Illicit Networks
The Illicit Networks category in Flare aggregates data collected from dark web marketplaces, underground forums, ransomware extortion sites, encrypted messaging channels, and infostealer ecosystems. Together, these sources give you structured visibility into threat actor behavior, data exposure, and active extortion operations before they escalate.

Ransom Leaks

Ransomware groups regularly publish victim data on dedicated extortion sites to pressure organizations into paying. Publication typically follows a failed negotiation, meaning the data is already public by the time an event fires. This event category covers direct targeting of your organization, breaches at third-party suppliers, and broader supply chain exposure. Learn more about Ransom Leaks.

How Flare tracks ransom leak updates

Ransomware groups often publish in stages. The first post is commonly a teaser with minimal information; full victim details, file listings, and download links are added in subsequent edits. Whenever a post is updated, Flare creates a new, separate event to represent that update. The update event has its own unique ID (UID) and appears independently in your events feed.

Each update event includes a diff view that shows exactly what changed between the previous version of the post and its current state, so you can quickly identify what was added (a victim name being published, files being released, a deadline being changed) without rereading the full post each time. The diff view contains:

- Ransom victim metadata: structured fields in a side-by-side table, with changed values highlighted for quick scanning.
- Content: the full post text from the previous crawl alongside the updated version, making it easy to spot what was added or changed.
- A drop-down menu giving quick access to all previous versions of the event, so you can trace how the post evolved from initial publication to its current state.

Accessing events via API

Update events for ransom leaks are new as of June 2026. If you were monitoring ransom leaks before June 2026, keep the following in mind for your integrations.

A single ransomware post can now produce multiple event IDs (UIDs). The original event retains its UID (e.g., document/source/1), and a new UID is generated for each subsequent update event (e.g., document/source/1/abc). The parent UID is no longer updated once an update event has been created.

If your integration queries the tenant events feed, no changes are required: ransomware update events surface in your feed alongside the original events. You may notice an increase in ransomware-related events. This is expected; it reflects activity that was previously occurring but not being surfaced, specifically post-publication edits that now generate their own events.

If your integration polls a specific ransomware UID directly, update your logic to also query the child UIDs, or switch to querying the tenant events feed, so that you do not miss post-publication updates.

Markets

Dark web marketplaces, also called crypto markets, are storefronts where threat actors list goods and services for sale, ranging from stolen credentials and malware to fraud tools and counterfeit documents. Transactions are typically settled in cryptocurrency, primarily Bitcoin and Monero. This sub-category surfaces activity relevant to your organization when your data or assets appear in listings. Learn more about Markets.

Account Shops

Account shops are a specialized type of underground marketplace focused exclusively on the sale of compromised accounts for specific services and websites. They provide a direct signal that credentials associated with your organization or your users are being actively monetized in the criminal ecosystem. Learn more about Account Shops.
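The following is an added example, not Flare's own client or API, of the integration logic implied by the Accessing events via API section above: it groups update events under the UID of the original post, walks the version chain, and reproduces the two halves of the diff view (changed metadata fields and changed post text). Only the UID convention (document/source/1 for the original, document/source/1/abc for an update) comes from the page; the event field names (uid, published_at, data), the rule that an update UID is its parent UID plus one trailing segment, and the sample feed are constructed assumptions.

```python
"""Added example for Flare ransom leak update events (illustrative, not Flare code).

Assumptions not taken from the page: events are dicts with keys "uid",
"published_at" and "data"; an update event's uid is the parent uid plus one
extra "/segment". The feed below is constructed sample data.
"""
import difflib

# Constructed sample feed: one ransomware post edited twice (teaser, then victim
# named with a deadline, then files released) plus an unrelated post that never changed.
SAMPLE_FEED = [
    {"uid": "document/source/1", "published_at": "2026-06-01T10:00:00Z",
     "data": {"victim": None, "files": [], "deadline": None,
              "content": "New victim. Details to follow."}},
    {"uid": "document/source/1/abc", "published_at": "2026-06-03T09:00:00Z",
     "data": {"victim": "Example Corp", "files": [], "deadline": "2026-06-10",
              "content": "Example Corp refused to negotiate.\nFull leak on 2026-06-10."}},
    {"uid": "document/source/1/def", "published_at": "2026-06-10T00:05:00Z",
     "data": {"victim": "Example Corp", "files": ["finance.zip", "hr.zip"],
              "deadline": "2026-06-10",
              "content": "Example Corp refused to negotiate.\nFull leak published. Download below."}},
    {"uid": "document/source/2", "published_at": "2026-06-02T12:00:00Z",
     "data": {"victim": "Other Org", "files": [], "deadline": None,
              "content": "Other Org, 48 hours."}},
]


def parent_uid(uid, known_uids):
    """Return the original post's uid if `uid` is an update event, else None.
    Assumption: an update uid is the parent uid with one extra '/segment'."""
    prefix = uid.rsplit("/", 1)[0]
    return prefix if prefix in known_uids else None


def group_versions(feed):
    """Map each original uid to its version chain [original, update1, ...] in
    publication order. The original keeps its uid; every edit is its own event."""
    known = {e["uid"] for e in feed}
    chains = {}
    for event in sorted(feed, key=lambda e: e["published_at"]):
        root = parent_uid(event["uid"], known) or event["uid"]
        chains.setdefault(root, []).append(event)
    return chains


def diff_metadata(prev, curr, skip=("content",)):
    """Structured-field diff between two consecutive versions: {field: (old, new)}
    for every value that changed; this is the side-by-side metadata table."""
    changed = {}
    for key in sorted(set(prev["data"]) | set(curr["data"])):
        if key in skip:
            continue
        old, new = prev["data"].get(key), curr["data"].get(key)
        if old != new:
            changed[key] = (old, new)
    return changed


def diff_content(prev, curr):
    """Unified diff of the post text between two versions (previous crawl vs. update)."""
    return list(difflib.unified_diff(
        prev["data"]["content"].splitlines(),
        curr["data"]["content"].splitlines(),
        fromfile=prev["uid"], tofile=curr["uid"], lineterm=""))


def updates_for(feed, uid):
    """What an integration that polled one uid must do now: collect the original
    plus every child uid instead of expecting the parent event to change."""
    return [e["uid"] for e in group_versions(feed).get(uid, [])]


def describe_changes(feed, uid):
    """Walk a post's version chain and summarise each edit, like the diff view."""
    chain = group_versions(feed).get(uid, [])
    summary = []
    for prev, curr in zip(chain, chain[1:]):
        added = [line[1:] for line in diff_content(prev, curr)
                 if line.startswith("+") and not line.startswith("+++")]
        summary.append({"uid": curr["uid"],
                        "fields": diff_metadata(prev, curr),
                        "content_lines_added": added})
    return summary


if __name__ == "__main__":
    for change in describe_changes(SAMPLE_FEED, "document/source/1"):
        print(change["uid"])
        for field, (old, new) in change["fields"].items():
            print(f"  {field}: {old!r} -> {new!r}")
        for line in change["content_lines_added"]:
            print(f"  + {line}")
```

Running the script prints one block per update UID: the first edit shows victim and deadline going from empty to set, the second shows the files list being populated and the post text changing from a deadline to a download announcement. An integration that only watched document/source/1 would have seen none of this, because the parent event is frozen once the first child exists.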
Infected Devices (Stealer Logs)

This sub-category covers data from infostealer malware infections on end-user machines, appearing in two forms: marketplace listings advertising access to compromised devices, and fully parsed stealer logs containing credentials, session tokens, cookies, and detailed device information. It is one of the highest-signal sources in Flare for detecting compromised employees, customers, or corporate systems. Learn more about Infected Devices.

Forum Posts

Underground forums are spaces where threat actors discuss, collaborate, and advertise, covering topics ranging from hacking and fraud to data breach announcements and initial access brokering. Each event includes the message body, author alias, thread context, and extracted indicators. Forums are often where deals are struck before they surface on marketplaces. Learn more about Forum Posts.

Profiles

This sub-category aggregates identity pages from dark web markets and forums, including actor aliases, registration details, activity history, reputation scores, and contact handles such as Telegram or Tox usernames. It supports threat actor tracking and persona correlation across platforms. Learn more about Profiles.

Chats

Messages ingested from encrypted and semi-public messaging platforms, primarily Telegram and ICQ, where threat actors coordinate in real time. This sub-category captures stealer log distribution, initial access brokering, and service advertisements, often providing earlier warning than a corresponding marketplace listing. Learn more about Chats.

Blog Posts

Illicit blogs are content publishing platforms within the criminal ecosystem where actors publish articles, technical guides, and cybercrime commentary. Some operate as solo publications, while others function as open platforms with multiple contributors. This sub-category can surface leaked internal documentation, adversary tooling guides, or proprietary materials shared without authorization. Learn more about Blog Posts.

Financial Data

Criminal autoshops are automated storefronts where stolen payment card data is bought and sold for cryptocurrency with instant delivery. This sub-category surfaces cards issued by or associated with your organization that are actively being trafficked, enabling proactive fraud mitigation before financial damage occurs. Learn more about Financial Data.