Darknet researcher: they said they’ll come and kill me - interview

While the darknet offers refuge to criminals of every creed, good guys are lurking in the shadows, too. Providing insights from the dark, however, is anything but safe.

Cybercriminals are the next generation of robbers. While gold and cash-filled vaults were transported by train, thieves followed. Now money is digital, and so are criminals. Whereas outlaws of the past tried to avoid lawmen by flocking to sketchy taverns, 21st-century thugs hide under the cover of the darknet.

Hardly traceable and hidden from public view, the darknet is a perfect place to build shady connections. An ample supply of criminal forums guarantees steady access to willing accomplices, new extortion techniques, and fellow crooks. Little do they know, however, there are imposters among them. The good kind, who gather intelligence about the schemes on the dark side of the digital world.

The task is neither easy nor safe. Even the slightest whiff of suspicion can raise alarms, and losing access to a valuable forum is only the tip of the iceberg of the problems a revealed identity can cause a darknet researcher. For that very reason, we agreed not to disclose any personal details of the researcher from DarkOwl, a darknet data provider and intelligence company, who agreed to talk with us.

"I was trying to figure out where they were operating, who they were involved with, what groups they were involved in, and I became a target. They turned on me and said, we will find whoever wrote this and come kill them," the researcher told CyberNews.

Peering deep into the darknet has its benefits. Once access to your company's network is advertised on criminal forums, it's best to act fast: by the time a ransomware cartel has bought that access, it might already be too late to prevent a breach.
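What "acting fast" looks like in practice is matching forum listings against your own assets before anyone else buys the access. The following is an added example, not DarkOwl's tooling or anything described in the interview: it triages constructed access-broker listings against a hypothetical organisation's inventory (the domains, the 203.0.113.0/24 documentation range, the company name and the access-type weights are all assumptions made for illustration) and ranks the hits so the listing that mentions domain admin and VPN access surfaces first.

```python
"""Triage of darknet access-broker listings against an asset inventory.

Added example for this article. The inventory, the weights and the
listing texts below are constructed for illustration and are not real
forum posts or any vendor's product logic.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed inventory for a hypothetical "Example Corp" (assumption).
ORG_DOMAINS = {"example.com", "corp.example.net"}
ORG_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # TEST-NET-3 documentation range
ORG_NAMES = {"example corp"}

# Access types brokers typically advertise, highest impact first.
# The weights are an editorial assumption, not taken from the interview.
ACCESS_WEIGHTS = {
    "domain admin": 100,
    "vpn": 60,
    "rdp": 50,
    "citrix": 50,
    "webshell": 40,
    "credential": 20,
}

DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class Match:
    listing_id: str
    indicators: list = field(default_factory=list)
    access: list = field(default_factory=list)
    score: int = 0


def extract_indicators(text):
    """Pull candidate domains and syntactically valid IPv4 addresses out of a listing."""
    domains = {d.lower() for d in DOMAIN_RE.findall(text)}
    ips = set()
    for cand in IPV4_RE.findall(text):
        try:
            ips.add(ipaddress.ip_address(cand))
        except ValueError:  # e.g. 999.1.1.1 matches the regex but is not an address
            continue
    return domains, ips


def asset_hits(domains, ips, text):
    """Return the indicators in a listing that belong to our inventory."""
    hits = []
    for d in domains:
        # exact org domains and any of their subdomains
        if any(d == od or d.endswith("." + od) for od in ORG_DOMAINS):
            hits.append(d)
    for ip in ips:
        if any(ip in net for net in ORG_NETWORKS):
            hits.append(str(ip))
    lower = text.lower()
    hits.extend(n for n in ORG_NAMES if n in lower)
    return hits


def triage(listings):
    """Rank listings that name one of our assets; listings with no hit are dropped."""
    out = []
    for lid, text in listings:
        domains, ips = extract_indicators(text)
        hits = asset_hits(domains, ips, text)
        if not hits:
            continue
        lower = text.lower()
        access = [k for k in ACCESS_WEIGHTS if k in lower]
        score = sum(ACCESS_WEIGHTS[k] for k in access) + 10 * len(hits)
        out.append(Match(lid, hits, access, score))
    out.sort(key=lambda m: m.score, reverse=True)
    return out


# Constructed sample listings (not real posts).
SAMPLE_LISTINGS = [
    ("post-1", "Selling RDP + domain admin, US manufacturer, vpn.corp.example.net, revenue 500M, price 8k"),
    ("post-2", "Fresh webshell on 203.0.113.45, small shop, 300$"),
    ("post-3", "Combolist 50k credential pairs, mixed EU, 100$"),
    ("post-4", "Citrix access, Example Corp, 2k hosts, start 3000"),
]

if __name__ == "__main__":
    for m in triage(SAMPLE_LISTINGS):
        print(f"{m.listing_id}: score={m.score} access={m.access} indicators={m.indicators}")
```

The substring matching on access keywords is deliberately loose; in a real pipeline the inventory and the keyword list would come from an asset database and be tuned against false positives, and a high-scoring hit would open an incident rather than just print a line.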

According to our interlocutor, it's never been so easy to be a cybercriminal. Long gone are the days when cipher specialists were the only ones designing ransomware lockers. Lack of scruples, a criminal mind, and a few hundred bucks is all it takes to attempt a career in the cyber Wild West.

We got on a call to talk about the support system cybercriminals have developed over the years, misconceptions about hackers, and what we should make of it all.

Before the conversation, we agreed not to mention your name or any other identifiers. Why is that? What kind of dangers does your work involve?

In our line of work, anonymity is priceless. No one knows who anyone is in real life and everyone is hidden by aliases and proxies. I don't want to draw attention to myself, both out there and in the real world. I became more serious about it a few years ago when I was actively pursuing several criminal threat actors and groups that were fairly deep in this space.

There was one specific criminal actor I was going after, trying to figure out where they were operating, who they were involved with, what groups they were affiliated with. I became a target. They turned on me and said, we will find whoever wrote this and come kill them. We will destroy them.

At first, I didn't take this too seriously, but a close and well-connected friend of mine told me that the guy who was writing this was serious, that he's unstable and obsessed with discovering my identity. My friend recommended I change my physical location and move my family.

I suddenly realized this was serious and I have kids to think about, and to protect. That experience made me very conscious about the severity of the environment we work in. We're sort of in the Wild West territory here, and it’s hard to distinguish what is real or make-believe.

That sounds very ominous. I mean, the threat of physical harm must be very distressing.

It is mentally draining. And while most users probably would never act on it, there are plenty of psychologically unstable individuals in the darknet too. It becomes a game, like trolling, an obsession where one person seriously aims to destroy another person.

Let's change gears to insights your career awards you with. Recently, there's been a lot of talk about the darknet ecosystem that supports cyber cartels. Being someone with a direct eye in the heart of darkness, do you think the ecosystem is as important as it's portrayed?

Yes, it's critical. Look at ransomware as a service (RaaS). First and second-generation ransomware lockers were developed by incredibly smart malware developers, cryptologists, and encryption specialists. Those who designed and employed such software were some of the most sophisticated malware developers or “elite” hackers around if you want to label them that.

But with the RaaS affiliate model, they're giving others the chance to “rent” ransomware for as little as a few hundred bucks a year, depending on which strain they're using. Anyone interested in getting into the business of ransomware can enter the market without necessarily having any prior or expert knowledge of how to conduct an enterprise-level attack against a network.

Some of the gangs, like LockBit 2.0, are nearly entirely automated, and their affiliates don't need to have the slightest clue what they're doing. You just push, plug, and play. Identify the victim, drop it onto the network, and the rest is taken care of.

Another aspect of the ecosystem is network access. The ransomware locks down the network but doesn't give the affiliate direct access. The largest ecosystem running alongside RaaS is called IABs, or initial access brokers. These brokers facilitate breaching the network, either through a network vulnerability or a leaked credential that gives access to a server. It could be as simple as an open server, or port, or admin account.

RaaS affiliates don’t always know someone who works at a company they want to hack into. That's why they need IABs. Some RaaS groups are recruiting employees from their victim networks, like insider threats. There's also a network of consultants that provide support with victim negotiation and coordinate the victims’ payments.

Also, many of these darknet criminals aren't exactly the most socially aware people. They don't necessarily know how to interact with people outside of their world. Half of them are not native English speakers. They even hire consultants who are customer service representative types to interact with the high value victims to get them to pay as much ransom as possible and close the deal.

I recently looked into this research that implied that some people within the ecosystem are not entirely aware that they're helping criminal gangs. What's your take on it? Do you think it's possible people don't know what they're putting themselves into?

There's a small slice of the darknet population who are ultra-super-smart users. These types eat, breathe, and sleep tech of any kind. They are passionate about building the code and solving puzzles. I have interacted with them, and they're beyond gifted.

They're some of the most intelligent people that I've ever encountered. In that intelligence, they are also slightly naïve and oblivious to the possibility anything they build would be used criminally.

But most people who are on darknet forums, writing malware and interacting with these players, are not dumb. They know that either you're law enforcement or you're a criminal. And they are acutely aware that the service or information they give will be used for some criminal activity or for taking down a criminal operation.

There were some attempts to curb the ecosystem. After the Colonial Pipeline and JBS hacks, some forums banned discussing ransomware. Did you notice that the ban materialized somehow?

Yes, to a degree. Posts from RaaS groups, who used to advertise that they have a new ransomware strain and are looking for partners and targets, have disappeared. But that doesn't stop the conversations from happening. You just need to know what the language is now.

I'm not talking about a spoken language, but code. Yes, the information is being censored to some degree, but that does not mean that the discussions are not happening. Criminal groups have also migrated to Telegram and other sources. Other venues for these conversations aren't necessarily as heavily moderated or have such a high law enforcement presence.

There's a lot of mysticism surrounding ransomware cartels and cybercrime in general. Do you notice some misconceptions the general population tends to have about cybercriminals?

The most recurring misconception is a dim room full of hooded hackers in front of monitors with black screens and green text. That's just not happening. With ransomware, it is literally plug-and-play sort of stuff. They're running these scripts on Windows and with GUIs. It's not as cool-looking as the Matrix.

The other side is that some people would like to think the attacks are random, made purely for financial gain. And we got this level of fear created in us, making us question whether we're next. But in reality, the attacks are more targeted, especially ones like Colonial and Kaseya.

Of course, many affiliates just want to exploit victims, capitalize on the opportunity, hit as many targets as they can, and get as much crypto as they can and then disappear. But there is a small section that is of bigger concern.

I think the U.S. government, the intelligence community, the international law enforcement community are concerned about what's the bigger play here. What is the bigger story here that we're missing? Is it espionage? Is it control of infrastructure? Where is this all headed next? That's one of the misconceptions, too, because people often think that it's completely random when it’s actually not.

Where do you think this is all headed? Maybe major attacks are meant to project power and make people scared.

Some of these darknet threat actors simply get off on the power. They like to be feared and they also like quick money. There are plenty of criminals in the darknet that have that simple of a motivation.

But there's another component of it, especially with the larger groups, operating at a level of sophistication consistent with nation-states. They're working at a level of sophistication that suggests a bigger master they're serving than simply money.

If you lay out all the different active RaaS groups right now, you can separate amateurs from those who have an operation and an agenda related to more significant targets, like critical infrastructure. It is likely espionage and cyber terrorism. It is something way bigger than anything that you guys have even wrapped your head around.
