Dark Web Monitoring: The Good, The Bad, and The Ugly
September 11, 2019
Dark Web Monitoring Overview
Gaining access to dark web and deep web sources can be extremely powerful – if you focus on relevant use cases. The most successful strategies we observe have clear requirements, such as fraud detection, threat monitoring, and finding exposed credentials.
However, monitoring these sources is challenging, and few solutions have sophisticated coverage. “Deep and dark web” spans a huge range of potential sources: marketplaces, closed forums, messaging apps, and paste sites. Few companies span all these sources; fewer still have capabilities that go beyond simple scraping of sites.
Unfortunately, there is a lot of FUD (fear, uncertainty, and doubt) concerning the dark web. Iceberg analogies have been common for several years, ostensibly demonstrating the deep and dark web is significantly larger than the open web. In truth, the dark web only contributes to a small chunk of cybercrime – we must consider additional sources to get a truer sense of the threat landscape.
What is the Dark Web?
The dark web is an area of the internet that is only accessible with specific browser software, such as Tor or I2P. It is a web of anonymity where users’ identities and locations are protected by encryption technology that routes user data through many servers across the globe – making it extremely difficult to track users.
The anonymity of the dark web makes it an attractive technology for illegal purposes. Unfortunately, gaining visibility into criminal locations is difficult: it requires specialized knowledge, access to closed sources, and technology that’s capable of monitoring these sources for misuses of your data.
However, let’s first dispel some misconceptions about the dark web.
- Assumption 1: The dark web is synonymous with the criminal internet. While the dark web is home to lots of crime, it also hosts many legitimate companies like the New York Times and Facebook, who offer Tor-based services, as well as generally benign content. The dark web is not synonymous with cybercrime.
- Assumption 2: The dark web is the same thing as the deep web. To clarify, the deep web is broadly defined as anything that is not indexed by traditional search engines. Unsurprisingly, the deep web is also home to criminality – but so too is the clear web. The dark web does not monopolize cybercrime.
Simply because it isn’t accessible by a traditional search engine, it does not mean the deep web is necessarily interesting. Most of the data on the deep web is mundane or “normal”; for example, email or Facebook accounts might fall under this definition as they require registration to see the content. While some deep and dark web sites are valuable sources, you need to know what you’re looking for, otherwise it’s easy to waste time and resources.
The Fight Over Dark Web Marketplaces
In July of 2017, United States and Dutch law enforcement launched Operation Bayonet where they seized and disabled two of the most prominent dark web marketplaces, AlphaBay and Hansa. United States Attorney General Jeff Sessions described the operation as:
“one of the most important criminal investigations of the year…because of this operation, the American people are safer – safer from the threat of identity fraud and malware, and safer from deadly drugs.”
Before Operation Bayonet, English-speaking cybercriminal activity mainly took place on dark web marketplaces such as AlphaBay and Hansa, where hundreds of thousands of vendors and buyers were doing an estimated $1 billion or more in illegal trade.
Law enforcement action didn’t stop there – on May 7, 2019 an internationally coordinated operation led to the takedowns of two more dark web marketplaces, Wall Street Marketplace and Valhalla Marketplace (Silkkitie). In the same operation, law enforcement simultaneously disabled one popular dark web news source and review page, DeepDotWeb. DeepDotWeb did not sell contraband; instead, administrators profited from promoting criminal sites and marketplaces through affiliate links. Its recent seizure displayed law enforcement’s willingness to target more of the illegal trade network beyond the marketplaces – including promoters and launderers.
In our dark web research report, Seize and Desist: The State of Cybercrime in the Post-AlphaBay and Hansa Age, we explored the impact of these dark web marketplace seizures. While a large chunk of cybercrime (especially Russian-speaking) was largely undisrupted, a breach of trust occurred in dark web criminal trade. This breach of trust caused criminals to consider new ways for generating trust in the underground.
While dark web markets, such as Tochka and Empire, certainly still exist, no market has yet risen to the prominence of Silk Road, AlphaBay, or Hansa. New criminal marketplaces continue to crop up, but they struggle to grow or decide to tread lightly with the growing fears of law enforcement disruptions and takedowns. To grow, these criminal marketplaces need a solid reputation, financing to scale, security to maintain current users, and trust to gain more traction.
There are some interesting candidates, however. Market.ms Marketplace, run by the former administrator of the prestigious Exploit[.]in hacking forum, who coincidentally now leads the emerging XSS forum (formerly Damagelab), is an up-and-comer in the dark web market. Focused purely on cybercrime, MarketMS is near peerless.
Cybercriminals will not rely on just one site and instead have a presence across many of these sources – ensuring their name is well-known to any potential buyers. However, the presence of escrow services on marketplaces creates an understandable incentive to trade on these particular platforms. It is therefore important to note that these new dark web markets exist alongside Telegram and Jabber, which are used in parallel to obtain proofs, negotiate deals, and agree on a final price.
Continual Cybercrime and Criminal Innovation
Despite law enforcement action targeting dark web marketplaces, cybercriminal activity continues apace. For example, Automated Vending Carts (AVCs) are criminal pages that trade credit cards, credentials and accesses – their trade has been largely unaffected by the recent seizures (aside from the seizure of xDedic in January 2019). Joker’s Stash, a prominent AVC used to purchase stolen credit cards, continues to operate while also experimenting with new technologies like blockchain DNS.
Another AVC, Enigma market, is quickly gaining notoriety amongst cybercriminals as it has doubled its listings since February of 2019. The founder, a credential stuffing actor with the alias Stackz420, has recently been promoting his AVC across criminal forums and marketplaces and it’s been gaining traction. The AVC initially offered 11,000 hacked credentials and now lists around 20,000 and shows no signs of slowing. With an increased number of listings and a notorious administrator, this AVC is primed to grow in size and significance.
Building Trust in the Underground: Checks and Balances
Law enforcement is not the only force looking to disrupt the criminal community; their peers can be just as adversarial.
The Olympus Marketplace, an emerging dark web marketplace, ceased operations as the administrators reportedly conducted an exit scam – stealing user funds in the process. When AlphaBay and Hansa were seized, Olympus was a reputable, English-speaking marketplace that was expected by many to fill the void, but being the main marketplace comes with a hefty price. Time, money, and fear of getting caught loom too large for vendors and administrators who are continually choosing security over greed.
Dream Market, a main competitor of AlphaBay and Hansa, also ceased its operations after repeated DDoS attacks. Attackers seized control of accounts because of common password reuse amongst marketplace goers. It is widely believed these account attacks were conducted by law enforcement; while the police did not gain full control of the site, breaching users’ accounts was enough to cause administrators to abandon operations completely.
This recent fall in reputable marketplaces has exacerbated criminal-on-criminal fraud throughout the dark web. Cybercriminals create phishing kits imitating real dark web marketplaces to steal from other dark web users looking to trade and profit from illicit goods. Since Tor links tend to be longer and more complex than clear web links, cybercriminals utilize typo squats – replacing “m” with “rn” or rearranging complex character strings in the link – to phish and defraud other dark web users scanning through marketplaces.
These fraud actors that target other cybercriminals are labeled in the cyber world as “rippers.” In response, services have emerged within Russian-speaking communities to protect sites against these rippers, such as Ripper[.]cc – a comprehensive database of all the known rippers targeting marketplaces. It’s important to remember cybercriminals do not act alone and need services to provide security and safety to their ecosystem.
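The “rn” for “m” trick and character rearrangement described above can be checked for on the defender’s side. The following is an added example, not code from the original post or from Digital Shadows: it compares a candidate onion address against a small trusted list using a confusable-character skeleton and an edit distance that counts adjacent swaps as one edit. All addresses are constructed placeholders.

```python
# Added example (not from the original post): flag onion addresses that are
# near-misses of a trusted, known-good list. Covers the "rn" for "m"
# substitution and small character swaps/typos. Placeholder addresses only.

TRUSTED = {
    "marketexamplev2abc.onion",   # constructed placeholder, not a real service
    "forumexample7q4x.onion",     # constructed placeholder, not a real service
}

# Character sequences that render like another character in many fonts.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l"}


def skeleton(address):
    """Collapse confusable sequences so look-alike spellings compare equal."""
    s = address.lower().strip()
    for look, real in CONFUSABLES.items():
        s = s.replace(look, real)
    return s


def edit_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute cost 1,
    and an adjacent transposition ("ab" -> "ba") also costs 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)   # transposition
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]


def check_onion(candidate, trusted=TRUSTED, max_edits=2):
    """Return (verdict, matched_trusted_address).

    verdict is "trusted" for an exact match, "lookalike" when the address is
    a confusable or near-miss spelling of a trusted one, else "unknown"."""
    cand = candidate.lower().strip()
    if cand in trusted:
        return ("trusted", cand)
    sk = skeleton(cand)
    for t in trusted:
        if sk == skeleton(t) or edit_distance(cand, t) <= max_edits:
            return ("lookalike", t)
    return ("unknown", None)


if __name__ == "__main__":
    for addr in ("marketexamplev2abc.onion", "rnarketexamplev2abc.onion",
                 "marketexamplev2acb.onion", "totallydifferent.onion"):
        print(addr, "->", check_onion(addr))
```

A real bookmark or link-vetting tool would use the full 56-character v3 addresses and a larger trusted list; the logic is unchanged.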
A Rich Ecosystem: Criminal Support Services
Ripper[.]cc is just one example of a broad ecosystem of cybercriminal support services that exist on the deep and dark web. The truth is that cybercriminals do not act alone – it is simply not feasible for them to do so. They are supported by a rich and developed range of support services, including money laundering, malware, and infrastructure.
Outsourcing their money laundering enables cybercriminals to process and realise financial profits. Services in this realm include e-currencies, exchangers, transfer specialists, and mules. AlphaBay had a mixer (an online laundering service) built into the site, but nowadays cybercriminals and fraudsters may turn to external services to clean their money.
Cybercriminals must also have malware to gain access. This includes its development and deployment, but also crypting services and exploit kits. While at their zenith in 2016, exploit kits have declined in popularity more recently. Nevertheless, they are still used to deliver some types of malware – most recently the delivery of Nemty ransomware through the RIG exploit kit.
Finally, infrastructure is required to protect their operations. Typical services include bulletproof hosting, counter-AV services, and anonymity services. These services are extremely popular as they reduce the risk of criminal sites being seized and allow cybercriminals to keep evading law enforcement. One of the main services criminals rely on is bulletproof hosting.
Bulletproof hosting is arguably more important than a Tor browser for conducting illegal trade online. Bulletproof hosting provides a protected internet structure for people or groups that is generally used for illicit purposes. This infrastructure is hosted on servers in countries where cyber-oversight is difficult and western law enforcement access is limited – enabling users to bypass internet content and service laws that restrict certain content and its distribution.
Some argue in favor of bulletproof hosting for civil rights as it promotes freedom of expression, press, anonymity, and privacy. In reality, these services are a vital aspect of cybercrime as they provide protection from law enforcement. We see two criminal sides of the bulletproof hosting operations – providers who supply bulletproof services and clients who buy their services to host illegal pages.
On the provider side we see users setting up bulletproof hosting on their servers in countries like China, Russia, and countries which were part of the former Soviet Union. The world’s biggest bulletproof provider operates under the alias “Yalishanda”, meaning Alexander in Mandarin. Security officials have been able to track his real identity and whereabouts but are unable to apprehend him as he is protected by his residency in Russia.
On the hosting side, we see users buying or renting these servers from upstream providers anywhere in the world. Hosts commonly utilize bulletproof hosting to host criminal services such as phishing, malware, forums, and exposed credentials. For example, Magecart groups – banking information thieves – are using servers in Ukraine to operate their credential trade.
Though difficult, law enforcement still seeks to target these bulletproof hosting providers. In a historical case, US law enforcement worked with Romanian law enforcement to arrest a man for his role in providing bulletproof hosting to the banking malware Gozi.
As displayed by this case, dark web takedowns extend beyond the headlines of criminal sites. Law enforcement perform tactical takedowns of counter antivirus sites, bulletproof hosting providers, and other services that are essential to the criminal ecosystem.
As the criminal ecosystem evolves around the strategies and tactics of law enforcement, criminals continually find new and innovative ways to profit from their expertise, including teaching. Former fraudsters and credential traders have set up their own cybercrime courses where they teach other cybercriminals skills ranging from basic carding techniques, currency laundering, cash withdrawal schemes, and social engineering to botnet creation and the use of exploits.
They post introductory lectures for free on peer-to-peer networks like Telegram or Jabber that advertise their class and specific dark web marketplaces and AVCs for trading. Young cybercriminals can buy these lectures for 75,000 Rubles ($1,100 USD), payable in bitcoin, which gives them access to many more courses, lectures, and resources – including tutors. This is a dangerous development for organizations and consumers as amateur actors now have the resources and training to embark on a cybercriminal career.
How to Build a Dark Web Monitoring Capability
Building an effective dark web monitoring capability is extremely difficult. It requires a knowledge of the criminal landscape, access to closed sources, and technology that is capable of monitoring those sources.
Source coverage can be a very challenging issue with dark web monitoring. You need to identify the Tor and I2P sites that are of interest – and pose a threat – as well as IRC and Telegram channel chats, criminal forums, and paste sites, many of which are not limited to the dark web.
There are several technologies that provide this visibility into the dark web. OnionScan provides this visibility to help researchers and investigators identify and track dark web sites. At Digital Shadows, we give free 7-day access to search across these sources.
However, visibility alone isn’t enough.
To efficiently monitor the dark web, you need to filter out the irrelevant sources that do not pose imminent threats to your business. With the remaining sources, depending on your threat model, you need to monitor and find the specific counterfeits, mentions of your assets, and exposed credentials. This can require intensive human labor or a technology that can automate the process.
Furthermore, to gain access to higher-value criminal forums, organizations may need additional expertise to understand the nuances of different languages, how to access certain locations, and how to launch investigations to find your exposed data. Some sites even require specific tradecraft to enter, which can relate to IP and webmail service whitelisting/blacklisting and other requirements. To do all of this requires a lot of effort, expertise, time, and money. If not done effectively, it can be difficult to derive value for your organization.
In our work with organizations, we find that there are three key use cases when we talk about dark web monitoring:
- Tracking threats
- Identifying exposed credentials
- Detecting fraud
By focusing on these, it helps to make dark web monitoring more time-efficient, and more relevant to you.
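The filtering step described above (drop sources that do not touch your assets, then sort what remains into the three use cases) can be sketched as a small triage routine. This is an added example, not SearchLight or any Digital Shadows code; the collected items, the watchlist of domains and brand names, and the keyword lists are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample of collected items (pastes, forum posts, chat messages).
# Not real data; every value here is made up for the example.
SAMPLE_ITEMS = [
    {"source": "paste", "text": "dump part 3\nalice@example-corp.com:Summer2019!\n"
                                "bob@example-corp.com:hunter2\nzed@other.org:pw"},
    {"source": "forum", "text": "Selling VPN access to Example Corp internal network, escrow only"},
    {"source": "telegram", "text": "Example Corp gift cards 50% off, fresh batch, dm me"},
    {"source": "paste", "text": "random lorem ipsum, nothing relevant here"},
]

# The organisation's own assets (assumed watchlist for this example).
WATCHLIST = {
    "domains": {"example-corp.com"},
    "brands": {"example corp"},
}

# email:password style lines, as commonly seen in combo-list pastes
CRED_RE = re.compile(r"([A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,}))[:;|]\s*(\S+)")
THREAT_WORDS = ("access", "exploit", "rdp", "vpn", "insider", "database")
FRAUD_WORDS = ("gift card", "counterfeit", "carding", "phishing kit", "refund")


@dataclass
class Finding:
    source: str
    category: str   # "credentials", "threat" or "fraud" (the three use cases)
    detail: str


def relevant(text, watchlist):
    """First filter: keep only items that mention one of our assets."""
    low = text.lower()
    return (any(d in low for d in watchlist["domains"])
            or any(b in low for b in watchlist["brands"]))


def classify(item, watchlist):
    """Second step: map a relevant item onto the three monitoring use cases."""
    findings = []
    text = item["text"]
    if not relevant(text, watchlist):
        return findings
    low = text.lower()
    first_line = text.splitlines()[0][:60]
    for email, domain, _password in CRED_RE.findall(text):
        if domain.lower() in watchlist["domains"]:
            # record the account, never the password itself
            findings.append(Finding(item["source"], "credentials", email))
    if any(w in low for w in THREAT_WORDS):
        findings.append(Finding(item["source"], "threat", first_line))
    if any(w in low for w in FRAUD_WORDS):
        findings.append(Finding(item["source"], "fraud", first_line))
    return findings


def triage(items, watchlist):
    """Run the filter-then-classify pipeline over everything collected."""
    out = []
    for item in items:
        out.extend(classify(item, watchlist))
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_ITEMS, WATCHLIST):
        print(f"[{f.category:11}] {f.source:8} {f.detail}")
```

On the constructed sample this yields two exposed accounts, one access-for-sale post and one gift card listing, while the unrelated paste is dropped before any classification.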
Dark Web Monitoring For Business
Even with great coverage, organizations struggle with their dark web monitoring capabilities as it can be noisy and irrelevant.
However, dark web monitoring can be extremely valuable to a business when you know where to look, and what to look for. We have identified three use cases – threat actors, credentials, and fraud – that make dark web monitoring more risk-based, efficient, and effective.
The first use case is understanding the threat actors that target your company, VIPs, and brand. Effective investigation of these sources can bring insight to adversaries’ tools, tactics, techniques, procedures, and motives – which you can then apply to your security strategy.
More specifically you need to understand these personas and how established and reputable these threat actors are – which requires an understanding of their forum handles, their reputations, what they do, how they market, where they operate, and their overall MO. Continually collecting and tracking this data helps to apply context to these actors and better predict and detect attacks, enabling organizations to prepare defense strategies.
Similarly, insiders with valuable data or privileged access can use online forums and marketplaces to sell your valuable data. These insider threats are difficult to remediate quickly and pose a major challenge to any security team.
A “threat” isn’t just an actor, and it can also apply to a tool or malware. Tracking for developments here can be highly valuable. This may be a new piece of malware exploiting a new CVE, or an updated ransomware variant (as shown below).
Applying this context of threat actors and knowledge of the dark web landscape to tracking can allow you to proactively uncover threat actors targeting your company, VIP, and brand.
For further reading on this, check out https://www.digitalshadows.com/blog-and-research/digital-shadows-contributes-to-insider-threat-research/
Another common dark web monitoring use case is protection from exposed data and credential stuffing. Since password reuse is so common, credential stuffing has developed into a popular tactic to gain access to sites and sensitive data. Credentials from data breaches are sold in bulk on the dark web to other threat actors. These threat actors take the usernames and passwords and automate login attempts at scale in an attempt to reach valuable assets. Our own tool and service, SearchLight, has detected 14 billion of these exposed credentials online to help prevent you and those in your digital footprint from being susceptible to targeted attacks.
Recently, we have seen more than just exposed credentials being compiled and sold. One gated market, Genesis Store, sells bots that bypass fingerprinting controls – providing customers with fingerprints, cookies, logs, saved passwords, and other personal information to emulate users and bypass security systems. This is an interesting development, enabling cybercriminals to bypass traditional anti-fraud controls. This trend has further developed from the Genesis Market, with another service – Richlogs – recently emerging to compete for users.
You can read more about the Genesis botnet at https://www.digitalshadows.com/blog-and-research/genesis-botnet-the-market-claiming-to-sell-bots-that-bypass-fingerprinting-controls/
One application of these stolen credentials is to commit fraud – whether that is trading payment card details, selling counterfeit goods, or phishing. One of the benefits of Genesis market taking this approach to collect credentials is they can have a more novel and effective way to impersonate users online for fraudulent purposes.
Phishing and other fraudulent techniques are used by actors to entice victims into sharing their sensitive data. Phishing kits look akin to the original websites and possess the ability to block certain IP addresses of known security companies to prevent timely remediation. Identifying fraudulent sites, products, or activities promotes better security practices.
Gift card fraud is another common activity conducted by online fraudsters. Over the past six months, there have been thousands of gift cards traded across criminal forums, dark web markets, dark web pages, IRC, and Telegram.
Approaches to fraud are adapting, for example, a trending Telegram Market called “OL1MP” utilizes a bot to automate the browsing for items – holidays, hotels, taxis, driver’s licenses, and documents. OL1MP utilizes the privacy and encryption of the telegram chat but is an automated marketplace so buyers can chat with a reputable dealer without running the risk of getting scammed.
However, OL1MP is a single example of the many criminal chat platforms used to trade contraband. Encrypted chat services like Telegram and Discord host numerous channels that promote illicit practices. We identified roughly 5,000 mentions of or advertisements for Telegram pages following the AlphaBay and Hansa takedowns. Dark web crime is adapting to the fall of AlphaBay and Hansa and continuing to pose threats to legitimate corporations and people – you need to be able to track the latest, hottest means and markets to protect your assets.
How Digital Shadows Provides Dark Web Monitoring
Digital Shadows provides dark web monitoring technology with SearchLight, so you can protect your exposed data when it appears on the deep and dark web. SearchLight continually monitors and indexes hundreds of millions of dark web pages, pastes, criminal forums, Telegram, IRC, and I2P pages and is programmed to look for specific risks to your organization.
Dark web pages
Our proprietary spider crawls Tor and I2P pages, identifying new content and sources of value.
Approximately 50 million indexed Tor and I2P pages
IRC and Telegram channels
Our technology monitors services used by groups and individuals to chat on themes ranging from threat campaigns and fraud to tactics, techniques, and technical topics.
More than 30 million conversations
Criminal forums
We have focused, automated custom collection on high-value forums where we identify a wide variety of activity – from exploit kits to the sale of breached data. Some of these are hosted on Tor or I2P, but many are not. Our closed sources team provides the direction and persona development to gain access to new forums.
More than 23 million indexed forums
Paste sites
Another source that isn’t strictly limited to the dark web: there are many types of paste sites that exist across the clear and dark web. Malicious actors use these sites to share breached data and create target lists.
Approximately 60 million indexed pastes
Dark web marketplaces
Specific collection for marketplaces hosted on the dark web. Since the demise of AlphaBay and Hansa, there has been a proliferation of marketplaces. While their longevity has been dented by LEA successes in disrupting them, new marketplaces continue to emerge, such as MarketMS, marketed by respected figures from the Russian scene.
Approximately 1 million indexed marketplace listings
In addition to the industry leading technology (don’t take our word for it – Forrester named us a leader in their report here), our closed sources team works to gain new access, develop personas, and produce intelligence reports on the latest cybercriminal trends.
Our Shadow Search capabilities also put the power in your hands by allowing you to search across our indexed data to track threat actors, campaigns, and instances of fraud.
Check it out for yourself. Take a Tour of the Dark Web in Test Drive now.
Making Dark Web Monitoring Capable & Relevant
Dark web monitoring can be intimidating for organizations – to see if your data is exposed on criminal sites and to find and remediate it – but it doesn’t have to be.
“Good” dark web monitoring entails constantly accessing new sources. Technology does the heavy lifting in collection by focusing on the key use cases and undercover security experts continually develop personas, socialize with criminals, and access these trickier places to provide proper source coverage and visibility into the darkest areas of the criminal landscape. This dual source coverage empowers you to quickly detect insider threats, identify fraud, find counterfeits, and instantly detect exposed credentials that are not easily visible to you.
Dark web monitoring can have a real business impact; it can protect you from compliance issues, financial implications, and reputational impacts that can occur if your assets are not properly monitored. Here at Digital Shadows, we work with you to develop a plan to make sure your data is not being exploited on the open, deep, or dark web and ensure you stay ahead of the cat-and-mouse game.
Download our Dark Web Monitoring Overview to learn more: