Published

4 min read

6 months in the DarkNet


When you start into Ethical Hacking, you may come from a lot of career paths. For us this meant we had never before had contact with, or experience of, the digital criminal underworld. We had a lot to learn.


Your journey into Ethical Hacking may start from a career as a BlackHat or GreyHat, seeking to leave your criminal life behind and hoping that nobody will discover your past activity. Or from a regular office job: you may have been a supervisor in a Bank for 30 years, concerned with legal documents, before transitioning into a CISO position. We did relatively boring Webhosting and Webdevelopment: a Tailor here, a local Electronics Provider, the Hair Stylist next door. On the private side, raising a child and a family in relatively unstable times. It was mostly technical interest that brought us into Hacking.

Several years into Offensive Security, we still didn’t have much contact with the Dark Side. To be honest, we didn’t want to, out of fear. Through a personal interest in True Crime - before it became famous - mainly to study Interrogation Techniques and to develop Social Engineering capabilities, we got more and more into digital contact with real crime and cybercrime.

Around November 2023 we finally started to take a deeper dive into the actual DarkNet. We probably have a different definition than that Iceberg Infographic that probably comes to your mind now: The TOR network isn’t the DarkNet.

What’s the DarkNet?

It’s basically all online services used for illegitimate actions. It doesn’t matter where they are, because currently there is no group or criminal activity that would limit itself purely to the TOR network. They may have an .onion server, but at the same time they’ll run Domains on the Clearweb, use the same services you and we do, and use Messengers like WhatsApp or Telegram. They choose their services like any legal organisation would: by the factors the group needs and the services provide.

We’ve seen quite a bit of misuse of VOIP services - legitimate services meant for Businesses. We know that most Phishing campaigns go incredibly fast: often, by the time we receive the Phishing Email, the registered Domain where the malware was hosted is already down, less than 12h after the start of the campaign.

They use all the tools out there meant for privacy or legitimate customers. We know that Discord actively cooperates with Law Enforcement, but have no clear answer for most other services, like Email & VPN provider Proton. Most companies don’t seem to talk about the fact that their services are used by Cybercriminals.

Recently, numbers showed that a great chunk of GitHub basically hosts malware.

Did You Find Anything?

Did we find anything on our journey through the DarkNet (by our definition)? Well, how could we put that so it won’t come across wrong?

We wouldn’t even know where to start. By now, we have found so many accounts, groups, repositories, more breach data than our drives could hold, tools that spit out working credentials by the second, never-ending streams of stolen Credit Cards - let me repeat that: we wouldn’t know where to start.

“It’s like you’d be talking on the phone, to an entire criminal organisation, and they tell you everything they did, non-stop. At the end of the day - literally - you basically just hang up.”
That’s all you can do. You finish your notes, you close the 30 new browser tabs, and turn on Netflix or a PC game.

We came into Cybersecurity to do Redteaming, and yeah, things like OpSec & OSINT you need to know inside out. Of course, you should know and understand your opponent. You also should be able to bypass certain security measures. Yet we don’t see it as our task to post an entire, working killchain to GitHub. We can produce it on the job.

On top: We’re not investigators - we found that, for us, this is where our responsibility ends. We could send data to the Police all day and night, or post about it. But for us, at least right now, this doesn’t feel like our duty. We’re in it for the love of Technology, to understand Hacking and be able to prevent it. We didn’t start this to run after everyone who smells phishy. Right now, we haven’t heard from any Company that they would care for us doing that. They don’t pay us to do that.

We’re paid to understand Hacking, real Hacking. We think we now do, at least a bit better.

Update: Date was set wrong initially, now corrected.