In Cybersecurity, not only one of the main goals is to protect a business or corporation from an attack, but if in the unfortunate chance that it were to happen, the other main objective is to also try to track down that individual(s) or even hacking group and bring them to justice.  But as we all know, the latter can be a very difficult proposition, as many of the Cyberattackers and hacking groups exist in foreign countries (such as China, North Korea, Russia, etc.).

It is one thing to find out who is responsible for a Cyberattack, but then it is another to get them tried under a court of law here in the United States, as a lot depends upon the extradition agreements that we have with other countries worldwide.  This can take a very long time to accomplish, if not months, then possibly years. 

But there is another way in which potential Cyberattackers can be tracked down in their footsteps before they even launch an attack.  This involves going deep into the abysses of what is known as the “Dark Web”. Essentially, this is part of the Internet that is not publicly available and can only be accessed through special means. 

In fact, I think last year, I wrote a three-part blog series on this (you can search for it), and there will be a chapter devoted to this in my new Web applications security book.

The Dark Web is very often considered to be the “underworld” of the Internet, where high level criminal activity and Cyberattackers find their home at.  Although I am far from an expert on it, I don’t think it is quite as bad as people say it is, but of course, a lot depends upon the protective measures that you take, and where you surf at in the Dark Web.  So how can one find these potential Cyberattackers?

According to an organization called “Recorded Futures”, simply tracking the frequency of posts in the underground forums is very often a pretty good indicator of whom (or which group) is bent upon engaging in some sort of criminal activity.  This is based upon the new report that was just published, entitled “Bestsellers In The Underground Economy”.  This study was conducted over a one-year time span, from May 2018 to May 2019. 

It was discovered that out of the almost 4 million posts that were up on the various forums in the Dark Web, most of them dealt with questions and answers about Ransomware, Cryptojacking, and Trojan Horses.  The next grouping of sought-after topics where those that dealt with Web Shells, Remote Access Trojans, Adware, Viruses, Exploit Kits and Root Kits.

This report even closely examined which specific Ransomware names were the most asked about by the people and groups visiting these online forums.  The top ones are as follows:

*njRAT (this is a Remote Access Trojan);

*Predator the Thief (this is a PPI theft mechanism);

*Spynote (this is a Remote Access Trojan);

*AZORult (this is a PPI theft mechanism);

*NLBrute (this is a Brute-Force attack tool);

*GrandCrab (this is a Ransomware);

*XRumer (this is a Phishing mechanism);

*DarkComet (this is a Remote Access Trojan);

*Imminent Monitor (this is a Remote Access Trojan);

*WarZone (this is a Remote Access Trojan).

As one can see from this list, it appears that the Remote Access Trojan Horses is the most favored topic on the Dark Web forums.  Just like Phishing, Trojan Horses are one of the oldest forms of Cyberattack vehicles, but there are many new variants of it that are coming out virtually every day, making it that much more difficult to stay ahead of.

It is also important to keep in mind that not all of the forums found on the Dark Web are in English – many of them are in other foreign languages as well, and it is quite likely that a potential Cyberattacker might even ask the same question (or even answer a question) in multiple languages.  In this regard, the hot topic discussed was about the availability and utilization of what are known as “Dual Use Tools”.  This simply means that a Cybersecurity tool is legitimate, but it can be reversed engineered for nefarious purposes as well.

The above is a prime indicator that the potential Cyberattacker is not interested in creating new threat vehicles; rather, they are far more interested in using tools that are already in existence.  Examples of this include the MinerGate cryptominer as well as the Imminent Monitor.  This report also discovered that there are 61 malware categories and 101,124 malware names that were found on the Dark Web during the time period of study.

My Thoughts On This

As for myself, I have never penetrated the Dark Web, but will probably do so in the coming months, once all of my safety mechanisms are in place (for instance, this involves getting the TOR web browser, a Virtual Private Network, a dedicated computer for surfing the Dark Web, etc.). 

But keep in mind that law enforcement officials are lurking down there as well, ready to nab anybody who engages in illegal activity.  Keep in mind that simply going into the Dark Web is not a criminal activity per se but buying something can be illegal.

That is why it is best never to purchase anything from the Dark Web, and to keep visits to it short, say under 30 minutes.  If you ever find yourself going into the Dark Web and you must purchase something, always do so with a virtual currency (such as Bitcoins) and not with your credit card. 

With regards to law enforcement, I am sure that they are already keeping their eyes and ears on those individuals or groups that are posting on the forums on a frequent basis.  It’s just that these are probably covert operations, and because of that, they don’t make the news.  But as mentioned, just making note and observing this frequency can lead a trained expert to build a profile on a potential Cyberattacker or hacking group.

After all, why would an individual or groups of people be always asking and answering questions on the Dark Web?  Obviously its not for educational purposes, there is some criminal motivation behind it.  As mentioned, United States federal law enforcement simply can’t go into these countries and question these individuals or groups about their motivation to be on the Dark web forums all the time.  So, what can be done?

Well, this is where intelligence sharing can come into play.  In this aspect, it is very important for the United States government and the Cybersecurity industry to forge strong alliances and relationships with the other governments around the world, so that they can do the questioning once we give them the intel.  That way, a Cyberattack could be potentially stopped before it causes any damage or harm.

But creating these kinds of relationships can take a long time to foster, as the government in the reciprocating country must be motivated to act with a sense of urgency on this intel as soon as they get it.

Finally, the report can be downloaded at this link: