[Webinar Transcription] Expose & Enrich Intelligence Related to Front Companies and their Influence Operators

February 13, 2025

In this webinar, analysts demonstrated how to investigate and pivot on front company infrastructure, using Falkor and DarkOwl dark web data, to analyze and enumerate possible front companies and their employees.

Highlights:

Adversaries of the West are using front companies to obfuscate/hide their malign activities against the West
Sanctions and notable indictments from recent months
Enriching information using both Falkor and DarkOwl platforms
Investigating personnel, infrastructure, and other evidence linked to front companies

NOTE: Some content has been edited for length and clarity.

Ari: It’s a pleasure to be here with you. My name is Ari. I am an OSINT analyst here at Falkor responsible for integrating various tools like DarkOwl into Falkor, also general sales engineering, training, handling, any sort of client affairs that come up. You also may know me due to my blog, memeticwarfare, where I write about influence operations and investigating them, and a number of other ventures that I happen to be involved in. I’m very happy to be here with you today alongside with Steph, and we’ll let her introduce herself shortly as we show how you can utilize dark web and deep web data from DarkOwl in Falkor to investigate, in my opinion, very interesting Russian influence activity globally to uncover new front organizations from a few data points.

Steph, you wanna introduce yourself?

Steph: Absolutely, yeah. I second that this is going to be really interesting. I’m so excited to dive into it. So, hey everyone, I’m Steph Shample. I work here at DarkOwl. I used DarkOwl’s data before I became an employee, so I’ve got tool perspectives, very similar to Ari. I think once you’re an analyst, you just can’t get out of being pulled into everything. So, I also help with client training, use cases for how you might employ DarkOwl intelligence in your other day-to-day operations or your separate intelligence operations. And we’re going to get more into our company specifics as well. So, Ari, back to you.

Ari: So, Falkor is an interesting product. In my opinion, it’s kind of leading the next generation of what analysts are going to be using going forward. It’s an API forward analyst operating system, where in addition to carrying out all of your link analysis data visualization, querying of various tools or so on, you can connect all of your internal data sets, be they files, databases, any other REST APIs you happen t have, all into one place. And then, of course, to use OSINT sources like DarkOwl or whatever else you happen to have into Falkor to utilize all of it simultaneously and seamlessly.

There’s also, of course, a full collaboration suite, task management, management, case management, all those additional add-ons that you need to run a case effectively. We have built in AI capabilities, including an analyst investigative chatbot, digital profiling, real-time monitoring, and much, much more in what I may say is probably the most aesthetically pleasing dark mode first, analyst platform out there, which anybody here who works in this space knows just how important that is. I’ll let Steph introduce DarkOwl.

Steph: Yeah, thanks. I’ll take it for DarkOwl. So, we’ve been around for about 12 or 13 years, DarkOwl. We are the world’s leading provider in Darkint intelligence. We cover, of course, the dark and deep web. We also cover what we consider dark web adjacent platforms that is places like Telegram channels, Discord servers, and, of course, IRC chat. We consider them dark web adjacent because you’re gonna see now, especially since Telegram has entered the fold and become more popular in GEO political events, influence operations, and cybersecurity. It’s also cross-referencing, and actors are using both their onion platforms, their markets, their forums, to advertise on Telegram and vice versa, thus maximizing the potential for financial return or notoriety in their operations.

So, the image that’s on your screen here is of course we covered Tor, that’s the browser that you would download and use to access the dark web. We also have I2P and ZeroNet. We are definitely on discussion boards as more people share tactics techniques and procedures or TTPs, underground criminal forms and markets have touched on pretty self-explanatory. And then of course those chat platforms that I’ve referenced how they go back and forth.

Ari, real quick. Do you want me to go into the dark web and how it works now? Or do you want to save that?

Ari: No, absolutely. Absolutely. Let’s lay the foundation for sure.

Steph: Let’s lay it. I like it. So, Ari and I did want to be very clear, you know, for those who aren’t in this space, what is the dark web? What is the deep web? Everyone’s got their own definition. You’ll see all kinds of chatter and people contributing to that conversation. But let’s just keep it very simple. So, the surface web, you download a browser, right? Your choice, Chrome, Firefox, Brave, whatever that is. Very easy. Everything that you’re accessing, if you’re searching on there for recipes or how to, you know, sew or whatever that looks like, it’s attributable. You can find that information, several clicks, couple buttons, you’re good to go. It’s attributable, right? Every IP address and every website is mapped. They relate to one another. All activity is generally able to be observed. Where is this website hosted? Is it a Google domain, an Amazon domain or something else?

Whereas the dark web is meant and was built to be obfuscated. It is built to be more anonymous. It has more privacy features. So, you need special equipment to download it. When you access a .onion URL, you cannot put that .onion URL into, say, a Google or any kind of other browser. You’ve got to put it in Tor or there are a couple of other browsers. Some people work with tails as well. It is not indexed, so you really can’t search a lot on the dark web for recipes or any kind of thing. You have to know what you’re looking for and where that type of material is hosted. So, if you need something, say, if you had a ransomware incident, if you’re in this space, you’ve got to know how to access the ransomware blogs where they host them. If there’s an initial access broker that’s selling access to your company on the dark web, you’ve got to know maybe their name, how to get ahold of them, what market or forum they operate on. And again, it’s built for privacy, right? It is not going to easily give up information such as locations, IP addresses in Tor, you have three of them, you have a beginning IP address, a middle and an end, they change every approximately 10 minutes. It’s meant to be obfuscated. It is designed to be anonymous. So that’s our high level. What is the dark web? How do we access it? What are we doing? We welcome further questions on that if you’d like to put it in the chat or contact either one of us. No problem.

All right, Ari I’ll kick it back to you unless you have a question.

Ari: No, no, there’s just so much more to go with this stuff. I just say, again, everyone wants to know about how dark web URL resolution works, let us know later. But yeah, but alongside the dark web data, I think the most important thing that we’re going to bring up is the use of that in the conjunction with deep web data, Telegram in particular, but also other sources as well as they come up, right? And that’s, I think in my opinion, the real added value of what tools like dark, DarkOwl and other tools that provide similar data sources do that you can really have essentially all three layers in one setup.

So, with no further ado, let’s discuss the case that we’re going to be looking at today. The case that we’re going to be looking at today is the Center for Geopolitical Expertise. Now, you may have heard of this. They were sanctioned, I believe, about two months ago, maybe a bit less by the US Treasury Department. Here’s the statement. If you want, you can see that over here.

And we have the Moscow-based CGE, or Center for Geopolitical Expertise, founded by the OVAC -designated Alexander Dugan, and we’ll discuss briefly perhaps later on. And then, of course, the main person running a whole operation, Valery Mikhaylovich Korovin, and other relevant CGE personnel. So, we’re going to see how we can essentially investigate this organization, the CGE, by the way, as a side note, Russian front organizations love utilizing terms like geopolitical, whatever, and expertise and that sort of stuff, just a cultural thing that happened to really enjoy doing, and you’ll see that repeat itself in this space quite a bit. To see what we can essentially find out on this given organization, utilizing deep and dark web data, and then how we can expand upon that to find other signs of new front organizations and just better understand their general activity. So, we’ll cover not only dark web data, but also some investigative tips that you can utilize when investigating front activity on your own, and then we’ll conclude with a Q&A.

So, the most recent case that we have of the CGE was apparently, or they’re alleged I should say, and though it’s becoming increasingly well-founded in terms of the research, right? Was there organized election interference inside of the ongoing election interference, I would say, inside of the current German elections? They’ve also been quite active in Ukraine. They’ve ran probably the single most successful operation inside of the US called CopyCop, that was published on by Recorded Future. Great report, highly recommend, that you read it. And they utilize locals and other individuals to set up these AI -generated domains, targeting whether election or given country they happen to be targeting.

Here we have an example from News Guard over here of a various number of German language domains used to target Germans.

Now there hasn’t been much coverage of Corovan individually beyond the Gnida project. By the way, a great substack that I recommend that you follow. If you’re interested in tracking Russian influence operations internationally, they do a lot of great stuff. They’ve been the only ones to publish anything in depth on Korovin individually. There have been a few mentions here and there, but nothing really in depth. So, let’s see what else we can find on them. There we go. So, just to recap where we are so far and how we’re going to start our investigation, which by the way, I find to be often one of the most difficult places for analysts, especially new analysts, you know, to have it right when they get going, is where to even begin with looking into such sprawling types of activity.

We have the sanctions announced on this given group, and there have been past reporting on them from other individuals also as well. And we have the number one person of interest of POI, Valerie Korovin, and of course information on him published by the U.S. Department of Treasury, including the Russian tax ID over here, which is like their social security number, date of birth, general area, and of course, the registration information of the CGE also as well. I built a very humble little graph over here in Falkor’s link analysis, showing you essentially how these things work, how Korovin over here is essentially an agent of the GRU, right, he’s their liaison for the actual activity that the GRU, which is Russian military intelligence wants to carry out internationally. We have the awards for justice from the US government announcement over here, his affiliation with American John Mark Dougan, another activity, the Eurasia Organization, and other key individuals that we’ll get into in a little bit.

Just a quick word about Dougan if you haven’t heard of him. Dougan is the founder of the CGE and is a fascinating figure who we can dedicate multiple awareness to just for himself. But in short, he is a Russian far-right political polemicist with a very unique political philosophy and how the world works and how things should be, at the very least, founded on multi-polarism, meaning the world not being unipolar centered around the United States, and essentially Russian borderline fascism, if not fascism itself in many ways. So he’s a sanctioned individual known for his very, very, very extreme views. Now, thanks to Gnita, we also know about Natalia Makeeva, who is the senior official at the CGE and is the right hand of Korovin, but we can also find out more about her independently as part of our investigation. We don’t need a project just for that. So now we’re going to see how we can take these individuals and the basic data points that we have here, identify entities for investigation, further identify new relevant entities, and then keep going. Now one thing I do want to bring up and Steph do you want to enrich further astound upon this is the Russian dark will be some ecosystem in general, which is incredibly rich. So, if you have any words you want to add to that, I think that’d helpful.

Steph: I’m fully in agreement with you, you know, the Russians are, of course, not the only actors, APT or cybercrime focused on the dark web. But I would say they are the most frequent. They know what they’re doing. They’ve been using the dark web in their operations probably longer than any of our other adversaries. You will see Iran, China, Belarus and pick a country if their actors are on the dark web, you know, they are using it, but Russia is the most frequent and uses it in a variety, right? From ransomware to cyber-crime, to info ops, to all kinds of influence operations, Russians are all over the dark web. We have learned the most from them. Ari, so that’s a great point.

Ari: Absolutely, and the most important point for us is that that cuts both ways, right? So there are tons of data leaks on Russia, tons. I mean, perhaps the single mostly country I’ve ever seen articulately, in terms of sheer number of leaks and data available, and that’s how we’re going to utilize this information to keep investigating. So Just from doing a name search on Korovin and Falkor with this full name, which would give them the sanctions, we get a large number of interconnected results over here. And by the way, as an aside, if you’re interested in seeing the full investigation with other information from DarkOwl and Falkor, feel free to contact us separately. We’d be happy to schedule a demo to show you more of the in-depth information on this individual case.

Just from looking up his name, we find all these various interconnected data points. We find from leaks of data available on the dark web, a Facebook profile with a UID, a leaked telegram account, leaked Gmail entities appearing in a dark web post over here, and multiple other entities belonging to this individual.

Now, I see we’re getting questions in the chat, so I’m not going to refer to that now, but we’ll save that for the end. But if you do have any questions, feel free to send.

So, one thing I do want to bring up also is that one of the results that we get here is that Korovin has an additional email at the Eurasian organization, which we mentioned over here, which is another organization tied to Dougan. Okay, so that also came up in the results. Now if we look up the Eurasia.org organization, which is by the way another Russian instrument of influence headed by Dougan and active globally, looking at who is records, here we have from WhoXY, which is a great free tool, which is a side note by the way, highly recommend it, if you need a free tool for that, or of course the full suite of domain intelligence available in Falkor. We can see that in fact the person who registered Eurasia.org was Makeeva@Eurasia .org, Natalia Makeeva, the woman mentioned earlier, and she also registered the CGE domain over here as we can see as well. So, she’s a pretty central individual then having registered the domain for CGE. And then we can also see over here a very broad overview of the leak data available from the deep web on the actual Eurasia domain. So going back to that, just by querying essentially the domain itself in Falkor, we also have the Korovin’s individual email address over here. But here we have the full swath of results. I’m sorry, I try to fit a lot in on this slide.

I know we only have so much real estate over here. But you can see the sheer wealth of data that we have on the actual domain, which is somewhere over here in the middle, right, including the large number of actual individual posts in which the domain is mentioned, but also more interestingly, perhaps a leak total of 360 email addresses in leaked records originating from the domain. Of which, we have 28 unique ones. So, Steph, I know if you have anything you want to add to that on the dark web, on DarkOwl’s data enrichment features over here in terms of profiling.

Steph: Absolutely, we are a niche DarkOwl intelligence, but one of the tools that we have to get extremely granular is this bottom right image that Ari has been highlighting. So, when Ari and I were going back and forth saying, you know, what can we do? We want to talk about front companies, but it’s intimidating, it’s overwhelming to get started. There’s a lot to follow, there’s a lot of threads to pull, there’s a lot of misdirection that can happen. But when Ari gave the domains of some of the proven front companies, and we definitely source those from indictments and treasury, as we’ve mentioned, you can put any top-level domain into our tool, and of course in Falkor now that’s also using it, and get a pullback of, okay, here are the amounts of emails exposed, that’s that 360 numbers. There are 28 unique ones, because of course there’s going to be repeat breaches, accounts in certain pieces of information with the same password or exposed in the same place. So, it’s just really important to help flesh out your top level domain research, get the patterns. You know, what password does this individual use? Is it constantly exposed on the clear web, on social media, on the dark web? So it’s a really cool feature to kind of build this out and we use it heavily in our investigation.

Ari: Absolutely, then you can get it all visualized for you nicely inside of Falkor, giving you the clustering over here of what’s actually important. You can filter, of course, by degrees and so on and move on from there. But the point that you think you’re going to remember is that every one of these data points is essentially another pivot point that we can use as part of our investigation. So as we can see that certain clusters of activity here are more central, right, or more active in terms of relations to other entities, we can then take Falkor’s, say integrations with email and phone number lookup tools or people investigation tools, or social media enrichment, and then enrich those further to further investigate the in domain. Now the next thing to keep in mind, and this is especially relevant when investigating organizations of any kind, be they companies or front companies or whatever it happens to be, the leaks don’t lie at the end of the day, right?

Firstly, having no leaks is suspicious because almost every organization has an employee who utilizes some given company data point to register for some service. It’s rare to not have that happen at all. And then when they inevitably do, as we can see here, we can see who’s more active with their company email or other company assets online to find other relevant data points really easily. We have here, we have a number of individuals, including Makeeva, who was the single most popular leaker in terms of using her email address, which also hints to us that she’s probably a pretty active individual in the given organization. So, we can use DarkOwl data for investigations, right, for pivoting, but we can also utilize it to qualitatively understand and analyze what actually occurs with this given organization.

So, we can see here that Korovin’s email address appears in a dark web post taken from an onion site that we can see over here as well, which was actually a leaked copy of the internal information policy of the Lugansk People’s Republic. So, you know, occasionally you’ll see there’s some news article about a list of leaked data, you know, exposes this or leaked, you know, government reports say that, et cetera. One of the places you can easily find that data is in fact on DarkOwl because as Steph would say, you guys are constantly indexing all of the available posted and leaked data online. And here we can see, in fact, that Korovin and Eurasia are mentioned as key bodies for promoting Russian interests in the Lugansk People’s Republic, which is one of the breakaway regions of Eastern Ukraine, currently being fought over in the war. So, it has an official role in, say, promoting Russian interests there also as well, which was not publicly available data previously. Now, we can also then look at Korovin’s Twitter account, which is easily found publicly, but also easily found via breach web data. And then inside of Falkor’s social media enrichment, we can bring back followers posts and more. So, we can see that his followers globally, of course, make sense roughly what we would expect, mostly in Europe and Eastern Europe and, of course, Western Russia, some in the Middle East and other parts of Asia, Latin America, Africa, and the US a little bit. And we can use all these also for further investigation, especially when it comes to finding new organizations globally that might be following him that could be potentially related. And then we can also utilize the Falkor link analysis to better understand clusters. We have Korovin over here; that’s the original account over here. Then here we have one other account that he shares a large number of shared followers with.

And this is of course, who else but Natalia Makeeva. So even without the needed project telling us earlier that she’s a key individual and providing the receipts as we say, which we’ll see shortly, we can also find out, of course, also ourselves utilizing open source investigation. Now, if we begin to look her up by looking up her email address also in DarkOwl, we get another kind of dark web data that we can utilize quite effectively, which are actually leaked emails from between Makeeva and an individual affiliated with the pro-Russia and Novorossiya movement based also in, of course, Donbass, the eastern part of Ukraine that’s being fought over in the war. We can see here in these individual emails which I translated into English, they were of course sent originally in Russian, that they were coordinating sending over propaganda material from Dugan, of course, into that area. Now, one of the other things that DarkOwl does that Steph might want to explain briefly is tokenizing entities, and then I’ll describe how we do that in Falkor.

Steph: Absolutely. You can see in the bottom left image; we have that highlight once Ari shared the names of the individuals that we wanted to focus on for this investigation. I just ran that through our tool, and we highlight our results. We want to make it easier for our analysts, make it visually appealing. So Makeeva, we see her domain confirmed, she’s sending emails back and forth, so there’s a couple of things. We’re going to pull out that email address so that you can further pivot on that, build off of it, find passwords, find anything that you might want to find. We got very lucky in this instance that we had contacts for these emails. So then you can also, when need be, pivot to Gubarev at NovoRussia, you can take a look at NovoRussia’s top level domain, what’s exposed, what’s out there. You can try and see if that resolves to any IP address based on what, you know, Russia, how they’re setting up their operations. So, you have a whole bunch of different pivots and different pieces of analysis to add to just Natalia Makeeva and her email address, we built out a whole other graph that is evidenced in Ari’s image on the bottom, phone numbers, contacts, patterns of life, patterns of contact, and other people she’s working with. So yes, we pull that all out in DarkOwl for pivots.

Ari: Exactly. And then we can just easily right-click on that document in Falkor to extract those tokens as entities into entities for further investigation automatically. So, if you have this email address, instead of needing to copy and paste each individual email address or phone number or username or whatever happens to be, you just right click, you have it, and then you can right click and further enrich and investigate effectively. So just to recap where we are so far, we had the original CGE organization. By looking into it, we found the Eurasia group organization also unsurprisingly affiliated with this group. And now we see pretty close ties between the leader of the Nova Rocio community over here and of course, Nathalia Makeeva, indicating there might be other ties as well that we could investigate. Beyond the original organization, there’s also evidence from, of course, Gnida as well, that Korovin and Makeeva, who we can see here, this is Korovin, and this is Italian Makeeva, are active globally beyond Eastern Europe and Russia, involved in setting up the Fundación Fidel Castro para Desarrollo de las Aracenas Frusal Cubanas, the Fidel Castro Foundation for Promoting Russian-Cuban Relations, which they utilize essentially to promote Russian interests in Latin America and the Spanish-speaking world. And here we can then utilize Telegram. So, Steph, I’ll let you then describe perhaps how DarkOwl handles Telegram and Discord and other deep web sources before I describe what we’re seeing here.

Steph: Of course, no problem. So, once again, we kind of went on the name of Valery Korovin I wanted to do a search. We know that Russia is also avid users of Telegram. We saw that activity really increase where they were sharing battle plans, pictures, strategy on Telegram after Russia invaded Ukraine. But we also saw that pop up when the Afghan government fell in 2021 in the summer. So just to let you know that Telegram is all over. We pull everything down from a Telegram channel. So, we’re going to get the metadata, we’re going to get the channel ID, because this, you know, for right now, the title of this is called Amigos de Evesiones Fides. Tomorrow, that could be literally anything else. But if you have the Telegram number, the actual channel number, you can continuously track that no matter how many name changes there are. The same is true for those usernames. So, we pull that all down. We have the metadata for your investigation to share with your clients if you’re sharing intel with someone else. And then, of course, after we have Valery Korovin one name, now we have a whole spate of other identifiers that we can pivot on. So, we’ve got a Facebook group for this group as well as Twitter. We’ve got, of course, their Telegram. We’ve got a Yahoo address. So, it’s just a lot more information that we added. And it’s the same for Discord. We pull down server IDs, we make sure that we have the information that’s never going to change, even if a user handle or the title of a server or room does change.

Ari: Absolutely. And then we can start the actual hard work of investigating, right? At the end of the day, there are very few shortcuts in life. We’ve been lucky so far with these lead emails and other things that we come across. But sometimes you gotta, you know, put the elbow grease in there and really just look at all these various entities that come through and you can do that easily in Falkor by enriching them to bring back information on the domains, on the social media profiles and more to see if they are in fact front organizations or have any other types of relations to the actual individual that you’re looking at or not. We have other sources across Telegram also as well from parts of Latin America and even Italy and other global organizations that are promoting Thurovan and these front organizations that we can then look into further also. Now we’re going to conclude the investigative portion of this with one final tip that I would like to bring up. Gnida project brought this up also as well, but anybody could figure this out, that the Fidel Castro Foundation is registered at the same physical address as a few other interesting groups. Firstly, we have the Russian House of International and Scientific and Technical Cooperation. I haven’t looked into it myself yet, but who knows? It wouldn’t be the first time they’ve utilized scientific cooperation as a front for other sorts of activity. Eurasia itself is also based in that same building over here. The Russian influence outlet Geopolitika RU, which is very well known for anybody active in the space, you should recognize that immediately, is also of course registered and based out of the same, comparatively small building in Moscow, you can look it up in Google Maps, it’s not very big. Doesn’t make sense that it’d be hosting so many large organizations. And the lesson to keep in mind here, even though the CGE is registered by the way in a different address, is that threat actors always reuse for a variety of reasons right sometimes they don’t you know can’t afford to rent to different places they want to rent they want to buy domains they want to get new office space where it happens to be but they don’t and they did utilize the same thing over and over again. So, whether or not it’s digital or physical infrastructure if it’s being reused you can use that very effectively to find potential signs of a given organization being a front or otherwise uncover hidden ties right.

Now you have to be careful about that about that also as well of course if it’s a large office building it could be feasible, they’re all based in the same building as well, right? But if you can check it out on Google Maps quite easily, see whether or not it makes sense that you have multiple large organizations in a given, you know, three-story building, right, let’s say, and then from there make your own decisions. And then we’ll conclude also over here with the Falkor geo search, which has the ability to search this area for social media data, other data points also as well, and even connect other tools also to search if you have other geo -relevant data points too. So, on that note, let’s conclude, and I’ll let Steph also, if you have anything you want to add, let me know too, feel free to barge in here. dark web data is critical for investigation of all times, of all kinds, right? Beyond just looking up leaked data, leaked creds, threat actor chat, and that sort of thing, we can utilize it for things like profiling, finding leaked geopolitical data of any sort of interest, right? Government data, that sort of thing, and we can utilize that leaked data to expose ties to additional organizations very easily. This is often like the shortcut that I mentioned that we don’t often have earlier essentially, right? The leak data giving you that actual connecting point is what you can often utilize effectively. But there are other data points that we can utilize also, as well that we can find, right? Shared physical addresses, reutilizing digital infrastructure and more are critical. And deep web data really can’t, in my opinion shouldn’t be ignored for investigations of any kind, let alone influence investigations operations as well as looking into front groups. And we can utilize them to find with the low amount of investment, let’s say, or time invested in this, international activity very, very easily. So, Steph, if you want to add to that, let me know.

And if not, we think we can move them to Q &A.

Steph: Love to, just to repeat, front organizations are tricky. They’re a little difficult to follow to get started to know where to work with. But look, Ari and I started with one organization, one top level domain, two human beings. We then got their selectors on social media, on the dark web. We found two other organizations, we had a global investigation, but we had to pivot, we had to turn around, we hit some dead ends. When we were first talking about this webinar, we were gonna maybe focus on Iran or a different kind, but Ari did an excellent job of saying, no, let’s do this, this is good, and then really made something that’s intimidating and a little difficult and complicated, simple, seamless, and you can see all the information we ended up with after starting with just three entities, an organization and two humans. So, Ari hats off to you. Thank you for demonstrating how we can use deep web and telegram and Discord data. It’s absolutely amazing. And I look forward to reading what you do in the future, because it’s awesome.

Ari: Thanks. And there’s a lot more, by the way. So, if anyone wants to see more, feel free to contact us separately, like I said. All right, the final step that I would do here for a Falkor plug before we go under the Q&A is the monitoring dashboard. And this is also, of course, relevant for DarkOwl as well. Falkor is a full monitoring suite available so you can set up dark web data over here to be monitored right set up your keywords your Boolean queries and strings whatever you happen to have you can set those up over here I set one up for mentions of Eurasian.org and other mentions as well and then you’re going to get a live feed of new onion data discord data telegram data and more coming in relevant for that sort of data also here as well we also of course have a full alert mechanism set up through some of the keywords or things you want to be triggering rules for and that sort of thing, we can do that. And we also of course support social media. So, if you want to say follow Korovin’s Twitter account or follow any other individuals’ Twitter account for your investigations, you can do that also as well. And lastly, we also support RSS feeds. So, if you want to say track the OPAC RSS feed or any other RSS feed that you happen to have, no problem, you can throw it all in here and track all of those things in one pane of glass.

Steph: Super, super kudos to Falkor. There are so many tools out there and everything is very disparate, right? We’ve got RSS feeds and Slack and all of this, but what you guys have is a dashboard where you can truly have everything in one place, and that’s essential as an analyst. We’ve got enough information to deal with, so it’s an amazing, amazing product.

Ari: I’ll send that over to the development team. We’re very happy to hear that. I think we have some time then for Q&A.

Kathy: Yes, we do, and we’ve had some questions come in. The first one is in reference to Telegram, have we got any possibilities to follow a target if a Telegram account is closed and not open?

Steph: Yeah, we absolutely do. So, you know, you can build infrastructure to try and ask for permission to enter. You can run different personas or try to get people that work in your organization into a closed or private Telegram. There are a lot of different ways to do that. Strike up a common conversation, strike up investigations, and just kind of see how you can break that door down based on observing other activities surrounding it and knowing what the types of discussion are that’s happening inside those telegram channels. It’s not a perfect science, you might get denied, but you can get into closed ones if you play your cards right. Yes. Or anything to add to that on your end?

Ari: No, I mean, that’s that, listen, that’s, you know, like I said, sometimes there aren’t any shortcuts and you gotta just, you know, Do the cold approach and hope it works out, right?

Kathy: Okay, well, staying on the topic of Telegram, when considering Telegram provides encryption and privacy features, why do threat actors still choose to communicate there instead of using more anonymous platforms like I2P , TOX, or peer-to-peer encrypted channels?

Steph: Yeah, absolutely. So, we see actors talk, I mean, I’ve been all over the web, right? I’ve been in this game for a lot of years. I’m very old and I’ve seen a lot of trends. So actors are openly stating that Telegram is safer. It is a Russia-based tool, right? It was developed by a Russian. And so, they feel that in lieu of the dark web where they have openly identified, they feel that federal agents and law enforcement’s working to try to take down criminal operations, criminal infrastructure, actors still feel that the majority of the safest tools are things like Telegram and TOX. They are definitely active on TOX. They have moved away as ransomware groups fall, as markets are shut down, think Silk Road, think Alphabet. As all of those go away, they move to what they feel is safer. I do think that probably in the next two to four years here, we’re gonna see a migration away from Telegram because you know how that goes. Once things get very popular and are used frequently, pivots for investigations change, They probably will feel that law enforcement will move there, but we see that all the time first, you know, with cryptocurrency, for instance, Bitcoin was viewed as very safe. Now they’re saying Bitcoin is a tool of the United States, you know, intelligence agencies and federal investigations is their words and chats. So, they’re moving to Zcash, Litecoin, etc, etc. They openly espouse what they feel is safe versus what isn’t. And it’s our job as investigators to follow that. So that’s probably why, that’s definitely why they’re saying what they’re saying.

Ari: I have some points that I’d like to add to that. So, there are a few things to keep in mind because the much vaunted, let’s say, encryption of Telegram really isn’t quite as good or as quality as people say. We can get into it; it’s a whole separate thing. It’s not intent encrypted by default, which is what really matters for the average user. The reason people use it, in my opinion, is that it’s a really effective town square. You wanna sell your cyber crime services online or make sure your leaks get, you know, spread and amplified and that sort of thing. It’s an amazing place to be active and the barrier to entry is super low. You don’t need a computer. If you are a thought actor within a country that doesn’t have, you know, that in which GDP is low and you want to start scamming, you don’t have a hundred bucks in your pocket, you can do that, for example, right? It’s instead of buying a computer and download Tor and have a reliable, indirect connection and do that sort of thing. Telegram is much more accessible. You can buy a burner phone, remove the camera, microphone yourself if you’re that concerned and kind of get to work. And then like you said, also step regarding TOX, move to TOX, move to any sort of end-to-end encrypted solution that’s a bit more secure for actual communications, which is a very common trend also as well. So, there’s this town square market element of it that I think is incredibly appealing. And then it also has other features that make it appealing to threat actors as well. In fact, that it’s easy to use. In fact, there’s other content on there that’s also interesting. The built -in messaging experience is really seamless. There’s a lot of other reasons to use it also as well. And I think it’sa fascinating platform, but those who know me know I also have been a bias.

Steph: Great points.

Kathy: Great. Thank you. We’ve had another question about leaks in the darknet are not too old to use with efficiency?

Steph: Absolutely not. So human beings are creatures of pattern. They reuse passwords. They reuse their data. They can’t keep track of it. We do not have enough people. Think of your coworkers. Think of maybe older family members or something, they’re not using password keepers, like 1password, key password, et cetera, et cetera. They reuse something because it’s easy. So, if something is exposed and always out there, it’s very easy to keep reusing. We have had actors who have not changed their passwords since 2010, 2011. Not all of them. Some of them do have better opsec and cybersecurity, but it’s very, very simple to glom onto one password or one account or a handle or a username that an actor uses and then keeps going with minimal changes throughout the years. It’s foolish, but they do it. So no, data that’s old is not too old to use no matter where it’s from. There’s always a potential. Anything on your end for that, Ari?

Ari: No, that’s a great explanation. I mean, it depends also on your usage, right? I mean, if you’re just trying to protect, you know, if you want like those, you have some of the lead employee password from nine years ago, it’s probably not as bad as, say, something from last year. But, you know, for investigation purposes, It’s still quite as useful for pivoting. I don’t know that in terms of other stuff. So, it depends on what you’re doing, but yeah, I completely agree with you.

Kathy: We have one more question that came in. How else can dark and deep web data be used for investigations or attribution of influence operations?

Ari: And this is, I think, a really interesting topic because people love to talk about attributing influence cyber operations online effectively and the leaked data is one of the most effective ways to do so, like by far. Looking at past Twitter scrapes and Facebook leaks and that sort of thing, people manipulate the APIs, these platforms, and then post all this account information online. There have been cases where known influence operation accounts and entities have had their personal information exposed, be that say the registration IP or their last used IP or their password or that sort of thing, that you can utilize to very effectively either further investigate or even kind of on the spot, determine whether or not it’s an authentic account or not. So that’s one of the biggest things that I’d say that we see. And there have also been multiple cases of influence operators themselves experiencing leaks, right? So recently the SDA, the company behind doppelganger had a lot of data leaked on them, hasn’t really made it much onto the dark web for a variety of reasons, right? But essentially the data is still leaked and available to certain other individuals. And that’s another way that we can expose other actual operators themselves as we saw in this investigation. So, the leak data is in many cases the only way to investigate and attribute these activity, not a nice to have. Is that anything you want to add to that?

Steph: Yeah, and as far as just other data on the dark web, people, criminals, actors, they do feel that the dark web with its flaws and its security issues is still one of the safest places online. So, they’re still very open, they’re still very transparent. They might be cautious at first, but as they carry on more operations and build bigger networks and build a name for themselves, selling data, infiltrating companies, getting infrastructure, they open up more, right? The dark web is full mostly of criminals. They have an ego. They want to talk about who they got into. They want to build themselves up. And so, every piece of information, despite what you’re looking for, what you might be working, ransomware, info ops, DDoS planning, you know, anything. There’s always a piece of intel on there. It’s just that you have to look harder to find it. But as Ari and I have mentioned, schedule a demo with us. We’d like to take you deep. We also want to show you how you can enrich open source OSIN or social media information with dark web intelligence. It works really well to enrich too. So, there’s a bunch of different lines of investigation and tactics and we’d love to go deeper with you on that.

Kathy: Great. We do have a couple of minutes, and we had one more question come in. In other countries, considering that credit card details are frequently leaked on the darknet – does DarkOwl provide access to full credit card data to licensed companies or is the data redacted for compliance and ethical reasons? Additionally, how does DarkOwl ensure that security teams using its platform do not misuse such sensitive financial information?

Steph: Let me answer that in two parts. So, we do indeed have full credit card details. Listen, at DarkOwl we are GDPR compliant, we are DOJ compliant, we do not purchase stolen data. That data is out there openly available, whether it’s a forum where it’s sold or whether it’s a pay site where it’s hosted. It is open information that anybody who downloads the tools and knows how to access can. So, we do have that. As far as part two, we indeed have checks and balances. My CTO is always eager to jump on the phone and explain. I’m not going to get into those checks and balances here. Please do schedule a call for us, but we absolutely ensure that there is no misuse of sensitive information, whether that’s financial, PII, PHI, HIP, or protected. We absolutely have that a way to get around that, and I invite you to please get with us and we will explain that further in depth on the call, for sure.

Ari: The one thing I would add, the one thing I would add on top of that is in fact where there’s a full auditing capability, right? So, inside of the actual system admin users can go and audit all the actions taken by other users in the system to see that they’re utilizing all the data and sources they have appropriately and ethically.