Search This Blog

Showing posts with label Darknet. Show all posts

Eastern Europe is a Hotspot for Illegal Cryptocurrency Trading

 

According to a new study, Eastern Europe is a hub for illicit cryptocurrency operations. According to Chainalysis data published on Wednesday, Eastern European cryptocurrency addresses contributed $815 million to investment ponzi scams that attract customers with false promises of large returns between June 2020 and July 2021. Ukraine, in particular, provided a large amount of traffic to fraud websites in the region, outnumbering the United States by about 20 million visits.

Eastern Europe is the region that sends the most cryptocurrency to darknet markets. This is attributable in great part to activities at Hydra Market. Hydra is the largest darknet market in the world, although it mainly serves Russian-speaking users in Eastern Europe. 

Finiko, a scam, received half of the money sent to the region. Finiko was a Ponzi scheme established in Russia that collapsed in July 2021, shortly after participants reported being unable to withdraw payments from their accounts. Finiko encouraged customers to invest with Bitcoin or Tether, promising monthly profits of up to 30%, and then established its own cryptocurrency that was sold on various platforms. 

Finiko was led by Kirill Doronin, a popular Instagram influencer who has been linked to numerous Ponzi scams, according to the Moscow Times. Finiko received approximately $1.5 billion in Bitcoin in over 800,000 distinct donations between December 2019 and August 2021.

While Eastern Europe is primarily thought of as a recipient of illicit cryptocurrency funds, the research points out that due to the region's economic instability, it is also home to an increasing number of victims. Scam payments outperformed all kinds of crime in Eastern Europe, as well as every other region analyzed by Chainalysis, despite the constant rise in ransomware assaults. 

Eastern Europe came in second place in terms of ransomware funds received, at $46 million. However, due to overlap in services, some of the $51 million in activity attributed to Western Europe could be credited to Eastern Europe, according to researchers. 

Cryptocurrency scams have also grown in popularity in the United States, which came in third in terms of scam payments after Eastern and Western Europe. Despite this, the firm discovered that fraudsters have amassed tens of millions of dollars in cryptocurrency ransomware payments.

The average price of access to a hacked company in the darknet reached $5,400

Specialists of the Israeli company Kela analyzed more than 1 thousand ads for the sale of initial access to the internal computer networks of hacked organizations published on the darknet from July 2020 to June 2021. The average lot price is about $5.4 thousand.

Kela noted that pricing depends on the revenue of the hacked company: this indicator also determines the nominal value of the ransom that hackers can request. Therefore, access to small firms costs $100-200, and the most expensive lots are thousands of times more.

The highest price tag that the experts met was equal to 12 bitcoins (about $540 thousand at the exchange rate on August 18). That's how much the brokers asked for access to an unnamed Australian company with an annual income of $500 million. The second most expensive access cost 5 bitcoins (about $225 thousand). For this amount, an account was sold in the ConnectWise Control remote desktop access system from the network of one of the American IT companies. Another lot from the top three most expensive accesses was a lot for $100,000, which promised access to the network of some Mexican government agency.

Kela's specialists have compiled a rating of countries, access to companies from which are most often sold on the darknet. The United States led the top by a large margin: 27.9% of ads concern American organizations. France is on the second line with an indicator of 6.1%. Next are the United Kingdom and Australia with shares of 4% each. Canada closed the top five with a result of 3.8%. Then there are Italy (3.5%), Brazil (3.2%), Spain and Germany (2.3% each), the United Arab Emirates (2%).

The researchers noted that Russia and the CIS countries could not enter the top 10, since working with local companies on Russian-language hacker forums is not customary.


Cyber Criminals Using a New Darknet Tool to Escape Detection

 

There has been an ongoing war between criminals and authorities in cyberspace for years. Although cryptocurrencies are anonymous in nature, new techniques for tracking funds around the cryptocurrency blockchain have led to the arrest of dozens of cyber-criminals in the previous two years. 

But recently a new website has surfaced on the darknet that allows criminals to assess how "clean" their digital currencies are. 

Dr. Tom Robinson, chief scientist and founder at analysis provider Elliptic, who discovered the website explained, "We're seeing criminals start to fight back against blockchain analytics and this service is a first." 

"It's called Antinalysis and criminals are now able to check their own Bitcoin wallets and see whether any association with criminal activity could be flagged by authorities." 

According to Elliptic, the finding demonstrates how complex cybercrime networks are becoming and how concerned criminals are about being detected. 

"It's a very valuable technique. If your funds are tainted, you can then do more laundering and try to remove that association with a criminal activity until you have clean coins," he said. 

According to Dr. Robinson, this new trend is concerning that could make their work and law enforcement difficult. However, as per the researchers who examined it, the service isn't functioning very well right now. 

"It actually wasn't very good at identifying links to criminal sites. However, it will inevitably improve over time. So I think this is going to be a significant capability for criminals and money launderers in the future." 

Authorities all across the world, including China, the United Arab Emirates, and the United Kingdom, are attempting to address the rising problem of money laundering using cryptocurrencies. Cryptocurrency monitoring has resulted in several high-profile arrests, such as US teenager Graham Ivan Clark, who is presently in prison for plotting one of the largest-ever social media hacks. 

Last year, on July 15, Clark hacked into the accounts of dozens of celebrities, including Kim Kardashian, Elon Musk, Bill Gates, and Joe Biden, on Twitter.

"Everyone is asking me to give back," Mr. Gates stated in a tweet purportedly sent from his account. "You send $1,000, and I send you $2,000 back." After that, Clark and his hacking team tweeted an ad for a cryptocurrency fraud, which resulted in hundreds of transfers from people wanting to profit from the fraudulent giveaway. 

Clark gained more than $100,000 (£72,000) in only a few hours and began the process of transferring the money around to cover his tracks. He is now 18 years old, pleaded guilty, and is currently serving a three-year sentence in a Florida jail. 

The growing usage of so-called privacy coins is another trend that authorities are concerned about. Cryptocurrencies like Monero, for example, provide more secrecy than popular coins like Bitcoin. 

Hackers are now urging victims to pay with these currencies in return for a discount in some extortion incidents. This is a trend that is yet to completely take off, and Kim Grauer, director of research at bitcoin monitoring firm Chainalysis, believes that this technique offers disadvantages for criminals. 

"Privacy coins haven't been adopted to the extent that one may expect. The primary reason is they aren't as liquid as Bitcoin and other cryptocurrencies. Cryptocurrency is only useful if you can buy and sell goods and services or cash out into mainstream money, and that is much more difficult with privacy coins."

Darknet Markets are Scrambling to Attract Joker’s Stash Clients

 

The administrator behind Joker's Stash professes to have formally closed down the operation on 15th February. Meanwhile, criminal gangs offering stolen payment cards for sale have stepped up their promotional efforts. Among the darknet marketplaces vying to get previous Joker's Stash clients are Brian's Club, Vclub, Yale Lodge, and UniCC, Kela says. Joker's Stash clients were likely already searching for a new marketplace, says the threat research firm Digital Shadows, because of the site's declining customer service and having its service hindered by law enforcement officials in December 2020. 

Brian's Club has gone the additional mile with its marketing efforts, Kela says. For instance, it has supplanted Joker's Stash as the official sponsor of the popular underground forum Omerta, which focuses on payment card trading. "With the heavy marketing and advertising that Brian's Club has been investing in, it seems that the long-time attempts of marketing to credit card traders may be finally paying off now that Joker's Stash is out of the picture," says Victoria Kivilevich, a threat intelligence analyst with Kela.

Kela and Flashpoint additionally say that Yale Lodge could arise as a dominant market for stolen card information since it operates both Tor and clear web card shop and has a self-facilitated checking service. This service permits the buyer to verify whether the card data being purchased is substantial. Kivilevich brings up, however, that Yale Lodge charges a $150 registration fee and a minimum deposit of $200, which is 10 times higher than what Joker's Stash required.

Flashpoint says the operators of the Ferum market likewise have a wealth of experience and give simple access, yet the site has less card information available for sale than others. Then, Trump's Dumps, which is a newer operation, has expanded its publicizing, Flashpoint reports. It offers an assortment of services, including a self-facilitated checking service. Kivilevich says she has spotted Vclub members attempting to enlist Joker's Stash clients on darknet forums. Be that as it may, Kela's research has discovered numerous complaints about the quality of cards accessible on Vclub. 

“Cybercriminals buy cards and dump not only in specialized shops but also on forums, via instant messaging channels, and behind closed doors in private deals," Kivilevich says.

Cyber Criminals Leak Hackney Council Files on the Darknet Website

 

Cybercriminal group recognized as Pysa/Mespinoza has leaked the sensitive information stolen from the Hackney Council on the Darknet website. The group of attackers claimed that the stolen documents are from Hackney Council in a ransomware attack last year. The council in East London stated that they are collaborating with the Ministry of Housing and the UK’s National Cyber Security Centre (NCSC) to scrutinize and perceive the impact of the incident.

The stolen data published on the ‘dark web contains the personal information of council staff and residents; the files include critical information regarding the PhotoID, staff data, passports dump’. Cybercriminal group is utilizing the stolen data as their leverage to extort payment from the Hackney Council.

Cybersecurity expert, Brett Callow stated that “It’s an increasingly common place for ransomware groups to steal data and use the threat of its release as additional leverage to extort payment. Organizations in this position are without good option. Whether they pay or not, they’ve had a data breach and the criminals have their information. The most they can hope for is a pinky-promise that it will be destroyed”.

In this regard, the National Cyber Security Centre (NCSC) guidelines announced that there is no assurance that organizations, companies, or councils will get access to their stolen data even if the ransom demand from extorters is fulfilled. Hence law enforcement ‘does not encourage, endorse, nor condone the payment of ransom demands’.

Hackney council spokesperson asserted that in their initial investigation there are no indications that the majority of the critical and personal information of our residents have been published or affected. There are also not any signs of this critical information visible via search engines on the Internet.

He further asserted that necessary precautionary measures have been taken and they are closely monitoring the whole incident. They have collaborated with the local authorities including the Information Commissioner’s Office, Metropolitan Police, and National Crime Agency to investigate the whole incident.

Russian hackers selling program in darknet that bypasses spam protection

The Russian-language Darknet site sells a program that allows you to distribute spam messages bypassing traffic and email protection tools. The program uses a function in the IMAP protocol

A new tool for spammers is actively being sold on the Darknet, which allows you to bypass the standard protection of e-mail accounts. By exploiting a feature in the Internet Message Access Protocol (IMAP), attackers upload the messages they need directly into the mailboxes of victims.

To trigger the attack, it is necessary that the attackers already have access to the victim's account. The Email Appender malware has been actively promoted on Russian-language hacker forums since the fall of 2020.

The author offers to use the program through a subscription — $50 for one day, $300 for a week or $1000 per month. This is very expensive, but judging by the latest campaigns, the demand for this service is very high.

Experts of the information security company Vade Security indicate that companies in Italy, France, Denmark and the United States have already been subjected to full-scale attacks by spammers using Email Appender. One of the affected organizations claims that it received 300 thousand spam messages in one day and was forced to spend very substantial resources to disable compromised accounts or change usernames and passwords.

Databases of usernames and passwords to mail are actively sold out on hacker forums. According to Gemini Advisory, an attacker can upload such a database to Email Appender, after which the program will try to connect to accounts that match pairs of usernames and passwords via IMAP. Next, it remains to use the IMAP function, which allows hackers to upload ready-made mail messages to the mailbox.

"There are a number of ways to block such spam campaigns, but the main one is to regularly change passwords and not use the same combination (or similar to it) more than once," said Alexey Vodiasov, technical Director of the company SEC Consult Services.

In addition, according to Vodiasov, two-factor authorization is effective, so that even a compromised account cannot be connected without attracting the attention of its rightful owner.

The expert added that it is also possible to enable notifications of cases of logging into an account from unusual IP addresses. Mail systems are quite capable of doing this.

179 Dark Net Vendors Arrested in a Massive International Sting; 500 kg Drugs Seized


Global police agencies have confiscated over $6.5m both in cash and virtual currencies, 64 firearms, and 1,100 pounds of drugs - arresting 179 vendors across 6 countries including the U.S and Europe in one of the biggest raid on dark web marketplaces. The international sting operation saw considerable co-operation from Law enforcement agencies all over the world including the US, UK, Germany, Europe, Canada, Europe, Sweden, Austria, and the Netherlands.

The 500kg of drugs recovered by investigators during the operation included fentanyl, methamphetamine, oxycodone, ecstasy, cocaine, hydrocodone, MDMA, and several other medicines containing addictive substances, as per the findings.

The authorities dubbed the global sting operation as 'DisrupTor' and while announcing it, they claimed in a press release that the "golden age of the dark web marketplace is over." The roots of the operation go back to May 3, 2019; the day German authorities seized the dark web drug market, "Wallstreet market" and arrested its operators.

"Operations such as these highlight the capability of law enforcement to counter encryption and anonymity of dark web market places. Police no longer only take down such illegal marketplaces – they also chase down the criminals buying and selling illegal goods through such sites." The press release further read.

According to the Justice Department, it was the largest international law enforcement operation that targeted opioid traffickers on the dark web. The investigation witnessed an extensive range of investigators ranging from the FBI, ICE, DEA, Customs and Border Protection (CBP), to the Defense Department.

Commenting on the success of the operation, the head of Europol’s European Cybercrime Centre (EC3), Edvardas Šileris said, “Law enforcement is most effective when working together, and today’s announcement sends a strong message to criminals selling or buying illicit goods on the dark web: the hidden internet is no longer hidden, and your anonymous activity is not anonymous. Law enforcement is committed to tracking down criminals, no matter where they operate – be it on the streets or behind a computer screen.”

“With the spike in opioid-related overdose deaths during the Covid-19 pandemic, we recognize that today’s announcement is important and timely,” said Christopher Wray, FBI director. “The FBI wants to assure the American public, and the world, that we are committed to identifying dark net drug dealers and bringing them to justice.” He further added.

The data of clients of the Russian bank Alfa-Bank leaked to the Network


On June 22, a message appeared on the Darknet about the sale of a database of clients of the largest Russian banks. The seller did not specify how many records he has on hand but assured that he is ready to upload 5 thousand lines of information per week.

One of the Russian Newspapers had a screenshot of a test fragment of the Alfa-Bank database, which contains 64 lines. Each of them has the full name, city of residence, mobile phone number of the citizen, as well as the account balance and document renewal date.

A newspaper managed to reach up to six clients using these numbers. Two of them confirmed that they have an account with Alfa-Bank and confirmed the relevance of the balance.

Alfa-Bank confirmed that they know about the data leak of several dozen clients.
The seller of Alfa-Bank's database said that he also has confidential information of clients of other credit organizations.

"I can sell a database of VTB clients with a balance of 500 thousand rubles or more with an update from July 17 for 100 rubles per entry," claimed the seller. However, the Russian newspaper was not able to get test fragments of these databases.

The newspaper also contacted two other sellers who offered information about users of Gazprombank, VTB, Pochta Bank, Promsvyazbank, and Home Credit Bank.
Information about the account balance is classified as a Bank secret. Knowing such confidential details makes it easier for attackers to steal money using social engineering techniques.

"There are two ways to get bases on the black market. One of them is the leak of data by an insider from a Bank or company. The second option is through remote banking vulnerabilities," said Ashot Hovhannisyan, founder of the DLBI leak intelligence service.
According to him, the reason for the ongoing leaks is inefficient investments in security. Companies often protect their systems from hacking from outside, but not from insiders.

IM Platforms Increasingly Used by Threat Actors in Place of Dark Web Marketplaces


Researchers at IntSight have discovered that IM platforms such as WhatsApp, Telegram, Discord, IRC, and Jabber are being used by cybercriminals for advertising and putting their goods and services on sale. One of the major reason as to why cybercriminals are switching to these IM platforms from the conventional ones is 'law enforcement practices'; law enforcement operations have been targeting online darknet markets one after another. Earlier in 2017, the world's largest dark web market, AlphaBay was taken offline, sending darknet users into chaos. Immediately after, the cyberspace witnesses the shut down of Hansa, another major darknet market. As more and more major dark web markets went offline due to the law enforcement penetrations, cybercriminals are wisely migrating to new platforms.

Although threat actors are loving IM platforms, the regular cybercrime sources such as dark web markets, credit card shops, and forums are still witnessing their web usual traffic. These platforms have more advantages such as chatbots, fewer rules, and automated replies due to their core nature, unlike IM platforms that are majorly meant for communication.

While giving insights, Etay Maor, IntSights CSO, said, "Telegram appears to be experiencing the most growth, with more than 56,800 Telegram invite links shared across cybercrime forums and over 223,000 general mentions of the application across forums. Telegram is also the platform most often discussed in foreign language forums."

"Financial threat actors and fraudsters exchange stolen carding information, selling or trading all kinds of credit card dumps, and publishing methods or techniques relevant for the fraud community. In addition, there is also a trade of physical items stolen or counterfeited from organizations in the retail industry.” He added.

“While the data itself is fully encrypted and law enforcement needs sophisticated algorithms in order to decrypt it, some countries have authorized law enforcement agencies to access the private information of their citizens if sanctioned by courts or other judicial authorities – including information that lives in IM platforms. Threat actors are worried about the cooperation between technology companies and law enforcement agencies, especially in the United States.” Maor further explained.

Hackers sell data of 80 thousand cards of customers of the Bank of Kazakhstan


An announcement about the sale of an archive of stolen data from 80,000 Halyk Bank credit cards appeared on the Darknet's site Migalki.pw.

It should be noted that Halyk Bank of Kazakhstan is the first Bank in the country in terms of the number of clients and accumulated assets. This is not the first time for a Bank when data has been compromised.

The fact that the archive consists only of Halyk Bank cards suggests that the cards were stolen inside the structure.

Typically, identifiers of stolen cards are obtained using MitM attacks (Man in the middle). While the victim believes that he is working directly, for example, with the website of his Bank, the traffic passes through the smart host of the attacker, which thus receives all the data sent by the user (username, password, PIN, etc.).

It is possible that the archive is not real. This may be a bait for potential carders created by the Bank, the so-called honey pot. This trap for hackers creates an alleged vulnerability in the server which can attract the attention of attackers and inspire them to attack. And the honeypot will see how they work, write down the information and pass it to the cybersecurity department.

Although, such actions are risky for the image of a financial institution, as any Bank tries to avoid such negative publicity.

It is important to note that all data leaks from the Bank is the personal fault of the owners, managers of the Bank. In Russia and in Kazakhstan, in case of data leakage, the bank at best publishes a press release stating that "the situation is under control". However, banks in the US and Europe in the same situation receive a huge fine.

Data of Bank customers in Russia are becoming more expensive on the Darknet


In the first half of 2019, the price of banking customer data has rapidly increased on the Darknet. Thus, the cost of obtaining data on cards or statements of operations increased by 3-7 times. At the beginning of the year, the client's account statement could be purchased for 2 thousand rubles ($ 32), now its cost can reach 15 thousand rubles ($ 238).

According to the Positive Technologies analyst Vadim Solovyov, data on ATMs used by the client appeared on many sites, their price is from 8 thousand ($ 127) to 15 thousand rubles ($ 238). He noted, rather, this information can be used in traditional criminal schemes, for example, so that the fraudster's call to the client sounded more reliable.

"If the cost has increased, it means that the methods of countering leaks in banks have significantly complicated the business of attackers", the Central Bank believes.

The Head of the Information Security Department of the Open-Bank Vladimir Zhuravlev associated the price increase with a change in the type of attacks on customers. According to him, earlier fraudsters often used technical means, such as Trojans, phishing links or skimming. Now 90% of the theft occurs using social engineering methods, where the availability of personal customer data is very helpful to the fraudster.

The Central Bank does not disclose official statistics on the theft of funds of individuals in the first half of the year. However, law enforcement officers recorded an increase in successful thefts from bank accounts. For example, in the Kurgan region, the number of crimes has doubled, in the Smolensk region has grown five times.

According to Stanislav Pavlunin, the Vice-President of Post-Bank, the Bank uses different approaches and methods to combat internal fraud, for example, photo and video shooting of monitor screens, as well as official documents, presentations containing confidential information is prohibited.

It is interesting to note that Sixgill analysts have prepared a report, according to which Russia took the last place in the number of stolen bank cards. The researchers see two reasons for such low rates: the first is a large percentage of Russian cybercriminals, and the second is the economic situation in Russia.

Darknet: The digital underground



The arrest of two Delhi youths for the import and sale of illegal marijuana through the darknet in December last year sparked widespread discussion on the rising prominence of the darknet in India. With dark net being the new market for drug peddlers and illegal traders, it is slowly becoming one of the most challenging problems to be tackled in this cyber age.

What is the darknet?

The world wide web can be divided into three categories- the surface web, the deep web and the dark web. While pages on the surface web(visible web ) are indexed and can be easily accessed by the public, pages on the deep web are not indexed and hence cannot be readily accessed. The content of the deep web is hidden behind HTTP forms and includes many common uses such as webmail, online banking, and services that users must pay for, and which is protected by a paywall, such as a video on demand, some online magazines and newspapers, and many more. Content of the deep web can be located and accessed by a direct URL or IP address and may require a password or other security access past the public website page. The dark web is that part of the internet which can be accessed only by ‘overlay networks ‘ and needs special browsers like TOR to access. Browsers like TOR ensure anonymity to the host as well as the user, by protecting the IP address with its ‘overlay network’ structure.

Illicit drugs, weapons and online fraud : the endless dangers of darknet

The promise of anonymity the darknet offers has led to an alarming increase in its use in the last 4 years. A 2015 study showed that drugs are the most traded commodity on the dark web and 26 per cent of its content can be classified as ‘child exploitation’. A December 2014 study by Gareth Owen from the University of Portsmouth found that the most commonly hosted type of content on Tor was child pornography, followed by black markets. Stolen credit card details, forged documents, counterfeit currency and weapons are the other types of content. Reports of crowdfunded assassinations, hitmen and live streamed murders are believed to be available on the darknet.

How does it work?

Cryptocurrencies such as bitcoin are used for transactions on the darknet. Purchases on the darknet come with reviews and ratings just like on Amazon and Flipkart and are delivered to the customer’s doorstep just like any other order. Service providers like ‘escrow’ ensure that the transaction is made to the seller only after the customer receives the package. Often disguised, these illegal products mostly make their way through customs to the customers' doorstep.

Cracking the whip :

Though highly evasive, browsers like Tor aren’t completely untraceable. In early November, a coordinated action by the FBI and Europol known as Operation Onymous seized dozens of Tor hidden services, including three of the six most popular drug markets on the Dark Web. For now, just how the feds located those sites remains a mystery.

“ The Interpol, Europol and the FBI are the ones striving hard to keep the darknet dangers in check”, says J.Prasanna, Director of Cyber Security and Privacy Foundation, Singapore.

” The first step towards net safety comes down to parental supervision”, says J .Prasanna who provides dark web monitoring for banks.

“ The Indian government should ensure stringent punishment for the offenders using darknet for illegal trade and activities. The police department too should be technologically advanced to handle such crimes”, says V.Rajendran, Chairman, Digital Security Association of India.


The bright side :

It would be safe to say not everything is dark about the darknet. The privacy it provides is a major attraction to many who are looking to escape the watchful eyes of service providers and federal agencies. Anonymous messenger services and access to tonnes of resources (data, books, documents) argues the use of darknet for good.

Author:
Yamuna Chandran