This Week in the Darknet

Welcome to our first "This Week in the Darknet" post! Each week, we will explore an event or topic of interest that we have recently discovered on the darknet.

This week we're taking a look at the latest updates on the confirmed Yahoo breach and its connection to the darknet marketplace on which many mega breach credentials are listed and sold, TheRealDeal.


Yahoo last week officially confirmed that a breach from 2014 lead to the exposure of the credentials and information of 500 million Yahoo users and that the hacked data included names, email addresses, telephone numbers, dates of birth, hashed passwords and security questions and answers. 

We, along with many others in the information security world, were first aware of this breach in early August when the hacker(s) known as Peace, tied to both the LinkedIn and Myspace mega breaches, first listed data associated with 200 million Yahoo accounts for sale on TheRealDeal. A representative of Yahoo was quoted by Motherboard saying that Yahoo "[was] aware of a claim" at the time, but we heard nothing else from Yahoo until this past week.  

TheRealDeal darknet marketplace has appeared in headlines in recent months as hackers such as Peace and TheDarkOverlord, who you may remember was linked to the breach of over 9 million healthcare records, continue to use the marketplace to list and sell datasets from mega breaches. When Yahoo confirmed the 500 million user credential breach last week, our analysts, who track TheRealDeal marketplace, checked the status of Peace's 200 million Yahoo account listing. Interestingly, our team was unable to view the listing as TheRealDeal has been suffering a distributed denial-of-service (DDoS) attack.

TheRealDeal marketplace is experiencing a distributed denial-of-service (DDoS) attack. TheRealDeal no longer shows the above error message and currently throws a standard "No response from [...]" error. 

TheRealDeal marketplace is experiencing a distributed denial-of-service (DDoS) attack. TheRealDeal no longer shows the above error message and currently throws a standard "No response from [...]" error. 

A DDoS attack entails bringing down a network or network resource by flooding it with useless traffic coming from a number of sources. DDoS attacks on darknet sites are rather uncommon, and the timing of this one is interesting for a few reasons.

First, the site went down due to the DDoS attack right around the time that Yahoo confirmed the breach. (Yahoo also happens to be in the middle of a $4.8 billion deal to sell its core internet business to Verizon.) Second, this attack comes as France-based hosting provider, OVH, is hit with the world's largest DDoS attack, powered by internet of things (IoT) devices, which reached over one terabit per second (Tbps). Third, this attack also comes as security writer Brian Krebs site went down for days due to a "large and unusual" DDoS attack.

Why would someone want to take down a darknet marketplace? Any of the above could potentially answer this question - perhaps an organization wants to keep the dataset from being sold, the Tor nodes supporting TheRealDeal are hosted on OVH or perhaps a hacker or hackers are testing a new DDoS attack, like the IoT DDoS.

Our team will continue to track the status of TheRealDeal, the hacked Yahoo credentials and ongoing implications. We're more than happy to answer your questions about TheRealDeal, Yahoo, activities on the darknet, dark web, deep web and surface web. Our goal, in addition to providing darknet security solutions and services, is to educate you. Please reach out!

Until next week,
The OWL Cybersecurity Team