The Top 3 Ways to Build a Threat Actor Profile
For drug traffickers, hackers, and other cybercriminals active on the deep and dark web, the most important thing is to remain anonymous. But when you are a popular vendor on the dark web, that can be easier said than done – especially with dark web monitoring methods that build threat actor profiles.
Cybercriminals selling illicit goods and services such as drugs, databases, hacking, or carding services need to communicate with buyers and accept the currency for the goods. As a result, they often provide contact details such as emails, phones, wallet IDs, or handles in social networks for potential buyers to contact them.
Armed with this type of information about a specific cybercriminal, we can start to perform threat actor profiling. Threat actor profiling is a method of linking the identity of a specific anonymous actor on the dark web through identifiers connected to the actor, such as a wallet ID, a phone number, or an email address. Using this method, we can track the actor's posts across different forums, marketplaces, or chats and gain a deeper picture of his overall activity, the services or products he offers, and more. We can also deanonymize the actor, especially if some of these details reveal his real-world identity when checked against third-party databases.
In this post, we'll show you the top three ways we use Webhose's Cyber API, with its available filters and supported entities, to build a profile of an anonymous actor.
Build a Threat Actor Profile Based on Contact Details
The first actor, whom we'll call Hades, offers different kinds of drugs and substances for sale on different forums, both inside the TOR network and outside of it. Since he is quite active on a number of channels and networks, we were able to build a threat actor profile for him.
How? We searched extensively through millions of posts from hundreds of domains, servers, and channels and were able to link his handle to posts in several forums. We were then able to map all the domains where the actor advertises himself, revealing his illicit drug sales.
Here are the identifiers we found:
Emails: firstname.lastname@example.org, email@example.com
Phone numbers: +1(409) 242-0120
Handles in forums: Hades1, Hades911, Hades, Hcook
Handles in Telegram/Wickr: drHades
Domains: http://quickdocuments.online/ and http://worldglobalpharmacy.com/ are mentioned in many of his posts as shops where his products are sold.
We were able to then generate a list of the illicit substances and services Hades sells:
Weed, cannabis, etc.
Fake passports, IDs, drivers' licenses
And many more…
We discovered that Hades is active in the following domains:
Several open-web paste sites
A dark web image board
Several TOR based forums
And many more…
Here are a few examples of posts from Hades in various sources over the past year that we detected using our Cyber API:
Build a Threat Actor Profile Based on a Payment Method
Another actor, whom we'll call teleadmin, was active primarily in the Telegram chat application.
After extensive monitoring, we were able to detect both a wallet ID and a handle and identify an actor who offers carding and financial fraud services and is active in many Telegram channels that discuss those topics. Hackers and carders often share wallet IDs with their customers in order to receive payments.
Here are the identifiers we found:
Handles in Telegram: teleadmin, teleadmin1, DeepwebAdmin1, legitspammer, Shadow_00_Boss, teleadmin1_boss
Wallet ID: 1JmCeg9kLpixRUc8YX4yPAXSqgG8PDPVzu
Full credit card numbers
Illegal transactions (PayPal, Western Union, Bank of America, and more)
Carded phones and laptops (goods purchased with stolen credit card information)
We discovered that teleadmin is active in the following domains:
And many more…
Once we extended the search to websites that index records of wallet ID activity (including transactions, balances, and more), we discovered even more information about this specific wallet ID and its transactions. We found that this wallet ID was connected to over 7,000 transactions and was last active on November 23, 2020. That means the actor still receives funds through this wallet ID, which is critical for law enforcement officials trying to track down cybercriminals.
By searching for posts by teleadmin over time, we detected a significant rise in his activity over the past 3 months in the data indexed in our Cyber Endpoint.
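The linking step behind both of the profiles above (shared contact details for Hades, a shared wallet ID for teleadmin) can be shown as a small pivoting routine. This is an added example, not code from Webhose or its Cyber API: it extracts identifiers from constructed, made-up posts, merges every post that shares an identifier into one profile, and rolls up the sites, last-seen date, and monthly activity per profile.

```python
import re
from collections import defaultdict

# Constructed sample posts standing in for Cyber API results; every value here is made up.
POSTS = [
    {"id": 1, "site": "paste-site-a", "author": "Hades1", "date": "2020-09-02",
     "text": "Meds in stock, order at http://shop-example.online/ or mail hades@example.org"},
    {"id": 2, "site": "tor-forum-b", "author": "Hades911", "date": "2020-10-15",
     "text": "Reach me: hades@example.org, Wickr: drHades, +1 (555) 010-0120"},
    {"id": 3, "site": "telegram", "author": "teleadmin1", "date": "2020-11-20",
     "text": "Pay to 1Constructed5amp1eWa11etAddrABCD then dm @teleadmin"},
    {"id": 4, "site": "tor-forum-c", "author": "legitspammer", "date": "2020-11-23",
     "text": "Wallet 1Constructed5amp1eWa11etAddrABCD, Telegram @DeepwebAdmin1"},
]
# One (type, regex) per pivot the post discusses: email, phone, wallet, domain, chat handle.
PATTERNS = [
    ("email", re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")),
    ("phone", re.compile(r"\+\d[\d\s().-]{8,}\d")),
    ("wallet", re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")),  # legacy BTC address shape
    ("domain", re.compile(r"https?://([\w.-]+)")),
    ("handle", re.compile(r"(?:(?<!\w)@|\b(?:telegram|wickr)\s*:?\s*@?)(\w{3,})", re.I)),
]
def extract_identifiers(post):
    found = {("handle", post["author"].lower())}  # the posting handle is an identifier too
    for kind, rx in PATTERNS:
        for m in rx.finditer(post["text"]):
            value = m.group(1) if rx.groups else m.group(0)
            value = value if kind == "wallet" else value.lower()  # wallet IDs are case-sensitive
            if kind == "phone":
                value = re.sub(r"[\s().-]", "", value)  # "+1 (555) 010-0120" -> "+15550100120"
            found.add((kind, value))
    return found
def link_profiles(posts):
    # Union-find over post ids: any shared identifier merges two posts into the same profile.
    parent = {p["id"]: p["id"] for p in posts}
    def find(x): return x if parent[x] == x else find(parent[x])
    idents_of = {p["id"]: extract_identifiers(p) for p in posts}
    seen_in = {}  # identifier -> first post id that carried it
    for pid, idents in idents_of.items():
        for ident in idents:
            parent[find(pid)] = find(seen_in.setdefault(ident, pid))
    profiles = defaultdict(lambda: {"posts": [], "identifiers": set(), "sites": set(), "by_month": {}})
    for p in posts:  # roll each component up into a profile summary
        prof = profiles[find(p["id"])]
        prof["posts"].append(p["id"])
        prof["identifiers"] |= idents_of[p["id"]]
        prof["sites"].add(p["site"])
        prof["by_month"][p["date"][:7]] = prof["by_month"].get(p["date"][:7], 0) + 1
        prof["last_seen"] = max(prof.get("last_seen", ""), p["date"])
    return sorted(profiles.values(), key=lambda pr: (-len(pr["posts"]), pr["posts"][0]))
```

Posts 1 and 2 merge through the shared email even though the handles differ, and posts 3 and 4 merge through the wallet ID; the `by_month` counts are what a rise in activity over time would be read from.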
Build a Threat Actor Profile Based on Textual Identifiers
Another example of actor profiling relies on third-party mentions of the actor: content, feedback, and discussions about him. Chlnsaint was an actor arrested recently whose name was added to the Northern California Illicit Digital Economy (NCIDE) Task Force TOR page on November 28, 2020. We thought we'd do a bit of digging to see if we could find activity related to this actor in our Cyber Endpoint.
After an extensive search through our dark web sources, we were able to gain more information about this actor prior to his arrest, which included:
Chlnsaint’s products listed on Empire Market.
Product reviews on Empire Market that referred to Chlnsaint by name (examples below)
Several users asking for recommendations about this vendor and his presence on several dark web forums
The identification of another actor on Empire Market using exactly the same phrases in his listings, indicating either an ally of said actor or the same actor (examples below)
Querying the actor's handles shows that he was mostly active on Empire Market and was referred to in different dark web forums, either by new buyers or existing clients.
A Tool For Catching Cybercriminals
Even though cybercriminals make it a top priority to remain anonymous, it's not always so easy. Law enforcement officials have methods of detecting cybercriminals on the dark web, and one of those methods is actor profiling. Webhose is proud to deliver the most comprehensive coverage of dark web data, including millions of sites, marketplaces, shops, and forums, to help law enforcement agencies (LEA) build threat actor profiles and stop the illicit activities of some of the most active criminals around the world.
Want to learn more about how you can use dark web monitoring for actor profiling? Contact one of our data experts to learn more today!