Tor Friendly ISP Takes a Break

October 17, 2022

I usually do not post “real news.” I am making an exception today because two Tor friendly ISPs have taken a break. Usually when law enforcement takes down a Dark Web centric outfit, there are news releases, news stories, and reports about sentencing (if the “owners” are convicted).

Our routine check of the 24 Tor friendly ISPs we track, Ablative have either “paused” sign ups or disappeared. We are working to track down the individuals who have played a role in these companies. That’s not the easiest task for my team. There are some nifty obfuscation techniques available and creating personas (what some call sock puppets) is easy. Plus, the technique of paying a person in need of cash to set up an account without revealing how that account will be used is easier than ever. (Just check out the folks using free WiFi at a public library, a coffee shop near a university or methadone clinic, or individuals loitering near a food disbursement point.

Stephen E Arnold, October 18, 2022

DarkCyber for November 16, 2021, Now Available

November 16, 2021

DarkCyber, Program 23, is now available at this link. The mid-November 2021 DarkCyber (Number 23 in the 2021 series) includes six stories.

There are two cyber “bytes”. The first reports about the legal pressure being applied to Signal, a maker of secure messaging software. The second explains that an international team of police arrested more than 100 people in Operation HunTor. Sixty-five of these bad actors resided in the United States.

Malware is tough to stamp out. In fact, Rootkits, a well-known method of compromising targets is returning, is regaining popularity. Plus, bad actors have begun placing malware in computer source code. The targets are unaware that their systems have been compromised. The program provides a link to a report about the Trojan Source method. the US government has blacklisted the NSO Group, a developer of specialized software and systems. What’s interesting is that three other firms have been blacklisted as well. One of the organizations responded to the US action with a sign and indifference. Amazon and Microsoft have learned that their customers/users have been subject to somewhat novel attacks. For Amazon, the Twitch “bit” reward system was used for money laundering. Google ads were used to distribute malware via a old-fashioned spoofed pages which looked legitimate but weren’t.

The drone news in this program reveals that Russia presented more than 200 war fighting technologies at a recent trade show in Lima, Peru. The point DarkCyber makes is that Russia perceives South America as a market ripe for sales. DarkCyber is produced every two weeks by Stephen E Arnold, publisher of the Beyond Search blog at and subject matter expert in some interesting technical specialties.

Kenny Toth, November 16, 2021

The Darknet: a Dangerous Place

October 6, 2021

Criminal activity on the Darknet is growing and evolving. One person who has taken it on themselves to study the shadow realm shares some of their experiences and observations with reporter Vilius Petkauskas in, “Darknet Researcher: They Said They’ll Come and Kill Me—Interview” at CyberNews. The anonymous interviewee, who works with research firm DarkOwl, describes a threat to their life, one serious enough to prompt them to physically move their family to a new home. They state:

“There was one specific criminal actor I was going after, trying to figure out where they were operating, who they were involved with, what groups they were affiliated with. I became a target. They turned on me and said, we will find whoever wrote this and come kill them. We will destroy them.”

Yes, poking around the Darknet can be dangerous business. What sorts of insights has our brave explorer found? Recently, there has been a substantial uptick in ransomware, and for good reason. The researcher explains:

“Look at ransomware as a service (RaaS). First and second-generation ransomware lockers were developed by incredibly smart malware developers, cryptologists, and encryption specialists. Those who designed and employed such software were some of the most sophisticated malware developers or ‘elite’ hackers around if you want to label them that. But with the RaaS affiliate model, they’re giving others the chance to ‘rent’ ransomware for as little as a few hundred bucks a year, depending on which strain they’re using. Anyone interested in getting into the business of ransomware can enter the market without necessarily having any prior or expert knowledge of how to conduct an enterprise-level attack against a network. Some of the gangs, like Lockbit 2.0 are nearly entirely automated, and their affiliates don’t need to have the slightest clue what they’re doing. You just push, plug, and play. Identify the victim, drop it onto the network, and the rest is taken care of.”

How convenient. Getting into the target’s network, though, is another matter. For that criminals turn to

initial access brokers (IABs), also located on the Darknet, who help breach networks through vulnerabilities, leaked credentials, and other weaknesses. See the write-up for more of the researchers hard-won observations. They close with this warning—there is more going on here than opportunists looking to make a buck. Espionage and cyber terrorism are also likely involved, they say. We cannot say we are surprised.

Cynthia Murrell, October 6, 2021

DarkCyber for September 21, 2021 Now Available

September 21, 2021

DarkCyber for September 21, 2021, reports about the Dark Web, cyber crime, and lesser known Internet services. The program is produced every two weeks. This is the 19th show of 2021. There are no sponsored stories nor advertisements. The program provides basic information about subjects which may not have been given attention in other forums. The program is available at this link.

This week’s program includes five stories.

First, we provide information about two online services which offer content related to nuclear weapons. Neither source has been updated for a number of months. If you have an interest in this subject, you may want to examine the information in the event it is disappeared.

Second, you will learn about Spyfone. DarkCyber’s approach is to raise the question, “What happens when specialized software once considered “secret” by some nation states becomes available to consumers.

Third, China has demonstrated its control of certain online companies; for example, Apple. The country can cause certain applications to be removed from online stores. The argument is that large US companies, like a French bulldog, must be trained in order stay in the Middle Kingdom.

Fourth, we offer two short items about malware delivered in interesting ways. The first technique is put malicious code in a video card’s graphics processing unit. The second summarizes how “free” games have become a vector for compromising network security.

The final story reports that a Russian manufacturer of drones is taking advantage of a relaxed policy toward weapons export. The Russian firm will produce Predator-like drones in countries which purchase the unmanned aerial vehicles. The technology includes 3D printing, specialized software, and other advanced manufacturing techniques. The program includes information about they type of kinetic weapons these drones can launch.

DarkCyber is produced by Stephen E Arnold and his DarkCyber research team. You can download the program from the Beyond Search blog or from YouTube.

Kenny Toth, September 21, 2021

DarkCyber for July 27, 2021: NSO Group Again, Making AWS Bots, How Bad Actors Scale, and Tethered Drones

July 27, 2021

The 15th DarkCyber for 2021 addresses some of the NSO Group’s market position. With more than a dozen news organizations digging into who does what with the Pegasus intelware system, the Israeli company has become the face of what some have called the spyware industry. In this program, Stephen E Arnold, author of the Dark Web Notebook, explains how bad actors scale their cyber crime operations. One thousand engineers is an estimate which is at odds with how these cyber groups and units operate. What’s the technique? Tune in to learn why Silicon Valley provided the road map for global cyber attacks. If you are curious, you can build your own software robot to perform interesting actions using the Amazon AWS system as a launch pad. The final story explains that innovation in policing can arrive from the distant pass. An 18th century idea may be the next big thing in law enforcement’s use of drones. DarkCyber is produced by Stephen E Arnold, who publishes Beyond Search. You can access the blog at and view the DarkCyber video at this link.

Kenny Toth, July 27, 2021

Tor Compromised?

July 9, 2021

I read “Tor Encryption Can Allegedly Be Accessed by the NSA, Says Security Expert.” I was stunned. I thought that the layers of encryption, the triple hop through relays, and the hope that everything worked as planned was bulletproof. And who funded Tor in the first place? What’s the status of the not-for-profit foundation today? Why were some European entities excited about cross correlating date and time stamps, IP addresses, and other bits of metadata? I don’t have answers to these questions, nor does the write up.

The article presents this information:

A security expert by the name of Robert Graham, however, has outlined his reasons for actually believing that the NSA might not even need tricks and paltry exploits in order for them to gain access to Tor, according to a blog post on Erratasec. Why? The security expert notes that this is because they might already have the keys to the kingdom. If they don’t, then they might be able to, according to arsTechnica.

Let me see if I can follow the source of this interesting assertion. TechTimes (the outfit publishing the “Tor Encryption Can” story cited above) quotes a security expert. There was a source called Erratasec. Then there was a story on ars Technica.

Now I think that Tor software and the onion method have security upsides and downsides. I also know that what humans create, other humans can figure out. I think the point of the write up is that anyone who uses Tor should embrace the current version.

Can NSA or any other intelligence entity figure out who is doing what, when, and why? My view is that deobfuscation methods are advancing. The fact that bad actors are shifting from old-school Dark Web sites to other channels speaks volumes. Bad actors have been shifting to messaging services which feature end-to-end encryption (E2EE) and do not require a particularly hard-to-complete registration process. But this shift from the “old” Dark Web to the “new” Dark Web began several years ago.  Bad actors have been aware that other secure communications options were Job One for years. My thought is that this story in interesting, just not focused on what is actually further consumerizing criminal behavior. The action has shifted, and the US may not be the leader in making sense of the new types of communications traffic.

Stephen E Arnold, July 9, 2021

The New Dark Web: Innovation in the Middle Kingdom

July 9, 2021

Chinese actors have created an interesting spin when obfuscation is important. “China’s Dark Web Spawns a Hard-to-Crack Hacker Community” reports:

Dark websites in China are unique in two ways, according to SouthPlume, the Japanese agency for CNsecurity. First, Chinese hackers communicate with one another through local social media. This creates what amounts to a members-only organization that differs from the general darknet, where websites are accessed only through anonymizing browsers such as Tor. Chinese dark websites also lack the typical underground listings of drugs, weapons or child pornography. Instead, they mostly traffic in personal information and tips on hacking corporate sites, according to SouthPlume.

Is Tor the go-to system? i2p? Neither. The trick is to use social media. Worth watching.

Stephen E Arnold, July 9, 2021

Deloitte Acquires Terbium Labs: Does This Mean Digital Shadows Won the Dark Web Indexing Skirmish?

July 7, 2021

Deloitte has been on a cybersecurity shopping spree this year. The giant auditing and consulting firm bought Root9B in January and CloudQuest at the beginning of June. Now, ZDNet reports, “Deloitte Scoops Up Digital Risk Protection Company Terbium Labs.” We like Terbium. Perhaps the acquisition will help Deloitte move past the unfortunate Autonomy affair. Writer Natalie Gagliordi tells us:

“The tax and auditing giant said Terbium Labs’ services — which include a digital risk protection platform that aims to helps organizations detect and remediate data exposure, theft, or misuse — will join Deloitte’s cyber practice and bolster its Detect & Respond offering suite. Terbium Labs’ digital risk platform leverages AI, machine learning, and patented data fingerprinting technologies to identify illicit use of sensitive data online. Deloitte said that adding the Terbium Labs business to its portfolio would enable the company to offer clients another way to continuously monitor for data exposed on the open, deep, or dark web. ‘Finding sensitive or proprietary data once it leaves an organization’s perimeter can be extremely challenging,’ said Kieran Norton, Deloitte Risk & Financial Advisory’s infrastructure solution leader, and principal. ‘Advanced cyber threat intelligence, paired with remediation of data risk exposure requires a balance of advanced technology, keen understanding of regulatory compliance and fine-tuning with an organization’s business needs and risk profile.’”

Among the Deloitte clients that may now benefit from Terbium tech are several governments and Fortune 500 companies. It is not revealed how much Deloitte paid for the privilege.

Terbium Labs lost the marketing fight with an outfit called Digital Shadows. That company has not yet been SPACed, acquired, or IPOed. There are quite a few Dark Web indexing outfits, and quite a bit of the Dark Web traffic appears to come from bots indexing the increasingly shrinky-dink obfuscated Web.

Is Digital Shadows’ marketing up to knocking Deloitte out of the game? Worth watching.

Cynthia Murrell, July 6, 2021

DarkCyber for June 15, 2021, Now Available

June 15, 2021

DarkCyber is a video news program issued every two weeks. The June 15, 2021, show includes five stories:

  • Pentest tools you can download and use today for free
  • A free report that explains Britain’s cyber weaknesses
  • Additional information about the E2EE revolution
  • Another tip for finding flexible developers and programmers who will do exactly what you want done
  • The FireScout, a drone with a 100 mile range and the ability to drop sonobuoys and other devices, perform surveillance, and remain aloft for up to 10 hours.

The DarkCyber video news program contains information presented in Stephen E Arnold’s lectures to law enforcement and intelligence professionals. His most recent lecture was the New Dark Web. He presented his most recent research findings to a group of more than 100 cyber fraud investigators working in Connecticut for a variety of LE and related organizations. The

The June 15, 2021, DarkCyber video program is available from Mr. Arnold’s blog splash page and can be viewed on YouTube. One important note: The video program does not contain advertisements or sponsored content. We know that’s unusual today, but the DarkCyber team prefers to operate without an invisible hand on the controls or an invisible foot on the team’s neck.

Kenny Toth, June 15, 2021

DarkCyber for June 1, 2021, Now Available

June 1, 2021

DarkCyber is a video news program about the Dark Web, cyber crime, and lesser known Internet services. This edition’s story line up includes a bad actor promoting on the regular Internet, a look at Europol’s business process analysis for industrialized cyber crime, a University of Washington research project for a do-it-yourself IMSI sniffer, two free reports about phishing, the go-to method for compromising users’ computer security, and a look at the Gaza, a new drone designed to strike at those who would wrongfully act toward certain groups. DarkCyber is produced by Stephen E Arnold with assistance from the DarkCyber research team. The programs appear twice each month. The videos are available on YouTube. You can view the video via the player on the Beyond Search blog or at No ads, no vendor supported posts, nothing but Mr. Arnold commenting on important news stories. How is this possible? No one who thumb typers knows.

Kenny Toth, June 1, 2021

Next Page »

  • Archives

  • Recent Posts

  • Meta