
10 Things About the Dark Web You Probably Didn’t Know


Mention the dark web and many people summon imagery of a massive, mysterious online criminal
underground, where all manner of products and information are bought, sold, and traded, hidden
away from the prying eyes of the public and law enforcement.

But is that really what it’s like, or is that just cybersecurity marketing hype?

10 Things About the Dark Web You Probably Didn’t Know | Recorded Future | www.recordedfuture.com
It’s Way More Than Just What You Can’t Google
Friends in Dark Places: Social Networks
Cyber Threat Actors Profiting From Exploits
The Role of Cryptocurrency
It’s Probably Not Speaking Your Language
Thieves and Geeks: Russian and Chinese Threat Actors
It’s a Useful Tool for Organized Crime
There’s No Honor Among Dark Web Thieves
Bad Actors Use the Dark Web to Recruit Corporate Insiders
Data Leaks Aren’t Only on the Dark Web
Just One of Many Sources of Threat Intelligence

It’s Way More Than Just What You Can’t Google

So what’s in a name? There has been a tendency to label the dark web as “any
website not indexed by Google,” but this definition is far too broad.

Recorded Future’s director of advanced collection, Andrei Barysevich, has worked
as a consultant for the FBI Cyber Division and with international law enforcement
on many cases involving Russian cybercriminals. He offers this definition of the
dark web:

“The term ‘dark web’ can be confusing. I’d like to name it the criminal underground.
Let’s imagine a nondescript entrance to a bar in a dark alley — a place which you
will not find in the yellow pages. If you know the secret knock and password, they’ll
let you in. Otherwise, good luck next time. The same concept actually applies to the
criminal underground, or dark web communities, which you will not find via Google
or any other search engine. Some of them may only be onion sites accessible
through Tor, and others might only have an IP address, but no name at all.”

Friends in Dark Places: Social Networks
There might be the temptation to think that every person accessing the dark web is
a criminal looking to profit from the misfortune of others. Recorded Future recently
conducted social network analysis on threat actor data. From this work, we saw that
the dark web is organized in three distinct and not always connected communities:

Low-Tier Underground Forums: Usually free and open-access forums, with many
novice members.

Higher-Tier Dark Web Forums: The access is generally restricted through things
like strict membership vetting, only hosting the site on Tor, or other requirements
for access. Members of these sites are experienced and regarded as reputable
by other members of the criminal community. Rippers (members that scam other
members without delivering a good or service) are scarce, and rigorous banning
is enforced in order to protect the community.

Dark Web Markets: Market sites with listings of illicit services and goods, stolen
credentials, credit card dumps, and so on. The access is usually open, meaning that
they do not require an existing member to vouch for new registrants.

Although there are many shared connections between the lower and higher-tier
forums, barely any of these profiles are also present on the markets.

Cyber Threat Actors Profiting From Exploits
Threat actor communities monitor sources and look for vulnerabilities to exploit
and profit from. In many cases, analysis of new vulnerabilities will be translated into
the native languages of dark web communities to help them better understand the
ways they could be weaponized.

It is also common for proof-of-concept malware to be developed and shared
through code repositories. Threat actors will then seek ways to use this malicious
code in malware or exploit kits. Once threat actors are content that the malcode
is effective, they will begin to market it to the rest of their dark web community.

One advantage to defenders here is that threat actors also use the CVE naming
convention when discussing vulnerabilities or selling malware. This means that
intelligence gathered from the right sources can give unique insight into those
vulnerabilities actually being exploited in the wild.
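Because CVE identifiers stay in Latin characters whatever the language of the post, they can be pulled out of collected text and compared against your own unpatched inventory. The sketch below is an added example, not code from Recorded Future; the posts, the CVE-2099-* identifiers and the inventory are constructed placeholders.

```python
import re
from collections import Counter

# ASCII-only lookarounds instead of \b: Python's \b is Unicode-aware, so an ID
# written directly against Cyrillic or CJK characters would otherwise be missed.
CVE_RE = re.compile(
    r"(?<![A-Za-z0-9])CVE[-_ ]?([0-9]{4})[-_ ]([0-9]{4,})(?![0-9])",
    re.IGNORECASE,
)

def extract_cves(text):
    """Return the set of normalised CVE IDs mentioned in one post."""
    return {f"CVE-{year}-{num}" for year, num in CVE_RE.findall(text)}

def rank_mentions(posts, unpatched):
    """Count posts per CVE and keep only IDs present in our unpatched inventory."""
    counts = Counter()
    for post in posts:
        counts.update(extract_cves(post))  # a set, so each post counts once per CVE
    hits = [(cve, n) for cve, n in counts.items() if cve in unpatched]
    return sorted(hits, key=lambda item: (-item[1], item[0]))

# Constructed sample posts (placeholder IDs, not real vulnerabilities).
POSTS = [
    "Обсуждение CVE-2099-0001: анализ уязвимости",
    "针对cve-2099-0001的分析已翻译",
    "new kit mentions CVE_2099_0002 and CVE-2099-0001",
    "CVE-2099-0003 writeup; CVE-2099-0003 reposted",
]
# Constructed inventory of CVEs still unpatched in our environment.
UNPATCHED = {"CVE-2099-0001", "CVE-2099-0003", "CVE-2099-0009"}

if __name__ == "__main__":
    for cve, n in rank_mentions(POSTS, UNPATCHED):
        print(f"{cve}: mentioned in {n} post(s)")
```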

In the eyes of a criminal, no company is unique. Often perpetrators will initially cast
a wide net and move toward the easiest prey. It’s far more likely that a company
becomes a victim via a common attack vector rather than a highly sophisticated
and tailored attack.

The Role of Cryptocurrency
The rise of these online criminal communities has coincided with that of
cryptocurrencies like Bitcoin, Monero, and Litecoin. Traditionally, threat actors
looking to make money through exploits and malware would have to find a way to
eventually get their hands on the cash they earned either as payment for developing
them or the profits from their use. This was also the reason they usually got caught.
Law enforcement generally applies the rule “follow the money.”

To provide a greater level of anonymity for illicit transactions, many dark web
communities had been using Bitcoin, but recent research from Recorded Future
revealed that Bitcoin’s increasing popularity and transaction cost have driven
cybercriminal organizations to use lesser-known currencies like Litecoin, Monero,
or Dash.

It’s Probably Not Speaking Your Language
Traditional dark web “markets” selling illicit drugs, firearms, or stolen credit card
details may operate in English in order to reach the widest available audience.

However, the kind of dark web communities that develop and trade malware
are predominantly Russian- or Chinese-speaking forums. This language barrier
presents significant challenges to anyone trying to collect and analyze intelligence
from these discussions.

This is where technology can help. Machines that are able to understand these
languages can collect and analyze data from dark web locations and alert
you to relevant information as well as translate these references so you are
able to read them.

Thieves and Geeks: Russian and Chinese Threat Actors
Russian forums leave very little room for socializing or camaraderie. These sites
are places of business, not bastions for community. Respect and trust are built on
successful financial transactions, and the reliable, consistent forum members rise
to the top of their trade, while those with lesser consistency are given poor ratings.

Despite being focused on business, successful members offer useful tools and
good customer service. Sellers of trojans and spam services give out holiday
discounts, and bulletproof hosters pay referral bonuses to any existing customers
who send them new business. These actors operate with the financial wit of the
major corporations they themselves so often target.

Unlike Russia’s underground hacking community, many of China’s first hackers
rallied around patriotism. Chinese forum members feel an overwhelming sense
of community online. The term “geek spirit” (极客精神) is used to describe the
culture of these forums. It refers to groups of technical individuals who hope
to create a more ideal society. Many of these forums require members to engage
with a post, either through a comment or personal message, before being able to
purchase or trade malware.

It’s a Useful Tool for Organized Crime
Intelligence gathered by Recorded Future from dark web communities shows
that organized criminal groups (OCGs) are using hackers as a service to defraud
businesses and individuals. These groups operate just like legitimate businesses
in many ways, with a hierarchy of members working as a team to create, operate,
and maintain fraud schemes.

A typical group is controlled by a single mastermind. The group might include
bankers with extensive connections in the financial industry to arrange money
laundering, forgers responsible for fake documents and supporting paperwork,
professional project managers who oversee the technical aspects of operations,
software engineers, and skilled hackers. Some groups include ex-law enforcement
agents who gather information and run counterintelligence operations.

The members of these cybercriminal syndicates tend to have strong ties in real
life, and often are respected members of their communities. They certainly don’t
regard themselves as ordinary street criminals. They rarely cross paths with
everyday gangsters, preferring to remain in the shadows and avoid attention from
law enforcement and local mafia branches. However, schemes that require large
numbers of people — for example, those with large cash-out operations — can
involve a chain of intermediaries who recruit and manage the “troopers.”

There’s No Honor Among Dark Web Thieves
In Russian forums in particular, there is little patience for selling poorly executed
tools or deliberate dishonesty. Members with poor ratings or bad reviews often
end up on the forum’s blacklist and can be sentenced to a role as a “kidala,” or
“ripper,” meaning an individual who rips off others. There are no apprentices in
this corner of the dark web, and few Russian forum members are willing to teach
anyone anything without clear financial benefit.

The problem of rippers on these forums has driven some members to set up
other dark web sites to report offenders. Visitors to these sites are able to flag
the user profiles they suspect, as well as information on how they are scamming
other forum users.

Bad Actors Use the Dark Web to Recruit Corporate Insiders
There are cases when cybercriminals need an “inside man” to help them profit from
their illegal activities. They most often look to find an individual in an organization
who can help them with something like “cashing out” stolen credit card or account
information. To recruit these insiders, threat actors will often advertise for them
on dark web markets and forums.

Getting alerted to potential insider threats on closed forums or the dark web takes
two forms. Monitoring for direct mentions of your organization or assets is the
first priority, as mentions likely indicate either targeting or a potential breach.
Industry mentions or tangential targeting are the next avenue of monitoring, as
mentions of a “UK bank” or “x number of banking accounts” attempt to cover the
source of the information.

Data Leaks Aren’t Only on the Dark Web
In most cases, threat actors who have breached financial data will look to find ways
to monetize it through less skilled and more commercially-minded intermediaries.
This means using sites known as “carding forums” that sell either synthetic card
numbers that will pass cursory checks, or card “fullz” — comprehensive records
that pair stolen credit card numbers with the associated CVV codes — and in some
cases, the social security number or date of birth of the actual owner.

Actors selling leaked credentials from websites or other systems also crop up on
the dark web. As a way to advertise the legitimacy of the breached data, they will
often publish incomplete lists of their breached data not just to the dark web, but
also to more easily accessible paste sites (sites like Pastebin or Ghostbin). These
are useful sources to monitor for potential compromises of credentials in your
own organization.
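One way to check a collected paste for exposure of your own accounts, shown as an added example that is not part of the original document. It assumes the common `user@host<separator>secret` line layout; `example.com`, the sample paste and the function names are constructed for illustration.

```python
import hashlib
import re

# One credential per line: user@host, then ':', ';' or '|', then the secret.
LINE_RE = re.compile(
    r"^\s*([A-Za-z0-9._%+-]+)@([A-Za-z0-9.-]+)\s*[:;|]\s*(\S.*?)\s*$"
)

def in_scope(host, org_domains):
    """True for an org domain or one of its subdomains, not for look-alikes."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in org_domains)

def find_exposed(paste_text, org_domains):
    """Map each in-scope account to fingerprints of the secrets seen for it.

    The secret itself is never kept: only a truncated SHA-256 is stored, which
    is enough to deduplicate and to compare against later pastes.
    """
    exposed = {}
    for line in paste_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # not a credential-shaped line
        user, host, secret = match.groups()
        if not in_scope(host, org_domains):
            continue
        account = f"{user.lower()}@{host.lower()}"
        fingerprint = hashlib.sha256(secret.encode("utf-8")).hexdigest()[:12]
        exposed.setdefault(account, set()).add(fingerprint)
    return {account: sorted(fps) for account, fps in exposed.items()}

# Constructed sample paste; every address and secret here is made up.
SAMPLE_PASTE = """\
alice@example.com:Winter2099!
ALICE@Example.com:Winter2099!
bob@mail.example.com;constructed-secret
carol@notexample.com:zzz
dave@example.com.evil.test|abc
partial list, more available on request
"""

if __name__ == "__main__":
    for account, fps in find_exposed(SAMPLE_PASTE, {"example.com"}).items():
        print(account, fps)
```

Accounts returned here are candidates for a forced password reset and a review of recent sign-ins.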

Just One of Many Sources of Threat Intelligence
We mentioned at the start that just thinking of the dark web as all the sites not
indexed by Google is too broad of a definition, but it’s not entirely wrong, either. If
you only collect data from open sources when generating cyber threat intelligence,
you will miss out on just about everything happening in the criminal underground.
That can be a huge blind spot in your organization’s risk assessment — the most
comprehensive threat intelligence comes from data gathered not only from open
sources, but technical sources and the dark web as well.

To see more best practices for creating and using threat intelligence, get your free
copy of “The Threat Intelligence Handbook.” It’s got everything you need to know
about how to use threat intelligence to work faster and smarter, no matter what
security role you’re in.
