They smiled at you! How we bring customers bad news from the Darknet

Short description

Anonymity and complexity have traditionally made it difficult for law enforcement and intelligence agencies to track down criminal behavior on the darknet. However, cybersecurity firm Bastion claims that automated monitoring and handmade virtual and fake accounts have enabled the company to track criminal activity for customers. Bastion monitors closed channels in social media and chat rooms, as well as the darknet, scanning for mentions of client companies, sensitive information related to clients, new vulnerabilities in clients’ system software, information about the clients’ partners in the context of malicious activity, and possible attacks. Reports are compiled monthly and include mentions of unusual activity related to clients.

They smiled at you! How we bring customers bad news from the Darknet

You’ve probably heard that police officers and FBI agents can’t be pushed into TOR. At the same time, they say that on Serious hacking forums they let in only their own, and the security forces have nothing to catch in the darknet. There is some truth in both, but what does it consist of? Is there any benefit to monitoring the darknet?

Below we will talk about one of the most subtle and closed areas of work in IS, around which there are many well-founded and not so rumors. Bastion analysts agreed to tell what is to what. And the bonus is a list of tools that will help you independently explore the network underground.

Recorded according to experts from the company Bastion, who wished to remain anonymous.

Secret services and the police pursue their goals, while we monitor the darknet for our clients. They are concerned about leaks and attacks in the making, so we monitor:

  • Any mention of client companies in connection with vulnerabilities or attacks.

  • Mention of all confidential information related to the work of the company and its employees.

  • Data on new vulnerabilities in the software included in the company’s stack.

  • Information about the company’s counterparties and partners in the context of malicious activity. For example, it can be monitoring attacks on supply chains.

Forewarned means armed, and the sooner the company’s security service finds out about all this, the better. Early response to leaks reduces damage, and information about the preparation of an attack helps to reflect it. However, for monitoring to work effectively, it is important to understand where to look.

The foggy borders of the darknet

Hackers, scammers and other illegals constantly roam from site to site, so the concept of “dark” is blurred. These are not only overlay networks such as TOR and I2P, but also a variety of deep web. A lot of interesting things happen in closed Telegram channels and chats. Groups discuss upcoming attacks in private IRC channels. It’s hard to say what this has to do with it, but a noticeable part of the hacking community is migrating to Discord.

We also monitor some forums on the regular Internet. As a rule, they are blocked in the civilized world, but are hosted in godforsaken places, so they work quietly despite the illegal subject matter. And hacker groups actively use Twitter for PR.

If a 10,000 person in the party writes something like, “Adobe is *****ing you tonight,” that’s a wake-up call. At the very least, this is an excuse to check out what’s going on in closed areas

That’s why we try to keep an eye on all the places where the villains congregate.

The specifics of these sources of information distinguish darknet surveillance from OSINT and activities such as monitoring brand mentions on social media. OSINT methods, techniques, and tactics have been used successfully on the darknet, but the information there is much more complex.

On the Internet, it is enough to turn on the VPN of a neutral country, which blocks almost nothing, and turn on the crawler. And here we have to leave. One site is not available from this country, but this one is working. On the other hand, it is the opposite. Here TOR is needed, here I2P. Here they let in by invitation, there by acquaintance. And there are enough scammers

In addition, in the darknet you often have to contact people, but let’s talk about everything in order. The work of observing this space can be conventionally divided into two parts. The first is automated monitoring.

Boot breeding

We use tools that work over the regular Internet, TOR, I2P, Telegram and IRC channels. Part of imported commercial solutions. In today’s reality, licenses for them have to be bought in complicated, tricky ways, so we will not reveal the name.

In addition, we make extensive use of open source crawlers and scripts:

  • ACHE CrawlerMore precisely, its modules operating on the darknet;

  • megadose/OnionSearch – To collect output of onion search engines;

  • josh0xA/darkdump – To search the darknet from the command line;

  • s-rah/onionscan – to search for correlations between onion sites;

  • fastfire/deepdarkCTI — to collect information about threats.

However, there is little left of open source. We are constantly tweaking and refining these utilities in the process of use.

As for the subject of the search, to track mentions of the company, we upload to the crawlers:

  • commercial name;

  • name of the legal entity;

  • TIN;

  • OGRN;

  • corporate domains;

  • e-mail addresses;

  • IP addresses stick out;

  • trademarks and product names;

  • personal data of key individuals, for example, directors;

  • and other identifiers.

If vulnerability notifications are required, information about the stack used by the company is additionally requested. We do not monitor public releases, such as messages on the CVE website, but what people write.

It is enough for someone well-known in narrow circles to mention a new 0-day associated with some point in such a product, and we notify customers who have it on the surface. We recommend increasing vigilance and setting logging on the product to the maximum level

Crawlers work in real-time, 24/7, but they don’t understand context, so we manually select relevant triggers. Of course, this can be done with the help of rules, but the more complex the automatic filtering, the higher the chance to miss something important, to lose key elements of the puzzle. After all, Open Source and boxed systems provide only surface monitoring anyway. For them to work effectively, you need to constantly add new data sources, and this is where the real difficulties begin.

Bad reputation

You go to a forum with free registration and see what is created there from the power of a couple of branches per week. Mind you, nothing is happening. At the same time, hundreds of messages are left on sites where people with a reputation are allowed – so lively, as if in a comment on VK

To get into cool hacker communities, you need to look like “yours”, not an analyst from Bastion. To do this, we create virtual, fake accounts, behind which there are elaborate legends. If someone is interested in the owner of such an account, he will find a person in the States, the Netherlands, Kazakhstan, who is not related to our company in any way. When you understand the mechanics of deanon, it’s easy to leave a false trail of breadcrumbs. The main thing is to avoid obvious clues, they look suspicious.

The main problem with such accounts is that they take a long time to create. For them to look alive, you need, for example, to endure a long pause between creating an email and registering on the forum.

We are currently preparing virtuals for registration on German darknet sites. You will be able to use these accounts after at least 3 months. After all, you will also need an understanding of the subculture and a reputation in the community. Pumping it is a constant job.

How this is done is a delicate matter. We cannot reveal the methods, but we will say that reputation is not necessarily earned by illegal means. A significant credit of trust can be obtained in the process of communication, with the help of psychology, competent questions and hints of awareness in certain things.

A lot is clear just by your questions. If you ask, something like: “Guys! I wrote a virus on Delphi, I have it on fire with Kaspersky and Norton. Throw some cryptor, please”, – you will never be taken seriously

Something similar to Khabr, don’t you think?

Your conditional experience is also important. If the account exists for several years, and its owner participated in discussions, then sometimes he is invited somewhere. This often happens in Telegram. A new chat on illegal topics appears, and links are sent to the regulars of the old sites. So you can move after active criminals and continue to collect information for years.

Fruits of a poisoned tree

Most of this espionage work results in banal periodical reporting. Once a month we write and send to the customer a report with an analysis of activity related to the company.

Recently, on one of the forums, lists of car numbers and models of employees of a well-known company were discussed. This is a caveat in advance, but we usually convey this sort of thing in periodic reports

However, sometimes something dangerous happens and requires an immediate response. For example, the number of mentions about the company is increasing dramatically. Then we start an urgent search and find out what it is connected with.

Another situation: a message about the sale of the database appears or the director’s certificate is leaked. We then notify the customer’s SOC and our forensics team. They start searching for traces of the incident.

It’s a pretty nasty job, but not because there’s a lot of shock content on the darknet. It rarely appears in the forum sections we monitor. The job is just nerve wracking like any other when it comes to IS monitoring. Conditionally, at 2 o’clock in the morning you are going to sleep, suddenly an alert comes and by six o’clock in the morning you pick it up urgently

There are also non-standard tasks. So, one day the company’s security service became reliably aware that they had stolen confidential information. We were asked to inform when and where it will surface.


Recently, there is more and more work, and it is becoming more diverse. You don’t have to be sad. Darknet activity correlates with the social and political environment. It is worth escalating any conflict, and various illegal activities are intensifying around.

It goes to organizations that are directly or indirectly connected with one or another state or public movement, market leaders and companies that lead an active media life. And sometimes, in order to fall under the distribution, it is enough to be in the “wrong” jurisdiction, or to accidentally be in the field of view of the villains. So we are unlikely to be out of work anytime soon. The experience of monitoring the darknet, and the information that can be extracted from this information space, remains valuable.

Related posts