Wednesday 4 October 16:00 - 16:30, Red room
Youjin Lee, Kyunghee Kim, Jungyeon Lim & Dasom Kim (S2W)
On 31 January 2022, the operator of RaidForums, Coelho (a.k.a. Omnipotent), was arrested in the United Kingdom. Coelho was revealed to be 21 years old at the time, having been only 14 years old in 2015 when RaidForums first went live. At the time, RaidForums was known to be the largest hacking forum on the deep web, with at least 500,000 active users according to Europol.
Following the United States' seizure of RaidForums and the arrest of its chief administrator, a number of other hacking forums were created to follow in its footsteps. These include Breached (a.k.a. BreachForums) and DarkNetWorld; many RaidForums users moved to Breached, bringing its total number of active users to around 336,800, and it remained active until recently.
On 15 March 2023, Conor Brian FitzPatrick (a.k.a. pompompurin), a moderator of Breached, was arrested in New York by US law enforcement.
The Threat Detection Team of S2W Threat Research & Intelligence Center analysed the life cycle, number of active users, and post regen rate of about 30 of the deep web forums currently in operation. We measured the scale of each forum from these figures and derived a new reference point for distinguishing major from minor forums. Based on our analytics, we profiled the operators of three major forums.
First, we profiled Omnipotent, the operator of RaidForums. Omnipotent has since been arrested and the forum has been shut down, but prior to his arrest, Omnipotent was active on the surface web. We have been tracking his activity since 2019, when RaidForums became active, and his past activity is archived and still available. Omnipotent maintained an active presence on the open web, including GitHub, Twitter, Telegram and Keybase accounts, along with a fake profile describing himself as a LEMP stack developer & sysadmin based in the UK.
Second, we have been tracking pompompurin since before Breached was operational. Pompompurin joined RaidForums in October 2020 and began his activity there by uploading an SQL database of a company's website. Even after becoming the operator of Breached, he did not stop his hacking activities. Surprisingly, he has operated various sites in addition to Breached. Representative sites include skidbin, an anonymous text hosting site, and og money, an anonymous file hosting site; more recently he built and began operating a Mastodon server/node, an anonymous SNS (social networking) site. In addition, he has been active on the surface web, operating about 15 SNS accounts including Telegram, Twitter and Keybase.
Third, we profiled Chucky, the operator of LeakBase, who joined Breached in March 2022 and started his activity by uploading an SQL database of a specific corporate website. LeakBase was opened in June 2021, before he started his activity on Breached, and is now a forum with more than 8,000 active users. Chucky also runs a Telegram channel, where various data including leaked databases and stealer logs are uploaded. He also runs various SNS accounts and is active on the surface web.
Finally, we conducted comparative and statistical analyses of the three moderators of the major deep & dark web forums introduced above. In particular, we conducted a variety of analyses, including frequency of activity, language characteristics, and time-of-day analysis, and found that the three users have distinctly different characteristics between their activities as moderators and their activities as ordinary users on other forums. We also tracked their behaviour on the surface web, and found that in addition to running hacking forums, they were running a variety of additional sites on the surface web and were not hiding this fact. In particular, we found that some of the users were using fake profiles on the surface web, and we were able to identify similarities and differences between these profiles and their real identities, which were later confirmed during the arrests.
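As an illustration of the frequency-of-activity and time-of-day analysis described above, the following is an added example written for this page; it is not S2W's code and does not reproduce the talk's data. It takes a constructed list of posts for one hypothetical actor, labelled by forum and by role (moderator vs. ordinary user), builds an hour-of-day histogram per role, measures posting frequency, re-bins the histogram into a candidate timezone, and scores how much the two role profiles overlap (histogram intersection, 1.0 = identical, 0.0 = disjoint). The forum names, role labels and timestamps are all assumptions made for the example.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample (not from the talk): one hypothetical actor's posts as
# (forum, role, ISO-8601 UTC timestamp). A real input would come from a crawler.
SAMPLE_POSTS = [
    ("ForumA", "moderator", "2023-03-01T13:05:00Z"),
    ("ForumA", "moderator", "2023-03-01T14:10:00Z"),
    ("ForumA", "moderator", "2023-03-02T14:40:00Z"),
    ("ForumA", "moderator", "2023-03-02T15:00:00Z"),
    ("ForumA", "moderator", "2023-03-03T16:30:00Z"),
    ("ForumB", "user", "2023-03-01T01:15:00Z"),
    ("ForumB", "user", "2023-03-01T02:20:00Z"),
    ("ForumB", "user", "2023-03-02T02:45:00Z"),
    ("ForumB", "user", "2023-03-03T03:05:00Z"),
    ("ForumB", "user", "2023-03-04T14:50:00Z"),
]


def parse_posts(records):
    """Parse ISO-8601 'Z' timestamps into timezone-aware UTC datetimes."""
    out = []
    for forum, role, ts in records:
        dt = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
        out.append((forum, role, dt))
    return out


def hour_histogram(posts):
    """Fraction of posts falling in each UTC hour 0-23 (all 24 keys present)."""
    counts = Counter(dt.hour for _, _, dt in posts)
    total = sum(counts.values())
    return {h: (counts.get(h, 0) / total if total else 0.0) for h in range(24)}


def shift_hours(hist, offset_hours):
    """Re-bin a UTC hour histogram into a candidate local timezone (UTC+offset)."""
    return {(h + offset_hours) % 24: frac for h, frac in hist.items()}


def peak_hour(hist):
    """Hour with the largest share of posts; ties resolve to the earliest hour."""
    return max(hist, key=lambda h: (hist[h], -h))


def posts_per_day(posts):
    """Average posts per calendar day over the span from first to last post."""
    if not posts:
        return 0.0
    days = sorted(dt.date() for _, _, dt in posts)
    span_days = (days[-1] - days[0]).days + 1
    return len(posts) / span_days


def histogram_overlap(a, b):
    """Histogram intersection of two hour profiles: 1.0 identical, 0.0 disjoint."""
    return sum(min(a[h], b[h]) for h in range(24))


def compare_roles(records):
    """Build a per-role activity profile and score the overlap between two roles."""
    by_role = {}
    for forum, role, dt in parse_posts(records):
        by_role.setdefault(role, []).append((forum, role, dt))
    profiles = {}
    for role, posts in by_role.items():
        hist = hour_histogram(posts)
        profiles[role] = {
            "posts": len(posts),
            "posts_per_day": posts_per_day(posts),
            "peak_hour_utc": peak_hour(hist),
            "hist": hist,
        }
    roles = sorted(profiles)
    overlap = None
    if len(roles) == 2:
        overlap = histogram_overlap(profiles[roles[0]]["hist"], profiles[roles[1]]["hist"])
    return {"profiles": profiles, "overlap": overlap}


if __name__ == "__main__":
    result = compare_roles(SAMPLE_POSTS)
    for role, prof in result["profiles"].items():
        print(f"{role:10s} posts={prof['posts']} per_day={prof['posts_per_day']:.2f} "
              f"peak_hour_utc={prof['peak_hour_utc']:02d}")
    print(f"hour-profile overlap between roles: {result['overlap']:.2f}")
```

A low overlap score between the moderator profile and the user profile is the kind of signal the abstract refers to when it says the actors behave differently in the two roles; `shift_hours` lets an analyst view the same histogram under a candidate UTC offset without changing the underlying counts.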
In this presentation, based on what we have analysed so far, we will present the criteria for forums that will be a major threat in cyberspace. We will also share the results of a comparative analysis of the operators of three major forums, selected based on the frequency and size of their current operations, together with the statistical analysis of their behaviour on the deep & dark web and on the surface web, and the strikingly common points identified among the operators.
Youjin Lee's interests are cyber threat intelligence, OSINT, the deep & dark web, and incident response. Currently, she is working as a senior researcher in the Threat Detection Team at S2W Threat Research & Intelligence Center, performing correlation analysis between users of deep & dark web forums, analysis and response to deep & dark web data leakage incidents, and bitcoin transaction analysis. In addition, she is currently tracking cybercrime across various fields. She is also active in presentations and research at international conferences such as DragonCon and Virus Bulletin.
Kyunghee Kim works as a junior researcher (data analyst) in the Threat Detection Team at S2W Threat Research & Intelligence Center. She performs statistical analysis of deep & dark web forum activities. She specializes in time series analysis and anomaly detection with various structured and unstructured data. She is primarily interested in analysing forum trends, hidden channels, and threat actors.
After working at the Digital Forensics Center of the National Police Agency, Jeongyeon became interested in the cybersecurity industry. He has extensive forensic experience in major cases, such as the development of IoT forensic techniques for the National Police Agency and forensics related to the N room case. Currently, he is working as lead of the Incident Response Team at S2W Threat Research & Intelligence Center, performing analysis of the money flows of ransomware attack organizations, blockchain analysis, correlation analysis between users of deep & dark web forums, and analysis and response to deep & dark web data leakage incidents.
Denise Dasom Kim is lead of the Threat Detection Team at S2W Threat Research & Intelligence Center. She presented the Korean dark web-related topic “The Most Connected Darkness. Cases From The Korean Cyber Underground” at the Digital Crime Consortium 2018 hosted by Microsoft’s Digital Crimes Unit (DCU). Her main research areas are user profiling, brand abuse case analysis, and takedown processes on the deep & dark web. Recently, she has been performing correlation analysis of, and response to, data leaks and brand abuse on the deep & dark web. She is primarily interested in analysing threat actors related to stealers, ransomware, and data breach incidents found on the deep & dark web. She is also active in presentations and research at international conferences such as HITCON, Rootcon, AVTokyo and Virus Bulletin.