale of weaponized exploit code targeting specific vulnerabilities, amongst many other different nefarious things. So, we’ve got a couple. I think the most consistent one that we see, more often than not, is, you know, our customers ask us, well, why are my executives, my leadership, the most phished? Well, it’s like, well, look at your website, man, you’ve got the contact information right up there. Or it’s something like, your boss keeps signing up for all these random newsletters that continue to get hit, you know, with his business email, which is why he’s in X amount of different data breaches. That’s the most common, the most consistent. But I think the most bizarre case that we ever had to respond to, we had a customer that had just moved organizations and went to an organization that had recently been hit by a threat actor. And he had called us in to give him a hand and some assistance. Specifically, my part was to monitor the dark web, to get a good idea of what their presence really looked like on the dark web as well, which was very important for him, obviously. So I built a couple of different cases, specifically watching for organizational mentions, email domains, or just anything and all things related to the victim company. And sure enough, the threat actor wanted to gloat about his ill-begotten gains, and he threw up a post detailing exactly what he had stolen from the company. At that point I took that and handed it over to the team that was investigating the situation, and it kind of gave them a better idea of where this threat actor could have been.
So, continuing to monitor, updating as needed, you know, especially the posts as the thread grew on there, and I guess the threat actor made some enemies of his own kind, and they decided to dox him.

Mark: Oh my god.

Brandon: After they doxed him, they basically put it out there like, this is who he is, this is where he lives, this is his home address, this is where his parents work, here are all his socials, these are all his data repositories, this is where he stores his data. And they basically stripped this threat actor of all his anonymity, and then immediately I turned that over to the team, and I would like to believe they finally adjudicated him. I haven’t seen a post from him since. So, it could be that, well, let’s hope.

Mark: That’s very, very interesting. Erin, give us a sense of what trends you’re seeing in terms of threats in the current environment.

Erin: Yeah, I just want to jump onto what Brandon was saying there. I always find it really interesting. I think we focus very much on, “let’s protect our executives and our organizations,” which absolutely we should be doing, but I love the fact that the data that we have in leaks, and from doxing and stealer logs, helps us to attribute who is actually doing this. So we can kind of use what they’re using against us back against them, and it really helps to know why someone’s doing something and what their motivation is, because it allows you to assess the threat, you know, a lot better. You know, there’s a difference between armchair trolls that are just making threats because they’ve got nothing better to do and someone that is going to follow through on that threat. So, I think it’s really interesting to have that motivation.

In terms of trends, we’re just seeing a huge mass of data, it’s just growing and growing. We’re not seeing that diminishing in any way in terms of data leaks. I think stealer logs, they’re not new, but they definitely seem more prominent in this sector in terms of people being able to use those, the amount of credentials that are stolen and how people can use that to access things. I think we’ve definitely as well seen a lot more sophisticated social engineering, particularly some threat actor groups targeting call centers and targeting help desks of organizations, as well as the executives and CEOs, and being pretty convincing based on the information that they’re able to find on both the dark web and the surface web. Brandon’s already mentioned phishing as well, you know, not a new trend, but phishing is not going anywhere. I think as long as your email address is out there, it’s a technique that works. I mean, you look at things like Colonial Pipeline, that was, you know, really basic phishing that led to a credential attack that, you know, led to the shutdown of the Colonial Pipeline. So, I think those are the things that we continue to see and that we have to continue to mitigate against.

And then I guess the other thing that I’ve kind of already touched on that we see, in terms of threats being made against executives or organizations, I feel like anecdotally people are less concerned about the threats that they’re making there. They’re not trying to obfuscate who they are as much as they used to. I think people feel a little bit braver about what they can and can’t say. And you know, part of that’s people on the internet, they’re sitting behind a screen, you know, they think they’re untouchable. But also, I think it’s just kind of the way things are developing geopolitically, people have a sense that they can do things and take action. And I think, you know, we’d be remiss in an executive protection webinar not to talk about the UnitedHealthcare assassination. You know, that individual, as far as we know from reports, obviously I wasn’t involved in that investigation in any way, didn’t have a huge amount of rhetoric online, you know, about thinking of doing that. But I think it really just highlights, you know, when people have pain points, and they’re talking about those pain points, you need to kind of pay attention to them. And that the digital world, and the digital things that people are talking about, and the exposure that people have, you know, he had to know that that executive was going to that hotel at that time, and that was probably from his digital footprint. And so there can be real world impacts outside of, you know, hacking and network things that I think it’s important to be aware of as well.

Mark: And can I ask you both a question. When you’re monitoring an executive, take me as an example, you’re monitoring Mark Turnage. How often do you pay attention to Mark Turnage’s spouse or partner and family? Have you seen that as an attack vector by threat actors?

Erin: I would say it’s definitely an attack vector. Again, executives will get education through their security, through their SOC, whoever, telling them what they shouldn’t do, and they can improve on that. Whereas kids might post where they’re going on holiday and things like that, and it can make them more vulnerable. What I would say about that, though, is that it’s really up to the organization and the executive whether they want to extend the monitoring that wide. A lot of people, for very legitimate reasons, don’t want to share the more personal side of their information, their family, their personal emails, etc. I would caution against that, because, you know, you need to look at things as a whole when it comes to this. But yeah, that does tend to be an issue, the privacy concerns around that.

Brandon: Yeah, I grouped that with the periphery as well.

Mark: We’ve seen one or two cases where the social, as Erin said, the social media posts of children were a primary attack vector because they could follow an executive’s family around. And as Erin said, it’s a choice for the executives and the organization to make.

Give me a sense, Brandon, what practical steps can be taken to baseline an organization and then monitor it? And how have you used DarkOwl to monitor and alert to these threats?

Brandon: Yeah, absolutely. Well, one thing I learned after 20 years in the Marine Corps is that collection planning is key for any type of operation. So, for our Digital Executive Protection Monitoring and Alerting Services, we have a whole menu of different things that we offer our customers who wish to subscribe to this. So, it’s up to them. From there, we pump that into DarkOwl to specifically monitor for those different things. And the great thing about DarkOwl is you’re able to build a case where it’s going to go out and fetch at whatever frequency you want it to. This is the information that you ask it to go look for across various different things. If I want to specifically look in extremist forums or just other threat actor-based forums, I can have it look specifically for these different things there. Or if I just want to focus on email domains or email addresses in these different forums, like, yeah, absolutely, I’m going to go do that. Most consistently, as far as our basic package goes, what we do is we monitor the organization, the organizational email domain, and the names and the business email addresses, and in some cases personal email addresses that are joined to the network environment, of the different executives, and we build a case around that. So any time something does pop up, I get a notification and then we handle it accordingly.

Mark: So great. And those can be in relatively real time, you know, within a minute of a post being posted.

Brandon: Yup.

Mark: Erin, give me a sense of what mitigations companies can take to protect their executives. I mean, it sounds like there’s this Wild West world where data is being spilled out there or doxed out there. You know, what can a company or an organization really do to mitigate the risk to their executives and to the organization itself?

Erin: Yeah, so I think one is doing this kind of monitoring and being able to baseline what is already out there, because there’s no way that there isn’t something out there to begin with. So, you want to have that and you want to be able to see any changes. But basic steps that organizations can take are giving people cybersecurity training on phishing attempts and what to look out for, giving people advice on what they shouldn’t share on social media and how they should set their privacy settings, etc. I think having a really strong password policy. Leaks are going to happen, but if you’re not using the same password on every account, it really reduces the risk that it has to your overall footprint. I think using things like password managers can really help with that.

And then I think being cognizant of what data is out there, you know, there are ways to remove some of that data, not on the dark web, unfortunately. So if your data is on the dark web, your data is out there. But there are a lot of kind of data brokers and other organizations that will hoover information up from public records and from social media and you can legally ask for that information to be removed. So that’s something that you should probably look at doing as well.

And I think just being generally vigilant, making sure that your employees are trained and know what to look out for, but also know what they should and shouldn’t do. Like, don’t post too much information on social media. Don’t mix your personal and your business email addresses on accounts, like don’t use your business account for your hotel bookings and things like that, because that’s the way that threat actors can, you know, piece together your life and do those kinds of doxes that Brandon was talking about. So, I think it’s just having good cyber hygiene and having good education to try and mitigate and reduce the risks as much as possible. I think everyone needs to be aware that you can’t remove the risk. You know, there are steps you can take. We can do this monitoring. We can be looking out for that. We can be as vigilant as possible. But we can’t protect all the third parties where we’ve put our data. And so, you just need to be very vigilant for these types of attacks.

Mark: And you must get this question all the time, Brandon. What do we do about this? Can I take darknet data off the darknet? Can I take my data?

Brandon: No.

Mark: You must get this asked this all the time by your clients.

Brandon: All the time. Adding to what Erin said, I think enacting continuous monitoring of your executives on the dark web and integrating custom alerting into your SIEM to identify and respond to potential security threats, I think that’s awesome, which is why we bring that into our continuous threat exposure management modus operandi here at Ascent Solutions. We bring this all in together. And I think it’s important having sufficient processes in place to monitor for these specific things. DarkOwl enables a lot of that. And there’s a lot of science that goes on after that when these things happen, which is why I’m just very grateful to have such an awesome SOC team that I’m a part of.

Mark: And we haven’t talked about this. Let me ask this question. How deep in an organization is it? Have you monitored for executive protection below the C-suite level, senior management as well, or do you tend to focus on just the C-suite?

Brandon: I think it depends on the organization and where they have determined their most critical business functions are. So, although this person is a mid-level part of the organization, this person is in charge of all these different industrial control system equipment here, and they have a public-facing presence that interfaces with the OT environment and the IoT environment. So yeah, that’s definitely a high-value individual. It depends on the organization, to answer your question, but yes.

Mark: Yeah, I was thinking about system administrators, for example. They’re not C-suite, but they’re very, very important people in an organization.

Erin: Yeah, I think it can depend on the role. Again, it depends on the organization, their size and their appetite for this kind of thing. But there are certain roles that you definitely need to be aware of. But I think it’s also, to Brandon’s point, what public exposure those individuals have. The bigger footprint that they have out there, the more likely they are to become a target. So, you might be someone that has a really important role, but you’re very discreet and kept quite quiet and not publicly listed on the website or anything like that. And that’s not to say you shouldn’t want the same for them, but it’s probably less risky.

Brandon: Correct.

Mark: I’ve never heard of a company like ours or yours doing this, Brandon, but you might want to do a social media audit of all the employees to see who has the most social media exposure. Because I mean…

Erin: There’s a direct correlation with that, right? Like, so Mark, you were talking earlier about how you get phished all the time. And I know other people in our company have received those phishing emails. I never get them. And my hypothesis is, because I’m not on LinkedIn. So, you know, you can make yourself less of a target by protecting your digital footprint in certain ways. I know anecdotally of a case going back to what you were saying of family members and like checking social media and things. They had an executive who was pretty careful and pretty secure, but their wife had uploaded a review that included locational information. So, you know, it’s what people put out there.

Mark: Yeah. I have seen CISOs, system administrators, and other cybersecurity professionals very active on social media, which is an interesting tension given their roles. We’ve talked a little bit about use cases, but if you guys could both finish with sort of – one of the most unique cases that you’ve seen using the tool, that’d be, I think it’d be informative for our listeners here.

Brandon: I think the one that we specifically talked about with the other company with the threat actor getting doxed, like that was the absolute most unique case that I’ve ever seen. You know, and that’s definitely in the Hall of Fame for as far as DarkOwl for the win moments for our company.

Erin: I’m trying to think. I don’t know that I can think of something that’s particularly unique. But I mean, we definitely see impersonations of executives on Telegram and other areas, threats being made, a lot of memes being used for that kind of activity. And then I just think that doxing is such an interesting area of the data set that we collect from. I’ve seen everything from executives to FBI agents having their information released. And once that information is out there, there’s very little that you can do about that, but you need to know that it’s out there. So having that monitoring capability to know what of your information is out there and how you can be vulnerable. But as I said, I think turning that back, the threat actors do this themselves to each other. And so, it’s very helpful. I mean, there are a lot of threat actors out there that are involved in things like swatting. They’ll swat executives’ and other famous people’s homes, or schools or universities. And they make kind of a game out of that. But because they’re interacting with each other, they, you know, anger each other, and that causes their information to be doxed, which helps us as investigators to find out who is doing this. And as I said, that important part of motivation, which I think some security people, they just want to stop an incident, they just want to stop data being stolen. But I think it’s always really important to look at that motivation piece as well.

Mark: And Brandon and Erin, do you see any trends in threats to executives that are sort of based on geopolitical events? Something happens geopolitically or politically here in the US, or something like this shooting, this tragic shooting of the UnitedHealthcare CEO. Do you see risks go up or chatter go up, or does it tend to be fairly flat throughout?

Brandon: From a geopolitical perspective, absolutely. We’ve got to go back in time for this one a bit. But when Russia was getting sanctioned a lot by a lot of different commercial vendors, that kind of set off a red flag for a lot of the Russian-based e-crime actors to start going after and specifically targeting these companies because of the Russia-Ukraine war. So that really prompted a lot of these folks to start going after them. So yeah, it really depends. It really depends on the situation, you know, and what the atmospherics are surrounding that situation as well.

Erin: Yeah, I mean, we’ve definitely seen, I think the most recent one off the top of my head that I can think of is the Israel-Hamas conflict. That definitely caused a lot of individuals that were Jewish to be targeted, and Palestinians to be targeted, so you definitely see those trends in relation to big geopolitical events, and I think that’s something that executives and organizations need to be aware of, as well as posturing around these types of events. I would say the main trend I’ve seen with the UnitedHealthcare incident was executives are more concerned; they’re taking more of a proactive approach to maybe looking at their footprint. And I think a lot of people were very surprised by the response to that from a lot of individuals on social media, on things like Telegram, where there wasn’t a lot of disgust at what the alleged assassin had done, and more concern about, you know, we don’t like these executives. There was one individual on social media who produced a deck of cards with different CEOs’ faces on them as targets. So there’s definitely that kind of rhetoric, whether that leads to actual threats or it’s just people talking. You know, it’s hard to say, and that’s again why that motivation point is important. But yeah, I think there are definitely trends and activities that happen that have an impact on all of this kind of thing.

Brandon: It’s never a dull day in the life of a threat intelligence manager in cyber security.
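The monitoring workflow Brandon and Erin describe above (a watchlist of the organisation's email domain, executive names and business and personal email addresses; alerts whenever those surface in collected forum or Telegram posts; those alerts pushed into a SIEM) is the kind of logic a practitioner would want to see concretely. The Python below is an added example written for this page; it is not part of the webinar and not DarkOwl's Vision platform or Ascent Solutions' service. The watchlist, the sample posts, the threat-term list and the severity scheme are all constructed assumptions for illustration.

```python
import hashlib
import json
import re

# Constructed watchlist for a hypothetical organisation (assumption: not a real client).
WATCHLIST = {
    "domains": ["example.com"],
    "executives": [
        {"name": "Jane Doe", "emails": ["jane.doe@example.com", "jdoe.personal@mail.example"]},
        {"name": "John Roe", "emails": ["john.roe@example.com"]},
    ],
}

# Threat language that escalates an executive mention (illustrative list, not exhaustive).
THREAT_TERMS = ("kill", "swat", "hurt", "home address", "dox")

# An email followed by a separator and a secret: the shape of combo lists and stealer-log lines.
CRED_RE = re.compile(r"([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})[:;|](\S+)")

# Constructed sample posts standing in for collected forum / Telegram content.
SAMPLE_POSTS = [
    {"id": "p1", "source": "forum", "text": "fresh combo list: jane.doe@example.com:Summer2024! bob@other.example:pass"},
    {"id": "p2", "source": "telegram", "text": "anyone got info on John Roe? heard he runs example.com, want his home address"},
    {"id": "p3", "source": "telegram", "text": "JANE DOE speaking at that conf next week, lol her personal jdoe.personal@mail.example leaked"},
    {"id": "p4", "source": "forum", "text": "selling access to unrelated corp, dm me"},
]


def _alert(post, kind, severity, indicator, executive):
    return {"post_id": post["id"], "source": post["source"], "kind": kind,
            "severity": severity, "indicator": indicator.lower(), "executive": executive}


def scan_post(post, watchlist=WATCHLIST):
    """Return the alerts one post raises against the watchlist (empty list if none)."""
    text, lower = post["text"], post["text"].lower()
    email_owner = {e.lower(): ex["name"] for ex in watchlist["executives"] for e in ex["emails"]}
    domains = {d.lower() for d in watchlist["domains"]}
    alerts = []

    # 1. Credential-style lines: a watched executive's email is high, any org-domain email is medium.
    for m in CRED_RE.finditer(text):
        email = m.group(1).lower()
        if email in email_owner:
            alerts.append(_alert(post, "credential_exposure", "high", email, email_owner[email]))
        elif email.split("@", 1)[1] in domains:
            alerts.append(_alert(post, "credential_exposure", "medium", email, None))

    # 2. Executive name or email mentions; co-occurring threat language escalates to critical.
    threat = any(term in lower for term in THREAT_TERMS)
    already = {a["indicator"] for a in alerts}
    for ex in watchlist["executives"]:
        hits = [e for e in ex["emails"] if e.lower() in lower and e.lower() not in already]
        if ex["name"].lower() in lower:
            hits.append(ex["name"])
        for indicator in hits:
            alerts.append(_alert(post, "threat" if threat else "executive_mention",
                                 "critical" if threat else "low", indicator, ex["name"]))

    # 3. Bare organisation-domain chatter, only when nothing more specific fired.
    if not alerts:
        for d in domains:
            if d in lower:
                alerts.append(_alert(post, "domain_mention", "low", d, None))
    return alerts


def fingerprint(alert):
    """Stable id so a post re-fetched on the next polling cycle does not alert twice."""
    key = f"{alert['post_id']}|{alert['kind']}|{alert['indicator']}"
    return hashlib.sha256(key.encode()).hexdigest()


def scan_posts(posts, watchlist=WATCHLIST, seen=None):
    """Scan a batch of posts, suppressing alerts whose fingerprint is already in `seen`."""
    seen = set() if seen is None else seen
    new = []
    for post in posts:
        for alert in scan_post(post, watchlist):
            fp = fingerprint(alert)
            if fp not in seen:
                seen.add(fp)
                new.append(alert)
    return new


def to_siem_lines(alerts):
    """One JSON object per line, the shape most SIEM ingestion pipelines accept."""
    return [json.dumps(a, sort_keys=True) for a in alerts]


if __name__ == "__main__":
    for line in to_siem_lines(scan_posts(SAMPLE_POSTS)):
        print(line)
```

Against the constructed posts this yields a high-severity credential exposure for Jane Doe (her business address with a password beside it), a critical alert for John Roe (name mention plus threat language), two low-severity mentions for Jane on the Telegram post, and nothing for the unrelated post. The `seen` set is what makes a polling loop safe to re-run: the same post fetched again produces no duplicate alerts. In practice the name match would want word-boundary handling and the threat vocabulary would be tuned per client, but the structure, indicators in, severity-ranked JSON out, is what Brandon's "build a case and get a notification" amounts to.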


Check our blog on Executive Protection and the Darknet. Read Here

[Webinar Transcription] Expose & Enrich Intelligence Related to Front Companies and their Influence Operators

February 13, 2025

Or, watch on YouTube

In this webinar, analysts demonstrated how to investigate and pivot on front company infrastructure, using Falkor and DarkOwl dark web data, to analyze and enumerate possible front companies and their employees.

Highlights:

  • Adversaries of the West are using front companies to obfuscate/hide their malign activities against the West
  • Sanctions and notable indictments from recent months
  • Enriching information using both Falkor and DarkOwl platforms
  • Investigating personnel, infrastructure, and other evidence linked to front companies

NOTE: Some content has been edited for length and clarity.


Ari: It’s a pleasure to be here with you. My name is Ari. I am an OSINT analyst here at Falkor, responsible for integrating various tools like DarkOwl into Falkor, also general sales engineering, training, and handling any sort of client affairs that come up. You also may know me from my blog, memeticwarfare, where I write about influence operations and investigating them, and a number of other ventures that I happen to be involved in. I’m very happy to be here with you today alongside Steph, and we’ll let her introduce herself shortly, as we show how you can utilize dark web and deep web data from DarkOwl in Falkor to investigate, in my opinion, very interesting Russian influence activity globally and uncover new front organizations from a few data points.

Steph, you wanna introduce yourself?

Steph: Absolutely, yeah. I second that this is going to be really interesting. I’m so excited to dive into it. So, hey everyone, I’m Steph Shample. I work here at DarkOwl. I used DarkOwl’s data before I became an employee, so I’ve got tool perspectives, very similar to Ari. I think once you’re an analyst, you just can’t get out of being pulled into everything. So, I also help with client training, use cases for how you might employ DarkOwl intelligence in your other day-to-day operations or your separate intelligence operations. And we’re going to get more into our company specifics as well. So, Ari, back to you.

Ari: So, Falkor is an interesting product. In my opinion, it’s kind of leading the next generation of what analysts are going to be using going forward. It’s an API-forward analyst operating system, where in addition to carrying out all of your link analysis, data visualization, querying of various tools and so on, you can connect all of your internal data sets, be they files, databases, any other REST APIs you happen to have, all into one place. And then, of course, you can bring OSINT sources like DarkOwl or whatever else you happen to have into Falkor to utilize all of it simultaneously and seamlessly.

There’s also, of course, a full collaboration suite, task management, case management, all those additional add-ons that you need to run a case effectively. We have built-in AI capabilities, including an analyst investigative chatbot, digital profiling, real-time monitoring, and much, much more in what I may say is probably the most aesthetically pleasing, dark-mode-first analyst platform out there, which anybody here who works in this space knows just how important that is. I’ll let Steph introduce DarkOwl.

Steph: Yeah, thanks. I’ll take it for DarkOwl. So, we’ve been around for about 12 or 13 years, DarkOwl. We are the world’s leading provider in Darkint intelligence. We cover, of course, the dark and deep web. We also cover what we consider dark web adjacent platforms, that is, places like Telegram channels, Discord servers, and, of course, IRC chat. We consider them dark web adjacent because, as you’re gonna see now, especially since Telegram has entered the fold and become more popular in geopolitical events, influence operations, and cybersecurity, it’s also cross-referencing, and actors are using both their onion platforms, their markets, their forums, to advertise on Telegram and vice versa, thus maximizing the potential for financial return or notoriety in their operations.

So, the image that’s on your screen here: of course we cover Tor, that’s the browser that you would download and use to access the dark web. We also have I2P and ZeroNet. We are definitely on discussion boards as more people share tactics, techniques and procedures, or TTPs. Underground criminal forums and markets, which we’ve touched on, are pretty self-explanatory. And then, of course, those chat platforms that I’ve referenced and how they go back and forth.

Ari, real quick. Do you want me to go into the dark web and how it works now? Or do you want to save that?

Ari: No, absolutely. Absolutely. Let’s lay the foundation for sure.

Steph: Let’s lay it. I like it. So, Ari and I did want to be very clear, you know, for those who aren’t in this space, what is the dark web? What is the deep web? Everyone’s got their own definition. You’ll see all kinds of chatter and people contributing to that conversation. But let’s just keep it very simple. So, the surface web, you download a browser, right? Your choice, Chrome, Firefox, Brave, whatever that is. Very easy. Everything that you’re accessing, if you’re searching on there for recipes or how to, you know, sew or whatever that looks like, it’s attributable. You can find that information, several clicks, couple buttons, you’re good to go. It’s attributable, right? Every IP address and every website is mapped. They relate to one another. All activity is generally able to be observed. Where is this website hosted? Is it a Google domain, an Amazon domain or something else?

Whereas the dark web is meant and was built to be obfuscated. It is built to be more anonymous. It has more privacy features. So, you need special equipment to download it. When you access a .onion URL, you cannot put that .onion URL into, say, Google or any kind of other browser. You’ve got to put it in Tor, or there are a couple of other browsers. Some people work with Tails as well. It is not indexed, so you really can’t search a lot on the dark web for recipes or any kind of thing. You have to know what you’re looking for and where that type of material is hosted. So, if you need something, say, if you had a ransomware incident, if you’re in this space, you’ve got to know how to access the ransomware blogs where they host them. If there’s an initial access broker that’s selling access to your company on the dark web, you’ve got to know maybe their name, how to get ahold of them, what market or forum they operate on. And again, it’s built for privacy, right? It is not going to easily give up information such as locations or IP addresses. In Tor, you have three of them, you have a beginning IP address, a middle and an end, and they change approximately every 10 minutes. It’s meant to be obfuscated. It is designed to be anonymous. So that’s our high level. What is the dark web? How do we access it? What are we doing? We welcome further questions on that if you’d like to put them in the chat or contact either one of us. No problem.

All right, Ari, I’ll kick it back to you unless you have a question.

Ari: No, no, there’s just so much more to go with this stuff. I’d just say, again, if everyone wants to know about how dark web URL resolution works, let us know later. But yeah, alongside the dark web data, I think the most important thing that we’re going to bring up is the use of that in conjunction with deep web data, Telegram in particular, but also other sources as they come up, right? And that’s, I think, in my opinion, the real added value of what tools like DarkOwl and other tools that provide similar data sources do: that you can really have essentially all three layers in one setup.

So, with no further ado, let’s discuss the case that we’re going to be looking at today. The case that we’re going to be looking at today is the Center for Geopolitical Expertise. Now, you may have heard of this. They were sanctioned, I believe, about two months ago, maybe a bit less by the US Treasury Department. Here’s the statement. If you want, you can see that over here.

And we have the Moscow-based CGE, or Center for Geopolitical Expertise, founded by the OFAC-designated Alexander Dugin, whom we’ll discuss briefly perhaps later on. And then, of course, the main person running the whole operation, Valery Mikhaylovich Korovin, and other relevant CGE personnel. So, we’re going to see how we can essentially investigate this organization, the CGE. By the way, as a side note, Russian front organizations love utilizing terms like geopolitical, whatever, and expertise and that sort of stuff, just a cultural thing they happen to really enjoy doing, and you’ll see that repeat itself in this space quite a bit. We’ll see what we can essentially find out on this given organization, utilizing deep and dark web data, and then how we can expand upon that to find other signs of new front organizations and just better understand their general activity. So, we’ll cover not only dark web data, but also some investigative tips that you can utilize when investigating front activity on your own, and then we’ll conclude with a Q&A.

So, the most recent case that we have of the CGE was apparently, or allegedly I should say, though it’s becoming increasingly well-founded in terms of the research, right, their organized election interference, I would say, inside of the current German elections. They’ve also been quite active in Ukraine. They’ve run probably the single most successful operation inside of the US, called CopyCop, that was published by Recorded Future. Great report, highly recommend that you read it. And they utilize locals and other individuals to set up these AI-generated domains, targeting whatever election or given country they happen to be targeting.

Here we have an example from NewsGuard over here of a number of German-language domains used to target Germans.

Now there hasn’t been much coverage of Korovin individually beyond the Gnida project. By the way, a great Substack that I recommend that you follow. If you’re interested in tracking Russian influence operations internationally, they do a lot of great stuff. They’ve been the only ones to publish anything in depth on Korovin individually. There have been a few mentions here and there, but nothing really in depth. So, let’s see what else we can find on them. There we go. So, just to recap where we are so far and how we’re going to start our investigation, which, by the way, I find to be often one of the most difficult places for analysts, especially new analysts, you know, to get right when they get going, is where to even begin with looking into such sprawling types of activity.

We have the sanctions announced on this given group, and there has been past reporting on them from other individuals as well. And we have the number one person of interest, or POI, Valery Korovin, and of course information on him published by the U.S. Department of Treasury, including the Russian tax ID over here, which is like their social security number, date of birth, general area, and of course, the registration information of the CGE as well. I built a very humble little graph over here in Falkor’s link analysis, showing you essentially how these things work, how Korovin over here is essentially an agent of the GRU, right, he’s their liaison for the actual activity that the GRU, which is Russian military intelligence, wants to carry out internationally. We have the Rewards for Justice announcement from the US government over here, his affiliation with American John Mark Dougan, another activity, the Eurasia Organization, and other key individuals that we’ll get into in a little bit.

Just a quick word about Dugin if you haven’t heard of him. Dugin is the founder of the CGE and is a fascinating figure who we could dedicate multiple webinars to just for himself. But in short, he is a Russian far-right political polemicist with a very unique political philosophy on how the world works and how things should be, at the very least, founded on multi-polarism, meaning the world not being unipolar, centered around the United States, and essentially Russian borderline fascism, if not fascism itself in many ways. So he’s a sanctioned individual known for his very, very, very extreme views. Now, thanks to Gnida, we also know about Natalia Makeeva, who is the senior official at the CGE and is the right hand of Korovin, but we can also find out more about her independently as part of our investigation. We don’t need a project just for that. So now we’re going to see how we can take these individuals and the basic data points that we have here, identify entities for investigation, further identify new relevant entities, and then keep going. Now one thing I do want to bring up, and Steph, maybe you want to expand upon this, is the Russian dark web ecosystem in general, which is incredibly rich. So, if you have any words you want to add to that, I think that’d be helpful.

Steph: I’m fully in agreement with you, you know, the Russians are, of course, not the only actors, APT or cybercrime, focused on the dark web. But I would say they are the most frequent. They know what they’re doing. They’ve been using the dark web in their operations probably longer than any of our other adversaries. You will see Iran, China, Belarus, and pick a country, if their actors are on the dark web, you know, they are using it, but Russia is the most frequent and uses it in a variety of ways, right? From ransomware to cyber-crime, to info ops, to all kinds of influence operations, Russians are all over the dark web. We have learned the most from them. So that’s a great point, Ari.

Ari: Absolutely, and the most important point for us is that that cuts both ways, right? So there are tons of data leaks on Russia, tons. I mean, perhaps the single most leaked country I’ve ever seen, particularly in terms of sheer number of leaks and data available, and that’s how we’re going to utilize this information to keep investigating. So just from doing a name search on Korovin in Falkor with his full name, which we got from the sanctions, we get a large number of interconnected results over here. And by the way, as an aside, if you’re interested in seeing the full investigation with other information from DarkOwl and Falkor, feel free to contact us separately. We’d be happy to schedule a demo to show you more of the in-depth information on this individual case.

Just from looking up his name, we find all these various interconnected data points. We find, from leaks of data available on the dark web, a Facebook profile with a UID, a leaked Telegram account, leaked Gmail entities appearing in a dark web post over here, and multiple other entities belonging to this individual.

Now, I see we’re getting questions in the chat, so I’m not going to refer to that now, but we’ll save that for the end. But if you do have any questions, feel free to send.

So, one thing I do want to bring up also is that one of the results that we get here is that Korovin has an additional email at the Eurasia organization, which we mentioned over here, which is another organization tied to Dugin. Okay, so that also came up in the results. Now if we look up the Eurasia.org organization, which is, by the way, another Russian instrument of influence headed by Dugin and active globally, looking at WHOIS records, here we have from WhoXY, which is a great free tool, which is a side note by the way, highly recommend it, if you need a free tool for that, or of course the full suite of domain intelligence available in Falkor. We can see that in fact the person who registered Eurasia.org was Makeeva@Eurasia.org, Natalia Makeeva, the woman mentioned earlier, and she also registered the CGE domain over here, as we can see as well. So, she’s a pretty central individual then, having registered the domain for CGE. And then we can also see over here a very broad overview of the leak data available from the deep web on the actual Eurasia domain. So going back to that, just by querying essentially the domain itself in Falkor, we also have Korovin’s individual email address over here. But here we have the full swath of results. I’m sorry, I tried to fit a lot in on this slide.

I know we only have so much real estate over here. But you can see the sheer wealth of data that we have on the actual domain, which is somewhere over here in the middle, right, including the large number of actual individual posts in which the domain is mentioned, but also, more interestingly perhaps, a total of 360 email addresses in leaked records originating from the domain, of which we have 28 unique ones. So, Steph, I don’t know if you have anything you want to add to that on the dark web, on DarkOwl’s data enrichment features over here in terms of profiling.

Steph: Absolutely, we are a niche intelligence provider at DarkOwl, but one of the tools that we have to get extremely granular is this bottom right image that Ari has been highlighting. So, when Ari and I were going back and forth saying, you know, what can we do? We want to talk about front companies, but it’s intimidating, it’s overwhelming to get started. There’s a lot to follow, there’s a lot of threads to pull, there’s a lot of misdirection that can happen. But when Ari gave the domains of some of the proven front companies, and we definitely source those from indictments and Treasury, as we’ve mentioned, you can put any top-level domain into our tool, and of course in Falkor now that’s also using it, and get a pullback of, okay, here are the amounts of emails exposed, that’s that 360 number. There are 28 unique ones, because of course there’s going to be repeat breaches, accounts in certain pieces of information with the same password or exposed in the same place. So, it’s just really important to help flesh out your top-level domain research, get the patterns. You know, what password does this individual use? Is it constantly exposed on the clear web, on social media, on the dark web? So it’s a really cool feature to kind of build this out, and we use it heavily in our investigation.

Ari: Absolutely, then you can get it all visualized for you nicely inside of Falkor, giving you the clustering over here of what’s actually important. You can filter, of course, by degrees and so on and move on from there. But the point that I want you to remember is that every one of these data points is essentially another pivot point that we can use as part of our investigation. So as we can see that certain clusters of activity here are more central, right, or more active in terms of relations to other entities, we can then take Falkor’s, say, integrations with email and phone number lookup tools or people investigation tools, or social media enrichment, and then enrich those further to further investigate the domain. Now the next thing to keep in mind, and this is especially relevant when investigating organizations of any kind, be they companies or front companies or whatever it happens to be, the leaks don’t lie at the end of the day, right?

Firstly, having no leaks is suspicious because almost every organization has an employee who utilizes some given company data point to register for some service. It’s rare to not have that happen at all. And then when they inevitably do, as we can see here, we can see who’s more active with their company email or other company assets online to find other relevant data points really easily. We have here, we have a number of individuals, including Makeeva, who was the single most popular leaker in terms of using her email address, which also hints to us that she’s probably a pretty active individual in the given organization. So, we can use DarkOwl data for investigations, right, for pivoting, but we can also utilize it to qualitatively understand and analyze what actually occurs with this given organization.

So, we can see here that Korovin’s email address appears in a dark web post taken from an onion site that we can see over here as well, which was actually a leaked copy of the internal information policy of the Lugansk People’s Republic. So, you know, occasionally you’ll see there’s some news article about a list of leaked data, you know, exposes this, or leaked, you know, government reports say that, et cetera. One of the places you can easily find that data is in fact on DarkOwl because, as Steph would say, you guys are constantly indexing all of the available posted and leaked data online. And here we can see, in fact, that Korovin and Eurasia are mentioned as key bodies for promoting Russian interests in the Lugansk People’s Republic, which is one of the breakaway regions of Eastern Ukraine, currently being fought over in the war. So, it has an official role in, say, promoting Russian interests there as well, which was not publicly available data previously. Now, we can also then look at Korovin’s Twitter account, which is easily found publicly, but also easily found via breach web data. And then inside of Falkor’s social media enrichment, we can bring back followers, posts and more. So, we can see that his followers globally, of course, make sense, roughly what we would expect, mostly in Europe and Eastern Europe and, of course, Western Russia, some in the Middle East and other parts of Asia, Latin America, Africa, and the US a little bit. And we can use all these also for further investigation, especially when it comes to finding new organizations globally that might be following him that could be potentially related. And then we can also utilize the Falkor link analysis to better understand clusters. We have Korovin over here; that’s the original account over here. Then here we have one other account that he shares a large number of followers with.

And this is, of course, who else but Natalia Makeeva. So even without the Gnida project telling us earlier that she’s a key individual and providing the receipts, as we say, which we’ll see shortly, we can also find this out ourselves utilizing open source investigation. Now, if we begin to look her up by looking up her email address also in DarkOwl, we get another kind of dark web data that we can utilize quite effectively, which are actually leaked emails between Makeeva and an individual affiliated with the pro-Russia Novorossiya movement based also in, of course, Donbass, the eastern part of Ukraine that’s being fought over in the war. We can see here in these individual emails, which I translated into English, they were of course sent originally in Russian, that they were coordinating sending over propaganda material from Dugin, of course, into that area. Now, one of the other things that DarkOwl does that Steph might want to explain briefly is tokenizing entities, and then I’ll describe how we do that in Falkor.

Steph: Absolutely. You can see in the bottom left image, we have that highlight once Ari shared the names of the individuals that we wanted to focus on for this investigation. I just ran that through our tool, and we highlight our results. We want to make it easier for our analysts, make it visually appealing. So Makeeva, we see her domain confirmed, she’s sending emails back and forth, so there’s a couple of things. We’re going to pull out that email address so that you can further pivot on that, build off of it, find passwords, find anything that you might want to find. We got very lucky in this instance that we had contacts for these emails. So then you can also, when need be, pivot to Gubarev at Novorossiya, you can take a look at Novorossiya’s top-level domain, what’s exposed, what’s out there. You can try and see if that resolves to any IP address based on what, you know, Russia, how they’re setting up their operations. So, you have a whole bunch of different pivots and different pieces of analysis to add to just Natalia Makeeva and her email address. We built out a whole other graph that is evidenced in Ari’s image on the bottom: phone numbers, contacts, patterns of life, patterns of contact, and other people she’s working with. So yes, we pull that all out in DarkOwl for pivots.

Ari: Exactly. And then we can just easily right-click on that document in Falkor to extract those tokens into entities for further investigation automatically. So, if you have this email address, instead of needing to copy and paste each individual email address or phone number or username or whatever it happens to be, you just right-click, you have it, and then you can right-click and further enrich and investigate effectively. So just to recap where we are so far, we had the original CGE organization. By looking into it, we found the Eurasia organization, also unsurprisingly affiliated with this group. And now we see pretty close ties between the leader of the Novorossiya community over here and, of course, Natalia Makeeva, indicating there might be other ties as well that we could investigate. Beyond the original organization, there’s also evidence from, of course, Gnida as well, that Korovin and Makeeva, who we can see here, this is Korovin, and this is Natalia Makeeva, are active globally beyond Eastern Europe and Russia, involved in setting up the Fundación Fidel Castro para el Desarrollo de las Relaciones Ruso-Cubanas, the Fidel Castro Foundation for Promoting Russian-Cuban Relations, which they utilize essentially to promote Russian interests in Latin America and the Spanish-speaking world. And here we can then utilize Telegram. So, Steph, I’ll let you then describe perhaps how DarkOwl handles Telegram and Discord and other deep web sources before I describe what we’re seeing here.

Steph: Of course, no problem. So, once again, we kind of went on the name of Valery Korovin; I wanted to do a search. We know that Russians are also avid users of Telegram. We saw that activity really increase where they were sharing battle plans, pictures, strategy on Telegram after Russia invaded Ukraine. But we also saw that pop up when the Afghan government fell in 2021 in the summer. So just to let you know that Telegram is all over. We pull everything down from a Telegram channel. So, we’re going to get the metadata, we’re going to get the channel ID, because, you know, for right now, the title of this is called Amigos de Evesiones Fides. Tomorrow, that could be literally anything else. But if you have the Telegram number, the actual channel number, you can continuously track that no matter how many name changes there are. The same is true for those usernames. So, we pull that all down. We have the metadata for your investigation to share with your clients if you’re sharing intel with someone else. And then, of course, after we have Valery Korovin, one name, now we have a whole spate of other identifiers that we can pivot on. So, we’ve got a Facebook group for this group as well as Twitter. We’ve got, of course, their Telegram. We’ve got a Yahoo address. So, it’s just a lot more information that we added. And it’s the same for Discord. We pull down server IDs, we make sure that we have the information that’s never going to change, even if a user handle or the title of a server or room does change.

Ari: Absolutely. And then we can start the actual hard work of investigating, right? At the end of the day, there are very few shortcuts in life. We’ve been lucky so far with these leaked emails and other things that we came across. But sometimes you gotta, you know, put the elbow grease in there and really just look at all these various entities that come through, and you can do that easily in Falkor by enriching them to bring back information on the domains, on the social media profiles and more, to see if they are in fact front organizations or have any other types of relations to the actual individual that you’re looking at or not. We have other sources across Telegram as well, from parts of Latin America and even Italy and other global organizations that are promoting Korovin and these front organizations, that we can then look into further also. Now we’re going to conclude the investigative portion of this with one final tip that I would like to bring up. The Gnida project brought this up as well, but anybody could figure this out: that the Fidel Castro Foundation is registered at the same physical address as a few other interesting groups. Firstly, we have the Russian House of International Scientific and Technical Cooperation. I haven’t looked into it myself yet, but who knows? It wouldn’t be the first time they’ve utilized scientific cooperation as a front for other sorts of activity. Eurasia itself is also based in that same building over here. The Russian influence outlet Geopolitika.ru, which is very well known, for anybody active in the space you should recognize that immediately, is also, of course, registered and based out of the same, comparatively small building in Moscow. You can look it up in Google Maps, it’s not very big. It doesn’t make sense that it’d be hosting so many large organizations.
And the lesson to keep in mind here, even though the CGE is registered, by the way, at a different address, is that threat actors always reuse, for a variety of reasons, right? Sometimes they, you know, can’t afford to rent two different places; they want to rent, they want to buy domains, they want to get new office space, wherever it happens to be, but they don’t, and they utilize the same thing over and over again. So, whether it’s digital or physical infrastructure, if it’s being reused you can use that very effectively to find potential signs of a given organization being a front or otherwise uncover hidden ties, right?

Now you have to be careful about that as well, of course. If it’s a large office building it could be feasible that they’re all based in the same building, right? But you can check it out on Google Maps quite easily, see whether or not it makes sense that you have multiple large organizations in a given, you know, three-story building, right, let’s say, and then from there make your own decisions. And then we’ll conclude also over here with the Falkor geo search, which has the ability to search this area for social media data, other data points as well, and even connect other tools to search if you have other geo-relevant data points too. So, on that note, let’s conclude, and I’ll let Steph also, if you have anything you want to add, let me know too, feel free to barge in here. Dark web data is critical for investigations of all kinds, right? Beyond just looking up leaked data, leaked creds, threat actor chat, and that sort of thing, we can utilize it for things like profiling, finding leaked geopolitical data of any sort of interest, right? Government data, that sort of thing, and we can utilize that leaked data to expose ties to additional organizations very easily. This is often the shortcut that I mentioned earlier that we don’t usually have, essentially, right? The leak data giving you that actual connecting point is what you can often utilize effectively. But there are other data points that we can utilize as well, that we can find, right? Shared physical addresses, reutilized digital infrastructure and more are critical. And deep web data really can’t, and in my opinion shouldn’t, be ignored for investigations of any kind, let alone influence operations investigations, as well as looking into front groups. And we can utilize them to find, with a low amount of investment, let’s say, or time invested in this, international activity very, very easily. So, Steph, if you want to add to that, let me know.

And if not, we think we can move on to Q&A.

Steph: Love to, just to repeat, front organizations are tricky. They’re a little difficult to follow, to get started, to know where to work with. But look, Ari and I started with one organization, one top-level domain, two human beings. We then got their selectors on social media, on the dark web. We found two other organizations, we had a global investigation, but we had to pivot, we had to turn around, we hit some dead ends. When we were first talking about this webinar, we were gonna maybe focus on Iran or a different kind, but Ari did an excellent job of saying, no, let’s do this, this is good, and then really made something that’s intimidating and a little difficult and complicated, simple, seamless, and you can see all the information we ended up with after starting with just three entities, an organization and two humans. So, Ari, hats off to you. Thank you for demonstrating how we can use deep web and Telegram and Discord data. It’s absolutely amazing. And I look forward to reading what you do in the future, because it’s awesome.

Ari: Thanks. And there’s a lot more, by the way. So, if anyone wants to see more, feel free to contact us separately, like I said. All right, the final step that I would do here, for a Falkor plug before we go into the Q&A, is the monitoring dashboard. And this is also, of course, relevant for DarkOwl as well. Falkor has a full monitoring suite available, so you can set up dark web data over here to be monitored, right? Set up your keywords, your Boolean queries and strings, whatever you happen to have, you can set those up over here. I set one up for mentions of Eurasia.org and other mentions as well, and then you’re going to get a live feed of new onion data, Discord data, Telegram data and more coming in, relevant for that sort of data, also here as well. We also, of course, have a full alert mechanism set up through some of the keywords or things you want to be triggering rules for, and that sort of thing, we can do that. And we also, of course, support social media. So, if you want to, say, follow Korovin’s Twitter account or follow any other individual’s Twitter account for your investigations, you can do that as well. And lastly, we also support RSS feeds. So, if you want to, say, track the OFAC RSS feed or any other RSS feed that you happen to have, no problem, you can throw it all in here and track all of those things in one pane of glass.

Steph: Super, super kudos to Falkor. There are so many tools out there and everything is very disparate, right? We’ve got RSS feeds and Slack and all of this, but what you guys have is a dashboard where you can truly have everything in one place, and that’s essential as an analyst. We’ve got enough information to deal with, so it’s an amazing, amazing product.

Ari: I’ll send that over to the development team. We’re very happy to hear that. I think we have some time then for Q&A.

Kathy: Yes, we do, and we’ve had some questions come in. The first one is in reference to Telegram, have we got any possibilities to follow a target if a Telegram account is closed and not open?

Steph: Yeah, we absolutely do. So, you know, you can build infrastructure to try and ask for permission to enter. You can run different personas or try to get people that work in your organization into a closed or private Telegram. There are a lot of different ways to do that. Strike up a common conversation, strike up investigations, and just kind of see how you can break that door down based on observing other activities surrounding it and knowing what the types of discussion are that are happening inside those Telegram channels. It’s not a perfect science, you might get denied, but you can get into closed ones if you play your cards right. Yes. Ari, anything to add to that on your end?

Ari: No, I mean, that’s that, listen, that’s, you know, like I said, sometimes there aren’t any shortcuts and you gotta just, you know, do the cold approach and hope it works out, right?

Kathy: Okay, well, staying on the topic of Telegram, when considering Telegram provides encryption and privacy features, why do threat actors still choose to communicate there instead of using more anonymous platforms like I2P, TOX, or peer-to-peer encrypted channels?

Steph: Yeah, absolutely. So, we see actors talk, I mean, I’ve been all over the web, right? I’ve been in this game for a lot of years. I’m very old and I’ve seen a lot of trends. So actors are openly stating that Telegram is safer. It is a Russia-based tool, right? It was developed by a Russian. And so, they feel that in lieu of the dark web where they have openly identified, they feel that federal agents and law enforcement’s working to try to take down criminal operations, criminal infrastructure, actors still feel that the majority of the safest tools are things like Telegram and TOX. They are definitely active on TOX. They have moved away as ransomware groups fall, as markets are shut down, think Silk Road, think Alphabet. As all of those go away, they move to what they feel is safer. I do think that probably in the next two to four years here, we’re gonna see a migration away from Telegram because you know how that goes. Once things get very popular and are used frequently, pivots for investigations change. They probably will feel that law enforcement will move there, but we see that all the time first, you know, with cryptocurrency, for instance, Bitcoin was viewed as very safe. Now they’re saying Bitcoin is a tool of the United States, you know, intelligence agencies and federal investigations, in their words and chats. So, they’re moving to Zcash, Litecoin, etc., etc. They openly espouse what they feel is safe versus what isn’t. And it’s our job as investigators to follow that. So that’s probably why, that’s definitely why they’re saying what they’re saying.

Ari: I have some points that I’d like to add to that. So, there are a few things to keep in mind because the much vaunted, let’s say, encryption of Telegram really isn’t quite as good or as quality as people say. We can get into it; it’s a whole separate thing. It’s not end-to-end encrypted by default, which is what really matters for the average user. The reason people use it, in my opinion, is that it’s a really effective town square. You wanna sell your cyber crime services online or make sure your leaks get, you know, spread and amplified and that sort of thing. It’s an amazing place to be active and the barrier to entry is super low. You don’t need a computer. If you are a threat actor within a country that doesn’t have, you know, that in which GDP is low and you want to start scamming, you don’t have a hundred bucks in your pocket, you can do that, for example, right? Instead of buying a computer and downloading Tor and having a reliable, indirect connection and doing that sort of thing, Telegram is much more accessible. You can buy a burner phone, remove the camera and microphone yourself if you’re that concerned, and kind of get to work. And then like you said, also Steph, regarding TOX, move to TOX, move to any sort of end-to-end encrypted solution that’s a bit more secure for actual communications, which is a very common trend also as well. So, there’s this town square market element of it that I think is incredibly appealing. And then it also has other features that make it appealing to threat actors as well. In fact, that it’s easy to use. In fact, there’s other content on there that’s also interesting. The built-in messaging experience is really seamless. There’s a lot of other reasons to use it also as well. And I think it’s a fascinating platform, but those who know me know I also have a bias.

Steph: Great points.

Kathy: Great. Thank you. We’ve had another question: are leaks in the darknet not too old to use with efficiency?

Steph: Absolutely not. So human beings are creatures of pattern. They reuse passwords. They reuse their data. They can’t keep track of it. We do not have enough people. Think of your coworkers. Think of maybe older family members or something, they’re not using password keepers, like 1Password, KeePass, et cetera, et cetera. They reuse something because it’s easy. So, if something is exposed and always out there, it’s very easy to keep reusing. We have had actors who have not changed their passwords since 2010, 2011. Not all of them. Some of them do have better opsec and cybersecurity, but it’s very, very simple to glom onto one password or one account or a handle or a username that an actor uses and then keeps going with minimal changes throughout the years. It’s foolish, but they do it. So no, data that’s old is not too old to use no matter where it’s from. There’s always a potential. Anything on your end for that, Ari?

Ari: No, that’s a great explanation. I mean, it depends also on your usage, right? I mean, if you’re just trying to protect, you know, if you want like those, you have some of the lead employee password from nine years ago, it’s probably not as bad as, say, something from last year. But, you know, for investigation purposes, it’s still quite as useful for pivoting. I don’t know that in terms of other stuff. So, it depends on what you’re doing, but yeah, I completely agree with you.

Kathy: We have one more question that came in. How else can dark and deep web data be used for investigations or attribution of influence operations?

Ari: And this is, I think, a really interesting topic because people love to talk about attributing influence cyber operations online effectively, and the leaked data is one of the most effective ways to do so, like by far. Looking at past Twitter scrapes and Facebook leaks and that sort of thing, people manipulate the APIs of these platforms and then post all this account information online. There have been cases where known influence operation accounts and entities have had their personal information exposed, be that say the registration IP or their last used IP or their password or that sort of thing, that you can utilize to very effectively either further investigate or even kind of on the spot determine whether or not it’s an authentic account. So that’s one of the biggest things that I’d say that we see. And there have also been multiple cases of influence operators themselves experiencing leaks, right? So recently the SDA, the company behind Doppelganger, had a lot of data leaked on them; it hasn’t really made it much onto the dark web for a variety of reasons, right? But essentially the data is still leaked and available to certain other individuals. And that’s another way that we can expose other actual operators themselves, as we saw in this investigation. So, the leaked data is in many cases the only way to investigate and attribute this activity, not a nice to have. Is there anything you want to add to that?

Steph: Yeah, and as far as just other data on the dark web, people, criminals, actors, they do feel that the dark web, with its flaws and its security issues, is still one of the safest places online. So, they’re still very open, they’re still very transparent. They might be cautious at first, but as they carry on more operations and build bigger networks and build a name for themselves, selling data, infiltrating companies, getting infrastructure, they open up more, right? The dark web is full mostly of criminals. They have an ego. They want to talk about who they got into. They want to build themselves up. And so, every piece of information, despite what you’re looking for, what you might be working, ransomware, info ops, DDoS planning, you know, anything, there’s always a piece of intel on there. It’s just that you have to look harder to find it. But as Ari and I have mentioned, schedule a demo with us. We’d like to take you deep. We also want to show you how you can enrich open source OSINT or social media information with dark web intelligence. It works really well to enrich too. So, there’s a bunch of different lines of investigation and tactics and we’d love to go deeper with you on that.

Kathy: Great. We do have a couple of minutes, and we had one more question come in. In other countries, considering that credit card details are frequently leaked on the darknet – does DarkOwl provide access to full credit card data to licensed companies or is the data redacted for compliance and ethical reasons? Additionally, how does DarkOwl ensure that security teams using its platform do not misuse such sensitive financial information?

Steph: Let me answer that in two parts. So, we do indeed have full credit card details. Listen, at DarkOwl we are GDPR compliant, we are DOJ compliant, we do not purchase stolen data. That data is out there openly available, whether it’s a forum where it’s sold or whether it’s a paste site where it’s hosted. It is open information that anybody who downloads the tools and knows how to access can. So, we do have that. As far as part two, we indeed have checks and balances. My CTO is always eager to jump on the phone and explain. I’m not going to get into those checks and balances here. Please do schedule a call with us, but we absolutely ensure that there is no misuse of sensitive information, whether that’s financial, PII, PHI, HIPAA, or protected. We absolutely have a way to get around that, and I invite you to please get with us and we will explain that further in depth on the call, for sure.

Ari: The one thing I would add on top of that is in fact that there’s a full auditing capability, right? So, inside of the actual system, admin users can go and audit all the actions taken by other users in the system to see that they’re utilizing all the data and sources they have appropriately and ethically.



[Webinar Transcription] Dark Web Influence on the 2024 US Presidential Election

October 25, 2024



In this webinar, DarkOwl analysts explore the disinformation landscape on the dark web in the context of the upcoming U.S. presidential election. What emerges is a complex, multifaceted online space characterized by a variety of actors, ranging from nation states to American citizens and U.S.-based conspiratorial political movements. All of the above play key roles in both creating and amplifying mis- and disinformation which has seeped from the deep and dark web onto the surface web, and vice versa. As a number of prominent social media platforms maintain policies of limited disinformation regulation, false narratives previously concentrated on the dark web and alternative social media platforms have become mainstream, thereby gaining traction and reaching greater audiences. Combined, these factors reflect a complex environment in the lead up to the election and highlight the importance of identifying and combatting mis- and disinformation.

Make sure to check out our full report on this topic.

NOTE: Some content has been edited for length and clarity.


Erin: We’re excited to kind of talk about this topic. I’m Erin, I’m the Director of Collections and Intelligence at DarkOwl, and I’m joined by my colleague Bianca who works on all of our investigations and services and has been digging into this topic quite a bit. So obviously, it’s November next week, which I find insane. And we’re just about two weeks out from the election. And there’s a lot of things going on out there on mainstream media, obviously. But we wanted to take a deep dive and see what we’re seeing from our side of things on the dark web. So, with that being said, I think we can dive right in and Bianca, I guess the first question would be:

Bianca: Well, during this election period, as with previous elections and recent years, particularly since 2016, we’re seeing disinformation narratives gaining pretty significant traction. And disinformation, as we know, can play quite a significant role in influencing voters. And much of these false narratives that we’re seeing are originating on the dark web and dark web adjacent spaces, especially Telegram. And so, because of that, in order to get a comprehensive picture of the online disinformation landscape and the role it can play influencing voters, it really is vital to examine the role that the dark web plays in spreading that disinformation.

I think you can basically broadly divide the main groups into two categories. And I’d say that the first one is nation states and then you also have domestic actors. So, starting off with the nation states, two of the main actors we’re seeing are Russia and Iran. Russia of course has a history of leading influence operations against the US as we’ve seen since 2016. Russia’s strategy this year though, it’s worth noting, does seem quite different compared to previous years. Most notably, they really seem to be taking advantage of domestically produced conspiracy theories more and more really this year, as opposed to, as we’ve seen previously from them, creating their own false narratives and then sharing and disseminating those narratives. And I think that shift in tactics is a reflection of the domestic disinformation landscape that we’re seeing right now, where you have these absurd conspiracy theories entering the mainstream and then being viewed by millions of people online. So really, nation states like Russia that are leading these foreign influence operations are recognizing that that’s unfortunately something they can take advantage of: these domestically produced conspiracy theories.

Other than Russia, moving on with these nation-state actors, we are of course seeing Iran emerging as a key player right now in election influence operations. In the lead-up to November 5th, Iran has already carried out cyber-attacks against election campaigns, with the DOJ just recently announcing the indictment of, I believe, three Iranian hackers for targeting former President Donald Trump’s campaign. Importantly though, Iran is also actively sharing content that, like Russia’s, is aimed at sowing discord in the US. And that’s something we’ve seen from Russia, of course, since 2016, increasingly. And for Iran, Microsoft researchers in particular identified these websites associated with Iran that are basically posing as American sources and spreading disinformation.

So we’ve got Russia, Iran, and continuing on with nation states, we really shouldn’t forget China was also leading its own election-focused influence operations. One of its influence operation campaigns has been active since 2017. And we’ve recently been seeing increased activity from that campaign. But I do want to highlight that researchers do seem to believe that China’s efforts likely will be more restrained compared to Russia and Iran. And they don’t really seem to be aiming to undermine one campaign over another. So whereas you see Russia attempting to undermine Vice President Kamala Harris’s campaign and Iran attempting to undermine former President Donald Trump’s campaign, we’re not really seeing that lean or favoring from China to the same extent. So those are the main nation-state actors.
 
Erin: It’s interesting as well, sorry to interrupt you, but how the landscape has changed since 2016, right? So I saw some reporting with Russia as well that they didn’t necessarily get what they wanted maybe out of the Trump presidency and is that impacting what their goals are and how they’re reacting now. So it seems like as you were just saying, that they’re more trying to focus on just creating that conflict internally in the US, as well as still, promoting Trump, but it’s interesting how they’ve changed their tactic.
 
Bianca: Yeah, that’s a great point. And they’re just continuing to sow discord, like that seems to be the number one priority, really, and undermining faith in the election process and undermining faith in democracy. So that’s something we’re still seeing from them. Those are the main nation-state actors, to answer your question, that are kind of the main players right now in the disinformation landscape.

But I do also want to highlight that second bucket I mentioned, that’s domestic actors. And there are US-based individuals and political movements that are generating disinformation related to the election and candidates that we’re seeing right now. For instance, the far-right conspiratorial movement, QAnon in particular, which first appeared in 2017, they seem to have effectively entered the mainstream at this point, and their conspiracy theories are seen across the surface web. And a lot of the disinformation that we’re seeing in the current landscape is coming from these far-right conspiratorial movements. To answer your question, I’d say those are the two main buckets, the nation-states, but then also domestic actors.

I’d say broadly you can group the main narratives into two groups, two categories. So those that are questioning election integrity and then you have those that are targeting presidential candidates. So, for the first category, you have essentially all of the disinformation that’s questioning election integrity. So unfounded claims of voter fraud, which of course was also a very dominant narrative in 2020, and we’ve seen that narrative persist and enter the mainstream increasingly. And some of those narratives are being amplified by foreign actors, but American citizens themselves are also responsible, I think, for a lot of that amplification. That’s the first category and then the second category broadly is disinformation aimed at undermining either Vice President Kamala Harris’ campaign or former President Donald Trump’s campaign. To give an example, you have Russia spreading disinformation that’s again meant to support Trump and undermine Harris and then at the same time Iran spreading disinformation meant to support Harris and undermine Trump. To give a more specific example, one of the most recent examples of disinformation aimed at undermining a candidacy was this staged video that was created by Russia that falsely accused Governor Tim Walz of sexual misconduct. And that was a story in the news this week. The video has already been debunked, but it nonetheless gained hundreds of thousands of views on Twitter and has been shared on the dark web and on groups in Telegram. So, I’d say those are really the two main categories that we’re seeing right now.
 
Erin: I think with AI and things, it really highlights how videos can be made relatively easily these days that can be shared. And by the time that they’re debunked or shown to be false, the damage is almost done, the genie’s out of the bottle. So definitely concerning, but you just touched on the dark web and Telegram.

Bianca: Well, to address Telegram, right now we are seeing lots of groups on Telegram, especially far-right ones, that are basically spreading disinformation meant to sway voters. And again, some of that disinformation is coming from nation states. There are Russian news bots in a lot of these channels that are sharing headlines and articles that, again, are false and have no basis in fact. So, like you’ll see RT news, Russian bots, RT news, of course, being Russian-funded propaganda. And then you’ll also have some of these same Telegram groups and channels sharing disinformation that’s originating from U.S.-based individuals and, again, conspiratorial movements like QAnon. So going back to this, the role that domestic actors are playing in addition to nation-states. It’s really interesting that a lot of the conspiratorial content that we’re seeing on spaces like Telegram, a lot of that content is leaking into the surface web. And vice versa, there is a lot of content overlap. And that’s concerning given that there used to be a much clearer distinction between the surface web and platforms, dark web adjacent platforms like Telegram. So, you’re seeing a lot of interaction in terms of the content we’re seeing on both spaces.
 
Erin: I think that’s an interesting point, right? Because we tend to think of the dark web, some dark web adjacent platforms like Telegram where there’s limited oversight, although obviously that seems to be changing at the moment, where people want to hide their intentions and stay anonymous. And with this, we’re really seeing people like move over and have less concern about hiding their identity. Like, how do you see that happening and why do you think that’s happening?
 
Bianca: I think it’s not surprising that we’re seeing, you know, anonymity being weaponized to spread this information, right? It’s more difficult to attribute this disinformation to a specific group, even a nation state or an individual, if they’re remaining anonymous, and that’s not just on the dark web, you know, we’re also seeing the anonymity on the surface web with users on Twitter, now X, spreading disinformation, but kind of hiding their true identity. And that’s become a lot easier on Twitter, especially where the verified checkmarks don’t signify reputability anymore that you just buy the checkmark. And it’s easier to kind of stay anonymous and sell yourself as this reputable source.

I did want to touch back on Telegram, though. I think it’s not surprising that we’re seeing a lot of disinformation there, of course, wanting to flag that just a few months ago in August, the app’s founder was arrested and charged in France in relation to an investigation into criminal activity on Telegram. So, it’s really not just disinformation being shared on the platform. The main concern right now also is violent extremist content and child sexual abuse material that we’re seeing on Telegram. But in terms of disinformation, I think it’s worth highlighting that one of the main concerns about Telegram is the sheer size of the groups and channels there. So, channels don’t have a limit on the number of subscribers and groups can have, I think, as many as 200,000 members, which is massive, right? And that scale means that disinformation can very quickly reach large audiences and then gets shared and amplified by these massive groups over and over and over again. So overall, Telegram is absolutely hosting a lot of the disinformation we’re seeing regarding the election, whether that’s false claims of voter fraud or also disinformation targeting presidential candidates. And that’s definitely something to be concerned about.
 
Erin: Yeah, and I think we’ve definitely seen Telegram being used in other arenas in that way as well. Israel-Hamas is an excellent example of disinformation being shared, and even actual news information being shared quicker on Telegram than it is on mainstream media. And someone was asking me earlier this week, actually, if I think what’s next after Telegram now that the CEO’s been arrested and moved on, and I was like, honestly, I don’t think people are going to move, or not quickly, because there’s too many people in too many groups and they’re too well established that I think it will be difficult for them to move and create that with any of the other apps that are out there, but it’s definitely having an impact, I think, on a lot of the things that are going on. So that’s a really interesting insight.

Bianca: Conspiracy theories are effectively significantly distorting the information landscape right now, in the lead up to the election. And as you noted, a lot of them are gaining a lot of traction. And I think, you know, to give an example, a good example of the prominence of conspiracy theories right now is the information landscape we saw during Hurricane Helene and Milton. So you had far-right groups and individuals who were spreading disinformation claiming that the US government was using weather control technology so that the hurricane would be steered towards Republican voters. And you had, as you noted, of course, prominent figures reiterating these theories. There were politicians and public figures amplifying that conspiracy theory. Former President Donald Trump claimed that hurricane relief funds were being spent on illegal migrants, so having public figures reiterate those conspiracy theories lends them more credence, right, and makes it easier for them to gain traction, even though they are completely false. A lot of these conspiracy theories gained millions of views on Twitter and were reshared by more prominent figures in the Republican Party and also by Twitter’s own CEO, Elon Musk. And a lot of the most viral posts were from far-right individuals sharing often xenophobic and racist conspiracy theories. And so, I think the fact that there are millions of people engaging with this content, on Twitter especially, and amplifying and agreeing with the conspiracy theories is very concerning. And it’s ultimately a reflection of the divisiveness that we’re seeing ahead of the election. What we saw with Hurricane Helene and Milton was effectively the weaponization of tragic events, right? To influence voters ahead of the election. And that weaponization unfortunately worked and reached a massive audience. And it of course also had, unfortunately, real world implications with meteorologists receiving death threats. So absolutely, conspiracy theories are playing a key part in this disinformation landscape right now.

Well, that’s a really interesting question because, of course, no political party is immune to conspiracy theories. But based on the research we’re doing right now, far-right individuals, including public figures or Republican members of Congress, are dominating the disinformation landscape right now on the dark web and also on the surface web, importantly, and like I said, there is a lot of overlap in terms of content in both of those places. A lot of the dominant conspiracy theories we are seeing right now are rooted in far-right ideas. So again, for the Hurricane Helene and Hurricane Milton response and information landscape, we saw a lot of conspiracy theories and disinformation aimed at undermining the Biden-Harris administration and the Harris-Walz presidential campaign. And on dark web adjacent platforms like Telegram, far-right groups are also dominant in terms of election disinformation. The groups spreading significant disinformation and with the largest numbers of subscribers are far-right groups, as we’ve seen up until now. And that’s consistent with findings as well that that type of disinformation does tend to be particularly prevalent and toxic in that far-right online space.

Turning to left-wing conspiracies, the most prominent one I’d say that we’ve seen up until now was the baseless claim that the July 13th assassination attempt against former President Donald Trump in Pennsylvania was staged by the Trump campaign. And a lot of the chatter surrounding that unfounded conspiracy theory, interestingly enough, was on Twitter, X, rather than on the dark web. Ultimately, no political movement is free of conspiracy theories. But the ones gaining the most traction right now do appear to be far-right conspiracy theories.
 
Erin: Yeah, I feel like it seems like the far right are just a lot better at organizing and weaponizing things like social media and Telegram, etc., because we did a lot of work to try and balance and see what we could find, left-wing groups that are out there talking, and you know, maybe they’re just better at hiding what they’re saying, or maybe they’re not, you know, doing it in the same way, but it’s interesting how it does always seem to lean to that far-right side.

Bianca: Yes, absolutely. For more context, earlier this month, the DOJ announced that they had arrested this Afghan national who was based in Oklahoma City. Like you said, for plotting an attack on election day on behalf of ISIS. And then he was arrested by the FBI for purchasing two AK 37s with his brother-in-law, who was an accomplice, and the suspect admitted that he was going to carry out the attack on election day and expected to die in that attack and go down as a martyr. In terms of his connections to Telegram, the suspect interestingly was very active in pro-ISIS Telegram groups and allegedly saved ISIS propaganda, as was noted in the indictment document, to his iCloud account and I believe also to his Google account. So, ISIS propaganda from Telegram. He had also been in contact with an ISIS associate via Telegram who was giving him guidance regarding the upcoming attack that he was plotting. So definitely Telegram connections there, and it’s ultimately not that surprising given that Telegram is notorious for being a hotbed of extremist activity, particularly for ISIS. There are lots of pro-ISIS groups there. And not just, of course, pro-ISIS groups; unfortunately, a lot of domestic extremist groups, as I noted, that being one of the main issues leading to the CEO’s arrest recently in France. But absolutely, the individual had ties to individuals in ISIS, and those connections were through Telegram.
 
Erin: Yeah, it’s interesting how we see this group really being used in Telegram and how the arrest of the CEO may impact that. I mean, we definitely saw, after the announcements that Telegram are going to cooperate with law enforcement, individuals talking about moving to other messaging platforms. As I said, I’m not sure that they’re all going to move, but I think it’s interesting that they’re having those conversations because Telegram really has been that hotbed and obviously, we’re talking about elections now, but I think you can go to any big event that’s happened or any kind of extremist group and find some kind of Telegram footprint for them at the moment.

Bianca: Well, in 2016, we, of course, had Russia leading extensive disinformation operations against the U.S., also in an effort to interfere with the presidential election, and, as you mentioned, the aim of those campaigns was to sow discord and undermine American democracy, and they used bots and intelligence officers that were masquerading as American citizens to spread this information and again exacerbate divisions. And these operations have not stopped, right? We’re still seeing that activity today. But what’s different now, in 2024 compared to 2016, is that other nation-states have significantly ramped up their influence operations as well, you know, as I mentioned, particularly Iran, and they’re engaging in similar large-scale campaigns. You know, Iran in this election has really emerged as a prominent actor in the current disinformation landscape in the lead-up to November 5th. They’ve already carried out cyber-attacks against presidential candidates’ campaigns, they’ve actively disseminated disinformation meant to sow discord among American voters like Russia did in 2016. And you know, as I mentioned, we’ve also seen China similarly amplifying divisive rhetoric and there are Chinese-linked influence operations and campaigns that are spreading disinformation and conspiracy theories.

So, to answer your question, ultimately, this year is quite different from 2016, just in terms of the variety of actors that we’re seeing engaging in large-scale influence operations. But also importantly, I think that what’s particularly concerning right now, and especially different from 2016, is the way that, as I’ve noted, conspiracy theories have effectively become mainstream. And that’s really not to say that 2016 was devoid of conspiracy theories. There were, of course, conspiracy theories in 2016 and there will always be conspiracy theories. But the scale of their reach today is on a completely different level. As I mentioned, there are mainstream platforms, particularly X, so not just the dark web, where false claims about presidential candidates and regarding the validity of the election, these conspiracy theories, are gaining millions of views. And part of the reason that this is so significant is that you have prominent US-based individuals that are amplifying those conspiracy theories and allowing them to gain even more traction. And because of that, these conspiracy theories have entered the mainstream and are not just in the dark corners of the internet anymore. So, I think that’s really the main difference between 2016 and 2024.
 
Erin: Yeah, I feel like domestically, people are just more emboldened to share their views regardless of whether they’re conspiracy theories or even if they’re not, they’re just, I think people are less concerned about the impact that that’s going to have, as you say, because on both sides, so many politicians are backing that kind of rhetoric. And as you say, it’s interesting, obviously, we focus on the dark web and dark web adjacent, that it’s kind of impossible to look at this topic these days without looking at social media, because there’s such an overlap and they interact so much, like the things that are shared on Twitter are then immediately put onto Telegram and vice versa. And there’s no one policing that or checking that. And the likes of Facebook and Instagram will try and say, this isn’t true or this isn’t verified or read this at your own cost, but Twitter seems to have moved away from doing that a little bit in recent years. And yeah, I think it’s very difficult with the amount of information that individuals are receiving to make sense of everything that’s going around and just the pure, as you say, the sheer size of data and conspiracy theories and things that are being shared now compared to previously. I can see why it’s difficult for people to make a judgment. And as I said earlier, like once these things are out there, it’s really hard to walk them back. There’s a lot of people that, however many times you tell them something isn’t true and it’s been debunked, aren’t going to believe you.

Yes, absolutely. It’s very likely that we’ll see a pretty significant increase in disinformation targeting American voters as we get closer to November 5th. Russia, Iran and China are well aware of the fact that their influence operations can have a greater impact closer to the date of the election, when they can influence voters and as individuals have already begun to vote. And US intelligence officials are actually already warning of this increase. There were reports stating that influence operations targeting specific political campaigns have already increased. I think it’s really important to note, though, that foreign influence operations aren’t going to stop after November 5th. And the ODNI actually just released a report, I think yesterday, warning that Russia, China, and Iran are all expected to continue their influence operations well through inauguration day. And it’s very likely that they’ll continue spreading disinformation, again meant to sow discord among Americans and to undermine trust in the election process. And that’s something we already saw with the presidential election in 2020. Election officials and intelligence officials have particularly warned that there’s a possibility that Russia, Iran and China could actually try to stoke post-election violence. So that’s something that definitely needs to be closely monitored. But yes, we’re expecting to see an increase in that kind of activity leading up to November 5th, but also well after November 5th up until inauguration day.

I think the most important step and the quickest one, at least for individuals, to combat disinformation, and it seems very simple, but it’s to verify sources. So before sharing or reposting anything online, just take a few minutes to check the credibility of the source and also take the time to cross-reference and see if you can find another source that’s also reputable or sharing the same information. So if you can cross-reference, there’s a greater likelihood that that information is valid. For organizations, I’d say carrying out fact-checking initiatives already is vital. Social media platforms, it’s worth noting, have the ability to give users the opportunity to report disinformation. And that’s huge. But Twitter, again, coming back to Twitter, unfortunately removed a feature that allowed users to report misinformation and disinformation. So, bringing back that feature, I think, and for other organizations and social media platforms implementing that feature, is a pretty vital first step to combat election-related disinformation. But yeah, fact-checking in general and verifying your sources is the way to go.
 
Erin: I think knowing where something came from and making sure that it’s not just circular reporting, everything coming from one place, usually, you know, a place that may not be that legitimate, is such an important thing to do. And I think having discussions about that. So just going back to the dark web briefly, I think we’ve talked about how there’s a lot of crossover that’s going to mainstream social media sites. Would you say that there’s anything specific on the dark web relating to elections? I know like in the past, we’ve seen things related to like voting machines and hacking. And you know, DEF CON is famous for having their hacking village. Have we seen an increase in that kind of discussion or not really?
 
Bianca: Absolutely, seeing a lot of narratives about kind of questioning election integrity, like you said, voting systems. Absolutely, a lot of that on the dark web and on Telegram channels, especially in a lot of these channels and groups that have as many as, you know, 200,000 subscribers. Again, a lot of them are aimed at undermining confidence in the election process in the U.S. and sowing discord. So definitely seeing those conspiracy theories dominant on Telegram, but as you noted as well, you really can’t look at it in a vacuum, right, because a lot of those disinformation narratives are also being seen on mainstream platforms. So, it’s interesting that we’re seeing this kind of dialogue between the two spaces and that theories that previously would have probably been limited to the corners of the internet, as it were, are now very much so in the mainstream. And it’s sometimes even hard to identify where they first originated, just because of the fact that we’re seeing them all over the place, all these conspiracy theories.
 
Erin: Yeah, absolutely. And I think that’s the thing, I think on the dark web, the things that we see more of are the traditional dark web things that you see people doing, like talking about hacking, or talking about, you know, leaking voter information or information that could be used relating to voters. That’s the dark web bread and butter, whereas, you know, outside of things like Telegram, I’m not sure that people are using the dark web for those kinds of conversations, because they don’t need to. They can do it on mainstream platforms without fear of, you know, reprisal. So it’s a really interesting shift, I think, that you’re highlighting.

Well, just highlighting again, I’m glad that you asked the question about things people can do to combat disinformation, and just flagging again the importance of verifying sources. There are lots of great sources online as well from CISA on steps election officials can take to ensure that we’re combating disinformation right now. Organizations and individuals can do a lot to combat this rise in misinformation and disinformation that we’re seeing right now. Thank you all for joining this webinar.
 
Erin: That just made me think as well – I was at some sessions recently where I feel like you can’t have a dark web or an OSINT or a chat these days without mentioning AI. And I just feel like these days, with the way AI is improving, and deepfakes in terms of generating stories and generating videos and generating images, it is just something that people need to be so aware of, and it goes back to your point about really validating those sources, because things can look so believable these days in a way that they couldn’t several years ago. So I think that’s an interesting point as well.


[Interview Transcription] OSINT in Government: Industry Insights on Challenges and Opportunities

June 12, 2024

Francis Rose of Fed Gov Today recently sat down with DarkOwl CEO and Co-Founder Mark Turnage to discuss the current state of open-source intelligence (OSINT) in government. The article appeared on Fed Gov Today.

The transcription of the interview can be found below.

NOTE: Some content has been edited for length and clarity.


Francis: Mark Turnage, Welcome. It’s great to talk to you. What’s the current state, do you think, of the government getting the data that it needs and deciding what sources it’s going to draw that data from, open sources, proprietary information and so on?

Mark: That’s a great question. And you know, I think there’s been a big change in the government in their approach to OSINT in general, and frankly, their understanding of the need for OSINT and the value of OSINT. And we live in an environment where data, broadly speaking, and OSINT, broadly speaking, is growing dramatically. The amount of data, the types of data, and so the government, in some respects, is playing catch up in trying to understand how to use it, how to aggregate it, how to analyze it. And that’s a big change that is underway. But gaps, gaps in the government’s collection. We’re [DarkOwl] a darknet data collection company. We collect data from 30,000 plus sites a day in the darknet, and we provide that to the government and other commercial users. And just that one tiny sliver of OSINT alone can tax any organization’s ability to integrate data, store it, and then manage it. So that’s it. That’s a tiny little example of some of the challenges that the government faces.

Francis: One of the things I think has been interesting about tracking this over time is that organizations, for example, like NGA, have not fought the change in the lines of delineation. What used to be proprietary is now open-source and so on, and they’ve kind of said, we have to get with the game and go with it. Has that helped, do you think, organizations in government to go through this change?

Mark: I think it’s been a big culture shift for them. I mean, NGA in particular, but other organizations as well. Take the examples of satellite data, satellite imagery. What’s available today commercially is better than what was available, on the high side, 10 years ago. And that is only going to keep happening. Using a cell phone, you can get battlefield information on the front lines in Ukraine that’s far more detailed and far more timely than what our analysts have access to here in the US, you know, from high-side data. So, I think any organization that understands that then has to embrace it fully and start to use those commercial sources and integrate them fully with their high-side data. And then they have the best of both worlds, to be honest.

Francis: Take me farther into that definition of embracing that fully. What does that mean to those organizations to do from a tactical perspective?

Mark: Well, first of all, there’s a culture shift. I’m not sure that’s tactical, but there’s a cultural shift that’s necessary. But once that cultural shift happens, once they actually understand it and get it in their DNA, I think there’s a couple of things. Number one, don’t fear it. Don’t fear open-source data. Embrace it. Buy it. Integrate it. Use it. And by the way, part of that is also staying on top of what open-source data is out there and available, because it changes and it shifts dramatically as time goes on. Secondly, integrate it with your high-side data. Look at them side by side. Understand that that data, sometimes that commercially available data, is better than what you have and sometimes it’s very complementary to what you have. It makes your analyst team far more powerful looking at both sets of data and correlating them together. But embracing, I think, means understanding it, buying it, integrating it.

Francis: That integration process, it sounds like when you use the term changes and shifts dramatically, it sounds like that integration process may be the key factor to all of the ones that you just laid out there. Is that a fair read?

Mark: That is an absolutely fair statement. I think understanding what that technology or that tech stack is that you need to build and maintain to integrate open-source data is a journey that all the federal agencies we work with are on right now.

Francis: What is the technological underpinning of this infrastructure? And is that changing over time as well?

Mark: It’s likely to change over time, but the technological underpinning is you have to have the ability to integrate extremely large data streams, parse those data streams, store them in a secure environment, and then make them available through whatever interface or tools are available to your analysts. You make them available in live time to your analysts. So, there are off-the-shelf products that allow you to do that. And obviously there are cloud data storage capabilities available to the government through a number of different avenues. The one interesting thing that is a challenge for many of these agencies is how do you integrate open-source data coming from the low side with high-side data? How do you cross that chasm? Because taking OSINT intelligence into a SCIF, and then trying to correlate it with high-side data, becomes a real challenge; you would rather have them on the same screen. So that creates a completely different technological challenge, I think, for many of these organizations.

Francis: I want to come back to that idea, but you talked about analysts and the importance of the analysts a number of times in this conversation already. What does the skill set for the analyst of the future look like potentially compared to the analyst of today given the advances that you’ve discussed?

Mark: That’s a really good question. And obviously, AI is front and center in that process. I would say that the analyst of the future needs to be able to contextualize the intelligence that they are getting. And in fact, a good chunk of that data, of that intelligence they’re getting, is going to be AI generated. But they have to contextualize it, and they also have to be able to keep it honest. When you have AI hallucination and other things, and you don’t have a trained analyst who understands the context in which this is being done, you could go down a rat hole pretty quickly. So, the world of the future is going to be divided, broadly, between people who can use AI to be more productive and those who can’t. And that’s the new social split that we’re coming to as a society; that’s no different with an analyst. They have to understand how AI works. They have to understand the data AI is looking at. They have to understand the output, and they have to then stress test that output.

Francis: You mentioned the desire to mash up high-side data with open-source data. What is the challenge potentially, if any, to maintaining, I guess, tagging is the best word I can think of, so that one knows throughout the entire data stream this piece is just for us to see and this stuff is okay for others to see when you’re combining?

Mark: When you combine those datasets, you have to tag it, you have to give them metadata so that an analyst a month out or a year out or five years out knows where that data came from, knows the source, knows the provenance of the data, and obviously can distinguish between a sentence which may have come from the high side and a sentence immediately adjacent to it that came from the open source. So that’s obviously a real challenge, but that’s actually, I think, relatively solvable with the metadata and tagging that’s available. If you don’t pay attention to it, there’s going to be an analyst down the road in five years who’s going to get himself or herself in real trouble.

Francis: Mark, it’s great to talk to you. Thanks for your time.

Mark: Really nice to talk to you as well.


[Webinar Transcription] Navigating the Cyber Landscape: Strategies and Capabilities of Iran, China, North Korea and Russia

March 28, 2024

The government, along with law enforcement, is heavily impacted by ever-evolving technology, and there is a multitude of malicious actors conducting espionage, stealing data, and attempting to infiltrate and shut down systems critical to everyday life.

These malicious actors with a proven state-sponsored tie are often called Advanced Persistent Threats (APTs). The digital realm is heavily involved in geopolitical conflict, and its role and that of adversarial actors must be explored.

In this session, we will dive into the big 4 cyber adversaries:

  • Explain how cyber experts are trained
  • Explore the use of front companies and technology in online activities
  • Examine ties to their governments
  • Cover common offensive and defensive capabilities
  • Glimpse into the possible future with AI used in operations

For those that would rather read the presentation, we have transcribed it below.

NOTE: Some content has been edited for length and clarity.


Mark: My name is Mark Turnage, I’m the CEO and Co-Founder of DarkOwl and with me, I have Erin Brown, who’s our Director of Intelligence. We’re pleased that you joined us here this morning. I’m just going to make some introductory remarks, and we’re going to conduct this webinar as a sort of fireside chat between me and Erin and talk about four cyber countries – powerful cyber countries: Iran, North Korea, China, and Russia.  

Just a couple of introductory remarks from me, we live in very interesting times. It’s a very famous Chinese curse and I think it’s fair to say that over the last several years, the world has become considerably more uncertain and more unstable. We have wars being waged in Ukraine, in the Middle East, we have a considerable amount of tension in East Asia, between China and Taiwan, and against that backdrop, there are a number of elections taking place this year around the world, including here in the United States, our presidential election. All that means that the cyber sphere has become even more important and more deserving of our attention as we think about that instability and how to better manage that instability. And against that background, four countries are continually mentioned: Iran, Russia, China, North Korea. Interestingly enough, two of those, China and Russia, are quite large countries and powerful in their own right. Two of them, North Korea and Iran, are cyber superpowers, in spite of being relatively small and in the case certainly of North Korea, having quite a small economy.  So, we thought it would be useful to talk, to have a conversation about those four countries and talk about their cyber capabilities and how they use the cyber sphere, both for their own purposes and to sow instability and discord. So, with that, I’m going to just start asking Erin some questions.

What are the main cyber threats posed by these four countries?

Erin: There are a lot of different threats that they’re posing, and it really depends on what they’re trying to achieve. We see them conducting cyber espionage, we see intellectual property theft, attacks on infrastructure. It really depends on what their motivations are and they have many groups within their countries that are conducting these types of attacks – but most of them, all four of them, I would say, have a joint desire to advance their global influence. They all want to be the superpower of the world and they want to do that in both the digital and the physical world. We’re seeing that overlap, as you just mentioned in your introduction, as there’s more and more real-world conflicts happening. We’re seeing a huge cyber element to that. But then they do have their own distinct motivations as well in terms of what operations they’re conducting. North Korea, for example, we’ve seen them conducting a lot of attacks that lead to financial gain because they’re using those funds to finance other operations that they’re doing and things that they’re doing within the country.  So, they all pose a huge amount of risk to both countries and organizations in terms of what they’re trying to achieve to advance their global power, basically.

Mark: And is it fair to say that of those four, North Korea is the most, quote unquote, financially oriented in terms of their cyber activities? Or is the same true, say, of Russia?

Erin: I would say so. I think we know North Korea, from a government perspective, is doing that for financial motivation and gain. I think with Russia especially, and Iran to a certain extent as well, we see that overlap and bleeding between who the state-sanctioned, state-sponsored groups are and those actors that maybe the state is allowing to operate. So obviously, you know, the ransomware gangs in Russia are making a huge amount of money off of corporations worldwide, and there are suggestions that they’re at least allowed to conduct their activities by the Russian government. One could infer from that that the Russian government may be getting kickbacks from them and from that type of activity, but we don’t necessarily see the state-sponsored groups that are the military groups having that financial motivation in other countries. But Iran and Russia certainly have that criminal overlap.

Which brings us to the question of how these countries actually organize their cyber operations. You mentioned that some of them may or may not incorporate private actors in those operations, and others are more official. So, how do they organize their operations?

It’s quite a complex makeup across all the different countries and they all do it slightly differently. You do get those differences between what is state-sponsored, what is state-sanctioned, what is state-allowed. So, there are all of these distinctions within how you group them, but primarily, we see that the countries have military and civilian intelligence services. So, they’ll have military operators that are part of their armed forces that are going out and conducting these cyberattacks, and then you’ll also have intelligence agencies. So similar to how we have the CIA in the US, they have their equivalents that will also be conducting cyber operations on their behalf as well and depending on who’s conducting the attack, you’ll see different types of attacks and different victims as well in terms of what they’re trying to achieve.

But then we do also see civilians that are somewhat separated from the government being utilized. So, we do see a lot of front companies being used by these countries. This will be a seemingly legitimate company that is set up in-country and has government backing behind it that’s not necessarily obvious, so that they can have that air of conducting activity and not being linked to the government, even though they are. Then also, as we just mentioned with the financial motivation, we do see, especially in North Korea and in countries that don’t have as much stability and financial security, these actors that are doing a day job with the government and then in the evening, they’ll be using those skills that they’ve learned with the government to conduct cyber activities and criminal activities. So, it’s a murky infrastructure in terms of how these are set up, but I would say all of these countries have set up groups and organizations that are there to conduct cyber espionage and cyberattacks on other countries.

Mark: This odd mixture of official and unofficial criminal gangs must make attribution really difficult when you’re looking at an activity, trying to attribute who the actor is who is behind the actual action.

Erin: Yeah, it’s incredibly difficult. And I would say it’s probably more difficult for people like ourselves that are outside of the government remit to identify that information, because it’s very noisy in terms of what’s being conducted, who’s doing what attacks, and then things like the malware that they use. A lot of countries will use off-the-shelf malware, but lots of other groups use that as well. So, just because a malware is being used doesn’t mean that it’s attributed to one particular group, even if that group invented it. For instance, Stuxnet is a good example of that – it was developed by the US and the Israelis, but it has been utilized far and wide by other nation-states and by criminal actors since then. So, it’s really difficult to know who is conducting these activities, and mistakes are made in terms of these attributions as well between different groups. Whenever we’re looking at this attribution, whenever we’re looking at this activity, the attacks that are happening, we’ll make assumptions about what we think that’s connected to, but you don’t really know unless you’re in those groups and able to see that. So attribution is incredibly difficult, and when we’re talking about APTs and we’re talking about nation-states, we’re talking about probably the most sophisticated cyber actors that are out there, that most of the time are trying very hard to obfuscate their activities and obfuscate who they are and who is conducting them. It’s a very tricky thing to be able to attribute that activity. So, one of the things I would say about it is it’s more about knowing what the techniques are than knowing who is doing it, so that you can protect yourself from those techniques and those vulnerabilities within your organization. I guess some might say it doesn’t really matter who’s doing it when it comes down to attribution, it just matters that you stop it. So, it’s an interesting balance.

Mark: Yeah. Although, if you’re a foreign leader, say, the president of the United States, the Prime Minister of Great Britain, the President of France, and your country is in some fashion attacked by a cyber operator, attribution becomes important in terms of how you respond. So that’s a challenge I’m sure that many leaders face.

Let me switch gears a little bit and talk specifically about China. The Great Firewall of China – what’s the impact of that on both their capabilities and on the ability of outsiders to see what’s happening in China?

Erin: For those who don’t know, I’m sure most people do, but the Great Firewall is what we refer to as the operations that China put in place to silo their internet from the rest of the world. So, it means that most of their citizens aren’t able to access the internet in the same way that we do, and they’re not allowed to access certain things. So, it means that the government can really lock down the messaging and the news that citizens are able to access. And as part of that, they do also have their own apps and search engines and things like that. A lot of social media like Facebook and Instagram and WhatsApp can’t be accessed in China. Instead, they have WeChat and WeChen and Weibo and other ways that they’re doing that. From the outside it is always seen as a way of controlling the citizens and the messaging that they’re getting and what they’re able to do, but it does also highlight the sophistication that the Chinese government have in terms of cyber activities, in terms of how they’re able to monitor their own citizens and lock down that information, and how sophisticated their surveillance and censorship is. So, it really highlights some of the skills that they have. It’s the same cyber operators influencing the Great Firewall as conducting some of these attacks that are happening, and it shows how they want to have their world order and what some of their motivations are in terms of the cyber operations that they’re targeting.

It’s worth mentioning that they aren’t the only country that’s doing that. Russia has Runet – they are expanding and trying to lock down what their citizens are able to see. And Iran and North Korea have very similar methodologies in place. I would say with North Korea, we know even less about that, just because of the isolationist way that North Korea operates. It’s very hard to know how that functions but I think it just demonstrates the sophistication that they have and the abilities that they have of surveillance and censorship that they utilize outside of the firewall as well as inside it.

Mark: So, from an adversarial perspective, we’re in an environment where these four countries have unencumbered access to the world’s internet. It’s open. We’ve made it open deliberately, but we have very limited access, on a variable basis, to their internal country networks, and I would put China at the top of that list.

Erin: Yeah, definitely. So, it’s very hard as analysts, going back to that attribution point as well, to know what’s going on inside of that firewall, because they’re locking down that information. What messages are they sharing? What is it that they’re putting out about adversaries when there is a campaign that is publicly reported or Chinese actors are indicted, which has happened several times? What is the messaging that they’re putting out internally? And I think, with Russia, we’ve seen this with the Ukraine war and the messaging that they’ve put forward about Ukraine to their citizens in terms of “they’re saving the country, it’s not a war, it’s a defensive position,” like very different to what we’re seeing outside of that realm. So, it definitely impacts on that attribution and what we’re able to understand about what they’re doing. One thing I would mention, just as well, because we’re a dark web company, is that this is one of the ways that Tor can be used in a very legitimate way. I think we tend to focus on the dark web being a bad thing for criminal activities, but it’s a way that a lot of citizens in these countries that have locked-down internet are able to access Western and outside media, and this is the reason that a lot of social media companies will have mirrors on the dark web. X, formerly Twitter, has it, Facebook has it, some governments have websites on the dark web. So, people are able to access that information. It’s a useful way for people to be able to get that outside information as well.

Mark: Can you talk about some of the notable cyber campaigns that have been conducted by these four countries?

Erin: Sure. There are a lot, and as we’ve already covered, attribution is tricky in terms of how we associate particular campaigns that we’re seeing to particular countries and the groups within them. China has had some very significant operations in recent years targeting a lot of countries in their region. We’ve seen them spying on Cambodia, the Philippines, South Korea, and they do this using phishing techniques to gain access. So, you know, they are using some of the same techniques that we’re seeing criminals using, that we’re all warned about at our companies in terms of “don’t click on a link.” Those sophisticated users are using those methodologies as well, and we have seen things like when they recently targeted Japan’s space agency. And one of the things that China is well known for is targeting companies and stealing intellectual property, and then taking that information back and using it to develop their own technologies and issue patents on their technologies. So, that is a thing that they continue to do in terms of expanding their power and what they have access to. That’s something that we’ve seen China doing a lot of recently.

With Russia, probably the most significant one that is fairly recent was that they targeted Microsoft’s corporate systems. They targeted the executives and I believe the legal team and were able to access some emails and documents, and they did this again with fairly simple methodology. It was a password spray attack. So basically, they just took lots of different ways that people might use a password and put it across all of their systems. This really highlights why you need to have good password hygiene across your corporation, and across governments everywhere, because that is a way, not just with nation-states but across the whole adversarial cyber field, that we’re seeing people get access: through credentials. So, it’s a really important thing to identify. And then I think you can’t talk about Russia’s activities without mentioning the war in Ukraine, because there definitely is a cyber war going on as well as the on-the-ground war. One of the things we’ve seen fairly recently was they hacked into webcams in Kiev so that they could look at what air defenses were being used in the city, and they did that ahead of a missile attack. They wanted to see where their missiles would be defended and where they wouldn’t. That is a real-world example of how the cyber and the real world are linked together, and they’re utilizing cyber tools to help them with military campaigns.

In terms of Iran, there is a group known as Mint Sandstorm. So again, using phishing techniques, but social engineering as well. This is something we see a lot with Iranian actors – utilizing social media and fake social media accounts to lure people into giving them what they want. We saw them on large recruitment and job networking sites creating these accounts, creating several levels of personas that knew each other to make them look as real as possible, and then using that to identify people that they wanted to target as part of the Israel-Gaza conflict. They were using this as an espionage/intelligence-gathering campaign. With these campaigns, it’s not just about disruptive action or getting access; sometimes it’s just understanding things that are going on to help them with other areas.

Then North Korea, again, is a trickier one just because of their isolationism and the groups that we see. Probably the most prominent group that’s been mentioned in recent years, and they have been around for a long time now, is Lazarus. They have been involved in significant financial thefts as well as espionage. So, a lot of cryptocurrency, ransomware attacks, etc. They were responsible for the Sony hack way back when, I believe it was 2016, but as recently as this year, they’re still operating. They were seen conducting cyber espionage campaigns targeting defense technologies, again creating fake social media profiles and then deploying malware once they’ve got access to individuals. So, you know, there’s a range of activities that are going on, and that very much is a high-level overview of some of the activities. There’s probably a lot more going on that we don’t know about, and a lot more going on that we do know about, but it hopefully gives you a sense of the types of campaigns that they’re conducting and also the variety of people that they’re targeting. I think you said earlier that governments obviously care about attribution, and they should, and their governments hopefully are better at attribution, but I think there’s an old world view that nation-states and spying and espionage are a thing between governments, and these days with cyber, it just isn’t. Everyone is vulnerable to attacks. Everyone has information worth stealing, so everyone has to be vigilant.

Mark: It’s notable that in your answer, in talking about the various cyber campaigns conducted by these countries, many, if not most of them, are using basic password access, phishing, social engineering, as opposed to zero-day exploits that they have access to on an exclusive basis. That’s quite notable.

Erin: Zero-day exploits are really hard to develop and they’re really expensive to develop. If you don’t need them, because you can get in by a weak link of a person clicking on a link or believing a phishing email, then why waste your time and infrastructure? I would say they still definitely do utilize those zero-day attacks, and that is something that’s developed, especially by Russia and China, but those are the ones that it’s harder to hear about, right? Those are the ones where they don’t want people to know what that capability is and who they’re targeting. And they would save that for their most important victims.

Mark: We, in the cyber security industry, live in evolving times. There’s a lot of changes in technologies and I would include in that, by the way, artificial intelligence, the rise of artificial intelligence. How does that affect how these four countries are both organizing themselves and conducting their cyber operations?

Erin: I think in the same way that the rest of us are, right, they’re still learning. They’re still coming to grips with these new technologies and how they can utilize them and how they’re going to work, but they definitely are. I think they definitely want to utilize them and there is a growing sophistication. We have seen particular countries trying to target AI companies. I think there was an article, a month or two ago about OpenAI reporting, I think it was 4 or 5 specific APT actors that they had kicked off of their site and they were using AI to do the things that a lot of other people are doing, like help them with their work, but also create phishing emails and ask it questions to do research for them about the capabilities that other countries and their victims have. So, we know that they’re using AI, we know that that’s happening.

There are also, I believe it was China, I’m trying to remember – it was either China or North Korea, but they’re actually investing in companies that are developing AI in certain areas of the world so that they can own that technology for themselves as well. What I would say with AI and those technologies is the US and Europe and the likes of OpenAI, oh, I can’t, their name is escaping me. But, you know, the prominent AI providers at the moment, they are far and above ahead of Russia and China at the moment. But I was actually at a talk with someone from those companies a couple of weeks ago, and they were saying we’re only a couple of months ahead and they are going to catch up, like it is going to happen. So, it’s something that everyone needs to be aware of and needs to be vigilant about. I think the takeaway point from that is that they are using it. They are keeping an eye on emerging technologies. They themselves as well have to constantly evolve to remain relevant and successful, because people’s defense gets better all the time. So, you need to constantly evolve to get around those defenses and those ways of operating. It’s definitely something that they focus on.

Mark: You mentioned earlier, by the way, we’re a darknet company and we cover the darknets, and we cover darknet-adjacent sites. You mentioned earlier in one of your answers the use of the darknet by citizens in countries which are behind firewalls or where they have limited access to the outside internet. But how do the countries themselves use the darknet and these other online platforms in their own operations?

Erin: Yeah, that’s a difficult one and it’s a bit murky. Again, going back to that attribution problem, and especially on the dark web where everyone is trying to stay as anonymous as possible, to know who is doing what. We know that they definitely do utilize it. We know that there are probably actors on there that are sowing disinformation and details on the dark web and sharing them. But, you know, one of the things that we’ve seen more in recent years and is a bit more obvious is hacktivist groups and criminal groups that are associated with or in some way sanctioned by governments. So, we’ve seen this with Killnet in Russia and a handful of other groups that came out in support of Russia when the invasion of Ukraine happened, and they are very active on things like Telegram. They will say who they’re targeting. They will say why they’re targeting them. They’re often going after NATO participants. They will show evidence of defacements or DDoS attacks. So, they’re very vocal and they want people to know what they’re doing, and they do have those links or at least a nationalist fervor that is very clear. And we see that other groups linked to North Korea and Iran also have Telegram channels and other channels that are very vocal. One of the interesting things that we’ve seen, though, that is less how they’re operating but gives us more insight into how they’re operating, is we have seen a lot of data leaks relating to some of these countries and their governments. Everyone’s falling victim to data leaks in recent years. It’s big business on the dark web – selling that data, but there’s been a huge increase in the last probably 6 to 9 months, especially for China in terms of government data being leaked.
There was a huge leak of the Shanghai police late last year that was assessed to be one of the biggest data breaches ever, and it had a huge amount of information about their law enforcement, but also the tools that they were using to target their citizens. So, it gave security analysts insight into what they’re doing that the governments wouldn’t necessarily want them to have, and there was another recent one as well on a GitHub repository. So slightly not the dark web, but it was one of the front companies that was conducting cyberattacks on behalf of China. All of their information was released, and we’ve seen large-scale releases of Russian data, and Israeli data as well, relating to those conflicts. There is information like that, and while we’re all looking at that dark web data and saying, oh, this is giving us insights into these countries that we don’t know as much about, you can believe that they are also doing the same. So, when there are leaks of US, UK, European data, those countries are definitely going to have individuals that are on those dark websites collecting that data and reviewing it as well.

What do we do about this? It’s not like these four countries are going to wake up tomorrow and become parliamentary democracies and decide to conform to rules of international law. So, what do we do? What do we do about this?

Erin: I think it’s points we’ve already mentioned. You just have to be vigilant, and you have to have as much security as possible. I think there’s education that needs to happen for people about how you should operate, as you said, like these phishing techniques, password spray attacks, things like that. They’re fairly simple and they’re things that we can educate people about, and I think we’ve been too focused in recent years on: okay, people know that if you get a bad email you shouldn’t click on it, hopefully most of the time, but we’re seeing more and more smishing attacks, so text messaging, and with the advent of AI, you can develop someone’s voice and get them to say anything you want them to say. So, you can get a voicemail from your boss telling you to send money or to click on a link. Things are becoming way more sophisticated in terms of how attacks can be conducted, and therefore our education to people about how to combat those attacks needs to be more sophisticated, and I think it’s just staying up to date with what these threat actors are doing, and this isn’t just the nation-states, it’s across the board: what tools and techniques are being utilized, and are your systems set up to protect against those vulnerabilities? So I think it’s trying to be as proactive as possible and not just reacting when attacks happen.



[Webinar Transcription] Why Darknet Data is an Integral Part of OSINT Investigations

March 05, 2024

Or, watch on YouTube

The internet is a vast realm that extends far beyond the surface web we commonly explore. Beneath the surface lies the darknet, a hidden network that poses significant challenges but also holds immense potential for open-source intelligence (OSINT) investigations. Join DarkOwl’s Director of Intelligence to learn how the darknet expands the scope of information available to researchers and analysts.

In this 30-minute session, Erin covers how darknet data:

  • Enhances OSINT investigations by unveiling hidden information
  • Strengthens our ability to combat cybercrime and protect individuals and organizations
  • Enhances threat intelligence and helps maintain a safer digital ecosystem
  • Is utilized in identity theft, fraud, compromised accounts and other real world examples

For those that would rather read the presentation, we have transcribed it below.

NOTE: Some content has been edited for length and clarity.


Erin: Good morning or good afternoon, everyone. I’m going to do a quick high-level talk today of what darknet data is, why it’s important and how it can fit into your investigations. Please do ask any questions that you have throughout, and I’d be more than happy to answer those. So, what we’re going to cover today is what is the dark web? A really quick intro, what is OSINT? Again, very high level. Why is dark web important? And then what I really want to focus in on are some use cases and hopefully show you how we can integrate dark web and OSINT together to find some really interesting things in our investigations.

The obligatory who am I slide… as any good analyst, I hate having any details about me on the internet, so I’m going to keep it brief, but my name is Erin. I’m the Director of Collections and Intelligence here at DarkOwl, and I’ve been an intelligence analyst for over 12 years now.

Another obligatory slide is the iceberg; you can’t really have an OSINT presentation without including an iceberg of some kind in here. This is to highlight the different areas of the internet. They’re all open-source, so they all form part of open-source investigations, but obviously we at DarkOwl, and me personally at the moment, focus on the darknet, but it’s always important to see the whole view and look at everything that’s going on. You want to be able to look at sources that are on the deep net and the surface net as well to make sure you’re getting as much information as possible and that you’re able to validate that information as well.

Diving into the dark web, hopefully most of you that are listening are familiar, but I’ll just give a very quick background of what the dark web is and what can be found there. I’m not going to read everything on this slide, but you can see that it’s been around since the 2000s, so we’ve got about 20 years now, and there’s a lot of things that have happened in terms of the access, the marketplaces that are emerging and forums, breaches starting to occur, terrorists using the information, etc. There’s been a lot of uses of the dark web, and I would like to say that it isn’t just there for illicit uses. There are a lot of legitimate uses for the dark web. I think one of the best things is allowing some individuals that might not have open access to the internet in the countries that they live in to access a lot of websites, social media sites, etc. using the dark web that they wouldn’t otherwise be able to access. There are legitimate purposes, but obviously a lot of nefarious actors also use it and take advantage of the anonymity that they believe exists there.

Marketplaces, people selling goods. These are usually illicit goods: hacking tools, malware, data, drugs, weapons, counterfeit goods. We see all of those being sold on a regular basis. We also see forums – people chatting and talking to each other but also usually selling some kind of information or sharing information; not all of it is for sale. We do also see a lot of extremist forums, people talking about information that’s not great, but also getting together, planning events, things like that. As I just mentioned, there are also social media sites on there. There are mirrors of Twitter or X or Facebook, Reddit. All that can be accessed from the dark web. There are cryptocurrency exchanges, mixers, other forms of things. Cryptocurrency is the currency of the dark web. Really, that’s the main way that people transact. The full ecosystem for cryptocurrency also exists on the dark web. You also get news media, news sources. A lot of the main media outlets and newspapers will also have dark web mirrors. The CIA has a dark web mirror. There are a lot of legitimate sites out there. And then of course, everyone is aware of data leaks; that is the main place that they are shared, and ransomware. A lot of ransomware groups will have leak sites where they will have a shame board of all their victims, which they will put on the dark web for people to go and view. If the company doesn’t pay their ransom, then that information will be released there and can be downloaded. I should say with the leaks as well, it’s usually advertised on the dark web, but the dark web is very slow in terms of downloading information. Often a downloading service or a torrent will be used if the files are quite large.

This is just to give you kind of an idea of what the dark web looks like. These are some sites selling counterfeit goods, organs, drugs, cash apps and accounts. Then also we’ve got some of the advertisements that are shown here. 

You can see the different marketplaces that exist with the different areas, we’ve got people selling Social Security numbers, malware, botnets, different types of drugs. There really is this booming commercial aspect to the dark web and a lot of different stores that have been set up either for niche things or sell a huge amount of goods. And as I said, cryptocurrency is the currency of choice. You can see in that middle image: Monero, Bitcoin, Dogecoin, Litecoin are just some of the ones that are accepted. But it is a variety of cryptocurrencies that are usually accepted these days.

There are quite a lot of challenges, though, with collecting from the dark web. I mean, the first one is you’ve got to know where to look. You don’t have the nice URLs that you would get on the surface web. You also don’t have Google to help you. There are search engines on the dark web, but the majority of sites are not indexed and therefore not easy to find. You need to know where to look, and need to be in the networks where that information is being shared. You also, in most cases, need a login to access the pages. So, you need to create personas and you need to do that in a secure way. The threat actors that set up these sites and maintain these sites are very against bots. They’re very against DDoS, all of the things that they’re very familiar with, but also they don’t want people going in and crawling the data. They don’t want people to access it that aren’t there for the purposes that they’ve set it up for. I would say the dark web has some of the most sophisticated captchas I have ever seen. I can spend quite a bit of my day just trying to solve math problems or see letters in squiggly lines or putting images together. It is quite difficult to get into those. There are a lot of bot traps on the dark web and a lot of human interaction that is required to get into it. It’s not easy, but there is a huge amount of data and intelligence to be found once you do get into those sites.

I also just wanted to touch on, before I get into some of what that data is, what we call at DarkOwl dark web adjacent sites. These are things that are not necessarily on the dark web. They’re not on Tor or I2P or ZeroNet, or some of the other dark web services that are out there, but they are used by the same types of people. They are used in the same kind of way. Telegram is a huge one where we do see a huge amount of marketplaces. We see a lot of fraud being conducted. We see a lot of hacking operations. There’s a lot of hacktivist channels, extremist channels, etc. That’s something that you need to be aware of as well when you’re doing these dark web and OSINT investigations. I’ve also mentioned ICQ and Jabber. But there are other things like Rocket, Tocket.io, Tox and things like that where people are communicating. We also see it on gaming apps. Discord got a lot of publicity last year with the Pentagon leak. I believe he was just sentenced, actually, this week, in terms of leaking that information on there, but generally, a lot of threat actors are on Discord actively. It is a gaming site, but you can set up different servers and different channels. And so, we see a lot of people sharing and operating there as well. Then a lot of threat actors these days aren’t as worried about anonymity as they perhaps used to be. There’s been a lot of instances where dark web forums and marketplaces have been taken down by law enforcement action. So, some threat actors, I think, think, why should I go to all of this effort of having a Tor node and a Tor site and setting this up when I could just do it on the surface web with the same risks, almost. There are marketplaces, vendor shops and forums that sit on the surface web that are still used by the same kind of actors for the same kind of use cases. We’re very much monitoring and looking at those as well.

To give you an idea of some of the things that we’re able to find from the darknet: a lot of data comes from the darknet, so we see huge amounts of personal data, PII. That is the currency of the dark web at the moment. I would say we see a huge amount of issues being stolen: email addresses, passwords, Social Security numbers, social media accounts, stealer logs becoming really prevalent in the last year or two. There are cookies in there. There are two-factor authentication sign-ins. There are key questions, etc. So, there’s a huge amount there. We also see a lot of banking information and fraud. There’s a lot of corporate data, especially with ransomware attacks, which are only increasing. I’ve mentioned malware and then also risks. There’s a lot of threat actors on the dark web that are very good at what they do. There’s a lot of cyberattacks. There’s a lot of education, actually, on the dark web about how you can conduct those cyberattacks, leaks, etc. There’s a huge amount of information out there if you know where to look.

Will you be discussing during this webinar the uptick in Drainer as a service (DaaS) or explaining it to those new to dark web marketplaces?

No, that is not in the presentation, but I can definitely get to that at the end.

OSINT is open-source intelligence. It’s information that’s been found from open sources. Any information found on the dark web does count as OSINT information, but obviously it’s a lot broader than that. These are just some of the sources and information that’s out there that you can use as part of OSINT to find information for whatever kind of investigation you’re trying to conduct.

I did want to highlight some tips in terms of doing OSINT. This is true of looking on social media or looking on the dark web. I created my little AI-generated sock puppet. That’s what that’s supposed to be, if no one can tell, but always use the sock puppet. Always have a persona, always ensure that you’re doing this in a secure way – using VPN or proxies. Use a virtual machine, use burner phones. Don’t use any of your own equipment to do any of these investigations. You should never cross over your real-life persona with what you’re doing online. Ensure that you’re recording all of the information you find. I mean, it really depends on if you’re doing this for law enforcement or internally. But I would say for most people you need to record what you’re finding with the dates, the timestamp, so you are able to validate the data is accurate as of the time that you found it. Because obviously all of these things can change, and particularly with the dark web, sites go up and down all of the time. What you find today might not be there tomorrow. It might not be there an hour from now. There are a lot of open-source tools out there that can help you with doing that kind of collection. So I would recommend looking into those, and if anyone has any questions, I’m more than happy to share some of the tools that I’m aware of that can help you with that collection. There’s lots of other OSINT tips and tricks out there. There’s a huge amount of resources online, and for anyone who’s new to the area, I would recommend having a look at those.

Basically, there’s a lot of illicit information and activity that’s happening on the dark web, so it can be a really good starting point for investigations in terms of finding out what’s going on. You can see what people are discussing, you can see trends, you can see victims, you can see how things are operating. Then moving into more surface web OSINT investigations, you can sometimes expand on that and build out a really big picture. I would say they’re very complementary of each other and especially if you’re looking at fraud or extremism or drugs or weapons trafficking or human trafficking, the dark web is going to be a really valuable source for you to find information and data points to help you in your investigation.

LockBit

Now I’m hopefully going to go on to some of the interesting bits and walk you through a couple of recent case studies that we have. I’m going to start with LockBit. Obviously, this has been in the news a lot recently. Kathy is going to share in the chat a blog that we recently did on LockBit. I think it’s been about two weeks now since the LockBit leak site was taken down by law enforcement. Really interestingly, I thought, rather than just seizing the site as they usually do, they actually had fun with it and started posting on the leak site things about the LockBit group themselves. One of the things that they did share was that there were two LockBit affiliates that they had sanctioned and put indictments against. This is after the fact, but I wanted to highlight how you can get really good information from government sources and official sources about threat actors, and then use that and pivot into other data.

So here we have this individual, Ivan, I’m not going to attempt to say, but Vassalord. We’ve got all his usernames and things that he’s using here, and we can pivot in our own data. We were able to identify that he was active on a number of dark web Russian-speaking forums. Here we can see him, this is in Russian, I haven’t translated it, but he is selling malware. He is giving people advice on different malware and also selling it within the group. So, through looking at this, you know, obviously it’s after the fact, but we can see what his activity was. We can see this dates back to 2022, but we can also see who he was interacting with. We can see kind of what tools he was operating, and we can see more information about him. You can also then take that information and put it into social media tools. This is the What’s My Name app, where you can put in usernames, and it will search across social media sites and identify if an account exists. So here we can see that there’s some old Twitter accounts. There’s a Telegram account, which I already mentioned the threat actors are very active on. We’ve got a Roblox account. You know, threat actors love gaming. It’s giving you these other areas to go and look and to go and research and investigate, and can give you more information to build that picture about that individual.

One thing I was just going to highlight, just because I thought it was kind of funny, was that LockBit actually put something out a few months ago, I believe it’s a few months ago, it might have been a bit longer, saying they would pay anyone who got LockBit tattooed on them, and several people did it. And they shared that online, and we were able to see those tattoos, which they probably regret quite a lot now.

There was a second LockBit affiliate, also, that I wanted to highlight. This is just highlighting the usefulness of leaked data. We collect data breaches and leaked information and have that within our system. Here you can see there are two separate leaks. One includes an email address with the full name of the individual. If you only knew this email address was linked to someone who was doing bad things, you could put that into a leak and see if you can get more information about them. And here we’ve got their full name in Cyrillic, which I’ve translated, and also their telephone number. And then pivoting on that telephone number, we’re able to see another leak, which I believe is linked to the Yandex app for ordering food. So, you can see kind of the payments information. You can see his name again in Cyrillic as Arthur, you’ve got the phone number there. But also interestingly, you’ve got the iOS version.

So, there’s a lot of information that you can find within these leaks with information about threat actors. And then what I’ve shown below is again, using open-source tools, these are two freely available Python tools that you can use, where you can search on the email address or on the phone number, and it will go and look across social media sites to see if they appear there. And it won’t share that information with the email or the phone number holder. So, you still have OpSec, but here you can see that email address. It has a LastPass account, it has a Nike account, it has a Twitter account so you can start to see where this individual is operating.

Cryptocurrency and Extremism

Another use case I just wanted to highlight. I mentioned cryptocurrencies are used extensively on the dark web. I also wanted to highlight some of the extremist activity that we see. I’m not going to highlight any particular threads on this page because I personally don’t find them to be, I don’t agree with their point of view, but Kiwi Farms is an open forum where people share information about different things. It’s similar to a chan. It does have some not so nice threads on it, but just highlighting that with our Vision platform you’re able to find that information and then also view it through our direct to darknet feature as it would look on the site, and you can see this is their homepage. But one of the things that Kiwi Farms do is they have a donation address, so the people that maintain the account are asking individuals to provide them money to keep the site going. So I wanted to see if I could find out anything about that cryptocurrency address and how the funds are being used. I used an open-source blockchain explorer. This is called Breadcrumbs; you can get a basic free account and it allows you to do some kind of network analysis. You can see we’ve got the Kiwi Farms bitcoin address right at the beginning with some of the people that are paying into that. But I was more interested in seeing where that money went, and a lot of it was circling back. I have removed some of the nodes on this just to make it a little bit more visually easy to see, but a lot of it was going back into Kiwi Farms, but then I was able to find areas where it was being cashed out; Kraken, Binance, and then Bravada were some of the areas where we were seeing that the funds were actually being cashed out. And you can see that the site, Breadcrumbs, does also give you an overview of the Bitcoin address and how much funds have gone in and out. You can see it’s quite a high volume and it’s been active for the last three years. You can also see that it plugs into Bitcoin Abuse.
Bitcoin Abuse, which I believe has changed its name now to Chainabuse, is another really good source for looking at any cryptocurrency addresses you come across and seeing if they’ve previously been reported as linked to nefarious activity. One of the addresses in the Bravada exchange has actually been reported to be linked to terrorism and sponsoring groups in Russia. It’s interesting that an extremist forum, Kiwi Farms, is utilizing and sending funds out that way. Obviously, I can’t say for definite that that’s what’s happening, but we can see that those funds are being trickled out that way, and it’s another area for us to investigate and look into.

Israel-Hamas Conflict

The Israel-Hamas conflict has obviously been ongoing for a while now and it’s been all over Telegram. So, as I mentioned, Telegram is a really useful place to see a lot of hacktivism, a lot of threat groups. There’s also marketing there, but it’s also being used more and more as a news source, and whether that news is factually accurate or is disinformation is always up for debate, but it’s been a really good source of being able to see what is happening on both sides of the conflict. Actually, on October 7th, it was one of the first places that anyone saw that something was happening. You can see one of the images here is them going through the wall into Israel.

This was on Telegram almost immediately, and anecdotally, I know that people in Israel were watching Telegram for news updates because they were coming through quicker than they were on traditional media sources. But as I said, there’s also been a lot of information that’s been shared there that is probably not accurate. There were definitely videos that were being posted at the beginning of the conflict that actually came from video games and things like that, but there’s also been a lot of the hacktivist groups on both sides saying who they’re going to target or saying that they have successfully targeted someone, showing evidence of DDoS attacks, showing evidence of defacement attacks, showing documents that have been stolen and leaks. A huge amount of leaks are being shared on Telegram, but one of the things I wanted to highlight, and I don’t necessarily have a good example here, but you definitely can do it, is taking some of these images and the videos that are being shared. Telegram, unlike Facebook, Instagram, or Snapchat, doesn’t always strip out the metadata on the images. There are a lot of open-source tools that can kind of help you to see what the metadata is, and if there is any EXIF data that’s going to help you there, but also you can get hints of where things are occurring and what’s happening by looking at the images and matching them up with satellite imagery or previous images that have been shared as well.

Scattered Spider

I’m conscious I’m running out of time, so I’m going to go quickly. Scattered Spider is another group, threat actor group, that we’ve been monitoring. They are a financial crime group. Scattered Spider is the name that’s been given to them by one of the cyber security threat actors, but they’ve been responsible for some very high-profile attacks in recent years, including taking down Vegas with the MGM and Caesars Palace ransomware attacks. They do a lot of social engineering and phishing techniques; we expect those to probably increase in sophistication. Not that they aren’t already, but we know that AI is being used to assist with those attacks, but they are very active on Telegram and Discord and part of what is known within the community as the Com. We’re doing some analysis on who is active in those groups, who is interacting with each other, and what information we can find out about them. So, there’s a lot you can do with the data that’s in Telegram to do analysis, to do that link analysis, to find out who the individuals are, and of course for the main ones you can go and look in other sources to see if they have other social media profiles or other areas that you would want to be looking into.

So, I ran through that really, really quickly. I’ll just leave the key takeaways up here for people to read. Hopefully, that’s what you’ve taken away from it. I think the question about the Drainer service highlights that there’s a huge amount of things that you could cover here. This is very much designed to be an initial overview and an introduction, but if there are topics and interests that people would like to know more about, please put those into the chat and we can look at providing more information on that in the future.

But with that being said, I just wanted to highlight we do provide investigation services at DarkOwl for dark web and OSINT investigations, so we can assist you with any investigations that you currently have. With that, I will open it up for questions.

What data sources are considered dark web?

Dark web traditionally is sites that are accessed through Tor, so the Onion Router, but you also have things like I2P and ZeroNet, which are also dark web providers, and there’s a few more out there, but they’re not used as regularly, such as Magnesium. As I mentioned in the presentation, we also view things as dark web adjacent when it’s the same kind of use case and the same kind of individuals that are operating. So, we definitely consider that to be Telegram, to be Discord, ICQ, and then some surface websites as well which are there. So, I think it’s open to interpretation. It depends how narrow you want to be, but I think with OSINT investigations you always need to be open to all of the information that’s out there and being able to validate it against different sources. So, the more data points that you have, the more likely that you’ll be able to do that.

How do you locate and identify new groups on Telegram or Onion sites?

Manually is the main way. So, Telegram you can do searches in the global search or Telegram on the desktop app. If you have a keyword or a search that you’re aware of, you can put that in and see what you would find. I would also look at the groups that you’re already tracking and monitoring and search for the links. If you click on the channel page, you can go to links and it will show you other Telegram channels that have been shared. I will also sometimes look at other social media sources; people on Twitter or other forums will sometimes say, let’s take this conversation to Telegram, and they will share an invite link there. You can also use Google dorking to search Telegram, which is quite useful, but I would say it’s a keyword phrase. If you’ve got a particular topic you’re interested in, search for that. And then also if you’re looking at individuals in other countries, do use the native language. So if you’re looking at Russian threat actors, search for your term in Cyrillic as well as in Roman characters because you’ll find more information that way. Onion sites, again, it’s similar. We are already monitoring the major forums and marketplaces, and they will share other areas that they’re accessing. There are sites out there that will track new onion sites that have been created and what they’re being used for. So we can look at those. It is kind of just pulling through the different links that are being found and then reviewing them to make sure that they have actually got useful information on them.

Does DarkOwl have copies of entire sites that can be walked through? For example, could one walk through Silk Road and see the listings and users that were active back then?

Yes and no. We have our data; it goes back to 2016 in earnest. So, we do have all of that information, but we store it in documents and pages. You could search Silk Road and go through it. But one of the things that we don’t do is collect images, due to legalities around CSAM material. You would be able to see the postings, you would be able to see the usernames and all of that information from any site that we’ve been collecting since 2016, but it wouldn’t be a walk-through in terms of, it wouldn’t look like the site. You couldn’t click on buttons and things like that, but the data is all there.

Other than Breadcrumbs and Chainabuse, what are some other great sources for tracking crypto and blockchain across the deep and dark web?

I think there’s so many sources out there. Breadcrumbs is the one that I like to use just because it’s free. I mean, obviously there’s paid services out there that are very, very good. I’m not aware of many others, especially not on the dark web. They’re not there for tracking purposes. I think one I heard of that I’m not familiar with, but was recommended to me recently, was Qlue; that is supposed to be quite good for cryptocurrency monitoring, but it really depends if you want to do a paid service or open-source.


Copyright © 2024 DarkOwl, LLC All rights reserved.