Dark Web Trends, Q3 & Q4 2021

10084484464?profile=RESIZE_180x180Red Sky Alliance has been building our dark web data collection since late January 2021. With it, we are able to make dark web content available without the need for analysts to touch the dark web to visit Tor .onion sites. To date, we have over 1.3 million data points on over 75 sites and we are adding new sites regulary. The dark web sites that we collect from evolves over time as new sites come and older sites shut down, but we maintain a historical record of those decommissioned sites. Lastly, we also take suggestions from our customers if we are not collecting from a site that they would like to see data from.

We have developed custom processes to capture text data from dark web sites that we designate, parse that information into a format that then gets added to our Cyber Threat Analysis Center, known as CTAC. CTAC uses Elasticsearch on the backend which makes querying the data extremely easy. Using CTAC, analysts can also run analytics on that data using Kibana. Everything in this article was generated from our dark web data collection and CTAC.

If we take a look at the pie chart in Figure 1, it shows the dark web collection broken down by site type. We currently ingest data from dark web forums, marketplaces, and ransomware sites.

10084549866?profile=RESIZE_710xFigure 1: Dark Web Data by Site Type


Discussion forum posts make up a large part of the content. While we do certainly find a lot of noise on discussion forums, there is valuable information to found there. For example in Figure 2, we see a post from the ”Best Carding World Forum” that exposes credentials for several Netflix accounts. This entry also exposes the payment method that the Netflix customer used for billing which for 2 of the 4 cases, is Paypal. As we all know, password re-use is a big problem and if the compromised Netflix user used the same password for their PayPal account, that PayPal account is very likely to have also been compromised. And this is just one of many forums that we have data for.

10084552095?profile=RESIZE_710xFigure 2: "Best Carding World Forum" Netflix credential leak

Figure 3 shows the Top 5 most active sites for each site type over the past 4 months.

 For discussion forums, we see as most active are:

  1. XSS
  2. Rutor
  3. Kohlchan
  4. DNM Avengers
  5. Dread

Compare this to what we observed in May, 2021.

Looking at marketplaces, UAS RDP Market has decreased over the last half of 2021 while White House Market activity has increased. Zero Day today activity has also decreased significantly, dropping from the #3 spot to the #5 spot.

Ransomware groups that sell or give away stolen data are ranked in Figure 3. The activity we have seen remained largely unchanged in the last half of 2021 from what we observed in May of that same year. However, it's worth noting that the Revil site was shutdown after an Russian FSB enforcement action in late January 2022.

10084565860?profile=RESIZE_710xFigure 3: Most active dark web sites by type


While preparing for this presentation, on Feb. 7, 2022, Red Sky analysts discovered this notification posted on the UAS RDP Market site, indicating the stie was “closed forever” by the Russian government.

10084566681?profile=RESIZE_710xFigure 4: UAS RDP Market take down page

The page reads, in part: “Management ‘K’ of the BSTM of the Ministry of Internal Affairs of Russia warns: theft of funds from bank cards is illegal!

The page goes on to cite Articles 272 and 273 of the Criminal Code of the Russian Federation which makes it illegal to steal or destroy data, or to create, distribute, or use software that is knowingly intended for data theft or destruction, or neutralizing data protection mechanisms.

Traditionally, cyber criminal have been allowed to operate in Russia territories as long as they did not target Russian organizations. The motivation behind these take downs performed by the Russian authorities is unknown at this time.

Looking at the most active cybersecurity-related marketplace categories in Figure 5, we see “digital goods” has replaced “web applications” at the top of the list. Examining the data shows the digital goods category encompasses many things, including instructions for committing fraud and identity theft, compromised account credentials, stolen databases, software keys, and stolen credit card information. You can see a small sample of those listings in Figure 6. Also in Figure 6, you will see that we have price data on these items as well for anyone that is interested in doing a price analysis on dark web marketplaces.

Among the other categories, we can see a strong emphasis on fraud, credit card theft, and compromised credentials.

10084567087?profile=RESIZE_710xFigure 5: Most active marketplace categories


10084569856?profile=RESIZE_710xFigure 6: Digital goods for sale

Looking at the most active users on the Top 5 most active marketplaces, we see some users operating on multiple marketplaces in Figure 7. For example, EmpireShop is active on both ASAP marketplace and White House Market. The user DrunkDragon seems to have decreased activity on White House Market since last May.

Likewise, the vendor GoldApple seems to have decreased activity on both World Market, or ASAP Market from what we observed last May.

Operating on multiple markets with the same account name, like EmpireShop is doing, is likely done to build brand loyalty with customers, but using the same vendor name on both sites also makes it easier for analysts to track threat actor activities across multiple marketplaces.

10084571283?profile=RESIZE_710xFigure 7: Most active marketplace vendors on the Top 5 marketplaces


Looking at ransomware activiy, on the left side of Figure 8 we see a list of domains for the most active ransomware listings in the second half of 2021. This is interesting to compare with what was printed in mainstream media. We have found that many ransomware victims are not publicized in the mainstream media. Also in Figure 8, we see a correlation between our breach data collection and our dark web collection that powerfully illustrates how a single compromised set of credentials could lead to a ransomware attack.

At the bottom of the figure, we see a record from out breach data collection showing a compromised credential pair for a domain belonging to a law firm. This record is dated July 2020.

Then, in January 2022, we observed the same law firm as being the victim of a ransomware attack on the Marketo ransomware site where stolen data is auctioned to the highest bidder. To be clear, these are the ONLY two indicators we have found in our threat intelligence data related to this domain. It’s an interesting correlation, and we must be careful not to assert causation. We cannot be sure that the leaked credentials were used in the ransomware attack. However, it is a definite possibility with the tendency of users to re-use passwords across multiple accounts.

10084576056?profile=RESIZE_710xFigure 8: Dark Web correlation with Compromised Credentials

In summation, based on the dark web activity we have seen over the last half of 2021, the Top cybersecurity threats for 2022 continue to be ransomware, and password re-use.

Please contact Red Sky Alliance with any question regarding this material or for more information on our dark web data set.


E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!