All About Darkweb
Tips and tricks for DARKINT (dark web intelligence) assessment and analysis, info gath
The dark web is the World Wide Web content that exists on darknets (overlay networks) that use the Internet, but require specific software, configurations, or authorization to access. Through the dark web, private computer networks can communicate and conduct business anonymously without divulging identifying information, such as a user's location. The dark web forms a small part of the deep web, the part of the web not indexed by web search engines, although the term deep web is sometimes mistakenly used to refer specifically to the dark web.
The darknets which constitute the dark web include small, friend-to-friend networks, as well as large, popular networks such as Tor, Hyphanet, I2P, and Riffle operated by public organizations and individuals. Users of the dark web refer to the regular web as clearnet due to its unencrypted nature. The Tor dark web, or onionland, uses the traffic anonymization technique of onion routing under the network's top-level domain suffix .onion.
Ransomware groups rely on dark web infrastructure across the attack lifecycle. Ransomware-as-a-Service (RaaS) operators recruit affiliates through dark web forums such as RAMP and, prior to bans imposed after the 2021 Colonial Pipeline attack, Exploit and XSS, where they advertise toolkits, commission structures typically offering affiliates 60–80% of ransom proceeds, and vet prospective partners.[27][28][29] Most prominent ransomware groups also operate dedicated data leak sites on the Tor network as part of a double extortion model pioneered by the Maze ransomware group in November 2019, in which stolen data is published or threatened to be published if victims refuse to pay, with groups such as LockBit, ALPHV/BlackCat, and Cl0p hosting data from hundreds of victim organizations.[30][31][32] Rather than conducting the full attack lifecycle independently, many ransomware affiliates purchase pre-established network access from initial access brokers (IABs), specialized threat actors who compromise organizations through methods such as exploiting vulnerable systems, phishing, or leveraging credentials from infostealer malware, and sell that access on underground forums, with listings typically priced by factors including victim revenue, access type (VPN, RDP, Active Directory), and geographic location.[33][34][35] This division of labor has created an efficient criminal supply chain that lowers the technical barrier to entry for ransomware attacks.[36]
Botnets are often structured with their command-and-control servers based on a censorship-resistant hidden service, creating a large amount of bot-related traffic.[21][37]
Commercial darknet markets mediate transactions for illegal goods and typically use Bitcoin as payment.[38] These markets have attracted significant media coverage, starting with the popularity of Silk Road and its subsequent seizure by legal authorities.[39] Silk Road, which emerged in 2011, was one of the first dark web marketplaces and allowed the trading of illegal drugs, weapons and identity fraud resources.[38] These markets offer no protection to their users and can be closed down at any time by authorities.[38] Despite the closures of these marketplaces, others pop up in their place.[38] As of 2020, there have been at least 38 active dark web marketplaces, and possibly many more.[38] These marketplaces are similar to eBay or Craigslist in that users can interact with sellers and leave reviews about marketplace products.[38]
Examination of price differences in dark web markets versus prices in real life or over the World Wide Web has been attempted, as have studies of the quality of goods received over the dark web. One such study was performed on Evolution, one of the most popular crypto-markets, active from January 2013 to March 2015.[40] Although it found that the digital information, such as concealment methods and shipping country, "seems accurate", the study uncovered issues with the quality of illegal drugs sold on Evolution, stating that "the illicit drugs purity is found to be different from the information indicated on their respective listings."[40] Less is known about consumer motivations for accessing these marketplaces and the factors associated with their use.[41] Darknet markets have also provided leaked credit card information that was made available for free.[42]
Bitcoin is one of the main cryptocurrencies used in dark web marketplaces due to the flexibility and relative anonymity of the currency.[43] With bitcoin, people can hide their intentions as well as their identity.[44] A common approach was to use a digital currency exchanger service which converted bitcoin into an online game currency (such as gold coins in World of Warcraft) that would later be converted back into fiat currency.[45][46] Bitcoin services such as tumblers are often available on Tor, and some, such as Grams, offer darknet market integration.[47][48] A research study undertaken by Jean-Loup Richet, a research fellow at ESSEC, and carried out with the United Nations Office on Drugs and Crime, highlighted new trends in the use of bitcoin tumblers for money laundering purposes, using escrows.
Due to its relevance in the digital world, bitcoin has become a popular product for users to scam companies with.[43] Cybercriminal groups such as DDOS"4" have led to over 140 cyberattacks on companies since the emergence of bitcoin in 2014.[43] These attacks have led to the formation of other cybercriminal groups as well as cyber extortion.[43]
Many hackers sell their services either individually or as part of groups.[49] Such groups include xDedic, hackforum, Trojanforge, Mazafaka, dark0de and the TheRealDeal darknet market.[50][circular reference] Some have been known to track and extort apparent pedophiles.[51] Cyber crimes and hacking services targeting financial institutions and banks have also been offered over the dark web.[52] Attempts to monitor this activity have been made by various government and private organizations, and an examination of the tools used can be found in the Procedia Computer Science journal.[53] Internet-scale DNS distributed reflection denial of service (DRDoS) attacks have also been launched by leveraging the dark web.[54] There are also many scam .onion sites that offer tools for download which are infected with trojan horses or backdoors.
In 2023, the login information of around 100,000 compromised ChatGPT users was offered for sale on the dark web. Additionally, the logs indicated, in the opinion of the researchers, that the majority of the compromised ChatGPT passwords had been extracted by the Raccoon information-stealing malware.[55]
Scott Dueweke, the president and founder of Zebryx Consulting, states that Russian electronic currencies such as WebMoney and Perfect Money are behind the majority of the illegal actions.[44] In April 2015, Flashpoint received a 5 million dollar investment to help their clients gather intelligence from the deep and dark web.[56] There are numerous carding forums, PayPal and bitcoin trading websites, as well as fraud and counterfeiting services.[57] Many such sites are scams themselves.[58] Phishing via cloned websites and other scam sites is widespread,[59][60] with darknet markets often advertised with fraudulent URLs.[61][62]
The type of content that has the most popularity on the dark web is illegal pornography—more specifically, child pornography.[43] About 80% of its web traffic is related to accessing child pornography despite it being difficult to find even on the dark web.[43] A website called Lolita City, which has since been taken down, contained over 100 GB of child pornographic media and had about 15,000 members.[43]
There is regular law enforcement action against sites distributing child pornography[63][64] – often via compromising the site and tracking users' IP addresses.[65][66] In 2015, the FBI investigated and took down a website called Playpen.[43] At the time, Playpen was the largest child pornography website on the dark web with over 200,000 members.[43] Sites use complex systems of guides, forums and community regulation.[67] Other content includes sexualised torture and killing of animals[68] and revenge porn.[69] In May 2021, German police said that they had dismantled one of the world's biggest child pornography networks on the dark web known as Boystown; the website had over 400,000 registered users. Four people had been detained in raids, including a man from Paraguay, on suspicion of running the network. Europol said several pedophile chat sites were also taken down in the German-led intelligence operation.[70][71]
Terrorist organizations took to the internet as early as the 1990s; the birth of the dark web attracted these organizations due to the anonymity, lack of regulation, social interaction, and easy accessibility.[72] These groups have been taking advantage of the chat platforms within the dark web to inspire terrorist attacks.[72] Groups have even posted "How To" guides, teaching people how to become terrorists and hide their identities.[72]
The dark web became a forum for terrorist propaganda, guiding information, and most importantly, funding.[72] With the introduction of Bitcoin, anonymous transactions were created which allowed for anonymous donations and funding.[72] By accepting Bitcoin, terrorists were now able to fund purchases of weaponry.[72] In 2018, an individual named Ahmed Sarsur was charged for attempting to purchase explosives and hire snipers to aid Syrian terrorists, as well as attempting to provide them financial support, all through the dark web.[43]
There are at least some real and fraudulent websites claiming to be used by ISIL (ISIS), including a fake one seized in Operation Onymous.[73] Advances in technology have allowed cyber terrorists to flourish by attacking the weaknesses of that technology.[74] In the wake of the November 2015 Paris attacks, an actual such site was hacked by an Anonymous-affiliated hacker group, GhostSec, and replaced with an advert for Prozac.[75] The Rawti Shax Islamist group was found to be operating on the dark web at one time.[76]
Within the dark web, there are emerging social media platforms similar to those on the World Wide Web, known as the Dark Web Social Network (DWSN).[77] The DWSN works like a regular social networking site where members can have customizable pages, have friends, like posts, and blog in forums. Facebook and other traditional social media platforms have begun to make dark-web versions of their websites to address problems associated with the traditional platforms and to continue their service in all areas of the World Wide Web.[78] Unlike Facebook, the privacy policy of the DWSN requires that members reveal absolutely no personal information and remain anonymous.[77]
The Dark Web is frequently used by hackers (e.g., Threat Actors), hacking groups, and for illegal activities and goods. There are numerous incidents, particularly online, involving the Dark Web, such as child pornography, drugs, hacking tools, ransomware, and criminal activities or those requiring a high degree of privacy. Why is the Dark Web so commonly used? The Dark Web offers high anonymity, and .onion names are not registered through ICANN or IANA because Tor (The Onion Router) onion services resolve names inside the Tor network rather than through the public DNS. Consequently, you cannot perform a WHOIS lookup or an nslookup to view the name servers (NS) or the domain ownership.
OSINT researchers frequently face this challenge: gathering information from the dark web is neither easy nor quick (depending on field conditions), for instance when tracking hacker groups, infostealer logs, leaked data being sold on the dark web, or other criminal activities. Many Threat Actors (TAs) use underground forums within the dark web, so researchers must possess the skills to conduct investigations, search for information, and monitor the information available on the dark web.
The differences between the dark web, the deep web and the surface web
The Dark Web consists of websites that are intentionally hidden and cannot be accessed using a standard browser, since their purpose is to ensure the complete anonymity of their users; they require access through Tor and use the .onion domain.
The Deep Web refers to websites or data that are not indexed by search engines for security or privacy reasons, such as account dashboards, email content, or bank records.
How does the DOJ (Department of Justice) take over dangerous websites, both on the surface web and on the onion network? If the site is on the surface web, they can take over the Name Servers (NS) and redirect the DNS to the DOJ's own Name Servers (every surface site has NS records, DNS and a TLD domain).
If it's an onion site? Since onion sites are not regulated by IANA and ICANN, several methods are available, though I cannot specify them explicitly. Here are some of the ways they take over:
- Seizing the VPS: onion sites can run on a VPS (you can set one up yourself using the Tor service)
- Exploiting a misconfiguration of the onion site
- Seizing the physical server actually running the operation
- Obtaining the onion site’s private key
- Conducting undercover and insider operations (for details, read about HUMINT)
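To make concrete why a .onion name has no WHOIS record and why holding the service's private key amounts to controlling the site: in the Tor v3 onion service format the hostname is derived from the service's ed25519 public key. The following example is added here and is not code from this repository; it derives and validates v3 addresses using a constructed sample key (not any real service's key), so a researcher can check that an address seen on a forum or in a phishing page is at least well-formed before recording it.

```python
import base64
import hashlib

# Constants from the Tor v3 onion service spec (rend-spec-v3, onion address encoding).
ONION_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"
PUBKEY_LEN = 32     # ed25519 public key length
ADDRESS_CHARS = 56  # base32 of PUBKEY (32) + CHECKSUM (2) + VERSION (1) bytes


def onion_checksum(pubkey: bytes) -> bytes:
    """First two bytes of SHA3-256(".onion checksum" || PUBKEY || VERSION)."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_VERSION).digest()[:2]


def onion_address_from_pubkey(pubkey: bytes) -> str:
    """Derive the v3 hostname from the service's ed25519 public key.

    The name is a function of the key alone: whoever holds the matching
    private key controls it, and no registrar exists for WHOIS to query.
    """
    if len(pubkey) != PUBKEY_LEN:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + ONION_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion_address(hostname: str):
    """Return (pubkey, version) for a well-formed v3 address, otherwise None.

    Rejects wrong lengths (e.g. the retired 16-char v2 format), non-base32
    text, unknown version bytes and checksum mismatches such as typos or
    look-alike addresses used on cloned phishing sites.
    """
    host = hostname.strip().lower()
    if host.endswith(".onion"):
        host = host[:-len(".onion")]
    if len(host) != ADDRESS_CHARS:
        return None
    try:
        raw = base64.b32decode(host.upper())
    except ValueError:  # binascii.Error (bad alphabet) is a ValueError subclass
        return None
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_VERSION or checksum != onion_checksum(pubkey):
        return None
    return pubkey, version[0]


# Constructed sample key for demonstration only; not any real service's key.
SAMPLE_PUBKEY = bytes(range(PUBKEY_LEN))
SAMPLE_ADDRESS = onion_address_from_pubkey(SAMPLE_PUBKEY)
```

The same checksum makes a single-character edit to a collected address detectable, which is useful when de-duplicating fraudulent URLs advertised for a market.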