Dark Web Monitoring: The Good, The Bad, and The Ugly

Dark Web Monitoring: The Good, The Bad, and The Ugly
Photon Research Team
Read More From Photon Research Team
September 11, 2019 | 20 Min Read

Dark Web Monitoring Overview

Gaining access to dark web and deep web sources can be extremely powerful – if you focus on relevant use cases. The most successful strategies we observe have clear requirements, such as fraud detection, threat monitoring, and finding exposed credentials.

However, monitoring these sources is challenging, and few solutions have sophisticated coverage. “Deep and dark web” spans a huge range of potential sources; marketplaces, closed forums, messaging apps, and paste sites. Few companies span all these sources; fewer still have capabilities to go beyond simple scraping of sites.

Unfortunately, there is a lot of FUD (fear, uncertainty, and doubt) concerning the dark web.  Iceberg analogies have been common for several years, ostensibly demonstrating the deep and dark web is significantly larger than the open web. In truth, the dark web only contributes to a small chunk of cybercrime – we must consider additional sources to get a truer sense of the threat landscape.

What is the Dark Web?

The dark web is an area of the internet that is only accessible with specific browser software, such as Tor or I2P. It is a web of anonymity where users’ identities and locations are protected by encryption technology that routes user data through many servers across the globe – making it extremely difficult to track users.

The anonymity of the dark web makes it an attractive technology for illegal purposes. Unfortunately, gaining visibility into criminal locations is difficult: it requires specialized knowledge, access to closed sources, and technology that’s capable of monitoring these sources for misuses of your data.

However, let’s first dispel some misconceptions about the dark web. 

  1. Assumption 1: The dark web is synonymous with the criminal internet. While the dark web is home to lots of crime, it also hosts many legitimate companies like New York Times and Facebook who offer Tor-based services, as well as generally benign content. The dark web is not synonymous with cybercrime.
  2. Assumption 2: The dark web is the same thing as the deep web. To clarify, the deep web is broadly defined as anything that is not indexed by traditional search engines. Unsurprisingly, the deep web is also home to criminality – but so too is the clear web. The dark web does not monopolize cybercrime.

what is the dark web

Simply because it isn’t accessible by a traditional search engine, it does not mean the deep web is necessarily interesting. Most of the data on the deep web is mundane or “normal”; for example, email or Facebook accounts might fall under this definition as they require registration to see the content. While some deep and dark web sites are valuable sources, you need to know what you’re looking for, otherwise it’s easy to waste time and resources.

The Fight Over Dark Web Marketplaces

In July of 2017, United States and Dutch law enforcement launched Operation Bayonet where they seized and disabled two of the most prominent dark web marketplaces, AlphaBay and Hansa. United States Attorney General Jeff Sessions described the operation as:

 “one of the most important criminal investigations of the year…because of this operation, the American people are safer – safer from the threat of identity fraud and malware, and safer from deadly drugs.”

Before Operation Bayonet, English-speaking cybercriminal activity mainly took place on online dark web marketplaces such as Alpha Bay and Hansa, where hundreds of thousands of vendors and buyers were doing an estimate of over $1 billion in illegal trade.

Law enforcement action didn’t stop there – on May 7, 2019 an internationally coordinated operation led to the takedowns of two more dark web marketplaces, Wall Street Marketplace and Valhalla Marketplace (Silkkitie). In the same operation, law enforcement simultaneously disabled one popular dark web news source and review page, DeepDotWeb.  DeepDotWeb did not sell contraband; instead, administrators profited from promoting criminal sites and marketplaces through affiliate links. Its recent seizure displayed law enforcement’s willingness to target more of the illegal trade network beyond the marketplaces – including promoters and launderers.

Hansa and AlphaBay dark web markets

In our dark web research report, Seize and Desist: The State of Cybercrime in the Post-AlphaBay and Hansa Age, we explored the impact of these dark web marketplace seizures. While a large chunk of cybercrime (especially Russian-speaking) was largely undisrupted, a breach of trust occurred in dark web criminal trade. This breach of trust caused criminals to consider new ways for generating trust in the underground.

While dark web markets, such as Tochka and Empire, certainly still exist, no market has yet risen to the prominence of Silk Road, AlphaBay, or Hansa. New criminal marketplaces continue to crop up, but they struggle to grow or decide to tread lightly with the growing fears of law enforcement disruptions and takedowns. To grow, these criminal marketplaces need a solid reputation, financing to scale, security to maintain current users, and trust to gain more traction.

There are some interesting candidates, however. Market.ms Marketplace, run by the former administrator of the prestigious Exploit[.]in hacking forum, who coincidentally now leads the emerging XSS forum (formerly Damagelab), is an up and comer in the dark web market. Focused purely on cybercrime; MarketMS is near peerless.

market ms marketplace dark web

Cybercriminals will not rely on just one site and instead have presence across many of these sources – ensuring their name is well-known to any potential buyers. However, the presence of escrow services on marketplaces creates an understandable incentive to trade on these particular platforms. As a result, it’s important to note that these new dark web markets exist alongside Telegram and Jabber, which co-exist to obtain proofs, negotiate deals, and agree on a final price.

Continual Cybercrime and Criminal Innovation

Despite law enforcement action targeting dark web marketplaces, cyber activity continues apace. For example, Automated Vending Carts (AVCs) are criminal pages that trade credit cards, credentials and accesses – their trade has been largely unaffected by the recent seizures (aside from the seizure of xDedic in January 2019). Joker’s Stash, a prominent AVC used to purchase stolen credit card, continues to operate while also experimenting with new technologies like blockchain DNS.

Another AVC, Enigma market, is quickly gaining notoriety amongst cybercriminals as it has doubled its listings since February of 2019. The founder, a credential stuffing actor with the alias Stackz420, has recently been promoting his AVC across criminal forums and marketplaces and it’s been gaining traction. The AVC initially offered 11,000 hacked credentials and now lists around 20,000 and shows no signs of slowing. With an increased number of listings and a notorious administrator, this AVC is primed to grow in size and significance.

Additional Reading

https://www.digitalshadows.com/blog-and-research/market-ms-heir-to-the-alphabay-and-hansa-throne/

https://www.digitalshadows.com/blog-and-research/how-cybercriminals-are-using-blockchain-dns-from-the-market-to-the-bazar/

https://www.digitalshadows.com/blog-and-research/a-growing-enigma-new-avc-on-the-block/

 

Building Trust in the Underground: Checks and Balances

Law enforcement is not the only force looking to disrupt the criminal community; their peers can be just as adversarial.

The Olympus Marketplace, an emerging dark web marketplace, ceased operations as the administrators reportedly conducted an exit scam – stealing user funds in the process. When AlphaBay and Hansa were seized, Olympus was a reputable, English-speaking marketplace that was expected by many to fill the void, but being the main marketplace comes with a hefty price.  Time, money, and fear of getting caught loom too large for vendors and administrators who are continually choosing security over greed.

Olympus dark web marketplace

Dream Market, a main competitor of AlphaBay and Hansa, also ceased its operations after repeated DDoS attacks. Attackers seized control of accounts because of common password reuse amongst marketplace goers. It is widely believed these account attacks were conducted by While, the police did not gain full control of the site, breaching accounts of users was enough to cause administrators to abandon operations completely.

This recent fall in reputable marketplaces has exacerbated criminal-on-criminal fraud throughout the dark web. Cybercriminals create phishing kits of real dark web marketplaces to steal from other dark web users looking to trade and profit from illicit trade. Since Tor links tend to be longer and more complex than clear web links, cybercriminals utilize typo squats – replacing “m” with “rn” or rearranging complex character strings in the link – to phish and defraud other dark web users scanning through marketplaces.

These specific fraud actors that target other cybercriminals are labeled in the cyber world as “rippers.” For example, services have emerged within Russian-speaking communities to protect their sites against these rippers like Ripper[.]cc – a comprehensive database of all the known rippers targeting marketplaces. It’s important to remember cybercriminals do not act alone and need services to provide security and safety to their ecosystem.

Additional Reading

Olympus Market Fallout https://www.digitalshadows.com/blog-and-research/cybercriminal-marketplaces-olympus-has-fallen/

Scamming each other: https://www.digitalshadows.com/blog-and-research/dark-web-typosquatting-scammers-v-tor/

Ripper fraud: https://www.digitalshadows.com/blog-and-research/innovation-in-the-underworld-reducing-the-risk-of-ripper-fraud/

A Rich Ecosystem: Criminal Support Services

Ripper[.]cc is just one example of a broad ecosystem of cybercriminal support services that exist on the deep and dark web. The truth is that cybercriminals do not act alone – it is simply not feasible for them to do so. They are supported by a rich and developed range of support services, including money laundering, malware, and infrastructure.

Outsourcing their money laundering enables cybercriminals to process and generate financial profits. Services in this realm include e-currencies, exchangers, transfer specialists, and mules. AlphaBay had mixer (an online laundering service) included within the site, but nowadays cybercriminals and fraudsters may turn to external services to clean their money.

Cybercriminals must also have malware to access. This includes its development and deployment, but also crypting services and exploit kits. While at their zenith in 2016, exploit kits have declined in popularity more recently. Nevertheless, they are still used to deliver some types of malware – most recently the delivery of Nemty ransomware through the RIG exploit kit.

Finally, infrastructure is required to protect their operations. Typical services include bulletproof hosting, counter-AV services, and anonymity services. These services are extremely popular as they reduce the risk of criminal sites becoming seized and allow cybercriminals to continue running away from law enforcement. One of the main services criminals rely on is bulletproof hosting services.

Bulletproof hosting is arguably more important than a Tor browser for conducting illegal trade online. Bulletproof hosting provides a protected internet structure for people or groups that is generally used for illicit purposes. This infrastructure is hosted on servers in countries where cyber-oversight is difficult and western law enforcement access is limited – enabling users to bypass internet content and service laws that restrict certain content and its distribution.

Some argue in favor of bulletproof hosting for civil rights as it promotes freedom of expression, press, anonymity, and privacy. In reality, these services are a vital aspect of cybercrime as they provide protection from law enforcement. We see two criminal sides of the bulletproof hosting operations – providers who supply bulletproof services and clients who buy their services to host illegal pages.

On the providers side we see users setting up bulletproof hosting on their servers in countries like China, Russia, and countries which were part of the former Soviet Union. The world’s biggest bulletproof provider operates under the alias “Yalishanda”, meaning Alexander in Mandarin. Security officials have been able to track his real identity and whereabouts but are unable to apprehend him as he is protected by his residency in Russia.

On the hosting side, we see users buying or renting these servers from upstream providers anywhere in the world. Hosts commonly utilized bulletproof hosting to host criminal services such as phishing, malware, forums, and exposed credentials. For example, Magecart groups – banking information thieves – are using servers from Ukraine to operate their credential trade.

bulletproof hosting dark web

Though difficult, law enforcement still seeks to target these bulletproof hosting providers. In a historical case, US law enforcement worked with Romanian law enforcement to arrest a man for his role in providing bulletproof hosting to the banking malware Gozi.

As displayed by this case, dark web takedowns extend beyond the headlines of criminal sites. Law enforcement perform tactical takedowns of counter antivirus sites, bulletproof hosting providers, and other services that are essential to the criminal ecosystem.

As the criminal ecosystem evolves around the strategies and tactics of law enforcement, so do the criminals as they are continually finding new and innovative ways to profit off of their expertise, including teaching.  Former fraudsters and credential traders have set up their own cybercrime courses where they teach other cybercriminals all the skills from basic carding techniques, currency laundering, cash withdrawal schemes, social engineering, botnet creation, and use of exploits.

They post introductory lectures for free on dark web peer-to-peer networks like Telegram or Jabber that advertise their class and specific dark web marketplaces and AVCs for trading.  Young cybercriminals can buy these lectures 75,000 Rubles ($1,100 USD), payable in bitcoin that gives them access to many more courses, lectures, and resources – including tutors. This is a dangerous development for organizations and consumers as amateur actors now have the resources and training to embark on a cybercriminal career.

How to Build a Dark Web Monitoring Capability

Building an effective dark web monitoring capability is extremely difficult. It requires a knowledge of the criminal landscape, access to closed sources, and technology that is capable of monitoring those sources.

Source coverage can be a very challenging issue with dark web monitoring. You need to diagnose the Tor and I2P sites that are of interest – and pose a threat – as well as IRC and Telegram channel chats, criminal forums, and paste sites that are not limited to the dark web sites.

There are several technologies who provide this visibility into the dark web. OnionScan provides this visibility to help researchers and investigators identify and track all these dark web sites. At Digital Shadows, we give a free 7 day access to search across these sources.

However, visibility isn’t solely enough.

To efficiently monitor the dark web, you need to filter out the irrelevant sources that do not pose imminent threats to your business. With the remaining sources, depending on your threat model, you need to monitor and find the specific counterfeits, mentions of your assets, and exposed credentials. This can require intensive human labor or a technology that can automate the process.

Furthermore, to gain access to higher-value criminal forums, organizations may need additional expertise to understand the nuances of different languages, how to access certain locations, and launch investigation into finding your exposed data. Some sites even require specific tradecraft to enter, which can relate to IP, webmail service whitelisting/blacklisting, and other requirements. To do all of this requires a lot of effort, expertise, time, and money. If not done effectively, it can be difficult to derive value for your organization.

In our work with organizations, we find that there are three key use cases when we talk about dark web monitoring:

  1. Tracking threats
  2. Identifying exposed credentials
  3. Detecting fraud

By focusing on these, it helps to make dark web monitoring more time-efficient, and more relevant to you. 

Dark Web Monitoring For Business

Even with great coverage, organizations struggle with their dark web monitoring capabilities as it can be noisy and irrelevant.

However, dark web monitoring can be extremely valuable to a business when you know where to look, and what to look for. We have identified three use cases – threat actors, credentials, and fraud – that make dark web monitoring more risk-based, efficient, and effective.

Tracking Threats

The first use case is understanding the threat actors that target your company, VIPs, and brand. Effective investigation of these sources can bring insight to adversaries’ tools, tactics, techniques, procedures, and motives – which you can then apply to your security strategy.

More specifically you need to understand these personas and how established and reputable these threat actors are – which requires an understanding of their forum handles, their reputations, what they do, how they market, where they operate, and their overall MO. Continually collecting and tracking this data helps to apply context to these actors and better predict and detect attacks, enabling organizations to prepare defense strategies.

Similarly, insiders with valuable data or privileged access can use online forums and marketplaces to sell your valuable data. These insider threats are difficult to remediate quickly and pose a major challenge to any security team.

A “threat” isn’t just an actor, and it can also apply to a tool or malware. Tracking for developments here can be highly valuable. This may be a new piece of malware exploiting a new CVE, or an updated ransomware variant (as shown below).

tracking dark web threats

Applying this context of threat actors and knowledge of the dark web landscape to tracking can allow you to proactively uncover threat actors targeting your company, VIP, and brand.

For further reading on this, check out https://www.digitalshadows.com/blog-and-research/digital-shadows-contributes-to-insider-threat-research/

Credentials

Another common dark web monitoring use case is protection from exposed data and credential stuffing. Since password reuse is so common, credential stuffing has developed into a popular tactic to gain access to sites and sensitive data. Credentials from data breaches are sold in bulk on the dark web to other threat actors. These threat actors take the usernames and passwords and automate an overhaul login in an attempt to gain valuable assets. Our own tool and service, SearchLight, has detected 14 billion of these exposed credentials online to help prevent you and those in your digital footprint from being susceptible to targeted attacks.

Recently, we have seen more than just exposed credentials being compiled and sold. One gated market, Genesis Store, sells bots that bypass fingerprinting controls – providing customers with fingerprints, cookies, logs, saved passwords, and other personal information to emulate users and bypass security systems. This is an interesting development, enabling cybercriminals to bypass traditional anti-fraud controls. This trend has further developed from the Genesis Market, with another service – Richlogs – recently emerging to compete for users.

Genesis botnet dark web

You can read more about the Genesis botnet at https://www.digitalshadows.com/blog-and-research/genesis-botnet-the-market-claiming-to-sell-bots-that-bypass-fingerprinting-controls/

Fraud

One application of these stolen credentials is to commit fraud – whether that is trading payment card details, selling counterfeit goods, or phishing. One of the benefits of Genesis market taking this approach to collect credentials is they can have a more novel and effective way to impersonate users online for fraudulent purposes.

Phishing and other fraudulent techniques are used by actors to entice victims into sharing their sensitive data. Phishing kits look akin to the original websites and possess the ability to block certain IP addresses of known security companies to prevent timely remediation. Identifying fraudulent sites, products, or activities promotes better security practices.

Gift card fraud is another common activity conducted by online fraudsters. Over the past six months, there have been thousands of gift cards traded across criminal forums, dark web markets, dark web pages, IRC, and Telegram.

gift card fraud dark web

Approaches to fraud are adapting, for example, a trending Telegram Market called “OL1MP” utilizes a bot to automate the browsing for items – holidays, hotels, taxis, driver’s licenses, and documents.  OL1MP utilizes the privacy and encryption of the telegram chat but is an automated marketplace so buyers can chat with a reputable dealer without running the risk of getting scammed.

OL1MP telegram market dark web

However, OL1MP is a single example of the many criminal chat platforms used to contraband trade. Encrypted chatting services like Telegram and Discord host numerous chat channels that promote illicit practices. We identified roughly 5,000 mentions or advertisements to Telegram pages post- AlphaBay and Hansa takedowns. Dark web crime is adapting to the fall of AlphaBay and Hansa and continuing to pose threats to legitimate corporations and people – you need to be able to track the latest, hottest means and markets to protect your assets.

How Digital Shadows Provides Dark Web Monitoring

Digital Shadows provides dark web monitoring technology with SearchLight, so you can protect your exposed data when it appears on the deep and dark web. SearchLight continually monitors and indexes hundreds of millions of dark web pages, pastes, criminal forums, Telegram, IRC, and I2P pages and is programmed to look for specific risks to your organization.

Dark web pages

Our proprietary spider crawls Tor and I2P pages, identifying new content, and sources of value.
Approximately 50 million indexed Tor and I2P pages

IRC and Telegram channels

Our technology monitors services used by groups and individuals to chat on themes ranging from threat campaigns, fraud, tactics and techniques, and technical topics.
More than 30 million conversations

Criminal forums

We have focused, automated custom collection on high-value forums where we identify a wide variety of activity – from exploit kits to the sale of breached data. Some of these are hosted on Tor or I2P, but many are not. Our closed sources team provides the direction and persona development to gain access to new forums.
More than 23 million indexed forums

Paste sites

Another sources that isn’t strictly limited to the dark web – there are many types of paste sites that exist across the clear and dark web. Malicious actors use these sites to share breached data and create target lists.
Approximately 60 million indexed pastes

Dark web marketplaces

Specific collection for marketplaces hosted on the dark web. Since the demise of AlphaBay and Hansa, there has been a proliferation of marketplaces. While their longevity has been dented by LEA success is in disruptions, new marketplaces continue to emerge, such as MarketMS: marketed by respected figures from the Russian scene.
Approximately 1 million indexed marketplace listings

In addition to the industry leading technology (don’t take our word for it – Forrester named us a leader in their report here), our closed sources team works to gain new access, develop personas, and produce intelligence reports on the latest cybercriminal trends.

Our Shadow Search capabilities also put the power in your hands by allowing you to search across our indexed data to track threat actors, campaigns, and instances of fraud.

Check it out for yourself. Take a Tour of the Dark Web in Test Drive now.

dark web monitoring tool

Making Dark Web Monitoring Capable & Relevant

Dark web monitoring can be intimidating for organizations – to see if your data is exposed on criminal sites and to find and remediate it – but it doesn’t have to be.

“Good” dark web monitoring entails constantly accessing new sources. Technology does the heavy lifting in collection by focusing on the key use cases and undercover security experts continually develop personas, socialize with criminals, and access these trickier places to provide proper source coverage and visibility into the darkest areas of the criminal landscape. This dual source coverage empowers you to quickly detect insider threats, identify fraud, find counterfeits, and instantly detect exposed credentials that are not easily visible to you.

Dark web monitoring can have a real business impact; it can protect you from compliance issues, financial implications, and reputational impacts that can occur if your assets are not properly monitored. Here at Digital Shadows, we work with you to develop a plan to make sure your data is not being exploited on the open, deep, or dark web and ensure you stay ahead of the cat-and-mouse game.

Download our Dark Web Monitoring Overview to learn more:

Digital Shadows Dark Web and Deep Web Intelligence Datasheet

Further Resources Around Dark Web Monitoring

Access Our Threat Intel In Test Drive

Test Drive SearchLight Free for 7 Days
Try It Now

Connect with us

Related Posts

Unpicking Cybercriminals’ Personalities – Part 1:  Gender and Nationality

Unpicking Cybercriminals’ Personalities – Part 1: Gender and Nationality

September 23, 2020 | 9 Min Read

It’s easy to fall into the trap of...
DarkSide: The new ransomware group behind highly targeted attacks

DarkSide: The new ransomware group behind highly targeted attacks

September 22, 2020 | 8 Min Read

We’ve recently observed the emergence of a...
With the Empire falling, who will take over the throne?

With the Empire falling, who will take over the throne?

September 16, 2020 | 10 Min Read

With the Empire falling, who will take over...
Not another ransomware blog: Initial access brokers and their role

Not another ransomware blog: Initial access brokers and their role

September 9, 2020 | 5 Min Read

It’s hard to get very far in cyber threat...
Cyber espionage: How to not get spooked by nation-state actors

Cyber espionage: How to not get spooked by nation-state actors

September 8, 2020 | 8 Min Read

In all the years I’ve worked in the...
Dread takes on the spammers – who will come out on top?

Dread takes on the spammers – who will come out on top?

August 28, 2020 | 9 Min Read

Spamming is an irritating and sometimes...
Fall of the behemoth: Cybercriminal underground rocked by Empire’s apparent exit scam

Fall of the behemoth: Cybercriminal underground rocked by Empire’s apparent exit scam

August 27, 2020 | 10 Min Read

Summer is generally a relatively quiet time...
“ALEXA, WHO IS THE NUMBER ONE CYBERCRIMINAL FORUM TO RULE THEM ALL?”

“ALEXA, WHO IS THE NUMBER ONE CYBERCRIMINAL FORUM TO RULE THEM ALL?”

August 26, 2020 | 12 Min Read

In June 2020, the administrator of the...
RECAP: Discussing the evolution and trends of cybercrime with Geoff White

RECAP: Discussing the evolution and trends of cybercrime with Geoff White

August 25, 2020 | 8 Min Read

In late July 2020, Digital Shadows had the...
Dark Web Forums – The new kid on the block

Dark Web Forums – The new kid on the block

August 18, 2020 | 12 Min Read

Introducing DWF There’s a new kid on...
Optiv CTIE 2020: COVID-19, cybercrime, and third-party risk

Optiv CTIE 2020: COVID-19, cybercrime, and third-party risk

August 17, 2020 | 10 Min Read

Optiv recently released their 2020 Cyber...
Escrow systems on cybercriminal forums: The Good, the Bad and the Ugly

Escrow systems on cybercriminal forums: The Good, the Bad and the Ugly

August 11, 2020 | 15 Min Read

Just a few short months ago, the...
Saving the SOC from overload by operationalizing digital risk protection

Saving the SOC from overload by operationalizing digital risk protection

August 5, 2020 | 4 Min Read

As you may have seen last week, the latest...
The story of Nulled: Old dog, new tricks

The story of Nulled: Old dog, new tricks

August 4, 2020 | 9 Min Read

It is often said that old dogs have a hard...
Dark Web Travel Agencies Revisited: The Impact of Coronavirus on the Shadow Travel Industry

Dark Web Travel Agencies Revisited: The Impact of Coronavirus on the Shadow Travel Industry

July 29, 2020 | 10 Min Read

Back in February, Digital Shadows published...
Account takeover: Expanding on impact

Account takeover: Expanding on impact

July 27, 2020 | 7 Min Read

Digital Shadows has collected over 15 billion...
Ransomware Trends in Q2: How Threat Intelligence Helps

Ransomware Trends in Q2: How Threat Intelligence Helps

July 22, 2020 | 8 Min Read

If you’re anything like me, it can be a...
The Rise of OpenBullet: A Deep Dive in the Attacker’s ATO toolkit

The Rise of OpenBullet: A Deep Dive in the Attacker’s ATO toolkit

July 20, 2020 | 9 Min Read

Account takeover (ATO) has become a serious...
Abracadabra! – CryptBB demystifying the illusion of the private forum

Abracadabra! – CryptBB demystifying the illusion of the private forum

July 15, 2020 | 8 Min Read

You wouldn’t usually associate cybercriminal...
SearchLight’s Credential Validation: Only Focus on What Matters

SearchLight’s Credential Validation: Only Focus on What Matters

July 14, 2020 | 4 Min Read

Of the many use cases associated with threat...
Tax Fraud in 2020: Down But Not Out

Tax Fraud in 2020: Down But Not Out

July 13, 2020 | 4 Min Read

After a three month extension, tomorrow marks...
From Exposure to Takeover: Part 1. Beg, borrow, and steal your way in

From Exposure to Takeover: Part 1. Beg, borrow, and steal your way in

July 7, 2020 | 9 Min Read

Account Takeover: Why criminals can’t...
Digital Risk Reporting Best Practices: Top 10 Ways to Build Killer Reports in SearchLight

Digital Risk Reporting Best Practices: Top 10 Ways to Build Killer Reports in SearchLight

June 30, 2020 | 4 Min Read

We all have those days or that time of the...
Multiple vs. Exclusive Sales on the Dark Web: What’s in a sale?

Multiple vs. Exclusive Sales on the Dark Web: What’s in a sale?

June 29, 2020 | 9 Min Read

When going out on a shopping spree, you would...
Introducing Nulledflix – Nulled forum’s own streaming service

Introducing Nulledflix – Nulled forum’s own streaming service

June 23, 2020 | 8 Min Read

Lockdowns implemented during the COVID-19...
Torigon Forum: A sad case of all show and no go

Torigon Forum: A sad case of all show and no go

June 23, 2020 | 11 Min Read

When we review the ideal template for a...
Ensuring order in the underground: Recruiting moderators on cybercriminal forums

Ensuring order in the underground: Recruiting moderators on cybercriminal forums

June 18, 2020 | 10 Min Read

While there have been many predictable...
Security Threat Intel Products and Services: Mapping SearchLight

Security Threat Intel Products and Services: Mapping SearchLight

June 10, 2020 | 6 Min Read

For those of you who have not yet seen, Gartner...
New DDoS protection tool advertised on the dark web

New DDoS protection tool advertised on the dark web

June 9, 2020 | 7 Min Read

This blog examines a newly launched DDoS...
3 Phishing Trends Organizations Should Watch Out For

3 Phishing Trends Organizations Should Watch Out For

May 20, 2020 | 16 Min Read

It’s only May, and is it just me, or has this...
The 2020 Verizon Data Breach Investigations Report: One CISO’s View

The 2020 Verizon Data Breach Investigations Report: One CISO’s View

May 19, 2020 | 6 Min Read

Sadly, Marvel’s Black Widow release date was...
A NEW DECADE OF CYBER THREATS: LOOKING BACK AT THE TRENDING CYBER TOPICS OF Q1 2020

A NEW DECADE OF CYBER THREATS: LOOKING BACK AT THE TRENDING CYBER TOPICS OF Q1 2020

May 14, 2020 | 10 Min Read

Q1 2020 was packed full of significant...
BitBazaar Market: Deception and Manipulation on the Dark Web

BitBazaar Market: Deception and Manipulation on the Dark Web

May 12, 2020 | 8 Min Read

It's a BitBazaar that they thought they...
Competitions on English-language cybercriminal forums: A stagnant competition model?

Competitions on English-language cybercriminal forums: A stagnant competition model?

May 5, 2020 | 9 Min Read

Russian-language cybercriminal forums aren’t...
Charitable Endeavors on Cybercriminal Forums

Charitable Endeavors on Cybercriminal Forums

April 28, 2020 | 12 Min Read

One heart-warming aspect of modern society is...
Nulled: The modern cybercriminal forum to go mobile….?

Nulled: The modern cybercriminal forum to go mobile….?

April 22, 2020 | 9 Min Read

What’s more threatening than the thought of a...
What ‘The Wire’ can teach us about cybersecurity

What ‘The Wire’ can teach us about cybersecurity

April 21, 2020 | 12 Min Read

In the current era of self-isolation, remote...
Zoom Security and Privacy Issues: Week in Review

Zoom Security and Privacy Issues: Week in Review

April 17, 2020 | 10 Min Read

In the last month, you’ve likely been hearing...
Recon: Dark web reconnaissance made to look easy

Recon: Dark web reconnaissance made to look easy

April 3, 2020 | 4 Min Read

Just as the rest of us enjoy the ease of...
Coronavirus as a double-edged sword for cybercriminals: Desperation or opportunity?

Coronavirus as a double-edged sword for cybercriminals: Desperation or opportunity?

April 2, 2020 | 9 Min Read

The ongoing COVID-19 (aka coronavirus) pandemic...
COVID-19: Companies and Verticals At Risk For Cyber Attacks

COVID-19: Companies and Verticals At Risk For Cyber Attacks

March 26, 2020 | 8 Min Read

  In our recent blog, How cybercriminals...
COVID-19: Dark Web Reactions

COVID-19: Dark Web Reactions

March 19, 2020 | 5 Min Read

  Digital Shadows has been researching...
Apollon Dark Web Marketplace: Exit Scams and DDoS Campaigns

Apollon Dark Web Marketplace: Exit Scams and DDoS Campaigns

March 17, 2020 | 8 Min Read

  Imagine logging on to your favorite...
How One Cybercriminal Forum is Helping to Address Suicide Awareness

How One Cybercriminal Forum is Helping to Address Suicide Awareness

March 10, 2020 | 4 Min Read

  The world can be a stressful place...
Dark Web Search Engine Kilos: Tipping the Scales in Favor of Cybercrime

Dark Web Search Engine Kilos: Tipping the Scales in Favor of Cybercrime

March 5, 2020 | 7 Min Read

  With the recent indictment of Larry...
FBI IC3 2019: Cybercrime results in over $3.5 billion in reported losses

FBI IC3 2019: Cybercrime results in over $3.5 billion in reported losses

March 3, 2020 | 8 Min Read

  On February 11th, we were treated to an...
The Ecosystem of Phishing: From Minnows to Marlins

The Ecosystem of Phishing: From Minnows to Marlins

February 20, 2020 | 31 Min Read

YOU JUST WON $1,000. CLICK HERE TO CLAIM YOUR...
Cybercriminal Forums on Valentine’s Day – A nice night to “Netflix and steal”…

Cybercriminal Forums on Valentine’s Day – A nice night to “Netflix and steal”…

February 17, 2020 | 6 Min Read

  It's the night before Valentine's Day,...
Dark web travel agencies: Take a trip on the dark side

Dark web travel agencies: Take a trip on the dark side

February 4, 2020 | 11 Min Read

For at least the last two years, an ecosystem of...
How the Cybercriminal Underground Mirrors the Real World

How the Cybercriminal Underground Mirrors the Real World

January 21, 2020 | 7 Min Read

Mirror, Mirror, on the wall. Who’s the best...
Cryptonite: Ransomware’s answer to Superman…

Cryptonite: Ransomware’s answer to Superman…

January 14, 2020 | 4 Min Read

  Update: It appears that the Cryptonite...
The Closure of Market.ms: A Cybercriminal Marketplace Ahead of Its Time

The Closure of Market.ms: A Cybercriminal Marketplace Ahead of Its Time

December 18, 2019 | 9 Min Read

In the world of “what could have been,” the...
2020 Cybersecurity Forecasts: 5 trends and predictions for the new year

2020 Cybersecurity Forecasts: 5 trends and predictions for the new year

December 18, 2019 | 10 Min Read

  If all the holiday fuss isn’t...
Forums are Forever – Part 3: From Runet with Love

Forums are Forever – Part 3: From Runet with Love

December 17, 2019 | 24 Min Read

  The rise of alternative technologies...
Forums are Forever – Part 2: Shaken, but not Stirred

Forums are Forever – Part 2: Shaken, but not Stirred

December 10, 2019 | 5 Min Read

  Cybercriminal forums continue to thrive...
Forums are Forever – Part 1: Cybercrime Never Dies

Forums are Forever – Part 1: Cybercrime Never Dies

December 4, 2019 | 10 Min Read

If one could predict the future back in the late...
Probiv: The missing pieces to a cybercriminal’s puzzle

Probiv: The missing pieces to a cybercriminal’s puzzle

November 26, 2019 | 10 Min Read

A husband wants to find out who owns the unknown...
Black Friday Deals on the Dark Web: A cybercriminal shopper’s paradise

Black Friday Deals on the Dark Web: A cybercriminal shopper’s paradise

November 21, 2019 | 10 Min Read

  Black Friday. You love it, you hate it,...
DarkMarket’s Feminist Flight Towards Equality and the Curious Case of Canaries

DarkMarket’s Feminist Flight Towards Equality and the Curious Case of Canaries

November 19, 2019 | 4 Min Read

  In late August, Dark Fail (a Tor onion...
VoIP security concerns: Here to stay, here to exploit

VoIP security concerns: Here to stay, here to exploit

November 14, 2019 | 4 Min Read

  VoIP, or Voice over Internet Protocol,...
Understanding the Different Cybercriminal Platforms: AVCs, Marketplaces, and Forums

Understanding the Different Cybercriminal Platforms: AVCs, Marketplaces, and Forums

October 31, 2019 | 6 Min Read

  With the recent breach that targeted...
Cybercriminal credit card stores: Is Brian out of the club?

Cybercriminal credit card stores: Is Brian out of the club?

October 31, 2019 | 8 Min Read

  If you’re an avid follower of Digital...
Honeypots: Tracking Attacks Against Misconfigured or Exposed Services

Honeypots: Tracking Attacks Against Misconfigured or Exposed Services

October 17, 2019 | 9 Min Read

Honeypots can be useful tools for gathering...
Typosquatting and the 2020 U.S. Presidential election: Cyberspace as the new political battleground

Typosquatting and the 2020 U.S. Presidential election: Cyberspace as the new political battleground

October 16, 2019 | 15 Min Read

Typosquatting. It’s a phrase most of us know in...
Cybercriminal Forum Developments: Escrow Services

Cybercriminal Forum Developments: Escrow Services

October 15, 2019 | 5 Min Read

Financial transactions made on cybercriminal...
Dark Web Overdrive: The Criminal Marketplace Understood Through Cyberpunk Fiction

Dark Web Overdrive: The Criminal Marketplace Understood Through Cyberpunk Fiction

October 9, 2019 | 5 Min Read

In 1984, science fiction writer William Gibson...
Top Threat Intelligence Podcasts to Add to Your Playlist

Top Threat Intelligence Podcasts to Add to Your Playlist

October 3, 2019 | 4 Min Read

Looking for some new threat intelligence podcasts...
Domain Squatting: The Phisher-man’s Friend

Domain Squatting: The Phisher-man’s Friend

October 1, 2019 | 8 Min Read

In the past we have talked about the internal...
Singapore Cyber Threat Landscape report (H1 2019)

Singapore Cyber Threat Landscape report (H1 2019)

September 26, 2019 | 7 Min Read

Despite being the second smallest country in...
Nemty Ransomware: Slow and Steady Wins the Race?

Nemty Ransomware: Slow and Steady Wins the Race?

September 19, 2019 | 3 Min Read

As we outlined recently, ransomware is a key...
Your Data at Risk: FBI Cyber Division Shares Top Emerging Cyber Threats to Your Enterprise

Your Data at Risk: FBI Cyber Division Shares Top Emerging Cyber Threats to Your Enterprise

September 17, 2019 | 8 Min Read

Data breaches are not slowing down. Nobody...
Envoy on a Mission to Bring Stability to the Criminal Underground

Envoy on a Mission to Bring Stability to the Criminal Underground

September 4, 2019 | 3 Min Read

Recent Turbulence in the Underground From the...
Emotet Returns: How To Track Its Updates

Emotet Returns: How To Track Its Updates

August 26, 2019 | 5 Min Read

What is Emotet? Emotet started life as a banking...
The Nouns of Black Hat: People, Places, and Things From Summer Camp 2019

The Nouns of Black Hat: People, Places, and Things From Summer Camp 2019

August 19, 2019 | 6 Min Read

Black Hat and DEFCON are a wrap! Digital Shadows...
Fresh blow for dark web markets: Nightmare market in disarray

Fresh blow for dark web markets: Nightmare market in disarray

August 13, 2019 | 5 Min Read

Over the past three weeks, Digital Shadows has...
Capital One Breach: What we know and what you can do

Capital One Breach: What we know and what you can do

July 31, 2019 | 5 Min Read

Monday blues. It’s a thing. It’s when you...
The Account Takeover Kill Chain: A Five Step Analysis

The Account Takeover Kill Chain: A Five Step Analysis

July 30, 2019 | 17 Min Read

It’s no secret that credential exposure is a...
A Growing Enigma: New AVC on the Block

A Growing Enigma: New AVC on the Block

July 19, 2019 | 3 Min Read

This week, in a ground breaking announcement, the...
Facebook’s Libra Cryptocurrency: Cybercriminals tipping the scales in their favor

Facebook’s Libra Cryptocurrency: Cybercriminals tipping the scales in their favor

June 27, 2019 | 8 Min Read

The announcements of Facebook’s new...
BlueKeep: Cutting through the hype to prepare your organization

BlueKeep: Cutting through the hype to prepare your organization

May 24, 2019 | 8 Min Read

Over the last week we have all been tuning into...
FBI IC3: Cybercrime Surges in 2018, Causing $2.7 Billion in Losses

FBI IC3: Cybercrime Surges in 2018, Causing $2.7 Billion in Losses

April 23, 2019 | 4 Min Read

This week, the Federal Bureau of Investigation...
Easing into the extortion game

Easing into the extortion game

April 3, 2019 | 4 Min Read

One of the main ideas which flowed through...
Predator: Modeling the attacker’s mindset

Predator: Modeling the attacker’s mindset

April 2, 2019 | 6 Min Read

Author: Richard Gold  The phrases...
Cyber Risks and High-frequency Trading: Conversation with an Insider

Cyber Risks and High-frequency Trading: Conversation with an Insider

March 26, 2019 | 4 Min Read

Research from the Carnegie Endowment for...
Dark Web Typosquatting: Scammers v. Tor

Dark Web Typosquatting: Scammers v. Tor

March 21, 2019 | 7 Min Read

Time and time again, we see how the cybercriminal...
Purple Teaming with Vectr, Cobalt Strike, and MITRE ATT&CK™

Purple Teaming with Vectr, Cobalt Strike, and MITRE ATT&CK™

March 6, 2019 | 7 Min Read

Authors: Simon Hall, Isidoros...
Extortion Exposed: Sextortion, thedarkoverlord, and SamSam

Extortion Exposed: Sextortion, thedarkoverlord, and SamSam

February 21, 2019 | 3 Min Read

In our most recent research, A Tale of Epic...
Photon Research Team Shines Light On Digital Risks

Photon Research Team Shines Light On Digital Risks

February 13, 2019 | 2 Min Read

I’m very excited to announce the launch of the...
SANS DFIR Cyber Threat Intelligence Summit 2019 – Extracting More Value from Your CTI Program

SANS DFIR Cyber Threat Intelligence Summit 2019 – Extracting More Value from Your CTI Program

February 5, 2019 | 7 Min Read

We were fortunate to attend the 2019 SANS DFIR...
Security Practitioner’s Guide to Email Spoofing and Risk Reduction

Security Practitioner’s Guide to Email Spoofing and Risk Reduction

January 24, 2019 | 13 Min Read

In our previous extended blog, Tackling Phishing:...
Powering Investigations with Nuix Software: The Case of thedarkoverlord and the 9/11 Files

Powering Investigations with Nuix Software: The Case of thedarkoverlord and the 9/11 Files

January 22, 2019 | 6 Min Read

The Panama Papers in 2016 highlighted the...
Thedarkoverlord runs out of Steem

Thedarkoverlord runs out of Steem

January 16, 2019 | 6 Min Read

On 31 December 2018, the notorious extortion...
TV License and Vehicle Tax Fraud: New Year, Same Old Scams

TV License and Vehicle Tax Fraud: New Year, Same Old Scams

January 8, 2019 | 4 Min Read

Over the last week we’ve been tracking several...
Cyber Threats to Watch in 2019: Key Takeaways from our webinar with the FBI Cyber Squad

Cyber Threats to Watch in 2019: Key Takeaways from our webinar with the FBI Cyber Squad

December 20, 2018 | 5 Min Read

As 2018 comes to a close, Digital Shadows...
Bomb Threat Emails: Extortion Gets Physical

Bomb Threat Emails: Extortion Gets Physical

December 14, 2018 | 4 Min Read

We’ve seen yet another change in tactics for...
Tackling Phishing: The Most Popular Phishing Techniques and What You Can Do About It

Tackling Phishing: The Most Popular Phishing Techniques and What You Can Do About It

December 12, 2018 | 8 Min Read

Overall, the infosec community has done a...
2019 Cyber Security Forecasts: Six Things on the Horizon

2019 Cyber Security Forecasts: Six Things on the Horizon

December 5, 2018 | 9 Min Read

The new year is upon us! 2018 brought us Spectre...
Threat Actors Use of Cobalt Strike: Why Defense is Offense’s Child

Threat Actors Use of Cobalt Strike: Why Defense is Offense’s Child

November 29, 2018 | 5 Min Read

I’m a big fan of the Cobalt Strike threat...
Mapping the ASD Essential 8 to the Mitre ATT&CK™ framework

Mapping the ASD Essential 8 to the Mitre ATT&CK™ framework

November 27, 2018 | 3 Min Read

Australian Signals Directorate Essential 8 The...
Black Friday and Cybercrime: Retail’s Frankenstein Monster

Black Friday and Cybercrime: Retail’s Frankenstein Monster

November 20, 2018 | 5 Min Read

With every year that passes, Black Friday seems...
Sextortion 2.0: A New Lure

Sextortion 2.0: A New Lure

November 20, 2018 | 4 Min Read

Back in September we released a blog about the...
A Look Back at the ENISA Cyber Threat Intelligence-EU Workshop 2018

A Look Back at the ENISA Cyber Threat Intelligence-EU Workshop 2018

November 13, 2018 | 5 Min Read

I recently attended the ENISA (European Union...
To Pay or Not to Pay: A Large Retailer Responds to DDoS Extortion

To Pay or Not to Pay: A Large Retailer Responds to DDoS Extortion

November 8, 2018 | 3 Min Read

Fans of The Sopranos or Goodfellas are...
81,000 Hacked Facebook Accounts for Sale: 5 Things to Know

81,000 Hacked Facebook Accounts for Sale: 5 Things to Know

November 2, 2018 | 5 Min Read

This morning, the British Broadcasting...
The Dark Web: Marketers’ Trick or Threat Intelligence Treat?

The Dark Web: Marketers’ Trick or Threat Intelligence Treat?

October 31, 2018 | 5 Min Read

At this time of the year, you can’t go anywhere...
Bank Discovers Customer Credit Card Numbers Traded Online

Bank Discovers Customer Credit Card Numbers Traded Online

October 23, 2018 | 3 Min Read

Payment card fraud costs banks and merchants...
12.5 Million Email Archives Exposed: Lowering the Barriers for BEC

12.5 Million Email Archives Exposed: Lowering the Barriers for BEC

October 18, 2018 | 4 Min Read

Digital Shadows’ latest research report, Pst!...
33,000 Accounting Inbox Credentials Exposed Online: BEC Made Easy

33,000 Accounting Inbox Credentials Exposed Online: BEC Made Easy

October 9, 2018 | 4 Min Read

Last week, I wrote about how cybercriminals are...
Business Email Compromise: When You Don’t Need to Phish

Business Email Compromise: When You Don’t Need to Phish

October 4, 2018 | 4 Min Read

According to the FBI, Business Email Compromise...
Cybercriminal Marketplaces: Olympus Has Fallen

Cybercriminal Marketplaces: Olympus Has Fallen

September 28, 2018 | 5 Min Read

The Olympus cybercriminal marketplace has been...
Thedarkoverlord Out to KickAss and Cash Out Their Data

Thedarkoverlord Out to KickAss and Cash Out Their Data

September 27, 2018 | 5 Min Read

A user claiming to be the notorious darkoverlord...
The 2017 FSB indictment and Mitre ATT&CK™

The 2017 FSB indictment and Mitre ATT&CK™

September 20, 2018 | 11 Min Read

On  February 28th, 2017 the US Department of...
Airline Discovers Trove of Frequent Flyer Accounts Compromised and Posted for Sale Online

Airline Discovers Trove of Frequent Flyer Accounts Compromised and Posted for Sale Online

September 14, 2018 | 3 Min Read

Reward program fraud has been rising in recent...
MITRE ATT&CK™ and the North Korean Regime-Backed Programmer

MITRE ATT&CK™ and the North Korean Regime-Backed Programmer

September 13, 2018 | 18 Min Read

On 6th September the US Department of Justice...
Sextortion – When Persistent Phishing Pays Off

Sextortion – When Persistent Phishing Pays Off

September 6, 2018 | 4 Min Read

You may have heard of a recent surge in...
Online Risks to Fortnite Users

Online Risks to Fortnite Users

September 4, 2018 | 5 Min Read

With an enticing array of viral dance moves,...
Online Cybercrime Courses: Back to School Season

Online Cybercrime Courses: Back to School Season

August 23, 2018 | 4 Min Read

It’s that time of year again. Summer is drawing...
Mitre ATT&CK™ and the FIN7 Indictment: Lessons for Organizations

Mitre ATT&CK™ and the FIN7 Indictment: Lessons for Organizations

August 22, 2018 | 12 Min Read

On August 1, 2018, the US Department of Justice...
Five Threats to Financial Services: Part Five, Hacktivism

Five Threats to Financial Services: Part Five, Hacktivism

August 15, 2018 | 5 Min Read

OK, so it’s not a sexy as insider threats,...
Five Threats to Financial Services: Part Four, Payment Card Fraud

Five Threats to Financial Services: Part Four, Payment Card Fraud

August 14, 2018 | 6 Min Read

Payment card information is the lifeblood of the...
Digital Shadows Contributes to Insider Threat Research

Digital Shadows Contributes to Insider Threat Research

August 9, 2018 | 5 Min Read

On July 30, Forrester published its latest...
Five Threats to Financial Services: Phishing Campaigns

Five Threats to Financial Services: Phishing Campaigns

August 8, 2018 | 7 Min Read

In our last blog, we highlighted how banking...
FIN7: Arrests and Developments

FIN7: Arrests and Developments

August 2, 2018 | 6 Min Read

Three alleged members of FIN7 arrested On August...
Security Spotlight Series: Dr. Richard Gold

Security Spotlight Series: Dr. Richard Gold

July 31, 2018 | 4 Min Read

Organizations rely on Digital Shadows to be an...
Cyber Threats to ERP Applications: Threat Landscape

Cyber Threats to ERP Applications: Threat Landscape

July 24, 2018 | 4 Min Read

What are ERP Applications? Organizations rely on...
Five Threats to Financial Services: Banking Trojans

Five Threats to Financial Services: Banking Trojans

July 19, 2018 | 5 Min Read

A couple of weeks ago, we learned about a new...
Mitre ATT&CK™ and the Mueller GRU Indictment: Lessons for Organizations

Mitre ATT&CK™ and the Mueller GRU Indictment: Lessons for Organizations

July 17, 2018 | 10 Min Read

A recent indictment revealed how the GRU...
Alleged Carbanak Files and Source Code Leaked: Digital Shadows’ Initial Findings

Alleged Carbanak Files and Source Code Leaked: Digital Shadows’ Initial Findings

July 11, 2018 | 6 Min Read

Digital Shadows’ Russian-speaking security team...
Security Analyst Spotlight Series: Harrison Van Riper

Security Analyst Spotlight Series: Harrison Van Riper

July 10, 2018 | 6 Min Read

Organizations rely on our cyber intelligence...
How Cybercriminals are Using Messaging Platforms

How Cybercriminals are Using Messaging Platforms

June 21, 2018 | 4 Min Read

Alternative Ways Criminals Transact Online: A...
Five Threats to Financial Services: Part One, Insiders

Five Threats to Financial Services: Part One, Insiders

June 19, 2018 | 5 Min Read

The sensitive and financial data held by banks...
Security Analyst Spotlight Series: Rafael Amado

Security Analyst Spotlight Series: Rafael Amado

June 14, 2018 | 9 Min Read

Organizations rely on Digital Shadows to be an...
How Cybercriminals are using Blockchain DNS: From the Market to the .Bazar

How Cybercriminals are using Blockchain DNS: From the Market to the .Bazar

June 12, 2018 | 5 Min Read

Since the takedowns of AlphaBay and Hansa in...
Threats to the 2018 Football World Cup: Traditional Rules or a New Style of Play?

Threats to the 2018 Football World Cup: Traditional Rules or a New Style of Play?

June 7, 2018 | 7 Min Read

The tension and excitement that precedes all...
Market.ms: Heir to the AlphaBay and Hansa throne?

Market.ms: Heir to the AlphaBay and Hansa throne?

June 4, 2018 | 5 Min Read

It’s almost one year since the AlphaBay and...
Keys to the Kingdom: Exposed Security Assessments

Keys to the Kingdom: Exposed Security Assessments

April 24, 2018 | 4 Min Read

Organizations employ external consultants and...
Out In The Open: Corporate Secrets Exposed Through Misconfigured Services

Out In The Open: Corporate Secrets Exposed Through Misconfigured Services

April 18, 2018 | 4 Min Read

For organizations dealing with proprietary...
When There’s No Need to Hack: Exposed Personal Information

When There’s No Need to Hack: Exposed Personal Information

April 17, 2018 | 4 Min Read

With Equifax‘s breach of 145 million records...
Escalation in Cyberspace: Not as Deniable as We All Seem to Think?

Escalation in Cyberspace: Not as Deniable as We All Seem to Think?

April 12, 2018 | 5 Min Read

The recent assassination attempt on former...
Leveraging the 2018 Verizon Data Breach Investigations Report

Leveraging the 2018 Verizon Data Breach Investigations Report

April 10, 2018 | 5 Min Read

Today, the 11th edition of the Verizon Data...
When Sharing Is Not Caring: Over 1.5 Billion Files Exposed Through Misconfigured Services

When Sharing Is Not Caring: Over 1.5 Billion Files Exposed Through Misconfigured Services

April 5, 2018 | 4 Min Read

Our recent report “Too Much Information”,...
Genesis Botnet: The Market Claiming to Sell Bots That Bypass Fingerprinting Controls

Genesis Botnet: The Market Claiming to Sell Bots That Bypass Fingerprinting Controls

April 3, 2018 | 4 Min Read

An emerging criminal market, Genesis store,...
The Five Families: The Most Wanted Ransomware Groups

The Five Families: The Most Wanted Ransomware Groups

March 27, 2018 | 5 Min Read

Last week we presented a webinar on “Emerging...
Pop-up Twitter Bots: The Shift to Opportunistic Targeting

Pop-up Twitter Bots: The Shift to Opportunistic Targeting

March 22, 2018 | 4 Min Read

Since the furor surrounding Russia’s alleged...
Cyber Security as Public Health

Cyber Security as Public Health

March 21, 2018 | 4 Min Read

Public health, one of the great 20th century...
Anonymous and the New Face of Hacktivism: What to Look Out For in 2018

Anonymous and the New Face of Hacktivism: What to Look Out For in 2018

March 13, 2018 | 6 Min Read

The Anonymous collective has been the face of...
It’s Accrual World: Tax Return Fraud in 2018

It’s Accrual World: Tax Return Fraud in 2018

March 7, 2018 | 5 Min Read

With just over a month until Tax Deadline Day,...
The New Frontier: Forecasting Cryptocurrency Fraud

The New Frontier: Forecasting Cryptocurrency Fraud

March 1, 2018 | 6 Min Read

Not a week goes by without a new case of...
Threats to the Upcoming Italian Elections

Threats to the Upcoming Italian Elections

February 22, 2018 | 7 Min Read

On 5 March Italian citizens will vanno alle urne...
Prioritize to Avoid Security Nihilism

Prioritize to Avoid Security Nihilism

February 20, 2018 | 3 Min Read

In many situations associated with cyber...
Infraud Forum Indictment and Arrests: What it Means

Infraud Forum Indictment and Arrests: What it Means

February 15, 2018 | 7 Min Read

On 07 February 2018, the U.S. Department of...
Cryptojacking: An Overview

Cryptojacking: An Overview

February 13, 2018 | 5 Min Read

What is Cryptojacking? Cryptojacking is the...
2017 Android malware in review: 4 key takeaways

2017 Android malware in review: 4 key takeaways

February 8, 2018 | 4 Min Read

Android mobile devices were an attractive target...
Phishing for Gold: Threats to the 2018 Winter Games

Phishing for Gold: Threats to the 2018 Winter Games

February 6, 2018 | 7 Min Read

Digital Shadows has been monitoring major...
Four Ways Criminals Are Exploiting Interest in Initial Coin Offerings

Four Ways Criminals Are Exploiting Interest in Initial Coin Offerings

February 1, 2018 | 5 Min Read

Initial Coin Offerings (ICOs) are a way of...
Another Year Wiser: Key Dates to Look Out For In 2018

Another Year Wiser: Key Dates to Look Out For In 2018

January 10, 2018 | 4 Min Read

Early last year, we published a blog outlining...
Meltdown and Spectre: The Story So Far

Meltdown and Spectre: The Story So Far

January 4, 2018 | 5 Min Read

On Wednesday, rumors surfaced that there were...
Cybercriminal Christmas Wish List

What Attackers Want for Christmas

December 22, 2017 | 4 Min Read

Our guest author Krampus has a special blog post...
online carding bots

OL1MP: A Telegram Bot Making Carding Made Easy This Holiday Season

December 21, 2017 | 3 Min Read

Back in July, we published our research on the...
‘Tis The Season To Do Predictions – The 2018 Cybersecurity Landscape

‘Tis The Season To Do Predictions – The 2018 Cybersecurity Landscape

December 18, 2017 | 3 Min Read

This post originally appeared on Huffington...
Risks to Retail: Cybercriminals Sharing the Joy This Holiday Season

Risks to Retail: Cybercriminals Sharing the Joy This Holiday Season

November 21, 2017 | 3 Min Read

Despite some early deals, Black Friday officially...
Fake News is More Than a Political Battlecry

Fake News is More Than a Political Battlecry

November 16, 2017 | 3 Min Read

This week, British Prime Minister Theresa May...
Why “Have a Safe Trip” Is Taking On Greater Meaning

Why “Have a Safe Trip” Is Taking On Greater Meaning

November 14, 2017 | 5 Min Read

This post originally appeared...
OPCATALUNYA

Pwnage to Catalonia: Five Things We Know About OpCatalunya

November 2, 2017 | 5 Min Read

Since October 24th, Digital Shadows has observed...
ICS Security Cyber Aware

ICS Security: Strawmen In the Power Station

October 31, 2017 | 5 Min Read

Congrats, it is now almost November and we have...
cyber extortion

Extorters Going to Extort: This Time Other Criminals Are the Victims

October 26, 2017 | 3 Min Read

We are increasingly used to the tactic of...
cyber vulnerabilities

Trust vs Access: A Tale of Two Vulnerability Classes

October 20, 2017 | 5 Min Read

It's been a big week in cyberspace, with high...
krack attacks

Key Reinstallation Attacks (KRACK): The Impact So Far

October 16, 2017 | 4 Min Read

Today, a series of high-severity vulnerabilities...
german election threats

Bringing Down the Wahl: Three Threats to the German Federal Election

September 14, 2017 | 7 Min Read

Hacking has become the boogie man of political...
Exploit Kits

Fluctuation in the Exploit Kit Market – Temporary Blip or Long-Term Trend?

August 16, 2017 | 5 Min Read

Exploit kit activity is waning. Collectively...
Criminal Markets Alpha Bay Hansa

Cybercrime Finds a Way, the Limited Impact of AlphaBay and Hansa’s Demise

August 7, 2017 | 5 Min Read

The law enforcement operations that took down the...
Texting SMS Cyber Threats

Reading Your Texts For Fun and Profit – How Criminals Subvert SMS-Based MFA

August 1, 2017 | 4 Min Read

Why Multi Factor? Read almost any cyber security...
Credit Card Fraud

Fraudsters Scoring Big – an Inside Look at the Carding Ecosystem

July 18, 2017 | 3 Min Read

In season two of the Netflix series Narcos, Pablo...
Criminal Market Place Bitcoin Virtual Currency

The Future of Marketplaces: Forecasting the Decentralized Model

July 17, 2017 | 4 Min Read

Last week we wrote about the disappearance of...
exploit kit

Petya-Like Wormable Malware: The “Who” and the “Why”

June 30, 2017 | 7 Min Read

Late on 27 June, the New York Times reported that...
Cyber Criminal Attack Vectors

Keep Your Eyes on the Prize: Attack Vectors are Important But Don’t Ignore Attacker Goals

June 23, 2017 | 5 Min Read

Reporting on intrusions or attacks often dwells...
Dark Web Cyber Crime

Threats From the Dark Web

June 26, 2017 | 5 Min Read

Despite the hype associated with the dark web,...
Account Takeover Credential Stuffing

7 Tips for Protecting Against Account Takeovers

May 22, 2017 | 3 Min Read

In May 2017, an amalgamation of over 1 billion...
WannaCry Ransomware

5 Lessons from WannaCry: Preventing Attacks with Security Engineering

May 16, 2017 | 5 Min Read

With the recent news storm concerning the...
WannaCry Ransomware

WannaCry: The Early 2000s Called, They Want Their Worms Back

May 12, 2017 | 3 Min Read

Earlier today it was revealed that the United...
Threat Actors Cyber Criminals

The Usual Suspects: Understanding the Nuances of Actors’ Motivations and Capabilities

April 21, 2017 | 3 Min Read

When it comes to their adversaries, organizations...
French Election Cyber Threats

Liberté, égalité, securité: 4 Threats to the French Presidential Election

April 20, 2017 | 5 Min Read

French citizens will take to the polls on April...
OpIsrael

OpIsrael Hacktivists Targeted By Unknown Threat Actor

March 30, 2017 | 3 Min Read

Ideologically-motivated “hacktivist” actors...
Turk Hack

Turk Hack Team and the “Netherlands Operation”

March 29, 2017 | 4 Min Read

Since mid-March, Turk Hack Team have been...
Tax Fraud

Tax Fraud in 2017

March 27, 2017 | 4 Min Read

The IRS recently released an alert that warned...
Dutch Flag

Dutch Elections – Looking Back at Cyber Activity

March 21, 2017 | 3 Min Read

Last week, I wrote about the potential threats to...
Dutch Elections Red Pencil

Back to the red pencil – Cyber threats to the Dutch elections

March 13, 2017 | 5 Min Read

Over the weekend, media reports surfaced about...
Financial Threats

Learning from the Top Threats Financial Services Faced in 2016

March 8, 2017 | 2 Min Read

Organizations operating within the financial...
Blaze Exploit Kit

New “Blaze” exploit kit claims to exploit recent Cisco WebEx vulnerability

March 2, 2017 | 4 Min Read

A previously undetected exploit kit has been...
Sunset Stock

Sun to Set on BEPS/Sundown Exploit Kit?

February 22, 2017 | 4 Min Read

On February 13, 2017, the security researcher...
Valentines Day

Four Things to Look Out for This Valentine’s Day

February 14, 2017 | 4 Min Read

Consumers are increasingly moving to the Internet...
Malware Taylor Swift

An unusually Swift(tay) malware delivery tactic

February 9, 2017 | 5 Min Read

While doing some background research into recent...
Mongo DB

How the Frenzy Unfolded: Analyzing Various Mongo Extortion Campaigns

February 7, 2017 | 4 Min Read

The MongoDB “ransom” pandemic, which has been...
Super Bowl 2017

Ready for the Blitz: Assessing the Threats to Super Bowl LI

February 2, 2017 | 4 Min Read

Like any major event, Super Bowl LI brings with...
ATM Malware

Making Cents of ATM Malware Campaigns – Comparing and Contrasting Operational Methodologies

January 30, 2017 | 4 Min Read

Throughout 2016 some of the most notable...
Two Factor Authentication

Dial “M” for malware: Two-factor scamming

January 26, 2017 | 4 Min Read

Adversaries are developing new ways of attacking...
Ripper cc

Innovation in The Underworld: Reducing the Risk of Ripper Fraud

January 23, 2017 | 7 Min Read

Reputation is incredibly important for business....
Calendar Threats for 2017

Known Unknowns: Key Events to Keep Your Eyes Out for in 2017

January 19, 2017 | 3 Min Read

On Friday, millions will tune in to see Donald...
Keyboard

All You Can Delete MongoDB Buffet

January 12, 2017 | 4 Min Read

A number of extortion actors were detected...
Website

10 Ways You Can Prepare for DDoS Attacks in 2017

January 11, 2017 | 1 Min Read

At the end of last month, we published a paper...
Anonymous Hacktivist

Mirai: A Turning Point For Hacktivism?

December 16, 2016 | 5 Min Read

A “digital nuclear attack”. A “zombie...
Trojan

Coming to a Country Near You? The Rapid Development of The TrickBot Trojan

December 16, 2016 | 4 Min Read

Since the discovery of TrickBot in September...
DDoS Extortion

Crowdsourced DDoS Extortion – A Worrying Development?

December 13, 2016 | 3 Min Read

We all know about DDoS extortion – the process...
Chess Game

A Model of Success: Anticipating Your Attackers’ Moves

December 1, 2016 | 4 Min Read

In a previous blog, we discussed the role of...
Retail Cyber Threats

Windows Shopping: 7 Threats To Look Out For This Holiday Season

November 23, 2016 | 5 Min Read

Thanksgiving, Black Friday, Cyber Monday,...
Ransomware as a service

Ransomware-as-a-service: The Business Case

November 22, 2016 | 4 Min Read

It can be tempting to dismiss cybercriminal...
Media and Broadcasting Threats

Top 5 Threats to the Media and Broadcasting Industry

November 11, 2016 | 3 Min Read

For media and broadcasting organizations, the...
Code

Surveying the Criminal Market

November 8, 2016 | 3 Min Read

It’s no secret your personal information and...
Anonymous Poland

Anonymous Poland – Not Your Typical Hacktivist Group

October 28, 2016 | 4 Min Read

On October 29, 2016 a Twitter account associated...
Device Security

Don’t Break the Internet, Fix Your Smart Devices

October 25, 2016 | 4 Min Read

The Distributed Denial of Service (DDoS) attack,...
American Election Threats

Rocking the Vote? The Effects of Cyber Activity On The U.S. Election

October 25, 2016 | 5 Min Read

Contrary to some media reporting, our latest...
US Polling Data

Targeting of Elections; Old News, Fresh Tactics

October 25, 2016 | 4 Min Read

There has been no shortage of media coverage...
Domain Squatting

Squashing Domain Squatting

October 24, 2016 | 6 Min Read

Digital Shadows was recently the victim of a...
Combatting Online Crime With “Needle-Rich Haystacks”

Combatting Online Crime With “Needle-Rich Haystacks”

October 18, 2016 | 3 Min Read

At Digital Shadows our analyst team is...
Plumbing the Depths: the Telnet protocol

Plumbing the Depths: the Telnet protocol

October 3, 2016 | 4 Min Read

On October 1, 2016 Krebs on Security reported...
Exploit kit

Swotting Up On Exploit Kit Infection Vectors

October 3, 2016 | 3 Min Read

Exploit kit users need to drive web traffic to...
Phishful Of Dollars: BEC Remains Top Of The Charts

Phishful Of Dollars: BEC Remains Top Of The Charts

October 3, 2016 | 3 Min Read

Business email compromise (BEC) is not going...
exploit kit

Forecasting the exploit kit landscape

September 15, 2016 | 5 Min Read

We’ve previously written on the most popular...
exploit kit

Understanding Exploit Kits’ Most Popular Vulnerabilities

September 12, 2016 | 2 Min Read

One significant aspect of mitigating the risk...
OpSilence

Hacktivism, it’s not all DoSing around

September 12, 2016 | 4 Min Read

Hacktivism isn’t all high levels of low impact...
SCADA hacks

Show me the context: The hacking proof of concept

September 8, 2016 | 2 Min Read

A common feature at security conferences,...
DD4BC

Bozkurt to Buhtrap: Cyber threats affecting financial institutions in 1H 2016

August 23, 2016 | 3 Min Read

At the beginning of 2016, it was reported that...
OpOlympicHacking

Forecasting OpOlympicHacking

August 15, 2016 | 3 Min Read

We recently published a report on the eight...
thedarkoverlord

“Air cover” – cybercriminal marketing and the media

August 10, 2016 | 3 Min Read

For a new or relatively unknown cybercriminal...
Photo URL

Overexposure – photos as the missing link

August 3, 2016 | 3 Min Read

You have heard it all before ­– recycling...
OpOlympicHacking

More Data Leaks as part of OpOlympicHacking

July 28, 2016 | 2 Min Read

In our recent research, we demonstrated eight...
Anonymous Brasil

Tracking the Field: Eight cybersecurity considerations around Rio 2016

July 25, 2016 | 2 Min Read

Last week, we saw reports of individuals arrested...
PoodleCorp

PoodleCorp: in the business of kudos

July 22, 2016 | 5 Min Read

PoodleCorp claimed to have successfully rendered...
DDoS

Three Tactics Behind Cyber Extortion

July 11, 2016 | 3 Min Read

As explained in a previous blog, extortion is not...
Dridex

Modern crimeware campaigns – two bytes of the cherry

July 5, 2016 | 3 Min Read

To a Columbian drug lord, the most valuable...
SHA1

Recycling, bad for your environment!

June 27, 2016 | 4 Min Read

The news is constantly flooded with yet another...
Silk Road

The philosophical difference between the Old and New Schools of the cybercriminal underground

June 27, 2016 | 3 Min Read

I would recommend that anyone interested in the...
EU

Forecasting the implications for cybersecurity in Britain after Thursday’s referendum

June 21, 2016 | 4 Min Read

On Thursday, the United Kingdom goes to the polls...
dark web

Shining a light on the dark web

June 21, 2016 | 3 Min Read

The dark web receives more than its fair share of...
OPSEC

OPSEC versus branding – the cyber criminal’s dilemma

June 17, 2016 | 3 Min Read

Like any business, cybercriminals offering...
TeamViewer

“Hidden” TeamViewer service advertised on criminal forum

June 17, 2016 | 5 Min Read

Over the last few weeks, there have been a number...
Cyber extortion

Your money or your data: Keeping up-to-date with the innovation

June 17, 2016 | 2 Min Read

DDoS extortion and ransomware attacks have...
Business email compromises

Are you at risk from business email compromise?

June 6, 2016 | 3 Min Read

Business email compromises (BEC) are on the rise....
OpOlympicHacking

Hacktivism: same old, same old?

June 3, 2016 | 4 Min Read

Cyber activists, or hacktivists, have become a...
OPSEC

The OPSEC Opportunity

May 31, 2016 | 2 Min Read

Operations Security (OPSEC) has long been a key...
Advanced Persistent Threat

The Plan is Mightier than the Sword – Re(sources)

May 24, 2016 | 3 Min Read

After having discussed the importance of planning...
OpIcarus

OpIcarus – Increased Claims Against Financial Institutions

May 23, 2016 | 3 Min Read

There’s no shortage of online hacktivist...
Goliath malware

Goliath ransomware, giant problem or giant con?

May 17, 2016 | 3 Min Read

Ransomware can cause big problems for individuals...
DBIR

Analyzing the 2016 Verizon Data Breach Investigations Report

May 2, 2016 | 4 Min Read

Last week Verizon released the 2016 Data Breach...
OpIsrael

OpIsrael: An Update

April 6, 2016 | 3 Min Read

Last month our intelligence team published a blog...
Email Compromise

URGENT, ACT. RQD: Navigating Business Email Compromise

April 4, 2016 | 3 Min Read

Call me phishmail. Whaling ­– also known as...
dark web

Dark web: More than just a bastion of criminality

March 31, 2016 | 3 Min Read

For many people, the term “dark web” refers...
Automated Vending Carts

Online credit card shops – a numbers game

March 21, 2016 | 3 Min Read

You may have recently read headlines about an...
ASOR Hack Team

OpOlympicHacking: A hurdle for Rio’s sponsors to vault

February 22, 2016 | 3 Min Read

This month Anonymous Brazil and an affiliate...
bitcoin

Why Go Through the Trouble to Tumble?

February 17, 2016 | 3 Min Read

Today you can purchase a pizza in Berlin and pay...
PoS system

Surviving the threats posed by PoS malware

February 2, 2016 | 3 Min Read

These days, you can’t go into a store or mall...
Israeli Cyber Attack

“Largest cyber attack” on Israel lacks power

February 1, 2016 | 3 Min Read

On 26 January, Yuval Steinitz, the Israeli...
OpKillngBay

Escalation in OpKillingBay

January 25, 2016 | 3 Min Read

There has been a noticeable recent increase in...
web hosting

Criminal services – Bulletproof hosting

January 21, 2016 | 2 Min Read

Cybercrime can be a lucrative business if you do...
DD4BC

DD4BC Arrests: What Now for Extortion?

January 15, 2016 | 3 Min Read

Earlier this week, Europol published a press...
exploit kits

A Complex Threat Landscape

January 13, 2016 | 2 Min Read

Achieving a better understanding of the threat...
Remote Access Trojan

RATs: Invasion of Your Privacy

January 11, 2016 | 2 Min Read

When most people hear the word “RAT” they...
cryptocurrencies

Digital Currency and Getting Paid In The Underground

January 6, 2016 | 3 Min Read

It’s been said that money makes the world go...
Malware

Criminal Services – Crypting

December 18, 2015 | 3 Min Read

In the world of cybercrime, malicious software...
Hacker Buba

‘Hacker Buba’: Failed extortion, what next?

December 11, 2015 | 2 Min Read

An actor identifying itself as "Hacker Buba"...
Antivirus

Criminal Services – Counter Antivirus Services

November 30, 2015 | 4 Min Read

Infosecurity Magazine recently reported that two...
Crackas with attitude

Crackas With Attitude: What We’ve Learned

November 23, 2015 | 3 Min Read

One of the most active actors of the past several...
MitM

The Way of Hacking

November 10, 2015 | 3 Min Read

In the Japanese martial art of Aikido it is said...
ransomware

Emerging Markets: Online Extortion Matures via DDoS Attacks

November 9, 2015 | 5 Min Read

Unlike scenes from books or movies where shadowy...
crackas with attitude

Crackas With Attitude strike again?

October 28, 2015 | 2 Min Read

Last week, the New York Post reported that...
DDoS

Smilex: Dangers of Poor OpSec

October 27, 2015 | 3 Min Read

Background On 13 Oct 2015, it was revealed in an...
online carding

Online Carding

October 7, 2015 | 3 Min Read

There is no shortage of credit card information...
OPSEC

OPSEC and Trust In An Underground Cybercriminal Forum

September 9, 2015 | 4 Min Read

Introduction There are perhaps tens of thousands...
ransomware

Emerging Markets & Services: Ransomware-as-a-Service

September 7, 2015 | 5 Min Read

Emerging Markets & Services:...
duqu 2.0

Kaspersky Labs Discloses Duqu 2.0 Attack

September 7, 2015 | 4 Min Read

Introduction Today social media channels the...
Extortion

Online Extortion – Old Ways, New Tricks

September 7, 2015 | 6 Min Read

Online Extortion - Old Ways, New...
cyber extortion

Exploiting Is My Business…and Business Is Good

September 4, 2015 | 8 Min Read

Introduction Exploit kits are not new to the...