As we all know, the dark web is a mysterious part of the internet world, often attracting controversy, illegal activities and curiosities. It can be accessed by a TOR browser that runs against legal terms and goes against law enforcement and government oversight. In simple terms, it is home to several illegal and illicit activities, including drug trafficking, hacking and cybercrime, yet also to some legitimate and useful purposes such as activism, privacy protection and journalism.
In the previous editing, we discussed some shocking news and this month, nothing different. In this dark web digest edition of January 2024, we will see some latest trends, news and developments related to the dark web.
Let’s get started.
Cyber Attack Exposes Yakult Australia Employee Files on Dark Web
Yakult Australia, a popular probiotic company, has been targeted by a ransomware attack that has exposed its company records and sensitive employee documents, including passports, on the dark web. The company, based in Melbourne, is working with cyber incident experts to investigate the extent of the incident. All offices in Australia and New Zealand remain open and continue to operate. The group responsible for the breach is DragonForce, which has listed nearly two dozen targets that have refused to cooperate since the beginning of December. The targets range from a Texas-based family charity to commercial entities like Coca-Cola in Singapore and a South Australian-based bathroom manufacturer.
A sample of the 95 gigabytes of data leaked by ABC Investigations found company records dating back to 2001, including scans of passports and driver’s licenses, pre-employment medical assessments and certificates, salaries, and performance reviews. At least one of the passport scans belongs to a warehouse employee. In the leaked cache, the ABC has also seen Japanese passports, where Yakult’s parent company is based. A separate database also contains the names and addresses of nearly 9,000 people. It is unclear if these are customer records, but ABC has verified the accuracy of some of the names and addresses.
Yakult Australia became aware of the cyber attack on December 15, and DragonForce listed the probiotic company as one of its victims before publishing the stolen cache on Christmas Day morning. ABC Investigations has not independently verified each of DragonForce’s published leaks.
Dark Web Ads Target Booking.com Partners, Affecting Customer Security
Booking.com has been targeted by scammers for years, with hackers now posting ads on dark web forums to obtain the passwords of hotel partners. The scammers gain access to a hotel’s extranet, install malware, access passwords, and mimic IP addresses to bypass two-factor authorisation. They use the hotel partners’ login credentials to enter their Booking.com accounts and send urgent messages to customers urging them to send money to the scammers or risk losing their reservations. Booking.com acknowledges that the hackers are not gaining access to Booking.com’s backend systems but acknowledges that the scammers have broken into hotel partners’ accounts.
The hackers then communicate with Booking.com customers/hotel guests, urging them to send money to the fraudsters. The hackers then message customers from the official app and can trick people into paying money to them instead of the hotel. Booking.com has been unable to make the problem disappear, and the company has been working diligently to support its partners in securing their systems and helping potential customers recover lost funds. The company has been publishing best practices for avoiding these scams and is working to help customers recoup lost funds.
German Authorities Dismantle Global Dark Web Hub ‘Kingdom Market’
German law enforcement has disrupted the dark web platform called Kingdom Market, which specializes in selling narcotics and malware to thousands of users. The operation, which involved collaboration from the U.S., Switzerland, Moldova, and Ukraine authorities, began on December 16, 2023. Kingdom Market has been accessible over the TOR and Invisible Internet Project (I2P) anonymisation networks since March 2021, trafficking illegal narcotics, advertising malware, criminal services, and forged documents. As many as 42,000 products were sold via several hundred seller accounts on the platform before its takedown, with 3,600 originating from Germany. Transactions were facilitated through cryptocurrency payments, with the website operators receiving a 3% commission for processing the sales of illicit goods. The operators of ‘Kingdom Market’ are suspected of commercially operating a criminal trading platform and of illicit trafficking in narcotics. In addition, one person connected to the running of Kingdom Market has been charged in the U.S. with identity theft and money laundering.
GTA 5 Source Code Leaked Online One Year After Rockstar Hack
The source code for Grand Theft Auto 5 was leaked on Christmas Eve, a year after the Lapsus$ hacking group hacked Rockstar Games and stole corporate data. The hackers claimed to have stolen the GTA 5 and GTA 6 source code and assets, including a GTA 6 testing build. They also shared GTA 5 source code samples as proof of their theft.
Security research group vx-underground spoke to the leaker on Discord, who said the source code was leaked sooner than expected. They claimed to have received the source code in August 2023, motivated by combating scamming in the GTA V modding scene. BleepingComputer reviewed the leak, which appears to be legitimate GTA 5 source code, but could not independently verify its authenticity.
The Lapsus$ hackers are known for their skills in performing social engineering and SIM-swapping attacks to breach corporate networks. They have hacked companies such as Uber, Microsoft, Rockstar Games, Okta, Nvidia, Mercado Libre, T-Mobile, Ubisoft, Vodafone, and Samsung. Their success led the Department of Homeland Security (DHS) Cyber Safety Review Board to analyze their tactics and share recommendations for preventing similar attacks in the future.
While the Lapsus$ group has not been very active since members were arrested, some members are now believed to be active in the loose-knit hacking collective known as Scattered Spider. Scattered Spider shares similar tactics to Lapsus$, utilizing social engineering, phishing, MFA fatigue, and SIM-swapping attacks to gain initial network access to large organizations.
Health Data Breach Sparks Extortion Threats
A cyberattack on Integris Health, Oklahoma’s largest not-for-profit health network, compromised the personal information of two million patients. The breach was confirmed on November 28, 2023, and extortion emails were sent to patients threatening to sell their stolen data to other threat actors. The emails contained links to a dark web page where stolen data, including names, Social Security numbers, dates of birth, and hospital visits, was listed for about 4,674,000 people. The hackers who claimed responsibility for the cyberattack began sending the extortion emails on December 24. The emails claim to include dates of birth, Social Security numbers, addresses, phone numbers, insurance information, and employment details. The hackers threaten to sell the stolen data of those who do not pay the $50 deletion fee by January 5, 2024.
The cyberattack on Integris Health is similar to those used in the attack on Fred Hutchinson Cancer Center, where patients were subjected to similar extortion emails. Integris Health advised patients not to reply to the hackers or follow any instructions found in the extortion emails. A PDF containing frequently asked questions about the incident can be found at the bottom of the page. Affected patients are advised to stay alert and take necessary safety measures to reduce risks related to the compromised data.
Enhancing Cyber Security in Greece Amidst Frequent Attacks
The recent cyber-attacks targeting public bodies in Greece have highlighted a weakness in security, which the government of Prime Minister Kyriakos Mitsotakis plans to address with new legislation to create a National Cybersecurity Authority. The bill is about to be submitted for public consultation. Criminal groups prefer certain infrastructures in public sector services in Greece, possibly due to unpreparedness or laxity in taking protection measures.
According to CheckPoint Research, the number of cyber-attacks globally jumped 38% between 2021 and 2022. In the last six months, the top six targets in Greece were healthcare, retail/wholesale, finance/banking, manufacturing, and transportation. HPPC suffered a DDoS attack on November 8 but said it had not detected any data breaches; hacker group Ragnar Locker took responsibility for the attack on DESFA in August last year and posted 361 gigabytes of DESFA data on the dark web; the Greek postal service announced it had been hit in December 2022, nine months after the actual attack.
An organized security system is crucial, as achieving security is a long-term effort and not only a technical problem. A major problem is that when an organization is attacked, it does not provide all the necessary information in time. The Hellenic Data Protection Authority (DPA) has not issued any fines for personal data breaches following cyber-attacks.
Greece’s left-wing opposition party SYRIZA has accused the government of “inaction on the critical issue of cyber-security,” but Mavridis said cybercriminals are always ahead of everyone else. The point is not to be too far behind, as criminals constantly develop new ideas and attacks.
Currently, the fight against cyber-attacks in Greece is the responsibility of several different organizations. The military’s Cyber Defence Directorate protects the internet infrastructure of the Greek armed forces, the Cyber Security Operations Centre of the intelligence services protects the state’s digital infrastructure, and the police’s Cyber Crime Division handles online crime.
The legal framework, though complex, looks sufficient to prevent and fight cyber-attacks. However, the reality lags, with low awareness and education levels and no serious investment by companies in protecting their systems and compliance with the requirements of the existing legal framework. Greek experts suggest that the best way to deal with cyber-attacks is through prevention, detection, reaction, and sharing of information, as well as specialized cyber security personnel and heightened security awareness.
Vitoratos called for a strong National Cybersecurity Authority that can monitor the implementation of Greece’s National Cybersecurity Strategy and the compliance of actors while also being transparent and open with the public and civil society.
Rising Dark Web Sales of Stolen Data Prompt Cybersecurity Warning
CyberSecurity Malaysia has warned of a significant rise in data breach incidents from January to November this year, with stolen data being sold on the dark web. The increase includes Personally Identifiable Information (PII), including full names, permanent addresses, household income, identification numbers, email addresses, or phone numbers of victims.
CyberSecurity Malaysia emphasizes the importance of protecting personal and sensitive data, as it safeguards privacy, individuals, and business reputation. The company also urges organizations to be responsible for preventing such incidents and handling data exposure incidents appropriately.
Individual Selling Fentanyl Online Receives Life Sentence for 29 Overdose Deaths, Including 2 in Oregon
A Pennsylvania man, Henry Konah Koffie, was sentenced to life in federal prison for selling fentanyl online, which prosecutors say caused the overdose deaths of at least 29 people. Koffie, 38, sold a synthetic drug called furanyl fentanyl, a synthetic drug with no medical use. Between September 2015 and his arrest outside Philadelphia in July 2017, Koffie made 7,849 separate transactions, selling the drug in all 50 states. In Oregon, law enforcement linked Koffie to three overdoses, two of which ended in death. In March, a jury in Portland convicted Koffie on several felonies, including two counts of distribution of a controlled substance resulting in the death of an adult.
Koffie received fentanyl in the mail from suppliers in China, then advertised on AlphaBay, a former dark web site, and shipped the drugs through the mail to customers across the country. Investigators linked Koffie’s sales with overdose deaths in at least 15 states, including Idaho, Texas, Florida, Hawaii, California, New York, Minnesota, and Ohio. Scott Kerin, an assistant U.S. Attorney who prosecuted the case, called the drug Koffie was selling poison.
Koffie’s defense attorney asked Mosman not to sentence him to life in prison, stating that life is redeemable. Mosman acknowledged that it is a rare case that warrants a life sentence, as the callousness and cruelty with which a defendant commits a crime that kills others merits the highest sentence.
