Customer portal

The Dark Web

Opinion, The Dark Web

Hacking your lawyer: Why Legal Firms need Cyber Threat Intelligence

Data breaches are not good for anyone (excluding the cyber criminals), but breaches are particularly bad for industries that handle sensitive information. Unfortunately companies that often handle sensitive data typically do not take their security threats seriously. The pharmaceutical and medical sectors saw a 20% increase in cyber attacks in 2021, costing them, on average, $45,000 per hour of downtime. 

The medical industry is not the only industry handling sensitive data. Legal firms hold a tremendous amount of personal data on, not only clients, but also anyone involved in their respective cases.

For threat actors, legal firms hold a treasure trove of data that they can use for criminal activities such as, financial fraud, extortion, or even just crude doxxing. 

Unlike hospitals and pharmaceutical companies legal firms typically are not held to the same security and data privacy standards and regulations. In the United States acts like HIPAA and GLBA require any company that handles certain information to abide by set security standards. But, regardless of the law, a data breach looks good for no one. 

Defensive security measures like proper data storage and encryption are a must for any legal firm, but these measures can only go so far. In order to take your security to the next level proactive measures are needed.

Luckily for us, threat actors are often very open about their upcoming or ongoing attacks. Hackers will post on dark web forums or even in public chat rooms. 

Publicly posted data leak of a New York legal firm 

Collecting and aggregating this information can be difficult for a small legal firm with less resources. This is where SOS Intelligence comes in. SOS Intelligence can offer your legal firm – small or large – tools to bolster your proactive security measures. 

Due to the nature of established and emerging threat actors, defensive measures like proper data encryption and storage is not enough. Threat actors will always be able to find a way around these defences.

Whether it involves paying an insider for access to your network or exploiting a n-day vulnerability in your VPN software, SOS cyber threat intelligence will be able to provide insider intelligence not found anywhere else. 

Our Dark Web monitoring tool can be utilised for searching for hackers discussing your company. You can quickly build a profile on threat actors targeting your firm then proactively adapt your defensive measures to compensate. 

Getting a sense for threat actors targeting your firm will do wonders for both your cyber defence and – in the case of a breach – can assist incident response. SOS Intelligence offers tools that can actively pull information from common dark web forums and chat rooms. 

Our tools can also grab messages from closed source forums and chats. Dark web monitoring will be able to offer a different perspective than the hundreds of various defensive tools. The SOS Intelligence toolkit will allow you to see through the eyes of a hacker. It’s time to take your security to the next level, try out the SOS toolkit today.

If you are a legal firm who would like some advice on what you need to be doing plus a demo of how we can help you, then click here now to book some time with Amir, our founder. We promise this is something you won’t regret.

Photo by Tingey Injury Law Firm on Unsplash

Ransomware, The Dark Web

Keeping track of the CL0P ransomware group

We’ve been featured again over on ITPro. This time it’s about the latest CL0P ransomware group and the news that they have been busy compromising Swire Pacific Offshore (SPO). They announced it had fallen victim to a cyber attack with “some confidential proprietary commercial information” along with personal information believed to be stolen.

ITPro. article

Sadly, this is an all to common occurrence and one which is increasing in frequency.

If you are concerned about your cyber security and need to monitor the Dark Web, then please schedule a demo. The best 30 minutes you’ve ever spent cold possibly be a slight exaggeration, but you never know!

You can also follow us on Twitter – @sosintel

Photo by Oxa Roxa on Unsplash.

Opinion, The Dark Web, Tips

An investigation into SS7 Exploitation Services on the Dark Web

In this latest investigative article we will be taking a look at alleged SS7 exploitation services on the Dark Web and diving into their credibility using our SOS Intelligence analytics toolkit.

If you don’t want to miss the latest post, then please sign up to our newsletter here.

SS7 Significance &  Background

Signalling System 7 is a telecommunications protocol adopted internationally that defines how the network elements in a public switched telephone network (PSTN) exchange information and control signals.

The signalling transport (SIGTRAN) protocols proved interoperability of SS7 signalling to operate over IP based networks. This enables PSTN services to operate analogue telephone systems and modern IP network equipment. SIGTRAN uses its own Stream Control Transmission Protocol (SCTP) as opposed to TCP or UDP (Transmission Control Protocol or User Datagram Protocol)

With the flexibility of SIGTRAN operating over IP this has given rise to the commoditisation of SS7 access through SS7 gateways, that bridge TCP based service such as VoIP, SMS gateways etc. providing interconnectivity through to SS7 Link providers. 

SS7 offers the following key services (but not limited to):

  • Call set up, routing and tear-down
  • Caller ID
  • SMS
  • Mobile phone roaming and tracking
  • Call forwarding 
  • Voicemail and call waiting 
  • Conference calling

The primary security defence of a SS7 network is that it is a closed system, no real message integrity or security exists and therefore messages transmitted across the SS7 network are easily intercepted or forged. End users, even SMS gateway providers do not have access to it.

However, given the feature rich tooling of SS7 it is ripe for abuse and a target for not only government run intelligence agencies but also organised crime groups that operate partly or wholly in the cyber domain, therefore access to SS7 is a sought after wildcard for any criminally minded hacker.

SS7 enabled crime and abuse

There are a number of significant abuses of SS7 that are possible with a compromised gateway or with clandestine access to a SS7 network.

We will discuss some of the SS7 enabled abuses as an overview. Please read on!

SMS 2FA Interception

SS7 plays a part in the transportation of SMS messages. An attacker may be able to register a victims MSISDN (mobile number) on a fake MSC (Mobile Switching Centre), the victims operator’s HLR (Home Location Register) that works as a kind of telephone directory for MSISDNs, operators and SMS service centres (SMSC) will set the new location for the Victim’s MSISDN.

When, for this example the victims Bank sends them a 2FA authentication token the MSC transfers the SMS to the SMSC the real MSMSC asks the victims opeartor’s HLR for the victims location, the HLR replies with the attacker operated MSC. The real operator’s SMSC transfers the SMS to the fake MSC operated by the attack.

Therefore the attacker is able to obtain the original 2FA token and respond to the victim’s Bank authentication prompt.

Call Intercept 

Likewise a similar attack is possible with Call interception where an attacker can using the first part of the spoofing process redirect a victims call to a VoIP provider or their own IP-PBX (for example Asterisk) and handle the call much like any VoIP call.

This attack can also surface in other ways, such as WhatsApp and other ‘end to end’ encrypted messaging services where the attack may be able to redirect WhatsApp enrolment to another device and intercept, by redirecting messages to their own attacker controlled phone.  

SMS Spoofing

By far the simplest of attacks and an attack that doesn’t require direct SS7 access is the spoofing of SMS messages to a sender. Most are unaware that the “from” part of a SMS message has no authentication and can easily be spoofed, in fact the SMS sender can put any alpha numeric word in the “from” of an SMS message. 

SMS spoofing attacks can be easily and cheaply performed by obtaining access to an SMS gateway service (on the clear web). Nearly all of the ones that SOS Intelligence were able to asses appeared to have no abuse monitoring or prevention. It is therefore possible to very easily and cheaply (in some cases for free) send a spoofed message much like a phishing email to a victim and prompt a call to action. 

Location Tracking

There are a number of free or paid for clear web services that allow some basic HLR lookup services, none of these services necessary provide an exact location fix of a Mobile Subscriber however they do in part allow some one to see if a MSISDN is roaming, assigned to its home operator, active or deactivated. 

Within the SS7 network of a network operator it may be possible to request the LAC (Location Area Code) and Cell ID and with that information get a reasonably good location for a victim. However, this may require the prior knowledge of the subscribers IMEI (International Equipment Identity) or and IMSI (International Mobile Subscriber Identity) – A MSISDN alone may not be sufficent to be able to query this information. However, a LHR lookup may provide an attacker with an IMSI.

It understood that it is fairly common and universal for an operator to provide specific LAC/CID, information to a GSM MAP (Mobile Application Part) message where an attack could send a “provideSubscriberinfo” message asking for the subscribers location and spoofing a SMSC. The LAC, CID and other information can then be looked online for example using Ofcoms website or service such as cell mapper. tower locator

It may be possible to automate the process of mapping LAC/CID [along with MCC&MNC information] to a geographic location such as with joining together of services provided by for example. 

Availability and Legitimacy of SS7 hacking services on the Dark Web

With the initial introduction to SS7 background and the significance of hacking SS7 out of the way lets start by taking a look into what SS7 hacking or exploitation services are available on the Dark Web. 

If we start off with using our DARKSEARCH too and searching for SS7 in page titles across the last year of our index we see some 84 unique onion domains. 

SS7 Title Search

Narrowing down on only onions that we’ve seen to be up recently further reduces our results to a manageable amount.

Key providers of alleged SS7 exploitation services

It would appear that there are a few main key providers of alleged SS7 exploitation services. 

1) SS7 Exploiter 




Services Offered:

  • Get Location 
  • DoS subscriber 
  • Intercept calls 
  •  Intercept SMS 
  • Spoof call/SMS 
  • Manage subscription 
  • Voicemail settings 
  • Upload SIM toolkit 

2) SS7 ONLINE Exploiter


 Services Offered:

  • Get Location 
  • DoS subscriber 
  • Intercept calls 
  • Intercept SMS 
  • Spoof call/SMS 
  • Manage subscription 
  • Voicemail settings 
  • Upload SIM toolkit

3) SS7 Hack



Services Offered:

  • SMS Intercept
  • Call Intercept and Redirect
  • Location Tracking

Services appear to be offered on time bases (1 day, 7 days, 30 days)

SS7 Hack

All onions associated with this provider appear to be offline at time of writing. All information of this service is gained from the historic SOS Intelligence Dark Web index.

4) Dark Fox Market



Services Offered:

  • SS7 Bypass 2FA (SMS Intercept)
  • SS7 Call Intercept 
  • SS7 Location Tracker

Lets dig into these and see what we can find. 

Looking at the “SS7 Exploiter Dashboard” service 

 SS7 Exploiter Dashboard

The oldest reference we have in our index, from June 6th 2020, we see that the HTML source of that page appears to have been Mirrored using HTTrack (A common website mirroring tool used by ‘419’ Advance Fee Fraud scammers) on the 14th of May 2019 mirroring another domain, xpll5hy2owj4zj22.onion 

  HTTrack Mirror of xpll5hy2owj4zj22

and likewise the other domain for the SS7 Exploiter Service: 64n64bh345yszlrp3diytow33gxzriofaii72lsiiq4uh4laqgddvyad.onion 

Appears also to have been a copy of xpll5hy2owj4zj22.onion 

This then leaves the SS7 ONLINE Exploiter an almost identical looking website, as the SS7 Exploiter Service but without the Demo Video 

 We see that this page has a contact email address of “[email protected]

But these pages have no HTTrack comments in them, suggesting that they may be the original pages and that the “SS7 Exploiter – Dashboard” are copies.

SS7 Exploiter Dashboard

We can use our dark web email search API to locate any reference to that email address across the dark web

So far we only see one result.

Email Dark Web Search API

It would appear that the “SS7 ONLINE Exploiter” services came after SS7 the cloned “SS7 Exploiter” and may in fact just be clones of a clone with the HTTrack parts stripped out and  demo video link removed and with the contact email address added.

SOS Intelligence DARKMAP tool

Using our DARKMAP tool we see the xpll5hy2jlze25w2.onion website on the very edges of the Dark Web with no known links in or out.

 Dark Map location of  xpll5hy2jlze25w2.onion

However, the identical copy of the website but under the 64n64bh345yszlrp3diytow33gxzriofaii72lsiiq4uh4laqgddvyad.onion address we see in a much more central part of the Dark Web:

Dark Map location of 64n64bh345yszlrp3diytow33gxzriofaii72lsiiq4uh4laqgddvyad.onion

And we see it with 3 inbound links 

inbound Links from:

sz5h6tiqkdkfl55qa3kcxgzck3xeffo6cso7sjpc7hc7sr3vghdyicqd.onion “The Dark Web Links Directory

linkdir7ekbalksw.onion  “The Dark Web Links Directory v2 Onion Address

toponiibv4eo4pctlszgavni5ajzg7uvkd7e2xslkjmtcfqesjlsqpid.onion “Hidden Link Directory

 Dark Map 64n64bh345yszlrp3diytow33gxzriofaii72lsiiq4uh4laqgddvyad.onion inbound Links

SS7 Hack

As for the SS7 Hack service. This too appears to have been a copy clone, this time of a clear web website www[.]ss7[.]dev made on Friday the 18th 2021

 HTTrack clone of website

Indeed, both of the “SS7 Hack” websites appear to be identical 

Dark Map location of SS7 Hack

SS7 Hack has one inbound link from:

e6wzjohnxejirqa2sgridvymv2jxhrqdfuyxvoxp3xpqh7kr4kbwpwad.onion  “TorNode – Onion Links Directory “

On the cached front page of SS7 Hack website we find an email address and as before using our Email Search API we see there are 3 results, 1 being a Tor Search service and the other two being the SS7 Hack website duplicates. 



        “created_at”: “Mon, 22 Feb 2021 16:30:49 GMT”,

        “description_json”: {},

        “hostname”: “searchgf7gdtauh7bhnbyed4ivxqmuoat3nm6zfrg3ymkq6mtnpye3ad.onion”,

        “is_up”: false,

        “language”: “en”,

        “last_seen”: “Sat, 09 Oct 2021 08:42:11 GMT”,

        “portscanned_at”: “Tue, 23 Feb 2021 02:59:20 GMT”,

        “powered_by”: “”,

        “server”: “nginx”,

        “ssh_fingerprint”: null,

        “title”: “The Deep Searches”,

        “url”: “http://searchgf7gdtauh7bhnbyed4ivxqmuoat3nm6zfrg3ymkq6mtnpye3ad.onion/”,

        “useful_404”: true,

        “useful_404_dir”: false,

        “useful_404_php”: true,

        “useful_404_scanned_at”: “Wed, 29 Sep 2021 18:15:38 GMT”,

        “visited_at”: “Sat, 09 Oct 2021 08:43:37 GMT”



        “created_at”: “Fri, 25 Jun 2021 21:19:08 GMT”,

        “description_json”: {},

        “hostname”: “ss7hfyqn7fv7kjs7.onion”,

        “is_up”: false,

        “language”: “en”,

        “last_seen”: “Tue, 07 Sep 2021 19:02:07 GMT”,

        “portscanned_at”: “Tue, 29 Jun 2021 18:23:08 GMT”,

        “powered_by”: “”,

        “server”: “Apache”,

        “ssh_fingerprint”: null,

        “title”: “SS7 Hack – SMS Intercept – WhatsApp, Telegram, GMAIL, Facebook, Instagram, Twitter, Phone Tapping, Call, Tracking.”,

        “url”: “http://ss7hfyqn7fv7kjs7.onion/”,

        “useful_404”: true,

        “useful_404_dir”: true,

        “useful_404_php”: true,

        “useful_404_scanned_at”: “Mon, 06 Sep 2021 17:46:32 GMT”,

        “visited_at”: “Wed, 06 Oct 2021 15:28:34 GMT”



        “created_at”: “Tue, 05 Oct 2021 21:35:23 GMT”,

        “description_json”: {},

        “hostname”: “ss7hxvtum6iyykshcefjmm5pvb2y3lsvcfh2lzml2vtdhqlseqhqnpqd.onion”,

        “is_up”: false,

        “language”: “en”,

        “last_seen”: “Fri, 15 Oct 2021 21:21:48 GMT”,

        “portscanned_at”: “Wed, 06 Oct 2021 02:31:26 GMT”,

        “powered_by”: “”,

        “server”: “Apache”,

        “ssh_fingerprint”: null,

        “title”: “SS7 Hack – SMS Intercept – WhatsApp, Telegram, GMAIL, Facebook, Instagram, Twitter, Phone Tapping, Call, Tracking.”,

        “url”: “http://ss7hxvtum6iyykshcefjmm5pvb2y3lsvcfh2lzml2vtdhqlseqhqnpqd.onion/”,

        “useful_404”: true,

        “useful_404_dir”: true,

        “useful_404_php”: true,

        “useful_404_scanned_at”: “Thu, 07 Oct 2021 23:26:02 GMT”,

        “visited_at”: “Tue, 26 Oct 2021 21:19:15 GMT”



The clear web “original” website appears to have almost identical services and pricing:

Screenshot of the “original” website.

This supplier boasts a good reputation rating on

Secured Hacks

DarkFox Market

They appear to have a fairly e-commerce style webpage, payment is in either Bitcoin or Monero.

DarkFox Market appears to be a more “holistic” hacking service provider, offering a wider range of non SS7 services from DDoS to Ransomware As a Service. 

The check out process requires you to enter your “victim’s” Phone number.

In terms of inbound and outbound links the DarkFox Market website has the most out of all the services seen so far,

DarkFox DARKMAP links

Inbound Links from:

uprb6pfh6yslgecvrx7w4kcsqyxrox26yt4sap5m4sdkvirmsmkroyad.onion “Dark Web Forums –

dwforumsmrcqdnt3.onion “Dark Web Forums 

searchgf7gdtauh7bhnbyed4ivxqmuoat3nm6zfrg3ymkq6mtnpye3ad.onion “The Deep Searches

Outbound Links to:

hackerss4ptfozouwjix72eh2y7cu2v72nz57c4myjdceejqfwnz3zyd.onion “DSM Hackers – All Hacking Tools And Services In One Place

The Proof videos on the DarkFox Proofs page for “Telegram hacking” show an SMS Intercept video. Part of this video actually shows a web portal similar to what’s shown on the “SS7 attack demos” web page! The video is actually stolen content from a journalist who wrote an article on this very attack back in June 2016, with the video along with a WhatsApp hack video uploaded originally in May 2016.

DarkFox Video

Original Youtube Video

www[.]ss7[.]dev video analysis

Although not on the Dark Web the website carries probably the most ‘credibility’ out of all of the SS7 hacking services on the Dark Web. 

The proof videos show web pages that look extremely similar to that of the original demo hack videos from 2016, with a distinctive “superman” SS7 logo however, the page background is white rather than a light yellow proof video uploaded 2nd August 2020

In one of the tabs from the proof video we see an open page to the DSM Hackers forum

Proof video tabs

We know that this was one of the outbound links from the DarkFox market, although this could be coincidental, we are not quite sure of the relevance for the Moscow local time web page tab.

In the service demo video, the first 6 minutes are spent showing how to set up an account and pay for the services.

The most unconvincing of all the services, “SS7 Exploiter ” has to no surprise one of the most unconvincing demo videos. Like the, it spends the first nearly 3 minutes out of 5:23 showing how to buy bitcoin and pay for the service. 

It then shows what is meant to be the supposed “SS7 Exploiter” CLI interface.

SS7 Exploiter Demo Video

Note that this version of the web page, at the time of it being recorded does not show a demo video link in the navigation menu on the left hand side.

Note also the Subscription End date “9/03/21 12:00AM GMT”

If the operator purchased a subscription “out of their own pocket” of 1 Month then that would put the recording of the video at around the 9th of February assuming a DD/MM format. 

Assuming a MM/DD format, this puts the recording at around the 3rd of August. The video itself was uploaded on the 16th of October 2021 to YouTube. It is possible that the video was re-uploaded, from an earlier time.

Interestingly looking back on our index history for this onion domain. We first added the domain to our index on the 23rd of July 2020 with pages crawled  on the 27th and 4th of August 2020. 

The demo.html page and link to it from the left navigation menu was only added to our index on the 18th of October 2021, a few days after the video is uploaded to Youtube. 

With the entire website being originally mirrored by the HTTrack tool on the 13th of May 2019


There appear to be 4 main alleged SS7 Hacking/Exploitation services on the Dark Web, with one “SS7 Hack”, a clone of a clear web website “” being completely offline. 

The other service appears to be a clone of another almost identical website offering a highly suspicious SS7 Exploiter service

With the last, DarkFox Market that offers more than just SS7 services showing nothing more than already stolen / faked videos. 

With ironically the most ‘credible’ of all a clear web website, shows what appear to be spoofs / copies of SS7 hacking demos that were originally uploaded to YouTube back in May 2016.

Like most things on the Dark Web that promise a lot they are very likely all fake money making schemes for some one who is benefiting from all of those who failed to do even the smallest amount of due diligence, as they say Caveat Emptor. 

Are there genuine SS7 hacking services on the Dark Web? 

Most likely, but they are more than likely to be hidden behind membership only hacking services advertised by individuals for a very short period of time, an example of some posts related to SS7 hacking from our intelligence collection service:

SOS Intelligence posts on SS7

In any case it is very unlikely to find a long lived actual openly advertised service offering compromised SS7 gateway access 

It would seem that there is a lot of interest in SS7 exploitation services but not a lot of genuine providers. post about SMS OTP Interception

Of all of the fairly openly advertised services, clear web or dark we strongly believe to be complete fakes.

How much money could they have made?

Using the advertised bitcoin wallets and assuming they are not changing wallets with each transaction we can look at the Bitcoin blockchain explorer to see exactly when and how much bitcoin was sent these wallets



2x Transactions $159.62



1x Transaction $10.09


It would appear that DarkFox e-commerce shop assigns a bitcoin wallet at time of transaction. It is difficult to tell if a wallet contains transactions specifically for SS7 hacking or other services. Upstream review of outbound transactions from these wallets reveal fairly large transactions suggesting that DarkFox is doing a reasonable amount of business.


2x Transactions $180.03


4x Transactions $779.55


2x Transactions $140.23


2x Transactions £319.50



1x Transaction $389.57


No Transactions.

Featured image Photo by Mario Caruso on Unsplash

Product news, The Dark Web

Automating Cyber HUMINT Collection

This blog post will attempt to give a high-level overview of how we go about automating typically manual Cyber HUMINT ( “a category of intelligence derived from information collected and provided by human sources.”) collection. 

Significant elements of this blog will have to be described in general, non-specific, terms or redacted. Due to the nature of the work that we do, keeping our tradecraft methods, tactics and techniques private is important. The methods employed by us are not only commercially sensitive but over disclosure of specific details may render the methods ineffective.

Automating Cyber HUMINT Collection - SOS Intelligence
Screenshot of SOS Intelligence showing OSINT search

OSINT Source Selection

OSINT source collection SOS Intelligence
OSINT source

A fair amount of thought and research goes into selecting our OSINT (Open Source INTelligence) sources. For the most part, ideal collection sources would be ones that offer an API (Application Programming Interface) for information scraping and do so without significant restrictions. 

For example, Pastebin with a paid account grants access to a reasonable scraping API. Using this API we’ve been able to create a custom collection to download each paste, analyse it for relevant customer keywords and, if any matches found, store the paste & alert our customers.

In most cases, however, paste sites typically have no available APIs. Where these sites have a rolling list of new pastes posted, and those pastes can be enumerated & are publicly accessible, further development of a custom collection is required. 

An automated process is used to periodically check for new and available pastes, fetch those pastes in a raw format where possible, perform keyword matching and store where needed. A significant number of paste sites that we collect from, either on the internet or Dark Web, fall into this category. Generally there are no significant technical challenges other than the creation of a bespoke collection for each specific source type.

SOS Intelligence
URL code

As a general rule, for websites that do not have any specifically designed automated collection or scraping method, we apply a high degree of courtesy and do not aggressively scrape the site. 

Since the paste enumeration and paste collection is a fairly lightweight process, and given that pastes in general are uploaded every so often, there is no need for any aggressive polling of a target site.

SOS Intelligence
Lightweight and courteous collection

Authenticated Access

Member only Dark Web Forum
Member only forums

Some of the sources we collect from are closed, member only, Dark Web or internet hacking forums. Without going into too much detail as to how accounts are created on these forums, an account is essential since we must be able to access topics and posts as well as a roll of recent posts. 

In most cases forums helpfully provide a feed of new content by way of RSS (Really Simple Syndication) feed. This can in part, like an API, assist in the creation of a custom automated collection for that source. An additional caveat to this being that the collector passes credentials to the forum so as to appear to be a “logged in” user, e.g. simply viewing posts or browsing the forum. 

A good 30% of all the OSINT sources we collect from are authenticated. To maintain continuous automated collection, we ensure that we have a sufficiently well stocked array of back up accounts for each of the forums we collect from.

Bot Protection Bypass

In some cases the sources we collect from deploy DDoS or Bot Protection. The purpose of this is typically not to prevent scraping or automated collection but more to prevent the site from high volume denial of service attacks. 

The bypass for this defence varies depending on the source. In some cases, for example collection from Doxbin, we employed a CloudFlare challenge bypass method that essentially consists of:

  • Detecting the browser challenge.
  • Solving the challenge.
  • Passing the challenge answer back and obtaining a cookie.
  • Passing the cookie over to the collection processes to begin automated collection. 
  • Detecting when the cookie expires, ensuring any further challenge request are solved.
CloudFlare challenge bypass method
Bot Bypass
CloudFlare challenge bypass method
CloudFlare challenge bypass method

Even when fairly advanced bot/browser verification defences have been deployed by the target source, these have thus far all been mitigated and not prevented our automated OSINT collection. 

As for the Doxbin example, the challenge of bypassing their new bot protection was significant and on balance, considering the quality of the OSINT source, might not have been warranted. It was, however, still a challenge that couldn’t be left unmatched! 

CAPTCHA (Human Verification)

Raid Forums CAPTCHA
Raid Forums CAPTCHA

Automated solving of CAPTCHAs is tricky and is probably the toughest bypass we’ve had to solve so far. The amount of detailed technical information that we can share for how we go about bypassing CAPTCHA is very limited. However, it runs along similar lines to the browser challenge process, whereby detection of a CAPTCHA and the solving of it are tied into the automated collection functions. 

So far there are very few OSINT sources that employ this type of challenge and we’ve been able to mitigate these in all cases whilst maintaining automated collection.

Old school CAPTCHA
Old school challenge!

Staying Undetected

As with the above topic, it is tricky to discuss and share in any level of detail our methods for remaining “undetected“. However, in general we ensure that the accounts we use do not raise any significant cause for concern to the forum operators. 

In most cases, accounts with no post count after a number of months (or sooner!) are deleted. This means that our accounts must have some level of interaction with the forum, however minimal, to ensure their persistence. 

We try, wherever possible, to use Tor to access content. This helps preserve our anonymity in as much as not pinning our collectors down to one location. We also ensure we rotate things like user agents and other fingerprints to ensure relative anonymity. 

Then important aspect to blending in with the noise is ensuring that collection is not overly aggressive and not overly routine. We achieve this by randomising the frequency and timings of either enumeration of new posts, fetching / viewing posts or pastes. The key is to appear sufficiently “human“. This has afforded us the ability, in some cases, to collect with the same account for a year or more without administrator intervention. 

Detecting Faults

This can be even more challenging than bypassing CAPTCHA challenges. The goal for us is to ensure we have sufficiently robust detections for whenever a logged in session expires; a challenge pass expires; the very likely and common scenario of an overloaded website itself going offline or a Tor circuit is struggling. 

To ensure the best chance of successfully reaching a website over Tor, we employ a number of load balanced Tor routers that are themselves proxied and balanced to cater for our crawling services and automated collection. 

But things do go wrong, Tor is not the most reliable tool so our collection processes that utilise it have sufficient retry intervals and “back-off” intervals programmed into them. Should one of our requests result in a gateway time out the system will simply retry, hoping it is balanced to a less utilised Tor relay. 

At times we do get detected and blocked by forum administrators. In such instances, the system will attempt to detect any “authentication loops” and select another account to continue automated collection with. 

Some of the fault detection is relatively simple, such as enumerating how many pages a collection source has and iterating through each page until all pages have been collected.

SOS Intelligence Cyber HUMINT
Collection source
SOS Intelligence Cyber HUMINT
SOS Intelligence Cyber HUMINT

The process is not always perfect, but we try to monitor it and optimise wherever possible. We spend a lot of time on the initial development phases of a collection ensuring that all possibilities, within reason, are accounted for and once a collection goes into production that any following “cat and mouse” changes required are as minimal as possible. 

We hope this gives an insight into how SOS Intelligence works. We have a number of plans available and if you would like to schedule a demo, please click here.

Thanks for reading!


PS If you enjoyed this, we think you also enjoy An investigation into the LinkedIn data sale on hacker forums.

Opinion, The Dark Web, Tips

How Does the Dark Web Work? An In-Depth Guide (2021)

This is the authoritative 2021 guide to the Dark Web

If you are looking to understand:

  • The Dark Web basics
  • Where did the Dark Web come from?
  • What’s driving the growth of the Dark Web?
  • What activities take place on the Dark Web?
  • Which Dark Web threats can impact my organisation?
  • How to protect organisations from Dark Web activity?
  • What does Dark Web Monitoring do?

Then this guide will provide you with all of the answers you need.

Chapter 1: The Dark Web basics

What is the Dark Web? 

The Dark Web is a peer-to-peer interconnected network of computers that use the Tor Protocol, commonly known as the Tor browser.

Tor uses the top-level domain .onion which takes its name from the method of routing the Tor network’s users.

Anonymity is maintained by building a circuit each time a user tries to connect to a certain .onion domain.

The circuit becomes a multi-layered encryption chain, with each layer unwrapping the next one until it gets to its destination. Hence the reference to an onion.

This method ensures that the relaying nodes on the network between sender and recipient never know who the other one is. They only know the next layer as they unwrap it.

It provides 100% anonymity whilst on the network.

The Dark Web is essentially the containing of that encrypted traffic within the Dark Web itself.

Is the Dark Web 100% anonymous?

There are only 2 places where you can breach Dark Web anonymity.

Either the client end before you transmit data onto the Tor network or via the other end using an Open Relay.

Anyone can download and install an Open Relay and capture information then pass it out onto the internet if the data hasn’t been sufficiently secured within itself.

Chapter 2: Where did the Dark Web come from?

The Tor Project is an open-source foundation that was started as a US Navy research project.

It was originally part of the National Security Agency, a national-level intelligence agency of the United States Department of Defense.

It’s likely that it predates its official launch by a number of years.

The early development of the .onion protocol was designed to allow spies to communicate with each other and contact their commanders via the internet in as safe and secure a manner as possible.

For it to work properly, they needed a sufficient number of nodes in order to allow traffic to pass anonymously.

Too few nodes would simply allow adversaries to intercept and attack their encrypted data.

So (the story goes) the Tor Project was started as a free open source project to encourage widespread use.

It has become increasingly popular over the years and undergone a number of significant iterations since its release in 2002.

Chapter 3: What’s driving the growth of the Dark Web?

The Tor Project quickly gained users thanks to its advanced anonymity properties.

Let’s face it, you build a road and people are going to start driving on it.

Yet here’s the thing:

There are numerous key global events that have seen spikes in growth of Tor.

These include the following:

  • Government clampdowns on file sharing following successful lobbying by Hollywood and the music industry forcing ISPs to block access to torrent hosting websites
  • Key political moments such the Arab Spring in 2010

Meanwhile, various Hacking Communities began using it because it became the ‘cool thing’ to do.

Chapter 4: What activities take place on the Dark Web?

Most of the activity taking place on the Dark Web is as dull and trivial as the rest of the Internet.

In truth, for all its negative connotations the Dark Web shouldn’t be something to be afraid of.

Of the 95,317 sites we currently track, less than 5% are flagged as having potentially abusive content on them.


There is also a significant amount of fraud taking place here, along with a percentage sharing abusive content.

The biggest threat to organisations comes in the form of Ransomware.

What is Ransomware?

Ransomware is the process of hackers encrypting and stealing sensitive company and customer data then ransoming it back to the organisation for profit.

Let’s look at this in more detail in the next chapter.

Chapter 5: Which Dark Web threats could impact my organisation?

In June 2017, the chief technology and information officer for Maersk, a Danish shipping and logistics giant, returned from his honeymoon to discover that the company has suffered a major malware attack.

The attack on its IT systems was so bad that the company was virtually unable to operate, even to the point that its ship’s captains were forced to navigate the globe using paper and pen.

4 years later and the company is still remediating, estimated costs to date are as much as £300 million.

No one is sure whether this attack was Ransomware gone wrong (no public request for payment has been made) but the damage to its business continues to be felt to this day.

The different types of Dark Web attack

The Dark Web enables hackers to remain anonymous whilst providing them with a marketplace to force you as the victim to pay to have your data decrypted.

It gives them a foothold, a place where they can publicly advertise to the world all of the organisations they have hacked.

This data often includes intellectual property, financial information, and customer data and is usually placed on the Dark Web and made free to download until the organisation pays to have it removed.

These are very professional operations with call centers, helplines, and live-chats. Some of them even provide a ‘Get 1 File for Free’ service to prove that the decryption works.

Human Driven Ransomware

This term describes when a group of hackers come together and plan an attack. This would often involve them having a good look around your network before they begin encrypting specific files and servers.

They typically look to exploit vulnerabilities in your network and appear to be reasonably agnostic when it comes to sectors and industries.

Victims could be a dental surgery or multinational aerospace company. The primary motivation is getting you to pay for your encryption keys.

Another way into your systems is via ‘phishing’.

This could involve an IT employee’s credentials are stolen and where the company doesn’t have sufficient protection to prevent the hackers from gaining access to the system.

Ransomware Trends

Ransomware is developing and maturing into a more industrialised activity, with a much greater trend towards automation.

A lot of Ransomware programmes will automatically send your encryption keys off to an onion domain that is spun up just for you, gaining access through something as simple as a Word or Excel document that executes a Macro in the background.

The Macro will then automatically begin to encrypt your data and spin it out onto the Dark Web.

Apart from disabling Macros, patching applications to keep things up-to-date, not opening docs you aren’t sure about and using good security software there isn’t much more you can do.

At present we are aware of between 26-30 active ransomware groups.

If you find yourself on a Ransomware site, there is nothing you can really do except pay and begin remediating.

However, police forces are active on the Dark Web looking to take down operations and have had some success. Dutch police were recently so pleased to have taken down one botnet network that they even posted about it as themselves on a hackers’ forum.

Chapter 6: How to protect organisations from illegal Dark Web activity?

Protecting your organisation from hacking and Ransomware is a difficult task, especially when a concerted hacking campaign coupled with human error comes into play.

If as an IT Professional and/or diligent CTO you have done everything within your power to secure the network and Ransomware still finds its way through a lot of it will simply come down to bad luck.

Hackers work hard to ensure that they are fully undetectable and use dynamic systems that generate malicious downloads on the fly, making it difficult to defend against these types of attacks.

The priority then becomes managing the fallout and particularly the PR as best as you can.

A data breach quickly moves from being an IT problem to a business problem. If you can show that you have behaved competently and done as much as you can there is a chance to come out of it looking better.

Our Dark Web Monitoring tool supports you in this process by providing early warnings of any Dark Web activity around your brand.

SOS gives you awareness, time, and context by letting you know if your information is out there; what information that is; and who is talking about it.

Having these instant alerts can be very reassuring, giving you time to react with the full knowledge of just how big your exposure is.

Now we’d like to hear from you. Have you been affected by any of the issues raised in this guide? Do you have any concerns around data breaches and threat intelligence?

Please get in touch if you need to find out more using the contact info below. And if you’ve found this information helpful, please feel free to share it on your social networks!

The Dark Web

The Latest Dark Web Statistics for 2021

Looking for new stats about the Dark Web?

This is a complete list of up-to-date Dark Web statistics for 2021.

On this page, you will find hand-picked stats by our threat intelligence experts about:

  • Most Commonly Used Languages on the Dark Web
  • Most Prolific Ransomware Groups
  • Dark Web Server Technology
  • Dark Net Web Technologies
  • Number of Open Ports
  • How many Onions are live on the Dark Web right now?
  • Average Ransomware demands per Industry
  • Number of Ransomware Attacks Happening Right Now

So, let’s take a look at these statistics in more detail.


Most Commonly Used Languages on the Dark Web

Below you can see the most commonly used non-English languages today, compared to 2018. 

Although English is by far the most dominant language on the dark web the language distribution across the rest of the domains has remained surprisingly stable since we began indexing in 2018.

This suggests that despite growth in recent year, the content and individuals using dark net platforms has remained the same.

  • English accounts for 98% of language on the Dark Web
  • Russian is second with 1%

Most active Ransomware groups 

Who are the most prolific Ransomware organisations on the Dark Web? How many victims are each group targeting and who is the largest Ransomware organisation? 

Ransomware activity is dominated by a small number of groups, with the top 3 below accounting for approximately 44% of all victims.

Some of these organisations operate in a surprisingly business-like way, with call centres, helplines and ‘buy-one-get-one-free’ offers all part of the operation in what must seem like a galling experience for the victims looking to get their data removed from the Dark Web.

The victims range in size from smaller SMEs to global enterprise level organisations. These groups are not picky. If they can find a vulnerability and exploit it, they will do so.

Note: These figures represent the latest snapshot of ransomware activity on the Dark Web. Hackers are actively engaged at all times and our tools detect new victims on a daily and weekly basis. 

Dark Web server technology 

Our indexing technology allows us to collect highly granular data about the Dark Web domains we find. 

Here we are able to see the predominant server technologies powering the Dark Web.

This tells us that Nginx, the popular free and open-source software released by Igor Sysoev in 2004, accounts for a whopping 91% of all Dark Web server technology. Nginx is an incredibly popular reverse proxy so it is no wonder it has a significant market share as the front for most websites on the internet and Dark web.

Some way behind Nginx at 8% we have Apache, with the rest of the pack making up the remaining 1%

Dark Net web technologies 

We also look at the different tools and techniques used in the process of communication between different devices over the dark net. 

Analysing this data lets us see not only which versions are out there, but how potentially vulnerable some of these systems actually are.

Over 95% of the Dark Web is powered by PHP, making it the most popular web framework by a long way.

From collecting web technology information like this we can gain insights into the most popular frameworks and their versions as well as understanding how up to date or not some of these websites actually are.

Number of open Ports 

As we explore the microcosm of the Dark Web our tools log the number, type, and ID of the open ports we find. 

This allows us to glean a surprising amount of information about the servers used to exploit organisations via hacking, data theft and ransomware attacks.

For example, our most recent data tells us that Port 80 accounts for 96% of those discovered on the Dark Web.

Number of Dark Web domains

How many domains are live on the Dark Web right now? 

There are over 100,000 .onion domains live on the Dark Web right now. For a live feed of current stats visit our homepage here and check out our carousel for our live Dark Web threat tracking stats.

It’s important to note that new domains pop and shut down all the time as hackers and ransomware groups spin up new sites to carry out their attacks.

This graph shows how our indexing tools are beginning to plateau as our total coverage of the dark web increases over time.

Top Ransomware stats 2021 

Ransomware attacks are on rise in 2021 and we predict that this activity will continue to grow.

Indeed, Ransomware represents criminality on a truly industrial scale with hackers targeting larger and more sophisticated organisations all the time.

The Healthcare Sector is one of the most heavily exposed with approximately 24% of all of attacks targeting healthcare organisations.

Indeed the biggest ever attack (WannaCry in 2017) badly affected the UK’s NHS (National Health Service), costing it almost £92 million. Worse still, the chaos caused by the attack shut down IT systems for days which almost certainly cost lives.

According to Cyence, the total loss caused by WannaCry was close to $4 billion worldwide.

Average cost of Ransomware

Whilst the numbers above are pretty eye-watering it is worth pointing out that the average ransomware demands are more modest.

Indeed, the average ransomware demand for an organisation is $233,217.00. However, the average cost of remediating a ransomware attack is much higher at $761,106

It’s worth noting that this figure doesn’t consider the costs associated with the average downtime caused by a ransomware attack, which currently stands at 19 working days.

Ransomware attacks happening now

On average there are 4000 Ransomware attacks worldwide each day.

This works out at an average of an attack every 11 seconds.

The most common form of Ransomware attacks occur via email, with 1 in 3000 emails passing through security filters containing some form of malware, such as Ransomware.

Want to know more? 

We’ve created a helpful guide to the dark web.

So if you are looking for more information on:

  • The Dark Web basics
  • Where did the Dark Web come from?
  • What’s driving the growth of the Dark Web?
  • What activities take place on the Dark Web?
  • Which Dark Web threats can impact my organisation?
  • How to protect organisations from Dark Web activity?
  • What does Dark Web Monitoring do?

Then this guide will provide you with all of the answers you need:

How does the Dark Web work? An in-depth guide (2021)

Privacy Settings
We use cookies to enhance your experience while using our website. If you are using our Services via a browser you can restrict, block or remove cookies through your web browser settings. We also use content and scripts from third parties that may use tracking technologies. You can selectively provide your consent below to allow such third party embeds. For complete information about the cookies we use, data we collect and how we process them, please check our Privacy Policy
Consent to display content from Youtube
Consent to display content from Vimeo
Google Maps
Consent to display content from Google
Consent to display content from Spotify
Sound Cloud
Consent to display content from Sound