Into the Darknet: An Expanded Glossary of Terms

At OWL Cybersecurity, we believe in the importance of educating everyone on the darknet. Much of the terminology we use to discuss darknet related content is common to those familiar with computer networking and information security, but like a foreign language to the general reader. Below are the first of a series of posts covering key terms and definitions you will find helpful as you continue to learn about the darknet and how it can affect both you and your business. Keep an eye on our Blog, as well as our continually-growing Darknet 101 Terms page, as we will continue to add to our list of terms over time.

Bitcoin: One of the most popular cryptocurrencies in use today. As of publication date (3/24/17), 1 Bitcoin = 984.35 U.S. dollars. 

Blockchain: Essentially a distributed database. Information within a blockchain is publicly shared across all participating users or machines. With regards to Bitcoin, the Bitcoin blockchain is a public record of all Bitcoin transactions which helps to verify transactions and prevent double spending.

Carding: The practice of stealing and selling credit card information.

Clearnet: The "regular" internet (non-Tor), often referred to as the surface web. 

Cryptocurrency: Virtual currency that employs cryptography for security purposes.

DARKINT: Short for darknet intelligence, DARKINT encompasses actionable data from the darknet and other interconnected sources, including Tor, IRC channels, hacker forums, FTP servers, paste sites, high-risk surface internet and more.

Darknet Market: A marketplace website hosted on a darknet (such as Tor), setup to provide the sale of goods and services while maintaining anonymity of vendors and buyers; also known as a cryptomarket.

Dox: The act of posting or publicizing an individual's personally identifiable information (PII), commonly done to expose said individual's true identity or for other, typically malicious, purposes.

Exit Scam: A scam in which a darknet market admin or vendor shuts down operation while stealing as much money as possible from their users and/or buyers in the process.

Hidden Service: Another term for a .onion (Tor) site.

Honey Pot: A website or hidden service setup by law enforcement in an attempt to attract and identify individuals who participate in illegal activity.

IP Address (aka Internet Protocol): A unique string of numbers separated by periods that identifies a computer connected to the internet, e.g. (iPv4).

Mirror site: A site with the same content as another site but a different domain.

Pastebin: A surface net site used to publicly post and store text for a certain, often short, period of time. Pastebin ties closely with the darknet as it is an easy way to anonymously share information without the need for a specialty based browser, such as Tor.

Protocol: Refers to the scheme in which internet content is retrieved and displayed to a browser. Tor and the darknet leverage “non-standard communication protocol” which refers to the complex set of onion proxy methods to obscure the identity of the requestor and the content server.  Protocol can also refer to a method of financial transaction, e.g. bitcoin.

Relay (aka node): Within Tor there are over 7,000 relays, mostly internal. When a request to access a particular hidden service is made, the browser calculates the optimal route through a series of relays, exchanging cryptographic keys between nodes, to display the content without disclosing the IP address of the request originator.

Tor (aka The Onion Router): A free web browser designed for anonymous internet browsing and protection against network traffic analysis; the most commonly used tool for accessing and browsing the darknet.

Tumble: A method of scrambling or anonymizing the source of one’s bitcoins.

Wiki: Like the surface net site Wikipedia, a darknet wiki is a website that allows registered users to collaboratively write and edit content directly from their browser. Example: The Hidden Wiki.

Curious about something you've read on our blog? Want to learn more? Please reach out - we're more than happy to have a conversation.

Financial Institution Threat Analysis

There are only two types of companies: those that have been hacked and those that will be.
— Robert Mueller, Former FBI Director

Financial data is appealing to cyber criminals because of the speed at which it can be monetized, especially in an array of underground marketplaces like those found on the darknet. As discussed in our recent post, these darknet markets offer cyber criminals a platform via which stolen information can be sold to vetted buyers. Given that in 2016, cyber crime cost the global economy roughly $445 billion, the ability to quickly acquire and turnaround data enables criminals to maximize profits.

The information security risk to financial institutions is significant. Not only are malware, ransomware, cyber fraud, money laundering and ATM hacking direct threats, but the growth of the Internet of Things (IoT) and the move to mobile financial platforms have increased the overall threat level as the footprint of financial institutions moves beyond protecting brick-and-mortar infrastructure.

Common tactics, techniques + procedures targeting financial organizations

Tactics, techniques and procedures (TTP) refer to employing available means to accomplish an end and the methods in which they are applied. Below we take a look at six common TTPs seen in the financial sector.

Common Financial TTPs
Spoofing +
Financial-related sites that require a login, and the user credentials associated with those logins, are commonly at risk of compromise. Email spoofing attacks use similar URLs to impersonate legitimate sites. Multi-factor authentication methods are increasingly considered mandatory for financial institution sites involving online banking.
ATMs Various ATM-specific threats have been discovered over the past few years. For example, GreenDispenser malware infects an ATM and allows a criminal to withdraw large amounts of money without detection. Reverse ATM attacks which leverage "money mules" to reverse transactions to allow criminals to cover their tracks have recently emerged.
Mobile Apps The growing use of mobile devices for banking purposes exposes major vulnerabilities; public WiFi networks are inherently insecure, mobile applications lack encryption, poor reception increases the likelihood that banking transaction traffic could be intercepted by a third party and many fraudulent apps that harvest user and account data exist.
Third Party
Joint ventures, vendors, affiliates, brokers, payment systems and other third parties associated with financial institutions must maintain a strict level of security in order to protect the entire infrastructure. Managing third party risk is essential to the security of every financial institution.
EMV Cards:
Chip + PIN
EMV cards are now as easy to clone as their magnetic strip predecessors. Researchers recently demonstrated that they could withdraw $15,000 in cash from an ATM in under 15 minutes leveraging a simple chip-and-PIN hack. The Man-in-the-Middle (MitM) based attack collects chip-and-PIN information from a small device placed on a point of sale machine where a payment card is entered or swiped. The attackers can then simply access this stolen financial information with a smart phone and recreate the victim's card for fraudulent use.

In February of 2016, attackers stole $81 million from the Bangladesh Bank by hacking into the bank's network and sending fraudulent payment order requests through the Society for Worldwide Interbank Financial Telecommunication (SWIFT) payment network. Similar to cyber attacks seen on other networks, the attackers were able to move laterally through the bank networks, compromise administrator credentials and leverage those credentials to execute further attack. (Source)

Who is attacking with these techniques?

Three criminal organizations are considered top players in cyber attacks on financial institutions. All three leverage spearphishing as their method of entry, their initial technique used to gain unauthorized access.


Atypical of the majority of attacks against banks and other financial institutions, which focus on targeting bank clients, the Carbanak criminal gang targets institutions themselves. Carbanak targets banks in the United States, Germany and China, and we're expecting expansion further into Asia. The gang's hackers leverage spearphishing attacks containing malicious Word documents, among others, through which a backdoor is installed. This backdoor allows Carbanak members to imitate bank employees and further access systems to escalate privileges. (Source)

метель, or Metel

метель, Metel, Russian for "blizzard," is a cyber criminal gang that, much like Carbanak, directly targets financial institutions via spearphishing email campaigns containing malware which directs users to a website hosting an exploit kit. This malware kit allowed Metel to steal data and access virtually any internal system. Metel was able to steal money from ATMs and spoof them into recording an untouched account balance. 


As with Carbanak and Metel, GCMAN leverages spearphishing to infect a target bank's network via executable attachments. Once inside a target network, GCMAN leverages common penetration testing tools (VNS, Putty and Meterpreter) to gain further access. GCMAN is believed to have compromised over 56 accounts from 139 attack sources over a year and a half period. (Source)

Where do these threat actors currently operate?

How are threat actors using the darknet to target financial institutions?

Threat actors commonly use the darknet as a means of eliciting information from insiders - disgruntled employees that themselves or via a third party cause damage to systems and data.

Consider insider trading, the illegal practice of trading to one's own advantage via access to confidential information. Threat actors often post sites on the darknet soliciting employees who may have access to key insider information. Most of these insider solicitation darknet sites require users to register.

A darknet forum where purveyors of insider information are offering their services.

A darknet forum where purveyors of insider information are offering their services.

phpBB appears to contain forums in which threat actors are seeking "someone who has non-public information concerning US Stocks, ETFs, Etc." Discussions of this nature continue to occur on the darknet.

phpBB appears to contain forums in which threat actors are seeking "someone who has non-public information concerning US Stocks, ETFs, Etc." Discussions of this nature continue to occur on the darknet.


What are some other ways in which threat actors leverage the darknet? As a simple case study, let's take a look at the world's second largest bank, Wells Fargo. Leveraging our database of DARKINT, we can generate a snapshot of any organization's darknet footprint.

Wells Fargo darknet footprint

As seen above, Wells Fargo data is present on the darknet in many ways, as are other banks of a comparable size. Often times, the easiest way into an organization's environment is through the "front door."

Just as our security services team analyzes an entity's digital footprint to determine attack vectors, so does a real world attacker. Financial organizations the size of Wells Fargo or JPMorgan Chase have a myriad of domains, IP blocks, email domains and physical addresses associated with them.

When looking at this digital footprint, from an attackers perspective, it is simply a matter of identifying the most vulnerable entry point.

Leverage DARKINT to protect your organization. 

Facing ever more sophisticated and coordinated attacks, information security has been primarily focused on building higher and thicker walls. However, as evidenced by Wells Fargo above, financial institutions must look beyond their four walls at their darknet footprint. Leveraging our continually updated database of DARKINT, financial institutions can shorten the timeframe to detection of their sensitive data on the darknet, swiftly detect security gaps and mitigate damage prior to the misuse of their data.

Our automated OWL Vision platform can be customized to meet the unique needs of every client. From our SaaS offering to a full on premise solution, our scalable platform allows us to find the right fit for your organization. If you have already begun to leverage the power of the darknet, the OWL Vision engine can enhance current methods by pointing to and capturing the information of your specific areas of interest.

For more information about anything you've read in the above report, or to request a demo or additional information on DARKINT, please reach out to us!

A Guide to Darknet Markets, Part II

Following on our first post regarding darknet marketplaces, A Guide to Darknet Markets, Part I, this post will take a more in-depth look at both current and up-and-coming darknet markets, how to access them and the future of the markets.

As mentioned in the first part of this guide, the darknet contains a vibrant and thriving e-commerce sector, in which participants trade in illegal goods and services. These darknet markets offer goods like drugs, counterfeit money and IDs, stolen credit cards, weapons and credentials for accessing sites including everything from lifetime Netflix subscriptions to adult websites.



Since the confiscation of the original Silk Road in 2013, hundreds of marketplaces have come and gone with varying levels of success. Currently, roughly 1,000 vendors trade across over 50 active darknet markets. While there are many rumors on the future of the Tor Hidden Service relay system, those who frequent darknet markets will continue to seek out anonymous marketplaces per the laws of supply and demand.

Based on our research, we forecast that The Open Road Market and Trade Route are two up-and-coming marketplaces to watch over the next year.  

Despite a limited number of listings, Trade Route features a streamlined user interface without requiring javascript, supports various multisig and escrow transaction methods and even offers a custom “PayPal-like” escrow system. Trade Route is currently offering a $10 limited vendor account for those new to darknet markets, so we suspect this market will grow in popularity.

Related: A Guide to Darknet Markets, Part I

The Open Road Market is one of the newest markets on the darknet, having opened less than a month ago. The new market features two-factor authentication (2FA) for enhanced buyer and vendor security and a “Finalizing Early Option” for exit scam prevention. This market also offers a low-cost entry for vendors who have an established (positive) reputation on other markets.


THE TRIED-And-True darknet markets

While The Open Road Market and Trade Route are up-and-coming players in the space, the below chart shows additional information on three of the largest darknet markets currently in existence. As mentioned in our last post, AlphaBay holds the top spot for sales and total number of listings (last recorded at 294,739 distinct listings and growing), with The Dream MarketValhalla (Silkkitie) and Hansa falling close behind.

Disclaimer: Darknet sites are by their nature quite transient, going up and coming down at unexpected times. The below charts include a variety of .onion links which are subject to change. Please use your best judgement if you choose to visit Tor yourself, and see the "Further Exploration" section of this post below.

Invite Link pwoah7foa6au2pul.onion/
Select "Register" and put DNMs in the "Invited User" field if it isn't already there.
Market pwoah7foa6au2pul.onion
Backup Sites alphabaywyjrktqn.onion
Alternative sites in case of DDoS on main market link.
Forum pwoah7foa6au2pul.oni

Dream Market
Invite Link lchudifyeqm4ldjj.onion/?ai=218297 Follow the “Register” link at the upper right corner
Market lchudifyeqm4ldjj.onion Must be registered to use this link
Backup Sites jd6yhuwcivehvdt4.onion
Alternative sites in case of DDoS on main market link
Forum tmskhzavkycdupbr.onion Discussion space for reviews a vendor feedback

Hansa Market
Invite Link hansamkt3iph6sbb.onion/
Note: Confirmations by the Bitcoin network are slow at the moment due to the large amount of transactions in the blockchain.
Market hansamkt3iph6sbb.onion Site uses multi-sig transactions exclusively – more secure but also for more advanced users.
Backup Sites hansamkt2rr6nfg3.onion Most markets include mirror .onions which point to the original market

Beware the Scammers

For users interacting with potential vendors on the darknet, it is nearly impossible to distinguish between a legitimate vendor and a potential scammer. As mentioned in the first part of this guide, many seemingly legitimate markets turn out to be complete scams from which scam administrators walk away with large sums of bitcoin. Ways in which a market and a vendor can potentially be validated include:

  • Help + Support: Does the market have a supportive and responsive customer support team? Is the team willing to help with disputes between vendors and buyers?
  • Market Reviews: Does the surface net contain forums and/or reviews regarding the market and its vendors?
  • Uptime: How often does the site go down? Uptime is an objective measure of a market’s performance and stability.
  • Anonymity + Security: How secure is a given market's account? Does the site contain security measures such as Pretty Good Privacy (PGP) encryption and two-factor or multi-factor authentication?
  • Escrow, Finalize Early + Multisig: Does the market leverage any of a variety of transaction methods in order to protect users?

Further Exploration

If you're interested in diving further into darknet markets by visiting one, we encourage you to first do your research on browsing the darknet. This includes learning about Tor and ensuring you know how to safely access it. We recommend installing TOR-Pi-do on a Raspberry Pi.

See also: 

Curious about something you've read on our blog? Want to learn more? Please reach out - we're more than happy to have a conversation.

A Guide to Darknet Markets, Part I

Since its inception, one of the key applications of the darknet has been its ongoing e-commerce sector, specifically in the trade of illegal goods and services. The FBI brought the world’s attention to the underground world of darknet markets when they shut down the now infamous Silk Road in 2013 and arrested its unsuspecting founder.

While Silk Road was one of the largest darknet markets in service at the time, there are now thousands of vendors distributed across some 50 markets who are actively trading across the deepest and darkest parts of the internet.  

The Silk Road Lineage

Cryptoanarchist Ross Ulbricht was only 26 years old when, in 2011, he launched Silk Road using The Onion Router’s (Tor's) Hidden Services protocol. According to Ulbricht, the origin of this darknet marketplace was experimental in nature.

[The Silk Road is] an economic simulation to give people a first-hand experience of what it would be like to live in a world without the systemic use of force.”
— Ross Ulbricht, Founder, The Silk Road

The Silk Road experiment proved to be short lived, however, when in 2013 Ulbricht was charged and subsequently convicted on seven counts of varying extents, including charges of money laundering, computer hacking, conspiracy to traffic narcotics and attempting to have six people killed. 

By this point, the Silk Road marketplace had become a mecca for buying and selling illegal drugs and narcotics.

Just one month after the original Silk Road was shut down, a new version (Silk Road 2.0) appeared in its place. The marketplace was successfully operated for almost a year by administrator Blake Benthall before being seized by the FBI. Authorities shut down the market and all pages within its domain, replacing each landing page with the above image.

Seeing a rebranding opportunity, a then less-popular darknet market, Diabolus Market, rebranded as Silk Road 3 Reloaded, capitalizing on the brand and popularity of the Silk Road lineage. Shortly thereafter, Silk Road 3 Reloaded appeared on I2P with a similar look and feel to the original Silk Road market. The marketplace is still in operation today, with stronger encryption and security measures in place to evade confiscation.

beyonD THE silk road

While the Silk Road was a pioneer in the darknet market space, it does not hold the record for the largest market in sales or listings to date. Over the last four years, darknet markets have surged in popularity. Those with significant sales in the past include Agora, Evolution, and Nucleus markets (all now defunct). It is estimated that since 2013, darknet market sales have skyrocketed, now averaging between $300,000 and $500,000 USD per day collectively across all markets. 

With this surge, we’ve also observed an uptick in the online presence of local and Federal authorities. With the growing presence of law enforcement, darknet underground markets are constantly adapting, both in their .onion domain addresses and brand name to avoid apprehension. 

Of the current active darknet markets, AlphaBay holds the top spot for sales and total number of listings (last recorded at 294,739 distinct listings and growing), with The Dream Market, Valhalla (Silkkitie) and Hansa falling close behind. These marketplaces feature multiple .onion domains for access during peak times of Tor network activity and require an invitation to gain access (as either a buyer or vendor) to reduce the potential for scammers. They also employ captcha based encryption on login to avoid a distributed denial of service (DDos) attack.



Whats for sale?

While the most profitable items for sale in these markets are drugs, both illegal and prescription, darknet markets also feature non-drug related offerings, such as:

  • Hacking services
  • Digital goods (malware, toolkits and viruses),
  • Stolen data, such as credit card numbers and personally identifiable information
  • Electronics
  • Weapons
  • Passports
  • Adult content
  • eBooks
  • Pirated movies
  • Exotic animals

Cannabis related products, MDMA and ecstasy lead the illegal drug market, while the top prescription drugs include Alprazolam, Xanax and Oxycodone. (Source)

Visa or MasterCard?

Neither. If you’re going to do business on the darknet, then you'll need to use the principal transaction method in darknet markets: cryptocurrency. Bitcoin (BTC), a commonly used cryptocurrency, currently trades quite high. As of now, 1 BTC is equal to approximately $1201.26 USD, with the value of bitcoin continuing to rise.

Buyers must be aware that many seemingly legitimate darknet markets end up scamming their entire user base and the administrators flee with millions of US dollars in BTC. 


As darknet markets frequently come and go, it's hard to know when a marketplace will disappear. In 2015, the leading marketplace at the time, Agora, announced it was shutting down due to “suspicious activity” and believed attempts to break its security protection, either by law enforcement or malicious hackers, that could have potentially revealed the IP addresses of Agora users.

Some markets, Hansa and Silk Road Reloaded for example, have adapted to these challenges by by expanding trading beyond the darknet onto I2P channels, where they compete with non-darknet, more traditional marketplaces. One of the big players in this space, OpenBazaar is a bitcoin-based market that offers an inventory of more "socially acceptable" goods and services via the surface web. Their transaction framework allows trading directly to the customer, pivoting off the I2P technical construct by using multisig addresses and digital signatures to allow for secure communication directly between the buyer and seller. 

Things became even more interesting when OpenBazaar recently announced that its next update (May 2017) will incorporate a “Tor mode option," integrated seamlessly within their desktop interface, which will allow users to opt to become a “relay," bouncing their traffic through volunteer computers around the world. This will effectively obscure and protect their identity, making the next version of OpenBazaar something of a "darknet lite" website. The creators of OpenBazaar are passionate advocates of anonymity and admit this feature will likely lead to an influx of vendors offering illegal goods and services, adding a darknet flavor to the marketplace. 

As these marketplaces continue to evolve, the world of anonymous, marketplace-based trading is likely to expand and overlap. We'll be keeping an eye on these developments, and will continue to update you, our readers, on the ever-shifting world of darknet marketplaces.

Continue Reading: A Guide to
Darknet Markets, Part II

Curious about something you've read on our blog? Want to learn more? Please reach out - we're more than happy to have a conversation.

A Hidden Story Behind the Hidden Wiki

Last week, we saw an interesting uptick in the number of domains collected by the OWL Vision platform. Our analysts leveraged DARKINT to find a surge of new domains, increasing the number crawled by our platform by nearly 36%. In the time since, this trend has continued in the same upward manner. With the number of domains our tool crawls increasing by over 123% since February 26, our team decided to begin digging for an explanation, and found a correlation with the Hidden Wiki.

The Main Page of The Hidden Wiki.

The Main Page of The Hidden Wiki.

So, how does the Hidden Wiki tie into the increase in domains? Almost 94% of the new domains seen by our analysts contain the landing page for The Hidden Wiki and merely serve as a mirror back to the original, well-known Hidden Wiki site. A mirror site is essentially a site with the same content as another but a different domain.

Why would those behind the Hidden Wiki have over 30,000 sites mirroring theirs? 

The Wikis of the darknet

The Hidden Wiki is a darknet site which provides wikis operating as Tor hidden services. For those unfamiliar, a wiki, like the surface net site Wikipedia, is a website that allows registered users to collaboratively write and edit content directly from their browser.

Just like the Wikipedia that we're familiar with, just about anyone can anonymously edit the Hidden Wiki. The Hidden Wiki landing page provides a comprehensive directory of links to other .onion sites on Tor and advice on how to safely use Tor. The Hidden Wiki is believed to have come online in 2011, and interestingly, was a top client of the Freedom Hosting service taken down by Anonymous last month.

In the world of the darknet wikis, there is also an "uncensored” version of the original site called The Uncensored Hidden Wiki. This wiki offers the same layout and feel as the Hidden Wiki but focuses on more adult and illicit topics but does also cover announcements and other general Tor-related information. The most recent change to its main page discusses the recent SIGAINT secure email service outage. The Uncensored Hidden Wiki first appeared on the darknet in mid-2016.

As with the majority of sites on Tor, all of the darknet wiki-like sites should be used with caution. You cannot know for certain that the lists of .onion links they contain have been verified; many can contain malicious software and/or links to illicit material without warning.

the big question: why the Hidden Wiki Mirror domain up-tick?

As we mentioned, about 94% of the new domains seen by our analysts are mirrors of the well-known Hidden Wiki site.

Perhaps this is merely a glitch in the Hidden Wiki's torify wget bash code, as there is no rationale behind that many hidden service domains. Or, could this be related to yesterday’s news report of WikiLeaks Vault-7 release of almost 9,000 documents detailing the cyber capabilities of the CIA's covert Center for Cyber Intelligence (CCI) division? 

Our analysts will continue to investigate and keep you updated as more information becomes available via DARKINT.

Curious about something you've read on our blog? Want to learn more? Please reach out - we're more than happy to have a conversation.

IRS Issues "Urgent Alert," Urges Widespread Vigilance

"Dangerous W-2 Phishing Scam Evolving; Targeting Schools, Restaurants, Hospitals, Tribal Groups and Others," is the alarming headline of a new announcement from the IRS. This warning is the latest in a series of press releases alerting the public to one of the most lucrative tax seasons hackers have ever seen. 

According to, who is keeping an ongoing record, 99 companies and organizations have been victimized of such a scam thus far in 2017. While this is nothing new, (see our phishing alert from 2016) these types of targeted phishing scams have continued to grow in popularity over the past year and are becoming increasingly sophisticated and effective. Join us as we leverage DARKINT and the skills of our analysts to take a look into what's happening.


This has historically been a hot time of the year for cyber scammers. The IRS saw an approximate 400% surge in phishing and malware incidents in the 2016 tax season. With that increase in cyberattacks has come an undoubtable refining of technique, making this year's threat more dangerous and effective than ever. Experts have coined it as a "cross breed" spear phishing campaign that applies advanced social engineering techniques to exploit its victims. Here's how it works: 

1.     Hackers gather information about the targeted company, including the names and contact information of its chief executive(s) as well as relevant, (often mid-level) HR or payroll personnel.

2.     They then use this information to pose as the selected executive, let's say the CEO, by crafting an email and configuring it to look as though it is coming from the CEO's actual email address.

3.     The dubious email is then sent to the relevant employee (or employees) in HR - or in payroll - requesting that they send the W-2 forms of, say, the employees belonging to a specific department, or, in many cases, of the entire company.

4.     Not wanting to refute a request from their executive, a significant portion of the recipients will acquiesce and email the W-2's in question to the attacker. 

5.     The hacker uses the W-2 information to file tax returns with the IRS on behalf of each legitimate employee, collecting whatever tax refunds their victims are eligible for. Or, in some cases, the stolen documents are put on the darknet and made available for purchase.

This method of committing tax-related identity theft has proven to be largely successful. As recently as last week, an HR employee of Mount Healthy City School District replied to an email from her "boss," following up on his request by sending him the W-2's of 600 current and former employees. Within a day, a number of those employees came forward to say that their IRS tax status indicates they have filed for this year, though they themselves did no such thing. 

"Easy Money"

Curious as to what the darknet was saying regarding this spear phishing scheme, we decided to look for ourselves by running a keyword search of our darknet database.

Screenshot of a listing on a darknet marketplace offering W-2's to buyers for $1.76 apiece.

Screenshot of a listing on a darknet marketplace offering W-2's to buyers for $1.76 apiece.


The search results confirmed that many stolen W-2's are being offered for sale on various darknet marketplaces. We also found chatter among darknet users, with many discussing and sharing various different spear phishing techniques and engaging in social engineering contests, challenging each other to spear phish selected targets and bragging when they successfully do so. 

Other .onion pages tout the scam in the form of a PSA to fellow hackers:

"This is a very easy method to do and by the end I am sure you will be wondering why more people do not know about it. It is gaining media attention this year (specifically in FL) and I suspect that within 1-2 yrs the USA legislators will take the steps necessary to close the loopholes in the tax code so this method will at the very least be much more difficult to reproduce. Currently e-file returns undergo little or NO review process at all before the refunds are sent out."
- Anonymous Darknet User

OUTSMART cyberthieves by taking action 

"All you have to do is pick up the phone," our analysts say. You can avoid falling victim to one of these ubiquitous spear phishing emails by having a quick verbal exchange.  

It is important to make your colleagues or employees aware that if they receive an email requesting sensitive documents or the personal information of any employee, such as the one pictured above, the first thing they should do is call the sender of the email on the phone to confirm its legitimacy. 

Curious about something you've read on our blog? Want to learn more? Please reach out - we're more than happy to have a conversation.

A Survey of Nation State Sponsored Hackers

The darknet is an unpredictable source of both white hat and black hat hackers working to develop malware, toolkits and viruses (MTVs) for any number of reasons - from political hacktivism to cyber crime. In our last few posts, we’ve touched on the various motivations for hacking and the different personas behind it; we now take a closer look at the recent history and current state of one of the hacking communities biggest players: Nation State Actors.

In this day and age, nearly everyone is aware that hacking and leaking the emails of the politically powerful, and their affiliates, is a common offense. Many times, this is perpetrated by hackers who simply oppose various political positions. Hacktivist groups, such as Anonymous, often participate in politically-motivated hacking due to much more nefarious, and arguably widespread, intents and agenda. In response to the Tunisian government limiting access to the internet, Anonymous struck government websites in the country with DDoS attacks and caused the sites to falter and crash. The group released the below letter, illustrating the motives behind the attack.

foreign actors

The political storm surrounding the now infamous Russian hacker known as Guccifer 2.0, who coordinated the release of the emails hacked from servers hosting the Democratic National Committee’s email, is one recent instance of politically motivated hacking.

The U.S. intelligence community clarified through all source intelligence analysis that nation state actors from Russia’s foreign intelligence service and main intelligence agency directly sponsored the team of hackers who carried out the attacks, recruited them in targeted social media campaigns and directed their actions. The state actor hackers probed voter registration databases and used bots and fake stories to make information more damaging – strategically magnifying the effects of these leaks – with the singular goal of directly influencing the outcome of the U.S. election process.

Beyond influencing election results, a state sponsored attack may have direct intentions to further the policies and agendas of the state government. Most noteworthy is the success of China’s military-based cyber team (Unit 61398) which accessed several government controlled (*.mil) and defense contractor domains to collect plans, drawings and key project details for a variety of cutting edge technology programs. This "army" encompassed a variety of organizations from specialized military units, experts from civilian organizations and a number of external entities comprised of hacking-for-hire mercenaries and non-government affiliated personas.  

The volume of websites targeted by Unit 61398 appears to have decreased with the 2015 agreement between then-U.S. President Obama and Chinese President Xi Jinping declaring a mutual agreement to end or “knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information for commercial advantage.” Nevertheless, this agreement has not stopped China from its cyber espionage operations, as the U.S. intelligence community briefed the Senate earlier this year, going on record that “Beijing continues to conduct cyber espionage against the U.S. government, our allies and U.S. companies" 

The allocation of human, technological and financial resources towards nation state cyber efforts is substantial. In 2015, China admitted what had many had long suspected, that it had an “army of hackers” for digital espionage and sabotage. Recent reports indicate that China’s total number of cyber operatives is believed to be in excess of 100,000. 

Because of the covert nature of the Russian government, it is much more difficult to discern the extent of their cyber program. Despite reports that Russia annually spends roughly $300 million on cyber related activities and leverages at least 1,000 cyber operatives, we know Russia regularly sponsors underground cyber criminal organizations across Eastern Europe to support their campaigns.

There is also an element of nationalism woven into nation state hacks that cannot be understated. Take the common practice of including symbolic terminology within each nation's campaigns. Russian cyber campaigns are often referred to with the keyword “BEAR,” perhaps in reference to the well-known internet memes of Putin riding a bear. Significant Russian campaigns include: Cozy Bear, Energetic Bear and Berzerk Bear. Campaigns launched by China often use the keyword “PANDA,” such as Hurricane Panda, Putter Panda and Deep Panda.

The CURRENT CLIMATE: a cybersecurity 'arms race'

After the 2012 U.S.-Israel campaign to sabotage Iran’s nuclear weapons program, Stuxnet, Iran rapidly became a world player in state sponsored hacking and malware development. Iran is believed to have heavily invested in their own cyber capabilities and significantly contributed to the rise of cyber terrorism in the Middle East, with historic support in funding regional terrorist organizations such as Hamas and Hezbollah. There is limited information on the capabilities of Hamas’s cyber team, Gaza Cybergang. A hacking group affiliated with Hezbollah, known as Qadmon or “Kadimon” reportedly cracked security cameras at a Defense Ministry compound in Tel Aviv in early 2016. Groups conducting Iranian sponsored campaigns involve the keyword “KITTEN,” Clever Kitten, Magic Kitten, and most recently, Rocket Kitten.

This climate of competition has created what many consider a cybersecurity "arms race."

Western and NATO member nations, such as the U.S., UK and Germany, have developed cyber teams for intelligence and cyber-defense purposes. However, it is difficult to discern how resources such as funding and people, have been allocated between offensive cyber campaigns and information system security missions. We can only assess based on the bits that we know, such as the fact that the British Army has a team of over 1,000 people dedicated to tackling the propaganda effectively published by terrorist organizations like ISIS through social media.  

We have observed federal agents from U.S. intelligence and homeland security communities active on the darknet, arresting numerous key underground market vendors, such Area51 and DarkApollo, from AlphaBay in August last year. For the last two years, the German Interior Ministry has deployed custom-developed trojans to track suspected citizens’ user chats and conversations on smartphones and PCs.

The power of nation state hackers 

While espionage is motivated by the intent to learn something, cyber attacks are often leveraged to sabotage a competing or enemy nation, where direct action is taken.

Direction action can include network infiltration to control of a strategic or tactical network, using access for fraudulent purposes, collecting information for leverage such as blackmailing or ransoming data, launching a distributed denial of service (DDoS) to shut down access to government websites and social media and more. In more extreme scenarios, such as a cyber warfare attack, nation state hackers may utilize malware toolkits and viruses to disrupt or disable key infrastructure of the enemy nation, such as power grids or transportation systems. 

The malware tools used for espionage and sabotage are interchangeable and typically refined to best serve their intention. A nation state hacking team would utilize the key tools in any common hacker’s arsenal to gain access to key computer systems with data of interest. They would then establish persistent presence via advanced persistent threats (APT) and remote access tools (RAT) to evade detection and mitigate any IT security measures in place. Once the connection has been established and secured, the hackers would launch an automated data mining program to harvest the data of significance off to a remote server for final dissemination or leverage. There is a high-level sophistication and finesse of the code developed and utilized to evade detection and quickly connect and disconnect from the targeted information system.

Nation state sponsored hackers are one of the hacking community's biggest players. We will continue to monitor these trends as countries continue to move to cyber espionage and outright cyber attack.

Join us next time when we take a look at internationally infamous financial malware developers - their tools currently being disseminated, those recently arrested and how the darknet is involved in coordinating financial attacks.  

Curious about something you've read on our blog? Want to learn more? Please reach out - we're more than happy to have a conversation.

Into the Darknet: A Beginner's Glossary of Terms

At OWL Cybersecurity, we believe in the importance of educating everyone on the darknet. Much of the terminology we use to discuss darknet related content is common to those familiar with computer networking and information security, but like a foreign language to the general reader. Below are the first of a series of posts covering key terms and definitions you will find helpful as you continue to learn about the darknet and how it can affect both you and your business. Keep an eye on our Blog, as well as our continually-growing Darknet 101 Terms page, as we will continue to add to our list of terms over time.

Alias: A screen name intended to conceal a user's identity, with little to no ties to the user's actual personal information.

Darknet: The darknet is a network, built on top of the internet, that is purposefully hidden; it has been designed specifically for anonymity. Unlike the deep web, the darknet is only accessible with special tools and software - browsers and other protocol beyond direct links or credentials.

Denial of Service (DoS): A malicious attack on a network that is executed by flooding a server with useless network traffic, exploiting the limits of TCP/IP protocols and thus rendering the network inaccessible.

Domain Name Server (DNS): The internet’s equivalent to a phonebook. On the surface web, this consists of a routing table, translating a character based domain name (ending in *.com, *.net, etc.) to the server’s IPv4 32-bit IP address. In the darknet, a special set of Tor DNS servers correlate the *.onion sites to the source, usually through a series of proxies to obscure the server’s identity.

Firewall: Hardware and/or software that is specifically designed to protect a network or system from unauthorized access through employing specific rules to control and direct incoming and outgoing network traffic.

Forum: A digital environment where ideas and topics can be discussed freely among users. Members of forums generally log in with a screen name or alias to post and comment on content. Forums differ from real-time internet messaging and chat rooms in that the topics and information are not intended to be discussed real-time but instead posted for all users to see over a more extended period of time.

Hacking: The process of identifying targeted computer information systems of interest and employing a computer program to gain unauthorized access to the target system.

Internet Relay Chat (IRC): A popular text-based chat service enabling users connected to a server to communicate with each other in real-time.

Packet: A formatted unit of data routed between its origin and a destination. Data packets are used in internet protocol (IP) transmissions to navigate the internet and darknet.

Peer-to-Peer (P2P): An ad-hoc connection of computers where information can be passed directly between the participants. In a P2P, each node of the network functions as both the server and the client.

Phishing: A data collection method used in social engineering. Phishing targets sensitive information (usernames, passwords and credit card details), often for malicious intent, by disguising itself as a trustworthy entity in an electronic communication. See spoofing below.

Router: The hardware used to forward packets of information along a network, performing the traffic directing functions of the internet.

Scraping: In the context of web scraping, this term describes the process of harvesting large sets of data from websites and storing the content in a database on a local computer or server. 

Screen Name: The name a user employs to communicate with others online.

Spoofing: The process of falsifying the origin of network communication (via the internet) in order to mislead or misdirect the recipient. Example: a fake email from your bank asking you to validate credit card or personally identifiable information.

Username: A string of characters used to log in to a computer information system.

Curious about something you've read on our blog? Want to learn more? Please reach out - we're more than happy to have a conversation.

The Tor Project to Upgrade Security + Privacy


Welcome to a special post on the Tor Project's recently announced planned upgrades to the security and privacy of Tor. We will take a closer look at the implications of these pending upgrades - and who they may potentially affect (including us here at OWL Cybersecurity).

TOR Project Upgrades

When Wired reported that the Tor Project was planning a series of security upgrades two weeks ago, the internet quickly took notice. The cybersecurity industry has since been attempting to determine how any measures taken to further obfuscate (or "harden") Tor's darknet websites will impact individual users, cybersecurity firms, and the darknet as a whole. 

Here at OWL Cybersecurity, for example, a portion of the data that OWL Vision (our darknet scraping tool and search platform) collects comes directly from Tor. So, it makes sense that we've started hearing from customers and associates who have heard about the proposed changes to Tor, and want to know what these increased measures of security-  intended in part to make it more difficult for tools like OWL Vision to scrape- will mean for us.

Will this impact our platform's capabilities? Will we have less data? More? How does this impact the usage of Tor? What are our plans?

Our team is well aware of the hardening of Tor and is actively preparing for it. Behind our technology is an agile team of engineers and intelligence analysts who are adept at being flexible with the changes we face working in the ever-shifting realm that is information security.

As such, we've taken a look at a couple of potential outcomes of these recent proposals from the Tor Project, which are set to "go live sometime later this year." The measures that Tor plans on taking are: 

  • Hidden services will no longer declare .onion addresses to hidden service directories; instead, they'll derive a cryptographic key from that address, which will be given to the hidden service directories.
  • Hidden services will switch to ED-25519 elliptic curve keys, which are shorter but more difficult to decrypt.
  • Hidden service directory URLs will grow from 16 to 50 characters in length.

Our Core Approach

The OWL Vision platform has mature and sophisticated methodologies for finding hidden services that do not rely on the privacy variables Tor plans on updating.

While finding these services after the proposed hardening of Tor will indeed be slightly more challenging, our core approach will remain applicable, and we are very confident that this approach will outshine the competition in our space. Nor will this hardening affect our ability to scrape hidden services once we have discovered the addresses.

In some cases, scraping content may actually become easier as some hidden services relax their requirements under the assumption that Tor itself has become more secure. 

Furthermore, while some hidden services (such as the larger darknet marketplaces) will move quickly to implement the proposed standards, many hidden services are likely to upgrade in a less timely manner. During this transition period, we will be able to collect both "old" hidden services and "new" hidden services. And, our historical archive of Tor material will continue to remain available to our clients.

Sites Want to Find Customers

We also believe that no matter what encryption is applied, many of Tor's darknet sits actually want to be discovered. Even if the majority of sites did want to limit their exposure to a specific subset of target users, this is more easily said than done.

For example, many of the darknet marketplaces (AlphaBay, Hansa, etc.) have spent a significant amount of time on not only obtaining a vanity URL but then also on sharing that URL, marketing and advertising themselves across both the darknet and the surface web and gaining customers.

While these marketplaces no doubt would prefer to keep themselves hidden to all but their target prospects or customers, this targeted marketing or advertising is difficult and often results in more widespread visibility. Sites will need to quickly establish transition plans as they presumably will not want to lose these customers they've worked so hard to attract. 

More Users, More data

Overall, we're viewing these proposed changes as positive. They will continue to make Tor an attractive and viable place on the darknet for those seeking anonymity, for good or for bad.

In fact, we predict that Tor's announcement will actually draw in more users, as the platform will be viewed as more secure. 

We look forward to seeing increase security and privacy around Tor and will continue to monitor the Tor Project's implementation of these upgrades.

Curious about something you've read on our blog? Want to learn more? Please reach out - we're more than happy to have a conversation.

OWL Vision Watching Freedom Hosting II Hack

Novice Hacker Incited by Hosting Site

Last week, a first-time hacker took down what amounts to over one-fifth of the darknet. The target, Freedom Hosting II (FH2), is purportedly the single largest hosting provider for the darknet, accounting for over 10,000 individual domains - 10,613 to be exact. Hacktivist group Anonymous, who has since been linked to the hack, and the individual hacker himself, have explained the motivation behind this large scale takedown.

According to a statement displayed on each compromised .onion website, the reason behind the hack was ethics based - referring to and triggered by the published policy that once displayed on every FH2 homepage claiming to have a "zero tolerance policy" for nefarious content.

After the FH2 websites were compromised on Friday, Anonymous released a statement that replaced the standard policy-related message above. Visitors to any FH2 hosted website were instead greeted with the following:

Hello Freedom Hosting II, you have been hacked
We are disappointed… This is an excerpt from your front page ‘We have a zero tolerance policy to child pornography.’ — but what we found while searching through your server is more than 50% child porn…
Moreover you host many scam sites, some of which are evidently run by yourself to cover hosting expenses.
All your files have been copied and your database has been dumped. (74GB of files and 2.3GB of database) 

The statement goes on to direct visitors as to where they can find the hacked data (including user email addresses, passwords and usernames).

Various news sources quickly picked up the large scale hack, including this initial report from The Verge. The resulting data dump has since been publicized and is being watched closely by cybersecurity activists worldwide.

Compromised Sites Now Being Reactivated

OWL Cybersecurity launched its own investigation by leveraging DARKINT; we pulled the compromised domains from Pastebin and directing the OWL Vision engine to crawl the each site repeatedly. OWL Vision has been collecting the entire HTML content at a higher frequency than our typical daily scraping of the darknet.

Shadow Web, a FH2 hosted website that was taken down in Friday's attack, has now appeared back online.

Shadow Web, a FH2 hosted website that was taken down in Friday's attack, has now appeared back online.

Our DARKINT showed that the sites provided were indeed defaced with the “Freedom Hosting II – hacked” landing page as published in the reports.

However, as early as Sunday night, OWL Cybersecurity analysts observed some of the hacked sites, such as Shadow Web (pictured), slowly coming back online.

From Our Analysts

Because of the complexity of the Tor relay routing system, it is difficult to determine whether the reactivated sites are reloads of the compromised domains hosted with FH2. It is equally possible that the owners of these sites have taken their source code to other darknet hosting servers and redirected the domains to point to the new (identical) sites. It is quite likely that the latter is the case, as user confidence has been significantly damaged.

A tweet from @haveibeenpwned, posted over the weekend, indicates that Anonymous also released roughly 381,000 email addresses via a MySQL database associated with the user accounts from the Freedom Hosting II breech.

Sources state that almost 21% of the 381,000 addresses were part of previous breaches registered in Have I Been Pwned?. This suggests that many of them are real, day-to-day email addresses and not simply “burner,” or disposable email addresses. Access to the site owner’s real email address gives Federal authorities the opportunity to track down and potentially prosecute individuals if they were involved in nefarious activities on the darknet.

The FH2 hack bears a striking resemblance to an October 2011 Anonymous campaign, dubbed "#opDarknet," in which the group took down Freedom Hosting I servers. Those servers were hosting over 100 GB of illegal content at the time; the operation resulted in the exposure of some 190 individuals involved in illegal activity.

Moving forward, we'll be keeping an eye on how the FH2 hack and subsequent data dump mirrors its predecessor, especially as more of these compromised websites resurface. 

Curious about something you've read on our blog? Want to learn more? Please reach out - we're more than happy to have a conversation.

Into the Darknet: Comparing MTV Developers + Users

This week we continue our "Into the Darknet" blog series, which aims to provide readers with a better understanding of the darknet's history, users, uses and purpose and examine other hot topics in DARKINT, cybersecurity, including malware, toolkits, viruses, cryptocurrency, marketplaces and OPSEC.

As we covered last week, Tor’s Hidden Services and the anonymous nature of the darknet make it an ideal space for the collaboration on and the dissemination of malware, toolkits and viruses (MTV). The composition of the groups leveraging MTV varies not only in ethnicity, gender and level of creative sophistication but also in both expertise and intention.

Some malicious code is developed by individuals, but a majority of large-scale hacking campaigns utilize an organized network of hackers with varying technical and societal backgrounds. MTV is developed and deployed by several different types of groups including state sponsored cyber groups, cyber terrorists, hacktivists, hackers-for-profit security researchers and hobbyist/individual hackers.

faceless dude in crowded subway.jpeg

Comparing EXPERIENCE: MTV Developers + Users

While some malicious code is developed by individuals, the majority of large-scale hacking campaigns utilize an organized network of hackers with varying technical and societal backgrounds.

MTV is developed and deployed by several different types of groups, including state sponsored cyber groups, cyber terrorists, hacktivists, hackers-for-profit, security researchers and hobbyist/individual hackers. Each of these groups have varying levels of experience within specialized areas, and are motivated by different (often overlapping) incentives. 

First, we look at the typical background and experience profile for each group segment.

Screen Shot 2017-02-02 at 1.56.56 PM.png

Key takeaways: 

1. Every type of persona using and developing MTV has a background in, and/or experience with, Systems Engineering + Network Architecture, Computer Programming or Scripting and Social Engineering. 

2. Only half of all groups have experience as Certified Security Professionals.

3. MTV users typically have experience in a variety of areas, making them well-rounded, flexible and difficult to profile. 



While the above comparison indicates that there is significant overlap in the characteristics of our segmented MTV groups, the factors that drive them to utilize these tools are varied and demarcate their uniqueness.  


Key Takeaways: 

1. Hacktivists are the only type of MTV users that are not driven by some form of monetary gain. 

2. Everyone who develops, uses and/or disseminates MTV is motivated by their ego, curiosity or the desire to showcase their skill set. 

3. Security Researchers and Criminal Organizations are the only groups not driven to use MTV for reasons associated with politics or ethics. For the remaining majority, these powerful, often deeply personal causes serve as motivational forces that many view as impacting the greater good.



While some malicious code is developed by individuals, a majority of large-scale hacking campaigns utilize an organized network of hackers with varying technical and societal backgrounds and motivations, as explored above. MTV is developed and deployed by many different groups including state sponsored cyber groups, cyber terrorists, hacktivists, hackers-for-profit security researchers and hobbyist/individual hackers.

Join us next week when we take a closer look at one of the most organized MTV groups in the world: nation-state sponsored cyber organizations.

Curious about something you've read on our blog? Want to learn more? Please reach out - we're more than happy to have a conversation.

Into the Darknet: Who is Developing + Using MTV?

This week we continue our "Into the Darknet" blog series, which aims to provide readers with a better understanding of the darknet's history, users, uses and purpose and examine other hot topics in DARKINT, cybersecurity, including malware, toolkits, viruses, cryptocurrency, marketplaces and OPSEC.

As we introduced last week, MTV is an overarching term that OWL Cybersecurity has adopted to refer generally to all malware, toolkits and viruses used to test, penetrate, exploit or compromise personal or commercial information systems and data.

MTV on the darknet

Tor’s Hidden Services and the anonymous nature of the darknet make it an ideal space for the collaboration on and the dissemination of MTV. In this post, we use DARKINT to take a look at the personas and types of groups behind MTV development. While some hold the common stereotype of a "hacker" to be some 400 pound guy sitting at his computer, the ethnicity, gender and level of creative sophistication behind the hackers and MTV developers of today is more diverse and unpredictable than ever before.

While malware is often spoken of with a malicious connotation, some malware is developed for the sole purpose of information assurance, e.g. penetration testing, by ethical software developers, or white hats. We regularly witness hackers of all types in darknet forums and chat room discussions, often offering their services and digital goods for sale in underground markets. The scale of the offered operation and expertise with varying types of MTV varies dramatically according to each developer's or hacker's intent and resources.

Some malicious code is developed by individuals, but a majority of large-scale hacking campaigns utilize an organized network of hackers with varying technical and societal backgrounds. MTV is developed and deployed by several different types of groups including state sponsored cyber groups, cyber terrorists, hacktivists, hackers-for-profit security researchers and hobbyist/individual hackers.*

*Stay tuned for a post comparing these groups, their expertise and intentions!

Black hat + White hat hackers

Richard Stallman

In a computer laboratory on the campus of Massachusetts Institute of Technology (MIT), a crusader for the concept of open source and freely accessible software by the name of Richard Stallman conceived the term “black hat” to contrast the maliciousness of a criminal hacker with the spirit of playfulness and exploration of the booming hacker culture. 

While "white hat" and "black hat" correspond to those who infiltrate computer information systems with either good or evil intent, we all know there are many shades of grey in between the two. Most of us in information security struggle with labels and can certainly relate to the idea that most hackers will wear a “rainbow hat,” taking on a different shade depending on his or her mood, experience and intention at the time.

Grey Hat Hackers

One definition of "grey hat" hackers encompasses those who utilize black hat methods with a white hat, or ethical, intent. Another states that grey hat hackers are often white hat security experts by day who act as malicious black hat hackers by night. Regardless, grey hats have been instrumental to the software development community, identifying many 0-day exploits before they are a public, major security issue.  However, once a grey hat hacker receives payment or monetary gain for their work, he has crossed the boundary into the realm of a black hat. The specifics of a grey hat hacker’s formal code of ethics are unfortunately unknown.

Politically charged groups like Anonymous recruit grey hat hackers to use both white hat and black hat hacking methodologies to launch their attack against an organization’s network, often to highlight their moral, political or ethical statement or “hacktivist” campaign. These hackers come from all age groups and backgrounds and are widely distributed across the globe. They have been most active on the darknet in several campaigns to oust criminals involved in illicit activities with children, where the hactivists exposed these criminals of the darknet by releasing their names and email addresses.

Organized Crime in the digital realm

The typical cyber criminal organization consists of a group of predominantly male, black hat hackers with an average age of about 35. While the true percentage of “organized” digital crime is unknown, many cyber crime rings consist of small groups of individual black hats who collaborate together for monetary gain, like the 2013 ATM Casher Crew, comprised of less than a dozen members, whose average daily earnings totaled almost $5MM after the group successfully hacked 4,500 ATMs across 20 countries. [1]

Some organized crime groups have developed and disseminated malware designed specifically to steal bank account details from an infected computer. This same malicious software could also be used to turn the affected machines into a “zombie army” to launch a distributed denial of service (DDoS) attack against the bank with the intent to distract the bank's IT security staff, while the team cleans out bank accounts using the stolen account credentials or offers the credentials for sale on popular darknet marketplaces like AlphaBay.

In December 2016, authorities arrested 35-year old Aaron James Glende (aka IcyEagle) for hosting over 300 darknet market listings selling credentials, including an offer of “Hacked SunTrust Bank Account Logins $100-$500 Balances” for $9.99. [2]

Final thoughts

From white hat hackers using MTV for legal, sanctioned penetration testing to black hat hackers deploying MTV to steal and sell account credentials, the various players in the MTV realm are developing and deploying these malware, toolkits and viruses at an alarming rate. The darknet is their playground of choice, and DARKINT allows us to better understand and track developments when it comes to MTV.

Join us next week when we take a closer look at comparing the varying levels of experience and intent behind hacker personas!

Curious about something you've read on our blog? Want to learn more? Please reach out - we're more than happy to have a conversation.


Into the Darknet: What is MTV?

This week we relaunch our "Into the Darknet" blog series that will not only provide a better understanding of the darknet's history, users, uses and purpose, but will also take an in-depth look at other hot topics in DARKINT, cybersecurity, including malware, toolkits, viruses, cryptocurrency, marketplaces and OPSEC.


In this post, we take a high-level look at malware, toolkits and viruses (MTV), as they are some of the most commonly discussed, released and exchanged tools on the darknet.

Our analysts have adopted the term "MTV" to refer generally to a collection of malware, toolkits and viruses that are used to test, penetrate, exploit or compromise personal or commercial information systems and data. Common systems where MTV could be employed include desktop computers, laptops, servers, network devices, routers, firewalls, printers, WiFi adapters, tablets and smartphones.

What is MTV?

MTV is, and includes, any type of software code used either for good (information assurance) or bad (malicious) purposes, such as: Bots, Password Crackers, Rootkits, Adware, Backdoor Access, Keyloggers, Ransomware and Remote Access Trojans.

The average hacker will have some or all of these handy in his or her arsenal of tools to use against targeted information systems and will often utilize a variety of MTV in a full-fledged attack, depending on the intent of the operation.

Both penetration testing and risk analysis activities, like those conducted by the OWL Cybersecurity teams, utilize these MTV tools for preventative purposes, to detect security holes which could lead to a compromised network. For example, THC Hydra (an open-source password cracking tool) can be used to test the strength of users' passwords on private or commercial networks.

Malicious hackers, cyber spies and cyber criminals, however, can easily use this same code to exploit user accounts with weak credentials.

Type of MTV



Code installed on a compromised computer enslaving the system to a master botnet owner, who controls the, now zombie, along with hundreds or thousands of other infected systems to conduct large-scale attacks.

Password Cracker

While a password protects a computer from unauthorized access, a password cracker is code designed to intelligently guess or recover a password in order to gain access to a targeted system. Common open source password crackers include Brutus and John the Ripper.


A clandestine computer program designed to provide continued, administrative access to a computer while actively concealing its presence, burying itself deep within the system. Famous rootkit malware includes Flame and Zeus.


Computer code designed to influence the user’s internet browsing experience by displaying specific advertising content. Malicious versions of adware incorporate spyware, which collects and disseminates a user’s personal information, passwords and browsing history.


An undocumented method to obtain access to a computer information system from a remote location. Some backdoors are intentionally installed by developers for debugging and troubleshooting purposes, while others are installed by MTV developers to maintain persistent, unauthorized access.


A covert tool used to record the keystrokes of a user of a computer information system, often to gain unauthorized access, which stores personal information, usernames and passwords. Keyloggers are utilized in both software and hardware implementations. Popular open source keyloggers include REFOG and Revealer.


Malicious code used to block access to, or data contained on, a computer information system, for the purpose of financial gain. The most destructive form of MTV, ransomware employed in 2016 includes Cerber, Locky and Cyptowall.

Remote Access Trojan

Software used for precise, malicious operation, a remote access trojan (RAT) provides complete control over a remote computer information system. These are the most difficult to detect, as RATs often mimic legitimate commercial remote administration tools. Common RATs used for malicious purposes include: Sakula, Dark Comet and Havex.

A brief History of MTV

The first example of malware debuted in the early 1980's as a software video game piggyback, displaying the now-infamous Elk Cloner poem and corrupting the Apple boot sector. 

It will get on all your disks
It will infiltrate your chips
Yes it’s Cloner!

It will stick to you like glue
It will modify ram too

Send in the Cloner!
— Elk Cloner Poem

In the late 1990's and early 2000's, both the MTV market and the hacker community exploded with the propagation of the internet, aggressive social engineering tactics and the exploitation of spam emails for malware distribution.

By the mid-to-late 2000's, malware like Conficker and Sinowal demonstrated how aggressively a virus can spread, and remote command and control, enabled via clandestine communication and package concealment was born.

As antivirus companies grew to counter these emerging threats, the hacker community accepted the challenge and created even more sophisticated and difficult to detect MTV.

Accessing valuable protected information

As society has become more dependent on online activity, our digital footprints, or online presences, have expanded. A lucrative market for the trade in this information existing on the darknet, with high value placed on personally identifiable information (PII), among other bits of data.

Malicious hackers and cyber criminals require a variety of MTV tools, such as network discovery tools, password crackers and backdoor access programs, in order to gain unauthorized access to key systems containing this valuable data.

These attackers establish a persistent presence via advanced persistent threats (APT) and remote access tools (RAT) to evade detection - and mitigate any IT security measures in place there to stop them.

Once connections are established and secured, hackers launch automated data mining programs to harvest valuable information, like PII, and send it to a remote server for final dissemination or leverage. 

UP NEXT In "Into the darknet"

In our next post, we will take a look at the "who" behind the development of MTV, and, through our unique DARKINT, get to know some of the known, key actors of the darknet.