Dark Web Monitoring Wayne Forgesson

The Growing Threat of the Deep and Dark Web

The deep and dark web continue to evolve and fuel a vast range of cybercrime and malicious activity. For businesses, this reality requires a shift in how threats are monitored. Relying on traditional methods to keep track of digital dangers is no longer sufficient. The need for comprehensive, proactive OSINT collection solutions is clear.

The deep and dark web continue to provide a breeding ground for illicit activity. As cybercriminals, extremists, and data thieves become more sophisticated, these online underworlds have evolved into major hubs for bad actors and nefarious online behavior.

The dark web has grown to serve as a breeding ground for ransomware attacks, data breaches, and a variety of other malicious activities that can strike at the heart of any organization.

In August 2024, a cybercriminal group known as USDoD leaked a database on the dark web, offering it for sale at $3.5 million. The compromised data, originally gathered by National Public Data, includes sensitive details like names, addresses, Social Security Numbers, and information about siblings. A class-action lawsuit was filed against National Public Data in Florida, accusing them of failing to adequately protect the data and collecting information from non-public sources without consent.

This is just one of the many recent security incidents tied to activity on the dark web. The issue is no longer whether threats are lurking in these spaces, but rather how businesses can keep an eye on them in an ever-evolving landscape.

What Is the Dark Web?

Many people mistakenly believe that the dark web is a single, cohesive network, but this is inaccurate. It is a sprawling collection of decentralized platforms, each built with the intention of preserving anonymity and secrecy. These platforms are essential to understand if companies are to effectively monitor and mitigate potential threats.

  • Tor (The Onion Router): The most widely recognized of dark web networks, Tor provides users with layers of encryption designed to conceal their online activity. This network serves as a key venue for cybercriminals to operate undetected.

  • I2P (Invisible Internet Project): Though less well-known, I2P offers a similarly anonymous environment that’s often used for secure communication, particularly in covert operations or illicit dealings.

  • ZeroNet: An alternative to traditional web hosting, ZeroNet uses peer-to-peer hosting technology, which further complicates monitoring efforts due to its decentralized nature.

What Is the Deep Web?

While the dark web tends to grab the headlines, the deep web encompasses a much broader and more general collection of online content that is not indexed by search engines. This content is not inherently dangerous, but it often includes areas where illicit activities take place.

  • Paste sites like Pastebin or Ghostbin are often used to dump and share large datasets, including sensitive or stolen information.

  • Encrypted messaging apps, including platforms like Telegram and Discord, have become favorites among criminals for their ability to facilitate communication in relative secrecy.

  • Alternative social media platforms, such as Gab or BitChute, have carved out spaces for extremist groups and the spread of misinformation, far removed from the moderation standards of more mainstream platforms.

  • Breach forums like Cracked and Nulled have emerged as key marketplaces for stolen credentials, malware, and hacking tools, further fueling the dark web ecosystem.

The Challenge of Accessing and Monitoring the Dark Web

For most businesses, monitoring the deep and dark web is a daunting task. First, internal network policies often block direct access to these areas, leaving security teams with limited insight into potential threats.

Even when access is available, security professionals may lack the specialized tools or expertise necessary to navigate these murky waters.

The sheer volume and unstructured nature of data on these platforms add another layer of complexity. Without the proper resources, businesses can easily miss critical indicators of a cyberattack, a data leak, or a vendor compromise.

Why an Enterprise OSINT Platform Is Essential

This is where an enterprise-level OSINT (Open-Source Intelligence) collection platform like Signal becomes an indispensable asset. A robust OSINT solution gives security teams the ability to proactively monitor threats across the deep and dark web without exposing themselves to unnecessary risks. Here's how a comprehensive platform can support your organization:

  • Secure, Compliant Access: OSINT platforms like Signal offer compliant, secure access to restricted content. This ensures that security teams can gather intelligence on potential threats without violating company policies or compromising internal network security. They can analyze dark web content without needing to actually access the dark web.

  • Automated Data Collection: Instead of relying on manual searches and outdated methods, OSINT solutions automate the process of tracking emerging threats. This includes everything from detecting stolen credentials and tracking extremist threats, to identifying ransomware incidents in real time.

  • Advanced Search and Filtering: With advanced tools for parsing and analyzing vast amounts of unstructured data, an OSINT platform enables analysts to cut through the noise. They can extract relevant intelligence with precision, helping them focus on the most immediate threats.

The Rising Importance of Dark Web Monitoring

As cyber threats become increasingly sophisticated and frequent, simply relying on internal cybersecurity measures is no longer enough. Threat actors can infiltrate via third-party vendors, supply chains, or business partners. A breach in a vendor's system and a subsequent dump on the dark web, for example, could put your organization at risk, but you might not even know until it’s too late.

Organizations can no longer afford to wait until after the fact to find out if their partners or suppliers have been compromised. As the business landscape becomes more interconnected, proactive intelligence is essential to understand where the vulnerabilities are—and whether your organization is at risk.

Conclusion

By incorporating tools like Signal into your security strategy, you gain the ability to navigate the shadows of the internet. It’s a necessity for any organization committed to staying one step ahead of emerging risks.

At Signal, we empower organizations to take control of their cyber defenses with OSINT solutions, enabling you to monitor and respond to dark web threats with speed, accuracy, and confidence.

Signal Product Wayne Forgesson

Why Transparency is Critical in the Era of 'Black Box' OSINT Solutions

The allure of “one-click magic” solutions is undeniable. A tool that promises comprehensive results at the press of a button? Great. No digging, no deliberating, just answers. It sounds like a dream, doesn’t it? But dreams can quickly turn into nightmares when the methods behind those answers are shrouded in mystery.

As the old saying goes: if it sounds too good to be true, it probably is.

As we move further into an era dominated by artificial intelligence, it is imperative for analysts to demand transparency from “black box” OSINT solutions.

The Hidden Risks of Black Box OSINT

Without a clear understanding of how intelligence results are derived, users are left with little more than blind faith. Consider the consequences in high-stakes industries like journalism, law enforcement, or national security, where a single unverified piece of information could lead to reputational damage, operational failures, and even endanger lives.

Moreover, the very nature of these tools reduces trust in AI-driven solutions. When users are unable to see how conclusions are reached, skepticism grows. This lack of confidence undermines the potential of artificial intelligence to assist in critical decision-making, turning what should be a powerful ally into a questionable crutch.

Users should never be in the dark about the mechanics of their tools. A lack of transparency not only risks operational credibility but also perpetuates the idea that OSINT solutions are “magic” rather than reliable, verifiable systems.

A Beacon of Transparency: the Power of Clear Sourcing

Rather than hiding behind proprietary algorithms and secretive processes, Signal’s Global Feed platform provides users with interactive dashboards and traceable data points, making it easier to cross-verify intelligence. This proactive transparency is a game changer in an industry plagued by ambiguity.

Transparency begins with an honest discussion of AI’s capabilities and limitations. Global Feed doesn’t sell illusions. Instead, it equips users with a clear picture of what AI can achieve, alongside its potential pitfalls. This openness allows users to navigate the complexities of OSINT with confidence, rather than uncertainty.

Global Feed also incorporates the Admiralty Scale, a trusted method from the intelligence community, to evaluate the confidence and credibility of its sources. This approach not only ensures accuracy but also fosters a deeper understanding of the data’s nuances.

Why Transparency Fosters Trust

Trust is the currency of effective intelligence, and transparency is its foundation. But trust doesn’t come from blind faith; it’s earned through understanding. Global Feed recognizes this and prioritizes user awareness at every step.

By providing clarity and openness on its methodologies, Global Feed demystifies the process of AI-driven intelligence. Users don’t need to be experts in machine learning to grasp the basics of how the platform works. This accessibility empowers users to make informed decisions, rather than relying on the supposed infallibility of a machine.

This transparency creates an environment where users can not only trust their tools but also feel empowered to justify their decisions to stakeholders. The combination of clear sourcing, intuitive tools, and ethical AI use sets a new standard for OSINT platforms.

The Future of OSINT Lies in the Open

The world of OSINT is at a crossroads. On one side, we have black-box solutions that promise simplicity but deliver opacity. On the other, transparent tools like Global Feed that embrace openness as a guiding principle. As the demand for ethical AI grows, it’s clear which path will prevail.

Transparency isn’t just a buzzword; it’s a necessity. It’s the difference between tools that merely function and those that truly empower.

Choose Signal’s Global Feed

You can place your trust in tools that guard their secrets, or you can opt for solutions that place their trust in you by being transparent and forthright. The era of blind faith in “one-click magic” is over. It’s time to demand transparency. And with Global Feed, that demand is met honestly and upfront.

Choose transparency. Choose trust. Choose Global Feed.

Artificial Intelligence Wayne Forgesson

Generative AI and Open-Source Intelligence: Evolving Together for Stronger Insights

Marrying Generative AI with Open-Source Intelligence: A New Era of Collaboration

Open-source intelligence (OSINT) plays a critical role in identifying risks and mitigating threats. However, as the sheer volume of data available continues to grow, the workload for analysts becomes increasingly unmanageable. Generative AI has emerged as a game-changing tool, not to replace the human element but to work alongside it, enhancing the efficiency and depth of OSINT efforts.

The Role of AI in OSINT

Generative AI transforms the OSINT process by automating repetitive tasks and delivering insights more efficiently. Tasks such as drafting reports, scanning social media, or analyzing large volumes of unstructured data can now be handled more effectively with AI tools. This allows analysts to redirect their focus toward deeper analytical thinking, rather than being bogged down by manual data aggregation.

Why Humans Are Still Essential

While AI is adept at processing data quickly, it lacks the ability to contextualize findings or understand the subtleties of human behavior. Analysts bring a depth of knowledge, critical thinking, and ethical oversight that machines cannot replicate.

For example, AI might flag a threatening social media post, but a human analyst would assess its credibility, motive, and broader implications. Human analysts are also better at triaging potentially threatening posts and at conducting deeper behavioural threat assessments. Keeping a human in the loop ensures that the intelligence generated is not only accurate but also actionable.

Saving Time Through Automation

One of the most valuable contributions of AI is its ability to handle time-consuming tasks. These include scanning thousands of news articles, identifying patterns across multiple platforms, and summarizing dense reports. By taking on these labor-intensive activities, AI allows analysts to allocate their time to more complex tasks, such as horizon scanning, conducting behavioural threat assessments, and utilizing structured analytical techniques.

Enhanced Insights with Generative AI

AI tools are particularly effective in synthesizing large datasets to uncover trends and anomalies. For instance, generative AI can identify correlations in online chatter, highlight potential risks based on emerging patterns, and even generate hypothetical scenarios for organizations to consider. These capabilities empower analysts to make better-informed decisions, faster.

Navigating Ethical Challenges

The use of AI in OSINT also comes with ethical responsibilities. Ensuring the fairness and accuracy of AI-generated insights requires ongoing oversight from human analysts. This is particularly important in avoiding biases, respecting privacy, and ensuring compliance with legal standards. Human involvement provides the ethical compass needed to navigate these challenges effectively.

Generative AI is a Force Multiplier for Intelligence Analysts, Not a Replacement

Signal’s platform is designed to empower analysts by turning unstructured data into actionable intelligence, and generative AI enhances this mission by acting as a productivity multiplier. By automating tasks like data collation, summarization, and anomaly detection, AI streamlines workflows and frees analysts to focus on deeper analysis and decision-making. This integration doesn’t replace the human element—it amplifies it, allowing professionals to direct their expertise toward interpreting complex information and crafting strategic insights.

Generative AI within Signal’s platform also sparks innovation by surfacing hidden patterns, generating fresh perspectives, and suggesting alternative approaches. It operates as a tool in the hands of skilled analysts, whose judgment ensures accuracy and relevance. Signal’s commitment to blending advanced AI with human expertise creates a partnership where technology supports, rather than supplants, the critical role of analysts, driving more efficient and impactful intelligence work.

A Balanced Approach for the Future

Generative AI and OSINT are not competing forces but complementary tools.

Want to see Signal in action? Signal’s Global Feed delivers real-time insights from diverse, high-value sources across the globe, empowering analysts to stay ahead of emerging trends and threats.

Whether you’re tracking geopolitical developments, monitoring supply chain risks, or detecting hazards near your assets, Signal’s Global Feed provides the clarity and context you need to act decisively. Explore how Signal’s innovative platform is transforming open-source intelligence—learn more here.

Corporate Security Ben Luxon

The Threat of Doxing to Organizational Security

Organizational doxing is on the rise and can be immensely damaging, exposing company secrets and customer data, or more directly exposing executives to new levels of threats.

What is Doxing?

The term itself originates from the phrase “dropping docs” and was later shortened to “docs” and then “dox”. As the original term suggests, doxing is when someone collects and then shares information about another person or organization.

There are numerous reasons someone might dox someone else or be the victim of doxing. It could be for revenge or a personal grudge; a disgruntled ex-employee might target their previous employer, for example. In 2014, Sony was the victim of a doxing attack that experts believe was backed by the North Korean government, after the company released a film which made fun of the country's leader. Other motivations include harassment and cyber-bullying, vigilante justice (for example, exposing neo-Nazis), and doxing for financial gain.

Doxing Strategies and Goals

Traditionally, doxing started with an online argument escalating to one person digging out information on their adversary and sharing it online. More recently, though, doxing has become more of a cultural tool, with hackers taking down people or groups with opposing ideologies. When it comes to organizations, threat actors have been known both to target an organization's reputation and to use information gained through a doxing attack to leverage financial reward.

For example, in one scenario an employee at a bank was blackmailed after a doxing attack into using his position in the bank to steal over $100,000 from customers for his blackmailers. 

The fallout is generally reputational, with the victim suffering online abuse, such as death threats to them and their family, in light of the new information shared. However, on occasion, the fallout can be significantly worse. There have been examples of mobs dishing out physical vigilante justice after a person's information, such as an address, was shared online.

There are numerous ways you can be identified online. By following ‘breadcrumbs’ of information, a dedicated doxxer can assemble an accurate picture of a person, even if they were using an alias. The kind of details they might look for include full name, current address, email address, phone number, etc. Additionally, some doxxers might buy information from data brokers.

IP/ ISP Dox

There are various methods that can be used to locate your IP address, which is linked to your location. With just your IP address a doxxer could then use social engineering tactics against your Internet Service Provider (ISP) to discover the information they have on file such as:

  • Your full name

  • Email address

  • Phone number

  • ISP account number

  • Date of birth

  • Exact physical address

  • Social security number

This requires the doxxer to go through a dedicated process, which may not even work. However, it’s just one strategy they can employ, and even if they are unable to gather further information through a gullible ISP worker, they still have the first parts of the puzzle: your IP address and a rough location.

Doxing with Social Media

If your social media accounts are public then anyone can view them. Often things a threat actor can find out include your location, place of work, your friends, your photos, some of your likes and dislikes, places you’ve been, names of family members, names of pets, names of schools you attended, and more.

With this kind of information, they can then find out even more about you, or even discover the answer to your security questions helping them break into other accounts such as your online banking.

As such, it’s recommended to keep your social media profiles private and, if you use multiple online forums, to use a different name and password for each, to help prevent doxxers from compiling information from across multiple online forums and social media sites.

Data Gathered through Brokers

Data brokers on the internet collect information from publicly available sources and then sell the data for profit. Generally speaking, they sell this data to advertisers - if you’ve ever found yourself randomly receiving emails from companies you’ve never heard of before, this is why. However, for a doxxer it could be an easy way to start building a detailed profile of their target.

How Might Doxing be Used Against Your Organization?

For organizations to be successful with their media strategies they necessarily need to share relevant information and regularly engage with their customers through social media channels. This provides a substantial opportunity for doxxers.

By combining publicly-available data with basic attack techniques, such as phishing campaigns or credential stuffing, malicious actors can uncover large quantities of supposedly secure data. For consumers, exposed information could lead to identity theft or public shame. Meanwhile, companies face the prospect of large-scale reputation damage or lost revenue if proprietary project briefs or intellectual properties are leaked to the public.

Additionally, doxing can be used as an incentive to expedite the resolution of ransomware attacks. This is where the cyber attacker threatens to release documents or information to the public should their target not pay the ransomware fee promptly. This adds to already serious financial implications.

How Can you Prevent Doxing?

Unfortunately, it's nearly impossible to completely remove personally identifying information from the internet, especially information that forms part of public records. Still, there are some tips to reduce your attack surface.

Keep your profiles private 

People and organizations do have a lot of say as to what gets published on the internet. Make sure to practice general data privacy best practices.

  • Avoid posting identifying information

  • Keep all social media settings at the most private level, and don't accept friend requests from people you don't know

  • Change the settings on Office and your phone's photo app so personal info isn't embedded in those files

  • Use a "burner" email address for signing up for accounts when possible.

  • Set the ‘whois’ records on any domains you own to private

  • Ask Google to remove personally available information about you, and request the same from data broker sites

Implement Safe Browsing Measures

These steps are good internet hygiene in any case, but can also prevent a breach that can lead to your info being exposed to a potential doxxer:

  • Use a VPN, especially when using insecure public Wi-Fi networks

  • Switch to a secure email system with built-in encryption

  • Vary your usernames and passwords

Self-Doxing

Humans remain the weakest link in the security chain. In most cases, malice isn’t the problem or the intent when someone lets a threat actor in. Instead, employees overshare personal data on corporate platforms by accident or use insecure third-party applications. In both cases, however, following the breach and identifying the potential compromises is difficult when IT teams start from the side of defenders. 

By flipping the script and looking at your organization from the view of a potential doxxer, it becomes easier for IT and security teams to spot key areas of weakness. They can then develop strategies and staff training programs to protect against them.

Final Words

Doxing represents a growing threat to organizations and individuals. However, by self-doxing with security intelligence gathering strategies, security teams can create accurate attack surface maps. With this intelligence, they can then enhance threat modelling and deliver actionable insights to staff to reduce overall risks.

Using OSINT software like Signal you can learn about potential threats as or before they occur, learn about potential exploits targeting your organization, and self-dox to help identify weaknesses and shore-up defences.

Social Media Monitoring Ben Luxon

Leveraging Telegram as a Data Source for Open Source Intelligence

Conversations on public Telegram groups can offer valuable insights into ongoing and potential criminal activity making it a valuable data source for security professionals.

People are increasingly aware of how their data is accessed and used, whether this is the security of their private conversations, their online browsing history, or even Personally Identifiable Information (PII). With this increased awareness of data privacy, chat applications have had to promise better encryption and anonymity if they are to compete.

As such, over the last few years, new chat apps with a primary USP of better privacy have hit the market. This includes the likes of Telegram and Discord. The anonymity and data security offered by these apps have quickly made them popular with both legitimate users and criminals. On Telegram, you don’t have to look too hard to uncover conversations around the sale of illicit goods, examples of extremist views and hate speech, the trading of PII, and more. It’s also worth noting that many marketplaces and forums on the dark web also have chat groups on Telegram.

Many of the groups and channels on apps like Telegram are open to the public, allowing users to easily reach a large potential market relatively risk-free. Not all groups, though, are open to the public, making it substantially harder for security professionals and law enforcement to monitor these channels successfully.

However, with a tool like Signal, you can view and monitor data from many of these closed communities and hard to access groups easily and efficiently.

About Telegram

Telegram is a messaging app that was launched in 2013. It focuses on supplying a fast, free and, above all, secure messaging service. The chat app has end-to-end encryption and several other features which add to its perceived security. These features include “secret chats” which store data locally, a timer on messages to self-destruct after a specified time, notifications of screenshots, and a block on forwarding messages from secret chats. Their main USP is to provide a service where data is protected from third parties, including any curious government or security agencies.

Unlike other chat apps, Telegram promotes itself as providing its users with full anonymity, including the ability to set up a unique username and make your phone number private. It’s because of these security features as well as the offered anonymity that the application quickly became a popular choice for criminal communications.

How Can You Leverage Data from Telegram for OSINT?

There are various channels and groups on the Telegram app in which illicit and criminal activity is discussed or undertaken. This ranges from the sale of illegal goods, stolen data, to planning physical attacks on an organization or individual.

For example, in the Telegram group “Carders”, which has over 5,000 members, you can find stolen credit card details including full numbers and CVV codes. This chat group is linked to an online shop, getbette.biz (which was taken down in early 2020). Most of the conversations in this group revolve around some form of financial fraud, whether that’s leaked card details or the sale of PII.

On other Telegram groups, you can find details for hacked personal accounts like Netflix, Disney Plus, Amazon Prime etc. These logins might be sold for a variety of reasons, such as credential stuffing, or for personal use.

It’s not just dealing in illegally obtained data though. Telegram is used for a broad variety of purposes. A particularly popular one is the sale of drugs. Narcotic Express DE is one such group. With close to 1,000 members, this German group is a closed group which focuses on the purchasing, sale and distribution of drugs. 

Closed groups cannot be found in a search within the app or in the dedicated Telegram search engine, instead, you have to be invited and sent a link by another user in the group. In addition, users can only see posts, not post themselves into the group.

Other examples of leveraging Telegram as a data source include monitoring for:

  • Hate speech and death threats,

  • Hacking services for sale,

  • Exploit kits,

  • Data breaches,

  • Hate groups.

Using Telegram as an OSINT Source

As outlined above, there are plenty of conversations of interest that happen through the Telegram app and its various groups. These groups can offer insight into criminal activity and better enable organizations to protect their assets and staff from emerging threats. For example, you might find information on a recent data breach through the app. Having this early knowledge of the breach is essential for mitigating costs.

However, as with any potential data source, it’s not a case of simply downloading the app. Efficiently scanning and monitoring the platform for potentially relevant information or information of interest requires the right tools.

First, groups like Narcotic Express DE are closed groups, meaning locating and gaining access to them is a challenge in itself. Secondly, with features such as message self-destruct, constant surveillance is necessary. These challenges mean time and resources need to be devoted to this specific channel, time and resources that might be better spent elsewhere.

Using an OSINT tool gives users the ability to access and utilize hard to reach data sources like Telegram. Data from Telegram is gathered by our data provider Webhose, who scrape the publicly available data from both open and harder to access closed groups continuously. Signal users can set up searches with Boolean logic, selecting Telegram as one of the data source options available. 

Corporate Security Ben Luxon

12 of the Biggest Ransomware Attacks of 2020

Ransomware can cost an organization millions and often the victim has no alternative but to pay. In this article, we look at 12 of the biggest ransomware attacks that occurred in 2020.

Ransomware is a form of malware which is installed on a victim's device or devices with the main objective of seizing and/or locking away sensitive data. As the name suggests, in order for a victim to regain access to their data and systems, they need to pay a ransom. More often than not, the two options a victim is presented with when they succumb to a ransomware attack are to either rebuild their systems from scratch and potentially have the attacker leak the data online, or pay up.

As such, it’s unsurprising that, in our increasingly digital age with more and more data on the cloud, the number and the success of ransomware attacks are on the rise. Approximately 58% of ransomware victims paid in 2020, compared to 39% in 2017.

Ransoms for these kinds of attacks range from a few hundred dollars to thousands or even millions of dollars payable in cryptocurrency such as Bitcoin. In return for the payout, the attackers will release a decryption key allowing the organization to return to business. Certain industries, such as government organizations and hospitals are more susceptible to ransomware attacks due to the nature of the work that they do often being time-sensitive. For example, a ransomware attack crippled a hospital in Germany, leading directly to one patient’s death.  

There are numerous strategies that ransomware attackers employ to gain access to a victim’s database. One of the most common is social engineering, such as phishing emails. Cybercriminals can make these emails look exactly like trustworthy emails from official sources, tricking victims into downloading compromised software onto their device.

Because of the nature of social engineering tactics and the evolving cyber threat landscape, no organization can ever be fully secure from malware threats. Below we outline 12 of the biggest ransomware attacks that occurred in 2020.

12 Ransomware Attacks that Happened in 2020

1. ISS World 

Estimated cost: $74 million 

In February of 2020, ISS World, a Denmark-based company, went down due to a ransomware attack. Thousands of employees were left without access to their systems and emails. This cost the company an estimated $74 million, which includes regaining control of the affected IT systems and re-launching critical business systems.

2. Cognizant

Estimated cost: $50 million

A ransomware attack on the organization Cognizant in April of 2020 is said to have cost the company over $50 million, potentially as much as $70 million, including legal and consultation costs and data recovery costs, along with the financial loss reflected in their second-quarter earnings in 2020.

3. Sopra Steria 

Estimated cost: $50 million

The company Sopra Steria revealed that they were hit by hackers using a new version of the Ryuk ransomware in October.

They estimate that the fallout, including dealing with the various systems that went out of action, is likely to have a gross negative impact on operating margin of between €40 million and €50 million.

4. Redcar and Cleveland Council 

Estimated cost: $14 million

Redcar and Cleveland Council in the UK suffered an attack on their systems in February of 2020, costing the council an estimated $14 million. The ransomware attack is said to have disrupted the council’s network, tablets, computers, and mobile devices for 3 full weeks. The council announced in March that it could take months for a full recovery and estimated the overall costs to be between $14 million and $21 million.

5. Software AG

Estimated cost: $20 million

Software AG is the second-largest software vendor in Germany. They were reportedly hit with the Clop ransomware in an attack in October of 2020. The company disclosed that the ransomware attack disrupted a part of its internal network but didn’t affect customer services. The cybercriminal group responsible demanded a $23 million ransom.

7. Travelex

Estimated cost: $2.3 million

It was reported that Travelex, the money exchange firm, was hit with a file-encrypting malware attack which shut down its internal networks, website and apps for several weeks. Reportedly, Travelex paid a ransom of $2.3 million in BTC to the attackers to regain access to its data and restore services.

8. University of California San Francisco (UCSF)

Estimated cost: $1.14 million

UCSF was targeted in June of 2020 by a malware attack which encrypted servers used by the school of medicine, impacting students. The ransomware was prevented from travelling to the core UCSF network and causing more damage. The authorities negotiated with the cybercriminals and UCSF ended up paying approximately $1.14 million in ransom of the $3 million demanded.

9. Shirbit Insurance 

Estimated cost: $1 million

After a cyberattack on the Israeli insurance provider Shirbit in December of 2020, the attackers demanded roughly $1 million in Bitcoin. To pressure the company into paying, they demanded immediate payment, threatening otherwise to increase the ransom, doubling it after 24 hours. Additionally, to show these weren’t empty threats, they dumped the first 300 records online and threatened to dump additional records every 24 hours until they received payment.

10. Communications and Power Industries

Estimated cost: $500,000

California-based Communications & Power Industries (CPI) makes components for military devices and equipment, like radar, missile seekers and electronic warfare technology. The company counts the U.S. Department of Defense and its advanced research unit DARPA as customers. Reportedly, CPI paid $500,000 to obtain the decryption key to unlock their servers and return services.

11. Grubman Shire Meiselas & Sacks 

Estimated cost: $365,000

Grubman Shire Meiselas & Sacks is a law firm that specializes in law for those in the media and entertainment industry. Their clients consist of a range of A-list celebrities and, with such high-profile individuals on the line, the stakes for them were extremely high. They were targeted and their files encrypted by REvil ransomware. The firm agreed to pay an estimated $365,000. However, the attackers started demanding more afterwards, and the company has since kept quiet on what it has paid or is willing to pay.

12. Tillamook County 

Estimated cost: $300,000

Tillamook County in the US was hit by cyber attackers in January. The attack interrupted their email network, phone systems and website. After exhausting alternative options, they estimated that restoring service would cost well over $1 million and take several years, and opted instead to pay the $300,000 ransom.

Keeping your data and organization secure

  1. Never click on suspicious links or any links attached in unsolicited emails. 

  2. Back up systems and data continuously. Create a separate data backup on an external hard drive that is not connected to your computer, so that you don’t have to pay the ransom if a ransomware attack happens.

  3. Never disclose personal information over the phone or over email. 

  4. Educate employees on cybersecurity best practices and social engineering tactics that may be used against them.

  5. Limit employee access to sensitive data to reduce attack surfaces.

OSINT Tools and Mitigating Costly Ransomware Attacks

Early warning of data breaches through OSINT tools can help you predict and prevent cyber attacks as well as enable organizations to take mitigating actions faster. While open-source intelligence tools can’t prevent ransomware, they can help organizations reduce the risks and potential damages.

OSINT tools can be used by organizations to monitor their supply chains, allowing them to learn of potential disruptions in real-time and enabling them to implement contingency plans fast. 

Additionally, organizations can use tools like Signal to monitor for ransomware and malware currently being used. This can help security teams determine emerging threats being used against other organizations in their industry to better inform ongoing cybersecurity best practices.

Ultimately, by using OSINT to monitor darknet forums and marketplaces, security professionals are able to learn about the newest strategies being employed, the most recent weaknesses being exploited, and the most current software being utilized. Armed with this knowledge, they are much more able to develop effective countermeasures as well as actively prevent ransomware infection.

Dark Web Monitoring Ben Luxon

5 Dark Web Marketplaces Security Professionals Need to Know About

We take a look at how security professionals can overcome the plethora of challenges that come with finding, accessing, and efficiently monitoring dark web marketplaces for information security.

Dark web marketplaces are online marketplaces where people can buy and sell illicit goods and services under the protection of the anonymity of the dark web. The goods and services on offer range from leaked credit card details, exploit kits and hackers for hire, to advertisements for hitmen services.

Because of the range of goods and services found for sale, as well as the conversations that occur around these sales, dark web marketplaces can be immensely valuable sources of data on criminal activity. As such, they are normally under intense scrutiny from law enforcement and security professionals alike.

5 Dark Web Marketplaces

People have been organizing illicit trades via the internet since the 1970s. Those early examples though were through closed networks and the actual exchanges of money and goods generally had to take place in person. With the advent of crypto-currencies, it became not only possible to complete trades online without leaving a money trail, but easy. As such, the trading of illegal goods online has become more commonplace and vast dark web marketplaces have been created. 

The very first of these marketplaces to pair the darknet with Bitcoin was the Silk Road. Silk Road was created by Ross Ulbricht in February 2011. Over the next two years, the Silk Road set the standard for darknet marketplaces. By the time it was shut down in October 2013, and Ross Ulbricht arrested, the site had traded an estimated $183 million worth of goods and services.  

ToRReZ

ToRReZ Market is a wallet-less market, which means you only send funds when making an order. The market currently supports four cryptocurrencies: Bitcoin, Monero, Litecoin, and Zcash. Both physical goods such as drugs, and digital goods such as software and credit cards, are sold on ToRReZ Market.

Tor2door

Tor2door is a darknet marketplace that launched in June 2020. The market is built from scratch and has a unique design. Tor2door claims that security and usability are its main priorities. This market is one of the easiest to use and is very simple for inexperienced darknet users.

Hydra

Hydra is the largest marketplace in the darknet and most popular darknet marketplace in the Russian-speaking sphere. According to the Project news outlet, it is responsible for 64.7 billion rubles ($1 billion) in sales through its 5,000 shops between 2016 and 2019. Although a wide range of illicit goods and services are sold, the site also has a few rules, which are perhaps one of the reasons for its longevity and success. These rules include no fentanyl, no weapons, no sale of hitmen services, viruses, or porn.

Versus Project

Established in 2019, Versus quickly gained a reputation for a user-friendly UI and intuitive search options. It has gained a lot of users and become a popular marketplace due to its focus on security. Buyers can purchase a range of digital goods and services which include illicit drugs, software and malware, and services related to fraud. The marketplace has over 8,400 listings and 500 vendors who communicate in English and accept Bitcoin for transactions.

White House Marketplace (WHM)

White House Market is a dark web marketplace that enforces the use of PGP (Pretty Good Privacy) encryption just to browse the site. The site goes into detail about its security on the About page and explains that it does not store Monero private keys on its servers, which can ease the mind of its users. Although White House Market is a smaller marketplace than the others on this list, it is possible that its ultra-security features and simple, easy-to-use UI will quickly attract more vendors.

Source: Digital Shadows

Other markets include Icarus market, Dark0de Reborn, Canada HQ, Monopoly Market, and more.

How to Keep Track of Evolving Darknet Marketplaces

There are various active dark web marketplaces. According to Webhose, one of our data providers, there are approximately 20 active leading dark web marketplaces and there are dozens of smaller additional marketplaces. 

Gaining access and monitoring these darknet marketplaces comes with a unique set of challenges. Firstly, they generally have short lifespans. This could be for a variety of reasons, for example, law enforcement might close them down, or perhaps to help avoid this fate they frequently change their domain address. It could even be because the admin implemented an exit scam, which is what happened with Empire Market, where the admin team is estimated to have made off with some $30 million worth of Bitcoin in August 2020. 

Because of this short lifespan, security professionals need to constantly be on the lookout for the next big marketplace. However, because of the illicit nature of the dark web, many websites don’t want to be found, so there is no easy way to navigate it. Each website can be thought of as an independent silo. Darknet websites rarely, if ever, link to one another. To find the forums and marketplaces where the important and relevant information is, you will need to know what you’re looking for and how to look for it.

Finally, once the relevant sites have been located and access gained, there is still the serious challenge of monitoring the dark website to effectively gather usable intelligence. Doing this manually requires vast amounts of resources. However, you also can’t simply scrape the website, as such activity can quickly get you banned from a site.

This is where Open Source Intelligence (OSINT) tools like Signal come in.

The Role of OSINT tools when Monitoring the Dark Web

OSINT tools allow security professionals to effectively and efficiently monitor the surface, deep, and dark web. Using Signal you can create targeted searches with Boolean logic, and then run the results through intelligent filters powered by our advanced AI. This process can be automated with real-time SMS and email alerting.

This reduces the need for skilled professionals to spend all their time manually monitoring the entirety of the web and assessing the associated risks. Additionally, it reduces the inherent risk of accessing criminal forums and marketplaces. Instead, security professionals get hyper-relevant alerts that can quickly be assessed and acted on without ever actually having to go onto the dark web or painstakingly gaining access to marketplaces.

This approach is vastly more time-efficient and allows you to put your web monitoring on auto-pilot, reducing costs while simultaneously increasing efficacy. As cyber-criminals embrace new technologies it’s becoming increasingly necessary for security professionals to do the same in order to stay ahead.

Increase the scope of your monitoring ability and the overall amount of hyper-relevant intelligence at your fingertips. Gather actionable intel in real time.

Dark Web Monitoring Ben Luxon

7 Dark Web Forums You Need to Monitor for Improved Cyber Security

We take a look at how security professionals can utilize OSINT tools like Signal to more efficiently and effectively monitor threats on dark web forums.

The dark web has grown in popularity over the years as people become increasingly technologically savvy. Using a darknet browser like Tor or I2P allows users to stay anonymous whilst browsing online. 

There could be any number of reasons a person desires anonymity online, and many of those reasons are perfectly legitimate. For example, they might simply have concerns about large companies’ abilities to track their online activity, or they might not feel comfortable giving Google all their data. Alternatively, they might live in a place with restrictions on freedom and free speech and necessarily turn to dark web anonymity to access world news or freely share journalism.

However, the same anonymity which protects those people is also a boon for criminals. It allows them to operate across borders, organize crime, and trade in illegal items, both physical and digital. Additionally, any number of topics can be found on dark web forums being discussed, including extremist ideas, hate speech, threats of violence, or even plans for cyber attacks.

It is this broad array of potentially dangerous activity on the dark web which is of concern for security professionals. By monitoring the dark web with OSINT tools like Signal, security professionals can discover exploit kits targeting their organization, get early alerts of data breaches, and even prevent physical attacks on assets or employees.

In this article, we take a look at a few of the more common dark web forums and how security professionals can utilize OSINT tools like Signal to more efficiently and effectively monitor threats on the dark web.

About Dark Web Forums as Data Sources 

Because of the anonymity afforded by the dark web, people feel comfortable discussing all manner of things. As such, the dark web, especially dark web forums, is a valuable source of intelligence for security professionals. Monitoring these channels can help expose real and potential threats ranging from planned attacks, both physical and digital, to fraud, data breaches, and more.

Below we take a look at 7 of the largest dark web forums that professionals need to be aware of as potential security data sources.

Nulled

Nulled is an online forum board with over 3 million members as of 2020, mostly used by cybercriminals to trade and purchase leaked or hacked information. In 2016 it became known as the target of a data breach which helped law enforcement to obtain information about possible "suspects", who were registered on Nulled.

Dread

Dread is a forum on the darknet that mirrors Reddit’s functionality. It provides the same familiar community discussion boards. The forum takes many ideas from Reddit, such as sub-communities and user moderation responsibilities. The website manages to mimic this functionality without any JavaScript. The main goal of Dread is to offer a censorship-free forum, but it also offers some services, such as pen testing.

CrackingKing

Cracking King is a community forum that provides tutorials and tools for hackers. Additionally, you can find information about and from data leaks, as well as gain access to their marketplace.

CryptBB

CryptBB, which launched in 2017, started out life as a private English-speaking hacking forum known for its rigorous application policy, only accepting members who passed an interview. They have, however, recently been expanding with a new section of the site for “newbies”.

RaidForums

RaidForums is a site dedicated to sharing hacked databases and tools to perpetrate credential stuffing attacks. They also have an open web version of their site.

FreeHacks

FreeHacks is one of the most popular and one of the largest hacking forums on the web. This Russian community of hackers and cybercriminals gathers its resources to expand and solidify their knowledge base.

HackTown

HackTown is an educational platform. They have numerous courses all of which focus on hacking for profit. The forum aims to educate new hackers and cybercriminals to help them develop their skill sets and successfully pull off fraud attacks, phishing campaigns and more. 

Key Challenges of Dark Web Monitoring for Security Professionals

Security professionals face a number of challenges when it comes to monitoring the dark web. For a start, there is the sheer volume of posts. With each of these forums and marketplaces operating across numerous time zones, they have continuous activity. The most popular of them get tens of thousands of posts a day. Manually monitoring these sites is just not a feasible task.

Secondly, the more explicit dark web forums and marketplaces will require you to create an account and may even go some way to verifying you have the skills to be allowed in. While the anonymity of the dark web means they likely can’t work out exactly where you came from or what your true purpose is on their platform, those that are interested might attempt to get further information out of you to determine your real identity. When creating an account, it’s important to make sure it holds no relevance to any other online account you hold if you want to maintain your complete anonymity and not become a target of those same criminals you are looking to monitor.

Once you’re into one of these forums or marketplaces, you will then need to remain active on the platform without arousing suspicion, otherwise you could have your hard-won access revoked.

Finally, a lot of hackers on the dark web would be more than willing to turn their talents and attention to you should you accidentally cross them. Some websites will infect your device with malware, and any and all links or downloads should be viewed with suspicion. Additionally, if you do click any links you may be taken to material you don’t want to see and that many people would find disturbing. As such, unless you’re confident you can safely and securely navigate the dark web, it may be better to look for safer, more efficient alternatives.

The Role of OSINT when Monitoring the Dark Web

The Signal OSINT platform works by continuously scanning the surface, deep, and dark web. You can create custom searches using boolean logic and select from several data sources. These search results can then be filtered using our advanced AI and natural language processing (NLP) which enable you to search across languages, determine location, analyze copy in imagery, and even assess the emotional intent behind text through our NLP software Spotlight.

The benefits of having a tool like this for monitoring the dark web include efficient continuous monitoring and assessment of a multitude of sites allowing security teams to monitor more of the web to catch more threats faster. Additionally, they can access this data without ever having to hunt down and access the various dark web forums and marketplaces which is both more secure and much more time-efficient.

This approach allows you to leave your dark web monitoring on autopilot and not only effectively reduce costs but vastly increase the scope of your monitoring ability and the overall amount of hyper-relevant intelligence at your fingertips.

Corporate Security Ben Luxon

LERTR: Advancing Data Breach Detection

Organizations need intelligent security practices and cyber habits if they want to mitigate potential damages through early data breach detection.

As threat actors continuously challenge the cyber defences of organizations, companies are increasingly forced to focus on improving cybersecurity practices. However, even the best cybersecurity teams with the largest budgets find it hard to stay ahead of the evolving threat landscape. And with more technology in use, a growing reliance on cloud storage and the Internet of Things (IoT), there is a growing potential for sensitive data to be exposed to threats. 

As such it’s unsurprising that data breaches, in spite of increased cybersecurity spending, are becoming more common and more expensive to deal with. Employees need intelligent security practices and cyber habits and companies need to be armed with the latest technology and tools for early data breach detection to gain the upper hand when combatting this ever-changing threat.

Data Breaches Need to be Caught Early

The average cost of a data breach in 2020 according to the IBM / Ponemon Institute report was $3.86 million. However, there are plenty of examples where the costs have vastly exceeded this average, escalating into the hundreds of millions or even billions. For example, the Equifax data breach in 2017 cost Equifax $1.7 billion in the end. In another high-profile example, Facebook eventually settled on a fine of $5 billion after its ‘privacy misstep’ involving Cambridge Analytica. This bill doesn’t include the additional costs and expenses that Facebook has accrued in the development and expansion of their cybersecurity and privacy departments, nor does it account for the reputational damage it suffered.

While costs of these extremes are rare, data breaches in general are not. The IBM report goes on to analyse particular subsets of the data, noting that the worst impacted is healthcare, with an average data breach cost exceeding $7 million, and that the average time taken for an organization to identify and contain a data breach was an astonishing 280 days, over 9 months. This is in spite of significant evidence that the speed of containment has a significant impact on the overall data breach cost, which if left unchecked can linger for years after the incident.

How to Prevent Data Breaches

As with many of these things prevention is often the best policy. 

Data Breach Prevention #1: Have Clear Security Protocols 

Every employee should know, understand and be able to abide by strict security protocols to keep company data secure and thwart social engineering tactics. Having protocols is one of the best ways to help prevent data theft by ensuring unauthorized personnel do not have access to data. 

Data Breach Prevention #2: Safeguard Against Human Error

Many data breaches are the result of an employee error. This could be anything from downloading a document off of an illegitimate website, social engineering tactics or even outright blackmail. Employees should only have access to the information that is vital to their particular roles within the company. Those with higher level access should accordingly have higher levels of cyber security training and understanding.

Data Breach Prevention #3: Improved Password Protection

Having strong unique passwords is the first line of defence against any cyberattack. However, nobody, whether they are a high-level executive or not, is going to be able to remember a dozen or more 12-character passwords that use special characters, letters and numbers. Make sure that 2FA is enabled on all logins, and use a password manager (with 2FA enabled) to auto-generate and save complex passwords and ensure the highest levels of password security are enabled.

Data Breach Prevention #4: Update Security Software Regularly

Companies should utilize a high quality antivirus software, anti-spyware program and firewall. Additionally, these programs should be regularly updated to keep them free from vulnerabilities. 

Data Breach Prevention #5: OSINT for Dark Web Forums

By monitoring dark web forums and other chat rooms you can learn of planned attacks, potential exploits and even find exploit kits being sold online. This will give you a good indication of the access methods which have been discovered, allowing you to implement a patch quickly to prevent their use.

The Tools for Early Detection of Data Breaches: LERTR

Having the right tools is vital if an organization wants to prevent or mitigate the threat of data breaches. Using an OSINT platform like Signal allows security teams to efficiently monitor the surface, deep, and dark web for details or indications of potential and past data breaches. For example, you might find exploit kits targeting a vulnerability specific to your company. This would allow you to prepare a patch for this vulnerability before it was exploited.

Additionally, hackers might discuss strategies or plans around an upcoming data breach attempt on a dark web forum. Forewarned, you have a better chance of catching and preventing the attempt. However, prevention isn’t always possible. For those scenarios where you do face a data breach you want to discover it as quickly as possible to mitigate the potential damage and limit the costs.

To this end we have integrated with Webhose to advance our early data breach detection capabilities. Additionally, we have launched LERTR, a cyber specific OSINT platform.


Automate Intelligence

With powerful tools at hand you can spend less time searching data and more time planning and implementing responses.

Be the first to Know

Defend against future attacks with relevant actionable intel. And be the first to know about compromised data, control damages.

Better Risk Protection

With improved risk protection you will be the first to know if an event that threatens your brand occurs, enabling you to stay ahead.


Final Words

Data breaches are increasingly common and expensive. Effective preventative measures need to be put in place and maintained to limit threats. However, even the best defences can fall to a determined threat actor. As such, organizations need to ensure they have all the tools to not only prevent, but also to detect early and contain data breaches quickly should one occur.

Signal is a powerful OSINT tool which allows users to create searches using boolean logic enhanced with NLP, with which security teams can efficiently monitor online activity to detect threats as or even before they emerge.

Artificial Intelligence Ben Luxon

5 Ways AI is Subtly Shaping the World as we Know it

AI is shaping our world in numerous ways from targeted ads to rapidly advancing facial recognition applications and even AI-generated malware.

Artificial Intelligence (AI) describes technologies that can make informed, non-random decisions algorithmically. It has many current and potential applications, and it is the current pinnacle of humanity’s ceaseless drive towards greater and greater efficiency. In particular regard to OSINT though, it enables humans to collect, analyze and interpret huge sets of data, data sets so large that it would be entirely unfathomable to even approach them without machine assistance.

Everyone knows AI is shaping their world in one way or another. But often the changes are subtle, gradual and go unnoticed. Very few of us know what actually goes on behind the steel doors of the big tech companies like Alphabet, Facebook, and Apple. And yet we interact with their AI systems on a daily basis and those systems have huge power over our lives. In this article, we take a look at some of the key ways AI is being used today and how it will become increasingly important as our technologies improve.

5 Ways AI is Shaping the World 

1. Improving and optimising business processes 

The very first robots in the workplace were all about automating simple manual tasks. This is the age of factories and production lines. Today though, it’s not manual tasks that robots are taking over. Instead, software-based robots are taking on repetitive tasks carried out on computers. 

Initially, this was limited to automating simple repetitive tasks, such as “send follow up email 2 if no response after 3 days”. This has already reduced admin tasks and improved business operational efficiencies immeasurably. The next step though is the use of AI technologies to further alleviate some of the more labour intensive ‘intelligent’ tasks such as data gathering, aggregating and analysis, leaving people to spend more time on complex, strategic, creative and interpersonal tasks.

2. More personalization will take place in real-time

Big tech companies are already using data to personalize services. Google Discover, for example, is a feed based on a complex algorithm which reads your online history and tailors the news feed to your particular interests. Other big tech examples are Spotify and Netflix, which use AI to suggest relevant media based on your historical behaviour.

This technology is constantly evolving and is probably one of the most noticeable in our day-to-day lives. The end goal is a system which can almost perfectly predict your desires and needs, an outcome none of us are likely to protest against. On the other side of the same coin though is the use of that very same data to target individuals with hyper-relevant ads. This practice can often seem intrusive and is one of the driving forces behind the adoption of VPNs.

3. AI in the creative space

Some things are still, even in 2020, better handled by humans. That being said, AI technologies are now beginning to encroach on the creative spaces. Scorsese’s The Irishman is one example of this, where Robert De Niro was de-aged on-screen using AI technology.

There are additional uses though, for example, AI is being used to edit video clips for the purposes of spreading misinformation, and often these edits are incredibly hard to spot. This has led to a new sector of cybersecurity which requires AI technology to spot AI-generated or edited video and audio files. 

4. Increasing AI in Cybersecurity

As data grows and is used to advance the development of AI, it simultaneously opens up new avenues for exploitation by threat actors. For example, AI can be used to create and automate targeted ‘intelligent’ phishing campaigns. AI-supported cyberattacks, though, have the potential to go much further. As such, increasingly advanced AI is needed to combat the evolving cyber threat landscape.


5. AI learning to perfectly emulate humans

Anyone who keeps an eye on the work that Google is doing will know about their 2019 update, BERT: a natural language processing (NLP) framework designed to better understand context and intertextual reference so that Google can correctly identify both the searcher's intent and the intent behind any content created.

One of the key challenges facing AI right now is idiomatic or referential speech: language that has more depth of meaning, for example, determining the importance of the concept of a mother, or understanding a phrase like “six feet under”. Our current research and development project at Signal is one example of the practical applications of overcoming this challenge. It involves using machine learning to enable our software to understand the intent behind text, even when ‘hidden’ behind challenging language like idioms, to more accurately identify threats.

As these natural language processes advance, so too will conversational AI bots, to the point where, because of the range and complexities of their answers, you would be forgiven for mistaking them for human.

The Future of AI and what that means for OSINT

Artificial intelligence, machine learning, and automation have already revolutionized intelligence gathering. With OSINT tools like Signal, security teams and intelligence agents can effectively and efficiently monitor the open, deep, and dark web, setting up customized alerts based on searches that leverage Boolean logic. Machine learning takes this intelligence to the next level. It allows vast amounts of data to be collected and aggregated, and all the irrelevant hits to be essentially culled, supplying the security team at the end with actionable, relevant intelligence.

Humans play an essential role in this new intelligence lifecycle: defining the search terms to match security strategies, analysing the end data the system feeds back, reassessing the searches based on the new evidential data, and implementing appropriate responses. This is a key role that will no doubt evolve as the technology becomes more accurate, reducing inefficiencies in the process.
