Digital Shadows has been researching the cybercriminal response to the COVID-19 outbreak sweeping across the globe. We’ve been monitoring several dark web forums, looking for answers to questions including whether discussions of COVID-19 are as popular on the dark web as they are on the clear web and how in general cybercriminals are discussing COVID-19.
In summary, while we’ve seen cybercriminals attempting to capitalize on fear and uncertainty surrounding the COVID-19 pandemic, we’ve also observed some atypical discussions from users including:
- Discouraging other users from profiting off the pandemic
- Expressing solidarity with countries affected (particularly Italy)
- Providing health and safety information
The ongoing COVID-19 (aka coronavirus) pandemic has dominated the media over the past few weeks. Voluntary self-isolation and government-mandated restrictions of movement have significantly impacted the lives of millions. Over the past few weeks, cybercriminals have been attempting to capitalize on fear and uncertainty surrounding the COVID-19 pandemic by conducting phishing, selling fraudulent medical equipment, and spreading misinformation.
In January, we published a blog discussing how the dark web mirrors our everyday lives. While that now seems like forever ago, we decided to revisit this concept in the current climate with these questions in mind: Are discussions of COVID-19 as popular on the dark web as they are on the clear web? How are cybercriminals discussing COVID-19?
COVID-19 interest on the clear web vs. dark web
Google Trends analyzes the popularity of top search queries on Google Search and compares the volume of those queries over time across different regions. We chose a simple query of the search term “coronavirus” across all regions worldwide over the past 90 days.
But how does this compare to the dark web?
Unfortunately, there is no centralized search engine on the scale of Google that covers .onion domains. Instead, we used Digital Shadows’ Shadow Search to look for mentions of “COVID-19” OR “coronavirus” across dark web sources over the past 90 days.
(If you want to try this yourself, sign up for free 7 day access to our tool here.)
In the chart below, the purple line is the data from Google Trends, and the teal line is the dark web data from Shadow Search.
COVID-19 interest on the clear web vs. dark web
(Teal: Dark web results via Shadow Search; Purple: Clear web via Google Trends)
From this data, discussions of COVID-19 on the dark web have followed a very similar path to search queries on the clear web. In the past month alone, there has been a 738% increase in the number of COVID-19-related terms on dark web sources. This aligns with the spike in Google searches beginning around February 19.
It’s important to note that the Y-axis does not represent the total number of searches. Instead, as Google notes, these numbers represent search interest relative to the highest point on the chart for the given region and time. A value of 100 is the peak popularity of the search query, a value of 50 means that the query is half as popular, and a value of 0 means that there was not enough data available. The data pulled from Shadow Search consists of individual mentions of COVID-19-related terms and has been added over the Google Trends axes.
Another caveat is that dark web ≠ cybercriminality. While there are several examples of overt criminal activity, as discussed in our previous blog on COVID-19, not all mentions of COVID-19 on dark web sources are criminal. For example, some of these are likely from the dark web mirrors of legitimate social media and news sites.
COVID-19 article on The New York Times dark web mirror
This trend should not come as a surprise to anyone. It is expected that the popularity of searches for “coronavirus” will increase with media coverage and as governments address the pandemic.
COVID-19 discussions on cybercriminal forums
So what do some of the discussions about COVID-19 on cybercriminal forums look like? Similarly to how it has affected search popularity on the clear web, the COVID-19 pandemic has impacted the direction of discussions on the cybercriminal landscape, resulting in users creating posts off-topic to typical forum discussions.
On Torum, a popular English-language dark web cybercriminal forum, several users have taken to the forum to provide their perspectives on how the COVID-19 pandemic has affected them. One user, “L-47”, only recently joined the forum, seemingly with the express intent to provide first-hand information on the impact of the virus in Spain and Germany:
Another user appeared concerned about the supposed lack of activity from forum members.
On BlackHatWorld, an ethically-questionable clear web forum, users created similar posts recapping the current situation.
Likewise, on forums dedicated to the trade and sale of stolen accounts like Cracking King and Cracking Soul, users have created off-topic posts expressing solidarity for the situation in Italy, warning fellow forum members to take extra care of at-risk and elderly family members.
Unfortunately, there are still individuals that are overtly seeking to take advantage of the current situation for profit (See our blog How cybercriminals are taking advantage of COVID-19: Scams, fraud, and misinformation. But, in a seemingly atypical move for a cybercriminal forum, these attempts are not always well-received. For example, one user took to Torum to ask for advice on how best to take advantage of COVID-19, only to receive responses pleading them not to profit off the pandemic.
As we’ve seen time and time again, cybercriminals will find ways to take advantage of people’s fears and uncertainties in the wake of major disasters and emergencies. However, the gravity of the COVID-19 pandemic has shown some benevolent reasoning has emerged on some platforms that are typically used for crime: Users urging others to avoid taking advantage of an already dire situation.
To get instant search of dark web pages, criminal forums, threat feeds, and more + 200 threat intelligence profiles of actors, tools, and campaigns, sign up for our free 7 day Test Drive of SearchLight.