The Top Leak Trading Dark Web Actors of 2020

Posted on December 1, 2020 by Ziv Fried

read the article

One of the most challenging but important tasks of law enforcement and national security organizations is identifying cybercriminals engaged in planning and execution of illegal activities on the dark web. These cybercriminals, or actors, take advantage of the anonymous dark web for their communication, making it especially difficult for LEA (law enforcement agencies) to discover their true identities. Modern crime fighting has engaged the help of advanced dark web monitoring technology, which provides coverage of the many dark web sites, files, networks, marketplaces and chat applications to piece together different identifiers and connect them to the same actor. 

How Dark Web Monitoring Identifies Criminals Through Actor Profiling 

For LEA to be successful in uncovering the identity of anonymous cybercriminals, they must have a method of linking these anonymous profiles to their true identity. 

This method, known as actor profiling, links the identity of anonymous actor profiles on the dark web through identifiers such as wallet ID, phone numbers, or an email address that are connected to the actor. 

For instance, in the post below the actor left his phone number. Dark web monitoring can search extensively for any other posts with the same phone number and start to create an actor profile from information from these posts.

Post from cyber endpoint showing an actor left his phone number (blurred)
Post from cyber endpoint showing an actor left his phone number (blurred)

Here in this blog post we have focused on three of the top dark web actors connected to leak trading that we identified this year through actor profiling using Webhose’s cyber endpoint. 

ShinyHunters Description: Most likely a group of different actors 

First appearance: April 

Famous breaches: Tokopedia, Zoosk, Home Chef

As far as most cyber experts know, ShinyHunters is the name of a group of a few different actors who have mainly shared databases of various companies in the last few months. Some experts speculate that ShinyHunters group is connected to GnosticPlayers, another well-known database sharing group active from 2018 to 2019. ShinyHunters built their reputation very quickly, gaining a lot of press attention at the same time. 

ShinyHunters’ first appearance was in April when they started sharing databases of companies or sites such as Bitrewards and ActionNetwork on multiple dark web forums like RaidForums. They first received media attention in early May after the group shared stolen records from about 15 companies with close to 200 million records stolen. ShinyHunters named this big stream of data Stage 1, indicating that there would be more breaches in the future.

During Stage 1, ShinyHunters shared databases of famous companies such as Tokopedia, the Indonesian e-commerce site that included 11 million user records. Later they offered the complete database of 91 million records for sale. They shared or offered for sale the databases of dating app Zoosk, meal kit company Home Chef and many more. Since Stage 1, ShinyHunters are still active and they continue to share databases publicly on the dark web from time to time. In one of their latest posts, they claimed to also offer additional databases from other industries and countries. The details of the specific sources or nature of those leaks have yet to be revealed.

Since their first appearance on Raidforums, ShinyHunters have also been active on platforms and sites such as Exploit, a famous Russian forum on the TOR network, and the recently closed Empire Market where they offered some of their databases for sale. 

Number of posts from ShinyHunters and 3rd-party mentions of them in the cyber endpoint
Number of posts from ShinyHunters and 3rd-party mentions of them in the cyber endpoint

KelvinSecurity 

Description: Most likely a group of actors 

First appearance: Beginning of 2018

Famous breaches: BMW, Frost & Sullivan, Konga

Kelvin Security is a hacking group known also as kelvinsecteam amongst other names. Their main focus is hacking in addition to leaking and the trading of databases of sites and companies. The group offers various hacking tools and databases on different platforms. One can see the full scope of their activity after purchasing a subscription to their formal site. 

The group has been active since the beginning of 2018 but in the last few months, they have become better known due to some large databases they advertised for sale or for download. In the last few months, the group posted several times about leaks for sale that they have in their immediate possession. Some of the databases they possess belong to big companies such as BMW, business consulting firm Frost & Sullivan, and the Nigerian e-commerce company Konga.

The group is currently active and posts different tools and databases on a daily basis on the dark web platforms in addition to deep web forums, and the open web social media platforms Twitter and Facebook. They also operate a Telegram channel to post new updates about their activity. KelvinSecurity has gained a high degree of credibility and seniority after operating for a number of years.

During the last two years of their activity, the KelvinSecurity hacking group shared different identifiers that enabled us to locate more of their activity on the dark web.

Number of posts from KelvinSecurity and 3rd-party mentions of them in the cyber endpoint
Number of posts from KelvinSecurity and 3rd-party mentions of them in the cyber endpoint

NightLion

Description: A single hacker

First appearance: July 12th

Famous breaches: DataViper 

NightLion is a single hacker who became famous after a big breach he claimed responsibility for from the DataViper service, a data leak monitoring service managed by Vinny Troia, the security researcher behind the Night Lion Security company that the hacker named himself after. NightLion first opened a dark web portal on July 12th where he declared responsibility for the DataViper service database leak. He became active on different dark web platforms such as Raidforums and Empire Market. He then posted this dark web portal on different platforms and also emailed tens of cyber-security reporters to gain more media coverage. 

The only known breach this actor took part in was the DataViper breach. Within the DataViper service breach, however, the actor claimed to have an additional 8,200 different databases in his possession. Among them are old databases of well-known brands like Zynga and new ones like the full 142M records from MGM resorts that have not been seen before in the dark web scene. NightLion offered the biggest 50 databases for sale on Empire Market and in the following weeks published many other databases for free on various dark web forums.

This hacker was active for only one month, announcing his last day on August 12th. Since then, this actor has disappeared from the dark web scene without any explanation.

Number of posts from NightLion and 3rd-party mentions of him in the cyber endpoint
Number of posts from NightLion and 3rd-party mentions of him in the cyber endpoint

Connecting the Dark Web Data Footprints  

In the dark web, gathering and collecting as much information about cyber criminals is a critical part of the job. Even more important, however, is the ability to filter and sort through this information and connect the right information to the right actors. In the long term, it even helps LEA track the criminal and prevent future illicit activities. Advanced dark web monitoring solutions like Webhose continuously collect and gather data from the vast numbers of networks, sites, files, and marketplaces along with discussions in chat applications to connect posts and discussions to the same actor. With the added ability to search for specific entities such as wallet ID, email address, and usernames, however, LEA and other crime-fighting organizations can now start to uncover the different identities of actors hiding anonymously in the dark web and bring their crimes to light. 

Want to learn more about how you can use dark web monitoring for actor profiling? Contact one of our data experts to learn more today!