March 26, 2024
Gaining access to dark web and deep web sources can be extremely powerful, if you focus on relevant use cases. The most successful strategies we observe have clear requirements, such as fraud detection, threat monitoring, and finding exposed credentials.
However, monitoring these sources is challenging, and few solutions have sophisticated coverage. “Deep and dark web” spans a huge range of potential sources: marketplaces, closed forums, messaging apps, and paste sites. Few companies cover all of these sources; fewer still have capabilities that go beyond simple scraping of sites.
Unfortunately, there is a lot of fear, uncertainty, and doubt (FUD) concerning the dark web. Iceberg analogies have been common for several years, ostensibly demonstrating that the deep and dark web are significantly larger than the open web. In truth, the dark web accounts for only a small chunk of cybercrime, so we must consider additional sources to get a truer sense of the threat landscape.
The dark web is an area of the internet that is only accessible with specific browser software, such as Tor or I2P. It is a web of anonymity where users’ identities and locations are protected by encryption technology that routes user data through many servers across the globe – making it extremely difficult to track users.
The anonymity of the dark web makes it an attractive technology for illegal purposes. Unfortunately, gaining visibility into criminal locations is difficult: it requires specialized knowledge, access to closed sources, and technology that’s capable of monitoring these sources for misuses of your data.
However, let’s first dispel some misconceptions about the dark web.
Differences between the surface, deep, and dark web
Just because the deep web isn’t indexed by traditional search engines does not mean it is necessarily interesting. Most of the data on the deep web is mundane or “normal”: email accounts or Facebook profiles fall under this definition because they require a login to view the content. While some deep and dark web sites are valuable sources, you need to know what you’re looking for; otherwise it’s easy to waste time and resources.
In July of 2017, United States and Dutch law enforcement launched Operation Bayonet where they seized and disabled two of the most prominent dark web marketplaces, AlphaBay and Hansa. United States Attorney General Jeff Sessions described the operation as:
“One of the most important criminal investigations of the year…because of this operation, the American people are safer – safer from the threat of identity fraud and malware, and safer from deadly drugs.”
Before Operation Bayonet, English-speaking cybercriminal activity mainly took place on dark web marketplaces such as AlphaBay and Hansa, where hundreds of thousands of vendors and buyers conducted an estimated $1 billion or more in illegal trade.
Law enforcement action didn’t stop there – on May 7, 2019 an internationally coordinated operation led to the takedowns of two more dark web marketplaces, Wall Street Marketplace and Valhalla Marketplace (Silkkitie). In the same operation, law enforcement simultaneously disabled one popular dark web news source and review page, DeepDotWeb. DeepDotWeb did not sell contraband; instead, administrators profited from promoting criminal sites and marketplaces through affiliate links. Its recent seizure displayed law enforcement’s willingness to target more of the illegal trade network beyond the marketplaces – including promoters and launderers.
Notification of the Hansa and AlphaBay markets’ takedown
In our dark web research report, Seize and Desist: The State of Cybercrime in the Post-AlphaBay and Hansa Age, we explored the impact of these dark web marketplace seizures. While a large chunk of cybercrime (especially Russian-speaking) was largely undisrupted, a breach of trust occurred in dark web criminal trade. This breach of trust caused criminals to consider new ways for generating trust in the underground.
While dark web markets, such as Tochka and Empire, certainly still exist, no market has yet risen to the prominence of Silk Road, AlphaBay, or Hansa. New criminal marketplaces continue to crop up, but they struggle to grow or decide to tread lightly with the growing fears of law enforcement disruptions and takedowns. To grow, these criminal marketplaces need a solid reputation, financing to scale, security to maintain current users, and trust to gain more traction.
There are some interesting candidates, however. MarketMS (Market.ms) is run by the former administrator of the prestigious Exploit[.]in hacking forum, who now also leads the emerging XSS forum (formerly DamageLab), and it is an up-and-comer among dark web markets. Focused purely on cybercrime, MarketMS is near peerless.
MarketMS screencapture
Cybercriminals will not rely on just one site; instead they maintain a presence across many of these sources, ensuring their name is known to any potential buyer. The escrow services offered by marketplaces create an understandable incentive to trade on those particular platforms, but these new dark web markets exist alongside Telegram and Jabber, which are used to exchange proofs, negotiate deals, and agree on a final price.
Despite law enforcement action targeting dark web marketplaces, criminal activity continues apace. For example, Automated Vending Carts (AVCs) are criminal shops that trade payment cards, credentials, and accesses; their trade has been largely unaffected by the recent seizures (aside from the takedown of xDedic in January 2019). Joker’s Stash, a prominent AVC for purchasing stolen payment cards, continues to operate while also experimenting with new technologies like blockchain DNS.
Another AVC, Enigma market, is quickly gaining notoriety amongst cybercriminals as it has doubled its listings since February of 2019. The founder, a credential stuffing actor with the alias Stackz420, has recently been promoting his AVC across criminal forums and marketplaces and it’s been gaining traction. The AVC initially offered 11,000 hacked credentials and now lists around 20,000 and shows no signs of slowing. With an increased number of listings and a notorious administrator, this AVC is primed to grow in size and significance.
Read more on MarketMS taking the throne after AlphaBay and Hansa’s demise, how cybercriminals are using blockchain DNS to secure market sites, and our coverage of Enigma: the new AVC on the block.
Law enforcement is not the only force looking to disrupt the criminal community; their peers can be just as adversarial.
The Olympus Marketplace, an emerging dark web marketplace, ceased operations when its administrators reportedly conducted an exit scam, stealing user funds in the process. When AlphaBay and Hansa were seized, Olympus was a reputable, English-speaking marketplace that many expected to fill the void, but being the main marketplace comes with a hefty price: time, money, and the fear of getting caught loom large for vendors and administrators, who continually choose security over greed.
Dream Market, a main competitor of AlphaBay and Hansa, also ceased operations after repeated DDoS attacks. Attackers took over user accounts by exploiting the common password reuse among marketplace users. It is widely believed these account attacks were conducted by law enforcement; while the police did not gain full control of the site, breaching user accounts was enough to cause the administrators to abandon operations completely.
This fall of reputable marketplaces has exacerbated criminal-on-criminal fraud throughout the dark web. Cybercriminals build phishing clones of real dark web marketplaces to steal from other users looking to trade and profit from illicit goods. Since Tor addresses are longer and more random-looking than clear web domains, cybercriminals use typosquats, replacing “m” with “rn” or rearranging characters within the address, to phish and defraud other dark web users scanning through marketplace links.
Fraud actors who target other cybercriminals are known as “rippers.” Services have emerged within Russian-speaking communities to protect sites against them; Ripper[.]cc, for example, is a database of known rippers targeting marketplaces. It’s important to remember that cybercriminals do not act alone and need services that provide security and safety to their ecosystem.
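The typosquat patterns described above are mechanical enough to check for. The following is an added example (not code from the original post or from ReliaQuest) that folds the look-alike letter sequences an attacker substitutes and then measures edit distance, counting an adjacent character swap as one edit, against a list of known-good addresses. Every address in it is constructed for the example and is not a real onion service; the homoglyph table and the distance threshold are assumptions a team would tune to its own watchlist.

```python
import re

# Constructed examples only: none of these are real onion services.
KNOWN_GOOD = {
    "examplemarket2k5q.onion": "Example Market (constructed)",
    "vendorforumxv7wq.onion": "Vendor Forum (constructed)",
}

# Onion addresses are base32 (a-z, 2-7), so the confusables that matter are
# letter sequences that render alike in small or monospace fonts, not the
# 0/o or 1/l swaps seen in clear-web domains. Assumed table, longest first.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def normalize(address: str) -> str:
    """Lower-case, strip the .onion suffix and fold look-alike sequences."""
    host = address.strip().lower()
    if host.endswith(".onion"):
        host = host[: -len(".onion")]
    for lookalike, canonical in HOMOGLYPHS:
        host = host.replace(lookalike, canonical)
    return host


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus
    adjacent transposition, so a swapped pair of characters costs 1, not 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(candidate: str, known_good=KNOWN_GOOD, max_distance: int = 2):
    """Return (verdict, closest_known_address, distance).

    "exact"     - byte-for-byte one of the known addresses
    "lookalike" - collapses onto a known address after homoglyph folding, or
                  sits within max_distance edits/transpositions of one
    "unrelated" - nothing close enough to be a typosquat of our watchlist
    """
    cand_raw = candidate.strip().lower()
    cand_norm = normalize(candidate)
    best = ("unrelated", None, None)
    for good in known_good:
        if cand_raw == good.lower():
            return ("exact", good, 0)
        dist = osa_distance(cand_norm, normalize(good))
        if dist <= max_distance and (best[2] is None or dist < best[2]):
            best = ("lookalike", good, dist)
    return best


if __name__ == "__main__":
    for addr in ["examplemarket2k5q.onion",   # genuine
                 "exarnplemarket2k5q.onion",  # "rn" for "m"
                 "exampelmarket2k5q.onion",   # two characters swapped
                 "zzzzzzzzzzzzzzzzzz.onion"]:  # unrelated
        print(addr, "->", classify(addr))
```

Run against a feed of addresses harvested from forum posts or link lists, anything that comes back "lookalike" is a candidate phishing clone worth a closer look; the homoglyph fold catches the "rn"/"m" trick even though it is two characters away by plain edit distance.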
Read more on the Olympus Market fallout, dark web typosquatting (cybercriminals scamming each other), and reducing risk from “rippers”.
Ripper[.]cc is just one example of a broad ecosystem of cybercriminal support services that exist on the deep and dark web. The truth is that cybercriminals do not act alone – it is simply not feasible for them to do so. They are supported by a rich and developed range of support services, including money laundering, malware, and infrastructure.
Outsourcing their money laundering enables cybercriminals to process and generate financial profits. Services in this realm include e-currencies, exchangers, transfer specialists, and mules. AlphaBay had mixer (an online laundering service) included within the site, but nowadays cybercriminals and fraudsters may turn to external services to clean their money.
Cybercriminals also need malware to gain access. This includes its development and deployment, but also crypting services and exploit kits. Exploit kits peaked in 2016 and have declined in popularity since, but they are still used to deliver some types of malware; most recently, Nemty ransomware was delivered through the RIG exploit kit.
Finally, infrastructure is required to protect their operations. Typical services include bulletproof hosting, counter-AV services, and anonymity services. These are extremely popular because they reduce the risk of criminal sites being seized and allow cybercriminals to stay ahead of law enforcement. One of the main services criminals rely on is bulletproof hosting.
Bulletproof hosting is arguably more important than a Tor browser for conducting illegal trade online. Bulletproof hosting provides a protected internet structure for people or groups that is generally used for illicit purposes. This infrastructure is hosted on servers in countries where cyber-oversight is difficult and western law enforcement access is limited – enabling users to bypass internet content and service laws that restrict certain content and its distribution.
Some argue in favor of bulletproof hosting for civil rights as it promotes freedom of expression, press, anonymity, and privacy. In reality, these services are a vital aspect of cybercrime as they provide protection from law enforcement. We see two criminal sides of the bulletproof hosting operations – providers who supply bulletproof services and clients who buy their services to host illegal pages.
On the provider side, we see operators setting up bulletproof hosting on servers in countries like China, Russia, and former Soviet states. The world’s biggest bulletproof provider operates under the alias “Yalishanda”, meaning Alexander in Mandarin. Security officials have been able to establish his real identity and whereabouts but are unable to apprehend him because he resides in Russia.
On the client side, we see users buying or renting these servers from upstream providers anywhere in the world. Clients commonly use bulletproof hosting for criminal services such as phishing, malware, forums, and exposed credentials. For example, Magecart groups, which skim payment card data from compromised e-commerce checkout pages, have used servers in Ukraine to run their operations.
Bulletproof VPS viewed in ShadowSearch
Though difficult, law enforcement still seeks to target these bulletproof hosting providers. In a historical case, US law enforcement worked with Romanian law enforcement to arrest a man for his role in providing bulletproof hosting to the banking malware Gozi.
As displayed by this case, dark web takedowns extend beyond the headlines of criminal sites. Law enforcement perform tactical takedowns of counter antivirus sites, bulletproof hosting providers, and other services that are essential to the criminal ecosystem.
As the criminal ecosystem adapts to the strategies and tactics of law enforcement, criminals continue to find new and innovative ways to profit from their expertise, including teaching. Former fraudsters and credential traders have set up their own cybercrime courses where they teach others skills ranging from basic carding techniques, money laundering, and cash-out schemes to social engineering, botnet creation, and the use of exploits.
They post introductory lectures for free on messaging platforms like Telegram or Jabber, advertising their classes alongside specific dark web marketplaces and AVCs for trading. Aspiring cybercriminals can buy the full course for 75,000 rubles (about $1,100 USD), payable in bitcoin, which gives them access to many more courses, lectures, and resources, including tutors. This is a dangerous development for organizations and consumers, as amateur actors now have the resources and training to embark on a cybercriminal career.
Building an effective dark web monitoring capability is extremely difficult. It requires a knowledge of the criminal landscape, access to closed sources, and technology that is capable of monitoring those sources.
Source coverage is one of the hardest problems in dark web monitoring. You need to identify the Tor and I2P sites that are of interest and pose a threat, as well as the IRC and Telegram channels, criminal forums, and paste sites, many of which are not on the dark web at all.
There are several tools that provide visibility into the dark web. OnionScan, for example, helps researchers and investigators identify and track these sites.
However, visibility isn’t solely enough.
To efficiently monitor the dark web, you need to filter out the irrelevant sources that do not pose imminent threats to your business. With the remaining sources, depending on your threat model, you need to monitor and find the specific counterfeits, mentions of your assets, and exposed credentials. This can require intensive human labor or a technology that can automate the process.
Furthermore, to gain access to higher-value criminal forums, organizations may need additional expertise to understand the nuances of different languages, how to access certain locations, and launch investigation into finding your exposed data. Some sites even require specific tradecraft to enter, which can relate to IP, webmail service whitelisting/blacklisting, and other requirements. To do all of this requires a lot of effort, expertise, time, and money. If not done effectively, it can be difficult to derive value for your organization.
In our work with organizations, we find that there are three key use cases when we talk about dark web monitoring: tracking threat actors, detecting exposed credentials, and identifying fraud. Focusing on these makes dark web monitoring more time-efficient and more relevant to you.
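The filtering step described above, keeping only collected text that mentions your assets in a risky context and dropping cross-posted duplicates, is where most of the noise is removed. The following is an added example (not code from the original post or from ReliaQuest) of that triage logic run over a handful of posts. The watchlist, the risk vocabulary, the weights and threshold, and the sample posts are all constructed for the example; a real deployment would load them from the organization’s own asset inventory.

```python
import hashlib
import re

# Constructed watchlist for a hypothetical organization (not a real customer).
WATCHLIST = {
    "domain": ["acme-example.com"],
    "brand": ["Acme Widgets"],
    "vip": ["Jane Doe"],
}
ASSET_WEIGHT = {"domain": 3, "brand": 2, "vip": 2}

# Assumed vocabulary that turns a bare mention into something worth an
# analyst's time. A mention with none of these nearby stays low priority.
RISK_TERMS = ["access", "rdp", "vpn", "dump", "database", "credentials",
              "combo", "for sale", "selling", "leak", "fullz"]
CONTEXT_WINDOW = 120   # chars around an asset hit within which risk terms count
ALERT_THRESHOLD = 3


def _term_re(term: str) -> "re.Pattern":
    # Whole-token match: "rdp" must not fire inside "hardphone", and the
    # preceding-dot case is allowed so "mail.acme-example.com" still hits.
    return re.compile(r"(?<![\w-])" + re.escape(term) + r"(?![\w-])", re.I)


ASSET_PATTERNS = [(kind, name, _term_re(name))
                  for kind, names in WATCHLIST.items() for name in names]
RISK_PATTERNS = [(term, _term_re(term)) for term in RISK_TERMS]


def fingerprint(text: str) -> str:
    """Hash of the case- and whitespace-normalized text, so the same advert
    cross-posted to several forums collapses onto one fingerprint."""
    canonical = " ".join(text.lower().split())
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def score_post(text: str):
    """Return (score, matched_assets, risk_terms) for one collected post."""
    assets, spans = {}, []
    for kind, name, pat in ASSET_PATTERNS:
        for m in pat.finditer(text):
            assets[(kind, name)] = ASSET_WEIGHT[kind]
            spans.append(m.start())
    if not spans:
        return 0, [], []          # no asset mention: nothing to triage
    risk = set()
    for term, pat in RISK_PATTERNS:
        for m in pat.finditer(text):
            if any(abs(m.start() - s) <= CONTEXT_WINDOW for s in spans):
                risk.add(term)
    return sum(assets.values()) + len(risk), sorted(assets), sorted(risk)


def triage(posts):
    """Label each post alert / review / drop / duplicate."""
    seen, results = set(), []
    for post in posts:
        fp = fingerprint(post)
        if fp in seen:
            results.append({"post": post, "verdict": "duplicate",
                            "score": 0, "assets": [], "risk_terms": []})
            continue
        seen.add(fp)
        score, assets, risk = score_post(post)
        verdict = ("alert" if score >= ALERT_THRESHOLD
                   else "review" if score > 0 else "drop")
        results.append({"post": post, "verdict": verdict, "score": score,
                        "assets": assets, "risk_terms": risk})
    return results


# Constructed sample posts standing in for scraped forum/Telegram content.
SAMPLE_POSTS = [
    "Selling RDP access to acme-example.com internal network, 2 machines, escrow ok",
    "Has anyone used Acme Widgets products? thinking of buying",
    "best pizza toppings thread",
    "  selling rdp ACCESS to acme-example.com   internal network, 2 machines, escrow ok ",
    "Jane Doe full dox + credentials dump",
]

if __name__ == "__main__":
    for r in triage(SAMPLE_POSTS):
        print(f"{r['verdict']:9} score={r['score']} {r['post'][:60]!r}")
```

The domain hit plus three risk terms pushes the first post straight to "alert", the bare brand mention lands in "review", the unrelated chatter is dropped, and the re-posted advert is recognised as a duplicate rather than generating a second alert.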
Even with great coverage, organizations struggle with their dark web monitoring capabilities as it can be noisy and irrelevant.
However, dark web monitoring can be extremely valuable to a business when you know where to look, and what to look for. We have identified three use cases – threat actors, credentials, and fraud – that make dark web monitoring more risk-based, efficient, and effective.
Use Case 1: Tracking Threats
The first use case is understanding the threat actors that target your company, VIPs, and brand. Effective investigation of these sources can bring insight to adversaries’ tools, tactics, techniques, procedures, and motives – which you can then apply to your security strategy.
More specifically you need to understand these personas and how established and reputable these threat actors are – which requires an understanding of their forum handles, their reputations, what they do, how they market, where they operate, and their overall MO. Continually collecting and tracking this data helps to apply context to these actors and better predict and detect attacks, enabling organizations to prepare defense strategies.
Similarly, insiders with valuable data or privileged access can use online forums and marketplaces to sell your valuable data. These insider threats are difficult to remediate quickly and pose a major challenge to any security team.
A “threat” isn’t just an actor, and it can also apply to a tool or malware. Tracking for developments here can be highly valuable. This may be a new piece of malware exploiting a new CVE, or an updated ransomware variant (as shown below).
Updated ransomware variant alert in ShadowSearch
Applying this context of threat actors and knowledge of the dark web landscape to tracking can allow you to proactively uncover threat actors targeting your company, VIP, and brand.
Read our overview and contribution to Forrester’s Defend Your Data As Insiders Monetize Their Access.
Use Case 2: Credentials
Another common dark web monitoring use case is protecting against exposed data and credential stuffing. Because password reuse is so common, credential stuffing has become a popular tactic for gaining access to sites and sensitive data. Credentials from data breaches are sold in bulk on the dark web to other threat actors, who take the username and password pairs and automate login attempts at scale against other services in an attempt to reach valuable assets. Our own tool and service, Search Light (now ReliaQuest GreyMatter Digital Risk Protection), has detected 14 billion of these exposed credentials online to help prevent you and those in your digital footprint from being susceptible to targeted attacks.
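When a bulk credential dump surfaces, the practical work is to pull out the lines that belong to your domains, without re-exposing the passwords in the process. The following is an added example (not code from the original post or from ReliaQuest) of a small combo-list triage routine: it parses the usual `email:password` and `email;password` forms, splits on the first separator so passwords containing ":" survive, filters to monitored domains, collapses duplicates, flags entries that are already hashes rather than plaintext, and stores only a SHA-1 of each password for comparison against existing exposure data. The monitored domains and every line of the sample dump are constructed for the example.

```python
import hashlib
import re

# Hypothetical monitored domains; not a real customer's footprint.
MONITORED_DOMAINS = {"acme-example.com", "acme-example.co.uk"}

# email, then the FIRST ':' ';' or tab, then everything else as the password.
# Splitting on the first separator keeps passwords that themselves contain ':'.
COMBO_RE = re.compile(r"^\s*([^\s:;@]+@[^\s:;]+?)\s*[:;\t]\s*(.*?)\s*$")

# Common already-hashed forms: hex digests (MD5/SHA-1/SHA-256) and modular
# crypt strings such as bcrypt ($2b$...). These cannot be compared to live
# passwords the same way plaintext can, so they are flagged, not discarded.
HASH_RE = re.compile(
    r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}|\$[0-9a-z]{1,3}\$.+)$", re.I)


def parse_line(line: str):
    """Return (email_lowercased, password) or None for junk/empty-password lines."""
    m = COMBO_RE.match(line)
    if not m or not m.group(2):
        return None
    return m.group(1).lower(), m.group(2)


def triage_combolist(lines, monitored=MONITORED_DOMAINS):
    """Split a dump into records for monitored domains plus counters.

    Passwords are never kept in the clear: each record carries the SHA-1 of
    the password, the digest used by public k-anonymity lookup services, so
    it can be matched against other exposure data without re-exposing it.
    """
    records, seen = [], set()
    stats = {"monitored": 0, "foreign": 0, "skipped": 0, "duplicates": 0}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            stats["skipped"] += 1
            continue
        email, password = parsed
        domain = email.rsplit("@", 1)[1]
        if domain not in monitored:
            stats["foreign"] += 1
            continue
        digest = hashlib.sha1(password.encode("utf-8")).hexdigest()
        key = (email, digest)
        if key in seen:                  # same pair re-sold in another dump
            stats["duplicates"] += 1
            continue
        seen.add(key)
        stats["monitored"] += 1
        records.append({
            "email": email,
            "domain": domain,
            "password_sha1": digest,
            # A hash-looking "password" means the source was already hashed:
            # a reuse check must hash candidates the same way, or skip it.
            "plaintext": not HASH_RE.match(password),
        })
    return records, stats


# Constructed sample dump: every line here is made up for the example.
SAMPLE_DUMP = [
    "user.one@acme-example.com:Winter2019!",
    "User.One@ACME-EXAMPLE.com:Winter2019!",           # same pair, different case
    "jdoe@acme-example.com;p@ss:word",                  # ';' separator, ':' in password
    "someone@other-domain.net:hunter2",                 # not our domain
    "admin@acme-example.com:5f4dcc3b5aa765d61d8327deb882cf99",  # MD5, not plaintext
    "garbage line without email",
    "bob@acme-example.com:",                            # empty password
]

if __name__ == "__main__":
    recs, counts = triage_combolist(SAMPLE_DUMP)
    print(counts)
    for r in recs:
        print(r["email"], "plaintext" if r["plaintext"] else "hashed", r["password_sha1"][:10])
```

The records that come out are what an identity team can act on: force a reset for the plaintext exposures, and treat the pre-hashed entry as a weaker signal unless the hash algorithm matches your own.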
Recently, we have seen more than just exposed credentials being compiled and sold. One gated market, Genesis Store, sells bots that bypass fingerprinting controls – providing customers with fingerprints, cookies, logs, saved passwords, and other personal information to emulate users and bypass security systems. This is an interesting development, enabling cybercriminals to bypass traditional anti-fraud controls. This trend has further developed from the Genesis Market, with another service – Richlogs – recently emerging to compete for users.
A screen capture of Genesis botnet
Read more about the Genesis botnet.
Use Case 3: Fraud
One application of these stolen credentials is to commit fraud, whether that is trading payment card details, selling counterfeit goods, or phishing. The advantage of the Genesis Store approach of collecting full browser fingerprints alongside credentials is that it gives fraudsters a more novel and effective way to impersonate users online for fraudulent purposes.
Phishing and other fraudulent techniques are used by actors to entice victims into sharing their sensitive data. Phishing kits look akin to the original websites and possess the ability to block certain IP addresses of known security companies to prevent timely remediation. Identifying fraudulent sites, products, or activities promotes better security practices.
Gift card fraud is another common activity conducted by online fraudsters. Over the past six months, there have been thousands of gift cards traded across criminal forums, dark web markets, dark web pages, IRC, and Telegram.
Gift card fraud activity across the dark web from Mar-Sep 2019
Approaches to fraud are adapting. For example, a trending Telegram market called “OL1MP” uses a bot to automate browsing for items: holidays, hotels, taxis, driver’s licenses, and documents. OL1MP relies on the privacy and encryption of Telegram chat, but as an automated marketplace it lets buyers deal with a reputable vendor without the risk of getting scammed.
However, OL1MP is just one example of the many criminal chat platforms used to trade contraband. Encrypted chat services like Telegram and Discord host numerous channels that promote illicit activity; we identified roughly 5,000 mentions of or advertisements for Telegram pages following the AlphaBay and Hansa takedowns. Dark web crime is adapting to the fall of AlphaBay and Hansa and continues to pose threats to legitimate corporations and people: you need to be able to track the latest means and markets to protect your assets.
ReliaQuest provides dark web monitoring technology with Digital Risk Protection, so you can protect your exposed data when it appears on the deep and dark web. Digital Risk Protection continually monitors and indexes hundreds of millions of dark web pages, pastes, criminal forums, Telegram, IRC, and I2P pages and is programmed to look for specific risks to your organization.
Dark web pages— Over 50 million indexed Tor and I2P pages
Our proprietary spider crawls Tor and I2P pages, identifying new content, and sources of value.
IRC and Telegram channels— More than 30 million conversations
Our technology monitors services used by groups and individuals to chat on themes ranging from threat campaigns, fraud, tactics and techniques, and technical topics.
Criminal forums—More than 23 million indexed forums
We have focused, automated custom collection on high-value forums where we identify a wide variety of activity – from exploit kits to the sale of breached data. Some of these are hosted on Tor or I2P, but many are not. Our closed sources team provides the direction and persona development to gain access to new forums.
Paste sites—Approximately 60 million indexed pastes
Another source that isn’t strictly limited to the dark web: there are many types of paste sites across the clear and dark web. Malicious actors use these sites to share breached data and create target lists.
Dark web marketplaces—Approximately 1 million indexed marketplace listings
Specific collection for marketplaces hosted on the dark web. Since the demise of AlphaBay and Hansa, there has been a proliferation of marketplaces. While their longevity has been dented by successful law enforcement disruptions, new marketplaces continue to emerge, such as MarketMS, marketed by respected figures from the Russian scene.
In addition to industry-leading technology (don’t take our word for it: Forrester named us a leader in its report), our closed sources team works to gain new access, develop personas, and produce intelligence reports on the latest cybercriminal trends.
Digital Risk Protection capabilities also put the power in your hands by allowing you to search across our indexed data to track threat actors, campaigns, and instances of fraud.
Check it out for yourself. Register for a demo now.
Dark web monitoring can be intimidating for organizations – to see if your data is exposed on criminal sites and to find and remediate it – but it doesn’t have to be.
“Good” dark web monitoring entails constantly gaining access to new sources. Technology does the heavy lifting in collection by focusing on the key use cases, while undercover security experts continually develop personas, socialize with criminals, and access the trickier places to provide proper source coverage and visibility into the darkest areas of the criminal landscape. This dual approach empowers you to quickly detect insider threats, identify fraud, find counterfeits, and detect exposed credentials that are not otherwise visible to you.
Dark web monitoring can have a real business impact; it can protect you from compliance issues, financial implications, and reputational impacts that can occur if your assets are not properly monitored. Here at ReliaQuest, we work with you to develop a plan to make sure your data is not being exploited on the open, deep, or dark web and ensure you stay ahead of the cat-and-mouse game.