[DEVELOPING] Impacts of Ukraine Invasion Felt Across the Darknet

Last updated: April 18 18:30 UTC

The DarkOwl team is actively tracking the fallout from Russia’s invasion of Ukraine. The effects of the kinetic military operation are causing ripples across global cyberspace, including the critical underground ecosystems of the deep web and darknet.


18 April 2022 – 01:12 UTC

DDoSecrets Leaks 222GB of Data from Gazregion Collected by Anonymous Hacktivists

Three different hacktivist groups (Anonymous, nb65, and DepaixPorteur) submitted archives consisting of emails and sensitive corporate files from Gazregion, a Russian company specializing in gas pipeline construction and a direct supplier to Gazprom.

There have been numerous claims of attacks against Gazprom by Anonymous and other offensive cyber groups since the invasion of Ukraine. nb65 posted to social media that they had compromised SSK Gazregion on April 3rd with their modified version of the Conti ransomware (see the 03 April entry below).


18 April 2022 – 01:12 UTC

nb65 Claims Attack Against Russian JSC Bank PSCB with CONTI Ransomware

The hacktivist group Network Battalion 65 claimed they successfully attacked JSC Bank PSCB in Russia and encrypted the bank’s network with their version of the Conti ransomware.

The group stated they exfiltrated over 1TB of data, including financial statements, tokens, tax forms, client information, and sensitive databases, before deleting all backups to prevent restoration of data and services. Backups that are reachable from the compromised domain with the same credentials are routinely destroyed in this kind of attack; only offline or immutable copies survive it.

The hacktivists further taunted the bank, stating how grateful they were that so many credentials were stored in Chrome’s built-in password manager – a browser for which Google has shipped several emergency security patches in recent weeks. Credentials saved in a browser password store can be decrypted by any process running as the logged-in user, so a single compromised workstation can yield a large set of working credentials.

We’re very thankful that you store so many credentials in Chrome. Well done. It’s obvious that incident response has started. Good luck getting your data back without us.

15 April 2022 – 21:59 UTC

GhostSec Leaks Data from domain[.]ru Hosting Provider

The hacktivist group GhostSec claimed to have targeted the Russian domain registration provider domain[.]ru in a cyberattack. The group exfiltrated over 100MB of data, including screenshots of sensitive files and Excel spreadsheet data.

According to the README file in the data leak, GhostSec identified over 4TB of SQL databases during the breach, but the team was detected by the company’s intrusion detection systems and ejected from the network before the SQL data could be harvested.


15 April 2022 – 17:52 UTC

nb65 Confirms Attack on Continent Express; DDoSecrets Leaks 400 GB of Russian Travel Agency’s Data

The attack on the Russian travel agency (see the 05 April entry below) occurred several days ago and was confirmed by the company shortly afterwards. DDoSecrets assisted nb65 in publishing over 400GB of sensitive files and databases from the agency. The contents of the leak have not been verified.


15 April 2022 – 14:32 UTC

Anonymous Takes Over Pro-Russian Discord Accounts

Hacktivists from the Anonymous Collective have taken control of several pro-Russian accounts on the chat platform Discord and are now using these accounts to circulate pro-Ukrainian messaging. An Anonymous member, @v0g3lsec – who has been extremely active in the #opRussia campaign – shared an image of a hijacked account on which they had posted links and information about squad303, an information operations group that sends facts about the invasion to random Russian citizens via SMS, WhatsApp, and email.


14 April 2022 – 20:02 UTC

DDoSecrets Leaks Unprecedented Amount of Email Data from Russian Organizations

In the last three days, DDoSecrets uploaded archives from five (5) different organizations across Russia, totaling 1.97 million emails and nearly 2TB of data:

  • 230,000 emails from the Blagoveshchensk City Administration (Благове́щенск) – 150GB
  • 230,000 emails from the Ministry of Culture of the Russian Federation (Министерство культуры Российской Федерации) responsible for state policy regarding art, cinematography, archives, copyright, cultural heritage, and censorship – 446 GB
  • 250,000 emails from the Department of Education of the Strezhevoy (Стрежево́й) City District Administration – 221GB
  • 495,000 emails from the Russian firm Technotec, which has provided oil and gas field services along with chemical reagents used in oil production and transportation – 440GB
  • 768,000 emails from Gazprom Linde Engineering, which specializes in designing gas and petrochemical processing facilities and oil refineries – 728GB

13 April 2022 – 17:09 UTC

CISA Issues Alert About Destructive Malware Targeting US Critical Infrastructure

A joint advisory issued by the Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) details how advanced persistent threat actors (assessed by DarkOwl as likely sponsored by the Russian government; the advisory itself does not name a sponsoring state) have developed custom tooling capable of gaining full system access to multiple industrial control system (ICS) and supervisory control and data acquisition (SCADA) devices. The alert indicates an immediate high cybersecurity risk to critical infrastructure across the US. The affected devices include:

  • Schneider Electric programmable logic controllers (PLCs);
  • OMRON Sysmac NEX PLCs; and
  • Open Platform Communications Unified Architecture (OPC UA) servers.

For more information read the advisory along with recommended security mitigation measures here: https://www.cisa.gov/uscert/ncas/alerts/aa22-103a


12 April 2022 – 15:31 UTC

ATW | Blue Hornet Announces That They are a “State-Sponsored” Group

The “GOD” account representing AgainstTheWest (APT49) on the new BreachedForums (which has absorbed many users from the now officially seized RaidForums) announced moments ago that they are indeed a “state-sponsored” cyber group with “direct instructions to infiltrate, attack and leak the country of China, Russia, Iran, North Korea & Belarus.” The group’s Twitter account was also blocked by the Kremlin’s official Twitter account earlier this week, and the notification of this block was included in the post.

There is no way to verify the accuracy of the statement posted and it’s unclear whether or not the group will continue their operations in support of Ukraine.


11 April 2022 – TIME UNKNOWN

CONTI Claims Responsibility for Cyberattack Against German Wind Turbine Company

On the 31st of March, the German wind turbine manufacturer Nordex suffered a significant cyberattack. Conti has now claimed responsibility (over 10 days later) by posting the company’s name to its Tor-hosted victim leak site. We anticipate that the RaaS gang will leak sensitive corporate data shortly.


11 April 2022 – 20:58 UTC

Anonymous Compromises Regional Government of Tver, Russia; Leaks 130,000 Emails from Governor’s Mail Server

Hacktivists from the Anonymous Collective using the monikers DepaixPorteur and wh1t3sh4d0w0x90 have compromised the domain tverreg[.]ru, which is believed to be associated with the Regional Government of Tver, Russia. Tver is located 110 miles (180km) northwest of Moscow on the banks of the Volga River. The archive is over 116GB in size and consists of over 130,000 emails exfiltrated from Governor Igor Rudenya’s email system, dating from 2016 through 2022. The governor was appointed by President Putin in 2016.

Anonymous previously shared a leak of data on Russian regional governors on the darknet on 23 March 2022.


11 April 2022 – 14:35 UTC

Finland Suffers Cyberattack; Announces They Will Expedite Application for NATO Membership

On April 8th, the Finnish government confirmed that many of its military, defense, and foreign affairs web servers experienced unsophisticated but concerted DDoS attacks, likely originating from Russian threat actors. The attacks began just as Ukrainian President Zelenskyy started to address the Finnish Parliament on the status of the war in Ukraine, at around 10:30 GMT.

On the same day, the Finnish Ministry of Defense confirmed that, hours earlier, a Russian state-owned aircraft had breached Finland’s airspace off Porvoo in the Gulf of Finland – the first such violation in over 2 years. The aircraft, an Ilyushin IL-96-300 transport airplane, was traveling east to west and landed in Berlin.

Both Finland and Sweden have signaled they will be submitting applications to join NATO. According to open-source reporting, Finland will likely finalize their application during the month of May in time for a NATO summit scheduled in Madrid, Spain in June.

Kremlin spokesman Dmitry Peskov stated that Russia would have to “rebalance the situation” with its own measures should Sweden and Finland choose to join NATO.


09 April 2022 – 03:39 UTC

ATW | BH Group Leaks Data Stolen from Russian Temporary Work Agency and Recruitment Firm: Rabotut

AgainstTheWest (Blue Hornet) announced on their Telegram channel that they have successfully targeted Rabotut (rabotut[.]ru), a “federal scale service” supplier in Russia. According to the threat actor, the archive includes the organization’s entire backend and frontend source code, API keys, and SSL/TLS private keys. According to open sources, Rabotut is a temporary staffing agency that provides contract employees to a number of critical government and corporate businesses around the country.

The contents of the leak are being verified by DarkOwl analysts.


08 April 2022 – 21:41 UTC

KelvinSecurity Team Targets Russian Cryptocurrency Scam Website: alfa-finrase

KelvinSec released data reportedly taken from the domain alfa-finrase[.]com, a site known for trading in fraud material such as passports, driver’s licenses, and other sensitive PII. The group claims to have exploited the website, shut down a cryptocurrency scam, deleted 400GB from the site’s server, and exposed 1.4GB of customer data from the deep web store.


07 April 2022 – 19:30 UTC

DDoSecrets Leaks Over 400,000 Russian Organization Emails Exfiltrated by Anonymous Operations

The leak site DDoSecrets once again assisted the Anonymous hacktivist collective in distributing sensitive data exfiltrated from companies and organizations in Russia. Three archives were leaked – within minutes of each other – for three organizations: Petrofort, Aerogas, and Forest. These corporate email archives span decades of commercial activity.

  • Petrofort: 244GB archive consisting of over 300,000 emails between employees and clients. Petrofort is one of the largest office space and business center operators in Saint Petersburg.
  • Aerogas: 145GB archive consisting of over 100,000 emails between employees and clients. Aerogas is an engineering company supporting Russia’s critical oil and gas infrastructure, with clients such as Rosneft, NOVATEK, Volgagaz and Purneft.
  • Forest (Форест): 35GB archive consisting of over 37,000 emails between employees and clients. Forest is a Russian logging and wood manufacturing company associated with many high-value construction projects across the country.

A representative from DDoSecrets shared thoughts about the extraordinary volume of leak data coming out of Russia in a social media post earlier this week.


06 April 2022 – 21:42 UTC

Anonymous Claims to Attack Russian MAUK Cinema, Mirkino Belebey

Members of Anonymous using the aliases ShadowS3c and Anonfearless3c have allegedly targeted servers for the Russian cinema and movie theatre Mirkino Belebey (domain: mirkino-belebey[.]ru). The Mirkino theatre is also known as the MAUK Cinema, a.k.a. “World of Cinema”, in the Belebeevsky District of Russia.

The hacktivists have leaked screenshots of credential data from the breached database, containing hundreds of usernames, email addresses, and passwords.

This entry will be updated if/when the leak contents can be confirmed.


06 April 2022 – 20:42 UTC

Hajun Project Identifies Russian Soldiers Who Sent Parcels from Belarus Back to Russia

On April 3rd, the Hajun Project published three hours of surveillance camera footage from a CDEK delivery service located in Mazyr, Belarus. The video shows several soldiers from the Russian Armed Forces sending, among other things, items stolen from Ukrainians, during their “special military operation.”

Using leaked personal data available across the darknet and deepweb, the Hajun Project further confirmed the identities of the Russian military consignors and have released the names and phone numbers for at least 50 of the servicemen that sent parcels around the same time as the published camera video.

The Hajun Project maintains a Telegram channel and Twitter account monitoring and tracking the movement of military land and air assets in Belarus.


05 April 2022 – 16:22 UTC

Ukraine’s Defense Intelligence Agency (GURMO) Conducts SCADA Attacks on Gazprom

Due to the sensitivities of ongoing military operations, there is limited detail available on the nature of the attack, but it appears that offensive cyber units under the direction of the Main Directorate of Intelligence of the Ministry of Defense of Ukraine conducted SCADA cyberattacks against Gazprom pipelines. The attacks began within 48 hours of a fire at an oil depot in Russia’s Belgorod region last Friday, which western media reported was the first time Ukrainian helicopters had been spotted crossing the border.

The cyberattacks likely triggered an underground gas leak from a highly pressurized gas pipeline in the village of Verkhnevilyuysk; the leak was reported in Russian open sources. Shortly after this, an explosion occurred in a main gas pipeline “Urengoy-Center-2” that civilians captured on Russian social media platform, VK as a large fire occurred in the Lysvensky district of the Kama region near the village of Matveevo.

Over-pressurizing gas lines by disrupting the industrial control systems (ICS) that regulate them is a documented way of using a cyber intrusion to cause physical damage to pipeline critical infrastructure. The Congressional Research Service detailed such security risks to ICS in its 2021 report. The causal link between the cyberattacks and these specific incidents has not been independently confirmed.


05 April 2022 – 14:21 UTC

Anonymous Leaks Data from Russian Rations Supplier, Korolevskiy

The company Korolevskiy (korolevskiy[.]ru) appears to supply Russian companies and organizations with grain, nuts, and confectionery in addition to rations for the military. This cyberattack could impact the availability of some food ingredient supplies, such as sugar, which is already in short supply and skyrocketing in price across the country due to sanctions.

The data leak includes an 82GB archive containing thousands of emails exfiltrated from the company’s mail servers.


05 April 2022 – 12:29 UTC

nb65 Claims to Hack Civilian Travel Service in Retaliation for Bucha Massacre

Anonymous and hacktivists around the world stepped up their offensive against Russia after images of Russian soldiers’ war crimes and atrocities against civilians in Bucha emerged on Monday.

Network Battalion 65 (nb65) reportedly targeted Continent Express (continent[.]ru), a Russia-based travel and supply company, with Conti’s ransomware variant in retaliation for the crimes.

Continent Express is one of the largest travel agencies in Russia and helps arrange tickets and accommodations. As of the time of writing, the public-facing website for continent[.]ru is operational.

The group’s threatening message, posted to social media alongside an image, called out the company’s CEO, Stanislav Kostyashkin:

“Why, you ask? The answer is simple. We read and watched the coverage of Bucha with horror. The utter lack of humanity in the way Russian soldiers have treated the civilian population of Ukraine left us all in tears. The world has pleaded with your country to put an end to this madness driven by the mind of a cowardly tyrant: your president.”

(Update 6 April 2022) Earlier today, Continent Express posted to their news section of the website acknowledging the cyberattack but stated that important data and booking systems were not affected.


04 April 2022 – 12:29 UTC

DDoSecrets Distributes Data Exfiltrated by nb65 From Russian Broadcasting Company

Earlier in the campaign, nb65 leaked a sample of files and emails from All-Russia’s State Television and Broadcasting Company (VGTRK / ВГТРК). The Russian state-owned broadcaster operates five national TV stations, two international networks, five radio stations, and over 80 regional TV and radio networks and has been heralded as essential for the “security of the state.”

According to former VGTRK employees, Kremlin officials have dictated how the news should be covered, and provided incendiary phrases meant to discredit Ukraine. According to the former employees, editors normally have freedom to make decisions, but “where big politics are concerned, war and peace, he has no freedom.”

The 786 GB archive contains over 900,000 emails and 4,000 files spanning 20 years of operations at the broadcaster.


04 April 2022 – 06:24 UTC

Anonymous Leaks List of Russian Soldiers Deployed in Bucha

Anonymous shared a PDF file containing the identities of the members of Russia’s 64th Motor Rifle Brigade, which was positioned in the Kyiv suburb of Bucha. Since Russia’s withdrawal from the town, the atrocities and war crimes carried out by members of the Brigade have come to light.

The PDF consists of 87 pages detailing the identities of over 1,600 members of the Brigade, including their full name, date of birth, and passport number.

The file most likely originated from the Ukrainian government or intelligence services.


03 April 2022 – 06:16 UTC

Anonymous Shares Data Leaked from Russian Federal Agency for State Property Management

Anonymous shared a single PostgreSQL database dump, presumably from the domain rosim.gov.ru, containing over 785MB of logged web activity that was accessible through the database user “kluser”. Much of the data is several years old and consists of IP addresses, requested domains, and user agents of site visitors. Without further analysis, the value of leaking this data, other than for psychological operations and information warfare, is unclear.


03 April 2022 – 05:07 UTC

nb65 Claims to Compromise Russian Gas Pipeline Supplier: SSK Gazregion

nb65 shared on social media that they have successfully hacked SSK Gazregion LLC (domain: ssk-gaz.ru) – a prominent natural gas pipeline construction company – with an ‘improved’ version of Conti’s ransomware. They taunted the company’s IT department, claiming that they had also deleted all backups and that restoring services would be a problem for the department.

They also claim to have exfiltrated 110GB of sensitive files, emails, and company data during the operation and trolled the company further stating it took forever to steal the data with the “chincy ass soviet connection” they were using for Internet connectivity.

“Federal Government: This will stop as soon as you cease all activity in Ukraine. Until then, fuck you. Your President is a coward who sends Russian sons away to die for his own ego. War in Ukraine will gain your country nothing but death and more sanctions. None of your internet facing tech is off limits to us.”
“We won’t stop until you stop.”

03 April 2022 – 04:24 UTC

ATW Release Dox of KILLNET Member

Similar to the personal details shared for various APT cyber groups in China, Russia, and North Korea, ATW targeted the pro-Russian cyber group, KILLNET. They released a dox containing the Russian national’s personal information, his social media, contact information, and familial associations.

KILLNET claimed to have launched cyberattacks against Polish government and financial networks in support of Putin’s invasion of Ukraine. Last week, KILLNET also reportedly conducted DDoS attacks against the international cyber police agency CYBERPOL and hacked the ticketing system at Bradley International Airport in Connecticut.


02 April 2022 – 17:28 UTC

Darknet Threat Actor, spectre123 Releases Sensitive Databases for the Indian Government and Military

The threat actor is well known for targeting governments and defence contractors and has been circulating sensitive government databases for some time. This weekend, they released a “mega leak” of Indian government data in response to the Modi administration’s “turning a blind eye to the humanitarian crisis…. in Ukraine.”

Over 40GB of data is included in 11 different archive files and includes classified (up to TOP SECRET) and Confidential government documents from the following entities: ALISDA, DGAQA, MSQAA, DRDO, DDP, the Joint Defence Secretary of India, BSF, the MOD and the Indian Navy.

“The Indian government has a remarkably twisted propensity towards turning a blind eye to the humanitarian crisis in their own nation and now as well in Ukraine. It continues to do business with Russia and refuses to speak on the war, all in an effort to maintain their shallow political interests. These documents have been released to show that there are consequences for taking such foolish decisions.”

02 April 2022 – 06:13 UTC

ATW | BH Claims to Leak Personal Details of Members of Nation State APT Cyber Groups: APT3, APT40, APT38, & APT28

The AgainstTheWest group continued their offensive against Chinese, North Korean, and Russian nation state cyber groups. In a dox-style text file released on Telegram and the deep web forum breached.co, ATW included the names, email addresses, social media and GitHub accounts, credit card data, front companies, and other identifying information about the groups’ participants, along with other striking claims. Some include:

  • APT38: China and North Korea have collaboratively had a mole inside the United States Congress since 2011.
  • APT3: Threat actors are closely aligned with employees from Tencent – the Chinese technological giant behind WeChat and QQ.
  • APT38/APT3: The alias “ph4nt0m” appears in information for both groups and is believed to be affiliated with APT17 from China.
  • APT40: Threat actors are reportedly connected to employees of ByteDance, the parent company of TikTok.

We are unfortunately unable to corroborate the veracity of the information shared by ATW (Blue Hornet).


01 April 2022 – 20:13 UTC

Anonymous Attacks Russian S-300 Supplier: Lipetsk Mechanical Plant

Anonymous shared another large archive of data stolen from a prominent Russian defense manufacturing facility. The archive is nearly 27GB total and consists of company emails and sensitive documents.

Russia’s “Lipetsk Mechanical Plant” produces several defense products for the Russian military and industrial defense complex. Today, the plant is one of the leading and main manufacturers of modernized self-propelled tractors for S-300V4 anti-aircraft missile systems in Russia. The S-300 is one of Russia’s premier air-defense platforms.


01 April 2022 – 16:00 UTC

Anonymous Leaks Multiple Data Archives From Critical Moscow-Based Organizations

Coordinating today through DDoSecrets on distribution, Anonymous shared several highly significant archives, consisting of over 500GB total of emails, files, and databases from critical Russian organizations with close ties to the Russian government.

  • Department for Church Charity and Social Service of the Russian Orthodox Church: Database containing 57,500 emails from the Russian Orthodox Church’s charitable wing.
  • Capital Legal Services: 200,000 emails exfiltrated from a prominent Russian law firm; an additional 89,000 emails are located in a “Purges” mailbox, consisting largely of bounced email notifications, cron job output and other server notifications.
  • Mosekspertiza: Three archives consisting of a) 150,000 emails, b) 8,200 files and c) multiple databases, totaling over 400GB of data. Mosekspertiza is a state-owned company set up by the Moscow Chamber of Commerce to provide expert services and consultations to Russian businesses.

1 April 2022 – 08:56 UTC

GhostSec Wreaks Additional Havoc on Alibaba

Days after ATW attacked Alibaba Cloud, GhostSec has allegedly hacked and deleted the Elasticsearch database of Alibaba’s UAE branch. They posted a link to the data extracted from the company on their Telegram channel.

We have also deleted everything and even cleared the backups so there is no recovery, and we left a little celebration from us <3

31 March 2022 – TIME UNKNOWN

German Wind Turbine Company Impacted by Cyberattack

The German wind turbine manufacturer Nordex, with over $6 billion in global sales, faced a cyberattack that incident responders caught “in the early stages.” The attack is likely retaliation for Germany halting certification of the Nord Stream 2 natural gas pipeline from Russia.

“Customers, employees, and other stakeholders may be affected by the shutdown of several IT systems. The Nordex Group will provide further updates when more information is available.”

In the first days of the war, a cyberattack on the satellite communications provider Viasat knocked out remote monitoring and control of 5,800 Enercon wind turbines in Germany.


31 March 2022 – 19:43 UTC

Anonymous Leaks 62,000 Emails from Moscow-Based Marathon Group

Anonymous again targeted associates of those closest to Putin with a cyberattack against Marathon Group, an investment firm owned by Alexander Vinokurov. Vinokurov is the son-in-law of Russian Foreign Minister Sergei Lavrov and is under heavy EU sanctions for providing financial support to Russia. The leaked archive is over 51GB in size and is being distributed via DDoSecrets.


31 March 2022 – 14:31 UTC

Ukraine Government Sets Up Website for Whistleblower Reporting

The Ukrainian Prosecutor General’s Office, in coordination with the National Agency on Corruption Prevention and Task Force Ukraine, deployed the Whistleblower Portal on the Assets of Persons Involved in the Russian Aggression against Ukraine. The website is set up to provide a secure and anonymous method for submitting tips and evidence of corruption or any activities causing national harm. The website will ideally help in the “tracing, freezing, and confiscating of assets of those involved in Russia’s War Crimes.”

Many OSINT sleuths have identified Russian oligarchs’ and government officials’ assets, such as superyachts parked in international ports, and have submitted photographs via posts on social media. This website could be used to officially report supporting information leading to the seizure of those assets, or other correlating intelligence obtained through leaks shared by Anonymous.


30 March 2022 – 22:09 UTC

Database Containing the PII of 56 Million Ukrainian Citizens Leaked on Deep Web

A user on the forum breached.co leaked an archive containing personal identification information for over 56 million citizens of Ukraine. The database includes full names, dates of birth, and addresses. The origin of the data is unclear; members of the forum stated it came from the Ukrainian Tax Service and could date back to 2018.


30 March 2022 – 21:53 UTC

ATW Continues Offensive Against China, Leaks Alibaba Cloud & Ministry of Justice of PRC Data

The AgainstTheWest/Blue Hornet group have ramped up their attacks against Chinese targets and leaked the largest archive they have exfiltrated to date. ATW successfully breached the e-commerce company Alibaba and have dropped a 30GB archive consisting of Alibaba’s cloud endpoint environment, source code, and customer data. They also released a smaller database obtained from the Ministry of Justice of the People’s Republic of China. Both were shared to the deep web forum, breached.co.


30 March 2022 – 19:49 UTC

Anonymous Continues to Encourage SCADA Attacks; Leaks Default Credentials for COTS Hardware Suppliers

Members of the Anonymous Collective are circulating spreadsheets and websites containing the factory default credentials for commercial-off-the-shelf (COTS) hardware from a large number of vendors. This is the same class of hardware – PLCs, switches, gateways and similar devices – found in industrial control system (ICS) and SCADA environments, where unchanged default credentials are a well-documented route to compromise.

One list covers 138 unique products from manufacturers such as Emerson, General Electric, Hirschmann, and Schneider Electric, each accompanied by its default factory settings, such as username “admin” and password “default”. Another resource is a surface web website (intentionally not linked here, but available upon request) that lists 531 vendors and over 2,100 passwords shipped with hardware from the factory.

Sadly, many operators leave the default passwords in place after installation and never move to a more robust credential standard. The same lists are equally useful to defenders: an asset inventory or configuration export can be checked against them to find devices that still carry factory credentials before an attacker does.
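The following is an added example of such an audit, not code from DarkOwl or from the lists described above. It takes a default-credential list in the vendor/product/username/password shape the circulated spreadsheets use and compares a device inventory (as exported from an asset database or configuration backup, where the configured credentials are available in the clear) against it. Both the credential list and the inventory are constructed for illustration; the vendors, products and hosts are placeholders, not real entries. A device is flagged critical when both the default username and password are unchanged, and at lower severities when only the password or only the account name still matches a known default, including defaults for other products, since those passwords are in every attacker’s wordlist.

```python
"""Audit a device inventory against a list of factory-default credentials.

Added example. The default-credential list and the device inventory below
are constructed for illustration only; vendors, products and hosts are
placeholders, not entries from any real default-password list.
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample list in the vendor/product/username/password layout
# the circulated spreadsheets use. All entries are placeholders.
DEFAULT_CREDS_CSV = """vendor,product,username,password
Acme Controls,PLC-100,admin,default
Acme Controls,PLC-100,operator,operator
Northwind Automation,RTU-7,Administrator,password
Northwind Automation,Switch-24,admin,private
"""

# Constructed inventory in the shape of an asset-database or config-backup
# export. Vendor/product spelling is deliberately inconsistent on one row.
INVENTORY_CSV = """hostname,ip,vendor,product,username,password
plc-pump-1,10.0.1.10,Acme Controls,PLC-100,admin,default
plc-pump-2,10.0.1.11,acme controls ,plc-100,admin,Winter2021!
rtu-north,10.0.2.5,Northwind Automation,RTU-7,svc_rtu,password
sw-core,10.0.0.2,Northwind Automation,Switch-24,admin,N0rthw1nd-core
hmi-1,10.0.3.3,Other Corp,HMI-X,admin,private
"""


@dataclass(frozen=True)
class Finding:
    hostname: str
    ip: str
    severity: str
    reason: str


def _norm(value: str) -> str:
    """Normalise vendor/product names so 'acme controls ' matches 'Acme Controls'."""
    return " ".join(value.strip().casefold().split())


def load_defaults(text: str):
    """Return ({(vendor, product): {(user, password), ...}}, {every default password})."""
    by_product = defaultdict(set)
    all_passwords = set()
    for row in csv.DictReader(io.StringIO(text)):
        key = (_norm(row["vendor"]), _norm(row["product"]))
        by_product[key].add((row["username"], row["password"]))
        all_passwords.add(row["password"])
    return by_product, all_passwords


def audit(inventory_text: str, defaults_text: str) -> list:
    """Compare each inventory device against the defaults and return findings.

    Usernames and passwords are compared exactly (they are case-sensitive on
    most devices); only vendor and product names are normalised.
    """
    by_product, all_passwords = load_defaults(defaults_text)
    findings = []
    for dev in csv.DictReader(io.StringIO(inventory_text)):
        key = (_norm(dev["vendor"]), _norm(dev["product"]))
        user, pw = dev["username"], dev["password"]
        defaults = by_product.get(key, set())
        default_users = {u for u, _ in defaults}
        default_pws = {p for _, p in defaults}
        if (user, pw) in defaults:
            sev, why = "critical", "factory-default username and password unchanged"
        elif pw in default_pws:
            sev, why = "high", "password is a factory default for this product"
        elif pw in all_passwords:
            sev, why = "medium", "password is a factory default for another product"
        elif user in default_users:
            sev, why = "low", "factory-default account name still present"
        elif not defaults:
            sev, why = "info", "no default-credential data for this vendor/product"
        else:
            continue  # credentials differ from every known default
        findings.append(Finding(dev["hostname"], dev["ip"], sev, why))
    return findings


if __name__ == "__main__":
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}
    for f in sorted(audit(INVENTORY_CSV, DEFAULT_CREDS_CSV), key=lambda x: order[x.severity]):
        print(f"{f.severity:8} {f.hostname:12} {f.ip:12} {f.reason}")
```

On the constructed inventory this reports plc-pump-1 as critical (admin/default untouched), rtu-north as high (a renamed account still using the product’s default password), hmi-1 as medium (a password that is a factory default elsewhere), and the two remaining hosts as low because only the default account name survives. In a real environment the same comparison is normally done by attempting logins rather than reading a configuration export, but the classification logic is the same.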


30 March 2022 – 18:19 UTC

Anonymous Leaks 5,500 Emails Stolen from Thozis Corporation

Anonymous successfully attacked Thozis Corporation – a Russian investment firm with links to Zakhar Smushkin of St. Petersburg. According to the Panama Papers, the company is registered in the British Virgin Islands. The firm is allegedly involved in one of the largest development projects in Russia, including a project to build a satellite city within St. Petersburg.

The trove of leaked emails likely includes sensitive documents and agreements between the Russian government, its societal elite, and other international entities.

DDoSecrets assisted in the publication of the 5.9GB archive obtained by Anonymous.


30 March 2022 – 17:55 UTC

GhostSec Leaks Shambala Casino Network Data

GhostSec claimed a few days ago they had successfully attacked a prominent casino operator in Russia, known as Shambala.

The hacktivist group targeted the casino as they believed members of the Russian government used Russian casinos to move cash into different currencies besides the Ruble. At least 27 computers were reportedly compromised, data exfiltrated, systems locked, and files erased.


29 March 2022 – 06:12 UTC

Russian Aviation Sector Suffers Additional IT Operational Impacts

A post shared on the Russian Telegram channel Авиаторщина indicates that Russia’s aviation industry will face additional impacts to its IT support following the withdrawal of the Swiss-based company SITA as of 29 March.

According to the Telegram post, SITA shutting down their operations will impact numerous systems utilized by the aviation industry and airlines across Russia.

[translated]

“Products for pilots such as AIRCOM Datalink, AIRCOM FlightMessenger, AIRCOM FlightTracker, and AIRCOM Flight Planning services will no longer be available. Such software is utilized by airlines and flight crews to plan, perform aeronautical calculations and track flights, and more accurately calculate remaining fuel, flight time, etc.”

SITA – which is withdrawing from Russia because of Putin’s invasion – itself suffered a significant cyberattack, confirmed on 24 February 2021, exactly one year before the invasion of Ukraine, that compromised passenger data stored on servers of its SITA Passenger Service System (US) Inc. subsidiary. SITA supports numerous international air carriers.

This announcement comes within days of the cyberattack against Rosaviatsiya, Russia’s Federal Air Transport Agency.

(Update 30 March – 23:42 UTC) No alias associated with Anonymous has claimed credit for the 28 March cyberattacks against Rosaviatsiya, which reportedly resulted in the loss of 65TB of agency data. Interestingly, new Anonymous groups such as RedCult have only recently joined the campaign, increasing the likelihood that widespread attacks across Russian industry sectors will continue.


28 March 2022 – 18:23 UTC

nb65 Claims to Hack JSC Mosexpertiza; Steals 450GB of Sensitive Data

In a social media post, the nb65 hacktivist group claims to have compromised Joint Stock Company (JSC) Mosexpertiza, Moscow’s independent center for expertise and certification, via the domain mosekspertiza.ru.

They also claim to have deployed Conti’s “crypto-locking ransomware variant” on the network, the same variant the group has used in the opRussia campaign since earlier this month. In the process, nb65 also exfiltrated 450GB of emails, internal documents, and financial data.


28 March 2022 – 17:07 UTC

Anonymous Leaks 140,000 Emails from Russian Oil & Gas Company, MashOil

Distributed via DDoSecrets, the Anonymous hacktivist collective recently targeted MashOil, releasing over 140,000 sensitive corporate emails from the company.

Moscow-based MashOil manufactures equipment for hydraulic fracturing and enhanced oil recovery (EOR); injection, nitrogen and cementing equipment; top-drive mobile drilling rigs; directional drilling equipment; and ejector well clean-up.

Anonymous continues to target companies in Russia and any companies that continue to contribute to economic and financial viability for the Russian Federation.


28 March 2022 – 12:41 UTC

Anonymous Leaks Russian Document Ordering Propaganda Video Development

Propaganda is widely circulated by both Ukrainian- and Russian-affiliated organizations. Anonymous has leaked an official-looking Russian document, titled “On holding informational events on the Internet” and dated 21 March 2022, presented as an order issued by the Russian government to develop videos discrediting the Ukrainian military and its treatment of prisoners of war (POWs). The order is signed by the “Temporary Minister of Defense of the Russian Federation”, Dmitry Bulgakov, and decrees:

  1. Develop and distribute a series of video materials demonstrating the inhuman behavior of the military personnel of the Armed Forces of Ukraine and nationalist formations on the territory of Ukraine in relation to prisoners who showed a voluntary desire to surrender
  2. Develop and distribute sermographic materials, evidence of the use of briefings by captured military personnel of the Armed Forces of the Russian Federation during the filming
  3. Provide informational support for materials in the comments, the main argument is the violation of the Geneva Convention on the Treatment of Prisoners
  4. To impose control over the implementation of this order on the head of the Information Warfare and Disguise Department of the Ministry of Defense of the Russian Federation

(UPDATE 29 March 2022 – 20:56 UTC) DarkOwl advises that recent open source intelligence research suggests this letter could be fake and disseminated as part of an information operations campaign. Researchers identified mismatches in the signature of the Russian official, Bulgakov. Such data is a reality in the fog of asymmetric warfare.


28 March 2022 – 11:58 UTC

Ukrainian Defense Intelligence Doxxes 620 Russian FSB Agents

The Ukrainian Military Intelligence Agency of the Ministry of Defence of Ukraine, known simply as Defence Intelligence of Ukraine or GUR, has leaked the identities of over 600 Russian FSB officers. The database includes the agents’ full names, dates of birth, passport numbers, passport dates of issue, registration addresses, and other identifying markers for the FSB employees.

Many of these agents may be conducting covert operations around the world and leaking their identities may compromise the success of their operations.


28 March 2022 – 11:05 UTC

ATW (BH) Targets Chinese Companies and Government Organizations

After a brief vacation announced on 23 March, the AgainstTheWest (Blue_Hornet) group returned with concerted attacks against a number of Chinese companies and government organizations. The group claims to have successfully attacked the following:

  • Fenglian Technology-Digital Ecological Platform Solution
  • Bluetopo China security development tool
  • China Pat Intellectual Property
  • Weipass
  • Ministry of Transport China
  • Freemud Software (supplier to Starbucks)
  • China Joint Convention Committee.

The group also referenced a supply-chain software dependency attack via a poisoned burgeon-r3 NPM package.

Shortly after the announcement and initial round of leaks, the group also released source code affiliated with China Guangfa Bank, along with associated Maven releases. The group also claims to have breached the Chinese social messaging platform WeChat.

We are still evaluating the data and determining the specific types of data compromised and released.
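A poisoned dependency such as the burgeon-r3 package named above is only dangerous to a project that actually pulls it in, often transitively. The following is an added example, not code from the DarkOwl page or from ATW, showing how a defender can check an npm package-lock.json for a denylisted package anywhere in the dependency tree. It handles both the nested lockfileVersion 1 layout and the flat "packages" map of versions 2 and 3. The two lockfiles, the package "left-padder" and all version numbers are constructed sample data; only the name burgeon-r3 comes from the report.

```python
"""Scan an npm package-lock.json for denylisted package names.

Added example; not DarkOwl's or ATW's code. The lockfiles below are constructed
sample data: "left-padder" and the version numbers are made up, "burgeon-r3" is
the package name cited in the report.
"""
import json
from typing import Dict, List, Set

# Constructed sample: lockfileVersion 3 stores every installed package in a flat
# map keyed by its on-disk location under node_modules/.
SAMPLE_LOCK_V3 = json.dumps({
    "name": "internal-portal",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "internal-portal", "dependencies": {"left-padder": "^1.0.0"}},
        "node_modules/left-padder": {
            "version": "1.2.0",
            "dependencies": {"burgeon-r3": "0.0.3"},
        },
        "node_modules/left-padder/node_modules/burgeon-r3": {
            "version": "0.0.3",
            "resolved": "https://registry.npmjs.org/burgeon-r3/-/burgeon-r3-0.0.3.tgz",
        },
    },
})

# Constructed sample: lockfileVersion 1 nests transitive dependencies under the
# package that requires them.
SAMPLE_LOCK_V1 = json.dumps({
    "name": "internal-portal",
    "lockfileVersion": 1,
    "dependencies": {
        "left-padder": {
            "version": "1.2.0",
            "requires": {"burgeon-r3": "0.0.3"},
            "dependencies": {"burgeon-r3": {"version": "0.0.3"}},
        }
    },
})


def _walk_v1(deps: Dict[str, dict], path: List[str], out: List[str], denylist: Set[str]) -> None:
    """Depth-first walk of the nested v1 tree, recording the require chain for each hit."""
    for name, entry in deps.items():
        chain = path + [f"{name}@{entry.get('version', '?')}"]
        if name in denylist:
            out.append(" > ".join(chain))
        _walk_v1(entry.get("dependencies", {}), chain, out, denylist)


def find_denylisted(lock_text: str, denylist: Set[str]) -> List[str]:
    """Return one human-readable location per denylisted package found in the lockfile."""
    lock = json.loads(lock_text)
    hits: List[str] = []
    if lock.get("lockfileVersion", 1) >= 2 and "packages" in lock:
        for location, entry in lock["packages"].items():
            if not location:  # "" is the root project itself
                continue
            # Aliased packages carry an explicit "name"; otherwise the name is the
            # last path component after node_modules/ (scoped names keep their @scope/).
            name = entry.get("name") or location.rsplit("node_modules/", 1)[-1]
            if name in denylist:
                hits.append(f"{location}@{entry.get('version', '?')}")
    else:
        _walk_v1(lock.get("dependencies", {}), [], hits, denylist)
    return hits


if __name__ == "__main__":
    for label, lock in (("v3", SAMPLE_LOCK_V3), ("v1", SAMPLE_LOCK_V1)):
        print(label, find_denylisted(lock, {"burgeon-r3"}))
```

Run it against a real lockfile by reading the file contents into `find_denylisted`; a non-empty result means the package is installed somewhere in the tree even if it never appears in package.json.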


28 March 2022 – 03:22 UTC

Russian Federal Air Transport Agency, Rosaviatsiya Confirms CyberAttack; 65TB of Data Erased

The civil aviation agency Rosaviatsiya confirmed, in a letter shared on the Russian Telegram channel Авиаторщина, that its website domain favt.ru had been offline since Saturday due to a significant cyber attack. The attack severely impacted the agency’s ability to plan and conduct flight operations, and it had resorted to pen-and-paper operations in the interim.

The notice stated that over 65TB of emails, files and critical documents had allegedly been erased, along with the registry of aircraft and aviation personnel. There were no system backups to restore from because, according to the agency spokesperson, the Ministry of Finance had not allocated funds for backup infrastructure.

“All incoming and outgoing emails for 1.5 years have been lost. We don’t know how to work…”
“The attack occurred due to poor-quality performance of contractual obligations on the part of the company LLC ‘InfAvia’, which carries out the operation of the IT infrastructure of the Federal Air Transport Agency.”

27 March 2022 – 20:44 UTC

Anonymous Leaks 2.4GB of Emails from Russian Construction Company, RostProekt

Over the weekend, DDoSecrets helped Anonymous distribute over 2 gigabytes of sensitive company emails exfiltrated by breaching a prominent Russian construction company, RostProekt (in Russian: РостПроект). The company primarily operates in Russia, with the head office in Moscow Oblast. RostProekt is a primary contributor to Russia’s lumber and other construction materials merchant wholesalers sector. The breach may impact construction projects in the country.

As of time of writing, the website for the company is online.


25 March 2022 – 20:36 UTC

nb65 Leaks Sample Internal Data from the All-Russian State Television and Radio Broadcasting Company (VGTRK)

The nb65 hacktivist team targeted and released data affiliated with a state-sponsored propaganda broadcasting company of the Russian Federation, VGTRK. The All-Russia State Television and Radio Broadcasting Company, also known as Russian Television and Radio (native: Всероссийская государственная телевизионная и радиовещательная компания) owns and operates five national television stations, two international networks, five radio stations, and over 80 regional TV and radio networks. It also runs the information agency Rossiya Segodnya.

nb65 claims they have successfully compromised the organization’s network and exfiltrated over 750GB of data, much of which consists of employee email (.pst) files from the company’s email network. The group claims to be ‘watching’ for their ‘eventual incident response.’

The group continued to troll the organization…

“Your blue team kinda sucks. Hard to find good IT help when all your techies are fleeing the country, eh?”

25 March 2022 – 18:36 UTC

Anonymous Releases Files Exfiltrated from the Central Bank of Russia

Anonymous has released data the hacktivists collected while conducting attacks against the Central Bank of Russia. The archive, broken into 10 separate parts, consists of over 25GB of archived data comprising over 35,000 files of sensitive bank data. Earlier in the campaign, we observed several posts on the deep web containing targeting information for the bank, such as domains and IP addresses.


24 March 2022 – 20:49 UTC

GNG Claims to Hack Russian Mail Server, mail.ru

Georgia’s Society of Hackers (GNG) announced today that they successfully attacked Russia’s equivalent of Gmail, mail.ru, including the maps.mail.ru subdomain. The hacktivist group is in the process of exfiltrating the data and will provide a detailed data dump in the next few days.

As of time of writing this, the maps.mail.ru website is online and operational.


24 March 2022 – 14:11 UTC

Anonymous Shares Proof of Hacked ATMs in Russia

Earlier today, users at what appears to be a Sberbank ATM, reportedly located in Russia, experienced technical errors when selecting the Russian language on the screen. Upon selection, the ATM monitor quickly flashes to the Ukrainian flag and the words Glory to Ukraine (Слава Україні!). See the captured video here.

ATM malware is widely circulated on the darknet and used extensively in the fraud and financial crime communities.


24 March 2022 – 10:43 UTC

Pro-Russian Killnet Launches Anonymous-Style Campaign Against Ukraine – Targets Poland and NATO

The pro-Russian cyber threat actor group Killnet has been conducting attacks against Ukraine for several weeks and has stepped up its demands and threats against Ukraine and western Europe. Today, the group released a video on social media mirroring the ominous messaging of an Anonymous-style video, with the Russian flag in the background. In the video, the group stated it would attack targets in Poland for their assistance to the Ukrainian government during the invasion. The group also recently posted specific targeting information for the National Bank of Poland on its Telegram channel.

“…together with the Russian cyber army, we disabled 57 state websites of the Kiev regime, 19 websites of nationalist parties…”

The group also referred to the Colonial Pipeline attack in the US from May 2021.

[translated] “Let’s remember American gas company attack, which resulted in 40% paralyzed infrastructure of America for few days.”

23 March 2022 – 16:45 UTC

AnonGhost Claims to Hack Russian Street Lighting System and Drops Proofs of Access to Moxa Industrial Wireless Networking Infrastructure

AnonGhost, known for their attacks against industrial control systems, continued their campaign against Russia by targeting the МонтажРегионСтрой (Ryazan) street light control system. They stated they successfully shut off the street lights at 19:35 Moscow time and that it was a “gorgeous show.”

Shortly before announcing the breach of the lighting control panel, AnonGhost also provided proof of access to Moxa (moxa.com) industrial networking devices. They leaked router configuration details for an industrial wireless Moxa OnCell device, its associated specifications, and a defacement of the device’s name, description, and login message.

In addition to the proofs they linked to a pastebin file containing over 100 Russian Moxa IP addresses for additional targeting.

It’s unclear where the Moxa device compromise is physically located or whether the Moxa compromise provides direct access to the streetlight control system.


23 March 2022 – 02:44 UTC

BeeHive Cybersecurity Claims They Are Running Ransomware Campaigns Against Russian Targets

Previously known only for hijacking Discord users and trolling pro-Russian ‘hackers’ like @a_lead_1, BeeHive Cybersecurity now claims they have been quiet because they are running ransomware operations against targets across Russia.

Oh, in case you guys were curious why we’ve been so quiet. May or may not have a new #ransomware operation running in Ru right now. Alas, we find allies quicker than Putin finds ways to invade Ukraine. We’ll have more details soon but…consider this the public disclosure.

This would not be the first Russia-specific ransomware variant to emerge. According to Trend Micro, RURansom was detected targeting Russian devices; it encrypts files using AES-CBC with a hard-coded salt. Another recently detected variant, known as “Antiwar”, appends the file extension “.putinwillburninhell” to encrypted files.


22 March 2022 – 19:14 UTC

ATW (Blue Hornet) Compromises Russia’s Hydrometeorology and Environmental Monitoring Service via Bitbucket

The AgainstTheWest / Blue Hornet team has recently leaked several internal documents from Russia’s Hydrometeorology and Environmental Monitoring service (spelled by the threat actors as ROSHYDRO). According to open sources, the monitoring service is hosted on the meteorf.ru domain. The leak consists of 45 PDF files containing historical software change descriptions and feature requests from the organization’s internal software development tracking system. ATW refers to a superadmin account for the GIS FEB RAS team on Bitbucket in the leak.


21 March 2022 – 22:44 UTC

ATW Returns to Campaign with Attacks Against Almaz-Antey

After a disruption in the ATW team’s cyber activities due to personal issues, the ATW/Blue Hornet team returns leaking a 9GB archive of data allegedly exfiltrated by breaching Almaz-Antey’s corporate networks. The data leak includes employee login data, multiple documents containing PII, confidential and classified intellectual property, schematics, and SQL database files.

Almaz-Antey (Russian: ОАО “Концерн ВКО “Алмаз-Антей”) is one of Russia’s largest defense and arms enterprises, known for the development of Russian anti-aircraft defense systems, cruise missiles, radar systems, artillery shells, and UAVs.


21 March 2022 – 15:26 UTC

Anonymous Targets Russian Software Developer, naumen.ru

Hacktivists from the Anonymous collective have leaked data exfiltrated from Naumen, a software vendor and cloud services provider in Moscow. The company markets itself as “world class IT solutions fully adapted to the Russian market” and lists several prominent international companies as partners. The leaked data consists of an SQL database containing thousands of usernames, email addresses, hashed passwords, and associated PII. The specific purpose and origins of the database from inside Naumen is unclear, but partner companies could experience supply chain / vendor risk issues.


21 March 2022 – 03:27 UTC

KelvinSec Targets Nestle for Continued Commercial Operations in Russia

The KelvinSec ‘hacking’ team has reportedly compromised Nestle in retaliation for continuing to operate and distribute products in Russia. The group leaked multiple databases from Nestle consisting of customer entity data, orders, payment information, and passwords (10GB total). The group insisted it is a “partial” database leak and more data may be released in the future.

Nestle defended its business decision after President Zelenskyy called the company out to protestors on Saturday night in Bern, Switzerland.

(Update 3/22 – 01:48 UTC) Anonymous issued a warning giving a number of US companies 48 hours’ notice to pull out of Russia or become targets of the #opRussia cyber offensive campaign. Example corporations include Subway, Chevron, General Mills, Burger King, Citrix, and Cloudflare.


20 March 2022 – 23:33 UTC

Anonymous Compromises Russian Social Media VK to Send Message to Millions

Anonymous accessed VK’s messaging platform and sent direct messages to over 12 million Russian users of the social media app. The message, written in Russian, speaks to the realities of the war in Ukraine and the demise of the Russian economy, and threatens that users displaying the Russian “Z” insignia as their profile avatar will be targeted by international authorities.

VK users have shared proofs of the message received to confirm the campaign in VK occurred.


20 March 2022 – 15:32 UTC

GhostSec Leaks Military Asset Monitoring System and More from Russian Networks

The leak includes data exfiltrated from a military operational readiness monitoring website (orf-monitor.com), including inventory tracking of key Russian military assets; a leak of a Russian investment company that includes recent Chinese contract data; and lastly, technical data leaks from Russian Defense Contractor Kronshtadt, that includes computational specifications related to their UAVs, along with military operational doctrine, etc.

GhostSec teased on their Telegram channel they had more data coming and this archive they were sharing was a sample of a much bigger dataset.


20 March 2022 – 13:40 UTC

Honest Railworkers in Belarus Help Stop Lines Going to Ukraine

According to open source reporting and the hacktivist group known as Cyber Partisans, the railways going out of Belarus into Ukraine have stopped. Earlier in the campaign, Cyber Partisans disrupted rail operations in Belarus using cyber attacks against ticketing systems and switching systems; however, others report that the rails are inoperable due to “honest railworkers” who do not want to see Belarus military equipment transported into Ukraine for use in this war. (Source)

“I recently appealed to Belarusian railway workers not to carry out criminal orders and not transport Russian military forces in the direction of Ukraine. At the present moment, I can say that there is no railway connection between Ukraine and Belarus. I cannot discuss details, but I am grateful to Belarus’s railway workers for what they are doing” – Oleksandr Kamyshin, director of the Ukrzaliznytsya state railroad

20 March 2022 – 10:28 UTC

Arvin Club Takes Down STORMOUS Ransomware’s Tor Onion Service

Shortly after STORMOUS ransomware gang setup a Tor onion service, the Arvin Club ransomware group compromised their site and leaked SQL databases, information, and performance schemas. It’s unclear whether or not this attack occurred out of STORMOUS’s Russian allegiance or if Arvin merely wanted to teach the cyber criminals a lesson in setting up secure sites on the darknet.

The STORMOUS ransomware group had previously operated only on Telegram.

(UPDATE) As of 3/22 the Tor service is still offline.


20 March 2022 – 02:18 UTC

Anonymous Leaks Database from Russian Aerospace Company Utair

Hacktivists from the Anonymous collective have released the customer database of Russia’s Utair airline (Russian: ОАО «Авиакомпания «ЮТэйр»). The JSON database appears to have been collected long before the 2022 #opRussia campaign, as the MongoDB export is dated 2019. It contains personal data for over 530,000 Utair customers.


18 March 2022 – 21:29 UTC

nB65 Leaks Data from Russian Space Agency

After a disappointing trolling exercise against Kaspersky, the nb65 hacktivist group returns with data leaks from Russia’s space agency, Roscosmos. The group claims to still have persistent access to the agency’s vehicle management system and leaked the IP address of the compromised network as proof. The leaked archive consists of over 360MB of user and operations manuals, along with solar observatory logs.

Hours earlier, the group also claims to have compromised tensor.ru and leaked 1.6GB of compromised emails for a corporate mailbox for the Russian digital signature company.


18 March 2022 – 15:39 UTC

Russia Targets Ukraine Red Cross Website in Cyber Attack

The Ukrainian Red Cross reported their Internet web servers have been hacked, likely by Pro-Russian cyber threat actors. The website domain – redcross.org.ua – is currently offline with the statement “account disabled by administrator.”

The social media account for the Ukrainian Red Cross stated that no personal data of beneficiaries stored on the website were compromised by the cyber attack.

The Ukrainian Red Cross staff and volunteers are busy and actively providing medical aid and support to vulnerable and wounded Ukrainian civilians across the country as Russian military continue their barrage of cruise missile strikes.


17 March 2022 – 11:43 UTC

AnonGhost Leaks Screenshots of GNSS Satellite Hacks Along with IP Addresses

AnonGhost shared several screenshots as proof of attacks they conducted against the web interfaces of Russian Trimble GNSS receivers. They claimed on social media that other “fake Anonymous” accounts had taken credit for the operation. They also leaked 48 unique IP addresses associated with the GNSS devices. The group did not specify the nature of the attacks against the Russian assets.


17 March 2022 – 09:23 UTC

Anonymous Claims to Have Located Putin’s Bunker

Using OSINT analysis of satellite imagery, topography, and landmark comparisons such as rivers and power plants, the Anonymous community claims to have located President Putin’s bunker. There is no means to verify the accuracy of these assertions.

cred: @paaja6 & @IamMrGrey2

17 March 2022 – 03:58 UTC

Anonymous Leaks 79 GBs of Emails from R&D Department of Transneft – OMEGA

DDoSecrets released the data on behalf of Anonymous hackers operating in cyber campaigns against Russia. Anonymous compromised email inboxes of OMEGA Company, the R&D arm of Russia’s state-controlled pipeline company known as Transneft [Транснефть]. Transneft is the world’s largest oil pipeline company with over 70,000 kilometres (43,000 miles) of trunk pipelines and transports an estimated 80% of oil and 30% of oil products produced in Russia. The emails cover the accounts’ most recent activity, including after the introduction of US sanctions on February 25, 2022. Some of the emails reflect some of the effects of those sanctions.


16 March 2022 – 10:47 UTC

Russian Foreign Intelligence Service (SVR) Requests Information via Tor

Russia’s external intelligence agency has issued instructions on how to establish secure communications with its Virtual Reception System (VRS) to relay any threats to the Russian Federation. The call for leads, found on svr.gov.ru, describes how to install Tor, gives the v3 .onion address of the secure communications system, and advises informants to use PGP to further encrypt the contents of any messages provided.

“If you are outside Russia and have important information regarding urgent threats to the security of the Russian Federation, you can safely and anonymously share it with us via the virtual reception system (VRS) of the SVR over the TOR network.”
If you are in a hostile environment and/or have reasons to worry about your security, do not use a device (smartphone, computer) registered to you or associated in any way with you or people from your personal settings for network access. Relate the importance of the information you want to send us to the security measures you are taking to protect yourself!

15 March 2022 – 11:48 UTC

Pro-Russian Group Xaknet Threatens to Attack Critical Infrastructure Information Centers

“We cannot endlessly give you ‘lessons of politeness.’ We demand the cessation of hacker attacks against Russian infrastructures, we demand the cessation of the activities of information centers for the dissemination of fakes.
In case of refusal, we will be forced to use the most sophisticated methods, and reserve the right to act as the enemy does. Critical information infrastructure facilities will become a priority target for the group. All work will be aimed at the complete destabilization of the activities of the aforementioned CIIs.”

It’s unclear from the threats which specific websites or services the cyber threat group considers critical information infrastructure. The IT Army of Ukraine’s extensive information operations span almost all social media platforms and communication mediums used in Russia.


15 March 2022 – 07:19 UTC

User on Telegram Leaks New Letter from FSB

A user on pro-Ukrainian Telegram channel (name redacted) has released a new letter, reportedly from an FSB agent, translated into English.

The temperature has really risen here, it’s hot and uncomfortable. I won’t be able to communicate for some time here in the future. I hope we can chat normally again in a few days. There are a lot of things that I have to share with you…
The questions are raised by the FSO (Federal Protective Service of the Russian Federation, aka Putin’s Praetorian Guard) and the DKVR (Russian Military Counterintelligence Department). It is precisely the DKVR that is mounted on horseback and is looking for “moles” and traitors here (FSB) and in the Genstaff (General Staff of the Armed Forces of the Russian Federation) regarding leaks of Russian column movements in Ukraine. Now the task of each structure is to transfer the fault to others and to make the guilt of others more visible. Almost all members of the FSB are busy with this task at the moment.

The focus is on us more than others at the moment, due to the hellish circumstances regarding the intra-political situation in Ukraine: We (the FSB) have released reports that at least 2,000 trained civilians in every major city of Ukraine were ready to overthrow Zelensky (President of Ukraine). And that at least 5,000 civilians were ready to come out with flags against Zelensky at the call of Russia. You want to laugh ? We (FSB) were supposed to be the judges to crown Ukrainian politicians who were supposed to start tearing each other apart arguing for the right to be called “Russia’s allies.” We even set criteria on how to select the brightest of the most competent (among Ukrainian politicians). Of course, some concerns have been raised about the possibility that we may not be able to attract a large number of people (Ukrainian politicians) to Western Ukraine, to small towns and to Lvov itself. What do we actually have? Berdyansk, Kherson, Mariupol, Kharkiv are the most populated pro-Russian areas (and there is no support for Russia even there). A plan can fall apart, a plan can be wrong. A plan can give a result of 90%, even 50%, or 10%. And that would be a total failure. Here it is 0.0%.

There is also a question: “How did this happen?” This question is actually a (misleading) trap. Because 0.0% is an estimate derived from many years of work by very serious (high-ranking) officials.
And now it turns out that they are either agents of the enemy or simply incomprehensible (according to the FSO / DKVR who are now looking for “moles” within the FSB).

But the question does not end there. If they are so bad, then who appointed them and who controlled their work? It turns out that they are people of the same quality but of a higher rank. And where does this pyramid of responsibilities stop? At the boss (Putin).
And this is where the evil games begin: Our dear Александр Васильевич (Alexander Vasilyevich Bortnikov – Director of the whole FSB) cannot fail to understand how badly he got caught. (Bortnikov realizes the deep mess he is in now)

And our evil spirits from the GRU (Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation) and the SVR (Foreign Intelligence Service – equivalent to the CIA) understand everything [and not only from these two organizations]. The situation is so bad that there are no limits to the possible variations (of events that will happen), but something extraordinary is going to happen.”

Shortly after a first letter from an FSB whistleblower surfaced around 5 March, Putin quietly placed Sergei Beseda, head of the FSB’s Fifth Service, and his deputy under house arrest last Sunday. While the public was told they were arrested on embezzlement charges, according to open-source reports the “real reason is unreliable, incomplete, and partially false information about the political situation in Ukraine”, and Putin is holding them responsible for the Ukrainians’ success in resisting the invasion thus far.


14 March 2022 – 12:00 UTC

Russian State Duma of the Federal Assembly Confirms Censorship of VPNs

Citing it was “a difficult task” Alexander Khinshtein, chairman of the State Duma Committee on Information Policy, commented that Russia’s media and propaganda agency, Roskomnadzor has been tasked with blocking over two dozen VPNs [virtual private networks] across Russia. (Source)

We anticipate that number to increase as Putin continues to crack down on Russian citizens’ media consumption.

VPNs have been targeted by Russian authorities since 2017, when an initial VPN law was passed. In 2019 many of the VPN providers across Russia received compliance demands from Roskomnadzor representatives via email – captured in the image below.

The demand for VPNs in the country has reportedly increased by over 2,000% in the last month. Users on Telegram encourage widespread use of anonymity tools like VPNs and Tor, and share links to VPN services still in operation and accessible in the region. Many of the VPNs are available via Telegram directly and offer free trial subscriptions to Russian users.


14 March 2022

Russian Cyber Actors Setup IT Army of Russia Group

The collective of cyber threat actors self-identifies as the “IT Army of Russia”, mirroring the IT Army of Ukraine Telegram initiative, and claims to have targeted critical Ukrainian cyber services with DDoS attacks. The group has fewer than 100 subscribers, and many of its members are affiliated with the Killnet forum.

The group recently posted a detailed dox containing personal information for President Volodymyr Zelenskyy [in Ukrainian: Володимир Олександрович Зеленський]. The dossier contains specific information such as his date of birth, passport number, car registration details, and familial associations.


13 March 2022 – 09:31 UTC

Anonymous Germany Exfiltrates Data from Russian Rosneft Operations in Germany

An Anonymous hacktivist group from Germany, referring to themselves as “AnonLeaks”, had access to the networks of Rosneft’s German subsidiary for almost two weeks and exfiltrated over 20 terabytes of corporate data. According to a preliminary review, the data consists of laptop backups, virtual disk images, Excel files, work instructions, and other operational information for the refinery.

Anonymous Germany emphasizes they did not have access to critical infrastructure in Germany, nor was the intent of their operation to access critical infrastructure for the refinery or compromise it in any way.

Rosneft Deutschland is Germany’s third-largest petroleum refining company, processing roughly 12.5 million tons of crude oil per year.

(Update) Details of the leaked data has appeared on a dedicated Tor darknet service setup by the hacktivists.


13 March 2022 – 07:19 UTC

nB65 Claims to Be Jonathan Scott, a US-based Malware Researcher

Since the invasion, a social media account reportedly affiliated with the group nB65 has been extremely active in sharing its leaks and targets across Russian networks, including claims of accessing the Roscosmos space agency. Most recently, they stated they had access to Kaspersky’s source code, with many teasers in the hours leading up to what amounted to a disappointing dump of publicly available code from the Russian antivirus developer. The group essentially trolled Kaspersky and received heavy criticism from members of the information security research community.

The owner of the group’s Twitter account claimed today they were in real life, Jonathan Scott, a US-based Computer Science PhD student researching mobile spyware and IoT malware. Shortly after, the Twitter account for the group was deleted.


11 March 2022 – 06:25 UTC

GhostSec Claims to Access, Shutdown, and Deface Control Panel of Russian ICS via SCADA Attack

GhostSec continues their offensive against Russian critical infrastructure with attacks affecting industrial control systems. Today, they claimed they successfully accessed an unnamed Russian industrial control system, defaced the control panel, and shut the system down. They also stated they deleted the backups to make restoring service more challenging.

They included the screenshot below, which appears to be a typical ICS control panel. The name or location of the network was not identified.


11 March 2022 – 01:34 UTC

BeeHive Cybersecurity Enters Campaign and Targets Pro-Russian Discord Users

A pro-Ukrainian group, known as “BeeHive Cybersecurity” claims to have attacked over 2,700 pro-Russian Discord users, compromising their accounts and defacing their profiles with statements about the realities in Ukraine posted in English, Ukrainian, and Russian.

The group insinuates that they “CnC [command and control] the platforms of the ignorant” and use compromised devices to help combat disinformation.


10 March 2022 – 12:30 UTC

KelvinSec Leaks Private Chats from Darknet Tor Service: Database Market

KelvinSec, a pro-Ukrainian cyber threat actor on the darknet, has leaked 3,178 files containing private chats from DATABASE Market. DATABASE is a relatively newly launched service on Tor, where carding and fraud cyber-criminals congregate and transact.

The service is allegedly hosted by IT Resheniya on the IP address 45.155.204.178. KelvinSec reported they infiltrated the market via an insecure direct object reference vulnerability, commonly called “IDOR”: an access-control flaw in which the application accepts a user-supplied reference to an internal object (such as a record or file identifier) and serves it without verifying that the requester is authorized to see it, giving an attacker access to the website’s hidden information.
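To make the IDOR class concrete, here is an added illustration, not KelvinSec’s technique or DATABASE Market’s code and unrelated to that site’s stack: a minimal object-lookup handler in its vulnerable form beside the hardened one, plus the authorization regression check a developer would keep in the test suite. The message store, user names and ids are constructed for the example.

```python
"""Insecure direct object reference (IDOR), vulnerable and hardened forms.

Added example: a tiny in-memory "private messages" store keyed by a numeric
message id, the kind of identifier an application might expose in a URL such
as /messages/1042. The data, users and ids are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Message:
    msg_id: int
    owner: str   # the only user entitled to read this message
    body: str


# Constructed sample store: three users, four messages.
MESSAGES = {
    1: Message(1, "alice", "invoice for order #17"),
    2: Message(2, "bob", "password reset link"),
    3: Message(3, "carol", "meeting notes"),
    4: Message(4, "alice", "shipping address"),
}


class Forbidden(Exception):
    """Raised when the authenticated user may not read the requested object."""


def fetch_message_vulnerable(session_user: str, msg_id: int) -> Optional[Message]:
    """IDOR: the id taken from the request is used directly as the lookup key
    and the session user is never compared with the record's owner, so any
    logged-in user can read any message simply by changing the number."""
    return MESSAGES.get(msg_id)


def fetch_message_hardened(session_user: str, msg_id: int) -> Optional[Message]:
    """Fix: authorize on the server side on every object access. Unknown ids
    and other users' ids get the same response, so the endpoint does not even
    confirm whether a given id exists."""
    record = MESSAGES.get(msg_id)
    if record is None or record.owner != session_user:
        raise Forbidden(f"user {session_user!r} may not read message {msg_id}")
    return record


Fetcher = Callable[[str, int], Optional[Message]]


def readable_ids(fetch: Fetcher, session_user: str, id_range: range) -> List[int]:
    """Authorization regression check: which ids in a range can one user read
    through the given handler? For the hardened handler the answer must be
    exactly that user's own messages; anything more is an IDOR regression."""
    readable = []
    for msg_id in id_range:
        try:
            if fetch(session_user, msg_id) is not None:
                readable.append(msg_id)
        except Forbidden:
            continue
    return readable


def own_message_ids(user: str) -> List[int]:
    """Ground truth for the regression check: ids the user actually owns."""
    return sorted(m.msg_id for m in MESSAGES.values() if m.owner == user)


if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, "vulnerable:", readable_ids(fetch_message_vulnerable, user, range(1, 6)))
        print(user, "hardened:  ", readable_ids(fetch_message_hardened, user, range(1, 6)))
```

The hardened handler deliberately returns the same `Forbidden` for a non-existent id and for another user’s id; answering differently would let a client enumerate which ids exist even when it cannot read them.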

The compromised Tor service is still active as of time of writing.


10 March 2022 – 11:24 UTC

DDoSecrets Leaks Over 800GB of Data from Russian Media Censor, Roskomnadzor

The whistleblower leak site, DDoSecrets has obtained 360,000 files from Роскомнадзор (Roskomnadzor) via hacktivists from the Anonymous campaign against Russia. Roskomnadzor is a Russian state-controlled agency responsible for monitoring, controlling and censoring Russian mass media. The agency is responsible for the recent crackdowns on digital bans of Facebook, Twitter, and YouTube. The two-part dataset totals over 800 GB, including files, emails, and information critical to their operations.


10 March 2022 – 08:35 UTC

GhostSec Hits Hundreds of Printers Across Russia

GhostSec reportedly hacked hundreds of printers across Russia to spread the message about the realities in Ukraine. They tagged on to the announcement on their Telegram channel an obscure 4chan meme, “Hey Russia do you liek mudkipz?” They stated they are targeting Russian government and military networks for the printer exploit.


9 March 2022 – 20:05 UTC

Pro-Russian Group, devilix-EU Joins Campaign Against Ukraine and the US

Late last week, a new pro-Russian persona appeared on social media and began sharing pro-Russia propaganda, pro-Trump rhetoric, and counter-#opRussia Anonymous content. Over the last five days, they’ve ramped up their attacks, claiming to have compromised AWS instances and Microsoft IIS systems and to have performed BGP hijacking, with mentions of several US-based IP addresses.

The group makes further claims that they’re named after their own custom ransomware, “DEVILIX shark.”

DEVILIX named as me is one of the strongest viruses on the world DEVILIX shark is ransomware which can do anything we can create BotNet. where we want. Just a Simple but it’s not.

They most recently shared their thoughts about the cyber war in Russian, declaring that this was not about Ukraine and Russia, but the US and NATO and their intent to keep Russia and Ukraine divided.

Я вижу, что речь идет о двух сторонах, России и Украине. Почему мы разделены из-за политики? Разве вы не видите, что здесь делает Запад и хочет, чтобы мы были разделены. НАТО избежало конфликтов, и теперь привет! Слава России

[Google Translate]

I see that we are talking about two sides, Russia and Ukraine. Why are we divided because of politics? Don’t you see what the West is doing here and wants us to be divided. NATO has avoided conflicts, and now hello! Glory to Russia

8 March 2022 – 21:05 UTC

Anonymous Hacks Hundreds of Russian Security Cameras, Many Affiliated with Russian Government Ministries

Hacktivists from the Anonymous Collective successfully tapped the security camera feeds of hundreds of retail businesses, restaurants, schools, and government installations across Russia. They set up a website to share the leaked camera feeds, some of which turned out to be from critical security offices. Anonymous also defaced security camera displays with the message:

Putin is killing children
352 Ukrainian civilians dead
Russia lied to 200rf.com
Slava Ukraini! Hacked by Anonymous

8 March 2022 – 18:34 UTC

nb65 Group Claims to Have Acquired Kaspersky’s Source Code

After keeping quiet for several days, the group sent out mysterious posts across social media claiming to have accessed Kaspersky source code and found “interesting relationships” in this code.

They also claimed it was “sloppier than Putin’s invasion.”


7 March 2022 – 17:31 UTC

22nd Member of Notorious TrickBot Gang Doxxed

The pro-Ukrainian affiliate of the Trickbot cybercriminal empire has leaked the personal identity of 22 key members of the gang along with private chats between group members. Since the 4th of March, DarkOwl has seen the following aliases mentioned: baget, strix, fire, liam, mushroom, manuel, verto, weldon, zulas, naned, angelo, basil, hector, frog, core, rocco, allen, cypher, flip, dar, and gabr.


7 March 2022 – 13:01 UTC

Digital Cobra Gang Claims 49 “A-Groups” Led by Conti and Cobra Are Attacking American Cyberspace

The Pro-Russian group entered the campaign shortly after Anonymous started #opRussia (28 Feb) with the statement:

“DIGITAL COBRA GANG DCG has officially declared cyber war on hackers who attacking Russia as well and to protect justice”

They’ve given little indication of success, other than inflated claims that they have acquired over 92Tb of data from US military personnel files, but no proof has been published.

Earlier today, they posted that members of Conti were helping and that 49 “A-team” groups were hacking America.

(9 March 2022) – US AWS and Azure cloud platforms have experienced higher than normal traffic on the network but no major disruptions.


7 March 2022 – 06:44 UTC

RedBanditsRU Leaks Russian Electrical Grid Source Code Data

The pro-Russian group, originally assembled to counter-hack Anonymous and cyber actors targeting Russian organizations, posted today that they are leaking the source code of Rosseti Centre’s [mrsk-1[.]ru] electrical grid networking infrastructure. Rosseti Centre provides reliable electricity for more than 13 million people in the subjects of the Central Federal District of the Russian Federation.

The group is sharing this information because they believe Putin and his supporters are “leading this country to an apocalypse state.”

DarkOwl warns that security researchers opening these archives should always use isolated sandbox environments, in case malware is included in the leak.
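One concrete form of that precaution, added here as an example and not DarkOwl’s own tooling: a triage pass over a leak archive that reads only zip metadata, never extracting or executing a member, and flags the usual hazards (path-traversal entries, executable payloads, extreme compression ratios, encrypted members) before anyone opens the archive inside the sandbox. The archive it inspects is built in memory for the example; the extension list and ratio threshold are this example’s own assumptions.

```python
"""Pre-extraction triage of a leaked zip archive (added example).

Reads only the central directory via the standard library, so no member is
decompressed, written to disk or executed. The sample archive is constructed
here and contains no real leaked data.
"""
import io
import posixpath
import zipfile
from typing import Dict, List

# Assumed list: file types that should never be opened straight out of a leak.
EXECUTABLE_SUFFIXES = {
    ".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js",
    ".jar", ".lnk", ".msi", ".hta", ".docm", ".xlsm",
}
# Assumed threshold: uncompressed/compressed ratio above which a member is
# treated as a possible decompression bomb rather than ordinary data.
BOMB_RATIO = 100.0


def is_traversal(name: str) -> bool:
    """True if extracting `name` naively could write outside the target directory
    (absolute path, Windows drive letter, or a '..' that escapes the root)."""
    unix = name.replace("\\", "/")
    if unix.startswith("/"):
        return True
    if ":" in unix.split("/", 1)[0]:      # e.g. C:\... or C:/...
        return True
    norm = posixpath.normpath(unix)
    return norm == ".." or norm.startswith("../")


def triage_archive(data: bytes) -> Dict[str, List[str]]:
    """Group member names by finding. Only zip headers are consulted."""
    findings: Dict[str, List[str]] = {
        "traversal": [], "executable": [], "bomb_ratio": [], "encrypted": [],
    }
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if is_traversal(name):
                findings["traversal"].append(name)
            if posixpath.splitext(name.lower())[1] in EXECUTABLE_SUFFIXES:
                findings["executable"].append(name)
            if info.compress_size > 0 and info.file_size / info.compress_size > BOMB_RATIO:
                findings["bomb_ratio"].append(name)
            if info.flag_bits & 0x1:      # general-purpose bit 0: member is encrypted
                findings["encrypted"].append(name)
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample 'leak': one harmless email, a double-extension
    executable, a path-traversal entry and a highly compressible blob."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("mail/2021-11-03.eml", "From: a@example.test\nSubject: test\n")
        zf.writestr("docs/invoice.pdf.exe", b"MZ" + b"\x00" * 64)
        zf.writestr("../../etc/cron.d/leak", "* * * * * root /tmp/x\n")
        zf.writestr("dump/zeros.bin", b"\x00" * 2_000_000)
    return buf.getvalue()


if __name__ == "__main__":
    for finding, names in triage_archive(build_sample_archive()).items():
        print(f"{finding:>10}: {names}")
```

Run this against the real archive by passing the file’s bytes to `triage_archive`; anything listed under `traversal` or `executable` is a reason to extract with a tool that refuses such entries and to keep the sandbox network-isolated, and a non-empty `bomb_ratio` list is a reason to extract with disk quotas in place.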


7 March 2022 – 04:55 UTC

AgainstTheWest (ATW) Returns to the Fight and Drops Multiple Leaks of Russian Corporate Data

In the last 24 hours, ATW dropped URLs for at least 7 leaks corresponding to various Russian technical companies and organizations, reportedly breached by the cybercriminal group. ATW’s participation in the campaign has been controversial as they have had multiple dramatic departures and returns to the campaign and reports of “health issues” of some of the team’s members.

Security researchers who reviewed last week’s data leaks have called into question the veracity of the information ATW is sharing. Check Point released an analysis stating that “checking their claims deeper reveals that for many of the claims there are no solid proofs apart of very generic screenshots that are allegedly from the breached organizations.”

(Update 7 March 2022 – 18:36 UTC) The group also posted to their Telegram channel that they had successfully breached a Russian cybersecurity company that has been “hoarding” US-based government data, exposed multiple SonarQube instances, and requested that someone get in touch with them immediately. It’s unclear if this is legitimate or just further ego inflation.


6 March 2022

Free Civilian Tor Service Leaks Entire DIIA Contents

Recently, the administrator of Free Civilian shared a post on their Tor service containing the entirety of Ukraine’s DIIA user database. They stated the buyer of the database consented to the release, with the understanding that some records were deleted. The downloads consist of 60+ archives containing gigabytes of data. The download links have been unstable since DarkOwl discovered them.

The administrator also expressed desire to have the ban on their “Vaticano” Raid Forums account lifted, claiming this leak proved the legitimacy of the information they shared back in January.

Recently, screenshots of an indictment for the alleged seizure of Raid Forums on VeriSign have been in circulation, after users spoke of rifts between pro-Ukrainian users and Russian hackers, potential FBI seizures, and the alleged hijacking of former admin Omnipotent’s alias on Darknet World. Prominent users from the forum have set up RF2 and advised that any old working Raidforums links are likely FBI phishing logins.


6 March 2022 – 18:43 UTC

Anonymous Continues Information Warfare Against Russian Media; Video Services Wink and ivi Stream Anti-War Messaging

After Putin’s overt authoritarian take on media sharing the realities of the war in Ukraine, Anonymous managed to hack Russian video services Wink and ivi to stream pro-Ukrainian messages and video of the conflict.

This weekend, Putin’s parliament passed a “fake-news” law imposing prison sentences for media using the words “war” or “invasion,” prompting numerous western outlets to pull their journalists and suspend operations.


6 March 2022 – 15:39 UTC

AnonGhost Enters Campaign and Claims SCADA Attacks Against Multiple Russian Infrastructure Targets

This weekend, AnonGhost entered Anonymous’ #opRussia campaign with a vengeance, and claims today they have hacked multiple Russian infrastructure control systems via SCADA attacks and “shut it down.”

They list the following targets:

  • Волховский РПУ (Volkhov RPU)
  • Бокситогорский РПУ (Boksitogorsk RPU)
  • Лужский РПУ (Luga RPU)
  • Сланцевский РПУ (Slantsevsky RPU)
  • Тихвинский РПУ (Tikhvinsky RPU)
  • Выборгское РПУ (Vyborg RPU)

This is after they leaked data from 9 Russian commercial servers hours earlier.

  • azovkomeks[.]ru
  • vserver24[.]ru
  • dvpt[.]ru
  • ach[.]gov[.]ru
  • itmo[.]ru
  • vpmt[.]ru
  • pvlt[.]ru
  • hwcompany[.]ru
  • corbina[.]ru

DarkOwl is in the process of pulling in this data to review and assess the contents of all of the databases.

The AnonGhost group is reportedly one of the more senior anonymous hacktivist teams in the underground, with reporting of the group going back to the early 2010s. According to open-source reporting, AnonGhost was led by Mauritania Attacker. In an online interview with a hacker’s blog in 2013, Mauritania Attacker claimed to be a 25-year-old male from Mauritania who started hacking at a young age by joining TeaMp0isoN and ZCompany Hacking Crew (ZHC), two hacking groups known for their attacks on high-profile targets such as NATO, NASA, the UN, and Facebook. (Source)

For those who remember Stuxnet, SCADA-type attacks are controversial because there is a fine line between disruption and destruction. Services knocked offline but able to be restored are disruptive and inconvenient, causing delays in operation and psychological concern over the safety of such services. However, disruptions that lead to destructive events, e.g. hard disks wiped and unrecoverable, derailed trains, power plants overheating and exploding, and satellites falling out of the sky, are considered serious and may be interpreted as an act of war, resulting in severe retaliation.

Yesterday, Putin declared western sanctions an act of war and uttered similar threats about hacking satellites earlier this week.


6 March 2022 – 14:52 UTC

GhostSec Returns with Leaks from Russia’s Joint Institute for Nuclear Research (JINR) and Department of Information (DOI) FTP Server Data

Hours ago, an archive consisting of several gigabytes emerged from GhostSec, reportedly containing information from Russia’s nuclear research and disinformation activities. GhostSec has been silent for most of the last week, perhaps busy with this activity.

According to their website (jinr.ru), the Joint Institute for Nuclear Research is an international intergovernmental organization established through the Convention signed on 26 March 1956 by eleven founding States and registered with the United Nations on 1 February 1957.

As of time of writing, the public facing website is online.


6 March 2022 – 12:34 UTC

Anonymous Dumps Leak of 139 Million Russian Email Addresses

An archive of over 139 million email addresses, broken up into 15 separate files with mail_ru at the beginning of each file name, lists the email addresses of presumed account holders of mail_ru services. VK (VKontakte) assimilated mail.ru email services into its internet services conglomerate in the fall of 2021.

The files included two additional HTML files with ominous warnings – possibly shared on the servers from which these leaks were obtained.

[image translation]

Russian soldiers!
If you think that you are going to an exercise, in fact you are being sent to Ukraine to DIE.

DarkOwl has not determined the veracity of this data, nor confirmed how these emails were obtained; some combolists of this nature are created as an aggregation of other leaked data.

As of time of writing, mail.ru’s public facing website is still online and operational.


5 March 2022 – 20:41 UTC

Anonymous Targets Russian FSB; Letter Appears from Possible FSB Whistleblower

The Federal Security Service (FSB) of the Russian Federation [Федеральная служба безопасности (ФСБ)] is the principal security and intelligence agency of Russia and the main successor agency to the Soviet Union’s KGB.

Earlier today, Anonymous hacktivists targeted the FSB (at the direction of the IT Army Ukraine) and managed to take the external facing website offline. Rumors on social media and chatrooms suggested Anonymous managed to “breach” the FSB’s server.

Shortly after the announcement of the website’s offline status (i.e. #TangoDown), a deep web paste emerged containing a list of 62 subdomains for the fsb.ru domain. This could be for additional targeting and exploitation.

The stability and alliances of members of the FSB are being questioned by threat intelligence and security researchers across the community. Last night, an alleged FSB whistle-blower letter surfaced (via the founder of http://gulagu.net) that damned Russia’s military performance in Ukraine and predicted a disaster for Russia in the coming weeks and months. An English translation of the letter has appeared on the deep web (excerpt below).

To be honest, the Pandora’s box is open – a real global horror will begin by the summer – global famine is inevitable (Russia and Ukraine were the main suppliers of grain in the world, this year’s harvest will be smaller, and logistical problems will bring the catastrophe to a peak point). I can’t tell you what guided those at the top when deciding on the operation, but now they are methodically lowering all the dogs on us (the Service).
We are scolded for analytics – this is very in my profile, so I will explain what is wrong. Recently, we have been increasingly pressed to customize reports to the requirements of management – I once touched on this topic. All these political consultants, politicians and their retinue, influence teams – all this created chaos. Strong. Most importantly, no one knew that there would be such a war, they hid it from everyone.
And here’s an example for you: you are asked (conditionally) to calculate the possibility of human rights protection in different conditions, including the attack of prisons by meteorites. You specify about meteorites, they tell you – this is so, reinsurance for calculations, nothing like this will happen. You understand that the report will be just for show, but you need to write in a victorious style so that there are no questions, they say, why do you have so many problems, did you really work badly. In general, a report is being written that when a meteorite falls, we have everything to eliminate the consequences, we are great, everything is fine.
And you concentrate on tasks that are real – we don’t have enough strength anyway. And then suddenly they really throw meteorites and expect that everything will be according to your analytics, which was written from the bulldozer.
That is why we have a total piz_ets – I don’t even want to pick another word.

5 March 2022 – 16:37 UTC

Anonymous Claims to Breach Yandex (Russia’s Mail and Search Service); Leaks Account Credentials

DarkOwl discovered two leaks shared through the Anonymous hacktivist collective network consisting of over 5.2 Million user accounts’ email addresses and password combinations. We are in the process of analyzing this data leak to determine the veracity of its contents. 1.1 Million Yandex accounts were previously dumped in 2014. Many hackers are using #opRussia to opportunistically claim clout for breaches that did not occur, when in reality they are circulating old previously dumped data and/or verifying accounts by credential stuffing.
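The check an analyst runs to separate a genuinely new dump from recirculated data, the step described here and in the mail.ru combolist entry above, can be expressed as an overlap measurement. The following is an added example, not DarkOwl’s analysis pipeline: it normalises email:password lines, fingerprints each pair with SHA-256 so no plaintext credential set is retained in analyst tooling, and reports what fraction of a new list already appears in a known prior dump. Both lists below are constructed and the addresses are fictitious.

```python
"""Overlap triage of a newly circulated email:password combolist against a
known prior dump (added example). Both lists are constructed and fictitious;
the parsing rules and fingerprint scheme are this example's own.
"""
import hashlib
import re
from typing import Dict, Iterable, Optional, Set, Tuple

# Deliberately strict: one address, one colon, non-empty password.
EMAIL_RE = re.compile(r"^[^@\s:]+@[^@\s:]+\.[^@\s:]+$")

# Constructed "known dump" from an earlier incident.
KNOWN_2014_DUMP = [
    "ivan.p@example.test:qwerty123",
    "olga_s@example.test:Summer2013",
    "dmitry@example.test:hunter2",
    "lena.k@example.test:pass1234",
]

# Constructed "new leak" as it might circulate: comments, duplicates,
# case variants, malformed lines and a few genuinely new pairs.
NEW_LEAK = [
    "# constructed sample combolist",
    "Ivan.P@example.test:qwerty123",     # same pair, different case -> recycled
    "olga_s@example.test:Summer2013",    # recycled verbatim
    "dmitry@example.test:Hunter2",       # known email, new password -> not recycled
    "sergey@example.test:Welcome1",      # new
    "sergey@example.test:Welcome1",      # exact duplicate line
    "not-an-email-line",                 # malformed
    "",                                  # blank
    "anna@example.test:",                # empty password -> malformed
]


def is_noise(line: str) -> bool:
    """Blank lines and '#' comments that sellers and repackers often add."""
    stripped = line.strip()
    return not stripped or stripped.startswith("#")


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (email, password) or None if malformed. The address is lowercased
    so case variants match; the password is kept verbatim because case matters."""
    email, sep, password = line.partition(":")
    email = email.strip().lower()
    if sep != ":" or not password or not EMAIL_RE.match(email):
        return None
    return email, password


def fingerprint(email: str, password: str) -> str:
    """Hash the pair so credential sets can be compared and stored without
    keeping plaintext passwords in analyst tooling."""
    return hashlib.sha256(f"{email}\x00{password}".encode("utf-8")).hexdigest()


def index_dump(lines: Iterable[str]) -> Tuple[Set[str], Set[str]]:
    """Build (pair fingerprints, lowercased emails) for a known dump."""
    pairs: Set[str] = set()
    emails: Set[str] = set()
    for line in lines:
        if is_noise(line):
            continue
        parsed = parse_line(line)
        if parsed:
            emails.add(parsed[0])
            pairs.add(fingerprint(*parsed))
    return pairs, emails


def compare(new_lines: Iterable[str], known: Tuple[Set[str], Set[str]]) -> Dict[str, float]:
    """Summarise how much of `new_lines` is already present in `known`."""
    known_pairs, known_emails = known
    stats: Dict[str, float] = {"lines": 0, "skipped": 0, "malformed": 0}
    pairs: Set[str] = set()
    emails: Set[str] = set()
    for line in new_lines:
        stats["lines"] += 1
        if is_noise(line):
            stats["skipped"] += 1
            continue
        parsed = parse_line(line)
        if parsed is None:
            stats["malformed"] += 1
            continue
        emails.add(parsed[0])
        pairs.add(fingerprint(*parsed))
    recycled = len(pairs & known_pairs)
    stats.update({
        "unique_pairs": len(pairs),
        "unique_emails": len(emails),
        "emails_seen_before": len(emails & known_emails),
        "recycled_pairs": recycled,
        "recycled_fraction": round(recycled / len(pairs), 3) if pairs else 0.0,
    })
    return stats


if __name__ == "__main__":
    for key, value in compare(NEW_LEAK, index_dump(KNOWN_2014_DUMP)).items():
        print(f"{key:>20}: {value}")
```

A high `recycled_fraction` with mostly identical pairs points to a repackaged old dump. A high `emails_seen_before` count paired with different passwords is the residue a credential-stuffing verification pass tends to leave behind, and by itself is not evidence of a fresh breach of the service either; only pairs absent from every known dump merit further verification.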


5 March 2022 – 15:23 UTC

Paypal Suspends Service in Russia

PayPal announced on LinkedIn that it would be halting its operations in Russia, a statement released days after it stopped new user sign-ups on the payment platform on Tuesday. Dan Schulman, CEO, wrote:

We remain steadfast in our commitment to bring our unique capabilities and resources to bear to support humanitarian relief to those suffering in Ukraine who desperately need assistance. We will also continue to care for each other as a global employee community during this difficult and consequential time.

On Wednesday, 3 March, the IT Army of Ukraine launched a petition on change.org and called on all supporters to sign it:

[TRANSLATION]

While Ukraine protects its people and places, and Russia faces the radical consequences of its war crimes, the most popular payment service via PayPal is still available to the aggressor. This means that it also helps finance the bloody war against Ukraine through PayPal.
We are absolutely sure that modern technologies are a powerful response to tanks, grads and missiles. We call on the company to block its services in Russia via PayPal and launch them in Ukraine, as well as provide an opportunity to raise funds to restore justice and peace in our country and the world.

5 March 2022 – 15:03 UTC

Anonymous Leaks Private RocketChat Conversations from Russian Government Officials

Anonymous is targeting Russia by any means possible and managed to collect private chats between Russian officials on the messaging service, rocket.chat. After review, these chats are different from the ones dropped by @contileaks last week.

The chat includes the network ID, username, and “real name” of 14 members of the chat group. The domain associated with the leak corresponds to the official website of the Russian government and the Governor of the Moscow region.


5 March 2022 – 06:04 UTC

squad303 Sets Up SMS Messaging System to Text Random Russian Citizen Phone Numbers

With the lack of Russian media coverage of the invasion of Ukraine and the intentional misinformation spread by Putin’s disinformation agencies, a pro-Ukraine hacktivist collective known as squad303 set up an SMS messaging system that citizens around the globe can use to text randomly selected Russian citizens a scripted message about the nature of world events.

The squad303 team also set up an API for more advanced users.

Update: As of 8AM UTC, 6 March 2022, the service had been used to send over 2 million texts to Russian mobile phone numbers.

The team also reports suffering heavy DDoS attacks from pro-Russian cyber actors.


5 March 2022 – 02:34 UTC

Anonymous Hackers Claim to Have Accessed Communication Data for a Russian Military Satellite

After nb65’s reported success accessing Roscosmos earlier this week, it appears that members of the Anonymous collective under the campaign #opRussia have ventured into breaching the communications of a Russian military satellite for data collection. The satellite, designated COSMOS 2492 (aka glonass132), is likely active in geospatial intelligence collection over Ukraine for Russia. (Note: the original indication of the connection occurred 4 March 2022 @ 09:35 by Anonymous collective member @shadow_xor.)

DarkOwl also uncovered a leak shared by LulzSec member @shadow_xor titled, “Leak_RUSAT_shadow_xor.zip” which contains significant geopositioning data since the satellite’s launch in 2014. The hacker stated they could not change the coordinates of the satellite, but did capture orbital, passage, and communications data.

Our original reporting on this suggested the hackers were Russian-based, but further analysis only indicated that a number of Russian-based hackers supported the attack on COSMOS 2492.


4 March 2022 – 18:16 UTC

Putin Officially Bans Facebook in Russia

In order to combat the information operations campaign against them online, Putin ordered ISPs to block Facebook servers and websites across Russia. Security researchers also note an uptick in Russian trolls on social media, with bot accounts promoting Putin’s military operations in Ukraine.

Putin’s parliament also passed a law imposing prison terms of up to 15 years for individuals spreading intentionally “fake news” about the military. The terms “invasion” and “war” are no longer allowed in press and media coverage.

Several foreign and Western media outlets, including BBC, CNN, and Bloomberg, have temporarily suspended reporting on the war from Russia.


4 March 2022 – 09:44 UTC

NB65 Teases Information Security Community with Riddles on their Activities

NB65, the pro-Ukrainian group who claimed responsibility for accessing and shutting down Russia’s spy satellites via SCADA vulnerabilities, teased the information security community that they had been quiet because they were parsing and analyzing numerous vulnerabilities in Russian cyber targets.

If we seem quiet, it’s because we have an olympic sized swimming pool worth of data and vulnerabilities. But here’s some fun that you can participate in…

DarkOwl discovered a post matching the target hidden in the riddle and the content suggests the group has access to RUNNET: Russia’s UNiversity Network.


4 March 2022

IT Army of Ukraine Calls for Volunteers to Support the Internet Forces of Ukraine

Ukraine’s Ministry of Digital Transformation is stepping up its information warfare against Putin’s propaganda by forming the Internet Forces of Ukraine (ITU). A separate Telegram channel, formed at the start of the month, is dedicated to posting instructions and guidance for citizens around the world who want to aid Ukraine but lack an IT/cybersecurity background.

Друзі, наш ворог, окрім наявної війни у наших містах та селах, веде також інформаційну війну. Не вірте фейкам, не вірте брехні пропаганди путіна – ніякої капітуляції України НЕ БУДЕ!!! У нас потужна армія, ми сильні духом і нас підтримує весь світ! Тому, не ведіться на провокації і вірте в Україну. Поширюйте це серед рідних та близьких у соціальних мережах, щоб вони також не велись на нісенітниці кремля. Ми разом і ми переможемо!!🇺🇦

Friends, our enemy, in addition to the existing war in our cities and villages, is also waging an information war. Do not believe fakes, do not believe the lies of Putin’s propaganda – there will be no capitulation of Ukraine!!! We have a powerful army, we are strong in spirit and we are supported by the whole world! Therefore, do not be fooled by provocations and believe in Ukraine. Spread this to your family and friends on social networks, so that they also do not fall for the Kremlin’s nonsense. We are together and we will win!! 🇺🇦


4 March 2022 – 01:46 UTC

Trickbot Gang Members Doxxed and Links to FSB Confirmed

At 15:00 UTC, before DarkOwl could even finish analyzing the ContiLeaks, a Ukrainian-aligned underground account leaked details of key members of the infamous TrickBot gang. Over the course of the day, at a cadence of every 2 hours, dossiers for the individuals appeared on social media. Private chats between members of the gang were included with each of the leaks. Seven male members were identified along with their aliases: baget, fire, strix, mushroom, manuel, verto, and liam. Twitter has since suspended the account.


3 March 2022 – 20:54 UTC

Russian-Aligned Hackers Target Anonymous Hacktivists in Canada

A pro-Russian cyber group using the name Digital Cobras, claims to have been targeting #opRussia hackers from the Anonymous collective across the US, UK, Greece, and Canada. Earlier today, they posted several names of individuals along with pictures of some of the alleged members of Anonymous.

They also claimed to have “hacked Anonymous’ servers” and downloaded over 260gb of their files and tools. They also claimed to have full access to the administration of the Tor Project, including its crypto accounts.

Anonymous does not possess servers or centrally locate their information or tools as it is an organic decentralized collective of hacktivists around the world. Similarly, the Tor Project is run by a network of volunteers.

It is very likely this group is designed to spread disinformation and FUD.


3 March 2022

Size of Zeronet Anonymous Network Increases Since Invasion

In the week since Putin launched an invasion against the Ukrainian people, DarkOwl has noticed an increase of 385 Zeronet domains and a near 20% increase in the network’s activity. Zeronet has historically been most heavily used by Chinese threat actors. The trend in “new domain” activity appears to have started on or about February 27th, within hours after the IT Army of Ukraine rallied the underground.

The Tor Project has reported significant increases in the number of unique addresses on Tor on the same day.

DarkOwl Zeronet Reporting
Tor Project data on onion address surge

3 March 2022 – 17:10 UTC

Anonymous Leaks Database Containing Bank Account Holders Information

bkdr, a member of the Anonymous hacktivist collective, released an Excel spreadsheet containing the personal information of over 8,700 business bank account holders in Russia. Full names, passport numbers, dates of birth, account standing, etc. are included in the file.


3 March 2022 – 15:40 UTC

Pro-Russian Cyber Team, Killnet Claims To Hack Vodafone Services in Ukraine

Killnet, a pro-Russian organized threat actor, has claimed they were successful in attacking Vodafone’s telecommunications services across Ukraine. The group shared links to the vodafone.ua website (as offline) and network graphs showing that the website suffered an outage.

The group also claims to have attacked “Anonymous” networks directly, prompting criticism, as the Anonymous hacktivist collective has no central servers or repositories.

[Google Translate]

Cellular communication services under the Vodafone trademark on the territory of Ukraine are provided by the partner of Vodafone Group plc, PRO “VF Ukraine”
⚠ OUR ATTACK WAS REPELLED [REFLECTED] AFTER 4 HOURS.

3 March 2022 – 05:22 UTC

Anonymous Breaches Private Server in Roscosmos and Defaces Website

v0g3lSec, a member of the Anonymous hacktivist collective, claims to have infiltrated private servers at the Russian Space Agency, Roscosmos, and exfiltrated files from their Luna-Glob moon exploration missions. The archive consists of over 700 MB. Many of the files are drawings, executables, and technical documents dating back to 2011. A scientific review of the content would be needed to assess the value of the information collected.

In addition, the website of the Space Research Institute (IKI) of the Russian Academy of Sciences (RAN) was defaced by the same group.


3 March 2022 – 01:11 UTC

Anonymous Leaks Data from Rosatom, Russia’s State Atomic Energy Corporation

According to DarkOwl’s preliminary review of the 74 files, the leak appears to be a mixture of budget data, conference materials, PowerPoint presentations, and technical files dating back to 2013. The information included is such a random mixture that it is unclear whether it was obtained directly from a breach of the corporation’s servers, from an employee at the organization, or collected via OSINT and compiled for use in #opRussia.

“There is no place for dictators in this world. You can’t touch the innocent, Putin. No secret is safe. State Atomic Energy Corporation Rosatom has been hacked!”

2 March 2022 – 19:55 UTC

ATW Quits Campaign – Cites Conflict with Anonymous, Attribution, and Twitter Suspension

Drama in the group started yesterday with AgainstTheWest claiming Anonymous was taking credit for their successes in the cyber war against Russia. They briefly turned their attention to China, announcing several new victims, including the Chinese Science, Technology and Industry for National Defence organization. After their suspension from Twitter earlier today, they announced their retirement, claiming they had no means of communicating with the public. (Analysts note that a rebrand to BlueHornet occurred shortly after the announcement.)


2 March 2022 – 19:09 UTC

Conti Leak Source Code, Panel, Builder, Decrypter Appear on Darknet Forum

Less than 48 hours after a pro-Ukrainian actor leaked the infrastructure of the CONTI gang’s operation, including botnet IP addresses and source code executables, users began circulating the ransomware gang’s critical data across popular darknet forums and discussion boards.


2 March 2022 – 16:35 UTC

Leak Documents Surface Proving War Against Ukraine was Approved on 18 January

Anonymous hackers released photographs of captured documents from Russian troops titled, “WORKING MAP”, and authored by the commander of Russia’s Bomb Battery of the Black Sea Fleet. The maps and documents affirm to the public that the invasion of Ukraine was approved on January 18th with intention to seize the country sometime between 20 February and 06 March 2022. Liveuamap, under intermittent DDoS since this started, confirmed the data.


2 March 2022 – 13:52 UTC

XSS Admin Reports XMPP Jabber Service Ransomed and Heavy DDoS Attacks

A darknet forum popular with the Russian-speaking community has been experiencing technical issues, suffering from Jabber service outages and heavy DDoS attacks. The forum is well known in the darknet for malware discussions and coordination of attacks. The admin shared a post that the Jabber service was hit with ransomware and the contents of the chats wiped from the service. They nonchalantly suggested users register and continue using the service.

[Translated]

The server didn’t work yesterday. Because of ransom (which, by the way, is prohibited here) we were listed in a spamhouse. Instead of reporting the violation, the “brilliant” spamhouse immediately leafed through us. In principle, for many years I got used to their “adequacy”. I’m not surprised at anything. We have more than 21,000 users, and no one is able to check everyone. To do this, in fact, they came up with feedback contacts (xmpp, e-mail), they are listed everywhere.

Why, I wonder, they don’t block gmail.com ? So many, so to speak, violators of law and order use it, and nothing, for some reason they are not immediately listed.
In parallel with this, a powerful DDoS attack was conducted on us.
Our XMPP project is not commercial, completely free and subsidized. I’ve never understood the point of attacking toads.
At the moment, the functionality has been restored.
An unpleasant moment. Backups according to the law of meanness turned out to be broken. The last one alive was a week ago. Suddenly someone has lost contacts or a toad has disappeared, re-register.

2 March 2022 – 10:33 UTC

Leak Appears with Russian Air Force Officer’s Information

Anonymous leaked another database containing the personal information for over 300,000 of Russia’s military personnel and civilian citizens. The archive, titled “Translated Base Database” contains 35 separate database files containing personal details of the individuals. Information includes: full name, date of birth, age, passport number, address, occupation, etc.


1 March 2022 – 20:46 UTC

Russian Criminal Gang TheRedBanditsRU Recruits on Social Media – Offers Payments for Affiliates

The RedBandits openly recruit “affiliates for certain jobs,” stating they did not want white hats, but that they want to “speak to exploit Developers, Spammers (phishing skills, vishing etc), Pentesters. We’re building an army!” They incentivize skilled hackers to join their cause for monetary gain, claiming partners would be paid well and should apply directly via qTox.

Earlier today, the group claimed that they did not agree with Putin as a leader nor of his invasion of Ukraine, but will protect him as a citizen of Russia.

“War is good for no one, come, take my hand, make money help your family”

1 March 2022 – 12:57 UTC

STORMOUS Ransomware Group Aligns With Russia

The STORMOUS ransomware group, which has been targeting international victims with its ransomware strain for months, claimed an alliance with the Russian government and threatened greater attacks against Ukraine.

The STORMOUS team has officially announced its support for the Russian government. And if any party in different parts of the world decides to organize a cyber-attack or cyber-attacks against Russia, we will be in the right direction and will make all our efforts to abandon the supplication of the West, especially the infrastructure. Perhaps the hacking operation that our team carried out against the government of Ukraine and a Ukrainian airline was just a simple operation, but what is coming will be bigger.

1 March 2022 – 09:26 UTC

Ukrainian Paper Leaks Personal Data for 120,000 Russian Military Personnel

In an effort to target the Russian soldiers invading Ukraine, the Centre for Defence Strategies in Ukraine has acquired the names and personal data of 120,000 servicemen who are fighting in Ukraine. The Ukrainian newspaper Ukrayinska Pravda has leaked the details of the soldiers, which could be one of the biggest information warfare campaigns using doxing in the middle of a military conflict ever seen.

The doxxed soldiers are likely to face increased engagement on social media and direct phishing attacks.


1 Mar 2022 – 00:38 UTC

NB65 Takes on Russia’s Satellite Technology

NB65 claims that they successfully accessed Russia’s Roscosmos Space Agency, deleted the WS02, ‘rotated’ the credentials and shut down the server. They did not provide any leaks with the social media announcement.

The Russian Space Agency sure does love their satellite imaging. Better yet they sure do love their Vehicle Monitoring System.
Network Battalion isn’t going to give you the IP, that would be too easy, now wouldn’t it? Have a nice Monday fixing your spying tech. Glory to Ukraine.

28 February 2022 – 23:54 UTC

ATW Targets Russia’s Electrical Grid

AgainstTheWest leaks information from Russia’s PromEngineering corporation. Archives of corporate emails between employees, clients and vendors, as well as blueprints and engineering documentation for power stations around Russia, are included in the leak.


28 February 2022 – 22:00 UTC

CONTI’s Entire Infrastructure Leaked

Does this signal the end of CONTI’s reign as leading RaaS?

A Ukrainian-aligned affiliate decided to destroy the CONTI ransomware gang’s operation by exfiltrating and sharing 141 additional JSON data files of private Jabber chats from 2020, details of their server architecture, data on their sendmail phishing campaigns, their command-and-control botnet architecture, and ransomware executables (password protected). Analysis confirms that the gang uses the BazarLoader backdoor to install persistent malware on infected machines.

DarkOwl analysts also noted from the leaked Jabber messages that RaaS affiliates were persistent in working out how to evade AV/EDR protection systems such as Sophos and Carbon Black. They stated that they had set up sales calls and demos with the Carbon Black and Sophos sales teams using proxy companies in order to gain more information, test the products and attempt to find specifics of each product’s AV/EDR detection mechanisms that could be bypassed.

This reminds us all of the importance of vetting and verifying every inbound commercial request for demos and sales information, especially when it might present an opportunity for the requester to learn critical corporate intelligence.

The affiliate leaking the details wrote how this war against their people and Ukraine was breaking their heart.

My comments are coming from the bottom of my heart, which is breaking over my dear Ukraine and my people. Looking at what is happening to it breaks my heart, and sometimes my heart wants to scream.

28 February 2022 – 21:41 UTC

STORMOUS Ransomware Hits Ministry of Foreign Affairs of Ukraine

The pro-Russian STORMOUS ransomware gang claims to have attacked Ukraine’s Ministry of Foreign Affairs, mfa.gov.ua, using their custom ransomware. The group posts victims’ information on their Telegram channel, posting in both English and Arabic. The group called the Ukrainian government network “fragile” and called for DDoS attacks against it.

Their network is fragile – their various data has been stolen and distributed according to their phone numbers, email, accounts and national card numbers with an internal network hacked and access to most essential files. This is with placing denial attacks on their main site !

28 February 2022 – 18:00 UTC

China’s Huawei Steps in to Assist Russia with ISP Network Instability

According to Chinese deep web forums, Huawei is reportedly building a mobile broadband network in Russia to help with internet outages. As of 26 February, at least 50,000 technical experts will be trained in networking and security in Russia’s R&D centers.


28 February 2022 – 12:00 UTC

Russian Gas Station Pumps Hacked

Videos of disabled electric vehicle (EV) charging stations in Russia surfaced, displaying an error status and the following messages:

“Putin is a dick”, “Glory to Ukraine”, “Glory to our heroes”, “Death to our enemies”

27 February 2022 – 23:06 UTC

Anonymous for Ukraine Leaks Customer Data from Sberbank Russia

While Anonymous leaked the files, the credit for the hack goes to the hacktivist group Georgia Hackers Society. The two text files (bygng.txt & bankmatbygng.txt) appear to contain personal data from the financial institution, with the bankmat file containing 4,568 records.


27 February 2022 – 21:00 UTC

CONTI RaaS Suffers for Professing Their Allegiance to the Russian Federation

DarkOwl just discovered 393 JSON files containing private Jabber chats from the ransomware group since January 2021 leaked online. Many of CONTI’s affiliates were displeased with the group’s alliance with Russia.


27 February 2022 – 19:00 UTC

ATW Claims to Take Down CoomingProject Ransomware Group

AgainstTheWest assesses “CoomingProject are actually one of the dumbest “threat” groups online.” AgainstTheWest statement on Twitter:

“RIP CoomingProject. All data on them is being passed to relevant authorities in France.”

27 February 2022 – 16:54 UTC

Cyberpartisans Take Belarusian Railway’s Data-Processing Network Offline

The hacktivist group of cyber specialists located in Belarus managed to force the railway switches into manual control mode, significantly slowing down the movement of trains. The webservers for the railway’s domains (pass.rw.by, portal.rw.by, rw.by) are also offline.

The rail services are being essentially held hostage until Russian troops leave Belarus and there is peace in Ukraine.


27 February 2022 – 11:00 UTC

AgainstTheWest Ransomware Gang Enters the Campaign

AgainstTheWest (ATW) claims to have attacked Russia’s Department of Digital Development and Communications of the Administration of the Pskov Region with their own custom “wiper” malware. All data has been reportedly saved and deleted.


27 February 2022 – 09:00 UTC

Anonymous Attacks Russian Critical Infrastructure

Tvingo Telecom offers fiber-optic networking, internet and satellite services. Tvingo Telecom is a major provider to Russian clients.


27 February 2022 – 00:00 UTC

GhostSec Leaks More Data and Claims Attacks Against Belarusian Cybercriminals, GhostWriter

GhostSec is active in the Anonymous cyber war against Russia and released a sample of databases stolen from additional government and municipality sites across Russia (economy.gov.ru and sudak.rk.gov.ru).

They state on their Telegram channel they have been conducting attacks against “Russian hackers” and the “hacker group GhostWriter” (a.k.a. UNC1151).


26 February 2022 – 18:00 UTC

IT ARMY of Ukraine Now Active on Telegram

A Telegram Channel titled “IT ARMY of Ukraine” appeared earlier today to help coordinate cyber activities against Russia. The channel has already accumulated over 96K followers. Posts are shared in Ukrainian and English containing target server IP addresses and media for mass distribution on social media.

Videos of what events are really happening across Ukraine have appeared on intercepted Russian State Television channels.

“Within the next hour there will be one of the most important tasks!”

26 February 2022 – 16:00 UTC

Anonymous Hackers Interrupt Russian State Television

Multiple reports across underground chatrooms suggest Russian television was allegedly briefly interrupted to play Ukrainian music and display national images. (Source)

Ukraine’s telecommunications’ agency also announced that Russia’s media regulator’s site was down as well.


26 February 2022 – 09:00 UTC

Russia Restricts Facebook and Twitter to Control Information

Open-source internet monitoring organizations discovered that Twitter has been blocked by multiple ISPs across Russia. Ukraine’s government is regularly posting on social media to show the Russian people they are still fighting the invasion. Cybercriminal and hacktivist campaigns also disrupt Russia’s information operations by calling out disinformation bots and taking critical communications sites offline. Twitter has reportedly blocked account registrations from IPs originating in the Russian Federation.

Russia’s state-controlled television station, RT, is still offline.


26 February 2022 – 01:00 UTC

Hackers Leak Data from Belarusian Weapons Manufacturer Tetraedr on the Darknet

Anonymous Liberland and the Pwn-Bär Hack Team announce the start of #OpCyberBullyPutin and leak a two-part archive (200GB total) of confidential employee correspondence from the prominent defense contractor and radar manufacturer Tetraedr in Belarus. The first part is the most recent 1,000 emails from each employee inbox, in .EML format. The second part is a complete archive of each inbox in .PST format.

The hacktivists stated they successfully attacked the company through an unpatched ProxyLogon vulnerability.


25 February 2022 – 23:30 UTC

Russian Military Radio Frequencies Hijacked

Ukrainian radio frequency (RF) hackers intercepted the Russian military numbers station UVB-76, frequency 4625 kHz, and trolled Russian communications by playing the Swedish pop group Caramella Girls’ Caramelldansen over the top of the transmission.

The group also successfully intercepted frequencies utilized by Russian strategic bomber planes.


25 February 2022

CoomingProject Ransomware Group Announces Support for Russia

Another ransomware gang sides with Russia officially declaring war against anyone conducting cyber attacks against the Russian government on their Telegram channel.

“Hello everyone this is a message we will help the Russian government if cyber attacks and conduct against Russia”

25 February 2022 – 21:00 UTC

Russia’s Gazprom Energy Corporation Knocked Offline

Headquartered in St. Petersburg, Gazprom (ПАО “Газпром”) is the largest natural gas transmission company in Eastern Russia. The company is mostly owned by the Russian government even though its shares are traded publicly.

The Anonymous hacktivist collective, operating their campaign against Russia via the hashtag #OpRussia, has claimed responsibility.


25 February 2022 – 20:00 UTC

Anonymous Hackers Leak Database for Russia’s Ministry of Defense (MoD)

Russia’s gov.ru and mil.ru website server authentication data, including hundreds of government email addresses and credentials, surfaced on transient deep web paste sites and Telegram channels. Another leak consisting of 60,000 Russian government email addresses is also now in circulation.

GhostSec, also participating in Anonymous’s cyberwar against Russia, #OpRussia, claimed all subdomains for Russia’s military webservers were offline hours earlier as of 11:00 UTC.

Around 100+ subdomains for the Russian military were hosted on this IP (you may check DNSdumpster for validation), now all downed. In support of the people in Ukraine WE STAND BY YOU!

25 February 2022

CONTI’s decision to side with Russia has dire consequences for the RaaS Gang

The ransomware-as-a-service (RaaS) gang CONTI (a.k.a. CONTI News) has officially sided with the Russian Federation against “Western warmongers” in the conflict.

Many of their affiliate partners are reportedly in disagreement – siding with Ukraine – which became evident once certain private chats were leaked on their internal affiliate platform on social media. It’s uncertain how these political divisions will impact the effectiveness of the ransomware gang’s campaigns. Conti revised their WARNING statement claiming they do “not ally with any government and we condemn the ongoing war.”


25 February 2022 – 16:30 UTC

Hundreds of Russian IP Addresses Appear on Deep Web for Targeting

Over 600 IP addresses correlating to key Russian web services emerge on transient paste sites and underground hacker forums. (Source DarkOwl Vision)


25 February 2022 – 05:00 UTC

Anonymous Threatens to Take Russian Industrial Control Systems Hostage

The hacker group known as Anonymous stepped up its participation in defending Ukrainians through its cyber war with Russia. In an ominous video posted to Twitter, the group called for the UN to establish a “neutral security belt” between NATO and Russia to ease tensions. They elevated their threats by promising to “take hostage industrial control systems” in Russia, closing with their usual refrain: “Expect Us. We do not forgive. We do not forget.”

“If tensions continue to worsen in Ukraine, then we can take hostage… industrial control systems.” Expect us. Operation #Russia Engaged

24 February 2022 – 19:00 UTC

Free Civilian Tor Service Announces 54 New Ukrainian Government Database Leaks

The administrator of the Free Civilian Tor Service – who DarkOwl analysts believe is the Raid Forums threat actor, Vaticano – updated their database leaks service, stating they had confidential data for dozens of Ukrainian government services. DarkOwl analyzed these databases closely and confirmed the threat actor likely exfiltrated the data in December 2021. (Source)


24 February 2022 – 17:00 UTC

Russia’s FSB Warns of Potential Attacks against Critical Infrastructure as a result of Ukraine Operations

The National Coordination Center for Computer Incidents (NCSCI) released an official statement warning citizens of Russia of imminent cyber attacks and telling the country to brace for the disruption of important digital information resources and services in response to the ongoing “special military operation” in Ukraine.

“Attacks can be aimed at disrupting the functioning of important information resources and services, causing reputational damage, including for political purposes” – NCSCI

24 February 2022 – 05:00 UTC

Cryptocurrency Markets Crash in Wake of Invasion

Bitcoin cryptocurrency fell below $35,000 USD for the first time since January in reaction to the Russian troops crossing over the Ukraine border. Ethereum fell more than 12% in the last 24 hours.

According to open-source reporting, the collective cryptocurrency market has plummeted over $150 billion dollars in value since the tensions began.



[DEVELOPING] Darknet Economy Surges Around Abortion Rights

SCOTUS members credit card information continues to be doxxed

July 1, 2022

The recent doxxing of Supreme Court Justices – presumably in retribution for the Roe v. Wade ruling – has spread widely across social media platforms, including Twitter, Instagram, TikTok, and more.

While all members of the Supreme Court have been doxxed to some degree in the past, this latest round of public information sharing contains Credit Card information for at least four Justices.

Many posts circulating on the darknet, deep web, and paste sites include other associated PII, which together form a comprehensive doxx of the targeted Justices that could be exploited for social engineering attacks, fraud and more.

SIEGEDSEC Targets Pro-Life State Governments

27 June 2022

Over the weekend, hacktivists enraged by the SCOTUS decision directed their anger through their keyboards and targeted the networks of pro-life state governments, e.g. Kentucky and Arkansas. The group claimed to have accessed and exfiltrated several gigabytes of sensitive data, including employee PII, from state government servers. The cyber threat group SiegedSec, which we featured earlier this month, has recently been emboldened by its involvement in the Russia-Ukraine cyber war and stated on its Telegram channel that the attacks against Kentucky and Arkansas are just the beginning, with continued attacks planned against pro-life organizations and states with anti-abortion regulations.

“THE ATTACKS WILL CONTINUE!” – SiegedSec

Figure: SiegedSec Telegram post on the state government attacks (Source: Telegram)

SCOTUS Overturns Roe v. Wade

24 June 2022

On Friday morning, the U.S. Supreme Court uploaded their controversial decision on the case titled, DOBBS, STATE HEALTH OFFICER OF THE MISSISSIPPI DEPARTMENT OF HEALTH, ET AL. v. JACKSON WOMEN’S HEALTH ORGANIZATION ET AL; a decision which effectively removed one’s constitutional right to an abortion as provided by the long-standing 1973 Roe v. Wade precedent. The decision sparked widespread protests around the country and conflicts between activists and law enforcement.


Original Report

21 June 2022

As a result of the recent political landscape regarding Roe v. Wade, our analysts reviewed the topic of abortion and observed a surge in darknet economies providing abortion medications and home kits on underground marketplaces.

Background and Political Context

The historic January 1973 Roe v. Wade decision by the U.S. Supreme Court, which legally protected one’s right to an abortion at the federal level, is on a precipitous demise in a radical shift in political power across the United States. In a draft majority opinion that was leaked out of the Supreme Court to Politico in early May, the conservative majority of the Supreme Court justices appear very likely to overturn the landmark Roe v. Wade and the subsequent 1992 decision, Planned Parenthood v. Casey, with Justice Alito stating, “Roe was egregiously wrong from the start.”

Figure 1: Source POLITICO

If the position of the draft opinion goes ahead as written – which some legal experts predict might be officially published as early as this week – federal protections for one’s right to an abortion will immediately end and the issue will be tossed back for decision at the individual state level. With recent extreme state-legislative decisions such as the Texas Heartbeat Act criminalizing abortions any time after six weeks of pregnancy, 23 states have some form of restrictive abortion-related legislation in place. 19 states have protected the right to abortion by codifying it into their state laws; Colorado and California have established themselves as “sanctuary states” for women’s reproductive health.

According to the American Pregnancy Association, an abortion is defined as the early termination of a pregnancy and is induced by a clinical surgical procedure or the administration of drugs to remove the embryo and placenta from the female’s uterus. Two drugs associated with the “chemical abortion pill regimen” are oral Mifepristone (Mifeprex) and Misoprostol (Cytotec) used in conjunction to stop the production of pregnancy related hormones and induce contractions of the uterus to expel the embryo.

Impacts Seen on the Darknet

The Darknet Drugs Market

Within a week of the Supreme Court’s leaked draft opinion, DarkOwl analysts observed a noticeable volume of information related to medical abortions materialize – including offers for chemical abortion drugs for sale across the darknet.

Chatter on darknet discussion forums and deep-web-adjacent chat platforms fosters an online community to support US-based individuals’ access to abortion, calling it the “Underground Abortion Railroad,” aimed at connecting women with abortion and transportation providers while avoiding criminal prosecution.

One forum user identified themselves from Europe and offered to stock up on abortion medications and emergency contraception pills such as “Plan B” from their local pharmacies, offering to ship them at fair market price to those in the United States who cannot access them legally through non-darknet sites.

Another user in a popular darknet forum mentioned a reliable marketplace selling Misoprostol, described as “28 Pills 200MG Safe Home Abortion Method.” The vendor of the marketplace commented on the thread that they don’t actually sell the pills anymore because there were not enough buyers, but would be willing to change their position and offer them again if there was demand.

Monitoring of the darknet marketplace suggests the vendor has yet to offer a “Safe Home Abortion Method Kit” as mentioned in the thread, or any abortion-related pills, on their site. The same vendor also offers a variety of illegal drugs and narcotics, including Cocaine, Percocet, Xanax, weight loss treatments, and Freebase.

Figure 2: “Underground Abortion Railroad” thread (Source: Dread Darknet Discussion Forum)

DarkOwl continues to observe other sources of underground abortion services on offer in its Vision database with multiple advertisements for Misoprostol and Mifeprex, and access to (purportedly) safe abortion services. One supplier recommended those in need of abortion pills contact them via XMPP with OMEMO for a direct, private sale.

Another classified-style advertisement describes the at-home abortion treatment in detail and the medications used, with pricing ranging from $7 to $16 USD for the abortion-related medications. Multiple forms of contact information were also included.

Other drugs offered for sale on the same classified-advertisement forum have been affiliated with scammers that have no intention of providing the services or goods on offer. Tragically, there is increased risk that darknet scammers will exploit the current political abortion issue in the US for financial gain like they did during the COVID-19 pandemic.

Figure 3: Drugs offered for sale on darknet marketplaces (Source: DarkOwl Vision)

Some darknet forum users point readers to “offshore pharmacy sites” where abortion-related medication could be purchased, mentioning a clinic taking online consultations in India among others. A quick OSINT search revealed numerous Surface Web domains offering abortion-related medications for purchase. How those sites will operate regarding shipping the drugs to customers in states who have banned abortions once Roe is overturned is yet to be determined.

Overall, opinions on the darknet about abortion are mixed, with strong opinions on both sides of the issue. Members of right-wing-aligned Telegram channels spin abortion as murder and celebrate the Supreme Court’s position.

Figure 4: Source DarkOwl Vision

Other users, meanwhile, support less government control over individual choices regardless of the issue and view the decision as a potential turning point for the loss of other individual rights.

“I do believe everyone should have a choice, it’s a sensitive topic, but I will stand on democracy, taking peoples choices away is not democracy.” – Dread User
Figure 5: Source DarkOwl Vision

A controversial pro-choice group, Ruth Sent Us (RSU), named after late liberal Justice Ruth Bader Ginsburg, recently admitted to publishing on social media the home addresses of Chief Justice John Roberts alongside five other conservative associate justices: Samuel Alito, Clarence Thomas, Neil Gorsuch, Brett Kavanaugh and Amy Coney Barrett. The group claimed the information was publicly available and never encouraged violence against any of the justices.

The release of such information has fueled ongoing deep web forum debates about the topic, with some stating such information releases violate 18 USC 1503, which “prohibits ‘endeavors to influence, intimidate or impede… officers of [the] court’.” Despite the online debate, a 26-year-old man, Nicholas John Roske, likely relied on such leaked information to target Justice Kavanaugh last week. Roske was arrested for attempted murder after arriving at Kavanaugh’s home with a Glock 17 handgun, ammunition, a knife, zip ties, pepper spray, and duct tape, which he told police he planned to use to break into Kavanaugh’s house and kill him. Other left-leaning U.S. politicians have also been targeted in their homes since the draft opinion leaked, with users on Telegram calling them “pro-abortion death cult democrats.”

Figure 6: Source Telegram

DarkOwl analysts have not yet observed abortion pills such as Mifepristone and Misoprostol widely available on principal decentralized darknet markets, but they are available for purchase via threads in discussion forums, as well as classified-style advertisements on transient paste services.

Closing Thoughts

Users across darknet forums have voiced interest in abortion-related pills and services following the leaked Supreme Court documents and advocate for organized protests in support of and against the potential ruling. Once the U.S. Supreme Court officially issues their ruling, we anticipate a more concerted response from darknet marketplaces in offers for abortion related drugs and services. The darknet will also continue to be a resource for activists to organize political protests and circulate sensitive information related to the abortion debate.

Irrespective of which side of the debate one stands, the darknet will continue to fuel the controversy both in support of and criticism of a woman’s right to abortion. In a world of increased digital surveillance and the fundamental privacy-centric nature of Tor and similar anonymous platforms, individuals will seek out like-minded communities on the darknet for social activism related to the topic. DarkOwl predicts an increased use of Tor to organize political protests and circulate sensitive information related to the abortion debate.



[Podcast Transcription] AI on the Record – Episode 2: Exploring the Dark Side of Technology

January 22, 2026


This podcast features DarkOwl Regional Director and OSINT expert Lindsay Whyte and Jennifer Woodard, Chief Product & Technology Officer at Logically.ai, who discuss how AI is accelerating cybercrime by powering malicious large language models that generate phishing emails, malware, and ransomware with little user skill required. These tools dramatically scale attacks, leading to everything from personal account takeovers to multimillion-dollar business email compromise and widespread ransomware incidents. While the threat is growing, Lindsay emphasizes that awareness, simple verification practices, a strong security culture, and international cooperation can still meaningfully reduce risk, offering some optimism amid an increasingly complex cyber landscape.


Jennifer: Welcome back to AI on the Record, the podcast that brings together voices from media, policy, enterprise and civil society to explore where influence is heading, how AI is being governed and what decision makers should be paying attention to next. I’m Jennifer Woodard, your host.

Now, today, we’re going somewhere most of us don’t often go – into the darker side of technology, the shadowy corners of the internet and the world of cyber. And we’ll be looking at how AI is now intersecting with these spaces in ways that are both fascinating and, frankly, alarming. With me today is Lindsay Whyte of OSINT UK. He’s an expert in open-source intelligence and cybercrime investigations. Let’s get into it.

So, with me today is Lindsay Whyte of OSINT UK. He’s an expert in open-source intelligence and cybercrime investigations. Lindsay, welcome to the show.

Lindsay: It’s a pleasure to be here. Thank you, even if the topic is somewhat a bit dark.

Jennifer: Indeed. Indeed, it is a little bit dark but thank you so much for being here. Could you just give us a quick intro into a little bit about your background and what you do?

Lindsay: Sure thing. So, I’m a former British soldier and now I’m the co-founder of the UK community, which is a volunteer-run, not-for-profit seeking to bolster the UK’s intelligence capabilities by reintroducing in-person interactions into the world of security, but also at the same time crowdsourcing new innovations in the rapidly growing world of open-source intelligence technology. My day job is working for DarkOwl, which is a leading darknet intelligence collections company, which was actually founded by the same person that founded the Tor Project itself. So, we illuminate darknet data for governments and security professionals around the world.

Jennifer: That’s very interesting. It’s incredible to hear. And, you know, as you’ve explored these spaces, I’m assuming you’ve seen technology evolve and now that we’re kind of in the age of AI. AI is coming into its own. AI is now part of this kind of cybercrime dark web story. Could you help us understand a little bit about how cyber criminals are using AI, and whether that’s something that we should actually be worried about?

Lindsay: Absolutely. I think it’s a great place to start because, you know, you and I know ChatGPT. I think most people have at least heard of ChatGPT by now. And that’s what, you know, we call a large language model. Basically, it’s a very sophisticated AI that can understand and generate human-like text. Now, big companies like OpenAI and Anthropic, they build things which you call guardrails. So, these are rules that prevent their AI from helping you do bad things.

So, if you ask ChatGPT to hack someone’s bank account, it will politely refuse. But malicious large language models (LLMs) – they are the sort of evil twins, and they’re built from scratch or modified specifically to remove those sorts of guardrails. They’ll happily help you craft phishing emails, write malware, generate ransomware code, ransomware notes, you name it. Really. So, what’s interesting, of course, is that already this sort of malicious LLM ecosystem, they’re already selling their software in subscription form, so you’ll be able to buy malicious LLMs on a monthly plan, on an annual plan, a lifetime. I mean, there’ll probably be Christmas discounts, you know, before long. So, it’s basically cybercrime as a service, as the security industry have always known it. But now with that AI superpower. Yeah, I wish I was joking, but that’s the real reality of it.

And, I guess to understand how this matters, we need to talk about the dual-use dilemma, which I know, Jennifer, you probably know a lot more about from that sort of policy perspective. But, you know, fundamentally, this dual-use dilemma in AI is about how you use the exact same technology for good, but also for, you know, for harm, and how it can get sort of weaponized for harm. You know, a little like nuclear physics. It’s something which can power a city for, for free and transform a society. But it can also be used in weapons to sort of level a city. So, AI kind of has to be thought of, I think, in the same kind of way. You know, it gives us the same capabilities, allowing a company to automate customer support for the good, or helping students write better essays at university, but it also helps criminals scale up their attacks. So even if the technology is neutral, the intent is not.

So, I guess this is where it gets pretty interesting because, you know, the same linguistic precision that makes AI great at, you know, university essays and helping write emails can also make incredibly convincing phishing emails. So, the same coding ability that helps developers debug software can actually customize malware in the same amount of time, and that’s kind of what makes it tricky from a regulatory perspective. I guess for me, what really concerns me is the way that AI is now democratizing cybercrime, because it used to be that attacks required a certain level of skill. So, you know, language skills, a certain amount of coding knowledge, a deeper understanding of, like, social engineering for the culture in which you’re trying to action this, this attack. This is now available to anyone. So, you know, we’re talking about a skill level of someone who maybe knows how to use Google and understands basic computer concepts. That’s all you need now. So, the days of needing to be an expert coder or a wizard of some description to run a sophisticated attack are over, you know, and that’s kind of the reality that we’re living with. You know, would you rather face, as someone said it to me once, you know, would you rather face one expert swordsman or a thousand people with guns? And, you know, these malicious LLMs, they are giving everyone a gun. It’s scale over skill, and from a perspective of cyber defense, that’s pretty terrifying, because now attacks that used to take days of research, maybe weeks of research and hours of coding can now be done in minutes by someone who has no prior experience in the field.

Jennifer: Wow, that’s really jarring. And like you said, that’s the reality that we’re living in right now. These aren’t even hypothetical risks anymore. I mean, I remember years ago people talking about how this might be on the horizon. But we’re actually living with this right now. It seems like it almost snuck up on us in some cases. So, the tools that you’re talking about to develop these, you know, types of malignant actions, they’re actively in use. Could you walk us through some examples of what those tools look like? I mean, what are they actually called? Are they methods? Could you just kind of walk us through that?

Lindsay: Yeah, yeah. Tragically, that is the case that these already do exist. So, two big names that have emerged in the last few weeks are WormGDP, GPT, sorry, and KawaiiGPT. That’s actually wrong. Uh, WormGPT has been around for a while, but I’ll talk about WormGPT specifically because I think it really opens up everyone’s eyes, because this is something that appeared, I think it was sort of summer 2023, on underground forums, like Hack Forums. For those who don’t know, Hack Forums is pretty much exactly as it sounds, not like friendly Reddit threads. These are places where cyber criminals congregate and share ideas. And WormGPT was being hawked a bit like the latest smartphone. So, the marketing, I think, even included like a creepy little character with red eyes. It was like the most unsubtle kind of thing, but basically what they were advertising is an uncensored alternative to mainstream ChatGPT – no ethical boundaries whatsoever.

And it was built on an open-source model. It was fine-tuned specifically against malicious data sets, so malware code, phishing email templates, exploit write-ups and that sort of thing, and it was directly trained on that data. So, it was mainly being used for business email compromise. So, that’s where criminals basically impersonate a CEO or a company supplier or something like that, and it tricks employees into sending sensitive information or wiring money outside of the company as part of a scam. And normally with these business email compromise emails and messages that we receive, there were telltale signs that it was a scam. So, there would be weird grammar, it would be awkward phrasing, and that would sort of tip us off. But with WormGPT, it could, and it can, generate perfectly fluent, professional-sounding messages, which even the most savvy employee could fall for. And, I guess, you know, ironically, WormGPT became a bit of a victim of its own success, because the media exposure it got was so big that the creator actually shut it down quite soon after setting it up because it got so much heat. But of course, the problem with that is that the cat was already out of the bag, and it meant that a lot of copycat GPTs appeared on the market and other versions started coming out. And, you know, currently you’re looking at sort of WormGPT 4, which is more commercialized. It’s got a really slick website.

Remember, I’m talking about a malicious piece of technology here. They have a subscription pricing model. I think it’s like 50 bucks a month, a hundred bucks a year and 200 bucks for, like, lifetime access. So, it’s very affordable. It becomes very problematic. It’s got a big sort of Telegram ecosystem that’s growing. It’s like running itself like a legitimate software company. And, you know, people have tested this. It can spit out ransomware notes, ransomware scripts, with encryption to infect computers. I think the ransomware note that it can generate provides the level of detail where it’s instructing a victim how to buy Bitcoin to pay the ransom if they don’t already know how to do it, and what sites to use. It’s very smart.

As I mentioned, there’s another one called Kawaii. I think I’m pronouncing that right – KawaiiGPT, basically just Google KawaiiGPT. And that takes a slightly different approach. It markets itself as like a friendly, playful chatbot, but it’s, you know, it’s completely free. It was on GitHub until very recently. It may still be there, and basically allows people to download it for free. Some security researchers have started to ask it to, like, as in legitimately to see its power, test if it can write scripts for lateral movement. So lateral movement is where an attacker basically goes into one computer in a network and then crab walks into other computers on that network, like dominoes falling. It’s able to do all of these things and is pretty terrifying, really, because all of this can be generated in a few seconds. So, yeah, I think overall, what’s worrying about both of these tools is that they’re creating, like any professional tool these days, an ecosystem of developers, of communities, of people, you know, giving feedback and then the product being improved. It’s like these Telegram channels, they read a bit like LinkedIn for criminals. It’s pretty surreal.

Jennifer: Yeah, it’s democratization in the worst possible sense. Right? I mean, it’s really the ability to scale this like never before. And the barrier to entry being so low that just about anybody has access to these types of tools. Anyone who wants to do harm. When you lay it out like that, it’s really, I mean, it’s really scary how big this impact is. So, you mentioned a little bit about the victims. You know, you referenced kind of like corporation CEOs. What happens to the victims of these types of attacks? What’s the aftermath of something like this happening?

Lindsay: Well, I mean, the impact does kind of range between, you know, the corporates that you mentioned, right down to sort of like individuals who fall for this. It can be anything from just being really annoying to completely devastating and life destroying.

I mean, at the lower end, a successful phishing attack that compromises an individual account, you know, an email gets hacked or someone’s social media gets taken over. It’s embarrassing. It’s potentially financially damaging. It might be recoverable but, you know, people can lose their accounts for a while. They might lose their identity. So, it can be a real hassle. It may not necessarily be life destroying, but when you scale up the chain and you start then looking at business email compromise, which I said is the main focus initially of WormGPT, for example. That’s when it gets very serious because a company employee can get tricked into wiring money to a scammer’s account. We’re talking six, seven figures. I’m not exaggerating. I mean, companies have literally gone bankrupt because of successful business email compromise attacks. And imagine you’re the CFO and you get what looks like a legitimately urgent request from the CEO to wire funds for like, an acquisition or something else. That money is then gone. It’s irretrievable and you’re left kind of explaining to the Board how you just wired all of that money out of the business.

And then at the top end, you’ve got ransomware attacks, where all of the cybercrime sort of focuses, I’d say, right now, where an attacker gets into a network, they spread through the system, they encrypt everything, and demand payment to unlock it. And we’ve seen this happen to hospitals, you know, doctors not being able to access patient records, manufacturers shutting down operations for weeks, and for manufacturers, operations being shut down is millions and millions of pounds lost in production. School districts not being able to access their pupil records or that kind of thing before exams. You know, the impact then isn’t just financial. It’s actually emotional as well. And that’s pretty immense. So, I mean, LLMs (large language models) are making all of these things easier – the sort of improvements in how it generates convincing language for phishing emails, instant code generation for malware. These tools are accelerating every single phase of an attack. And as I said, what used to take a team, a skilled team, days and weeks can now be done by one person in a matter of hours. Again, imagine someone who is maybe a disgruntled former employee or a, I don’t like to say teenager stuck in their bedroom because that’s such a stereotype, but you don’t need much to trigger someone to then pay that $50 monthly subscription for one of these malicious GPTs. You know, you just need a fraction of these people paying and getting access, and then suddenly you’ve got an enormous, enormous problem on your hands. These aren’t, you know, the companies behind them, of course, you know, they’re not hobbyists themselves; they are themselves very professional business operations with customer support and engineers and all this sort of thing. Just because you and I could use it and people without much knowledge can use it, that does not reflect the level of sophistication on the other side of the fence. They are professional businesses. Right.
That’s something that people often forget. These people really know what they’re doing. They’re very well organized. You know, they learn how businesses work. They’ve worked in legitimate businesses in the past more often than not.

Jennifer: And cutting edge, it sounds like cutting edge technology developers as well. They’re not just a mom-and-pop shop. Wow. That’s hard to hear, quite alarming. But, you know, in spite of all this, I assume that something is being done to mitigate these risks, right? This is a risk to every sector, every part of the globe. It’s a risk to economies worldwide. What is happening on that front? Can these tools actually be stopped, or is this kind of a new reality that we need to adapt to?

Lindsay: This is the problem, I suppose, is that it does get complicated because there is no silver bullet. If we look to the sort of legal and regulatory side of things, we are sort of in murky waters, and you’ll probably know this, that – okay, the original, say, WormGPT, this malicious LLM, was shut down voluntarily by its creator, but then we do have other GPTs, you know, on GitHub and still running. So, you’re going to have to ask, like, legitimate websites hosting the code to police what kind of code people can share. And that opens up a whole can of worms, to pardon the pun, because, you know, here’s the thing. You know, these exact same tools are crucial for legitimate penetration testing.

Penetration testing is an absolutely vital part of cybersecurity posture because essentially what penetration testers do, these are the good guys who are hired to break into a system to find vulnerabilities so that you can bolster your defenses. So again, we’re into that dual use dilemma. The tool itself is neutral, and that makes regulation incredibly difficult, in my opinion. Because how do you ban something that has a legitimate use? But I guess there are other approaches that need to happen. I mean, again, I’m not an expert on it, but developers of mainstream API models need to continue with their safety measures. So, making it harder to jailbreak these systems and that sort of thing. Law enforcement needs to get better at tracking the financial flows – so identifying the people behind these cryptocurrency flows, and pursuing them, because as part of my day job at DarkOwl, that’s what we spend our time doing: illuminating dark web forums and cryptocurrency. And then, I guess, most importantly, is promoting international cooperation on these subjects, because this means absolutely nothing if we don’t have some global approach to countering this, because cybercrime is, in its nature, just borderless. You know, you’re always going to attack the jurisdiction that is as far away from your own as possible, right? That’s just common sense if you’re a criminal. So that’s pretty important. Obviously, there’s other things on the side of sort of like the EU AI Act, which I’m not quite as familiar with.

But for individuals, there’s quite a bit you can do. I want to be positive here, and this is where I get optimistic, because even the most convincing phishing email fails if people are trained to verify requests through secondary channels. If your CEO sends you an email asking for an urgent wire transfer, picking up the phone and calling them is what you need to do, and that’s where, you know, the AI model kind of fails, because simple practices like this will defeat AI generated attacks, and in-person and face-to-face options as well to kind of do this, you know, for companies specifically. Yes, there’s sort of layered defenses. So, there’s various cybersecurity practices you can put in place, good security practices, a healthy amount of skepticism. These are all things that will help. I mean, fundamentally, this is an ongoing arms race. Attackers are going to develop new tools, defenders are going to attack. Attackers are going to evolve. Defenders respond. It’s just going to keep going on and on. It’s been like that in cybersecurity forever. And so, nothing’s really changed.

Jennifer: Right? It’s about staying one step ahead of the bad guys. It’s the same type of situation as in cyber for the past, you know, 20, 30 years. Yeah. I’m glad that you bring a little bit of optimism into this, because I’d like to hear, you know, from a technology perspective, given how difficult this is, it sounds almost insurmountable. What is it? What is something that actually gives you hope? Something that makes you think, from a technology perspective, that we can actually kind of make a difference here?

Lindsay: Yeah, I think there is some hope. And just to sort of flesh out, you know, my optimism on this. Increased awareness does help things tremendously. You know, conversations like this where we’re educating people about these threats do make a real difference. As someone said, an informed public is the best defense. So, when people understand that emails can be generated by AI, you know, that perfect grammar is no longer the guarantee of legitimacy, that verification is essential and that sort of thing. This really does change the game. You can have the most sophisticated technical defenses in the world, but if your employees know to pick up the phone and verify a wire transfer request, you have just defeated, there and then, a multi-billion-pound AI powered attack with a 30 second phone call.

It’s not necessarily about blocking specific tools. I think that’s a losing game. It’s about building systems and cultures to be resilient at scale, and understanding the speed at which AI evolves. You know, bringing back human interactions. I’m a big believer in this, whether we do this with government or with our own companies – nothing can beat that human interaction to verify something 100%. I think one of the things I’ve always worried about is the way in which, and, you know, one thing we haven’t really spoken about is the way in which nation state actors and governments are actually funding and promoting a lot of this malicious LLM use. Sometimes I think democracies look to the digital world as a form of efficiency, and I think we’re entering into that, and that is right. I mean, it’s changed everything. It’s been revolutionary. But we may be entering into a period where it’s giving us diminishing returns, and we need to return to more in-person interactions, in-person verification. What that looks like, I’m not entirely sure, but you always have that. And I think, you know, understanding that and recognizing that we can’t just rely on digital systems for everything, that could be counterproductive.

There are things that are sort of keeping me up at night. I think the accessibility, you know, something that used to need a lot of skill doesn’t need a lot of skill. There aren’t those barriers anymore. But I think, you know, there is something that we can rely on. And that’s the sort of human element as both the biggest weakness, but also the greatest strength that we have.

Jennifer: Yeah, that is actually encouraging, reassuring. You brought up some topics that kind of bring back the optimism to the conversation. So, before we go, I’d like to ask our guests: if listeners could take one thing away from today’s conversation about AI and cybercrime, you know, what they really, really need to remember, what should it be?

Lindsay: What I would suggest people do is that they start to really think in a hybrid mindset when building technology, managing people, improving society. Don’t rely on technology to save you. Don’t rely on, and likewise think, that technology is going to ruin you. The fact is, it is just another tool. Are we building a society, and are you building a business, I suppose, that takes into account all of these various facets? Sorry, I can’t be more specific than that. I’m still learning a lot about AI. I can’t claim to know everything about how AI is being used within the cybercrime world. It is evolving every second, but I think we need to understand and appreciate more the benefits of thinking holistically when talking about even the most digital of phenomena.

Jennifer: And that is a great way to end it, because that’s something that’s in our hands. It’s all about understanding awareness, educating ourselves, and kind of staying ahead of the curve. So, thank you so much, Lindsay Whyte, for joining me today on AI On the Record. It was a pleasure having you here. Even though the topic was a little bit dark, there is some hope for the future, it sounds like. And thank you so much for joining us.

Lindsay: It’s a pleasure, Jennifer. Thank you very much indeed.

Jennifer: That’s it for AI on the record. Thanks so much to Lindsay Whyte for scaring us a little but also adding a little hope in the struggle of good versus bad in the world of AI. If you found this conversation valuable, share it with someone who thinks deeply about tech, trust, and the future of information. Until next time, I’m Jennifer Woodard. Thanks for listening.


Threat Actor Spotlight: Scattered Lapsus$ Hunters

January 20, 2026

Scattered Lapsus$ Hunters is reported to be a hybrid threat actor group forged from three separate groups, who collectively emerged onto the scene in 2025 and quickly made their mark on the cybersecurity world. Announcing their existence following ShinyHunters’ alleged social engineering campaign that purportedly resulted in the theft of 1.5 billion Salesforce records, the group consists of threat actors from ShinyHunters, Scattered Spider, and Lapsus$ extortion members.

The three factions were all heavily active in 2024, resulting in a series of arrests of members of the group Scattered Spider in 2024. The group re-emerged in April 2025 with an attack on UK retailer Marks and Spencer. Due to the significant attacks carried out by the individual groups in recent years, the convergence of their members has introduced even greater chaos into an already volatile landscape.

On October 03, 2025, Scattered Lapsus$ Hunters launched a data leak site extorting 39 companies that were impacted by the Salesforce breaches. The companies listed on the site include Disney/Hulu, FedEx, Google, McDonald’s and more. A separate entry on the site requested that Salesforce pay a ransom to prevent impacted customers’ data (approximately 1 billion records containing personal information) from being released. The group set an October 10 deadline for Salesforce to pay the ransom, or for potentially affected companies to contact the group to secure their data. Salesforce refused to negotiate with the threat actors, believing their threats were unsubstantiated, and offered support to any of their affected clients.

While the group had threatened to release all information if their demands were not met, eventually they only leaked data from six companies. The victims included Albertsons, Engie Resources, Fujifilm, Gap, Qantas, and Vietnam Airlines. Qantas and Vietnam Airlines each had more than five million customer records exposed. The group later announced on its Telegram channel that it would not release any additional information until 2026, stating that it was unable to leak further data, though no specific reason was provided. The limited amount of victim information leaked during the October extortion attack led some individuals to question the extent of the data the group possesses. This behavior appears to indicate the group believes it can still extract a substantial payment from Salesforce or the affected individuals.

Following the partial leak, Scattered Lapsus$ Hunters posted a Telegram announcement threatening the remaining victims and Salesforce. The statement urged Salesforce to “put down your pride/ego” or their next campaign would be more “destructive”, and claimed they have the time and resources to ensure this fate. They warned against policies that mirror Australia’s “Cyber Security Act of 2024”, which introduced mandatory reporting of ransomware and cyber extortion payments, as well as strongly discouraging complying with threat actors demanding ransom. The group identified themselves as businesspeople and rejected the label of terrorists or attackers.

The post was signed “We will never stop, see you all in 2026”, indicating the group will return with further activity in the new year.

In November 2025, the group announced the development of a Ransomware-as-a-Service (RaaS) platform named ShinySp1d3r. On a Telegram channel used by the group, they claimed the ransomware was in development and would be led by ShinyHunters but operated under the “Scattered Lapsus$ Hunters” brand. Previously, these threat actors have used ransomware encryptors such as Qilin, RansomHub, and DragonForce. Victims of ShinySp1d3r will receive a note that they have “three days to begin negotiations before the attack is made public on the data leak site”.

Samples of the ransomware have been uploaded to VirusTotal and show a mix of common features and new features developed by the group. The encrypted files will contain “information on what happened to a victim’s files, how to negotiate the ransom, and a TOX address for communications”.

ShinyHunters claims that organizations in the healthcare sector, including pharmaceutical companies, hospitals, clinics, and insurance providers, are excluded from being targeted by its encryptor. However, researchers report that many groups have made similar assurances in the past, only for those self-imposed restrictions to be routinely ignored or violated.

Scattered Lapsus$ Hunters are expected to remain active this year, leveraging both new and familiar tactics to cause disruption across the cyber landscape. The combination of the three groups demonstrates a shift in cybercriminal branding, appearing to emphasize credibility and visibility. Given their broad range of targets, effective information sharing between organizations will be critical to countering this threat actor. To mitigate the risks posed by Scattered Lapsus$ Hunters and similar groups, organizations must prioritize monitoring these dark web activities.


2025 – A Year of Constant Upheaval on the Dark Web

January 15, 2026

If you watched the dark web ecosystem in 2025, like DarkOwl does, you may have noticed that it seemed very unstable. While the dark web is notorious for being unstable, with onion sites often going up and down, this year felt different – with more permanent changes to mature and established sites and a seemingly revolving door of admins.

Long-running drug markets vanished overnight in coordinated international operations. Fraud and hacking forums were seized and marked with law enforcement seals. Others simply went dark in classic exit scams, taking millions in crypto with them.

The most notable sites to be impacted this year were XSS – a long-standing Russian-language hub for exploits, access, and ransomware affiliates – and BreachForums – the English-language epicenter of data breach leaks and credential trading, which has been subject to changes over many years but always seems to come back.

But they were only part of a much larger story that included major markets like Archetyp and Abacus, plus “shadow markets” on platforms like Telegram.

As 2026 begins, we wanted to delve into what happened in 2025: XSS, the ongoing BreachForums saga, a review of some of the major marketplace hits and exit scams, how exit scams and takedowns reshape trust in the underground, and what all of this means for defenders and analysts.

For years, XSS (formerly DaMaGeLaB) was one of the most influential Russian-language cybercrime forums. It served as a marketplace for exploits, stolen access, and malware as well as a recruiting ground for ransomware crews. A well-established site, it fostered a high-trust environment among its users, who were able to trade tools and services. The site had been operating since 2013 and was estimated to have over 50,000 registered users.

However, in mid-2025, the XSS era effectively ended. Law enforcement agencies in France and Ukraine, supported by Europol, targeted XSS after a multi-year investigation which began in 2021. This led to the arrest in Kyiv of a 38-year-old suspect alleged to be the main XSS administrator. Shortly after, the XSS domain displayed a classic law enforcement seizure banner, signaling that authorities had taken control of infrastructure and likely obtained access to backend data and communications. This marked a change for law enforcement, who have typically targeted English-speaking sites on the dark web, with Russian sites usually being more difficult to infiltrate.

Figure 1: XSS Seizure Notice

For a forum that catered to serious actors, including affiliates of major ransomware groups, this was a significant blow. The value of the takedown wasn’t just the shutdown, but the potential intelligence gathered, thought to include database content, private messages, transaction details, and operational. It also initially appeared to leave a void where these actors could interact and advertise.

However, as usual, the community did not vanish with the domain, which did reappear. Some members migrated to other Russian-language forums such as Exploit or RAMP. Exploit, another well-established forum, appeared to be the primary forum of choice. Others attempted to relaunch XSS under slightly different branding, trying to keep the reputation and user base intact. However, registration for new users proved challenging, and many commentators online felt that XSS was now a honeypot run by law enforcement. It appeared that many in the community were reticent to continue using the updated site.

The net effect: XSS as a brand is fractured, but the underlying actors remain active and mobile on other forums. For cyber security analysts, the center of gravity moved, but the threat did not disappear. The game of whack-a-mole continues.

On the English-speaking side, BreachForums has been the high-profile home for many years, having launched around 2022 in the aftermath of the RaidForums seizure. The site was known primarily for selling and sharing data breach leaks, trades and giveaways of credential dumps, as well as the discussion of hacks, access sales, and “clout” postings.

Since then, BreachForums has been stuck in a loop.

BreachForums v1 (breached / breached.vc, etc.) – launched after RaidForums was seized – was itself later taken offline after the arrest of its founder “Pompompurin” (Conor Fitzpatrick). Fitzpatrick was subsequently charged, and rumors swirled that the site was operating as a honeypot.

In September 2025, founder Conor Fitzpatrick was re-sentenced to a longer prison term after an appeals court deemed the original sentence too lenient. That move signaled that U.S. courts view BreachForums as a serious, high-impact cybercrime platform, not just a “kids swapping databases” site.

Subsequent versions of BreachForums followed the same pattern. New domains and infrastructure spun up (e.g., breachforums[.]st) quickly, claiming to be the successor and controlled by affiliates of previous versions. The community reconvened, often with familiar staff and leak actors (including groups like ShinyHunters). However, law enforcement seized infrastructure again, posting FBI banners on front-end domains and, in some cases, gaining access to backend data and user logs.

However, in 2025, a few milestones stood out as different from the pattern, and the activity appeared to occur much more rapidly than it had with previous iterations.

One BreachForums instance announced it was closing after operators claimed law enforcement had exploited a 0-day in MyBB (their forum software) to gain access. Whether this was accurate or an excuse, the result was the same: another dead forum, more scattered users. Yet another BreachForums-branded domain displayed an FBI seizure notice, underscoring that law enforcement was tracking the brand as much as the infrastructure.

Every new BreachForums revival faces the same dilemma: if it’s real, it’s a prime target. If it’s not real, it might be a honeypot or undercover operation. This creates a deep trust problem inside the community.

So, while BreachForums keeps coming back in some form, each iteration is more paranoid, more fragmented, and less trusted than the last. Because of that, similar to XSS, we have seen the community seek other sites as refuge from law enforcement action and the fear of honeypots. In 2025, a clear front runner has been Dark Forums. However, this site has also already experienced changes in management as well as technical issues leading to downtime, and changes in domains.

Beyond forums, darknet marketplaces remain a central pillar of the underground economy, especially for drugs, fraud services, and stolen data. In 2025, they were hammered from both sides.

Archetyp Market was first seen in May 2020 and quickly became one of the largest drug markets operating. It specialized in the sale of drugs, including high-risk substances such as fentanyl. The site required registration and accepted funds via the “privacy” cryptocurrency Monero. With over 600,000 users and 3,200 vendors, the market facilitated transactions involving cocaine, meth, MDMA, and other narcotics. By its final days, it had moved an estimated $250–290 million in illicit goods, making it a titan among darknet marketplaces.

From June 11–13, 2025, Operation Deep Sentinel, led by Germany’s BKA and supported by Europol, Eurojust, Homeland Security Investigations (HSI) and law enforcement from five other countries, executed a coordinated takedown. Servers were seized in the Netherlands, digital assets were frozen, and the suspected site administrator, a 30-year-old German, was arrested in Barcelona. In addition, authorities confiscated millions in cryptocurrency, luxury vehicles, phones, and drugs in sweeping raids.

This followed a familiar pattern from earlier eras: Silk Road, AlphaBay, Hansa, Hydra. Each time a flagship market becomes large and visible enough, international law enforcement teams invest the time and resources to take it down.

In contrast to Archetyp’s law enforcement takedown, Abacus Market appears to have chosen the exit-scam route. An exit scam occurs when the administrators of a site close it down and, in the process, steal funds that they are holding in escrow from their customers and vendors.

Abacus had, by many accounts, become one of the highest-earning Western darknet markets in 2025. Then the warning signs started: users began reporting withdrawal delays and stuck balances. At the time, admins blamed technical problems, DDoS (distributed denial of service) attacks, and onboarding chaos from refugees fleeing other shut-down markets.

However, over time, more evidence pointed to a classic rug pull: no seizure banner, no official statement—just vanished infrastructure and a lot of missing crypto.

By mid-2025, most analysts agreed Abacus had exit-scammed, likely taking a substantial share of user balances and escrowed payments with it.

From the average user’s perspective, the result of both scenarios looks the same; one day the site works, the next day it doesn’t—and your coins are gone. However, the implications are very different.

In a law enforcement takedown scenario, agencies aim to identify operators, seize servers, and collect evidence. This means you will often see an official seizure banner on the site, indicating that it has been taken down and by whom. Law enforcement wants the site’s users to know that it has acted and views the banner as a warning to others. Increasingly, law enforcement has also used the seized user records to contact registered users, warning them that they are participating in criminal activity in an attempt to dissuade them from continuing.

For participants, that means risk doesn’t end when the site goes down; it may only be starting. Data recovered in 2025 can fuel cases and investigations for many years.

In an exit scam, the admins’ primary objective is to take as much money as possible and disappear. Early warning signs can include:

  • “Temporary” withdrawal freezes
  • Sudden policy changes around escrow and wallet management
  • Increasingly vague or aggressive communication from staff

Unlike with law enforcement action, there is no public banner and usually no immediate arrests—just silence.

Legally, the admin’s exposure doesn’t change much: they were already running an illegal market. But for users, the fallout is more about financial loss and fractured trust, rather than immediate deanonymization through seized databases.

In both cases, though, the users of the sites have to find a new home for their illegal trades and their communities.

While Tor-based marketplaces and forums grab headlines, 2025 also highlighted another front: shadow markets built on mainstream platforms. DarkOwl often refers to these sites as dark web adjacent, because they are used by the same actors for the same illegal activity but do not actually run on dark web technology such as Tor.

A notable example was the crackdown on channels associated with the underground ecosystem on Telegram. After the arrest of Telegram’s CEO in August 2024, the platform began to increase its moderation of the app, actively banning and suspending channels that it alleged were breaking its terms and conditions. This was not focused solely on markets on Telegram but was wide ranging.

These bans have had an impact on the market side of Telegram, particularly fraud services, laundering, and illicit financial services that were run via channels and bots.

Telegram’s enforcement actions—including mass bans and account purges—disrupted what analysts described as a multi-billion-dollar illicit economy.

This illustrates a broader trend: crime is platform-agnostic. When Tor markets are unstable, actors move to encrypted messaging apps (Telegram, Signal, Threema), private Discord servers, niche forums, invite-only groups, or even surface web sites. As Tor markets become more unstable and more likely to be disrupted by law enforcement action, many actors favor a simpler way of setting up their businesses.

For cyber security analysts, focusing solely on .onion sites risks missing a big slice of activity that’s happening on “regular” platforms. This is why DarkOwl monitors not just the dark web but also dark web adjacent sites.

Given all the takedowns and scams, is the dark web actually shrinking?

The short answer is no, not really. There is still a huge amount of criminal activity taking place on the dark web and it is important to track and monitor this activity to protect yourself and your organization and to combat crime. However, it is also important to acknowledge that the dark web is becoming more fragmented, less stable, and much harder to trust and therefore harder to track.

Long-lived giants like XSS and Archetyp are being removed or compromised. New markets and forums:

  • Launch quickly
  • Hit critical mass
  • Either get seized or exit-scam once the risk feels too high

That constant churn makes it harder to operate large-scale, long-term criminal infrastructure.

Vendors and buyers increasingly assume every market will die. As a result:

  • They keep smaller balances in market wallets.
  • They distribute activity across multiple platforms.
  • They rely more heavily on out-of-band communication (e.g., direct contact over Telegram) and reputation that travels across sites.

Exit scams hurt, but they are no longer surprising.

Forums like XSS and BreachForums played a key role in:

  • Announcing new markets
  • Arbitrating disputes
  • Establishing trust and reputations

But this made them and sites like them prime targets for:

  • Seizure and infiltration
  • Undercover operations
  • Intelligence collection on active and prospective offenders

By 2025, many actors treat high-profile forums as necessary but risky.

The XSS takedown and the BreachForums sentencing are reminders that investigations often span multiple years before going public, that sentences can be revisited and made harsher as courts and prosecutors recalibrate how serious digital crimes are, and that law enforcement agencies are increasingly comfortable with crypto tracing, infiltration, and complex international joint operations.

The underground can adapt quickly, but investigators are learning and iterating too.

If you follow this space for security, research, or policy, 2025 offers some clear lessons:

Names like “XSS,” “BreachForums,” or “Abacus” come and go. What persists is the actors who are active on these sites. They often work across multiple sites at once, and it is important to track whether and how they continue to operate and what networks they operate within. One way of doing this is following the money: monitoring any wallet addresses they share and how those transactions move across the blockchain. It is also possible to identify new and upcoming sites by monitoring existing sites and adjacent platforms for chatter from actors, and by identifying infrastructure patterns such as hosting choices and the tools used.
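The “follow the money” approach above can be made concrete. The Python below is an added example, not DarkOwl’s code or part of the original post: it pulls Bitcoin and Monero addresses out of a handful of constructed posts from different sites, discards legacy Bitcoin strings that fail the Base58Check checksum (a cheap way to avoid false positives), and lists every address that appears under more than one handle. The posts, site names and handles are invented; the Bitcoin addresses are well-known public examples (the genesis block address and the BIP173 bech32 example) and the Monero address is the Monero project’s public donation address, used only because the pattern needs a syntactically valid one. Bech32 and Monero addresses are matched by shape only, so their checksums are left unverified.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample posts, not real scraped data: (site, handle, text).
# The addresses are public examples and belong to no actor described on this page.
POSTS = [
    ("forum A (onion)", "vendor_alpha",
     "New shop opens next week, escrow deposits to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa only."),
    ("Telegram channel", "alpha_restock",
     "Market down again, pay direct: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa or XMR "
     "44AFFq5kSiGBoZ4NMDwYtN18obc8AemS33DBLWs3H7otXft3XjrpDtQGv7SqSsaBYBb98uNbr2VBBEt7f2wfn3RVGQBEP3A"),
    ("market B (onion)", "beta_pharma",
     "Support wallet bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq, first 10 orders half price."),
    ("market B (onion)", "gamma",
     "Test string 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb should not be counted."),  # bad checksum
]

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Loose patterns first; the Base58Check test below removes most false positives for
# legacy addresses. Bech32 (bc1...) and Monero are matched by shape only.
PATTERNS = [
    ("btc-legacy", re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")),
    ("btc-bech32", re.compile(r"\bbc1[ac-hj-np-z02-9]{11,71}\b")),
    ("xmr", re.compile(r"\b[48][1-9A-HJ-NP-Za-km-z]{94}\b")),
]


def b58check_ok(addr: str) -> bool:
    """True if addr decodes to 25 bytes whose last 4 equal SHA256d(first 21)[:4]."""
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)
    try:
        raw = n.to_bytes(25, "big")  # leading '1's are zero bytes; padding restores them
    except OverflowError:
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()
    return digest[:4] == raw[21:]


def extract_addresses(text: str):
    """Return [(kind, address)] found in text, dropping legacy BTC strings that fail the checksum."""
    found = []
    for kind, pat in PATTERNS:
        for m in pat.finditer(text):
            addr = m.group(0)
            if kind == "btc-legacy" and not b58check_ok(addr):
                continue
            found.append((kind, addr))
    return found


def link_handles(posts):
    """Map each address seen under more than one (site, handle) to the handles sharing it."""
    index = defaultdict(set)
    for site, handle, text in posts:
        for kind, addr in extract_addresses(text):
            index[(kind, addr)].add((site, handle))
    return {key: sorted(users) for key, users in index.items() if len(users) > 1}


if __name__ == "__main__":
    for (kind, addr), users in link_handles(POSTS).items():
        print(f"{kind} {addr} shared by:")
        for site, handle in users:
            print(f"    {handle} on {site}")
```

The same index generalises to anything an actor reuses across platforms (PGP fingerprints, messaging handles, hosting artefacts); a shared payment address is simply the pivot that is hardest for a vendor to rotate without losing customers.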

Takedowns come with positives and negatives for investigators. On the one hand, a source of intelligence has been removed. Sometimes we lose access to sites where we had good coverage and were able to obtain a large amount of information that assisted our investigations. Furthermore, the users of these sites tend to scatter, and it becomes a race to find the next site and to work out where the actors we are most interested in have moved.

On the other hand, it is a good outcome that illegal activity has been thwarted, usually with arrests and the seizure of infrastructure that reduce the activity. While we sometimes have to scramble to maintain oversight, the actors also have to scramble to find a new home, which can really slow them down; they also now fear that they are on law enforcement’s radar, which may deter some of them from the activity entirely. Furthermore, newly unsealed indictments can reveal OPSEC failures and tradecraft that assist future investigations, seizure notices and infrastructure details can feed your detections, and you can update risk assessments for actors tied to the seized forums and markets.

As exit scams become more common offenders tend to gravitate toward smaller, more “community-focused” markets. More trading moves into semi-closed spaces like invite-only Telegram channels and some actors may experiment with more robust escrow, multisig, and reputation mechanisms—but trust remains fragile. This means it can be more difficult to infiltrate and track the activity that is occurring. That has implications for everything from undercover operations to intelligence collection.

Serious illicit trade often uses a mix of different platforms, and it is important to have oversight of all of them which can include:

  • Tor markets and forums
  • Clearnet infrastructure (CDNs, bulletproof hosts, compromised servers)
  • Encrypted messaging platforms

A defensive strategy that stops at Tor is going to miss much of the real activity.

2025 didn’t “end” the dark web. But it did accelerate a shift that’s been visible for years:

  • Big, stable, centralized markets and forums are increasingly unsustainable.
  • Law enforcement is better at seizing infrastructure and tracing crypto.
  • Admins are quicker to pull the plug and disappear with user funds.
  • Users are more paranoid, more fragmented, and more willing to move between platforms.

For analysts, this is both good and challenging news. The chaos slows down some criminal operations—but it also pushes activity into smaller, harder-to-observe corners of the ecosystem. DarkOwl can assist in making sure you are able to monitor all areas where illicit activity is occurring and help you track actors as they react to takedowns and exit-scams. The dark web will continue but it will evolve and to mitigate risk it is important to closely track these changes.


Curious how DarkOwl can help? Contact us.

Four Inc. Partners with DarkOwl to Deliver Actionable Darknet Intelligence to the Public Sector

Herndon, VA – January 14, 2026

Four Inc. has been named a public sector technology provider for DarkOwl, the industry’s leading provider of darknet data. Under this agreement, DarkOwl will improve cybersecurity defense for the public sector through Four Inc.’s NASA Solutions for Enterprise-Wide Procurement (SEWPV), Information Technology Enterprise Solutions – Software 2 (ITES-SW2), and its network of channel partners. This collaboration combines Four Inc.’s expertise in delivering innovative solutions to the public sector with DarkOwl’s unique capability to identify, monitor, and analyze hidden online threats.

DarkOwl empowers public sector organizations with advanced darknet intelligence to support informed decision-making and rapid response. Its flagship platform, DarkOwl Vision, provides access to one of the world’s largest available databases of information collected from the darknet.  DarkOwl automatically, continuously, and anonymously collects and indexes darknet, deep web, and high-risk surface net data, enabling agencies to uncover exposed credentials, monitor threat actor activity, and identify emerging risks before they impact operations. Supporting critical missions across national security, infrastructure protection, and law enforcement, DarkOwl delivers comprehensive data and powerful analytics to help public sector teams reduce exposure, strengthen defenses, and maintain operational readiness in an increasingly complex cyber threat environment.


DarkOwl’s Vision platform is available immediately via Four Inc.’s SEWPV & ITES-SW2 Contract Vehicles. For more information, contact Four Inc. at [email protected]

About DarkOwl

DarkOwl, founded in 2009, is the industry’s leading provider of darknet intelligence, delivering the world’s largest commercially available index of darknet, deep web, and high-risk surface web content. The company enables government and enterprise organizations to identify exposed data, monitor emerging threats, and assess risk using continuously collected data, advanced analytics, and scalable intelligence tools. Supporting defense, national security, law enforcement, and critical infrastructure missions, DarkOwl helps organizations strengthen cybersecurity posture, respond more effectively to threats, and protect mission-critical operations.

Learn more at:  DarkOwl

About Four Inc.

Four Inc. is a respected Public Sector IT distributor and has earned a place on Washington Technology’s Top 100 Government Contractors list for ten consecutive years. With deep expertise in the federal IT contracting landscape and a well-established network of technology manufacturers and partners, Four Inc. consistently delivers the right solutions and services to meet government needs. Through their proven experience and dedication towards their core values, they have earned the IT community’s respect and trust.

Content, Content, Content: Top Blogs from DarkOwl in 2025

January 13, 2026

Thanks to our analyst and content teams, DarkOwl published over 100 pieces of content last year. DarkOwl strives to provide value in every piece written, highlighting new darknet marketplaces and actors, trends observed across the darknet and adjacent platforms, exploring the role the darknet has in current events, and highlighting how DarkOwl’s product suite can benefit any security posture. Below you can find 10 of the top pieces published in 2025.

Don’t forget to subscribe to our blog at the bottom of this page to be notified as new blogs are published.

1. Telegram’s Crackdown: Why Accounts Are Getting Banned and What You Need to Know

The founder and CEO of Telegram, Pavel Durov, was arrested on August 24, 2024, at Paris-Le Bourget Airport. French authorities detained him as part of an investigation into Telegram’s alleged insufficient moderation of illegal activities on its platform, including child exploitation and drug trafficking. Following his arrest, Durov was indicted on multiple charges on August 28, 2024. He was placed under judicial supervision, prohibited from leaving France, and required to post bail of €5 million. As of February 2025, Durov remains under judicial supervision in France, awaiting further legal proceedings, and must report to a police station twice a week. Should he be found guilty, the most serious charge, complicity in the administration of an online platform to enable organized crime and illicit transactions, carries a maximum penalty of 10 years’ imprisonment and a €500,000 ($521,000) fine.

In response to their CEO’s arrest, Telegram announced plans to enhance its moderation policies and expressed a willingness to cooperate more closely with law enforcement. It has sought to show that it is cooperating with authorities while claiming to continue to prioritize users’ privacy.

In this blog, we will explore what changes Telegram have said they have made, what effect DarkOwl analysts are seeing in response to these changes and what impact we expect to see in the future. Read blog here.

2. The State of Darknet Marketplaces in 2025: Trends, Metrics, and Insights

The darknet is a hidden part of the internet that operates beyond the reach of traditional search engines and mainstream platforms. Within this space, darknet marketplaces have emerged as virtual bazaars where anonymous buyers and sellers trade goods and services, often illicit, using privacy-focused technologies like Tor and cryptocurrencies such as Monero and Bitcoin. These markets are structured much like legitimate e-commerce sites, featuring product listings, vendor ratings, customer reviews, and even dispute resolution systems.

DarkOwl collects data from a wide range of marketplaces, capturing the breadth of listings, vendor activity, and community interactions. In this blog, we explore the state of darknet markets in 2025, highlighting which platforms lead in listings and vendor count, how products are distributed across categories, the flow of shipments around the world, and patterns of user engagement through reviews.

By examining these factors, we aim to provide a window into the scale, structure, and dynamics of this hidden economy, revealing both the major players and the underlying trends shaping the market landscape. Full blog here.

3. Extra! Extra! Read all about it! Archetyp Marketplace Takedown! 

In a major blow to the online drug trade, law enforcement agencies across Europe and the U.S. have taken down Archetyp Market, one of the most active and profitable dark web drug markets of the past five years. 

Launched in 2020, Archetyp wasn’t just another black market, it was the market. With roughly 600,000 users and 3,200 vendors, the platform facilitated transactions involving cocaine, meth, MDMA, and other narcotics. By its final days, it had moved an estimated $250–290 million in illicit goods, making it a titan among darknet marketplaces. Read blog here.

4. BreachForums Disruption Sparks Copycat Domains and Darknet Chaos

BreachForums abruptly went offline, prompting a wave of opportunistic copycat domains and widespread confusion within the dark web community. The shutdown—now allegedly confirmed via a PGP-signed statement by former administrators—was attributed to a zero-day exploit targeting the MyBB forum software. This vulnerability was reportedly exploited either by law enforcement or rival threat actors. Read more.

5. Dark Web Pharmacy and Illegal PX Medication Sales 

Dark web “pharmacies” have become a global black market for prescription medications and counterfeit drugs. These underground vendors operate on hidden parts of the internet, accessible only with special software like Tor, and sell everything from opioid painkillers and anxiety meds to fake pills. Recent international crackdowns have led to hundreds of arrests across multiple continents, showing just how far-reaching and organized this trade has become. By using encryption and anonymous networks, dark web drug sellers connect with buyers around the world while evading traditional law enforcement. This blog looks at where these rogue pharmacies are found and the platforms they use to move drugs outside the law. Check it out.

6. Threat Actor Spotlight: The Terrorgram Network: Origins, Operations, and Downfall

In April 2024, the UK took the unprecedented step of proscribing a group known as Terrorgram as a terrorist organization. The UK was the first country to take this step against the group, which consists of various Telegram channels used to share and encourage extremist ideologies and methodologies. This marked the first time a group that is primarily organized on a messaging app has been declared a terrorist organization.

In this blog we will explore the origins of the group, how they operated and the current status of the organization. Read more.

7. Whistleblower Sites 101

In this blog, DarkOwl analysts provide a summary of the digital whistleblower landscape, outlining the role of the dark web and examining some noteworthy whistleblower platforms. Read blog here.

8. What is Doxing?

This blog aims to provide a comprehensive overview of doxing, its implications, and strategies to safeguard against it. Learn more.

As we entered 2025, we predicted what would be the major trends of the year. The ever-shifting landscape of cybercrime continues to evolve, with the darknet remaining a significant hub for illicit activities. From emerging technologies to shifting criminal tactics, understanding these trends is critical for cybersecurity professionals, law enforcement agencies, and the general public alike. Drawing on industry expertise, this post identified seven major threats and trends expected to shape the darknet.
Full blog here.

10. Is Your City on the Dark Web? What Local Agencies Need to Know 

In 2023, investigators in a midsize U.S. city were tipped off to a darknet marketplace vendor offering “same-day delivery” of fentanyl-laced pills within specific zip codes. The listing named street corners and used coded references to local schools. It was not discovered by routine patrols or a community tip. It was found in an online space most local agencies never check: the dark web. 

The dark web is not just a place for global cybercriminal networks. It is a sprawling ecosystem where local-level threats are planned, traded, and discussed. Understanding what is being said about your city, and acting on it, can mean stopping crime before it happens. Read blog here.

2025, That’s a Wrap!

Thank you to everyone who reads, shares and interacts with our content! Anything you would like to see more of, let us know by writing us at [email protected]. Can’t wait to see what 2026 brings! Don’t forget to subscribe to our newsletter below to get the latest research delivered straight to your inbox every Thursday.

Threat Intelligence RoundUp: December

January 06, 2026

Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of what was most popular in our newsletter, that is, what our readers found most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. Bloody Wolf Threat Actor Expands Activity Across Central Asia – InfoSecurity Magazine

The threat actor group, Bloody Wolf, has been observed using remote-access software to infiltrate government targets throughout Central Asia. Cybersecurity researchers claim the group has shifted from traditional malware to “a streamlined Java-based delivery method”. Reports claim the group has been operating a sustained campaign in Kyrgyzstan since June 2025 and recently began targeting Uzbekistan. By using counterfeit PDF documents, spoofed web domains, and fraudulent emails to pose as the country’s Ministry of Justice, the group has manufactured an air of legitimacy that has facilitated their access. Once a victim opens the downloaded JAR file, the loader retrieves additional components and installs NetSupport RAT for remote control. Read full article.

2. Poland arrests Ukrainians utilizing ‘advanced’ hacking equipment – Bleeping Computer

Three Ukrainians, claiming to be IT specialists, were arrested by Polish police while traveling through Europe. During a routine traffic stop, officers searched the suspects’ vehicle and discovered items that could be “used to interfere with the country’s strategic IT systems, breaking into IT and telecommunications networks”. The seized equipment included a “spy device detector, advanced FLIPPER hacking equipment, antennas, laptops, a large number of SIM cards, routers, portable hard drives, and cameras.” The seized data was encrypted, but officers from Poland’s Central Bureau for Combating Cybercrime (CBZC) claim to have been able to collect evidence. Article here.

Hours after CVE-2025-55182 was made public, Amazon Web Services (AWS) observed two different Chinese hacking groups, Earth Lamia and Jackpot Panda, beginning to weaponize the vulnerability. CVE-2025-55182, aka React2Shell, allows unauthenticated remote code execution in React Server Components (RSC). Using automated scanning tools, these threat actors have also been observed exploiting additional vulnerabilities, including CVE-2025-1338. AWS attributed the activity to Earth Lamia because it reused infrastructure the group had used earlier in the year. This situation highlights threat actors’ systematic approach to abusing newly disclosed vulnerabilities quickly and scanning for common ones. Read more here.

On November 26, the Federal Communications Commission (FCC) announced that threat actors had been hijacking US radio transmission equipment and broadcasting fake emergency tones and offensive material. Several stations in Texas and Virginia were targeted, resulting in broadcasts being interrupted by emergency signals, alert tones, and obscene language. The threat actors targeted Barix network audio devices and reconfigured them to pull and play attacker-controlled streams. The FCC reports that the incidents stemmed from unsecured equipment, noting that some stations did not discover the compromise until after the attacks and were seemingly unaware as they unfolded. Read here.

5. CISA warns of Chinese “BrickStorm” malware attacks on VMware servers – Bleeping Computer

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns of Chinese hackers backdooring VMware vSphere servers with BrickStorm. Malware samples analyzed by the National Security Agency (NSA) and the Canadian Centre for Cyber Security were found on victim networks in which the attackers had specifically targeted VMware vSphere environments. In one incident, the threat actors compromised a web server in an organization’s demilitarized zone (DMZ) in April 2024, then moved laterally to an internal VMware vCenter server and deployed the malware. Learn more.

6. Glassworm malware returns in third wave of malicious VS Code packages – Bleeping Computer

First emerging in October, the Glassworm campaign has released 24 new packages distributing malware through the OpenVSX and Microsoft Visual Studio marketplaces. According to Koi Security, the Glassworm malware uses “invisible Unicode characters to hide its code”. Since its earlier detection, Glassworm has evolved technically, using Rust-based implants packaged inside extensions as well as the invisible Unicode trick. Once installed, the malware attempts to steal GitHub, npm, and OpenVSX accounts, as well as cryptocurrency wallet data from 49 wallet extensions. Additionally, the malware deploys a SOCKS proxy to route malicious traffic and give operators stealthy remote access. Read full article.
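The invisible-Unicode trick is easy to check for in a CI step or before installing an extension. The following Python is an added example, not code from the article, from Koi Security or from the Glassworm analysis: it scans a source file for code points that render as nothing (zero-width characters, bidi controls, variation selectors, the Tags block) and distinguishes a lone byte-order mark, which is common and harmless, from a long run of such characters inside code, which is not. The list of ranges and the run threshold are assumptions, and the sample extension entry point is constructed. How Glassworm decodes those characters back into executable code is not described on this page, so the scanner only flags and strips them.

```python
import unicodedata

# Code points that render as nothing (or nearly nothing) in an editor but survive in
# source files. These ranges are an assumption of what is worth flagging, not a list
# taken from the Glassworm analysis.
INVISIBLE_RANGES = [
    (0x200B, 0x200F),    # zero-width space/non-joiner/joiner, LRM, RLM
    (0x202A, 0x202E),    # bidi embeddings and overrides
    (0x2060, 0x2064),    # word joiner and invisible math operators
    (0x2066, 0x2069),    # bidi isolates
    (0xFE00, 0xFE0F),    # variation selectors
    (0xFEFF, 0xFEFF),    # byte-order mark / zero-width no-break space
    (0xE0000, 0xE007F),  # Tags block
    (0xE0100, 0xE01EF),  # variation selectors supplement
    (0x115F, 0x1160),    # Hangul choseong/jungseong fillers
    (0x3164, 0x3164),    # Hangul filler
    (0xFFA0, 0xFFA0),    # halfwidth Hangul filler
]

# Constructed sample: a tiny extension entry point with a leading BOM (common and
# usually benign) and a 20-character run of zero-width characters inside the
# function body, where nothing invisible has any business being.
SAMPLE_JS = (
    "\ufeffconst api = 'https://example.invalid';\n"
    "function activate(ctx) {" + "\u200b\u200c\u200d\u2060\ufeff" * 4 + "\n"
    "  return ctx;\n"
    "}\n"
)


def is_invisible(ch: str) -> bool:
    cp = ord(ch)
    if any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES):
        return True
    return unicodedata.category(ch) == "Cf"   # any other Unicode "format" character


def scan_source(text: str, min_run: int = 8) -> dict:
    """Report every invisible code point as (line, col, U+XXXX) and every run of at
    least min_run consecutive ones as (line, start col, length). Columns are 1-based."""
    chars, runs = [], []
    for line_no, line in enumerate(text.splitlines(), start=1):
        run_start, run_len = None, 0
        for idx, ch in enumerate(line):
            if is_invisible(ch):
                chars.append((line_no, idx + 1, f"U+{ord(ch):04X}"))
                if run_start is None:
                    run_start = idx + 1
                run_len += 1
            else:
                if run_len >= min_run:
                    runs.append((line_no, run_start, run_len))
                run_start, run_len = None, 0
        if run_len >= min_run:
            runs.append((line_no, run_start, run_len))
    return {"chars": chars, "runs": runs}


def verdict(report: dict) -> str:
    """Long runs mean something is being smuggled; isolated characters need a human look."""
    if report["runs"]:
        return "suspicious"
    return "review" if report["chars"] else "clean"


def strip_invisible(text: str) -> str:
    """What the code looks like once the hidden characters are removed."""
    return "".join(ch for ch in text if not is_invisible(ch))


if __name__ == "__main__":
    report = scan_source(SAMPLE_JS)
    print(verdict(report), report["runs"])
    for line_no, col, cp in report["chars"][:5]:
        print(f"line {line_no} col {col}: {cp}")
    print(strip_invisible(SAMPLE_JS))
```

Run it over every file in an extension’s VSIX or a package tarball before installation; a “suspicious” verdict on a JavaScript or TypeScript file is worth a manual look at the stripped output, since whatever remains visible is not the whole program.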

7. React2Shell flaw exploited to breach 30 orgs, 77k IP addresses vulnerable – Bleeping Computer

On December 3, React disclosed the vulnerability CVE-2025-55182, aka React2Shell, detailing “that unsafe deserialization of client-controlled data inside React Server Components enables attackers to trigger remote, unauthenticated execution of arbitrary commands.” In plain terms, React2Shell lets an attacker run code on a server without logging in. It can be triggered with a single HTTP request and affects any framework that uses React Server Components, including Next.js. Over 77K internet-exposed IP addresses are vulnerable to React2Shell, and researchers believe 30 organizations have already been compromised. Read full article.

8. RomCom Uses SocGholish Fake Update Attacks to Deliver Mythic Agent Malware – The Hacker News

The malware group RomCom has been observed using the JavaScript loader SocGholish to target a U.S.-based civil engineering company. By compromising poorly secured websites, the group injects fake Google Chrome or Mozilla Firefox update alerts into otherwise legitimate pages. These alerts trick users into downloading malicious JavaScript that installs a loader, which then retrieves additional malware. According to Arctic Wolf researchers, this allowed the threat actors to execute commands on the compromised host through a reverse shell connected to the command-and-control (C2) server, enabling activities such as system reconnaissance and deployment of a custom Python backdoor known as VIPERTUNNEL. Learn more.


Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.

DarkOwl 2025 Recap: A Quick Reflection & Updates

December 30, 2025

As 2025 draws to a close, as we do every year, our content and marketing teams are taking a moment to reflect on the exciting events, trends, and changes the DarkOwl team experienced throughout the year. From major product advancements to strategic partnerships and thought leadership in the darknet intelligence space, this year has been marked by progress and momentum. We’re grateful to our customers, partners, and community for your continued engagement and support — and we look forward to building on these successes in 2026!

We hope you continue to find the topics we explore valuable, enlightening, and engaging. One final marketing reminder for the year: be sure to sign up for our weekly newsletter to stay updated on the latest insights from our research and content teams!

Around the World & Across the Industry

In 2025, DarkOwl continued its commitment to engaging with the global cybersecurity community. The team was active at leading industry events, including the RSA Conference in San Francisco, where we showcased our platform capabilities and met with peers and customers to discuss the evolving threat landscape. Check out where we will be in 2026 and request time to meet here.

Beyond trade shows, DarkOwl shared insights through webinars and blog posts on cutting-edge topics — from artificial intelligence’s role in threat intelligence to emerging darknet trends — providing thought leadership to practitioners and analysts worldwide.

And don’t worry! The team also made time for some fun. This summer, in our annual company get-together, we got to meet our adopted owl. 3 years ago, we adopted an owl! He jumped early from his Michigan nest in 2015 and fractured his right wing in two places and was on the ground for about a week next to a barn before he was picked up by the landowners and brought to a rehabilitation center. He was sent to the Raptor Education Foundation in Denver in August, 2016 where he now lives. You can learn more about him on his dedicated adoption page. 

RSA Conference in San Francisco, CA
The team at HQ in Denver, CO
ISS World Europe in Prague, Czech Republic

Gotta show some pet love as well from our Pets Slack Channel (the best channel).😻

Yearly reminder: DarkOwl analysts and their pets recommend you never use your pet’s name in any password, as it is a popular guess for threat actors running dictionary and brute-force attacks.

Throughout 2025, our Product Team rolled out significant updates designed to empower analysts and security teams with deeper, more actionable darknet intelligence:

  • Enhanced Case Management: Vision UI now supports improved team workflows and collaboration with enhanced Case Findings features that include inline annotation and visual summary dashboards.
  • Leak Visualizations & Timeline Analytics: New visualizations help users grasp leak compositions and alert trends over time — enabling richer analysis and faster decision making.
  • Marketplace Intelligence: A major expansion of darknet marketplace capabilities incorporates rich structured data across dozens of fields — from vendor info to pricing and shipping — directly in Vision UI and API.
  • Universal Phone Query Builder & Export Flexibility: We introduced a Universal Phone Number Builder and expanded reporting formats — including Word export — to support a variety of operational needs.

These enhancements reflect our ongoing commitment to refining workflows, increasing visibility into complex data, and enabling faster, smarter insights for our users. These are just a few of the product updates made throughout the year! You can check out more in our quarterly blogs, starting here.


DarkOwl’s blog continued to be a hub for expert analysis on darknet intelligence, cyber threats, and cybersecurity trends. Notable posts from late 2025 included practical guides on cyber hygiene, explorations of how threat actors operate, and even insights into unique aspects of darknet ecosystems like vendor shipping choices.

In addition, DarkOwl was selected as the darknet technology of choice for Channel 4’s series Hunted, offering real-world demonstrations of how darknet intelligence supports investigative work.

2025 saw DarkOwl strengthen its global reach through a series of partnerships aimed at bringing darknet intelligence to more organizations:

  • Strategic Alliance with Ticura: A collaboration to simplify dark web monitoring workflows and broaden operational accessibility for security teams and MSSPs alike.
  • 8com GmbH & Co. KG Partnership: 8com integrated DarkOwl’s Vision UI and Search API into its SOC workflows to enhance early detection of compromised data and proactive defense measures.
  • Global Reseller Partnerships: Authorized reseller agreements — including with Hottolink in Japan — expanded access to DarkOwl’s threat intelligence solutions across international markets.

These collaborations underline DarkOwl’s role as a trusted provider of darknet intelligence to enterprises, security practitioners, and service providers around the globe.

As we close out 2025, we are energized by the rapid evolution of both cybersecurity challenges and the tools needed to address them. DarkOwl is committed to pushing the frontier of darknet intelligence — delivering deeper insights, smarter workflows, and stronger partnerships that equip our customers to stay ahead of threats.

Thank you for being part of our 2025 journey. Stay connected by subscribing to our newsletter, engaging with our content, and joining us at events in the year ahead!



The State of Darknet Marketplaces in 2025: Trends, Metrics, and Insights

December 18, 2025

The darknet is a hidden part of the internet that operates beyond the reach of traditional search engines and mainstream platforms. Within this space, darknet marketplaces have emerged as virtual bazaars where anonymous buyers and sellers trade goods and services, often illicit, using privacy-focused technologies like Tor and cryptocurrencies such as Monero and Bitcoin. These markets are structured much like legitimate e-commerce sites, featuring product listings, vendor ratings, customer reviews, and even dispute resolution systems.

DarkOwl collects data from a wide range of marketplaces, capturing the breadth of listings, vendor activity, and community interactions. In this blog, we explore the state of darknet markets in 2025, highlighting which platforms lead in listings and vendor count, how products are distributed across categories, the flow of shipments around the world, and patterns of user engagement through reviews.

By examining these factors, we aim to provide a window into the scale, structure, and dynamics of this hidden economy, revealing both the major players and the underlying trends shaping the market landscape.

In 2025, we collected unique listings from the leading darknet marketplaces, summarized in Figure 1(a). Vendor activity is shown separately in Figure 1(b).

Based on listing volume, the most active markets in our dataset were Black-Pyramid, Ares, Dark-Matter, Zelenka-Lolzteam, Nexus-Market, and Drughub. These platforms consistently generated high volumes of product posts across a wide range of categories, from narcotics and fraud services to digital goods and hacking tools. However, when ranking markets by the number of distinct vendors rather than total listings, a slightly different picture emerges. Zelenka-Lolzteam, Archetyp, Drughub, Dark-Matter, Blackopps, and Black-Pyramid attracted the largest number of sellers overall, illustrating how some markets excel at breadth of vendors even if they generate fewer listings per seller.

Market stability in 2025 remained a challenge, as several high-profile platforms experienced abrupt shutdowns. MGM-Grand, Archetyp, Abacus, and Elysium-Market all disappeared mid-year, either due to law enforcement intervention or suspected exit scams. Their closures caused sudden shifts in vendor migration patterns and contributed to the overall volatility of the ecosystem. These dynamics highlight the importance of tracking not just market size but also operational longevity, resilience, and community trust.

Figure 1: Top Markets by (a) Unique product listings and (b) unique vendors

Reviews play a crucial role in darknet marketplaces because they are one of the few publicly visible indicators of community engagement, trust, and transaction legitimacy. In environments where users operate anonymously and traditional reputation systems are absent, reviews help buyers gauge vendor reliability, product quality, and the likelihood of receiving what they paid for. They also offer insight into vendor longevity and buyer satisfaction—information that listing counts alone cannot provide.

On these markets, review activity becomes a broader marker of community health. Reviews show that buyers are active, transactions are taking place, and vendors are accumulating reputational signals that others can verify. When users take the time to leave feedback, it fosters a shared sense of accountability within an otherwise anonymous ecosystem. Markets with consistent review activity tend to feel more dynamic and trustworthy: buyers rely on collective experience to avoid scams, vendors depend on feedback to differentiate themselves, and the community becomes more informed and resilient. In this way, engagement acts as a stabilizing force, shaping user behavior and contributing to the long-term viability of a market. Measuring review activity, therefore, offers more than a participation metric—it provides a window into the social dynamics that influence market stability, consumer decision-making, and the overall trust architecture of the darknet ecosystem. It must also be considered, however, that reviews may be written by the vendors themselves to make it appear that they are active and deliver good service.

To quantify these dynamics, we examined review activity across markets. Overall, 68% of the markets we collected included some form of user review or feedback mechanism. Among those markets, 23% of listings had at least one review; across all markets (including those without review systems), 16% of listings received reviews. On markets that supported reviews, listings averaged 7 reviews per post, rising to 16 reviews when considering only listings that had reviews. Notably, ten of the fourteen top markets discussed above offered review functionality. Figure 2 shows the percentage of listings with reviews across these top markets, illustrating the varying levels of community engagement.

Figure 2: Markets with the highest customer engagement based on percentage of listings with reviews

In addition to examining overall activity and community engagement, we conducted a category-level analysis across the full DarkMart dataset, not just the top markets. Whenever markets provided category labels, we extracted and normalized them into 11 high-level categories to create a consistent taxonomy across platforms. For listings without explicit category metadata, we applied a clustering-based classification approach to assign them to the most likely category based on listing text and semantic similarity. This allowed us to produce a unified view of the thematic composition of the ecosystem.
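To make the normalization step concrete, the following is an added illustration, not DarkOwl's pipeline or code. The bucket names "Drugs and Chemicals", "Fraud" and "Counterfeit Items" come from the blog; the "Digital Goods" bucket, the seed vocabularies and the sample listings are constructed for the example. A nearest-bucket term-overlap score stands in for the clustering-based classifier the blog describes, which is an assumption made here purely to show how a label-first, text-fallback assignment can be measured.

```python
"""Normalise marketplace category labels into a fixed taxonomy and assign a
bucket to listings that carry no usable label.

Added illustration, not DarkOwl's pipeline. Bucket names "Drugs and
Chemicals", "Fraud" and "Counterfeit Items" come from the blog; the
"Digital Goods" bucket, the term lists and SAMPLE_LISTINGS are constructed.
A nearest-bucket term-overlap score stands in for the clustering-based
classifier the blog describes (an assumption of this example).
"""
import re
from collections import Counter

# Seed vocabulary per bucket (constructed). Insertion order breaks ties.
TAXONOMY = {
    "Drugs and Chemicals": {"drug", "drugs", "cannabis", "opioid", "opioids",
                            "stimulant", "stimulants", "psychedelic", "psychedelics",
                            "pharmacy", "chemical", "chemicals", "thc", "edibles"},
    "Fraud": {"fraud", "carding", "phishing", "account", "accounts", "takeover",
              "forged", "identity", "id", "ids"},
    "Counterfeit Items": {"counterfeit", "counterfeits", "replica", "replicas",
                          "fake", "fakes", "currency", "banknotes"},
    "Digital Goods": {"digital", "ebook", "ebooks", "software", "guide", "guides"},
}
UNCLASSIFIED = "Unclassified"


def _tokens(text):
    """Lower-case alphanumeric tokens; also splits label separators such as '>' or '/'."""
    return re.findall(r"[a-z0-9]+", (text or "").lower())


def _best_bucket(text):
    """Return (bucket, score) for the bucket sharing the most tokens with the text."""
    toks = set(_tokens(text))
    scores = {bucket: len(toks & vocab) for bucket, vocab in TAXONOMY.items()}
    bucket = max(scores, key=scores.get)  # first bucket in TAXONOMY order wins ties
    return bucket, scores[bucket]


def normalize_category(raw_label):
    """Map a market-supplied label such as 'Drugs > Cannabis > Buds' to a bucket, or None."""
    bucket, score = _best_bucket(raw_label)
    return bucket if score > 0 else None


def classify_by_text(text):
    """Fallback for unlabelled listings: nearest bucket by term overlap, else Unclassified."""
    bucket, score = _best_bucket(text)
    return bucket if score > 0 else UNCLASSIFIED


def assign_category(listing):
    """Prefer the normalised label; fall back to listing text when the label is absent or unknown."""
    bucket = normalize_category(listing.get("category"))
    if bucket is None:
        bucket = classify_by_text(f"{listing.get('title', '')} {listing.get('description', '')}")
    return bucket


def category_distribution(listings):
    """Percent of listings per bucket, rounded to one decimal place."""
    counts = Counter(assign_category(item) for item in listings)
    total = sum(counts.values())
    return {bucket: round(100 * n / total, 1) for bucket, n in counts.items()}


SAMPLE_LISTINGS = [  # constructed records, not real listings
    {"market": "Market-A", "category": "Drugs > Cannabis > Buds", "title": "Indoor flower, 10 g"},
    {"market": "Market-A", "category": "Fraud/Carding", "title": "Account login bundle"},
    {"market": "Market-B", "category": None, "title": "Replica luxury watch with branded box"},
    {"market": "Market-B", "category": "", "title": "Forged identity documents"},
    {"market": "Market-C", "category": "Misc", "title": "Handmade candle, gift set"},
    {"market": "Market-C", "category": None, "title": "THC edibles, domestic shipping"},
]

if __name__ == "__main__":
    for item in SAMPLE_LISTINGS:
        print(item["market"], "->", assign_category(item))
    print(category_distribution(SAMPLE_LISTINGS))
```

The label-first rule matters for the distribution: a market's own taxonomy is usually a better signal than listing text, so the text fallback only fires when the label is missing or maps to nothing, and listings that match no vocabulary are kept as "Unclassified" rather than forced into a bucket.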

Figure 3 presents the distribution of these categories across all markets in our dataset. The landscape is dominated by Drugs and Chemicals, which account for 68% of all listings. This aligns with longstanding trends in darknet commerce, where narcotics represent the bulk of transactional activity. The next largest categories are Fraud (13%) and Counterfeit Items (7%). The Fraud category encompasses offerings such as stolen payment-card data, phishing kits, account takeovers, and forged or altered identification documents. Counterfeit items include fake currency, imitation branded goods (e.g., luxury watches, designer bags), and various forged certificates or documentation.

Because drugs and chemicals dominate the darknet marketplace landscape, we took a closer look at the different types of products within this category. The right side of Figure 3 shows the distribution of subcategories, offering insight into the variety of goods vendors specialize in.

Cannabis leads the subcategories, accounting for 41% of listings, and includes traditional cannabis as well as THC-infused products. Following cannabis are opioids (14%), including powerful painkillers like Fentanyl and Heroin, which act on the body’s opioid receptors. Psychedelics (11%), including LSD, psilocybin mushrooms, and Ketamine, also make up a significant portion; these substances alter perception, mood, and cognition.

Stimulants (12%), including Methamphetamine, Cocaine, and other “speed” drugs, increase alertness and energy, while depressants (3%), such as Xanax and GHB, slow brain activity and are often prescribed for anxiety or sleep disorders. Party drugs (7%), such as MDMA and Ecstasy, are designed to enhance sociability and create feelings of empathy, often used in recreational settings. Finally, miscellaneous drugs (3%) cover a variety of specialized items, from hormonal treatments and sexual enhancement products to vaping-related substances.

Taken together, this subcategory breakdown illustrates not just the sheer volume of drug-related listings, but also the diversity of products and specialization among vendors. It shows how darknet marketplaces cater to a wide range of consumer needs, from medical and recreational to niche and experimental.

Figure 3: DarkMart category and subcategory breakdown (Drugs and Chemicals)

We also examined the shipping data available for our 2025 product listings. Figure 4 illustrates the flow of shipments from source countries to destination countries. For clarity, we excluded listings where the source or destination was listed as “worldwide” and aggregated countries into broader continents or regions.

Unsurprisingly, the bulk of shipments occur within North America. Europe follows a similar pattern, with many shipments staying within the continent, but European vendors also reach a wide range of international destinations. North America, too, sends products across the globe, including to regions like Africa—even though Africa itself contributes very few listings as a point of origin.

Some patterns are particularly striking. A small subset of products reportedly ships from and to Antarctica, highlighting the unusual and niche nature of certain listings. Asia exhibits a more modest version of Europe’s international reach, with most shipments staying regional but a smaller proportion traveling worldwide.

Overall, the shipping data reveals that while most transactions remain regional, darknet markets are capable of supporting truly global commerce. The map also underscores the asymmetry of trade: some regions are primarily exporters, others primarily importers, and a few see very limited activity despite being part of the network. These flows offer a window into how products, and by extension, vendors, connect distant parts of the world in a complex, global ecosystem.

Figure 4: Shipping flows within DarkMart

Our 2025 analysis of darknet marketplaces paints a picture of a highly active and evolving ecosystem. Some markets dominate in listings, while others attract the largest communities of vendors. Drug-related listings continue to account for most of the activity, with fraud and counterfeit items forming significant secondary categories. Shipping data highlights both regional concentration and surprising international reach, while review metrics reveal the importance of community engagement in fostering trust and reliability in an otherwise anonymous environment.

Taken together, these insights offer a comprehensive snapshot of the darknet economy, one that shows both the scale of activity and the social dynamics that sustain it. As markets rise, fall, and adapt, ongoing monitoring is essential to understand the forces shaping this hidden corner of global commerce.


Holiday Shopping on the Dark Web: The Myths vs. The Reality

December 16, 2025

The dark web often gets portrayed as a lawless digital bazaar where you can buy anything, from stolen identities to malware, services, how-to guides, hit men and even human organs, as long as you know where to look. The assumption is that all illegal things are available to purchase on the dark web.

But how much of that reputation is true? Especially during the holiday season, when sensational headlines tend to resurface and most people are looking for a few stocking fillers! So, as we approach the holiday shopping season, we wanted to explore the myths and realities of dark web “holiday shopping”: what is truly available to criminals, how they find it, and what we can do to combat this through dark web monitoring.

This is the biggest misconception. Movies and tabloids love to exaggerate the dark web’s capabilities and the activities that take place there.

The Reality:

The dark web is messy, unreliable, and full of scams. Many “products” that criminal forums advertise are fake, recycled, or outright frauds designed to steal from other criminals. Law-enforcement stings, exit scams, and disappearing marketplaces happen constantly. And most things are not readily available. The criminals still require access to these goods – meaning they need a supply chain, and they have to have the means of sending these goods or services to their customers.

That is not to say that you can’t buy nefarious goods on the dark web – it is well known for its booming drug markets, and hacking tools and services are readily available, lowering the barrier to conducting some attacks. Furthermore, the sale of stolen data only continues to grow as we move into 2026.

Some people imagine a slick interface full of products and reviews.

The Reality:

This isn’t false. A lot of dark web marketplaces do model themselves after more mainstream commercial retail sites. Most marketplaces have listings, reviews, shipping time frames, and images of their listings. There is even a marketplace called Awazon!

That being said, most dark web markets are also unstable and can be confusing, slow, and filled with phishing mirrors. A lot of listings can also be scams, with vendors offering goods and accepting payments for goods they never intend to ship. Even the markets that try to mimic legitimate platforms collapse frequently — sometimes due to law enforcement, sometimes because operators run off with users’ funds. But this is not always the case – some markets are more mature and stable than others.

You’ll occasionally see rumors about festive deals on illicit services or stolen data. Some markets will provide advertisements offering deals for things such as “Black Friday.”

The Reality:

Seasonal themes are mostly cosmetic. Some forums change banners or run small, informal “events,” but the idea of “Cybercriminal Black Friday Sales” is largely sensationalized. What does rise is scam activity — low-effort attempts to take advantage of distracted users. Usually “serious” vendors do not care what time of year it is – the price they set is based on the product they have and what they think people will pay for it. We have seen huge demands for stolen data in this last year – some of which have been paid either as a ransom or by other criminals hoping to use the data for their own gain.

Headlines often imply a constant flow of fresh, highly sensitive data which is easily accessible to anyone who wants to access it.

The Reality:

Much of what circulates on dark web forums is outdated breach material, repackaged, and resold repeatedly. Combolists are known to pull data from multiple leaks which can be years old. Other threat actors may attempt to make more money by repackaging leaks which have already been sold.

Real, recent data is harder to obtain, tightly controlled, and often monitored by law-enforcement agencies. Ethically, this data should not be purchased, which makes it more difficult to access for those who monitor leaks of these data sets for protective purposes. What’s more, a media report of a data leak does not mean that the data will be available on the dark web. Some threat actors steal data for their own personal use or negotiate within closed groups.

Dark web content is frequently portrayed as exclusively illegal.

The Reality:

Not all dark web browsing is illicit. Whistleblowers, journalists, and privacy researchers use Tor for legitimate reasons. There are many legitimate sites on the dark web that help share true information and combat censorship. The technology is neutral — it’s the illegal marketplaces that create risk. Therefore, whenever accessing dark markets it is important to make sure you are doing so in a legal and ethical manner and never purchasing goods without legal authorization. This is why using DarkOwl to track the sale of these goods can be the safest way forward.

  • Phishing mirrors multiply as scammers impersonate well-known markets.
  • Pop-up marketplaces appear, then disappear with users’ money.
  • Fake “limited time” offers lure inexperienced users.
  • An increase in account-takeover attempts occurs as criminals hunt for holiday shopping creds to resell.

Cybercriminals know people are stressed, rushed, and spending more. It’s prime scamming season. This does not just apply to the dark web. All consumers should be hyper-vigilant to scams during the festive time of year.

The festive season brings out the creativity — and opportunism — of cybercriminals. But most dark web holiday myths crumble under scrutiny. Understanding the reality helps prevent people from falling for exaggerated stories… and from stumbling into dangerous territory.


Who’s Delivering the Darknet?

December 11, 2025

When we think of darknet marketplaces, the focus is usually on the products: drugs, counterfeit goods, stolen data, and more (linked are just a few of the blogs where DarkOwl has covered these examples). But behind every transaction lies a critical question: how does it get delivered? Shipping choices aren’t just logistical; they reflect trust, risk, and strategy in the underground economy. In this blog, we explore which carriers dominate the darknet, how preferences differ across marketplaces, locations, and product categories, and what these patterns reveal about the hidden infrastructure supporting illicit trade.

Shipping is the final connection between vendor and buyer, and on darknet markets the choice of carrier shapes how a transaction is carried out. Vendors consider factors such as reliability, delivery speed, risk of scrutiny, and whether the shipment is domestic or international.

Not all listings specify shipping information. In DarkOwl’s enhanced market dataset within its DarkMart data store, a little over half (55%) of listings collected between January 2025 and November 2025 include any shipping details at all. This suggests that many vendors either keep logistics flexible or negotiate them directly with buyers. Among those listings that do include shipping information, the level of detail varies widely. Some specify a particular carrier, while others use general terms like standard or express without naming a particular service. Listings may include multiple carrier options or alternative delivery methods such as dead drops or digital delivery (see Figure 1). In some cases, only shipping price or estimated delivery time is provided, with no carrier identified.

Figures 1 and 2: Example listings with varied shipping options

For consistency, our analysis focuses on the four major global shipping companies most frequently mentioned:

  • USPS – The United States Postal Service (USPS) is the primary postal operator in the U.S., handling nationwide mail and package delivery. Its widespread domestic network makes it a frequent option for shipments within the country. Because USPS handles so much daily mail volume, some vendors may view it as the safest way to blend in.
  • DHL – An international courier service headquartered in Germany. DHL maintains a strong global presence, particularly in Europe, and provides express and cross-border shipping to more than 220 countries and territories. DHL has a strong footprint in Europe and is known for smooth cross-border shipping, which makes it appealing for vendors sending goods overseas.
  • FedEx – A major U.S.-based courier service offering express, ground, and international delivery. FedEx operates an extensive global logistics network and is well known for its fast turnaround times. Its tight tracking and security can make some vendors hesitant, though others prefer it for speed of delivery.
  • UPS – Another large U.S.-based courier and logistics company with a broad ground and air network. UPS provides domestic and international parcel delivery, along with a wide range of supply-chain services. Vendors who want consistent delivery but don’t need overnight speed may lean toward UPS.

In addition to these major carriers, we also tracked references to regional postal services such as Deutsche Post, Royal Mail, and GLS, as well as nontraditional delivery methods like digital delivery and dead drops. While these alternative methods were less common than standard shipping, they illustrate the variety of strategies vendors use to move goods. Below, Figure 3 shows the distribution of all delivery types.

Overall, USPS was the most frequently mentioned carrier, appearing in 34% of listings that named a shipping vendor, followed by DHL (24%), FedEx (14%), and UPS (7%). Royal Mail, dead drops, Deutsche Post, and GLS appeared in a smaller subset of listings, with a combined total of 8%. While we considered all of these shipping methods in our analysis, the rest of this blog focuses specifically on the four main carriers: USPS, DHL, FedEx, and UPS.

Figure 3: shipping type distribution, based on number of listings within DarkOwl’s DarkMart data store

Shipping patterns vary noticeably across darknet marketplaces. Some sites show clear loyalty to certain carriers, while others provide a mix of options. For example, MGM Grand, Dark Matter, Mars Market, and Velox Market are dominated by USPS listings, suggesting a preference for this domestic carrier. On the other hand, Crown Market, TorZon Market, and DrugHub display a more balanced mix, with FedEx and DHL appearing frequently. Certain markets, such as Courier Market, Halfbreed, and King Market, lean more heavily toward DHL, particularly for international shipments. Meanwhile, Revolution Market and Ares offer a fairly even spread across at least three of the four major carriers. Notably, UPS does not dominate in any marketplace, appearing more sporadically across listings. Figure 4 illustrates the distribution of shipping options across these top markets.

Figure 4: Distribution of shipping types across the top markets

Beyond marketplace-level trends, we also examined the origins and destinations of shipments for each major carrier. For this analysis, we focused on listings specifying country-to-country routes, rather than broader “country-to-worldwide” entries. Each country was mapped to its corresponding region or continent to simplify the view. Figure 5 presents these flows using Sankey diagrams, which visually show the volume of shipments between source and destination regions.
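Both the carrier distribution behind Figure 3 and the route-to-region mapping behind Figure 5 depend on pulling structure out of free-text shipping fields. The block below is an added example of that extraction, not DarkOwl's code: the carrier names follow the blog's Figure 3, while the regular expressions, the country-to-region table and the sample shipping fields are constructed for this example. It drops "worldwide" routes from the flows, as the blog does, and reports coverage, per-carrier share and region-to-region counts.

```python
"""Parse free-text shipping fields from marketplace listings: which carriers
or delivery methods are named, and which region-to-region route is offered.

Added illustration, not DarkOwl's code. Carrier names follow the blog's
Figure 3; the regexes, the COUNTRY_TO_REGION table and SAMPLE_LISTINGS are
constructed for this example.
"""
import re
from collections import Counter

# Carrier / delivery-method patterns, matched case-insensitively (constructed).
CARRIER_PATTERNS = {
    "USPS": r"\busps\b",
    "DHL": r"\bdhl\b",
    "FedEx": r"\bfed ?ex\b",
    "UPS": r"\bups\b",
    "Royal Mail": r"\broyal ?mail\b",
    "Deutsche Post": r"\bdeutsche ?post\b",
    "GLS": r"\bgls\b",
    "Dead drop": r"\bdead ?drops?\b",
    "Digital delivery": r"\bdigital\b|\binstant delivery\b",
}
_COMPILED = {name: re.compile(p, re.I) for name, p in CARRIER_PATTERNS.items()}

# Country code -> region (constructed subset). "worldwide" routes are excluded from flows.
COUNTRY_TO_REGION = {
    "US": "North America", "CA": "North America",
    "DE": "Europe", "NL": "Europe", "UK": "Europe", "GB": "Europe",
    "JP": "Asia", "AU": "Oceania", "ZA": "Africa",
}
# Matches "US to DE", "UK -> AU", "DE to worldwide" (two-letter codes in upper case).
ROUTE_RE = re.compile(r"\b([A-Z]{2}|[Ww]orldwide)\s*(?:to|->)\s*([A-Z]{2}|[Ww]orldwide)\b")


def extract_carriers(shipping_text):
    """All carriers / delivery methods named in the field, in CARRIER_PATTERNS order."""
    return [name for name, rx in _COMPILED.items() if rx.search(shipping_text or "")]


def extract_route(shipping_text):
    """(source_region, destination_region), or None when unspecified, 'worldwide' or unmapped."""
    m = ROUTE_RE.search(shipping_text or "")
    if not m:
        return None
    src, dst = m.group(1), m.group(2)
    if "worldwide" in (src.lower(), dst.lower()):
        return None  # excluded for clarity, as in the blog's Figure 4/5 methodology
    route = (COUNTRY_TO_REGION.get(src), COUNTRY_TO_REGION.get(dst))
    return route if None not in route else None


def shipping_coverage(listings):
    """Percent of listings carrying any shipping text at all."""
    with_info = sum(1 for item in listings if (item.get("shipping") or "").strip())
    return round(100 * with_info / len(listings), 1)


def carrier_share(listings):
    """Percent of carrier-naming listings that mention each carrier.
    A listing naming several carriers counts once per carrier, so shares can sum past 100."""
    counts = Counter()
    naming = 0
    for item in listings:
        found = extract_carriers(item.get("shipping"))
        if found:
            naming += 1
            counts.update(found)
    return {name: round(100 * n / naming, 1) for name, n in counts.items()}


def region_flows(listings):
    """Counter of (source_region, destination_region) for listings with a mapped route."""
    routes = (extract_route(item.get("shipping")) for item in listings)
    return Counter(r for r in routes if r)


SAMPLE_LISTINGS = [  # constructed shipping fields, not real listings
    {"shipping": "Ships from: US to US. USPS Priority, 2-3 days, tracked"},
    {"shipping": "from DE to worldwide, DHL express or Deutsche Post"},
    {"shipping": "UK -> AU, Royal Mail or DHL"},
    {"shipping": "Digital delivery, instant after payment"},
    {"shipping": "dead drop only, NL to NL"},
    {"shipping": ""},
    {"shipping": "US to ZA via FedEx International, 5 days"},
]

if __name__ == "__main__":
    print("coverage %:", shipping_coverage(SAMPLE_LISTINGS))
    print("carrier share %:", carrier_share(SAMPLE_LISTINGS))
    print("flows:", dict(region_flows(SAMPLE_LISTINGS)))
```

Two design points carry over to real data: word-boundary patterns keep "UPS" from firing inside "USPS", and the route parser returns nothing rather than guessing when a side is "worldwide" or an unmapped code, so the flow counts only contain routes the listing actually stated.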

USPS listings show a heavy concentration of domestic deliveries within North America, along with a notable stream of transatlantic shipments to Europe. DHL’s activity is also centered around Europe, but it distinguishes itself as the primary carrier facilitating large volumes of shipments moving from Europe to Asia and Oceania. FedEx, by contrast, is dominated by routes from North America to Africa and Europe, with comparatively fewer packages staying within North America. UPS displays yet another pattern: most of its activity remains within Europe, with a smaller, though visible, share of shipments originating in North America and heading primarily to African destinations.

These patterns highlight the distinct regional footprints of each carrier. North American vendors rely heavily on USPS and FedEx for both domestic and transatlantic shipments, while European markets are served mainly by UPS and DHL. DHL’s broader international reach underscores its role in longer-distance trade, particularly to Asia and Oceania. Overall, the flow patterns reveal how vendors align carrier choice with both origin and destination regions, reflecting practical considerations like geographic coverage, shipping speed, and the global nature of darknet commerce.

Figure 5: Shipping to/from for (a) USPS, (b) DHL, (c) FedEx, and (d) UPS

We also reviewed which types of products were being shipped by each carrier. To do this, we looked at the product categories listed in each shipment and normalized them for consistency, focusing only on listings that included both a category and one of the major carriers. Figure 6 shows how each carrier is distributed across the top three categories.

Unsurprisingly, Drugs and Chemicals made up the largest share of shipments, followed by Fraud and Counterfeit Items. Drugs and Chemicals include illicit narcotics, prescription medications, and psychoactive substances, as well as precursor chemicals. Fraud includes items such as stolen credit card data, phishing kits, and fake IDs, while Counterfeit Items include counterfeit currency, fake branded goods (e.g., watches, bags), and forged documents. USPS clearly dominates the Drugs and Chemicals category, with DHL and FedEx appearing less frequently. DHL stands out as the primary carrier for fraud and counterfeit goods.

Figure 6: Category shipping by type

These patterns hint at how vendors match products to carriers based on shipping needs. USPS’s prominence in drugs and chemicals suggests a focus on domestic or shorter-range shipments, whereas DHL’s role in fraud and counterfeit items highlights its reach for international deliveries. FedEx’s presence across multiple categories may indicate its flexibility for both speed and cross-border logistics. Overall, the distribution of products across carriers gives a window into the practical considerations shaping darknet shipping—showing how the type of product can influence both the choice of carrier and the geographic scope of the shipment.

Shipping on the darknet is far from random; it’s a carefully chosen part of the trade. Different carriers dominate specific markets, regions, and product types. USPS dominates deliveries within the U.S., especially for drugs and chemicals, while DHL and FedEx handle more international shipments and fraud-related goods. UPS shows up but rarely takes the lead. Across marketplaces, countries, and product types, clear patterns emerge: vendors align their carriers with the practical demands of each shipment, from speed and reliability to geographic reach. These trends reveal that even in illegal markets, logistics and strategy matter. By looking at how goods move, we gain a window into the hidden infrastructure that keeps darknet commerce running smoothly, an underground network that’s as much about moving packages as it is about managing risk and trust.


Copyright © 2024 DarkOwl, LLC All rights reserved.
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.