August 12, 2025

Or, watch on YouTube

Evan Blicker from DarkOwl explains the three types of internet (Surface Net, Deep Web, Dark Web) and the origins and workings of Tor. The session also covers common misconceptions about the dark web, types of information found there (e.g., PII, banking data, corporate data), and the importance of understanding it for cybersecurity. The speaker emphasizes operational security for investigators and introduces DarkOwl’s role in automating dark web data collection and analysis.

NOTE: Some content has been edited for length and clarity.

---

Good morning, everybody, and thank you for joining our iTOOsday. Today’s session was made possible by Leslie Cameron, who is the Managing Director of Alert Plus Technologies. Leslie is a seasoned IT professional with a long-standing career in technology, innovation and business solutions. His current focus is on cybersecurity and fraud prevention with a passion for helping individuals stay protected against identity theft as well as online threats. From DarkOwl, we will be joined by Evan Blicker. Evan is a cyber security professional with over a decade of experience in cyber threat intelligence, dark web investigations and digital forensics. He began his career at the Pasco Sheriff’s Office investigating cybercrime and internet crimes against children. He later served as a task force officer with Homeland Security Investigations, where he led transnational investigations focused on the dark web. His unique background bridges law enforcement with corporate security, and he has a deep expertise in OSINT, emerging threats and proactive intelligence strategies. For those of you who are unfamiliar with DarkOwl, they are the industry leading provider of dark net data, offering the world’s largest commercially available database of information collected from the dark net. With that, let’s jump into the conversation.

In today’s session, we are going to explore a side of the internet that very few people truly understand, yet it does impact us all, the dark web. Often sensationalized in media, the dark web is more than just a digital underworld. It’s a thriving ecosystem where stolen data, compromised credentials, cyber attack tools and illicit services are traded like currency. A cybercrime becomes increasingly organized, sophisticated and global, understanding what happens beneath the surface is essential for individuals and businesses looking to stay secure. I’m thrilled to be joined today by our expert, Evan from DarkOwl, which is one of the world’s leading providers in darknet intelligence. Over the next hour, we’ll uncover what’s really happening in the dark web, how it affects you, and as an organization and how you can effectively manage against it.

Evan: I’m a cyber threat investigator with DarkOwl. We’re here today to talk about the dark web, kind of unpacking it so we can get a better understanding of what it is, what type of data we can obtain from the dark web and how can we utilize that to better protect our clients, our organizations, and help make the internet and a little bit safer.

To start, we have a short disclaimer about this presentation being for informational purposes, only accessing the dark web manually can lead to security concerns if proper operational security is not followed. So, we want to make sure that this is understood that our presentation today is for informational purposes only.

We’re gonna cover some very awesome topics. We’re gonna go into how the dark web works, its origin, different things that we can find on there and the communities that operate on the dark web. The dark web very much is a community. Similar to any other community, whether you play sports or in the business community or volunteering. However that works, there’s always subsets, there’s always communities in there. So, we’re going to talk about some of those communities. And then we’re going to also go into a little bit about dark web investigations, right? How to utilize this information, how to take it from raw data to actionable intelligence. We’re going to cover a lot. It should be really fun. So, let’s get started.

What is the dark web? That is a question that gets asked a lot because we see movies, we see TV, it’s dramatized as this really cool person sitting in a basement wearing a hoodie, typing away at a black and green screen. And it’s not as cool as that, but it is still pretty interesting. So, there’s essentially three types of internets. The first one is the surface net – all of us here have used the surface net, right? That’s that sites that have been indexed by Google. So, if you have gone to any website like a news provider or to a you sports site or any of those other things. That’s the surface net, a website anybody can get to and you can find it through Google or one of the other search engines.

Now there’s also the deep web or deep net. We’ve all accessed this whether you’ve known it or not and this is any type of website that can’t be found without doing something else. So, for instance going to your banking site, you have to type in a login to get into your or your bank account information, that’s once you type in that login, you go to your bank account site, that itself is the deep web or the deep net. ‘Cause that’s not something that you would want to show up on Google. Could you imagine the world if you could just Google somebody’s bank account and see, it’d be a wild place.

And then we have the dark web or the darknet, and this is an internet that uses standard internet but requires special software. And this special software typically allows for anonymity. It also provides some level of security through encryption. It allows people to bypass maybe countries restriction on certain websites or whatever the case is. And that’s the dark web, which is what we’re going to be kind of focusing on today.

The dark web. It actually got its start by the U.S. Naval Research Laboratory. Onion Routing, it was designed to protect sensitive information for government communications. Then in about 2002, it was released as an open-source project to the public, where it remains as an open-source project, where lots of companies and organizations actually donate to keeping the project alive. So, it went away from its government excludability and went into average people, anybody being able to use it for their purposes. Because though when we hear the word dark web, we think cybercrime and criminals, there’s actually some very, very valid uses which we’ll touch into later related to the dark led. It has some good uses in this world. It’s used by a wide range of people seeking anonymity while they’re on the internet. They want some type of encryption for privacy concerns, but it is also involved into such a good complex ecosystem where you have not only people using it for negative purposes, but also people using it for good. The thing that I always kind of fall back on when talking about stuff on the internet is for everything good on the internet, there’s somebody there that’s able to take that good and use it for evil.

There are multiple dark web technologies. The one that we’re going to focus on and talk about today is Tor, because it is the most widely known dark web, but there are several others. So, these are logos from across the different one. The one in the upper left of the screen, that’s the onion routing, that’s TOR. That’s typically the one when somebody’s talking about the dark web, that’s what they’re referring to.

The onion router, TOR. It’s multi-layered encryption, right? It means data is wrapped into multiple layers of encryption and each node that you go through, I’ll explain this a little bit better in the next slide, encrypts only what it needs to, to pass the traffic onto the next thing. So, it typically goes through a minimum of three nodes. You have your entry node, you have your middle node, your exit node. The exit node is what sends your traffic onto your destination. And this allows for your data to be fully encrypted in through its path.

And this is its path. Now for any of those in the audience that maybe have a little bit more knowledge into the dark web, you don’t have to have a minimum of three notes. You can have seven, eight, nine, adding to your level of protection while using it. But this is typically how it goes standard, right? So, Alice needs to send the information to Bob. Bob’s a server. Alice’s traffic will go through three different nodes in a certain pattern. It’s a randomized pattern. And each one of those nodes, each one of those computers that the traffic passes through only has access to the information it needs to continue that packet onto its final destination. And then at which point it goes to Bob. The only time that that traffic is not encrypted is that final jump from the exit node to the target server. And this allows for that secure communication, right, allowing for that anonymity while using Tor.

Some of those features that we’ve already spoken about, anonymity, right, it gives you access to .onion websites. So, the Tor network doesn’t use .com or .net, they all end in .onion. It’s decentralized. The Tor project is actually really, really successful and really good at making sure one entity does not own too many nodes, right? Because I think it was mathematically calculated that if you owned 40% of the nodes, you can actually track somebody’s traffic across the Tor network. So, they do a really, really good job and so does the community as well as making sure that the people who are registering Tor nodes because anybody can do it, it’s a volunteer basis that they don’t own too many of them, right? Because we want to keep this decentralized. We want to make sure that the anonymity of what Tor provides us is there. And it also allows you to bypass censorship. Some countries censor the news and the media of what’s going on and this allows people and organizations in those countries to get valid news of what’s going on in the world. It allows for privacy and sensitive communications. So, take for instance, a journalist who is getting ready to break a big story with a whistleblower, this allows them to communicate in a manner which will protect the source and the story, right? And it has multi-platform support. So, you can be on your phone, you can be on your computer, whether it’s Mac, Windows, Linux, and still be able to access the Tor network.

It is downloadable at the torproject.org. There is a lot of very, very good information about the Tor project and the dark web on torproject.org. You can actually see all of the different nodes and things that are being used. They do a very, very good job. They also list who donates to them and how they support themselves. And if you are so inclined to believe so, you’re able to do that as well.

There are other types. The Zeronet is another big one. Freenet is one that isn’t really widely used anymore plus you have i2P and then the other ones listed. For the most part, Tor is your primary dark web network that is used today.

We have some common misconceptions, right, because those movies make the dark web look just so utterly fantastic and makes everyone feel like a hacker. We have some misconceptions that come along with the dark web. So, the first one, everyone on the dark web is a criminal and that’s not true. It hosts communities and some of these communities are just privacy focused people. Others are based in free speech. Others are trying to help prevent human trafficking or help, you know, refugees out of countries, whatever the case is. There are some very good uses for it, right? Some governments are extremely restrictive on the news and media that their citizens are allowed to see, and the dark web provides that access, right? And it allows journalists and whistleblowers and human rights activists to communicate in a manner in which they can try to help make the world a better place.

The next misconception is that exploring the dark web is illegal and it is not. Now there may be activities carried out on the dark web, which are illegal. And if you engage in those activities, then yes, now you’re committing a crime and that becomes illegal, but it is not inherently illegal to be on the dark web. There are many legitimate purposes. For instance, the New York Times, which is a very well-known news agency in the United States, they have their own dark web site, where they host their normal site on the dark web for people that are in oppressed countries. So, these are things to keep in mind.

And lastly, the dark web, it’s actually not lastly, but the dark web is completely anonymous, and that’s not 100% sure. There are tools that researchers and law enforcement and methods that can be used and implemented to extract information on threat actors, on people that are using the dark web for malicious purposes, right? Law enforcement also sees this dark web sites and they seize the servers which store information and that information can be used to track and determine who these threat actors are. So those supports extremely strong privacy protections. It’s not infallible because nothing is right. Locks only keep honest people honest, and so there’s always a chink in the armor somewhere.

And lastly, accessing the dark web is super difficult or super easy, and it’s not either or neither. There’s not one specific place to go – the dark web is made up of many hidden services, many different websites, multiple different platforms. Though there are technically dark web search engines, they’re not the same as Google or Bing or any of those other ones. So can accessing the dark web can be complex to find the information that you’re looking for, because you need to know the link. You need to know how to find a specific site. You need to know that that site actually exists, right? So, it’s the same as using the internet back in ’98, ’99 before search engines became really popular, you had to know where you were going in order to get there.

Some dark web concerns. Obviously cybercrime is a concern of dark web and it is used very prevalently by threat actors of many different facets of crime. From financial crime, to hacking, to ransomware, to narcotics trafficking, whatever the case is.

Also, misinformation campaigns happen – the spreading of disinformation and extremist content happens, stuff to try to destabilize public opinion and trust. And so, misinformation can happen. And then there’s also the illegal non-ethical surveillance of the dark web, right? Dark web monitoring needs to have ethics that are involved in it to protect the good people that are on the dark web, using the dark web for valid reasons. So, these are some of our dark web concerns.

We’ve talked about what the dark web is. We’ve talked about its nuts and bolts of where it was created, how it operates, how it keeps us safe. We talked about some of the misconceptions. So, let’s get to a little bit more of the interesting stuff. What is actually on the dark web? What type of information are we able to find that relates to what we’re trying to do? How are we able to protect our clients? How are we able to protect ourselves?

There are several different facets or avenues that we can do to try to find some information. There are Marketplaces where things are bought and sold similar to eBay or any other type of marketplace, Amazon that you go to where you can buy and sell different items in an unmoderated manner. There’s Forums where collaboration between threat actors happens where people ask questions, postings for sale, whatever the case is. Social media related stuff. Obviously, there’s Cryptocurrency information. There’s Leaks from companies. There’s also Leaks from government and then Ransomware related stuff. All of these things are found somewhere in some shape or form on the dark web.

There’s also dark web adjacent stuff. And this is the big thing that a lot of people don’t think about when they investigate the dark web. The dark web, like I said earlier, was a community and we got to look at that community and the community and any one of the communities that you’re a part of, you know, take your work community. So, when you go to work, you’re part of the community with your co-workers and you are talking about work at work. But you also talk about work elsewhere, right? So, a co-worker comes over to your house for dinner and you guys start gossiping about the you know stuff in the office, right? Things happen outside of your office related to what that community is about, which is work. The dark web is the same way. We have messaging apps, we have gaming apps, we even have surface web places. For instance, Reddit is a well-known social media site that has several places on there where they talk about dark web topics and issues and things along those lines. So, monitoring these things is just as important as monitoring the dark web to give you that kind of inclusive photo of what is going on. And a lot of the data on the dark web comes from many different things. So, a lot of the raw data, a lot of the raw data is your PII, your personal identifiable information from leaks. So, data birth, social security numbers, credit card numbers, addresses, things like that. Banking data, stolen bank accounts get sold on the dark web. Corporate data that has been taken maybe from a ransomware organization or from a hacker, whatever the case it is. Credentials and compromised accounts, whether it’s fake accounts to a social media site or accounts that have been taken over, being sold, as well as corporate accounts, personal, whatever the case is, plus there’s malware, there’s hacking tools, there’s ransomware, there’s a lot of different things. And then obviously on your forums, your marketplaces, tactics, ideas, how to do this stuff is there. You can buy guides and forms. And this all leads over to some of the biggest kind of risks that we’re kind of thinking about. So, DDoS attacks, right, data exfiltration inside or threat cyber-attacks, and then just, you know, anything from identity theft down to a much more personal level, right, of like somebody being doxxed on the dark web where their personal information is released.

So, let’s delve a little deeper into that type of data that can be found. That was a more high-level overview. let’s get into a little bit more of the nuts and bolts.

Ransomware. Most ransomware groups, which new ones are coming out every single day. It is a very successful business model, if you’re a threat actor. They have most of their sites are hosted on the dark web. Also, their chat sites, where you go to negotiate once you have been, once you have been compromised are typically .onion sites because it allows for that level of anonymity. So, some of these screenshots are a little older and the reason for that is that you can’t control necessarily what’s going to happen on a dark web site. So, if we went to it live, there’s a chance that there could be material that we wouldn’t want to see or produce. So, we try to capture screenshots. For instance, LockBit, which is now up to LockBit 3.0, their site is hosted on the dark web, several different ones, we’re constantly in a motion of tracking all of the new sites that are popping up from different ransomware groups.

I guess they like that business model. I don’t like it, though.

Markets. So, these are what essentially eBay would look like and a lot of them are based off of the same. So, this marketplace, Kerberos, has been taken down. There are several new ones that pop up and they will run until either one of two things happens. Either law enforcement takes down the marketplace or they do what is called an exit scam. And an exit scam is where the owners of the site take all of the money that’s been put into the site for making purchases and then they ride off into the sunset stealing everybody’s, all of their users’ money. Those are typically the only two things, but anything is purchasable through here. There are marketplaces that are specific to firearms. There are marketplaces that cover a wide range of things, from personal identifiable information to credit card numbers, social security numbers between narcotics and drugs, to hacking tools, whatever the case is. Some like to specialize, others like to be a little bit more broad to try to get as many users as possible.

It is kind of crazy some of the things that you can see on a dark web marketplace for sale. There are scam sites and things that pop up. So, for instance, you’re not going to really find a marketplace that’s, you know, human trafficking related. Also, you know, hitman services on the dark web are not real. That’s not how that works. But a lot of people will like to talk about that, especially in movies and TV and things like that. But those types of things are almost always scams. But you can buy just about everything else. You can buy cell phones, skimmer devices, the steel credit cards. The imagination is the limit for what marketplaces may or may not have. But they operate very well and they have better customer service than any company you probably know today because trust is a big part of the dark web. So, one of the things that they do is they hold an escrow service. So, you would actually put your money into the site. The site would hold it. And then once you have made a purchase and you’ve received your product, the site will then release the money. So that way there’s trust between vendor and purchaser. That’s where that exit scan comes in.

Financial crime. Financial crime is a big part of the dark web. You won’t find all of your financial fraudsters on the dark web, some don’t need it, but you will find a lot of information and a lot of stuff being sold because it’s a really easy product to sell on the dark web because you’re not shipping something from point A to point B, it’s a digital good. And we also have a little bit of that dark web adjacent. So, the two photos on the lower right, those are actually taken from telegram. Telegram was a very big hot spot as a dark web adjacent location. It’s since kind of cooled down because Telegram has changed their kind of trust and safety policy, so they’re cracking down on this a little bit more, but for a few years there it was very rampant that every dark web site or marketplace would also have a Telegram channel associated with it. But you can buy anything from credit card numbers as low as 10 cents to bulk credit card information, which will provide the credit card number, the number in the back of the card, the person’s name, address, location, everything that you needed to use that card in a manner to prevent you getting caught by law enforcement as well as information on how to commit fraud. It was a very big thing for the dark web.

There are drugs and gun sales as well on the dark web. A lot of sites, a lot of marketplaces do try to avoid firearm sales only because that gets a lot of American law enforcement involved. It kind of increases their profile. So, a lot will not allow sale of firearms, but they unfortunately, you know, everything done on the internet has a way to be used for bad and the people that sell these find a way to get their markets, their merchandise posted. And then as well as narcotics. Narcotics are a big sale item on dark web marketplaces and different sites from there. But the nice thing, at least for the good guys related to this type of stuff, is that they have to be shipped from point A to point B, and law enforcement does monitor those shipping avenues, and so do the private companies that do that as well. So, a lot of times, this type of stuff is able to hopefully be stopped before it gets anywhere.

Stolen data. This is going to be something that I’m sure this audience is going to be interested in and about, but stolen data from companies. A lot of organizations have their data stolen. Sometimes they’re not part of ransomware. Sometimes people just steal it to either try to sell it themselves or they post it. They post it for cloud reasons or reputational reasons to give it out to the community. These are screenshots from breach forms, which was recently shut down and potentially working its way on coming back that’s been an interesting saga. But you could go to the site at any point in time, search for a lot of different companies, and find stolen data from those companies. Now that’s obviously bad reputationally for those companies, but it could also be very good for the company’s competitors if they’re not operating in an ethical manner, right? They get that information and if that information contains confidential business secrets to the success of that business, now your competitors have your playbook. As well as the damage that could potentially happen to the clients of those companies if their personal information has been released.

Leaked data. So leaked data is different than stolen data. So leaked data, a lot of times, could involve an insider threat. It could be data that was able to be captured through a tool, for instance, being scraped from a deep website that a company owns, say, for instance, a social media site. You have to log in to access the stuff in the social media site, and then you start running custom tools to pull all of that information down, and then you release it. And then there’s also usernames and passwords that get leaked as well. This is actually a screenshot from our tool, which shows a lot of the leaked content that we are finding out there and are able to catch them. And there is a lot of leaked data that’s out there. It’s actually mind-blowing to understand how easy it is for your personal data to be leaked or your corporate data to be leaked onto the dark web.

Stealer logs. Stealer logs are a very big thing. They can affect corporations, but a lot of times they affect the more individual person. But stealer logs are logs from specific type of malware that when they affect the computer, their job is to pull down all of the usernames and passwords and text files and take a screenshot and get all of the information that they can about that computer. And then these logs are either posted for free or if they’re good logs, they typically get posted for sale. There’s a couple marketplaces on the dark web where one log will cost $10 USD and it will have a person’s entire password history on there, right? All of the passwords that are saved inside browsers, which you should never save your password in a browser due to Stealer Logs because it captures all of that. And then they’re able to access all of your information. And the biggest one that we want to protect is your email, especially if you have used two-factor authentication through email. But Stealer Logs are everywhere. And this is also something else that ends up being dark web adjacent. For instance, Alien Text Base, this one here, they still operate, but they operate mainly on telegram. Even though telegram is very active in trying to shut them down, you will typically find them on telegram releasing this service that they have here. And one month of unlimited amount of stealer logs is only $100, which is crazy. And $1,000 dollars is a lifetime access. So, if you are intentionally trying to hack somebody’s computer to pull down credit card information or to use it for other malicious purposes, that’s relatively a bargain.

And then we have our corporate data. And corporate data involves many different things. It could be our corporate secrets. It could be information related to a tax eminent to that corporation. It could be customer information, whatever the case is, right? And not everybody is immune, right? So, the FBI, federal government, American government agencies have been affected by corporate data issues. CloudStrike, LinkedIn, Facebook, all of your major social media companies at some point in time have had their corporate data leaked, and a lot of that can still be found on the dark web today, even if it’s old data. Just because it’s older data doesn’t mean it’s still not valid and still can’t be put to use. And then also, you know, in here in America, we have the United Healthcare CEO who was assassinated. And you can find corporate, you know, talk about those corporations and the CEO, for instance, this one here, which was posted on an anonymous message board, saying that the healthcare CEO being shot would be a long time coming and for people to stop defending them. So, there’s a lot of information, a lot of things that can break down here, right, from just corporate information to also threats to corporations and businesses. Things to monitor and different avenues to go down.

And the communities that bonds them. I’m very big in saying the dark web is a community, and we have several different communities on the dark web. So, one of the big ones is extremism. You can find a lot of extremist information on the dark web, from everything from terrorism all the way to racially motivated type stuff, to politically motivated things, it’s all on there.

Hacktivist groups. Hacktivists are hackers that claim that they are hacking for the correct reasons because they don’t agree with something, whether it’s a political mind, a political decision, or a business that didn’t do the right thing that they thought was ethically correct. Hacktivists go after them, which was made famous by Anonymous back in the 2000s initially. Hacktivist groups operate on the dark web all the time. They post information, they get together to share ideas, different things like that.

And then we have our ransomware groups. This is a screenshot from our tool showing a lot of the different groups that we are targeting or not targeting but monitoring and pulling information down. This list actually currently has 317 different ransomware groups and threat actors that we’re monitoring and trying to get as much information from it. And the number of ransomware groups that operate on the dark web is growing every single day. And that number never stays static.

And then obviously we have our hackers. What’s interesting about this slide and as we’re talking about hackers is this is how initial access is sold. So, most ransomware groups do not do their own happy. They typically purchase the access from somebody who did the access. And what will happen is in certain dark web forms, a user will post revenue, a companies’ revenue of around 25 million. They’ll say how many hosts the network has. So, in this one in the left by Benjamin Franklin, there’s 500 hosts on this network. They’re looking for $1,500 to purchase this. And then a ransomware group will purchase this access, install their ransomware, and then attempt to export the company when they’re able to. And this is how it gets post. They never necessarily post names. Sometimes they do, but they provide enough information that you can try to disseminate down who the target is in hopes of maybe preventing ransomware. That’s a really big thing for companies to use the dark web is to monitor the initial access side of the ransomware lifecycle. And if they’re able to see that they’re potentially popping up on initial access sale, they can go ahead and start doing extra tests and monitoring and finding where the hole is and hopefully able to plug it before anything bad happens. But hackers do operate on the dark web in many different facets.

And then we have our main APT groups, our advanced persistent threats. For instance, like North Korean groups, different things like that, Chinese groups that are constantly trying to break into things and hack things and gain information, which is another thing that this is a screenshot similar to the ransomware groups from our tool and where we curate information on them.

Why is the dark web important? I’ve touched on this a lot, but it really does allow us the opportunity to learn more from the threat actor to make better decisions as to what we need to do to protect ourselves. So, it gives better insight and allows us to learn from them. There are tools that you can capture and figure out how they work to prevent them from working on your network. There’s also tutorials in fraud, in hacking, in social engineering, whatever the case is, and we can learn directly from the threat actors and monitor that, and it can also give us an early warning sign before anything before anything goes happen.

The early detection of potential emergent threats. It’s a more proactive approach to cyber defense. We’re learning directly from the threat actors, and hopefully it allows us to prevent threats from escalating, which is why it’s important.

So how do we find things on the dark web? One, there are open source tools to help you, but you need to take into consideration the OPSEC considerations, the operational security considerations. There are websites, for instance, ransomlook.io, post information daily on new ransomware groups that are operating on the dark web. There’s also different monitoring stuff and blog posts and things along those lines. But there’s also command line based open-source tools for investigating it. It’s just, you really need to know the operational security side of it.

On the dark web, there are list sites or link sites or directories that will provide links to dark web sites. And they will monitor those links to determine if the site is online or offline. And then we use OSINT. OSINT is our best friend. OSINT, stands for open-source intelligence techniques and it is a way of finding and learning information that’s publicly available. So, whether it’s from the news, it’s from government publications, blogs. At DarkOwl, we post blogs pretty regularly from there. Social media accounts from influencers that specialize in this stuff and then academia and research as well provides good, insight into what is going on.

And then now the operational security concern of investigating the dark web, which our tool does definitely allow to help with this situation, and it is something that very regularly needs to be taken into consideration, right? So, it’s a process to prevent our adversaries from gaining information about us, our capabilities, so that we can identify who they are, right? We’re not trying to become the victim. We’re the investigator or the analyst trying to prevent this.

So, it’s important, right? It’s important for the investigator and the researcher’s safety. We want to make sure that their identity does not get released or known. It also prevents against retaliation and targeting and it ensures that safety during and after dark web investigations, right? We want to make sure that we protect our sensitive information exposure and to avoid data. For instance, downloading certain things off of the dark web because we need them for investigative purposes. If it’s not done correctly in a secure machine that doesn’t have network access, we could potentially be putting malware or ransomware into our own network, you know, and now becoming an actual victim of what is going on. It allows us to maintain that confidentiality and anonymity and does not compromise our investigations. It allows us to reduce detection and tracking by sophisticated adversaries, for instance, some of those APTs that are nation-state groups are very well-trained, have everything that they need, have many people to help them. So, we want to make sure that we reduce detection by them so that we can continue gathering information. And then we want to reduce risks associated with linking affiliate investigations and researchers. We want to try to keep that attribution down to a very low level. And OPSEC is one of the most important things that needs to– and it should be the primary thing that is kept into that mind of dark web investigations.

Six steps to OPSEC. We want to identify the critical information that we need and how we need to keep it secure. We want to analyze the threat. What are our adversaries? What are their capabilities? What are they able to do? We want to look for weaknesses and configurations and behaviors to make sure that we can protect ourselves, evaluate the likelihood and impact of those risks. We want to implement countermeasures, apply security practices. Do we need a machine that’s never connected to the company network, virtual machines, VPNs, things along those lines and we want to constantly reevaluate as we progress in that investigation to make sure that our operation security is providing what we need it to provide. It’s important for protecting investigator safety, securing that sensitive information, maintaining operational integrity for the surveillance and tracking purposes, and then attribution risks, right? We wanna make sure we keep those tools on minimum.

We have gone over a lot. We’ve gone from what the dark web is, to what type of information is on the dark web, to tools for investigating the dark web, open source and ARPS tool and things like that, and operation security. But what are the strategies, right? We have the information, or we need to get the information. What are the strategies to take that investigation and make it fruitful? So, darknet intelligence, right, is involves collecting and analyzing data, like any other investigation would. Going through these specialized tools that we need to get it and determining, right, the complex ecosystems where cyber criminals trade goods and services, right? We need to know is the information that we are looking for on a forum, marketplace, a chat group, whatever the case is.

The intelligence pyramid, everything in intelligence and investigations has some type of diagram or analogy or acronym. This is no different. We start at the bottom with our raw data. That is all of the data that we’ve collected that may be useful for us. We’ll take all of that and turn it into some type of information to figure out kind of the buckets it needs to be in, and then from there we’ll put that into our actual intelligence that we can make decisions on. Kind of weeding out the noise that we don’t need. And you’ll want to do that with dark web data because you will be able to find a lot of things, but not all of those things will matter to your current investigation or needs, right?

So, we’re going to start with the planning and direction through our intelligence life cycle. Once we have — this is what we’re worried about. This is kind of the information that we need to learn. This is our questions. We’ll work on those collections. Once we collect our information, then we’ll move to the analysis phase. Once we analyze all of our data, kind of go through that intelligence pyramid will move into production, write our reports, make our recommendations, and then disseminate that out and get feedback from your cross-functional partners or your clients or whoever the case is. And then we start that all over again for the next question that pops up, the next threat that we have to worry about.

Strategies for monitoring the dark web. You have to know what your intelligence requirement is. You’ve got to know what you want to achieve. Do you need to worry about a client being hacked? Do you need to worry about their data being stolen, whatever the case is. We want to identify the areas that most interest us. For instance, maybe we need to monitor for credit card information. Well, some of the best places to see a specific credit card information pops up are in those marketplaces, right? We want to make sure that we keep a way of monitoring those sources. Once we collect data, we want to analyze that data, see if we need to find more data. Sometimes you need to. There’s always language assessment. If you need to figure out if you need to translate the information that you’re getting, Google Translate Works, AI tools help with that. And then obviously the last thing that we want to do is report our findings to actually have our recommendations matter and help strengthen security posture, prevent cybercrime, and all of those fun things.

Just real quick – to touch on DarkOwl and what we do. DarkOwl is a darknet data technology company headquartered in Denver, Colorado. Our mission was to build automated technology to allow analysts to investigate and monitor the dark web without actually having to go to the dark web. And we have come a long way in producing that tool. We’re led by our CEO, Mark Turnage, and we have a very fantastic team of analysts and engineers to produce that. So, the information in our tool, you don’t ever actually have to go to the dark web to be able to access that information. And it’s all searchable, which is the best thing. So, you don’t actually have to know how to get to a certain forum or have an account on that forum. You’re able to get it yourself.

In our beginning in 2012, we pioneered dark net collection in relevant search, you know, we created our Vision UI tool, which allows you to have a graphical interface to search all of our data. But we also have API access as well. So, we can tie into tools like Maltego has a transform to where you can tie into dark web data. But it gives access to your analysts to have this information, find it, use it and also monitor it through cases or alerts in different things along those lines. So, layers of the surface even dark web that we go after, right? So some of these high-risk surface websites are like pay spin sites or discussion boards, you know, Reddit, social media sites as well. We monitor underground forums and marketplaces as well as Discord, Telegram, IRC. We’re always looking to move into new messaging platforms as we see the community shift, right? And then currently we are in Tor, I2P, and ZeroNet as dark web marketplaces, because those are the main places that threat actors operate, typically now in Tor. There was a little bit that I2P was gaining traction, but that has since lost its momentum. We’ve pull about 2 million documents off of the dark web in about a 24-hour period. And we are constantly pulling in new information every single day. Our information is relatively able to be real-time, depending on the site and how often we crawl it. I was actually just doing research the other day and literally had information that was within the last six hours into the tool. So, it is very successful and really does help in these types of investigations, and it solves your operational security problem. So, you don’t have to worry about that using our tool.

And then our ecosystem – we have the Vision UI, which has pretty much everything an analyst would need, but then we also have different things. And in our Vision UI, what’s really nice about it is that you can have exposures for us. So, we have an algorithm that we created to where you can put in some information and we can monitor a company’s exposure off of our algorithm inside of the tool. And then this is our contact information. I do have some questions that was brought up. I’m gonna touch on that real quick and then we can go ahead and end. So, one of the questions that was asked was what kind of data are most commonly traded or exposed on the dark web and how has that changed over the past few years? Which is a fantastic question. So, starting with the past few years and how that’s changed. So initially, you saw a lot of financial and drug-related stuff on the dark web, especially around the time where a former marketplace called Silk Road, which was one of the first law enforcement takedowns of the marketplace, there was a lot of financial-related and drug trafficking that was happening through the dark web. And as the years have progressed, we now see a lot more technologically based crimes. Ransomware, leaks, data being sold, personal information being sold. This has grown because more companies from five, six, ten, fifteen years ago, are putting anything and everything on technology and with this come budget cuts at times where security teams diminish. So, cybercrime goes up, hacking goes up, as well as we’re in a time where everything involves ground technology. This has become a very big topic on the dark web. A lot of that information is now available.

Question number two that we got: Are there specific industries or sectors that are more heavily targeted or discussed on the dark web? And there is. And it’s hard to quantify. Healthcare is one that is on it. That personal information, medical records, that type of information, because if a ransomware organization is able to a healthcare organization, they’re typically going to get paid. And most ransomware groups aren’t the most trustworthy people, so they still release the information after being paid. Financial services, bank access fraud opportunities, selling crypto accounts that have already bypassed KYC. So, a threat actor can purchase that account sell it so now or use it to where they can’t be attributed back to them and then your government and defense contractors are always something that pops up as well on the dark web but anybody can be a target. It just depends on if it’s your day or not. Critical infrastructure, that is another thing that can pop up if there’s talk related to that because those are things that typically the payments go through.

The next question we have is, “What are the early warning signs that a company’s data or credentials might be circulating on the dark web?” And that’s actually a very interesting topic and could probably warrant its own webinar in itself. But some of the quick things that we want to do is company credentials, appealing and of their logs in combo lists. So those numbers, if for instance, an employee of a company access their company’s portal from their personal computer, which isn’t monitored by the company’s IT, and it did get captured in stealer logs, that popping up is a definitely strong sign you may be attacked, ’cause it just takes one person to understand, hey, I have a company login. Let me go login and figure out what I want to do. Mention of the company’s domain or brand on dark web forms as that starts increasing, concerns should start populating. That’s more like your medium concerns. Leaked internal documents obviously are an issue. And then that initial access, if you start to see initial access postings that appear to match your organization, that is something that you want to take seriously. Even though it has the potential to be a false positive, we still want to take that seriously. And then, of course, ransomware sites announcing that they hacked you. That is a clear indication that there’s trouble ahead and that we need to monitor that. Because ransomware sites, a lot of times, will post that something is happening before it happens because they’ve already initialized what they were going to start with.

And then the last question I have is: “With the growing use of encrypted messaging platforms and private marketplaces, is the traditional dark web still the biggest threat or is the landscape evolving?” That’s a fantastic question. And yes, the dark web is still a very, very big threat, but we have to make sure that we monitor the adjacent. The thing with the dark web where encrypted messaging platforms won’t ever be able to overtake it is the ability for somebody to find that information, to be able to start the conversations or purchase whatever they need to be. For instance, Telegram was very, very big a few years ago. And even some marketplaces shutting down on the dark web to be in Telegram. Because it was still very easy to find those marketplaces by just using the search bar. There’s no real messaging application that takes that over. So, a lot of times what you’ll see is that things will start on the dark web. And then from there they may move conversations into encrypted messages or channels. That doesn’t mean that that information still can’t be obtained and used for intelligence purposes. But I don’t think messaging will ever be able to take away from the dark web. It’s just another adjacent place that needs to be monitored as the investigation and intelligence needs to develop.

Thank you so much for your time, everybody.

---

Questions? Contact us.

March 21, 2025

Or, watch on YouTube

Attendees of this webinar, hosted with Carahsoft, learned about how in today’s world, Open Source Intelligence (OSINT) plays a critical role in uncovering threats and mitigating risks by leveraging publicly available information. This webinar dove deep into the practical side of OSINT investigations, focusing on how dark web data can be strategically utilized to enhance threat detection and risk assessment for organizations.

During this webinar, the Director of Intelligence of Collections at DarkOwl, demonstrated the power of DarkOwl Vision through real-world examples, including:

• Tracking stolen credentials from a recent data breach
• Monitoring dark web marketplaces for insider threats
• Identifying emerging cybercrime trends
• Analyzing chatter on forums to predict potential attacks
• Protecting executives and high-profile individuals

Participants gained hands-on insights into gathering, analyzing, and interpreting OSINT data, with a focus on applying dark web intelligence to solve real challenges.

NOTE: Some content has been edited for length and clarity.

---

Erin: Hi everybody. I am the Director of Intelligence and Collections at DarkOwl and I’m going to talk you through some background on the dark web and some OSINT investigations.

What we’re going to cover today, I’m going to give you a little bit of background on who DarkOwl are, what the dark web is, why it’s important, how we can use it in OSINT. And I’m going to do a couple of use cases and walk you through some examples of what we see on the dark web and how you might be able to use it for OSINT.

A bit of background about DarkOwl. We’ve been around since 2014, but collecting data I would say from the dark web in earnest since around 2017-2018. So, our goal is to collect data from the dark web so people are able to use that data for their investigations and to protect their organizations. We allow people to do that in a number of different ways, so you can access data through our platform Vision, which I’ll be showing you how to use today, but we also have APIs and data feeds which allow you to access dark web data, and the idea really is challenging to access the dark web, and also it can be against policies and violations to access it. It’s not easy to access and there are things on there that you might want to avoid. So we allow you to access that data in a secure way.

What kind of data do we have? We have layers of the deep and dark web as well as some surface web, although we are primarily a dark web company. Everything that you see here in red is something that we do collect from. We’re always looking to increase our coverage though and look at other areas where we see criminals, cyber threat actors, insider threats, people proposing violence, operating. So, we’re always on the lookout for other areas that we can collect from. But as I said, we’re primarily dark web, TOR, onion sites is where we get most of our data from, but we do also collect some surface websites, things like Doxbin, paste sites, certain forums where we see extremist activity being discussed, as well as underground criminal forums and markets and discussion boards. We also collect from Telegram and Discord. We see a lot of criminal activity operating in those areas. And this just gives you a breakdown of the volume of data that we have.

I believe there’s a polling question up on the board for you now. And that’s just to highlight, are there any messaging apps you’re seeing as part of your investigations at the moment that you would like to have more coverage of. As I mentioned, we do cover Telegram and Discord, but we’re always looking for other options. So please fill that in. You can have multiple choices. But going back to the slides, you’ll see that we’ve got a large volume of data that we collect. We have been collecting since 2017, and we do not remove any historical data because that can still be important to your recent investigations. And so, you can see the numbers that we have here. We also extract particular entities, so email addresses, IP addresses, credit cards and crypto addresses that can help you with your recent investigations. And we also have a large volume of data leak records that we’ll talk about in a little bit more detail.

And this is just to give you an overview of how our ecosystem works. We do have the Vision UI where you can access all of our data as well as APIs. We have several API products that allow you to generate scores and risk assessments based on the exposure that an individual has as well as context information about our data leaks.

And we also provide darknet services. So, for those that don’t have the resources and/or do not have the experience working with the dark web, we are able to do investigations and OSINT investigations on your behalf and produce reports regarding whichever you’re investigating. So, this is our Vision UI, it supports Boolean logic, it has darknet data within it, and it can also be used for alerting, but I will go through that in a lot more detail later in the presentation. But so, just so that we’re on the same page, let’s start with talking about what is the dark web.

No OSINT presentation is complete without an iceberg slide so this is our obligatory iceberg slide which breaks down the surface net, the deep net and the darknet.

We really do focus on the darknet you know collecting from onion sites, TOR, ITP, ZeroNet that is specific software that you need to download to access that and also, it’s not indexed so you need to know the URL that you are going to in order to find that information. So, it makes it a lot more difficult to navigate and identify sources that are going to be beneficial to you as part of your recent investigations. And that’s one of the things that we assist with. We, you know, have broad coverage across the dark web. We’re always looking to identify new sites and new areas where individuals are communicating or buying and selling goods. And so that allows you to be able to search that information. We also do do the deep net. So, this is not indexed by search engines, usually behind a firewall of some kind or password protected. It’s not easy to access, but it’s easier to access than the dark web. You can still do it using your usual browser. And there are a lot of forums and marketplaces and vendor shops, et cetera, that sit on the deep net. And then you also have the surface net. So this is, you know, the internet we’re all used to. It’s indexed by search engines. So, you can, you know, go to Google, go to Yahoo and find a site that you’re looking for and it’s all open. I would say more and more we are seeing fights on the surface web that are also engaging in criminal activity. People seem to be less concerned about obfuscating what they’re doing then they had traditionally been and also, I think law enforcement’s been quite successful in taking down some dark net sites and that has kind of moved people onto the surface net so that’s an interesting trend that we’re seeing at the moment and that’s why we cover those areas as well as just the dark net.

To give you a little bit of history on the darknet, It started in around 2000. The Darknet Tor project itself was actually created by the US Navy as a means of secure communications for their operations. And then they decided to make it an open source tool. The Tor project is a not-for-profit that runs Tor and the onion sites and the bridges, et cetera. It’s always worth noting that there are fully legitimate reasons for using the dark web for those that live in countries where communications may be limited and, you know, they may not be able to access mainstream media, things like that. Tor can be used for that. And also, people who do really want privacy. They can use the dark web to enable that privacy. I’m not going to go through everything here on this slide obviously it goes up to 2020, but you can see that there’s been a lot of things that have happened in the darknet, things like cryptocurrency becoming more prevalent and being a semi-private way of people transacting and law enforcement operating on the dark web to take down sites has been a game changer as well. But there’s a lot of things that have happened on the dark web ecosystem and continue to happen to this day.

Okay, so why is dark web data important? I’ve kind of touched on this, but a lot of criminals operate on the dark web. So, we see people communicating on the dark web in forums, in messaging apps, having conversations, but we also see people selling and buying goods. We see people offering services. There is a lot of activity that happens on the dark web that can be useful to your investigations. And there’s also sites where people’s data is released. So, data leaks, stealer logs will go into in a little bit of detail, as well as things like DoxBin where people’s information is released. So, it can really help you in your investigations identifying information about individuals, but also can help you to kind of protect individuals from an executive protection perspective and we’ll talk about that in a bit more detail as well.

While we’re level setting on dark web, hopefully everyone on this webinar is aware of what OSINT is, but it’s basically the collection analysis and dissemination of information that is gathered from publicly accessible sources and these are a couple the sources that are out there that I think are familiar to most people doing OSINT investigations. But people don’t always think of the dark net. I think some people think it’s scary. There are questions about whether or not it’s truly open. But it is in fact open. It’s harder to access, but all of the data is out there for people to go and view if they choose to. So, I like to think of it as a tool in the toolbox that an OSIN investigator has. you know, you should be looking at social media, you should be looking at public records, you should be looking at, you know, other mainstream websites that are out there, things like the Wayback Machine, but the dark web is an important element of that investigation and gives you kind of a broader overview of information that you might not get from other sources. I feel like, again, I have the obligatory iceberg slide, this is my obligatory AI generated image. You can see that it’s AI generated because it’s the Dark Wab and not Dark Web. It seems that when you give it a few too many prompts, it gets confused, but this is my obligatory AI image.

Okay, so but what things do we see on the dark web? So hopefully people are familiar with some of these. I think some are more well known but marketplaces are definitely, you know, a mainstream and one of the things that first started in the kind of criminal ecosystem of the dark web with things like Silk Road, which was not the first market, I believe, Farm was, but, you know, marketplaces for buying and selling drugs, illicit goods, hacking tools, tutorials. You can purchase hitmen, you can purchase all manner of strange things, whether or not that’s legitimate or not is something that we can also discuss.

There’s also a wide range of forums, so people kind of talking about things that interest them. Breach forums is probably one of the most famous forums out there that works in buying and selling data and sharing data. But there’s also extremist forums out there, things like the in-sell community, right-wing extremists operating on forums too or people just discussing general things not all of the forums are bad. There are some social media sites that are on the dark web too. There are mirrors of things like Facebook and Twitter that appear on the dark web so people can access them in countries where there might be censorship so that that’s one of the more legitimate areas and also we  talk about social media and I’ll go onto this in the next slide as a dark web adjacent area where we do see criminals operating on mainstream social media as well.

Cryptocurrency obviously is the currency of the dark web. We still see bitcoin as the largest currency being used but things like Monero and Zcash and more of the privacy coins are also popular. You you know, wallet explorers, there are dark web wallets, there are tumblers, mixers, et cetera. So a lot of cryptocurrency activity can occur on the dark web as well as being, you know, again, perfectly legitimate information, there are a lot of new sites that are on the dark web. The BBC has a new site. I believe CNN has a new site. And there’s also just kind of other sites that share information. These can be kind of data repositories, you know, when information is leaked by whistleblowers that can sometimes appear on the dark web as well. And then we have data leaks. So rather than kind of whistleblowers, that’s more stolen data and data that’s been taken illegally. And in that vein, we also have ransomware. So, a lot of ransomware groups have leak sites on the dark web where they will kind of shame their victims into paying the ransom by saying that they are a victim and they’re gonna release the data. If the victim does not pay the ransom where they do usually then release that data which is downloadable on the dark web.

But as I mentioned, there’s also some things that we refer to as dark web adjacent. Oh, there’s a poll question. So, what areas of the dark web are of most use to you. So I’ve gone through some of them, but it’d be really interesting to know from your perspective what is most beneficial for you and your investigations and your day-to-day job. But in that thing we also have some dark web adjacent. That’s what we refer to as sites that aren’t or messaging apps or platforms that aren’t exactly on the dark web, but they’re still being used by the same community of people, i.e. usually criminals or extremists or some form of bad guy for one of the better phrase. Things like Telegram, ICQ, Jabber, Discord is a gaming site as is Twitch, where we see people are sharing classified information, they’re making threats. A lot of the so-called gore community are very active on places like Discord tends to be younger generations and people that are into gaming, as you would expect. But these are all areas that we think it’s important to also have coverage of in order to, you know, have a full coverage of these communities and these groups and how they’re interacting. Obviously, I would say there’s been some changes in Telegram. In recent months, but that we are still seeing a huge amount of people operating on Telegram in a malicious way.  And then the surface web, marketplaces, vendor shops, forums, as I mentioned before, excuse me, we are seeing some people that are operating in the same way they operate on the dark web on the surface web. You can find those vendor stores and those marketplaces, which I think is an interesting evolution and how these communities are operating.

Okay, so there is a lot of data on the dark web as well. So, we’ve kind of talked about the general themes and the types of sites that there are, but there’s also a lot of different types of data and a lot of different types of information. So, a huge amount of PII appears in data leaks and is discussed on some of the sites as well. Financial information, There’s a huge ecosystem of financial fraud, people selling credit card data, selling banking information, selling details of how to operate in a financial fraud way. So, we see a lot of people doing tutorials and giving guidance about how to conduct some of these scams. There’s also a huge, as you would expect, cyber and hacking community. So, people trading malware, and exploits, and different tools that you can use, you know, the phrase script kiddies, individuals who aren’t necessarily that sophisticated enough to build code or build these vulnerabilities, but they can purchase them and execute them and still kind of use them for criminal activity. So, we see a lot of trading of those kind of things, drugs, obviously, and cryptocurrency I’ve also mentioned. There’s a lot of activity that can come from this kind of data. We see cyber-attacks. We see data exfiltration and hacking. There’s also cyber espionage. I mean, APT groups are hard to identify, but they’re definitely operating in some of these places. And insider threats as well, people, you know, talking about sharing information that they should not be sharing or making threats to their organization. These are all the types of things that we see on the dark web.

Let’s dive in a little bit more into what data we actually see and kind of try to look at it from an OSINT perspective where possible.  Ransomware I have already mentioned. This is two examples of ransomware leak sites, one is LockBit, the other one, I actually don’t remember which ransomware site it is, but you can see like they will share the information about the company that has been victim of a ransomware attack.

But you can see they’re also operating the yellow image. You see that they have a Telegram channel. They are on Twitter and they are on Facebook. So they have a dark website where they share this information, but they’re also operating on kind of more of the mainstream areas. And that can be really useful for you as part of an OSINT investigation. If you’re trying to identify more information about these, you’re building that kind of what we call darknet footprint and digital footprint for these groups and how they’re operating. So, you know, their sites can give you information about them that can help with understanding how they operate. But also, you know, the information that they share while stolen and really should not be shared can be used as part of investigations as well. Especially if you’re concerned about supply chain or third party risk, understanding what data has been released about an organization can help you protect your organization if, you if one of your supply chain vendors is in there, or if you are the person that has been leaked, sorry, had been ransomed, knowing what of your data has been released and is out there for other criminals to kind of delve into, is an important thing to know. And I think some people get concerned about this data and it’s stolen data, but the thing I think people need to understand is criminals have access to this data, threat actors have access to this data and they will use it to conduct more criminal attacks, so it’s important to know what is out there from a risk perspective so you can better protect yourself.

Financial crime I’ve mentioned, we see a lot of marketplaces but also places like Telegram being used as a market for people to sell financial information. So, you can see here there’s stimulus checks being sold, there’s people selling plain credit cards, there’s other things that they’re making available on here, cash apps, etc. So there is a huge ecosystem of this financial crime.

And in the theme of markets, we also see people selling drugs and weapons on the dark web as well.

You’ll see that a lot of these markets look similar to what you would expect to see from, you know, a commerce website on the surface web as well. They provide pricing, they provide images, they also provide reviews. And that can be really useful for us from an OSINT perspective. So, you know, things that you might want to look into on these markets that can give you some clues that you can go and look through in more traditional sources. So, you know, you’ve got OSINT, sorry, you’ve got reviews, as I just mentioned. So, these are some examples of reviews. I don’t know that they are legitimate to be honest, but you’ve got the username, you’ve got the date that they purchase, And sometimes they give some information in there, like, you know, it arrived really promptly that could give you ideas about, you know, where are they based? Where are they purchasing from? And, you know, how it operates. We’ve also got here, like, more descriptions about the drugs that they’re selling. So, they’re telling you the type of drug. It’s a pressed pill. They’re made in-house. So that’s something that they’re, you know, Again, you can never really trust a threat actor, but they might be operating this themselves. That’s something to go on. And they’re also saying that we ship worldwide.

We’ve got other examples where they tell you where they’re shipping from. So, this is actually counterfeit money that they’re shipping. And they’re telling you kind of how they operate it, what techniques they have in terms of producing this counterfeit money, but also they say they’re shipping from Romania. It’s a pretty good starting point that they could be operating in Romania and that they’rei ndividuals based in that country. Again, with OSINT, you also always have to verify everything. You can’t take anything at face value, but these are data points that I think it’s important that you pull out.

And this one is a little bit maybe harder to read, but I thought it was important because they’re giving them details and almost like TTPs of how they’re operating. So they’re telling you they ship it in an envelope that it uses anti-extra bags and if it’s inspected, it will get through it. And they’re actually saying that the National Post Service is the safest way to order it and that they also use express shipping. So, if you’re doing an investigation into kind of the methodology of someone selling these drugs or counterfeit goods, I think I believe this one was still a counterfeit money. You can get from these marketplaces and from these sites information about how they are actually operating, which can really help you in your investigation and maybe where you wanna focus to identify things from other sources that are out there.

Stolen data is also a big one. I’m not really going to show real examples here because I don’t want to expose people’s PII, there’s some of that. But these are, this is Breach Forums and I believe LeapBase. These are sites that appear on the dark web where people are sharing data. And again, we get a lot of questions about is this open? I would say predominantly on these sites; the data is shared freely. Sometimes you need credits, so you need to have a reputation on the sites and that have built kind of some of that persona. But by and large, this is freely available data that again, criminals are going to have access to and it’s something to be aware of.

This gives you an idea. This is a breakdown from data that’s in our platform and Vision.

I looked at the last 90 days and it gives you a breakdown of some of the PII that is available in these leaks. So, you know, names and email addresses you’d expect, but you’re also seeing identification numbers, information about people’s genders, information about companies, phone numbers, dates of birth. You know, there’s kind of two use cases for this kind of data, I think, in the OSINT realm. One is, you know, attribution of looking at threat actors. There’s so much leaked data out there now, but threat actor information is going to appear in there as well as, you know, legitimate people’s data. So, it can really help you with that kind of attribution use case but also from a risk analysis perspective understanding what information is out there about yourself or your employees or you know individuals that you might seek to protect. This lets you know kind of what level of risk they have, what level of exposure they have and how criminals might be able to target them.

Stealer Logs is something that we’ve seen a huge rise in. They’re not new, but they just seem to be a lot more prevalent in the last year or two than they were previously. This is an example. ALIEN TXTBASE is a group that have been sharing not full stealer logs, actually, but what we would call combo stealer logs, where it has the URL, the password, and the username of an individual. And they’re making that available on Telegram. So, you know, this is great for criminals in terms of they are able to log into accounts, do account takeover attacks, depending on what URLs appear here, it could be access into someone’s network. But CELA logs are basically malware that exists on your computer or a victim’s computer and steal things like cookies like your auto fills on your browser, your passwords, and your usernames. It can also steal things like cryptocurrency wallet addresses, basically anything you’re doing on the internet, it can hoover up and we have some good blogs that I would recommend about stealer logs and how they work and how they operate and the different types of them. But they have a huge wealth of data in them.

And again, threat actors have been victims of these as well as legitimate citizens. And we’ve seen a lot of research where you are able to search for places like XXS or exploit, you know, dark web forums and see people’s user information and that can really help with attribution, but also knowing that risk of your password and your username is out there and that can be used for a variety of different attacks is really important and also because the cookies are in there it can help threat actors get past two-factor authentication and OTP codes as well, so that’s something to bear in mind. Again, I said I wasn’t going to share actual data, so I wanted to give a really basic description of how some of this data can be useful. But if you have an email address for a threat actor or someone you’re interested in understanding more about, you can search for that in leak data, and it might appear and show that it’s linked to a password. Depending on how unique that password is, you might be able to identify other accounts that they’re using because we all reuse passwords. We shouldn’t and we get told not to all the time, but most people do. So, you might be able to identify other email addresses and then you can use other OSINT techniques to find more information linked to that. There are tools out there that will allow you to search for an email address and using open-source techniques can find things like telephone numbers that link to social media accounts, that link to things like Cash App and Venmo that can give you access to the real identity of an individual. So, this is a very basic, simplistic way of talking about the workflow, but you can definitely use information and data leaks to be able to investigate individuals. I see it as another tool in the toolkit of data that’s open that you can use as part of your investigation.

We also see a lot of extremist activity on the dark web and on particularly Telegram. So, these are some images that we identified related to ISIS but we also have things on there that are you know right-wing, extremist, racist information that’s being shared and it’s important to monitor these because they can lead to real world threats and so we need to identify what is being done. You can see with the ISIS threats these were around some sporting events where they were encouraging people to target the sporting events and they were giving specific areas that they should do that and this is something we’ve definitely seen an increase of is using the dark web using things like telegram to incite violence in others and create loan actor attacks. So, it’s definitely something that needs to be monitored.

Executive protection is also a use case that we’re seeing more and more active on the dark web or the data on the dark web helping with that use case I should say. So here I’ve got and I apologize for some of the language in this, but just to highlight, on the left-hand side, we’ve got a post from DoxBin where they’re talking about X FBI agent, whether this information is accurate, I don’t know, but you can see they’re providing things like date of birth, address,] telephone number, his wife’s information, what their role was. He’s also got their daughter’s information. So, huge amounts of data are being shared about individuals on Doxbin. If you’re not monitoring that, then that’s going to be an issue because, you know, a lot of when people’s information is shared here, it can lead to real -world attacks, like things like swatting attacks. A lot of that information would come from Doxbin. You can also see we’ve got a data leak here that specifically mentioned CrowdStrike employees. Again, I haven’t provided any of the actual data, but you’ve got first name, last name, email, where they’re located, their phone number, their job title. So, this is information that’s being released about employees. And again, why you need to kind of be monitoring data leaks for your employee’s information being shared. And I think it’s really important as well that you do that from a corporate perspective of looking at corporate email addresses, but to do this completely you also need to have access to personal information too. And then the the one with the not great language so apologies again for that is it’s from 4Chan and it is an example of a particular individual that I have blanked out being threatened and being said he will be shot, shot like the healthcare CEO and it’s a long time coming. So, we can see kind of chatter and rhetoric of people making threats against individual on dark websites as well. And it’s really important to analyze those and make a judgment about, you know, the risk that these individuals pose and then using OSINT techniques to see if you can identify who these individuals are so you can have a bigger picture. 4chan unfortunately, is a difficult one to do that with because it’s anonymous, but it’s so important to know what people are discussing.

And then you can also do threat actor investigations and attribution. So, this is a bit of a historic one, but Pompompouren was the admin of Breach Forums previously. He was also on raid forums, and you know, from analyzing the data, we were able to look at the username and see that he was active on all of these different dark web forums. We were really able to build that footprint of how he’s operating, but you’ll see he was also, on Discord. And so, it really allows you to kind of understand how this person’s operating, and obviously you can analyze their language and what they’re talking about. And if there’s any clues within those forums to location and information. But I highlighted the DoxBin for executives through Actors Get Docks all the time as well. So, this is an example of information relating to him that was shared online. Several people doxed this individual. So, it’s clear now that Pompompouren was Conor Bryant Fitzpatrick. He was subsequently arrested. So, using the data, and again, this is a very simplified version, but you’re able to identify a real person based on a username and kind of how people are interacting in the community. And from that, we were able to identify telephone numbers that they use that you can do further research on IP addresses that we use. And I believe one of the IP addresses that was associated with of Fitzpatrick was actually where he was hosting breach forums, and the FBI were able to use that. He is now or he was incarcerated, he was charged. So using the data and the information online can really help you doing investigations into threat actors as well.

Okay, and we have a third question. So what use cases are most important to you? I think it’s important to understand what use cases people are working on so we can best identify kind of the data that’s going to support that from the dark web.

But with that said, I’m going to move on to a couple of quick demos to show you real world examples of how we can find data using the Vision platform (see recording for demo portion).

---

Interested in your own demo? Request one.

February 19, 2025

Or, watch on YouTube

Executives are increasingly targeted by activists of all types, posing significant threats to them personally and risks to their organizations. Many of these attacks can be detected or even predicted by monitoring exposure of the executives in the darknet, including leaked and stolen PII, credentials, chatter around the executives, and in some cases direct threats.

Despite utilizing various security tools, many organizations lack a dedicated executive protection service to monitor and alert on potential threats or negative chatter targeting executives. Addressing this challenge might seem complex, but the stakes have never been higher.

In this webinar, attendees learned how to effectively baseline, monitor, and alert on organizational and executive threats using Dark Owl’s Vision platform. Discover practical steps to safeguard your executives and your organization against these evolving threats.

NOTE: Some content has been edited for length and clarity.

---

Kathy: Today’s webinar will be held as a fireside chat with Mark Turnage, DarkOwl’s CEO as our moderator. Before we begin, we’d like to give each company a moment to introduce themselves.

Brandon, would you like to tell us a little about Ascent Solutions?

Brandon: Absolutely. So, if you’ve never heard of us before, we are Ascent Solutions. We’re an award-winning Microsoft Solutions partner that specializes in the Microsoft security stack. We offer a wide range of cybersecurity services to include advisory, professional services, as well as managed services, including Cyber Threat Intelligence, Security Operations Center, and Threat and Vulnerability Management as a service, just to name a few.

Kathy: Mark, would you like to tell us about DarkOwl and then start our chat?

Mark: I’d love to. My name is Mark Turnage. I’m the CEO of DarkOwl and Co-founder of DarkOwl. DarkOwl is a company that was established for the sole purpose of monitoring the darknet and what we call darknet adjacent networks for criminal activity and underground activity on behalf of our clients. We monitor over tens of thousands of sites a day and they include everything from the traditional TOR network all the way to Telegram channels where threat actors are now, are now active. Our product is, our data is available via a number of different ways, UI, APIs, data transfers, and we number many of the world’s largest cybersecurity companies as our customers.

It’s a pleasure to be here today with Brandon, and I’m going to just let Erin introduce herself really quickly, and let’s start with questions.

Erin: Hi, everybody, I’m Erin. I’m the Director of Intelligence and Collections at DarkOwl, so responsible for the data that we collect as well as doing investigations on behalf of our customers.

Mark: Great, let me go ahead and start. I’m going to direct this question first at Brandon and then at Erin. Can you give us the basics of executive protection? What is it and why is it important?

Brandon: Well at Ascent Solutions we offer what we call digital executive protection monitoring and alerting services that succinctly tie in with our team’s approach to continuous threat exposure management. Our approach to executive protection is actually rather simple. We provide enhanced monitoring of the dark web that specifically focuses on key executives and organizational leadership, so alerts that we recognize that alerts specifically pertaining to these individuals and key personnel could require a more tailored and of course timely approach with additional requirements actions activities and engagement beyond just the regular security team.

Mark: Great. Thank you. And Erin. Why is it important to monitor specifically, executives’ data online?

Erin: Executives tend to be the most visible people in any company. So, their information is out there, they’re doing things like webinars, they’re putting press releases out, et cetera. And so that makes them more of a target to individuals. And I think historically we’ve thought about physical threats and that’s still a concern obviously in terms of people being targeted, but more and more we’re seeing with cyber threat actors is that they’re using the information that they can obtain in the digital realm in order to target those quite visible people. And they can do this in a number of ways and this is why it’s important to monitor digital activities from different perspectives because there’s information that can be leaked about executives which can lead to information that threat actors can use and they can get their credentials and get access things that way. But there’s also a social engineering aspect to this, you know, if people are putting a lot of information out there on social media about their movements, about their hobbies, about how they operate, that makes it a lot easier for threat actors to impersonate them or use them to target members of the company. And we see that a lot with phishing attacks. So, I think it’s really important to understand, especially for executives, but probably for all employees and individuals, you know, what information is out there about you and what steps can you take to protect your digital footprint.

Mark: And I’m gonna go off script here, so I’m gonna cause our hostess Kathy to have a heart attack.

You know, I have heard through the years and have seen it, we’ve seen a little bit of it ourselves that oftentimes not only are executives the most visible members of a company, but also, they’re the least cautious. It’s the C -suite. Have you guys found that to be the case in some cases? I don’t want you to bad mouth your clients or our clients, but do you find that to be the case?

Brandon: I’d say it depends on the executive when it comes to that, but I’d say that there’s some consistency with that, Mark.

Erin: Yeah, I would say anecdotally, that does seem to happen. But I feel like maybe it makes bigger splash when it’s the C -suite that’s messed up. But you know, people, I think as well, like it could be, you know, a generational thing as well. C -suite tend to be older. They tend to be less tech savvy. They tend to not think about social engineering attacks or how the information that they’re providing could be used. But then in the same vein, younger people put way too much information on social media, in my opinion, so it’s a balance.

Mark: Sure. I mean, I’ve been subject to phishing attacks myself. Some of them quite sophisticated. And all of them, all of the most sophisticated ones tried to take advantage of the fact that I was the CEO. They had a message or a sender that I would pay attention to. They were quite sophisticated.

Brandon: Yeah, I would love to add to this one too big time. Multiple vendors throughout 2024 identified that threat actors are increasingly targeting executives basically to get a foothold into their organization causing reputational damage or just picking an insidious activity. This is also actually quite consistent with what we’ve mentioned about what we’ve seen in our SOC and we have to keep in mind that executives often have access to the organization’s most critical business functions that threat actors can have used to gain the foothold. We don’t exactly, to Erin’s point, make it very hard either. We feature our executives, in some cases, we feature the contact information, direct contact information for these folks and stuff out there as well. So, putting it all together, we basically roll out a red carpet for these folks to attack our most senior folks.

Erin: I think it’s what you have to think about the senior folks being impersonated as well. So, you know, employees are much more likely to respond to a phishing email if they think that it’s coming directly from an executive. And, you know, with things like AI now, you can generate an executive’s voice. If an executive is out there doing a lot of press webinars, their voices on the internet, you can impersonate that and use that against their employees. So there’s aspects of it as well.

Mark: We’re gonna come onto that. And the question I had for you, Brandon, was what is it about now? What’s different about now that makes monitoring this type of data more important than ever?

Brandon: Well, I think threat actors are getting more creative every day. And we’re seeing them attack and exploit things that are often on the periphery, especially since throughout 2024, we watched a lot of different vendors, third party vendors and stuff that have access into different environments get hit and whatnot. So, I do think that most of the time, when we get dark web monitoring and learning services, it’s specifically monitoring your email domain. But we need to open up the aperture on that, in my opinion, we need to be monitoring the organizational and any mentions of the organization, obviously email domains and credentials. But specifically with executives, sometimes a lot of these executives’ link some of their non-business email addresses or contact information to their business email contact information as well. So, with that, we got to be mindful of threat actors exploiting these fringe and these periphery things and stuff to get access. Their goal remains the same, causes much damage, get access, sell access, etc. We’ve got to be cognizant of that.

Mark: And Erin, what’s different about the dark web as opposed to more social media sites? Give us some sense of that difference.

Erin: Yeah, I think people on the dark web have a bit more of a sense of they can do whatever they want. So, you know, we see things like doxing, where threat actors will just provide information about individuals, and it will basically be a dossier of that individual, all the information that they can find about them. We don’t tend to see that shared as much on things like social media. And also, just the sheer breadth of kind of leak and stolen data and Stealer Logs is something that we’re seeing, a huge surge in and the dark web is where they buy and sell that information.

And I think everyone needs to be cognizant of this. You can be as careful as you want about your digital data and your footprint, but you don’t have any control over the third parties that you’re putting your information into. And if they get breached, your information is out there. So you can be pretty savvy, you can have limited social media profiles, you can have all the privacy settings, etc. But if you have my fitness power, my fitness power gets leaked, your information is out there. So that’s on the dark web. So, I think it’s very important to be aware of that.

And then kind of moving to some of the dark web adjacent sites that we monitor as well, things like Telegram and Discord. We see a lot of individuals talking about targeting or talking about accessing particular companies or just geopolitical events that their lives and you know are hitting on organizations and companies so I think just monitoring that rhetoric as well, stepping slightly away from specific executive protection but just kind of general organizational protection and reputational risk there are a lot of individuals out there that you know making anti-Semitic comments making violent comments you know making threats against executives and against organizations. And I will say social media has probably changed slightly in the last year or so where some people feel that they can do that on that open web as much as they can on the dark web, but it’s certainly something we’ve seen in the dark web, you know, over the last few years increasing.

Mark: And Brandon, give us some examples of some of the threats and risks that you guys have found and maybe talk about a unique case that you’ve you’ve come across.

Brandon: I think most commonly we see stolen credentials, data breaches ransomware posts, threat actors discussing sharing proofs of concepts or just the sale of weaponized exploit code targeting specifically vulnerabilities amongst many other different nefarious things. So, we got a couple of I think the most consistent one that we see, I would say more than often is, you know, we, our customers ask us, well, why, why are my executives, my leadership the most phished? Well, it’s like, well, look at your website, man, you got the contact information right up there. And, or, it’s something as like, your boss keeps signing up for all these random newsletters that continue to get hit, you know, with his business email, which is why he’s on X amount of different data of different data breaches. That’s the most common, the most consistent. But I think the most bizarre case that we ever had to respond to, we had a customer that had just moved organizations and went to an organization that recently got hit by a threat actor. And he had called us in to give him a hand and some assistance. Specifically, my part was to monitor the dark web, kind of get a good idea of what their presence really looked like on the dark web as well, which was very important for him, obviously. So built a couple of different cases, a couple of different cases, specifically watching for organizational mentions, email domains, or just anything and all things related to the victim company. And sure enough, the threat actor wanted to gloat about his ill -begotten gains, and he threw up a post detailing exactly what he had stolen from the company at that point took that handed it over to the team that was investigating the situation and it kind of gave them a better idea of where this threat actor could have been. So, continuing to monitor updating as needed you know especially the posts and stuff as the thread grew on there and I guess the threat actor made some enemies of his own kind, and they decided to dox him.

Mark: Oh my god.

Brandon: After they doxed him, they basically put it out there like this is who he is, thisis where he lives, this is his home address, this is where his parents work, here’s all his socials, these are all his data repositories, this is where he stores his data. And they basically stripped this threat actor, all this anonymity and then immediately I turn that over to the team and I would like to believe they finally adjudicated him. I haven’t seen a post from him since. So, it could be that, well, let’s hope.

Mark: That’s very, very interesting. Erin, give us a sense of what trends you’re seeing in terms of threats in the current environment.

Erin: Yeah, I just want to jump onto what Brandon was saying there. I always find it really interesting, like I think we focus very much on, “let’s protect our executives and our organizations,” or it’s absolutely we should be doing but I love the fact that the data that we have in leaks and from doxing and stealer logs helps us to attribute who is actually doing this so we can kind of use what they’re using against us back against them and it really helps to know kind of why someone’s doing something and what their motivation is because it allows you to assess the threat you know a lot better you know there’s a difference between armchair trolls that are just making threats because they’ve got nothing better to do and someone that is going to follow through on that threat. So, I think it’s really interesting to have that motivation.

In terms of trends, we’re just seeing a huge mass of data, it’s just growing and growing. We’re not seeing that diminishing in any way in terms of data leaks. I think stealer logs, they’re not new, but they definitely seem more prominent in this sector in terms of people being able to use those, the amount of credentials that are stolen and how people can use that to access things. I think we’ve definitely as well seen a lot more sophisticated social engineering, I think particularly some threat actor groups in terms of targeting call centers and targeting help desks of organizations as well as the executives and CEOs, and being pretty convincing based on the information that they’re able to find on both the dark web and the surface web to put that out there. Brandon’s already mentioned phishing as well, you know, not a new trend, but phishing is not going anywhere. I think as long as your email address is out there, it’s a technique that works. I mean, you look at things like colonial pipeline that was, you know, really basic phishing and lead to credential attack that, you know, led to the shutdown of the colonial pipeline. So, I think those are the things that we continue to see and that we have to continue to mitigate against.

And then I guess the other thing that I’ve kind of already touched on that we see in terms of threats being made against executives or organizations, I feel like anecdotally, people are less concerned about the threats that they’re making there. They’re not trying to obfuscate who they are as much as they used to. I think people feel a little bit braver about what they can and can’t say. And you know, part of that’s people on the internet, they’re sitting behind a screen, you know, they think they’re untouchable. But also, I think it’s just kind of the way things are developing geopolitically, people have a sense that they can do things and take action. And I think, you know, we’d be remiss in an executive protection webinar not to talk about the United Health Care assassination. You know, that individual, as far as we know from reports, obviously, I wasn’t involved in that investigation in any way, didn’t have a huge amount of rhetoric online, you know, thinking about doing that. But I think it really just highlights, you know, when people have pain points, and they’re talking about those pain points, you need to kind of pay attention to them. And that the digital world and the digital things that people are talking about and the exposure that people have, you know, he had to know that that executive was going to that hotel at that time, and that was probably from his digital footprint. And so there can be real world, you know, real world impacts outside of, you know, hacking and, you know, network things that I think it’s important to be aware of as well.

Mark: And can I ask you both a question when you’re monitoring an executive take me as an example you’re monitoring Mark Turnage. How often do you pay attention to Mark Turnage’s is spouse or partner and family. Have you seen that as an attack vector by threat actors?

Erin: I would say it’s definitely an attack vector. Again, executives will get education through their security, through their SOC, whoever telling them what they shouldn’t do and they can improve that. Whereas kids might post where they’re going on holiday and things like that, and it can make them more vulnerable. What I would say about that, though, is that it’s really up to the organization and the executive whether they want to extend the monitoring that wide. A lot of people for very legitimate reasons don’t want to share the more personal side of their information, their family, their personal emails, etc. I would caution against that because, you know, you need to look at things in the whole when it’s looking at this. But yeah, that does tend to be an issue is the privacy concerns around that.

Brandon: Yeah, I grouped that with the periphery as well.

Mark: We’ve seen one or two cases where the social, as Erin said, the social media posts of children were a primary attack vector because they could follow an executive’s family around. And as Erin said, it’s a choice for the executives and the organization to make.

Give me a sense, Brandon, what practical steps can be taken to baseline an organization and then monitor it? And how have you used DarkOwl to monitor and alert to these threats?

Brandon: Yeah, absolutely. Well, one thing I learned after 20 years in the Marine Corp., is collection planning is key for any different type of operation. So, what we do for Digital Executive Protection Monitoring and Learning Services, we have a whole menu of different things that we offer our different customers and stuff who wish to subscribe to this. So, it’s up to them. From there, we pump that stuff into DarkOwl to specifically monitor for those different things. And the great thing about DarkOwl is you’re able to build a case and stuff where it’s gonna go out and fetch whatever frequency that you want it to. This is the information that you ask it to go look for on various different things. If I wanna specifically look in extremist forums or just other threat actor-based forums, I can have it look specifically for these different things and stuff there. Or if I just wanna focus on email domains or email addresses or all that in these different forums, like – Yeah, absolutely, I’m gonna go do that. Most consistently, as far as our basic package goes, what we do is we monitor the organization, organizational email domain, and the names and the business email addresses, and in some cases, personal email addresses that are joined to the network environment of the different executives, and we build a case around that. So anytime something does pop up, it’s I get a notification and then we handle it accordingly.

Mark: So great. And and those can be in relatively real time, you know, within a minute of a post being posted.

Brandon: Yup.

Mark: Erin, give me a sense of what mitigations companies can take to protect their executives. I mean, it sounds like there’s this Wild West world where data is being spilled out there or doxed out there, you know, what kind of company or an organization really do to mitigate the risk to their executives and to the organization itself?

Erin: Yeah, so I think one is doing this kind of monitoring and being able to baseline what is already out there because there’s no way that there isn’t something out there to begin with. So, you want to have that and you want to be able to see for any changes. But basic steps that organizations can take is giving people cybersecurity training on phishing attempts and what to look out for, giving people advice on what they shouldn’t share on social media and how they should set their privacy settings, etc. I think having a really strong password policy leaks are going to happen, but if you’re not using the same password on every account, it really reduces the risk that it has to your overall footprint. I think using things like password managers can really help with that.

And then I think being cognizant of what data is out there, you know, there are ways to remove some of that data, not on the dark web, unfortunately. So if your data is on the dark web, your data is out there. But there are a lot of kind of data brokers and other organizations that will hoover information up from public records and from social media and you can legally ask for that information to be removed. So that’s something that you should probably look at doing as well.

And I think just being generally vigilant, making sure that your employees are trained and know what to look out for, but also know what they should and shouldn’t do. Like, don’t post too much information on social media. Don’t mix your personal and your business email addresses on accounts like don’t use your business account for your hotel bookings and things like that because that’s the way that threat actors can you know piece together your life and do those kind of doxes that Brandon was talking about. So, I think it’s just having good cyber hygiene and having good education to try and mitigate and reduce the risks as much as possible. I think everyone needs to be aware that you can’t remove the risk. You know, there’s steps you can take. We can do this monitoring. We can be looking out for that. We can be as vigilant as possible. That we can’t protect all third parties where we’ve put our data. And so, you just need to be very vigilant for these types of attacks.

Mark: And you must get this question all the time, Brandon. What do we do about this? Can I take darknet data off the darknet? Can I take my data?

Brandon: No.

Mark: You must get this asked this all the time by your clients.

Brandon: All the time. Adding to what Erin said, I think enacting a continuous monitoring of your executives on the dark web and integrate custom alerting into your SIM to identify and respond to potential security threats. I think that’s awesome, which is why we bring that into our continuous threat exposure management, modest operandi here at Ascent Solutions. We bring this all in together. And I think it’s important having the sufficient processes in place and stuff to monitor for these specific things. DarkOwl enables a lot of that. And there’s a lot of science that goes after that when these things happen, which is why I’m just very graceful to have such an awesome SOC team that I’m a part of.

Mark: And we haven’t talked about this. Let me ask this question. How deep in an organization is it? Have you monitored for executive protection below the C-suite level, senior management as well, or do you tend to focus on just the C-suite?

Brandon: I think it depends on the organization and where they have determined their most critical business functions are. So, although this person is a mid-level part of the organization, this person is in charge of all these different industrial control system equipment here, and they have a public-facing presence that interfaces with the OT environment and the IOT environment. So yeah, that’s definitely a high-valued individual. It depends on the organization to answer your question, but yes.

Mark: Yeah, I was thinking about system administrators, for example, they’re not as sweet, but they’re very, very important people and in organization.

Erin: Yeah, I think it can depend on the role. Again, it depends on the organization, their size and their appetite for this kind of thing. But there are certain roles that you definitely need to kind of be aware of. But I think it’s also, I think to Brandon’s point, what public exposure those individuals have, the bigger footprint that they have out there, the more likely they are to become a target. So, you might be someone that has a really important role, but you’re very discreet and kept quite quiet and not publicly listed on the website or anything like that. And that’s not to say you shouldn’t want to say for them, but it’s probably less risky.

Brandon: Correct.

Mark: I’ve never heard of a company like ours or yours doing this, Brandon, but you might want to do a social media audit of all the employees to see who has the most social media exposure. Because I mean…

Erin: There’s a direct correlation with that, right? Like, so Mark, you were talking earlier about how you get phished all the time. And I know other people in our company have received those phishing emails. I never get them. And my hypothesis is, because I’m not on LinkedIn. So, you know, you can make yourself less of a target by protecting your digital footprint in certain ways. I know anecdotally of a case going back to what you were saying of family members and like checking social media and things. They had an executive who was pretty careful and pretty secure, but their wife had uploaded a review that included locational information. So, you know, it’s what people put out there.

Mark: Yeah. I have seen CISOs, system administrators, and other cybersecurity professionals very active on social media, which is an interesting tension given their roles. We’ve talked a little bit about use cases, but if you guys could both finish with sort of – one of the most unique cases that you’ve seen using the tool, that’d be, I think it’d be informative for our listeners here.

Brandon: I think the one that we specifically talked about with the other company with the threat actor getting doxed, like that was the absolute most unique case that I’ve ever seen. You know, and that’s definitely in the Hall of Fame for as far as DarkOwl for the win moments for our company.

Erin: I’m trying to think I don’t know that I can think of something that’s particularly unique. But I mean, we definitely see impersonations of executives on telegram and other areas, threats being made, a lot of memes being used for that kind of activity. And then I just think that the doxing thing is such an interesting area of data set that we collect from. I’ve seen everything from executives to FBI agents having their information released. And once that information is out there, there’s very little that you can do about that, but you need to know that it’s out there. So having that monitoring capability to know what of your information is out there and how you can be vulnerable. But as I said, I think turning that back, the threat actors do this themselves to each other. And so, it’s very helpful. I mean, there’s a lot of threat actors out there that are involved in things like swatting, they’ll swat executives and other famous people’s homes or schools or universities. And they make a kind of a game out of that. But because they’re interacting with each other, they, you know, they anger each other and that causes their information to be doxed, which helps us as an investigator to find out who is doing this. And as I said, that important part of motivation, which I think some security people, they just wanna stop an incident, they just wanna stop data being stolen. But I think it’s always really important to look at that motivation piece as well.

Mark: And Brandon and Erin, do you see any trends and threats to executives that are sort of based on geopolitical events. Something happens geopolitically or politically here in the US or something like this shooting, this tragic shooting of the United Health Care CEO. Do you see risks go up or chatter go up or does it tend to be fairly flat line throughout?

Brandon: From a geopolitical perspective, absolutely. We got to go back in time for this one a bit. But when Russia was getting sanctioned a lot by a lot of different commercial vendors and stuff, that kind of set off a red flag for a lot of the Russian-based e-crime actors and stuff to start going after and specifically targeting these companies because of the Russia-Ukrainian war and stuff. So that really prompted a lot of these folks and stuff to start going after them. So yeah, it really depends. It really depends on the situation, you know, and what the and what the atmospherics are surrounding that situation as well.

Erin: Yeah, I mean, we’ve definitely seen, I think the most recent one off the top of my head that I can think of is the Israel Hamas conflict. That definitely caused a lot of individuals that were Jewish to be targeted, and Palestinians to be targeted, so you definitely see those trends in relation to big geopolitical events, and I think that’s something that executives and organizations need to be aware of as well as posturing around these types of events. I would say with the main trend I’ve seen with the United Health Care incident was executives are more concerned. they’re taking more of a proactive approach to maybe looking at their footprint. And I think a lot of people were very surprised by the response to that from a lot of individuals on social media, on things like Telegram, where there wasn’t a lot of disgust at what the alleged assassin had done, and more concern about, you know, we don’t like these executives. There was one individual on social media who produced a deck of cards with different CEOs’ faces on them as targets. So there’s definitely that kind of rhetoric, whether that leads to actual threats or it’s just people talking. You know, it’s hard to say, and that’s again why that motivation point is important. But yeah, I think there’s definitely trends and activities that happen that have an impact on all of this kind of thing.

Brandon: It’s never a dull day in the life of a threat intelligence manager in a cyber security.

---

Check our blog on Executive Protection and the Darknet. Read Here

February 13, 2025

Or, watch on YouTube

In this webinar, analysts demonstrated how to investigate and pivot on front company infrastructure, using Falkor and DarkOwl dark web data, to analyze and enumerate possible front companies and their employees.

Highlights:

• Adversaries of the West are using front companies to obfuscate/hide their malign activities against the West
• Sanctions and notable indictments from recent months
• Enriching information using both Falkor and DarkOwl platforms
• Investigating personnel, infrastructure, and other evidence linked to front companies

NOTE: Some content has been edited for length and clarity.

---

Ari: It’s a pleasure to be here with you. My name is Ari. I am an OSINT analyst here at Falkor responsible for integrating various tools like DarkOwl into Falkor, also general sales engineering, training, handling, any sort of client affairs that come up. You also may know me due to my blog, memeticwarfare, where I write about influence operations and investigating them, and a number of other ventures that I happen to be involved in. I’m very happy to be here with you today alongside with Steph, and we’ll let her introduce herself shortly as we show how you can utilize dark web and deep web data from DarkOwl in Falkor to investigate, in my opinion, very interesting Russian influence activity globally to uncover new front organizations from a few data points.

Steph, you wanna introduce yourself?

Steph: Absolutely, yeah. I second that this is going to be really interesting. I’m so excited to dive into it. So, hey everyone, I’m Steph Shample. I work here at DarkOwl. I used DarkOwl’s data before I became an employee, so I’ve got tool perspectives, very similar to Ari. I think once you’re an analyst, you just can’t get out of being pulled into everything. So, I also help with client training, use cases for how you might employ DarkOwl intelligence in your other day-to-day operations or your separate intelligence operations. And we’re going to get more into our company specifics as well. So, Ari, back to you.

Ari: So, Falkor is an interesting product. In my opinion, it’s kind of leading the next generation of what analysts are going to be using going forward. It’s an API forward analyst operating system, where in addition to carrying out all of your link analysis data visualization, querying of various tools or so on, you can connect all of your internal data sets, be they files, databases, any other REST APIs you happen t have, all into one place. And then, of course, to use OSINT sources like DarkOwl or whatever else you happen to have into Falkor to utilize all of it simultaneously and seamlessly.

There’s also, of course, a full collaboration suite, task management, management, case management, all those additional add-ons that you need to run a case effectively. We have built in AI capabilities, including an analyst investigative chatbot, digital profiling, real-time monitoring, and much, much more in what I may say is probably the most aesthetically pleasing dark mode first, analyst platform out there, which anybody here who works in this space knows just how important that is. I’ll let Steph introduce DarkOwl.

Steph: Yeah, thanks. I’ll take it for DarkOwl. So, we’ve been around for about 12 or 13 years, DarkOwl. We are the world’s leading provider in Darkint intelligence. We cover, of course, the dark and deep web. We also cover what we consider dark web adjacent platforms that is places like Telegram channels, Discord servers, and, of course, IRC chat. We consider them dark web adjacent because you’re gonna see now, especially since Telegram has entered the fold and become more popular in GEO political events, influence operations, and cybersecurity. It’s also cross-referencing, and actors are using both their onion platforms, their markets, their forums, to advertise on Telegram and vice versa, thus maximizing the potential for financial return or notoriety in their operations.

So, the image that’s on your screen here is of course we covered Tor, that’s the browser that you would download and use to access the dark web. We also have I2P and ZeroNet. We are definitely on discussion boards as more people share tactics techniques and procedures or TTPs, underground criminal forms and markets have touched on pretty self-explanatory. And then of course those chat platforms that I’ve referenced how they go back and forth.

Ari, real quick. Do you want me to go into the dark web and how it works now? Or do you want to save that?

Ari: No, absolutely. Absolutely. Let’s lay the foundation for sure.

Steph: Let’s lay it. I like it. So, Ari and I did want to be very clear, you know, for those who aren’t in this space, what is the dark web? What is the deep web? Everyone’s got their own definition. You’ll see all kinds of chatter and people contributing to that conversation. But let’s just keep it very simple. So, the surface web, you download a browser, right? Your choice, Chrome, Firefox, Brave, whatever that is. Very easy. Everything that you’re accessing, if you’re searching on there for recipes or how to, you know, sew or whatever that looks like, it’s attributable. You can find that information, several clicks, couple buttons, you’re good to go. It’s attributable, right? Every IP address and every website is mapped. They relate to one another. All activity is generally able to be observed. Where is this website hosted? Is it a Google domain, an Amazon domain or something else?

Whereas the dark web is meant and was built to be obfuscated. It is built to be more anonymous. It has more privacy features. So, you need special equipment to download it. When you access a .onion URL, you cannot put that .onion URL into, say, a Google or any kind of other browser. You’ve got to put it in Tor or there are a couple of other browsers. Some people work with tails as well. It is not indexed, so you really can’t search a lot on the dark web for recipes or any kind of thing. You have to know what you’re looking for and where that type of material is hosted. So, if you need something, say, if you had a ransomware incident, if you’re in this space, you’ve got to know how to access the ransomware blogs where they host them. If there’s an initial access broker that’s selling access to your company on the dark web, you’ve got to know maybe their name, how to get ahold of them, what market or forum they operate on. And again, it’s built for privacy, right? It is not going to easily give up information such as locations, IP addresses in Tor, you have three of them, you have a beginning IP address, a middle and an end, they change every approximately 10 minutes. It’s meant to be obfuscated. It is designed to be anonymous. So that’s our high level. What is the dark web? How do we access it? What are we doing? We welcome further questions on that if you’d like to put it in the chat or contact either one of us. No problem.

All right, Ari I’ll kick it back to you unless you have a question.

Ari: No, no, there’s just so much more to go with this stuff. I just say, again, everyone wants to know about how dark web URL resolution works, let us know later. But yeah, but alongside the dark web data, I think the most important thing that we’re going to bring up is the use of that in the conjunction with deep web data, Telegram in particular, but also other sources as well as they come up, right? And that’s, I think in my opinion, the real added value of what tools like dark, DarkOwl and other tools that provide similar data sources do that you can really have essentially all three layers in one setup.

So, with no further ado, let’s discuss the case that we’re going to be looking at today. The case that we’re going to be looking at today is the Center for Geopolitical Expertise. Now, you may have heard of this. They were sanctioned, I believe, about two months ago, maybe a bit less by the US Treasury Department. Here’s the statement. If you want, you can see that over here.

And we have the Moscow-based CGE, or Center for Geopolitical Expertise, founded by the OVAC -designated Alexander Dugan, and we’ll discuss briefly perhaps later on. And then, of course, the main person running a whole operation, Valery Mikhaylovich Korovin, and other relevant CGE personnel. So, we’re going to see how we can essentially investigate this organization, the CGE, by the way, as a side note, Russian front organizations love utilizing terms like geopolitical, whatever, and expertise and that sort of stuff, just a cultural thing that happened to really enjoy doing, and you’ll see that repeat itself in this space quite a bit. To see what we can essentially find out on this given organization, utilizing deep and dark web data, and then how we can expand upon that to find other signs of new front organizations and just better understand their general activity. So, we’ll cover not only dark web data, but also some investigative tips that you can utilize when investigating front activity on your own, and then we’ll conclude with a Q&A.

So, the most recent case that we have of the CGE was apparently, or they’re alleged I should say, and though it’s becoming increasingly well-founded in terms of the research, right? Was there organized election interference inside of the ongoing election interference, I would say, inside of the current German elections? They’ve also been quite active in Ukraine. They’ve ran probably the single most successful operation inside of the US called CopyCop, that was published on by Recorded Future. Great report, highly recommend, that you read it. And they utilize locals and other individuals to set up these AI -generated domains, targeting whether election or given country they happen to be targeting.

Here we have an example from News Guard over here of a various number of German language domains used to target Germans.

Now there hasn’t been much coverage of Corovan individually beyond the Gnida project. By the way, a great substack that I recommend that you follow. If you’re interested in tracking Russian influence operations internationally, they do a lot of great stuff. They’ve been the only ones to publish anything in depth on Korovin individually. There have been a few mentions here and there, but nothing really in depth. So, let’s see what else we can find on them. There we go. So, just to recap where we are so far and how we’re going to start our investigation, which by the way, I find to be often one of the most difficult places for analysts, especially new analysts, you know, to have it right when they get going, is where to even begin with looking into such sprawling types of activity.

We have the sanctions announced on this given group, and there have been past reporting on them from other individuals also as well. And we have the number one person of interest of POI, Valerie Korovin, and of course information on him published by the U.S. Department of Treasury, including the Russian tax ID over here, which is like their social security number, date of birth, general area, and of course, the registration information of the CGE also as well. I built a very humble little graph over here in Falkor’s link analysis, showing you essentially how these things work, how Korovin over here is essentially an agent of the GRU, right, he’s their liaison for the actual activity that the GRU, which is Russian military intelligence wants to carry out internationally. We have the awards for justice from the US government announcement over here, his affiliation with American John Mark Dougan, another activity, the Eurasia Organization, and other key individuals that we’ll get into in a little bit.

Just a quick word about Dougan if you haven’t heard of him. Dougan is the founder of the CGE and is a fascinating figure who we can dedicate multiple awareness to just for himself. But in short, he is a Russian far-right political polemicist with a very unique political philosophy and how the world works and how things should be, at the very least, founded on multi-polarism, meaning the world not being unipolar centered around the United States, and essentially Russian borderline fascism, if not fascism itself in many ways. So he’s a sanctioned individual known for his very, very, very extreme views. Now, thanks to Gnita, we also know about Natalia Makeeva, who is the senior official at the CGE and is the right hand of Korovin, but we can also find out more about her independently as part of our investigation. We don’t need a project just for that. So now we’re going to see how we can take these individuals and the basic data points that we have here, identify entities for investigation, further identify new relevant entities, and then keep going. Now one thing I do want to bring up and Steph do you want to enrich further astound upon this is the Russian dark will be some ecosystem in general, which is incredibly rich. So, if you have any words you want to add to that, I think that’d helpful.

Steph: I’m fully in agreement with you, you know, the Russians are, of course, not the only actors, APT or cybercrime focused on the dark web. But I would say they are the most frequent. They know what they’re doing. They’ve been using the dark web in their operations probably longer than any of our other adversaries. You will see Iran, China, Belarus and pick a country if their actors are on the dark web, you know, they are using it, but Russia is the most frequent and uses it in a variety, right? From ransomware to cyber-crime, to info ops, to all kinds of influence operations, Russians are all over the dark web. We have learned the most from them. Ari, so that’s a great point.

Ari: Absolutely, and the most important point for us is that that cuts both ways, right? So there are tons of data leaks on Russia, tons. I mean, perhaps the single mostly country I’ve ever seen articulately, in terms of sheer number of leaks and data available, and that’s how we’re going to utilize this information to keep investigating. So Just from doing a name search on Korovin and Falkor with this full name, which would give them the sanctions, we get a large number of interconnected results over here. And by the way, as an aside, if you’re interested in seeing the full investigation with other information from DarkOwl and Falkor, feel free to contact us separately. We’d be happy to schedule a demo to show you more of the in-depth information on this individual case.

Just from looking up his name, we find all these various interconnected data points. We find from leaks of data available on the dark web, a Facebook profile with a UID, a leaked telegram account, leaked Gmail entities appearing in a dark web post over here, and multiple other entities belonging to this individual.

Now, I see we’re getting questions in the chat, so I’m not going to refer to that now, but we’ll save that for the end. But if you do have any questions, feel free to send.

So, one thing I do want to bring up also is that one of the results that we get here is that Korovin has an additional email at the Eurasian organization, which we mentioned over here, which is another organization tied to Dougan. Okay, so that also came up in the results. Now if we look up the Eurasia.org organization, which is by the way another Russian instrument of influence headed by Dougan and active globally, looking at who is records, here we have from WhoXY, which is a great free tool, which is a side note by the way, highly recommend it, if you need a free tool for that, or of course the full suite of domain intelligence available in Falkor. We can see that in fact the person who registered Eurasia.org was Makeeva@Eurasia .org, Natalia Makeeva, the woman mentioned earlier, and she also registered the CGE domain over here as we can see as well. So, she’s a pretty central individual then having registered the domain for CGE. And then we can also see over here a very broad overview of the leak data available from the deep web on the actual Eurasia domain. So going back to that, just by querying essentially the domain itself in Falkor, we also have the Korovin’s individual email address over here. But here we have the full swath of results. I’m sorry, I try to fit a lot in on this slide.

I know we only have so much real estate over here. But you can see the sheer wealth of data that we have on the actual domain, which is somewhere over here in the middle, right, including the large number of actual individual posts in which the domain is mentioned, but also more interestingly, perhaps a leak total of 360 email addresses in leaked records originating from the domain.  Of which, we have 28 unique ones. So, Steph, I know if you have anything you want to add to that on the dark web, on DarkOwl’s data enrichment features over here in terms of profiling.

Steph: Absolutely, we are a niche DarkOwl intelligence, but one of the tools that we have to get extremely granular is this bottom right image that Ari has been highlighting. So, when Ari and I were going back and forth saying, you know, what can we do? We want to talk about front companies, but it’s intimidating, it’s overwhelming to get started. There’s a lot to follow, there’s a lot of threads to pull, there’s a lot of misdirection that can happen. But when Ari gave the domains of some of the proven front companies, and we definitely source those from indictments and treasury, as we’ve mentioned, you can put any top-level domain into our tool, and of course in Falkor now that’s also using it, and get a pullback of, okay, here are the amounts of emails exposed, that’s that 360 numbers. There are 28 unique ones, because of course there’s going to be repeat breaches, accounts in certain pieces of information with the same password or exposed in the same place. So, it’s just really important to help flesh out your top level domain research, get the patterns. You know, what password does this individual use? Is it constantly exposed on the clear web, on social media, on the dark web? So it’s a really cool feature to kind of build this out and we use it heavily in our investigation.

Ari: Absolutely, then you can get it all visualized for you nicely inside of Falkor, giving you the clustering over here of what’s actually important. You can filter, of course, by degrees and so on and move on from there. But the point that you think you’re going to remember is that every one of these data points is essentially another pivot point that we can use as part of our investigation. So as we can see that certain clusters of activity here are more central, right, or more active in terms of relations to other entities, we can then take Falkor’s, say integrations with email and phone number lookup tools or people investigation tools, or social media enrichment, and then enrich those further to further investigate the in domain. Now the next thing to keep in mind, and this is especially relevant when investigating organizations of any kind, be they companies or front companies or whatever it happens to be, the leaks don’t lie at the end of the day, right?

Firstly, having no leaks is suspicious because almost every organization has an employee who utilizes some given company data point to register for some service. It’s rare to not have that happen at all. And then when they inevitably do, as we can see here, we can see who’s more active with their company email or other company assets online to find other relevant data points really easily. We have here, we have a number of individuals, including Makeeva, who was the single most popular leaker in terms of using her email address, which also hints to us that she’s probably a pretty active individual in the given organization. So, we can use DarkOwl data for investigations, right, for pivoting, but we can also utilize it to qualitatively understand and analyze what actually occurs with this given organization.

So, we can see here that Korovin’s email address appears in a dark web post taken from an onion site that we can see over here as well, which was actually a leaked copy of the internal information policy of the Lugansk People’s Republic. So, you know, occasionally you’ll see there’s some news article about a list of leaked data, you know, exposes this or leaked, you know, government reports say that, et cetera. One of the places you can easily find that data is in fact on DarkOwl because as Steph would say, you guys are constantly indexing all of the available posted and leaked data online. And here we can see, in fact, that Korovin and Eurasia are mentioned as key bodies for promoting Russian interests in the Lugansk People’s Republic, which is one of the breakaway regions of Eastern Ukraine, currently being fought over in the war. So, it has an official role in, say, promoting Russian interests there also as well, which was not publicly available data previously. Now, we can also then look at Korovin’s Twitter account, which is easily found publicly, but also easily found via breach web data. And then inside of Falkor’s social media enrichment, we can bring back followers posts and more. So, we can see that his followers globally, of course, make sense roughly what we would expect, mostly in Europe and Eastern Europe and, of course, Western Russia, some in the Middle East and other parts of Asia, Latin America, Africa, and the US a little bit. And we can use all these also for further investigation, especially when it comes to finding new organizations globally that might be following him that could be potentially related. And then we can also utilize the Falkor link analysis to better understand clusters. We have Korovin over here; that’s the original account over here. Then here we have one other account that he shares a large number of shared followers with.

And this is of course, who else but Natalia Makeeva. So even without the needed project telling us earlier that she’s a key individual and providing the receipts as we say, which we’ll see shortly, we can also find out, of course, also ourselves utilizing open source investigation. Now, if we begin to look her up by looking up her email address also in DarkOwl, we get another kind of dark web data that we can utilize quite effectively, which are actually leaked emails from between Makeeva and an individual affiliated with the pro-Russia and Novorossiya movement based also in, of course, Donbass, the eastern part of Ukraine that’s being fought over in the war. We can see here in these individual emails which I translated into English, they were of course sent originally in Russian, that they were coordinating sending over propaganda material from Dugan, of course, into that area. Now, one of the other things that DarkOwl does that Steph might want to explain briefly is tokenizing entities, and then I’ll describe how we do that in Falkor.

Steph: Absolutely. You can see in the bottom left image; we have that highlight once Ari shared the names of the individuals that we wanted to focus on for this investigation. I just ran that through our tool, and we highlight our results. We want to make it easier for our analysts, make it visually appealing. So Makeeva, we see her domain confirmed, she’s sending emails back and forth, so there’s a couple of things. We’re going to pull out that email address so that you can further pivot on that, build off of it, find passwords, find anything that you might want to find. We got very lucky in this instance that we had contacts for these emails. So then you can also, when need be, pivot to Gubarev at NovoRussia, you can take a look at NovoRussia’s top level domain, what’s exposed, what’s out there. You can try and see if that resolves to any IP address based on what, you know, Russia, how they’re setting up their operations. So, you have a whole bunch of different pivots and different pieces of analysis to add to just Natalia Makeeva and her email address, we built out a whole other graph that is evidenced in Ari’s image on the bottom, phone numbers, contacts, patterns of life, patterns of contact, and other people she’s working with. So yes, we pull that all out in DarkOwl for pivots.

Ari: Exactly. And then we can just easily right-click on that document in Falkor to extract those tokens as entities into entities for further investigation automatically. So, if you have this email address, instead of needing to copy and paste each individual email address or phone number or username or whatever happens to be, you just right click, you have it, and then you can right click and further enrich and investigate effectively. So just to recap where we are so far, we had the original CGE organization. By looking into it, we found the Eurasia group organization also unsurprisingly affiliated with this group. And now we see pretty close ties between the leader of the Nova Rocio community over here and of course, Nathalia Makeeva, indicating there might be other ties as well that we could investigate. Beyond the original organization, there’s also evidence from, of course, Gnida as well, that Korovin and Makeeva, who we can see here, this is Korovin, and this is Italian Makeeva, are active globally beyond Eastern Europe and Russia, involved in setting up the Fundación Fidel Castro para Desarrollo de las Aracenas Frusal Cubanas, the Fidel Castro Foundation for Promoting Russian-Cuban Relations, which they utilize essentially to promote Russian interests in Latin America and the Spanish-speaking world. And here we can then utilize Telegram. So, Steph, I’ll let you then describe perhaps how DarkOwl handles Telegram and Discord and other deep web sources before I describe what we’re seeing here.

Steph: Of course, no problem. So, once again, we kind of went on the name of Valery Korovin I wanted to do a search. We know that Russia is also avid users of Telegram. We saw that activity really increase where they were sharing battle plans, pictures, strategy on Telegram after Russia invaded Ukraine. But we also saw that pop up when the Afghan government fell in 2021 in the summer. So just to let you know that Telegram is all over. We pull everything down from a Telegram channel. So, we’re going to get the metadata, we’re going to get the channel ID, because this, you know, for right now, the title of this is called Amigos de Evesiones Fides. Tomorrow, that could be literally anything else. But if you have the Telegram number, the actual channel number, you can continuously track that no matter how many name changes there are. The same is true for those usernames. So, we pull that all down. We have the metadata for your investigation to share with your clients if you’re sharing intel with someone else. And then, of course, after we have Valery Korovin one name, now we have a whole spate of other identifiers that we can pivot on. So, we’ve got a Facebook group for this group as well as Twitter. We’ve got, of course, their Telegram. We’ve got a Yahoo address. So, it’s just a lot more information that we added. And it’s the same for Discord. We pull down server IDs, we make sure that we have the information that’s never going to change, even if a user handle or the title of a server or room does change.

Ari: Absolutely. And then we can start the actual hard work of investigating, right? At the end of the day, there are very few shortcuts in life. We’ve been lucky so far with these lead emails and other things that we come across. But sometimes you gotta, you know, put the elbow grease in there and really just look at all these various entities that come through and you can do that easily in Falkor by enriching them to bring back information on the domains, on the social media profiles and more to see if they are in fact front organizations or have any other types of relations to the actual individual that you’re looking at or not. We have other sources across Telegram also as well from parts of Latin America and even Italy and other global organizations that are promoting Thurovan and these front organizations that we can then look into further also. Now we’re going to conclude the investigative portion of this with one final tip that I would like to bring up. Gnida project brought this up also as well, but anybody could figure this out, that the Fidel Castro Foundation is registered at the same physical address as a few other interesting groups. Firstly, we have the Russian House of International and Scientific and Technical Cooperation. I haven’t looked into it myself yet, but who knows? It wouldn’t be the first time they’ve utilized scientific cooperation as a front for other sorts of activity. Eurasia itself is also based in that same building over here. The Russian influence outlet Geopolitika RU, which is very well known for anybody active in the space, you should recognize that immediately, is also of course registered and based out of the same, comparatively small building in Moscow, you can look it up in Google Maps, it’s not very big. Doesn’t make sense that it’d be hosting so many large organizations. And the lesson to keep in mind here, even though the CGE is registered by the way in a different address, is that threat actors always reuse for a variety of reasons right sometimes they don’t you know can’t afford to rent to different places they want to rent they want to buy domains they want to get new office space where it happens to be but they don’t and they did utilize the same thing over and over again. So, whether or not it’s digital or physical infrastructure if it’s being reused you can use that very effectively to find potential signs of a given organization being a front or otherwise uncover hidden ties right.

Now you have to be careful about that about that also as well of course if it’s a large office building it could be feasible, they’re all based in the same building as well, right? But if you can check it out on Google Maps quite easily, see whether or not it makes sense that you have multiple large organizations in a given, you know, three-story building, right, let’s say, and then from there make your own decisions. And then we’ll conclude also over here with the Falkor geo search, which has the ability to search this area for social media data, other data points also as well, and even connect other tools also to search if you have other geo -relevant data points too. So, on that note, let’s conclude, and I’ll let Steph also, if you have anything you want to add, let me know too, feel free to barge in here. dark web data is critical for investigation of all times, of all kinds, right? Beyond just looking up leaked data, leaked creds, threat actor chat, and that sort of thing, we can utilize it for things like profiling, finding leaked geopolitical data of any sort of interest, right? Government data, that sort of thing, and we can utilize that leaked data to expose ties to additional organizations very easily. This is often like the shortcut that I mentioned that we don’t often have earlier essentially, right? The leak data giving you that actual connecting point is what you can often utilize effectively. But there are other data points that we can utilize also, as well that we can find, right? Shared physical addresses, reutilizing digital infrastructure and more are critical. And deep web data really can’t, in my opinion shouldn’t be ignored for investigations of any kind, let alone influence investigations operations as well as looking into front groups. And we can utilize them to find with the low amount of investment, let’s say, or time invested in this, international activity very, very easily. So, Steph, if you want to add to that, let me know.

And if not, we think we can move them to Q &A.

Steph: Love to, just to repeat, front organizations are tricky. They’re a little difficult to follow to get started to know where to work with. But look, Ari and I started with one organization, one top level domain, two human beings. We then got their selectors on social media, on the dark web. We found two other organizations, we had a global investigation, but we had to pivot, we had to turn around, we hit some dead ends. When we were first talking about this webinar, we were gonna maybe focus on Iran or a different kind, but Ari did an excellent job of saying, no, let’s do this, this is good, and then really made something that’s intimidating and a little difficult and complicated, simple, seamless, and you can see all the information we ended up with after starting with just three entities, an organization and two humans. So, Ari hats off to you. Thank you for demonstrating how we can use deep web and telegram and Discord data. It’s absolutely amazing. And I look forward to reading what you do in the future, because it’s awesome.

Ari: Thanks. And there’s a lot more, by the way. So, if anyone wants to see more, feel free to contact us separately, like I said. All right, the final step that I would do here for a Falkor plug before we go under the Q&A is the monitoring dashboard. And this is also, of course, relevant for DarkOwl as well. Falkor is a full monitoring suite available so you can set up dark web data over here to be monitored right set up your keywords your Boolean queries and strings whatever you happen to have you can set those up over here I set one up for mentions of Eurasian.org and other mentions as well and then you’re going to get a live feed of new onion data discord data telegram data and more coming in relevant for that sort of data also here as well we also of course have a full alert mechanism set up through some of the keywords or things you want to be triggering rules for and that sort of thing, we can do that. And we also of course support social media. So, if you want to say follow Korovin’s Twitter account or follow any other individuals’ Twitter account for your investigations, you can do that also as well. And lastly, we also support RSS feeds. So, if you want to say track the OPAC RSS feed or any other RSS feed that you happen to have, no problem, you can throw it all in here and track all of those things in one pane of glass.

Steph: Super, super kudos to Falkor. There are so many tools out there and everything is very disparate, right? We’ve got RSS feeds and Slack and all of this, but what you guys have is a dashboard where you can truly have everything in one place, and that’s essential as an analyst. We’ve got enough information to deal with, so it’s an amazing, amazing product.

Ari: I’ll send that over to the development team. We’re very happy to hear that. I think we have some time then for Q&A.

Kathy: Yes, we do, and we’ve had some questions come in. The first one is in reference to Telegram, have we got any possibilities to follow a target if a Telegram account is closed and not open?

Steph: Yeah, we absolutely do. So, you know, you can build infrastructure to try and ask for permission to enter. You can run different personas or try to get people that work in your organization into a closed or private Telegram. There are a lot of different ways to do that. Strike up a common conversation, strike up investigations, and just kind of see how you can break that door down based on observing other activities surrounding it and knowing what the types of discussion are that’s happening inside those telegram channels. It’s not a perfect science, you might get denied, but you can get into closed ones if you play your cards right. Yes. Or anything to add to that on your end?

Ari: No, I mean, that’s that, listen, that’s, you know, like I said, sometimes there aren’t any shortcuts and you gotta just, you know, Do the cold approach and hope it works out, right?

Kathy: Okay, well, staying on the topic of Telegram, when considering Telegram provides encryption and privacy features, why do threat actors still choose to communicate there instead of using more anonymous platforms like I2P , TOX, or peer-to-peer encrypted channels?

Steph: Yeah, absolutely. So, we see actors talk, I mean, I’ve been all over the web, right? I’ve been in this game for a lot of years. I’m very old and I’ve seen a lot of trends. So actors are openly stating that Telegram is safer. It is a Russia-based tool, right? It was developed by a Russian. And so, they feel that in lieu of the dark web where they have openly identified, they feel that federal agents and law enforcement’s working to try to take down criminal operations, criminal infrastructure, actors still feel that the majority of the safest tools are things like Telegram and TOX. They are definitely active on TOX. They have moved away as ransomware groups fall, as markets are shut down, think Silk Road, think Alphabet. As all of those go away, they move to what they feel is safer. I do think that probably in the next two to four years here, we’re gonna see a migration away from Telegram because you know how that goes. Once things get very popular and are used frequently, pivots for investigations change, They probably will feel that law enforcement will move there, but we see that all the time first, you know, with cryptocurrency, for instance, Bitcoin was viewed as very safe. Now they’re saying Bitcoin is a tool of the United States, you know, intelligence agencies and federal investigations is their words and chats. So, they’re moving to Zcash, Litecoin, etc, etc. They openly espouse what they feel is safe versus what isn’t. And it’s our job as investigators to follow that. So that’s probably why, that’s definitely why they’re saying what they’re saying.

Ari: I have some points that I’d like to add to that. So, there are a few things to keep in mind because the much vaunted, let’s say, encryption of Telegram really isn’t quite as good or as quality as people say. We can get into it; it’s a whole separate thing. It’s not intent encrypted by default, which is what really matters for the average user. The reason people use it, in my opinion, is that it’s a really effective town square. You wanna sell your cyber crime services online or make sure your leaks get, you know, spread and amplified and that sort of thing. It’s an amazing place to be active and the barrier to entry is super low. You don’t need a computer. If you are a thought actor within a country that doesn’t have, you know, that in which GDP is low and you want to start scamming, you don’t have a hundred bucks in your pocket, you can do that, for example, right? It’s instead of buying a computer and download Tor and have a reliable, indirect connection and do that sort of thing. Telegram is much more accessible. You can buy a burner phone, remove the camera, microphone yourself if you’re that concerned and kind of get to work. And then like you said, also step regarding TOX, move to TOX, move to any sort of end-to-end encrypted solution that’s a bit more secure for actual communications, which is a very common trend also as well. So, there’s this town square market element of it that I think is incredibly appealing. And then it also has other features that make it appealing to threat actors as well. In fact, that it’s easy to use. In fact, there’s other content on there that’s also interesting. The built -in messaging experience is really seamless. There’s a lot of other reasons to use it also as well. And I think it’sa fascinating platform, but those who know me know I also have been a bias.

Steph: Great points.

Kathy: Great. Thank you. We’ve had another question about leaks in the darknet are not too old to use with efficiency?

Steph: Absolutely not. So human beings are creatures of pattern. They reuse passwords. They reuse their data. They can’t keep track of it. We do not have enough people. Think of your coworkers. Think of maybe older family members or something, they’re not using password keepers, like 1password, key password, et cetera, et cetera. They reuse something because it’s easy. So, if something is exposed and always out there, it’s very easy to keep reusing. We have had actors who have not changed their passwords since 2010, 2011. Not all of them. Some of them do have better opsec and cybersecurity, but it’s very, very simple to glom onto one password or one account or a handle or a username that an actor uses and then keeps going with minimal changes throughout the years. It’s foolish, but they do it. So no, data that’s old is not too old to use no matter where it’s from. There’s always a potential. Anything on your end for that, Ari?

Ari: No, that’s a great explanation. I mean, it depends also on your usage, right? I mean, if you’re just trying to protect, you know, if you want like those, you have some of the lead employee password from nine years ago, it’s probably not as bad as, say, something from last year. But, you know, for investigation purposes, It’s still quite as useful for pivoting. I don’t know that in terms of other stuff. So, it depends on what you’re doing, but yeah, I completely agree with you.

Kathy: We have one more question that came in. How else can dark and deep web data be used for investigations or attribution of influence operations?

Ari: And this is, I think, a really interesting topic because people love to talk about attributing influence cyber operations online effectively and the leaked data is one of the most effective ways to do so, like by far. Looking at past Twitter scrapes and Facebook leaks and that sort of thing, people manipulate the APIs, these platforms, and then post all this account information online. There have been cases where known influence operation accounts and entities have had their personal information exposed, be that say the registration IP or their last used IP or their password or that sort of thing, that you can utilize to very effectively either further investigate or even kind of on the spot, determine whether or not it’s an authentic account or not. So that’s one of the biggest things that I’d say that we see. And there have also been multiple cases of influence operators themselves experiencing leaks, right? So recently the SDA, the company behind doppelganger had a lot of data leaked on them, hasn’t really made it much onto the dark web for a variety of reasons, right? But essentially the data is still leaked and available to certain other individuals. And that’s another way that we can expose other actual operators themselves as we saw in this investigation. So, the leak data is in many cases the only way to investigate and attribute these activity, not a nice to have. Is that anything you want to add to that?

Steph: Yeah, and as far as just other data on the dark web, people, criminals, actors, they do feel that the dark web with its flaws and its security issues is still one of the safest places online. So, they’re still very open, they’re still very transparent. They might be cautious at first, but as they carry on more operations and build bigger networks and build a name for themselves, selling data, infiltrating companies, getting infrastructure, they open up more, right? The dark web is full mostly of criminals. They have an ego. They want to talk about who they got into. They want to build themselves up. And so, every piece of information, despite what you’re looking for, what you might be working, ransomware, info ops, DDoS planning, you know, anything. There’s always a piece of intel on there. It’s just that you have to look harder to find it. But as Ari and I have mentioned, schedule a demo with us. We’d like to take you deep. We also want to show you how you can enrich open source OSIN or social media information with dark web intelligence. It works really well to enrich too. So, there’s a bunch of different lines of investigation and tactics and we’d love to go deeper with you on that.

Kathy: Great. We do have a couple of minutes, and we had one more question come in. In other countries, considering that credit card details are frequently leaked on the darknet – does DarkOwl provide access to full credit card data to licensed companies or is the data redacted for compliance and ethical reasons? Additionally, how does DarkOwl ensure that security teams using its platform do not misuse such sensitive financial information?

Steph: Let me answer that in two parts. So, we do indeed have full credit card details. Listen, at DarkOwl we are GDPR compliant, we are DOJ compliant, we do not purchase stolen data. That data is out there openly available, whether it’s a forum where it’s sold or whether it’s a pay site where it’s hosted. It is open information that anybody who downloads the tools and knows how to access can. So, we do have that. As far as part two, we indeed have checks and balances. My CTO is always eager to jump on the phone and explain. I’m not going to get into those checks and balances here. Please do schedule a call for us, but we absolutely ensure that there is no misuse of sensitive information, whether that’s financial, PII, PHI, HIP, or protected. We absolutely have that a way to get around that, and I invite you to please get with us and we will explain that further in depth on the call, for sure.

Ari: The one thing I would add, the one thing I would add on top of that is in fact where there’s a full auditing capability, right? So, inside of the actual system admin users can go and audit all the actions taken by other users in the system to see that they’re utilizing all the data and sources they have appropriately and ethically.

---

Interested in chatting? Contact Us.

October 25, 2024

Or, watch on YouTube

In this webinar, DarkOwl analysts explore the disinformation landscape on the dark web in the context of the upcoming U.S. presidential election. What emerges is a complex, multifaceted online space characterized by a variety of actors, ranging from nation states to American citizens and U.S.-based conspiratorial political movements. All of the above play key roles in both creating and amplifying mis- and disinformation which has seeped from the deep and dark web onto the surface web, and vice versa. As a number of prominent social media platforms maintain policies of limited disinformation regulation, false narratives previously concentrated on the dark web and alternative social media platforms have become mainstream, thereby gaining traction and reaching greater audiences. Combined, these factors reflect a complex environment in the lead up to the election and highlight the importance of identifying and combatting mis- and disinformation.

Make sure to check out our full report on this topic.

NOTE: Some content has been edited for length and clarity.

---

Erin: We’re excited to kind of talk about this topic. I’m Erin, I’m the Director of Collections and Intelligence at DarkOwl, and I’m joined by my colleague Bianca who works on all of our investigations and services and has been digging into this topic quite a bit. So obviously, it’s November next week, which I find insane. And we’re just about two weeks out from the election. And there’s a lot of things going on out there on mainstream media, obviously. But we wanted to take a deep dive and see what we’re seeing from our side of things on the dark web. So, with that being said, I think we can dive right in and Bianca, I guess the first question would be:

Why is it important that we’re looking at the dark web in this election cycle?

Bianca: Well, during this election period, as with previous elections and recent years, particularly since 2016, we’re seeing disinformation narratives gaining pretty significant traction. And disinformation, as we know, can play quite a significant role in influencing voters. And much of these false narratives that we’re seeing are originating on the dark web and dark web adjacent spaces, especially Telegram. And so, because of that, in order to get a comprehensive picture of the online disinformation landscape and the role it can play influencing voters, it really is vital to examine the role that the dark web plays in spreading that disinformation.

Who are probably the main groups that we should be concerned about them that we’re seeing kind of having, spreading this kind of disinformation and misinformation?

I think you can basically broadly divide the main groups into two categories. And I’d say that the first one is nation states and then you also have domestic actors. So, starting off with the nation states, two of the main actors we’re seeing are Russia and Iran. Russia of course has a history of leading influence operations against the US as we’ve seen since 2016. Russia’s strategy this year though, it’s worth noting, does seem quite different compared to previous years. Most notably, they really seem to be taking advantage of domestically produced conspiracy theories more and more really this year, as opposed to, as we’ve seen previously from them – creating their own false narratives and then sharing and disseminating those narratives. And I think that shift in tactics is a reflection of the domestic disinformation landscape that we’re seeing right now, where you have these absurd conspiracy theories entering the mainstream and then being viewed by millions of people online. So really, nation states like Russia that are leading these foreign influence operations are recognizing that that’s unfortunately something they can take advantage of these domestically produced conspiracy theories.

Other than Russia moving on with these nation -state actors, we are of course seeing Iran emerging as a key player right now in election influence operations. In the lead-up to November 5th, Iran has already carried out cyber-attacks against election campaigns with the DOJ – just recently announcing the indictment of, I believe, three Iranian hackers for targeting former President Donald Trump’s campaign. Importantly though, Iran is also actively sharing content that like Russia’s, is aimed at sowing discord in the US. And that’s something we’ve seen from Russia, of course, since 2016, increasingly. And for Iran, Microsoft researchers in particular identified these websites associated with Iran that are basically posing as American sources and spreading in disinformation.

So we’ve got Russia, Iran, and continuing on with nation states, we really shouldn’t forget China was also leading its own election -focused influence operations. One of its influence operation campaigns has been active since 2017. And we’ve recently been seeing increased activity from that campaign. But I do want to highlight that researchers do seem to believe that China’s efforts likely will be more restrained compared to Russia and Iran. And they don’t really seem to be aiming to undermine one campaign over another. So whereas you see Russia attempting to undermine Vice President Kamala Harris’s campaign and Iran attempting to undermine former President Donald Trump’s campaign, we’re not really seeing that lean or favoring from China to the same extent. So those are the main nation-state actors.
 
Erin: It’s interesting as well, sorry to interrupt you, but how the landscape has changed since 2016, right? So I saw some reporting with Russia as well that they didn’t necessarily get what they wanted maybe out of the Trump presidency and is that impacting what their goals are and how they’re reacting now. So it seems like as you were just saying, that they’re more trying to focus on just creating that conflict internally in the US, as well as still, promoting Trump, but it’s interesting how they’ve changed their tactic.
 
Bianca: Yeah, that’s a great point. And they’re just continuing to so discord, like that seems to be the number one priority, really, and undermining faith in the election process and undermining faith in democracy. So that’s something we’re still seeing from them. Those are the main nation-state actors to answer your question that are kind of the main players right now in the disinformation landscape.

But I do also want to highlight that second bucket I mentioned that’s domestic actors. And there are US-based individuals and political movements that are generating disinformation related to the election and candidates that we’re seeing right now. For instance, the far-right conspiratorial movement, QAnon in particular, which first appeared in 2017, they seem to have effectively entered the mainstream at this point, and their conspiracy theories are seen across the surface web. And that’s a lot of the disinformation that we’re seeing in the current landscape is coming from these far-right conspiratorial
movements. To answer your question, I’d say those are the two main buckets, the nation-states, but then also domestic actors.

What are the most common types of disinformation narratives that we’re currently seeing being circulated?

I’d say broadly you can group the main narratives into two groups, two categories. So those that are questioning election integrity and then you have those that are targeting presidential candidates. So, for the first category, you have essentially all of the disinformation that’s questioning election integrity. So unfounded claims of voter fraud, which of course was also a very dominant narrative in 2020, and we’ve seen that narrative persist and enter the mainstream increasingly. And some of those narratives are being amplified by foreign actors, but American citizens themselves are also responsible, I think, for a lot of that amplification. That’s the first category and then the second category broadly is disinformation aimed at undermining either Vice President Kamala Harris’ campaign or former President Donald Trump’s campaign. To give an example, you have Russia spreading disinformation that’s again meant to support Trump and undermine Harris and then at the same time Iran spreading disinformation meant to support Harris and undermine Trump. To give a more specific example, one of the most recent examples of disinformation aimed at undermining a candidacy was this staged video that was created by Russia that falsely accused Governor Tim Walz of sexual misconduct. And that was a story in the news this week. The video has already been debunked, but it nonetheless gained hundreds of thousands of views on Twitter and has been shared on the dark web and on groups in Telegram. So, I’d say those are really the two main categories that we’re seeing right now.
 
Erin: I think with AI and things, it really highlights how videos can be made relatively easily these days that can be shared. And by the time that they’re debunked or shown to be false, the damage is almost done, the genie’s out of the bottle. So definitely concerning, but you just touched on the dark web and Telegram.

How are we seeing it being shared on the dark web and how are apps like Telegram being utilized?

Well, to address Telegram, right now we are seeing lots of groups on Telegram, especially far-right ones, that are basically spreading disinformation meant to sway voters. And again, some of that disinformation is coming from nation states. There are Russian news bots in a lot of these channels that are sharing headlines and articles that, again, are false and have no basis in fact. So, like you’ll see RT news, Russian bots, RT news, of course, being Russian funded propaganda. And then you’ll also have some of these same Telegram groups and channels sharing disinformation that’s originating from U.S. based individuals and again, conspiratorial movements like QAnon. So going back to this, the role that domestic actors are playing in addition to nation-states. It’s really interesting that a lot of the conspiratorial content that we’re seeing on spaces like Telegram, a lot of that content is leaking into the surface web. And vice versa, there is a lot of content overlap. And that’s concerning given that there used to be a much clearer distinction between the surface web and platforms, dark web adjacent platforms like Telegram. So, you’re seeing a lot of interaction in terms of the content we’re seeing on both spaces.
 
Erin: I think that’s an interesting point, right? Because we tend to think of the dark web, some dark web adjacent platforms like Telegram where there’s limited oversight, although obviously that seems to be changing at the moment, where people want to hide their intentions and stay anonymous. And with this, we’re really seeing people like move over and have less concern about hiding their identity. Like, how do you see that happening and why do you think that’s happening?
 
Bianca: I think it’s not surprising that we’re seeing, you know, anonymity being weaponized to spread this information, right? It’s more difficult to attribute this disinformation to a specific group, even a nation state or an individual, if they’re remaining anonymous, and that’s not just on the dark web, you know, we’re also seeing the anonymity on the surface web with users on Twitter, now X, spreading disinformation, but kind of hiding their true identity. And that’s become a lot easier on Twitter, especially where the verified checkmarks don’t signify reputability anymore that you just buy the checkmark. And it’s easier to kind of stay anonymous and sell yourself as this reputable source.

I did want to touch back about Telegram, though. I think it’s not surprising that we’re seeing a lot of disinformation there, of course, wanting to flag that just a few months ago in August, the app’s founder was arrested and charged in France in relation to an investigation into criminal activity on Telegram. So, it’s really not just disinformation being shared on the platform. The main concern right now also is violent extremist content and child sexual abuse material that we’re seeing on Telegram. But in terms of disinformation, I think it’s worth highlighting that one of the main concerns about Telegram is the sheer size of the groups and channels there. So, channels don’t have a limit on the number of subscribers and groups can have, I think as many as 200,000 members, which is massive, right? And that scale means that disinformation can very quickly reach large audiences and then gets shared and amplified by these massive groups in over and over and over again. So overall, Telegram is absolutely hosting a lot of the disinformation we’re seeing regarding the election, whether that’s false claims of voter fraud or also disinformation targeting presidential candidates. And that’s definitely something to be concerned
about.
 
Erin: Yeah, and I think we’ve definitely seen Telegram being used in other arenas in that way as well. Israel Hamas is an excellent example of disinformation being shared and even actual news information being shared quicker on Telegram than it is on mainstream media. And someone was asking me earlier this week, actually, if I think what’s next after Telegram now that the CEO’s been arrested and moved on
and I was like, honestly, I don’t think people are going to move or not quickly because there’s too many people in too many groups and they’re too well established that I think it will be difficult for them to move and create that with any of the other apps that are out there, but it’s definitely having an impact I think on
a lot of the things that are going on. So that’s a really interesting insight.

There’s a lot of conspiracy theories going around and some conspiracy theories have even been shared by the candidates themselves. How do you think that’s impacting the information that’s being shared and how viral those things are getting?

Bianca: Conspiracy theories are effectively significantly distorting the information landscape
right now, in the lead up to the election. And as you noted, a lot of them are gaining a lot of traction. And I think, you know, to give an example, a good example of the prominence of conspiracy theories right now is the information landscape we saw during Hurricane Helene and Milton. So you had far-right groups and individuals who were spreading disinformation claiming that the US government was using weather control technology so that the hurricane would be steered towards Republican voters. And you had, as you noted, of course, prominent figures reiterating these theories. There were politicians and public figures amplifying that conspiracy theory. Former President Donald Trump claimed that hurricane relief funds were being spent on illegal migrants, so having public figures reiterate those conspiracy theories lend them more credence, right, and makes it easier for them to gain traction, even though they are completely false. A lot of these conspiracy theories gained millions of views on Twitter and were reshared by more prominent figures in the Republican Party and also by Twitter’s own CEO, Elon Musk. And a lot of the most viral posts were from far-right individuals sharing often xenophobic and racist conspiracy theories. And so, I think the fact that there are millions of people engaging with this content, on Twitter especially, and amplifying and agreeing with the conspiracy theories is very concerning. And it’s ultimately a reflection of the divisiveness that we’re seeing ahead of the election. What we saw with Hurricane Helene and Milton was effectively the weaponization of tragic events, right? To influence voters ahead of the election. And that weaponization unfortunately worked and reached a massive audience. And it of course also had unfortunately real world implications with meteorologists receiving death threats. So absolutely conspiracy theories are playing a key part in this disinformation landscape right now.

What are we seeing from the far left or from others? Is it quite a similar activity or is it different?

Well, that’s a really interesting question because, of course, no political party is immune to conspiracy theories. But based on the research we’re doing right now, far-right individuals, including public figures or Republican members of Congress are dominating the disinformation landscape right now on the dark web and also on the surface web, importantly, and like I said, there is a lot of overlap in terms of content in both of those places. A lot of the dominant conspiracy theories we are seeing right now are rooted in far-right ideas. So again, for the Hurricane Helene and Hurricane Milton response and information landscape, we saw a lot of conspiracy theories and disinformation aimed at undermining the Biden-Harris administration and the Harris Walz presidential campaign. And on dark web adjacent platforms like Telegram, far-right groups are also dominant in terms of election disinformation. The group spreading significant disinformation and with the largest numbers of subscribers are our right groups as we’ve seen up until now. And that’s consistent with findings as well that that type of disinformation does tend to be particularly prevalent and toxic in that far-right online space.

Turning to left-wing conspiracies, the most prominent one I’d say that we’ve seen up until now was the baseless claim that the July 13th assassination attempt against former President Donald Trump in Pennsylvania was staged by the Trump campaign. And a lot of that chatter surrounding that unfounded conspiracy theory, interestingly enough, was on Twitter, X, rather than on the dark web. Ultimately, no political movement is free of conspiracy theories. But the ones gaining the most traction right now do appear to be far right conspiracy theories.
 
Erin: Yeah, I feel like it seems like the far right are just a lot better at organizing and weaponizing things like social media and telegram and etc. because we did a lot of work to try and balance and see what we could find left-wing group that’s thought of out there talking and you know maybe they’re just better at hiding what they’re saying or maybe they’re not you know doing it in the same way but it’s interesting how it does always seem to lean to that far-right side.

I know there was a recent arrest a couple of weeks back of an individual in Oklahoma that the FBI stated had intentions to attack voters. This is a very real-world impact. Can you talk about how that was linked to Telegram and how we’re seeing that thing being spoken about on dark web adjacent sites?

Bianca: Yes, absolutely. For more context, earlier this month, the DOJ announced that they had arrested this Afghan national who was based in Oklahoma City. Like you said, for plotting an attack on election day on behalf of ISIS. And then he was arrested by the FBI for purchasing two AK 37s with his brother-in-law, who was an accomplice, and the suspect admitted that he was going to carry out the attack on election day and expected to die in that attack and go down as a martyr. In terms of his connections to Telegram, the suspect interestingly was very active in pro-ISIS telegram groups and allegedly saved ISIS propaganda, as was noted in the indictment document, to his iCloud account and I believe also to his Google account. So, ISIS propaganda from Telegram. He had also been in contact with an ISIS associate via Telegram who was giving him guidance regarding the upcoming attack that he was plotting. So definitely Telegram connections there and it’s ultimately not that surprising given that Telegram is notorious for being a hotbed or extremist activity, particularly for ISIS. There are lots of pro-ISIS groups there. And not just, of course, pro-ISIS groups, unfortunately, a lot of domestic extremist groups, as I noted, that being one of the main issues leading to the CEO’s arrest recently in France. But absolutely,
the individual had ties to individuals in ISIS,and those connections were through Telegram.
 
Erin: Yeah, it’s interesting how we see this group for really being used in Telegram and how the arrest of the CEO may impact that. I mean, we definitely saw after the announcements that Telegram are going to cooperate with law enforcement and individuals talking about moving to other messaging platforms. As I said, I’m not sure, that they’re all going to move, but I think it’s interesting that they’re having those conversations because Telegram really has been that hotbed and obviously, we’re talking about elections now, but I think you can go to any big event that’s happened or any kind of extremist group and find some kind of telegram footprint for them at the moment.

How do you think things are comparing to the disinformation and what we were seeing in the 2016 campaign?

Well, in 2016, we, of course, had Russia leading extensive disinformation operations against the U.S., also in an effort to interfere with the presidential election, and, as you mentioned, the aim of those campaigns was to sow discord and undermine American democracy, and they used bots and intelligence officers that were masquerading as American citizens to spread this information and again exacerbate divisions. And these operations have not stopped, right? We’re still seeing that activity today. But what’s different now, in 2024 compared to 2016, is that other nation-states have significantly ramped up their influence operations as well, you know, as I mentioned, particularly Iran, and they’re engaging in similar large-scale campaigns, you know, Iran in this election has really emerged as a prominent actor in the current disinformation landscape in the lead-up to November 5th. They’ve already carried out cyber-attacks against presidential candidates, campaigns, they’ve actively disseminated disinformation meant to sow discord among American voters like Russia did in 2016. And you know, as I mentioned, we’ve also seen China similarly amplifying divisive rhetoric and there are Chinese linked influence operations
and campaigns that are spreading disinformation and conspiracy theories.

So, to answer your question, ultimately, this year is quite different from 2016, just in terms of the variety of actors that we’re seeing engaging in large scale influence operations. But also importantly, I think that what’s particularly concerning right now, and especially different from 2016 is the way that, as I’ve noted, conspiracy theories have effectively become mainstream. And that’s really not to say that 2016 was devoid of conspiracy theories. There were, of course, conspiracy theories in 2016 and there will always be conspiracy theories. But the scale of their reach today is on a completely different level. As I mentioned, there are mainstream platforms, particularly X, so not just the dark web, where false claims about presidential candidates and regarding the validity of the election, these conspiracy theories are gaining millions of views. And part of the reason that their It is so significant is that you have US prominent US based individuals that are amplifying those conspiracy theories and allowing it to gain even more traction. And because of that, these conspiracy theories have entered the mainstream and are
not just in the dark corners of the internet anymore. So, I think that’s really the the main difference between 2016 and 2024.
 
Erin: Yeah, I feel like domestically, people are just more emboldened to share their views regardless of if they’re conspiracy theories or even if they’re not, they’re just, I think people are less concerned about the impact that that’s going to have as you say, because on both sides, so many politicians are backing that kind of rhetoric. And as you say, it’s interesting, obviously, we focus on the dark web and
dark web adjacent, that it’s kind of impossible to look at this topic these days without looking at social media, because there’s such an overlap and they interact so much, like the things that are shared on Twitter, and then immediately put onto Telegram and vice versa. And there’s no one policing that or checking that. And the likes of Facebook and Instagram will try and say, this isn’t true or this isn’t verified or read this at your own cost, but Twitter seems to have moved away from doing that a little bit in recent years. And yeah, I think it’s very difficult with the amount of information that individuals are receiving to make sense of everything that’s going around and just the pure, as you say, the sheer size of data and conspiracy theories and things that are being shared now compared to previously. I can see why it’s difficult for people to make a judgment. And as I said earlier, like once these things are out there, it’s really hard to walk them back. There’s a lot of people that however many times you tell them something isn’t true and it’s been debunked, aren’t going to believe you.

Do you think we should expect a shift, as I said at the outset, we’re just over two weeks away from election day. So are we expecting any shift as we move closer to the election day?

Yes, absolutely. It’s very likely that we’ll see a pretty significant increase in disinformation targeting American voters as we get closer to November 5th. Russia, Iran and China are well aware of the fact that their influence operations can have a greater impact closer to the date of the election when they can influence voters. And as individuals have already begun to vote. And US intelligence officials are actually already warning of this increase. There were reports stating that influence operations targeting specific political campaigns have already increased. I think it’s really important to note, though, that foreign influence operations aren’t going to stop after November 5th. And the ODNI actually just released a report, I think yesterday, warning that Russia, China, and Iran are all expected to continue their influence operations well through inauguration day. And it’s very likely that they’ll continue spreading disinformation again meant to sow discord among Americans and to undermine trust in the election process. And that’s something we already saw with the presidential election in 2020. Election officials and intelligence officials have particularly warned that there’s a possibility that Russia, Iran and China could actually try to stoke post-election violence. So that’s something that definitely needs to be closely monitored. But yes, we’re expecting to see an increase in that kind of activity leading up to November
5th, but also well after November 5th up until inauguration day.

We’ve mainly been talking about all the concerning things that are happening in this run up to the election, but I want to touch on what steps can individuals and organizations take to try and combat some of this election related disinformation.

I think the most important step and the quickest one, at least for individuals, to combat disinformation and this it seems very simple but it’s to verify sources. So before sharing or reposting anything online, just taking a few minutes to check the credibility of the source and also take the time to cross reference and see if you can find another source that’s also a reputable or sharing the same information. So if you can cross-reference, there’s a greater likelihood that that information is valid. For organizations, I’d say carrying out fact-checking initiatives already is vital. Social media platforms, it’s worth noting, have the ability to give users the opportunity to report disinformation. And that’s huge. But Twitter, again, coming back to Twitter unfortunately removed a feature that allowed users to report misinformation and disinformation. So, bringing that back that feature, I think, and for other organizations and social media platforms implementing that features is a pretty vital first step to combat election related disinformation.
But yeah, fact checking in general and verifying your sources is the way to go.
 
Erin: I think knowing where something came from and make sure that it’s not just circular reporting. Everything is coming from one place. Usually, you know, a place that may not be that legitimate is such an important thing to do. And I think having discussions about that. So just going back to the dark web briefly, I think we’ve talked about how there’s a lot of crossover that’s going to mainstream social media sites. Would you say that there’s anything specific on the dark web relating to elections? I know like in the past, we’ve seen things related to like voting machines and hacking. And you know, DEF CON is famous for having their hacking village. Have we seen an increase in that kind of discussion or not really? Absolutely, seeing a lot of narratives about kind of questioning election integrity, like you said, voting systems.
 
Bianca: Absolutely, a lot of that on the dark web and on telegram channels, especially in a lot of these channels that have as many as, you know, and groups that have as many as 200,000 subscribers. Again, a lot of them are aimed at undermining confidence in the election process in the U.S. and sowing discord. So definitely seeing those conspiracy theories dominant on Telegram, but as you noted as well, you really can’t look at it in the vacuum, right, because a lot of those disinformation narratives are also being seen on mainstream platforms. So, it’s interesting that we’re seeing this kind of dialogue between the two spaces and that theories that previously would have probably been limited to the corners of the internet as it were are now very much so in the mainstream. And it’s sometimes even hard to identify where they first originated? Just because of the fact that we’re seeing them all over the place, all these
conspiracy theories.
 
Erin: Yeah, absolutely. And I think that’s the thing I think on the dark web, the more things that we see are the traditional dark web things that you see people doing, like talking about hacking, or talking about, you know, leaking voter information or information that could be used relating to voters. That’s the dark web bread and butter whereas you know outside of things like Telegram I’m not sure that people are using the dark web for those kinds of conversations because they don’t need to they can do it on mainstream platforms without fear of you know reprisal so it’s a really interesting shift I think that you’re highlighting.

Any final thoughts that you wanted to share?

Well, just highlighting again I’m glad that you asked the question about things people can do to combat disinformation and just flagging again the importance of verifying sources. There are lots of great sources online as well from CISA on step selection officials can take to ensure to ensure that we’re combating disinformation right now. Organizations and individuals can do a lot to combat this rise in misinformation and disinformation that we’re seeing right now. Thank you all for joining this webinar.
 
Erin: That just made me think as well – I was at some sessions recently where I feel like you can’t have a dark web or an OSINT or a chat these days about mentioning AI. And I just feel like these days with the way AI is improving and deep fakes in terms of generating stories and generating videos and generating images is just something people that need to be so aware of and goes back to your point about really validating those sources because things can look so believable these days in a way that they couldn’t several years ago. So I think that’s an interesting point as well.

---

Interested in reading more on this topic? Check Out Our Research Report.

June 12, 2024

Francis Rose of Fed Gov Today, recently sat down with DarkOwl CEO and Co-Founder, Mark Turnage, to discuss the current state of open-source intelligence (OSINT) in government. You can check out the article from Fed Gov Today here.

The link to the YouTube video, and the transcription can be found below.

NOTE: Some content has been edited for length and clarity.

---

Francis: Mark Turnage, Welcome. It’s great to talk to you. What’s the current state, do you think, of the government getting the data that it needs and deciding what sources it’s going to draw that data from, open sources, proprietary information and so on?

Mark: That’s a great question. And you know, I think there’s been a big change in the government in their approach to OSINT in general, and frankly, their understanding of the need for OSINT and the value of OSINT. And we live in an environment where data, broadly speaking, and OSINT, broadly speaking, is growing dramatically. The amount of data, the types of data, and so the government, in some respects, is playing catch up in trying to understand how to use it, how to aggregate it, how to analyze it. And that’s a big change that is underway. But gaps, gaps in the government’s collection. We’re [DarkOwl] a darknet data collection company. We collect data from 30,000 plus sites a day in the darknet, and we provide that to the government and other commercial users. And just that one tiny sliver of OSINT alone can tax any organization’s ability to integrate data, store it, and then manage it. So that’s it. That’s a tiny little example of some of the challenges that the government faces.

Francis: One of the things I think has been interesting about tracking this over time is that organizations, for example, like NGA, have not fought the change in the lines of delineation what used to be open or what used to be proprietary is now open-source and so on they’ve kind of said we have to get with the game and them and go with it. Has that helped, do you think, organizations in government to go through this change?

Mark: I think it’s been a big culture shift for them. I mean, NGA in particular, but other organizations as well. Take the examples of satellite data, satellite imagery. What’s available today commercially is better than what was available, on the high side, 10 years ago. And that is only going to keep happening. Using a cell phone, you can get battlefield information on the front lines in the Ukraine that’s far more detailed and far more timely than what is what then what our analysts have access to here in the US, you know from high-side data. So, I think any organization that understands that, then has to embrace it fully and start to use those commercial sources and integrate them fully into their with their high-side data. And then they’ll, then they have the best of both worlds, to be honest.

Francis: Take me farther into that definition of embracing that fully. What does that mean to those organizations to do from a tactical perspective?

Mark: Well, first of all, there’s a culture shift. I’m not sure that’s tactical, but there’s a, there’s a cultural shift that’s necessary. But once that cultural shift, once they actually understand it and get it in their DNA, I think there’s a couple of things. Number one, don’t fear it. Don’t fear open-source data. Embrace it. Buy it. Integrate it. Use it. And by the way, part of that is also staying on top of what open-source data is out there and available because it changes and it shifts dramatically as time goes on. Secondly, integrate it with your high-side data. Look at them side by side. Understand that that data, sometimes that commercially available data is better than what you have and sometimes it’s very complementary to what you have. It makes your analyst team far more powerful looking at both sets of data and correlating them together. But embracing, I think, means buying, understanding it, buying it, integrating it.

Francis: That integration process, it sounds like when you use the term changes and shifts dramatically, it sounds like that integration process may be the key factor to all of the ones that you just laid out there. Is that a fair read?

Mark: That is an absolutely fair statement. I think understanding what that technology or that tech stack is that you need to build and maintain to integrate open-source data is a journey that all the federal agencies we work with are on right now.

Francis: What does the technological underpinning of this infrastructure underpinning? And is that changing over time as well?

Mark: It’s likely to change over time, but the technological underpinning is you have to have the ability to integrate extremely large data streams, parse those data streams, store them in a secure environment, and then make them available through whatever interface or tools to your analysts that are available. You make them available in live time to your analysts. So, there are off the shelf products that allow you to do that. And obviously there are cloud data storage capability available to the government through a number of different avenues. The one interesting thing that is a challenge for many of these agencies is how do you integrate open-source data coming from the low side with high-side data? How do you cross that chasm? Because taking OSINT intelligence into a skiff, and then trying to correlate it with high-side data becomes a real challenge, you would rather have them on the same screen. So that creates a completely different technological challenge, I think, for many of these organizations.

Francis: I want to come back to that idea, but you talked about analysts and the importance of the analysts a number of times in this conversation already. What does the skill set for the analyst of the future look like potentially compared to the analyst of today given the advances that you’ve discussed?

Mark: That’s a really good question. And obviously, AI is front and center in that process. I would say that the analyst of the future needs to be able to contextualize the intelligence that they are getting. And in fact, a good chunk of that data of that intelligence they’re getting is going to be AI generated. But they have to contextualize it, and they also have to be able to keep it honest. When you have AI hallucination and other things, and you don’t have a trained analyst who doesn’t understand the context in which this is being done, you could go down a rat hole pretty quickly. So, the world of the future is going to be divided between, broadly, between people who can use AI to be more productive and those who can’t. And that’s the new social split that we’re coming to as a society, that’s no different with an analyst. They have to understand how AI works. They have to understand the data AI is looking at. They have to understand the output, and they have to then stress test that output.

Francis: You mentioned the desire to mash up high-side data with open-source data. What is the challenge potentially, if any, to maintaining, I guess, tagging is the best word I can think of, so that one knows throughout the entire data stream this piece is just for us to see and this stuff is okay for others to see when you’re combining?

Mark: When you combine those datasets, you have to tag it, you have to give them metadata so that an analyst a month out or a year out or five years out knows where that data came from, knows the source, knows the provenance of the data, and obviously can distinguish between a sentence which may have been come from high-side and a sentence that’s right, immediately adjacent to it, that came from the open-source. So that’s obviously a real challenge, but there are technical, that’s actually, I think that’s relatively solvable with metadata and tagging that’s available. If you don’t pay attention to it, going to be an analyst down the road in five years who’s going to get himself in real trouble or herself in real trouble.

Francis: Mark, it’s great to talk to you. Thanks for your time.

Mark: Really nice to talk to you as well.

---

Interested in learning more? Contact us.

March 28, 2024

Or, watch on YouTube

The government, along with Law Enforcement, is heavily impacted by ever-evolving technology and there is a multitude of malicious actors conducting espionage, stealing data, attempting to infiltrate, and shut down systems critical to everyday life.

These malicious actors with a proven state-sponsored tie are often called Advanced Persistent Threats (APTs). The digital realm is heavily involved in geopolitical conflict, and its role and that of adversarial actors must be explored.

In this session, we will dive into the big 4 cyber adversaries:

• Explain how cyber experts are trained
• Explore the use of front companies and technology to online activities
• Examine ties to their governments
• Cover common offensive and defensive capabilities
• Glimpse into the possible future with AI used in operations

For those that would rather read the presentation, we have transcribed it below.

NOTE: Some content has been edited for length and clarity.

---

Mark: My name is Mark Turnage, I’m the CEO and Co-Founder of DarkOwl and with me, I have Erin Brown, who’s our Director of Intelligence. We’re pleased that you joined us here this morning. I’m just going to make some introductory remarks, and we’re going to conduct this webinar as a sort of fireside chat between me and Erin and talk about four cyber countries – powerful cyber countries: Iran, North Korea, China, and Russia.  

Just a couple of introductory remarks from me, we live in very interesting times. It’s a very famous Chinese curse and I think it’s fair to say that over the last several years, the world has become considerably more uncertain and more unstable. We have wars being waged in Ukraine, in the Middle East, we have a considerable amount of tension in East Asia, between China and Taiwan, and against that backdrop, there are a number of elections taking place this year around the world, including here in the United States, our presidential election. All that means that the cyber sphere has become even more important and more deserving of our attention as we think about that instability and how to better manage that instability. And against that background, four countries are continually mentioned: Iran, Russia, China, North Korea. Interestingly enough, two of those, China and Russia, are quite large countries and powerful in their own right. Two of them, North Korea and Iran, are cyber superpowers, in spite of being relatively small and in the case certainly of North Korea, having quite a small economy.  So, we thought it would be useful to talk, to have a conversation about those four countries and talk about their cyber capabilities and how they use the cyber sphere, both for their own purposes and to sow instability and discord. So, with that, I’m going to just start asking Erin some questions.

What are the main cyber threats posed by these four countries?

Erin: There are a lot of different threats that they’re posing, and it really depends on what they’re trying to achieve. We see them conducting cyber espionage, we see intellectual property theft, attacks on infrastructure. It really depends on what their motivations are and they have many groups within their countries that are conducting these types of attacks – but most of them, all four of them, I would say, have a joint desire to advance their global influence. They all want to be the superpower of the world and they want to do that in both the digital and the physical world. We’re seeing that overlap, as you just mentioned in your introduction, as there’s more and more real-world conflicts happening. We’re seeing a huge cyber element to that. But then they do have their own distinct motivations as well in terms of what operations they’re conducting. North Korea, for example, we’ve seen them conducting a lot of attacks that lead to financial gain because they’re using those funds to finance other operations that they’re doing and things that they’re doing within the country.  So, they all pose a huge amount of risk to both countries and organizations in terms of what they’re trying to achieve to advance their global power, basically.

And is it fair to say that of those four, North Korea is the most quote unquote, financially oriented in terms of their cyber activities? Or is the same true, say, of Russia?

I would say so. I think we know North Korea from a government perspective, is doing that financial motivation and gain. I think with Russia, especially and Iran, to a certain extent as well, we see that overlap and bleeding between who is the state-sanctioned, state-sponsored groups, and those actors that maybe the state is allowing them to operate. So obviously, you know, the ransomware gangs in Russia are making a huge amount of money off of corporations worldwide and there are suggestions that they’re at least allowed to conduct their activities by the Russian government. One could infer from that that the Russian government may be getting kickbacks from them and from that type of activity, but we don’t see necessarily the state-sponsored groups that are the military groups necessarily having that financial motivation and other countries. But Iran and Russia certainly have that criminal overlap.

Which brings us to the question of how these countries actually organize their cyber operations. You mentioned that some of them may or may not incorporate private actors in those operations, and others are more official. So, how do they organize their operations?

It’s quite a complex makeup across all the different countries and they all do it slightly differently. You do get those differences between what is state-sponsored, what is state-sanctioned, what is state-allowed. So, there are all of these distinctions within how you group them, but primarily, we see that the countries have military and civilian intelligence services. So, they’ll have military operators that are part of their armed forces that are going out and conducting these cyberattacks, and then you’ll also have intelligence agencies. So similar to how we have the CIA in the US, they have their equivalents that will also be conducting cyber operations on their behalf as well and depending on who’s conducting the attack, you’ll see different types of attacks and different victims as well in terms of what they’re trying to achieve.

But then we do also see civilians that are somewhat separated from the government being utilized. So, we do see a lot of front companies being used by these countries. This will be a seemingly legitimate company that is set up in country that has government backing behind it. That’s not necessarily obvious, so that they can have that air of conducting activity and not being linked to the government, even though they are. Then also we do see, as we just mentioned, with the financial motivation, we do see in especially North Korea, around countries that don’t have as much stability and financial security. We’ll see these actors that are doing a day job with the government and then in the evening, they’ll be using those skills that they’ve learned with the government to conduct cyber activities and criminal activities. So, it’s a murky infrastructure in terms of how these are set up but I would say is all of these countries do have set up groups and organizations that are there to conduct cyber espionage and cyberattacks on other countries.

Mark: This odd mixture of official and unofficial criminal gangs must make attribution really difficult when you’re looking at an activity, trying to attribute who the actor is who is behind the actual action.

Erin: Yeah, it’s incredibly difficult. And I would say it’s probably more difficult for people like ourselves that are outside of the government remit to identify that information because it’s very noisy in terms of what’s being conducted, who’s doing what attacks, and then things like the malware that they use. A lot of countries will use off the shelf malware, but lots of other groups use that as well. So, just because a malware is being used doesn’t mean that it’s attributed to one particular group. Even if that group invented it. For instance, Stuxnet is a good example of that – it was developed by the US and the Israelis, but it has been utilized far and wide by other nation-states, and by criminal actors since then. So, it’s really difficult to know who is conducting these activities and mistakes are made in terms of these attributions as well between different groups. Whenever we’re looking at this attribution, whenever we’re looking at this activity, the attacks that are happening, we’ll make assumptions about what we think that’s connected to you don’t really know unless you’re in those groups and being able to see that. So attribution is incredibly difficult and when we’re talking about APTs and we’re talking about nation-states, we’re talking about probably the most sophisticated cyber actors that are out there, that most of the time are trying very hard to obfuscate their activities and obfuscate who they are and who is conducting them. It’s a very tricky thing to be able to attribute that activity. So, one of the things I would say about it is it’s more about knowing what the techniques are than knowing who is doing it so that you can protect yourself from those techniques and those vulnerabilities within your organization. I guess some might say it doesn’t really matter who’s doing it when it comes down to attribution, it just matters that you stop it. So, it’s an interesting balance.

Mark: Yeah. Although, if you’re a foreign leader, say, the president of the United States, the Prime Minister of Great Britain, the President of France, and your country is in some fashion attacked by a cyber operator, attribution becomes important in terms of how you respond. So that’s a challenge I’m sure that many leaders face.

Let me switch gears a little bit and talk specifically about China. The Great Firewall of China – what’s the impact of that on both their capabilities and on the ability of outsiders to see what’s happening in China?

Erin: For those who don’t know, I’m sure most people do, but the Great Firewall is what we refer to as the operations that China put in place to silo their internet from the rest of the world. So, it means that most of their citizens aren’t able to access the internet in the same way that we do and they’re not allowed to access certain things. So, it means that the government can really lock down the messaging and the news that citizens are being able to access. And as part of that, they do also have their own apps and search engines and things like that. A lot of social media like Facebook and Instagram and WhatsApp can’t be accessed in China. Instead, they have WeChat and WeChen and Weibo and other ways that they’re, doing that. It always from the outside is seen as a way of controlling the citizens and the messaging that they’re getting and what they’re able to do, but it does also highlight the sophistication that the Chinese government have in terms of cyber activities, in terms of how they’re able to monitor their own citizens and lock down that information and how sophisticated their surveillance and censorship is. So, it really highlights some of the skills that they have. It’s the same cyber operators influencing the Great Firewall as conducting some of these attacks that are happening, and it shows how they want to have their world order and what some of their motivations are in terms of the cyber operations that they’re targeting.

It’s worth mentioning that they aren’t the only country that’s doing that. Russia has Runet – they are expanding and trying to lock down what their citizens are able to see. And Iran and North Korea have very similar methodologies in place. I would say with North Korea, we know even less about that, just because of the isolationist way that North Korea operates. It’s very hard to know how that functions but I think it just demonstrates the sophistication that they have and the abilities that they have of surveillance and censorship that they utilize outside of the firewall as well as inside it.

Mark: So, from an adversarial perspective, we’re in an environment where these four countries have unencumbered access to the world’s internet. It’s open. We’ve made it open deliberately, but we have very limited access, on a variable basis to their internal country networks and I would put, you would put China at the top of that at the top of that list.

Erin: Yeah, definitely. So, it’s very hard as analysts. Going back to that attribution point as well, to know what’s going on inside of that firewall because they’re locking down that information. What messages are they sharing? What is it that they’re putting out about adversaries when there is a campaign that is publicly reported or Chinese actors are indicted, which has happened several times? What is the messaging that they’re putting inside internally? And I think, with Russia, we’ve seen this with the Ukraine war and the messaging that they’ve put forward about Ukraine to their citizens in terms of “they’re saving the country, it’s not a war, it’s a defensive position,” like very different to what we’re seeing outside of, of that realm. So, it definitely impacts on that attribution and what we’re able to understand about what they’re doing. One thing I would mention, just as well, because we’re a dark web company, but this is one of the ways that Tor can be used in a very legitimate way. I think we tend to focus on the dark web being a bad thing for criminal activities, but it’s a way that a lot of citizens are in these countries that have lockdown internet, are able to access Western and outside media and this is the reason that a lot of social media companies will have mirrors on the dark web. X, formerly Twitter, has it, Facebook has it, some governments have websites on the dark web. So, people are able to access that information. It’s a useful way for people to be able to get that outside information as well.

Can you talk about some of the notable cyber campaigns that have been conducted by these four countries?

Sure. There are a lot, and as we’ve already covered attribution is tricky in terms of how we associate particular campaigns that we’re seeing to particular countries and the groups within them. China has had some very significant operations in recent years targeting a lot of countries in their region. We’ve seen them spying on Cambodia, the Philippines, South Korea, and they do this using phishing techniques to gain access. So, you know, they are using some of the same techniques that we’re seeing criminals using that we’re all warned about at our companies in terms of “don’t click on a link.” Those sophisticated users are using those methodologies as well and we have seen things like when they recently targeted Japan’s space agency and one of the things that China is well known for is targeting companies in stealing intellectual property, and then taking that information back and using it to develop their own technologies and issue patents on their technologies. So, that is a thing that they continue to do in terms of expanding their power and what they have access to. That’s something that we’ve seen China doing a lot of recently. 

With Russia, probably the most significant one that is fairly recent was that they targeted Microsoft’s corporate systems. They targeted the executives and I believe the legal team and were able to access some emails and documents, and they did this again with fairly simple methodology. It was a password spray attack. So basically, they just took lots of different ways that people might use a password and put it across all of their systems. This really highlights why you need to have good password hygiene across your corporation, and governments everywhere because that is a way, not just with nation-states, but across the whole adversarial cyber field that we’re seeing people get access is through credentials.  So, it’s a really important thing to identify. And then I think you can’t talk about Russia’s activities without mentioning the war in Ukraine, because there definitely is a cyber war going on as well as the on the ground war. One of the things we’ve seen fairly recently was they hacked into webcams in Kiev, so that they could look at what air defenses were being used in the city and they did that ahead of a missile attack. They wanted to see where their missiles would be defended and where they wouldn’t. That is a real-world example of how the cyber and the real world are linked together and they’re utilizing cyber tools to help them with military campaigns.

In terms of Iran, there is a group known as, Mint Sandstorm.  So again, using phishing techniques, but social engineering as well. This is something we see a lot with Iranian actors – utilizing social media and fake social media accounts to lure people into giving them what they want. We saw them on a large recruitment and job networking sites that were creating these accounts, creating several levels of personas that knew each other to make them look as, as real as possible and then we’re using that to identify people that they wanted to target as part of the Israel-Gaza conflict. They were using this as an espionage dash intelligence gathering campaign. With these campaigns, it’s not just about disruptive action or getting access, sometimes it’s just understanding things that are going on to help them with other areas.

Then North Korea, again, is a trickier one just because of their isolationism and the groups that we see. Probably the most prominent group that’s been mentioned in recent years, and they have been around for a long time now is Lazarus. They have been involved in significant financial thefts as well as espionage. So, a lot of cryptocurrency, ransomware attacks, etc. They were responsible for the Sony hack way back when, I believe it was 2016, but as recently as this year, they’re still operating. They were seen conducting cyber espionage campaigns, targeting defense technologies, again creating fake social media profiles, and then deploying malware once they’ve got access to individuals. So, you know, there’s a range of activities that are going on and that very much is a high-level overview of some of the activities. There’s probably a lot more going on that we don’t know about, and a lot more going on that we do know about, but it hopefully gives you a sense of the types of campaigns that they’re conducting and also the variety of people that they’re targeting. I think you said earlier about governments obviously care about attribution, and they should, and their governments hopefully are better at attribution, but I think there’s an old world view that nation-states and spying and espionage is a thing between governments and these days with cyber, it just isn’t like everyone is vulnerable to attacks.  Everyone has information worth stealing, so everyone has to be vigilant.

Mark: It’s notable that in your answer, in talking about the various cyber campaigns conducted by these countries that many, if not most of them, are using basic password access, phishing, social engineering, as opposed to, Zero-day exploits that they have access to on an exclusive basis. That’s quite notable.

Erin: Zero-day exploits are really hard to develop and they’re really expensive to develop. If you don’t need them, because you can get in by a weak link of a person clicking on a link or believing a phishing email, then then why waste your time and infrastructure? I would say they still definitely do utilize those Zero-day attacks and that is something that’s developed, especially Russia and China, but those are the ones that it’s harder to hear about, right? Those are the ones that they don’t want people to know what that capability is and who they’re targeting. And they would save that for their most important victims.

Mark: We, in the cyber security industry, live in evolving times. There’s a lot of changes in technologies and I would include in that, by the way, artificial intelligence, the rise of artificial intelligence. How does that affect how these four countries are both organizing themselves and conducting their cyber operations?

Erin: I think in the same way that the rest of us are, right, they’re still learning. They’re still coming to grips with these new technologies and how they can utilize them and how they’re going to work, but they definitely are. I think they definitely want to utilize them and there is a growing sophistication. We have seen particular countries trying to target AI companies. I think there was an article, a month or two ago about OpenAI reporting, I think it was 4 or 5 specific APT actors that they had kicked off of their site and they were using AI to do the things that a lot of other people are doing, like help them with their work, but also create phishing emails and ask it questions to do research for them about the capabilities that other countries and their victims have. So, we know that they’re using AI, we know that that’s happening.

There are also, I believe it was China, I’m trying to remember – it was either China or North Korea, but they’re actually investing in companies that are developing AI in certain areas of the world so that they can own that technology for themselves as well. What I would say with AI and those technologies is the US and Europe and the likes of OpenAI, oh, I can’t their name is escaping me.  But, you know, the prominent AI providers at the moment, they are far and above, ahead of Russia, and China at the moment. But I was actually at a talk with someone from those companies a couple of weeks ago, and they were saying, we’re only a couple of months ahead and they are going to catch up, like it is going to happen. So, it’s something that everyone needs to be aware of and needs to be vigilant about. I think the takeaway point from that is that they are using it. They are keeping an eye on emerging technologies. They themselves as well have to constantly evolve to remain relevant and successful because people’s defense gets better all the time. So, you need to constantly evolve to get around those defenses and those ways of operating. It’s definitely something that they focus on.

Mark: You mentioned earlier, by the way we’re a darknet company and we cover the darknets, and we cover darknet adjacent sites. You mentioned earlier in one of your answers the use of the darknet by citizens in countries which are behind firewalls or where they have limited access to the outside internet. But how do the countries themselves use darknet and these other online platforms in their own operations?

Erin: Yeah, that’s a difficult one and it’s a bit murky. Again, going back to that attribution problem and especially on the dark web where everyone is trying to stay as anonymous as possible to know who is doing what. We know that they definitely do utilize it. We know that there are probably actors on there that are sowing disinformation and details on the dark web and sharing them. But, you know, one of the things that we’ve seen more in recent years and is a bit more obvious is hacktivist groups and criminal groups that are associated or in somewhat sanctioned by governments. So, we’ve seen this with Killnet in Russia and a handful of other groups that came out in support of Russia when the invasion of Ukraine happened, and they are very active on things like Telegram. They will say who they’re targeting. They will say why they’re targeting them. They’re often going after NATO participants. They will show evidence of defacements or DDoS attacks. So, they’re very vocal and they want people to know what they’re doing, and they do have those links or at least a nationalist fervor that is very clear. And we see that other groups linked to North Korea and Iran also have telegram channels and other channels that are very vocal. One of the interesting things that we’ve seen, though, that is less how they’re operating but gives us more insight into how they’re operating, is we have seen a lot of data leaks relating to some of these countries and their governments. Everyone’s falling victim to data leaks in recent years. It’s big business on the dark web – selling that data, but there’s been a huge increase in the last probably 6 to 9 months, especially for China in terms of government data being leaked. There was a huge leak of the Shanghai police late last year that was assessed to be one of the biggest breaches ever, data breaches ever, and it had a huge amount of information about their law enforcement, but also their tools that they were using to target their citizens. So, it gave security analysts insight into what they’re doing that the governments wouldn’t necessarily want them to have and there was another recent one as well on a GitHub repository. So slightly not the dark web, but where it was one of the front companies that was conducting cyberattacks on behalf of China. All of their information was released, and we’ve seen large scale releases of Russian data, Israeli data as well, talking about those conflicts. There is information like that and while we’re all looking at that dark web data and saying, oh, this is giving us insights into these countries that we don’t know as much about. You can believe that they are also doing the same. So, when there are leaks of US, UK, European data, those countries are definitely going to have individuals that are on those dark websites collecting that data and reviewing it as well.

What do we do about this?  It’s not like these four countries are going to wake up tomorrow and become parliamentary democracies and decide to conform to rules of international law. So, what do we do?  What do we do about this?

Erin: I think it’s points we’ve already mentioned. You just have to be vigilant, and you have to have as much security as possible. I think there’s education that needs to happen to people about how you should operate, as you said, like these phishing techniques, password spray attacks, things like that. They’re fairly simple and they’re things that we can educate people about and I think we’ve been too focused in recent years on; okay, people know that if you get a bad email that you shouldn’t click on it, hopefully most of the time, but we’re seeing more and more smishing attacks, so text messaging and with the advent of AI, you can develop someone’s voice and get them to say anything you want them to say.  So, you can get like a voicemail from your boss telling you to send you money or to click on a link. Things are becoming way more sophisticated in terms of how attacks can be conducted and therefore, our education to people about how to combat those attacks needs to be more sophisticated and I think it’s just staying up to date with what these threat actors are doing and this isn’t just the nation-states, it’s across the board, like what tools and techniques are being utilized, and are your systems set up to protect against those vulnerabilities? So I think it’s trying to be as proactive as possible and not just reacting when attacks happen.

---

Interested in reading more on this topic? Check Out Our Research Report.

March 05, 2024

Or, watch on YouTube

The internet is a vast realm that extends far beyond the surface web we commonly explore. Beneath the surface lies the darknet, a hidden network that poses significant challenges but also holds immense potential for open-source intelligence (OSINT) investigations. Join DarkOwl’s Director of Intelligence to learn how the darknet expands the scope of information available to researchers and analysts.

In this 30-minute session, Erin covers how darknet data:

• Enhances OSINT investigations by unveiling hidden information
• Strengthens our ability to combat cybercrime and protect individuals and organizations
• Enhances threat intelligence and helps maintain a safer digital ecosystem
• Is utilized in identity theft, fraud, compromised accounts and other real world examples

For those that would rather read the presentation, we have transcribed it below.

NOTE: Some content has been edited for length and clarity.

---

Erin: Good morning or good afternoon, everyone. I’m going to do a quick high-level talk today of what darknet data is, why it’s important and how it can fit into your investigations. Please do ask any questions that you have throughout, and I’d be more than happy to answer those. So, what we’re going to cover today is what is the dark web? A really quick intro, what is OSINT? Again, very high level. Why is dark web important? And then what I really want to focus in on are some use cases and hopefully show you how we can integrate dark web and OSINT together to find some really interesting things in our investigations.

The obligatory who am I side… as any good analyst, I hate having any details about me on the internet, so I’m going to keep it brief, but my name is Erin. I’m the Director of Collections and Intelligence here at DarkOwl, and I’ve been an intelligence analyst for over 12 years now.

Another obligatory slide is the iceberg, you can’t really have an OSINT presentation without including an iceberg of some kind in here. This is to highlight the different areas of the internet. They’re all open-source, so they all form part of open-source investigations but obviously at DarkOwl, and me personally at the moment, focus on the darknet, but it’s always important to see the whole view and look at everything that’s going on. You want to be able to look at sources that are on the deep net and the surface net as well to make sure you’re getting as much information as possible and that you’re able to validate that information as well.

Diving into the dark web, hopefully most of you that are listening are familiar, but I’ll just give a very quick background of what the dark web is and what can be found there.  I’m not going to read everything on this slide, but you can see that it’s been around since the 2000, so we’ve got about 20 years now and there’s a lot of things that have happened in terms of the access, the marketplaces that are emerging and forums, breaches starting to occur, terrorists using the information, etc. There’s been a lot of uses of the dark web, and I would like to say that it isn’t just there for illicit uses. There are a lot of legitimate uses for the dark web. I think one of the best things is allowing some individuals that might not have open access to the internet in the countries that they live in are able to access a lot of websites, social media sites, etc. using the dark web that they wouldn’t otherwise be able to access. There are legitimate purposes, but obviously a lot of nefarious actors also use it and take advantage of the anonymity that they believe exists there.

What is on the Dark Web? What can you find there?

Marketplaces, people selling goods. These are usually illicit goods, usually, hacking tools, malware, data, drugs, weapons, counterfeit goods. We see all of those being sold on a regular basis. We also see forums – people chatting and talking to each other but also usually selling some kind of information or sharing information, some of it’s not all for sale. We do also see a lot of extremists, forums, people talking about, information that’s not great, but also getting together, planning events, things like that. As I just mentioned, there are also social media sites on there. There are mirrors of Twitter or X or Facebook, Reddit.  All that can be accessed from the dark web. There are cryptocurrency exchanges, mixers, other forms of things. Cryptocurrency is the currency of the dark web. Really, that’s the main way that people transact. The full ecosystem for cryptocurrency also exists on the dark web. You also get news media, news sources. A lot of the main media outlets and newspapers will also have dark web mirrors. The CIA has a dark web mirror. There are a lot of legitimate sites out there. And then of course, everyone is aware of data leaks, that is the main place that they are shared and ransomware. A lot of ransomware groups will have leak sites where they will have a shame board of all their victims, which they will put on the dark web for people to go and view. If the company doesn’t pay their ransom, then that information will be released there and can be downloaded. I should say with the leaks as well, it’s usually advertised on the dark web, but the dark web is very slow in terms of downloading information. Often a downloading service or a torrent will be used if the files are quite large.

This is just to give you kind of an idea of what the dark web looks like. These are some sites selling counterfeit goods, organs, drugs, cash apps and accounts. Then also we’ve got some of the advertisements that are shown here. 

You can see the different marketplaces that exist with the different areas, we’ve got people selling Social Security numbers, malware, botnets, different types of drugs. There really is this booming commercial aspect to the dark web and a lot of different stores that have been set up either for niche things or sell a huge amount of goods. And as I said, cryptocurrency is the currency of choice. You can see in that middle image: Monero, Bitcoin, Dogecoin, Litecoin are just some of the ones that are accepted. But it is a variety of cryptocurrencies that are usually accepted these days.

There are quite a lot of challenges, though, with collecting from the dark web. I mean, the first one is you’ve got to know where to look. You don’t have the nice URLs that you would get on the surface web. You also don’t have Google to help you. There are search engines on the dark web, but the majority of sites are not indexed and therefore not easy to find. You need to know where to look, and need to be into networks where that information is being shared. You also, in most cases, need a login to access the pages. So, you need to create personas and you need to do that in a secure way. The threat actors that set up these sites and maintain these sites are very against bots. They’re very against DDoS, all of the things that they’re very familiar with but also, they don’t want people going in and crawling the data. They don’t want people to access it that aren’t there for the purposes that they’ve set it up for. I would say the dark web has some of the most sophisticated captures I have ever seen. I can spend quite a bit of my day just trying to solve math issues or see letters in squiggly lines or putting images together. It is quite difficult to get into those. There is a lot of bot traps on the dark web and a lot of human interaction that is required to get into it. It’s not easy but there is a huge amount of data and intelligence to be found once you do get into those sites.

I also just wanted to touch on before I get into some of what that data is what we call at DarkOwl dark web adjacent sites. These are things that are not necessarily on the dark web. They’re not on Tor or I2P or ZeroNet, or some of the other dark web services that are out there but they are used by the same types of people. They are used in the same kind of way. Telegram is a huge one where we do see a huge amount of marketplaces. We see a lot of fraud being conducted. We see a lot of hacking operations. There’s a lot of hacktivist channels, extremist channels, etc. That’s something that you need to be aware of as well when you’re doing these dark web and OSINT investigations. I’ve also mentioned ICQ and Jabber. But there are other things like Rocket, Tocket.io, Tox and things like that where people are communicating. We also see it on gaming apps. Discord got a lot of publicity last year with the leaks from the Pentagon leak. I believe he was just sentenced, actually, this week. In terms of leaking that information on there, but generally, a lot of threat actors are on Discord actively. It is a gaming site, but you can set up different servers and different channels. And so, we see a lot of people sharing and operating there as well. Then a lot of threat actors these days aren’t as worried about anonymity as they perhaps used to be. There’s been a lot of instances where dark web forums and marketplaces have been taken down by law enforcement action. So, some threat actors, I think, think, why should I go to all of this effort of having a Tor node and a Tor site and setting this up when I could just do it on the surface web with the same risks, almost. There are marketplaces that are vendor shops that are forums that sit on the surface web that’s still used by the same kind of actors for the same kind of use cases. We’re very much monitoring and looking at those as well.

To give you an idea of some of the things that we’re able to find from the darknet. A lot of data comes from the darknet, so we see things, huge amounts of personal data, PII. That is the currency of the dark web at the moment. I would say we see a huge amount of issues being stolen, email addresses, passwords, Social Security numbers, social media accounts, stealer logs becoming really prevalent in the last year or two. There’s cookies in there. There’s two factor authentication sign-ins. There’s key questions, etc. So, there’s a huge amount there. We also see a lot of banking information and fraud. There’s a lot of corporate data, especially with ransomware attacks which are only increasing. I’ve mentioned malware and then also risks. There’s a lot of threat actors on the dark web that are very good at what they do. There’s a lot of cyberattacks. There’s a lot of education, actually, on the dark web about how you can conduct those cyberattacks, leaks, etc. There’s a huge amount of information out there if you know where to look.

Will you be discussing during this webinar the uptick in Drainer as a service (DaaS) or explaining it to those new to dark web marketplaces?

No, that is not in the presentation, but I can definitely get to that at the end.

OSINT 101

OSINT is open-source intelligence. It’s information that’s been found from open-sources. Any information found on the dark web does count as OSINT information but obviously it’s a lot broader than that. These are just some of the sources and information that’s out there that you can use as part of OSINT to find information for whatever kind of investigation you’re trying to conduct.

I did want to highlight some tips in terms of doing OSINT. This is true of looking on social media or looking on the dark web. I created my little AI generated sock puppet. That’s what that’s supposed to be if no one can tell but always use the sock puppet. Always have a persona, always ensure that you’re doing this in a secure way – using VPN or proxies. Use a virtual machine, use burner phones. Don’t use any of your own equipment to do any of these investigations. You should never cross over your real-life persona with what you’re doing online ensuring that you’re recording all of the information you find. I mean, it really depends on if you’re doing this for law enforcement or internally. But I would say most people you need to record what you’re finding with the dates, the timestamp so you are able to validate the data is accurate as of the time that you found it. Because obviously all of these things can change, and particularly with the dark web sites go up and down all of the time. What you find today might not be there tomorrow. It might not be there an hour from now. There are a lot of open-source tools out there that can help you with doing that kind of collection. So I would recommend looking into those and if anyone has any questions, I’m more than happy to share some of the, the tools that I’m aware of that can help you with that collection. There’s lots of other OSINT tips and tricks out there. There’s a huge amount of resources, online and for anyone who’s new to the area, I would recommend having a look at those.

Why is Dark Web Important to OSINT Investigations

Basically, there’s a lot of illicit information and activity that’s happening on the dark web, so it can be a really good starting point for investigations in terms of finding out what’s going on. You can see what people are discussing, you can see trends, you can see victims, you can see how things are operating. Then moving into more surface web OSINT investigations, you can sometimes expand on that and build out a really big picture. I would say they’re very complementary of each other and especially if you’re looking at fraud or extremism or drugs or weapons trafficking or human trafficking, the dark web is going to be a really valuable source for you to find information and data points to help you in your investigation.

LockBit

Now I’m hopefully going to go on to some of the interesting bits and walk you through a couple of recent case studies that we have. I’m going to start with Lockbit. Obviously, this has been in the news a lot recently. Kathy is going to share in the chat a blog that we recently did on Lockbit. I think it’s been about two weeks now, Lockbit leak site was taken down by law enforcement. Really interestingly, I thought, rather than just seizing the site as they usually do, they actually had fun with it and started posting on the leak site things about the Lockbit group themselves. One of the things that they did share was that there were two Lockbit affiliates that they had sanctioned and put indictments against. This is after the fact, but I wanted to highlight how you can get really good information from government sources and official sources about threat actors, and then use that and pivot into other data.

So here we have this individual, Ivan, I’m not going to attempt to say, but Vassalord. We’ve got all his usernames and things that he’s using here, and we can pivot in our own data. We were able to identify that he was active on a number of dark web Russian speaking forums. Here we can see him, this is in Russian, I haven’t translated it, but he is selling malware. He is giving people advice on different malware and also selling it within the group. So, through looking at this you know obviously it’s after the fact, but we can see what his activity was. We can see this dates back to 2022, but we can also see who he was interacting with. We can see kind of what tools he was operating, and we can see more information about him. You can also then take that information and put it into social media tools. This is What’s My Name app, where you can put in usernames, and it will search across social media sites and identify if an account exists. So here we can see that there’s some old Twitter accounts. There’s a telegram account which I already mentioned. The threat actors are very active on. We’ve got a Roblox account. You know, threat actors love gaming.  It’s giving you these other areas to go and look and to go and research and investigate and can give you more information to build that picture about that individual.

One thing I was just going to highlight, just because I thought it was kind of funny, was that Lockbit actually put something out a few months ago, I believe it’s a few months ago. It might have been a bit longer, saying they would pay anyone who got Lockbit tattooed on them, and several people did it. And they shared that online, and we were able to see those tattoos, which they probably regret quite a lot now.

There was a second Lockbit affiliate, also that I wanted to highlight. This is just highlighting the usefulness of leaked data. We collect data breaches and leaked information and have that within our system. Here you can see there’s two separate leaks. One includes an email address with the full name of the individual. If you only knew this email address was linked to someone who was doing bad things, you could put that into a leak and see if you can get more information about them. And here we’ve got their full name in Cyrillic, which I’ve translated, and also their telephone number. And then pivoting on that telephone number, we’re able to see another leak, which I believe is linked to Yandex app for ordering food. So, you can see kind of the payments information. You can see his name again in Cyrillic as Arthur, you’ve got the phone number there. But also interestingly, you’ve got the iOS version.

So, there’s a lot of information that you can find within these leaks with information about threat actors. And then what I’ve shown below is again, using open-source tools, these are two freely available Python tools that you can use, where you can search on the email address or on the phone number, and it will go and look across social media sites to see if they appear there. And it won’t share that information with the email or the phone number holder. So, you still have OpSec, but here you can see that email address. It has a LastPass account, it has a Nike account, it has a Twitter account so you can start to see where this individual is operating.

Cryptocurrency and Extremism

Another use case I just wanted to highlight. I mentioned cryptocurrencies are used extensively on the dark web. I also wanted to highlight some of the extremist activity that we see. I’m not going to highlight any particular threads on this page because I personally don’t find them to be, I don’t agree with their point of view, but Kiwi Farms is an open forum where people share information about different things. It’s similar to a chan. It does have, some not so nice threads on it but just highlighting that with our Vision platform you’re able to find that information and then also view it through our direct to darknet feature as it would look on the site, and you can see this is their homepage. But one of the things that Kiwi Farms do is they have a donation address, so the people that maintain the account are asking individuals to provide them money to keep the site going. So I wanted to see if I could find out anything about that cryptocurrency address and how the funds are being used. I used an open-source blockchain explorer. This is called breadcrumbs; you can get a basic free account and it allows you to do some kind of network analysis. You can see we’ve got the Kiwi Farms bitcoin address right at the beginning with some of the people that are paying into that. But I was more interested in seeing where that money went and a lot of it was circling back. I have removed some of the nodes on this just to make it a little bit more visually easy to see but a lot of it was going back into Kiwi’s Farm, but then I was able to find areas where it was being cashed out; Kraken, Binance. And then Bravada, were some of the areas where we were seeing that the funds were actually being cashed out. And you can see that the site, breadcrumbs, does also give you an overview of the Bitcoin address and how much funds have gone in and out. You can see it’s quite a high volume and it’s been active for the last three years. You can also see that it plugs into bitcoin abuse. Bitcoin abuse, which I believe its name has changed now to Chain abuse, but it’s another really good source for looking at any cryptocurrency addresses you come across and seeing if they’ve previously been reported as linked to nefarious activity. One of the addresses in the Bravada exchange is actually been reported to be linked to terrorism and sponsoring groups in Russia. It’s interesting that an extremist forum, Kiwi Farms is utilizing and sending funds out that way. Obviously, I can’t say for definite that that’s what’s happening, but we can see that those funds are being trickled out that area and it’s another area for us to investigate and look into.

Israel-Hamas Conflict

The Israel-Hamas conflict has obviously been ongoing for a while now and it’s been all over telegram. So, as I mentioned, telegram is a really useful place to see a lot of hacktivism, a lot of threat groups. There’s also marketing there, but it’s also being used more and more as a new source and whether that news is factually accurate or is disinformation is always up for debate, but it’s been a really good source of being able to see what is happening on both sides of the conflict. Actually, on October 7th, it was one of the first places that anyone saw that something was happening. You can see one of the images here is them going through the wall into Israel.

This was on telegram almost immediately and anecdotally; I know that people in Israel were watching telegram for news updates because they were coming through quicker than they were on traditional media sources. But as I said, there’s also been a lot of information that’s been shared there that is probably not accurate. There were definitely videos that were being posted at the beginning of the conflict that actually came from video games and things like that but there’s also been a lot of the hacktivist groups on both sides, saying who they’re going to target or saying that they have successfully targeted someone showing evidence of DDoS attacks, showing evidence of defacement attacks, showing documents that have been stolen and leaks. A huge amount of leaks are being shared on telegram but one of the things I wanted to highlight, and I don’t necessarily have a good example here, but you definitely can do it, is taking some of these images and the videos that are being shared. Telegram, unlike Facebook, Instagram, Snapchat doesn’t always strip out the metadata on the images.  There are a lot of open-source tools that can kind of help you to see what the metadata is, and if there is any Exif data that’s going to help you there but also you can get hints of where things are occurring and what’s happening by looking at the images and matching them up with satellite imagery or previous images that have been shared as well.

Scattered Spider

I’m conscious I’m running out of time, so I’m going to go quickly. Scattered spider is another group, threat actor group that we’ve been monitoring. They are a financial crime group. Scattered spider is the name that’s been given to them by one of the cyber security threat actors, but they’ve been responsible for some very high-profile attacks in recent years, including taking down Vegas with the MGM and Caesars Palace ransomware attacks. They do a lot of social engineering and phishing techniques; we expect those to probably increase in sophistication. Not that they aren’t already, but we know that AI is being used to assist with those attacks but they are very active on telegram and discord and part of what is known within the community as the comm. We’re doing some analysis on who is active in those groups, who is interacting with each other, and what information can we find out about them. So, there’s a lot you can do with the data that’s in telegram to do analysis, to do that link analysis to, to find out who the individuals are and of course the main ones you can go and look in other sources to see if they have other social media profiles or other areas that you would want to be looking into.

Conclusion and Questions

So, I ran through that really, really quickly.  I’ll just leave the key takeaways up here for people to read.  Hopefully, that’s what you’ve taken away from it. I think the question about the Drainer service highlights that there’s a huge amount of things that you could cover here. This is very much designed to be an initial overview and an introduction but if there’s topics and interests that people would like to know more about, please put those into the chat and we can look at providing more information on that in the future. 

But with that being said I just wanted to highlight we do provide investigation services at DarkOwl for dark web and OSINT investigations so we can assist you with any investigations that you currently have. With that, I will open it up for questions.

What data sources are considered dark web?

Dark web traditionally is sites that are accessed through Tor, so the Onion router, but you also have things like I2P and ZeroNet, which are also dark web providers and there’s a few more out there, but they’re not as used as regularly, such as Magnesium. As I mentioned in the presentation, we also view things as dark web adjacent when it’s the same kind of use case and the same kind of individuals that are operating. So, we definitely consider that to be Telegram, to be Discord, ICQ and then some surface websites as well which are there. So, I think it’s open to interpretation. It depends how narrow you want to be but I think with OSINT Investigations you always need to be open to all of the information that’s out there and being able to validate it against different sources. So, the more data points that you have, the more likely that you’ll be able to do that.

How do you locate and identify new groups on Telegram or Onion sites?

Manually is the main way. So, telegram you can do searches in the global search or telegram on the desktop app. If you have a keyword or a search that you’re aware of, you can put that in and see what you would find. I would also look at the groups that you’re already tracking and monitoring and search for the links. If you click on the channel page, you can go to links and it will show you other telegram channels that have been shared. I will also sometimes look at other social media sources – people on Twitter or other forums will sometimes say, let’s take this conversation to telegram and they will share an invite link there. You can also use Google Dorking to search telegram, which is quite useful, but I would say it’s a keyword phrase. If you’ve got a particular topic you’re interested in, um, search for that. And then also if you’re looking at individuals in other countries, do you use the native language? So if you’re looking at Russian threat actors search for your turn and Cyrillic as well as in Roman characters because you’ll find more information that way. Onion sites, again, it’s similar. We are already monitoring the major forums and marketplaces, and they will share other areas that they’re accessing. There are sites out there that will track new onion sites that have been created and what they’re being used for. So we can look at those. It is kind of just kind of pulling through the different links that are being found and then reviewing them to make sure that they have actually got useful information on them.

Does DarkOwl have copies of entire sites that can be walked through. For example, could one walk through Silk Road and see the listings and users that were active back then?

Yes and no. We have our data, it goes back to 2016 in earnest. So, we do have all of that information, but we store it in documents and pages. You could search Silk Road and go through it. But one of the things that we don’t do is collect images due to legalities around CSAM material. You would be able to see the postings, you would be able to see the usernames and all of that information from any site that we’ve been collecting since 2016 but it wouldn’t be a walk through in terms of – it wouldn’t look like the site. You couldn’t click on buttons and things like that, but the data is all there.

Other than breadcrumbs and chainabuse, what are some other great sources for tracking crypto and blockchain across the deep and dark web?

I think there’s so many sources out there. Breadcrumbs is the one that I like to use just because it’s free. I mean obviously there’s paid services out there that are very, very good. I’m not aware of many others, especially not on the dark web. They’re not there for tracking purposes. I think one I heard of that I’m not familiar with but was recommended to me recently was Qlue – that is supposed to be quite good for cryptocurrency, monitoring but it really depends if you want to do a paid service or open-source.

---

Don’t miss our next webinar on Big 4 Cyber Adversaries > Register here.

February 09, 2024

Or, watch on YouTube

Due to the layer of anonymity the darknet provides, it is often a hub for illegal activity. The technology DarkOwl leverages to collect and index, 24/7/365 in near real time, hidden digital undergrounds is key in obtaining crucial data and situational awareness for intelligence and government agencies, and law enforcement.

DarkOwl, the leading provider of darknet data, reviews how darknet can be used to:

• Track illicit sales of drugs, human trafficking, and cyber weapons
• Detect potential threats and monitor persons of interest
• Stay one step ahead of foreign Nation-State adversarial activity and attacks
• Learn the latest tactics, techniques, and procedures of threat actors to better prevent future cyberattacks on critical infrastructure

For those that would rather read the presentation, we have transcribed it below.

NOTE: Some content has been edited for length and clarity.

---

Alison: Thank you Carahsoft for putting this together. Thank you all for logging on. I’m going to jump right in. I have a lot of content to cover. And as Erin mentioned, we will field some questions at the end.

So I’m going to go over a little DarkOwl history, specifically dig into why this data set is so crucial for so many areas of the US government and other government partners. We’re going to look at some data examples off of the darknet. It’s always fun to do. So I’m then going to end with the current events that have recently elevated the darknet data set just in a more global way. And then if there’s time, we’ll walk through an interesting data leak that we uncovered. Before I launch in, I did want to mention that DarkOwl will be at the AFCEA West conference, which is in San Diego next week. I would love meet anyone going there.

So history on DarkOWl. We’re based out here in Denver, Colorado. We have been doing darknet collection for over ten years. Essentially we 24 – 7 coverage of collecting data, pulling it off the darknet, parking it in our database, and then we give our clients access to that. Obviously, there’s a bunch of different formats that that can take. We have a user interface, there’s a bunch of different API endpoints. And like everything, the devil’s in the details. And I think the one thing I want all of you to walk away with today is, when we think about darknet collection, by definition, if you were to go out and take a look at, you know, a handful of Tor pages a couple times a month and store those in a database, you are, in fact, a darknet collector. That said, I would argue that DarkOwl’s strength is in how we define the darknet and what our collection efforts are focused on. And I think we do a really good job of walking the line of both automation. You can’t get the scale of data that’s going to be valuable if you’re trying to do this entirely manually. That said, if you’re doing it entirely automated, you’re not going to get into the hard to find sites or be able to maintain personas and get into forums and marketplaces. So we use both those techniques. If you’re looking at this slide here, I know this is a little noisy.

Everything in red is our data sources that we collect from. DarkOwl obviously we’ve been collecting from Tor forever, that’s been our bread and butter. We have really focused in the last year or so on a lot of the peer to peer networks. I’m getting so many questions from law enforcement, government, commercial on telegram collections. So we’re going to go into that a little bit further on. But you can see here telegram, discord, I2P, ZeroNet. Our collection team is always trying to figure out what the next platform is – where can we start to collect? And all these take different efforts from a collection standpoint. A lot of skill behind the behind the scenes here in navigating all of these, regardless of where we get it, it’s all parked in our database. And then you’re able to access it as a DarkOwl client.

So this slides this is just kind of a visualization of how the data flows through.

So as I mentioned, we’re doing all the collection. We park it in our database. And then as we bring that data in, we’re trying to tokenize and add as much structure and value as we can to make the searching and finding from all of your end a more streamlined process. We we will tokenize information such as email addresses, IPS, crypto wallets, credit cards, usernames. And then depending on what that tokenization looks like, the bottom line here is the product set that we, DarkOwl, spit out of that data. So on the far left hand side is our user interface. So that’s going to be an analyst dashboard. And then we have a lot of different API endpoints ranging from you know Scores which we call DarkSonar, which is a relative risk measurement of an organization or an agency or a government group’s presence on the dark web just numerically represented all the way down to DataFeeds, where we are just pushing data every couple of minutes to clients. So it runs the gamut. But the important takeaway here is that the collections is done by us. We do the tokenization, and then we let you search and filter that depending on what information you’re specifically looking for.

On the left hand side – these are our these are our sources. And as you can see by the numbers, we’re really trying to scale at all times. These numbers were just updated – 28 million records from telegram channels. All of these documents are coming in, being tokenized, and then and then accessible. And, you know, at the end of the day, I feel like we’re solving two problems. Number one, there is no reason any of you can’t go out and do this on your own. You can download Tor, you can have a burner device. It’s just extremely inefficient. Right? It’s going to take time for you to do that. Collection sites go up and down. So it’s an efficiency play. And then number two, especially in looking at the attendee list here, I know most of you are US government. There’s a real safety feature here in that DarkOwl has done the collection. You are only playing in the DarkOwl data set so you don’t run the risk of exposing your own organization or burning a persona. We’re doing all of that in the backend, so it’s efficiency and safety at the end of the day.

So thinking about the the darknet in regards to US government use cases.

And I kind of boiled it down to three here. I’m sure all of you can can come up with more, but the first one I think of is just the force protection side – looking out for our own exposure, monitoring for email exposure, looking for PII of prominent folks and alerting them and making sure that we have an understanding as a government of what potential vulnerabilities are out there. And that could run the gamut from exposed PII for someone in a senior position to military part numbers being sold or darknet forums discussing ways to penetrate organizations.

The middle one here – identity management. So I think of that as the investigation side of it – really using the data set to conduct research, to look into identities. How are people talking about this? What can we find? What can we correlate? Who can we associate with this? A lot of red team activities.

And then on the right hand side here, targeting and thinking about what can this data set tell us about nation states and other folks, threat actors, what’s trending, ransomware, there’s so much content out there that is powerful to be in the know on how that’s being talked about and presented.

So without further ado, let’s jump into some data data examples. And again, I highlighted before we do that, why is this data set so challenging to get your hands on. Part of it is just the time and effort that it takes to do this, these sites go up and down all the time, they move locations. Access to these forums and marketplaces – it’s not as simple as just signing in and you can’t scrape page one, scrape page two and park it in a database. You need to be very strategic about how you do that. So these are some of the skills that we possess and have been doing for a long time. CAPTCHAs. And I’m not going to do a live demo today, but I do continue to fail CAPTCHAs on the darknet. They are extremely hard. I’m always laughing at that piece. So we’re doing these collection efforts in the background and basically taking that time suck and that risk off of all of you. Then the evolution of where people are moving to, I mentioned these peer to peer networks. You know, we’ve seen such popularity there, especially with the start of the Russia conflict breaking out in Russia and Ukraine. Following those trends is something that we’re always staying on top of as well.

Alright. Darknet data. What’s out there? Um, I just pulled together some slides of examples that I thought might be compelling for some of you on the phone, and to just give you a sense for what we’re looking for. So, no surprise, a ton of PII, all sorts of banking and transaction data, credit cards for sale, exploit kits, malware. And remember, by definition, the reason to be on the darknet is to remain anonymous. So anyone trying to sell or transact or trade in any illegal goods or services is going to be attracted to that. So there’s forums and marketplaces on how to do these things. It’s a it’s a colorful space.

The next bunch of slides are going to be screenshots from our platform, which we call Vision. And I’ll highlight just some of the findings here.

So I know it’s a little small on the background here, but if you look up at the top in caps it says DHS traders home addresses. So this is a hacker that’s uncovered some PII and is posting it out there, maybe in anger, unclear. And they’ve listed everything from title, home address, phone numbers. This is just someone posting this on a Tor page and we were able to capture that. And then this is a result right out of DarkOwl Vision.

Here’s another one. This is someone who is promoting their skills around making custom IDs, utility bills, bank statements and other documents, passports for sale. You can see the price here in in Bitcoin. This is this is very, very common – people trying to gain business and sell IDs and everything you can think of.

So here’s one that, um, I thought would be good for today.

This is a counterfeit item. They’re selling DOD ID cards and editable templates. You can even choose your own name and picture.

Alright, moving along – event and personnel protection. I looked at the registration list and I think some of you are tasked with some of these directives.

These are screenshots here of folks that, this one in the middle is actually a telegram group. You can see there’s 32,893 members in it. It’s entitled the Ultra Patriot Voice. You can see some words down here at the bottom. So these may be channels that would be worth monitoring. We’re collecting from them on an ongoing basis. We’re able to identify what users are are in those telegram channels, what their ID is, what their username is. And then, given some of our other sources, we can oftentimes back that into an actual person.

It wouldn’t be a good darknet presentation without the talk of ransomware. This is such a such a prominent thing for all of us.

Our commercial clients are are always very concerned about this. This is a screenshot of what we would see on the darknet side. So this is not what the victim would see on their own network. It’s important to understand here that the ransomware actors are hosting this content and they call them shame sites. So they’re posting this and saying, hey, and in this case, it was actually a, um, this is actually a grocery chain. And they were saying, you know, here’s the information we have. But why this is so critical is because this is where we can assess and figure out what actual data has been exposed. So monitoring these sites and being able to be there in real time is important.

This is a fun slide.

This was actually an investigation that DarkOwl had done where we identified and tracked a Portuguese speaking threat actor. They were involved in a mobile device malware issue. If you look kind of towards the bottom here, we were able to confirm that the suspect’s activities were in a bunch of these communities and the black part at the bottom here where it says steam, where you can see where it’s grayed out there. That was actually a leaked IP address that we were able to get a potential physical location for this gentleman that was in the Brazil area. I like to highlight this one because I think the first thought a lot of folks have in regards to the darknet is that there’s no geographical location because everyone has obfuscated their identity and their location. That said, there’s enough breadcrumbs in there that you can often back into it. So this was a case where we were able to do so.

Insider threats. So we see a lot of posts in regards to this. This is actually someone who’s looking to recruit insiders. You can see that this site toggles back and forth between English and Russian on the right hand side here towards the bottom – they talk about my team will lock, exfiltrate and pivot with your access keys and with your access, and you’ll keep a percentage of the money for giving access. So they’re recruiting folks to try and get in. This could be government related, commercial related and or both. So insider threat, no surprise there.

Drug and gun sales on the darknet isvery prominent. We see it all the time. There’s marketplaces dedicated to it.

I think there’s some folks on the on the phone from the DEA. Kudos to you guys. It is an uphill battle. And I know you’re fighting this daily. There’s so much and we’ve improved. One of the things we’ve done at DarkOwl very recently, is going into a lot of these forums and marketplaces and really dissecting how the chats are happening. So what I mean by that is looking at timestamps and who’s talking to who and trying to build out these networks so we can try and get to the bottom of some of these. There have been some really great use cases where our clients were able to use this data to solve a case.

One question we get often is what do we do with images, right? There is a lot of content on the darknet that none of us want to have eyes on. And so what we do at DarkOwl is we ingest all of the text into our database.

So on the left hand side here, you see a screenshot from Vision. That’s our platform. And I simply ran a search and said, I think my specific search was “glock”, and then the word “sale”, and I think I put in “Miami” as well, because I was talking to some folks in Florida and this page came up. So you can see we list where it came from, you can see the dot onion and then all of the text here. So if you’re sitting in the DarkOwl platform, you do not need to be concerned about coming across any child exploitation photos or anything in that regard. That said, sometimes the images that are captured can be quite compelling. So we have recently added what we are calling Direct to Darknet. You can see in the middle of the screen, there’s a little light blue bubble there. So if you click that button within the DarkOwl tool, it opens a new window. You’re in a safe, secure sandbox environment. I do it all the time off my DarkOwl laptop. This is not a burner device or anything. And up comes the actual page. And in this case, I’ve taken a screenshot off of the page, and you can see that the bracelet this person’s wearing, to me would help maybe frame the persona of who’s using this. We also have, if you see in the original text, they’ve provided a telegram handle here. So, you know, starting to gather a couple pieces of information that I think could be pretty compelling for an investigation here. So, again, the images won’t be pulled directly into the DarkOwl database intentionally, but you can go back out and capture those if needed.

Alright, I’m going to switch gears a little bit. A lot of the examples I’ve provided are ones that folks are pretty aware of – trading, selling, transacting in illegal goods and services is and has been what the darknet has been used for forever. What’s been interesting in the last year or two is really the political climate and how there’s been such an increase in real time chat applications and encrypted communication platforms for people to collaborate both for good and evil. We’ve seen a huge growth in telegram use and therefore the request for telegram data. There’s a lot of these invite only and pay to play architecture that’s been spun up. It’s just such an evolving space. So it’s been really interesting to follow that evolution and start to do some of our collection from these peer to peer networks. So there’s a lot changing. And I would say that one of the catalysts for that was absolutely the Ukraine Russian war. I think our actual data database, so just DarkOwl’s data went up by maybe 10% to 20% just within the first couple months of that. Half a million hacktivists and gray hats were taking on Russia and their allies. We saw just a huge influx of data and communication. It’s been really compelling and interesting to see that evolution in the modern warfare today. In a similar vein, if we think about the Israel-Hamas conflict, very much the same, there’s been a lot of data leaked on both sides.

These images here on the right, the bottom one is, is an attempt to map some of the hacktivist groups that are working together. These top ones are actually images that were shared on a telegram channel. This is this is a whole new way to engage and it’s been just eye opening for us to see the amount of data that’s coming onto the darknet in regards to these conflicts and wars.

Telegram is coming up again and again. There’s so much information being passed through that. We had a concerted effort, right when the conflict broke out, to try and join a lot of these groups, we were able to get 320 of them into our collection efforts that were specific to the conflict. And we actually have a really awesome blog on our website – it’s worth the read.

Russians on the darknet. Interestingly, the second most represented language in our database is Russian. Their ransomware groups are very prominent, very sophisticated. There’s a lot of content that that we have found. I’m actually going to show a couple examples in the next couple slides.

In regards to this was an interesting leak where there was Bushehr nuclear power plant, sometimes referred to as the NPPD leak, came out on a telegram channel. This was a hacktivist group that had come out after the death of that woman and they had posted all of these, download the entire email server and posted a lot of these pictures on a telegram channel. We, DarkOwl, were able to go in and capture some of those. It was posted in a bunch of different parts, but the compelling piece here for you to take away is we were able to go in, we were able to grab these images and, and capture this. And this is the kind of stuff that, given the line of work that you all are in, can be pretty compelling to help with investigations. So these were some internal photos. You can see all of the metadata is captured there as well. Historically this has been a plant that I don’t think folks have had eyes, or at least, you know, we in the US, on the inside.

These were a bunch of passports. So everyone that came in and out of that plant had to submit a passport. All of that was being passed through email communications. And because they had downloaded or had taken down that whole email server, every single itinerary of people that had been in and out of that plant in the last couple of years was captured. So again compelling for anyone that was needing to do research in this area or learn more about what was going on here.

You can see the flag here in the over on the right. This is obviously a Russian aircraft, some equipment, being delivered to this plant. So, again, just compelling information that would not have been able or clearly was not meant to be out into the public had been exposed on this telegram channel, and we were able to capture it and bring it into our data set.

So I’m going to pause there and wanted to take a couple questions.

Knowing that you folks cover Telegram and Discord channels/servers. What are the types of servers and channels that you usually collect from? E.g., are they solely reach groups, criminal groups, or a mixture?

Alison: Great question. So DarkOwl serves both a commercial client base and a government client base. So right now, our telegram and discord collection is focused on what our specific client use cases are. For instance, we had a client join a couple months ago that was concerned about some financial fraud that they were combating, so we joined a bunch of telegram channels on their behalf. So the short answer is it depends on our client’s use case, but I would say the ones that you referenced are all a part of our collection. We also love to do collection by demand. So what I mean is, as we bring on new clients, we always sit down during that onboarding and say, you know what’s of interest to you? What telegram groups can we join on your behalf? What is your use case? So a lot of that collection is customized to what our clients are looking for.

GEOs from the IP. Are you getting IP registration goes through a service like Maxmind or is it a GPS geo from a device using that IP.

Alison: So if you’re referencing the slide where I was talking about that actual investigation, we pulled the the actual IP address off of a post that we saw and then that we couldn’t we weren’t geo locating that within our tool so that that would have to be done outside of the Vision tool.

If Tor sites are always going up and down, how do you track this and find the news sites/markets?

Alison: I talked about this early in the presentation. It’s a combination of both manual and automated. So if we’re on a Tor site and crawling that and we see that there’s links to other pages, we will immediately spider and go to those pages and start collection there. Sometimes we’ll use one of our analysts to find a forum or marketplace. And oftentimes if those forums or marketplaces go down, they’ll post, hey, we’re moving it to this, or this has been taken down by law enforcement, we’re going to stand it up here. So it’s a combination of both spidering within the pages we collect and following those links, and then also our analysts just knowing the space and navigating to new forums and marketplaces. And the nice thing is, once we’ve captured the information, it’s retained in our data set. So if we were on a marketplace last week and we pulled down all the listings for, Glocks for sale in Miami, and then that site were to go down today, if you went into DarkOwl Vision, it would still be there. So there’s a nice lookback feature here because we don’t age off any data. So that’s, that’s where the capturing and looking back can be helpful.

Our unit’s focus is the commercial exploitation of children in the US, specifically California. How is your coverage of that topic?

Alison: We should talk because we actually have a partnership with a couple nonprofits that are in a similar line of work as you. We’re collecting this information at scale. So I guarantee we are going to have some sites of interest for you. The piece that would be important for you is that direct to darknet piece, where you would probably have to go out and actually capture some images there. I would want you to sit with our product team and walk through what that looks like. But my guess is we do have content that would help you with your work.

If we are looking for a particular chat, such as those including child exploitation, will your company actively search topics or is it only the data that has already been pulled available?

Alison: No, we will actively search sites if for some reason there’s a site that we are not already collecting from, whether that be a telegram group of discord server, a dot onion. We will go out and collect from it, per your request, as long as we’re able to do so.

What data sources are considered dark web?

Alison: It depends on your definition. I feel like everyone’s definition of dark web is a little different. We at DarkOwl consider that to be, Tor, I2P, ZeroNet. And then, as I mentioned, we collect from a lot of these dark web adjacent peer to peer networks. So telegram, discord, and some others. But the short answer is I think the definition of dark web can vary depending on who you ask. Ours is fairly broad, and we try and collect from a lot of adjacent sites as well.

How do you legally collect all this information? Is it Osint?

I’ll answer the first part – legally everything that we collect at DarkOwl is considered Osint, so open source we are able to do so with the right skill set. Any of you could go and find this information. A couple lines we will not cross. We will not purchase data. We won’t go behind firewalls. We follow very strictly the Department of Justice guidelines around data. Everything is done ethically. And again, we’re not purchasing data and or going behind firewalls. So we’re able to collect it because it’s open source information.

Can we search the data you collect by name, date of birth, etc.? Can you show how the application works live?

I can absolutely show how the application works live, not on this webinar because they’re recording it and going to be sending it out. I’d be happy to give you a demo outside of this webinar to answer the first part of your question. You can search for anything in our data set. Think of it as the Google of the darknet. So there’s a big search bar you can type in a term, an email address, a phrase, and hit search. And we’re going to show you all the results that are relevant to that, that have come out of all these varied collection sources. So yes, you can search for a date of birth, you can search for Social Security number, a phrase, whatever you want.

What are upcoming trends security practitioners should be looking out for?

I’m definitely not the best person to answer that question, but I would tell you that our collection team is always trying to stay ahead of what’s coming up next. And a lot of these forums and groups are talking about what the next technique is. I think the best we can do is all come together. Those of us that are on the the right side of the coin here and share what we’re seeing and hope that by sharing those practices and sharing what each of us is coming up against, we can make some headway. But I feel like I’m not the best one at DarkOwl to to field that question.

Do you have a newsletter, an email of examples of cases which were sought and closed and how they were investigated and the outcome?

Absolutely. We have a extremely comprehensive blog that we put out and there are white papers. I will tell you that if this topic is of interest in any capacity, any of the slides I showed, whether it’s in regards to some of the recent conflicts or very specific drug sales. Our blog is incredible. There’s so much information in there. All of those pieces were months and months of research.

Would you be able to say if any departments in new Jersey are currently using Dark Owl? I just want to see if this is something that would be beneficial to our detectives.

Off the top of my head, I don’t I don’t think we have any New Jersey specific clients, but I will tell you that we absolutely have state agencies and state departments that are using this. We have both federal clients and a lot of SLEDs. So I’m happy to make a referral to another state that is using it and see if that would be helpful to talk to them and learn more about their use case.

---

Don’t miss our next webinar on Big 4 Cyber Adversaries > Register here.

January 30, 2024

Or, watch on YouTube

Iran continues to quickly gain sophistication in Cyber. Its state sponsored (military and civilian) and cybercriminal operations have worldwide impact and deserve attention. Iran’s relationships with other adversaries like China and Russia will continue to strengthen its cyber capabilities, but also its general position in world conflict, including its efforts in hybrid warfare. These are already witnessed in Ukraine, Belarus, Israel, Syria, Yemen, and other high-conflict areas.

In this webinar, we covered:

• Evolution of the Iranian cyber program and it’s current state
• Iranian state sponsored activities
• Cybercrime activities that occur on the dark web and adjacent platforms
• Geopolitical events and relationships that influence Iranian cyber actors
• Why Iran needs to be taken seriously as a digital threat

For those that would rather read the presentation, we have transcribed it below.

NOTE: Some content has been edited for length and clarity.

---

Steph: Welcome to everybody and thank you all for joining. I am a 20 year Iran follower, I speak Farsi, I am former military and former Department of Defense, and Iran and Afghanistan has been my target area for the past two decades, if not more. I am thrilled to speak about them today. I’m always thrilled to speak about them. I’ve done this talk publicly for probably five years and there’s always so much to learn. There’s always something new to cover and track, and I’m really excited to do this for you today, so let’s dive in with that.

So let’s address the elephant in the room, which is Iran’s physical activities and proxy activities all over the Middle East. The point of today, especially because we have limited time, is their cyber program. Past, present and future – is how I like to organize it. But we cannot go without addressing, especially after last night’s drone attack, the obvious physical attacks and the incidents and the tension that is definitely increasing day to day on the ground. I wanted to give this audience some way to empower all of you to research and take a look at yourselves, because I have followed more of the cyber activity versus the physical and the Iranian military. So please, I invite you to familiarize yourself. Go to Centcom directly – centcom.mil has a ton of wonderful blogs. Their analysts are top notch. Get the information from there yourself. Centcom Central Command, located in Tampa, Florida, controls the entire US military activity in all of the Middle East, Iran and everything surfacing. All of the borders, all of the bases. Anything that’s of interest, you will get your answers from there.

The other two sources I’d really love to highlight for you are think tanks and just wonderful CTI research firms. Overall, Atlantic Council has an amazing, amazing body of literature on all of Iran to include present day conflict and Sibylline, a UK firm is also absolutely amazing. So lots of attacks going on. We are going to show and demonstrate how the cyber gets into the physical attacks and how this lends itself to working together, as well as an emerging trend which is hybrid attacks. That is where, you know, maybe Iran has something going on, maybe they’re conducting a DDoS or ransomware attack or any kind of online activity to distract people in one corner and then in another area of the world, let’s say, you know, there’s a drone attack on a supply chain and along the border of Lebanon and Syria, or there’s a physical incident against a US base in Iraq or anywhere else in the region, right, Bahrain or anywhere else. So please do take the time, if you are interested, to look at these sources that really focus on physical contact.

And with that, let’s get into the cyber of Iran. I like to do a timeline. For the past 20 years, Iran has always been kind of floating in the background. A lot of people attribute Russia to being more sophisticated and our major adversary in cyber. A lot of people look to China, who’s also incredibly sophisticated and very powerful as a Western adversary. Iran is not to be discounted. And I think that, unfortunately, this current conflict in the Middle East is probably showing just how strong they are.

I’d like to go back to 2009, which is when the major Iranian cyber activity started in the way that the outside world could observe it. Right? Iran is a lockdown isolated country. They fault the West for that. Prior to 2009, they had cyber entities. They were doing defacements, they were doing hacking, hacktivism, just putting political messages. But it wasn’t anything sophisticated. Cut to the internal Green Revolution, which is where the Iranian population stood up and one of the first times they really tried to go against the Ayatollahs and the regime to change it, as we all know, the authoritarian theocracy that Iran is absolutely will not tolerate that. So the Ayatollahs and the government and the IRGC and the MO

MOIS, which we will also get into, started monitoring their population with their own apps, their own GPS, all of the cyber and technical tools that kind of reveal locations today. The Green Revolution brought that about internally.

I likely don’t have to tell anybody on this webinar about the 2010 Stuxnet response. When Iran understood that their nuclear program had been compromised, they understood that they needed a wide, wide, wide defense to protect their internal infrastructure networks and etc.. So the Stuxnet response really prompted them to have an offensive and defensive cyber capability. And if you go from 2012 up to right now, 2024, look at these activities that they’ve all done, right. Posing as LinkedIn researchers, they’ve had several successful ransomware campaigns, espionage and IP theft is a very constant activity for Iran as well. Election interference, not just the US. They’ve also meddled in European ones in 2020. This is every threat actor, right? As the pandemic raged and everybody worked from home or remote, VPN exploitation and spreading malware was of course, extremely common and rampant. Iran participated in targeting industrial control systems. I’m sure that you’ve seen if you follow cyber or any Iranian news, they go after the PLCs, programable logic controllers. They are going after anything SCADA ICS any fear of disruption to the daily life that the Western world takes for granted.

I can’t highlight this enough, and you’ll see it in this presentation that Iran really wants to disrupt water supplies, power supplies, banking, the financial systems, because they know that fear is a powerful motivator. They also know that they can’t physically do these things. It’s much more difficult. Restricted travel – Iranians are not welcome in a lot of places in the world, so they go after it digitally, and that’s one way that they can definitely get to the psyche of American and European politicians, leaders, government. Then let’s go to, of course, more cyber espionage. Muddy water was extremely active in 2022, and in 23 and 24 we saw front company involvements, which we’re going to get into detail. Of course, the Ukraine and Mena conflict. Iran has personnel on the ground in Belarus. They’ve conducted disruptive cyber attacks on behalf of Russia, targeting anyone who’s sympathetic or encouraging to Ukraine. And 2024, we are just about a month in. We have global conflicts everywhere, right? We have the latest in the Middle East. We have global elections. A lot, a lot of countries are going to the polls this year, and Iran is one of those countries. So they have domestic elections guaranteed that they will continue spying on their population. The Iranian president is a placeholder, not an actual person of power. So I highlight all of this to say that in, you know, 12, 15 years, Iran has strongly emerged, bettered and improved and made some really key allies such as Russia and China, to only better and improve their technology and their cyber programs. It’s very important to realize that.

What are their motivations? Why are they doing this? First and foremost? Again, I’ve mentioned that Iran is isolated. They want to become a recognized global power. They feel that teaming up with Russia and China will do that, because they fault the West, Europe and the United States for having isolated them since 1979 sanctions, keeping them out of important world meetings and world organizations. They’re extremely bitter about the isolation that they faced. Revenge for Qassem Soleimani is still a tagline. While experts tried to claim that part of the October 7th, 2023 attack was for Qassem Soleimani, Iran put that message out. That has been disputed. But all of their other actions in cyberspace, as well as physically, they’re extremely upset about Soleimani espionage.

Iran cannot partake in normal business operations due to the aforementioned sanctions. So how do they get their information? They take a page from China’s book and conduct IP theft, espionage, get all of the information, whether that’s to improve their age, fleet of weapons, planes, cars, anything, you name it. They just want to take all of the information and better themselves. And this new this last one is kind of a newly emerging one that they’ve publicly spoke about eradicating Western influence throughout the Middle East, creating that new world order. They’ve wanted this for a long time. But now that tensions with China and the US are increasing as well as globally with Russia now, they really feel that this is the time to move forward, use their cyber, use their strength to eradicate the Western influence. They’re going to start in the Middle East and try to keep going, to keep expanding.

The cyber bodies of Iran, their organization, it’s really not that different from anything you might be familiar with.

They, of course have a civilian and a military component. The MOIS is their civilian component. It’s the Ministry of Intelligence. These are the civilians that have long standing careers working for the Iranian government. And then the IRGC is the Iranian Revolutionary Guard Corps. The besieged special forces are subordinate to the IRGC, as is the Iran Cyber Army. And I also have some university GIS that are down below. So Iran has mandatory conscription. You can fulfill that mandatory 18 months to two years as a cyber actor. You don’t have to do anything physical. You don’t have to do infantry or artillery or anything like that. You can truly go through any of the controlled universities which are listed below, and learn and get your initial skills fulfilling your conscription. And then you can do a couple of things. You can stay in the IRGC, you can serve there. You can transfer over to the MOIS and go from a military personnel to a civilian. The important thing is, and what Iran wants to do is control all of their cyber power and their cyber training and their curriculum to keep that talent. Those people that they train internal too often they’ve seen in the past, especially even sons and daughters of government officials, will go to Western universities in Europe or in the United States and then choose to not come back to Iran. Iran has made a concentrated effort, the MOIS and the IRGC to keep that cyber talent within the country because they know how absolutely essential it is, not only right now, but for their future.

So let’s get into a little bit more of the MOIS versus the IRGC. It is extremely important to note this for the concept of attribution in cyber. I personally, as a researcher of 20 years and having been military and government and now fully private civilian, as well as doing a couple of years at a think tank in academia, I do not believe there is anyone that should be doing attribution in cyber unless it’s a government, European, American or anything. There are too many obfuscation tactics. There are too many ways to hide actual parties, hands on the keyboard. Can you say that traffic comes from Iran? Can you say that it’s definitely linked to a pattern of Iranian influence? Can you evaluate source code of Iranian tools and malware? Absolutely. Can you determine who is doing it? I, MOIS versus IRGC, know why they have a long standing competition and hierarchy. So both of these bodies are very cyber capable, have active, active campaigns going on right now. The MOIS is thought to be a little bit more sophisticated because of the lifelong training and techniques and polishing of their employees. They’re very, very good. They’re very sophisticated. They’re very well trained. The IRGC is thought to be a little bit more sloppy. They have accidentally left hallmarks of Iranian work in their source code and they’ve left artifacts open. This is different from when they want that to happen. There are times that Iran, both the IRGC and the MOIS, purposefully leaves comments and source code. They will taunt Saudi Arabia, they will taunt companies and say, you know how we’ve infiltrated your systems. But the IRGC has also made multiple mistakes and did not intend to reveal that they were behind it. And so you have to consider that as well.

Another active competition that goes on for them right now, not just in cyber but worldwide. So the MOIS only recently came to be the favored organization when the Ayatollahs took over in 79 and all throughout the 80s. Do you see? Iran is an authoritarian theocratic state. The military controls everything citizens activities, online activities. So the IRGC was favored and was always sought after for online cyber operations. In 2009, Rouhani came to power as the Iranian president and for whatever reason, changed and started to favor the MOIS and use them for operations, consult with them, use them for intelligence and especially a cyber program. So right now, the MOIS remains in favor from 2009. And what that means and what I have seen over and over, and anybody in the community has, is they will pit and intimidate one another. So the MOIS might say, I don’t know who that activity was. It wasn’t us. You should probably talk to the IRGC and vice versa, right? So they pit one another against each other. They try to cover their tracks by framing one another. There absolutely have been operations hands on the keyboard, where it’s MOIS actors who pose as IRGC actors and impersonate and again, vice versa. So it’s important to recognize that, yes, we can track activity coming from Iran, we can track VPNs and all of the obvious obfuscation techniques, but I don’t think we can get as granular as saying this is an MOIS officer versus an IRGC, especially with all the tools that cyber has.

So just keeping that in mind moving forward, as you evaluate campaigns and malicious activity, it’s incredibly important to note the MOIS and IRGC rivalry impersonation and how they move forward, especially in digital operations.

We’ll get into the APTs and cover them quickly, so APTs have been around for a long time. It’s advanced persistent threat. These are generally actors who are financed, sponsored and supported by a government. These are fully government attributed actors. Iran has right now 32 active APT groups, of course, with varying levels of sophistication and skill. So we will cover them. But I think it’s too important, especially right now. And we’re going to see why with front companies, with ransomware and with cybercrime. And that is what DarkOwl specializes in. You have to look at the other groups. It’s no longer only apts out there, public acting and attacking, right and APT actors, as well as governments of our adversaries have caught on to, oh, I can blur activities or I can, you know, have plausible cover if I use a cybercriminal group or if I employ somebody or pay them to do that. So APT is still very active.

APT is absolutely on the dark web, absolutely using Telegram. But they’re not the only force to be reckoned with. And I think that’s an important change as we move forward, especially as global conflicts erupt and people take sides, criminal actors are going to come more into play. Really important to note. So 33 and 34 I want to highlight, you know, they have their own malware. They have their own ttps for APT 34 is thought to be more sophisticated technically, while 33 and 35, as you’ll see, are more of the social engineering. So APT 33 is going to impersonate people – reach out as a researcher, a journalist, an academic, send invites for conferences or for paperwork, and use social engineering to get information or espionage. Whereas APT 34 and some of the other more well known Iranian groups, custom malware that they improve upon test in the Middle East and then use elsewhere. Why? I’ve highlighted Mimikatz for all of these, and this is a good opportunity to go to the next one.

APT 35 and 39. You will also see Mimikatz still highlighted. Credentials and data are everything right? That is what we see on the dark web. Selling credentials, selling passwords, hashes, emails with accompanying data or solo. Iran uses Mimikatz in almost every single operation, and that’s APT as well as cybercriminals. And this is really important to note, because the hallmark of cyber actors is, you know, they can do bad with good things. So Mimikatz is an open source tool that you can just get and use, which they do in their operations. It’s similar with GitHub. Everybody uses GitHub, keeps their repositories there. And malicious actors have pivoted to trying to crack GitHub and take open source tools there and improve and use for malicious purposes. So Mimikatz has been a constant on the APTs for Iran for over 15 years, and we’re seeing a lot of credential use and theft by Iranian cyber criminals. We’re seeing the chatter, the sales on telegram, we’re seeing them talk to one another.

So this is just another line blurring between cyber criminals and Iranian state sponsored, government sponsored actors. And I think that’s really important to note. In addition to custom malware, custom backdoors, and all of the other ways that they go after anyone or anything online, there are some other groups as well. Of course, anyone following Iran knows that the the kittens is what they’re called rampant kitten, pioneer kitten, and static. I’ve highlighted them because they are some of the most active and more recently active. At once, so these are important to note. In addition to the apts of the 30 series, for instance Rampant Kitten, I would like to highlight that they actually breached Keepass, the password keeper a two years ago. So it’s just important to note that that was a sophisticated impact. A lot of a lot of change came after they hit Keepass. They’re talking about all of this online as well. Sharing https in telegram, sharing how they get in, what’s the best VPN to use to do their operations? They often share that information among the Apts and the cybercriminals. And it’s also important to note that Iran is very active in ransomware, which we will get into later as well. Go into more detail. I’m going to pause there because that kind of completes the apt part of it.

Okay, let’s talk about malware. For the more technically sophisticated in this audience, Iran is is very talented with creating their own custom malware and using them in operations. I have highlighted some of the older ones because it’s important to note their evolution and the overlap and source code. So we go back to Shamoon. Shamoon was was very, very prevalent, especially after Stuxnet. Iran really came onto the scene with Shamoon hardcore. My observations of 20 years is and this was true with Shamoon, both versions one and two. And this was also true with Zerocleare. Iran uses countries like Saudi Arabia and Bahrain almost as a testing ground. Shamoon went very, very heavily into the Saudi Aramco systems in the years that it was active. Then Shamoon two did the same thing. You’ll see, Saudi Arabia was a repeat victim. Shamoon two was, of course, updated from its first version, namely that there were no pre-programed credentials needed to operate. Shamoon two. That’s just an interesting thing to note, because I just talked about Mimikatz and how Iran does rely on credentials so much, but they evolve the second version of their malware to actually not use credentials. Again, just demonstrating a change in TTPs and that they are able to work both ways. Zerocleare has a lot of resemblance to Shamoon. If you look at the source code, again, lots of overlap, very, very clear. But it is a separate malware. And I do invite you to please use VirusTotal, AlienVault, Shodan any of your online tools that you choose Misp. You know, please go and look these up and look for yourself if you have those capabilities. Iran does offer sophisticated malware and still uses them after they test in places like Saudi Arabia as well as Bahrain, and they fix what they need to fix or tweak anything that they feel enables better operations, they then expand and use this malware in their campaigns in Europe, North and South America or in Asia. So important to note that they keep track of their malware, use it internally. And by internally I mean within the Middle East region, Saudi is a favorite. And then they go bigger, they go harder and they go to external telecom.

SCADA again, all of those companies that they want to use, they go external after they’ve tested it inside the Middle East region. The 2024 update for malware, oil check and Oil Booster have evolved and are using cloud providers for their command and control their C2, as well as some email based C2 abilities. And that’s using Microsoft, which I think is very important to highlight. We need to be aware of this malware in 2024, especially with all of the elections that I mentioned. And this is being used by APT 34 as well. But there are samples of both oil check and oil booster in the wild that have been used by non Iranian government cyber groups. So definitely confirm that this malware is in use and we need to keep an eye on it. As 2024 progresses, both elections, the global conflicts, targeting everything, everything and anything that is going on this year with malware and especially what new malware will they create. Because it’s very early in this year, will we see maybe hallmarks of a Juiceman 2.0? Will new malware surface? It’s important to be aware of what they’re currently using, the cloud and email based providers, versus what they have in the past, so that we can measure what they’re going to look like this year moving forward.

Where is Iran going to go? We are now in the present day of this slide. So terrorism and fringe group operations, I do not need to tell anybody on this audience that Hezbollah, Hamas, and, you know, everything going on in the Middle East, they are very clearly being supported by Iran. Again, this has been a pattern for two decades. The only difference now is that more and more people are paying attention, and it is more public. We can trace the blockchain for cryptocurrency transactions that are conducted by Hamas or Hezbollah or Houthi officials or actors, notable partnerships. I always talked about and highlighted how that new axis of evil on the digital realm was coming to play. So Iran and China had signed a 25 year agreement for cooperation. In the first two years, there was no actual tangible activity. It seemed just like a lot of news conferences and opportunities that has since changed. Um, China is helping Iran with some oil production. They are giving them some improvement in flight technologies to improve their aviation. There is now some more tangible results that we’re seeing come from the China and Iran Partnership, Russia and Iran. I want to note that it’s difficult to monitor their communications. While there are plenty of Russians and Chinese and Iranian actors and officials open and speaking on telegram and dark web forums, there’s obviously a part that the open world is missing.

We saw that with the Hamas attack on October 7th, they are using more old school technology, phone calls, in-person meetings, to keep hard core operations that are very sensitive underground and prevent them from being discovered. This is true in the digital realm as well. Russia and Iran and China also all have their own equivalents of, say, Facebook, Twitter and messaging platforms. All of their governments have created their very own applications and tried to draw their citizens to using those for a multitude of reasons. One it is government protection, right? If you’re Russia, Iran or China and have plans, you don’t want those leaking out because somebody has an ego on telegram or somebody is using WhatsApp and sharing it, right. And second, it’s just easier to monitor your own citizens if you have your own applications as well. Right? So it’s a it’s a win win for them. They monitor their own citizens. They keep their own information close hold. And again we’re seeing more and more of this. So it’s a balance between observing public information on messaging apps such as telegram and WhatsApp. Discerning what’s true. You know, is this real? Is this a false flag operation? And then we also have to talk about cryptocurrency and crypto mining, which leads to front companies, which we will get into because this is very important. So Hamas and Hezbollah and the Houthis all have cryptocurrency. There’s an underground infrastructure of it. It’s not just, uh, cyber operations that fuel their cryptocurrency profits. It’s selling drugs, it’s selling weapons. It’s human trafficking. All of these activities that happen in the physical world are then converted to using cryptocurrency again for obfuscation, for privacy.

It’s important to note that Iran used Bitcoin in their older operations. I would say anywhere between 2010 and 2016 or 17. And then they made a market change and decided that their cyber actors, and they have openly talked about this on telegram and other internal Iranian apps. Iran feels that Bitcoin is no longer safe. They feel that there are too many law enforcement and global policing officials using Bitcoin. So Iran has changed to light cash, Zcash and a couple of other lower popularity cryptocurrencies believing that they’re safer. This means that Russia and China also kind of use those as well. When doing business with Iran. Again, we’re hiding communications, we’re hiding funding, we’re hiding money. So it’s important to just note how this works as an overall infrastructure empowering these actors.

Let’s talk about the big three. Hezbollah, Houthis and Hamas, supported by Iran again, have been for two decades, mainly Hezbollah. I mean, Iran basically created them. Iran has trained, empowered them, financed them, given weapons, given time, given everything. Open, secret, actually just open. Not a secret. The Houthis as well. I’ve seen Iran also support the Houthis, especially when they took over Yemen. Iran has lent the how to control your population and how to control what the outside world sees using social media and distributing propaganda. Right? Iranian government controls everything in the country. So do the Houthis in Yemen. So there are definitely playbooks overlapping there, using social media to spread the message of success in every conflict of their capabilities, of how their drones are taking out. You know, last night’s unfortunate incident was was three US soldiers, Kia. And they might inflate these numbers when it doesn’t make news just to keep their populations supporting them. You know, instead of three members, Iranian or Houthi, Hamas, Hezbollah propaganda might say, we killed eight, we killed ten, we killed 20 right there. Very, very good at inflating numbers and statistics and always have been. So it’s really important to note that even when these groups are blocked from Facebook or their Instagram and TikTok accounts are deactivated, a couple things happen. One, they move platforms. They’re going to go to Q talks chat, right. Because if they’re doing digital operations, talks is viewed still as safe and more private. They’re going to go to telegram because an openly Iran has stated that they would rather the Russian government understand and see what the Iranians are doing versus the US government. Telegram is a Russian platform. This is why they feel that it’s safer to use being that Russia is an ally of Iran. So just because they’re banned and and removed from the major social media platforms, it doesn’t stop them. They just change. I think that’s really important to talk about. They plan or discuss, you know, the outcomes and the positive of operations on their to keep people encouraged for recruitment efforts to grow the forces. They put out false stats to keep their population contained and say that they’re winning. And, you know, again, these things can be harder to monitor. Direct messages on telegram. Direct messages on WhatsApp. They’re not as easy to intercept. You can’t see them. And so there is a gap there for cyber officials and for a lot of other entities. And so they use those to bolster their operations, bolster their supplies, and just put out what they feel they need to put out, paint the picture, take over the narrative using social media and continuing with propaganda. I mentioned telegram because and I want to show more. I am a Farsi speaker. I am not an Arabic speaker. There are tons of Arabic language channels. You can see them. But what I did was just take some an example.

Small example of some of the Hezbollah, Houthi and Hamas telegram channels that have emerged since this conflict. This was true in Russia as well. I think that telegram really came on the map with the Russia and Ukraine conflict, and it is still there, and Russia is leading the way using telegram, whether it’s false information, real information, selling data, selling malware every malicious actor and again apt. I stand by in cyber criminals. They’re on telegram in addition to other platforms. It is incredible how much information that some of these actors will reveal once you fact check something and say, oh, this, this actually checks out. So they are sharing information again. They recruit, they are discussing the outcome of physical and cyber operations. They’re fundraising. We are unfortunately seeing them pose as you know, charities who are supporting charities who are supporting Ukraine, charities who are supporting Palestinians or Israelis. Right. They are making up that they are affiliated with a charity soliciting donations in cryptocurrency and using that platform to expand operations. Of course, that money goes directly to their war and physical attack efforts. They are not actually charities. There are all kinds of ways that they take advantage of of populations on telegram as well as other messaging platforms. Really important to note that they’re going to continue to use these in their operations as they move forward, not just go, not just the global conflict and the actual physical wars. But this is a very, very ingrained part of all of their operations infiltrating think tanks, academia, attempted government infiltration. Right. You can pose as anybody online, and it’s harder to validate on platforms like telegram and some of the other ones that they’ve moved to. So it is incredibly crucial to continue to monitor this, monitor the talking and see how this shapes up as these conflicts continue and as anybody can pose as anyone else online.

Something to really think about and really keep in mind as you research and as you form your opinions and form your interest in cyber. I’d like to talk about front companies too. This is absolutely essential.

So Iran has perfected the front company game, establishing something as a legitimate entity, registering it, making an LLC, filling out the business paperwork, you name it. They have really, really perfected their game with this. One of the earlier, um, examples of this was the Magnet Institute. This was a 2018 event. It was about nine people that were active, and Mapna was supposedly a think tank, an Iranian think tank that was anti the government of Iran wanted to work with the Western world, wanted to be linked with them. And what they were actually doing was intellectual property theft from over 200 US and European and Australian universities. So very successful. We’re talking terabytes of information stolen. Again, all of this information was used for weapons improvement, technology improvement, updating their fleet of airplanes.

Rana is another one. Rana is on the right screen here. This was APT 39. It was linked to them. So that’s really interesting. And this was just another campaign that targeted Iranian dissidents, that targeted journalists internationally. And just a bunch of companies worldwide who were anti the Iranian government. So they posed as tech professionals, pose as journalists and got in and got a lot of information about entities that were anti the Iranian government before it was tied to the Iranian government itself, which was clearly using this information to take out dissidents, suppress dissent and not allow the opinion of being anti-iran anti the ayatollahs to go any more public than it had to be.

This is the latest one. Our company, DarkOwl did it did a write up on the front companies clouds surfaced in 2023 and I want to shout out Halcyon. I have to recognize them for they’re calling this out. Halcyon broke the news that Cloudzy was masquerading as a as a network hosting company in New York, and in reality, it was headquartered in Tehran and run by 6 or 7 different Iranians who had created fake biographies, a completely fake everything on Iranian internet, on the Iranian media, which then spread to the US media.

This is their actual page, which is still very live up and running. I checked it as of yesterday. Cloudzy did not respond to takedown requests, and not only was clouds supporting the ransomware operations of all of our adversaries the big four China, Iran, North Korea and Russia, but we had Vietnamese actors, Indian actors, cyber criminal conglomerates. This infrastructure was being abused for years by all of the malicious actors. And again, it’s still up and running. And even after the Halcyon Report, Cloudzy issued no statements. You can see that they have a blog section up top called the issued nothing they didn’t write about. They didn’t refute any claims. They just kind of continued on with business as usual since the news broke in August of 2023. Interestingly enough, “the executives”, I say in air quotes, of Cloudzy and their their biographies, they were taken down and their LinkedIn pages changed. Iran loves to abuse LinkedIn, which we’re going to get into as well. But this is just yet another front company that was facilitating bad actors and ignoring requests, ignoring abuse, and is still functioning. So it’s very, very interesting that this continues. And Iran is not alone in this. Russia does it, China does it. A lot of adversaries do it. But Iran has definitely had some very, very successful varying operations. IP theft to hosting ransomware. Extremely interesting. And it’s the full spectrum of operations.

Iran is a heavy ransomware actor. So you’re going to see at the at the end of this webinar, we do have a deeper one coming up on the big four actors that’s going to be in March of this year, and we’re going to go more in depth on Iran in their current ransomware operations, but highlighting how powerful Iran is and how they use telegram, as well as the dark web for their ops. Iran has a history of ransomware, and we do not expect that to stop. Samsam was one of their biggest campaigns. The actors made $6 million, which is no small feat in the Iranian economy. Dharma was another Iranian ransomware activated one. It was unsophisticated. You can see that again using those OSINT tools, right? Those open source tools that anybody can procure and use. And it was delivered via RDP. Again, very typical delivery operation delivery mechanism. And then BitLocker was 2020 to 2022. BitLocker is Decryptor Key has been released. I do not believe they are still active, but we’re going to see what Iran does with ransomware this year. Again, I think if I had to to hazard a guess right now, their ransomware operations are not as active because they are so involved with global conflicts, again, posing as journalists or aid workers for Palestine, Israel, Ukraine, trying to get information that relates to global conflicts, as well as managing the proxy events in Syria, Lebanon, etc.. But I do expect as this year proceeds and as really important, crucial global elections happen, we are going to see a lot more Iranian ransomware campaigns as well as their custom malware. So look forward to that in March when we have our next deep dive on the big four actors.

It is essential to talk about cryptocurrency as well anywhere in cyber right now. So Iran is a big crypto user in a country where the economy is essentially ground level, right? It’s been terrible for years. A lot of poverty. The only people who are profiting are, of course, those higher up in the government, Iranians who could circumvent the Iranian government’s internet controls have turned to cryptocurrency. You can make money with it. You can start a side hustle and it’s harder for them to track. So cryptocurrency is extremely popular in Iran and always has been. In 2019, the Iranian government banned crypto mining, which is also a way that Iran works with China. So crypto mining to be very, very short about it. You need a lot of network power, but you also have to control weather and temperature. For obvious reasons, the Caspian Sea region in Iran is extremely valuable for crypto mining. So China helped Iran set up crypto mining farms in the Caspian Sea region. The public caught on to this because again, it’s a small population. Word travels and they you know, if they’re watching anti-government or if they are anti Iranian government, they want to know what’s going on. So the Iranian government banned crypto mining for personal individuals. Right. You could not have a personal individual conducting crypto mining operations. Then they reverse that ban in July of 2022, implemented a paid license that the personal individual had to get from the Iranian government. So they turned it into moneymaking. So Iranian government’s making money personal individuals, non-government affiliated or crypto mining. China’s helped in this. And voila, we have Iranian crypto. I’ve mentioned that they’ve shied away from Bitcoin, that a lot of them still won’t use it, thinking that internationally it can be traced. And one example of where they’re shifting as well, in the latest conflict between Gaza and and Israel, they are using Tron, which is a decentralized blockchain. It’s a different blockchain, but they’re openly talking about Tron on social media as well as telegram, because it is not as common in the West, and they don’t feel that it has been infiltrated by Interpol, Europol or other Western government officials. I also want to highlight, and this is dark out data we see constantly. So Hezbollah, in addition to laundering money, spreading money around and, you know, using it for weapons and drugs and etc., Hezbollah has also run a very successful counterfeit campaign. You can see an example right there of the $100 bill of the United States. They’ve done it for euros. They’ve done it for other Middle Eastern countries as well. So cryptocurrency is a booming operation not only for the Iranian government, but also for their proxies like Hezbollah, the Houthis and Hamas as well.

That takes me to the end of this. I am very happy to share any IOCs. Everything I’ve talked about today is a is a preview. There’s obviously always more. There’s granular details. Please reach out to [email protected] with any questions or updates. Always happy to share more sources. Always happy to hear of an update that maybe I missed. These I really feel are wonderful sources and references that I refer back to and constantly use and update.

---

Don’t miss our next webinar on Big 4 Cyber Adversaries > Register here.