Author note: This originally appeared at the defunct Norse Darkmatters blog during the summer of 2015: Exploring the Dark Recesses of the Deepweb (with minor edits).
. . .
Darknet Rabbit Hole
I’ve been back down the rabbit hole, into the Darknet again and it’s been a hell of a hostile and discordant excursion this time. For those of us who are merely researching the cybercriminal ecosystem, it can become an extremely precarious place to visit sometimes.
I’ve had noxious miscreants jabbering me, insisting that I hack something to prove that I am who I say I am — some of whom even messaged me direct phishing links.
Some side trips led to the discovery of more phishing sites in the cloned market realm: cybercriminals are jacking cybercriminals, journalists, researchers, and anyone with an inquisitive mind.
Though my pseudonyms are anonymous (at least I think they are), I am unwilling to share my identity or hack anything for inclusion in their inner circle.
Though I’ve shared specific Darknet identities with a few trusted journalists, my real-life family and friends are clueless as to who or what I represent in the nether regions below.
In part 1 of this series I meandered through the Darknet and questioned deviant mindsets, while in part 2 I explored more of the dark recesses that make up the shadowy underbelly of the underground cybercrime ecosystem.
In part 3 of this continuing saga I will share more encounters, experiences, observations, and a few additional utterances.
Hell Remodels Itself
The Hell forum recently switched to invite-only mode. Current members who would like to invite friends to the forum must request an invite key from a mod. High ranking data dumps and breaches have been removed from the main forum and secreted away into the innermost fissures of Hell.
Remnants of a prior conversation regarding the AFF data leak have been removed, and the only snippet left is:
Jamal666: “Where can I get the entire AFF-Database?”
Ping: “ROR sold it, he kept back some of the goodies…”
One Forum, Two Hells:
- The main Hell forum: This is where you get to hang out with LE, journalists, noobs, and the untrustworthy. It is here that you can expect to be misled and toyed with.
- The private Hell forum: This is the new home for the elite and trusted cybercriminals who have proven their hacking skills to the Hell crew.
The most profound modification to the forum has been the removal of all timestamps, including from personal messaging and search.
Main Characters Resurface
On July 2 both ROR[RG] and PING resurfaced within 30 minutes of each other, but you won’t find their recent posts in the main forum. For a very short time ROR[RG] was a busy little beaver as he moved all his posts to the hidden (private) section of the forum.
PING (who may not be the real PING) appeared for a few minutes to rescript his “I’m back” dialogue (after a 16-day hiatus). Shortly after posting his surprise re-entrance post, he declared that he would be on vacation until August.
More Hell Banter
Hackerjon requested an exclusive place that only users known to have committed felonies can access. Hackerjon states in the main forum:
For instance, a single discussion thread that only users that have openly dumped a site, carded, or something like that can read…there are things, plans, and questions that I keep to myself because there is simply nowhere to share ideas with proven motherf##kers (at least in the forum format).
He further elaborates that he has been doing all kinds of shit recently:
But since you closed the barn door after the cows have already left, or in this case LE is already in, I won’t participate in that thread.
Next on stage is Botis. He posits that the future of the credit card industry in the U.S. is important because:
In the next year all the majors will start introducing technologies that are being used in Europe and Canada, EMV and NFC. I have acquired the equipment for producing cards in both as that is the future, and I want to be doing this for a while. Of the two, NFC (Near Field Communications) is the one that interests me most.
You do not need a PIN for this, just simply “tap your card” on a POS terminal and the payment is made. He also acquired a new tech toy:
I recently picked up a bluetooth key-chain sized scanner that, if within 8 or 10 inches of a person’s card, will send a signal to wake up the card and then record the information it beams over … right to my cellphone. On a recent trip visiting Canada I managed to beam off the information of 6 people while hanging at a Starbucks “trying to decide” on what to have on my first attempt.
Drumroll for Botis’s get-out-of-jail-free card:
I could carry around a cellphone with hundreds of cards and yet have no physical evidence linking me to a criminal act, such as a fake credit card. In fact if you are carrying your own phone with your credit card installed, you could just claim it was a weird aspect of the system, a glitch.
How cool is that? Next on his agenda is to locate an app/software that can run Orbot to capture the beam-over, organize it based on usage and date, and have it work like Tap2Pay technology works.
Since it does not exist in U.S. markets yet, if the Canadian and European carders do not have “such a thing” Botis is very interested in helping to develop this technology for the U.S. market.
As you can see, cybercriminals are busy writing a new chapter while doing due diligence on new technologies in order to support their efforts.
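The contactless read Botis describes above returns EMV data objects encoded as BER-TLV. The following Python is an added example, not code from the original post or from anyone mentioned in it: it parses a READ RECORD response constructed by hand for this illustration (the PAN is the standard 4111 1111 1111 1111 test number; the cardholder name, expiry and other values are made up) and decodes the Track 2 Equivalent Data. Tag names follow EMV Book 3; the sample record and the helper names are assumptions.

```python
"""BER-TLV parsing of an EMV contactless READ RECORD response (added example).

Everything below is illustrative: the sample record is constructed by hand and
the PAN is the well-known 4111 1111 1111 1111 test number, not a real card.
"""
from typing import Dict, Iterator, Tuple

# Names for the few EMV data objects used here (tags as hex strings)
TAG_NAMES = {
    "57": "Track 2 Equivalent Data",
    "5A": "Application PAN",
    "5F20": "Cardholder Name",
    "5F24": "Application Expiration Date",
}

# Constructed READ RECORD response: template 70 wrapping four primitive objects
SAMPLE_RECORD = bytes.fromhex(
    "70 32 "
    "57 11 41 11 11 11 11 11 11 11 D2 51 21 01 00 00 00 00 0F "  # Track 2 equivalent
    "5A 08 41 11 11 11 11 11 11 11 "                             # PAN
    "5F24 03 25 12 31 "                                          # expiry YYMMDD
    "5F20 0C 45 58 41 4D 50 4C 45 2F 43 41 52 44 "               # "EXAMPLE/CARD"
)


def _read_tag(data: bytes, pos: int) -> Tuple[str, bool, int]:
    """Return (tag_hex, is_constructed, next_pos) for the tag starting at pos."""
    first = data[pos]
    constructed = bool(first & 0x20)      # bit 6 set: template holding more TLVs
    end = pos + 1
    if first & 0x1F == 0x1F:              # low 5 bits all set: multi-byte tag
        while data[end] & 0x80:           # subsequent bytes continue while bit 8 set
            end += 1
        end += 1
    return data[pos:end].hex().upper(), constructed, end


def _read_length(data: bytes, pos: int) -> Tuple[int, int]:
    """Return (length, next_pos); 0x81..0x84 announce 1..4 following length bytes."""
    first = data[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("unsupported BER length encoding")
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def iter_tlv(data: bytes) -> Iterator[Tuple[str, bytes]]:
    """Yield (tag, value) for every primitive object, descending into templates."""
    pos = 0
    while pos < len(data):
        if data[pos] in (0x00, 0xFF):     # padding between objects, skip
            pos += 1
            continue
        tag, constructed, pos = _read_tag(data, pos)
        length, pos = _read_length(data, pos)
        value = data[pos:pos + length]
        if len(value) != length:
            raise ValueError(f"truncated value for tag {tag}")
        pos += length
        if constructed:
            yield from iter_tlv(value)
        else:
            yield tag, value


def parse_record(data: bytes) -> Dict[str, bytes]:
    """Flatten a record into {tag: value}."""
    return dict(iter_tlv(data))


def decode_track2(track2: bytes) -> Dict[str, str]:
    """Split Track 2 Equivalent Data: PAN 'D' YYMM service-code discretionary [F pad]."""
    nibbles = track2.hex().upper().rstrip("F")
    pan, _, rest = nibbles.partition("D")
    return {"pan": pan, "expiry_yymm": rest[:4],
            "service_code": rest[4:7], "discretionary": rest[7:]}


def summarize(record: bytes) -> Dict[str, str]:
    """Human-readable view of what one record exposes over the air."""
    objs = parse_record(record)
    out = {TAG_NAMES.get(tag, tag): value.hex().upper() for tag, value in objs.items()}
    if "57" in objs:
        out.update(decode_track2(objs["57"]))
    if "5F20" in objs:
        out["cardholder_name"] = objs["5F20"].decode("ascii").strip()
    # Note what is absent: the CVV2/CVC2 printed on the card and the PIN are not
    # data objects in the record, and the transaction cryptogram (ARQC) is
    # generated per transaction rather than stored here.
    return out


if __name__ == "__main__":
    for key, val in summarize(SAMPLE_RECORD).items():
        print(f"{key}: {val}")
```

Running it shows the point a defender should take from Botis's boast: a passive read of the record yields the PAN, expiry, service code and (on some cards) the embossed name, which is enough for some magstripe-fallback or card-not-present fraud, but it does not yield the CVV2 printed on the card, the PIN, or the per-transaction cryptogram that an EMV terminal checks.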
UPDATE July 10 2015:
Hell Forum: The AFF download link, pinned to the hacked data section, is in the main forum now. Other hacked data dumps [also pinned] include:
- Ping’s database for hacked data
- Hacking Team
- mSpy Data Dump
- OPM DB sample [not the real OPM hack]
Captainkirk is definitely the king of the Darknet marketplace when it comes to ebooks. For a buck or under per book I could potentially buy thousands of dollars worth of tech and infosec books for mere pennies on the dollar.
This month there are 4,947 fraud items; in a little over two weeks, 653 new fraud items were added to the market. They break down into the following categories:
- 2,529 Accounts & bank drops [up 356 items]
- 909 CVV & cards [up 86 items]
- 206 Dumps [up 11 items]
- 738 Other [up 543 items]
- 565 Personal information and scans [up 98 items]
In the “Other” category you will find items such as Agora free!!! This is a freebie by vendor vaas, who has 100% positive feedback and has been a seller for 16 months. Giving away free items can increase your popularity in the marketplace.
Another vendor is selling Spotify accounts with a twist:
At level 6, RedSon is one of the hottest (and highly popular) credit card vendors on AlphaBay (he previously held the #1 spot at the now defunct Evolution marketplace).
RAMP is the Russian Anonymous Marketplace, and I’ve heard this market is Russia’s version of what Silk Road used to be. Since I do not speak Russian, I merely squatted at their entrance for a few minutes.
The Tochka Market is small but interesting, and forbids the following:
- Opiate family drugs
- Research-chemical-type drugs that have a short history of human consumption
- Weapons, explosives, poisons, etc
- Counterfeit documents and bills
- Any pxxnography, erotica, snuff, etc
- Nationalism, antisemitism and other kinds of discrimination
- Politics and Religion
Vendor Darkmarket88 immediately caught my eye. He appears omnipresent in the marketplaces. He is a vendor at the East India Company, Mr Nice Guy, Nucleus, The Real Deal (roudybit888), and so on. Some of the items he is selling are:
- The Ultimate Hacking Tools Pack
- The AntiDetect © software
- Kon-Boot for Windows v2.4
I visited Genesis, but I was the only one on the forum. That made me too uncomfortable, so I did not stick around. Then I found Galaxy 2, and this place is quite diverse and very friendly.
I found out that it is actually a social network. People share a lot of fascinating links and information here. It is very different from the majority of places that I frequent on the Darknet.
This tour has ended. There is no time to check the pasties on this trip. Part 4 of this series may cover doxxing, phishing, search engines, and more thoughts (trends) on the cybercrime ecosystem.
Part 1: Darknet Underground Meanderings
This post originally appeared at the now defunct Norse Corporation Darkmatters blog. This concludes Part 3 of the 3-part series.