[BreachExchange] Everyone Here Is a Criminal or a Spy: How Darknet Groups Operate

Destry Winant destry at riskbasedsecurity.com
Thu Mar 26 10:21:22 EDT 2020


https://www.wsj.com/articles/everyone-here-is-a-criminal-or-a-spy-how-darknet-groups-operate-11584523800

Darknet groups where corporate employees illegally peddle inside
information come with their own sets of rules.

Stocknet, for instance, is a dark-web-hosted platform that offers an
annual membership for one bitcoin, equivalent to just over $5,300 at
the current exchange rate. Free membership is available for those who
submit information at least twice a year that would be useful to other
members. Member guidelines reviewed by WSJ Pro Cybersecurity advise
members to keep trades small to avoid detection by regulators.

“Make a nice profit with each trade and grow your wealth. Don’t bring
attention to yourself with a million dollar trade if you haven’t done
that volume before,” the guidelines say.

Stocknet also spells out what types of private corporate data members
should offer: Important news announcements that could move markets,
such as M&A deals or contract wins, for instance, must be submitted at
least three hours before being made public. Attempts to identify and
reach Stocknet operators were unsuccessful.

In more transactional groups, sellers sometimes ask for big money. A
post on a darknet group, Torum, on Jan. 8 offered access to a private
data set that it said could be used to make investment decisions.

“This data source is still unknown to institutional investors, this
explains the large edge,” the post reads. “Proof (confirmed by a 3rd
party) and metrics are available on request.”

The seller suggested that a prospective buyer had already offered
$300,000 and asked for other bids. These transactions are usually
conducted through private messages, so any final sale amount isn’t
public.

Buyers usually demand a sample of the data for sale or a demonstration
that sellers have the access they claim. Forum moderators often act as
middlemen, holding funds in escrow until delivery, for a cut.
Reputation determines access levels, and scammers are quickly cut from
groups, often becoming targets of their would-be marks.

It is clear when participants make bogus offers, said Kurtis Minder,
chief executive of cyber intelligence company GroupSense Inc. “There’s
no honor among thieves, but there is enough chatter on the darknet
about scams that you would know [a scam].”

Some groups, like Torum, simply require a minimum post count to access
restricted forums, said Kyle Hanslovan, chief executive of security
firm Huntress Labs Inc.

Other groups demand that aspirants bring something to prove their
worth, such as a list of hacked credit-card accounts or a cache of
personally identifiable information, he said. Members must contribute
regularly to stay, Mr. Minder said.

More exclusive groups might require a demonstration of hacking
prowess, such as being assigned a vulnerable server to attack, with
any data captured then disseminated to the group. In effect, Mr.
Hanslovan said, bona fides are sometimes demonstrated by committing
crimes.

This is a challenge for researchers who don’t want to break laws. The
intelligence companies that provided material to WSJ Pro Cybersecurity
said that they didn’t attain it through criminal acts.

