[Webinar Transcription] Leveraging Dark Web Intelligence for Real World OSINT Investigations

March 21, 2025


Attendees of this webinar, hosted with Carahsoft, learned how Open Source Intelligence (OSINT) plays a critical role in uncovering threats and mitigating risks by leveraging publicly available information. This webinar dove deep into the practical side of OSINT investigations, focusing on how dark web data can be strategically utilized to enhance threat detection and risk assessment for organizations.

During this webinar, the Director of Intelligence and Collections at DarkOwl demonstrated the power of DarkOwl Vision through real-world examples, including:

  • Tracking stolen credentials from a recent data breach
  • Monitoring dark web marketplaces for insider threats
  • Identifying emerging cybercrime trends
  • Analyzing chatter on forums to predict potential attacks
  • Protecting executives and high-profile individuals

Participants gained hands-on insights into gathering, analyzing, and interpreting OSINT data, with a focus on applying dark web intelligence to solve real challenges.

NOTE: Some content has been edited for length and clarity.


Erin: Hi everybody. I am the Director of Intelligence and Collections at DarkOwl and I’m going to talk you through some background on the dark web and some OSINT investigations.

What we’re going to cover today, I’m going to give you a little bit of background on who DarkOwl are, what the dark web is, why it’s important, how we can use it in OSINT. And I’m going to do a couple of use cases and walk you through some examples of what we see on the dark web and how you might be able to use it for OSINT.

A bit of background about DarkOwl. We’ve been around since 2014, but collecting data I would say from the dark web in earnest since around 2017-2018. So, our goal is to collect data from the dark web so people are able to use that data for their investigations and to protect their organizations. We allow people to do that in a number of different ways, so you can access data through our platform Vision, which I’ll be showing you how to use today, but we also have APIs and data feeds which allow you to access dark web data, and the idea really is that it’s challenging to access the dark web, and also it can be against policies and a violation to access it. It’s not easy to access and there are things on there that you might want to avoid. So we allow you to access that data in a secure way.

What kind of data do we have? We have layers of the deep and dark web as well as some surface web, although we are primarily a dark web company. Everything that you see here in red is something that we do collect from. We’re always looking to increase our coverage though and look at other areas where we see criminals, cyber threat actors, insider threats, people proposing violence, operating. So, we’re always on the lookout for other areas that we can collect from. But as I said, we’re primarily dark web, TOR, onion sites is where we get most of our data from, but we do also collect some surface websites, things like Doxbin, paste sites, certain forums where we see extremist activity being discussed, as well as underground criminal forums and markets and discussion boards. We also collect from Telegram and Discord. We see a lot of criminal activity operating in those areas. And this just gives you a breakdown of the volume of data that we have.

I believe there’s a polling question up on the board for you now. And that’s just to highlight, are there any messaging apps you’re seeing as part of your investigations at the moment that you would like to have more coverage of? As I mentioned, we do cover Telegram and Discord, but we’re always looking for other options. So please fill that in. You can have multiple choices. But going back to the slides, you’ll see that we’ve got a large volume of data that we collect. We have been collecting since 2017, and we do not remove any historical data because that can still be important to your recent investigations. And so, you can see the numbers that we have here. We also extract particular entities, so email addresses, IP addresses, credit cards and crypto addresses that can help you with your recent investigations. And we also have a large volume of data leak records that we’ll talk about in a little bit more detail.

And this is just to give you an overview of how our ecosystem works. We do have the Vision UI where you can access all of our data as well as APIs. We have several API products that allow you to generate scores and risk assessments based on the exposure that an individual has as well as context information about our data leaks.

And we also provide darknet services. So, for those that don’t have the resources and/or do not have the experience working with the dark web, we are able to do investigations and OSINT investigations on your behalf and produce reports regarding whichever you’re investigating. So, this is our Vision UI, it supports Boolean logic, it has darknet data within it, and it can also be used for alerting, but I will go through that in a lot more detail later in the presentation. But so, just so that we’re on the same page, let’s start with talking about what is the dark web.

No OSINT presentation is complete without an iceberg slide so this is our obligatory iceberg slide which breaks down the surface net, the deep net and the darknet.

We really do focus on the darknet, you know, collecting from onion sites, TOR, I2P, ZeroNet. That is specific software that you need to download to access that, and also it’s not indexed, so you need to know the URL that you are going to in order to find that information. So, it makes it a lot more difficult to navigate and identify sources that are going to be beneficial to you as part of your recent investigations. And that’s one of the things that we assist with. We, you know, have broad coverage across the dark web. We’re always looking to identify new sites and new areas where individuals are communicating or buying and selling goods. And so that allows you to be able to search that information. We also do the deep net. So, this is not indexed by search engines, usually behind a firewall of some kind or password protected. It’s not easy to access, but it’s easier to access than the dark web. You can still do it using your usual browser. And there are a lot of forums and marketplaces and vendor shops, et cetera, that sit on the deep net. And then you also have the surface net. So this is, you know, the internet we’re all used to. It’s indexed by search engines. So, you can, you know, go to Google, go to Yahoo and find a site that you’re looking for and it’s all open. I would say more and more we are seeing sites on the surface web that are also engaging in criminal activity. People seem to be less concerned about obfuscating what they’re doing than they had traditionally been, and also, I think law enforcement’s been quite successful in taking down some dark net sites and that has kind of moved people onto the surface net. So that’s an interesting trend that we’re seeing at the moment, and that’s why we cover those areas as well as just the dark net.

To give you a little bit of history on the darknet, it started in around 2000. The Darknet Tor project itself was actually created by the US Navy as a means of secure communications for their operations. And then they decided to make it an open source tool. The Tor project is a not-for-profit that runs Tor and the onion sites and the bridges, et cetera. It’s always worth noting that there are fully legitimate reasons for using the dark web for those that live in countries where communications may be limited and, you know, they may not be able to access mainstream media, things like that. Tor can be used for that. And also, people who do really want privacy. They can use the dark web to enable that privacy. I’m not going to go through everything here on this slide, obviously it goes up to 2020, but you can see that there’s been a lot of things that have happened in the darknet, things like cryptocurrency becoming more prevalent and being a semi-private way of people transacting, and law enforcement operating on the dark web to take down sites has been a game changer as well. But there’s a lot of things that have happened on the dark web ecosystem and continue to happen to this day.

Okay, so why is dark web data important? I’ve kind of touched on this, but a lot of criminals operate on the dark web. So, we see people communicating on the dark web in forums, in messaging apps, having conversations, but we also see people selling and buying goods. We see people offering services. There is a lot of activity that happens on the dark web that can be useful to your investigations. And there’s also sites where people’s data is released. So, data leaks, stealer logs, which we’ll go into in a little bit of detail, as well as things like DoxBin where people’s information is released. So, it can really help you in your investigations identifying information about individuals, but also can help you to kind of protect individuals from an executive protection perspective, and we’ll talk about that in a bit more detail as well.

While we’re level setting on the dark web, hopefully everyone on this webinar is aware of what OSINT is, but it’s basically the collection, analysis and dissemination of information that is gathered from publicly accessible sources, and these are a couple of the sources that are out there that I think are familiar to most people doing OSINT investigations. But people don’t always think of the dark net. I think some people think it’s scary. There are questions about whether or not it’s truly open. But it is in fact open. It’s harder to access, but all of the data is out there for people to go and view if they choose to. So, I like to think of it as a tool in the toolbox that an OSINT investigator has. You know, you should be looking at social media, you should be looking at public records, you should be looking at, you know, other mainstream websites that are out there, things like the Wayback Machine, but the dark web is an important element of that investigation and gives you kind of a broader overview of information that you might not get from other sources. I feel like, again, I have the obligatory iceberg slide, this is my obligatory AI generated image. You can see that it’s AI generated because it’s the Dark Wab and not Dark Web. It seems that when you give it a few too many prompts, it gets confused, but this is my obligatory AI image.

Okay, so what things do we see on the dark web? So hopefully people are familiar with some of these. I think some are more well known, but marketplaces are definitely, you know, a mainstream and one of the things that first started in the kind of criminal ecosystem of the dark web with things like Silk Road, which was not the first market, I believe Farm was, but, you know, marketplaces for buying and selling drugs, illicit goods, hacking tools, tutorials. You can purchase hitmen, you can purchase all manner of strange things; whether or not that’s legitimate is something that we can also discuss.

There’s also a wide range of forums, so people kind of talking about things that interest them. Breach Forums is probably one of the most famous forums out there that works in buying and selling data and sharing data. But there’s also extremist forums out there, things like the incel community, right-wing extremists operating on forums too, or people just discussing general things; not all of the forums are bad. There are some social media sites that are on the dark web too. There are mirrors of things like Facebook and Twitter that appear on the dark web so people can access them in countries where there might be censorship, so that’s one of the more legitimate areas. And also we talk about social media, and I’ll go onto this in the next slide, as a dark web adjacent area where we do see criminals operating on mainstream social media as well.

Cryptocurrency obviously is the currency of the dark web. We still see Bitcoin as the largest currency being used, but things like Monero and Zcash and more of the privacy coins are also popular. You know, wallet explorers, there are dark web wallets, there are tumblers, mixers, et cetera. So a lot of cryptocurrency activity can occur on the dark web. As well as being, you know, again, perfectly legitimate information, there are a lot of news sites that are on the dark web. The BBC has a news site. I believe CNN has a news site. And there’s also just kind of other sites that share information. These can be kind of data repositories, you know, when information is leaked by whistleblowers that can sometimes appear on the dark web as well. And then we have data leaks. So rather than kind of whistleblowers, that’s more stolen data and data that’s been taken illegally. And in that vein, we also have ransomware. So, a lot of ransomware groups have leak sites on the dark web where they will kind of shame their victims into paying the ransom by saying that they are a victim and they’re gonna release the data. If the victim does not pay the ransom, they do usually then release that data, which is downloadable on the dark web.

But as I mentioned, there’s also some things that we refer to as dark web adjacent. Oh, there’s a poll question. So, what areas of the dark web are of most use to you? So I’ve gone through some of them, but it’d be really interesting to know from your perspective what is most beneficial for you and your investigations and your day-to-day job. But in that theme we also have some dark web adjacent. That’s what we refer to as sites or messaging apps or platforms that aren’t exactly on the dark web, but they’re still being used by the same community of people, i.e. usually criminals or extremists or some form of bad guy, for want of a better phrase. Things like Telegram, ICQ, Jabber, Discord, which is a gaming site, as is Twitch, where we see people are sharing classified information, they’re making threats. A lot of the so-called gore community are very active on places like Discord; it tends to be younger generations and people that are into gaming, as you would expect. But these are all areas that we think it’s important to also have coverage of in order to, you know, have a full coverage of these communities and these groups and how they’re interacting. Obviously, I would say there’s been some changes in Telegram in recent months, but we are still seeing a huge amount of people operating on Telegram in a malicious way. And then the surface web, marketplaces, vendor shops, forums, as I mentioned before, excuse me, we are seeing some people that are operating in the same way they operate on the dark web on the surface web. You can find those vendor stores and those marketplaces, which I think is an interesting evolution in how these communities are operating.

Okay, so there is a lot of data on the dark web as well. So, we’ve kind of talked about the general themes and the types of sites that there are, but there’s also a lot of different types of data and a lot of different types of information. So, a huge amount of PII appears in data leaks and is discussed on some of the sites as well. Financial information. There’s a huge ecosystem of financial fraud, people selling credit card data, selling banking information, selling details of how to operate in a financial fraud way. So, we see a lot of people doing tutorials and giving guidance about how to conduct some of these scams. There’s also a huge, as you would expect, cyber and hacking community. So, people trading malware, and exploits, and different tools that you can use, you know, the phrase script kiddies, individuals who aren’t necessarily sophisticated enough to build code or build these vulnerabilities, but they can purchase them and execute them and still kind of use them for criminal activity. So, we see a lot of trading of those kind of things, drugs, obviously, and cryptocurrency I’ve also mentioned. There’s a lot of activity that can come from this kind of data. We see cyber-attacks. We see data exfiltration and hacking. There’s also cyber espionage. I mean, APT groups are hard to identify, but they’re definitely operating in some of these places. And insider threats as well, people, you know, talking about sharing information that they should not be sharing or making threats to their organization. These are all the types of things that we see on the dark web.

Let’s dive in a little bit more into what data we actually see and kind of try to look at it from an OSINT perspective where possible. Ransomware I have already mentioned. These are two examples of ransomware leak sites, one is LockBit, the other one, I actually don’t remember which ransomware site it is, but you can see like they will share the information about the company that has been the victim of a ransomware attack.

But you can see they’re also operating in the yellow image. You see that they have a Telegram channel. They are on Twitter and they are on Facebook. So they have a dark website where they share this information, but they’re also operating on kind of more of the mainstream areas. And that can be really useful for you as part of an OSINT investigation. If you’re trying to identify more information about these, you’re building that kind of what we call darknet footprint and digital footprint for these groups and how they’re operating. So, you know, their sites can give you information about them that can help with understanding how they operate. But also, you know, the information that they share, while stolen and really should not be shared, can be used as part of investigations as well. Especially if you’re concerned about supply chain or third party risk, understanding what data has been released about an organization can help you protect your organization if one of your supply chain vendors is in there, or if you are the person that has been leaked, sorry, had been ransomed, knowing what of your data has been released and is out there for other criminals to kind of delve into is an important thing to know. And I think some people get concerned about this data and it’s stolen data, but the thing I think people need to understand is criminals have access to this data, threat actors have access to this data and they will use it to conduct more criminal attacks, so it’s important to know what is out there from a risk perspective so you can better protect yourself.

Financial crime I’ve mentioned, we see a lot of marketplaces but also places like Telegram being used as a market for people to sell financial information. So, you can see here there’s stimulus checks being sold, there’s people selling plain credit cards, there’s other things that they’re making available on here, cash apps, etc. So there is a huge ecosystem of this financial crime.

And in the theme of markets, we also see people selling drugs and weapons on the dark web as well.

You’ll see that a lot of these markets look similar to what you would expect to see from, you know, a commerce website on the surface web as well. They provide pricing, they provide images, they also provide reviews. And that can be really useful for us from an OSINT perspective. So, you know, things that you might want to look into on these markets that can give you some clues that you can go and look through in more traditional sources. So, you know, you’ve got OSINT, sorry, you’ve got reviews, as I just mentioned. So, these are some examples of reviews. I don’t know that they are legitimate to be honest, but you’ve got the username, you’ve got the date that they purchased, and sometimes they give some information in there, like, you know, it arrived really promptly, that could give you ideas about, you know, where are they based? Where are they purchasing from? And, you know, how it operates. We’ve also got here, like, more descriptions about the drugs that they’re selling. So, they’re telling you the type of drug. It’s a pressed pill. They’re made in-house. So that’s something that they’re, you know. Again, you can never really trust a threat actor, but they might be operating this themselves. That’s something to go on. And they’re also saying that they ship worldwide.

We’ve got other examples where they tell you where they’re shipping from. So, this is actually counterfeit money that they’re shipping. And they’re telling you kind of how they operate it, what techniques they have in terms of producing this counterfeit money, but also they say they’re shipping from Romania. It’s a pretty good starting point that they could be operating in Romania and that they’re individuals based in that country. Again, with OSINT, you always have to verify everything. You can’t take anything at face value, but these are data points that I think it’s important that you pull out.

And this one is a little bit maybe harder to read, but I thought it was important because they’re giving details and almost like TTPs of how they’re operating. So they’re telling you they ship it in an envelope that uses anti-extra bags and if it’s inspected, it will get through it. And they’re actually saying that the National Post Service is the safest way to order it and that they also use express shipping. So, if you’re doing an investigation into kind of the methodology of someone selling these drugs or counterfeit goods, I believe this one was still counterfeit money. You can get from these marketplaces and from these sites information about how they are actually operating, which can really help you in your investigation and maybe where you wanna focus to identify things from other sources that are out there.

Stolen data is also a big one. I’m not really going to show real examples here because I don’t want to expose people’s PII; there’s some of that. But this is Breach Forums and I believe LeakBase. These are sites that appear on the dark web where people are sharing data. And again, we get a lot of questions about is this open? I would say predominantly on these sites, the data is shared freely. Sometimes you need credits, so you need to have a reputation on the sites and have built kind of some of that persona. But by and large, this is freely available data that again, criminals are going to have access to and it’s something to be aware of.

This gives you an idea. This is a breakdown from data that’s in our platform and Vision.

I looked at the last 90 days and it gives you a breakdown of some of the PII that is available in these leaks. So, you know, names and email addresses you’d expect, but you’re also seeing identification numbers, information about people’s genders, information about companies, phone numbers, dates of birth. You know, there’s kind of two use cases for this kind of data, I think, in the OSINT realm. One is, you know, attribution of looking at threat actors. There’s so much leaked data out there now, but threat actor information is going to appear in there as well as, you know, legitimate people’s data. So, it can really help you with that kind of attribution use case, but also from a risk analysis perspective, understanding what information is out there about yourself or your employees or, you know, individuals that you might seek to protect. This lets you know kind of what level of risk they have, what level of exposure they have and how criminals might be able to target them.

Stealer logs is something that we’ve seen a huge rise in. They’re not new, but they just seem to be a lot more prevalent in the last year or two than they were previously. This is an example. ALIEN TXTBASE is a group that have been sharing not full stealer logs, actually, but what we would call combo stealer logs, where it has the URL, the password, and the username of an individual. And they’re making that available on Telegram. So, you know, this is great for criminals in terms of they are able to log into accounts, do account takeover attacks, depending on what URLs appear here, it could be access into someone’s network. But stealer logs are basically malware that exists on your computer or a victim’s computer and steals things like cookies, your autofills on your browser, your passwords, and your usernames. It can also steal things like cryptocurrency wallet addresses, basically anything you’re doing on the internet, it can hoover up, and we have some good blogs that I would recommend about stealer logs and how they work and how they operate and the different types of them. But they have a huge wealth of data in them.

And again, threat actors have been victims of these as well as legitimate citizens. And we’ve seen a lot of research where you are able to search for places like XSS or Exploit, you know, dark web forums, and see people’s user information and that can really help with attribution, but also knowing that risk of your password and your username being out there and that can be used for a variety of different attacks is really important, and also because the cookies are in there it can help threat actors get past two-factor authentication and OTP codes as well, so that’s something to bear in mind. Again, I said I wasn’t going to share actual data, so I wanted to give a really basic description of how some of this data can be useful. But if you have an email address for a threat actor or someone you’re interested in understanding more about, you can search for that in leak data, and it might appear and show that it’s linked to a password. Depending on how unique that password is, you might be able to identify other accounts that they’re using because we all reuse passwords. We shouldn’t and we get told not to all the time, but most people do. So, you might be able to identify other email addresses and then you can use other OSINT techniques to find more information linked to that. There are tools out there that will allow you to search for an email address and, using open-source techniques, can find things like telephone numbers that link to social media accounts, that link to things like Cash App and Venmo that can give you access to the real identity of an individual. So, this is a very basic, simplistic way of talking about the workflow, but you can definitely use information in data leaks to be able to investigate individuals. I see it as another tool in the toolkit of data that’s open that you can use as part of your investigation.

We also see a lot of extremist activity on the dark web and particularly on Telegram. So, these are some images that we identified related to ISIS, but we also have things on there that are, you know, right-wing, extremist, racist information that’s being shared, and it’s important to monitor these because they can lead to real world threats, and so we need to identify what is being done. You can see with the ISIS threats these were around some sporting events where they were encouraging people to target the sporting events and they were giving specific areas that they should do that, and this is something we’ve definitely seen an increase of, using the dark web, using things like Telegram, to incite violence in others and create lone actor attacks. So, it’s definitely something that needs to be monitored.

Executive protection is also a use case that we’re seeing more and more active on the dark web, or the data on the dark web helping with that use case I should say. So here I’ve got, and I apologize for some of the language in this, but just to highlight, on the left-hand side, we’ve got a post from DoxBin where they’re talking about an ex-FBI agent. Whether this information is accurate, I don’t know, but you can see they’re providing things like date of birth, address, telephone number, his wife’s information, what their role was. He’s also got their daughter’s information. So, huge amounts of data are being shared about individuals on Doxbin. If you’re not monitoring that, then that’s going to be an issue because, you know, a lot of the time when people’s information is shared here, it can lead to real-world attacks, like things like swatting attacks. A lot of that information would come from Doxbin. You can also see we’ve got a data leak here that specifically mentioned CrowdStrike employees. Again, I haven’t provided any of the actual data, but you’ve got first name, last name, email, where they’re located, their phone number, their job title. So, this is information that’s being released about employees. And again, why you need to kind of be monitoring data leaks for your employees’ information being shared. And I think it’s really important as well that you do that from a corporate perspective of looking at corporate email addresses, but to do this completely you also need to have access to personal information too. And then the one with the not great language, so apologies again for that, is from 4chan and it is an example of a particular individual that I have blanked out being threatened, and it’s being said he will be shot, shot like the healthcare CEO, and it’s a long time coming. So, we can see kind of chatter and rhetoric of people making threats against individuals on dark websites as well.
And it’s really important to analyze those and make a judgment about, you know, the risk that these individuals pose and then using OSINT techniques to see if you can identify who these individuals are so you can have a bigger picture. 4chan, unfortunately, is a difficult one to do that with because it’s anonymous, but it’s so important to know what people are discussing.

And then you can also do threat actor investigations and attribution. So, this is a bit of a historic one, but Pompompurin was the admin of Breach Forums previously. He was also on RaidForums, and you know, from analyzing the data, we were able to look at the username and see that he was active on all of these different dark web forums. We were really able to build that footprint of how he’s operating, but you’ll see he was also on Discord. And so, it really allows you to kind of understand how this person’s operating, and obviously you can analyze their language and what they’re talking about. And if there’s any clues within those forums to location and information. But I highlighted DoxBin for executives; threat actors get doxed all the time as well. So, this is an example of information relating to him that was shared online. Several people doxed this individual. So, it’s clear now that Pompompurin was Conor Brian Fitzpatrick. He was subsequently arrested. So, using the data, and again, this is a very simplified version, but you’re able to identify a real person based on a username and kind of how people are interacting in the community. And from that, we were able to identify telephone numbers that they use that you can do further research on, IP addresses that they use. And I believe one of the IP addresses that was associated with Fitzpatrick was actually where he was hosting Breach Forums, and the FBI were able to use that. He is now, or he was, incarcerated; he was charged. So using the data and the information online can really help you doing investigations into threat actors as well.

Okay, and we have a third question. So what use cases are most important to you? I think it’s important to understand what use cases people are working on so we can best identify kind of the data that’s going to support that from the dark web.

But with that said, I’m going to move on to a couple of quick demos to show you real world examples of how we can find data using the Vision platform (see recording for demo portion).



[Webinar Transcription] Executive Protection and Security in a Dangerous World

February 19, 2025


Executives are increasingly targeted by activists of all types, posing significant threats to them personally and risks to their organizations. Many of these attacks can be detected or even predicted by monitoring exposure of the executives in the darknet, including leaked and stolen PII, credentials, chatter around the executives, and in some cases direct threats.

Despite utilizing various security tools, many organizations lack a dedicated executive protection service to monitor and alert on potential threats or negative chatter targeting executives. Addressing this challenge might seem complex, but the stakes have never been higher.

In this webinar, attendees learned how to effectively baseline, monitor, and alert on organizational and executive threats using DarkOwl’s Vision platform, and heard practical steps to safeguard executives and the organization against these evolving threats.

NOTE: Some content has been edited for length and clarity.


Kathy: Today’s webinar will be held as a fireside chat with Mark Turnage, DarkOwl’s CEO as our moderator. Before we begin, we’d like to give each company a moment to introduce themselves.

Brandon, would you like to tell us a little about Ascent Solutions?

Brandon: Absolutely. So, if you’ve never heard of us before, we are Ascent Solutions. We’re an award-winning Microsoft Solutions partner that specializes in the Microsoft security stack. We offer a wide range of cybersecurity services to include advisory, professional services, as well as managed services, including Cyber Threat Intelligence, Security Operations Center, and Threat and Vulnerability Management as a service, just to name a few.

Kathy: Mark, would you like to tell us about DarkOwl and then start our chat?

Mark: I’d love to. My name is Mark Turnage. I’m the CEO and co-founder of DarkOwl. DarkOwl is a company that was established for the sole purpose of monitoring the darknet and what we call darknet-adjacent networks for criminal activity and underground activity on behalf of our clients. We monitor tens of thousands of sites a day, and they include everything from the traditional Tor network all the way to Telegram channels where threat actors are now active. Our data is available in a number of different ways: UI, APIs, data transfers, and we number many of the world’s largest cybersecurity companies as our customers.

It’s a pleasure to be here today with Brandon, and I’m going to just let Erin introduce herself really quickly, and let’s start with questions.

Erin: Hi, everybody, I’m Erin. I’m the Director of Intelligence and Collections at DarkOwl, so responsible for the data that we collect as well as doing investigations on behalf of our customers.

Mark: Great, let me go ahead and start. I’m going to direct this question first at Brandon and then at Erin. Can you give us the basics of executive protection? What is it and why is it important?

Brandon: Well, at Ascent Solutions we offer what we call digital executive protection monitoring and alerting services that succinctly tie in with our team’s approach to continuous threat exposure management. Our approach to executive protection is actually rather simple. We provide enhanced monitoring of the dark web that specifically focuses on key executives and organizational leadership. We recognize that alerts specifically pertaining to these individuals and key personnel could require a more tailored and, of course, timely approach, with additional requirements, actions, activities and engagement beyond just the regular security team.

Mark: Great. Thank you. And Erin. Why is it important to monitor specifically, executives’ data online?

Erin: Executives tend to be the most visible people in any company. So, their information is out there; they’re doing things like webinars, they’re putting press releases out, et cetera. And so that makes them more of a target to individuals. And I think historically we’ve thought about physical threats, and that’s still a concern, obviously, in terms of people being targeted, but more and more what we’re seeing with cyber threat actors is that they’re using the information that they can obtain in the digital realm in order to target those quite visible people. And they can do this in a number of ways, and this is why it’s important to monitor digital activities from different perspectives, because there’s information that can be leaked about executives which can lead to information that threat actors can use, and they can get their credentials and get access to things that way. But there’s also a social engineering aspect to this. You know, if people are putting a lot of information out there on social media about their movements, about their hobbies, about how they operate, that makes it a lot easier for threat actors to impersonate them or use them to target members of the company. And we see that a lot with phishing attacks. So, I think it’s really important to understand, especially for executives, but probably for all employees and individuals, you know, what information is out there about you and what steps you can take to protect your digital footprint.

Mark: And I’m gonna go off script here, so I’m gonna cause our hostess Kathy to have a heart attack.

You know, I have heard through the years, and have seen it, we’ve seen a little bit of it ourselves, that oftentimes not only are executives the most visible members of a company, but also they’re the least cautious. It’s the C-suite. Have you guys found that to be the case in some cases? I don’t want you to bad-mouth your clients or our clients, but do you find that to be the case?

Brandon: I’d say it depends on the executive when it comes to that, but I’d say that there’s some consistency with that, Mark.

Erin: Yeah, I would say anecdotally, that does seem to happen. But I feel like maybe it makes a bigger splash when it’s the C-suite that’s messed up. But, you know, people, I think as well, like, it could be, you know, a generational thing as well. The C-suite tend to be older. They tend to be less tech savvy. They tend to not think about social engineering attacks or how the information that they’re providing could be used. But then in the same vein, younger people put way too much information on social media, in my opinion, so it’s a balance.

Mark: Sure. I mean, I’ve been subject to phishing attacks myself. Some of them quite sophisticated. And all of them, all of the most sophisticated ones tried to take advantage of the fact that I was the CEO. They had a message or a sender that I would pay attention to. They were quite sophisticated.

Brandon: Yeah, I would love to add to this one too, big time. Multiple vendors throughout 2024 identified that threat actors are increasingly targeting executives, basically to get a foothold into their organization, causing reputational damage or just picking an insidious activity. This is also actually quite consistent with what we’ve mentioned about what we’ve seen in our SOC, and we have to keep in mind that executives often have access to the organization’s most critical business functions, which threat actors can use to gain the foothold. We don’t exactly, to Erin’s point, make it very hard either. We feature our executives; in some cases, we feature the contact information, direct contact information, for these folks out there as well. So, putting it all together, we basically roll out a red carpet for these folks to attack our most senior folks.

Erin: I think you have to think about the senior folks being impersonated as well. So, you know, employees are much more likely to respond to a phishing email if they think that it’s coming directly from an executive. And, you know, with things like AI now, you can generate an executive’s voice. If an executive is out there doing a lot of press and webinars, their voice is on the internet; you can impersonate that and use that against their employees. So there are aspects of it as well.

Mark: We’re gonna come onto that. And the question I had for you, Brandon, was what is it about now? What’s different about now that makes monitoring this type of data more important than ever?

Brandon: Well, I think threat actors are getting more creative every day. And we’re seeing them attack and exploit things that are often on the periphery, especially since throughout 2024 we watched a lot of different vendors, third-party vendors that have access into different environments, get hit. So, I do think that most of the time, when we get dark web monitoring and alerting services, it’s specifically monitoring your email domain. But we need to open up the aperture on that, in my opinion; we need to be monitoring the organization and any mentions of the organization, obviously email domains and credentials. But specifically with executives, sometimes a lot of these executives link some of their non-business email addresses or contact information to their business email contact information as well. So, with that, we’ve got to be mindful of threat actors exploiting these fringe and periphery things to get access. Their goal remains the same: cause as much damage, get access, sell access, etc. We’ve got to be cognizant of that.

Mark: And Erin, what’s different about the dark web as opposed to more social media sites? Give us some sense of that difference.

Erin: Yeah, I think people on the dark web have a bit more of a sense that they can do whatever they want. So, you know, we see things like doxing, where threat actors will just provide information about individuals, and it will basically be a dossier of that individual, all the information that they can find about them. We don’t tend to see that shared as much on things like social media. And also, just the sheer breadth of leaked and stolen data and stealer logs is something that we’re seeing a huge surge in, and the dark web is where they buy and sell that information.

And I think everyone needs to be cognizant of this. You can be as careful as you want about your digital data and your footprint, but you don’t have any control over the third parties that you’re putting your information into. And if they get breached, your information is out there. So you can be pretty savvy, you can have limited social media profiles, you can have all the privacy settings, etc. But if you have MyFitnessPal and MyFitnessPal gets leaked, your information is out there. So that’s on the dark web. So, I think it’s very important to be aware of that.

And then, kind of moving to some of the dark web-adjacent sites that we monitor as well, things like Telegram and Discord: we see a lot of individuals talking about targeting or talking about accessing particular companies, or just geopolitical events that affect their lives and, you know, are hitting on organizations and companies. So I think just monitoring that rhetoric as well, stepping slightly away from specific executive protection but just kind of general organizational protection and reputational risk: there are a lot of individuals out there that, you know, are making antisemitic comments, making violent comments, you know, making threats against executives and against organizations. And I will say social media has probably changed slightly in the last year or so, where some people feel that they can do that on the open web as much as they can on the dark web, but it’s certainly something we’ve seen in the dark web, you know, over the last few years, increasing.

Mark: And Brandon, give us some examples of some of the threats and risks that you guys have found and maybe talk about a unique case that you’ve you’ve come across.

Brandon: I think most commonly we see stolen credentials, data breaches, ransomware posts, threat actors discussing or sharing proofs of concept, or just the sale of weaponized exploit code targeting specific vulnerabilities, amongst many other different nefarious things. So, we’ve got a couple. I think the most consistent one that we see, more often than not, is, you know, our customers ask us, well, why are my executives, my leadership, the most phished? Well, it’s like, well, look at your website, man, you’ve got the contact information right up there. Or it’s something like, your boss keeps signing up for all these random newsletters that continue to get hit, you know, with his business email, which is why he’s in X amount of different data breaches. That’s the most common, the most consistent. But I think the most bizarre case that we ever had to respond to: we had a customer that had just moved organizations and went to an organization that recently got hit by a threat actor. And he had called us in to give him a hand and some assistance. Specifically, my part was to monitor the dark web, kind of get a good idea of what their presence really looked like on the dark web as well, which was very important for him, obviously. So I built a couple of different cases, specifically watching for organizational mentions, email domains, or just anything and all things related to the victim company. And sure enough, the threat actor wanted to gloat about his ill-gotten gains, and he threw up a post detailing exactly what he had stolen from the company. At that point I took that, handed it over to the team that was investigating the situation, and it kind of gave them a better idea of where this threat actor could have been.
So, continuing to monitor, updating as needed, you know, especially the posts as the thread grew on there, and I guess the threat actor made some enemies of his own kind, and they decided to dox him.

Mark: Oh my god.

Brandon: After they doxed him, they basically put it out there like, this is who he is, this is where he lives, this is his home address, this is where his parents work, here are all his socials, these are all his data repositories, this is where he stores his data. And they basically stripped this threat actor of all his anonymity, and then immediately I turned that over to the team, and I would like to believe they finally adjudicated him. I haven’t seen a post from him since. So, it could be that. Well, let’s hope.

Mark: That’s very, very interesting. Erin, give us a sense of what trends you’re seeing in terms of threats in the current environment.

Erin: Yeah, I just want to jump onto what Brandon was saying there. I always find it really interesting. Like, I think we focus very much on “let’s protect our executives and our organizations,” which absolutely we should be doing, but I love the fact that the data that we have in leaks and from doxing and stealer logs helps us to attribute who is actually doing this, so we can kind of use what they’re using against us back against them. And it really helps to know kind of why someone’s doing something and what their motivation is, because it allows you to assess the threat, you know, a lot better. You know, there’s a difference between armchair trolls that are just making threats because they’ve got nothing better to do and someone that is going to follow through on that threat. So, I think it’s really interesting to have that motivation.

In terms of trends, we’re just seeing a huge mass of data; it’s just growing and growing. We’re not seeing that diminishing in any way in terms of data leaks. I think stealer logs, they’re not new, but they definitely seem more prominent in this sector in terms of people being able to use those, the amount of credentials that are stolen and how people can use that to access things. I think we’ve definitely as well seen a lot more sophisticated social engineering, I think particularly some threat actor groups in terms of targeting call centers and targeting help desks of organizations, as well as the executives and CEOs, and being pretty convincing based on the information that they’re able to find on both the dark web and the surface web. Brandon’s already mentioned phishing as well; you know, not a new trend, but phishing is not going anywhere. I think as long as your email address is out there, it’s a technique that works. I mean, you look at things like Colonial Pipeline: that was, you know, really basic phishing that led to a credential attack that, you know, led to the shutdown of the Colonial Pipeline. So, I think those are the things that we continue to see and that we have to continue to mitigate against.

And then I guess the other thing that I’ve kind of already touched on that we see, in terms of threats being made against executives or organizations: I feel like, anecdotally, people are less concerned about the threats that they’re making there. They’re not trying to obfuscate who they are as much as they used to. I think people feel a little bit braver about what they can and can’t say. And, you know, part of that’s people on the internet; they’re sitting behind a screen, you know, they think they’re untouchable. But also, I think it’s just kind of the way things are developing geopolitically; people have a sense that they can do things and take action. And I think, you know, we’d be remiss in an executive protection webinar not to talk about the UnitedHealthcare assassination. You know, that individual, as far as we know from reports (obviously, I wasn’t involved in that investigation in any way), didn’t have a huge amount of rhetoric online, you know, thinking about doing that. But I think it really just highlights, you know, when people have pain points and they’re talking about those pain points, you need to kind of pay attention to them. And the digital world and the digital things that people are talking about and the exposure that people have: you know, he had to know that that executive was going to that hotel at that time, and that was probably from his digital footprint. And so there can be real world, you know, real world impacts outside of, you know, hacking and, you know, network things that I think it’s important to be aware of as well.

Mark: And can I ask you both a question? When you’re monitoring an executive, take me as an example, you’re monitoring Mark Turnage. How often do you pay attention to Mark Turnage’s spouse or partner and family? Have you seen that as an attack vector by threat actors?

Erin: I would say it’s definitely an attack vector. Again, executives will get education through their security, through their SOC, whoever, telling them what they shouldn’t do, and they can improve that, whereas kids might post where they’re going on holiday and things like that, and it can make them more vulnerable. What I would say about that, though, is that it’s really up to the organization and the executive whether they want to extend the monitoring that wide. A lot of people, for very legitimate reasons, don’t want to share the more personal side of their information, their family, their personal emails, etc. I would caution against that because, you know, you need to look at things as a whole when looking at this. But yeah, that does tend to be an issue, the privacy concerns around that.

Brandon: Yeah, I grouped that with the periphery as well.

Mark: We’ve seen one or two cases where the social, as Erin said, the social media posts of children were a primary attack vector because they could follow an executive’s family around. And as Erin said, it’s a choice for the executives and the organization to make.

Give me a sense, Brandon, what practical steps can be taken to baseline an organization and then monitor it? And how have you used DarkOwl to monitor and alert to these threats?

Brandon: Yeah, absolutely. Well, one thing I learned after 20 years in the Marine Corps is collection planning is key for any type of operation. So, what we do for Digital Executive Protection Monitoring and Alerting Services: we have a whole menu of different things that we offer our different customers who wish to subscribe to this. So, it’s up to them. From there, we pump that stuff into DarkOwl to specifically monitor for those different things. And the great thing about DarkOwl is you’re able to build a case where it’s gonna go out and fetch at whatever frequency you want it to. This is the information that you ask it to go look for on various different things. If I wanna specifically look in extremist forums or just other threat actor-based forums, I can have it look specifically for these different things there. Or if I just wanna focus on email domains or email addresses or all that in these different forums, like, yeah, absolutely, I’m gonna go do that. Most consistently, as far as our basic package goes, what we do is we monitor the organization, the organizational email domain, and the names and the business email addresses, and in some cases personal email addresses that are joined to the network environment, of the different executives, and we build a case around that. So anytime something does pop up, I get a notification, and then we handle it accordingly.

Mark: So great. And those can be in relatively real time, you know, within a minute of a post being posted.

Brandon: Yup.

Mark: Erin, give me a sense of what mitigations companies can take to protect their executives. I mean, it sounds like there’s this Wild West world where data is being spilled out there or doxed out there. You know, what can a company or an organization really do to mitigate the risk to their executives and to the organization itself?

Erin: Yeah, so I think one is doing this kind of monitoring and being able to baseline what is already out there, because there’s no way that there isn’t something out there to begin with. So, you want to have that, and you want to be able to see any changes. But basic steps that organizations can take are giving people cybersecurity training on phishing attempts and what to look out for, giving people advice on what they shouldn’t share on social media and how they should set their privacy settings, etc. I think having a really strong password policy: leaks are going to happen, but if you’re not using the same password on every account, it really reduces the risk that it has to your overall footprint. I think using things like password managers can really help with that.

And then I think being cognizant of what data is out there, you know, there are ways to remove some of that data, not on the dark web, unfortunately. So if your data is on the dark web, your data is out there. But there are a lot of kind of data brokers and other organizations that will hoover information up from public records and from social media and you can legally ask for that information to be removed. So that’s something that you should probably look at doing as well.

And I think just being generally vigilant, making sure that your employees are trained and know what to look out for, but also know what they should and shouldn’t do. Like, don’t post too much information on social media. Don’t mix your personal and your business email addresses on accounts; like, don’t use your business account for your hotel bookings and things like that, because that’s the way that threat actors can, you know, piece together your life and do those kinds of doxes that Brandon was talking about. So, I think it’s just having good cyber hygiene and having good education to try and mitigate and reduce the risks as much as possible. I think everyone needs to be aware that you can’t remove the risk. You know, there are steps you can take. We can do this monitoring. We can be looking out for that. We can be as vigilant as possible. But we can’t protect all third parties where we’ve put our data. And so, you just need to be very vigilant for these types of attacks.

Mark: And you must get this question all the time, Brandon. What do we do about this? Can I take darknet data off the darknet? Can I take my data?

Brandon: No.

Mark: You must get asked this all the time by your clients.

Brandon: All the time. Adding to what Erin said, I think enacting continuous monitoring of your executives on the dark web and integrating custom alerting into your SIEM to identify and respond to potential security threats, I think that’s awesome, which is why we bring that into our continuous threat exposure management modus operandi here at Ascent Solutions. We bring this all in together. And I think it’s important having sufficient processes in place to monitor for these specific things. DarkOwl enables a lot of that. And there’s a lot of science that goes after that when these things happen, which is why I’m just very grateful to have such an awesome SOC team that I’m a part of.

Mark: And we haven’t talked about this. Let me ask this question. How deep in an organization is it? Have you monitored for executive protection below the C-suite level, senior management as well, or do you tend to focus on just the C-suite?

Brandon: I think it depends on the organization and where they have determined their most critical business functions are. So, although this person is a mid-level part of the organization, this person is in charge of all this different industrial control system equipment here, and they have a public-facing presence that interfaces with the OT environment and the IoT environment. So yeah, that’s definitely a high-value individual. It depends on the organization, to answer your question, but yes.

Mark: Yeah, I was thinking about system administrators, for example. They’re not C-suite, but they’re very, very important people in an organization.

Erin: Yeah, I think it can depend on the role. Again, it depends on the organization, their size and their appetite for this kind of thing. But there are certain roles that you definitely need to kind of be aware of. But I think it’s also, to Brandon’s point, what public exposure those individuals have: the bigger footprint that they have out there, the more likely they are to become a target. So, you might be someone that has a really important role, but you’re very discreet and keep quite quiet and are not publicly listed on the website or anything like that. And that’s not to say you shouldn’t want to do the same for them, but it’s probably less risky.

Brandon: Correct.

Mark: I’ve never heard of a company like ours or yours doing this, Brandon, but you might want to do a social media audit of all the employees to see who has the most social media exposure. Because I mean…

Erin: There’s a direct correlation with that, right? Like, so Mark, you were talking earlier about how you get phished all the time. And I know other people in our company have received those phishing emails. I never get them. And my hypothesis is, because I’m not on LinkedIn. So, you know, you can make yourself less of a target by protecting your digital footprint in certain ways. I know anecdotally of a case going back to what you were saying of family members and like checking social media and things. They had an executive who was pretty careful and pretty secure, but their wife had uploaded a review that included locational information. So, you know, it’s what people put out there.

Mark: Yeah. I have seen CISOs, system administrators, and other cybersecurity professionals very active on social media, which is an interesting tension given their roles. We’ve talked a little bit about use cases, but if you guys could both finish with sort of – one of the most unique cases that you’ve seen using the tool, that’d be, I think it’d be informative for our listeners here.

Brandon: I think the one that we specifically talked about with the other company with the threat actor getting doxed, like that was the absolute most unique case that I’ve ever seen. You know, and that’s definitely in the Hall of Fame for as far as DarkOwl for the win moments for our company.

Erin: I’m trying to think. I don’t know that I can think of something that’s particularly unique. But I mean, we definitely see impersonations of executives on Telegram and other areas, threats being made, a lot of memes being used for that kind of activity. And then I just think that the doxing thing is such an interesting data set that we collect from. I’ve seen everything from executives to FBI agents having their information released. And once that information is out there, there’s very little that you can do about that, but you need to know that it’s out there. So having that monitoring capability to know what of your information is out there and how you can be vulnerable is important. But as I said, I think turning that back, the threat actors do this themselves to each other. And so, it’s very helpful. I mean, there are a lot of threat actors out there that are involved in things like swatting; they’ll swat executives’ and other famous people’s homes or schools or universities. And they make kind of a game out of that. But because they’re interacting with each other, they, you know, anger each other, and that causes their information to be doxed, which helps us as investigators to find out who is doing this. And as I said, that important part of motivation: I think some security people, they just wanna stop an incident, they just wanna stop data being stolen. But I think it’s always really important to look at that motivation piece as well.

Mark: And Brandon and Erin, do you see any trends and threats to executives that are sort of based on geopolitical events? Something happens geopolitically or politically here in the US, or something like this shooting, this tragic shooting of the UnitedHealthcare CEO. Do you see risks go up or chatter go up, or does it tend to be fairly flat-line throughout?

Brandon: From a geopolitical perspective, absolutely. We’ve got to go back in time for this one a bit. But when Russia was getting sanctioned a lot by a lot of different commercial vendors, that kind of set off a red flag for a lot of the Russian-based e-crime actors to start going after and specifically targeting these companies because of the Russia-Ukraine war. So that really prompted a lot of these folks to start going after them. So yeah, it really depends. It really depends on the situation, you know, and what the atmospherics are surrounding that situation as well.

Erin: Yeah, I mean, we’ve definitely seen, I think the most recent one off the top of my head that I can think of is the Israel-Hamas conflict. That definitely caused a lot of individuals that were Jewish to be targeted, and Palestinians to be targeted, so you definitely see those trends in relation to big geopolitical events, and I think that’s something that executives and organizations need to be aware of, as well as posturing around these types of events. I would say the main trend I’ve seen with the UnitedHealthcare incident was executives are more concerned; they’re taking more of a proactive approach to maybe looking at their footprint. And I think a lot of people were very surprised by the response to that from a lot of individuals on social media, on things like Telegram, where there wasn’t a lot of disgust at what the alleged assassin had done, and more concern about, you know, we don’t like these executives. There was one individual on social media who produced a deck of cards with different CEOs’ faces on them as targets. So there’s definitely that kind of rhetoric; whether that leads to actual threats or it’s just people talking, you know, it’s hard to say, and that’s again why that motivation point is important. But yeah, I think there are definitely trends and activities that happen that have an impact on all of this kind of thing.

Brandon: It’s never a dull day in the life of a threat intelligence manager in cybersecurity.
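The monitoring workflow Brandon and Erin describe above, a watchlist of the organization's email domain plus executive names and addresses, checked against newly collected posts, with hits pushed into a SIEM, can be sketched in code. The block below is an added example written for this transcript; it is not DarkOwl Vision or Ascent Solutions code and calls no DarkOwl API. The organization, the executive, the sample posts and the JSON event shape are all constructed for illustration; the de-obfuscation of `[at]`/`[dot]` forms and the "email:password" combo-list heuristic are assumptions about how leaked data commonly appears, not something the speakers state.

```python
import hashlib
import json
import re
from dataclasses import asdict, dataclass

# Constructed watchlist: hypothetical organization and executive, not real data.
WATCHLIST = {
    "org_domains": ["example-corp.com"],
    "executives": [
        {
            "name": "Jane Doe",
            "emails": ["jane.doe@example-corp.com", "jdoe.personal@example.net"],
        }
    ],
}

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}

# Only bracketed obfuscations are undone; a bare " at " / " dot " would mangle prose.
_AT = re.compile(r"\s*(?:\[at\]|\(at\)|\{at\})\s*", re.IGNORECASE)
_DOT = re.compile(r"\s*(?:\[dot\]|\(dot\)|\{dot\})\s*", re.IGNORECASE)
EMAIL_RE = re.compile(r"[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}")
# Assumed credential context: an "email:password" combo-list pair or a password keyword.
CRED_HINT = re.compile(r"@[a-z0-9.-]+\.[a-z]{2,}:\S{4,}|\bpass(?:word|wd)?\b|\bpwd\b", re.IGNORECASE)


def normalize(text: str) -> str:
    """Lower-case and undo common e-mail obfuscation so watchlist matching is exact."""
    return _DOT.sub(".", _AT.sub("@", text.lower()))


@dataclass(frozen=True)
class Alert:
    severity: str
    category: str
    indicator: str
    executive: str
    source: str
    dedup_key: str


def _key(category: str, indicator: str, text: str) -> str:
    """Stable key so a re-collected copy of the same post does not alert twice."""
    return hashlib.sha256(f"{category}|{indicator}|{text}".encode()).hexdigest()[:16]


def classify(post: dict) -> list:
    """Alerts one post raises against WATCHLIST. post = {"source": ..., "text": ...} (constructed shape)."""
    text = normalize(post["text"])
    found = set(EMAIL_RE.findall(text))
    cred_context = CRED_HINT.search(text) is not None
    alerts = []
    for ex in WATCHLIST["executives"]:
        hit_emails = [e for e in ex["emails"] if e.lower() in found]
        for email in hit_emails:
            cat, sev = ("credential_exposure", "high") if cred_context else ("executive_pii", "medium")
            alerts.append(Alert(sev, cat, email, ex["name"], post["source"], _key(cat, email, text)))
        name = ex["name"].lower()
        if not hit_emails and name in text:  # name-only mention, e.g. a dox
            alerts.append(Alert("medium", "executive_pii", ex["name"], ex["name"], post["source"],
                                _key("executive_pii", name, text)))
    for domain in WATCHLIST["org_domains"]:
        if domain.lower() in text:
            alerts.append(Alert("low", "org_mention", domain, "", post["source"],
                                _key("org_mention", domain, text)))
    alerts.sort(key=lambda a: (SEVERITY_RANK[a.severity], a.indicator))
    return alerts


def run(posts: list) -> list:
    """Classify every post, dropping alerts whose dedup key was already raised."""
    seen, out = set(), []
    for post in posts:
        for alert in classify(post):
            if alert.dedup_key not in seen:
                seen.add(alert.dedup_key)
                out.append(alert)
    return out


def to_siem_event(alert: Alert) -> str:
    """One JSON line per alert; an assumed ingest shape, not any vendor's format."""
    return json.dumps({"event_type": "dark_web_exposure", **asdict(alert)}, sort_keys=True)


# Constructed sample collection; post 2 is a re-collection of post 1 from another source.
SAMPLE_POSTS = [
    {"source": "forum-a", "text": "combo part3: jane[dot]doe[at]example-corp[dot]com:Summer2024!"},
    {"source": "telegram-b", "text": "Combo part3: jane[dot]doe[at]example-corp[dot]com:Summer2024!"},
    {"source": "forum-c", "text": "anyone selling access to example-corp.com? need vpn creds"},
    {"source": "paste-d", "text": "DOX: Jane Doe, CEO, home address and socials below"},
]

if __name__ == "__main__":
    for a in run(SAMPLE_POSTS):
        print(to_siem_event(a))
```

The dedup key is derived from category, indicator and normalized text rather than from the source, so the same combo-list line re-collected from a second channel (post 2) does not page anyone twice, while a fresh post naming the domain (post 3) still does. The severity field is what lets a SIEM route a credential pair to an analyst immediately and queue a bare mention for daily review; real collection would also carry the post URL and timestamp.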



[Webinar Transcription] Expose & Enrich Intelligence Related to Front Companies and their Influence Operators

February 13, 2025


In this webinar, analysts demonstrated how to investigate and pivot on front company infrastructure, using Falkor and DarkOwl dark web data, to analyze and enumerate possible front companies and their employees.

Highlights:

  • Adversaries of the West are using front companies to obfuscate/hide their malign activities against the West
  • Sanctions and notable indictments from recent months
  • Enriching information using both Falkor and DarkOwl platforms
  • Investigating personnel, infrastructure, and other evidence linked to front companies

NOTE: Some content has been edited for length and clarity.


Ari: It’s a pleasure to be here with you. My name is Ari. I am an OSINT analyst here at Falkor responsible for integrating various tools like DarkOwl into Falkor, also general sales engineering, training, handling any sort of client affairs that come up. You also may know me due to my blog, memeticwarfare, where I write about influence operations and investigating them, and a number of other ventures that I happen to be involved in. I’m very happy to be here with you today alongside Steph, and we’ll let her introduce herself shortly as we show how you can utilize dark web and deep web data from DarkOwl in Falkor to investigate, in my opinion, very interesting Russian influence activity globally to uncover new front organizations from a few data points.

Steph, you wanna introduce yourself?

Steph: Absolutely, yeah. I second that this is going to be really interesting. I’m so excited to dive into it. So, hey everyone, I’m Steph Shample. I work here at DarkOwl. I used DarkOwl’s data before I became an employee, so I’ve got tool perspectives, very similar to Ari. I think once you’re an analyst, you just can’t get out of being pulled into everything. So, I also help with client training, use cases for how you might employ DarkOwl intelligence in your other day-to-day operations or your separate intelligence operations. And we’re going to get more into our company specifics as well. So, Ari, back to you.

Ari: So, Falkor is an interesting product. In my opinion, it’s kind of leading the next generation of what analysts are going to be using going forward. It’s an API-forward analyst operating system, where in addition to carrying out all of your link analysis, data visualization, querying of various tools and so on, you can connect all of your internal data sets, be they files, databases, any other REST APIs you happen to have, all into one place. And then, of course, you can connect OSINT sources like DarkOwl or whatever else you happen to have into Falkor to utilize all of it simultaneously and seamlessly.

There’s also, of course, a full collaboration suite, task management, case management, all those additional add-ons that you need to run a case effectively. We have built-in AI capabilities, including an analyst investigative chatbot, digital profiling, real-time monitoring, and much, much more in what I may say is probably the most aesthetically pleasing dark-mode-first analyst platform out there, which anybody here who works in this space knows just how important that is. I’ll let Steph introduce DarkOwl.

Steph: Yeah, thanks. I’ll take it for DarkOwl. So, we’ve been around for about 12 or 13 years, DarkOwl. We are the world’s leading provider in Darkint intelligence. We cover, of course, the dark and deep web. We also cover what we consider dark web adjacent platforms, that is places like Telegram channels, Discord servers, and, of course, IRC chat. We consider them dark web adjacent because, as you’re gonna see now, especially since Telegram has entered the fold and become more popular in geopolitical events, influence operations, and cybersecurity, it’s also cross-referencing, and actors are using both their onion platforms, their markets, their forums, to advertise on Telegram and vice versa, thus maximizing the potential for financial return or notoriety in their operations.

So, the image that’s on your screen here: of course we cover Tor, that’s the browser that you would download and use to access the dark web. We also have I2P and ZeroNet. We are definitely on discussion boards as more people share tactics, techniques and procedures, or TTPs; underground criminal forums and markets, which we’ve touched on, are pretty self-explanatory. And then of course those chat platforms that I’ve referenced, how they go back and forth.

Ari, real quick. Do you want me to go into the dark web and how it works now? Or do you want to save that?

Ari: No, absolutely. Absolutely. Let’s lay the foundation for sure.

Steph: Let’s lay it. I like it. So, Ari and I did want to be very clear, you know, for those who aren’t in this space, what is the dark web? What is the deep web? Everyone’s got their own definition. You’ll see all kinds of chatter and people contributing to that conversation. But let’s just keep it very simple. So, the surface web, you download a browser, right? Your choice, Chrome, Firefox, Brave, whatever that is. Very easy. Everything that you’re accessing, if you’re searching on there for recipes or how to, you know, sew or whatever that looks like, it’s attributable. You can find that information, several clicks, couple buttons, you’re good to go. It’s attributable, right? Every IP address and every website is mapped. They relate to one another. All activity is generally able to be observed. Where is this website hosted? Is it a Google domain, an Amazon domain or something else?

Whereas the dark web is meant and was built to be obfuscated. It is built to be more anonymous. It has more privacy features. So, you need special equipment to download it. When you access a .onion URL, you cannot put that .onion URL into, say, Google or any kind of other browser. You’ve got to put it in Tor, or there are a couple of other browsers. Some people work with Tails as well. It is not indexed, so you really can’t search a lot on the dark web for recipes or any kind of thing. You have to know what you’re looking for and where that type of material is hosted. So, if you need something, say, if you had a ransomware incident, if you’re in this space, you’ve got to know how to access the ransomware blogs where they host them. If there’s an initial access broker that’s selling access to your company on the dark web, you’ve got to know maybe their name, how to get ahold of them, what market or forum they operate on. And again, it’s built for privacy, right? It is not going to easily give up information such as locations or IP addresses. In Tor, you have three of them: you have a beginning IP address, a middle and an end, and they change approximately every 10 minutes. It’s meant to be obfuscated. It is designed to be anonymous. So that’s our high level. What is the dark web? How do we access it? What are we doing? We welcome further questions on that if you’d like to put it in the chat or contact either one of us. No problem.

All right, Ari I’ll kick it back to you unless you have a question.

Ari: No, no, there’s just so much more to go with this stuff. I’ll just say, again, if everyone wants to know about how dark web URL resolution works, let us know later. But yeah, but alongside the dark web data, I think the most important thing that we’re going to bring up is the use of that in conjunction with deep web data, Telegram in particular, but also other sources as well as they come up, right? And that’s, I think in my opinion, the real added value of what tools like DarkOwl and other tools that provide similar data sources do, that you can really have essentially all three layers in one setup.

So, with no further ado, let’s discuss the case that we’re going to be looking at today. The case that we’re going to be looking at today is the Center for Geopolitical Expertise. Now, you may have heard of this. They were sanctioned, I believe, about two months ago, maybe a bit less by the US Treasury Department. Here’s the statement. If you want, you can see that over here.

And we have the Moscow-based CGE, or Center for Geopolitical Expertise, founded by the OFAC-designated Alexander Dugin, whom we’ll discuss briefly perhaps later on. And then, of course, the main person running the whole operation, Valery Mikhaylovich Korovin, and other relevant CGE personnel. So, we’re going to see how we can essentially investigate this organization, the CGE. By the way, as a side note, Russian front organizations love utilizing terms like geopolitical, whatever, and expertise and that sort of stuff, just a cultural thing they happen to really enjoy doing, and you’ll see that repeat itself in this space quite a bit. We’ll see what we can essentially find out on this given organization, utilizing deep and dark web data, and then how we can expand upon that to find other signs of new front organizations and just better understand their general activity. So, we’ll cover not only dark web data, but also some investigative tips that you can utilize when investigating front activity on your own, and then we’ll conclude with a Q&A.

So, the most recent case that we have of the CGE was apparently, or allegedly I should say, though it’s becoming increasingly well-founded in terms of the research, right, organized election interference inside of the ongoing election interference, I would say, inside of the current German elections. They’ve also been quite active in Ukraine. They’ve run probably the single most successful operation inside of the US, called CopyCop, that was published by Recorded Future. Great report, highly recommend that you read it. And they utilize locals and other individuals to set up these AI-generated domains, targeting whichever election or given country they happen to be targeting.

Here we have an example from NewsGuard over here of a number of German-language domains used to target Germans.

Now there hasn’t been much coverage of Korovin individually beyond the Gnida project. By the way, a great Substack that I recommend that you follow. If you’re interested in tracking Russian influence operations internationally, they do a lot of great stuff. They’ve been the only ones to publish anything in depth on Korovin individually. There have been a few mentions here and there, but nothing really in depth. So, let’s see what else we can find on them. There we go. So, just to recap where we are so far and how we’re going to start our investigation, which by the way, I find to be often one of the most difficult places for analysts, especially new analysts, you know, to get it right when they get going, is where to even begin with looking into such sprawling types of activity.

We have the sanctions announced on this given group, and there has been past reporting on them from other individuals as well. And we have the number one person of interest, or POI, Valery Korovin, and of course information on him published by the U.S. Department of the Treasury, including the Russian tax ID over here, which is like their social security number, date of birth, general area, and of course, the registration information of the CGE as well. I built a very humble little graph over here in Falkor’s link analysis, showing you essentially how these things work, how Korovin over here is essentially an agent of the GRU, right, he’s their liaison for the actual activity that the GRU, which is Russian military intelligence, wants to carry out internationally. We have the Rewards for Justice announcement from the US government over here, his affiliation with American John Mark Dougan, another activity, the Eurasia Organization, and other key individuals that we’ll get into in a little bit.

Just a quick word about Dugin if you haven’t heard of him. Dugin is the founder of the CGE and is a fascinating figure who we could dedicate multiple sessions to just for himself. But in short, he is a Russian far-right political polemicist with a very unique political philosophy of how the world works and how things should be, at the very least, founded on multi-polarism, meaning the world not being unipolar centered around the United States, and essentially Russian borderline fascism, if not fascism itself in many ways. So he’s a sanctioned individual known for his very, very, very extreme views. Now, thanks to Gnida, we also know about Natalia Makeeva, who is the senior official at the CGE and is the right hand of Korovin, but we can also find out more about her independently as part of our investigation. We don’t need a project just for that. So now we’re going to see how we can take these individuals and the basic data points that we have here, identify entities for investigation, further identify new relevant entities, and then keep going. Now one thing I do want to bring up, and Steph, do you want to enrich further or expound upon this, is the Russian dark web ecosystem in general, which is incredibly rich. So, if you have any words you want to add to that, I think that’d be helpful.

Steph: I’m fully in agreement with you, you know, the Russians are, of course, not the only actors, APT or cybercrime, focused on the dark web. But I would say they are the most frequent. They know what they’re doing. They’ve been using the dark web in their operations probably longer than any of our other adversaries. You will see Iran, China, Belarus and pick a country; if their actors are on the dark web, you know, they are using it, but Russia is the most frequent and uses it in a variety of ways, right? From ransomware to cyber-crime, to info ops, to all kinds of influence operations, Russians are all over the dark web. We have learned the most from them. Ari, so that’s a great point.

Ari: Absolutely, and the most important point for us is that that cuts both ways, right? So there are tons of data leaks on Russia, tons. I mean, perhaps the single most leaked country I’ve ever seen, in terms of sheer number of leaks and data available, and that’s how we’re going to utilize this information to keep investigating. So just from doing a name search on Korovin in Falkor with his full name, which we got from the sanctions, we get a large number of interconnected results over here. And by the way, as an aside, if you’re interested in seeing the full investigation with other information from DarkOwl and Falkor, feel free to contact us separately. We’d be happy to schedule a demo to show you more of the in-depth information on this individual case.

Just from looking up his name, we find all these various interconnected data points. We find, from leaks of data available on the dark web, a Facebook profile with a UID, a leaked Telegram account, leaked Gmail entities appearing in a dark web post over here, and multiple other entities belonging to this individual.

Now, I see we’re getting questions in the chat, so I’m not going to refer to that now, but we’ll save that for the end. But if you do have any questions, feel free to send.

So, one thing I do want to bring up also is that one of the results that we get here is that Korovin has an additional email at the Eurasia organization, which we mentioned over here, which is another organization tied to Dugin. Okay, so that also came up in the results. Now if we look up the Eurasia.org organization, which is by the way another Russian instrument of influence headed by Dugin and active globally, looking at WHOIS records, here we have from WhoXY, which is a great free tool, which is a side note by the way, highly recommend it, if you need a free tool for that, or of course the full suite of domain intelligence available in Falkor. We can see that in fact the person who registered Eurasia.org was Makeeva@Eurasia.org, Natalia Makeeva, the woman mentioned earlier, and she also registered the CGE domain over here as we can see as well. So, she’s a pretty central individual then, having registered the domain for CGE. And then we can also see over here a very broad overview of the leak data available from the deep web on the actual Eurasia domain. So going back to that, just by querying essentially the domain itself in Falkor, we also have Korovin’s individual email address over here. But here we have the full swath of results. I’m sorry, I try to fit a lot in on this slide.

I know we only have so much real estate over here. But you can see the sheer wealth of data that we have on the actual domain, which is somewhere over here in the middle, right, including the large number of actual individual posts in which the domain is mentioned, but also more interestingly, perhaps, a leak total of 360 email addresses in leaked records originating from the domain. Of which, we have 28 unique ones. So, Steph, let me know if you have anything you want to add to that on the dark web, on DarkOwl’s data enrichment features over here in terms of profiling.

Steph: Absolutely, we are a niche DarkOwl intelligence, but one of the tools that we have to get extremely granular is this bottom right image that Ari has been highlighting. So, when Ari and I were going back and forth saying, you know, what can we do? We want to talk about front companies, but it’s intimidating, it’s overwhelming to get started. There’s a lot to follow, there’s a lot of threads to pull, there’s a lot of misdirection that can happen. But when Ari gave the domains of some of the proven front companies, and we definitely source those from indictments and Treasury, as we’ve mentioned, you can put any top-level domain into our tool, and of course in Falkor now that’s also using it, and get a pullback of, okay, here are the amounts of emails exposed, that’s that 360 number. There are 28 unique ones, because of course there’s going to be repeat breaches, accounts in certain pieces of information with the same password or exposed in the same place. So, it’s just really important to help flesh out your top-level domain research, get the patterns. You know, what password does this individual use? Is it constantly exposed on the clear web, on social media, on the dark web? So it’s a really cool feature to kind of build this out and we use it heavily in our investigation.

Ari: Absolutely, then you can get it all visualized for you nicely inside of Falkor, giving you the clustering over here of what’s actually important. You can filter, of course, by degrees and so on and move on from there. But the point that I think you’re going to remember is that every one of these data points is essentially another pivot point that we can use as part of our investigation. So as we can see that certain clusters of activity here are more central, right, or more active in terms of relations to other entities, we can then take Falkor’s, say, integrations with email and phone number lookup tools or people investigation tools, or social media enrichment, and then enrich those further to further investigate the given domain. Now the next thing to keep in mind, and this is especially relevant when investigating organizations of any kind, be they companies or front companies or whatever it happens to be, the leaks don’t lie at the end of the day, right?

Firstly, having no leaks is suspicious because almost every organization has an employee who utilizes some given company data point to register for some service. It’s rare to not have that happen at all. And then when they inevitably do, as we can see here, we can see who’s more active with their company email or other company assets online to find other relevant data points really easily. We have here, we have a number of individuals, including Makeeva, who was the single most popular leaker in terms of using her email address, which also hints to us that she’s probably a pretty active individual in the given organization. So, we can use DarkOwl data for investigations, right, for pivoting, but we can also utilize it to qualitatively understand and analyze what actually occurs with this given organization.

So, we can see here that Korovin’s email address appears in a dark web post taken from an onion site that we can see over here as well, which was actually a leaked copy of the internal information policy of the Lugansk People’s Republic. So, you know, occasionally you’ll see there’s some news article about a list of leaked data, you know, exposes this or leaked, you know, government reports say that, et cetera. One of the places you can easily find that data is in fact on DarkOwl because, as Steph would say, you guys are constantly indexing all of the available posted and leaked data online. And here we can see, in fact, that Korovin and Eurasia are mentioned as key bodies for promoting Russian interests in the Lugansk People’s Republic, which is one of the breakaway regions of Eastern Ukraine, currently being fought over in the war. So, it has an official role in, say, promoting Russian interests there as well, which was not publicly available data previously. Now, we can also then look at Korovin’s Twitter account, which is easily found publicly, but also easily found via breach web data. And then inside of Falkor’s social media enrichment, we can bring back followers, posts and more. So, we can see that his followers globally, of course, make sense, roughly what we would expect, mostly in Europe and Eastern Europe and, of course, Western Russia, some in the Middle East and other parts of Asia, Latin America, Africa, and the US a little bit. And we can use all these also for further investigation, especially when it comes to finding new organizations globally that might be following him that could be potentially related. And then we can also utilize the Falkor link analysis to better understand clusters. We have Korovin over here; that’s the original account over here. Then here we have one other account that he shares a large number of followers with.

And this is of course, who else but Natalia Makeeva. So even without the Gnida project telling us earlier that she’s a key individual and providing the receipts, as we say, which we’ll see shortly, we can also find out, of course, ourselves utilizing open source investigation. Now, if we begin to look her up by looking up her email address also in DarkOwl, we get another kind of dark web data that we can utilize quite effectively, which are actually leaked emails between Makeeva and an individual affiliated with the pro-Russia and Novorossiya movement based also in, of course, Donbass, the eastern part of Ukraine that’s being fought over in the war. We can see here in these individual emails, which I translated into English, they were of course sent originally in Russian, that they were coordinating sending over propaganda material from Dugin, of course, into that area. Now, one of the other things that DarkOwl does that Steph might want to explain briefly is tokenizing entities, and then I’ll describe how we do that in Falkor.

Steph: Absolutely. You can see in the bottom left image; we have that highlight once Ari shared the names of the individuals that we wanted to focus on for this investigation. I just ran that through our tool, and we highlight our results. We want to make it easier for our analysts, make it visually appealing. So Makeeva, we see her domain confirmed, she’s sending emails back and forth, so there’s a couple of things. We’re going to pull out that email address so that you can further pivot on that, build off of it, find passwords, find anything that you might want to find. We got very lucky in this instance that we had contacts for these emails. So then you can also, when need be, pivot to Gubarev at NovoRussia, you can take a look at NovoRussia’s top level domain, what’s exposed, what’s out there. You can try and see if that resolves to any IP address based on what, you know, Russia, how they’re setting up their operations. So, you have a whole bunch of different pivots and different pieces of analysis to add to just Natalia Makeeva and her email address, we built out a whole other graph that is evidenced in Ari’s image on the bottom, phone numbers, contacts, patterns of life, patterns of contact, and other people she’s working with. So yes, we pull that all out in DarkOwl for pivots.

Ari: Exactly. And then we can just easily right-click on that document in Falkor to extract those tokens into entities for further investigation automatically. So, if you have this email address, instead of needing to copy and paste each individual email address or phone number or username or whatever it happens to be, you just right-click, you have it, and then you can right-click and further enrich and investigate effectively. So just to recap where we are so far, we had the original CGE organization. By looking into it, we found the Eurasia group organization also, unsurprisingly affiliated with this group. And now we see pretty close ties between the leader of the Novorossiya community over here and of course, Natalia Makeeva, indicating there might be other ties as well that we could investigate. Beyond the original organization, there’s also evidence from, of course, Gnida as well, that Korovin and Makeeva, who we can see here, this is Korovin, and this is Natalia Makeeva, are active globally beyond Eastern Europe and Russia, involved in setting up the Fundación Fidel Castro para el Desarrollo de las Relaciones Ruso-Cubanas, the Fidel Castro Foundation for Promoting Russian-Cuban Relations, which they utilize essentially to promote Russian interests in Latin America and the Spanish-speaking world. And here we can then utilize Telegram. So, Steph, I’ll let you then describe perhaps how DarkOwl handles Telegram and Discord and other deep web sources before I describe what we’re seeing here.

Steph: Of course, no problem. So, once again, we kind of went on the name of Valery Korovin, I wanted to do a search. We know that Russians are also avid users of Telegram. We saw that activity really increase where they were sharing battle plans, pictures, strategy on Telegram after Russia invaded Ukraine. But we also saw that pop up when the Afghan government fell in 2021 in the summer. So just to let you know that Telegram is all over. We pull everything down from a Telegram channel. So, we’re going to get the metadata, we’re going to get the channel ID, because, you know, for right now, the title of this is called Amigos de Evesiones Fides. Tomorrow, that could be literally anything else. But if you have the Telegram number, the actual channel number, you can continuously track that no matter how many name changes there are. The same is true for those usernames. So, we pull that all down. We have the metadata for your investigation to share with your clients if you’re sharing intel with someone else. And then, of course, after we have Valery Korovin, one name, now we have a whole spate of other identifiers that we can pivot on. So, we’ve got a Facebook group for this group as well as Twitter. We’ve got, of course, their Telegram. We’ve got a Yahoo address. So, it’s just a lot more information that we added. And it’s the same for Discord. We pull down server IDs, we make sure that we have the information that’s never going to change, even if a user handle or the title of a server or room does change.

Ari: Absolutely. And then we can start the actual hard work of investigating, right? At the end of the day, there are very few shortcuts in life. We’ve been lucky so far with these lead emails and other things that we come across. But sometimes you gotta, you know, put the elbow grease in there and really just look at all these various entities that come through, and you can do that easily in Falkor by enriching them to bring back information on the domains, on the social media profiles and more to see if they are in fact front organizations or have any other types of relations to the actual individual that you’re looking at or not. We have other sources across Telegram as well from parts of Latin America and even Italy and other global organizations that are promoting Korovin and these front organizations that we can then look into further also. Now we’re going to conclude the investigative portion of this with one final tip that I would like to bring up. The Gnida project brought this up as well, but anybody could figure this out, that the Fidel Castro Foundation is registered at the same physical address as a few other interesting groups. Firstly, we have the Russian House of International Scientific and Technical Cooperation. I haven’t looked into it myself yet, but who knows? It wouldn’t be the first time they’ve utilized scientific cooperation as a front for other sorts of activity. Eurasia itself is also based in that same building over here. The Russian influence outlet Geopolitika RU, which is very well known for anybody active in the space, you should recognize that immediately, is also of course registered and based out of the same, comparatively small building in Moscow. You can look it up in Google Maps, it’s not very big. It doesn’t make sense that it’d be hosting so many large organizations.
And the lesson to keep in mind here, even though the CGE is registered, by the way, at a different address, is that threat actors always reuse, for a variety of reasons, right? Sometimes they, you know, can’t afford to rent two different places; they want to rent, they want to buy domains, they want to get new office space, wherever it happens to be, but they don’t, and they do utilize the same thing over and over again. So, whether it’s digital or physical infrastructure, if it’s being reused you can use that very effectively to find potential signs of a given organization being a front or otherwise uncover hidden ties, right?

Now you have to be careful about that as well, of course. If it’s a large office building it could be feasible that they’re all based in the same building, right? But you can check it out on Google Maps quite easily, see whether or not it makes sense that you have multiple large organizations in a given, you know, three-story building, right, let’s say, and then from there make your own decisions. And then we’ll conclude also over here with the Falkor geo search, which has the ability to search this area for social media data, other data points as well, and even connect other tools to search if you have other geo-relevant data points too. So, on that note, let’s conclude, and I’ll let Steph also, if you have anything you want to add, let me know too, feel free to barge in here. Dark web data is critical for investigations of all kinds, right? Beyond just looking up leaked data, leaked creds, threat actor chat, and that sort of thing, we can utilize it for things like profiling, finding leaked geopolitical data of any sort of interest, right? Government data, that sort of thing, and we can utilize that leaked data to expose ties to additional organizations very easily. This is often like the shortcut that I mentioned earlier that we don’t often have, essentially, right? The leak data giving you that actual connecting point is what you can often utilize effectively. But there are other data points that we can utilize as well that we can find, right? Shared physical addresses, reutilizing digital infrastructure and more are critical. And deep web data really can’t, in my opinion shouldn’t, be ignored for investigations of any kind, let alone influence operations investigations as well as looking into front groups. And we can utilize them to find, with a low amount of investment, let’s say, or time invested in this, international activity very, very easily. So, Steph, if you want to add to that, let me know.

And if not, we think we can move on to Q&A.

Steph: Love to, just to repeat, front organizations are tricky. They’re a little difficult to follow, to get started, to know where to work with. But look, Ari and I started with one organization, one top-level domain, two human beings. We then got their selectors on social media, on the dark web. We found two other organizations, we had a global investigation, but we had to pivot, we had to turn around, we hit some dead ends. When we were first talking about this webinar, we were gonna maybe focus on Iran or a different kind, but Ari did an excellent job of saying, no, let’s do this, this is good, and then really made something that’s intimidating and a little difficult and complicated, simple, seamless, and you can see all the information we ended up with after starting with just three entities, an organization and two humans. So, Ari, hats off to you. Thank you for demonstrating how we can use deep web and Telegram and Discord data. It’s absolutely amazing. And I look forward to reading what you do in the future, because it’s awesome.

Ari: Thanks. And there’s a lot more, by the way. So, if anyone wants to see more, feel free to contact us separately, like I said. All right, the final step that I would do here for a Falkor plug before we go under the Q&A is the monitoring dashboard. And this is also, of course, relevant for DarkOwl as well. Falkor is a full monitoring suite available, so you can set up dark web data over here to be monitored, right? Set up your keywords, your Boolean queries and strings, whatever you happen to have; you can set those up over here. I set one up for mentions of Eurasian.org and other mentions as well, and then you’re going to get a live feed of new onion data, Discord data, Telegram data and more coming in, relevant for that sort of data also here as well. We also of course have a full alert mechanism set up through some of the keywords or things you want to be triggering rules for and that sort of thing, we can do that. And we also of course support social media. So, if you want to say follow Korovin’s Twitter account or follow any other individuals’ Twitter account for your investigations, you can do that also as well. And lastly, we also support RSS feeds. So, if you want to say track the OPAC RSS feed or any other RSS feed that you happen to have, no problem, you can throw it all in here and track all of those things in one pane of glass.

Steph: Super, super kudos to Falkor. There are so many tools out there and everything is very disparate, right? We’ve got RSS feeds and Slack and all of this, but what you guys have is a dashboard where you can truly have everything in one place, and that’s essential as an analyst. We’ve got enough information to deal with, so it’s an amazing, amazing product.

Ari: I’ll send that over to the development team. We’re very happy to hear that. I think we have some time then for Q&A.

Kathy: Yes, we do, and we’ve had some questions come in. The first one is in reference to Telegram, have we got any possibilities to follow a target if a Telegram account is closed and not open?

Steph: Yeah, we absolutely do. So, you know, you can build infrastructure to try and ask for permission to enter. You can run different personas or try to get people that work in your organization into a closed or private Telegram. There are a lot of different ways to do that. Strike up a common conversation, strike up investigations, and just kind of see how you can break that door down based on observing other activities surrounding it and knowing what the types of discussion are that’s happening inside those Telegram channels. It’s not a perfect science, you might get denied, but you can get into closed ones if you play your cards right. Yes. Or anything to add to that on your end?

Ari: No, I mean, that’s that, listen, that’s, you know, like I said, sometimes there aren’t any shortcuts and you gotta just, you know, do the cold approach and hope it works out, right?

Kathy: Okay, well, staying on the topic of Telegram, when considering Telegram provides encryption and privacy features, why do threat actors still choose to communicate there instead of using more anonymous platforms like I2P, TOX, or peer-to-peer encrypted channels?

Steph: Yeah, absolutely. So, we see actors talk, I mean, I’ve been all over the web, right? I’ve been in this game for a lot of years. I’m very old and I’ve seen a lot of trends. So actors are openly stating that Telegram is safer. It is a Russia-based tool, right? It was developed by a Russian. And so, they feel that in lieu of the dark web where they have openly identified, they feel that federal agents and law enforcement’s working to try to take down criminal operations, criminal infrastructure, actors still feel that the majority of the safest tools are things like Telegram and TOX. They are definitely active on TOX. They have moved away as ransomware groups fall, as markets are shut down, think Silk Road, think Alphabet. As all of those go away, they move to what they feel is safer. I do think that probably in the next two to four years here, we’re gonna see a migration away from Telegram because you know how that goes. Once things get very popular and are used frequently, pivots for investigations change. They probably will feel that law enforcement will move there, but we see that all the time first, you know, with cryptocurrency, for instance, Bitcoin was viewed as very safe. Now they’re saying Bitcoin is a tool of the United States, you know, intelligence agencies and federal investigations is their words and chats. So, they’re moving to Zcash, Litecoin, etc, etc. They openly espouse what they feel is safe versus what isn’t. And it’s our job as investigators to follow that. So that’s probably why, that’s definitely why they’re saying what they’re saying.

Ari: I have some points that I’d like to add to that. So, there are a few things to keep in mind because the much vaunted, let’s say, encryption of Telegram really isn’t quite as good or as quality as people say. We can get into it; it’s a whole separate thing. It’s not end-to-end encrypted by default, which is what really matters for the average user. The reason people use it, in my opinion, is that it’s a really effective town square. You wanna sell your cyber crime services online or make sure your leaks get, you know, spread and amplified and that sort of thing. It’s an amazing place to be active and the barrier to entry is super low. You don’t need a computer. If you are a threat actor within a country that doesn’t have, you know, that in which GDP is low and you want to start scamming, you don’t have a hundred bucks in your pocket, you can do that, for example, right? It’s instead of buying a computer and downloading Tor and having a reliable, indirect connection and doing that sort of thing. Telegram is much more accessible. You can buy a burner phone, remove the camera, microphone yourself if you’re that concerned and kind of get to work. And then like you said also, Steph, regarding TOX, move to TOX, move to any sort of end-to-end encrypted solution that’s a bit more secure for actual communications, which is a very common trend also as well. So, there’s this town square market element of it that I think is incredibly appealing. And then it also has other features that make it appealing to threat actors as well. In fact, that it’s easy to use. In fact, there’s other content on there that’s also interesting. The built-in messaging experience is really seamless. There’s a lot of other reasons to use it also as well. And I think it’s a fascinating platform, but those who know me know I also have a bias.

Steph: Great points.

Kathy: Great. Thank you. We’ve had another question about whether leaks in the darknet are too old to use with efficiency?

Steph: Absolutely not. So human beings are creatures of pattern. They reuse passwords. They reuse their data. They can’t keep track of it. We do not have enough people. Think of your coworkers. Think of maybe older family members or something, they’re not using password keepers, like 1Password, KeePass, et cetera, et cetera. They reuse something because it’s easy. So, if something is exposed and always out there, it’s very easy to keep reusing. We have had actors who have not changed their passwords since 2010, 2011. Not all of them. Some of them do have better opsec and cybersecurity, but it’s very, very simple to glom onto one password or one account or a handle or a username that an actor uses and then keeps going with minimal changes throughout the years. It’s foolish, but they do it. So no, data that’s old is not too old to use no matter where it’s from. There’s always a potential. Anything on your end for that, Ari?

Ari: No, that’s a great explanation. I mean, it depends also on your usage, right? I mean, if you’re just trying to protect, you know, if you want like those, you have some leaked employee password from nine years ago, it’s probably not as bad as, say, something from last year. But, you know, for investigation purposes, it’s still quite useful for pivoting. I don’t know that in terms of other stuff. So, it depends on what you’re doing, but yeah, I completely agree with you.

Kathy: We have one more question that came in. How else can dark and deep web data be used for investigations or attribution of influence operations?

Ari: And this is, I think, a really interesting topic because people love to talk about attributing influence cyber operations online effectively and the leaked data is one of the most effective ways to do so, like by far. Looking at past Twitter scrapes and Facebook leaks and that sort of thing, people manipulate the APIs, these platforms, and then post all this account information online. There have been cases where known influence operation accounts and entities have had their personal information exposed, be that say the registration IP or their last used IP or their password or that sort of thing, that you can utilize to very effectively either further investigate or even kind of on the spot, determine whether or not it’s an authentic account or not. So that’s one of the biggest things that I’d say that we see. And there have also been multiple cases of influence operators themselves experiencing leaks, right? So recently the SDA, the company behind Doppelganger, had a lot of data leaked on them, hasn’t really made it much onto the dark web for a variety of reasons, right? But essentially the data is still leaked and available to certain other individuals. And that’s another way that we can expose other actual operators themselves as we saw in this investigation. So, the leak data is in many cases the only way to investigate and attribute this activity, not a nice to have. Is there anything you want to add to that?

Steph: Yeah, and as far as just other data on the dark web, people, criminals, actors, they do feel that the dark web with its flaws and its security issues is still one of the safest places online. So, they’re still very open, they’re still very transparent. They might be cautious at first, but as they carry on more operations and build bigger networks and build a name for themselves, selling data, infiltrating companies, getting infrastructure, they open up more, right? The dark web is full mostly of criminals. They have an ego. They want to talk about who they got into. They want to build themselves up. And so, every piece of information, despite what you’re looking for, what you might be working, ransomware, info ops, DDoS planning, you know, anything. There’s always a piece of intel on there. It’s just that you have to look harder to find it. But as Ari and I have mentioned, schedule a demo with us. We’d like to take you deep. We also want to show you how you can enrich open source OSINT or social media information with dark web intelligence. It works really well to enrich too. So, there’s a bunch of different lines of investigation and tactics and we’d love to go deeper with you on that.

Kathy: Great. We do have a couple of minutes, and we had one more question come in. In other countries, considering that credit card details are frequently leaked on the darknet – does DarkOwl provide access to full credit card data to licensed companies or is the data redacted for compliance and ethical reasons? Additionally, how does DarkOwl ensure that security teams using its platform do not misuse such sensitive financial information?

Steph: Let me answer that in two parts. So, we do indeed have full credit card details. Listen, at DarkOwl we are GDPR compliant, we are DOJ compliant, we do not purchase stolen data. That data is out there openly available, whether it’s a forum where it’s sold or whether it’s a pay site where it’s hosted. It is open information that anybody who downloads the tools and knows how to access can. So, we do have that. As far as part two, we indeed have checks and balances. My CTO is always eager to jump on the phone and explain. I’m not going to get into those checks and balances here. Please do schedule a call with us, but we absolutely ensure that there is no misuse of sensitive information, whether that’s financial, PII, PHI, HIPAA, or protected. We absolutely have a way to get around that, and I invite you to please get with us and we will explain that further in depth on the call, for sure.

Ari: The one thing I would add on top of that is in fact that there’s a full auditing capability, right? So, inside of the actual system admin users can go and audit all the actions taken by other users in the system to see that they’re utilizing all the data and sources they have appropriately and ethically.


[Webinar Transcription] Dark Web Influence on the 2024 US Presidential Election

October 25, 2024


In this webinar, DarkOwl analysts explore the disinformation landscape on the dark web in the context of the upcoming U.S. presidential election. What emerges is a complex, multifaceted online space characterized by a variety of actors, ranging from nation states to American citizens and U.S.-based conspiratorial political movements. All of the above play key roles in both creating and amplifying mis- and disinformation which has seeped from the deep and dark web onto the surface web, and vice versa. As a number of prominent social media platforms maintain policies of limited disinformation regulation, false narratives previously concentrated on the dark web and alternative social media platforms have become mainstream, thereby gaining traction and reaching greater audiences. Combined, these factors reflect a complex environment in the lead up to the election and highlight the importance of identifying and combatting mis- and disinformation.

Make sure to check out our full report on this topic.

NOTE: Some content has been edited for length and clarity.


Erin: We’re excited to kind of talk about this topic. I’m Erin, I’m the Director of Collections and Intelligence at DarkOwl, and I’m joined by my colleague Bianca who works on all of our investigations and services and has been digging into this topic quite a bit. So obviously, it’s November next week, which I find insane. And we’re just about two weeks out from the election. And there’s a lot of things going on out there on mainstream media, obviously. But we wanted to take a deep dive and see what we’re seeing from our side of things on the dark web. So, with that being said, I think we can dive right in and Bianca, I guess the first question would be:

Bianca: Well, during this election period, as with previous elections and recent years, particularly since 2016, we’re seeing disinformation narratives gaining pretty significant traction. And disinformation, as we know, can play quite a significant role in influencing voters. And many of these false narratives that we’re seeing are originating on the dark web and dark web adjacent spaces, especially Telegram. And so, because of that, in order to get a comprehensive picture of the online disinformation landscape and the role it can play influencing voters, it really is vital to examine the role that the dark web plays in spreading that disinformation.

I think you can basically broadly divide the main groups into two categories. And I’d say that the first one is nation states and then you also have domestic actors. So, starting off with the nation states, two of the main actors we’re seeing are Russia and Iran. Russia of course has a history of leading influence operations against the US as we’ve seen since 2016. Russia’s strategy this year though, it’s worth noting, does seem quite different compared to previous years. Most notably, they really seem to be taking advantage of domestically produced conspiracy theories more and more really this year, as opposed to, as we’ve seen previously from them – creating their own false narratives and then sharing and disseminating those narratives. And I think that shift in tactics is a reflection of the domestic disinformation landscape that we’re seeing right now, where you have these absurd conspiracy theories entering the mainstream and then being viewed by millions of people online. So really, nation states like Russia that are leading these foreign influence operations are recognizing that that’s unfortunately something they can take advantage of these domestically produced conspiracy theories.

Other than Russia, moving on with these nation-state actors, we are of course seeing Iran emerging as a key player right now in election influence operations. In the lead-up to November 5th, Iran has already carried out cyber-attacks against election campaigns with the DOJ – just recently announcing the indictment of, I believe, three Iranian hackers for targeting former President Donald Trump’s campaign. Importantly though, Iran is also actively sharing content that, like Russia’s, is aimed at sowing discord in the US. And that’s something we’ve seen from Russia, of course, since 2016, increasingly. And for Iran, Microsoft researchers in particular identified these websites associated with Iran that are basically posing as American sources and spreading disinformation.

So we’ve got Russia, Iran, and continuing on with nation states, we really shouldn’t forget China was also leading its own election-focused influence operations. One of its influence operation campaigns has been active since 2017. And we’ve recently been seeing increased activity from that campaign. But I do want to highlight that researchers do seem to believe that China’s efforts likely will be more restrained compared to Russia and Iran. And they don’t really seem to be aiming to undermine one campaign over another. So whereas you see Russia attempting to undermine Vice President Kamala Harris’s campaign and Iran attempting to undermine former President Donald Trump’s campaign, we’re not really seeing that lean or favoring from China to the same extent. So those are the main nation-state actors.
 
Erin: It’s interesting as well, sorry to interrupt you, but how the landscape has changed since 2016, right? So I saw some reporting with Russia as well that they didn’t necessarily get what they wanted maybe out of the Trump presidency and is that impacting what their goals are and how they’re reacting now. So it seems like as you were just saying, that they’re more trying to focus on just creating that conflict internally in the US, as well as still, promoting Trump, but it’s interesting how they’ve changed their tactic.
 
Bianca: Yeah, that’s a great point. And they’re just continuing to sow discord, like that seems to be the number one priority, really, and undermining faith in the election process and undermining faith in democracy. So that’s something we’re still seeing from them. Those are the main nation-state actors to answer your question that are kind of the main players right now in the disinformation landscape.

But I do also want to highlight that second bucket I mentioned that’s domestic actors. And there are US-based individuals and political movements that are generating disinformation related to the election and candidates that we’re seeing right now. For instance, the far-right conspiratorial movement, QAnon in particular, which first appeared in 2017, they seem to have effectively entered the mainstream at this point, and their conspiracy theories are seen across the surface web. And that’s a lot of the disinformation that we’re seeing in the current landscape is coming from these far-right conspiratorial movements. To answer your question, I’d say those are the two main buckets, the nation-states, but then also domestic actors.

I’d say broadly you can group the main narratives into two groups, two categories. So those that are questioning election integrity and then you have those that are targeting presidential candidates. So, for the first category, you have essentially all of the disinformation that’s questioning election integrity. So unfounded claims of voter fraud, which of course was also a very dominant narrative in 2020, and we’ve seen that narrative persist and enter the mainstream increasingly. And some of those narratives are being amplified by foreign actors, but American citizens themselves are also responsible, I think, for a lot of that amplification. That’s the first category and then the second category broadly is disinformation aimed at undermining either Vice President Kamala Harris’ campaign or former President Donald Trump’s campaign. To give an example, you have Russia spreading disinformation that’s again meant to support Trump and undermine Harris and then at the same time Iran spreading disinformation meant to support Harris and undermine Trump. To give a more specific example, one of the most recent examples of disinformation aimed at undermining a candidacy was this staged video that was created by Russia that falsely accused Governor Tim Walz of sexual misconduct. And that was a story in the news this week. The video has already been debunked, but it nonetheless gained hundreds of thousands of views on Twitter and has been shared on the dark web and on groups in Telegram. So, I’d say those are really the two main categories that we’re seeing right now.
 
Erin: I think with AI and things, it really highlights how videos can be made relatively easily these days that can be shared. And by the time that they’re debunked or shown to be false, the damage is almost done, the genie’s out of the bottle. So definitely concerning, but you just touched on the dark web and Telegram.

Bianca: Well, to address Telegram, right now we are seeing lots of groups on Telegram, especially far-right ones, that are basically spreading disinformation meant to sway voters. And again, some of that disinformation is coming from nation states. There are Russian news bots in a lot of these channels that are sharing headlines and articles that, again, are false and have no basis in fact. So, like you’ll see RT news, Russian bots, RT news, of course, being Russian funded propaganda. And then you’ll also have some of these same Telegram groups and channels sharing disinformation that’s originating from U.S. based individuals and again, conspiratorial movements like QAnon. So going back to this, the role that domestic actors are playing in addition to nation-states. It’s really interesting that a lot of the conspiratorial content that we’re seeing on spaces like Telegram, a lot of that content is leaking into the surface web. And vice versa, there is a lot of content overlap. And that’s concerning given that there used to be a much clearer distinction between the surface web and platforms, dark web adjacent platforms like Telegram. So, you’re seeing a lot of interaction in terms of the content we’re seeing on both spaces.
 
Erin: I think that’s an interesting point, right? Because we tend to think of the dark web, some dark web adjacent platforms like Telegram where there’s limited oversight, although obviously that seems to be changing at the moment, where people want to hide their intentions and stay anonymous. And with this, we’re really seeing people like move over and have less concern about hiding their identity. Like, how do you see that happening and why do you think that’s happening?
 
Bianca: I think it’s not surprising that we’re seeing, you know, anonymity being weaponized to spread this information, right? It’s more difficult to attribute this disinformation to a specific group, even a nation state or an individual, if they’re remaining anonymous, and that’s not just on the dark web, you know, we’re also seeing the anonymity on the surface web with users on Twitter, now X, spreading disinformation, but kind of hiding their true identity. And that’s become a lot easier on Twitter, especially where the verified checkmarks don’t signify reputability anymore that you just buy the checkmark. And it’s easier to kind of stay anonymous and sell yourself as this reputable source.

I did want to touch back about Telegram, though. I think it’s not surprising that we’re seeing a lot of disinformation there, of course, wanting to flag that just a few months ago in August, the app’s founder was arrested and charged in France in relation to an investigation into criminal activity on Telegram. So, it’s really not just disinformation being shared on the platform. The main concern right now also is violent extremist content and child sexual abuse material that we’re seeing on Telegram. But in terms of disinformation, I think it’s worth highlighting that one of the main concerns about Telegram is the sheer size of the groups and channels there. So, channels don’t have a limit on the number of subscribers and groups can have, I think as many as 200,000 members, which is massive, right? And that scale means that disinformation can very quickly reach large audiences and then gets shared and amplified by these massive groups over and over and over again. So overall, Telegram is absolutely hosting a lot of the disinformation we’re seeing regarding the election, whether that’s false claims of voter fraud or also disinformation targeting presidential candidates. And that’s definitely something to be concerned about.
 
Erin: Yeah, and I think we’ve definitely seen Telegram being used in other arenas in that way as well. Israel Hamas is an excellent example of disinformation being shared and even actual news information being shared quicker on Telegram than it is on mainstream media. And someone was asking me earlier this week, actually, if I think what’s next after Telegram now that the CEO’s been arrested and moved on, and I was like, honestly, I don’t think people are going to move, or not quickly, because there’s too many people in too many groups and they’re too well established that I think it will be difficult for them to move and create that with any of the other apps that are out there, but it’s definitely having an impact I think on a lot of the things that are going on. So that’s a really interesting insight.

Bianca: Conspiracy theories are effectively significantly distorting the information landscape right now, in the lead up to the election. And as you noted, a lot of them are gaining a lot of traction. And I think, you know, to give an example, a good example of the prominence of conspiracy theories right now is the information landscape we saw during Hurricane Helene and Milton. So you had far-right groups and individuals who were spreading disinformation claiming that the US government was using weather control technology so that the hurricane would be steered towards Republican voters. And you had, as you noted, of course, prominent figures reiterating these theories. There were politicians and public figures amplifying that conspiracy theory. Former President Donald Trump claimed that hurricane relief funds were being spent on illegal migrants, so having public figures reiterate those conspiracy theories lends them more credence, right, and makes it easier for them to gain traction, even though they are completely false. A lot of these conspiracy theories gained millions of views on Twitter and were reshared by more prominent figures in the Republican Party and also by Twitter’s own CEO, Elon Musk. And a lot of the most viral posts were from far-right individuals sharing often xenophobic and racist conspiracy theories. And so, I think the fact that there are millions of people engaging with this content, on Twitter especially, and amplifying and agreeing with the conspiracy theories is very concerning. And it’s ultimately a reflection of the divisiveness that we’re seeing ahead of the election. What we saw with Hurricane Helene and Milton was effectively the weaponization of tragic events, right? To influence voters ahead of the election. And that weaponization unfortunately worked and reached a massive audience. And it of course also had unfortunately real world implications with meteorologists receiving death threats. So absolutely conspiracy theories are playing a key part in this disinformation landscape right now.

Well, that’s a really interesting question because, of course, no political party is immune to conspiracy theories. But based on the research we’re doing right now, far-right individuals, including public figures or Republican members of Congress, are dominating the disinformation landscape right now on the dark web and also on the surface web, importantly, and like I said, there is a lot of overlap in terms of content in both of those places. A lot of the dominant conspiracy theories we are seeing right now are rooted in far-right ideas. So again, for the Hurricane Helene and Hurricane Milton response and information landscape, we saw a lot of conspiracy theories and disinformation aimed at undermining the Biden-Harris administration and the Harris-Walz presidential campaign. And on dark web adjacent platforms like Telegram, far-right groups are also dominant in terms of election disinformation. The groups spreading significant disinformation and with the largest numbers of subscribers are far-right groups as we’ve seen up until now. And that’s consistent with findings as well that that type of disinformation does tend to be particularly prevalent and toxic in that far-right online space.

Turning to left-wing conspiracies, the most prominent one I’d say that we’ve seen up until now was the baseless claim that the July 13th assassination attempt against former President Donald Trump in Pennsylvania was staged by the Trump campaign. And a lot of that chatter surrounding that unfounded conspiracy theory, interestingly enough, was on Twitter, X, rather than on the dark web. Ultimately, no political movement is free of conspiracy theories. But the ones gaining the most traction right now do appear to be far right conspiracy theories.
 
Erin: Yeah, I feel like it seems like the far right are just a lot better at organizing and weaponizing things like social media and Telegram, etc., because we did a lot of work to try and balance and see what we could find, a left-wing group that’s out there talking, and, you know, maybe they’re just better at hiding what they’re saying or maybe they’re not, you know, doing it in the same way, but it’s interesting how it does always seem to lean to that far-right side.

Bianca: Yes, absolutely. For more context, earlier this month, the DOJ announced that they had arrested this Afghan national who was based in Oklahoma City. Like you said, for plotting an attack on election day on behalf of ISIS. And then he was arrested by the FBI for purchasing two AK 37s with his brother-in-law, who was an accomplice, and the suspect admitted that he was going to carry out the attack on election day and expected to die in that attack and go down as a martyr. In terms of his connections to Telegram, the suspect interestingly was very active in pro-ISIS Telegram groups and allegedly saved ISIS propaganda, as was noted in the indictment document, to his iCloud account and I believe also to his Google account. So, ISIS propaganda from Telegram. He had also been in contact with an ISIS associate via Telegram who was giving him guidance regarding the upcoming attack that he was plotting. So definitely Telegram connections there and it’s ultimately not that surprising given that Telegram is notorious for being a hotbed of extremist activity, particularly for ISIS. There are lots of pro-ISIS groups there. And not just, of course, pro-ISIS groups, unfortunately, a lot of domestic extremist groups, as I noted, that being one of the main issues leading to the CEO’s arrest recently in France. But absolutely, the individual had ties to individuals in ISIS, and those connections were through Telegram.
 
Erin: Yeah, it’s interesting how we see this group for really being used in Telegram and how the arrest of the CEO may impact that. I mean, we definitely saw after the announcements that Telegram are going to cooperate with law enforcement and individuals talking about moving to other messaging platforms. As I said, I’m not sure that they’re all going to move, but I think it’s interesting that they’re having those conversations because Telegram really has been that hotbed and obviously, we’re talking about elections now, but I think you can go to any big event that’s happened or any kind of extremist group and find some kind of Telegram footprint for them at the moment.

Bianca: Well, in 2016, we, of course, had Russia leading extensive disinformation operations against the U.S., also in an effort to interfere with the presidential election, and, as you mentioned, the aim of those campaigns was to sow discord and undermine American democracy, and they used bots and intelligence officers that were masquerading as American citizens to spread this information and again exacerbate divisions. And these operations have not stopped, right? We’re still seeing that activity today. But what’s different now, in 2024 compared to 2016, is that other nation-states have significantly ramped up their influence operations as well, you know, as I mentioned, particularly Iran, and they’re engaging in similar large-scale campaigns. You know, Iran in this election has really emerged as a prominent actor in the current disinformation landscape in the lead-up to November 5th. They’ve already carried out cyber-attacks against presidential candidates and campaigns, and they’ve actively disseminated disinformation meant to sow discord among American voters like Russia did in 2016. And you know, as I mentioned, we’ve also seen China similarly amplifying divisive rhetoric, and there are Chinese-linked influence operations and campaigns that are spreading disinformation and conspiracy theories.

So, to answer your question, ultimately, this year is quite different from 2016, just in terms of the variety of actors that we’re seeing engaging in large-scale influence operations. But also importantly, I think that what’s particularly concerning right now, and especially different from 2016, is the way that, as I’ve noted, conspiracy theories have effectively become mainstream. And that’s really not to say that 2016 was devoid of conspiracy theories. There were, of course, conspiracy theories in 2016 and there will always be conspiracy theories. But the scale of their reach today is on a completely different level. As I mentioned, there are mainstream platforms, particularly X, so not just the dark web, where false claims about presidential candidates and regarding the validity of the election, these conspiracy theories, are gaining millions of views. And part of the reason that it is so significant is that you have prominent US-based individuals that are amplifying those conspiracy theories and allowing them to gain even more traction. And because of that, these conspiracy theories have entered the mainstream and are not just in the dark corners of the internet anymore. So, I think that’s really the main difference between 2016 and 2024.
 
Erin: Yeah, I feel like domestically, people are just more emboldened to share their views regardless of whether they’re conspiracy theories or even if they’re not. I think people are less concerned about the impact that that’s going to have, as you say, because on both sides, so many politicians are backing that kind of rhetoric. And as you say, it’s interesting, obviously, we focus on the dark web and dark web adjacent, that it’s kind of impossible to look at this topic these days without looking at social media, because there’s such an overlap and they interact so much, like the things that are shared on Twitter and then immediately put onto Telegram and vice versa. And there’s no one policing that or checking that. And the likes of Facebook and Instagram will try and say, this isn’t true or this isn’t verified or read this at your own cost, but Twitter seems to have moved away from doing that a little bit in recent years. And yeah, I think it’s very difficult with the amount of information that individuals are receiving to make sense of everything that’s going around and just the pure, as you say, the sheer size of data and conspiracy theories and things that are being shared now compared to previously. I can see why it’s difficult for people to make a judgment. And as I said earlier, once these things are out there, it’s really hard to walk them back. There’s a lot of people that, however many times you tell them something isn’t true and it’s been debunked, aren’t going to believe you.

Bianca: Yes, absolutely. It’s very likely that we’ll see a pretty significant increase in disinformation targeting American voters as we get closer to November 5th. Russia, Iran and China are well aware of the fact that their influence operations can have a greater impact closer to the date of the election, when they can influence voters and as individuals have already begun to vote. And US intelligence officials are actually already warning of this increase. There were reports stating that influence operations targeting specific political campaigns have already increased. I think it’s really important to note, though, that foreign influence operations aren’t going to stop after November 5th. And the ODNI actually just released a report, I think yesterday, warning that Russia, China, and Iran are all expected to continue their influence operations well through inauguration day. And it’s very likely that they’ll continue spreading disinformation, again meant to sow discord among Americans and to undermine trust in the election process. And that’s something we already saw with the presidential election in 2020. Election officials and intelligence officials have particularly warned that there’s a possibility that Russia, Iran and China could actually try to stoke post-election violence. So that’s something that definitely needs to be closely monitored. But yes, we’re expecting to see an increase in that kind of activity leading up to November 5th, but also well after November 5th up until inauguration day.

Bianca: I think the most important step and the quickest one, at least for individuals, to combat disinformation, and this seems very simple, is to verify sources. So before sharing or reposting anything online, just take a few minutes to check the credibility of the source and also take the time to cross-reference and see if you can find another source that’s also reputable or sharing the same information. So if you can cross-reference, there’s a greater likelihood that that information is valid. For organizations, I’d say carrying out fact-checking initiatives already is vital. Social media platforms, it’s worth noting, have the ability to give users the opportunity to report disinformation. And that’s huge. But Twitter, again, coming back to Twitter, unfortunately removed a feature that allowed users to report misinformation and disinformation. So, bringing that feature back, I think, and for other organizations and social media platforms implementing that feature, is a pretty vital first step to combat election-related disinformation. But yeah, fact checking in general and verifying your sources is the way to go.
 
Erin: I think knowing where something came from and making sure that it’s not just circular reporting, everything coming from one place, usually, you know, a place that may not be that legitimate, is such an important thing to do. And I think having discussions about that. So just going back to the dark web briefly, I think we’ve talked about how there’s a lot of crossover that’s going to mainstream social media sites. Would you say that there’s anything specific on the dark web relating to elections? I know in the past we’ve seen things related to voting machines and hacking. And you know, DEF CON is famous for having their hacking village. Have we seen an increase in that kind of discussion or not really?

Bianca: Absolutely, seeing a lot of narratives about kind of questioning election integrity, like you said, voting systems. A lot of that on the dark web and on Telegram channels, especially in a lot of these channels and groups that have as many as, you know, 200,000 subscribers. Again, a lot of them are aimed at undermining confidence in the election process in the U.S. and sowing discord. So definitely seeing those conspiracy theories dominant on Telegram, but as you noted as well, you really can’t look at it in a vacuum, right, because a lot of those disinformation narratives are also being seen on mainstream platforms. So, it’s interesting that we’re seeing this kind of dialogue between the two spaces and that theories that previously would have probably been limited to the corners of the internet, as it were, are now very much so in the mainstream. And it’s sometimes even hard to identify where they first originated, just because of the fact that we’re seeing them all over the place, all these conspiracy theories.
 
Erin: Yeah, absolutely. And I think that’s the thing. I think on the dark web, the things that we see more are the traditional dark web things that you see people doing, like talking about hacking, or talking about, you know, leaking voter information or information that could be used relating to voters. That’s the dark web bread and butter, whereas, you know, outside of things like Telegram, I’m not sure that people are using the dark web for those kinds of conversations because they don’t need to. They can do it on mainstream platforms without fear of, you know, reprisal. So it’s a really interesting shift, I think, that you’re highlighting.

Bianca: Well, just highlighting again, I’m glad that you asked the question about things people can do to combat disinformation, and just flagging again the importance of verifying sources. There are lots of great sources online as well from CISA on steps election officials can take to ensure that we’re combating disinformation right now. Organizations and individuals can do a lot to combat this rise in misinformation and disinformation that we’re seeing right now. Thank you all for joining this webinar.
 
Erin: That just made me think as well – I was at some sessions recently where I feel like you can’t have a dark web or an OSINT chat these days without mentioning AI. And I just feel like these days, with the way AI is improving, and deep fakes in terms of generating stories and generating videos and generating images, it is just something that people need to be so aware of, and it goes back to your point about really validating those sources, because things can look so believable these days in a way that they couldn’t several years ago. So I think that’s an interesting point as well.

[Interview Transcription] OSINT in Government: Industry Insights on Challenges and Opportunities

June 12, 2024

Francis Rose of Fed Gov Today recently sat down with DarkOwl CEO and Co-Founder, Mark Turnage, to discuss the current state of open-source intelligence (OSINT) in government. You can check out the article from Fed Gov Today here.

The link to the YouTube video, and the transcription can be found below.

NOTE: Some content has been edited for length and clarity.


Francis: Mark Turnage, Welcome. It’s great to talk to you. What’s the current state, do you think, of the government getting the data that it needs and deciding what sources it’s going to draw that data from, open sources, proprietary information and so on?

Mark: That’s a great question. And you know, I think there’s been a big change in the government in their approach to OSINT in general, and frankly, their understanding of the need for OSINT and the value of OSINT. And we live in an environment where data, broadly speaking, and OSINT, broadly speaking, is growing dramatically. The amount of data, the types of data, and so the government, in some respects, is playing catch up in trying to understand how to use it, how to aggregate it, how to analyze it. And that’s a big change that is underway. But there are gaps, gaps in the government’s collection. We’re [DarkOwl] a darknet data collection company. We collect data from 30,000 plus sites a day in the darknet, and we provide that to the government and other commercial users. And just that one tiny sliver of OSINT alone can tax any organization’s ability to integrate data, store it, and then manage it. So that’s it. That’s a tiny little example of some of the challenges that the government faces.

Francis: One of the things I think has been interesting about tracking this over time is that organizations, for example, like NGA, have not fought the change in the lines of delineation. What used to be proprietary is now open-source, and so on, and they’ve kind of said, we have to get with the game and go with it. Has that helped, do you think, organizations in government to go through this change?

Mark: I think it’s been a big culture shift for them. I mean, NGA in particular, but other organizations as well. Take the example of satellite data, satellite imagery. What’s available today commercially is better than what was available, on the high side, 10 years ago. And that is only going to keep happening. Using a cell phone, you can get battlefield information on the front lines in the Ukraine that’s far more detailed and far more timely than what our analysts have access to here in the US, you know, from high-side data. So, I think any organization that understands that then has to embrace it fully and start to use those commercial sources and integrate them fully with their high-side data. And then they have the best of both worlds, to be honest.

Francis: Take me farther into that definition of embracing that fully. What does that mean to those organizations to do from a tactical perspective?

Mark: Well, first of all, there’s a culture shift. I’m not sure that’s tactical, but there’s a cultural shift that’s necessary. But once that cultural shift happens, once they actually understand it and get it in their DNA, I think there’s a couple of things. Number one, don’t fear it. Don’t fear open-source data. Embrace it. Buy it. Integrate it. Use it. And by the way, part of that is also staying on top of what open-source data is out there and available, because it changes and it shifts dramatically as time goes on. Secondly, integrate it with your high-side data. Look at them side by side. Understand that that data, sometimes that commercially available data, is better than what you have, and sometimes it’s very complementary to what you have. It makes your analyst team far more powerful looking at both sets of data and correlating them together. But embracing, I think, means understanding it, buying it, integrating it.

Francis: That integration process, it sounds like when you use the term changes and shifts dramatically, it sounds like that integration process may be the key factor to all of the ones that you just laid out there. Is that a fair read?

Mark: That is an absolutely fair statement. I think understanding what that technology or that tech stack is that you need to build and maintain to integrate open-source data is a journey that all the federal agencies we work with are on right now.

Francis: What is the technological underpinning of this infrastructure? And is that changing over time as well?

Mark: It’s likely to change over time, but the technological underpinning is you have to have the ability to integrate extremely large data streams, parse those data streams, store them in a secure environment, and then make them available through whatever interface or tools are available to your analysts. You make them available in live time to your analysts. So, there are off-the-shelf products that allow you to do that. And obviously there are cloud data storage capabilities available to the government through a number of different avenues. The one interesting thing that is a challenge for many of these agencies is how do you integrate open-source data coming from the low side with high-side data? How do you cross that chasm? Because taking OSINT intelligence into a SCIF, and then trying to correlate it with high-side data, becomes a real challenge; you would rather have them on the same screen. So that creates a completely different technological challenge, I think, for many of these organizations.

Francis: I want to come back to that idea, but you talked about analysts and the importance of the analysts a number of times in this conversation already. What does the skill set for the analyst of the future look like potentially compared to the analyst of today given the advances that you’ve discussed?

Mark: That’s a really good question. And obviously, AI is front and center in that process. I would say that the analyst of the future needs to be able to contextualize the intelligence that they are getting. And in fact, a good chunk of that data, of that intelligence they’re getting, is going to be AI generated. But they have to contextualize it, and they also have to be able to keep it honest. When you have AI hallucination and other things, and you don’t have a trained analyst who understands the context in which this is being done, you could go down a rat hole pretty quickly. So, the world of the future is going to be divided, broadly, between people who can use AI to be more productive and those who can’t. And that’s the new social split that we’re coming to as a society; that’s no different with an analyst. They have to understand how AI works. They have to understand the data AI is looking at. They have to understand the output, and they have to then stress test that output.

Francis: You mentioned the desire to mash up high-side data with open-source data. What is the challenge potentially, if any, to maintaining, I guess, tagging is the best word I can think of, so that one knows throughout the entire data stream this piece is just for us to see and this stuff is okay for others to see when you’re combining?

Mark: When you combine those datasets, you have to tag it, you have to give them metadata so that an analyst a month out or a year out or five years out knows where that data came from, knows the source, knows the provenance of the data, and obviously can distinguish between a sentence which may have come from the high side and a sentence that’s immediately adjacent to it that came from the open source. So that’s obviously a real challenge, but I think that’s actually relatively solvable with the metadata and tagging that’s available. If you don’t pay attention to it, there’s going to be an analyst down the road in five years who’s going to get himself or herself in real trouble.

Francis: Mark, it’s great to talk to you. Thanks for your time.

Mark: Really nice to talk to you as well.


[Webinar Transcription] Navigating the Cyber Landscape: Strategies and Capabilities of Iran, China, North Korea and Russia

March 28, 2024

Or, watch on YouTube

The government, along with Law Enforcement, is heavily impacted by ever-evolving technology and there is a multitude of malicious actors conducting espionage, stealing data, attempting to infiltrate, and shut down systems critical to everyday life.

These malicious actors with a proven state-sponsored tie are often called Advanced Persistent Threats (APTs). The digital realm is heavily involved in geopolitical conflict, and its role and that of adversarial actors must be explored.

In this session, we will dive into the big 4 cyber adversaries:

  • Explain how cyber experts are trained
  • Explore the use of front companies and technology in their online activities
  • Examine ties to their governments
  • Cover common offensive and defensive capabilities
  • Glimpse into the possible future with AI used in operations

For those that would rather read the presentation, we have transcribed it below.

NOTE: Some content has been edited for length and clarity.


Mark: My name is Mark Turnage, I’m the CEO and Co-Founder of DarkOwl and with me, I have Erin Brown, who’s our Director of Intelligence. We’re pleased that you joined us here this morning. I’m just going to make some introductory remarks, and we’re going to conduct this webinar as a sort of fireside chat between me and Erin and talk about four cyber countries – powerful cyber countries: Iran, North Korea, China, and Russia.  

Just a couple of introductory remarks from me, we live in very interesting times. It’s a very famous Chinese curse and I think it’s fair to say that over the last several years, the world has become considerably more uncertain and more unstable. We have wars being waged in Ukraine, in the Middle East, we have a considerable amount of tension in East Asia, between China and Taiwan, and against that backdrop, there are a number of elections taking place this year around the world, including here in the United States, our presidential election. All that means that the cyber sphere has become even more important and more deserving of our attention as we think about that instability and how to better manage that instability. And against that background, four countries are continually mentioned: Iran, Russia, China, North Korea. Interestingly enough, two of those, China and Russia, are quite large countries and powerful in their own right. Two of them, North Korea and Iran, are cyber superpowers, in spite of being relatively small and in the case certainly of North Korea, having quite a small economy.  So, we thought it would be useful to talk, to have a conversation about those four countries and talk about their cyber capabilities and how they use the cyber sphere, both for their own purposes and to sow instability and discord. So, with that, I’m going to just start asking Erin some questions.

What are the main cyber threats posed by these four countries?

Erin: There are a lot of different threats that they’re posing, and it really depends on what they’re trying to achieve. We see them conducting cyber espionage, we see intellectual property theft, attacks on infrastructure. It really depends on what their motivations are and they have many groups within their countries that are conducting these types of attacks – but most of them, all four of them, I would say, have a joint desire to advance their global influence. They all want to be the superpower of the world and they want to do that in both the digital and the physical world. We’re seeing that overlap, as you just mentioned in your introduction, as there’s more and more real-world conflicts happening. We’re seeing a huge cyber element to that. But then they do have their own distinct motivations as well in terms of what operations they’re conducting. North Korea, for example, we’ve seen them conducting a lot of attacks that lead to financial gain because they’re using those funds to finance other operations that they’re doing and things that they’re doing within the country.  So, they all pose a huge amount of risk to both countries and organizations in terms of what they’re trying to achieve to advance their global power, basically.

Mark: And is it fair to say that of those four, North Korea is the most, quote unquote, financially oriented in terms of their cyber activities? Or is the same true, say, of Russia?

Erin: I would say so. I think we know North Korea, from a government perspective, is doing that financial motivation and gain. I think with Russia especially, and Iran to a certain extent as well, we see that overlap and bleeding between who is the state-sanctioned, state-sponsored groups, and those actors that maybe the state is allowing to operate. So obviously, you know, the ransomware gangs in Russia are making a huge amount of money off of corporations worldwide, and there are suggestions that they’re at least allowed to conduct their activities by the Russian government. One could infer from that that the Russian government may be getting kickbacks from them and from that type of activity, but we don’t necessarily see the state-sponsored groups that are the military groups having that financial motivation in other countries. But Iran and Russia certainly have that criminal overlap.

Mark: Which brings us to the question of how these countries actually organize their cyber operations. You mentioned that some of them may or may not incorporate private actors in those operations, and others are more official. So, how do they organize their operations?

Erin: It’s quite a complex makeup across all the different countries, and they all do it slightly differently. You do get those differences between what is state-sponsored, what is state-sanctioned, what is state-allowed. So, there are all of these distinctions within how you group them, but primarily, we see that the countries have military and civilian intelligence services. So, they’ll have military operators that are part of their armed forces that are going out and conducting these cyberattacks, and then you’ll also have intelligence agencies. So similar to how we have the CIA in the US, they have their equivalents that will also be conducting cyber operations on their behalf as well, and depending on who’s conducting the attack, you’ll see different types of attacks and different victims as well in terms of what they’re trying to achieve.

But then we do also see civilians that are somewhat separated from the government being utilized. So, we do see a lot of front companies being used by these countries. This will be a seemingly legitimate company that is set up in-country that has government backing behind it. That’s not necessarily obvious, so that they can have that air of conducting activity and not being linked to the government, even though they are. Then also, as we just mentioned with the financial motivation, we do see, especially in North Korea and in countries that don’t have as much stability and financial security, actors that are doing a day job with the government and then in the evening, they’ll be using those skills that they’ve learned with the government to conduct cyber activities and criminal activities. So, it’s a murky infrastructure in terms of how these are set up, but I would say all of these countries do have set up groups and organizations that are there to conduct cyber espionage and cyberattacks on other countries.

Mark: This odd mixture of official and unofficial criminal gangs must make attribution really difficult when you’re looking at an activity, trying to attribute who the actor is who is behind the actual action.

Erin: Yeah, it’s incredibly difficult. And I would say it’s probably more difficult for people like ourselves that are outside of the government remit to identify that information, because it’s very noisy in terms of what’s being conducted, who’s doing what attacks, and then things like the malware that they use. A lot of countries will use off-the-shelf malware, but lots of other groups use that as well. So, just because a malware is being used doesn’t mean that it’s attributed to one particular group, even if that group invented it. For instance, Stuxnet is a good example of that – it was developed by the US and the Israelis, but it has been utilized far and wide by other nation-states, and by criminal actors since then. So, it’s really difficult to know who is conducting these activities, and mistakes are made in terms of these attributions as well between different groups. Whenever we’re looking at this attribution, whenever we’re looking at this activity, the attacks that are happening, we’ll make assumptions about what we think that’s connected to, but you don’t really know unless you’re in those groups and able to see that. So attribution is incredibly difficult, and when we’re talking about APTs and we’re talking about nation-states, we’re talking about probably the most sophisticated cyber actors that are out there, that most of the time are trying very hard to obfuscate their activities and obfuscate who they are and who is conducting them. It’s a very tricky thing to be able to attribute that activity. So, one of the things I would say about it is it’s more about knowing what the techniques are than knowing who is doing it, so that you can protect yourself from those techniques and those vulnerabilities within your organization. I guess some might say it doesn’t really matter who’s doing it when it comes down to attribution; it just matters that you stop it. So, it’s an interesting balance.

Mark: Yeah. Although, if you’re a foreign leader, say, the president of the United States, the Prime Minister of Great Britain, the President of France, and your country is in some fashion attacked by a cyber operator, attribution becomes important in terms of how you respond. So that’s a challenge I’m sure that many leaders face.

Let me switch gears a little bit and talk specifically about China. The Great Firewall of China – what’s the impact of that on both their capabilities and on the ability of outsiders to see what’s happening in China?

Erin: For those who don’t know, I’m sure most people do, but the Great Firewall is what we refer to as the operations that China put in place to silo their internet from the rest of the world. So, it means that most of their citizens aren’t able to access the internet in the same way that we do, and they’re not allowed to access certain things. So, it means that the government can really lock down the messaging and the news that citizens are able to access. And as part of that, they do also have their own apps and search engines and things like that. A lot of social media like Facebook and Instagram and WhatsApp can’t be accessed in China. Instead, they have WeChat and WeChen and Weibo and other ways that they’re doing that. From the outside, it is always seen as a way of controlling the citizens and the messaging that they’re getting and what they’re able to do, but it does also highlight the sophistication that the Chinese government have in terms of cyber activities, in terms of how they’re able to monitor their own citizens and lock down that information, and how sophisticated their surveillance and censorship is. So, it really highlights some of the skills that they have. It’s the same cyber operators influencing the Great Firewall as conducting some of these attacks that are happening, and it shows how they want to have their world order and what some of their motivations are in terms of the cyber operations that they’re targeting.

It’s worth mentioning that they aren’t the only country that’s doing that. Russia has Runet – they are expanding and trying to lock down what their citizens are able to see. And Iran and North Korea have very similar methodologies in place. I would say with North Korea, we know even less about that, just because of the isolationist way that North Korea operates. It’s very hard to know how that functions but I think it just demonstrates the sophistication that they have and the abilities that they have of surveillance and censorship that they utilize outside of the firewall as well as inside it.

Mark: So, from an adversarial perspective, we’re in an environment where these four countries have unencumbered access to the world’s internet. It’s open. We’ve made it open deliberately, but we have very limited access, on a variable basis, to their internal country networks, and I would put China at the top of that list.

Erin: Yeah, definitely. So, it’s very hard as analysts, going back to that attribution point as well, to know what’s going on inside of that firewall because they’re locking down that information. What messages are they sharing? What is it that they’re putting out about adversaries when there is a campaign that is publicly reported or Chinese actors are indicted, which has happened several times? What is the messaging that they’re putting out internally? And I think, with Russia, we’ve seen this with the Ukraine war and the messaging that they’ve put forward about Ukraine to their citizens in terms of “they’re saving the country, it’s not a war, it’s a defensive position,” very different to what we’re seeing outside of that realm. So, it definitely impacts on that attribution and what we’re able to understand about what they’re doing. One thing I would mention as well, because we’re a dark web company, is that this is one of the ways that Tor can be used in a very legitimate way. I think we tend to focus on the dark web being a bad thing for criminal activities, but it’s a way that a lot of citizens in these countries that have locked-down internet are able to access Western and outside media, and this is the reason that a lot of social media companies will have mirrors on the dark web. X, formerly Twitter, has it, Facebook has it, some governments have websites on the dark web. So, people are able to access that information. It’s a useful way for people to be able to get that outside information as well.

Mark: Can you talk about some of the notable cyber campaigns that have been conducted by these four countries?

Erin: Sure. There are a lot, and as we’ve already covered, attribution is tricky in terms of how we associate particular campaigns that we’re seeing to particular countries and the groups within them. China has had some very significant operations in recent years targeting a lot of countries in their region. We’ve seen them spying on Cambodia, the Philippines, South Korea, and they do this using phishing techniques to gain access. So, you know, they are using some of the same techniques that we’re seeing criminals using, that we’re all warned about at our companies in terms of “don’t click on a link.” Those sophisticated users are using those methodologies as well, and we have seen things like when they recently targeted Japan’s space agency. One of the things that China is well known for is targeting companies and stealing intellectual property, and then taking that information back and using it to develop their own technologies and issue patents on their technologies. So, that is a thing that they continue to do in terms of expanding their power and what they have access to. That’s something that we’ve seen China doing a lot of recently.

With Russia, probably the most significant one that is fairly recent was that they targeted Microsoft’s corporate systems. They targeted the executives and I believe the legal team and were able to access some emails and documents, and they did this again with fairly simple methodology. It was a password spray attack. So basically, they just took lots of different ways that people might use a password and put it across all of their systems. This really highlights why you need to have good password hygiene across your corporation, and governments everywhere, because that is a way, not just with nation-states, but across the whole adversarial cyber field, that we’re seeing people get access: through credentials. So, it’s a really important thing to identify. And then I think you can’t talk about Russia’s activities without mentioning the war in Ukraine, because there definitely is a cyber war going on as well as the on-the-ground war. One of the things we’ve seen fairly recently was they hacked into webcams in Kiev, so that they could look at what air defenses were being used in the city, and they did that ahead of a missile attack. They wanted to see where their missiles would be defended and where they wouldn’t. That is a real-world example of how the cyber and the real world are linked together, and they’re utilizing cyber tools to help them with military campaigns.

In terms of Iran, there is a group known as Mint Sandstorm. So again, using phishing techniques, but social engineering as well. This is something we see a lot with Iranian actors – utilizing social media and fake social media accounts to lure people into giving them what they want. We saw them on large recruitment and job networking sites creating these accounts, creating several levels of personas that knew each other to make them look as real as possible, and then were using that to identify people that they wanted to target as part of the Israel-Gaza conflict. They were using this as an espionage/intelligence-gathering campaign. With these campaigns, it’s not just about disruptive action or getting access; sometimes it’s just understanding things that are going on to help them with other areas.

Then North Korea, again, is a trickier one just because of their isolationism and the groups that we see. Probably the most prominent group that’s been mentioned in recent years, and they have been around for a long time now, is Lazarus. They have been involved in significant financial thefts as well as espionage. So, a lot of cryptocurrency, ransomware attacks, etc. They were responsible for the Sony hack way back when, I believe it was 2016, but as recently as this year, they’re still operating. They were seen conducting cyber espionage campaigns, targeting defense technologies, again creating fake social media profiles, and then deploying malware once they’ve got access to individuals. So, you know, there’s a range of activities that are going on, and that very much is a high-level overview of some of the activities. There’s probably a lot more going on that we don’t know about, and a lot more going on that we do know about, but it hopefully gives you a sense of the types of campaigns that they’re conducting and also the variety of people that they’re targeting. I think you said earlier that governments obviously care about attribution, and they should, and their governments hopefully are better at attribution, but I think there’s an old world view that nation-states and spying and espionage is a thing between governments, and these days with cyber, it just isn’t; everyone is vulnerable to attacks. Everyone has information worth stealing, so everyone has to be vigilant.

Mark: It’s notable that in your answer, in talking about the various cyber campaigns conducted by these countries, that many, if not most of them, are using basic password access, phishing, social engineering, as opposed to Zero-day exploits that they have access to on an exclusive basis. That’s quite notable.

Erin: Zero-day exploits are really hard to develop and they’re really expensive to develop. If you don’t need them, because you can get in by a weak link of a person clicking on a link or believing a phishing email, then why waste your time and infrastructure? I would say they still definitely do utilize those Zero-day attacks, and that is something that’s developed, especially by Russia and China, but those are the ones that it’s harder to hear about, right? Those are the ones that they don’t want people to know what that capability is and who they’re targeting. And they would save that for their most important victims.

Mark: We, in the cyber security industry, live in evolving times. There are a lot of changes in technologies, and I would include in that, by the way, artificial intelligence, the rise of artificial intelligence. How does that affect how these four countries are both organizing themselves and conducting their cyber operations?

Erin: I think in the same way that the rest of us are, right, they’re still learning. They’re still coming to grips with these new technologies and how they can utilize them and how they’re going to work, but they definitely are. I think they definitely want to utilize them, and there is a growing sophistication. We have seen particular countries trying to target AI companies. I think there was an article a month or two ago about OpenAI reporting, I think it was 4 or 5, specific APT actors that they had kicked off of their site, and they were using AI to do the things that a lot of other people are doing, like help them with their work, but also create phishing emails and ask it questions to do research for them about the capabilities that other countries and their victims have. So, we know that they’re using AI, we know that that’s happening.

There are also, I believe it was China, I’m trying to remember – it was either China or North Korea, but they’re actually investing in companies that are developing AI in certain areas of the world so that they can own that technology for themselves as well. What I would say with AI and those technologies is the US and Europe and the likes of OpenAI, oh, their name is escaping me. But, you know, the prominent AI providers at the moment, they are far and away ahead of Russia and China at the moment. But I was actually at a talk with someone from those companies a couple of weeks ago, and they were saying, we’re only a couple of months ahead and they are going to catch up, like it is going to happen. So, it’s something that everyone needs to be aware of and needs to be vigilant about. I think the takeaway point from that is that they are using it. They are keeping an eye on emerging technologies. They themselves as well have to constantly evolve to remain relevant and successful because people’s defense gets better all the time. So, you need to constantly evolve to get around those defenses and those ways of operating. It’s definitely something that they focus on.

Mark: You mentioned earlier, by the way, that we’re a darknet company and we cover the darknets, and we cover darknet adjacent sites. You mentioned earlier in one of your answers the use of the darknet by citizens in countries which are behind firewalls or where they have limited access to the outside internet. But how do the countries themselves use the darknet and these other online platforms in their own operations?

Erin: Yeah, that’s a difficult one and it’s a bit murky. Again, going back to that attribution problem, and especially on the dark web where everyone is trying to stay as anonymous as possible, to know who is doing what. We know that they definitely do utilize it. We know that there are probably actors on there that are sowing disinformation and details on the dark web and sharing them. But, you know, one of the things that we’ve seen more in recent years and is a bit more obvious is hacktivist groups and criminal groups that are associated with or somewhat sanctioned by governments. So, we’ve seen this with Killnet in Russia and a handful of other groups that came out in support of Russia when the invasion of Ukraine happened, and they are very active on things like Telegram. They will say who they’re targeting. They will say why they’re targeting them. They’re often going after NATO participants. They will show evidence of defacements or DDoS attacks. So, they’re very vocal and they want people to know what they’re doing, and they do have those links or at least a nationalist fervor that is very clear. And we see that other groups linked to North Korea and Iran also have Telegram channels and other channels that are very vocal. One of the interesting things that we’ve seen, though, that is less how they’re operating but gives us more insight into how they’re operating, is we have seen a lot of data leaks relating to some of these countries and their governments. Everyone’s falling victim to data leaks in recent years. It’s big business on the dark web – selling that data, but there’s been a huge increase in the last probably 6 to 9 months, especially for China, in terms of government data being leaked.

There was a huge leak of the Shanghai police late last year that was assessed to be one of the biggest data breaches ever, and it had a huge amount of information about their law enforcement, but also the tools that they were using to target their citizens. So, it gave security analysts insight into what they’re doing that the governments wouldn’t necessarily want them to have, and there was another recent one as well on a GitHub repository. So not quite the dark web, but it was one of the front companies that was conducting cyberattacks on behalf of China. All of their information was released, and we’ve seen large scale releases of Russian data, Israeli data as well, talking about those conflicts. There is information like that, and while we’re all looking at that dark web data and saying, oh, this is giving us insights into these countries that we don’t know as much about, you can believe that they are also doing the same. So, when there are leaks of US, UK, European data, those countries are definitely going to have individuals that are on those dark websites collecting that data and reviewing it as well.

Mark: What do we do about this? It’s not like these four countries are going to wake up tomorrow and become parliamentary democracies and decide to conform to rules of international law. So, what do we do? What do we do about this?

Erin: I think it’s points we’ve already mentioned. You just have to be vigilant, and you have to have as much security as possible. I think there’s education that needs to happen for people about how you should operate, as you said, like these phishing techniques, password spray attacks, things like that. They’re fairly simple and they’re things that we can educate people about, and I think we’ve been too focused in recent years on: okay, people know that if you get a bad email that you shouldn’t click on it, hopefully most of the time, but we’re seeing more and more smishing attacks, so text messaging, and with the advent of AI, you can develop someone’s voice and get them to say anything you want them to say. So, you can get a voicemail from your boss telling you to send money or to click on a link. Things are becoming way more sophisticated in terms of how attacks can be conducted, and therefore our education to people about how to combat those attacks needs to be more sophisticated. I think it’s just staying up to date with what these threat actors are doing, and this isn’t just the nation-states, it’s across the board: what tools and techniques are being utilized, and are your systems set up to protect against those vulnerabilities? So I think it’s trying to be as proactive as possible and not just reacting when attacks happen.

[Webinar Transcription] Why Darknet Data is an Integral Part of OSINT Investigations

March 05, 2024

The internet is a vast realm that extends far beyond the surface web we commonly explore. Beneath the surface lies the darknet, a hidden network that poses significant challenges but also holds immense potential for open-source intelligence (OSINT) investigations. Join DarkOwl’s Director of Intelligence to learn how the darknet expands the scope of information available to researchers and analysts.

In this 30-minute session, Erin covers how darknet data:

  • Enhances OSINT investigations by unveiling hidden information
  • Strengthens our ability to combat cybercrime and protect individuals and organizations
  • Enhances threat intelligence and helps maintain a safer digital ecosystem
  • Is utilized in identity theft, fraud, compromised accounts and other real-world examples

For those that would rather read the presentation, we have transcribed it below.

NOTE: Some content has been edited for length and clarity.


Erin: Good morning or good afternoon, everyone. I’m going to do a quick high-level talk today of what darknet data is, why it’s important and how it can fit into your investigations. Please do ask any questions that you have throughout, and I’d be more than happy to answer those. So, what we’re going to cover today is what is the dark web? A really quick intro, what is OSINT? Again, very high level. Why is dark web important? And then what I really want to focus in on are some use cases and hopefully show you how we can integrate dark web and OSINT together to find some really interesting things in our investigations.

The obligatory who am I slide… like any good analyst, I hate having any details about me on the internet, so I’m going to keep it brief, but my name is Erin. I’m the Director of Collections and Intelligence here at DarkOwl, and I’ve been an intelligence analyst for over 12 years now.

Another obligatory slide is the iceberg; you can’t really have an OSINT presentation without including an iceberg of some kind in here. This is to highlight the different areas of the internet. They’re all open-source, so they all form part of open-source investigations, but obviously DarkOwl, and I personally at the moment, focus on the darknet. It’s always important to see the whole view and look at everything that’s going on. You want to be able to look at sources that are on the deep net and the surface net as well to make sure you’re getting as much information as possible and that you’re able to validate that information as well.

Diving into the dark web, hopefully most of you that are listening are familiar, but I’ll just give a very quick background of what the dark web is and what can be found there. I’m not going to read everything on this slide, but you can see that it’s been around since the 2000s, so we’ve got about 20 years now, and there’s a lot of things that have happened in terms of the access, the marketplaces that are emerging and forums, breaches starting to occur, terrorists using the information, etc. There’s been a lot of uses of the dark web, and I would like to say that it isn’t just there for illicit uses. There are a lot of legitimate uses for the dark web. I think one of the best things is allowing some individuals that might not have open access to the internet in the countries that they live in to access a lot of websites, social media sites, etc. using the dark web that they wouldn’t otherwise be able to access. There are legitimate purposes, but obviously a lot of nefarious actors also use it and take advantage of the anonymity that they believe exists there.

Marketplaces, people selling goods. These are usually illicit goods: hacking tools, malware, data, drugs, weapons, counterfeit goods. We see all of those being sold on a regular basis. We also see forums – people chatting and talking to each other but also usually selling some kind of information or sharing information; not all of it is for sale. We do also see a lot of extremist forums, people talking about information that’s not great, but also getting together, planning events, things like that. As I just mentioned, there are also social media sites on there. There are mirrors of Twitter or X or Facebook, Reddit. All that can be accessed from the dark web. There are cryptocurrency exchanges, mixers, other forms of things. Cryptocurrency is the currency of the dark web. Really, that’s the main way that people transact. The full ecosystem for cryptocurrency also exists on the dark web. You also get news media, news sources. A lot of the main media outlets and newspapers will also have dark web mirrors. The CIA has a dark web mirror. There are a lot of legitimate sites out there. And then of course, everyone is aware of data leaks; that is the main place that they are shared, and ransomware. A lot of ransomware groups will have leak sites where they will have a shame board of all their victims, which they will put on the dark web for people to go and view. If the company doesn’t pay their ransom, then that information will be released there and can be downloaded. I should say with the leaks as well, it’s usually advertised on the dark web, but the dark web is very slow in terms of downloading information. Often a downloading service or a torrent will be used if the files are quite large.

This is just to give you kind of an idea of what the dark web looks like. These are some sites selling counterfeit goods, organs, drugs, cash apps and accounts. Then also we’ve got some of the advertisements that are shown here.

You can see the different marketplaces that exist with the different areas, we’ve got people selling Social Security numbers, malware, botnets, different types of drugs. There really is this booming commercial aspect to the dark web and a lot of different stores that have been set up either for niche things or sell a huge amount of goods. And as I said, cryptocurrency is the currency of choice. You can see in that middle image: Monero, Bitcoin, Dogecoin, Litecoin are just some of the ones that are accepted. But it is a variety of cryptocurrencies that are usually accepted these days.

There are quite a lot of challenges, though, with collecting from the dark web. I mean, the first one is you’ve got to know where to look. You don’t have the nice URLs that you would get on the surface web. You also don’t have Google to help you. There are search engines on the dark web, but the majority of sites are not indexed and therefore not easy to find. You need to know where to look, and you need to be in networks where that information is being shared. You also, in most cases, need a login to access the pages. So, you need to create personas, and you need to do that in a secure way. The threat actors that set up these sites and maintain these sites are very against bots. They’re very against DDoS, all of the things that they’re very familiar with, but also, they don’t want people going in and crawling the data. They don’t want people to access it that aren’t there for the purposes that they’ve set it up for. I would say the dark web has some of the most sophisticated CAPTCHAs I have ever seen. I can spend quite a bit of my day just trying to solve math issues or see letters in squiggly lines or putting images together. It is quite difficult to get into those. There are a lot of bot traps on the dark web and a lot of human interaction that is required to get into it. It’s not easy, but there is a huge amount of data and intelligence to be found once you do get into those sites.

Before I get into some of what that data is, I also just wanted to touch on what we call at DarkOwl dark web adjacent sites. These are things that are not necessarily on the dark web. They’re not on Tor or I2P or ZeroNet, or some of the other dark web services that are out there, but they are used by the same types of people. They are used in the same kind of way. Telegram is a huge one where we do see a huge amount of marketplaces. We see a lot of fraud being conducted. We see a lot of hacking operations. There’s a lot of hacktivist channels, extremist channels, etc. That’s something that you need to be aware of as well when you’re doing these dark web and OSINT investigations. I’ve also mentioned ICQ and Jabber. But there are other things like Rocket, Tocket.io, Tox and things like that where people are communicating. We also see it on gaming apps. Discord got a lot of publicity last year with the Pentagon leaks. I believe he was just sentenced, actually, this week, for leaking that information on there. But generally, a lot of threat actors are on Discord actively. It is a gaming site, but you can set up different servers and different channels. And so, we see a lot of people sharing and operating there as well. Then a lot of threat actors these days aren’t as worried about anonymity as they perhaps used to be. There’s been a lot of instances where dark web forums and marketplaces have been taken down by law enforcement action. So, some threat actors, I think, think: why should I go to all of this effort of having a Tor node and a Tor site and setting this up when I could just do it on the surface web with almost the same risks? There are marketplaces, vendor shops and forums that sit on the surface web that are still used by the same kind of actors for the same kind of use cases. We’re very much monitoring and looking at those as well.

To give you an idea of some of the things that we’re able to find from the darknet. A lot of data comes from the darknet, so we see things like huge amounts of personal data, PII. That is the currency of the dark web at the moment. I would say we see a huge amount of issues being stolen: email addresses, passwords, Social Security numbers, social media accounts. Stealer logs are becoming really prevalent in the last year or two. There are cookies in there. There are two factor authentication sign-ins. There are key questions, etc. So, there’s a huge amount there. We also see a lot of banking information and fraud. There’s a lot of corporate data, especially with ransomware attacks, which are only increasing. I’ve mentioned malware and then also risks. There’s a lot of threat actors on the dark web that are very good at what they do. There’s a lot of cyberattacks. There’s a lot of education, actually, on the dark web about how you can conduct those cyberattacks, leaks, etc. There’s a huge amount of information out there if you know where to look.

Will you be discussing during this webinar the uptick in Drainer as a service (DaaS) or explaining it to those new to dark web marketplaces?

No, that is not in the presentation, but I can definitely get to that at the end.

OSINT is open-source intelligence. It’s information that’s been found from open sources. Any information found on the dark web does count as OSINT information, but obviously it’s a lot broader than that. These are just some of the sources and information that’s out there that you can use as part of OSINT to find information for whatever kind of investigation you’re trying to conduct.

I did want to highlight some tips in terms of doing OSINT. This is true of looking on social media or looking on the dark web. I created my little AI-generated sock puppet. That’s what that’s supposed to be, if no one can tell, but always use a sock puppet. Always have a persona, always ensure that you’re doing this in a secure way – using VPN or proxies. Use a virtual machine, use burner phones. Don’t use any of your own equipment to do any of these investigations. You should never cross over your real-life persona with what you’re doing online. Ensure that you’re recording all of the information you find. I mean, it really depends on if you’re doing this for law enforcement or internally. But I would say for most people, you need to record what you’re finding with the dates, the timestamp, so you are able to validate the data is accurate as of the time that you found it. Because obviously all of these things can change, and particularly with the dark web, sites go up and down all of the time. What you find today might not be there tomorrow. It might not be there an hour from now. There are a lot of open-source tools out there that can help you with doing that kind of collection. So I would recommend looking into those, and if anyone has any questions, I’m more than happy to share some of the tools that I’m aware of that can help you with that collection. There’s lots of other OSINT tips and tricks out there. There’s a huge amount of resources online, and for anyone who’s new to the area, I would recommend having a look at those.

Basically, there’s a lot of illicit information and activity that’s happening on the dark web, so it can be a really good starting point for investigations in terms of finding out what’s going on. You can see what people are discussing, you can see trends, you can see victims, you can see how things are operating. Then, moving into more surface web OSINT investigations, you can sometimes expand on that and build out a really big picture. I would say they’re very complementary to each other, and especially if you’re looking at fraud or extremism or drugs or weapons trafficking or human trafficking, the dark web is going to be a really valuable source for you to find information and data points to help you in your investigation.

LockBit

Now I’m hopefully going to go on to some of the interesting bits and walk you through a couple of recent case studies that we have. I’m going to start with Lockbit. Obviously, this has been in the news a lot recently. Kathy is going to share in the chat a blog that we recently did on Lockbit. I think it’s been about two weeks now since the Lockbit leak site was taken down by law enforcement. Really interestingly, I thought, rather than just seizing the site as they usually do, they actually had fun with it and started posting on the leak site things about the Lockbit group themselves. One of the things that they did share was that there were two Lockbit affiliates that they had sanctioned and put indictments against. This is after the fact, but I wanted to highlight how you can get really good information from government sources and official sources about threat actors, and then use that and pivot into other data.

So here we have this individual, Ivan, I’m not going to attempt to say, but Vassalord. We’ve got all his usernames and things that he’s using here, and we can pivot in our own data. We were able to identify that he was active on a number of dark web Russian-speaking forums. Here we can see him; this is in Russian, I haven’t translated it, but he is selling malware. He is giving people advice on different malware and also selling it within the group. So, through looking at this, you know, obviously it’s after the fact, but we can see what his activity was. We can see this dates back to 2022, but we can also see who he was interacting with. We can see kind of what tools he was operating, and we can see more information about him. You can also then take that information and put it into social media tools. This is the WhatsMyName app, where you can put in usernames, and it will search across social media sites and identify if an account exists. So here we can see that there are some old Twitter accounts. There’s a Telegram account, which I already mentioned the threat actors are very active on. We’ve got a Roblox account. You know, threat actors love gaming. It’s giving you these other areas to go and look and to go and research and investigate, and can give you more information to build that picture about that individual.

One thing I was just going to highlight, just because I thought it was kind of funny, was that Lockbit actually put something out a few months ago, I believe it’s a few months ago, it might have been a bit longer, saying they would pay anyone who got Lockbit tattooed on them, and several people did it. And they shared that online, and we were able to see those tattoos, which they probably regret quite a lot now.

There was a second Lockbit affiliate that I also wanted to highlight. This is just highlighting the usefulness of leaked data. We collect data breaches and leaked information and have that within our system. Here you can see there are two separate leaks. One includes an email address with the full name of the individual. If you only knew this email address was linked to someone who was doing bad things, you could put that into a leak and see if you can get more information about them. And here we’ve got their full name in Cyrillic, which I’ve translated, and also their telephone number. And then pivoting on that telephone number, we’re able to see another leak, which I believe is linked to the Yandex app for ordering food. So, you can see kind of the payment information. You can see his name again in Cyrillic as Arthur, you’ve got the phone number there. But also interestingly, you’ve got the iOS version.

So, there’s a lot of information that you can find within these leaks with information about threat actors. And then what I’ve shown below is again, using open-source tools, these are two freely available Python tools that you can use, where you can search on the email address or on the phone number, and it will go and look across social media sites to see if they appear there. And it won’t share that information with the email or the phone number holder. So, you still have OpSec, but here you can see that email address. It has a LastPass account, it has a Nike account, it has a Twitter account so you can start to see where this individual is operating.

Cryptocurrency and Extremism

Another use case I just wanted to highlight. I mentioned cryptocurrencies are used extensively on the dark web. I also wanted to highlight some of the extremist activity that we see. I’m not going to highlight any particular threads on this page because I personally don’t agree with their point of view, but Kiwi Farms is an open forum where people share information about different things. It’s similar to a chan. It does have some not so nice threads on it, but just highlighting that with our Vision platform you’re able to find that information and then also view it through our direct-to-darknet feature as it would look on the site, and you can see this is their homepage. But one of the things that Kiwi Farms do is they have a donation address, so the people that maintain the account are asking individuals to provide them money to keep the site going. So I wanted to see if I could find out anything about that cryptocurrency address and how the funds are being used. I used an open-source blockchain explorer. This is called Breadcrumbs; you can get a basic free account, and it allows you to do some kind of network analysis. You can see we’ve got the Kiwi Farms bitcoin address right at the beginning with some of the people that are paying into that. But I was more interested in seeing where that money went, and a lot of it was circling back. I have removed some of the nodes on this just to make it a little bit more visually easy to see, but a lot of it was going back into Kiwi Farms, but then I was able to find areas where it was being cashed out: Kraken, Binance and Bravada were some of the areas where we were seeing that the funds were actually being cashed out. And you can see that the site, Breadcrumbs, does also give you an overview of the Bitcoin address and how much funds have gone in and out. You can see it’s quite a high volume and it’s been active for the last three years. You can also see that it plugs into Bitcoin Abuse.

Bitcoin Abuse, which I believe has changed its name now to Chainabuse, is another really good source for looking at any cryptocurrency addresses you come across and seeing if they’ve previously been reported as linked to nefarious activity. One of the addresses in the Bravada exchange has actually been reported to be linked to terrorism and sponsoring groups in Russia. It’s interesting that an extremist forum, Kiwi Farms, is utilizing and sending funds out that way. Obviously, I can’t say for definite that that’s what’s happening, but we can see that those funds are being trickled out that way, and it’s another area for us to investigate and look into.

Israel-Hamas Conflict

The Israel-Hamas conflict has obviously been ongoing for a while now and it’s been all over Telegram. So, as I mentioned, Telegram is a really useful place to see a lot of hacktivism, a lot of threat groups. There’s also marketing there, but it’s also being used more and more as a news source, and whether that news is factually accurate or is disinformation is always up for debate, but it’s been a really good source for being able to see what is happening on both sides of the conflict. Actually, on October 7th, it was one of the first places that anyone saw that something was happening. You can see one of the images here is them going through the wall into Israel.

This was on Telegram almost immediately and, anecdotally, I know that people in Israel were watching Telegram for news updates because they were coming through quicker than they were on traditional media sources. But as I said, there’s also been a lot of information that’s been shared there that is probably not accurate. There were definitely videos that were being posted at the beginning of the conflict that actually came from video games and things like that, but there’s also been a lot of the hacktivist groups on both sides saying who they’re going to target, or saying that they have successfully targeted someone, showing evidence of DDoS attacks, showing evidence of defacement attacks, showing documents that have been stolen and leaks. A huge amount of leaks are being shared on Telegram, but one of the things I wanted to highlight, and I don’t necessarily have a good example here, but you definitely can do it, is taking some of these images and the videos that are being shared. Telegram, unlike Facebook, Instagram and Snapchat, doesn’t always strip out the metadata on the images. There are a lot of open-source tools that can help you to see what the metadata is, and if there is any Exif data that’s going to help you there, but also you can get hints of where things are occurring and what’s happening by looking at the images and matching them up with satellite imagery or previous images that have been shared as well.

Scattered Spider

I’m conscious I’m running out of time, so I’m going to go quickly. Scattered Spider is another group, a threat actor group, that we’ve been monitoring. They are a financial crime group. Scattered Spider is the name that’s been given to them by one of the cyber security threat actors, but they’ve been responsible for some very high-profile attacks in recent years, including taking down Vegas with the MGM and Caesars Palace ransomware attacks. They do a lot of social engineering and phishing techniques; we expect those to probably increase in sophistication. Not that they aren’t already, but we know that AI is being used to assist with those attacks, but they are very active on Telegram and Discord and part of what is known within the community as the Com. We’re doing some analysis on who is active in those groups, who is interacting with each other, and what information we can find out about them. So, there’s a lot you can do with the data that’s in Telegram to do analysis, to do that link analysis, to find out who the individuals are, and of course for the main ones you can go and look in other sources to see if they have other social media profiles or other areas that you would want to be looking into.

So, I ran through that really, really quickly. I’ll just leave the key takeaways up here for people to read. Hopefully, that’s what you’ve taken away from it. I think the question about the Drainer service highlights that there’s a huge amount of things that you could cover here. This is very much designed to be an initial overview and an introduction, but if there’s topics and interests that people would like to know more about, please put those into the chat and we can look at providing more information on that in the future.

But with that being said I just wanted to highlight we do provide investigation services at DarkOwl for dark web and OSINT investigations so we can assist you with any investigations that you currently have. With that, I will open it up for questions.
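Two of the techniques touched on in the presentation, tracing funds out of a donation address with a blockchain explorer and checking whether an image shared on a messaging platform still carries Exif metadata, are easy to see in code. The first block below is an added example and is not part of the webinar, DarkOwl Vision or Breadcrumbs: it follows funds forward from an origin address through a small constructed transaction graph (addresses, amounts and the "Exchange A"/"Exchange B" attribution labels are all made up) until it reaches labelled cash-out points, and it handles the "circling back" behaviour mentioned in the talk by expanding each address only once.

```python
# Added example, not from the webinar or from any explorer's API.
# Follow funds forward from an origin address to labelled cash-out points.
from collections import defaultdict, deque

# Constructed edge list: (from_address, to_address, amount_btc). Not real data.
TRANSFERS = [
    ("donor1", "donation", 0.50),
    ("donor2", "donation", 0.25),
    ("donation", "hop_a", 0.40),
    ("donation", "hop_b", 0.30),
    ("hop_a", "donation", 0.10),   # funds circling back to the origin
    ("hop_a", "exchA_dep", 0.25),
    ("hop_b", "hop_c", 0.30),
    ("hop_c", "exchB_dep", 0.20),
    ("hop_c", "hop_b", 0.05),      # a second loop between intermediate hops
]

# Constructed attribution labels, standing in for an explorer's clustering data.
LABELS = {"exchA_dep": "Exchange A", "exchB_dep": "Exchange B"}


def build_graph(transfers):
    """Adjacency list: address -> [(next_address, amount), ...]."""
    graph = defaultdict(list)
    for src, dst, amt in transfers:
        graph[src].append((dst, amt))
    return graph


def trace_outflows(transfers, origin, labels, max_hops=6):
    """Breadth-first walk from `origin`; return {label: (total_btc, min_hops)}
    for every labelled sink reached within `max_hops`. Each address is expanded
    once, so loops back to the origin or between hops terminate."""
    graph = build_graph(transfers)
    seen = {origin}
    queue = deque([(origin, 0)])
    sinks = defaultdict(lambda: [0.0, None])
    while queue:
        addr, depth = queue.popleft()
        if depth >= max_hops:
            continue
        for nxt, amt in graph.get(addr, []):
            if nxt in labels:
                entry = sinks[labels[nxt]]
                entry[0] += amt
                entry[1] = depth + 1 if entry[1] is None else min(entry[1], depth + 1)
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, depth + 1))
    return {k: (round(v[0], 8), v[1]) for k, v in sinks.items()}


def address_summary(transfers, addr):
    """Total received and sent for one address, like an explorer's overview panel."""
    received = sum(a for s, d, a in transfers if d == addr)
    sent = sum(a for s, d, a in transfers if s == addr)
    return round(received, 8), round(sent, 8)


if __name__ == "__main__":
    print(address_summary(TRANSFERS, "donation"))
    print(trace_outflows(TRANSFERS, "donation", LABELS))
```

The hop count matters in practice: a label reached only after many hops is weaker evidence than a direct deposit, which is why the result keeps the shortest path length alongside the total. Real explorers work from on-chain transaction outputs rather than a flat edge list, but the traversal and the loop handling are the same.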
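The second added example illustrates the point about Telegram not always stripping image metadata. It is not code from the webinar or from any Exif tool; it reads the GPS tags out of a JPEG's Exif APP1 segment with only the Python standard library, and it also shows the sanitising step (removing the segment) that platforms which do strip metadata perform. The JPEG is constructed inside the block and is not a real photograph; the coordinates in it (51.5 N, 2.25 W) are arbitrary.

```python
# Added example, not from the webinar. Read, and strip, Exif GPS metadata from
# a JPEG using only the standard library. The sample JPEG is constructed below.
import struct

TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}  # TIFF field types
TAG_GPS_IFD = 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
EXIF_HEADER = b"Exif\x00\x00"


def _entry(tag, ftype, count, value4):
    """One 12-byte little-endian IFD entry; value4 is the inline value or an offset."""
    return struct.pack("<HHI", tag, ftype, count) + value4


def _rationals(pairs):
    return b"".join(struct.pack("<II", n, d) for n, d in pairs)


def build_sample_jpeg():
    """Constructed JPEG (SOI + Exif APP1 + EOI) whose GPS IFD says 51.5 N, 2.25 W."""
    tiff = b"II" + struct.pack("<HI", 42, 8)                  # TIFF header, IFD0 at 8
    tiff += struct.pack("<H", 1)                              # IFD0: one entry
    tiff += _entry(TAG_GPS_IFD, 4, 1, struct.pack("<I", 26))  # pointer to GPS IFD at 26
    tiff += struct.pack("<I", 0)                              # no next IFD
    tiff += struct.pack("<H", 4)                              # GPS IFD: four entries
    tiff += _entry(GPS_LAT_REF, 2, 2, b"N\x00\x00\x00")
    tiff += _entry(GPS_LAT, 5, 3, struct.pack("<I", 80))      # 3 RATIONALs at 80
    tiff += _entry(GPS_LON_REF, 2, 2, b"W\x00\x00\x00")
    tiff += _entry(GPS_LON, 5, 3, struct.pack("<I", 104))     # 3 RATIONALs at 104
    tiff += struct.pack("<I", 0)
    tiff += _rationals([(51, 1), (30, 1), (0, 1)])            # 51 deg 30 min 0 sec
    tiff += _rationals([(2, 1), (15, 1), (0, 1)])             # 2 deg 15 min 0 sec
    payload = EXIF_HEADER + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xd9"


def _segments(jpeg):
    """Yield (marker, start, end) for each marker segment before SOS/EOI."""
    pos = 2                                                   # skip SOI
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):
            break
        end = pos + 2 + struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, pos, end
        pos = end


def _is_exif(jpeg, marker, start):
    return marker == 0xE1 and jpeg[start + 4:start + 10] == EXIF_HEADER


def find_exif(jpeg):
    """Return the TIFF blob carried in the Exif APP1 segment, or None."""
    for marker, start, end in _segments(jpeg):
        if _is_exif(jpeg, marker, start):
            return jpeg[start + 10:end]
    return None


def strip_exif(jpeg):
    """Copy of the JPEG with Exif APP1 segments removed: the sanitising step
    that platforms which strip metadata apply before re-serving an upload."""
    out, last = bytearray(), 0
    for marker, start, end in _segments(jpeg):
        if _is_exif(jpeg, marker, start):
            out += jpeg[last:start]
            last = end
    return bytes(out + jpeg[last:])


def _read_ifd(tiff, offset, e):
    """Parse one IFD into {tag: raw value bytes}; e is '<' or '>' (byte order)."""
    fields = {}
    for i in range(struct.unpack(e + "H", tiff[offset:offset + 2])[0]):
        pos = offset + 2 + 12 * i
        tag, ftype, count = struct.unpack(e + "HHI", tiff[pos:pos + 8])
        size = TYPE_SIZES.get(ftype, 1) * count
        if size <= 4:                                         # value stored inline
            fields[tag] = tiff[pos + 8:pos + 8 + size]
        else:                                                 # value stored at offset
            off = struct.unpack(e + "I", tiff[pos + 8:pos + 12])[0]
            fields[tag] = tiff[off:off + size]
    return fields


def _dms(raw, e, ref):
    """Three RATIONALs (deg, min, sec) to signed decimal degrees."""
    v = struct.unpack(e + "6I", raw)
    value = v[0] / v[1] + v[2] / v[3] / 60 + v[4] / v[5] / 3600
    return -value if ref in ("S", "W") else value


def extract_gps(jpeg):
    """(latitude, longitude) in decimal degrees, or None when no GPS tags exist."""
    tiff = find_exif(jpeg)
    if tiff is None or tiff[:2] not in (b"II", b"MM"):
        return None
    e = "<" if tiff[:2] == b"II" else ">"
    ifd0 = _read_ifd(tiff, struct.unpack(e + "I", tiff[4:8])[0], e)
    if TAG_GPS_IFD not in ifd0:
        return None
    gps = _read_ifd(tiff, struct.unpack(e + "I", ifd0[TAG_GPS_IFD])[0], e)
    try:
        lat_ref = gps[GPS_LAT_REF].rstrip(b"\x00").decode("ascii")
        lon_ref = gps[GPS_LON_REF].rstrip(b"\x00").decode("ascii")
        return _dms(gps[GPS_LAT], e, lat_ref), _dms(gps[GPS_LON], e, lon_ref)
    except (KeyError, struct.error, UnicodeDecodeError):
        return None


SAMPLE_JPEG = build_sample_jpeg()
```

Running `extract_gps` on the constructed file returns the embedded coordinates, and running it on `strip_exif(SAMPLE_JPEG)` returns `None`, which is the check to apply to an image after it has passed through any platform before assuming the metadata is gone. Real photographs carry many more tags (camera model, timestamp, software), and the same IFD walk reaches them.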

What data sources are considered dark web?

Dark web traditionally is sites that are accessed through Tor, so the Onion Router, but you also have things like I2P and ZeroNet, which are also dark web providers, and there’s a few more out there, but they’re not used as regularly, such as Magnesium. As I mentioned in the presentation, we also view things as dark web adjacent when it’s the same kind of use case and the same kind of individuals that are operating. So, we definitely consider that to be Telegram, to be Discord, ICQ, and then some surface websites as well which are there. So, I think it’s open to interpretation. It depends how narrow you want to be, but I think with OSINT investigations you always need to be open to all of the information that’s out there and being able to validate it against different sources. So, the more data points that you have, the more likely that you’ll be able to do that.

How do you locate and identify new groups on Telegram or Onion sites?

Manually is the main way. So, for Telegram you can do searches in the global search on Telegram or on the desktop app. If you have a keyword or a search that you’re aware of, you can put that in and see what you would find. I would also look at the groups that you’re already tracking and monitoring and search for the links. If you click on the channel page, you can go to links and it will show you other Telegram channels that have been shared. I will also sometimes look at other social media sources – people on Twitter or other forums will sometimes say, let’s take this conversation to Telegram, and they will share an invite link there. You can also use Google Dorking to search Telegram, which is quite useful, but I would say it’s a keyword phrase. If you’ve got a particular topic you’re interested in, search for that. And then also, if you’re looking at individuals in other countries, do use the native language. So if you’re looking at Russian threat actors, search for your term in Cyrillic as well as in Roman characters, because you’ll find more information that way. Onion sites, again, it’s similar. We are already monitoring the major forums and marketplaces, and they will share other areas that they’re accessing. There are sites out there that will track new onion sites that have been created and what they’re being used for. So we can look at those. It is kind of just pulling through the different links that are being found and then reviewing them to make sure that they have actually got useful information on them.

Does DarkOwl have copies of entire sites that can be walked through? For example, could one walk through Silk Road and see the listings and users that were active back then?

Yes and no. We have our data, it goes back to 2016 in earnest. So, we do have all of that information, but we store it in documents and pages. You could search Silk Road and go through it. But one of the things that we don’t do is collect images due to legalities around CSAM material. You would be able to see the postings, you would be able to see the usernames and all of that information from any site that we’ve been collecting since 2016 but it wouldn’t be a walk through in terms of – it wouldn’t look like the site. You couldn’t click on buttons and things like that, but the data is all there.

Other than breadcrumbs and chainabuse, what are some other great sources for tracking crypto and blockchain across the deep and dark web?

I think there’s so many sources out there. Breadcrumbs is the one that I like to use just because it’s free. I mean, obviously there’s paid services out there that are very, very good. I’m not aware of many others, especially not on the dark web. They’re not there for tracking purposes. I think one I heard of that I’m not familiar with, but was recommended to me recently, was Qlue – that is supposed to be quite good for cryptocurrency monitoring, but it really depends if you want to do a paid service or open-source.



[Webinar Transcription] Illuminating the Darknet for Government Agencies and Law Enforcement

February 09, 2024


Due to the layer of anonymity the darknet provides, it is often a hub for illegal activity. The technology DarkOwl leverages to collect and index, 24/7/365 in near real time, hidden digital undergrounds is key in obtaining crucial data and situational awareness for intelligence and government agencies, and law enforcement.

DarkOwl, the leading provider of darknet data, reviews how the darknet can be used to:

  • Track illicit sales of drugs, human trafficking, and cyber weapons
  • Detect potential threats and monitor persons of interest
  • Stay one step ahead of foreign Nation-State adversarial activity and attacks
  • Learn the latest tactics, techniques, and procedures of threat actors to better prevent future cyberattacks on critical infrastructure

For those that would rather read the presentation, we have transcribed it below.

NOTE: Some content has been edited for length and clarity.


Alison: Thank you Carahsoft for putting this together. Thank you all for logging on. I’m going to jump right in. I have a lot of content to cover. And as Erin mentioned, we will field some questions at the end.

So I’m going to go over a little DarkOwl history, specifically dig into why this data set is so crucial for so many areas of the US government and other government partners. We’re going to look at some data examples off of the darknet. It’s always fun to do. So I’m then going to end with the current events that have recently elevated the darknet data set just in a more global way. And then if there’s time, we’ll walk through an interesting data leak that we uncovered. Before I launch in, I did want to mention that DarkOwl will be at the AFCEA West conference, which is in San Diego next week. I would love to meet anyone going there.

So history on DarkOwl. We’re based out here in Denver, Colorado. We have been doing darknet collection for over ten years. Essentially we have 24/7 coverage of collecting data, pulling it off the darknet, parking it in our database, and then we give our clients access to that. Obviously, there’s a bunch of different formats that that can take. We have a user interface, there’s a bunch of different API endpoints. And like everything, the devil’s in the details. And I think the one thing I want all of you to walk away with today is, when we think about darknet collection, by definition, if you were to go out and take a look at, you know, a handful of Tor pages a couple times a month and store those in a database, you are, in fact, a darknet collector. That said, I would argue that DarkOwl’s strength is in how we define the darknet and what our collection efforts are focused on. And I think we do a really good job of walking the line of both automation and manual work. You can’t get the scale of data that’s going to be valuable if you’re trying to do this entirely manually. That said, if you’re doing it entirely automated, you’re not going to get into the hard to find sites or be able to maintain personas and get into forums and marketplaces. So we use both those techniques. If you’re looking at this slide here, I know this is a little noisy.

Everything in red is our data sources that we collect from. DarkOwl obviously we’ve been collecting from Tor forever, that’s been our bread and butter. We have really focused in the last year or so on a lot of the peer to peer networks. I’m getting so many questions from law enforcement, government, commercial on Telegram collections. So we’re going to go into that a little bit further on. But you can see here Telegram, Discord, I2P, ZeroNet. Our collection team is always trying to figure out what the next platform is – where can we start to collect? And all these take different efforts from a collection standpoint. A lot of skill behind the scenes here in navigating all of these, regardless of where we get it, it’s all parked in our database. And then you’re able to access it as a DarkOwl client.

So this slide is just a visualization of how the data flows through.

So as I mentioned, we’re doing all the collection. We park it in our database. And then as we bring that data in, we’re trying to tokenize and add as much structure and value as we can to make the searching and finding from all of your end a more streamlined process. We will tokenize information such as email addresses, IPs, crypto wallets, credit cards, usernames. And then depending on what that tokenization looks like, the bottom line here is the product set that we, DarkOwl, spit out of that data. So on the far left hand side is our user interface. So that’s going to be an analyst dashboard. And then we have a lot of different API endpoints ranging from, you know, Scores, which we call DarkSonar, which is a relative risk measurement of an organization or an agency or a government group’s presence on the dark web just numerically represented, all the way down to DataFeeds, where we are just pushing data every couple of minutes to clients. So it runs the gamut. But the important takeaway here is that the collection is done by us. We do the tokenization, and then we let you search and filter that depending on what information you’re specifically looking for.

On the left hand side – these are our sources. And as you can see by the numbers, we’re really trying to scale at all times. These numbers were just updated – 28 million records from Telegram channels. All of these documents are coming in, being tokenized, and then accessible. And, you know, at the end of the day, I feel like we’re solving two problems. Number one, there is no reason any of you can’t go out and do this on your own. You can download Tor, you can have a burner device. It’s just extremely inefficient. Right? It’s going to take time for you to do that. Collection sites go up and down. So it’s an efficiency play. And then number two, especially in looking at the attendee list here, I know most of you are US government. There’s a real safety feature here in that DarkOwl has done the collection. You are only playing in the DarkOwl data set, so you don’t run the risk of exposing your own organization or burning a persona. We’re doing all of that in the backend, so it’s efficiency and safety at the end of the day.

So thinking about the darknet in regards to US government use cases.

And I kind of boiled it down to three here. I’m sure all of you can come up with more, but the first one I think of is just the force protection side – looking out for our own exposure, monitoring for email exposure, looking for PII of prominent folks and alerting them and making sure that we have an understanding as a government of what potential vulnerabilities are out there. And that could run the gamut from exposed PII for someone in a senior position to military part numbers being sold or darknet forums discussing ways to penetrate organizations.

The middle one here – identity management. So I think of that as the investigation side of it – really using the data set to conduct research, to look into identities. How are people talking about this? What can we find? What can we correlate? Who can we associate with this? A lot of red team activities.

And then on the right hand side here, targeting and thinking about what can this data set tell us about nation states and other folks, threat actors, what’s trending, ransomware, there’s so much content out there that is powerful to be in the know on how that’s being talked about and presented.

So without further ado, let’s jump into some data examples. And again, I highlighted before we do that, why is this data set so challenging to get your hands on. Part of it is just the time and effort that it takes to do this, these sites go up and down all the time, they move locations. Access to these forums and marketplaces – it’s not as simple as just signing in, and you can’t scrape page one, scrape page two and park it in a database. You need to be very strategic about how you do that. So these are some of the skills that we possess and have been doing for a long time. CAPTCHAs. And I’m not going to do a live demo today, but I do continue to fail CAPTCHAs on the darknet. They are extremely hard. I’m always laughing at that piece. So we’re doing these collection efforts in the background and basically taking that time suck and that risk off of all of you. Then the evolution of where people are moving to, I mentioned these peer to peer networks. You know, we’ve seen such popularity there, especially with the start of the conflict breaking out between Russia and Ukraine. Following those trends is something that we’re always staying on top of as well.

Alright. Darknet data. What’s out there? I just pulled together some slides of examples that I thought might be compelling for some of you on the phone, and to just give you a sense for what we’re looking for. So, no surprise, a ton of PII, all sorts of banking and transaction data, credit cards for sale, exploit kits, malware. And remember, by definition, the reason to be on the darknet is to remain anonymous. So anyone trying to sell or transact or trade in any illegal goods or services is going to be attracted to that. So there’s forums and marketplaces on how to do these things. It’s a colorful space.

The next bunch of slides are going to be screenshots from our platform, which we call Vision. And I’ll highlight just some of the findings here.

So I know it’s a little small on the background here, but if you look up at the top in caps it says DHS traders home addresses. So this is a hacker that’s uncovered some PII and is posting it out there, maybe in anger, unclear. And they’ve listed everything from title, home address, phone numbers. This is just someone posting this on a Tor page and we were able to capture that. And then this is a result right out of DarkOwl Vision.

Here’s another one. This is someone who is promoting their skills around making custom IDs, utility bills, bank statements and other documents, passports for sale. You can see the price here in Bitcoin. This is very, very common – people trying to gain business and sell IDs and everything you can think of.

So here’s one that I thought would be good for today.

This is a counterfeit item. They’re selling DOD ID cards and editable templates. You can even choose your own name and picture.

Alright, moving along – event and personnel protection. I looked at the registration list and I think some of you are tasked with some of these directives.

These are screenshots here of folks that, this one in the middle is actually a Telegram group. You can see there’s 32,893 members in it. It’s entitled the Ultra Patriot Voice. You can see some words down here at the bottom. So these may be channels that would be worth monitoring. We’re collecting from them on an ongoing basis. We’re able to identify what users are in those Telegram channels, what their ID is, what their username is. And then, given some of our other sources, we can oftentimes back that into an actual person.

It wouldn’t be a good darknet presentation without the talk of ransomware. This is such a prominent thing for all of us.

Our commercial clients are always very concerned about this. This is a screenshot of what we would see on the darknet side. So this is not what the victim would see on their own network. It’s important to understand here that the ransomware actors are hosting this content, and they call them shame sites. So they’re posting this and saying, hey, and in this case, this is actually a grocery chain. And they were saying, you know, here’s the information we have. But why this is so critical is because this is where we can assess and figure out what actual data has been exposed. So monitoring these sites and being able to be there in real time is important.

This is a fun slide.

This was actually an investigation that DarkOwl had done where we identified and tracked a Portuguese speaking threat actor. They were involved in a mobile device malware issue. If you look kind of towards the bottom here, we were able to confirm that the suspect’s activities were in a bunch of these communities and the black part at the bottom here where it says steam, where you can see where it’s grayed out there. That was actually a leaked IP address that we were able to get a potential physical location for this gentleman that was in the Brazil area. I like to highlight this one because I think the first thought a lot of folks have in regards to the darknet is that there’s no geographical location because everyone has obfuscated their identity and their location. That said, there’s enough breadcrumbs in there that you can often back into it. So this was a case where we were able to do so.

Insider threats. So we see a lot of posts in regards to this. This is actually someone who’s looking to recruit insiders. You can see that this site toggles back and forth between English and Russian on the right hand side here towards the bottom – they talk about my team will lock, exfiltrate and pivot with your access keys and with your access, and you’ll keep a percentage of the money for giving access. So they’re recruiting folks to try and get in. This could be government related, commercial related and or both. So insider threat, no surprise there.

Drug and gun sales on the darknet are very prominent. We see it all the time. There’s marketplaces dedicated to it.

I think there’s some folks on the phone from the DEA. Kudos to you guys. It is an uphill battle. And I know you’re fighting this daily. There’s so much, and we’ve improved. One of the things we’ve done at DarkOwl very recently is going into a lot of these forums and marketplaces and really dissecting how the chats are happening. So what I mean by that is looking at timestamps and who’s talking to who and trying to build out these networks so we can try and get to the bottom of some of these. There have been some really great use cases where our clients were able to use this data to solve a case.

One question we get often is what do we do with images, right? There is a lot of content on the darknet that none of us want to have eyes on. And so what we do at DarkOwl is we ingest all of the text into our database.

So on the left hand side here, you see a screenshot from Vision. That’s our platform. And I simply ran a search and said, I think my specific search was “glock”, and then the word “sale”, and I think I put in “Miami” as well, because I was talking to some folks in Florida, and this page came up. So you can see we list where it came from, you can see the dot onion and then all of the text here. So if you’re sitting in the DarkOwl platform, you do not need to be concerned about coming across any child exploitation photos or anything in that regard. That said, sometimes the images that are captured can be quite compelling. So we have recently added what we are calling Direct to Darknet. You can see in the middle of the screen, there’s a little light blue bubble there. So if you click that button within the DarkOwl tool, it opens a new window. You’re in a safe, secure sandbox environment. I do it all the time off my DarkOwl laptop. This is not a burner device or anything. And up comes the actual page. And in this case, I’ve taken a screenshot off of the page, and you can see that the bracelet this person’s wearing, to me, would help maybe frame the persona of who’s using this. We also have, if you see in the original text, they’ve provided a Telegram handle here. So, you know, starting to gather a couple pieces of information that I think could be pretty compelling for an investigation here. So, again, the images won’t be pulled directly into the DarkOwl database intentionally, but you can go back out and capture those if needed.

Alright, I’m going to switch gears a little bit. A lot of the examples I’ve provided are ones that folks are pretty aware of – trading, selling, transacting in illegal goods and services is and has been what the darknet has been used for forever. What’s been interesting in the last year or two is really the political climate and how there’s been such an increase in real time chat applications and encrypted communication platforms for people to collaborate both for good and evil. We’ve seen a huge growth in telegram use and therefore the request for telegram data. There’s a lot of these invite only and pay to play architecture that’s been spun up. It’s just such an evolving space. So it’s been really interesting to follow that evolution and start to do some of our collection from these peer to peer networks. So there’s a lot changing. And I would say that one of the catalysts for that was absolutely the Ukraine Russian war. I think our actual data database, so just DarkOwl’s data went up by maybe 10% to 20% just within the first couple months of that. Half a million hacktivists and gray hats were taking on Russia and their allies. We saw just a huge influx of data and communication. It’s been really compelling and interesting to see that evolution in the modern warfare today. In a similar vein, if we think about the Israel-Hamas conflict, very much the same, there’s been a lot of data leaked on both sides.

These images here on the right, the bottom one is an attempt to map some of the hacktivist groups that are working together. These top ones are actually images that were shared on a Telegram channel. This is a whole new way to engage, and it’s been just eye opening for us to see the amount of data that’s coming onto the darknet in regards to these conflicts and wars.

Telegram is coming up again and again. There’s so much information being passed through that. We had a concerted effort, right when the conflict broke out, to try and join a lot of these groups, we were able to get 320 of them into our collection efforts that were specific to the conflict. And we actually have a really awesome blog on our website – it’s worth the read.

Russians on the darknet. Interestingly, the second most represented language in our database is Russian. Their ransomware groups are very prominent, very sophisticated. There’s a lot of content that we have found. I’m actually going to show a couple examples in the next couple slides.

In regards to this, this was an interesting leak where the Bushehr nuclear power plant, sometimes referred to as the NPPD leak, came out on a Telegram channel. This was a hacktivist group that had come out after the death of that woman, and they had downloaded the entire email server and posted a lot of these pictures on a Telegram channel. We, DarkOwl, were able to go in and capture some of those. It was posted in a bunch of different parts, but the compelling piece here for you to take away is we were able to go in, we were able to grab these images and capture this. And this is the kind of stuff that, given the line of work that you all are in, can be pretty compelling to help with investigations. So these were some internal photos. You can see all of the metadata is captured there as well. Historically this has been a plant that I don’t think folks have had eyes on the inside of, or at least, you know, we in the US.

These were a bunch of passports. So everyone that came in and out of that plant had to submit a passport. All of that was being passed through email communications. And because they had downloaded or had taken down that whole email server, every single itinerary of people that had been in and out of that plant in the last couple of years was captured. So again compelling for anyone that was needing to do research in this area or learn more about what was going on here.

You can see the flag here over on the right. This is obviously a Russian aircraft, some equipment, being delivered to this plant. So, again, just compelling information that would not have been able, or clearly was not meant, to be out in the public had been exposed on this Telegram channel, and we were able to capture it and bring it into our data set.

So I’m going to pause there and wanted to take a couple questions.

Knowing that you folks cover Telegram and Discord channels/servers, what are the types of servers and channels that you usually collect from? E.g., are they solely reach groups, criminal groups, or a mixture?

Alison: Great question. So DarkOwl serves both a commercial client base and a government client base. So right now, our Telegram and Discord collection is focused on what our specific client use cases are. For instance, we had a client join a couple months ago that was concerned about some financial fraud that they were combating, so we joined a bunch of Telegram channels on their behalf. So the short answer is it depends on our client’s use case, but I would say the ones that you referenced are all a part of our collection. We also love to do collection by demand. So what I mean is, as we bring on new clients, we always sit down during that onboarding and say, you know, what’s of interest to you? What Telegram groups can we join on your behalf? What is your use case? So a lot of that collection is customized to what our clients are looking for.

GEOs from the IP: are you getting IP registration geos through a service like MaxMind, or is it a GPS geo from a device using that IP?

Alison: So if you’re referencing the slide where I was talking about that actual investigation, we pulled the actual IP address off of a post that we saw, and then we weren’t geolocating that within our tool, so that would have to be done outside of the Vision tool.

If Tor sites are always going up and down, how do you track this and find the news sites/markets?

Alison: I talked about this early in the presentation. It’s a combination of both manual and automated. So if we’re on a Tor site and crawling that and we see that there’s links to other pages, we will immediately spider and go to those pages and start collection there. Sometimes we’ll use one of our analysts to find a forum or marketplace. And oftentimes if those forums or marketplaces go down, they’ll post, hey, we’re moving it to this, or this has been taken down by law enforcement, we’re going to stand it up here. So it’s a combination of both spidering within the pages we collect and following those links, and then also our analysts just knowing the space and navigating to new forums and marketplaces. And the nice thing is, once we’ve captured the information, it’s retained in our data set. So if we were on a marketplace last week and we pulled down all the listings for Glocks for sale in Miami, and then that site were to go down today, if you went into DarkOwl Vision, it would still be there. So there’s a nice lookback feature here because we don’t age off any data. So that’s where the capturing and looking back can be helpful.

Our unit’s focus is the commercial exploitation of children in the US, specifically California. How is your coverage of that topic?

Alison: We should talk because we actually have a partnership with a couple nonprofits that are in a similar line of work as you. We’re collecting this information at scale. So I guarantee we are going to have some sites of interest for you. The piece that would be important for you is that direct to darknet piece, where you would probably have to go out and actually capture some images there. I would want you to sit with our product team and walk through what that looks like. But my guess is we do have content that would help you with your work.

If we are looking for a particular chat, such as those including child exploitation, will your company actively search topics or is it only the data that has already been pulled available?

Alison: No, we will actively search sites if for some reason there’s a site that we are not already collecting from, whether that be a Telegram group or Discord server, or a dot onion. We will go out and collect from it, per your request, as long as we’re able to do so.

What data sources are considered dark web?

Alison: It depends on your definition. I feel like everyone’s definition of dark web is a little different. We at DarkOwl consider that to be Tor, I2P, ZeroNet. And then, as I mentioned, we collect from a lot of these dark web adjacent peer to peer networks. So Telegram, Discord, and some others. But the short answer is I think the definition of dark web can vary depending on who you ask. Ours is fairly broad, and we try and collect from a lot of adjacent sites as well.

How do you legally collect all this information? Is it OSINT?

I’ll answer the first part – legally, everything that we collect at DarkOwl is considered OSINT, so open source, and we are able to do so with the right skill set. Any of you could go and find this information. A couple lines we will not cross. We will not purchase data. We won’t go behind firewalls. We follow very strictly the Department of Justice guidelines around data. Everything is done ethically. And again, we’re not purchasing data and/or going behind firewalls. So we’re able to collect it because it’s open source information.

Can we search the data you collect by name, date of birth, etc.? Can you show how the application works live?

I can absolutely show how the application works live, not on this webinar because they’re recording it and going to be sending it out. I’d be happy to give you a demo outside of this webinar. To answer the first part of your question, you can search for anything in our data set. Think of it as the Google of the darknet. So there’s a big search bar, you can type in a term, an email address, a phrase, and hit search. And we’re going to show you all the results that are relevant to that, that have come out of all these varied collection sources. So yes, you can search for a date of birth, you can search for a Social Security number, a phrase, whatever you want.

What are upcoming trends security practitioners should be looking out for?

I’m definitely not the best person to answer that question, but I would tell you that our collection team is always trying to stay ahead of what’s coming up next. And a lot of these forums and groups are talking about what the next technique is. I think the best we can do is all come together, those of us that are on the right side of the coin here, and share what we’re seeing and hope that by sharing those practices and sharing what each of us is coming up against, we can make some headway. But I feel like I’m not the best one at DarkOwl to field that question.

Do you have a newsletter, an email of examples of cases which were sought and closed and how they were investigated and the outcome?

Absolutely. We have an extremely comprehensive blog that we put out, and there are white papers. I will tell you that if this topic is of interest in any capacity, any of the slides I showed, whether it’s in regards to some of the recent conflicts or very specific drug sales, our blog is incredible. There’s so much information in there. All of those pieces were months and months of research.

Would you be able to say if any departments in New Jersey are currently using DarkOwl? I just want to see if this is something that would be beneficial to our detectives.

Off the top of my head, I don’t think we have any New Jersey specific clients, but I will tell you that we absolutely have state agencies and state departments that are using this. We have both federal clients and a lot of SLEDs. So I’m happy to make a referral to another state that is using it and see if that would be helpful to talk to them and learn more about their use case.


[Webinar Transcription] Iran: A Top Tier Threat Actor

January 30, 2024

Or, watch on YouTube

Iran continues to quickly gain sophistication in Cyber. Its state sponsored (military and civilian) and cybercriminal operations have worldwide impact and deserve attention. Iran’s relationships with other adversaries like China and Russia will continue to strengthen its cyber capabilities, but also its general position in world conflict, including its efforts in hybrid warfare. These are already witnessed in Ukraine, Belarus, Israel, Syria, Yemen, and other high-conflict areas.

In this webinar, we covered:

  • Evolution of the Iranian cyber program and its current state
  • Iranian state sponsored activities
  • Cybercrime activities that occur on the dark web and adjacent platforms
  • Geopolitical events and relationships that influence Iranian cyber actors
  • Why Iran needs to be taken seriously as a digital threat

For those that would rather read the presentation, we have transcribed it below.

NOTE: Some content has been edited for length and clarity.


Steph: Welcome to everybody and thank you all for joining. I am a 20 year Iran follower, I speak Farsi, I am former military and former Department of Defense, and Iran and Afghanistan have been my target area for the past two decades, if not more. I am thrilled to speak about them today. I’m always thrilled to speak about them. I’ve done this talk publicly for probably five years and there’s always so much to learn. There’s always something new to cover and track, and I’m really excited to do this for you today, so let’s dive in with that.

So let’s address the elephant in the room, which is Iran’s physical activities and proxy activities all over the Middle East. The point of today, especially because we have limited time, is their cyber program. Past, present and future – is how I like to organize it. But we cannot go without addressing, especially after last night’s drone attack, the obvious physical attacks and the incidents and the tension that is definitely increasing day to day on the ground. I wanted to give this audience some way to empower all of you to research and take a look at yourselves, because I have followed more of the cyber activity versus the physical and the Iranian military. So please, I invite you to familiarize yourself. Go to CENTCOM directly – centcom.mil has a ton of wonderful blogs. Their analysts are top notch. Get the information from there yourself. CENTCOM, Central Command, located in Tampa, Florida, controls the entire US military activity in all of the Middle East, Iran and everything surfacing. All of the borders, all of the bases. Anything that’s of interest, you will get your answers from there.

The other two sources I’d really love to highlight for you are think tanks and just wonderful CTI research firms. Overall, Atlantic Council has an amazing, amazing body of literature on all of Iran, to include present day conflict, and Sibylline, a UK firm, is also absolutely amazing. So lots of attacks going on. We are going to show and demonstrate how the cyber gets into the physical attacks and how this lends itself to working together, as well as an emerging trend which is hybrid attacks. That is where, you know, maybe Iran has something going on, maybe they’re conducting a DDoS or ransomware attack or any kind of online activity to distract people in one corner, and then in another area of the world, let’s say, you know, there’s a drone attack on a supply chain along the border of Lebanon and Syria, or there’s a physical incident against a US base in Iraq or anywhere else in the region, right, Bahrain or anywhere else. So please do take the time, if you are interested, to look at these sources that really focus on physical contact.

And with that, let’s get into the cyber of Iran. I like to do a timeline. For the past 20 years, Iran has always been kind of floating in the background. A lot of people attribute Russia to being more sophisticated and our major adversary in cyber. A lot of people look to China, who’s also incredibly sophisticated and very powerful as a Western adversary. Iran is not to be discounted. And I think that, unfortunately, this current conflict in the Middle East is probably showing just how strong they are.

I’d like to go back to 2009, which is when the major Iranian cyber activity started in the way that the outside world could observe it. Right? Iran is a locked down, isolated country. They fault the West for that. Prior to 2009, they had cyber entities. They were doing defacements, they were doing hacking, hacktivism, just putting out political messages. But it wasn’t anything sophisticated. Cut to the internal Green Revolution, which is where the Iranian population stood up, and one of the first times they really tried to go against the Ayatollahs and the regime to change it. As we all know, the authoritarian theocracy that Iran is absolutely will not tolerate that. So the Ayatollahs and the government and the IRGC and the MOIS, which we will also get into, started monitoring their population with their own apps, their own GPS, all of the cyber and technical tools that kind of reveal locations today. The Green Revolution brought that about internally.

I likely don’t have to tell anybody on this webinar about the 2010 Stuxnet response. When Iran understood that their nuclear program had been compromised, they understood that they needed a wide, wide, wide defense to protect their internal infrastructure, networks, etc. So the Stuxnet response really prompted them to have an offensive and defensive cyber capability. And if you go from 2012 up to right now, 2024, look at these activities that they’ve all done, right. Posing as LinkedIn researchers, they’ve had several successful ransomware campaigns, espionage and IP theft is a very constant activity for Iran as well. Election interference, not just the US. They’ve also meddled in European ones. In 2020, this is every threat actor, right? As the pandemic raged and everybody worked from home or remote, VPN exploitation and spreading malware was of course extremely common and rampant. Iran participated in targeting industrial control systems. I’m sure that you’ve seen, if you follow cyber or any Iranian news, they go after the PLCs, programmable logic controllers. They are going after anything SCADA, ICS, any fear of disruption to the daily life that the Western world takes for granted.

I can’t highlight this enough, and you’ll see it in this presentation, that Iran really wants to disrupt water supplies, power supplies, banking, the financial systems, because they know that fear is a powerful motivator. They also know that they can’t physically do these things. It’s much more difficult. Restricted travel – Iranians are not welcome in a lot of places in the world, so they go after it digitally, and that’s one way that they can definitely get to the psyche of American and European politicians, leaders, government. Then let’s go to, of course, more cyber espionage. MuddyWater was extremely active in 2022, and in 23 and 24 we saw front company involvements, which we’re going to get into in detail. Of course, the Ukraine and MENA conflict. Iran has personnel on the ground in Belarus. They’ve conducted disruptive cyber attacks on behalf of Russia, targeting anyone who’s sympathetic or encouraging to Ukraine. And 2024, we are just about a month in. We have global conflicts everywhere, right? We have the latest in the Middle East. We have global elections. A lot, a lot of countries are going to the polls this year, and Iran is one of those countries. So they have domestic elections; guaranteed that they will continue spying on their population. The Iranian president is a placeholder, not an actual person of power. So I highlight all of this to say that in, you know, 12, 15 years, Iran has strongly emerged, bettered and improved and made some really key allies such as Russia and China, to only better and improve their technology and their cyber programs. It’s very important to realize that.

What are their motivations? Why are they doing this? First and foremost, again, I’ve mentioned that Iran is isolated. They want to become a recognized global power. They feel that teaming up with Russia and China will do that, because they fault the West, Europe and the United States for having isolated them since the 1979 sanctions, keeping them out of important world meetings and world organizations. They’re extremely bitter about the isolation that they faced. Revenge for Qassem Soleimani is still a tagline. While experts tried to claim that part of the October 7th, 2023 attack was for Qassem Soleimani, Iran put that message out. That has been disputed. But all of their other actions in cyberspace, as well as physically, they’re extremely upset about Soleimani. Espionage.

Iran cannot partake in normal business operations due to the aforementioned sanctions. So how do they get their information? They take a page from China’s book and conduct IP theft, espionage, get all of the information, whether that’s to improve their aged fleet of weapons, planes, cars, anything, you name it. They just want to take all of the information and better themselves. And this last one is kind of a newly emerging one that they’ve publicly spoken about: eradicating Western influence throughout the Middle East, creating that new world order. They’ve wanted this for a long time. But now that tensions with China and the US are increasing, as well as globally with Russia now, they really feel that this is the time to move forward, use their cyber, use their strength to eradicate the Western influence. They’re going to start in the Middle East and try to keep going, to keep expanding.

The cyber bodies of Iran, their organization, it’s really not that different from anything you might be familiar with.

They, of course, have a civilian and a military component. The MOIS is their civilian component. It’s the Ministry of Intelligence. These are the civilians that have long standing careers working for the Iranian government. And then the IRGC is the Iranian Revolutionary Guard Corps. The Basij special forces are subordinate to the IRGC, as is the Iran Cyber Army. And I also have some university GIS that are down below. So Iran has mandatory conscription. You can fulfill that mandatory 18 months to two years as a cyber actor. You don’t have to do anything physical. You don’t have to do infantry or artillery or anything like that. You can truly go through any of the controlled universities which are listed below, and learn and get your initial skills fulfilling your conscription. And then you can do a couple of things. You can stay in the IRGC, you can serve there. You can transfer over to the MOIS and go from military personnel to a civilian. The important thing is, and what Iran wants to do, is control all of their cyber power and their cyber training and their curriculum to keep that talent, those people that they train, internal. Too often they’ve seen in the past, especially even sons and daughters of government officials, will go to Western universities in Europe or in the United States and then choose to not come back to Iran. Iran, the MOIS and the IRGC, has made a concentrated effort to keep that cyber talent within the country because they know how absolutely essential it is, not only right now, but for their future.

So let’s get into a little bit more of the MOIS versus the IRGC. It is extremely important to note this for the concept of attribution in cyber. I personally, as a researcher of 20 years and having been military and government and now fully private civilian, as well as doing a couple of years at a think tank in academia, I do not believe there is anyone that should be doing attribution in cyber unless it’s a government, European, American or anything. There are too many obfuscation tactics. There are too many ways to hide actual parties, hands on the keyboard. Can you say that traffic comes from Iran? Can you say that it’s definitely linked to a pattern of Iranian influence? Can you evaluate source code of Iranian tools and malware? Absolutely. Can you determine who is doing it? I, MOIS versus IRGC, know why they have a long standing competition and hierarchy. So both of these bodies are very cyber capable, have active, active campaigns going on right now. The MOIS is thought to be a little bit more sophisticated because of the lifelong training and techniques and polishing of their employees. They’re very, very good. They’re very sophisticated. They’re very well trained. The IRGC is thought to be a little bit more sloppy. They have accidentally left hallmarks of Iranian work in their source code and they’ve left artifacts open. This is different from when they want that to happen. There are times that Iran, both the IRGC and the MOIS, purposefully leaves comments in source code. They will taunt Saudi Arabia, they will taunt companies and say, you know how we’ve infiltrated your systems. But the IRGC has also made multiple mistakes and did not intend to reveal that they were behind it. And so you have to consider that as well.

Another active competition that goes on for them right now, not just in cyber but worldwide. So the MOIS only recently came to be the favored organization. When the Ayatollahs took over in 79 and all throughout the 80s, do you see, Iran is an authoritarian theocratic state. The military controls everything: citizens’ activities, online activities. So the IRGC was favored and was always sought after for online cyber operations. In 2009, Rouhani came to power as the Iranian president and, for whatever reason, changed and started to favor the MOIS and use them for operations, consult with them, use them for intelligence and especially a cyber program. So right now, the MOIS remains in favor from 2009. And what that means, and what I have seen over and over, and anybody in the community has, is they will pit and intimidate one another. So the MOIS might say, I don’t know who that activity was. It wasn’t us. You should probably talk to the IRGC, and vice versa, right? So they pit one another against each other. They try to cover their tracks by framing one another. There absolutely have been operations, hands on the keyboard, where it’s MOIS actors who pose as IRGC actors and impersonate, and again, vice versa. So it’s important to recognize that, yes, we can track activity coming from Iran, we can track VPNs and all of the obvious obfuscation techniques, but I don’t think we can get as granular as saying this is an MOIS officer versus an IRGC one, especially with all the tools that cyber has.

So just keeping that in mind moving forward, as you evaluate campaigns and malicious activity, it’s incredibly important to note the MOIS and IRGC rivalry, impersonation, and how they move forward, especially in digital operations.

We’ll get into the APTs and cover them quickly. So APTs have been around for a long time. It’s advanced persistent threat. These are generally actors who are financed, sponsored and supported by a government. These are fully government attributed actors. Iran has right now 32 active APT groups, of course with varying levels of sophistication and skill. So we will cover them. But I think it’s too important, especially right now, and we’re going to see why with front companies, with ransomware and with cybercrime, and that is what DarkOwl specializes in. You have to look at the other groups. It’s no longer only APTs out there publicly acting and attacking, right? And APT actors, as well as governments of our adversaries, have caught on to, oh, I can blur activities, or I can, you know, have plausible cover if I use a cybercriminal group or if I employ somebody or pay them to do that. So APT is still very active.

APT is absolutely on the dark web, absolutely using Telegram. But they’re not the only force to be reckoned with. And I think that’s an important change as we move forward, especially as global conflicts erupt and people take sides, criminal actors are going to come more into play. Really important to note. So 33 and 34 I want to highlight, you know, they have their own malware. They have their own TTPs. APT 34 is thought to be more sophisticated technically, while 33 and 35, as you’ll see, are more of the social engineering. So APT 33 is going to impersonate people – reach out as a researcher, a journalist, an academic, send invites for conferences or for paperwork, and use social engineering to get information or espionage. Whereas APT 34 and some of the other more well known Iranian groups have custom malware that they improve upon, test in the Middle East, and then use elsewhere. Why? I’ve highlighted Mimikatz for all of these, and this is a good opportunity to go to the next one.

APT 35 and 39. You will also see Mimikatz still highlighted. Credentials and data are everything, right? That is what we see on the dark web. Selling credentials, selling passwords, hashes, emails with accompanying data or solo. Iran uses Mimikatz in almost every single operation, and that’s APT as well as cybercriminals. And this is really important to note, because the hallmark of cyber actors is, you know, they can do bad with good things. So Mimikatz is an open source tool that you can just get and use, which they do in their operations. It’s similar with GitHub. Everybody uses GitHub, keeps their repositories there. And malicious actors have pivoted to trying to crack GitHub and take open source tools there and improve and use them for malicious purposes. So Mimikatz has been a constant on the APTs for Iran for over 15 years, and we’re seeing a lot of credential use and theft by Iranian cybercriminals. We’re seeing the chatter, the sales on Telegram, we’re seeing them talk to one another.

So this is just another line blurring between cybercriminals and Iranian state sponsored, government sponsored actors. And I think that’s really important to note. In addition to custom malware, custom backdoors, and all of the other ways that they go after anyone or anything online, there are some other groups as well. Of course, anyone following Iran knows that the kittens is what they’re called: Rampant Kitten, Pioneer Kitten, and Static. I’ve highlighted them because they are some of the most active and more recently active at once, so these are important to note, in addition to the APTs of the 30 series. For instance, Rampant Kitten, I would like to highlight that they actually breached KeePass, the password keeper, two years ago. So it’s just important to note that that was a sophisticated impact. A lot of change came after they hit KeePass. They’re talking about all of this online as well. Sharing https in Telegram, sharing how they get in, what’s the best VPN to use to do their operations? They often share that information among the APTs and the cybercriminals. And it’s also important to note that Iran is very active in ransomware, which we will get into later as well, go into more detail. I’m going to pause there because that kind of completes the APT part of it.

Okay, let’s talk about malware. For the more technically sophisticated in this audience, Iran is very talented with creating their own custom malware and using them in operations. I have highlighted some of the older ones because it’s important to note their evolution and the overlap in source code. So we go back to Shamoon. Shamoon was very, very prevalent, especially after Stuxnet. Iran really came onto the scene with Shamoon hardcore. My observation of 20 years is, and this was true with Shamoon, both versions one and two, and this was also true with ZeroCleare, Iran uses countries like Saudi Arabia and Bahrain almost as a testing ground. Shamoon went very, very heavily into the Saudi Aramco systems in the years that it was active. Then Shamoon 2 did the same thing. You’ll see, Saudi Arabia was a repeat victim. Shamoon 2 was, of course, updated from its first version, namely that there were no pre-programmed credentials needed to operate Shamoon 2. That’s just an interesting thing to note, because I just talked about Mimikatz and how Iran does rely on credentials so much, but they evolved the second version of their malware to actually not use credentials. Again, just demonstrating a change in TTPs and that they are able to work both ways. ZeroCleare has a lot of resemblance to Shamoon. If you look at the source code, again, lots of overlap, very, very clear. But it is a separate malware. And I do invite you to please use VirusTotal, AlienVault, Shodan, MISP, any of your online tools that you choose. You know, please go and look these up and look for yourself if you have those capabilities. Iran does offer sophisticated malware and still uses them after they test in places like Saudi Arabia as well as Bahrain, and they fix what they need to fix or tweak anything that they feel enables better operations, and they then expand and use this malware in their campaigns in Europe, North and South America or in Asia.
So important to note that they keep track of their malware, use it internally, and by internally I mean within the Middle East region, Saudi is a favorite. And then they go bigger, they go harder and they go to external telecom.

SCADA again, all of those companies that they want to use, they go external after they’ve tested it inside the Middle East region. The 2024 update for malware: OilCheck and OilBooster have evolved and are using cloud providers for their command and control, their C2, as well as some email based C2 abilities. And that’s using Microsoft, which I think is very important to highlight. We need to be aware of this malware in 2024, especially with all of the elections that I mentioned. And this is being used by APT 34 as well. But there are samples of both OilCheck and OilBooster in the wild that have been used by non Iranian government cyber groups. So definitely confirm that this malware is in use, and we need to keep an eye on it. As 2024 progresses, both elections, the global conflicts, targeting everything, everything and anything that is going on this year with malware, and especially what new malware will they create. Because it’s very early in this year, will we see maybe hallmarks of a Juiceman 2.0? Will new malware surface? It’s important to be aware of what they’re currently using, the cloud and email based providers, versus what they have in the past, so that we can measure what they’re going to look like this year moving forward.

Where is Iran going to go? We are now in the present day of this slide. So terrorism and fringe group operations, I do not need to tell anybody in this audience that Hezbollah, Hamas, and, you know, everything going on in the Middle East, they are very clearly being supported by Iran. Again, this has been a pattern for two decades. The only difference now is that more and more people are paying attention, and it is more public. We can trace the blockchain for cryptocurrency transactions that are conducted by Hamas or Hezbollah or Houthi officials or actors. Notable partnerships: I always talked about and highlighted how that new axis of evil on the digital realm was coming to play. So Iran and China had signed a 25 year agreement for cooperation. In the first two years, there was no actual tangible activity. It seemed just like a lot of news conferences and opportunities. That has since changed. China is helping Iran with some oil production. They are giving them some improvement in flight technologies to improve their aviation. There are now some more tangible results that we’re seeing come from the China and Iran partnership. Russia and Iran, I want to note that it’s difficult to monitor their communications. While there are plenty of Russian and Chinese and Iranian actors and officials open and speaking on Telegram and dark web forums, there’s obviously a part that the open world is missing.

We saw that with the Hamas attack on October 7th, they are using more old school technology, phone calls, in-person meetings, to keep hard core operations that are very sensitive underground and prevent them from being discovered. This is true in the digital realm as well. Russia and Iran and China also all have their own equivalents of, say, Facebook, Twitter and messaging platforms. All of their governments have created their very own applications and tried to draw their citizens to using those for a multitude of reasons. One, it is government protection, right? If you’re Russia, Iran or China and have plans, you don’t want those leaking out because somebody has an ego on Telegram or somebody is using WhatsApp and sharing it, right. And second, it’s just easier to monitor your own citizens if you have your own applications as well. Right? So it’s a win-win for them. They monitor their own citizens. They keep their own information close hold. And again we’re seeing more and more of this. So it’s a balance between observing public information on messaging apps such as Telegram and WhatsApp, discerning what’s true. You know, is this real? Is this a false flag operation? And then we also have to talk about cryptocurrency and crypto mining, which leads to front companies, which we will get into because this is very important. So Hamas and Hezbollah and the Houthis all have cryptocurrency. There’s an underground infrastructure of it. It’s not just cyber operations that fuel their cryptocurrency profits. It’s selling drugs, it’s selling weapons. It’s human trafficking. All of these activities that happen in the physical world are then converted to using cryptocurrency, again for obfuscation, for privacy.

It’s important to note that Iran used Bitcoin in their older operations. I would say anywhere between 2010 and 2016 or 17. And then they made a marked change and decided that their cyber actors, and they have openly talked about this on Telegram and other internal Iranian apps, Iran feels that Bitcoin is no longer safe. They feel that there are too many law enforcement and global policing officials using Bitcoin. So Iran has changed to Litecoin, Zcash and a couple of other lower popularity cryptocurrencies, believing that they’re safer. This means that Russia and China also kind of use those as well when doing business with Iran. Again, we’re hiding communications, we’re hiding funding, we’re hiding money. So it’s important to just note how this works as an overall infrastructure empowering these actors.

Let’s talk about the big three. Hezbollah, Houthis and Hamas, supported by Iran, again, have been for two decades, mainly Hezbollah. I mean, Iran basically created them. Iran has trained, empowered them, financed them, given weapons, given time, given everything. Open secret, actually just open. Not a secret. The Houthis as well. I’ve seen Iran also support the Houthis, especially when they took over Yemen. Iran has lent the how-to: how to control your population and how to control what the outside world sees, using social media and distributing propaganda. Right? The Iranian government controls everything in the country. So do the Houthis in Yemen. So there are definitely playbooks overlapping there, using social media to spread the message of success in every conflict, of their capabilities, of how their drones are taking out. You know, last night’s unfortunate incident was three US soldiers KIA. And they might inflate these numbers when it doesn’t make news just to keep their populations supporting them. You know, instead of three members, Iranian or Houthi, Hamas, Hezbollah propaganda might say, we killed eight, we killed ten, we killed 20, right there. Very, very good at inflating numbers and statistics, and always have been. So it’s really important to note that even when these groups are blocked from Facebook or their Instagram and TikTok accounts are deactivated, a couple things happen. One, they move platforms. They’re going to go to qTox chat, right. Because if they’re doing digital operations, Tox is viewed still as safe and more private. They’re going to go to Telegram because openly Iran has stated that they would rather the Russian government understand and see what the Iranians are doing versus the US government. Telegram is a Russian platform. This is why they feel that it’s safer to use, being that Russia is an ally of Iran. So just because they’re banned and removed from the major social media platforms, it doesn’t stop them. They just change.
I think that’s really important to talk about. They plan or discuss, you know, the outcomes and the positives of operations to keep people encouraged, for recruitment efforts, to grow the forces. They put out false stats to keep their population contained and say that they’re winning. And, you know, again, these things can be harder to monitor. Direct messages on Telegram. Direct messages on WhatsApp. They’re not as easy to intercept. You can’t see them. And so there is a gap there for cyber officials and for a lot of other entities. And so they use those to bolster their operations, bolster their supplies, and just put out what they feel they need to put out, paint the picture, take over the narrative using social media and continuing with propaganda. I mentioned Telegram because, and I want to show more, I am a Farsi speaker. I am not an Arabic speaker. There are tons of Arabic language channels. You can see them. But what I did was just take an example.

Small example of some of the Hezbollah, Houthi and Hamas Telegram channels that have emerged since this conflict. This was true in Russia as well. I think that Telegram really came on the map with the Russia and Ukraine conflict, and it is still there, and Russia is leading the way using Telegram, whether it’s false information, real information, selling data, selling malware. Every malicious actor, and again APT, I stand by, and cyber criminals, they’re on Telegram in addition to other platforms. It is incredible how much information that some of these actors will reveal once you fact check something and say, oh, this actually checks out. So they are sharing information again. They recruit, they are discussing the outcome of physical and cyber operations. They’re fundraising. We are unfortunately seeing them pose as, you know, charities who are supporting Ukraine, charities who are supporting Palestinians or Israelis. Right. They are making up that they are affiliated with a charity, soliciting donations in cryptocurrency and using that platform to expand operations. Of course, that money goes directly to their war and physical attack efforts. They are not actually charities. There are all kinds of ways that they take advantage of populations on Telegram as well as other messaging platforms. Really important to note that they’re going to continue to use these in their operations as they move forward, not just the global conflict and the actual physical wars. But this is a very, very ingrained part of all of their operations: infiltrating think tanks, academia, attempted government infiltration. Right. You can pose as anybody online, and it’s harder to validate on platforms like Telegram and some of the other ones that they’ve moved to. So it is incredibly crucial to continue to monitor this, monitor the talking and see how this shapes up as these conflicts continue and as anybody can pose as anyone else online.

Something to really think about and really keep in mind as you research and as you form your opinions and form your interest in cyber. I’d like to talk about front companies too. This is absolutely essential.

So Iran has perfected the front company game, establishing something as a legitimate entity, registering it, making an LLC, filling out the business paperwork, you name it. They have really, really perfected their game with this. One of the earlier examples of this was the Mabna Institute. This was a 2018 event. It was about nine people that were active, and Mabna was supposedly a think tank, an Iranian think tank that was anti the government of Iran, wanted to work with the Western world, wanted to be linked with them. And what they were actually doing was intellectual property theft from over 200 US and European and Australian universities. So very successful. We’re talking terabytes of information stolen. Again, all of this information was used for weapons improvement, technology improvement, updating their fleet of airplanes.

Rana is another one. Rana is on the right screen here. This was APT39. It was linked to them. So that’s really interesting. And this was just another campaign that targeted Iranian dissidents, that targeted journalists internationally. And just a bunch of companies worldwide who were anti the Iranian government. So they posed as tech professionals, posed as journalists and got in and got a lot of information about entities that were anti the Iranian government before it was tied to the Iranian government itself, which was clearly using this information to take out dissidents, suppress dissent and not allow the opinion of being anti-Iran, anti the ayatollahs, to go any more public than it had to be.

This is the latest one. Our company, DarkOwl, did a write-up on the front company Cloudzy that surfaced in 2023, and I want to shout out Halcyon. I have to recognize them for their calling this out. Halcyon broke the news that Cloudzy was masquerading as a network hosting company in New York, and in reality, it was headquartered in Tehran and run by 6 or 7 different Iranians who had created fake biographies, a completely fake everything on the Iranian internet, on the Iranian media, which then spread to the US media.

This is their actual page, which is still very live, up and running. I checked it as of yesterday. Cloudzy did not respond to takedown requests, and not only was Cloudzy supporting the ransomware operations of all of our adversaries, the big four, China, Iran, North Korea and Russia, but we had Vietnamese actors, Indian actors, cyber criminal conglomerates. This infrastructure was being abused for years by all of the malicious actors. And again, it’s still up and running. And even after the Halcyon report, Cloudzy issued no statements. You can see that they have a blog section up top; they issued nothing, they didn’t write about it. They didn’t refute any claims. They just kind of continued on with business as usual since the news broke in August of 2023. Interestingly enough, “the executives”, I say in air quotes, of Cloudzy and their biographies, they were taken down and their LinkedIn pages changed. Iran loves to abuse LinkedIn, which we’re going to get into as well. But this is just yet another front company that was facilitating bad actors and ignoring requests, ignoring abuse, and is still functioning. So it’s very, very interesting that this continues. And Iran is not alone in this. Russia does it, China does it. A lot of adversaries do it. But Iran has definitely had some very, very successful varying operations, IP theft to hosting ransomware. Extremely interesting. And it’s the full spectrum of operations.

Iran is a heavy ransomware actor. So you’re going to see at the end of this webinar, we do have a deeper one coming up on the big four actors that’s going to be in March of this year, and we’re going to go more in depth on Iran in their current ransomware operations, but highlighting how powerful Iran is and how they use Telegram, as well as the dark web, for their ops. Iran has a history of ransomware, and we do not expect that to stop. SamSam was one of their biggest campaigns. The actors made $6 million, which is no small feat in the Iranian economy. Dharma was another Iranian ransomware, an activated one. It was unsophisticated. You can see that again using those OSINT tools, right? Those open source tools that anybody can procure and use. And it was delivered via RDP. Again, very typical delivery mechanism. And then BitLocker was 2020 to 2022. BitLocker’s decryptor key has been released. I do not believe they are still active, but we’re going to see what Iran does with ransomware this year. Again, I think if I had to hazard a guess right now, their ransomware operations are not as active because they are so involved with global conflicts, again, posing as journalists or aid workers for Palestine, Israel, Ukraine, trying to get information that relates to global conflicts, as well as managing the proxy events in Syria, Lebanon, etc. But I do expect as this year proceeds and as really important, crucial global elections happen, we are going to see a lot more Iranian ransomware campaigns as well as their custom malware. So look forward to that in March when we have our next deep dive on the big four actors.

It is essential to talk about cryptocurrency as well, anywhere in cyber right now. So Iran is a big crypto user in a country where the economy is essentially ground level, right? It’s been terrible for years. A lot of poverty. The only people who are profiting are, of course, those higher up in the government. Iranians who could circumvent the Iranian government’s internet controls have turned to cryptocurrency. You can make money with it. You can start a side hustle and it’s harder for them to track. So cryptocurrency is extremely popular in Iran and always has been. In 2019, the Iranian government banned crypto mining, which is also a way that Iran works with China. So crypto mining, to be very, very short about it. You need a lot of network power, but you also have to control weather and temperature. For obvious reasons, the Caspian Sea region in Iran is extremely valuable for crypto mining. So China helped Iran set up crypto mining farms in the Caspian Sea region. The public caught on to this because again, it’s a small population. Word travels and they, you know, if they’re watching anti-government or if they are anti Iranian government, they want to know what’s going on. So the Iranian government banned crypto mining for personal individuals. Right. You could not have a personal individual conducting crypto mining operations. Then they reversed that ban in July of 2022, implemented a paid license that the personal individual had to get from the Iranian government. So they turned it into moneymaking. So the Iranian government’s making money, personal individuals, non-government affiliated, are crypto mining. China’s helped in this. And voila, we have Iranian crypto. I’ve mentioned that they’ve shied away from Bitcoin, that a lot of them still won’t use it, thinking that internationally it can be traced. And one example of where they’re shifting as well, in the latest conflict between Gaza and Israel, they are using Tron, which is a decentralized blockchain.

It’s a different blockchain, but they’re openly talking about Tron on social media as well as Telegram, because it is not as common in the West, and they don’t feel that it has been infiltrated by Interpol, Europol or other Western government officials. I also want to highlight, and this is DarkOwl data we see constantly. So Hezbollah, in addition to laundering money, spreading money around and, you know, using it for weapons and drugs, etc., Hezbollah has also run a very successful counterfeit campaign. You can see an example right there of the $100 bill of the United States. They’ve done it for euros. They’ve done it for other Middle Eastern countries as well. So cryptocurrency is a booming operation not only for the Iranian government, but also for their proxies like Hezbollah, the Houthis and Hamas as well.

That takes me to the end of this. I am very happy to share any IOCs. Everything I’ve talked about today is a preview. There’s obviously always more. There’s granular details. Please reach out to [email protected] with any questions or updates. Always happy to share more sources. Always happy to hear of an update that maybe I missed. These I really feel are wonderful sources and references that I refer back to and constantly use and update.


[Webinar Transcription] Online Targeting of Minors & Child Extortion

November 28, 2023

As the holiday season approaches and kids and young adults spend more time online, there is never too much to do to ensure they remain safe. In this webinar, DarkOwl and Mr. Bill Wacker share how a close family member of his was exploited online.

As the leader in dark web intelligence, DarkOwl constantly sees:

  • Solicitation of minors and children, asking for pictures, personal information, and more
  • Blackmailing the youth, threatening to extort them or reveal personal information about them or their families if they don’t comply with the requests of the actor
  • Malicious actors posing as a younger individual in the hopes of luring children to meetup in person in order to carry out abduction or kidnapping operations

Mr. Wacker details his personal story about the family member who went through this, how he helped them, and what you and your family can do to keep children safe in an ever connected world that preys on them.

For those that would rather read the presentation, we have transcribed it below.

NOTE: Some content has been edited for length and clarity.


Bill: My name is Bill Wacker, I live in the Cleveland Ohio area and my daughter was affected by an almost child abduction. I wanted to talk about it because I don’t want this to happen to anyone else and would love to try to figure out ways to prevent this. If we can save one kid, that’s the goal for today and to inform everyone that it can be you, I know people say “not my kid, no way,” but it could be your kid, for sure.

Steph: I’m Steph Sample. I have 18 years of experience in various roles of cybersecurity. I started off focusing on the Iranian state as well as their allies in the cyber world, their cyber program, their developments, and then moved into all things criminal because the criminal world, as you’re about to find out, never ceases to stop, is always malicious, is always active, and we can do a little bit more and learn a little bit more to share with partners in the criminal world. So Bill, again, cannot thank you enough for being here today. This is such an absolutely amazing story. So I think let’s jump right in so that we can educate our audience and share your incredible story that has a happy ending.

Let’s do that. So Bill, how was your family member approached? Can you please name specifically what social media platform? I think that’s important.

Bill: So it was Instagram. My daughter was involved. She’s always been a kid that didn’t have friends per se. She’s always struggled with her peer group. She’s never had trouble finding friends that are, you know, younger or hanging out with adults. It’s always bothered me and her mother. We’d catch her just talking to people here and there, and we just did our best to monitor it. But one day I was taking her back to her mom’s, and my partner at the time said, hey, I noticed something on Madeline’s phone that she was showing people and I would look at it if I were you. So I did. So we were driving home and, not being a very good driver, I decided to look at the texting and Instagram exchange, and it only took about three sentences for me to know that this was very serious, and I literally just did a U-turn and went right to the police station. I can tell you that the content… it was so awful. Use your imagination about the worst possible thing you could read from a sexual perspective, a sick sexual perspective. And think about it being said to a 12 year old kid.

Steph: That’s really important perspective. Because let’s be serious, the online world, whether it’s social media, gaming platforms, all of it is used and in a good way can help kids find people if they don’t relate at school, if they don’t have their peer group, that’s why they gravitate towards it. But then there’s these incidents and that’s absolutely atrocious.

Okay, so you had the observation – great vigilance on your partner’s part and getting involved. Did you approach your daughter about it? Did you message with the app?

Bill: Well, so she was with me in the car, literally. I asked her for the phone and she looked at me like, why? Because she knew something was up. And I said, I’ve heard that there’s some stuff on your phone that’s alarming, and I have to look at it. And I said, just please give it to me. Literally once I saw it, it’s the first couple sentences, it was off to the police station and getting them involved ASAP. I didn’t read everything, but what the police told me is it went down like a dialog. As they looked at the exchange, the next step was that this person wanted to meet her at a place called Crocker Park. It’s the largest shopping area in the Cleveland metro area, and it’s also a large child trafficking hotspot, which I didn’t know either until the police told us. It’s because of its location, proximity to the highway. It’s an outdoor mall. So the next step was he was trying to coerce her to meeting somewhere at Crocker. And I can’t, four years later, I still can’t believe it was that close. And it was just, it was a miracle we caught it. It really was.

The police got very involved, but they never caught him. They got an IP address. They worked on it for about four months, it just never worked out. We also had some visibility with the event with local channel 19. Tiffany Tucker was the anchor. She was marvelous. She was so helpful, very involved, wanted to help out, wanted to bring the message to people in Cleveland. She’s fantastic. It’s a happy ending because nothing happened to her. But, you know, there’s trauma for her, there’s trauma for us. But we got over it. We’re just very lucky. I just want to make sure everybody knows that could happen to them. They’re tricky. They’re clever. They’re master psychologists. They know what they’re doing. You just got to be vigilant. And it will probably make your kids angry, but it just doesn’t matter. It’s a messed up world, as you’ll show later with some of the things that you’re going to bring up as slides.

Steph: So about how long, if you can give a ballpark, did the actors start speaking to your family member versus when you discovered it? Can you estimate?

Bill: Keep in mind, it’s like four years ago and I didn’t have the ability to go track the messaging, but I would say it was about a two month process.

Steph: It’s not that long, not a long time. And let’s be clear, your daughter was under 13, so she was a pre-teen, right? And you’re exactly right. That’s how these actors work. They know to go for younger, you know, the cognitive functions aren’t there. The social and the IQ not quite there. They’re just not developed. They [cyber actors] know what they’re doing.

So do you think that your daughter would have gone to meet in person?

Bill: Yes, absolutely. Well, let me take a step back. I mean, she’s 12 years old. But she would have had to figure out a way to get there. But she would have, because she’s very clever and she would have gotten what she wanted somehow. I’m just thankful that it never came to that. But yeah, I think she would have tried to figure out a way to meet.

Steph: You said that the location that the actor chose, the outdoor mall, is commonly used for child and human trafficking operations. Do you feel that there’s more awareness surrounding this venue now in your area, or would you like to call further attention to these which exist in every city?

Bill: I think that is a great question, and I don’t, I think the answer is probably no. People tend to forget these stories pretty quickly, unfortunately. I mean, with everything like gun control, everything it’s like goes away. We have so much coming at us. But yeah, I think it needs to definitely be brought up more. I don’t know how a mall like that would feel about putting fliers or signs up to, you know, if you feel like you’re in danger, call this number. That type of thing or text this if you feel like you’re being approached or I don’t know what to do.

Steph: That’s a really great point because airports have that, right. Let’s be serious. They’re usually in the restrooms or they’re in lounges, you know, a human trafficking number. Here’s something to call. Here’s a sign you can take.

So you mentioned that you went to the police, which is great. Got the authorities involved. And you went to media, which I think is also great for calling attention. Do you have any recommendations as far as software monitoring for younger kids? I know there’s a privacy discussion, but look at what’s happening. Do you have suggestions on parental controls and monitoring?

Bill: I don’t at this point because we did have those tools and I guess we didn’t… I think the tool is only as effective as how you implement it or use it. And I’ll take the blame. I mean, she’s only with me a couple of days a week because we are divorced, but yeah, we just didn’t catch it and still have trauma. I beat myself up about it still, but we were able to catch her. But yeah, we did.

Steph: This is not to beat yourself up over. This is important to reflect, to teach lessons. Because Bill, four years ago tech and social media weren’t what they are now. Let’s be serious. You know, there were issues. Of course we’re seeing that. But it evolves so much. And these kids, we just talked about how clever, how resilient, how intelligent they are. But, you know, parents have to try to stay one step ahead. And that’s impossible. So this is the point of this webinar, why we’re sharing what we want to educate.

How about her school Bill? We didn’t touch on that. Did you talk to her school afterwards? Did you share this news with other kids? How’s the school doing in this role?

Bill: School really didn’t do much. We told them, we notified them, but we really got nothing else out of them. I know the police were very frustrated that they just couldn’t find the perpetrator because the police that read the messages – you could just see the rage in their face, like when they read the whole thing. But no, we didn’t really get much out of the school. I think there’s talks at Westlake all the time about this. So not to say that Westlake is not educated, because they certainly have parent led discussions to prevent this from happening. But as far as this particular incident, I think there’s also a lot of shame, embarrassment, maybe from both parents, and not telling many people outside law enforcement, you know, outside a particular close group of friends.

Steph: See, that’s another issue that we need to fix with public education because parents are not omnipresent. They can’t be everywhere. Neither is law enforcement. Neither are schools. Again, this is not a finger pointing exercise. It just goes to show with how quickly tech moves and how available it is, especially to kids. You know, we have to try to stay on top of it. We have to share our notes. We have to share our groups and share our resources because no one can do this alone, no one at all. So what would you hope the takeaway message is? Now having spoken to the media, law enforcement, the venue, schools, what do you want to tell our audience as far as how to address this in the future? Monitor their current kids activity. What are your thoughts there?

Bill: So I would sit down with your kid and just have a discussion about it. I would try to get educated as much as you can about what’s out there, what people are doing, and just have a discussion and just say, hey, have you ever had anything like this happen? Have you been approached? You’re the parents, parents know their kids better than anyone. And when something like this happens, make sure your kids are aware of it. Make sure your family is aware of it and your friends are aware of it. I don’t think there’s any silver bullet, right answer, I just think it’s really awareness. I think it’s trying to be involved as much as you can with your child, and then knowing that something might be off. You don’t know what it is, but you sense something’s off and you act upon that. That’s what happened here. That’s what saved us, is that something just seemed awry, off. And it’s, you know, the analogy I use is everybody has a, you know, a pet. You know, when your pet’s sick, you just know something’s off with them. It doesn’t matter what. And I think the same is with your kid. You know something’s bothering them, on their mind, if you have a good relationship. But it’s also embarrassing for them and scary for them. So I think the other thing is you have to make sure that whatever you tell them, whatever is going on, you’re a parent. We love you. We want to protect you. We want to help you. There’s nothing to be embarrassed about. These things happen. These people know what they’re doing. They’re psychopaths, sick people. And that’s all I can do. The biggest thing, Steph, is I wish I had better answers, but it’s just, it can happen to any of us. It can happen to any parent. It doesn’t matter.

I was hoping just to build a little bit more awareness, and I’m more than welcome to talk to anybody on this call if they want to just talk to me one on one, I’m more than happy. You can give them my contact information. But yeah, I just want to save a kid and prevent this from happening. It’s so awful for the family. It’s just it’s still tough to talk about four years later.

Steph: I believe it, I believe it, and that’s why we have to be thankful that you are here. You know, we talk to our kids about everything, right? There’s nothing else we haven’t done. So you have sex, drugs, alcohol, smoking. Now we have active shooter drills in schools. Right. So maybe there is something to be said there that we could get cyber drills in schools. It’s got to maybe start to be part of the curriculum because these kids have devices sometimes before they’re even out of the womb. They have social media accounts. And again, that’s not malicious activity on the part of the parents or family members, but they don’t know what they’re setting their kids up for. And you’re so right that awareness and education is the most essential part. So on that I have some slides I’d like to share.

Kathy: Before we move on, there’s a question for Bill. Now that your daughter is 16, how is your relationship about privacy and transparency between you, your co-parent and your daughter?

Bill: That’s a good question. I mean, obviously she’s 17, she’s a teenager. And communication can be tough. But I think she learned. We constantly talk to her about it because she’s still not socially mature for a 17 year old. So we have to be very, very careful about monitoring her still. And like I said, I’m only with her a couple of days a week, so it’s harder. And unfortunately it’s on her mom and mom’s busy as heck too, so it’s just really having the constant conversations. Fortunately, I don’t think fortunately is the best word to use, but she almost was taken and she got a second chance. Most kids don’t. And so it’s just keeping her aware, monitoring her very closely with my son who’s 12, the same age when it happened. It’s not a non-issue. It’s like he doesn’t have anything to do with this stuff. He’s got his circle of friends. That’s all he cares about. But he’s still, you know, aware and remembers what happened. I hope that answers the question.

Steph: So I pulled this news article up. Bill, you and I have discussed this before. This happened in Atlanta. It sounds a little bit similar in that it was the targeting of an underage girl.

The difference on this one, being in the huge part, is that this individual was part of the parents’ social network, approved, right? So they were friends on Facebook. They knew each other from a religious gathering. They thought that they knew what this guy was all about. And in reality, he was combing the parents’ accounts, the pictures of their daughter, her locations, to attempt to sell her online. There’s a dark web market. Obviously, we are DarkOwl – we know the dark web very well. The market is called slave market. It sells children from all over the world. It is not just the United States. So this is an example. Bill, you know, you talked about how when we see this, we have some headlines and then they go away. And you’re right because this was earlier in the summer of 2023. It was June. This little girl was also saved. She’s fine too. Happy ending like you Bill, her mom speaking out to the Atlanta press. But I think it’s more important to draw attention to that. And with that, I want to segue.

So again, DarkOwl, we comb Telegram, Discord. We are on the dark web. This is what we see and deal with all day. This is not easy subject matter.

My top screenshot is this individual who’s offering how to get kids’ social media accounts and sell them on Telegram. Why? Because kids, even if you’re not going to physically go after them, right? Attempt to kidnapping, attempt to procure them, if you will. Kids’ social media is easy to steal their PII (personal identifiable information), passwords, credentials, because kids don’t have job histories, credit scores, all the complications that adults do. So this Telegram channel is talking about how kids’ accounts are clean, and to steal an identity or start a criminal ring. That is what this actor is doing. He’s going after children.

You can see the middle one, which is again from the summer of 2023. We’ve got a child slave market. This is an offering on a dark web site. This is absolutely live. This was only a few months back. This is still happening.

And then we have a May 2023 article about certain tech marketplaces, platforms, all of it that unfortunately criminals are misusing to recruit, trap, approach and then attempt to buy and sell children, whether that’s kidnapping or another way. We’re not saying this is the tech giant’s fault. It’s just that this is happening everywhere, on every platform, to kids as young as seven, eight, when they can start typing.

The final data and slide that I have here, which I thought was also really pertinent. Again, not going after physically attacking children or kidnapping them or taking them. This is a different dark market advertisement. Again, from 2023, you can see that the children’s social security numbers and dates of birth are available.

Fullz in the cyber criminal world means that it’s a record with complete information. It means it’s the highest chance that you have to steal someone’s information. So these fullz are going to have not only what the actor is listing, they will have locations, metadata, coordinates, where they attend school, what sports they play, anything that can really help provide a complete picture for children for that identity theft. You can also see that they specified the dates of birth for these children are 1999 to 2020, again targeting those younger ages, those people who do not have the fully developed cognitive skills, who aren’t going to be able to understand that somebody online messaging them might not be who they say they are. And the final part of that post is you can also see that the guardians’ information, whether parent or other family member, other legal guardian, is there, further allowing for a criminal actor to potentially impersonate a guardian and do further harm to that child or other children.

These are just some of the examples that we pulled. Again, we wanted to keep this focused on Bill and his family and the educational part of this, but we have to share how essential it is to protect your children online. Yes, everybody wants to share pictures and vacations and milestones. That is what unites us as human beings. We get it. But there is a dark, nefarious side to this. And unfortunately, criminal actors have really caught on how to quickly and efficiently and effectively make money off of innocent children or innocent families and do further harm. So I thought these were really important recent examples to share. Bill, anything else on these examples that you wanted to add? Did they approach her with any of this, or use any terms that you’d like to share as well? Lingo is important too.

Bill: No, I wish I knew. I’m just reading that and the other examples. It’s just horrendous. I just am speechless about the stuff that’s out there. I had no idea. I think it’s awareness. Like you said, technology has changed a lot in four years. Things change so quickly. So then it’s like you have to educate yourself on, well, all right, so this has changed. What am I going to do now? Keep pace, I guess. I wish I knew what the answer was in terms of how to stop these people and how to find them. That would be, I would hope, our next breakthrough. I really thought we’d find that other person. We did not, I was surprised, actually.

Steph: It’s interesting that the actor wasn’t found because, you know, a lot of time and effort was spent on that. But it also goes to show that they are using location-hiding software, obfuscation techniques, and then disposable infrastructure. Right now that we have cloud IP addresses, they’re ephemeral, you can change them. So these actors really do know that. And it’s terrifying how quickly they can disappear. We know they’re going somewhere else, we know they’re re-appearing elsewhere. So all right, we’re going to try to get some schools and educators involved. We’re going to keep talking to the media. We’re always going to go to our respected law enforcement. Let them know. I think that vocabulary is one way that we can do this. You know, there are definite repeated terms that criminal actors will use. After we publish this, let’s have it in writing for people so that they can copy paste, put them into their parenting software, implement them live, right? And then we can kind of keep a running list and also gain feedback from the audience. Undoubtedly, there are parents and cyber professionals in our audience who are going to watch this. So let’s keep that a growing task and list, which also facilitates continued conversation. We don’t want this to fall apart, fall away. We want to keep it visual.

Kathy: Bill, someone would like to know what was the response from Instagram. Did you get a chance to speak to them about the problem?

Bill: That’s a great question. I know we alerted them. I know the police took care of that. It made them aware of the problem. I can find out what Instagram went back and said. I know that they did some things on their end, and I know the police were involved to try to figure out how to find them. That’s really all I know about what Instagram did. I kind of took my hands off it and let the police just do their job, as much as I wanted to take over.

Steph: That had to be hard to sit back and let someone else take action on this. But again, they were probably well versed, you know, so that had to be really difficult. And I think that’s a good point to share. There’s nothing about this process that’s going to be easy. It’s uncomfortable. It’s terrifying. It’s traumatic. So let’s focus on that too. And just really, you know, talk to your families about it, talk to mental health professionals too.

Kathy: Did the police have a cyber unit or only traditional investigation?

Bill: That’s a good question, too. Traditional investigation.

Steph: I want to highlight that should the FBI ever become involved, because these are definite cases for the FBI and your local law enforcement. But the FBI has a cybercrime not only unit and specialist, but they also have a reporting forum. You can use the hotline, you can use an anonymous email address. And I think that’s also important to share too. So that can be another thing that we provide in our follow up resources is not only your local law enforcement, but the FBI as well. Because if we have more eyes on this problem, we have just a little bit more monitoring and a movement towards a solution.

Kathy: I’m sure it may be difficult to have the data to confirm, but how often are these bad actors caught on the dark web in these instances?

Steph: I will be honest, not enough. I, in my almost two decade long career, know I’ve seen more ransomware, DDoS, more of the technical actors that are taking down, say, your critical infrastructure, and I am not seeing enough attention given nationally or internationally to human trafficking efforts, kidnapping efforts that happen frequently online. And one thing I should highlight there, too, is the actors are also smart, right? So they are moving from the more common public forums on the dark web. They’re moving more towards one on one communications. So like in Bill’s instance, of course, it was private messaging on Instagram. What we’re seeing as a general trend is that they will advertise those keywords like you just saw in those slides I had. They will say children, they will say slave market, etcetera, etcetera. But there’s no further context or detail, and they entice people to message them directly, which of course hinders law enforcement operations. You can’t get into private messaging. So no, data’s not perfect. Maybe we can get some input from law enforcement too as we continue to drive awareness, but they are not being taken offline as quickly or as often as needed.

Bill: And why is that? I was just going to say. Why do you think that? What do you think? What needs to be done, in your opinion, to find these perpetrators, or what other steps can we do? Because like you said, it’s hard to get them. We didn’t get the guy for my daughter. I know that the dark web is very mean with Tor and everything is really hard, but I don’t know what your suggestions are.

Steph: It’s unfortunate that technology is neutral, right? Technology is only good or bad depending on whose hands it’s in. And like you said, it’s unfortunate that you didn’t catch yours. But like I detailed, they’re using all these hidden softwares, all of these obfuscation techniques, again, not just for human trafficking but criminal operations writ large. And that is unfortunately a really dark and nefarious side of technology, that if somebody is very sharp and knows what they’re doing, you can’t nab them, you can’t remove them. So I think all we can honestly do, as hard or as ineffective as it might sound, because we’re people of action, is continue talking about it, raising awareness, giving lingo, headbutting into your kid’s life. Right? Like, hey, who are you talking to? Who is that? Do you know that’s who that is? You’re not going to meet them in person, are you? Do it. There’s a really common thing in cyber where we do tabletop drills. So we do: All right. You got a DDoS attack. How do you bring your system back online? Go. Okay, you’ve got ransomware. Same situation. And unfortunately, it sounds like we’re just going to have to keep doing this with kids. Again, I think that curriculum in schools could be a good place to start. Do an impersonation in school off this: a person approached me online. He said this. He said that. He asked for pictures. And just try at age appropriate levels to make your kids aware, in addition to parents, teachers and community members.

Kathy: Does DarkOwl help with detection of these issues?

Steph: Oh, my gosh, we certainly do. I mean, one of the numerous reasons I’m absolutely privileged to work here, not only do we contribute to criminal operations and stuff, but we also donate our platform to anti-human trafficking efforts. We have all of our coworkers who generally work nights and weekends to do that, because our executives feel it’s important. We at the analyst level feel it’s essential. I mean, look at what we just talked about, so we contribute to it. We will pass tip information, we also love to share with other members of the cyber community. It takes everybody for the more technical criminals to be identified. We have partners that we would go to and say, what can you tell me about this IP address? Can you geo it? What can you do here? What can you tell me about this handle? Are they using a ProtonMail, an anonymous mail? Are they using Gmail? Do we have a chance to track it? Are they on any other platform aside from Instagram? Can you give me their handles on Steam, Twitch, any gaming situations, right? So DarkOwl is definitely in the fight and that’s one of the reasons I’m just so unbelievably happy to be here and privileged to be speaking about this.

Kathy: Steph, you touched upon it a little bit, but interested in how this takes place in our public education curriculum. Back in the day, we were teaching Stranger Danger, and the participant is wondering if, you know, are we bringing these critical dangers from social media into the school setting?

Steph: You know, I don’t have kids in a school setting or a system. I don’t want to speak writ large to that. I’m sure that there are various areas of the country that are trying to take the don’t talk to strangers, don’t go into a white van, don’t take candy from strangers. I am sure that those efforts at certain levels are occurring, but what we need is a national, united one, right? We need a formal mandate to have this curriculum and have these teaching incidents in schools as well as, you know, a church, a mosque, a synagogue. Maybe you could touch on those community places on weekends or nights. Boy Scouts, Girl Scouts, I mean, the opportunities for education are endless. I don’t know of anyone that’s doing them minus individual grassroots efforts, but let’s build on it. That’s the point of this.

Bill: Going to the schools I mean, doing a national mandate. I don’t even know how to get started with that. But a local school, would you do a presentation, say to a school to talk?

Steph: Absolutely. We have parents here at DarkOwl who are definitely well versed and unfortunately are going to probably see these slides and lose a little bit of sleep. But yeah, I think starting at schools petitioning, you know, politicians to change the curriculum, implement these things, these are all potential ideas that we have. And whatever the community comes up with to add to and make them more robust, we’re all ears. Absolutely.

Kathy: In the dark web are there only sightings of individuals partaking in human trafficking? Or have you also seen movements by bigger criminal networks?

Steph: Oh, there are entire networks. There are absolutely networks. Generally speaking, what happens is much like every criminal conglomerate, they are set up like a business. So your lower level affiliates who maybe have that knack for speaking to younger children and attracting them are sent out to recruit them. But then, you know, it’s horrible to say, but I have to say, you know, those lower level associates essentially have numbers that they have to hit. They have to get five kids a month, ten kids a month, right? Or else they face repercussions. So that’s the desperation in the criminal chain. One thing I’d really like to highlight is that internationally, because again, this is not just a United States problem, people from war zones are unfortunately horribly targeted, and that is generally by criminal networks. So they will say, okay, for $5,000, I will get you out of X war zone. Okay, here’s your passport. Here are your documents. Meet me at this location and we will transport you out. That is obviously not legitimate. It’s a huge criminal conglomerate. And I want to say that the money from human trafficking is only part of the criminal supply chain. The money that they pay for humans, children, women, boys, you name it, you know, they get that money from, say, online operations like ransomware, selling weapons in some cases. We’ve seen that in the Middle East and Africa. The funds from drugs, the funds from IEDs. Right. I mean, I spent two years in Afghanistan and was former military, and we’ve seen this criminal supply chain, and it is not any different; human trafficking is just another cog in that wheel. It is definitely networks, but it starts small with one individual going after their target and then it builds up.

Kathy: This may seem a little strange, but would you recommend that children say they are 18 on social media when they fill out the birthday sections? Would that make a difference or deter potential predators? If there are accounts that they’re older than they are, or would that be more harmful?

Steph: I would like Bill to take this one too. My input on that to start is that I don’t think they should misrepresent any ages because, listen, young women 20, 25, 18 are still victims of human trafficking. Very much so. It might change the way that they are approached, but I don’t think it’s going to deter them. Again, those actors have mandates and numbers to hit. And I don’t think that saying you’re 18 or 19, if you’re 13 or 14 is going to make a difference. Bill, how about you?

Bill: I don’t think it matters whatsoever. I think they don’t care, as Steph said. I mean, you know, you see signs everywhere about abduction in college bars. There’s signs everywhere that give a text code that if you feel like you’re in danger. But no, I don’t think it matters what age they have on Instagram. I mean, face it, my daughter should never have had this happen based on our age in the first place. I don’t think it matters at all.

Kathy: We hear that TikTok is being used very actively for targeting children. Do we have monitoring as part of this?

Steph: I can’t with TikTok, I absolutely cannot, from where the data flows through to all of the dangers that have been identified to the types of media that’s on there. That is a personal choice. I scream at my nieces and nephews and brothers and sisters-in-law to get off TikTok. But that is a personal choice. And so that would have to be monitoring on the part of the parents, guardians, etcetera, etcetera.

Bill: But what do you say to them to get them off? It’s like everybody. I’ve never used it. What do you say to them to prevent them? I mean, they’re kids. The peer pressure is intense just to share videos and such. It’s just that’s a tough one.

Steph: That’s a very tough one. DarkOwl does not work on TikTok as of right now. That would be part of social media, which we don’t really cover. So I would love to collaborate and have ideas as far as TikTok and how to protect its users, but that’s a really big conversation that’s happening in places. Right? I think there were a couple of efforts to block TikTok. They’ve gone back and forth. You know, obviously there’s some privacy issues there. Citizens would be up in arms. That is a very hard question, but it needs to be discussed. Absolutely.

Kathy: And our last question, Bill, kind of leads in a little bit to the peer pressure and the support. Thank you for your courage to share your story. How did your daughter’s friends react and support her and support themselves? Curious of the support?

Bill: It’s a great question because they didn’t know. They didn’t. We didn’t tell them. I’d say primarily because she really, at that time especially, did not have many friends, her age group. We definitely talked to my ex-wife’s closest friends. I know that they knew about it so they could talk to their kids privately. But yeah, it was a very private issue. It was very traumatic for her. It’s just having those conversations like organically as opposed to doing a big broadcast about it just because of the nature of it. She didn’t really have any friends to discuss it with. Just to be frank.

Steph: Bill, how about your, you know, you mentioned your ex-wife’s friends in that community. And how about just the adults in your community? The adults at the school, were they more interested in paying attention after they found out what happened? The ones that you shared it with.

Bill: I don’t know because they’re not my friend group anymore. I would say, knowing the women, I know they would have cared greatly and did everything they could to make sure that their kids, and then their friends with their kids. I mean, they’re all good people. Everybody was horrified by it.

Steph: Yeah, and I think you’ve made a lot of new friends and garnered a lot of interest on this, Bill. So again, cannot thank you enough. Thank you for sharing your story.

Bill: I appreciate that. I hope I’ve answered all the questions. Well, I guess it’s four years ago and I feel kind of inept as I’m answering some of these questions because some of the details are kind of, it’s been a while and it’s kind of like blocked it off and now comes all roaring back. But I’m glad to do it just because I just want to help anybody I can. And I know you and Kathy, and Dustin’s mission is the same, so I’m more than happy to do this anytime and help anybody I can. If anybody ever wants to talk to me about it, just please let me know.

Steph: I’m going to wrap with, just thank you to everyone, Bill and the audience included. We are very much open to, you know, please contact us on LinkedIn, emails or anything. We want to continue this conversation. We want to have a follow up. And thank you for your time on a difficult subject for sure, but the holidays are coming up. This is why we timed it this way. When kids are off school and on their devices, let’s all just open our eyes a little bit more. So thank you all so much.


Dealing with a similar issue? Contact the FBI.

Copyright © 2024 DarkOwl, LLC All rights reserved.