From the Dark Seas of Cyberspace: Unraveling “Fun” Facts of the Dark Web
Just as today’s media is in motion every second, the world of the Dark Web is as turbulent as a raging sea, and the reason you don’t see it is that there are few outlets for the news. As the SOCRadar team, we continue to keep up to date on this issue, and in this blog post we bring you the news that attracted our attention over the last month.
September – October
Ransomed’s relationship with BreachForums
Ransomed, a relatively new ransomware group, announced a partnership with BreachForums, even though the two are not known to be on good terms with each other.
Following this, BreachForums admin Baphomet published an announcement and made a statement to clear the air:
Baphomet reported that there is no formal partnership established with RansomedVC. The discussions between the two entities were purely exploratory, initiated after RansomedVC expressed an interest in active participation within BreachForums’ community and falsely conveyed a partnership via a blog post.
According to Baphomet, BreachForums maintains a stringent policy against ransomware activities and victim harassment, focusing on ethical data sharing about breaches to inform and empower its users.
Baphomet underscores, “No partnership exists,” and insists discussions were solely around considering the feasibility of RansomedVC’s potential involvement, always safeguarding the community’s integrity and values.
Source code leak of HelloKitty Ransomware
HelloKitty, a ransomware variant that has been active since late 2020 and is known for targeting Windows systems, has had its source code leaked on the XSS forum by the user kapuchin0:
The HelloKitty ransomware has been used in several high-profile attacks, including one against the game development studio CD Projekt Red.
SiegedSec, 8Base and Team_Herox are looking for a new house
SiegedSec announced in a Telegram post that their Telegram channel has disappeared and that they have started to share their posts on a new channel:
Ransomware group 8Base experienced the same situation on Twitter and announced a new Twitter channel:
Anonymous ally Team_Herox seems to be suffering from the same situation:
ThreatSec’s recruitment message
ThreatSec, a hacktivist group that is part of the Five Families (ThreatSec, GhostSec, Stormous, Blackforums, and SiegedSec), announced that they are hiring and are looking for people with skills in network and web penetration, malware creation, encryption, cryptography, and reverse engineering:
XSS’s 7th issue of Inception has been released!
Hacker forums continue to compile their own content and publish it in magazine form; the 7th issue of XSS’s Inception magazine was recently released:
This issue covers many topics, such as NoSQL injection, disabling Windows Defender, hiding Cobalt Strike, and bypassing Kaspersky.
Telegram is so safe!
Does Telegram, which is frequently used by threat actors, provide enough anonymity? As we can see from the “Telegram Nearby Map” repo on GitHub, Telegram users in the neighborhood can be displayed on OpenStreetMap:
Anonymous Sudan is Targeting Kenya
Anonymous Sudan is shifting from its typical DDoS attack approach, now targeting comprehensive access to Kenyan governmental entities.
Similar leak sites are on the rise!
It seems that some ransomware groups are so focused on their operations that they don’t think about where they share their activity. On the leak page that the CryptBB group opened to publish its leaks, we can see that they directly reused 8Base’s site source code:
Following this, we see the same thing happening between LostTrust and MetaEncryptor, which raises the question: are these the same groups?
New threat actor has entered the ring
An Iranian anti-Iran threat actor has appeared on the scene under the name antimullah1337:
The threat actor mentioned Black Reward, which carried out major Iranian leaks, and LabDookhtegan, which tracked down various actors and shared its findings. Is this move the result of a connection between them, or simply because those groups attracted attention?
The Dark Web is not at rest, and we don’t expect it to slow down. You can use Dark Web News in SOCRadar XTI’s Cyber Threat Intelligence module to keep up to date with developments on the Dark Web: