Illicit Networks
The Illicit Networks category includes different subcategories related to the criminal underground, also known as dark web or darknet.
Certain websites have areas of expertise, such as drugs, fraud and hacking, or focus on specific geographical areas. Others are more generic and contain all types of items. Most of them have a certain set of rules describing what they allow or refuse on their platform.
We do not send data to Dark Web platforms
We do not send any information about the identifiers you create to any of the dark web platforms we crawl. We collect the entirety of the data daily, and query our databases directly.
For sources in the criminal underground, Flare collects and stores the entirety of the data on the source. When you run a search on dark web sources, it is run locally only on the database that Flare has collected. The search terms or identifiers are never disclosed to the external sources.
The Market subcategory includes events collected from underground markets, also called crypto-markets. On these markets, actors put up listings for different items they have for sale. This includes products and services related to drugs, fraud, hacking, etc.
Transactions typically take place in cryptocurrency, mainly in Bitcoin and Monero.
Account shops are underground markets where malicious actors list and sell accounts to specific services and websites.
Infected devices (called "bots") refer to listings of credentials and cookies on illicit markets (e.g. Genesis Market) obtained by malicious actors who gained access to someone's personal computer. The listings therefore include the date these credentials and cookies were stolen and the partial IP address of the victim, as well as the country of origin of the IP address.
For example, we have seen firms use the partial IP provided to identify which employee was the one listed on Genesis Market. If you receive an alert where the credentials listed belong to domains or subdomains of critical infrastructure (e.g. adfs.domain.com), be sure to act on this information rapidly! The initial access of some corporate network attacks has been attributed to Genesis Market bots in the past, such as the Electronic Arts breach in 2021.
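The triage logic the two paragraphs above imply, as an added example that is not Flare's own code: a listing carries a theft date, a partial IP, a country and the hostnames the stolen credentials belong to; the function flags hostnames under a monitored domain, escalates when one of them is an identity or remote-access host, and checks whether the partial IP can fall inside a known corporate egress range. The listing, the `CRITICAL_LABELS` set, the `triage` name and the priority levels are constructed assumptions; only `adfs.<domain>` comes from the text.

```python
from dataclasses import dataclass, field
from datetime import date
import ipaddress

# Leading labels that usually front identity or remote-access infrastructure.
# Constructed list: the text only names adfs.<domain> as an example.
CRITICAL_LABELS = {"adfs", "sso", "vpn", "citrix", "owa", "mail", "okta"}


@dataclass
class BotListing:
    """One 'infected device' listing: theft date, partial victim IP,
    country of the IP, and the hostnames the stolen credentials belong to."""
    stolen_on: date
    partial_ip: str                # e.g. "203.0.113.x"; last octet withheld by the shop
    country: str
    resources: list[str] = field(default_factory=list)


def host_matches_domain(host: str, domain: str) -> bool:
    """True when host is the monitored domain or one of its subdomains.
    A plain suffix test would also accept 'evil-example.com' or
    'example.com.attacker.net', so compare on label boundaries."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def partial_ip_matches(partial_ip: str, egress_cidrs: list[str]) -> bool:
    """Can a shop-style partial IPv4 ('203.0.113.x') fall inside one of the
    organisation's egress ranges? Withheld octets are widened to 0..255, so
    the answer is 'possible', never 'confirmed'."""
    octets = partial_ip.lower().split(".")
    if len(octets) != 4:
        return False
    wild = {"x", "xx", "xxx", "*"}
    try:
        low = ipaddress.IPv4Address(".".join("0" if o in wild else o for o in octets))
        high = ipaddress.IPv4Address(".".join("255" if o in wild else o for o in octets))
    except ipaddress.AddressValueError:
        return False
    for cidr in egress_cidrs:
        net = ipaddress.IPv4Network(cidr, strict=False)
        if net.network_address <= high and net.broadcast_address >= low:
            return True
    return False


def triage(listing: BotListing, monitored_domains: list[str], egress_cidrs: list[str]) -> dict:
    """Split the listing's hostnames into monitored/critical and assign a priority."""
    matched = [h for h in listing.resources
               if any(host_matches_domain(h, d) for d in monitored_domains)]
    critical = [h for h in matched if h.lower().split(".")[0] in CRITICAL_LABELS]
    egress = partial_ip_matches(listing.partial_ip, egress_cidrs)
    if critical:
        priority = "urgent"          # identity/remote-access credentials exposed
    elif matched and egress:
        priority = "high"            # corporate asset credentials, likely a corporate device
    elif matched:
        priority = "medium"
    else:
        priority = "info"
    return {"priority": priority, "matched": matched, "critical": critical,
            "egress_possible": egress, "stolen_on": listing.stolen_on.isoformat()}


# Constructed sample listing; example.com and 203.0.113.0/24 are documentation values.
SAMPLE_LISTING = BotListing(
    stolen_on=date(2021, 6, 1), partial_ip="203.0.113.x", country="CA",
    resources=["adfs.example.com", "intranet.example.com",
               "shop.example-com.net", "www.example.com.evil.test"])

if __name__ == "__main__":
    print(triage(SAMPLE_LISTING, ["example.com"], ["203.0.113.0/24"]))
```

The two lookalike hostnames in the sample are there on purpose: both would pass a naive `endswith("example.com")` check and neither should be attributed to the monitored organisation.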
Forums are spaces in the criminal underground where actors discuss and collaborate. They are similar to clearweb social media, with the difference that they offer anonymity to their users. They usually have a defined target audience, and conversations are centered around certain subjects, such as hacking and fraud, but also politics, opinions, etc.
Profiles include pages collected on markets and forums that represent actor profiles.
The Chats subcategory includes events collected on various chat rooms where cybercriminals tend to discuss or advertise. Specifically, we monitor many ICQ chat rooms and Telegram chat rooms.
The Ransomware blogs subcategory includes pages collected on the public websites of ransomware groups. Since 2019, many ransomware groups have started to list their victims publicly on their websites. They often share proof that they have access to the data, such as a Windows Explorer screenshot, and often put up the payment deadline and cryptocurrency ransom address. Certain websites even host auctions for the leaked data.
Illicit blogs - not to be confused with ransomware blogs - are websites on which actors publish "article" type content, in the same way blogs operate on the clear web. We collect blog posts from a few illicit blogs, mostly related to the cybercrime ecosystem and Cyber Threat Intel news. Some blogs operate as "lone wolves", where the owner of the blog is also the author, whilst others are a platform on which people can publish articles (think something like Medium), for example, Telegraph.
This source type will show you events from credit card autoshops. These are sites where criminals can purchase stolen credit card information.
Most websites require the creation of accounts, sometimes with valid email addresses, to access the listings and conversations. Flare's crawlers automatically create these accounts and connect to the platforms.
Crawlers also use various approaches to appear human-like in terms of navigation speed and behavior to bypass any bot-detection mechanism present on most websites.
Most relevant data points are scraped from the HTML webpage. These include actor names, item names, dates and times, descriptions, ratings and reviews.
The following steps are applied on collected events.
If items are identical, they are merged into a single card with the "And X similar events" mention.
For events to be considered identical, they must have the same title, the same content and be on the same website. They can have different website categories (fraud vs carding) and posting dates.
Click on the "And X similar events" mention to list all the events.
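The merge rule stated above, as an added example and not Flare's own code: identity is the triple (website, title, content), so category and posting date are deliberately left out of the key, and each group becomes one card with an "And X similar events" count. Whitespace and case normalisation of title and content, and the choice of the most recent event as the card's head, are assumptions made here, as is the constructed sample input.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Event:
    website: str
    category: str          # e.g. "fraud" or "carding"; not part of identity
    posted_at: datetime    # not part of identity either
    title: str
    content: str


def _norm(text: str) -> str:
    # Assumption: collapse whitespace and ignore case so trivially re-posted
    # copies still merge. The page only states title/content/website equality.
    return " ".join(text.split()).casefold()


def dedup_key(event: Event) -> tuple[str, str, str]:
    """Identity of an event: same website, same title, same content."""
    return (event.website.casefold(), _norm(event.title), _norm(event.content))


def build_cards(events: list[Event]) -> list[dict]:
    """Group identical events into cards; the most recent event heads each card
    (assumption) and the others are listed under 'And X similar events'."""
    groups: dict[tuple, list[Event]] = defaultdict(list)
    for event in events:
        groups[dedup_key(event)].append(event)

    cards = []
    for members in groups.values():
        members.sort(key=lambda e: e.posted_at, reverse=True)
        head, similar = members[0], members[1:]
        cards.append({
            "event": head,
            "similar": similar,
            "categories": sorted({e.category for e in members}),
            "label": f"And {len(similar)} similar events" if similar else "",
        })
    cards.sort(key=lambda c: c["event"].posted_at, reverse=True)
    return cards


# Constructed sample: the same listing re-posted three times in two website
# categories on different dates, plus one unrelated listing.
SAMPLE_EVENTS = [
    Event("market.example", "fraud", datetime(2023, 3, 1, 9, 0),
          "Fullz USA fresh", "Full info packages, escrow accepted."),
    Event("market.example", "carding", datetime(2023, 3, 4, 18, 30),
          "Fullz  USA fresh", "Full info packages, escrow accepted. "),
    Event("market.example", "fraud", datetime(2023, 3, 2, 12, 0),
          "FULLZ USA FRESH", "Full info packages, escrow accepted."),
    Event("forum.example", "hacking", datetime(2023, 3, 3, 8, 0),
          "Fullz USA fresh", "Full info packages, escrow accepted."),  # other website
]

if __name__ == "__main__":
    for card in build_cards(SAMPLE_EVENTS):
        print(card["event"].website, card["event"].title, card["label"])
```

The fourth sample event has the same title and content but sits on a different website, so it stays a card of its own, exactly as the rule requires.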
Certain events are tagged by a text analysis machine learning algorithm. The tagging system is applied only on events related to financial fraud. There are 12 categories, including Carding and Money Transfer as shown above. These tags help understand quickly what an event is about.
Each actor posting on markets or forums has a profile built in Flare. Simply click on an actor's name to reach their profile. The page includes different information points, such as the first and last time the actor was seen and any contact info, which from time to time includes valid email addresses.
Actors from different websites and sources might be merged in a single profile if it is believed that the different personas are in reality a single actor (individual or group). This is done by comparing the public PGP keys of the actors, their names as well as other attributes.
In the screenshot below, you can see multiple user names (REDFOX, isellLOGS and iSellLogz) that were correlated using this technique.
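The persona merging described above, as an added example that is not Flare's own implementation: personas from different sources are linked whenever they share a PGP key fingerprint or a contact email, or when their handles are the same after a loose normalisation, and the links are resolved with a union-find into actor groups. The normalisation rules, the minimum handle length for a name-only link, the `Persona` fields and the sample personas (built around the REDFOX / isellLOGS / iSellLogz names from the text, with constructed fingerprints) are all assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumption: loose handle normalisation so that case and common letter/digit
# substitutions (isellLOGS vs iSellLogz) do not hide the same name.
_SUBST = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                        "7": "t", "z": "s", "$": "s", "@": "a"})
MIN_HANDLE_LEN = 6   # assumption: short/generic handles alone are not evidence


@dataclass(frozen=True)
class Persona:
    source: str                              # market or forum the persona was seen on
    handle: str
    pgp_fingerprints: frozenset = frozenset()
    emails: frozenset = frozenset()


class UnionFind:
    """Minimal disjoint-set structure used to resolve pairwise links into groups."""
    def __init__(self, n: int):
        self.parent = list(range(n))

    def find(self, i: int) -> int:
        while self.parent[i] != i:
            self.parent[i] = self.parent[self.parent[i]]   # path halving
            i = self.parent[i]
        return i

    def union(self, a: int, b: int) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def normalize_handle(handle: str) -> str:
    return re.sub(r"[^a-z0-9]", "", handle.casefold().translate(_SUBST))


def normalize_fingerprint(fp: str) -> str:
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def correlate(personas: list[Persona]) -> list[list[Persona]]:
    """Group personas believed to be one actor. Strong attributes (PGP key,
    email) always link; handle equality links only for non-trivial handles."""
    uf = UnionFind(len(personas))
    by_attribute: dict[tuple[str, str], list[int]] = defaultdict(list)
    for i, p in enumerate(personas):
        for fp in p.pgp_fingerprints:
            by_attribute[("pgp", normalize_fingerprint(fp))].append(i)
        for email in p.emails:
            by_attribute[("email", email.strip().casefold())].append(i)
        handle = normalize_handle(p.handle)
        if len(handle) >= MIN_HANDLE_LEN:
            by_attribute[("handle", handle)].append(i)

    for indices in by_attribute.values():
        for j in indices[1:]:
            uf.union(indices[0], j)

    groups: dict[int, list[Persona]] = defaultdict(list)
    for i, p in enumerate(personas):
        groups[uf.find(i)].append(p)
    return sorted(groups.values(), key=lambda g: min(x.handle for x in g))


# Constructed sample. The fingerprint is a made-up 40-hex-digit value.
_FP = "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"
SAMPLE_PERSONAS = [
    Persona("market-a", "REDFOX", pgp_fingerprints=frozenset({_FP})),
    Persona("forum-b", "isellLOGS", pgp_fingerprints=frozenset({_FP.replace(" ", "").lower()})),
    Persona("market-c", "iSellLogz"),                 # linked to isellLOGS by name only
    Persona("forum-b", "admin"),                      # generic handle: never linked by name
    Persona("market-a", "admin"),
    Persona("forum-d", "blackcat99", emails=frozenset({"bc99@mail.example"})),
]

if __name__ == "__main__":
    for group in correlate(SAMPLE_PERSONAS):
        print(sorted(f"{p.handle}@{p.source}" for p in group))
```

REDFOX and isellLOGS are joined by the shared key, isellLOGS and iSellLogz by the normalised handle, and the union-find carries both links into a single group; the two `admin` personas stay apart because a short generic handle on its own is not treated as evidence.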
Most events originating on the criminal underground have a severity of at least 3 due to the location where they were found. Certain events may have a lower severity if they are identified as noise by the analyzers.