Rise of Threat Actor Groups on the Dark Web

Author: Heather Antoinetti

The dark web is constantly changing: marketplaces come and go, and in the same way groups form and disband. In recent months, GroupSense researchers have observed several new groups forming. In this post, we contrast a threat actor motivated by ideology with a group of fraudsters looking to profit financially from a scam.

A Threat Actor Recruiting Members to Target the US Antarctica Project

In our first example, we review a post by a threat actor called D1sgruntl3 on the popular dark web forum Torum. In the post, the actor is recruiting hackers to launch a sustained attack against the US government, which he refers to as one of the "Five Eyes".

About the threat actor 

D1sgruntl3 is a well-known threat actor in the dark web community. D1sgruntl3 first appeared on the Intel Cutout forum (now abandoned) and is currently active on Torum. He maintains a high profile and is known for contributing his skills to causes he believes to be worthwhile. Because of his long tenure and high profile, he is respected and trusted, so his word carries weight with other dark web users. Not long ago, GroupSense researchers observed D1sgruntl3 posting on Torum in an effort to hire "analysts to conduct cyber research"; the claimed deliverable was a report to be delivered to a client.

D1sgruntl3 maintains close relations with another threat actor, Spectre123, who is a known broker of intelligence data. Spectre123 distributes confidential data and expresses interest in buying highly sensitive government information. 

Last week, doubts about whether D1sgruntl3's account was still genuine arose when he was absent for an extended period of time. However, he eventually reappeared and verified with his PGP key that he was in fact active, so that a message signed with the key he had previously published could be checked against its known fingerprint. Additionally, Spectre123 publicly confirmed that there had been communication between the two and that D1sgruntl3 was active.

Recruiting Members on the Dark Web

D1sgruntl3 makes participating in this hack easy. There are no requirements – he simply asks that all participants use this thread to share information they gather. He also invites threat actors to use this thread to highlight their skills. 

Figure 1: Screenshot showing D1sgruntl3’s initial recruiting post. 


About the plan

In the original post, made on 10 July 2019, D1sgruntl3 announced that he was beginning an attack against the United States Antarctica Project. In addition to stating that all are welcome to participate, as long as they understand there will be no monetary reward, he mentioned that the attack targets the US, one of the "Five Eyes," with the goal of full penetration. At this time there is no additional information; we expect to see more in the future.

An interesting characteristic of this story is that the actor demonstrated his intent and skills by posting some basic DNS reconnaissance. Of particular interest to GroupSense researchers was D1sgruntl3's discovery of publicly inaccessible government domains.

Figure 2: List of .gov domains identified by D1sgruntl3. 
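The "basic DNS recon" mentioned above is, in its simplest form, guessing hostnames under a target domain and keeping the ones that resolve. The following is an added example for this post, not D1sgruntl3's tooling and not GroupSense's; it shows wordlist-based subdomain enumeration with the one check an attacker or a defender auditing their own exposure needs most: detecting a wildcard DNS record, which otherwise makes every guessed name appear to exist. The domains, addresses and the offline fake resolver are constructed for illustration; swapping in the default socket_resolver runs it against real DNS.

```python
"""Wordlist-based DNS subdomain enumeration with wildcard detection.

Added example for this post; it is not D1sgruntl3's tooling or GroupSense's.
The domains, wordlist and fake resolver below are constructed for illustration.
"""
import random
import socket
import string
from typing import Callable, Dict, List, Optional

# A resolver maps a hostname to its address list, or None if it does not exist.
Resolver = Callable[[str], Optional[List[str]]]


def socket_resolver(hostname: str) -> Optional[List[str]]:
    """Resolve with the system resolver (needs network); None if NXDOMAIN."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return None
    return sorted({info[4][0] for info in infos})


def random_label(length: int = 12) -> str:
    """A random label that is almost certainly not a real hostname."""
    return "".join(random.choice(string.ascii_lowercase) for _ in range(length))


def detect_wildcard(domain: str, resolve: Resolver) -> Optional[List[str]]:
    """Return the address set a wildcard record answers with, or None.

    If a random label under the domain resolves, the zone has a wildcard
    (*.domain) and every guessed name will appear to exist. Callers must
    then discard hits whose answer is exactly the wildcard's addresses.
    """
    return resolve(f"{random_label()}.{domain}")


def enumerate_subdomains(domain: str, wordlist: List[str],
                         resolve: Resolver = socket_resolver) -> Dict[str, List[str]]:
    """Return {hostname: addresses} for wordlist entries that genuinely resolve."""
    wildcard = detect_wildcard(domain, resolve)
    found: Dict[str, List[str]] = {}
    for word in wordlist:
        host = f"{word}.{domain}"
        addrs = resolve(host)
        if addrs is None:
            continue
        if wildcard is not None and addrs == wildcard:
            continue  # indistinguishable from the wildcard answer: not evidence
        found[host] = addrs
    return found


# Constructed zones standing in for real .gov domains (RFC 2606 names, not real data).
FAKE_ZONE = {
    "www.agency.example": ["192.0.2.10"],
    "mail.agency.example": ["192.0.2.20"],
    "vpn.agency.example": ["198.51.100.5"],
}
# wildcard.example answers every name with 203.0.113.1, except the real www host.
FAKE_WILDCARD = {
    "*.wildcard.example": ["203.0.113.1"],
    "www.wildcard.example": ["203.0.113.2"],
}

WORDLIST = ["www", "mail", "vpn", "dev", "intranet", "ftp"]


def fake_resolver(hostname: str) -> Optional[List[str]]:
    """Offline stand-in for socket_resolver, answering from the constructed zones."""
    if hostname in FAKE_ZONE:
        return FAKE_ZONE[hostname]
    if hostname.endswith(".wildcard.example"):
        return FAKE_WILDCARD.get(hostname, FAKE_WILDCARD["*.wildcard.example"])
    return None


if __name__ == "__main__":
    for zone in ("agency.example", "wildcard.example"):
        for host, addrs in enumerate_subdomains(zone, WORDLIST, fake_resolver).items():
            print(host, ",".join(addrs))
```

Against the constructed wildcard zone, only www.wildcard.example survives, because every other guess returns the same answer as a random label. Without that check, a wordlist run reports every entry as a live host, which is how low-effort "recon" posts on forums end up padded with names that do not exist.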

Since July 2019, numerous follow-up posts have been added to this thread, but we do not always know the origin of the posts because the thread is carefully moderated by D1sgruntl3. What is interesting is the open communication and collaboration among the various actors participating in the thread.

Could this be more than an attack on the US? 

D1sgruntl3 is an ideologically motivated hacker, engaging in illicit activities with goals other than profit. In this case it could be along the lines of finding out what the government is hiding.

This thread is significant because: 

  a) It is an attack against government infrastructure;
  b) It reveals .gov domains;
  c) It could reveal confidential data if successful;
  d) It serves as a prompt for any anti-governmental actors to work together.

GroupSense researchers question whether this post indicates D1sgruntl3 is up to more than just launching an attack against the US Antarctica Project. Given the close relationship D1sgruntl3 maintains with Spectre123, one theory is that the thread is a way to gather the sort of high-value government intelligence that Spectre123 is known to deal in.

Another possibility is that this thread is being used to liaise between an anonymous seller and an anonymous client. It is also possible that D1sgruntl3 is using this thread to recruit analysts for the self-proclaimed dark web intelligence efforts mentioned above.

While it remains to be seen whether the group will succeed, the thread is still active and new discussions are being added regularly.

The Darknet has recently had some issues too…     

An Emerging Fraud Scam Recruiting Members 

Our second example comes from Crdclub, a dark web forum popular for carding and other fraud schemes. A new threat actor known as O-Team posted this thread. Though O-Team appears to be new to this forum, we have reason to believe its members are experienced fraudsters.

About O-Team

There are several interesting differences between O-Team and D1sgruntl3. First, O-Team is completely unknown. Second, it appears this is not an individual but a group of seven experienced and trusted members working together to recruit additional threat actors to participate in the scheme.

Recruiting Members on the Dark Web

O-Team crafted an elaborate and competitive application process which begins with a $65 fee. Following this, the applicant completes three tasks, after which it is determined whether the applicant will be accepted. Scores from the task completion are used to assign roles within the final teams. In many ways this resembles the structure of known organized crime groups, and if one candidate fails, they are replaced with another.

About the Scam

O-Team pitches the opportunity as a way for members to create a "sustainable and self-sufficient method of making an income." Upon paying the entry fee and successfully completing the three tasks, members are assigned to a team. The post states that they plan to have a maximum of 70 members in total, with seven participants per team, meaning there will be 10 teams. They mention that the scores achieved on the three tasks will be used to determine each team's leader.

While O-Team doesn’t provide any details as to the nature of the scam the teams will be running, researchers suspect it could be a carding scheme because each team receives a completely verified blockchain account, online banking, and a new identity which includes a scannable passport, address verification, selfie, life story, and social life (essentially email log and Facebook account).

Another interesting aspect of this post is that it has limited the identities to the United States, Canada, France, Germany, UK, Sweden, Spain, Croatia and Japan. 

It is likely this group is operating across many locations in order to evade law enforcement. A group operating in this fashion is notoriously difficult to track. 

Conclusion

It is important to compare and contrast the methods and behaviors of ideological hackers and financially motivated ones. As the dark web continues to evolve, building our understanding of the different types of threat actors and their behaviors is a critical part of building an effective defense, as well as of monitoring for breaches against an organization. Tracking such cyber fraud organizations from the moment they form is a crucial preemptive measure in contemporary cyber security practice.

GroupSense has the tools and techniques to track cyber fraud if you need help. 

This post was contributed by Ani Doycheva, Dimitur Elchinov and Viktor Banov of the GroupSense research team.