DarkTower https://darktower.infomedia.dev/ Wed, 21 Jan 2026 21:28:10 +0000

SLSH: Analysis of the BreachForums User Database https://getdarktower.com/slsh-bf-database/ Wed, 21 Jan 2026 19:25:40 +0000
Maria Harika, James Hubner, Mitchell Riggan, Joseph Green

Introduction

On 09JAN2026, Scattered LAPSUS$ Hunters (SLSH) leaked a BreachForums (BF) user database containing over 320,000 user records on their Dedicated Leak Site (DLS). While the dataset was publicly released in JAN2026, analysis indicates the data originates from a breach that occurred in OCT2025. The JAN2026 leak is a high-profile resharing of the same compromised database, rather than a newly obtained intrusion. Several notable actors tracked by our team and the community appear in the leak, providing new visibility into their forum presence, aliases, and activity patterns.

BreachForums

Launched in 2022, BreachForums served as the successor to RaidForums. The platform
became the most prominent English language cybercrime forum and facilitated the trading of
stolen data, selling hacking tools and network access, distributing malware, coordinating
ransomware activity, and hosting fraud and credential marketplaces.

The forum became a frequent target for law enforcement operations, internal leaks, and rival
threat actors. After the arrest of founder Conor Brian Fitzpatrick (“pompompurin”) in 2023, the
forum went through multiple ownerships and admin changes. Control ran through various
threat actors/groups like ShinyHunters, IntelBroker, and admins using the alias “Anastasia.”

Brief BreachForums timeline:

➔ MAR2022: BreachForums launched by pompompurin as successor to RaidForums

➔ MAR2023: pompompurin arrested; forum temporarily down

➔ Mid-2023: Forum relaunched under new admin, including ShinyHunters

➔ 2024: Admin shifts to the alias “Anastasia”

➔ Early 2025: IntelBroker assumes control; later arrested that year

➔ OCT2025: US and French authorities seize BreachForums related domains tied to extortion activity

➔ 09JAN2026: A database linked to BreachForums is leaked by a site associated with ShinyHunters, exposing user accounts, private messages, and admin data.

Scattered LAPSUS$ Hunters (SLSH) 

Scattered LAPSUS$ Hunters (SLSH) is a cybercriminal collective formed in mid-2025 that includes members from Scattered Spider, LAPSUS$, and ShinyHunters. The group focuses on coordinated extortion and data theft operations, targeting high-profile organizations and technology platforms.

SLSH has operated multiple Telegram channels and a Dedicated Leak Site (DLS) to publish breach claims, victim lists, and stolen data. The group initially gained attention for compromises involving SaaS platforms and Salesforce-related environments.

The Breach: What was Exposed

On 09JAN2026, the SLSH DLS shinyhunte[.]rs surfaced with a page titled “Doomsday: The Story of James,” which takes users to download a BreachForums database archive.

The below images reflect the most recent update to the shinyhunte[.]rs domain, which previously hosted content related to the Salesforce leak. 

After navigating through approximately 23 pages of narrative text, users are presented with a direct link to a compressed 7z archive. After accepting and downloading the file, the archive was found to contain: 

➔ A text document mirroring content posted on the website

➔ The BreachForums PGP Secret key

➔ A SQL database export containing forum user records, including credentials, emails, and account metadata. 

Current BreachForums administrators claim the leaked data was partial and dated back to mid-2025. DarkTower analysis supports this assessment, indicating the database content aligns with forum activity and records consistent with the OCT2025 breach window.

The data exposure likely occurred during a period when BreachForums was being restored or recovered under its former .hn domain. During this process, the user table and forum PGP key appear to have been placed in an unsecured directory, allowing unauthorized access and exfiltration. The JAN2026 leak represents the public redistribution of this previously compromised dataset.

Exposed Threat Actors

Analysis of the BreachForums dataset confirms the presence of multiple known high-profile data leakers, hacktivists, and ransomware affiliates. The following are examples of the types of actors identified within the dataset:

Loki (BreachForums Moderator)

888 (BreachForums Moderator)

NarodArmiya (BreachForums Moderator)

Handala (Hacktivist)

ShinyHunters

IntelBroker

Registration Timeline

DarkTower analyzed the BreachForums registration data and identified several spikes that closely align with major breach disclosures and forum related disruptions.

The first major increase occurred in early APR2024, coinciding with the National Public Data breach posting. Between 02APR2024 and 04APR2024, the forum recorded 6,088 new registrations, representing the largest single surge in user registrations. The second notable spike occurred in MAR2025, coinciding with the Oracle breach posting. On 13MAR2025, the forum recorded 2,495 new registrations.

Overall, registrations increased following high-profile breach disclosures and frequently paused or declined following law enforcement actions or forum takedowns. 

Geographic Distribution

When DarkTower analyzed the geographic distribution of BreachForums users, based on both registration IP addresses and last known login IPs, the data revealed a globally diverse user base with concentrations across North America, Europe, and parts of Asia.

The registration IP reflects the user's location at account creation, whereas the last login IP reflects more recent access. A difference between the two locations may indicate use of a VPN or proxy.

Figures: Last login IP distribution; Registration IP distribution

Email Domain Usage

DarkTower analysis of email domain usage shows that Gmail was the most commonly used provider by a wide margin, accounting for over 240,000 registrations. Proton, the second most used, accounted for more than 42,000 registrations.
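As an added example (not code from DarkTower's post), the three analyses above, registrations per day with spike detection, email-provider counts, and registration versus last-login IP comparison, carried out in Python over a constructed mini-export. The column layout is an assumed, reduced MyBB-style one, the rows are invented, and IP columns are assumed to be integer-encoded addresses as forum software such as MyBB stores them.

```python
"""Summarise a leaked forum user export the way the post describes: registration
spikes per day, e-mail domain counts, and registration-vs-last-login IP mismatches."""
import ast
import ipaddress
from collections import Counter
from datetime import datetime, timezone
from statistics import median

# Constructed sample (not real data) in an assumed, reduced MyBB-style layout:
# (uid, username, email, regdate, lastactive, regip, lastip). Timestamps are Unix
# seconds; IPs are integer-encoded. regip is 127.0.0.9 throughout; lastip values
# use RFC 5737 documentation ranges. 2024-04-02 carries a deliberate burst.
SAMPLE_DUMP = """
INSERT INTO users VALUES
(1,'alpha','alpha@gmail.com',1711900800,1712400000,0x7F000009,0x7F000009),
(2,'bravo','bravo@proton.me',1712016000,1712420000,0x7F000009,0xC6336407),
(3,'charlie','charlie@gmail.com',1712020000,1712430000,0x7F000009,0x7F000009),
(4,'delta','delta@gmail.com',1712030000,1712440000,0x7F000009,0xCB007114),
(5,'echo','echo@tutanota.com',1712102400,1712450000,0x7F000009,0x7F000009),
(6,'foxtrot','foxtrot@gmail.com',1712110000,1712460000,0x7F000009,0x7F000009),
(7,'golf','golf@proton.me',1712250000,1712470000,0x7F000009,0x7F000009),
(8,'hotel','hotel@gmail.com',1712350000,1712480000,0x7F000009,0x7F000009);
"""

COLUMNS = ("uid", "username", "email", "regdate", "lastactive", "regip", "lastip")


def parse_rows(dump: str) -> list[dict]:
    """Turn each VALUES tuple into a dict. The SQL literal syntax used here
    (single-quoted strings, decimal and 0x hex integers) is also valid Python,
    so ast.literal_eval parses a row safely without executing anything."""
    rows = []
    for line in dump.splitlines():
        line = line.strip()
        if not line.startswith("("):
            continue
        values = ast.literal_eval(line.rstrip(",;"))
        rows.append(dict(zip(COLUMNS, values)))
    return rows


def decode_ip(value: int) -> str:
    """Integer-encoded address -> text (IPv4 below 2**32, otherwise IPv6)."""
    return str(ipaddress.ip_address(value))


def registration_spikes(rows: list[dict], factor: int = 3) -> tuple[Counter, list[str]]:
    """Count registrations per UTC day and flag days at or above factor x median."""
    daily = Counter(
        datetime.fromtimestamp(r["regdate"], tz=timezone.utc).strftime("%Y-%m-%d")
        for r in rows
    )
    baseline = median(daily.values())
    spikes = sorted(day for day, n in daily.items() if n >= factor * baseline)
    return daily, spikes


def email_domains(rows: list[dict]) -> Counter:
    """Provider distribution by the part after '@', lower-cased."""
    return Counter(r["email"].rsplit("@", 1)[-1].lower() for r in rows)


def ip_mismatches(rows: list[dict]) -> list[tuple[str, str, str]]:
    """Accounts whose registration and last-login IPs differ; the post treats such
    a difference as a possible VPN/proxy signal. A loopback registration IP (as in
    the constructed rows) carries no geography, so only the comparison is usable."""
    out = []
    for r in rows:
        if r["regip"] != r["lastip"]:
            out.append((r["username"], decode_ip(r["regip"]), decode_ip(r["lastip"])))
    return out


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_DUMP)
    daily, spikes = registration_spikes(rows)
    print("registrations per day:", dict(sorted(daily.items())))
    print("spike days:", spikes)
    print("email domains:", email_domains(rows).most_common())
    print("reg/last IP mismatches:", ip_mismatches(rows))
```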

Telegram Emoji Packs https://getdarktower.com/telegram-emoji-packs/ Tue, 07 Oct 2025 20:09:29 +0000
Trevor Wilson

Introduction

A Telegram Emoji Pack is a collection of custom static or animated images that users can add to the messenger to personalize their communication. Telegram Premium users are able to subscribe to exclusive packs with unique designs, while any user can view them in messages. Users can also create and upload their own emoji packs to share with others.

Threat actors are creating packs with emojis that contain logos of companies they target. When they communicate with other threat actors about targeting a specific company, they will reference the target organization without spelling out the company’s name. Therefore, when analysts search for a specific company’s name in malicious Telegram groups, not all of the relevant search results will appear.

Example: Telegram threat actors “Jack” and “Jill” are planning on illegally buying a bank log, cloning the victim’s debit card, and draining the funds via ATM. However, Jack and Jill realize that they need to recruit two more threat actors: one to clone the card, and another to physically withdraw the funds from an ATM. In order to recruit these needed individuals, Jack decides to create an emoji pack containing the logo. Jill also wants to recruit individuals for the plan, so she subscribes to Jack’s emoji pack through Telegram premium and can now also use the bank logo emoji. Therefore, Jack and Jill can recruit individuals for the job without ever typing the name “Bank.” So, if an analyst is conducting a general search for Bank-specific criminal activity, a search for “Bank” will not uncover Jack and Jill’s operation.

Investigation

@KURASAOCAP

As of 20SEP2025, DarkTower has identified and recorded four different emoji packs containing bank logos. The first one is seen below, and the title of the pack tags @KURASAOCAP as the creator.

Figure 1: hxxps://t[.]me/addemoji/NOFACEOPENUP

Kurasao Cap’s bio states that he is a motion/graphic designer. Some of the bio is in Russian.

Display Name: 𝐾𝑈𝑅𝐴𝑆𝐴𝑂 𝐶𝐴𝑃 | 𝑊𝑂𝑅𝐾 [𝐵𝐼𝑂]
Handle: @KURASAOCAP
User ID: 943537646

Figure 2: hxxps://t[.]me/KURASAOCAP

Kurasao Cap also owns the handles @vsekartiny and @ralphlaur.

Figure 3: hxxps://t[.]me/vsekartiny
Figure 4: hxxps://t[.]me/ralphlaur

Random Acct Drops / Biz Drops

The second emoji pack is titled “Random Acct Drops / Biz Drops”. The pack does not credit a specific user as the creator. A general search for the display name of the pack revealed a wide variety of results, unrelated to emojis.

Figure 5: hxxps://t[.]me/addemoji/DropsbyV

@atmanman :: @fStikbot

The third emoji pack is titled “@atmanman :: @fStikbot”. The pack credits two users in the display name.

Figure 6: hxxps://t[.]me/addemoji/manmanstix_by_fStikBot

The second user listed, @fStikbot, is still active on Telegram. @fStikbot appears to be a service that allows Telegram users to transform their own pictures into emoji packs. It is likely (not confirmed) that a threat actor abused this tool to upload target companies’ logos.

Display Name: Favorite Stickers Bot 🇺🇦
Handle: @fStikbot
User ID: 449972946

Figure 7: hxxps://t[.]me/fStikBot

Telegram user @atmanman is no longer found on Telegram. However, a global search for the old handle reveals only one user, @Atmanmanjl.

Figure 8: Telegram Global Search for “@atmanman”

Atmanmanjl’s display name and bio are written in Arabic.

Display Name: عفاف سرحا ن
Handle: @Atmanmanjl
User ID: 643068108

Figure 9: hxxps://t[.]me/Atmanmanjl

In English, Atmanmanjl’s display name is “Afaf Sarhan,” and the bio reads “And seek help through patience and prayer.”

Figure 10: Google Translate

VICE UNION @viceunion

The fourth emoji pack is titled “VICE UNION @viceunion”. The pack credits the user @viceunion in the display name.

Figure 11: hxxps://t[.]me/addemoji/ViceUnionPack

As of 22SEP2025, the Telegram user @viceunion is no longer found on Telegram. It is believed that the Telegram channel “VICE UNION SHOP” belonged to @viceunion. On 09SEP2025, Telegram user “Davidson terrace” forwarded a message from “VICE UNION SHOP” in the channel “🇦 Fraud Cartel 🇦”. The message has since been replaced by the message below.

It is likely that @viceunion and VICE UNION SHOP were both removed from Telegram simultaneously.

“Vishing” you a Merry Christmas and a “Smishing” New Year! https://getdarktower.com/vishing-you-a-merry-christmas-and-a-smishing-new-year/ Mon, 25 Dec 2023 18:41:19 +0000
Phishing is one of the most popular online scams with the holidays seeing no exception. The season is rife with phishing scams as threat actors blend in amongst the multitudes of legitimate messages from popular brands.

Phishing scams are executed through emails, text messages (SM[i]Shing), phone calls (Vishing), and social media, becoming more sophisticated over the years, making them harder to detect and block. Phishing attackers use social engineering tactics to exploit specific consumer trends by impersonating well-known brands to deceive customers. All businesses operating online are potential targets, as these attacks target employers or customers to gain access and obtain sensitive data or systems. 

Email

A shocking amount of email traffic is spam, with a large chunk of that spam purposely crafted for fraudulent purposes, to compromise communication, or gain access to data, networks, or funds. Threat actors often ask for various types of personal information through phishing emails, including: date of birth, social security number, login details, home address, phone numbers, credit card details, or passwords. This information is then used by the threat actor to impersonate the victim, apply for credit cards or loans, open bank accounts, and commit other fraudulent acts. Furthermore, this information can be used for more targeted and sophisticated attacks like spear phishing or business email compromise (BEC).

Once a victim acts upon the requested action in the email, the phishing occurs. Requested actions can include clicking an attachment, updating a password, enabling macros in a Word document, responding to a social media friend or contact request, connecting to a new wifi, or clicking on a website link.

Below are some of the phishing emails DarkTower employees have received this season:

Mobile Phishing- Smishing

While signing up for text alerts to keep track of package arrivals can be a great method to ensure items have been delivered, threat actors have taken advantage of this feature to impersonate carriers and other entities to exploit consumers.

Smishing is when a threat actor uses SMS phone messaging to impersonate a trusted entity in an attempt to steal personal information or install malware on a device. Typically, the end user is socially engineered into clicking on a link within the text message, which either automatically downloads malware onto the victim’s device or leads the victim to a login page that asks for personal information.

Threat actors generate phone numbers randomly which are repeatedly used until they get a hit. Threat actors entice their targets via special offers, saying a prize has been won, package delivery claims, energy support payments from the Government, and more.

Below are some of the smishes DarkTower employees have received this season:

Voice Phishing- Vishing 

The holiday season is a busy time where individuals are calling to reconnect with family and friends, ensure their packages are arriving on time, donating to their favorite charities, and more. It is also a busy time for vishers! 

Phishing which occurs over voice calls is known as vishing. Threat actors utilize social engineering tactics over phone calls to deceive and exploit individuals into sharing sensitive personal information or even remote access into the victim’s computer. These threat actors attempt to impersonate well known entities including credit unions, banks, government agencies, or tech support. 

Once on the phone, the threat actor will try to manipulate the victim through various types of techniques including robocalls, spoofed caller ID, voicemail drops, text messages with a number to call, software alerts with a “tech support” number to call, and impersonated calls.

Social Media Phishing

Did the holidays even happen if we didn’t see it on Facebook?!

Social media has become part of our everyday lives, used to keep up with family and friends, follow the news, connect with the world, celebrate, fall in love, make purchases, and much more. Social media is also used by businesses to keep their consumers informed about the latest products, events, and offers, and by their employees for work and personal activities. All of this in turn makes these platforms attractive to threat actors, especially during the holiday season.

Phishing attacks over social media are executed for the purpose of collecting social media account login credentials, credit card information, and personal information that can be used to launch other scams and attacks. Social media is one of the fastest growing attack surfaces; threat actors exploit its ubiquity and develop niche tactics for each social media site. 

Threat actors create phishing sites that mimic social media login pages which capture credentials as they are inputted. With the credentials, the threat actor has full access to the victim’s account. This can also expose the victim to more damage if they use those same credentials to log on to other social media sites, bank accounts, and more. Once the threat actor has access to the social media account, they can spy on the victim, take over the account and pose as the legitimate user, and also request personal information from the victim’s friends or followers. 

Another scam conducted over social media is the romance scam. Many people are lonely during the holiday season, making it an ideal time for threat actors to target victims, build trust, and take advantage of their vulnerability. The threat actor manipulates the victim into sending money or coerces the victim into engaging in criminal activity. Many times the social media profiles used by criminals appear to be individuals who are military officers, offshore oil rig workers, or doctors who are part of international healthcare charities – all occupations that make it seem justifiable if the individual is unavailable to speak by phone, is uncommunicative for long periods of time, etc. Romance scams are a complex topic that deserves its own blog post, so stay tuned for more from DarkTower on this topic in the coming weeks.


Examples of Fake Military Social Media profiles often used for Romance Scams

Izz Al-Din Al-Qassam Brigades Android Application https://getdarktower.com/izz-al-din-al-qassam-brigades-android-application/ Wed, 01 Nov 2023 20:17:31 +0000
Ashlyn Schultz

On 10OCT2023, the Izz Al-Din Al-Qassam Brigades’ newest Android app was shared on the group’s official Telegram channel. The first message shared was an image advertising the Al-Qassam app, receiving about 650,000 views and over 10,000 reactions. The second message shared was a download of the app and text telling users to download the free trial version of the app available for Android devices, receiving two million views and over 18,000 reactions. Compared to previous messages sent in the Al-Qassam Telegram channel, which typically receive between 100,000 and 400,000 views, the views on messages advertising the app are significantly higher.

Figure 1: Al-Qassam Telegram channel advertising the group’s app

Al-Qassam Android Application Contents

The Al-Qassam Android Application functions as a news feed, updating users on Al-Qassam Brigades news, activities, operations, martyrs, and more. The app itself is simplistic, but provides consistent and regular reports. The home page is styled similar to a Twitter/X feed where short text posts are shared and dated. These contain images of official announcements and videos of rocket launches, and the posts are made every few hours.

Figure 2: Cover photo when opening the app

Main Page

The main page of the app displays the most recent reports from each tab of the app including videos, statements, and urgent news with as many as 8,000 views on certain announcements.

Figure 3: Main page of the app

App Menu

The app provides several different informational resources. The menu bar has ten tabs including a link to the Al-Qassam website, breaking news, Qassam memories, statements, reports, videos, operations, martyrs, contact page, and notifications options.

On the bottom of the menu bar, the app includes links to the group’s telegram channel and website. The previous Al-Qassam website is down and has moved to a new IP Address that the app connects to. 

Figure 4: App menu

Breaking News Tab

The Breaking News section includes content that is currently occurring or developing, mostly involving Al-Qassam operations.

Figure 5: Breaking news

Qassam ‘Memories’ Tab

The Qassam ‘Memories’ tab includes an archive of historical events like operations or martyrdoms. This section will showcase the events that occurred on the date that the user is viewing this tab. Users can also filter results by day, month, and year. 

Figure 6: Qassam Memories

Statements Tab

The Statements tab includes a list of official Al-Qassam released statements describing operations and claiming attacks.

Figure 7: Statements 

Reports Tab

The Reports section is updated daily with information on military operations conducted in the region including images.

Figure 8: Reports

Videos Tab

The videos section includes a number of videos ranging from interviews with members of the group to videos of military operations.

Figure 9: Videos

Operations Tab

The operations tab catalogs military operations being conducted by the group. 

Figure 10: Operations

Oasis of Martyrs Tab

The Oasis of Martyrs section showcases a list of Al-Qassam members that have died including their name, where they are from, and the date of their death.

Figure 11: Oasis of Martyrs

Contact Page

The Contact section is a place where users can contact the group under four options: general messages, contacting the administrator, support and donation, and public relations. 

Figure 12: Contact page

Messages written and submitted in the app redirect users to their email account, addressed to one of the following emails depending on who the user is trying to contact:

fund@alqassam[.]ps, info@alqassam[.]ps, admin@alqassam[.]ps, or public-relation@qassam[.]ps.

Figure 13: List of Emails

Notifications Options

The notification section allows users to create alerts for different tabs that they would like to receive notifications from. This includes a reports notification, breaking news notification, video notification, and statement notification.

Figure 14: Notification options

Al-Qassam Website

A new website belonging to Al-Qassam was identified and is linked on the group’s app. The website is available in Arabic and English almost mirroring the content that is disseminated through the app.


Figure 15: Al-Qassam Website in Arabic

The English version of the Al-Qassam website has a slightly different display with similar content.

Figure 16: Al-Qassam Website in English

The registration information for the new Al-Qassam website lists the registrar as GoDaddy, creation date as 25OCT2023, and name server as Cloudflare.

Figure 17: Registration Whois Datapoints

Network Traffic

IP Address:   5.253.143[.]42

When examining the network traffic involving the Al Qassam Brigade app, DarkTower observed TCP traffic to the server palcloud[.]ps on the IP 5.253.143[.]42. All news updates to the app come from this address as seen in the network traffic capture below. Palcloud[.]ps also hosts the Al Qassam news site with similar content to media-ps[.]org. There is no internal way to update the application from within the app itself. If the palcloud[.]ps site were to be taken down, the app would need to be reinstalled; most likely this would be announced in the official Al Qassam Brigade Telegram channel where the app originated from.

Figure 18: Al-Qassam website network traffic

Figure 19: Al-Qassam Website DNS History

DNS History from Zetalytics indicates that PalCloud.ps was previously hosted on the Russian IP address 185.209.32[.]193 and used Cloudflare for Nameservers.  This hosting changed on 12OCT2023 to use Turkish IP address 5.253.143[.]42 and self-hosted Nameservers. 

Al-Qassam Telegram

The official Al-Qassam Telegram channel is linked in the app and has a total of 691,069 subscribers.

Figure 20: Al-Qassam Telegram channel

Additionally, DarkTower identified the Telegram channel belonging to Al-Qassam’s official spokesman, Abu Ubaida, with a total of 584,466 subscribers.

Figure 21: Abu Ubaida Telegram Channel

Getting a Job In Pig-Butchering https://getdarktower.com/getting-a-job-in-pig-butchering/ Wed, 12 Jul 2023 20:51:54 +0000
Gary Warner

Crypto-Investment Scams

By now you’ve certainly heard about the link between human trafficking and pig butchering. Last year the Internet Crime Complaint Center received complaints about crypto-related investment frauds resulting in $3.3 Billion dollars in losses to U.S. citizens. It was the first year in recent history where Business Email Compromise losses were not the number one category of fraud.

We easily found evidence of the crypto-investment scam websites, both through their advertising on social media groups, Telegram channels, and WhatsApp groups, and also through Passive DNS analysis and reviews of newly registered domains.  You can see a partial list of the more than 25,000 domains we have linked to crypto-investment fraud by searching URLScan.io for the tag “cryptoscam.” At this time URLScan is showing a list of more than 4300 such domains.

Pig Butchering

But how are crypto-investment scams linked to pig butchering? I first wrote in August 2022 about the origins of the term “pig butchering,” or 杀猪盘 (Shā zhū pán), on my Cybercrime & Doing Time blog. The term became widespread as Hao Zhendong (郝振东) relayed his experiences of being lured to Myanmar, enslaved, and forced to scam people by brutal overseers who regularly beat and threatened their staff. Since then many documentaries and investigative reports have been published on the story. Two exceptional examples are the Al Jazeera 101 East documentary “Forced to Scam: Cambodia’s Cyber Slaves” and the BBC World Service documentary “The Pig Butchering Romance Scam.” Both are brutal to watch, including video of the scammer-slaves being beaten and shocked with electric prods.

Homeland Security Investigations and ACAMS released a special alert about pig butchering. In that report they describe pig butchering as combining traditional romance and investment fraud with people trafficking and modern slavery. They say it is typically conducted by organized criminal gangs operating from Southeast Asia, in Myanmar, Laos, Cambodia, and Thailand.

There have been arrests of the scam masters in the United States, Australia, and Malaysia, but the more fascinating law enforcement actions are the rescues. Huge numbers of enslaved scammers have been freed in multiple cases, including 2,700 in the Philippines. The Los Angeles Times estimates that at least 100,000 victims are enslaved in these pig-butchering operations, often held captive in Cambodian casino resorts that fell into disuse after the COVID-19 pandemic bankrupted their original operations, as was also documented in VODEnglish’s story describing thousands of victims forced to scam.

The Career Lure

But how are the victims lured to these jobs? And what types of careers are offered by the scammers?

One website that is clearly part of a pig-butchering recruitment project is Trionix Multitech. The website describes how their main location is in Thailand and that they have 10,000 employees working in a 750-acre Tech Park in Mae Sot, Thailand. Employees are provided “free accommodation with 4 meals per day” and health checkups “every 2 months to keep our environment safe.” The website describes their unique crypto environment and the tokens they offer, showing that 45% of the tokens are allocated for public sales and 25% for private sales, with the rest split between the founders and advisors and used for bounties and events for employees.

There are 8 categories listed as “Careers” and 6 categories listed as “IT Jobs.” While it may seem odd that one of those categories is “Model,” it makes sense based on my experience with pig-butchering conversations. During weeks-long conversations with pig-butchering girls, I was treated multiple times each day to photos of my “friends.” Maria, whom I met by chance when she accidentally texted the wrong number, was a beautiful blonde woman from Croatia. After only a couple of messages she declared, “I think you are very sincere. Your mature tone gives me a good feeling. I like to communicate with you so I want to know more about you.” Several of the photos she shared with me had buildings in the background that were clearly in Thailand, based on the architecture.

When I asked about them, she explained that she and her father had visited Thailand recently and the picture was from their trip.  She started and ended each day by sending me a photograph of herself. When I shared those with others, several other people had received photos of the same individual.  This leads us to believe that the “models” described below provide regularly updated photographs that those involved in the romance scams use to make their relationships more credible.

Where is Trionix Multitech?

An animated roadmap on the website provides directions on how to reach the Tech Park.

The animation implies that from Home you go to the Bangkok airport, then to a hotel, then you are driven to Mae Sot, and then to the Tech Park.

The website lists their address as “PH6F+XV Mae Sot Municipality, Mae Sot Subdistrict, Mae Sot District, Tak 63110” in Thailand. The WhatsApp button on the website links to a Thai telephone number, +66 634 026 873, and the site indicates the same number can be used for Telegram; that number is said to belong to “Madhu Sudhan Rao, Manager.” A second Thai telephone number, +66 630 257 424, is given for “Mr Yan Lee, Head of the HR Department.”

Several news articles have reported the presence of “cyber slaves” in Mae Sot and imply that the slave masters can easily transport their “employees” to Myanmar, which is 15 minutes from the Mae Sot location. One of these articles appeared on Decripto.org on 03JUL2023 and includes a map showing pins for Mae Sot, the Tak border crossing, the Myawaddy border patrol station, and Myawaddy in Myanmar. Per Google Maps, the drive from Mae Sot to the Myanmar border takes approximately 15 minutes.

Another article, “A Criminal Cancer Spreads in Southeast Asia,” was published by the United States Institute of Peace on 26JUN2023. In it, the authors describe “at least 17 distinct crime zones” offering “5 million square meters of criminal office space” along a 31-mile stretch of the Moei River, which divides Myanmar from Thailand. The article points out that although Thai law enforcement has taken some enforcement actions, “construction continues around Mae Sot and new players are emerging along the Thai border.”

Selected Job Descriptions from Trionix Multitech

I’ve included the text of several job descriptions from the Careers section below, in case it is helpful as searchable text for those researching these situations. The wording is reproduced as it appears on the site.

Human Resources:- HR

  • Salary Trial period 10000 RMB, 12,000 RMB after normalization
  • Working hours: 9 hours/day; 4 days off/month Recruit 2 people for monthly tasks, 5000/person (unlimited positions)
  • Off-task commission 8000/person (unlimited positions)
  • Task:
    • Responsible for recruiting talents to the company every month
    • Job requirements
    • It is necessary to know Chinese and Chinese typing, and it is good to know Chinese and English!
    • Strong sense of obedience, aged 20-39 years old;
    • Recruitment experience is required, and newbies are accepted
    • Conscientious and meticulous, strong sense of responsibility, strong execution, and obedience to arrangements;
    • Familiar with the use of computer chat software and various office software

Model

  • Salary: Basic salary $4000 usd, after regular employees $5000 usd
  • Job Responsibilities:
    • Have questions and answers / maintain customers warmly and thoughtfully.
    • Responsible for shooting company advertisements and other content when necessary.
    • Answer the customer’s video and call to chat with the customer when needed.
    • Improve the adhesion of customers through excellent service.
  • Job Requirements:
    • 20-30 years old Ukraine, Russia, Kazakhstan, Uzbekistan or other place; Female only
    • Beautiful-looking and fluent in English.
    • can have good communication skills.
    • There is no need to work in the office, and the work is easy.

Marketing Specialist

  • Blockchain project
  • Salary base salary 12,000 RMB to 15,000 RMB cap
  • Commission 5-16 points, accurate resource promotion
  • Monthly salary comprehensive guaranteed minimum salary of 30,000-50,000 yuan 11 hours of working hours, 4 monthly breaks
  • If the performance is less than 20,000, 6% will be drawn, and if the performance is 5-10, 7% will be drawn
  • 9% for 10-20 performance, 11% for performance 20-30
  • 30-50 performance, 13%, 50% or more, 16%
  • job requirements
    • Age 20~35 years old; accept overtime / sensitive to data;
    • Excellent communication skills, good affinity, strong sense of service, positive and optimistic.

English promotion specialist:

  • Blockchain project
  • Basic salary of 1000 US dollars, regular employees 1500 US dollars
  • Commission 5-16 points, accurate resource promotion
  • Monthly salary comprehensive guaranteed minimum salary of 30,000-50,000 yuan
  • 11 hours of working hours, 4 monthly breaks
  • If the performance is less than 20,000, 6% will be drawn, and if the performance is 5-10, 7% will be drawn
  • 9% for 10-20 performance, 11% for performance 20-30
  • 30-50 performance, 13%, 50% or more, 16%
  • job requirements
    • Age 20~35 years old; accept overtime / sensitive to data;
    • Excellent communication skills, good affinity, strong sense of service, positive and optimistic.

Customer Service Specialist

  • Need to be familiar with Chinese and be able to use office software
  • Salary: Basic salary of 75,000 Thai baht, an Up to 100,000 baht plus high incentives the
  • Working hours: 12 hours, 4 monthly breaks, two shifts
  • Job Responsibilities:
    • Have questions and answers / maintain customers warmly and thoughtfully.
    • Online guide customers to achieve more target performance.
    • Maintain a good relationship with customers and keep splitting and opening new ones.
    • Improve the adhesion of customers through excellent service.
  • job requirements:
    • Must be able to speak Chinese and Chinese typing (1) 20-30 years old Chinese nationality or foreign Chinese, Except Fujian, Stan can be (2) Invint respects and does not reject personal religious beliefs, However, work cannot be affected by personal religious beliefs. (2) Fluent in Mandarin listening, reading and writing, typing > 30/min. (4) Have a good sense of service and active service ability. (5) Understand the sports and give priority to those with customer service/maintenance experience.
  • Contents of performance appraisal:
    • Attendance in the current month (whether there is lateness or absence, etc.)
    • Work attitude (whether there is laziness, burnout, etc.)
    • Basic ability (whether the work can be completed within a given time)
    • Business level (whether you can complete the work independently)
    • Superior evaluation (direct leader evaluation/supervisor evaluation)

Security Engineer (Network)

  • Salary: 9hrs per day Salary 2000$ 5000$ Depends on Experience
  • Working hours: 9 hours
  • Essential Skills
    • Extensive knowledge of Windows, Linux/Unix, Network
    • Knowledge of Firewall, IDS, Data Encryption, DLP etc.
    • Strong understanding of Active Directory, DNS, LDAP and Okta
    • Understanding of security and compliance frameworks such as CIS, NIST, ISO27001.
    • Previous experience of having used enterprise DLP products whilst installing configuring and managing these in the past.
    • Very strong understanding of AWS platform.
    • Proven experience with log management and/or SIEM technologies such as Splunk or Log Rhytm.
    • Knowledge of cloud and containers. Excellent understanding and experience with the following IT categories: Network Security, Vulnerability Management, Access Control, Device and Network Hardening methods.
    • Strong understanding of SOAR technologies and implementation.
    • Previous experience of deploying, configuring and managing Network Detection and Response (NDR) and Endpoint Detection and Response (EDR) tools within an enterprise environment.
    • Expertise in these domains; Security Architecture and Engineering, Communication and Network Security, Identity and Access Management (IAM), Security Assessment and Testing.
  • Basic Skills:
    • Experience of implementing, configuring and tuning security tools and technologies in a geographically dispersed environment.
    • Good communication and presentation skills.
    • Good written language skills.
  • Responsibilities:
    • Gain a thorough understanding of the security engineering culture and becoming embedded into the landscape of tools, technologies and solutions that form the backbone of delivery of security management.
    • Interacting with colleagues in different time zones, different level of expertise and understanding and in different cultures.
    • Provide expert support on the technical aspects of delivery of programs.
    • The deployment, configuration and management of new security tools, solutions and services.
    • Ensure various security tools, technologies and solutions are properly placed, configured and fine-tuned to provide the visibility and data that ensures this organisation can proactively identify, respond and mitigate threats and vulnerabilities across the global function.
    • Effectively liaise and collaborate with teams inside and outside of the respective department, including infrastructure, Networking, Digital Workplace, DevOps and engineering colleagues.
    • Continuously monitor and test the tools and solutions deployed, ensuring the goals of the security strategy and program are met.
    • Actively take part in project management life-cycles and demonstrate expertise when working on large security improvement programs

Full-stack / Back-End (Senior)

  • Being a professional software engineer
  • Salary: 9hrs per day Salary 3000$ 5000$ Depends on Experience
  • Working hours: 9 hours
  • Job Responsibilities:
    • You are proud to deliver high-quality code and maintain such quality through continuous testing, adopting best practices, reducing code complexity and incorporating critical feedback
    • You believe that collaboration with clear and consistent communication and excellent-documentation are key for successful product development
    • You are pragmatic and comfortable making short-term development decisions without losing sight of the product’s long-term vision and development road map Having been in the industry, you have:
      • Strong and demonstrable experience developing high-availability and concurrency analytic products
      • Solid knowledge of Java development frameworks: Dropwizard, Spring, and Hibernate
      • Good experience working with APIs and queuing management technology like RabbitMQ and/or Kafka
      • For full-stack , a good understanding and experience developing and designing intuitive and interactive platforms front-end and analytic tools
  • Our development team works through seven project-based cycles a year. Each cycle consists of three two-weeks sprints documented and tracked in Atlassian (Jira and Confluence) and GitLab. New features and functions are continuously deployed throughout a project cycle with the support of GitLab to automate and streamline the DevOps process. Ahead of deployment, new code requires passing our pre-commit reviews (quality, functionality and security), which we use Deepsource, Codesens and SonarQube.
  • Our platform technology stack consists of
    • Containerised Java and microservices hosted on AWS
    • PostgresSQL, Redis, dbt and Metabase for data management and analytics
    • Python and LISP for the AI and ML modules
    • Kubernetes and Docker to manage and scale container deployments
    • CloudWatch and for performance monitoring and incident response
    • Intercom and Segment to streamline customer service and support
  • By joining our innovative and agile team, you will enjoy:
    • Great opportunity to work on innovative cyber security products & collaborate toward new improvements
    • Work alongside some of the industry’s leading experts & founders
    • Play an integral part of a young, exciting start-up growing and scaling up
    • Flexible working environment
    • Fully serviced offices: Belfast & London
    • State-of-the-art equipment and tools for the job
    • Access to rich development and personal growth learning resources and training
    • Competitive base salary, depending on the level of experience

Digital Specialist (Paid Ads, SEO/ASO)

  • Salary: 9hrs per day Salary 2000$ 5000$ Depends on Experience
  • Working hours: 9 hours
  • You’ll Have The Following Responsibilities
    • Support Global Paid Ads Strategy by increasing local relevance for campaigns by localizing and suggesting Ad content more culturally relevant
    • Develop Local narratives for performance marketing creatives and manage design briefs to meet local needs
    • Monitor and report on performance using analytic tools like AppsFlyer, Google Analytics, Appannie, and Similarweb. Strong analytical skills are required
    • Work with the Performance Marketing central team in the local campaigns planning across creatives, audiences, optimization strategies, channels, and geographies to maximize ROAS
    • Meet ambitious growth KPIs
    • Work with editorial and marketing teams to drive SEO in content creation and content marketing
    • Support SEO and Link Building with local publishers increases Binance site reputation
    • Closely collaborate with the CRM & Lifecycle team to improve the localization for email marketing and automation in the region
    • Collaborate with the affiliate marketing team in obtaining local resources and partners to develop the program locally
  • Responsibilities:
    • 3-4 years of relevant paid social marketing experience, preferably directly managing digital marketing campaigns for a fintech or mobile app company
    • Solid understanding of performance marketing, conversion, analytics and online customer acquisition
    • Up-to-date with the latest trends and best practices in SEO and SEM
    • Email marketing previous experience is a plus
    • Experience with SEO industry programs, such as Google Analytics or Adobe Analytics
    • Proven SEM experience managing PPC campaigns across Google, Yahoo etc
    • Must have a strong interest and knowledge in the crypto/blockchain/technology space
    • University degree relating to Business, Marketing, Statistics, or Economics is plus
    • Must be a fluent English speaker
    • Fluent Chinese will be a strong plus
  • Conditions:
    • Competitive salary
    • Flexible working conditions
    • Flat organization
    • Great Locations with a highly talented and international colleagues
    • Be a part of the exciting future of the crypto-currency revolution and work on the world’s no.1 crypto-currency exchange!

The post Getting a Job In Pig-Butchering appeared first on DarkTower.

New Fraud Trends from the IC3.gov 2022 Report
https://getdarktower.com/new-fraud-trends-from-the-ic3-gov-2022-report/
Fri, 10 Mar 2023 15:00:10 +0000

The IC3.gov annual report shows the top fraud categories in 2022. Crypto Investment Scams and Call Center Scams are surging! Let's take a deeper look at the underlying trends and causes.
Gary Warner, Director of Intelligence

The numbers from the IC3.gov 2022 Annual Report reinforce the trends we at DarkTower have been trying to draw attention to. Criminals flock to where the money is, and right now the fraud funds are flowing more freely than ever as the criminals refine their tactics. As we look at the enormous increase, please be aware that cybercrime is still hugely under-reported: these numbers are confirmed victim losses, but only from the people who took the time to report them to IC3.gov. When you hear that someone has been scammed, please send them to IC3.gov and have them click “File a Complaint.” Are they elderly, confused, or not tech-savvy? Sit with them and walk them through the process. Documenting losses and providing every detail we can is one path toward fighting these crimes. IC3.gov calls it “Protect one another,” and I agree.

BEC, Romance Scams, and West African Organized Crime

For at least the past five years we have been talking about how #BEC and #RomanceScams are largely run by West African organized crime groups called confraternities. Most prevalent among them are the Black Axe (Neo-Black Movement of Africa), the SEC (Supreme Eiye Confraternity, or AirLords), the Buccaneers (Brodas/Brothers Across Nigeria), the SVC (Supreme Viking Confraternity, or SeaLords), and the MAPHITES (Green Circuit Association). While they continue to dominate Business Email Compromise, the first reduction in Romance Scams in several years is because romance victims are now being lured into investment scams, most of which are “Crypto Investment Scams.” These groups are still a primary recruiter of money mules around the world. In North America they mostly show up as financial criminals; in Europe they are heavily involved in human trafficking for forced prostitution and in drug trafficking, as was so well documented by BBC Africa Eye in “Black Axe: Nigeria’s Mafia Cult.” Our stolen funds enable those crimes.

Pig Butchering

The biggest change that led investment scams to more than double is the vast improvement and refinement in this area by Chinese organized crime operating slave shops of scammers in neighboring countries. The term “Pig Butchering” comes from the story of a Myanmar labor-trafficking victim that I shared on my Cybercrime & Doing Time blog: “Please stop calling all Crypto Scams Pig Butchering!” The same situation is going on in Cambodia, as was so incredibly well documented by Al Jazeera in “Forced to Scam: Cambodia’s Cyber Slaves.” As my friend Erin West leads the charge against “Pig Butchering” from California’s REACT Task Force, be aware that there are two very different models of this crime, both leading to the same result. Social media and dating site recruitment play heavily in both models. The West African version tends toward investment on a web page, while the Chinese version tends toward a longer recruitment cycle followed by installation of a dodgy APK “Investment App.”

WE NEED THE INDUSTRY TO BRAINSTORM WITH US ON HOW TO SHUT DOWN CRYPTO INVESTMENT WEBSITES AND THE RELATED SOCIAL MEDIA GROUPS! Right now, Registrars and Hosting companies are not accepting the role they play in the NUMBER ONE CYBERCRIME IN AMERICA. Quit dodging and come to the table ready to engage.

There is another way of tracking crypto investment scams: most of them are visible on the blockchain if you have access to the right analytical tools. The Chainalysis 2023 Crypto Crime Report shares that the top ten scams last year were all crypto investment scams. According to blockchain analysis, just those ten scams were responsible for stealing $3.469 billion! At DarkTower we have identified more than 25,000 such websites, and the losses from just TEN of them exceed all of the losses reported to the FBI in 2022 in this category.

Source: Chainalysis Crypto Crime Report 2023

Indian Call Centers, VOIP, and “Open-Ups”

The other HUGE surge in cyber-enabled financial crime comes from the Indian call centers. Last year at the RSA Conference I joined Josh Bercu from USTelecom in a presentation called “Knowing the Robocallers: Illegal Call Centers and Efforts to Stop Them” and spoke afterwards to WIRED magazine for their story “Here’s Why You’re Still Stuck in Robocall Hell.” #TechSupportScams are up 231% THIS YEAR, and up 800% over the past two years! After a slight improvement in Government Impersonation scams, we saw another huge surge in those last year. Same issue. We must DISRUPT their ability to function. For the call centers this means BLOCKING THEIR USE OF #VOIP SERVICES. We must identify and eliminate them not at the telephone-number level but by destroying the ability of fraudulent call centers to easily re-acquire a new number.

Call center fraud also surged because of the emergence of new financial companies in the U.S. that just do not understand how fraud works. We had earlier successes here in blocking merchant accounts and credit card processing, and then in gift card payments. The new monetization method that has allowed their resurgence is how easy it is to open U.S.-based financial instruments at the neobanks and FinTech companies. As each of those companies fights for market share, their marketing departments are fighting with their security teams to “reduce friction” in new account creation. “Runners” working for the Indian call centers, not just in America but in the UK, Australia, and other Western countries, are doing “open-ups” at scale to obtain Western bank accounts that can receive funds directly via Zelle, CashApp, Venmo, or other “fast payment” systems.

The post New Fraud Trends from the IC3.gov 2022 Report appeared first on DarkTower.

Most Prolific Ransomware Gangs of 2022
https://getdarktower.com/most-prolific-ransomware-gangs-of-2022/
Mon, 23 Jan 2023 15:06:03 +0000
Maria Harika

Ransomware is a continually evolving type of malware that uses encryption to hold a victim’s data for ransom. Once a system is compromised and infected, ransomware can lock and encrypt data, restricting the victim’s access, and hold it for a monetary ransom in exchange for decryption. Ransom demands range from a few thousand dollars to millions, on top of the other disruptions a target faces. And even if the ransom is paid, there is no guarantee that the decryption key and data will be provided.

Over the years ransomware has shown its ability to evolve from a malicious floppy disk to a multi-billion dollar industry expanding operations and increasing profitability. Ransomware has become one of the most complex and prolific attacks in today’s threat landscape. 

Ransomware groups keep developing new strategies, especially for extorting their victims: double extortion, where the group both encrypts and exfiltrates the victim’s data; triple extortion, where it adds DDoS attacks to disrupt services; and quadruple extortion, where it directly contacts, threatens, or harasses the victims.

In 2022, the ransomware landscape presented no exception to the continuous growth and sophistication of these types of attacks. In this new year, we take a look back at the most prolific ransomware groups DarkTower has monitored in 2022, mapping out these threat actors’ TTPs and looking forward to how they may evolve in the future.

LockBit 

One of the most prolific ransomware groups seen in 2022 was LockBit. LockBit is a ransomware-as-a-service (RaaS) group that hires affiliates to distribute and deploy its malware, dramatically increasing its reach. LockBit was the most prevalent ransomware group in 2022, according to data posted on the group’s dedicated leak site. The group was responsible for more than a third of the total number of victims in every quarter of the year. Beginning the year with more than two hundred known double extortion victims, the group continued at a steady lead throughout the year, even in quarter three when there was a general decrease in ransomware activity.

LockBit has claimed at least 1,000 double extortion victims in 2022, whose combined annual revenue is approximately $460 billion, ranging from small businesses to large enterprises. LockBit targets various industry sectors globally, with about half of its victims in the U.S., followed by France, the U.K., Italy, Canada, and Germany. The most impacted organizations have been in the manufacturing, professional and legal services, retail, construction, federal government, and healthcare and public health sectors.

We entered the year with LockBit 2.0, which was launched in June 2021, but saw the group’s latest iteration, LockBit 3.0, come onto the scene in June 2022. Along with its updated affiliate program and malware in June 2022, the group launched a bug bounty program that challenged individuals to find vulnerabilities in the ransomware program and the gang’s infrastructure, such as its Tor-hosted website, secure messenger and more. If a vulnerability is found the group would offer the individual between $1,000 and $1 million. On 19SEP2022, the first bug bounty was paid at $50,000.


Compared to LockBit 2.0, LockBit 3.0 added a few pages to its dedicated leak site, including affiliate rules, links to additional mirror sites, web security, and the bug bounty. The site lists nine mirror sites and three payment options: Bitcoin, Monero, and Zcash.

LockBit 3.0 also posted a ransom payment policy with different paid options, allowing anyone to (1) extend the timer by 24 hours, (2) destroy all information, or (3) download the data at any moment, for every victim published to the leak site.

Additionally, on its leak site, LockBit includes a “Leak Index” where it retains the stolen filesets indefinitely of targets that don’t pay, showcasing the victims for however long the group wants along with their leaked data.

LockBit’s ability to continually and quickly update its malware has allowed it to be the most prominent among RaaS operations that have targeted organizations over the past few years. LockBit’s activity over the years has also shown how ruthless it can be when picking when and which victims to attack. For example, one of the group’s victims in OCT2022 was Lincare, one of the largest providers globally of oxygen for respiratory care, and LockBit targeted them in the middle of our respiratory virus pandemic.

In August, the group announced it would take its operations to the triple extortion level after its leak site was hit with a DDoS attack that LockBit blamed on Entrust. Along with encrypting victims’ files, demanding a ransom, and leaking compromised files on its dedicated leak site, LockBit added DDoS attacks against targeted victims to disrupt their operations. The updated version also ships with StealBit, the group’s data exfiltration tool, and the group moved to target not only Windows systems but Linux hosts as well.

BlackCat (ALPHV)

Another highly prolific ransomware group in 2022 was BlackCat (also known as ALPHV), one of the most sophisticated RaaS operations. It is believed to be a successor to REvil and DarkSide/BlackMatter (responsible for the 2021 Colonial Pipeline attack) and to have links to FIN7 and FIN12. BlackCat compromised over 200 entities worldwide in 2022 via double extortion: at least 60 in the first quarter, 55 in the second, 42 in the third, and, at its peak, 80 in the fourth quarter. BlackCat targets public and non-profit organizations as well as large enterprises. Most of its victims are in the U.S., followed by Canada, Germany, the U.K., and Australia, in the manufacturing, professional services, legal, finance, and retail sectors. In September, the group claimed attacks on airports, gas stations, fuel pipeline operators, and other critical infrastructure providers.

In March, BlackCat announced “ALPHV MORPH,” a ransomware variant written in the Rust programming language, making BlackCat the first ransomware group to execute attacks using this language. By using the Rust language, BlackCat is able to improve its operation and increase defense-evasion capabilities. It also allows the group to customize malware across different operating systems like Windows and Linux, providing a larger scope of enterprise environments as targets.

In July, BlackCat revealed “ALPHV Collections,” a searchable dedicated leak site that indexes and makes all of the data leaks easily viewable. On the site, visitors are able to search by wildcard, filename, and file type (pdf, docx, jpg, png). Most double-extortion ransomware groups maintain a dedicated leak site, but BlackCat, along with other groups, has added this searchable feature as a way to further shame the victims in an attempt to compel them to pay the ransom demanded. 

In late September, BlackCat upgraded the ExMatter data exfiltration tool it uses in double extortion attacks and deployed new malware called “Eamfo”. The updated ExMatter tool “searches for specific file types from selected directories, uploads them to attacker-controlled servers, and then corrupts and destroys the files”. The tool adds wiper functionality: it does not just encrypt an organization’s data but goes a step further by deleting and destroying it. Similar to LockBit, BlackCat uses triple extortion tactics, threatening to launch DDoS attacks on its victims on top of exposing exfiltrated data in order to compel them to pay the ransom demand.

In December, a victim published on BlackCat’s dedicated leak site did not meet the group’s demands, which led BlackCat to publish all of the stolen data, as usually occurs; this time, however, BlackCat went a step further and also published the data on a cloned site that looks similar to the victim’s own website. Publishing the data on the clear web is a greater concern for victims because a wider audience beyond the infosec community can access it. Below, the cloned site is shown on the left and the victim’s original site on the right.

The tabs presented by the cloned website, when clicked, take the viewer to a page where they are able to view and download this victim’s leaked data.

Last year, the group attacked many major entities and caused significant disruptions, including Swissport in FEB2022, causing flight delays and service disruptions; the Austrian state of Carinthia in MAY2022, demanding $5 million and causing the victim to shut down nearly 3,700 administrative systems; the University of Pisa, one of the oldest universities in Europe, in JUN2022, with a demand of $4.5 million; and Suffolk County, New York, in SEP2022, targeting many of the county’s computer systems and forcing emergency 911 operators to write down call information with paper and pencil.

Cl0P

Cl0p, a ransomware group associated with Russia, uses the double extortion RaaS model and targeted over 250 organizations in 2022, placing it among the most prolific ransomware groups of last year. At the end of 2021, Cl0p’s activity decreased after six of its members were arrested; however, this did not keep the group down for long. By the end of the first quarter of 2022, Cl0p had become one of the most active groups, attacking over twenty organizations. Cl0p appears to favor the professional services, retail, manufacturing, and information technology sectors and targets mostly organizations in the U.S., Canada, Switzerland, France, and Singapore.

In December, Cl0p began inserting malware into medical records that were then sent to telehealth practices, booby-trapping the records of supposed “patients.” Cl0p infiltrated healthcare entities by sending infected files disguised as ultrasound images or other medical documents for patients receiving remote consultations. Another Cl0p tactic was to contact victims’ customers directly and threaten that their data would be leaked unless they convinced the victim to pay the ransom.

Cl0p is the successor of a group called CryptoMix and is operated by Russians. Cl0p has been observed as a payload delivered by other Russian groups, including FIN11, as well as by TrueBot malware. The ransomware evades security detection and appears to be an authentic file by using a verified, digitally signed binary. The group avoids detection and disrupts investigations by using anti-analysis and anti-virtual-machine techniques.

Hive

First observed in June 2021, Hive has become one of the most prolific ransomware groups in the double extortion RaaS ecosystem. Its operations are supported by a dedicated leak site accessible on the dark web. The group’s activity surged in 2022, attacking over a hundred entities, and it was most active in the first and third quarters of the year. The U.S. had the most double extortion victims from Hive in 2022, followed by the U.K., Spain, Brazil, and the Netherlands. The most targeted industry for this group is healthcare, followed by hospitality, telecommunications, manufacturing, and construction.

In November, CISA, the FBI, and HHS warned that Hive had exploited more than a thousand entities globally, collecting $100 million in ransom payments, and, in April, HHS warned that Hive had become exceptionally aggressive in its attacks against the healthcare sector. This warning came right after the group attacked Partnership HealthPlan of California in March, shutting down its operations. Other healthcare entities hit by Hive this year, as seen in the images below, included Baton Rouge General Hospital in Louisiana in June, Henry Regional Medical Center in September, and Lake Charles Memorial Health System (LCMH) in October, from which it stole more than 200GB of data.

Hive leveraged Golang to design its malware, and in July the group started using the Rust language in its newest version, just like BlackCat, to make it more difficult for security researchers to analyze the group’s operations. 

Conti

Conti, one of the world’s most aggressive double-extortion RaaS groups and one associated with Russia, first appeared in the summer of 2020. It took the place of Ryuk ransomware and ended its operations in the summer of 2022 in the wake of the Conti Leaks.

Although Conti has since disbanded, it accounted for about 20% of attacks in the first quarter of 2022. Conti’s dedicated leak site has been inactive since May, with the last victim posted on 25MAY2022. The leak site officially disappeared in June.

The group’s last victim was the Costa Rican government’s network in April, when it breached various government bodies and took 27 government agencies offline for an extended period of time. After the government refused to cooperate with the group and pay the demanded ransom, Conti increased its price to $20 million. The FBI referred to Conti as “the costliest strain of ransomware ever documented,” having targeted over 1,000 victims and obtained over $150 million in payouts since its inception. In its final months, the group’s targets were in North America and Europe, with manufacturing the leading victimized sector, followed by professional services, retail, transportation, and construction. The gang behind Conti ransomware is based in Russia, and the Russia-Ukraine war was a major factor in the group going offline: the group announced its full support of Russia, and this move made any financial support almost impossible, cutting off a large part of the group’s income and ultimately damaging its ability to operate.

Members have moved elsewhere and have been partnering with well-known smaller ransomware gangs, including Black Basta, BlackByte, BlackCat (ALPHV), Hive, and Karakurt.

Black Basta

Emerging in April and less than a year old, Black Basta, a RaaS group, has quickly become another of the most prolific ransomware groups of 2022. The group rose to prominence based on the frequency of its attacks in such a short period of time. In its first month of existence, it attacked a little over ten victims, prompting speculation that it was tied to a more established group. It is believed that Black Basta is connected to the Conti ransomware group. A thread on the XSS forum shows LockBit stating that Black Basta is a rebrand of Conti:

Black Basta has victimized over 150 entities, mainly targeting organizations headquartered in the U.S., the U.K., Canada, Australia, and Germany. In the second half of the year, Black Basta was the third highest ransomware group based on total victim count from its leak site at a little over a hundred victims. The group has targeted the manufacturing, construction, retail, transportation, and healthcare industries. Although a relatively new ransomware group compared to others in this list, Black Basta has shown a steady climb in attacks over the past year. 

Black Basta is a double-extortion RaaS group that also uses DDoS attacks to compel victims to pay. The group uses Qakbot malware delivered through phishing emails to gain initial access to a victim’s network before moving laterally within it. Additionally, the group has developed a Linux variant; in June it was seen targeting Linux systems used by larger companies and enterprises, putting VMware ESXi virtual machines at risk.

Black Basta has also been linked to FIN7, which has a notable track record and is known for innovating the criminal ecosystem, showing that threat actors are always trying to find ways to expand and evolve.

Interestingly, the group has not been seen advertising for recruits or calling the malware a RaaS on darknet forums, which may suggest that the group works with a close set of affiliates or deploys the ransomware through its own custom toolset.

Karakurt

Karakurt, a relatively new ransomware group that emerged in late 2021, is another one of the most prolific ransomware groups of 2022. The group has claimed around 150 victims, targeting the manufacturing, retail, construction, professional services, and healthcare industries mostly in the U.S., the U.K., Canada, Turkey, and Australia. Alongside LockBit and Black Basta, Karakurt registered the highest number of attacks in the second and third quarters of 2022. 

Unlike typical ransomware groups, Karakurt does not encrypt the data it steals; the group simply steals the data and demands a ransom, threatening to auction off the stolen data or leak it to the public if the ransom is not paid.

In June, the FBI, CISA, and other federal entities released a cybersecurity advisory on the group. Federal agencies have focused on Karakurt because it is believed to be the “data extortion arm” of the Conti ransomware group. The group’s name reflects its extortion tactics as the Karakurt spider’s bite is “very toxic and dangerous,” according to the group’s description on its dedicated leak site. 

Karakurt has created both Twitter and Telegram profiles that allow it to expand its online presence. The group not only posted recruitment information on its dedicated leak site but also on Telegram, where it claimed to be looking for disgruntled/fired employees with network access, insiders of financial services companies, pentesters and security researchers, data recovery companies, and hacktivists to join its efforts.

During the fourth quarter, Karakurt tried out new tactics on its dedicated leak site. When the group publishes a new victim, it does not disclose the victim’s name in full but partially masks it with asterisks. This invites readers to guess the victim’s name and also serves as a teasing game for entities that recognize their own hidden name. The method can compel victims to pay the ransom so that their name is not revealed; if they do not pay, the full name is published.

Conclusion

Over the past year we have seen disruptions in some of the major ransomware groups, the emergence of new groups from the old, an expansion of operations, incorporation of novel TTPs, and an evolution of systems and procedures. Ransomware groups have adopted new programming languages, switched up their targeting to impact both Windows and Linux servers, developed new methods of deployment on compromised systems, grown their leak sites to incorporate a diversity of features, expanded their compel-to-pay methods, and more. 

Ransomware continues to become highly targeted and a human driven operation functioning in a sophisticated and methodical manner. Traditional malware, which is much more predictable and automated, is no longer in use. Ransomware is now much more organized and closely resembles software-as-a-service companies.

These groups are not stopping at double extortion but are moving on to triple and quadruple extortion, making life a nightmare for their victims, while continuing to target critical infrastructure. Ransomware groups will steal sensitive information and monetize the data, some will become solely extortion groups, and they will turn toward the cloud as more companies move their assets and critical data there.

Ransomware operations will not die anytime soon, but rather these groups will continue to innovate and reinvent themselves. 

The Twelve Frauds of Christmas – Holiday Fraud https://getdarktower.com/the-twelve-frauds-of-christmas-holiday-fraud/ Sat, 24 Dec 2022 13:01:20 +0000 https://getdarktower.com/?p=592 Robin J. Pugh Have you ever received an email with a too-good-to-be-true vacation offer?  You’re right to be skeptical, but holiday or travel-related fraud is a much bigger category than just those “bargain travel” offers.  Americans reported almost 54,000 incidents of travel-related fraud to the FTC in 2021, costing over $95 million.   You’ve won an...

The post The Twelve Frauds of Christmas – Holiday Fraud appeared first on DarkTower.

Robin J. Pugh

Have you ever received an email with a too-good-to-be-true vacation offer?  You’re right to be skeptical, but holiday or travel-related fraud is a much bigger category than just those “bargain travel” offers.  Americans reported almost 54,000 incidents of travel-related fraud to the FTC in 2021, costing over $95 million.  

You’ve won an AMAZING LUXURY vacation!

If you receive an email stating that you’ve won a vacation, but you don’t recall actually entering a contest, take a moment to pause.  Typically, you’ll find that once you read the fine print, there are taxes and fees that will make the vacation you’ve “won” anything but free.  

Check the details.

When you book a package vacation, and the travel company doesn’t share specifics on the “luxury resort” or “five-star hotel”, ask for more information and get the details in writing before you book.  Oftentimes, when you arrive at the destination, you’ll find that the accommodations are more like “flea motel” than luxury resort, and that vacation that you thought was a huge bargain has now cost way more than it was worth.

Privately-owned Vacation Rentals

Fraudsters regularly post vacation properties on sites like VRBO and AirBNB and other direct-to-consumer websites.  Take a moment to thoroughly research before you book a property.  Just because it has traveler reviews doesn’t necessarily mean it’s legitimate.  Reviews can be faked or purchased, so read them thoroughly.  Does the review narrative make sense in relation to the property it’s reviewing?  Does it say “ocean view” when the property is located in the mountains?  Do several of the reviews use identical language?  Also, take a moment to look up the address on a map site like Google Maps and make sure it exists.  If the property is located in a condo facility, call the property management company and verify the status.  Make sure the site you’re booking through is a reputable booking engine and has clearly stated payment protection policies.

Both AirBnB and Vrbo say to “stay and pay on platform.”  There are many scams that involve luring the guest “off platform” such as saying that there is a problem with the property booked, but they have another option that is not on AirBnB’s platform, or that for some reason they can only accept payment by wire transfer or cashier’s check. As soon as you leave the platform, you have assumed responsibility for any fraudulent activity that happens from that point forward.

Lookalikes

Cyber criminals will stand up websites that look nearly identical to legitimate ones, so make sure when you visit the booking site for your favorite travel search engine or your favorite resort, that you’re typing the URL in the browser and validating that you’ve arrived at the legitimate site.  Clicking on links from search results or links from email advertisements can lead you to a lookalike site that will result in some major travel disappointment.  

Not only do scammers mimic legitimate travel booking sites, they also create fake sites for travel documents like visas and international driving credentials.  Many times, you can inadvertently end up on a site that will harvest your personal information, take your money and not give you the protection or credentials you were seeking.  

Additional Resources

https://www.aarp.org/money/scams-fraud/info-2019/travel.html

https://consumer.ftc.gov/articles/avoid-scams-when-you-travel

The Twelve Frauds of Christmas – Charity Fraud https://getdarktower.com/the-twelve-frauds-of-christmas-charity-fraud/ Fri, 23 Dec 2022 12:33:32 +0000 https://getdarktower.com/?p=588 Joseph Margolies With the holidays quickly approaching, the season of giving for some reigns as the season of taking for many others. One avenue used to trick victims out of their money involves scammers fronting as representatives for charitable organizations. These charity scams operate by contacting victims and asking for donations to fund their efforts...

The post The Twelve Frauds of Christmas – Charity Fraud appeared first on DarkTower.

Joseph Margolies

With the holidays quickly approaching, the season of giving for some reigns as the season of taking for many others. One avenue used to trick victims out of their money involves scammers fronting as representatives for charitable organizations. These charity scams operate by contacting victims and asking for donations to fund their efforts to combat some issue plaguing the world.

According to the FBI’s internet crime report, the total amount of losses caused by charity scams surpassed the overwhelming amount of $4.4 million in 2020. This is a drastic increase from the previous two years as 2019 saw a total loss of $2.2 million due to the fraud, and 2018 saw a loss of $1 million. With millions of victims tricked into sending their money to these scammers, it is apparent the amount of losses will certainly continue to rise.

IC3 2020 report, Last 3 Year Complaint Loss

Due to the overwhelming amount of trust given to charitable organizations, threat actors are able to easily exploit victims. Reported by the Better Business Bureau’s Wise Giving Alliance, Americans’ trust level in charities far exceeds those placed in other establishments, such as the media, or even the government. Along with abusing this ever-present trust, scammers will attempt to play on victims’ emotions by creating stories of great strife necessitating quick action. Scammers, while largely serving as representatives of fake charities, will also attempt to represent legitimate charities to seem more credible.

BBB’s Give.org trust levels of charities compared to other entities

Scammers will use phone calls, emails, and text messages to trick victims into donating. Along with these more conventional methods, social media posts and crowdfunding sites are used to reach a large amount of people. Fraudsters will typically associate their campaign with recent national tragedies or the holidays due to the large emotional connection many feel for each. 

With the recent COVID-19 pandemic, instances of charity scams drastically increased as threat actors saw the opportunity to pose as organizations, using donations to fight the outbreak. Following the trend of many other charity scams, threat actors capitalized on the masses’ fear of uncertainty to deceive and gather money from victims. 

Oftentimes, victims would receive phone calls from individuals representing a charity. This representative would ask the victim if they would like to donate any amount to fighting COVID-19 in the forms of providing personal protective equipment to lower income communities, funding vaccine efforts, and increasing the amount of Covid tests throughout America. The victim would then give their card and personal information to the representative. From this stage, the threat actor has the capability to sell the victim’s information on darknet forums, or use their information as a means to contact more people, further adding to their scamming total. 

Another recent increase in charity fraud occurred during early November, as Veterans Day neared. The Federal Trade Commission warned of scammers attempting to convince victims to donate under the guise of helping veterans throughout America. Like the COVID-19 campaigns, the charity scams surrounding Veterans Day largely took advantage of the sense of national pride and support for veterans many Americans feel during the holiday. 

These scams largely followed similar methodologies to the pandemic scams as victims received phone calls from scammers posing as representatives for a charity. Then after emotionally manipulating the victim, the scammer would ask for payment information along with personal information like their phone number, email address, and full name. 

To mitigate the effects of charity fraud, it is imperative to understand how these scams spread and take advantage of victims. The Australian Competition and Consumer Commission has provided some warning signs to look out for to best avoid being scammed. First and foremost, if the name of the charitable organization is unfamiliar, it is always best to refrain from donating. Similarly, if the representative from the charity is attempting to pressure or shame someone into giving a donation or information, this is a likely sign of a scam.

Another factor to consider is the payment method offered by the charity representative. If the representative is seeking a donation solely via cryptocurrency, it would be best to forgo donating, as this payment method is used by many scammers due to its anonymity and lack of regulation. Remember, there are many resources available to check the legitimacy of a charity, like Give.org and CharityNavigator.org.

Additional Charity Fraud Resources:

https://www.charitynavigator.org/donor-basics/protect-your-giving/avoid-charity-scams/

https://consumer.ftc.gov/features/how-donate-wisely-and-avoid-charity-scams

https://www.scamwatch.gov.au/types-of-scams/fake-charities#toc-how-this-scam-works

https://give.org

The Twelve Frauds of Christmas – Phishing https://getdarktower.com/the-twelve-frauds-of-christmas-phishing/ Thu, 22 Dec 2022 22:08:17 +0000 https://getdarktower.com/?p=584 Rushikesh Bhalekar Take a look at the image below. Can you differentiate between one Microsoft account login page and the other? Pretty tough, right? The main difference is that the first one will take you to your emails, and the second will steal your password and email. This is just one example, but to this...

The post The Twelve Frauds of Christmas – Phishing appeared first on DarkTower.

Rushikesh Bhalekar

Take a look at the image below. Can you differentiate between one Microsoft account login page and the other? Pretty tough, right? The main difference is that the first one will take you to your emails, and the second will steal your password and email. This is just one example, but to this day, attackers are becoming more sophisticated when replicating pages and impersonating trustworthy brands.

Current authentic Microsoft account login page

Microsoft account Login phishing page

This is known as Phishing. It is a type of cybercrime in which users are contacted through email, telephone, or text message by a threat actor impersonating a trustworthy entity to obtain sensitive data such as login credentials, credit card details, or personally identifiable information (PII).

Every day, people come across phishing sites developed by attackers that impersonate multiple brands to steal users’ data. These attackers copy a legitimate website’s user interface (UI) and make it look authentic. According to the 2021 IC3 Report, over $44 million was lost to various types of phishing crimes.

Netflix account login phishing page

Bank of America account login phishing page

Phishing is one of the greatest cyber threats that organizations face worldwide. Verizon’s 2022 Data Breach Investigations Report found that more than 20% of all data breaches, across different sectors, involve phishing. Attackers rely heavily on phishing, which accounts for 41% of the social engineering breaches associated with BECs.


Verizon’s 2022 Data Breach Investigations report

Meanwhile, APWG’s Phishing Activity Trends Report states that 1,270,883 phishing attacks were reported in the third quarter of 2022. Ransomware attacks have decreased compared to phishing. According to the APWG report, 23% of attacks were recorded against the financial sector, followed by software-as-a-service (SaaS) and webmail providers (17%).

The report also found that 11% of phishing attacks target social media sites, while logistics and shipping platforms account for 6% of incidents. 

Most targeted industries in Q3-2022

According to Proofpoint’s 2022 State of the Phish report, 91% of UK-based organizations faced bulk phishing attacks, and 90% of Australian-based companies were impacted by spear phishing. Spear phishing targets specific individuals or a group of people within an organization. Most often, attackers impersonate a higher authority within the organization and send text messages to employees asking for a favor.

Examples of Spear phishing

New employees of a company are often targeted by spear phishing, as they typically share their new role on platforms such as LinkedIn. Additionally, they are often eager to reply quickly to new tasks and please their managers. The spear phishing examples above targeted new employees of DarkTower, and when investigating their LinkedIn views, all of the employees who received messages had been viewed by the same profile, Anoruo James.

Fictitious LinkedIn Profile

Upon reviewing Anoruo James’ profile, it contained clearly fictitious information and also shared multiple posts recommending a product called ContactOut where you can “find anyone’s email and phone number.”  ContactOut offered up to 3 contacts for free.  

Promotions of ContactOut

Apart from spear phishing, many other phishing attacks are executed through email. The attacker registers a fake domain that imitates a genuine organization and sends thousands of messages from it. In other cases, fraudsters create a unique domain that includes a legitimate organization’s name in the URL.

Phishing Email

There are multiple ways to identify a phishing email, but generally, you should always check the sender’s email address whenever an email asks you to click a link or download an attachment.

Identifying a phishing email:

1. Check whether a public-domain email address was used to send the email.

2. Check whether it includes unexpected files or attachments.

3. Evaluate whether the email creates a sense of urgency.

4. Look for misspellings in the domain or email address, or an attached link that looks unfamiliar.
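As an added example (not code from the original post), the four checks above applied as a small Python triage script over two constructed sample emails; the organisation domain example-corp.com, the public-webmail list, and both samples are assumptions.

```python
# Added example (not code from the original post): apply the four checks above to
# constructed sample emails. ORG_DOMAIN, PUBLIC_WEBMAIL and the samples are assumptions.
import re
from email import message_from_string
from email.message import EmailMessage, Message
from email.utils import parseaddr
from typing import List, Optional

ORG_DOMAIN = "example-corp.com"  # assumption: the organisation's real domain
# Check 1: free webmail providers a business email should not originate from.
PUBLIC_WEBMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "proton.me"}
# Check 2: attachment types that rarely belong in routine business email.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".iso", ".html", ".htm", ".zip", ".lnk"}
# Check 3: phrases that manufacture urgency.
URGENCY_PATTERNS = [r"\burgent(ly)?\b", r"\bimmediately\b", r"\bright away\b",
                    r"\bwithin \d+ hours?\b", r"\bsuspend(ed)?\b", r"\bverify your\b"]
LINK_RE = re.compile(r"https?://([^/\s\"'<>]+)", re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch near-miss spellings of the real domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, brand: str = ORG_DOMAIN) -> bool:
    """Check 4: not the real domain (or a subdomain of it), yet embeds its name or is a typosquat."""
    domain = domain.lower()
    if domain == brand or domain.endswith("." + brand):
        return False
    if brand.split(".")[0] in domain:       # e.g. example-corp-secure.com
        return True
    return levenshtein(domain, brand) <= 2  # e.g. examp1e-corp.com


def _body_text(msg: Message) -> str:
    """Concatenate the decoded text parts; attachments are skipped."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html") and not part.get_filename():
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyze(raw_email: str, brand: str = ORG_DOMAIN) -> List[str]:
    """Run the four checks over one raw message; an empty list means none fired."""
    msg = message_from_string(raw_email)
    findings: List[str] = []
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    if sender_domain in PUBLIC_WEBMAIL:                       # check 1
        findings.append(f"sender uses public webmail domain {sender_domain}")
    for part in msg.walk():                                   # check 2
        name = part.get_filename()
        if name and any(name.lower().endswith(ext) for ext in RISKY_EXTENSIONS):
            findings.append(f"risky attachment {name}")
    body = _body_text(msg)
    for pattern in URGENCY_PATTERNS:                          # check 3
        if re.search(pattern, body, re.IGNORECASE):
            findings.append(f"urgency cue matched /{pattern}/")
            break
    if is_lookalike(sender_domain, brand):                    # check 4: sender address
        findings.append(f"lookalike sender domain {sender_domain}")
    for host in sorted(set(LINK_RE.findall(body))):           # check 4: link hosts
        if is_lookalike(host, brand):
            findings.append(f"lookalike link host {host}")
    return findings


def build_sample(sender: str, subject: str, body: str, attachment: Optional[str] = None) -> str:
    """Construct a raw RFC 822 message for the demo (constructed sample, not a real email)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "newhire@example-corp.com", subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"\x00placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()


PHISH_SAMPLE = build_sample(
    "CEO John Doe <john.doe.ceo@gmail.com>", "Quick favour",
    "Hi, handle this right away. Your account will be suspended within 24 hours\n"
    "unless you verify your credentials at http://example-corp-secure.com/login\n",
    attachment="invoice.zip")
BENIGN_SAMPLE = build_sample(
    "HR <hr@example-corp.com>", "Welcome aboard",
    "Welcome! The employee handbook is at https://example-corp.com/handbook.\n",
    attachment="handbook.pdf")
```

Running `analyze(PHISH_SAMPLE)` returns one finding per check, while `analyze(BENIGN_SAMPLE)` returns an empty list; the checks are heuristics for triage, not proof either way.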
