3 Dark Web Intelligence Trends for Security Teams to Monitor


The dark web is perhaps the most notable and feared environment that threat actors leverage, often represented by the image of a hacker in a hoodie. Though the term traditionally refers to largely closed and inaccessible sources hosted on anonymous networks like Tor, threat actors operate seamlessly across a variety of platforms. Hacking and carding forums, illicit marketplaces, data leak sites, encrypted chat platforms, and associated social media sites and discussion boards together give threat actors a network, and understanding and addressing the threats that emerge from it requires dark web intelligence.

In 2020, ZeroFox threat researchers published nearly 1,500 internal reports on notable findings across this cybercriminal ecosystem of forums, marketplaces, data leak sites, encrypted chat platforms, and discussion boards. The rapid advancement and circulation of computing technologies since the turn of the millennium have given rise to an unprecedented number of interconnected individuals. In turn, this has also driven an increase in opportunity for cyber threat activity ranging from sophisticated nation-state hacking and cybercrime-as-a-service models to compromised account takeovers and phishing scams. In this post, we’ll discuss the top 3 dark web intelligence trends our team has observed over the last 12 months.


While the dark web has been stereotyped as a criminal underground, there are legitimate security concerns that warrant effective monitoring and analysis. Over the last 12 months, ZeroFox has observed the tactics and techniques threat actors have adopted and adapted to meet the remote work environment established by the COVID-19 pandemic. 

Rise of Double Extortion Ransomware

In 2020, sophisticated ransomware gangs increasingly adopted new tactics to place additional pressure on their targets. Many groups shifted to a double extortion model throughout the year: encrypting the victim's data for ransom and then also threatening to release it online. Since the second half of 2019, ZeroFox has observed the creation of, and tracked updates to, over two dozen primarily Tor-hosted leak sites stood up by ransomware gangs to dump the data of non-compliant victims. REvil, Maze, Netwalker, and DoppelPaymer led the way in 2020, standing up their sites early in the year. Follow-on gangs quickly became dominant players in this space as well: Conti launched in August, and Egregor launched in September and allegedly recruited operators from Maze (which officially closed in November). Besides data exposure, some groups tested other tactics alongside their successful distribution of ransomware, such as Distributed Denial of Service (DDoS) attacks, victim shaming through social media advertisements, cold-calling victims who refuse to pay, and sending extortion threats to the customers of targeted companies, not just their corporate representatives.

Image: ZeroFox Reporting on Ransomware Leak Sites in 2020

Forum Brokers of Access and Data

The rise of double extortion ransomware operations exemplifies a broader trend of the increasing professionalization of the cybercriminal underground over the past several years. Serious threat actors work to establish their reputations as trustworthy and formidable brokers of access and data across various forums. Some sellers strictly follow established forum rules for presenting their products, while others dump partial or complete leaks of sensitive information for free to garner attention and build a brand. Buyers and collectors then exploit these offerings for a plethora of follow-on malicious targeting, such as malware and ransomware delivery, credential stuffing and account takeover, or phishing and other social engineering. ZeroFox closely monitors the established operators and rising stars of these activities as part of its dark web monitoring efforts.

Image: Exploit User Operating Thread of Access Sales (Translated to English)

Resilience of Illicit Marketplaces

The COVID-19 pandemic and coordinated law enforcement actions created new challenges for various illicit marketplaces. ZeroFox noted several Tor-based marketplaces that allegedly stole their users’ money and shut down in 2020, most notably Empire Market, Icarus Market, and Apollon Market. In September 2020, authorities announced the results of Operation DisrupTor, which targeted dark web opioid trafficking and led to the arrests of 179 vendors. In January 2021, an international police operation seized control of Dark Market, briefly the largest marketplace on the dark web, and arrested its administrator. The seizure prompted the “proof-of-life” post shown in the image below on the Reddit-style dark web forum “Dread”, which requested evidence of ongoing business from other market administrators.

Image: Proof-of-Life Post by Dread Administrator After Dark Market Seizure

Despite these pressures, ZeroFox continues to observe considerable resilience in illicit marketplaces, especially those that specialize in digital products instead of physical goods. Besides primarily fake offerings of COVID-19 testing kits and vaccine doses, the most adaptive dark web sellers pivoted to monetizing personally identifiable information (PII) for defrauding COVID-19 economic relief programs. The below image shows one social security number (SSN) shop with a dedicated section for “fakepayout_covid” that returns tens of thousands of products available for purchase.

Image: SSN Shop Selling PII Data for Fraudulent COVID-19 Payouts

How Dark Web Intelligence Can Be Useful for Security Teams

The dark web can be a useful source of data that informs the types of threats a company is facing and supports a more nuanced understanding of its risk profile. However, data from this source can be hard to find and is often unreliable. As-a-service offerings, data dumps, and general chatter about an organization can all be valuable data points that inform a robust security posture, but validating each data point is crucial to avoid wasting resources on false or stale information. The resources required to find the data in the first place, and then to validate it, will be significant.

It’s essential that security teams focus their dark web efforts appropriately. While there is plenty of criminal activity on the dark web, focusing on the specific threats to your business will allow you to cut through the noise and understand your organization’s unique risk profile. Learn more about how your security team can leverage dark web intelligence in our latest report, Fact vs. Fear: Dark Web Trends Security Teams Need to Focus On.
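To make the "focus and validate" advice above concrete, here is an added example (not ZeroFox's code or tooling) that triages constructed observations of the three kinds discussed in this post (a leak-site listing, a forum access sale, a marketplace PII listing, plus unrelated chatter) against a hypothetical organization's watchlist, and corroborates any leaked credential sample against a hashed export of the organization's own accounts. The observations, the watchlist terms, the per-source weights and the account list are all assumptions made for the example.

```python
import hashlib
import re

# Constructed sample observations (not real postings). Only items that name
# the defended organization should survive triage.
OBSERVATIONS = [
    {"source": "leak_site", "text": "Example Corp refused to pay. Data published.",
     "sample": "alice@example-corp.com:Winter2020!\nbob@example-corp.com:hunter2"},
    {"source": "forum", "text": "Selling RDP access to example-corp.com, 500 hosts",
     "sample": ""},
    {"source": "marketplace", "text": "fakepayout_covid SSN pack, 10k records",
     "sample": ""},
    {"source": "chat", "text": "anyone got example-corp.com employee list?",
     "sample": "mallory@example-corp.com:pass"},
]

# Hypothetical watchlist: identifiers the defended organization monitors.
WATCHLIST = {"example-corp.com", "example corp"}

# Assumed prior weight per source type, before any validation evidence.
SOURCE_WEIGHT = {"leak_site": 5, "forum": 3, "marketplace": 2, "chat": 1}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def account_digest(email: str) -> str:
    """Hash an address so the comparison set never holds plaintext identities."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def corroborate(sample: str, known_digests: set) -> tuple:
    """Return (matching, total) for addresses in a leaked sample."""
    emails = EMAIL_RE.findall(sample)
    hits = sum(1 for e in emails if account_digest(e) in known_digests)
    return hits, len(emails)


def triage(observations, watchlist, known_digests):
    """Drop noise, score what remains, and record the validation status."""
    results = []
    for obs in observations:
        blob = (obs["text"] + " " + obs["sample"]).lower()
        if not any(term in blob for term in watchlist):
            continue  # not about this organization: cut the noise
        hits, total = corroborate(obs["sample"], known_digests)
        status = "corroborated" if hits else ("unverified" if total else "no_sample")
        results.append({"source": obs["source"], "status": status,
                        "matched": f"{hits}/{total}",
                        "score": SOURCE_WEIGHT.get(obs["source"], 1) + hits})
    return sorted(results, key=lambda r: r["score"], reverse=True)


# Hypothetical directory export of the organization's accounts, stored hashed.
KNOWN_DIGESTS = {account_digest(e) for e in
                 ("alice@example-corp.com", "bob@example-corp.com")}
```

Running `triage(OBSERVATIONS, WATCHLIST, KNOWN_DIGESTS)` ranks the corroborated leak-site listing first, drops the unrelated marketplace listing entirely, and flags the chat sample as unverified because its address matches no current account.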
