Red Sky Alliance maintains a substantial dark web collections data set and we make this data available to our customers through our CTAC, RedXray, and API products. This gives customers the opportunity to explore and perform analyses on dark web data without the need for establishing a safe infrastructure for navigating the Tor network. To date we have collected over 1.4 million data points across 80 dark web sites. The set of sites that we collect from on an ongoing basis will change with new sites coming in and older sites shutting down, but we still maintain historical data for each site we collect from.
Our collection processes allow us to capture text on designated dark web sites, which then gets added to our Cyber Threat Analysis Center, or CTAC product for exploration. CTAC uses Amazon OpenSearch as a backend, which makes querying and analyzing data a simple matter. We can see below in Figure 1 a general overview of the nature of the sites we have collected from thus far in 2022. We can see that the majority of the sites we have collected from thus far have been forums, followed by a number of marketplaces and ransomware sites.
Figure 1. Distribution of dark web sites collected from in 2022.
As is clear from the distribution of the data, discussion forums so far this year. Due to the nature of discussion forums, quite a lot of the data ends up being filler or noise, but there is still valuable information to be found. An example of this is shown below in Figure 2. This is a set of leaked Spotify credentials found on the “Best Carding World Forum.” Given are email and password combinations along with payment method information. One thing to note about this kind of leak is that email/password combinations can be particularly dangerous since many people tend to use either the same or similar passwords for multiple accounts. Thus, the credentials present in this leak may also be used to access an individual’s email or Paypal account in addition to Spotify.
Figure 2. Leaked Spotify credentials on Best Carding World Forum.
Below in Figure 3, we give an overview of the most active sites we collect from in each category. For discussion forums, the Rutor forum is the clear leader, accounting for approximately 91% of our forum collections for this year. Other forums such as Dread, Helium, Best Carding World, and Darknet City each account for relatively small proportions of the remaining forum collections. For marketplaces, the ASAP Market accounts for nearly 43% of our collections, with DarkDock not far behind. The other notable marketplaces we have collected from this year include Dark0de Reborn, Digital Thrift Shop, and Black Market Guns. In terms of ransomware sites, Conti is the leader of the category, accounting for approximately 39% of our ransomware collections. Following behind are Grief, Lockbit 2.0, Snatch, and Cl0p.
Figure 3. Distribution of active sites in collection categories.
Moving the focus to marketplaces, as one might imagine, a wide variety of goods are available for sale on the dark web. An overview of the item categories in our marketplace collections can be seen in Figure 4. The largest item category in our marketplace collections are digital goods, which can encompass any number of things from instructions on how to commit fraud, account credentials, software keys, stolen credit card information, etc. Many of the remaining categories involve drugs, i.e., cannabis, benzos, stimulants, psychedelics, etc. Other items found in dark web marketplaces may include database dumps, or pirated software and ebooks.
Figure 4. Categories of items found in dark web marketplaces.
In terms of our ransomware collections, we can easily pull together a list of domains for the most active ransomware listings so far for this year. That can be seen in Figure 5.
Figure 5. Domains for most active ransomware collections.
One distinct advantage of our collections is how easily one area of collection connects to others. Take note of the tkelevator domain listing. Interestingly, we can connect this domain to a number of credentials found in our breach collections. These records are shown in Figure 6, demonstrating how leaked credentials could end up leading to future ransomware attacks.
Figure 6. Credentials found for tkelevator.com in breach collections.
Of course, it needs to be mentioned here that these are simply interesting discoveries in our collections, and they may not necessarily reflect direct causes of any issues. This information should be used in conjunction with context, risk analyses, or information gathered from other sources for decision-making and action planning.
About Red Sky Alliance
Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives. Internal monitoring is common practice. However, external threats are often overlooked and can represent an early warning of impending cyber-attacks. Red Sky Alliance can provide both internal monitoring in tandem with RedXray notifications on external threats to include, botnet activity, public data breaches, phishing, fraud, and general targeting.
Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or firstname.lastname@example.org
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings