The Top 3 Ways to Build a Threat Actor Profile

Posted on December 16, 2020 by Noa Hassidim


For drug traffickers, hackers, and other cybercriminals active on the deep and dark web, the most important thing is to remain anonymous. But when you are a popular vendor on the dark web, that can be easier said than done – especially with dark web monitoring methods that build threat actor profiles. 

Cybercriminals selling illicit goods and services such as drugs, databases, hacking, or carding services need to communicate with buyers and accept payment for the goods. As a result, they often publish contact details such as email addresses, phone numbers, cryptocurrency wallet IDs, or social-network and messaging handles so that potential buyers can reach them.

Armed with this type of information about a specific cybercriminal, we can start to perform threat actor profiling. Threat actor profiling links the activity of an anonymous dark web actor across sources through the identifiers tied to that actor, such as a wallet ID, a phone number, or an email address. With those links we can follow the actor's posts across forums, marketplaces, and chats and build a fuller picture of his overall activity and the services or products he offers. The profile can also deanonymize the actor, especially when one of the identifiers resolves to a real-world identity in a third-party database. A shared identifier is a lead rather than proof, since wallet IDs and handles can be shared or copied, so each link should be corroborated before an identity is asserted.

In this post, we'll show you the top three ways we use Webhose's Cyber API, with its available filters and supported entities, to build a profile of an anonymous actor.

Build a Threat Actor Profile Based on Contact Details

The first actor, whom we'll call Hades, offers different kinds of drugs and substances for sale on various forums both inside the TOR network and outside of it. Because he is active on a number of channels and networks, we were able to build a threat actor profile for him.

How? We searched through millions of posts from hundreds of domains, servers, and channels, linked his handle to posts in several forums, and then mapped every domain on which the actor advertises himself to reveal his illicit drug sales.

Here are the identifiers we found:

  • Emails: hades911@protonmail.com, worldglobalpharmacy@gmail.com

  • Phone numbers: +1(409) 242-0120

  • Handles in forums: Hades1, Hades911, Hades, Hcook

  • Handles in Telegram/Wickr: drHades

  • Domains: http://quickdocuments.online/ and http://worldglobalpharmacy.com/, mentioned in many of his posts as the shops where his products are sold.
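The linking step described above (in the method section and in the Hades walkthrough) can be automated. The code below is an added example, not Webhose code or Cyber API output: it extracts email addresses, phone numbers, Bitcoin addresses, shop domains, and messenger handles from post text with regular expressions, normalises them, and uses union-find to group every handle that shares an identifier with another, directly or through a chain of posts. The post texts and source names are constructed; the identifiers inside them are the ones listed above and in the teleadmin section later in this post, and the handle someone_else is made up.

```python
import re
from collections import defaultdict

# Patterns for the identifier types a profile pivots on. The Bitcoin pattern only
# checks the legacy Base58 alphabet and length, so it is a candidate filter, not
# a validity check.
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "phone": re.compile(r"\+?\d[\d\s().-]{8,}\d"),
    "btc": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    "domain": re.compile(r"https?://([\w.-]+)"),
    # "wickr drHades", "telegram: @teleadmin" -> the handle after the app name
    "im": re.compile(r"\b(?:wickr|telegram|tg)\b\s*:?\s*@?(\w+)", re.I),
}

# Constructed sample posts (not records from the Webhose Cyber Endpoint). The
# identifiers are the ones listed in the article; the post texts, sources and
# the handle "someone_else" are made up for this example.
POSTS = [
    {"source": "tor-forum-a", "author": "Hades1",
     "text": "Top quality gear. Contact hades911@protonmail.com or wickr drHades"},
    {"source": "paste-site", "author": "Hcook",
     "text": "shop: http://worldglobalpharmacy.com/ email worldglobalpharmacy@gmail.com tel +1(409) 242-0120"},
    {"source": "tor-forum-b", "author": "Hades911",
     "text": "call +1 409 242 0120, wickr: drHades"},
    {"source": "telegram", "author": "teleadmin",
     "text": "pay to 1JmCeg9kLpixRUc8YX4yPAXSqgG8PDPVzu, escrow accepted"},
    {"source": "telegram", "author": "legitspammer",
     "text": "BTC 1JmCeg9kLpixRUc8YX4yPAXSqgG8PDPVzu fullz available"},
    {"source": "tor-forum-c", "author": "someone_else",
     "text": "anyone dealt with Hades?"},
]


def extract_identifiers(text):
    """Return a set of (kind, normalised value) pairs found in one post."""
    found = set()
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            value = m.group(m.lastindex or 0)          # capture group if any, else whole match
            if kind == "phone":
                value = re.sub(r"\D", "", value)       # "+1(409) 242-0120" -> "14092420120"
            elif kind != "btc":                        # Base58 is case-sensitive, keep as-is
                value = value.lower()
            found.add((kind, value))
    return found


def link_handles(posts):
    """Union-find over handles and identifiers: two handles land in the same
    group when a chain of shared identifiers connects them."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]              # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    for post in posts:
        author = ("handle", post["author"].lower())
        find(author)                                   # register even if the post has no identifiers
        for ident in extract_identifiers(post["text"]):
            union(author, ident)

    groups = defaultdict(lambda: {"handles": set(), "identifiers": set()})
    for node in parent:
        kind, value = node
        if kind == "handle":
            groups[find(node)]["handles"].add(value)
        else:
            groups[find(node)]["identifiers"].add(f"{kind}:{value}")
    # A handle that published no identifier cannot be linked to anything; drop it.
    return [g for g in groups.values() if g["identifiers"]]


def profile_for(handle, posts):
    """The linked group that contains `handle`, or None if it is unlinked."""
    for group in link_handles(posts):
        if handle.lower() in group["handles"]:
            return group
    return None


if __name__ == "__main__":
    for group in link_handles(POSTS):
        print(sorted(group["handles"]), "->", sorted(group["identifiers"]))
```

On the constructed posts, Hades1, Hades911 and Hcook fall into one group because the Wickr handle joins the first two and the phone number joins the last two, while teleadmin and legitspammer are joined by the wallet ID; someone_else, who mentions Hades but publishes nothing, is not linked to anyone. Each group is a set of leads to corroborate, not a proven identity.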

From his posts we compiled a list of the illicit substances and services Hades sells:

  • Heroin

  • Cocaine

  • Xanax

  • Alprazolam

  • Fentanyl

  • Crystal Meth

  • Morphine

  • Oxycontin

  • Weed, Cannabis, etc

  • Ecstasy

  • Ketamine

  • Hacking services

  • Hitman services

  • Fake passports, IDs, drivers’ license

  • And many more…

We discovered that Hades is active in the following sources:

  • Altcoin Explain

  • Agartha Marketplace

  • Several open-web paste sites

  • Deep Paste

  • A dark web image board

  • Several TOR based forums

  • And many more…

Here are a few examples of posts from Hades in various sources over the past year, detected using our Cyber API:

Post from Hades in the TOR network found in the Webhose Cyber Endpoint
Post from Hades on Depesz, a paste site, found in the Webhose Cyber Endpoint
Post from Hades on Deep Paste, a paste site, found in the Webhose Cyber Endpoint
Post from Hades found in the Webhose Cyber Endpoint

Build a Threat Actor Profile Based on a Payment Method

Another actor, whom we'll call teleadmin, was active primarily in the Telegram chat application.

Through extended monitoring we detected both a wallet ID and a handle belonging to an actor who offers carding and financial-fraud services and is active in many Telegram channels on those topics. Hackers and carders have to share a wallet ID with their customers in order to receive payment, and a wallet ID that appears alongside several handles ties those handles together.

Here are the identifiers we found: 

  • Handles in Telegram: teleadmin, teleadmin1, DeepwebAdmin1, legitspammer, Shadow_00_Boss, teleadmin1_boss

  • Wallet ID: 1JmCeg9kLpixRUc8YX4yPAXSqgG8PDPVzu

From his posts we compiled a list of the illicit services teleadmin sells:

  • Full credit card numbers

  • Illegal transactions (PayPal, Western Union, Bank of America, and more)

  • Carded phones and laptops (goods purchased with stolen credit card data)

We discovered that teleadmin is active in the following sources:

  • Escrowcardig

  • Sharingcaringswipes

  • ACHACHA_NIG_LTD

  • And many more…

Post from teleadmin in Telegram from the Webhose Cyber Endpoint

Extending the search to websites that index wallet activity (transactions, balances, and more) turned up further information about this wallet ID and its transactions: it was connected to over 7,000 transactions and was last active on November 23, 2020. The actor was therefore still receiving funds through this wallet ID, which is critical for law enforcement officials trying to track down cybercriminals.

Post of teleadmin’s wallet ID from Blockchain.com
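Before pivoting a scraped wallet ID into a blockchain explorer it is worth checking that the string is a well-formed address, since a character dropped or mistyped in a forum post sends the search to an address that never existed. The code below is an added example, not Webhose code, and covers only legacy Base58Check addresses (the "1..." and "3..." forms; Bech32 "bc1..." addresses use a different encoding and are out of scope). It recomputes the four-byte double-SHA256 checksum and reads the version byte to report network and script type. The known-good value in the demo is the genesis-block coinbase address, chosen because it is public; the second string is the same address with its last character changed, the kind of transcription error the checksum is designed to catch.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Version bytes of legacy Base58Check addresses. A testnet address is not worth
# pivoting on; a P2SH address may belong to an escrow or multisig setup rather
# than to one person.
VERSIONS = {
    0x00: ("mainnet", "p2pkh"),
    0x05: ("mainnet", "p2sh"),
    0x6F: ("testnet", "p2pkh"),
    0xC4: ("testnet", "p2sh"),
}


def b58decode(text):
    """Decode Base58 to bytes; each leading '1' stands for a leading zero byte."""
    n = 0
    for ch in text:
        idx = B58.find(ch)
        if idx < 0:
            raise ValueError(f"not a Base58 character: {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def classify_btc_address(addr):
    """Return (network, kind) when `addr` is a well-formed legacy address, or
    None when it is not (bad alphabet, wrong length, or checksum mismatch).
    The checksum is the first 4 bytes of SHA256(SHA256(version || hash160))."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return None
    if len(raw) != 25:                       # 1 version + 20 hash160 + 4 checksum
        return None
    payload, checksum = raw[:21], raw[21:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    if checksum != expected:
        return None
    return VERSIONS.get(payload[0], ("unknown", f"version 0x{payload[0]:02x}"))


if __name__ == "__main__":
    # Genesis-block coinbase address (public, known-good) and a one-character
    # corruption of it, as a transcription error would produce.
    for candidate in ["1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa",
                      "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb"]:
        print(candidate, "->", classify_btc_address(candidate))
```

Run the check on every candidate the regex filter produced before querying an explorer; a None result means the string was mangled somewhere between the actor's keyboard and your index, and the correct address has to be recovered from another post.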

Querying teleadmin's posts over time in the Cyber Endpoint shows a marked rise in his activity over the past three months.

Increase in posts from teleadmin in the last 3 months from the Webhose Cyber Endpoint

Build a Threat Actor Profile Based on Textual Identifiers

A profile can also be built from third-party material: mentions of the actor, feedback, and discussions about him rather than his own posts. Chlnsaint was an actor arrested recently whose name was added to the Northern California Illicit Digital Economy (NCIDE) Task Force TOR page on November 28, 2020. We did some digging to see what activity related to this actor we could find in our Cyber Endpoint.

The Northern California Illicit Digital Economy (NCIDE) Task Force website in TOR

After an extensive search through our dark web sources we were able to gain more information about this actor prior to his arrest, including:

  • Chlnsaint's products listed on Empire Market.

  • Product reviews on Empire Market that refer to Chlnsaint by name (examples below).

  • Questions from users on several dark web forums asking for recommendations about this vendor and where else he was present.

  • Another Empire Market actor whose listings use exactly the same phrases as Chlnsaint's, suggesting either an associate or the same actor behind a second account (examples below).

  • Queries on the actor's handles show that he was active mostly on Empire Market and was referred to on various dark web forums by prospective or existing buyers.

Product review on Empire Market referring to Chlnsaint by name, from the Webhose Cyber Endpoint
Product review on Empire Market referring to Chlnsaint by name, from the Webhose Cyber Endpoint
Original post from Chlnsaint on Empire Market, from the Webhose Cyber Endpoint
Another actor on Empire Market using the exact same phrases as Chlnsaint, from the Webhose Cyber Endpoint
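The "exact same phrases" signal above can be computed rather than spotted by eye. The following is an added example, not Webhose code or Cyber API output: it breaks each listing into four-word shingles, scores each pair of vendors by Jaccard overlap, and returns the shared phrases for an analyst to review. The listings are constructed, not Empire Market data. Copied text on its own does not say whether the second account is an associate, the same person, or an imitator trading on a known vendor's name; it only says which listings to look at next.

```python
import re
from itertools import combinations


def shingles(text, n=4):
    """Set of n-word sequences after lowercasing and dropping punctuation."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {" ".join(words[i:i + n]) for i in range(len(words) - n + 1)}


def jaccard(a, b):
    """Overlap of two shingle sets; 0.0 when both are empty."""
    return len(a & b) / len(a | b) if (a or b) else 0.0


def shared_phrases(text_a, text_b, n=4):
    """The exact n-word phrases two listings have in common."""
    return shingles(text_a, n) & shingles(text_b, n)


def find_linked_listings(listings, n=4, threshold=0.3):
    """Pairs of distinct vendors whose listings overlap by Jaccard >= threshold,
    highest score first. `listings` is a sequence of (vendor, listing_text).
    The threshold is an assumed starting point; tune it on your own corpus."""
    hits = []
    for (v1, t1), (v2, t2) in combinations(listings, 2):
        if v1 == v2:                       # same vendor reusing his own text is expected
            continue
        score = jaccard(shingles(t1, n), shingles(t2, n))
        if score >= threshold:
            hits.append((v1, v2, round(score, 2)))
    return sorted(hits, key=lambda h: -h[2])


# Constructed listings (not marketplace data): vendor_b reuses vendor_a's
# shipping boilerplate word for word, vendor_c does not.
LISTINGS = [
    ("vendor_a", "Top shelf product. Stealth packaging, ships within 24 hours, "
                 "reship policy applies, no refunds after 7 days."),
    ("vendor_b", "Best price! Stealth packaging, ships within 24 hours, "
                 "reship policy applies, no refunds after 7 days. Bulk discounts."),
    ("vendor_c", "Genuine item, discreet shipping, tracking provided, "
                 "ask before ordering."),
]

if __name__ == "__main__":
    texts = dict(LISTINGS)
    for v1, v2, score in find_linked_listings(LISTINGS):
        print(v1, v2, score)
        for phrase in sorted(shared_phrases(texts[v1], texts[v2])):
            print("   shared:", phrase)
```

Four-word shingles are long enough that generic marketplace vocabulary ("ships within 24 hours" on its own) does not drive the score; it is the run of eleven consecutive shared shingles, the entire shipping and refund boilerplate, that pushes vendor_a and vendor_b well above the threshold while vendor_c shares nothing with either.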

A Tool For Catching Cybercriminals

Even though cybercriminals make remaining anonymous a top priority, it is not always so easy. Law enforcement officials have methods of detecting cybercriminals on the dark web, and actor profiling is one of them. Webhose is proud to deliver the most comprehensive coverage of dark web data, spanning millions of sites, marketplaces, shops, and forums, to help law enforcement agencies build threat actor profiles and stop the illicit activities of some of the most active criminals around the world.

Want to learn more about how you can use dark web monitoring for actor profiling? Contact one of our data experts to learn more today!