Sheep’s clothing of deep & dark web operators: there are no secrets you can hide forever

Wednesday 4 October 16:00 - 16:30, Red room

Youjin Lee, Kyunghee Kim, Jungyeon Lim & Dasom Kim (S2W)

On 31 January 2022, the operator of RaidForums, Coelho (a.k.a. Omnipotent), was arrested in the United Kingdom. Coelho was revealed to be 21 years old at the time, having been only 14 years old in 2015 when RaidForums first went live. At the time, RaidForums was known to be the largest hacking forum on the deep web, with at least 500,000 active users according to Europol.

Following the United States' seizure of RaidForums and the arrest of its chief administrator, a number of other hacking forums were created to follow in its footsteps. These include Breached (a.k.a. BreachForums) and DarkNetWorld. Many RaidForums users moved to Breached, bringing its active user count to around 336,800; the forum remained active until recently.

On 15 March 2023, Conor Brian FitzPatrick (a.k.a. pompompurin), the operator of Breached, was arrested in New York by US law enforcement.

The Threat Detection Team at the S2W Threat Research & Intelligence Center analysed the life cycle, number of active users and post regeneration rate of about 30 deep web forums currently in operation. We measured the scale of each forum against these metrics and derived a new reference point for distinguishing major from minor forums. Based on this analysis, we profiled the operators of three major forums.

First, we profiled Omnipotent, the operator of RaidForums. Omnipotent has since been arrested and the forum shut down, but prior to his arrest he was active on the surface web. We have been tracking his activity since 2019, and his past activity is archived and still available. Omnipotent maintained an active presence on the open web, including GitHub, Twitter, Telegram and Keybase accounts, along with a fake profile describing himself as a LEMP stack developer and sysadmin based in the UK.

Second, we have been tracking pompompurin since before Breached was operational. Pompompurin joined RaidForums in October 2020 and began his activity there by uploading the SQL database of a company's website. Even after becoming the operator of Breached, he did not stop his hacking activities. Surprisingly, he operated various sites in addition to Breached: representative examples are skidbin, an anonymous text-hosting site, og money, an anonymous file-hosting site, and, most recently, a Mastodon server that he built and operated as an anonymous social networking (SNS) site. He was also active on the surface web, running about 15 SNS accounts including Telegram, Twitter and Keybase.

Third, we profiled Chucky, the operator of LeakBase, who joined Breached in March 2022 and started his activity by uploading the SQL database of a specific corporate website. LeakBase opened in June 2021, before he started his activity on Breached, and is now a forum with more than 8,000 active users. Chucky also runs a Telegram channel on which various data, including leaked databases and stealer logs, are uploaded. He runs various other SNS accounts and is active on the surface web.

Finally, we conducted comparative and statistical analyses of the three operators of the major forums introduced above. In particular, we analysed frequency of activity, language characteristics and time of day, and found that the three users show distinctly different characteristics between their activity as operators and their activity as ordinary users of other forums. We also tracked their behaviour on the surface web and found that, in addition to running hacking forums, they ran a variety of additional sites there and made no effort to hide this. In particular, some of them used fake profiles on the surface web, and we were able to identify similarities and differences between these profiles and their real identities, which were later confirmed by the arrests.
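The time-of-day analysis mentioned above can be sketched in code. The block below is an added illustration written for this page, not S2W's tooling or anything presented in the talk: it builds 24-bin UTC posting-hour histograms for two personas (all timestamps are constructed sample data, not real forum activity), compares their shape with cosine similarity, and estimates each persona's UTC offset from its quietest 6-hour window, on the assumption that the quiet window is sleep centred around 03:00 local time. The persona names, the sample hours and the 03:00 assumption are all assumptions made for the example.

```python
"""Time-of-day activity profiling for correlating online personas.

Added illustration; not S2W's tooling. All timestamps are constructed sample
data, not real forum or social media activity. Assumptions: posting hours are
compared as 24-bin UTC histograms, and an actor's quietest 6-hour window is
taken to be their sleep period, centred on roughly 03:00 local time.
"""
from __future__ import annotations

import math
from collections import Counter
from datetime import datetime, timezone
from typing import Iterable, Sequence

HOURS = 24


def hour_histogram(timestamps: Iterable[str]) -> list[float]:
    """Normalised 24-bin histogram of posting hours in UTC.

    Input timestamps are ISO-8601 strings; naive values are treated as UTC.
    """
    counts: Counter[int] = Counter()
    total = 0
    for ts in timestamps:
        dt = datetime.fromisoformat(ts)
        if dt.tzinfo is None:
            dt = dt.replace(tzinfo=timezone.utc)
        counts[dt.astimezone(timezone.utc).hour] += 1
        total += 1
    if total == 0:
        return [0.0] * HOURS
    return [counts[h] / total for h in range(HOURS)]


def cosine_similarity(a: Sequence[float], b: Sequence[float]) -> float:
    """Cosine similarity of two activity profiles; 1.0 means identical shape."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    if norm_a == 0.0 or norm_b == 0.0:
        return 0.0
    return dot / (norm_a * norm_b)


def quiet_window(hist: Sequence[float], length: int = 6) -> tuple[int, float]:
    """Start hour (UTC) and activity mass of the least active `length`-hour window.

    The window wraps past midnight; ties resolve to the earliest start hour.
    """
    best_start, best_mass = 0, math.inf
    for start in range(HOURS):
        mass = sum(hist[(start + i) % HOURS] for i in range(length))
        if mass < best_mass:
            best_start, best_mass = start, mass
    return best_start, best_mass


def likely_utc_offset(hist: Sequence[float], sleep_centre_local: int = 3,
                      length: int = 6) -> int:
    """Estimate the actor's UTC offset in hours, normalised to [-12, 11].

    Assumption: the middle of the quiet window falls at about
    `sleep_centre_local` o'clock in the actor's local time. A weak signal on
    its own, but useful when cross-checked against a profile's claimed location.
    """
    start, _ = quiet_window(hist, length)
    centre_utc = (start + length // 2) % HOURS
    offset = sleep_centre_local - centre_utc
    return ((offset + 12) % 24) - 12


def compare_personas(posts_a: Iterable[str], posts_b: Iterable[str]) -> dict:
    """Compare two personas' posting rhythms and return the evidence."""
    hist_a, hist_b = hour_histogram(posts_a), hour_histogram(posts_b)
    return {
        "similarity": cosine_similarity(hist_a, hist_b),
        "offset_a": likely_utc_offset(hist_a),
        "offset_b": likely_utc_offset(hist_b),
    }


def _stamps(day: str, hours: Iterable[int]) -> list[str]:
    """Build constructed UTC timestamps for the given posting hours."""
    return [f"{day}T{h:02d}:15:00+00:00" for h in hours]


# Constructed sample data. FORUM_PERSONA and SURFACE_PERSONA post roughly
# 07:00-23:59 UTC (consistent with a UK-based operator); OTHER_PERSONA posts
# 00:00-14:59 UTC, consistent with someone in UTC+9.
FORUM_PERSONA = _stamps("2022-05-01", range(9, 24)) + _stamps("2022-05-02", range(10, 24, 2))
SURFACE_PERSONA = _stamps("2022-05-01", [7, 8, 9, 11, 12, 13, 15, 16, 18, 19, 20, 21, 22, 23])
OTHER_PERSONA = _stamps("2022-05-01", range(0, 15)) + _stamps("2022-05-02", range(2, 14, 2))

if __name__ == "__main__":
    same = compare_personas(FORUM_PERSONA, SURFACE_PERSONA)
    diff = compare_personas(FORUM_PERSONA, OTHER_PERSONA)
    print(f"forum vs surface: similarity={same['similarity']:.2f}, "
          f"offsets={same['offset_a']:+d}/{same['offset_b']:+d}")
    print(f"forum vs other:   similarity={diff['similarity']:.2f}, "
          f"offsets={diff['offset_a']:+d}/{diff['offset_b']:+d}")
```

An offset estimate of this kind is weak evidence on its own: bots, shift work, travel and deliberately scheduled posting all distort it. Its value is as a cross-check, for instance against a surface-web profile that claims a UK location, and as one feature among many (vocabulary, posting frequency, reused handles) when deciding whether two personas belong to the same person.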

In this presentation, based on our analysis to date, we will present the criteria for identifying forums that will be a major threat in cyberspace. We will also share the results of a comparative analysis of the operators of three major forums, selected on the frequency and size of their current operations, together with the statistical analysis of their behaviour on the deep & dark web and on the surface web, and the strikingly common analysis points identified among the operators.


Youjin Lee

Youjin Lee's interests are cyber threat intelligence, OSINT, the deep & dark web and incident response. She currently works as a senior researcher in the Threat Detection Team at the S2W Threat Research & Intelligence Center, performing correlation analysis between users of deep & dark web forums, analysis of and response to deep & dark web data leakage incidents, and bitcoin transaction analysis. She also tracks cybercrime across various fields and presents research at international conferences such as DragonCon and Virus Bulletin.

Kyunghee Kim

Kyunghee Kim works as a junior researcher (data analyst) in the Threat Detection Team at the S2W Threat Research & Intelligence Center. She performs statistical analysis of deep & dark web forum activity and specializes in time series analysis and anomaly detection on various structured and unstructured data. She is primarily interested in analysing forum trends, hidden channels and threat actors.

Jeongyeon Lim

After working at the Digital Forensics Center of the National Police Agency, Jeongyeon became interested in the cybersecurity industry. He has extensive forensic experience in major cases, including the development of IoT forensic techniques for the National Police Agency and forensics related to the Nth Room case. He currently leads the Incident Response Team at the S2W Threat Research & Intelligence Center, analysing ransomware groups' money flows on the blockchain, performing correlation analysis between users of deep & dark web forums, and analysing and responding to deep & dark web data leakage incidents.

Dasom Kim

Denise Dasom Kim leads the Threat Detection Team at the S2W Threat Research & Intelligence Center. She presented the Korean dark web-related talk "The Most Connected Darkness. Cases From The Korean Cyber Underground" at the Digital Crime Consortium 2018 hosted by Microsoft's Digital Crimes Unit (DCU). Her main research areas are user profiling, brand abuse case analysis and takedown processes on the deep & dark web. Recently she has been performing correlation analysis of, and response to, data leaks and brand abuse on the deep & dark web. She is primarily interested in analysing threat actors related to stealers, ransomware and data breach incidents found on the deep & dark web. She also presents research at international conferences such as HITCON, Rootcon, AVTokyo and Virus Bulletin.
