[DEVELOPING] Impacts of Ukraine Invasion Felt Across the Darknet

Last updated: April 18 18:30 UTC

The DarkOwl team are actively tracking the fallout from Russia’s invasion of Ukraine. The effects of the kinetic military operation are causing ripples across global cyberspace, including the critical underground ecosystems of the deep and darknet.


18 April 2022 – 01:12 UTC

DDoSecrets Leaks 222GB of Data from Gazregion Collected by Anonymous Hacktivists

Three different hacktivist groups (Anonymous, nb65, and DepaixPorteur) submitted archives consisting of emails and sensitive corporate files from Gazregion, a Russian supplier specializing in gas pipeline construction that directly supports Gazprom.

There have been numerous claims of attacks against Gazprom by Anonymous and other cyber offensive groups since the invasion of Ukraine. nb65 posted to social media that they compromised SSK Gazregion on 3 April with their version of the CONTI ransomware (see the 03 April entry below).


18 April 2022 – 01:12 UTC

nb65 Claims Attack Against Russian JSC Bank PSCB with CONTI Ransomware

The hacktivist group Network Battalion 65 (nb65) claims to have attacked JSC Bank PSCB in Russia and encrypted its network with their version of the CONTI ransomware.

The group stated they exfiltrated over 1TB of data, including financial statements, tokens, tax forms, client information, and sensitive databases, before deleting all backups to prevent restoration of data and functionality.

The hacktivists further taunted the bank, stating how grateful they were that it stored so many credentials in Chrome – a browser for which several emergency security patches have recently been released.

We’re very thankful that you store so many credentials in Chrome. Well done. It’s obvious that incident response has started. Good luck getting your data back without us.

15 April 2022 – 21:59 UTC

GhostSec Leaks Data from domain[.]ru Hosting Provider

The hacktivist group GhostSec claims to have targeted the Russian internet domain registration provider domain[.]ru in a cyberattack. The group exfiltrated over 100MB of data, including screenshots of sensitive files and Excel spreadsheet data.

According to the README file in the data leak, GhostSec identified over 4TB of SQL databases during the breach, but in the excitement the team’s presence was detected by the company’s intrusion detection systems and they were kicked off the network before the SQL data could be harvested.


15 April 2022 – 17:52 UTC

nb65 Confirms Attack on Continent Express; DDoSecrets Leaks 400 GB of Russian Travel Agency’s Data

The attack on the Russian travel agency Continent Express occurred several days ago (see the 05 April entry below) and was confirmed shortly afterwards by the organization. DDoSecrets assisted nb65 in leaking over 400GB of sensitive files and databases from the travel agency. The contents of the leak have not been confirmed.


15 April 2022 – 14:32 UTC

Anonymous Takes Over Pro-Russian Discord Accounts

Hacktivists from the Anonymous Collective have taken control of several pro-Russian accounts on the chat platform Discord and are now using these accounts to circulate pro-Ukrainian messaging. An Anonymous member, @v0g3lsec – who has been extremely active in the #opRussia campaign – shared an image of a hacked account where they posted links and information about squad303, an information operations group that helps volunteers send messages about the invasion to random Russian citizens via SMS, WhatsApp, and email.


14 April 2022 – 20:02 UTC

DDoSecrets Leaks Unprecedented Amount of Email Data from Russian Organizations

In the last three days, DDoSecrets uploaded archives for five (5) different organizations across Russia, totaling roughly 1.97 million emails and about 2 TB of data:

  • 230,000 emails from the Blagoveshchensk City Administration (Благове́щенск) – 150GB
  • 230,000 emails from the Ministry of Culture of the Russian Federation (Министерство культуры Российской Федерации) responsible for state policy regarding art, cinematography, archives, copyright, cultural heritage, and censorship – 446 GB
  • 250,000 emails from the Department of Education of the Strezhevoy (Стрежево́й) City District Administration – 221GB
  • 495,000 emails from the Russian firm Technotec, which has provided oil and gas field services along with chemical reagents used in oil production and transportation – 440GB
  • 768,000 emails from Gazprom Linde Engineering, which specializes in designing gas and petrochemical processing facilities and oil refineries – 728GB

13 April 2022 – 17:09 UTC

CISA Issues Alert About Destructive Malware Targeting US Critical Infrastructure

A joint advisory issued by the Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) details how nation state actors (likely sponsored by the Russian government) have demonstrated the capability to gain full system access to multiple industrial control system (ICS) and affiliated supervisory control and data acquisition (SCADA) devices. The critical alert indicated there is an immediate HIGH cybersecurity risk to critical infrastructure around the US. The devices include:

  • Schneider Electric programmable logic controllers (PLCs);
  • OMRON Sysmac NEX PLCs; and
  • Open Platform Communications Unified Architecture (OPC UA) servers.

For more information read the advisory along with recommended security mitigation measures here: https://www.cisa.gov/uscert/ncas/alerts/aa22-103a


12 April 2022 – 15:31 UTC

ATW | Blue Hornet Announces That They are a “State-Sponsored” Group

The “GOD” account representing AgainstTheWest (APT49) on the new BreachedForums (with many users from the now officially seized RaidForums) announced moments ago that they are indeed a “state-sponsored” cyber group with “direct instructions to infiltrate, attack and leak the country of China, Russia, Iran, North Korea & Belarus.” The group’s Twitter account was also blocked by Russia’s Kremlin account earlier this week and the notification of this block was included in the post.

There is no way to verify the accuracy of the statement posted and it’s unclear whether or not the group will continue their operations in support of Ukraine.


11 April 2022 – TIME UNKNOWN

CONTI Claims Responsibility for Cyberattack Against German Wind Turbine Company

On 31 March, the German wind turbine manufacturer Nordex suffered a significant cyberattack (see the 31 March entry below). CONTI has now claimed responsibility for the attack – more than 10 days later – by posting the company’s name to their public-facing Tor leak site. We anticipate that the RaaS gang will leak sensitive corporate data shortly.


11 April 2022 – 20:58 UTC

Anonymous Compromises Regional Government of Tver, Russia; Leaks 130,000 Emails from Governor’s Mail Server

Hacktivists from the Anonymous Collective using the monikers DepaixPorteur and wh1t3sh4d0w0x90 have compromised the domain tverreg[.]ru, believed to be associated with the Regional Government of Tver, Russia. Tver is located 110 miles (180km) northwest of Moscow on the banks of the Volga River. The archive is over 116GB in size and consists of over 130,000 emails exfiltrated from Governor Igor Rudenya’s email system, dating from 2016 through 2022. The governor was appointed by President Putin in 2016.

Anonymous previously shared a leak of data on Russian regional governors on the darknet on 23 March 2022.


11 April 2022 – 14:35 UTC

Finland Suffers Cyberattack; Announces They Will Expedite Application for NATO Membership

On 8 April, the Finnish government confirmed that many of its military, defense, and foreign affairs web servers experienced unsophisticated yet concerted DDoS attacks, likely originating from Russian threat actors. The cyberattacks coincided with the start of Ukrainian President Zelenskyy’s address to the Finnish Parliament on the status of the war in Ukraine, around 10:30 GMT.

On the same day, the Finnish Ministry of Defense confirmed that, hours earlier, a Russian state-owned aircraft had also breached Finland’s airspace off Porvoo in the Gulf of Finland – the first such violation in over two years. The aircraft, an Ilyushin IL-96-300 transport airplane, was traveling east to west and landed in Berlin.

Both Finland and Sweden have signaled they will be submitting applications to join NATO. According to open-source reporting, Finland will likely finalize their application during the month of May in time for a NATO summit scheduled in Madrid, Spain in June.

Kremlin spokesman Dmitry Peskov stated that Russia would have to “rebalance the situation” with its own measures should Sweden and Finland choose to join NATO.


09 April 2022 – 03:39 UTC

ATW | BH Group Leaks Data Stolen from Russian Temporary Work Agency and Recruitment Firm: Rabotut

AgainstTheWest (Blue Hornet) announced on their Telegram channel that they successfully targeted the domain rabotut[.]ru belonging to Rabotut, a “federal scale service” supplier in Russia. According to the threat actor, the archive includes the organization’s entire back-end and front-end source code, API keys, and SSL keys. According to open sources, Rabotut is a temporary workers agency that provides contract employees to a number of critical government and corporate businesses around the country.

The contents of the leak are being verified by DarkOwl analysts.


08 April 2022 – 21:41 UTC

KelvinSecurity Team Targets Russian Cryptocurrency Scam Website: alfa-finrase

KelvinSec released data reportedly from the domain alfa-finrase[.]com, known for trading in fraud data, e.g. passports, driver’s licenses, and other sensitive PII. The group claims to have exploited the website, shut down a cryptocurrency scam, deleted 400GB from the site’s server, and exposed 1.4GB of customer data from the deep web store.


07 April 2022 – 19:30 UTC

DDoSecrets Leaks Over 400,000 Russian Organization Emails Exfiltrated by Anonymous Operations

The leak site DDoSecrets once again assisted the Anonymous hacktivist collective in distributing sensitive data exfiltrated from companies and organizations in Russia. Three archives were leaked – within minutes of each other – for three organizations: Petrofort, Aerogas, and Forest. The data in these corporate email archives spans decades of commercial activity.

  • Petrofort: 244GB archive consisting of over 300,000 emails between employees and clients. Petrofort is one of the largest office space and business center operators in Saint Petersburg.
  • Aerogas: 145GB archive consisting of over 100,000 emails between employees and clients. Aerogas is an engineering company supporting Russia’s critical oil and gas infrastructure, with customers such as Rosneft, NOVATEK, Volgagaz and Purneft.
  • Forest (Форест): 35GB archive consisting of over 37,000 emails between employees and clients. Forest is a Russian logging and wood manufacturing company associated with many high-value construction projects across the country.

A representative from DDoSecrets shared thoughts about the extraordinary volume of leak data coming out of Russia in a social media post earlier this week.


06 April 2022 – 21:42 UTC

Anonymous Claims to Attack Russian MAUK Cinema, Mirkino Belebey

Members of Anonymous using the aliases ShadowS3c and Anonfearless3c have allegedly targeted servers for the Russian cinema and movie theatre Mirkino Belebey (domain: mirkino-belebey[.]ru). The Mirkino theatre is also known as the MAUK Cinema, a.k.a. “World of Cinema”, in the Belebeevsky District of Russia.

The hacktivists have leaked screenshots of credential data from the breached database containing hundreds of usernames, email addresses, and passwords.

This entry will be updated if/when the leak contents can be confirmed.


06 April 2022 – 20:42 UTC

Hajun Project Identifies Russian Soldiers Who Sent Parcels from Belarus Back to Russia

On April 3rd, the Hajun Project published three hours of surveillance camera footage from a CDEK delivery service located in Mazyr, Belarus. The video shows several soldiers from the Russian Armed Forces sending, among other things, items stolen from Ukrainians, during their “special military operation.”

Using leaked personal data available across the darknet and deepweb, the Hajun Project further confirmed the identities of the Russian military consignors and have released the names and phone numbers for at least 50 of the servicemen that sent parcels around the same time as the published camera video.

The Hajun Project maintains a Telegram channel and Twitter account monitoring and tracking the movement of military land and air assets in Belarus.


05 April 2022 – 16:22 UTC

Ukraine’s Defense Intelligence Agency (GURMO) Conducts SCADA Attacks on Gazprom

Due to the sensitivities of on-going military operations, there is limited detail available on the nature of the attack, but it appears that offensive cyber units under the direction of the Main Directorate of Intelligence of the Ministry of Defense of Ukraine conducted SCADA cyberattacks against Gazprom pipelines. The attacks began within 48 hours of a fire at an oil depot in Russia’s Belgorod region last Friday, which western media reported was the first time Ukrainian helicopters had been spotted crossing the border.

The cyberattacks likely triggered an underground gas leak from a highly pressurized gas pipeline in the village of Verkhnevilyuysk; the leak was reported in Russian open sources. Shortly after this, an explosion occurred in the “Urengoy-Center-2” main gas pipeline, which civilians captured on the Russian social media platform VK as a large fire in the Lysvensky district of the Kama region near the village of Matveevo.

Over-pressurizing gas lines by manipulating the industrial control systems (ICS) that regulate them is a documented method of using cyber means to cause kinetic damage to pipeline critical infrastructure. The Congressional Research Service detailed such security risks to ICS in its 2021 report.


05 April 2022 – 14:21 UTC

Anonymous Leaks Data from Russian Rations Supplier, Korolevskiy

The company Korolevskiy (korolevskiy[.]ru) appears to supply Russian companies and organizations with grain, nuts, and confectionery, in addition to rations for the military. This cyberattack could impact the availability of some food ingredient supplies, such as sugar, which is already in short supply and skyrocketing in price across the country due to sanctions.

The data leak includes an 82GB archive containing thousands of emails exfiltrated from the company’s mail servers.


05 April 2022 – 12:29 UTC

nb65 Claims to Hack Civilian Travel Service in Retaliation for Bucha Massacre

Anonymous and hacktivists around the world stepped up their offensive against Russia after images of Russian soldiers’ war crimes and atrocities against civilians in Bucha emerged on Monday.

Network Battalion 65 (nb65) reportedly targeted Continent Express (continent[.]ru), a Russia-based travel and supply company, with Conti’s ransomware variant in retaliation for the crimes.

Continent Express is one of the largest travel agencies in Russia and helps arrange tickets and accommodations. As of the time of writing, the public-facing website for continent[.]ru is operational.

The group’s threatening message posted to social media called out the company’s CEO, Stanislav Kostyashkin, as shown in the image below.

“Why, you ask? The answer is simple. We read and watched the coverage of Bucha with horror. The utter lack of humanity in the way Russian soldiers have treated the civilian population of Ukraine left us all in tears. The world has pleaded with your country to put an end to this madness driven by the mind of a cowardly tyrant: your president.”

(Update 6 April 2022) Earlier today, Continent Express posted to their news section of the website acknowledging the cyberattack but stated that important data and booking systems were not affected.


04 April 2022 – 12:29 UTC

DDoSecrets Distributes Data Exfiltrated by nb65 From Russian Broadcasting Company

Earlier in the campaign, nb65 leaked a sample of files and emails from the All-Russia State Television and Broadcasting Company (VGTRK / ВГТРК). The Russian state-owned broadcaster operates five national TV stations, two international networks, five radio stations, and over 80 regional TV and radio networks, and has been heralded as essential for the “security of the state.”

According to former VGTRK employees, Kremlin officials have dictated how the news should be covered and provided incendiary phrases meant to discredit Ukraine. The former employees said that editors normally have freedom to make decisions, but “where big politics are concerned, war and peace, he has no freedom.”

The 786 GB archive contains over 900,000 emails and 4,000 files spanning 20 years of operations at the broadcaster.


04 April 2022 – 06:24 UTC

Anonymous Leaks List of Russian Soldiers Deployed in Bucha

Anonymous shared a PDF file containing the identities of members of Russia’s 64th Motor Rifle Brigade, which was positioned in the Kyiv suburb of Bucha. Since Russia’s withdrawal from the town, the atrocities and war crimes carried out by members of the Brigade have come to light.

The PDF consists of 87 pages detailing the identities of over 1,600 members of the Brigade, including their full name, date of birth, and passport number.

The file most likely originated from the Ukrainian government or intelligence services.


03 April 2022 – 06:16 UTC

Anonymous Shares Data Leaked from Russian Federal Agency for State Property Management

Anonymous shared a single PostgreSQL database, presumably from the domain rosim.gov.ru, containing over 785MB of logged web activity for the domain, accessible via the domain user kluser. Much of the data is several years old and includes IP addresses, domains, and user agents of site visitors. Without further analysis, the value of leaking this data, other than for psychological operations and information warfare, is unclear.


03 April 2022 – 05:07 UTC

nb65 Claims to Compromise Russian Gas Pipeline Supplier: SSK Gazregion

nb65 shared on social media that they successfully hacked SSK Gazregion LLC (domain: ssk-gaz.ru) – a prominent natural gas pipeline construction company – with an ‘improved’ version of Conti’s ransomware. They taunted the company’s IT department, claiming that they had also deleted all backups and that restoring services would be a problem for the department.

They also claim to have exfiltrated 110GB of sensitive files, emails, and company data during the operation, and trolled the company further by stating that it took forever to steal the data over the “chincy ass soviet connection” they were using for Internet connectivity.

“Federal Government: This will stop as soon as you cease all activity in Ukraine. Until then, fuck you. Your President is a coward who sends Russian sons away to die for his own ego. War in Ukraine will gain your country nothing but death and more sanctions. None of your internet facing tech is off limits to us.”
“We won’t stop until you stop.”

03 April 2022 – 04:24 UTC

ATW Release Dox of KILLNET Member

Similar to the personal details it shared for various APT cyber groups in China, Russia, and North Korea, ATW targeted the pro-Russian cyber group KILLNET. They released a dox containing a Russian national’s personal information, social media accounts, contact information, and familial associations.

KILLNET has claimed to launch cyberattacks against Polish government and financial networks in support of Putin’s invasion of Ukraine. Last week, KILLNET also reportedly conducted DDoS attacks against the international cyber police agency CYBERPOL and hacked the ticketing system at Bradley International Airport in Connecticut.


02 April 2022 – 17:28 UTC

Darknet Threat Actor, spectre123 Releases Sensitive Databases for the Indian Government and Military

The threat actor is well known for targeting governments and defence contractors and has been circulating sensitive government databases for some time. This weekend, they released a “mega leak” of Indian government data in response to the Modi administration’s “turning a blind eye to the humanitarian crisis…. in Ukraine.”

Over 40 GB of data is included in 11 different archive files and includes classified (up to TOP SECRET) and Confidential government documents from the following bodies: ALISDA, DGAQA, MSQAA, DRDO, DDP, the Joint Defence Secretary of India, BSF, the MOD, and the Indian Navy.

“The Indian government has a remarkably twisted propensity towards turning a blind eye to the humanitarian crisis in their own nation and now as well in Ukraine. It continues to do business with Russia and refuses to speak on the war, all in an effort to maintain their shallow political interests. These documents have been released to show that there are consequences for taking such foolish decisions.”

02 April 2022 – 06:13 UTC

ATW | BH Claims to Leak Personal Details of Members of Nation State APT Cyber Groups: APT3, APT40, APT38, & APT28

The AgainstTheWest group continued their offensive against Chinese, North Korean, and Russian nation state cyber groups. In a dox-style text file released on Telegram and the deep web forum breached.co, the ATW group included the names, email addresses, social media and GitHub accounts, credit card data, front companies, and other identifying information about the groups’ participants, along with other shocking claims. Some include:

  • APT38: China and North Korea have collaboratively had a mole inside the United States Congress since 2011.
  • APT3: Threat actors are closely aligned with employees of Tencent – the Chinese technology giant behind WeChat and QQ.
  • APT38/APT3: The alias “ph4nt0m” appears in information for both groups and is believed to be affiliated with APT17 from China.
  • APT40: Threat actors are allegedly connected to employees of ByteDance, the parent company of TikTok.

We are unfortunately unable to corroborate the veracity of the information shared by ATW (Blue Hornet).


01 April 2022 – 20:13 UTC

Anonymous Attacks Russian S-300 Supplier: Lipetsk Mechanical Plant

Anonymous shared another large archive of data stolen from a prominent Russian defense manufacturing facility. The archive is nearly 27GB total and consists of company emails and sensitive documents.

Russia’s “Lipetsk Mechanical Plant” produces several defense products for the Russian military and industrial defense complex. Today, the plant is one of the leading and main manufacturers of modernized self-propelled tractors for S-300V4 anti-aircraft missile systems in Russia. The S-300 is one of Russia’s premier air-defense platforms.


01 April 2022 – 16:00 UTC

Anonymous Leaks Multiple Data Archives From Critical Moscow-Based Organizations

Coordinating distribution through DDoSecrets today, Anonymous shared several highly significant archives, consisting of over 500GB in total of emails, files, and databases from critical Russian organizations with close ties to the Russian government.

  • Department for Church Charity and Social Service of the Russian Orthodox Church: Database containing 57,500 emails from the Russian Orthodox Church’s charitable wing.
  • Capital Legal Services: 200,000 emails exfiltrated from a prominent Russian law firm, plus an additional 89,000 emails located in a “Purges” mailbox, consisting largely of bounced email notifications, cron jobs and other server notifications.
  • Mosekspertiza: Three archives consisting of a) 150,000 emails, b) 8,200 files and c) multiple databases, totalling over 400GB of data. Mosekspertiza is a state-owned company set up by the Moscow Chamber of Commerce to provide expert services and consultations to Russian businesses.

1 April 2022 – 08:56 UTC

GhostSec Wreaks Additional Havoc on Alibaba

After ATW attacked Alibaba Cloud days before, Ghost Security has allegedly hacked and deleted the Elasticsearch database of Alibaba’s UAE branch. They posted a link to the database extracted from the company on their Telegram channel.

We have also deleted everything and even cleared the backups so there is no recovery, and we left a little celebration from us <3

31 March 2022 – TIME UNKNOWN

German Wind Turbine Company Impacted by Cyberattack

Nordex, a German wind turbine manufacturer with over $6 billion in global sales, faced a cyberattack that incident responders caught “in the early stages.” It is likely the attack is retaliation for Germany pausing the Nord Stream 2 natural gas pipeline deal with Russia.

“Customers, employees, and other stakeholders may be affected by the shutdown of several IT systems. The Nordex Group will provide further updates when more information is available.”

In the early days of the cyberwar, a cyberattack on the satellite communications company Viasat caused 5,800 Enercon wind turbines in Germany to lose remote monitoring and control.


31 March 2022 – 19:43 UTC

Anonymous Leaks 62,000 Emails from Moscow-Based Marathon Group

Anonymous again targeted associates of those closest to Putin, launching cyberattacks against the Marathon Group. The Marathon Group is an investment firm owned by Alexander Vinokurov. Vinokurov is the son-in-law of Russian Foreign Minister Sergei Lavrov and is under heavy EU sanctions for providing financial support to Russia. The leaked archive is over 51GB in size and is being distributed via DDoSecrets.


31 March 2022 – 14:31 UTC

Ukraine Government Sets Up Website for Whistleblower Reporting

The Ukrainian Prosecutor General’s Office, in coordination with the National Agency on Corruption Prevention and Task Force Ukraine, deployed the Whistleblower Portal on the Assets of Persons Involved in the Russian Aggression against Ukraine. The website is set up to provide a secure and anonymous method for submitting tips and evidence of corruption and any activities causing national harm. The website will ideally help in the “tracing, freezing, and confiscating of assets of those involved in Russia’s War Crimes.”

Many OSINT sleuths have identified Russian oligarchs’ and government officials’ assets, like super yachts parked in international ports, and have submitted photographs via posts on social media. This website could be used to officially report supporting information leading to the seizure of those assets, or other correlative intelligence obtained through leaks shared by Anonymous.


30 March 2022 – 22:09 UTC

Database Containing the PII of 56 Million Ukrainian Citizens Leaked on Deep Web

A user on the forum breached.co leaked an archive containing the personal identification information of over 56 million citizens of Ukraine. The database includes the full name, date of birth, and address of each individual. The origin of the data is unclear; members of the forum stated it came from the Ukrainian Tax Service and could date back to 2018.


30 March 2022 – 21:53 UTC

ATW Continues Offensive Against China, Leaks Alibaba Cloud & Ministry of Justice of PRC Data

The AgainstTheWest/Blue Hornet group have ramped up their attacks against Chinese targets and leaked the largest archive they have exfiltrated to date. ATW claim to have breached the e-commerce company Alibaba and have dropped a 30GB archive consisting of data from Alibaba’s cloud endpoint environment, source code, and customer data. They also released a smaller database obtained from the Ministry of Justice of the People’s Republic of China. Both were shared on the deep web forum breached.co.


30 March 2022 – 19:49 UTC

Anonymous Continues to Encourage SCADA Attacks; Leaks Default Credentials for COTS Hardware Suppliers

Members of the Anonymous Collective are circulating spreadsheets and websites containing the factory-default credentials for much commercial-off-the-shelf (COTS) vendor hardware. This hardware, in turn, is frequently the foothold in SCADA-based industrial control system (ICS) cyberattacks, because a device that still accepts its factory username and password can be logged into by anyone who can reach it on the network.

One list includes 138 unique products from manufacturers such as Emerson, General Electric, Hirschmann, and Schneider Electric, each accompanied by its factory settings, such as username: admin and password: default. Another resource is a surface web website (intentionally not linked here but available upon request) which lists 531 vendors and over 2,100 passwords deployed with hardware from the factory.

Sadly, many operators leave the default passwords in place after installation and never move to a more robust credential standard: unique per-device credentials, changed on commissioning and verified periodically against the same public default lists an attacker would use.
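As an added example (not DarkOwl’s code or any vendor’s tooling), the following Python script illustrates the check an asset owner would run against such a list: it reads a device inventory export and flags every device whose stored credential is blank, matches a factory default for its product, reuses a default from another product of the same vendor, or simply equals the username. The vendor names, product names, default pairs and the inventory rows are constructed placeholders, not verified defaults for any real product, and the script assumes the stored credential is available to the auditor (for example from a configuration backup or a credential vault export).

```python
# Added example, not code from DarkOwl or any hardware vendor. Audits a device
# inventory for factory-default or weak credentials. DEFAULT_CREDS and
# SAMPLE_INVENTORY are constructed placeholders; replace them with a maintained
# reference list and a real inventory export.
from __future__ import annotations

import csv
import io
from dataclasses import dataclass


# Constructed reference list: (vendor, product) -> factory (username, password)
# pairs. Vendors and products are hypothetical; usernames are stored lowercase.
DEFAULT_CREDS: dict[tuple[str, str], set[tuple[str, str]]] = {
    ("examplevendor", "plc-1000"): {("admin", "default"), ("admin", "admin")},
    ("examplevendor", "switch-200"): {("admin", "private"), ("operator", "public")},
    ("othervendor", "rtu-x"): {("root", "")},  # ships with a blank password
}

# Constructed inventory export (hypothetical hosts); password column is the
# credential currently configured on the device.
SAMPLE_INVENTORY = """host,vendor,product,username,password
plc-a,ExampleVendor,PLC-1000,Admin,default
sw-b,ExampleVendor,Switch-200,admin,Str0ng-Pass!
rtu-c,OtherVendor,RTU-X,root,
sw-d,ExampleVendor,Switch-200,admin,admin
gw-e,ThirdVendor,GW-9,svc,svc
plc-f,ExampleVendor,PLC-1000,admin,admin
"""


@dataclass(frozen=True)
class Finding:
    host: str
    username: str
    reason: str


def _norm(value: str | None) -> str:
    """Normalise vendor/product strings so 'PLC-1000' and 'plc-1000' compare equal."""
    return (value or "").strip().lower()


def audit_inventory(inventory_csv: str) -> list[Finding]:
    """Return one Finding per device that still uses a blank, factory-default,
    vendor-default or username-equals-password credential. Usernames are
    matched case-insensitively; passwords are compared exactly."""
    # Defaults pooled per vendor: operators often reuse one product's default
    # on a sibling product, so a vendor-wide match is still worth flagging.
    by_vendor: dict[str, set[tuple[str, str]]] = {}
    for (vendor, _product), pairs in DEFAULT_CREDS.items():
        by_vendor.setdefault(vendor, set()).update((u.lower(), p) for u, p in pairs)

    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        host = (row.get("host") or "").strip()
        vendor, product = _norm(row.get("vendor")), _norm(row.get("product"))
        username = (row.get("username") or "").strip()
        password = row.get("password") or ""
        cred = (username.lower(), password)

        if password == "":
            findings.append(Finding(host, username, "blank password"))
        elif cred in DEFAULT_CREDS.get((vendor, product), set()):
            findings.append(Finding(host, username, "factory default for this product"))
        elif cred in by_vendor.get(vendor, set()):
            findings.append(Finding(host, username,
                                    "factory default of another product from this vendor"))
        elif password.lower() == username.lower():
            findings.append(Finding(host, username, "password equals username"))
        # Devices from vendors absent from the reference list are only checked
        # for blank or username-equals-password credentials.
    return findings


if __name__ == "__main__":
    for finding in audit_inventory(SAMPLE_INVENTORY):
        print(f"{finding.host:8} user={finding.username:10} {finding.reason}")
```

Running it against the constructed inventory flags five of the six hosts; only sw-b, the one device with a unique password, passes. The vendor-wide check deliberately catches sw-d, which reuses the PLC default admin/admin on a switch, the kind of shortcut a per-product lookup alone would miss.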


30 March 2022 – 18:19 UTC

Anonymous Leaks 5,500 Emails Stolen from Thozis Corporation

Anonymous successfully attacked Thozis Corporation – a Russian investment firm with links to Zakhar Smushkin of St. Petersburg. According to the Panama Papers, the company is registered in the British Virgin Islands. The firm is allegedly involved in one of the largest development projects in Russia, including a project to build a satellite city within St. Petersburg.

The trove of leaked emails likely includes sensitive documents and agreements between the Russian government, its societal elite, and other international entities.

DDoSecrets assisted in the publication of the 5.9GB archive obtained by Anonymous.


30 March 2022 – 17:55 UTC

GhostSec Leaks Shambala Casino Network Data

GhostSec claimed a few days ago they had successfully attacked a prominent casino operator in Russia, known as Shambala.

The hacktivist group targeted the casino as they believed members of the Russian government used Russian casinos to move cash into different currencies besides the Ruble. At least 27 computers were reportedly compromised, data exfiltrated, systems locked, and files erased.


29 March 2022 – 06:12 UTC

Russian Aviation Sector Suffers Additional IT Operational Impacts

A post shared on the Russian Telegram channel Авиаторщина indicates that the Russian aviation industry will face additional impacts to its IT support with the withdrawal of the Swiss-based company SITA as of 29 March.

According to the Telegram post, SITA shutting down its operations will impact numerous systems used by the aviation industry and airlines across Russia.

[translated]

“Products for pilots such as AIRCOM Datalink, AIRCOM FlightMessenger, AIRCOM FlightTracker, and AIRCOM Flight Planning services will no longer be available. Such software is utilized by airlines and flight crews to plan, perform aeronautical calculations and track flights, and more accurately calculate remaining fuel, flight time, etc.”

The company – which chose to withdraw from operating in Russia due to Putin’s invasion – suffered a significant cyberattack on 24 February, the same day as the invasion of Ukraine, resulting in the compromise of passenger data stored on its SITA Passenger Service System (US) Inc. servers. SITA supports numerous international air carriers.

This announcement comes within days of the cyberattack against Rosaviatsiya (see below), Russia’s Federal Air Transport Authority.

(Update 30 March – 23:42 UTC) No alias associated with Anonymous has claimed credit for the 28 March cyberattacks against Rosaviatsiya, which resulted in 65TB of lost agency data. Interestingly, new Anonymous groups have only recently joined the campaign, including RedCult, increasing the likelihood that widespread industry sector attacks will continue across Russia.


28 March 2022 – 18:23 UTC

nb65 Claims to Hack JSC Mosexpertiza; Steals 450GB of Sensitive Data

In a social media post, the nb65 hacktivist group claims they compromised Joint Stock Company (JSC) Mosexpertiza, Moscow’s independent center for expertise and certification, via the domain mosekspertiza.ru.

They also claim to have infected the domain with none other than Conti’s “crypto-locking ransomware variant”, released earlier this month in the opRussia campaign. In the process of hacking the network, nb65 also exfiltrated 450GB of emails, internal documents, and financial data.


28 March 2022 – 17:07 UTC

Anonymous Leaks 140,000 Emails from Russian Oil & Gas Company, MashOil

The Anonymous hacktivist collective recently targeted MashOil, releasing over 140,000 sensitive corporate emails from the company, distributed via DDoSecrets.

Moscow-based MashOil manufactures equipment for hydraulic fracturing and enhanced oil recovery (EOR); injection, nitrogen and cementing equipment; top drive mobile drilling rigs; directional drilling equipment; and ejector well clean-up.

Anonymous continues to target companies in Russia and any companies that continue to contribute to economic and financial viability for the Russian Federation.


28 March 2022 – 12:41 UTC

Anonymous Leaks Russian Document Ordering Propaganda Video Development

Knowing propaganda is widely circulated by both Ukrainian and Russian affiliated organizations, Anonymous has leaked an official Russian document, titled “On holding informational events on the Internet”, dated 21 March 2022, stating this was an official “order issued” by the Russian government to develop videos to discredit the Ukrainian military and their treatment of prisoners of war (POWs). The order was signed by the “Temporary Minister of Defense of the Russian Federation”, Dmitry Bulgakov and decrees:

  1. Develop and distribute a series of video materials demonstrating the inhuman behavior of the military personnel of the Armed Forces of Ukraine and nationalist formations on the territory of Ukraine in relation to prisoners who showed a voluntary desire to surrender
  2. Develop and distribute sermographic materials, evidence of the use of briefings by captured military personnel of the Armed Forces of the Russian Federation during the filming
  3. Provide informational support for materials in the comments, the main argument is the violation of the Geneva Convention on the Treatment of Prisoners
  4. To impose control over the implementation of this order on the head of the Information Warfare and Disguise Department of the Ministry of Defense of the Russian Federation

(UPDATE 29 March 2022 – 20:56 UTC) DarkOwl advises that recent open source intelligence research suggests this letter could be fake and disseminated as part of an information operations campaign. Researchers caught signature mismatches for the Russian official, Bulgakov. Such data is a reality in the fog of asymmetric warfare.


28 March 2022 – 11:58 UTC

Ukrainian Defense Intelligence Doxxes 620 Russian FSB Agents

The Ukrainian Military Intelligence Agency of the Ministry of Defence of Ukraine, known simply as Defence Intelligence of Ukraine or GUR, has leaked the identities of over 600 Russian FSB spies. The database includes the agents’ full names, dates of birth, passport numbers, passport dates of issue, registration addresses, as well as other identifying markers for the FSB employees.

Many of these agents may be conducting covert operations around the world and leaking their identities may compromise the success of their operations.


28 March 2022 – 11:05 UTC

ATW (BH) Targets Chinese Companies and Government Organizations

After a brief vacation announced on 23 March, the AgainstTheWest (Blue_Hornet) group returns with concerted attacks against a number of Chinese companies and government organizations. The group claims they successfully attacked the following:

  • Fenglian Technology-Digital Ecological Platform Solution
  • Bluetopo China security development tool
  • China Pat Intellectual Property
  • Weipass
  • Ministry of Transport China
  • Freemud Software (supplier to Starbucks)
  • China Joint Convention Committee.

The group also referenced a supply-chain software dependency attack, via a poisoned burgeon-r3 NPM package.

Shortly after the announcement and initial round of leaks, the group also released source code affiliated with China Guangfa Bank, along with associated Maven releases. The group also claims to have breached the Chinese social messaging platform, WeChat.

We are still evaluating the data and determining the specific types of data compromised and released.


28 March 2022 – 03:22 UTC

Russian Federal Air Transport Agency, Rosaviatsiya Confirms Cyberattack; 65TB of Data Erased

The civil aviation agency Rosaviatsiya, responsible for air cargo transportation, confirmed in a letter shared on the Russian Telegram channel Авиаторщина that their website domain favt.ru had been offline since Saturday due to a significant cyber attack. The attacks had severely impacted their ability to plan and conduct flight operations, and the agency had resorted to pen-and-paper-based operations in the interim.

The notice stated that over 65TB of emails, files and critical documents had been allegedly erased along with the registry of aircraft and aviation personnel. There were no systems backups to restore from because according to the agency spokesperson, the Ministry of Finance had not allocated funds to purchase backups.

“All incoming and outgoing emails for 1.5 years have been lost. We don’t know how to work…”
“The attack occurred due to poor-quality performance of contractual obligations on the part of the company LLC ‘InfAvia’, which carries out the operation of the IT infrastructure of the Federal Air Transport Agency.”

27 March 2022 – 20:44 UTC

Anonymous Leaks 2.4GB of Emails from Russian Construction Company, RostProekt

Over the weekend, DDoSecrets helped Anonymous distribute over 2 gigabytes of sensitive company emails exfiltrated by breaching a prominent Russian construction company, RostProekt (in Russian: РостПроект). The company primarily operates in Russia, with the head office in Moscow Oblast. RostProekt is a primary contributor to Russia’s lumber and other construction materials merchant wholesalers sector. The breach may impact construction projects in the country.

As of the time of writing, the website for the company is online.


25 March 2022 – 20:36 UTC

nb65 Leaks Sample Internal Data from the All-Russian State Television and Radio Broadcasting Company (VGTRK)

The nb65 hacktivist team targeted and released data affiliated with a state-sponsored propaganda broadcasting company of the Russian Federation, VGTRK. The All-Russia State Television and Radio Broadcasting Company, also known as Russian Television and Radio (native: Всероссийская государственная телевизионная и радиовещательная компания) owns and operates five national television stations, two international networks, five radio stations, and over 80 regional TV and radio networks. It also runs the information agency Rossiya Segodnya.

nb65 claims they have successfully compromised the organization’s network and exfiltrated over 750GB of data, much of which consists of employee email (.pst) files from the company’s email network. The group claims to be ‘watching’ for their ‘eventual incident response.’

The group continued to troll the organization…

“Your blue team kinda sucks. Hard to find good IT help when all your techies are fleeing the country, eh?”

25 March 2022 – 18:36 UTC

Anonymous Releases Files Exfiltrated from the Central Bank of Russia

Anonymous has released data the hacktivists collected while conducting attacks against the Central Bank of Russia. The archive, broken up into 10 separate parts, consists of over 25GB of archived data comprising over 35,000 files of sensitive bank data. Earlier in the campaign, we observed several posts on the deep web containing targeting information for the bank, e.g. domains, IP addresses, etc.


24 March 2022 – 20:49 UTC

GNG Claims to Hack Russian Mail Server, mail.ru

Georgia’s Society of Hackers (GNG) announced today they successfully attacked Russia’s equivalent to Gmail, mail.ru, including their maps.mail.ru subdomain. The hacktivist group is in the process of exfiltrating the data and will provide the detailed data dump in the next few days.

As of the time of writing, the maps.mail.ru website is online and operational.


24 March 2022 – 14:11 UTC

Anonymous Shares Proof of Hacked ATMs in Russia

Earlier today, users at what appears to be a Sberbank ATM reportedly located in Russia experienced technical errors when selecting the Russian language on the screen. Upon selection, the ATM monitor quickly flashes to the Ukrainian flag and the words Glory to Ukraine (Слава Україні!). See the captured video here.

ATM malware is widely circulated on the darknet and used extensively in the fraud and financial crime communities.


24 March 2022 – 10:43 UTC

Pro-Russian Killnet Launches Anonymous-Style Campaign Against Ukraine – Targets Poland and NATO

The pro-Russian cyber threat actor group, Killnet, has been conducting attacks against Ukraine for several weeks and has stepped up its demands and threats against Ukraine and western Europe. Today, they released a video on social media, mirroring the ominous messaging of an Anonymous-style video with the Russian flag in the background. During the video, the group stated they would attack targets in Poland for their assistance to the Ukrainian government during the invasion. They recently also posted specific targeting information for the National Bank of Poland on their Telegram channel.

“…together with the Russian cyber army, we disabled 57 state websites of the Kiev regime, 19 websites of nationalist parties…”

The group also referred to the Colonial Pipeline attack in the US from May 2021.

[translated] “Let’s remember the American gas company attack, which resulted in 40% of America’s infrastructure being paralyzed for a few days.”

23 March 2022 – 16:45 UTC

AnonGhost Claims to Hack Russian Street Lighting System and Drops Proofs of Access to Moxa Industrial Wireless Networking Infrastructure

AnonGhost, known for their attacks against industrial control systems, continued their campaign against Russia by targeting the МонтажРегионСтрой г. Рязань street light control system. They stated they successfully shut off the street lights at 19:35 Moscow time and that it was a “gorgeous show.”

Shortly before announcing the breach of the lighting control panel, AnonGhost also provided proof of access to Moxa (moxa.com) industrial networking devices. They leaked proof of access to router information for an industrial wireless Moxa device, its associated OnCell specifications, along with defacement of the device’s name, description, and login message.

In addition to the proofs they linked to a pastebin file containing over 100 Russian Moxa IP addresses for additional targeting.

It’s unclear where the Moxa device compromise is physically located or whether the Moxa compromise provides direct access to the streetlight control system.


23 March 2022 – 02:44 UTC

BeeHive Cybersecurity Claims They Are Running Ransomware Campaigns Against Russian Targets

Just when one thought they only hijacked Discord users and trolled pro-Russian ‘hackers’ like @a_lead_1, BeeHive Cybersecurity claims they have been quiet because they are running ransomware operations against targets across Russia.

Oh, in case you guys were curious why we’ve been so quiet. May or may not have a new #ransomware operation running in Ru right now. Alas, we find allies quicker than Putin finds ways to invade Ukraine. We’ll have more details soon but…consider this the public disclosure.

This would not be the first Russia-specific ransomware variant to emerge. According to Trend Micro, RURansom was detected targeting Russian-specific devices with AES-CBC encryption and a hard-coded salt. Another ransomware variant recently detected, known as “Antiwar”, appends the file extension “putinwillburninhell” to encrypted files.


22 March 2022 – 19:14 UTC

ATW (Blue Hornet) Compromises Russia’s Hydrometeorology and Environmental Monitoring Service with Bitbucket

The AgainstTheWest / Blue Hornet team has recently leaked several internal documents from Russia’s Hydrometeorology and Environmental Monitoring service (spelled by the threat actors as ROSHYDRO). According to open sources, the monitoring service is hosted on the meteorf.ru domain. The data leak consists of 45 PDF files containing historical software change descriptions and feature requests from the company’s internal software development tracking system. ATW refers to a superadmin account for the GIS FEB RAS Team on Bitbucket in the leak.


21 March 2022 – 22:44 UTC

ATW Returns to Campaign with Attacks Against Almaz-Antey

After a disruption in the ATW team’s cyber activities due to personal issues, the ATW/Blue Hornet team returns, leaking a 9GB archive of data allegedly exfiltrated by breaching Almaz-Antey’s corporate networks. The data leak includes employee login data, multiple documents containing PII, confidential and classified intellectual property, schematics, and SQL database files.

Almaz-Antey (Russian: ОАО “Концерн ВКО “Алмаз-Антей”) is one of Russia’s largest defense and arms enterprises, known for the development of Russian anti-aircraft defense systems, cruise missiles, radar systems, artillery shells, and UAVs.


21 March 2022 – 15:26 UTC

Anonymous Targets Russian Software Developer, naumen.ru

Hacktivists from the Anonymous collective have leaked data exfiltrated from Naumen, a software vendor and cloud services provider in Moscow. The company markets itself as “world class IT solutions fully adapted to the Russian market” and lists several prominent international companies as partners. The leaked data consists of an SQL database containing thousands of usernames, email addresses, hashed passwords, and associated PII. The specific purpose and origins of the database from inside Naumen is unclear, but partner companies could experience supply chain / vendor risk issues.


21 March 2022 – 03:27 UTC

KelvinSec Targets Nestle for Continued Commercial Operations in Russia

The KelvinSec ‘hacking’ team has reportedly compromised Nestle in retaliation for continuing to operate and distribute their products in Russia. The group leaked multiple databases from Nestle consisting of customer entity data, orders, payment information, and passwords (10GB total). The group insisted it’s a “partial” database leak and more data may be released in the future.

Nestle defended its business decision after President Zelenskyy called the company out to protestors on Saturday night in Bern, Switzerland.

(Update 3/22 – 01:48 UTC) Anonymous issued a warning giving a number of US companies 48 hours’ notice to pull out of Russia or become targets of the #opRussia cyber offensive campaign. Example corporations include: Subway, Chevron, General Mills, Burger King, Citrix, and CloudFlare.


20 March 2022 – 23:33 UTC

Anonymous Compromises Russian Social Media VK to Send Message to Millions

Anonymous accessed VK’s messaging platform and sent direct messages to over 12 million Russian users of the social media app. The message, written in Russian, speaks to the realities of the war in Ukraine and the demise of the Russian economy, and threatens that users displaying the Russian “Z” insignia as their profile avatar will be targeted by international authorities.

VK users have shared proofs of the message received to confirm the campaign in VK occurred.


20 March 2022 – 15:32 UTC

GhostSec Leaks Military Asset Monitoring System and More from Russian Networks

The leak includes data exfiltrated from a military operational readiness monitoring website (orf-monitor.com), including inventory tracking of key Russian military assets; a leak of a Russian investment company that includes recent Chinese contract data; and lastly, technical data leaks from Russian Defense Contractor Kronshtadt, that includes computational specifications related to their UAVs, along with military operational doctrine, etc.

GhostSec teased on their Telegram channel they had more data coming and this archive they were sharing was a sample of a much bigger dataset.


20 March 2022 – 13:40 UTC

Honest Railworkers in Belarus Help Stop Lines Going to Ukraine

According to open source reporting and the hacktivist group known as Cyber Partisans, the railways going out of Belarus into Ukraine have stopped. Earlier in the campaign, Cyber Partisans disrupted rail operations in Belarus using cyber attacks against ticketing systems and switching systems; however, others report that the rails are inoperable due to “honest railworkers” who do not want to see Belarus military equipment transported into Ukraine for use in this war. (Source)

“I recently appealed to Belarusian railway workers not to carry out criminal orders and not transport Russian military forces in the direction of Ukraine. At the present moment, I can say that there is no railway connection between Ukraine and Belarus. I cannot discuss details, but I am grateful to Belarus’s railway workers for what they are doing” – Oleksandr Kamyshin, director of the Ukrzaliznytsya state railroad

20 March 2022 – 10:28 UTC

Arvin Club Takes Down STORMOUS Ransomware’s Tor Onion Service

Shortly after the STORMOUS ransomware gang set up a Tor onion service, the Arvin Club ransomware group compromised their site and leaked SQL databases, information, and performance schemas. It’s unclear whether this attack occurred because of STORMOUS’s Russian allegiance or if Arvin merely wanted to teach the cyber criminals a lesson in setting up secure sites on the darknet.

The STORMOUS ransomware group had previously operated only on Telegram.

(UPDATE) As of 3/22 the Tor service is still offline.


20 March 2022 – 02:18 UTC

Anonymous Leaks Database from Russian Aerospace Company Utair

Hacktivists from the Anonymous collective have released the customer database for Russia’s Utair airline (Russian: ОАО «Авиакомпания «ЮТэйр»). The JSON database appears to have been collected long before the 2022 #opRussia campaign, as the MongoDB data is dated 2019. There are records containing personal data for over 530,000 clients using Utair’s services.


18 March 2022 – 21:29 UTC

nB65 Leaks Data from Russian Space Agency

After a disappointing trolling exercise against Kaspersky, the nb65 hacktivist group returns with data leaks from Russia’s space agency, Roscosmos. The group claims they still have persistent access to the agency’s vehicle management system and leaked the IP of the compromised network to prove their access. The leaked data archive consists of over 360MB of user and operations manuals, along with solar observatory logs.

Hours earlier, the group also claimed to have compromised tensor.ru and leaked 1.6GB of emails from a corporate mailbox of the Russian digital signature company.


18 March 2022 – 15:39 UTC

Russia Targets Ukraine Red Cross Website in Cyber Attack

The Ukrainian Red Cross reported their Internet web servers have been hacked, likely by Pro-Russian cyber threat actors. The website domain – redcross.org.ua – is currently offline with the statement “account disabled by administrator.”

The social media account for the Ukrainian Red Cross stated that no personal data of beneficiaries stored on the website was compromised by the cyber attack.

The Ukrainian Red Cross staff and volunteers are busy actively providing medical aid and support to vulnerable and wounded Ukrainian civilians across the country as the Russian military continues its barrage of cruise missile strikes.


17 March 2022 – 11:43 UTC

AnonGhost Leaks Screenshots of GNSS Satellite Hacks Along with IP Addresses

AnonGhost shared several screenshots as proof of attacks they conducted against Russia’s Trimble GNSS satellite interface. They claimed on social media that other “fake Anonymous” accounts had taken credit for the operation. They also leaked 48 unique IP addresses associated with the GNSS satellite systems. The group did not specify the nature of the attacks against the Russian assets.


17 March 2022 – 09:23 UTC

Anonymous Claims to Have Located Putin’s Bunker

Using OSINT analysis involving satellite imagery, topography and landmark comparisons such as rivers and power plants, the Anonymous community claims they have detected President Putin’s bunker. There is no means to verify the accuracy of these assertions.

cred: @paaja6 & @IamMrGrey2

17 March 2022 – 03:58 UTC

Anonymous Leaks 79 GB of Emails from R&D Department of Transneft – OMEGA

DDoSecrets released the data on behalf of Anonymous hackers operating in cyber campaigns against Russia. Anonymous compromised email inboxes of OMEGA Company, the R&D arm of Russia’s state-controlled pipeline company known as Transneft [Транснефть]. Transneft is the world’s largest oil pipeline company with over 70,000 kilometres (43,000 miles) of trunk pipelines and transports an estimated 80% of oil and 30% of oil products produced in Russia. The emails cover the accounts’ most recent activity, including after the introduction of US sanctions on February 25, 2022. Some of the emails reflect some of the effects of those sanctions.


16 March 2022 – 10:47 UTC

Russian Foreign Intelligence Service (SVR) Requests Information via Tor

Russia’s external intelligence agency has issued instructions on how to establish secure communications via their Virtual Reception System (VRS) to relay any threats to the Russian Federation. The call for leads, found on svr.gov.ru, details how to install the Tor anonymity network, gives the v3 .onion address of their secure communications system, and advises informants to use PGP in order to further encrypt the details of any messages provided.

“If you are outside Russia and have important information regarding urgent threats to the security of the Russian Federation, you can safely and anonymously share it with us via the virtual reception system (VRS) of the SVR over the TOR network.
If you are in a hostile environment and/or have reasons to worry about your security, do not use a device (smartphone, computer) registered to you or associated in any way with you or people from your personal settings for network access. Relate the importance of information you want to send us with the security measures you are taking to protect yourself!”

15 March 2022 – 11:48 UTC

Pro-Russian Group Xaknet Threatens to Attack Critical Infrastructure Information Centers

“We cannot endlessly give you ‘lessons of politeness.’ We demand the cessation of hacker attacks against Russian infrastructures, we demand the cessation of the activities of information centers for the dissemination of fakes.
In case of refusal, we will be forced to use the most sophisticated methods, and reserve the right to act as the enemy does. Critical information infrastructure facilities will become a priority target for the group. All work will be aimed at the complete destabilization of the activities of the aforementioned CIIs.”

It’s unclear from the threats which specific websites or services the cyber threat group considers critical infrastructure information services. The IT Army of Ukraine’s extensive information operations have spread across almost all social media platforms and information communication mediums across Russia.


15 March 2022 – 07:19 UTC

User on Telegram Leaks New Letter from FSB

A user on a pro-Ukrainian Telegram channel (name redacted) has released a new letter, reportedly from an FSB agent, translated into English.

“The temperature has really risen here, it’s hot and uncomfortable. I won’t be able to communicate for some time here in the future. I hope we can chat normally again in a few days. There are a lot of things that I have to share with you…
The questions are raised by the FSO (Federal Protective Service of the Russian Federation, aka Putin’s Praetorian Guard) and the DKVR (Russian Military Counterintelligence Department). It is precisely the DKVR that is mounted on horseback and is looking for “moles” and traitors here (FSB) and in the Genstaff (General Staff of the Armed Forces of the Russian Federation) regarding leaks of Russian column movements in Ukraine. Now the task of each structure is to transfer the fault to others and to make the guilt of others more visible. Almost all members of the FSB are busy with this task at the moment.

The focus is on us more than others at the moment, due to the hellish circumstances regarding the intra-political situation in Ukraine: We (the FSB) have released reports that at least 2,000 trained civilians in every major city of Ukraine were ready to overthrow Zelensky (President of Ukraine). And that at least 5,000 civilians were ready to come out with flags against Zelensky at the call of Russia. You want to laugh? We (FSB) were supposed to be the judges to crown Ukrainian politicians who were supposed to start tearing each other apart arguing for the right to be called “Russia’s allies.” We even set criteria on how to select the brightest of the most competent (among Ukrainian politicians). Of course, some concerns have been raised about the possibility that we may not be able to attract a large number of people (Ukrainian politicians) to Western Ukraine, to small towns and to Lvov itself. What do we actually have? Berdyansk, Kherson, Mariupol, Kharkiv are the most populated pro-Russian areas (and there is no support for Russia even there). A plan can fall apart, a plan can be wrong. A plan can give a result of 90%, even 50%, or 10%. And that would be a total failure. Here it is 0.0%.

There is also a question: “How did this happen?” This question is actually a (misleading) trap. Because 0.0% is an estimate derived from many years of work by very serious (high-ranking) officials.
And now it turns out that they are either agents of the enemy or simply incomprehensible (according to the FSO / DKVR who are now looking for “moles” within the FSB).

But the question does not end there. If they are so bad, then who appointed them and who controlled their work? It turns out that they are people of the same quality but of a higher rank. And where does this pyramid of responsibilities stop? At the boss (Putin).
And this is where the evil games begin: Our dear Александр Васильевич (Alexander Vasilyevich Bortnikov – Director of the whole FSB) cannot fail to understand how badly he got caught. (Bortnikov realizes the deep mess he is in now)

And our evil spirits from the GRU (Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation) and the SVR (Foreign Intelligence Service – equivalent to the CIA) understand everything [and not only from these two organizations]. The situation is so bad that there are no limits to the possible variations (of events that will happen), but something extraordinary is going to happen.”

Shortly after a first letter from an FSB whistleblower surfaced around 5 March, Putin quietly placed his FSB chief, Sergei Beseda, and his deputy under house arrest last Sunday. While telling the public he arrested them on embezzlement charges, according to open-source reports the “real reason is unreliable, incomplete, and partially false information about the political situation in Ukraine”, and Putin is holding them responsible for Ukraine’s success against the invasion thus far.


14 March 2022 – 12:00 UTC

Russian State Duma of the Federal Assembly Confirms Censorship of VPNs

Calling it “a difficult task”, Alexander Khinshtein, chairman of the State Duma Committee on Information Policy, commented that Russia’s media and propaganda agency, Roskomnadzor, has been tasked with blocking over two dozen VPNs [virtual private networks] across Russia. (Source)

We anticipate that number to increase as Putin continues to crack down on Russian citizens’ media consumption.

VPNs have been targeted by Russian authorities since 2017, when an initial VPN law was passed. In 2019 many of the VPN providers across Russia received compliance demands from Roskomnadzor representatives via email – captured in the image below.

The demand for VPNs in the country has reportedly increased by over 2,000% in the last month. Users on Telegram encourage widespread use of anonymity tools like VPNs and Tor, and share links to VPN services still in operation and accessible in the region. Many of the VPNs are available via Telegram directly and offer free trial subscriptions to Russian users.


14 March 2022

Russian Cyber Actors Setup IT Army of Russia Group

The collective of cyber threat actors self-identifies as the “IT Army of Russia”, mirroring the IT Army of Ukraine Telegram initiative, and claims it has targeted critical Ukrainian cyber services with DDoS attacks. The group has fewer than 100 subscribers and many of the members are affiliated with the Killnet forum.

The group recently posted a detailed dox containing personal information for President Volodymyr Zelenskyy [in Ukrainian: Володимир Олександрович Зеленський]. The dossier contains specific information such as his date of birth, passport number, car registration details, and familial associations.


13 March 2022 – 09:31 UTC

Anonymous Germany Exfiltrates Data from Russian Rosneft Operations in Germany

An Anonymous hacktivist group from Germany, referring to themselves as “AnonLeaks”, had access to the networks of Russia’s Rosneft subsidiary in Germany for almost two weeks and exfiltrated over 20 terabytes of corporate data. According to a preliminary review, the data consists of laptop backups, virtual disk images, Excel files, work instructions, and other operational information for the refinery.

Anonymous Germany emphasizes they did not have access to critical infrastructure in Germany, nor was the intent of their operation to access critical infrastructure for the refinery or compromise it in any way.

Rosneft is Germany’s third largest petroleum refinery company, processing roughly 12.5 million tons of crude oil per year.

(Update) Details of the leaked data have appeared on a dedicated Tor darknet service set up by the hacktivists.


13 March 2022 – 07:19 UTC

nB65 Claims to Be Jonathan Scott, a US-based Malware Researcher

Since the invasion, a social media account reportedly affiliated with the group nB65 was extremely active in sharing their leaks and targets across Russian networks – including claims of accessing the Roscosmos space agency. Most recently, they stated they had access to Kaspersky’s source code, with many teasers in the hours leading up to what amounted to a disappointing dump of publicly available code from the Russian antivirus software developer. The group essentially trolled Kaspersky and received heavy criticism from members of the information security research community.

The owner of the group’s Twitter account claimed today that they were, in real life, Jonathan Scott, a US-based Computer Science PhD student researching mobile spyware and IoT malware. Shortly after, the Twitter account for the group was deleted.


11 March 2022 – 06:25 UTC

GhostSec Claims to Access, Shutdown, and Deface Control Panel of Russian ICS via SCADA Attack

GhostSec continues their offensive against Russian critical infrastructure with attacks affecting industrial control systems. Today, they claimed they successfully accessed an unknown Russian industrial control system, defaced the control panel, and shut the system down. They also stated they deleted the backups to make restoring services more challenging.

They included the screenshot below which appears to correlate to a typical ICS system. The name or location of the network was not identified.


11 March 2022 – 01:34 UTC

BeeHive Cybersecurity Enters Campaign and Targets Pro-Russian Discord Users

A pro-Ukrainian group, known as “BeeHive Cybersecurity” claims to have attacked over 2,700 pro-Russian Discord users, compromising their accounts and defacing their profiles with statements about the realities in Ukraine posted in English, Ukrainian, and Russian.

The group insinuates that they “CnC [command and control] the platforms of the ignorant” and use compromised devices to help combat disinformation.


10 March 2022 – 12:30 UTC

KelvinSec Leaks Private Chats from Darknet Tor Service: Database Market

KelvinSec, a pro-Ukrainian cyber threat actor on the darknet, has leaked 3,178 files containing the private chats from DATABASE Market. DATABSE is a relatively newly-launched service on Tor, where carding and fraud cyber-criminals congregate and transact.

The service is allegedly hosted by IT Resheniya on the IP address 45.155.204.178. KelvinSec reported they infiltrated the market via an insecure direct object reference vulnerability, commonly called “IDOR”: the site exposes references to internal objects (such as record or user IDs) without checking that the requester is authorized to access them, which gives an attacker access to the website’s hidden information.

The compromised Tor service is still active as of time of writing.


10 March 2022 – 11:24 UTC

DDoSecrets Leaks Over 800GB of Data from Russian Media Censor, Roskomnadzor

The whistleblower leak site, DDoSecrets has obtained 360,000 files from Роскомнадзор (Roskomnadzor) via hacktivists from the Anonymous campaign against Russia. Roskomnadzor is a Russian state-controlled agency responsible for monitoring, controlling and censoring Russian mass media. The agency is responsible for the recent crackdowns and digital bans of Facebook, Twitter, and YouTube. The two-part dataset totals over 800 GB including files, emails, and information critical to their operations.


10 March 2022 – 08:35 UTC

GhostSec Hits Hundreds of Printers Across Russia

GhostSec reportedly hacked hundreds of printers across Russia to spread the message about realities in Ukraine. They tagged on to the announcement an obscure 4chan meme, “Hey Russia do you liek mudkipz?” on their Telegram channel. They stated they are targeting Russian government and military networks for the printer exploit.


9 March 2022 – 20:05 UTC

Pro-Russian Group, devilix-EU Joins Campaign Against Ukraine and the US

Late last week, a new Pro-Russian persona appeared on social media and began sharing pro-Russia propaganda, Pro-Trump rhetoric, and counter #opRussia Anonymous content. Over the last five days, they’ve ramped up their attacks, claiming to have compromised AWS instances and Microsoft IIS systems, and to have performed BGP hijacking, with mentions of several US-based IP addresses.

The group makes further claims that they’re named after their own custom ransomware, “DEVILIX shark.”

DEVILIX named as me is one of the strongest viruses on the world DEVILIX shark is ransomware which can do anything we can create BotNet. where we want. Just a Simple but it’s not.

They most recently shared their thoughts about the cyber war in Russian, declaring that this was not about Ukraine and Russia, but the US and NATO and their intent to keep Russia and Ukraine divided.

Я вижу, что речь идет о двух сторонах, России и Украине. Почему мы разделены из-за политики? Разве вы не видите, что здесь делает Запад и хочет, чтобы мы были разделены. НАТО избежало конфликтов, и теперь привет! Слава России

[Google Translate]

I see that we are talking about two sides, Russia and Ukraine. Why are we divided because of politics? Don’t you see what the West is doing here and wants us to be divided. NATO has avoided conflicts, and now hello! Glory to Russia

8 March 2022 – 21:05 UTC

Anonymous Hacks Hundreds of Russian Security Cameras, Many Affiliated with Russian Government Ministries

Hacktivists from the Anonymous Collective successfully tapped the security camera feeds of hundreds of retail businesses, restaurants, schools, and government installations across Russia. They set up a website to share the leaked camera feeds, and discovered that some of the feeds came from critical security offices. Anonymous also defaced security camera displays with the message:

Putin is killing children
352 Ukrainian civilians dead
Russia lied to 200rf.com
Slava Ukraini! Hacked by Anonymous

8 March 2022 – 18:34 UTC

nb65 Group Claims to Have Acquired Kaspersky’s Source Code

After keeping quiet for several days, the group sent out mysterious posts across social media claiming to have accessed Kaspersky source code and found “interesting relationships” in this code.

They also claimed it was “sloppier than Putin’s invasion.”


7 March 2022 – 17:31 UTC

22nd Member of Notorious TrickBot Gang Doxxed

The pro-Ukrainian affiliate of the Trickbot cybercriminal empire has leaked the personal identity of 22 key members of the gang along with private chats between group members. Since the 4th of March, DarkOwl has seen the following aliases mentioned: baget, strix, fire, liam, mushroom, manuel, verto, weldon, zulas, naned, angelo, basil, hector, frog, core, rocco, allen, cypher, flip, dar, and gabr.


7 March 2022 – 13:01 UTC

Digital Cobra Gang Claims 49 “A-Groups” Led by Conti and Cobra Are Attacking American Cyberspace

The Pro-Russian group entered the campaign shortly after Anonymous started #opRussia (28 Feb) with the statement:

“DIGITAL COBRA GANG DCG has officially declared cyber war on hackers who attacking Russia as well and to protect justice”

They’ve given little indication of success, other than inflated claims that they have acquired over 92 TB of data from US military personnel files, but no proof has been published.

Earlier today, they posted that members of Conti were helping and that 49 “A-team” groups were hacking America.

(9 March 2022) – US AWS and Azure cloud platforms have experienced higher than normal traffic on the network but no major disruptions.


7 March 2022 – 06:44 UTC

RedBanditsRU Leaks Russian Electrical Grid Source Code Data

The pro-Russian group, originally assembled to counter-hack Anonymous and cyber actors targeting Russian organizations, posted today that they are leaking the source code of Rosseti Centre’s [mrsk-1[.]ru] electrical grid networking infrastructure. Rosseti Centre provides reliable electricity for more than 13 million people in the subjects of the Central Federal District of the Russian Federation.

The group is sharing this information because they believe Putin and his supporters are “leading this country to an apocalypse state.”

DarkOwl warns that security researchers opening these archives should always use isolated sandbox environments in case malware is included in the leak.


7 March 2022 – 04:55 UTC

AgainstTheWest (ATW) Returns to the Fight and Drops Multiple Leaks of Russian Corporate Data

In the last 24 hours, ATW dropped URLs for at least 7 leaks corresponding to various Russian technical companies and organizations, reportedly breached by the cybercriminal group. ATW’s participation in the campaign has been controversial as they have had multiple dramatic departures and returns to the campaign and reports of “health issues” of some of the team’s members.

Security researchers reviewing the information from last week’s data leaks call into question the veracity of the information ATW is sharing. Check Point released analysis stating that, after “checking their claims deeper reveals that for many of the claims there are no solid proofs apart of very generic screenshots that are allegedly from the breached organizations.”

(Update 7 March 2022 – 18:36 UTC) The group also posted to their Telegram channel that they had successfully breached a Russian cybersecurity company that has been “hoarding” US-based government data, along with exposure of multiple SonarQube instances, and requested someone get in touch with them immediately. It’s unclear if this is legitimate or just further ego inflation.


6 March 2022

Free Civilian Tor Service Leaks Entire DIIA Contents

Recently, the administrator of Free Civilian shared a post on their Tor service containing the entirety of Ukraine’s DIIA database of users. They stated the buyer of the database consented to the release, with the understanding that some records were deleted. The downloads consist of 60+ archives containing gigabytes of data. The download links have been unstable since DarkOwl discovered them.

The administrator also expressed desire to have the ban on their “Vaticano” Raid Forums account lifted, claiming this leak proved the legitimacy of the information they shared back in January.

Recently, screenshots of an indictment for the alleged seizure of Raid Forums on VeriSign have been in circulation, after users spoke of rifts between pro-Ukrainian users and Russian hackers, potential FBI seizures, and the alleged hijacking of the alias of former admin Omnipotent on Darknet World. Prominent users from the forum have set up RF2 and advised that any old working Raidforums links are likely phishing logins for the FBI.


6 March 2022 – 18:43 UTC

Anonymous Continues Information Warfare Against Russian Media; Video Services Wink and ivi Stream Anti-War Messaging

After Putin’s overt authoritarian take on media sharing the realities of the war in Ukraine, Anonymous managed to hack Russian video services Wink and ivi to stream pro-Ukrainian messages and video of the conflict.

This weekend, Putin’s parliament passed a “fake-news” law imposing prison sentences for media using the words “war” or “invasion” prompting numerous western outlets to pull their journalists and suspend operation.


6 March 2022 – 15:39 UTC

AnonGhost Enters Campaign and Claims SCADA Attacks Against Multiple Russian Infrastructure Targets

This weekend, AnonGhost entered Anonymous’ #opRussia campaign with a vengeance, and claims today they have hacked multiple Russian infrastructure control systems via SCADA attacks and “shut it down.”

They list the following targets:

  • Волховский РПУ (Volkhov RPU)
  • Бокситогорский РПУ (Boksitogorsk RPU)
  • Лужский РПУ (Luga RPU)
  • Сланцевский РПУ (Slantsevsky RPU)
  • Тихвинский РПУ (Tikhvinsky RPU)
  • Выборгское РПУ (Vyborg RPU)

This is after they leaked data from 9 Russian commercial servers hours earlier.


DarkOwl is in the process of pulling in this data to review and assess the contents of all of the databases.

The AnonGhost group is reportedly one of the more senior Anonymous hacktivist teams in the underground, with reporting of the group going back to the early 2010s. According to open-source reporting, AnonGhost was led by Mauritania Attacker. In an online interview with a hacker’s blog in 2013, Mauritania Attacker claimed to be a 25-year-old male from Mauritania who started hacking at a young age by joining TeaMp0isoN and ZCompany Hacking Crew (ZHC), two hacking groups known for their attacks on high-profile targets such as NATO, NASA, the UN, and Facebook.

For those who remember Stuxnet, SCADA-type attacks are controversial as there is a fine line between disruption and destruction. Services knocked offline but able to be restored are disruptive and inconvenient, causing delays in operation and psychological concern over the safety of such services. However, disruptions that lead to destructive events, e.g. hard disks wiped and unrecoverable, derailed trains, power plants overheating and exploding, and satellites falling out of the sky, are considered serious and may be interpreted as an act of war and result in severe retaliation.

Yesterday, Putin declared western sanctions an act of war and uttered similar threats about hacking satellites earlier this week.


6 March 2022 – 14:52 UTC

GhostSec Returns with Leaks from Russia’s Joint Institute for Nuclear Research (JINR) and Department of Information (DOI) FTP Server Data

Hours ago, an archive consisting of several gigabytes emerged from GhostSec, reportedly containing information from Russia’s nuclear research and disinformation activities. GhostSec has been silent for most of the last week, perhaps busy with this activity.

According to their website (jinr.ru), the Joint Institute for Nuclear Research is an international intergovernmental organization established through the Convention signed on 26 March 1956 by eleven founding States and registered with the United Nations on 1 February 1957.

As of time of writing, the public facing website is online.


6 March 2022 – 12:34 UTC

Anonymous Dumps Leak of 139 Million Russian Email Addresses

An archive of over 139 Million email addresses, broken up into 15 separate files with mail_ru at the beginning of each file, lists the email addresses for presumed account holders for mail_ru services. VK (VKontakte) assimilated mail.ru email services into its internet services conglomerate in the fall of 2021.

The files included two additional HTML files with ominous warnings – possibly shared on the servers from which these leaks were obtained.

[image translation]

Russian soldiers!
If you think that you are going to an exercise, in fact you are being sent to Ukraine to DIE.

DarkOwl has not determined the veracity of this data, nor confirmed how these emails were obtained; some combolists of this nature are created as an aggregation of other leaked data.

As of time of writing, mail.ru’s public facing website is still online and operational.


5 March 2022 – 20:41 UTC

Anonymous Targets Russian FSB; Letter Appears from Possible FSB Whistleblower

The Federal Security Service (FSB) of the Russian Federation [Федеральная служба безопасности (ФСБ)] is the principal security and intelligence agency of Russia and the main successor agency to the Soviet Union’s KGB.

Earlier today, Anonymous hacktivists targeted the FSB (at the direction of the IT Army Ukraine) and managed to take the external facing website offline. Rumors on social media and chatrooms suggested Anonymous managed to “breach” the FSB’s server.

Shortly after the announcement of the website’s offline status (i.e. #TangoDown), a deep web paste emerged containing a list of 62 subdomains for the fsb.ru domain. This could be for additional targeting and exploitation.

The stability and alliances of members of the FSB are in question by threat intelligence and security researchers across the community. Last night, an alleged FSB whistle-blower letter surfaced (via the founder of http://gulagu.net) that damned Russia’s military performance in Ukraine and predicted a disaster for the RU in the next weeks and months. An English translation of the letter has appeared in the deep web (excerpt below).

To be honest, the Pandora’s box is open – a real global horror will begin by the summer – global famine is inevitable (Russia and Ukraine were the main suppliers of grain in the world, this year’s harvest will be smaller, and logistical problems will bring the catastrophe to a peak point). I can’t tell you what guided those at the top when deciding on the operation, but now they are methodically lowering all the dogs on us (the Service).
We are scolded for analytics – this is very in my profile, so I will explain what is wrong. Recently, we have been increasingly pressed to customize reports to the requirements of management – I once touched on this topic. All these political consultants, politicians and their retinue, influence teams – all this created chaos. Strong. Most importantly, no one knew that there would be such a war, they hid it from everyone.
And here’s an example for you: you are asked (conditionally) to calculate the possibility of human rights protection in different conditions, including the attack of prisons by meteorites. You specify about meteorites, they tell you – this is so, reinsurance for calculations, nothing like this will happen. You understand that the report will be just for show, but you need to write in a victorious style so that there are no questions, they say, why do you have so many problems, did you really work badly. In general, a report is being written that when a meteorite falls, we have everything to eliminate the consequences, we are great, everything is fine.
And you concentrate on tasks that are real – we don’t have enough strength anyway. And then suddenly they really throw meteorites and expect that everything will be according to your analytics, which was written from the bulldozer.
That is why we have a total piz_ets – I don’t even want to pick another word.

5 March 2022 – 16:37 UTC

Anonymous Claims to Breach Yandex (Russia’s Mail and Search Service); Leaks Account Credentials

DarkOwl discovered two leaks shared through the Anonymous hacktivist collective network consisting of over 5.2 Million user accounts’ email addresses and password combinations. We are in the process of analyzing this data leak to determine the veracity of its contents. 1.1 Million Yandex accounts were previously dumped in 2014. Many hackers are using #opRussia to opportunistically claim clout for breaches that did not occur, when in reality they are circulating old previously dumped data and/or verifying accounts by credential stuffing.


5 March 2022 – 15:23 UTC

Paypal Suspends Service in Russia

PayPal announced on LinkedIn that it would be halting its operations in Russia, a statement released days after it suspended new user sign-ups on the payment platform on Tuesday. Dan Schulman, CEO, wrote:

We remain steadfast in our commitment to bring our unique capabilities and resources to bear to support humanitarian relief to those suffering in Ukraine who desperately need assistance. We will also continue to care for each other as a global employee community during this difficult and consequential time.

On Wednesday, 3 March, the IT Army of Ukraine launched a petition on change.org and called on all supporters to sign it:

[TRANSLATION]

While Ukraine protects its people and places, and Russia faces the radical consequences of its war crimes, the most popular payment service via PayPal is still available to the aggressor. This means that it also helps finance the bloody war against Ukraine through PayPal.
We are absolutely sure that modern technologies are a powerful response to tanks, grads and missiles. We call on the company to block its services in Russia via PayPal and launch them in Ukraine, as well as provide an opportunity to raise funds to restore justice and peace in our country and the world.

5 March 2022 – 15:03 UTC

Anonymous Leaks Private RocketChat Conversations from Russian Government Officials

Anonymous is targeting Russia by any means possible and managed to collect private chats between Russian officials on the messaging service, rocket.chat. After review, these chats are different from the ones dropped by @contileaks last week.

The chat includes the network ID, username, and “real name” of 14 members of the chat group. The domain associated with the leak corresponds to the official website of the Russian government and the Governor of the Moscow region.


5 March 2022 – 06:04 UTC

squad303 Sets Up SMS Messaging System to Text Random Russian Citizen Phone Numbers

With the lack of Russian media coverage of the invasion of Ukraine and the intentional misinformation spread by Putin’s disinformation agencies, a pro-Ukraine hacktivist collective known as squad303 set up an SMS messaging system for citizens around the globe to use to text randomly selected Russian citizens a scripted message about the nature of world events.

The squad303 team also set up an API for more advanced users.

Update: As of 8AM UTC, 6 March 2022, the service had been used to send over 2 Million texts to Russian mobile phone numbers.

The team also reports suffering heavy DDoS attacks from pro-Russian cyber actors.


5 March 2022 – 02:34 UTC

Anonymous Hackers Claim to Have Accessed Communication Data for a Russian Military Satellite

After nb65’s reported success accessing Roscosmos earlier this week, it appears that members of the Anonymous collective under the campaign #opRussia have ventured into breaching the communications of a Russian military satellite for data collection. The satellite – designated COSMOS 2492 (aka glonass132) – is likely active in geospatial intelligence collection over Ukraine for Russia. (note: the original indication of the connection occurred 4 March 2022 @ 09:35 by Anonymous collective member, @shadow_xor.)

DarkOwl also uncovered a leak shared by LulzSec member @shadow_xor titled, “Leak_RUSAT_shadow_xor.zip” which contains significant geopositioning data since the satellite’s launch in 2014. The hacker stated they could not change the coordinates of the satellite, but did capture orbital, passage, and communications data.

Our original reporting on this suggested the hackers were Russian-based, but further analysis only indicated that a number of Russian-based hackers supported the attack on COSMOS 2492.


4 March 2022 – 18:16 UTC

Putin Officially Bans Facebook in Russia

In order to combat the information operations campaign against them online, Putin ordered ISPs to block Facebook servers and websites across Russia. Security researchers also note an uptick in Russian trolls on social media with bot accounts promoting Putin’s military operations in Ukraine.

Putin’s parliament also passed a law imposing prison terms of up to 15 years for individuals spreading intentionally “fake news” about the military. The terms “invasion” and “war” are no longer allowed in press and media coverage.

Several foreign and Western media outlets, including BBC, CNN, and Bloomberg, have temporarily suspended reporting on the war from Russia.


4 March 2022 – 09:44 UTC

NB65 Teases Information Security Community with Riddles on their Activities

NB65 – the pro-Ukrainian group who claimed responsibility for accessing and shutting down Russia’s spy satellites via SCADA vulnerabilities – teased the information security community that they had been quiet because they were parsing and analyzing numerous vulnerabilities in Russian cyber targets.

If we seem quiet, it’s because we have an olympic sized swimming pool worth of data and vulnerabilities. But here’s some fun that you can participate in…

DarkOwl discovered a post matching the target hidden in the riddle and the content suggests the group has access to RUNNET: Russia’s UNiversity Network.


4 March 2022

IT Army of Ukraine Calls for Volunteers to Support the Internet Forces of Ukraine

Ukraine’s Ministry of Digital Transformation steps up its information warfare against Putin’s propaganda by forming the Internet Forces of Ukraine (ITU). Forming a separate Telegram channel at the start of the month, the channel is dedicated to posting instructions and guidance for citizens around the world that want to aid Ukraine and lack an IT/cybersecurity background.

Друзі, наш ворог, окрім наявної війни у наших містах та селах, веде також інформаційну війну. Не вірте фейкам, не вірте брехні пропаганди путіна – ніякої капітуляції України НЕ БУДЕ!!! У нас потужна армія, ми сильні духом і нас підтримує весь світ! Тому, не ведіться на провокації і вірте в Україну. Поширюйте це серед рідних та близьких у соціальних мережах, щоб вони також не велись на нісенітниці кремля. Ми разом і ми переможемо!!🇺🇦

Friends, our enemy, in addition to the existing war in our cities and villages, is also waging an information war. Do not believe fakes, do not believe the lies of Putin’s propaganda – there will be no capitulation of Ukraine!!! We have a powerful army, we are strong in spirit and we are supported by the whole world! Therefore, do not be fooled by provocations and believe in Ukraine. Spread this to your family and friends on social networks, so that they also do not fall for the Kremlin’s nonsense. We are together and we will win!! 🇺🇦


4 March 2022 – 01:46 UTC

Trickbot Gang Members Doxxed and Links to FSB Confirmed

At 15:00 UTC, before DarkOwl could even finish analyzing the ContiLeaks, a Ukrainian-aligned underground account leaked details of key members of the infamous TrickBot gang. Over the course of the day, at a cadence of every 2 hours, dossiers for the individuals appeared on social media. Private chats between members of the gang were included with each of the leaks. Seven male members and their aliases were identified: baget, fire, strix, mushroom, manuel, verto, and liam. Twitter has since suspended the account.


3 March 2022 – 20:54 UTC

Russian-Aligned Hackers Target Anonymous Hacktivists in Canada

A pro-Russian cyber group using the name Digital Cobras claims to have been targeting #opRussia hackers from the Anonymous collective across the US, UK, Greece, and Canada. Earlier today, they posted several names of individuals along with pictures of some of the alleged members of Anonymous.

They also claimed to have “hacked Anonymous’ servers” and downloaded over 260 GB of their files and tools. They also claimed to have full access to the administration of the Tor Project, including their crypto accounts.

Anonymous does not possess servers or centrally locate their information or tools as it is an organic decentralized collective of hacktivists around the world. Similarly, the Tor Project is run by a network of volunteers.

It is very likely this group is designed to spread disinformation and FUD.


3 March 2022

Size of Zeronet Anonymous Network Increases Since Invasion

In the week since Putin launched an invasion against the Ukrainian people, DarkOwl has noticed an increase of 385 Zeronet domains and a near 20% increase in the network’s activity. Zeronet has historically been most heavily used by Chinese threat actors. The trend in “new domain” activity appears to have started on or about February 27th, within hours after the IT Army of Ukraine rallied the underground.

The Tor Project has reported significant increases in the number of unique addresses on Tor on the same day.

DarkOwl Zeronet Reporting
Tor Project data on onion address surge

3 March 2022 – 17:10 UTC

Anonymous Leaks Database Containing Bank Account Holders Information

bkdr – member of the Anonymous hacktivist collective – released an Excel spreadsheet containing the personal information of over 8,700 business bank account holders in Russia. Full names, passport numbers, dates of birth, account standing, etc. are included in the file.


3 March 2022 – 15:40 UTC

Pro-Russian Cyber Team, Killnet Claims To Hack Vodafone Services in Ukraine

Killnet, a Pro-Russian organized threat actor has claimed they were successful in attacking Vodafone’s telecommunications services across Ukraine. The group shared links to the vodafone.ua website (as offline) and network graphs proving the website suffered an outage.

The group also claims to have attacked “Anonymous” networks directly, prompting criticism as the Anonymous hacktivist collective has no central servers or repositories.

[Google Translate]

Cellular communication services under the Vodafone trademark on the territory of Ukraine are provided by the partner of Vodafone Group plc, PRO “VF Ukraine”
⚠ OUR ATTACK WAS REPELLED [REFLECTED] AFTER 4 HOURS.

3 March 2022 – 05:22 UTC

Anonymous Breaches Private Server in Roscosmos and Defaces Website

v0g3lSec – member of the Anonymous hacktivist collective – claims to have infiltrated private servers at the Russian Space Agency, Roscosmos, and exfiltrated files from their Luna-Glob moon exploration missions. The archive consists of over 700 MB. Many of the files are drawings, executables, and technical documents dating back to 2011. A scientific review of the content would be needed to assess the value of the information collected.

In addition, the website for the Space Research Institute (IKI) of the Russian Academy of Sciences (RAN) was also defaced by the same group.


3 March 2022 – 01:11 UTC

Anonymous Leaks Data from Rosatom, Russia’s State Atomic Energy Corporation

According to DarkOwl’s preliminary review of the 74 files, the leak appears to be a mixture of budget data, conference materials, PowerPoint presentations, and technical files dating back to 2013. The information included is such a random mixture that it is unclear whether this was obtained directly from a breach of the corporation’s servers, from an employee at the organization, or collected via OSINT and compiled for use in #opRussia.

“There is no place for dictators in this world. You can’t touch the innocent, Putin. No secret is safe. State Atomic Energy Corporation Rosatom has been hacked!”

2 March 2022 – 19:55 UTC

ATW Quits Campaign – Cites Conflict with Anonymous, Attribution, and Twitter Suspension

Drama in the group started yesterday with AgainstTheWest claiming Anonymous was taking credit for their successes in the cyber war against Russia. They briefly turned their attention to China announcing several new victims, including the Chinese Science, Technology and Industry for National Defence organization. After their suspension from Twitter earlier today, they announced retirement claiming they had no means for communicating with the public. (Analysts note rebrand to BlueHornet occurred shortly after their announcement)


2 March 2022 – 19:09 UTC

Conti Leak Source Code, Panel, Builder, Decrypter Appear on Darknet Forum

Less than 48 hours after a pro-Ukrainian actor leaked the infrastructure of the CONTI gang’s operation, including botnet IP addresses and source code executables, users began circulating the ransomware gang’s critical data across popular darknet forums and discussion boards.


2 March 2022 – 16:35 UTC

Leak Documents Surface Proving War Against Ukraine was Approved on 18 January

Anonymous hackers released photographs of captured documents from Russian troops titled, “WORKING MAP”, and authored by the commander of Russia’s Bomb Battery of the Black Sea Fleet. The maps and documents affirm to the public that the invasion of Ukraine was approved on January 18th with intention to seize the country sometime between 20 February and 06 March 2022. Liveuamap, under intermittent DDoS since this started, confirmed the data.


2 March 2022 – 13:52 UTC

XSS Admin Reports XMPP Jabber Service Ransomed and Heavy DDoS Attacks

A darknet forum popular with the Russian-speaking community has been experiencing technical issues, suffering from Jabber service outages and heavy DDoS attacks. The forum is well known in the darknet for malware discussions and coordination of attacks. The admin shared a post that the Jabber service was hit with ransomware and the contents of the chats wiped from the service. They nonchalantly suggested users re-register and continue using the service.

[Translated]

The server didn’t work yesterday. Because of ransom (which, by the way, is prohibited here) we were listed in a spamhouse. Instead of reporting the violation, the “brilliant” spamhouse immediately leafed through us. In principle, for many years I got used to their “adequacy”. I’m not surprised at anything. We have more than 21,000 users, and no one is able to check everyone. To do this, in fact, they came up with feedback contacts (xmpp, e-mail), they are listed everywhere.

Why, I wonder, they don’t block gmail.com ? So many, so to speak, violators of law and order use it, and nothing, for some reason they are not immediately listed.
In parallel with this, a powerful DDoS attack was conducted on us.
Our XMPP project is not commercial, completely free and subsidized. I’ve never understood the point of attacking toads.
At the moment, the functionality has been restored.
An unpleasant moment. Backups according to the law of meanness turned out to be broken. The last one alive was a week ago. Suddenly someone has lost contacts or a toad has disappeared, re-register.

2 March 2022 – 10:33 UTC

Leak Appears with Russian Air Force Officer’s Information

Anonymous leaked another database containing the personal information for over 300,000 of Russia’s military personnel and civilian citizens. The archive, titled “Translated Base Database” contains 35 separate database files containing personal details of the individuals. Information includes: full name, date of birth, age, passport number, address, occupation, etc.


1 March 2022 – 20:46 UTC

Russian Criminal Gang TheRedBanditsRU Recruits on Social Media – Offers Payments for Affiliates

The RedBandits openly recruit “affiliates for certain jobs,” stating they did not want white hats, but that they want to “speak to exploit Developers, Spammers (phishing skills, vishing etc), Pentesters. We’re building an army!” They incentivize skilled hackers to join their cause for monetary gain, claiming partners would be paid well and should apply directly via qTox.

Earlier today, the group claimed that they did not agree with Putin as a leader nor of his invasion of Ukraine, but will protect him as a citizen of Russia.

“War is good for no one, come, take my hand, make money help your family”

1 March 2022 – 12:57 UTC

STORMOUS Ransomware Group Aligns With Russia

The STORMOUS ransomware group, which has been targeting international victims with its ransomware strain for months, declared its alliance with the Russian government and threatened greater attacks against Ukraine.

The STORMOUS team has officially announced its support for the Russian governments. And if any party in different parts of the world decides to organize a cyber-attack or cyber-attacks against Russia, we will be in the right direction and will make all our efforts to abandon the supplication of the West, especially the infrastructure. Perhaps the hacking operation that our team carried out for the government of Ukraine and a Ukrainian airline was just a simple operation but what is coming will be bigger.

1 March 2022 – 09:26 UTC

Ukrainian Paper Leaks Personal Data for 120,000 Russian Military Personnel

In an effort to target the Russian soldiers invading Ukraine, the Centre for Defence Strategies in Ukraine has acquired the names and personal data of 120,000 servicemen who are fighting in Ukraine. The Ukrainian newspaper Ukrayinska Pravda has leaked the details of the soldiers, in what could be one of the biggest information warfare campaigns using doxing during an active military conflict ever seen.

The doxxed soldiers are likely to face increased engagement on social media and direct phishing attacks.


1 Mar 2022 – 00:38 UTC

NB65 Takes on Russia’s Satellite Technology

NB65 claims that they successfully accessed Russia’s Roscosmos Space Agency, deleted the WS02, ‘rotated’ the credentials and shut down the server. They did not provide any leaks with the social media announcement.

The Russian Space Agency sure does love their satellite imaging. Better yet they sure do love their Vehicle Monitoring System.
Network Battalion isn’t going to give you the IP, that would be too easy, now wouldn’t it? Have a nice Monday fixing your spying tech. Glory to Ukraine.

28 February 2022 – 23:54 UTC

ATW Targets Russia’s Electrical Grid

AgainstTheWest leaks information from Russia’s PromEngineering corporation. Archives of corporate emails between employees, clients and vendors, as well as blueprints and engineering documentation for power stations around Russia, are included in the leak.


28 February 2022 – 22:00 UTC

CONTI’s Entire Infrastructure Leaked

Does this signal the end of CONTI’s reign as leading RaaS?

A Ukrainian-aligned affiliate decided to destroy the CONTI ransomware gang’s operation by exfiltrating and sharing 141 additional JSON data files of private Jabber chats from 2020, details of their server architecture, their sendmail phishing campaign data, command and control botnet architecture, and ransomware executables (password protected). Analysis confirms that the gang uses the BazarLoader backdoor for installing persistent malware on infected machines.

DarkOwl analysts also noted from the leaked Jabber messages that RaaS affiliates persistently worked on determining how to evade AV/EDR protection systems such as Sophos and Carbon Black. They stated that they had set up sales calls and demos with the Carbon Black and Sophos sales teams, using proxy companies, in order to gain more information, test the products and attempt to find specifics of the products’ AV/EDR detection mechanisms that could be bypassed.

This reminds us all of the importance of vetting and verifying all commercial in-bound requests for demos and sales information, especially when such a request might present an opportunity for the requester to learn critical corporate intelligence.

The affiliate leaking the details wrote how this war against their people and Ukraine was breaking their heart.

My comments are coming from the bottom of my heart which is breaking over my dear Ukraine and my people. Looking of what is happening to it breaks my heart and sometimes my heart wants to scream.

28 February 2022 – 21:41 UTC

STORMOUS Ransomware Hits Ministry of Foreign Affairs of Ukraine

The pro-Russian STORMOUS ransomware gang claims to have attacked Ukraine’s Ministry of Foreign Affairs, mfa.gov.ua, using their custom ransomware. The group posts victims’ information on their Telegram channel, posting in both English and Arabic. The group described the Ukrainian government network as “fragile” and called for DDoS attacks against it.

Their network is fragile – their various data has been stolen and distributed according to their phone numbers, email, accounts and national card numbers, with an internal network hacked and access to most essential files. This is with placing denial attacks on their main site!

28 February 2022 – 18:00 UTC

China’s Huawei Steps in to Assist Russia with ISP Network Instability

According to Chinese deep web forums, Huawei is reportedly building a mobile broadband network in Russia to help with internet outages. As of 26 February, at least 50,000 technical experts will be trained in networking and security in Russia’s R&D centers.


28 February 2022 – 12:00 UTC

Russian Gas Station Pumps Hacked

Video of disabled electric vehicle (EV) charging stations in Russia surfaced, showing the stations displaying an error status and the following messages:

“Putin is a dick”, “Glory to Ukraine”, “Glory to our heroes”, “death to our enemies”

27 February 2022 – 23:06 UTC

Anonymous for Ukraine Leaks Customer Data from Sberbank Russia

While Anonymous leaked the files, the credit for the hack goes to Hacktivist group, Georgia Hackers Society. The two text files (bygng.txt & bankmatbygng.txt) appear to be personal data from the financial institution with the bankmat file containing 4,568 records.


27 February 2022 – 21:00 UTC

CONTI RaaS Suffers for Professing Their Allegiance to the Russian Federation

DarkOwl just discovered 393 JSON files containing private Jabber chats from the ransomware group since January 2021 leaked online. Many of CONTI’s affiliates were displeased with the group’s alliance with Russia.


27 February 2022 – 19:00 UTC

ATW Claims to Take Down CoomingProject Ransomware Group

AgainstTheWest assesses that “CoomingProject are actually one of the dumbest ‘threat’ groups online.” AgainstTheWest’s statement on Twitter:

“RIP CoomingProject. All data on them is being passed to relevant authorities in France.”

27 February 2022 – 16:54 UTC

Cyberpartisans Take Belarusian Railway’s Data-Processing Network Offline

The hacktivist group of cyber specialists located in Belarus managed to force the railway switches into manual control mode, significantly slowing down the movement of trains. The web servers for the railway’s domains (pass.rw.by, portal.rw.by, rw.by) are also offline.

The rail services are being essentially held hostage until Russian troops leave Belarus and there is peace in Ukraine.


27 February 2022 – 11:00 UTC

AgainstTheWest Ransomware Gang Enters the Campaign

AgainstTheWest (ATW) claims to have attacked Russia’s Department of Digital Development and Communications of the Administration of the Pskov Region with their own custom “wiper” malware. All data was reportedly saved and then deleted.


27 February 2022 – 09:00 UTC

Anonymous Attacks Russian Critical Infrastructure

Tvingo Telecom, a major provider to Russian clients, offers fiber-optic networking, internet and satellite services.


27 February 2022 – 00:00 UTC

GhostSec Leaks More Data and Claims Attacks Against Belarusian Cybercriminals, GhostWriter

GhostSec is active in the Anonymous cyber war against Russia and released a sample of databases stolen from additional government and municipality sites across Russia (economy.gov.ru and sudak.rk.gov.ru).

They state on their Telegram channel they have been conducting attacks against “Russian hackers” and the “hacker group GhostWriter” (a.k.a. UNC1151).


26 February 2022 – 18:00 UTC

IT ARMY of Ukraine Now Active on Telegram

A Telegram Channel titled “IT ARMY of Ukraine” appeared earlier today to help coordinate cyber activities against Russia. The channel has already accumulated over 96K followers. Posts are shared in Ukrainian and English containing target server IP addresses and media for mass distribution on social media.

Videos of what events are really happening across Ukraine have appeared on intercepted Russian State Television channels.

В найближчу годину буде одне із найголовніших завдань!

26 February 2022 – 16:00 UTC

Anonymous Hackers Interrupt Russian State Television

Multiple reports across underground chatrooms suggest Russian television was allegedly briefly interrupted to play Ukrainian music and display national images. (Source)

Ukraine’s telecommunications’ agency also announced that Russia’s media regulator’s site was down as well.


26 February 2022 – 09:00 UTC

Russia Restricts Facebook and Twitter to Control Information

Open-source internet monitoring organizations report that Twitter has been blocked by multiple ISPs across Russia. Ukraine’s government is regularly posting on social media to show the Russian people they are still fighting the invasion. Cybercriminal and hacktivist campaigns also disrupt Russia’s information operations by calling out disinformation bots and taking critical communications sites offline. Twitter has reportedly blocked account registrations from IPs originating in the Russian Federation.

Russia’s state-controlled television station, RT, is still offline.


26 February 2022 – 01:00 UTC

Hackers Leak Data from Belarusian Weapons Manufacturer Tetraedr on the Darknet

Anonymous Liberland and the Pwn-Bär Hack Team announce the start of #OpCyberBullyPutin and leak a two-part archive (200GB total) of confidential employee correspondence from the prominent Belarusian defense contractor and radar manufacturer Tetraedr. The first part contains the most recent 1,000 emails from each employee inbox, in .EML format. The second part is a complete archive of each inbox in .PST format.

The hacktivists stated they successfully attacked the company through an unpatched ProxyLogon security vulnerability.


25 February 2022 – 23:30 UTC

Russian Military Radio Frequencies Hijacked

Ukrainian radio frequency (RF) hackers intercepted the Russian military numbers station UVB-76 (frequency 4625 kHz) and trolled Russian communications by playing Swedish pop group Caramella Girls’ Caramelldansen over the top of the transmission.

The group also successfully intercepted frequencies utilized by Russian strategic bomber planes.


25 February 2022

CoomingProject Ransomware Group Announces Support for Russia

Another ransomware gang has sided with Russia, officially declaring war on its Telegram channel against anyone conducting cyber attacks against the Russian government.

“Hello everyone this is a message we will help the Russian government if cyber attacks and conduct against Russia”

25 February 2022 – 21:00 UTC

Russia’s Gazprom Energy Corporation Knocked Offline

Headquartered in St. Petersburg, Gazprom (ПАО “Газпром”) is the largest natural gas transmission company in Eastern Russia. The company is mostly owned by the Russian government even though its shares are traded publicly.

The Anonymous hacktivist collective, operating their campaign against Russia via the hashtag #OpRussia, has claimed responsibility.


25 February 2022 – 20:00 UTC

Anonymous Hackers Leak Database for Russia’s Ministry of Defense (MoD)

Russia’s gov.ru and mil.ru website server authentication data, including hundreds of government email addresses and credentials, surface on transient deep web paste sites and Telegram channels. Another leak consisting of 60,000 Russian government email addresses is also now in circulation.

GhostSec, also participating in Anonymous’s cyberwar against Russia, #OpRussia, claimed all subdomains for Russia’s military webservers were offline hours earlier as of 11:00 UTC.

Around 100+ subdomains for the Russian military were hosted on this IP (you may check DNSdumpster for validation), now all downed. In support of the people in Ukraine WE STAND BY YOU!

25 February 2022

CONTI’s decision to side with Russia has dire consequences for the RaaS Gang

The ransomware-as-a-service (RaaS) gang CONTI (a.k.a. CONTI News) has officially sided with the Russian Federation against “Western warmongers” in the conflict.

Many of their affiliate partners are reportedly in disagreement – siding with Ukraine – which became evident once certain private chats from their internal affiliate platform were leaked on social media. It is uncertain how these political divisions will impact the effectiveness of the ransomware gang’s campaigns. Conti revised their WARNING statement, claiming they do “not ally with any government and we condemn the ongoing war.”


25 February 2022 – 16:30 UTC

Hundreds of Russian IP Addresses Appear on Deep Web for Targeting

Over 600 IP addresses correlating to key Russian web services emerge on transient paste sites and underground hacker forums. (Source DarkOwl Vision)


25 February 2022 – 05:00 UTC

Anonymous Threatens to Take Russian Industrial Control Systems Hostage

The hacker group known as Anonymous stepped up its participation in defending Ukrainians through its cyber war with Russia. In an ominous video posted to Twitter, the group called for the UN to establish a “neutral security belt” between NATO and Russia to ease tensions. They elevated their threats by promising to “take hostage industrial control systems” in Russia, closing with their signature line: Expect Us. We do not forgive. We do not forget.

“If tensions continue to worsen in Ukraine, then we can take hostage… industrial control systems.” Expect us. Operation #Russia Engaged

24 February 2022 – 19:00 UTC

Free Civilian Tor Service Announces 54 New Ukrainian Government Database Leaks

The administrator of the Free Civilian Tor Service – who DarkOwl analysts believe is the Raid Forums threat actor, Vaticano – updated their database leaks service, stating they had confidential data for dozens of Ukrainian government services. DarkOwl analyzed these databases closely and confirmed the threat actor likely exfiltrated the data in December 2021. (Source)


24 February 2022 – 17:00 UTC

Russia’s FSB Warns of Potential Attacks against Critical Infrastructure as a result of Ukraine Operations

The National Coordination Center for Computer Incidents (NCSCI) released an official statement warning citizens of Russia of imminent cyber attacks and telling the country to brace for the disruption of important digital information resources and services in response to the on-going special military operation in Ukraine.

“Attacks can be aimed at disrupting the functioning of important information resources and services, causing reputational damage, including for political purposes” – NCSCI

24 February 2022 – 05:00 UTC

Cryptocurrency Markets Crash in Wake of Invasion

Bitcoin cryptocurrency fell below $35,000 USD for the first time since January in reaction to the Russian troops crossing over the Ukraine border. Ethereum fell more than 12% in the last 24 hours.

According to open-source reporting, the collective cryptocurrency market has plummeted by over $150 billion in value since the tensions began.



[DEVELOPING] Darknet Economy Surges Around Abortion Rights

SCOTUS members credit card information continues to be doxxed

July 1, 2022

The recent doxxing of Supreme Court Justices – presumably in retribution for the Roe v. Wade ruling – has spread widely across social media platforms, including Twitter, Instagram, TikTok, and more.

While all members of the Supreme Court have been doxxed to some degree in the past, this latest round of public information sharing contains credit card information for at least four Justices.

Many posts circulating on the darknet, deep web, and paste sites include other associated PII (as pictured above), which together form a comprehensive doxx of the targeted Justices that could be exploited for social engineering attacks, fraud and more.

SIEGEDSEC Targets Pro-Life State Governments

27 June 2022

Over the weekend, cyber hacktivists enraged about the SCOTUS decision directed their anger towards their keyboards and targeted the networks of pro-life state governments, e.g. Kentucky and Arkansas. The group claimed to have accessed and exfiltrated several gigabytes of sensitive data, including employee PII, from state government servers. The cyber threat group SiegedSec, who we featured earlier this month, has recently been emboldened by their involvement in the Russia-Ukraine cyber war. They stated on their Telegram channel that the attacks against Kentucky and Arkansas are just the beginning, with continued attacks planned against pro-life organizations and states with anti-abortion regulations.

“THE ATTACKS WILL CONTINUE!” – SiegedSec

Figure: SiegedSec Telegram post on state governments (Source: Telegram)

SCOTUS Overturns Roe v. Wade

24 June 2022

On Friday morning, the U.S. Supreme Court uploaded their controversial decision on the case titled, DOBBS, STATE HEALTH OFFICER OF THE MISSISSIPPI DEPARTMENT OF HEALTH, ET AL. v. JACKSON WOMEN’S HEALTH ORGANIZATION ET AL; a decision which effectively removed one’s constitutional right to an abortion as provided by the long-standing 1973 Roe v. Wade precedent. The decision sparked widespread protests around the country and conflicts between activists and law enforcement.


Original Report

21 June 2022

As a result of the recent political landscape regarding Roe v. Wade, our analysts reviewed the topic of abortion and observed a surge in darknet economies providing abortion medications and home kits on underground marketplaces.

Background and Political Context

The historic January 1973 Roe v. Wade decision by the U.S. Supreme Court, which legally protected one’s right to an abortion at the federal level, is facing a precipitous demise amid a radical shift in political power across the United States. In a draft majority opinion that was leaked out of the Supreme Court to Politico in early May, the conservative majority of Supreme Court justices appear very likely to overturn the landmark Roe v. Wade decision and a subsequent 1992 decision — Planned Parenthood v. Casey, with Justice Alito stating, “Roe was egregiously wrong from the start.”

Figure 1: Source POLITICO

If the position of the draft opinion goes ahead as written – which some legal experts predict might be officially published as early as this week – federal protections for one’s right to an abortion will immediately end and the issue will be tossed back to the individual states for decision. With recent extreme state-legislative decisions such as the Texas Heartbeat Act criminalizing abortions any time after six weeks of pregnancy, 23 states have some form of restrictive abortion-related legislation in place. 19 states have protected the right to abortion by codifying it into their state laws, and Colorado and California have established themselves as “sanctuary states” for women’s reproductive health.

According to the American Pregnancy Association, an abortion is defined as the early termination of a pregnancy and is induced by a clinical surgical procedure or the administration of drugs to remove the embryo and placenta from the female’s uterus. Two drugs associated with the “chemical abortion pill regimen” are oral Mifepristone (Mifeprex) and Misoprostol (Cytotec) used in conjunction to stop the production of pregnancy related hormones and induce contractions of the uterus to expel the embryo.

Impacts Seen on the Darknet

The Darknet Drugs Market

Within a week of the Supreme Court’s leaked draft opinion, DarkOwl analysts observed a noticeable volume of information related to medical abortions materialize – including offers for chemical abortion drugs for sale across the darknet.

Chatter on darknet discussion forums and deep-web adjacent chat platforms fosters an online community to support US-based individuals’ access to abortion, calling it the “Underground Abortion Railroad”, which aims to connect women with abortion and transportation providers and to help them avoid criminal prosecution.

One forum user identified themselves from Europe and offered to stock up on abortion medications and emergency contraception pills such as “Plan B” from their local pharmacies, offering to ship them at fair market price to those in the United States who cannot access them legally through non-darknet sites.

Another user in a popular darknet forum mentioned a reliable marketplace selling Misoprostol, described as “28 Pills 200MG Safe Home Abortion Method.” The vendor of the marketplace commented on the thread that they don’t actually sell the pills anymore because there were not enough buyers, but would be willing to change their position and offer them again if there was demand.

Monitoring of the darknet marketplace suggests the vendor has yet to offer a “Safe Home Abortion Method Kit” as mentioned in the thread, or any abortion-related pills, on their site. The same vendor also offers a variety of illegal drugs and narcotics, including Cocaine, Percocet, Xanax, weight loss treatments, and Freebase.

Figure 2: “Underground Abortion Railroad” thread (Source: Dread darknet discussion forum)

DarkOwl continues to observe other sources of underground abortion services on offer in its Vision database with multiple advertisements for Misoprostol and Mifeprex, and access to (purportedly) safe abortion services. One supplier recommended those in need of abortion pills contact them via XMPP with OMEMO for a direct, private sale.

Another classified-style advertisement describes the at-home abortion treatment in detail and the medications used, with pricing ranging from $7 to $16 USD for the abortion-related medications. Multiple forms of contact information were also included.

Other drugs offered for sale on the same classified-advertisement forum have been affiliated with scammers that have no intention of providing the services or goods on offer. Tragically, there is increased risk that darknet scammers will exploit the current political abortion issue in the US for financial gain like they did during the COVID-19 pandemic.

Figure 3: Drugs offered for sale on darknet marketplaces (Source: DarkOwl Vision)

Some darknet forum users point readers to “offshore pharmacy sites” where abortion-related medication could be purchased, mentioning a clinic taking online consultations in India among others. A quick OSINT search revealed numerous Surface Web domains offering abortion-related medications for purchase. How those sites will operate regarding shipping the drugs to customers in states who have banned abortions once Roe is overturned is yet to be determined.

Overall, opinions on the darknet about abortion are mixed, with strong opinions on both sides of the issue. Members of right-wing aligned Telegram channels spin abortion as murder and celebrate the Supreme Court’s position.

Figure 4: Source DarkOwl Vision

Other users, by contrast, favor less government involvement in individual choices regardless of the issue, and view the decision as a potential turning point toward the loss of other individual rights.

“I do believe everyone should have a choice, it’s a sensitive topic, but I will stand on democracy, taking peoples choices away is not democracy.” – Dread User

Figure 5: Source DarkOwl Vision

A controversial pro-choice group, Ruth Sent Us (RSU), named after late liberal Justice Ruth Bader Ginsburg, recently admitted to publishing on social media the home addresses of Chief Justice John Roberts alongside five other conservative associate justices: Samuel Alito, Clarence Thomas, Neil Gorsuch, Brett Kavanaugh and Amy Coney Barrett. The group claimed the information was publicly available and never encouraged violence against any of the justices.

The release of such information has fueled on-going deep web forum debates about the topic, with some stating that such information releases violate 18 USC 1503, which “prohibits ‘endeavors to influence, intimidate or impede… officers of [the] court’.” Despite the online debate, a 26-year-old man, Nicholas John Roske, likely relied on such leaked information to target Justice Kavanaugh last week. Roske was arrested for attempted murder after arriving at Kavanaugh’s home with a Glock 17 handgun, ammunition, a knife, zip ties, pepper spray, and duct tape, which he told police he planned to use to break into Kavanaugh’s house and kill him. Other left-leaning U.S. politicians have also been targeted in their homes since the draft opinion leaked, with users on Telegram calling them “pro-abortion death cult democrats.”

Figure 6: Source Telegram

DarkOwl analysts have not yet observed abortion pills such as Mifepristone and Misoprostol widely available on principal decentralized darknet markets, but they are available for purchase via threads in discussion forums, as well as classified-style advertisements on transient paste services.

Closing Thoughts

Users across darknet forums have voiced interest in abortion-related pills and services following the leaked Supreme Court documents and advocate for organized protests in support of and against the potential ruling. Once the U.S. Supreme Court officially issues their ruling, we anticipate a more concerted response from darknet marketplaces in offers for abortion related drugs and services. The darknet will also continue to be a resource for activists to organize political protests and circulate sensitive information related to the abortion debate.

Irrespective of which side of the debate one stands, the darknet will continue to fuel the controversy both in support of and criticism of a woman’s right to abortion. In a world of increased digital surveillance and the fundamental privacy-centric nature of Tor and similar anonymous platforms, individuals will seek out like-minded communities on the darknet for social activism related to the topic. DarkOwl predicts an increased use of Tor to organize political protests and circulate sensitive information related to the abortion debate.


Curious about darknet marketplaces or something you read? Interested in learning more? Contact us to find out how darknet data applies to your use case.

Esports and Gaming Platforms: The Next Frontier for Dark Web Threats 

August 14, 2025

Esports has evolved from late-night gaming sessions to sold-out arenas, multi-million dollar prize pools, and sponsorships from global brands. But behind the glitz and glamour lies a growing problem: the esports industry is increasingly under threat, ranging from cyber-attacks to cheating scandals and even personal safety risks.

This isn’t just about players losing matches or teams missing out on prize money. These threats strike at the very integrity of competitive gaming and pose real dangers to people, organizations, and brands alike. 

Esports platforms, streamers, and tournaments have become prime targets for cyberattacks. The reasons are simple: high visibility, massive online audiences, and often, poorly secured infrastructure. 

A report from Control Risks explains that “the sheer popularity of esports, combined with lax security protocols in some areas, makes them an ideal target for DDoS attacks, credential theft, and extortion.” In fact, the report states that over 37% of all DDoS attacks are directed at online gaming and esports platforms. 

These aren’t hypothetical threats. In recent years, major tournaments have been halted mid-stream due to attacks, players have been forced offline during crucial matches, and attackers have used ransomware to hold tournament servers hostage.

The competitive integrity of esports is under constant assault. Cheating isn’t limited to aimbots or wallhacks anymore. Today’s methods are more sophisticated—and more dangerous. 

A 2023 study in the International Journal of Esports notes that, “The esports ecosystem is particularly susceptible to technological manipulation, including the use of third-party software, programmable peripherals, and real-time data exploits.” 

Then there’s the issue of match-fixing and betting fraud, which can have far-reaching implications. One infamous case, the iBUYPOWER CS:GO scandal, involved players deliberately throwing a match in exchange for valuable in-game item bets. According to a summary on Wikipedia, the scandal “rocked the North American CS:GO scene and led to indefinite bans for several top players.” 

The Esports Integrity Commission (ESIC) has since reported a sharp uptick in similar investigations, especially in lower-tier tournaments where regulation is weaker. As esports gambling grows, both legally and through black-market sites, so too does the incentive to manipulate outcomes. 

“The lack of consistent regulation across regions and titles makes it difficult to maintain competitive fairness,” says one ESIC whitepaper. “Without centralized enforcement, threats like match-fixing go unchecked.” 

Esports professionals, streamers, and even fans are increasingly becoming targets of doxing, harassment, and swatting, a dangerous trend where attackers send emergency services to someone’s home under false pretenses.

In a recent legal analysis by Clyde & Co., the authors noted: 

“Esports professionals are now public figures, and the legal system has not yet caught up with the need to protect them from online threats that turn into real-world consequences.” 

One well-documented case involved a professional Fortnite player being swatted during a live stream, a terrifying experience for the player and his family. 

At live events, player safety is also a growing concern. As fan engagement increases, so do the risks associated with in-person appearances and meet-and-greets, especially without proper security measures. 

Toxic behavior in online gaming is nothing new—but in esports, where millions of dollars and high-profile sponsors are involved, it becomes a serious brand liability. 

A research paper published on arXiv highlighted the scale of the issue: 

“Toxicity in online team competition games is not only pervasive but also contagious. A single toxic player can create a ripple effect that damages team morale and community health.” 

Publishers like Riot Games and Valve have begun using AI to monitor voice chat, text logs, and gameplay behavior in real time, but there’s no foolproof solution yet. Sponsors are increasingly wary of being associated with players or teams who become the face of online toxicity.

Unlike traditional sports, esports doesn’t have a centralized governing body. Each game has its own rules, enforcement methods, and approach to discipline. 

“This lack of standardized governance has left room for exploitation,” according to a literature review in the Journal of Gaming and Computer-Mediated Simulations. “From doping and cheating to match-fixing and harassment, the fragmented nature of esports oversight has created blind spots.” 

Some groups, like ESIC and NASEF, are trying to build frameworks for integrity and accountability, but widespread adoption remains a challenge. 

Solving these problems won’t be easy—but there are clear paths forward: 

  • Robust cybersecurity frameworks for tournaments, servers, and team infrastructures 
  • Stronger industry-wide enforcement of cheating, match-fixing, and harassment violations 
  • Support for player safety, both online and in person 
  • Education and awareness campaigns for fans, sponsors, and players 
  • Standardized governance models modeled after traditional sports regulators 

Esports is thrilling, fast-paced, and full of opportunity, but it’s not immune to threats. Whether it’s a rigged match, a hacked server, or a swatted player, these risks have real consequences.

As the industry continues to grow, we must ensure it grows safely. That means more transparency, better safeguards, and a willingness to tackle the hard problems head-on. 

The future of esports is bright, but only if we protect it.


Check out our previous blog on Gaming and the Darknet.

[Webinar Transcription] Unpacking the Dark Web, How Fraudsters Operate and Why It Matters

August 12, 2025


Evan Blicker from DarkOwl explains the three types of internet (Surface Net, Deep Web, Dark Web) and the origins and workings of Tor. The session also covers common misconceptions about the dark web, types of information found there (e.g., PII, banking data, corporate data), and the importance of understanding it for cybersecurity. The speaker emphasizes operational security for investigators and introduces DarkOwl’s role in automating dark web data collection and analysis.

NOTE: Some content has been edited for length and clarity.


Good morning, everybody, and thank you for joining our iTOOsday. Today’s session was made possible by Leslie Cameron, who is the Managing Director of Alert Plus Technologies. Leslie is a seasoned IT professional with a long-standing career in technology, innovation and business solutions. His current focus is on cybersecurity and fraud prevention, with a passion for helping individuals stay protected against identity theft as well as online threats. From DarkOwl, we will be joined by Evan Blicker. Evan is a cybersecurity professional with over a decade of experience in cyber threat intelligence, dark web investigations and digital forensics. He began his career at the Pasco Sheriff’s Office investigating cybercrime and internet crimes against children. He later served as a task force officer with Homeland Security Investigations, where he led transnational investigations focused on the dark web. His unique background bridges law enforcement with corporate security, and he has deep expertise in OSINT, emerging threats and proactive intelligence strategies. For those of you who are unfamiliar with DarkOwl, they are the industry-leading provider of darknet data, offering the world’s largest commercially available database of information collected from the darknet. With that, let’s jump into the conversation.

In today’s session, we are going to explore a side of the internet that very few people truly understand, yet it does impact us all: the dark web. Often sensationalized in media, the dark web is more than just a digital underworld. It’s a thriving ecosystem where stolen data, compromised credentials, cyber attack tools and illicit services are traded like currency. As cybercrime becomes increasingly organized, sophisticated and global, understanding what happens beneath the surface is essential for individuals and businesses looking to stay secure. I’m thrilled to be joined today by our expert, Evan from DarkOwl, which is one of the world’s leading providers of darknet intelligence. Over the next hour, we’ll uncover what’s really happening on the dark web, how it affects you and your organization, and how you can effectively manage against it.

Evan: I’m a cyber threat investigator with DarkOwl. We’re here today to talk about the dark web, kind of unpacking it so we can get a better understanding of what it is, what type of data we can obtain from the dark web and how we can utilize that to better protect our clients, our organizations, and help make the internet a little bit safer.

To start, we have a short disclaimer about this presentation being for informational purposes only; accessing the dark web manually can lead to security concerns if proper operational security is not followed. So, we want to make sure that it is understood that our presentation today is for informational purposes only.

We’re gonna cover some very awesome topics. We’re gonna go into how the dark web works, its origin, different things that we can find on there and the communities that operate on the dark web. The dark web very much is a community. Similar to any other community, whether you play sports or in the business community or volunteering. However that works, there’s always subsets, there’s always communities in there. So, we’re going to talk about some of those communities. And then we’re going to also go into a little bit about dark web investigations, right? How to utilize this information, how to take it from raw data to actionable intelligence. We’re going to cover a lot. It should be really fun. So, let’s get started.

What is the dark web? That is a question that gets asked a lot because we see movies, we see TV, it’s dramatized as this really cool person sitting in a basement wearing a hoodie, typing away at a black and green screen. And it’s not as cool as that, but it is still pretty interesting. So, there’s essentially three types of internets. The first one is the surface net – all of us here have used the surface net, right? Those are the sites that have been indexed by Google. So, if you have gone to any website like a news provider or a sports site or any of those other things, that’s the surface net, a website anybody can get to and you can find it through Google or one of the other search engines.

Now there’s also the deep web or deep net. We’ve all accessed this whether you’ve known it or not, and this is any type of website that can’t be found without doing something else. So, for instance, going to your banking site, you have to type in a login to get into your bank account information. Once you type in that login, you go to your bank account site, and that itself is the deep web or the deep net, ‘cause that’s not something that you would want to show up on Google. Could you imagine the world if you could just Google somebody’s bank account and see it? It’d be a wild place.

And then we have the dark web or the darknet, and this is an internet that uses the standard internet but requires special software. And this special software typically allows for anonymity. It also provides some level of security through encryption. It allows people to bypass maybe a country’s restriction on certain websites or whatever the case is. And that’s the dark web, which is what we’re going to be kind of focusing on today.

The dark web. It actually got its start at the U.S. Naval Research Laboratory. Onion Routing was designed to protect sensitive information for government communications. Then in about 2002, it was released as an open-source project to the public, where it remains as an open-source project, where lots of companies and organizations actually donate to keeping the project alive. So, it went away from its government exclusivity and went into average people, anybody being able to use it for their purposes. Because though when we hear the word dark web, we think cybercrime and criminals, there’s actually some very, very valid uses which we’ll touch on later related to the dark web. It has some good uses in this world. It’s used by a wide range of people seeking anonymity while they’re on the internet. They want some type of encryption for privacy concerns, but it has also evolved into such a complex ecosystem where you have not only people using it for negative purposes, but also people using it for good. The thing that I always kind of fall back on when talking about stuff on the internet is, for everything good on the internet, there’s somebody there that’s able to take that good and use it for evil.

There are multiple dark web technologies. The one that we’re going to focus on and talk about today is Tor, because it is the most widely known dark web, but there are several others. So, these are logos from across the different ones. The one in the upper left of the screen, that’s the onion routing, that’s Tor. That’s typically the one when somebody’s talking about the dark web, that’s what they’re referring to.

The onion router, Tor. It’s multi-layered encryption, right? It means data is wrapped into multiple layers of encryption and each node that you go through, I’ll explain this a little bit better in the next slide, encrypts only what it needs to, to pass the traffic onto the next thing. So, it typically goes through a minimum of three nodes. You have your entry node, you have your middle node, your exit node. The exit node is what sends your traffic onto your destination. And this allows for your data to be fully encrypted through its path.

And this is its path. Now for any of those in the audience that maybe have a little bit more knowledge of the dark web, you don’t have to have a minimum of three nodes. You can have seven, eight, nine, adding to your level of protection while using it. But this is typically how it goes standard, right? So, Alice needs to send the information to Bob. Bob’s a server. Alice’s traffic will go through three different nodes in a certain pattern. It’s a randomized pattern. And each one of those nodes, each one of those computers that the traffic passes through, only has access to the information it needs to continue that packet onto its final destination. And then at which point it goes to Bob. The only time that that traffic is not encrypted is that final jump from the exit node to the target server. And this allows for that secure communication, right, allowing for that anonymity while using Tor.

Some of those features that we’ve already spoken about: anonymity, right; it gives you access to .onion websites. So, the Tor network doesn’t use .com or .net, they all end in .onion. It’s decentralized. The Tor project is actually really, really successful and really good at making sure one entity does not own too many nodes, right? Because I think it was mathematically calculated that if you owned 40% of the nodes, you can actually track somebody’s traffic across the Tor network. So, they do a really, really good job, and so does the community as well, at making sure that the people who are registering Tor nodes, because anybody can do it, it’s on a volunteer basis, don’t own too many of them, right? Because we want to keep this decentralized. We want to make sure that the anonymity that Tor provides us is there. And it also allows you to bypass censorship. Some countries censor the news and the media of what’s going on, and this allows people and organizations in those countries to get valid news of what’s going on in the world. It allows for privacy and sensitive communications. So, take for instance a journalist who is getting ready to break a big story with a whistleblower; this allows them to communicate in a manner which will protect the source and the story, right? And it has multi-platform support. So, you can be on your phone, you can be on your computer, whether it’s Mac, Windows, Linux, and still be able to access the Tor network.

It is downloadable at torproject.org. There is a lot of very, very good information about the Tor project and the dark web on torproject.org. You can actually see all of the different nodes and things that are being used. They do a very, very good job. They also list who donates to them and how they support themselves. And if you are so inclined, you’re able to do that as well.

There are other types. ZeroNet is another big one. Freenet is one that isn’t really widely used anymore, plus you have I2P and then the other ones listed. For the most part, Tor is your primary dark web network that is used today.

We have some common misconceptions, right, because those movies make the dark web look just so utterly fantastic and make everyone feel like a hacker. We have some misconceptions that come along with the dark web. So, the first one: everyone on the dark web is a criminal, and that’s not true. It hosts communities, and some of these communities are just privacy-focused people. Others are based in free speech. Others are trying to help prevent human trafficking or help, you know, refugees out of countries, whatever the case is. There are some very good uses for it, right? Some governments are extremely restrictive on the news and media that their citizens are allowed to see, and the dark web provides that access, right? And it allows journalists and whistleblowers and human rights activists to communicate in a manner in which they can try to help make the world a better place.

The next misconception is that exploring the dark web is illegal, and it is not. Now there may be activities carried out on the dark web which are illegal. And if you engage in those activities, then yes, now you’re committing a crime and that becomes illegal, but it is not inherently illegal to be on the dark web. There are many legitimate purposes. For instance, the New York Times, which is a very well-known news agency in the United States, has its own dark web site, where they host their normal site on the dark web for people that are in oppressed countries. So, these are things to keep in mind.

And lastly, it’s actually not lastly, but the dark web is completely anonymous, and that’s not 100% true. There are tools and methods that researchers and law enforcement can use and implement to extract information on threat actors, on people that are using the dark web for malicious purposes, right? Law enforcement also seizes these dark web sites, and they seize the servers which store information, and that information can be used to track and determine who these threat actors are. So Tor supports extremely strong privacy protections. It’s not infallible, because nothing is, right? Locks only keep honest people honest, and so there’s always a chink in the armor somewhere.

And lastly, accessing the dark web is super difficult or super easy, and it’s neither. There’s not one specific place to go – the dark web is made up of many hidden services, many different websites, multiple different platforms. Though there are technically dark web search engines, they’re not the same as Google or Bing or any of those other ones. So accessing the dark web can be complex, and it can be complex to find the information that you’re looking for, because you need to know the link. You need to know how to find a specific site. You need to know that that site actually exists, right? So, it’s the same as using the internet back in ’98, ’99 before search engines became really popular: you had to know where you were going in order to get there.

Some dark web concerns. Obviously cybercrime is a concern on the dark web, and it is used very prevalently by threat actors in many different facets of crime. From financial crime, to hacking, to ransomware, to narcotics trafficking, whatever the case is.

Also, misinformation campaigns happen – the spreading of disinformation and extremist content happens, stuff to try to destabilize public opinion and trust. And so, misinformation can happen. And then there’s also the illegal, non-ethical surveillance of the dark web, right? Dark web monitoring needs to have ethics involved in it to protect the good people that are on the dark web, using the dark web for valid reasons. So, these are some of our dark web concerns.

We’ve talked about what the dark web is. We’ve talked about its nuts and bolts: where it was created, how it operates, how it keeps us safe. We talked about some of the misconceptions. So, let’s get to a little bit more of the interesting stuff. What is actually on the dark web? What type of information are we able to find that relates to what we’re trying to do? How are we able to protect our clients? How are we able to protect ourselves?

There are several different facets or avenues that we can use to try to find some information. There are Marketplaces where things are bought and sold, similar to eBay or Amazon or any other type of marketplace that you go to where you can buy and sell different items, but in an unmoderated manner. There are Forums where collaboration between threat actors happens, where people ask questions, post things for sale, whatever the case is. Social media related stuff. Obviously, there’s Cryptocurrency information. There are Leaks from companies. There are also Leaks from governments, and then Ransomware related stuff. All of these things are found somewhere, in some shape or form, on the dark web.

There’s also dark web adjacent stuff. And this is the big thing that a lot of people don’t think about when they investigate the dark web. The dark web, like I said earlier, is a community, and we’ve got to look at that community like any one of the communities that you’re a part of. You know, take your work community. So, when you go to work, you’re part of the community with your co-workers and you are talking about work at work. But you also talk about work elsewhere, right? So, a co-worker comes over to your house for dinner and you guys start gossiping about, you know, stuff in the office, right? Things happen outside of your office related to what that community is about, which is work. The dark web is the same way. We have messaging apps, we have gaming apps, we even have surface web places. For instance, Reddit is a well-known social media site that has several places on there where they talk about dark web topics and issues and things along those lines. So, monitoring these things is just as important as monitoring the dark web to give you that kind of inclusive picture of what is going on.

And a lot of the data on the dark web comes from many different things. So, a lot of the raw data is your PII, your personally identifiable information from leaks. So, dates of birth, social security numbers, credit card numbers, addresses, things like that. Banking data: stolen bank accounts get sold on the dark web. Corporate data that has been taken maybe from a ransomware organization or from a hacker, whatever the case is. Credentials and compromised accounts, whether it’s fake accounts to a social media site or accounts that have been taken over, being sold, as well as corporate accounts, personal, whatever the case is. Plus there’s malware, there’s hacking tools, there’s ransomware, there’s a lot of different things. And then obviously on your forums, your marketplaces, tactics, ideas, how to do this stuff is there. You can buy guides and forms. And this all leads over to some of the biggest kind of risks that we’re kind of thinking about. So, DDoS attacks, right, data exfiltration, insider threats, cyber-attacks, and then just, you know, anything from identity theft down to a much more personal level, right, like somebody being doxxed on the dark web where their personal information is released.

So, let’s delve a little deeper into that type of data that can be found. That was a more high-level overview. Let’s get into a little bit more of the nuts and bolts.

Ransomware. Most ransomware groups, and new ones are coming out every single day, because it is a very successful business model if you’re a threat actor, have most of their sites hosted on the dark web. Also, their chat sites, where you go to negotiate once you have been compromised, are typically .onion sites because it allows for that level of anonymity. So, some of these screenshots are a little older, and the reason for that is that you can’t control necessarily what’s going to happen on a dark web site. So, if we went to it live, there’s a chance that there could be material that we wouldn’t want to see or produce. So, we try to capture screenshots. For instance, LockBit, which is now up to LockBit 3.0, their site is hosted on the dark web, several different ones; we’re constantly in motion tracking all of the new sites that are popping up from different ransomware groups.

I guess they like that business model. I don’t like it, though.

Markets. So, these are what essentially eBay would look like, and a lot of them are based off of the same. So, this marketplace, Kerberos, has been taken down. There are several new ones that pop up and they will run until one of two things happens. Either law enforcement takes down the marketplace or they do what is called an exit scam. And an exit scam is where the owners of the site take all of the money that’s been put into the site for making purchases and then they ride off into the sunset, stealing all of their users’ money. Those are typically the only two things, but anything is purchasable through here. There are marketplaces that are specific to firearms. There are marketplaces that cover a wide range of things, from personally identifiable information to credit card numbers, social security numbers, to narcotics and drugs, to hacking tools, whatever the case is. Some like to specialize, others like to be a little bit more broad to try to get as many users as possible.

It is kind of crazy some of the things that you can see on a dark web marketplace for sale. There are scam sites and things that pop up. So, for instance, you’re not going to really find a marketplace that’s, you know, human trafficking related. Also, you know, hitman services on the dark web are not real. That’s not how that works. But a lot of people like to talk about that, especially in movies and TV and things like that. But those types of things are almost always scams. But you can buy just about everything else. You can buy cell phones, skimmer devices to steal credit cards. The imagination is the limit for what marketplaces may or may not have. But they operate very well and they have better customer service than any company you probably know today, because trust is a big part of the dark web. So, one of the things that they do is they hold an escrow service. So, you would actually put your money into the site. The site would hold it. And then once you have made a purchase and you’ve received your product, the site will then release the money. So that way there’s trust between vendor and purchaser. That’s where that exit scam comes in.

Financial crime. Financial crime is a big part of the dark web. You won’t find all of your financial fraudsters on the dark web, some don’t need it, but you will find a lot of information and a lot of stuff being sold, because it’s a really easy product to sell on the dark web: you’re not shipping something from point A to point B, it’s a digital good. And we also have a little bit of that dark web adjacent. So, the two photos on the lower right, those are actually taken from Telegram. Telegram was a very big hot spot as a dark web adjacent location. It’s since kind of cooled down because Telegram has changed their trust and safety policy, so they’re cracking down on this a little bit more, but for a few years there it was very rampant that every dark web site or marketplace would also have a Telegram channel associated with it. But you can buy anything from credit card numbers as low as 10 cents to bulk credit card information, which will provide the credit card number, the number on the back of the card, the person’s name, address, location, everything that you need to use that card in a manner to prevent you getting caught by law enforcement, as well as information on how to commit fraud. It was a very big thing for the dark web.

There are drug and gun sales as well on the dark web. A lot of sites, a lot of marketplaces do try to avoid firearm sales, only because that gets a lot of American law enforcement involved. It kind of increases their profile. So, a lot will not allow the sale of firearms, but unfortunately, you know, everything done on the internet has a way to be used for bad, and the people that sell these find a way to get their merchandise posted. And then as well as narcotics. Narcotics are a big sale item on dark web marketplaces and different sites from there. But the nice thing, at least for the good guys related to this type of stuff, is that they have to be shipped from point A to point B, and law enforcement does monitor those shipping avenues, and so do the private companies that do that as well. So, a lot of times, this type of stuff is hopefully able to be stopped before it gets anywhere.

Stolen data. This is going to be something that I’m sure this audience is going to be interested in: stolen data from companies. A lot of organizations have their data stolen. Sometimes they’re not part of ransomware. Sometimes people just steal it to either try to sell it themselves or they post it. They post it for clout reasons or reputational reasons, to give it out to the community. These are screenshots from BreachForums, which was recently shut down and is potentially working its way to coming back; that’s been an interesting saga. But you could go to the site at any point in time, search for a lot of different companies, and find stolen data from those companies. Now that’s obviously bad reputationally for those companies, but it could also be very good for the company’s competitors if they’re not operating in an ethical manner, right? They get that information, and if that information contains confidential business secrets to the success of that business, now your competitors have your playbook. As well as the damage that could potentially happen to the clients of those companies if their personal information has been released.

Leaked data. So leaked data is different than stolen data. Leaked data, a lot of times, could involve an insider threat. It could be data that was able to be captured through a tool, for instance, being scraped from a deep website that a company owns, say, for instance, a social media site. You have to log in to access the stuff in the social media site, and then you start running custom tools to pull all of that information down, and then you release it. And then there are also usernames and passwords that get leaked as well. This is actually a screenshot from our tool, which shows a lot of the leaked content that we are finding out there and are able to catch. And there is a lot of leaked data that’s out there. It’s actually mind-blowing to understand how easy it is for your personal data or your corporate data to be leaked onto the dark web.

Stealer logs. Stealer logs are a very big thing. They can affect corporations, but a lot of times they affect the more individual person. Stealer logs are logs from a specific type of malware that, when it infects the computer, its job is to pull down all of the usernames and passwords and text files and take a screenshot and get all of the information that it can about that computer. And then these logs are either posted for free or, if they’re good logs, they typically get posted for sale. There’s a couple marketplaces on the dark web where one log will cost $10 USD and it will have a person’s entire password history on there, right? All of the passwords that are saved inside browsers, which you should never save your password in a browser due to stealer logs, because it captures all of that. And then they’re able to access all of your information. And the biggest one that we want to protect is your email, especially if you have used two-factor authentication through email. But stealer logs are everywhere. And this is also something else that ends up being dark web adjacent. For instance, Alien TxtBase, this one here, they still operate, but they operate mainly on Telegram. Even though Telegram is very active in trying to shut them down, you will typically find them on Telegram releasing this service that they have here. And one month of an unlimited amount of stealer logs is only $100, which is crazy. And $1,000 is lifetime access. So, if you are intentionally trying to hack somebody’s computer to pull down credit card information or to use it for other malicious purposes, that’s relatively a bargain.

And then we have our corporate data. And corporate data involves many different things. It could be our corporate secrets. It could be information related to an attack imminent to that corporation. It could be customer information, whatever the case is, right? And not everybody is immune, right? So, the FBI, federal government, American government agencies have been affected by corporate data issues. CrowdStrike, LinkedIn, Facebook, all of your major social media companies at some point in time have had their corporate data leaked, and a lot of that can still be found on the dark web today, even if it’s old data. Just because it’s older data doesn’t mean it’s not still valid and can’t still be put to use. And then also, you know, here in America, we have the UnitedHealthcare CEO who was assassinated. And you can find corporate, you know, talk about those corporations and the CEO, for instance, this one here, which was posted on an anonymous message board, saying that the healthcare CEO being shot was a long time coming and for people to stop defending them. So, there’s a lot of information, a lot of things that can break down here, right, from just corporate information to also threats to corporations and businesses. Things to monitor and different avenues to go down.

And the communities that bind them. I’m very big on saying the dark web is a community, and we have several different communities on the dark web. So, one of the big ones is extremism. You can find a lot of extremist information on the dark web, everything from terrorism all the way to racially motivated type stuff, to politically motivated things, it’s all on there.

Hacktivist groups. Hacktivists are hackers that claim that they are hacking for the correct reasons because they don’t agree with something, whether it’s a political mindset, a political decision, or a business that didn’t do what they thought was ethically correct. Hacktivists go after them, which was made famous by Anonymous back in the 2000s initially. Hacktivist groups operate on the dark web all the time. They post information, they get together to share ideas, different things like that.

And then we have our ransomware groups. This is a screenshot from our tool showing a lot of the different groups that we are targeting, or not targeting but monitoring, and pulling information down. This list actually currently has 317 different ransomware groups and threat actors that we’re monitoring and trying to get as much information from as we can. And the number of ransomware groups that operate on the dark web is growing every single day. That number never stays static.

And then obviously we have our hackers. What’s interesting about this slide, as we’re talking about hackers, is this is how initial access is sold. So, most ransomware groups do not do their own hacking. They typically purchase the access from somebody who did the access. And what will happen is, in certain dark web forums, a user will post revenue, a company’s revenue of around 25 million. They’ll say how many hosts the network has. So, in this one on the left by Benjamin Franklin, there are 500 hosts on this network. They’re looking for $1,500 to purchase this. And then a ransomware group will purchase this access, install their ransomware, and then attempt to extort the company when they’re able to. And this is how it gets posted. They never necessarily post names. Sometimes they do, but they provide enough information that you can try to narrow down who the target is in hopes of maybe preventing ransomware. That’s a really big thing for companies to use the dark web for: to monitor the initial access side of the ransomware lifecycle. And if they’re able to see that they’re potentially popping up in an initial access sale, they can go ahead and start doing extra tests and monitoring and finding where the hole is and hopefully be able to plug it before anything bad happens. But hackers do operate on the dark web in many different facets.

And then we have our main APT groups, our advanced persistent threats. For instance, North Korean groups, different things like that, Chinese groups that are constantly trying to break into things and hack things and gain information. This is another screenshot from our tool, similar to the ransomware groups, where we curate information on them.

Why is the dark web important? I’ve touched on this a lot, but it really does allow us the opportunity to learn more from the threat actor to make better decisions as to what we need to do to protect ourselves. So, it gives better insight and allows us to learn from them. There are tools that you can capture and figure out how they work to prevent them from working on your network. There are also tutorials in fraud, in hacking, in social engineering, whatever the case is, and we can learn directly from the threat actors and monitor that, and it can also give us an early warning sign before anything bad happens.

The early detection of potential emergent threats. It’s a more proactive approach to cyber defense. We’re learning directly from the threat actors, and hopefully it allows us to prevent threats from escalating, which is why it’s important.

So how do we find things on the dark web? One, there are open source tools to help you, but you need to take into consideration the OPSEC considerations, the operational security considerations. There are websites, for instance ransomlook.io, that post information daily on new ransomware groups that are operating on the dark web. There’s also different monitoring stuff and blog posts and things along those lines. But there are also command line based open-source tools for investigating it. It’s just, you really need to know the operational security side of it.

On the dark web, there are list sites or link sites or directories that will provide links to dark web sites. And they will monitor those links to determine if the site is online or offline. And then we use OSINT. OSINT is our best friend. OSINT stands for open-source intelligence, techniques for finding and learning information that’s publicly available. So, whether it’s from the news, from government publications, blogs. At DarkOwl, we post blogs pretty regularly. Social media accounts from influencers that specialize in this stuff, and then academia and research as well provide good insight into what is going on.

And then now the operational security concern of investigating the dark web, which our tool definitely does help with, and it is something that very regularly needs to be taken into consideration, right? So, it’s a process to prevent our adversaries from gaining information about us and our capabilities, so that we can identify who they are, right? We’re not trying to become the victim. We’re the investigator or the analyst trying to prevent this.

So, it’s important, right? It’s important for the investigator’s and the researcher’s safety. We want to make sure that their identity does not get released or known. It also protects against retaliation and targeting, and it ensures that safety during and after dark web investigations, right? We want to make sure that we protect against sensitive information and data exposure. For instance, downloading certain things off of the dark web because we need them for investigative purposes: if it’s not done correctly, on a secure machine that doesn’t have network access, we could potentially be putting malware or ransomware into our own network, you know, and now becoming an actual victim of what is going on. It allows us to maintain that confidentiality and anonymity and does not compromise our investigations. It allows us to reduce detection and tracking by sophisticated adversaries. For instance, some of those APTs that are nation-state groups are very well-trained, have everything that they need, have many people to help them. So, we want to make sure that we reduce detection by them so that we can continue gathering information. And then we want to reduce risks associated with linking affiliated investigations and researchers. We want to try to keep that attribution down to a very low level. And OPSEC is one of the most important things, and it should be the primary thing that is kept in mind for dark web investigations.

Six steps to OPSEC. We want to identify the critical information that we need and how we need to keep it secure. We want to analyze the threat. Who are our adversaries? What are their capabilities? What are they able to do? We want to look for weaknesses in configurations and behaviors to make sure that we can protect ourselves, and evaluate the likelihood and impact of those risks. We want to implement countermeasures and apply security practices. Do we need a machine that’s never connected to the company network, virtual machines, VPNs, things along those lines? And we want to constantly reevaluate as we progress in that investigation to make sure that our operational security is providing what we need it to provide. It’s important for protecting investigator safety, securing that sensitive information, maintaining operational integrity for the surveillance and tracking purposes, and then attribution risks, right? We want to make sure we keep those to a minimum.

We have gone over a lot. We’ve gone from what the dark web is, to what type of information is on the dark web, to tools for investigating the dark web, open source and ARPS tool and things like that, and operational security. But what are the strategies, right? We have the information, or we need to get the information. What are the strategies to take that investigation and make it fruitful? So, darknet intelligence, right, involves collecting and analyzing data, like any other investigation would, going through these specialized tools that we need to get it, and determining, right, the complex ecosystems where cyber criminals trade goods and services, right? We need to know: is the information that we are looking for on a forum, a marketplace, a chat group, whatever the case is.

The intelligence pyramid, everything in intelligence and investigations has some type of diagram or analogy or acronym. This is no different. We start at the bottom with our raw data. That is all of the data that we’ve collected that may be useful for us. We’ll take all of that and turn it into some type of information to figure out kind of the buckets it needs to be in, and then from there we’ll put that into our actual intelligence that we can make decisions on. Kind of weeding out the noise that we don’t need. And you’ll want to do that with dark web data because you will be able to find a lot of things, but not all of those things will matter to your current investigation or needs, right?

So, we’re going to start with the planning and direction through our intelligence life cycle. Once we have — this is what we’re worried about, this is kind of the information that we need to learn, these are our questions — we’ll work on those collections. Once we collect our information, then we’ll move to the analysis phase. Once we analyze all of our data, kind of go through that intelligence pyramid, we’ll move into production, write our reports, make our recommendations, and then disseminate that out and get feedback from your cross-functional partners or your clients or whoever the case is. And then we start that all over again for the next question that pops up, the next threat that we have to worry about.

Strategies for monitoring the dark web. You have to know what your intelligence requirement is. You’ve got to know what you want to achieve. Do you need to worry about a client being hacked? Do you need to worry about their data being stolen, whatever the case is? We want to identify the areas that most interest us. For instance, maybe we need to monitor for credit card information. Well, some of the best places to see specific credit card information pop up are in those marketplaces, right? We want to make sure that we keep a way of monitoring those sources. Once we collect data, we want to analyze that data, see if we need to find more data. Sometimes you need to. There’s always language assessment. If you need to figure out if you need to translate the information that you’re getting, Google Translate works, AI tools help with that. And then obviously the last thing that we want to do is report our findings to actually have our recommendations matter and help strengthen security posture, prevent cybercrime, and all of those fun things.

Just real quick – to touch on DarkOwl and what we do. DarkOwl is a darknet data technology company headquartered in Denver, Colorado. Our mission was to build automated technology to allow analysts to investigate and monitor the dark web without actually having to go to the dark web. And we have come a long way in producing that tool. We’re led by our CEO, Mark Turnage, and we have a very fantastic team of analysts and engineers to produce that. So, the information in our tool, you don’t ever actually have to go to the dark web to be able to access that information. And it’s all searchable, which is the best thing. So, you don’t actually have to know how to get to a certain forum or have an account on that forum. You’re able to get it yourself.

In our beginning in 2012, we pioneered darknet collection and relevant search, you know, we created our Vision UI tool, which allows you to have a graphical interface to search all of our data. But we also have API access as well. So, we can tie into tools like Maltego, which has a transform where you can tie into dark web data. But it gives access to your analysts to have this information, find it, use it and also monitor it through cases or alerts and different things along those lines. So, layers of the surface, deep and dark web that we go after, right? So some of these high-risk surface websites are like pastebin sites or discussion boards, you know, Reddit, social media sites as well. We monitor underground forums and marketplaces as well as Discord, Telegram, IRC. We’re always looking to move into new messaging platforms as we see the community shift, right? And then currently we are in Tor, I2P, and ZeroNet as dark web marketplaces, because those are the main places that threat actors operate, typically now in Tor. There was a little bit that I2P was gaining traction, but that has since lost its momentum. We pull about 2 million documents off of the dark web in about a 24-hour period. And we are constantly pulling in new information every single day. Our information is relatively able to be real-time, depending on the site and how often we crawl it. I was actually just doing research the other day and literally had information that was within the last six hours in the tool. So, it is very successful and really does help in these types of investigations, and it solves your operational security problem. So, you don’t have to worry about that using our tool.

And then our ecosystem – we have the Vision UI, which has pretty much everything an analyst would need, but then we also have different things. And in our Vision UI, what’s really nice about it is that you can have exposures for us. So, we have an algorithm that we created where you can put in some information and we can monitor a company’s exposure off of our algorithm inside of the tool. And then this is our contact information. I do have some questions that were brought up. I’m gonna touch on those real quick and then we can go ahead and end. So, one of the questions that was asked was what kind of data are most commonly traded or exposed on the dark web and how has that changed over the past few years? Which is a fantastic question. So, starting with the past few years and how that’s changed. So initially, you saw a lot of financial and drug-related stuff on the dark web, especially around the time of a former marketplace called Silk Road, which was one of the first law enforcement takedowns of a marketplace; there was a lot of financial-related and drug trafficking that was happening through the dark web. And as the years have progressed, we now see a lot more technologically based crimes. Ransomware, leaks, data being sold, personal information being sold. This has grown because more companies, from five, six, ten, fifteen years ago, are putting anything and everything on technology, and with this come budget cuts at times where security teams diminish. So, cybercrime goes up, hacking goes up, as well as we’re in a time where everything involves technology. This has become a very big topic on the dark web. A lot of that information is now available.

Question number two that we got: Are there specific industries or sectors that are more heavily targeted or discussed on the dark web? And there are. And it’s hard to quantify. Healthcare is one that is on it. That personal information, medical records, that type of information, because if a ransomware organization is able to hit a healthcare organization, they’re typically going to get paid. And most ransomware groups aren’t the most trustworthy people, so they still release the information after being paid. Financial services: bank access, fraud opportunities, selling crypto accounts that have already bypassed KYC. So, a threat actor can purchase that account and sell it, or use it, so that it can’t be attributed back to them. And then your government and defense contractors are always something that pops up as well on the dark web, but anybody can be a target. It just depends on if it’s your day or not. Critical infrastructure, that is another thing that can pop up if there’s talk related to that, because those are things that typically the payments go through.

The next question we have is, “What are the early warning signs that a company’s data or credentials might be circulating on the dark web?” And that’s actually a very interesting topic and could probably warrant its own webinar in itself. But some of the quick things that we want to look for are company credentials appearing in stealer logs and combo lists. So, for instance, if an employee of a company accessed their company’s portal from their personal computer, which isn’t monitored by the company’s IT, and it did get captured in stealer logs, that popping up is definitely a strong sign you may be attacked, ’cause it just takes one person to understand, hey, I have a company login. Let me go log in and figure out what I want to do. Mentions of the company’s domain or brand on dark web forums: as that starts increasing, concerns should start populating. That’s more like your medium concerns. Leaked internal documents obviously are an issue. And then that initial access: if you start to see initial access postings that appear to match your organization, that is something that you want to take seriously. Even though it has the potential to be a false positive, we still want to take that seriously. And then, of course, ransomware sites announcing that they hacked you. That is a clear indication that there’s trouble ahead and that we need to monitor that. Because ransomware sites, a lot of times, will post that something is happening before it happens because they’ve already initialized what they were going to start with.

And then the last question I have is: “With the growing use of encrypted messaging platforms and private marketplaces, is the traditional dark web still the biggest threat or is the landscape evolving?” That’s a fantastic question. And yes, the dark web is still a very, very big threat, but we have to make sure that we monitor the adjacent. The thing with the dark web where encrypted messaging platforms won’t ever be able to overtake it is the ability for somebody to find that information, to be able to start the conversations or purchase whatever they need. For instance, Telegram was very, very big a few years ago. And you even saw some marketplaces shutting down on the dark web to be on Telegram. Because it was still very easy to find those marketplaces by just using the search bar. There’s no real messaging application that takes that over. So, a lot of times what you’ll see is that things will start on the dark web. And then from there they may move conversations into encrypted messages or channels. That doesn’t mean that that information still can’t be obtained and used for intelligence purposes. But I don’t think messaging will ever be able to take away from the dark web. It’s just another adjacent place that needs to be monitored as the investigation and intelligence needs develop.

Thank you so much for your time, everybody.


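The webinar's answer on early warning signs puts corporate credentials turning up in stealer logs and combo lists at the top of the list. What follows is an added example of how a monitoring team can triage such a dump automatically; it is not DarkOwl's code and is not from the webinar. It assumes the common "url:user:password" line layout (real dumps vary by stealer family and need a parser per format), the watchlist domain acme.example and every sample line are constructed, and the two severities (a stored login to one of the company's own services versus a corporate e-mail address registered on a third-party site) are this example's own scheme.

```python
"""Triage stealer-log lines for corporate credential exposure.

Added example, not DarkOwl's code. It assumes the common "url:user:password"
line layout; real dumps vary by stealer family and need a parser per format.
All sample lines are constructed and the domains are placeholders.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Exposure:
    severity: str   # "high" or "medium"
    reason: str
    host: str
    username: str


def host_of(url: str) -> str:
    """Hostname of a stealer-log URL; tolerates a missing scheme and a port."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower()


def in_domain(host: str, domain: str) -> bool:
    """Exact or subdomain match; stops 'notacme.example' matching 'acme.example'."""
    return host == domain or host.endswith("." + domain)


def triage(lines, corp_domains):
    """Return de-duplicated exposures for the monitored domains.

    high   : a login stored for one of the company's own services
             (the VPN/SSO-from-a-personal-laptop case the webinar describes).
    medium : a corporate e-mail address used to register on a third-party
             site, which is a credential-reuse and phishing risk.
    Passwords are dropped at parse time; only host and username are kept.
    """
    seen, found = set(), []
    for line in lines:
        parts = line.strip().rsplit(":", 2)   # split from the right: the URL has its own ':'
        if len(parts) != 3 or not parts[1]:
            continue                            # malformed line or empty username
        url, user, _secret = parts
        host, user = host_of(url), user.lower()
        mail_domain = user.rsplit("@", 1)[1] if "@" in user else ""
        if any(in_domain(host, d) for d in corp_domains):
            exp = Exposure("high", "credential for a corporate service", host, user)
        elif mail_domain and any(in_domain(mail_domain, d) for d in corp_domains):
            exp = Exposure("medium", "corporate e-mail used on a third-party site", host, user)
        else:
            continue
        if (host, user) not in seen:
            seen.add((host, user))
            found.append(exp)
    return found


CORP_DOMAINS = ["acme.example"]              # constructed watchlist

SAMPLE_LINES = [                              # constructed, not from any real dump
    "https://vpn.acme.example/login:j.doe:Summer2025!",
    "https://sso.acme.example:8443/auth:j.doe@acme.example:Summer2025!",
    "https://mail.webmail.example/login:j.doe@acme.example:Summer2025!",
    "https://shop.example.net/account:jdoe_personal:hunter2",
    "https://notacme.example/login:j.doe:Summer2025!",
    "this line has no separators",
    "https://vpn.acme.example/login:j.doe:Summer2025!",   # duplicate
]


if __name__ == "__main__":
    for e in triage(SAMPLE_LINES, CORP_DOMAINS):
        print(f"[{e.severity}] {e.username} on {e.host}: {e.reason}")
```

Run against the constructed sample it reports two high findings (the VPN and SSO logins) and one medium finding (the corporate address on a webmail site); the look-alike domain, the personal account, the malformed line and the duplicate are all dropped. The right-hand split and the subdomain check are the two details that most often go wrong in quick scripts: splitting on the first colon breaks on the URL scheme, and a plain substring test turns every look-alike domain into a false positive.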

Far-Right Reactions to Israel-Iran-U.S. Conflict 

August 05, 2025

In previous blogs, DarkOwl has explored reactions from hacktivist groups on the deep and dark web in response to the Israel-Iran conflict and the U.S.’ attacks against nuclear sites in Iran. In addition to activity from hacktivist groups, analysts have also observed extensive online chatter within far-right spaces in response to the Israel-Iran-U.S. conflict. For this blog, DarkOwl specifically examined some of the most popular political far-right Telegram channels to determine which opinions and sentiments have been most prevalent within these groups.  

Significantly, since the U.S. strike on Iranian nuclear sites on June 22, analysts observed a striking difference in opinion between vocal subscribers in multiple far-right Telegram channels. These channels are known for platforming misinformation and conspiracy theories and are characterized by a significant number of subscribers—in some cases as many as 200,000. In recent weeks, many of the articles posted by the channels on a daily basis have concerned developments in the Israel-Iran conflict. Upon review, the discussions observed in response to these developments have been marked by disagreement and incoherence. Though this disconnect is not particularly unusual in and of itself, the Israel-Iran-U.S. conflict appears to have brought out inconsistencies within extreme right-wing circles even more so than before. Nonetheless, hatred remains a binding force between many of the members of these groups despite ideological or subideological differences. 

A review of multiple discussions within far-right Telegram channels since June 22 revealed significant ideological rifts. More specifically, opinions fell into a striking collection of not necessarily mutually exclusive categories: (1) pro-Israel; (2) pro-Trump; (3) anti-Israel; (4) anti-Israel and anti-Iran; (5) antisemitic and pro-Iran; (6) Islamophobic and pro-Israel; (7) antisemitic AND Islamophobic (i.e. racist); (8) anti-U.S.; etc. For instance, while some vehemently praised the Trump Administration’s response to the conflict—dubbing the president the “Moses of our Time”—others fiercely criticized the administration, arguing that the U.S. “will suffer a national humiliation” as a result (it is worth noting for context that these channels are generally known for consistently supporting the current administration). Meanwhile, while some actively advocated for intervention in the conflict, others strongly opposed any involvement. These ideological oppositions were even made evident in users’ emoji reactions to comments. In response to one individual referring to the U.S. as a terrorist state for targeting Iran, some responded negatively with “thumbs down” emojis, while others responded positively with “thumbs up.” Similar emoji breakdowns were also noted in other instances. 

Furthermore, in addition to this wide variety of ideological differences, many individuals were also seen sharing conspiracy theories, misinformation, and disinformation. This included, for instance, some claiming that the “Deep State Cabal”—rather than Iran—poses a threat to the United States. This merging of conspiracy theories and disparate ideologies further conveyed the chaotic nature of this typically more homogenous information space.  

In addition to a wide variety of contradicting opinions and ideologies, analysts noted an unsurprisingly significant amount of hatred directed at groups and individuals perceived as threats or adversaries to the current system. Among specific Israel-Iran-U.S. conflict updates, notably fierce comments were observed in response to two key events in recent weeks: the declaration of a fatwa against U.S. President Trump and reports that the U.S.’ strikes against Iran did not destroy the nation’s nuclear infrastructure. 

A June 29 article regarding the issuing of a fatwa against President Trump by an Iranian cleric gained notable traction on Telegram, with numerous users calling for the assassination of Supreme Leader Ayatollah Ali Khamenei in response. In a reflection of the previously noted ideological disagreement between far-right users in the channels, some were observed calling for the end of U.S. involvement, suggesting the responsibility to address the conflict lies with Israel instead. Among these responses, however, one sentiment emerged as most dominant: Islamophobia. Though such rhetoric was not limited to fatwa-related discussions within the channel, it appeared even more frequently in this instance, with individuals sharing hateful, violent rhetoric directed at Iranians and Muslims broadly. Several users also called for the targeting and deportation of American Muslims (referred to by one individual as “savages in our society”), claiming that they “pose a threat.” This rampant hate is consistent with the observed increase in both Islamophobia and antisemitism since the escalation of the Israeli-Palestinian conflict in October 2023. Indeed, the FBI found that anti-Muslim incidents rose by 300% in just two months following Hamas’ October 7 attack.  

Similarly fervent responses were observed in response to an article addressing reports indicating that the U.S. did not destroy Iran’s nuclear capabilities—despite the administration’s assertions that the targeted sites were “obliterated.” The misleading article—which attempted to undermine the findings of U.S. intelligence officials—was repeatedly shared across far-right channels and gained more than 20,000 views. In response to the story, numerous users referred to the reporters who shared the findings as “traitors” and called for them to be jailed. One individual also called for charging a specific reporter with “espionage against the United States” and expressed disdain for the intelligence officers who compiled the report. Similar to Islamophobic rhetoric, this hate directed towards reporters and officials who share facts contradicting the administration’s claims is consistent with the persistent animosity towards reputable sources shared by far-right groups.  

Overall, analysts observed nearly every possible combination of opinions within multiple far-right Telegram channel discussions in response to the Israel-Iran-U.S. conflict. This finding is significant in that it reflects what appears to be a fracturing of far-right ideology within this specific monitored ecosystem of large-scale Telegram channels. Even though pro-administration rhetoric appears to remain dominant, many users were observed criticizing one another—seemingly more fervently than in response to previous non-foreign policy-related discussions.  Despite this noted difference in opinion, however, one fact remains consistent: regardless of specific ideology/ideologies, many of the individuals within these groups are linked by a hatred that transcends any ideological framework. Whether it’s hatred directed at journalists or members of targeted religious communities, the sentiment remains an overriding force within these communities. 



Threat Intelligence RoundUp: July

August 04, 2025

Our analyst team shares a few articles each week in our email newsletter which goes every Thursday. Make sure to register! This blog highlights those articles in order of what was the most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. Ukraine arrests suspected admin of XSS Russian hacking forum – Bleeping Computer

In a July 23 press release, French authorities announced the arrest of the alleged administrator of the notorious Russian cybercrime forum XSS. According to the announcement, the suspect was arrested in Kyiv, Ukraine, by Ukrainian authorities on July 22 in the presence of French police and with support from Europol. The investigation was launched four years earlier, on July 2, 2021, by the cybercrime division of the Parquet de Paris (the Public Prosecutor’s Office). In addition to the arrest in Ukraine, authorities also seized the XSS.is domain. As noted by Hackread, following the action the site featured a seizure notice stating that the domain had been seized by French law enforcement. Read full article.

2. Android malware Anatsa infiltrates Google Play to target US banks – Bleeping Computer

Researchers at ThreatFabric have identified a new Android banking malware campaign which utilizes the Anatsa Android banking trojan. According to the report, the campaign is targeting North American users and posed as a PDF viewer app in the U.S. Google Play Store; it was downloaded over 50,000 times before being removed. The app was initially launched as a legitimate app before being “transformed into a malicious one approximately six weeks after release.” The latest campaign is notably characterized by a broadened target list including a range of American mobile banking apps. Article here.

Researchers at Morphisec have observed the resurgence of the Iranian-backed ransomware-as-a-service (RaaS) “Pay2Key.” The company’s report—released just a month after Israel launched attacks against Iran’s nuclear and military facilities—reveals that the scheme now operates as “Pay2Key.I2P” and offers a greater profit share to those who target Iranian adversaries. As noted by the researchers, “the group offers an 80% profit share (up from 70%) to affiliates supporting Iran or participating in attacks against the enemies of Iran, signaling their ideological commitment.” Read more here.

In a July 23 report published by Zscaler ThreatLabz, researchers attributed two cyberattack campaigns against the Tibetan community to a China-linked APT group. The two campaigns—dubbed Operation GhostChat and Operation PhantomPrayers—targeted Tibet with multi-stage infection chains deploying Ghost RAT and PhantomNet backdoors. These attacks capitalized on heightened online activity in the weeks leading up to Dalai Lama’s 90th birthday on July 6. The campaigns functioned by “leveraging multiple subdomains […] to impersonate legitimate platforms.” Read here.

5. CISA and FBI warn of escalating Interlock ransomware attacks – Bleeping Computer

On July 22, the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint cybersecurity advisory warning of the ongoing threat posed by Interlock ransomware. According to the advisory, the relatively new ransomware operation has targeted a variety of sectors since it first emerged in September 2024. Targets have included “a wide range of business and critical infrastructure sectors in North America and Europe.” Learn more.

6. FBI seizes $2.4M in Bitcoin from new Chaos ransomware operation – Bleeping Computer

On July 28, the FBI’s Dallas field office announced that in mid-April 2025 it had seized over $1.7 million worth of cryptocurrency. According to the statement, the funds were “traced to a cryptocurrency address allegedly associated with a member of the Chaos ransomware group.” The seized amount has since been valued at over $2.4 million. The alleged member of Chaos has been tied to ransomware attacks carried out against Texas companies and other targets. Read full article.

7. Four arrested in UK over M&S, Co-op, Harrods cyberattacks – Bleeping Computer

In a July 10 press release, the U.K.’s National Crime Agency (NCA) announced the arrest of four individuals for their suspected involvement in a series of cyberattacks against three major retailers (Marks & Spencer, Co-op, and Harrods). According to the statement, the arrested individuals include two 19-year-olds, one 17-year-old, and a 20-year-old. They were arrested on suspicion of “Computer Misuse Act offences, blackmail, money laundering and participating in the activities of an organised crime group.” Read full article.

8. US sanctions North Korean firm, nationals behind IT worker schemes – Bleeping Computer

In a July 24 press release, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced the sanctioning of the North Korea-based Korea Sobaeksu Trading Company and three associated individuals for their participation in fraudulent remote IT worker schemes. As previously noted in DarkOwl’s Weekly Intelligence Summaries, the DPRK government uses these IT worker schemes to generate illicit revenue. The IT workers involved in the scheme use “fraudulent documents, stolen identities, and false personas to obfuscate their identities and infiltrate legitimate companies.” Learn more.



The Islamic State’s Propaganda Playbook

Digital Resilience, Recruitment, and Radicalization on the Darknet

This report examines the Islamic State’s (IS) evolving digital propaganda strategy, tracing its shift from centralized social media campaigns to a decentralized, multi-platform ecosystem spanning encrypted messaging apps and darknet infrastructure. Drawing on data from DarkOwl Vision and other intelligence sources, the report outlines how IS has adapted to deplatforming by leveraging Telegram, Rocket.Chat, Matrix, and Tor-based onion sites to distribute propaganda, recruit operatives, and maintain ideological influence. It highlights IS’s increasing use of multilingual content, operational security (OPSEC) training, and emerging technologies such as generative AI to sustain its global reach. The findings underscore the importance of persistent darknet monitoring and cross-platform intelligence to counter the group’s resilient digital footprint.



What are IoCs?

July 24, 2025

Cybersecurity might as well have its own language. There are so many acronyms, terms, and sayings that cybersecurity professionals and threat actors both use that, unless you are deeply knowledgeable, have experience in the security field, or have a keen interest, you may not know them. Understanding what these acronyms and terms mean is the first step to developing a thorough understanding of cybersecurity and, in turn, better protecting yourself, your clients, and your employees. 

In this blog series, we aim to explain and simplify some of the most commonly used terms. Previously, we have covered bullet proof hosting, CVEs, APIs, brute force attacks, zero-day exploits, doxing, and data harvesting. In this edition, we dive into indicators of compromise. 

Indicators of Compromise (IoCs) are pieces of forensic data or artifacts found on a network or operating system that, with high confidence, indicate that an intrusion, breach, or other malicious activity has already occurred. Think of them as the “digital fingerprints” or “clues” left behind by an attacker; they help security teams determine whether an attack has taken place. Typical IoCs are attacker IP addresses and domains, file hashes of malware samples, unusual registry keys, scheduled tasks or file paths, and log entries showing anomalous logins or traffic. 

Indicators of compromise help security professionals in several ways. They are essential for detecting both ongoing and past cyberattacks, even if the initial breach went unnoticed. Once an IoC is identified, it serves as a guide for incident response teams, helping them understand the full scope, nature, and methods of the attack. This understanding allows them to effectively contain the threat, eradicate the malicious presence, and recover compromised systems. Furthermore, by analyzing IoCs from previous incidents, organizations can proactively strengthen their defenses, updating security tools such as firewalls, intrusion detection systems, and antivirus software to prevent similar attacks in the future. Finally, sharing IoCs within the cybersecurity community is important to help other organizations defend against the same evolving threats, fostering a stronger collective defense across the digital landscape and keeping up to date with the latest TTPs (tactics, techniques and procedures) of threat actors. One practical caveat: shared indicators are usually “defanged” (hxxp://, 198[.]51[.]100[.]23) so they cannot be clicked by accident, and they must be normalized back before being loaded into a detection tool. 

It’s important to distinguish IoCs from Indicators of Attack (IoAs). While IoCs tell you that a compromise has already happened, IoAs focus on the behaviors and tactics that suggest an attack is currently in progress or about to occur. Both are crucial for a comprehensive cybersecurity strategy. We will dive into IoAs in an upcoming blog. 
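The post describes what IoCs are for; the following added example shows the mechanics of actually using a shared list, since that is where most first attempts go wrong. It is not code from this post or from any DarkOwl product. The indicator list, the “example-loader” label and every log line are constructed for illustration, and the three indicator kinds handled (IPv4 address, domain, SHA-256 hash) are this example's own choice. It refangs the defanged notation advisories use, de-duplicates indicators that name the same artefact in different forms, matches subdomains of a listed domain, and returns which line hit which indicator so the result can feed an incident record.

```python
"""Match a shared indicator-of-compromise (IoC) list against log lines.

Added example, not code from the DarkOwl post. The indicator list and the
log lines are constructed for illustration and are not real threat data.
"""
import hashlib
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


def refang(value: str) -> str:
    """Undo the defanging (hxxp://, [.], [:]) used when indicators are shared,
    and reduce a URL to its host so it can be compared with log fields."""
    v = value.strip().lower()
    for old, new in (("hxxp", "http"), ("[.]", "."), ("(.)", "."), ("[:]", ":")):
        v = v.replace(old, new)
    if "://" in v:
        v = urlsplit(v).hostname or v
    return v


@dataclass(frozen=True)
class Indicator:
    kind: str    # "ipv4" | "domain" | "sha256"
    value: str
    label: str   # which report or malware family the indicator came from


def classify(raw: str, label: str) -> Indicator:
    """Normalise one shared indicator and work out what kind of artefact it is."""
    v = refang(raw)
    try:
        ipaddress.IPv4Address(v)
        return Indicator("ipv4", v, label)
    except ValueError:
        pass
    if re.fullmatch(r"[0-9a-f]{64}", v):
        return Indicator("sha256", v, label)
    if re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", v):
        return Indicator("domain", v, label)
    raise ValueError(f"unrecognised indicator: {raw!r}")


def load_indicators(raw_list):
    """Build a de-duplicated indicator list keyed by (kind, value)."""
    table = {}
    for raw, label in raw_list:
        ind = classify(raw, label)
        table.setdefault((ind.kind, ind.value), ind)
    return list(table.values())


@dataclass(frozen=True)
class Match:
    line: int
    kind: str
    observed: str
    label: str


# Artefacts the scanner pulls out of free-form log text.
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,63}\b", re.IGNORECASE)


def scan(lines, indicators):
    """Return every log line that touches a known indicator.
    Domains match exactly or as a subdomain of the listed domain."""
    labels = {(i.kind, i.value): i.label for i in indicators}
    domains = [i for i in indicators if i.kind == "domain"]
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if ("ipv4", ip) in labels:
                hits.append(Match(n, "ipv4", ip, labels[("ipv4", ip)]))
        for h in SHA256_RE.findall(line):
            if ("sha256", h.lower()) in labels:
                hits.append(Match(n, "sha256", h.lower(), labels[("sha256", h.lower())]))
        for host in HOST_RE.findall(line):
            host = host.lower()
            for d in domains:
                if host == d.value or host.endswith("." + d.value):
                    hits.append(Match(n, "domain", host, d.label))
    return hits


# Constructed IoC list in the defanged style an advisory would use.
DROPPER_SHA256 = hashlib.sha256(b"constructed dropper bytes").hexdigest()
RAW_IOCS = [
    ("198[.]51[.]100[.]23", "example-loader C2 (constructed)"),
    ("update-cdn[.]example", "example-loader staging domain (constructed)"),
    ("hxxp://update-cdn[.]example/", "example-loader staging domain (constructed)"),  # same domain
    (DROPPER_SHA256, "example-loader dropper (constructed)"),
]

# Constructed DNS, proxy and EDR log lines.
SAMPLE_LOGS = [
    "2025-07-24T10:02:11Z dns client=10.0.0.14 qname=update-cdn.example qtype=A",
    "2025-07-24T10:02:12Z proxy CONNECT src=10.0.0.14 dst=198.51.100.23:443 bytes=9120",
    f"2025-07-24T10:03:40Z edr file_create host=ws-14 path=C:\\Users\\a\\Temp\\svc.exe sha256={DROPPER_SHA256}",
    "2025-07-24T10:05:00Z dns client=10.0.0.22 qname=cdn.example.org qtype=A",
    "2025-07-24T10:06:00Z dns client=10.0.0.9 qname=files.update-cdn.example qtype=A",
]


if __name__ == "__main__":
    for m in scan(SAMPLE_LOGS, load_indicators(RAW_IOCS)):
        print(f"line {m.line}: {m.kind} {m.observed} -> {m.label}")
```

On the constructed sample the scanner reports lines 1, 2, 3 and 5 (domain, C2 address, dropper hash, and a subdomain of the listed domain) and ignores the unrelated cdn.example.org lookup. The de-duplication matters in practice because feeds often list the same staging host once as a bare domain and once as a URL, and without the refang step neither form would ever match a real DNS log.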

Crowdstrike IoC list 

Data purported to be from CrowdStrike was posted on BreachForum, a hacking forum, on July 28, 2024. According to the post, UsDoD claims to have the entire IoC (Indicator of Compromise) list from Crowdstrike but only released the first 100,000 records. Data exposed includes indicators, types of malware, actors, reports, kill chains, published dates, latest updates, and labels.

CISA and FBI: Ghost ransomware breached orgs in 70 countries 

On February 19 this year, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint advisory detailing indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with Ghost (Cring) Ransomware. Since 2021, threat actors utilizing Ghost ransomware have targeted organizations in more than 70 countries. Victims have included organizations in a variety of sectors, including critical infrastructure, education, and healthcare.

SolarWinds 

As was seen during the SolarWinds hack, monitoring the darknet for malicious discussions enables organizations to understand when and if they are a target, and prepare accordingly. In the case of SolarWinds, we have evidence that they had been targeted by hackers for a number of years. A few searches in DarkOwl Vision’s database of darknet content reveal glaring potential indicators of compromise that, had they been taken seriously, could have been leveraged by their customers as a cue to safeguard themselves against what ultimately became the devastating hack that transpired this year. 

DarkOwl Vision has collected 98 documents from a single popular zero-day marketplace with mentions of SolarWinds-specific vulnerabilities since February 2020 (shown below). 

As noted above, sharing IoCs within the cybersecurity community is vital to developing collective defenses and sharing best practices. By keeping up to date with IoCs in the wild, organizations can expand their understanding of current attack vectors, speed up their own incident response, avoid re-analyzing threats that have already been analyzed, and improve their overall security posture. 

One way of tracking and sharing IoCs is through TIPs (Threat Intelligence Platforms). These specialized platforms are designed to collect, process, and disseminate crucial threat intelligence, including IoCs, to the wider community. To ensure efficient and interoperable sharing, IoCs are often exchanged using standardized formats and protocols. For instance, STIX (Structured Threat Information eXpression) provides a common language for representing and sharing cyber threat intelligence, encompassing not only IoCs but also threat actors and their tactics. The TAXII (Trusted Automated eXchange of Intelligence Information) protocol then facilitates the secure transmission of this STIX-formatted data between different organizations or security platforms. 
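To make the two halves of this discussion concrete (IoCs as detection input, and STIX as the exchange format), here is an added example that is not DarkOwl code and not part of the original article. It wraps a small set of constructed indicators as STIX 2.1 Indicator objects, then reads the indicator patterns back and sweeps a handful of constructed proxy, firewall and EDR log lines for exact matches. The IoC values (a `.test` domain, a TEST-NET-3 address and a dummy hash) and the log lines are all made up for illustration; the pattern parser only handles the single-comparison form `[path = 'value']`, not the full STIX patterning grammar that the real `stix2` library implements.

```python
"""Wrap constructed IoCs as STIX 2.1 Indicators, then sweep log lines with them.

Added example for this article; it is not DarkOwl code. Every indicator
value and log line below is constructed for illustration only.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed IoCs: (STIX object path, value, human-readable name).
SAMPLE_IOCS = [
    ("domain-name:value", "update-check.example-bad.test", "C2 domain (constructed)"),
    ("ipv4-addr:value", "203.0.113.57", "staging server (constructed, TEST-NET-3)"),
    ("file:hashes.'SHA-256'", "0" * 63 + "1", "dropper hash (constructed)"),
]

# Fixed timestamp so the bundle is reproducible; real feeds use the sighting time.
STAMP = datetime(2025, 7, 1, tzinfo=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")

def make_indicator(path, value, name):
    """Build one STIX 2.1 Indicator dict whose pattern is a single comparison."""
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": STAMP,
        "modified": STAMP,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern_type": "stix",
        "pattern": f"[{path} = '{value}']",
        "valid_from": STAMP,
    }

def make_bundle(iocs):
    """Group indicators into a STIX bundle, the unit TAXII servers hand out."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [make_indicator(*ioc) for ioc in iocs]}

# Only the simplest STIX pattern shape is supported here: [path = 'value'].
PATTERN_RE = re.compile(r"^\[(?P<path>[\w:.'-]+) = '(?P<value>[^']+)'\]$")

def parse_pattern(pattern):
    """Return (object path, literal value) from a single-comparison pattern."""
    m = PATTERN_RE.match(pattern)
    if not m:
        raise ValueError(f"unsupported pattern: {pattern}")
    return m.group("path"), m.group("value")

# Constructed log lines; line 1, 3 and 5 contain an indicator, line 4 is a near miss.
SAMPLE_LOGS = [
    "2025-07-01T10:00:01Z proxy src=10.0.0.5 dst=update-check.example-bad.test:443 action=allow",
    "2025-07-01T10:00:02Z proxy src=10.0.0.6 dst=www.example.com:443 action=allow",
    "2025-07-01T10:00:03Z fw src=10.0.0.5 dst=203.0.113.57:8443 action=allow",
    "2025-07-01T10:00:04Z fw src=10.0.0.7 dst=203.0.113.5:443 action=allow",
    "2025-07-01T10:00:05Z edr host=ws05 sha256=" + "0" * 63 + "1" + " path=C:\\Users\\Public\\svc.exe",
]

def sweep_logs(bundle, log_lines):
    """Return sorted (line_no, path, value, indicator_id) hits for every indicator.

    Values must match as whole tokens: 203.0.113.5 must not fire on 203.0.113.57.
    """
    hits = []
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        path, value = parse_pattern(obj["pattern"])
        needle = re.compile(r"(?<![\w.-])" + re.escape(value) + r"(?![\w.-])",
                            re.IGNORECASE)
        for line_no, line in enumerate(log_lines, start=1):
            if needle.search(line):
                hits.append((line_no, path, value, obj["id"]))
    hits.sort()
    return hits

if __name__ == "__main__":
    bundle = make_bundle(SAMPLE_IOCS)
    print(json.dumps(bundle, indent=2))          # what you would push over TAXII
    for line_no, path, value, ind_id in sweep_logs(bundle, SAMPLE_LOGS):
        print(f"line {line_no}: {path} = {value} ({ind_id})")
```

The sweep is deliberately strict about token boundaries: a bare substring search on `203.0.113.5` would also fire on `203.0.113.57`, which is the kind of false positive that erodes trust in a feed. In production the bundle would come from a TAXII collection rather than be built by hand, and matching would run in the SIEM rather than in a loop over strings.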

Beyond specialized platforms, many cybersecurity vendors, research organizations, and government agencies provide Threat Intelligence Feeds. These feeds deliver real-time or near real-time updates of IoCs directly to an organization’s security tools. Information Sharing and Analysis Centers (ISACs) and Information Sharing and Analysis Organizations (ISAOs) play a critical role as well. These sector-specific or cross-sector organizations create trusted environments for their members to share sensitive threat information, including IoCs, and collaborate on defense strategies. For example, there are dedicated ISACs for sectors like finance, energy, and healthcare. Governments also contribute significantly; many have Government Initiatives to facilitate threat intelligence sharing, such as CISA’s Automated Indicator Sharing (AIS) in the United States, which provides federal agencies and partners with machine-readable cyber threat indicators. 

Finally, the broader Security Research and Open-Source Communities are invaluable contributors. Independent security researchers, ethical hackers, and open-source projects frequently discover and publish IoCs through various channels like blogs, online forums, GitHub repositories, and specialized websites. 

Entity API enables the identification and contextualization of specific entities—such as email addresses, IP addresses, and domains—within DarkOwl’s darknet data. This tool is invaluable for incident responders and threat hunters seeking to correlate Indicators of Compromise (IOCs) and assess potential threats.  

Investigators can gather IOCs from dark web sources and link them to threat actors or campaigns. This helps in profiling the activities, tactics, and techniques of adversaries, enabling proactive threat hunting and vulnerability assessments. 

Emails and Domains 

Email Address and Domain endpoints allow you to request all exposed information relating to a single email address or email domain. For example, you can request a list of all emails belonging to a particular domain, or see if a specific email address has been exposed with a hashed or plaintext password (if detected).

Credit Cards and BIN 

Credit Card and Bank Identification Number (BIN) endpoints allow you to request to see information relating to a single credit card number or BIN. For example, end users can query all credit cards belonging to a specific BIN that have not expired or the URL source of the pages on which a specific credit card was posted. 

Cryptocurrency Addresses 

Cryptocurrency Address endpoints allow you to see if specific cryptocurrency addresses have been exposed. Sample responses include a contextual text fragment taken from the original source document. 

IP Addresses 

IP Address endpoints allow you to request information relating to a single IP address. For example, end users can leverage search parameters to find out whether a specific IP address has been posted on darknet forums.

One of the most prevalent use cases for insight into DarkOwl’s data is the recent persistent rise in cybercriminal activity as a whole, and specifically ransomware activity, which largely presents itself on the dark web. The global dark web intelligence market is expected to grow at a CAGR of 22.3%, reaching a total of $1.3 billion by 2028.

Other recent reporting from Kaspersky maintains that the most common attack vector for all ransomware attacks continues to be via account takeover utilizing stolen or brute forced credentials. Entity API will empower threat intelligence teams with the tools to determine when such account information has been compromised, and take remediation steps accordingly.  

Monitor Cryptocurrency Mentions Using Entity API 

With Entity API, users have access to highly targeted, structured information from the largest commercially available collection of darknet and deep web sources. This includes Tor, I2P, Zeronet, data breaches, encrypted chats, IRC, and authenticated forums. Users can search for a crypto address that DarkOwl has captured from darknet sources, including illegal marketplaces and vendor forums, to detect wallets with problematic activity. Cryptocurrency address endpoints allow users to see if specific cryptocurrency addresses have been exposed.  

Cryptocurrency types include: 

  • Bitcoin 
  • Ethereum 
  • Monero 
  • zCash 
  • Litecoin 
  • Dash 
Figure 2: Request to see all instances of a specific cryptocurrency address appearing on the darknet (or other underground networks). Sample responses pictured above. 

For those in charge of monitoring for critical information regarding their business or their customers, having access to DarkOwl’s darknet data means access to near real-time data from exclusive dark web sources including authenticated forums and emerging chat networks. Contact us to learn more. 

Dark Web Threats to UK Councils

July 22, 2025

In an increasingly volatile cyber security landscape, no organization is safe from cyber attacks. One group of organizations which has been increasingly targeted by ransomware groups and other threat actors is UK councils which are the local level of government in the UK.  

In this blog we will explore what UK councils are and how they have been subjected to cyber attacks in recent times.  

Councils, which are also known as local authorities, are the local level of government in the UK. They are responsible for delivering public services, which can range from social care and schools to roads and transport, trash collection and recycling, housing and planning permission, as well as the management of parks, recreational areas and libraries. They are responsible for large swathes of local life in the UK, and all residents pay a council tax in order to receive and maintain services.  

Councils are run by locally elected officials, who are responsible for making decisions on budgets, policies and the services that are provided. Councils often have a lead, typically a mayor, who is either directly elected by local residents or selected from the councilors. There will also be non-political officers, or civil servants, who run day-to-day operations.  

There are also different types of councils depending on where they are located and the communities that they support.  In England these form a tier system:  

  • Two-tier system (mainly in shire counties like Kent or Hampshire): 
    • County Councils 
      • Handle large-scale services like education, social care, and transport. 
    • District/Borough Councils 
      • Handle local services like housing, waste collection, and planning. 
  • Single-tier system (in cities and urban areas): 
    • Unitary Authorities 
      • Handle all services. 
    • Metropolitan Boroughs 
      • Do everything in large urban areas (e.g., Manchester, Birmingham). 
    • London Boroughs 
      • Each borough (like Camden or Croydon) has its own council. 
    • Greater London Authority (GLA) 
      • Oversees strategic issues like transport (TfL), policing, and planning. 

UK councils face a wide range of cybersecurity threats due to the large volumes of sensitive data they manage (e.g. social services, housing, benefits, and education). 

There are multiple types of cyber threats that can affect local councils, here we summarize some of the common attacks we have seen conducted.  

Ransomware Attacks 

Ransomware attacks happen when a threat group obtains access to a network and encrypts the data, demanding a ransom to return the information to the owner. Increasingly, these attacks also include the theft of data, which is then made available on dark web sites. This can have very serious ramifications for councils given the services that they support: it can stop them from carrying out those services, as well as exposing sensitive personal information.  

Figure 1: InterLock Ransomware group share data from West Lothian Council 

Data Breaches 

A data breach can occur in many ways, but ultimately it is when sensitive or protected data is made publicly available when it should not be. Councils can fall victim to this either through poor security practices or because they are the victim of a hacking attack.  

Recently the Oxford City Council reported that attackers had been able to access PII data through a breach of some of their legacy systems. The information targeted largely related to individuals who had worked on local elections, including ballot counters and poll station workers.

Distributed Denial of Service (DDoS) Attacks 

A Denial-of-Service attack is when a website or service is overloaded, making the service unavailable. This can leave council websites, through which many local residents access services and obtain support, unavailable. Recently, hacktivist groups associated with countries involved in conflict, such as Russia, Ukraine, Palestine, Iran and Israel, have been known to conduct these DDoS attacks. In some cases, they have successfully targeted council websites.  

Figure 2: Proof of DDOS against London Borough of Harrow from Palestinian affiliated hacktivist group 

Real World Incident:  

  • Perpetrator: Hacktivist group NoName057(16). 
  • Targets: Multiple local councils including Blackburn with Darwen, Exeter, and Arun District Council. 
  • Impact: Temporary website outages and service disruptions; attacks were politically motivated in response to the UK’s support for Ukraine 

Misconfigured Systems and Insider Threats 

Misconfiguration of systems can lead to public access to sensitive data due to poor configuration of databases or file-sharing platforms. When systems are not configured properly, it may be possible for individuals who should not have access to this data to reach it. Similarly, an insider threat is where unintentional staff errors or malicious actors (such as disgruntled employees) leak or share sensitive information or access.  

Supply Chain Attacks 

A supply chain attack is when an organization is targeted because of their position in the supply chain to another organization. This is usually because the targeted organization has less security and is an easier target – but can lead to information and data from other organizations in the chain being exposed.  

Real World Incident:  

  • Incident: Cyberattack on Locata, a housing service provider. 
  • Impact: Disruption of housing services for Manchester, Salford, and Bolton councils; users received phishing emails attempting to harvest personal information 

Phishing & Spear Phishing 

Phishing attacks are when emails or other communications are sent to an individual in order to gain information. They can either “trick” individuals into sharing information they shouldn’t, usually by posing as someone in the organization, or contain malicious links which people inadvertently click on, allowing hackers to gain access to networks.  

Council members and staff are often targeted in these types of attacks. In February 2025 Hammersmith and Fulham Council reported that they face around 20,000 attempted cyber-attacks a day, and that the majority of these consist of phishing attempts. 

Local authorities have become a popular target for cyber criminals in recent years, thanks to the large amount of valuable personal data they hold, often-outdated IT systems, and comparatively poor cybersecurity budgets. Councils need to take more proactive measures to combat the increasing threat. Some of the actions that can be taken: 

  • Adopting advanced threat detection systems and regular security assessments. 
  • Conducting cybersecurity awareness programs for staff to prevent phishing and other social engineering attacks. 
  • Developing and regularly updating incident response plans to swiftly address breaches. 
  • Working closely with national bodies to share intelligence and best practices. The NCSC is the point of contact for cyber incidents in the UK. 

Curious to learn more? Contact us.

Q2 2025: Product Updates and Highlights

July 17, 2025

Welcome to our Q2 roundup! This quarter, the DarkOwl Product Team doubled down on customer feedback, delivering powerful enhancements across Vision UI and API. From streamlined workflows to smarter site identification, here’s what’s new.

Case Findings: Faster, Smarter, More Visual 

We’ve reimagined how users create and manage Findings in Vision UI.

  • Inline Annotation Workflow: Now you can label, snippet, and note your Findings directly from the Search Result or Alert—all without leaving your spot. 
  • Summary View: A new visual dashboard gives you a quick snapshot of your Case’s Findings activity and attributes. 
  • Customer-Driven Enhancements: 
    • Hyperlinks on the Case landing page for faster navigation 
    • Improved data handling when converting Alerts to Findings 

Site Names and Aliases: Identification at a Glance

We’ve made it easier to identify and filter to website sources across our platform. 

  • Enhanced Display: Site names now appear directly on Search Results and Alerts in Vision UI. 
  • Lexicon Boost: Known aliases are now searchable, improving discoverability. 
  • New API Features: Provide contextual information and targeted filtering options. 

In Search API, a new siteId response field is now returned for identified websites in the DarkOwl Vision dataset. The siteId query parameter is a new option in Search API to filter to a particular site of interest, without having to know specific source domains or mirrors.   

Additionally, to provide greater feature compatibility between Vision UI and API, we have launched two new endpoints within Context API: Site Context API and Site Summary API. Site Context provides supplemental information about named websites (sites) that have been identified in our dataset, and Site Summary provides programmatic access to the Vision UI Lexicon features.  

Curious to learn more? Contact us.  

Universal Phone Number Builder 

To better support our entire client base, the team removed the US-specific Phone Number builder in favor of a Universal Phone Number Query Builder. This new template allows you to enter in all the sections of a phone number – country code, area code, and local number – and then automatically structures the query for you.  

Report Downloads in Word 

Entity Explore and DARKINT Score Reports in Vision UI can now be downloaded in either PDF or Microsoft Word formats. With Word format, customers can then use the text with their own logos, branding, or other enrichment! 

Highlights 

Quarter after quarter, our data collection team continues to astonish us with the quantity of data made available across DarkOwl products.  

The team had astounding growth of 38% in data leak records. To break it down, the team had 16% growth in email addresses, 7% growth in credit card numbers, 12% increase in total collected ZeroNet documents, 3% growth in cryptocurrency addresses, 23% growth in total collected paste documents, and another 14% growth in total collected records from Telegram – just to highlight a few.  

When your search results are from data leaks, users can review additional information curated by DarkOwl analysts, giving you enrichment on the data leak. The descriptions below are all available in our Leak Explore UI feature, or Leak Context API endpoint. 

Orange.com and Orange.ro

Data purported to be from Orange was posted on BreachForums, a hacking forum, on February 25, 2025. According to the post, Orange experienced a significant data breach following their refusal to pay a ransom demanded by the threat actor, Rey. Data exposed includes customer records, source codes, internal documents, invoices, contracts, project details, tickets, user data, employee data, messages, credit card information, personally identifiable information (PII), and call logs.

The breach, primarily affecting Orange Romania but also impacting global divisions, resulted in the exposure of over 600,000 customer records, including 380,000 unique email addresses. Additionally, sensitive data such as source code, internal documents, financial records, project details, employee information, and confidential project plans were compromised.

According to media reports, the threat actor, who is a member of the HellCat ransomware group, claimed to have exfiltrated approximately 6.5GB of data, consisting of nearly 12,000 files, by exploiting stolen credentials and vulnerabilities within Orange’s Jira and internal portals.

4chan

Data purported to be from 4chan was posted on Chicken Tikka Masala in /pol/ AnarchyLost edition, a Telegram Channel, on April 14, 2025. Data exposed includes email addresses, IP addresses, usernames, ident protocols, IRC chat messages and message board posts. Additionally, source code for the 4chan board was released. Review of the content indicates the leak contains private conversation of the janitors and moderators on the 4chan IRC channel and /j/ 4chan message board. According to media reports, the hack is suspected to have been carried out by individuals associated with the “Soyjak.party” community, who allegedly exploited vulnerabilities in outdated PHP code to gain access.

Lockbit Hack

On May 7, 2025, an unknown hacker defaced the LockBit ransomware group’s data leak site with the message “Don’t do crime CRIME IS BAD xoxo from Prague”, which linked to a file hosted on the LockBit domain. Data exposed is a MySQL database dump of LockBit’s affiliate data containing bitcoin addresses, internal chats, build configurations and a users table. According to cybersecurity researchers, the SQL database is from the site’s affiliate panels and contains data timestamped from December 2024 through April 2025. The data includes 59,975 unique bitcoin addresses, a builds table with public keys and victim names, build configurations and 4,442 negotiation messages from their chats. Additionally, 75 admin credentials were exposed, with some plaintext passwords for the affiliate panel. LockBit claimed a hacker bypassed the authentication process for their automatic registration portal. The ransomware group asserted that while the database was compromised, no decryption tools or sensitive victim company data were accessed. LockBit also offered a reward for information leading to the identification of the hacker responsible for the breach.

interpol.int

Data purported to be from INTERPOL was posted on DarkForums, a hacking forum, on May 2, 2025. According to the post, the threat actor converted the original SQL file into JSON format, to make the content easier to read. Data exposed includes email addresses, names, physical addresses, phone numbers, and IP addresses. The dataset includes references to hash types such as MD5 and SHA512, suggesting the potential presence of password hashes. However, at this time, it cannot be confirmed whether these values represent actual passwords, nor whether they are definitively linked to the associated email addresses or usernames.

Russian Medical Center 1.1M

Data purported to be from Russian Center of Aviation Medicine (TsAM) was posted on DarkForums, a hacking forum, on May 9, 2025. According to the post, the data was breached on April 4, 2025 and contains 1.1 million person records on aviation-related health screenings, pilot certification, and aerospace medical research. Data exposed includes medical records, names, dates of birth, genders, ethnicity, national ID numbers, passport numbers, tax identification numbers, physical addresses, email addresses, phone numbers, user identification number (UID), patient data, occupation, and cause of death. SNILS (СНИЛС in Cyrillic) stands for Individual Insurance Account Number in Russia. It’s a unique number issued and used by the Pension Fund of the Russian Federation to track residents’ social security accounts. The SNILS number consists of 9 unique digits that identify the individual, followed by 2 final digits that act as a checksum for validation.


Curious how these features and data can make your job easier? Get in touch!

What is Data Harvesting?

July 08, 2025

Cybersecurity might as well have its own language. There are so many acronyms, terms, sayings that cybersecurity professionals and threat actors both use that unless you are deeply knowledgeable, have experience in the security field or have a keen interest, one may not know. Understanding what these acronyms and terms mean is the first step to developing a thorough understanding of cybersecurity and in turn better protecting yourself, clients, and employees.

In this blog series, we aim to explain and simplify some of the most commonly used terms. Previously, we have covered bullet proof hosting, CVEs, APIs, brute force attacks, zero-day exploits, and doxing. In this edition, we dive into data harvesting.

Data harvesting refers to the automated collection of data from digital sources, such as websites, apps, APIs, databases, or public records, with the goal of drawing inferences. It’s often accomplished using tools like web scrapers, crawlers, or specialized software. There are legitimate reasons for data harvesting as well as nefarious purposes. We will dive into both.

The What and How

Data harvested without consent is typically sourced from data breaches, phishing scams or malware. It can include personal information, login credentials, credit card numbers, location data, social data (such as likes, posts and connections), behavioral data (such as browsing history and habits), or medical records.

Data harvesting is carried out through various methods, each with different levels of transparency and legality. One of the most common tools is cookies and trackers, which are embedded in websites to monitor user behavior, such as browsing patterns, clicks, and time spent on pages. APIs and scrapers are also widely used to systematically extract data from online platforms, often automating the collection of vast amounts of information in a short time. Apps and connected devices can harvest data through user-granted permissions—or sometimes through hidden scripts—gathering information like contacts, location, and device usage. More maliciously, phishing campaigns and malware can deceive users into giving up sensitive information or infect their systems to extract data covertly, posing significant security and privacy risks.
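From the defender's side, the scrapers and API harvesters described above leave a recognisable footprint in web server logs: one client fetching a large number of distinct pages at machine speed. The following added example (not DarkOwl code and not from the original article) parses constructed Combined-Log-Format access log lines and flags clients that exceed a request threshold inside a sliding time window while mostly hitting distinct paths. The thresholds, client addresses, user agents and paths are all assumptions chosen for the demonstration; a health-check client that hammers one URL is included to show why the distinct-path ratio matters.

```python
"""Flag likely automated harvesting in web access logs.

Added example for this article, not DarkOwl code. Log lines, addresses,
user agents and thresholds are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined Log Format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return a dict for a well-formed line, or None for anything unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_harvesters(lines, window_s=60, min_requests=30, min_distinct_ratio=0.8):
    """Return {ip: summary} for clients that made >= min_requests within any
    window_s-second window where >= min_distinct_ratio of them hit distinct paths."""
    per_ip = defaultdict(list)
    for rec in map(parse_line, lines):
        if rec:
            per_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):                     # sliding window over sorted hits
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_s:
                start += 1
            window = recs[start:end + 1]
            distinct = len({r["path"] for r in window})
            if len(window) >= min_requests and distinct / len(window) >= min_distinct_ratio:
                flagged[ip] = {"requests": len(window), "distinct_paths": distinct,
                               "user_agents": sorted({r["ua"] for r in window})}
                break
    return flagged

def clf(ip, ts, path, ua, status=200):
    """Render one constructed Combined-Log-Format line."""
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S +0000")
    return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'

def make_sample_lines():
    """Constructed traffic: one scraper, one human, one monitoring probe, one bad line."""
    t0 = datetime(2025, 7, 1, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    # Scraper (constructed, TEST-NET-3): 60 distinct profile pages in 30 seconds.
    for i in range(60):
        lines.append(clf("203.0.113.77", t0 + timedelta(seconds=i * 0.5),
                         f"/profiles/{i}", "python-requests/2.32"))
    # Human (constructed, TEST-NET-2): a few pages a minute apart.
    for i, path in enumerate(["/", "/login", "/profiles/3", "/profiles/3", "/logout"]):
        lines.append(clf("198.51.100.8", t0 + timedelta(seconds=60 * i), path, "Mozilla/5.0"))
    # Monitoring probe (constructed): high volume but a single path, must not be flagged.
    for i in range(100):
        lines.append(clf("192.0.2.9", t0 + timedelta(seconds=i * 0.3), "/health", "uptime-check/1.0"))
    lines.append("garbage that is not a log line")
    return lines

if __name__ == "__main__":
    for ip, info in find_harvesters(make_sample_lines()).items():
        print(ip, info)
```

The distinct-path ratio is what separates a crawler enumerating `/profiles/N` from a cache warmer or uptime probe; rate alone would flag both. In practice the same logic runs continuously at the WAF or CDN edge rather than as a batch script, and the thresholds are tuned per site.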

  • Marketing and Advertising: Businesses use it to understand consumer behavior, market trends, competitor pricing, and product performance. Companies use this harvested data to build detailed consumer profiles and deliver targeted ads. By understanding your interests, habits, and demographics, advertisers can increase the chances of clicks and sales.
  • Lead Generation: Collecting contact information for sales and marketing outreach.
  • Research: Academics and researchers use it to gather data for studies in various fields, such as social science, economics, and healthcare. AI Training is another upcoming field – large datasets are fed into AI models for training. This includes data scraped from the web (like text, images, or behavior patterns) to build chatbots, recommendation engines, and facial recognition systems.
  • Content Aggregation: Collecting content from multiple sources to create news aggregators or comparison websites.
  • Improving User Experience: Understanding user preferences and behavior to enhance websites and applications. Organizations analyze the data to uncover trends, improve services, forecast demand, or enhance customer experience. For example, a retailer might use browsing and purchase data to optimize inventory or personalize recommendations.
  • Data Brokerage: Data brokers collect and aggregate data from many sources, then sell it to third parties—like marketers, insurers, employers, or political campaigns.
  • Identity Theft and Fraud: Harvesting personal information (names, addresses, email, payment details) to commit identity theft or fraudulent activities.
  • Spam: Collecting email addresses for mass unsolicited emails.
  • Intellectual Property Theft: Scraping proprietary content, product designs, or strategic plans from competitors.
  • Data Breaches: If harvested data is not adequately secured, it can be vulnerable to breaches, exposing sensitive information.

Harvested data is often sold on darknet marketplaces. Once the data is harvested by “harvesters,” they will often dump it on the darknet and offer it for sale across different marketplaces, usually for financial gain. Collected data could be used for blackmail, doxing or stalking. Data collected by political extremists or activist groups may be used for targeted attacks and campaigns.

To the left we see an example of a combolist (a list of email addresses and password combinations that may be used in a brute force attempt or credential stuffing operations to gain unauthorized access to servers and services) that was leaked and posted on a darknet site. Databases from data harvesting will often include usernames and passwords, fullz (full identity profiles), financial records or health records. These are all often highly confidential or sensitive and can cause a lot of harm and headache when posted without consent.
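When a combolist like the one pictured surfaces, the question a defender needs answered quickly is which of the organization's own accounts appear in it, and whether the leaked password is still the current one. The following added example (not DarkOwl code and not from the original article) parses a constructed combolist in the usual `email:password` layout, keeps only accounts under an assumed organization domain, and compares each leaked password against a constructed local store of salted PBKDF2 hashes, so the check never needs the organization's real plaintext passwords. The domain, accounts, passwords and dump contents are all made up for the demonstration.

```python
"""Check a leaked combolist against an organization's own accounts.

Added example for this article, not DarkOwl code. The domain, the
combolist lines and the password store are all constructed.
"""
import hashlib
import hmac
import os

ORG_DOMAIN = "example-council.test"          # assumed organization domain

# Constructed dump in the common email:password layout, with the usual noise.
SAMPLE_COMBOLIST = """\
# leaked 2025-06 (constructed sample)
alice@example-council.test:Summer2024!
bob@example-council.test:P@ssw0rd
carol@other.example:letmein
malformed line without separator
dave@Example-Council.test:Summer2024!
"""

def parse_combolist(text):
    """Yield (email, password) pairs; skip comments, blanks and malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        email, _, password = line.partition(":")   # password may itself contain ':'
        if "@" not in email:
            continue
        yield email.lower(), password

def derive(password, salt):
    """Salted PBKDF2-HMAC-SHA256; the same derivation the store was built with."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def make_store(credentials):
    """Constructed stand-in for the directory's password store: email -> (salt, hash)."""
    store = {}
    for email, password in credentials.items():
        salt = os.urandom(16)
        store[email.lower()] = (salt, derive(password, salt))
    return store

def check_exposure(combolist_text, store, org_domain):
    """Return {email: status} for every org account found in the dump.

    'current'  - the leaked password still verifies: force a reset now
    'stale'    - the account is ours but the password has since changed
    'unknown-account' - our domain, but no such account in the store
    """
    results = {}
    for email, leaked_pw in parse_combolist(combolist_text):
        if not email.endswith("@" + org_domain):
            continue
        if email not in store:
            results[email] = "unknown-account"
            continue
        salt, stored = store[email]
        if hmac.compare_digest(derive(leaked_pw, salt), stored):
            results[email] = "current"
        else:
            results[email] = "stale"
    return results

if __name__ == "__main__":
    # Constructed current passwords: alice has rotated hers, bob has not.
    store = make_store({"alice@example-council.test": "Autumn2025!",
                        "bob@example-council.test": "P@ssw0rd"})
    for email, status in check_exposure(SAMPLE_COMBOLIST, store, ORG_DOMAIN).items():
        print(f"{email}: {status}")
```

Accounts reported as `current` are the urgent ones: the credential works today, and credential stuffing tools will try it. `stale` hits still deserve a look because a reused pattern (`Summer2024!` becoming `Autumn2025!`) is easy to guess from the leak; `unknown-account` entries often point at former staff or shadow accounts the directory no longer tracks.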

The darknet is a layer of the internet that was designed specifically for anonymity. It is more difficult to access than the surface web, and is accessible only via special tools and software, specifically browsers and other protocols. You cannot access the darknet by simply typing a dark web address into your web browser. There are also darknet-adjacent networks, such as instant messaging platforms like Telegram, the deep web, and some high-risk surface websites. Because of the anonymous nature of the darknet, data harvesters are able to go undetected, monetize data without revealing their identity, and collaborate with others on the darknet.

The darknet site, Doxbin, facilitates doxing by allowing users to upload text-based content related to individuals. The site claims to restrict content that is spam, child explicit material (CSAM), or violates the hosting country’s jurisdictional laws. However, in practice, there is minimal moderation, and information is often shared with the intent to target individuals.

The exposure of PII on Doxbin can lead to severe consequences for victims, including harassment, identity theft, and threats to personal safety. Victims may also be subjected to harassment through prank calls, spam emails, and cyberbullying on social media.

DarkOwl data harvesting involves collecting information from the darknet, deep web, and high-risk surface web to provide intelligence to their customers. This data is used to identify threat actors, monitor cyber breaches, analyze darknet trends, and more. DarkOwl’s data collection process includes automated AI and manual analysis, with the goal of delivering high-quality, relevant, and timely intelligence. 

What DarkOwl Collects

  • Darknet Data: The darknet is a layer of the Internet that cannot be accessed by traditional browsers and often requires specialized technology (proxies) – as well as a certain level of technical sophistication – to access. While the darknet is comprised of various darknets, Tor (or The Onion Router) is by far the most common. In addition to Tor, DarkOwl also scrapes content from peer-to-peer networks like I2P and Zeronet.
  • Deep Web Data: The deep web is technically part of the surface web and can be best described as any content on a surface-web site that is not indexed or searchable via traditional search engines. This includes surface web paste sites and websites that we discovered via authenticated means, e.g. surface-level websites that require user registration and/or a login to access meaningful information from the site. DarkOwl has hundreds of ‘deep web’ sites, including marketplaces and forums, from which a mixture of authenticated and manual crawlers obtain information.
  • High-Risk Surface Web: Surface web content consists of anything on the “regular” internet that is public facing with a surface web top-level domain (TLD) and could be organically crawled/scraped by Google. This includes the landing pages and/or preview content for forums that DarkOwl also has curated deep web access to (i.e., registrations and authentication).
  • Chat Platforms: Chat platforms are any website (be it on the deep web or darknet), app, or service whose primary purpose is instant messaging. This includes message exchanges between individual users or groups of users who interact in topic-based channels and groups. Some chats are collected from Tor services that are enabled with real-time anonymous chat features, others from specialized instant messaging or proprietary protocols like IRC and Telegram.
  • Breach Content: Data breaches are aggregate data files of information obtained without the owners’ consent. This can consist of commercial data leaks by threat actors (TAs) either after discovery of a non-secured database or misconfigured server, or by targeted malicious cybersecurity incident (direct breach). Such leaks include internal sensitive email records, usernames and passwords, personally identifiable information (PII), financial records, and more. Data breaches are often sold for profit on the darknet, although they are sometimes posted and leveraged by criminal actors for means other than financial gain or in the fallout of cyber warfare between nation-state sponsored cyber powers and hacktivists.
  • Other Sources: DarkOwl also has limited documents in its Vision database collected from misconfigured FTP and alternative DNS servers, as well as open public S3 buckets. Collection from these sources is less real-time and intentional as the other data sources described above.

How DarkOwl Collects Data

  • Automated AI: Automated tools and AI-powered engines collect and process data in near real-time.
  • Manual Analysis: Human analysts augment automated collection, ensuring the quality and relevance of the data.

How DarkOwl Processes and Structures Data

  • Unstructured Data: DarkOwl collects data in its original, raw-text format. 
  • Data Cleaning and Storage: Collected data is processed, cleaned, and stored in a secure environment. 
  • Entity Extraction: DarkOwl identifies and extracts entities like email addresses, Social Security numbers, and cryptocurrencies. 
  • Metadata and Context: Included metadata and source content provide context and allow users to quickly identify important data. 
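As an added illustration of what the entity-extraction and metadata steps above mean in practice (example code written for this page, not DarkOwl's own pipeline), the block below pulls email addresses, Social Security numbers and Bitcoin addresses out of a constructed fragment of raw leak text, discards values that cannot be genuine (SSN ranges the SSA never issues, addresses with a bad Base58Check checksum), and tags every hit with the source metadata it came from. The sample text, the source metadata and the function names are all assumptions made for the example.

```python
import hashlib
import re
# Added illustration (not DarkOwl's code) of the entity-extraction step described above:
# pull emails, SSNs and Bitcoin addresses out of raw leak text, drop values that cannot
# be real, and tag each hit with the source metadata it came from.
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
BTC_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")  # legacy P2PKH "1..." / P2SH "3..."
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def ssn_is_plausible(area: str, group: str, serial: str) -> bool:
    """Reject ranges the SSA never issues (area 000/666/900+, group 00, serial 0000)."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)

def btc_checksum_ok(addr: str) -> bool:
    """Base58Check: last 4 bytes must equal SHA256(SHA256(version + hash160))[:4]."""
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)
    zero_bytes = len(addr) - len(addr.lstrip("1"))  # each leading "1" encodes a 0x00 byte
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    raw = b"\x00" * zero_bytes + body
    if len(raw) != 25:  # 1 version byte + 20-byte hash + 4-byte checksum
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()
    return digest[:4] == raw[-4:]

def extract_entities(text: str, source: dict) -> list:
    """One record per validated entity, carrying type, value and the source metadata."""
    found = []
    for m in EMAIL_RE.finditer(text):
        found.append({"type": "email", "value": m.group().lower(), **source})
    for m in SSN_RE.finditer(text):
        if ssn_is_plausible(*m.groups()):
            found.append({"type": "ssn", "value": m.group(), **source})
    for m in BTC_RE.finditer(text):
        if btc_checksum_ok(m.group()):
            found.append({"type": "btc_address", "value": m.group(), **source})
    return found

# Constructed raw leak text: first address is Bitcoin's genesis address (valid); second has a changed last char.
SAMPLE_TEXT = """\
[dump] user: jdoe@example.com pass: hunter2
ssn: 123-45-6789 (client record)
ssn: 000-12-3456 (never issued, dropped)
pay to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa or 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb
contact: admin@leaksite.onion
"""
SAMPLE_SOURCE = {"source": "darknet forum post (constructed)", "collected_at": "2025-06-01T00:00:00Z"}
```

Running `extract_entities(SAMPLE_TEXT, SAMPLE_SOURCE)` yields four records: two emails, one SSN and one Bitcoin address, each carrying the source fields; the never-issued SSN and the checksum-failing address are dropped.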

Why DarkOwl’s Data is Valuable

  • Threat Intelligence: DarkOwl’s data can help organizations identify and understand emerging threats, including cyber breaches, ransomware attacks, and fraud. 
  • OSINT Investigations: Darknet data is a vital part of OSINT (open-source intelligence) investigations to gather insights into specific individuals or groups, including their usernames, aliases, and online activity. 
  • Digital Risk Assessment: DarkOwl’s data can help organizations assess their digital risk posture and identify vulnerabilities by seeing what information concerning them is available on the darknet.

  1. Use privacy browsers and ad blockers
  2. Regularly clear cookies and cache
  3. Limit app permissions
  4. Use strong, unique passwords and do not repeat password use
  5. Use a password manager
  6. Enable 2 factor authentication
  7. Be cautious of phishing attempts


Threat Intelligence RoundUp: June

July 01, 2025

Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of what was the most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. Police arrests 20 suspects for distributing child sexual abuse content – Bleeping Computer

In a June 6 press release, INTERPOL announced the arrest of 20 suspects involved in the production and distribution of child sexual abuse material (CSAM). The international operation was led by the Spanish National Police, which initiated the investigation in late 2024 when it discovered several instant messaging groups dedicated to the circulation of CSAM. Seven of the identified suspects were arrested by Spanish authorities, 10 were arrested across seven Latin American countries, and “the remaining suspects were arrested elsewhere in Europe and the United States.” Read full article.

2. Police seizes Archetyp Market drug marketplace, arrests admin – Bleeping Computer

In a June 16 press release, Europol announced the disruption of the infamous darknet marketplace Archetyp Market in an international operation dubbed “Operation Deep Sentinel.” According to the statement, Germany, the Netherlands, Romania, Spain, and Sweden participated in a series of coordinated actions between June 11 and 13 “targeting the platform’s administrator, moderators, key vendors, and technical infrastructure.” The site’s suspected administrator—a 30-year-old German national—was also arrested in Barcelona. Article here.

Researchers have identified social engineering attacks carried out by the hacking group FIN6 (also known as Skeleton Spider) targeting recruiters by posing as job seekers. In 2019, the cybercrime group initially known for financial fraud expanded its operations to include ransomware attacks. Since then, the group has increasingly focused on social engineering campaigns. Its most recent campaigns have been used to deliver the JavaScript-based backdoor “more eggs,” which “facilitates credential theft, system access, and follow-on attacks, including ransomware deployment.” Read more here.

Researchers at Google Threat Intelligence Group (GTIG) have observed a suspected Russian state-sponsored threat actor impersonating U.S. Department of State officials. From April through June 2025, the threat actor has targeted “prominent academics and critics of Russia, often using extensive rapport building and tailored lures to convince the target to set up application specific passwords (ASPs).” After setting up the ASPs, the victims were instructed to share the ASP passcodes, thereby providing the threat actors with access to their emails. Read here.

5. New PathWiper Data Wiper Malware Disrupts Ukrainian Critical Infrastructure in 2025 Attack – The Hacker News

Researchers at Cisco Talos have observed a newly identified data wiper malware dubbed “PathWiper” targeting a critical infrastructure entity in Ukraine. According to the report, “the attack was instrumented via a legitimate endpoint administration framework,” suggesting that the attackers had access to the administrative console “that was then used to issue malicious commands and deploy PathWiper across connected endpoints.” Based on the observed tactics, techniques, and procedures (TTPs), it is assessed with high confidence that the attack was carried out by a Russia-nexus advanced persistent threat (APT) actor. Learn more.

6. Hackers switch to targeting U.S. insurance companies – Bleeping Computer

Researchers at Google Threat Intelligence Group (GTIG) have warned of hackers targeting insurance companies based in the U.S. GTIG is aware of multiple breaches impacting American companies “which bear all the hallmarks of Scattered Spider activity.” As highlighted by BleepingComputer, Scattered Spider is known for its sector-by-sector focus; the recent targeting of insurance companies signals that “the insurance industry should be on high alert.” Prior to the recent insurance industry breaches, Scattered Spider was observed targeting retail organizations in both the U.K. and U.S. Read full article.

7. Iranian man pleads guilty in US to 2019 Baltimore ransomware attack – Reuters

An Iranian national pled guilty to participating in ransomware attacks using the RobbinHood variant between 2019 and 2024. Sina Gholinejad, 37, was arrested in January 2025 at Raleigh-Durham International Airport. In a statement, the DOJ said that one of the attacks, against the city of Baltimore, “cost the city more than $19 million from damage to computer networks and disruptions to city services including the processing of property taxes, water bills, parking citations and other revenue-generating functions lasting many months.” Read full article.

8. BidenCash carding market domains seized in international operation – Bleeping Computer

On June 4, the U.S. Department of Justice (DOJ) announced the seizure of “approximately 145 darknet and traditional internet domains, and cryptocurrency funds associated with the BidenCash marketplace.” As highlighted by BleepingComputer, the domains were seized as part of an operation led by the United States Secret Service (USSS) and the Federal Bureau of Investigation (FBI), with support from the Dutch National Police. The marketplace’s domain currently redirects to a U.S. law enforcement-controlled server. Learn more.


Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.

Copyright © 2024 DarkOwl, LLC All rights reserved.
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.