ProfilingADarkWebCriminal_UseCase

The document discusses the profiling of a dark web criminal known as 'carnaval', who is involved in Initial Access Broker activities. It highlights the importance of gathering intelligence on cybercriminals to understand their capabilities, goals, and credibility, which can inform cybersecurity defenses. Through monitoring carnaval's forum activity, insights into their operational methods and target preferences are revealed, aiding in threat assessment and prevention strategies.

Uploaded by

jhenning0140
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
7 views

ProfilingADarkWebCriminal_UseCase

The document discusses the profiling of a dark web criminal known as 'carnaval', who is involved in Initial Access Broker activities. It highlights the importance of gathering intelligence on cybercriminals to understand their capabilities, goals, and credibility, which can inform cybersecurity defenses. Through monitoring carnaval's forum activity, insights into their operational methods and target preferences are revealed, aiding in threat assessment and prevention strategies.

Uploaded by

jhenning0140
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 12

PROFILING A DARK WEB CRIMINAL

A USE CASE FOR GATHERING INTELLIGENCE ON A DARK WEB ALIAS

INTRODUCTION

The main reason that criminals use the dark web is for the anonymity that it provides. Dark web networks such as The Onion Router (Tor) mask where traffic is coming from, so that a user cannot be identified based on their IP address.

The most sophisticated criminals work hard to maintain their operational security (OPSEC) on the dark web, taking care not to share any information that might lead to their identification by law enforcement or cybersecurity professionals. Of course, it is hard to avoid mistakes over time, and there are countless examples of criminals being unmasked by slip-ups such as the use of email addresses or usernames that match clear web accounts (see our Suspect Identification [1] use case for more information on how criminals can be identified).

However, even in the case where a criminal’s OPSEC is so good that they can’t yet be unmasked, there is still a great deal of value that can be unlocked in gathering intelligence on their online persona.

In the area of cybersecurity in particular, a cybercriminal’s real name is almost certainly of less value to a defender than a clear understanding of details such as their favored tactics, techniques, and procedures, their associations with other cybercriminals, and their role in the cybercriminal ecosystem. While the dark web may mask a threat actor’s identity, it also provides a great deal of intelligence on their activities that can be used to inform cybersecurity defenses and ultimately prevent attacks.

To demonstrate how this can be achieved, we have taken the example of a real dark web persona that goes by the alias “carnaval” to show how intelligence and cybersecurity professionals can build a profile using dark web intelligence.

[1] https://slcyber.io/whitepapers-reports/suspect-identification-gathering-evidence-from-the-dark-web/

Searchlight Cyber 1
Profiling a Dark Web Criminal

A CYBERCRIMINAL OF INTEREST

To demonstrate how dark web intelligence can be used to build a profile of a cybercriminal, we have taken the real life example of “carnaval”, an actor we regularly observe interacting with Initial Access Broker posts on dark web forums.

This activity makes carnaval a “person of interest” because Initial Access Brokers are a type of cybercriminal that sell vulnerabilities in an organization onto other threat actors to exploit. They play a critical role in the cybercriminal ecosystem, where increasingly actors with specific skills own their own area of the attack “supply chain”. For example, we regularly observe cybercriminals involved with ransomware groups purchasing vulnerabilities from Initial Access Brokers, to conduct their attacks.

This activity usually takes place on dark web forums and often in the form of a rudimentary auction - with the Initial Access Broker listing a “start” price, “step” increments of bidding, and a “blitz” price to buy the access outright.

We have observed carnaval “bidding” on these posts, which indicates that they could be an active cybercriminal. Indeed, carnaval was recently identified by cybersecurity researchers [2] as a possible affiliate of the ransomware group LockBit.

Now we have identified our individual of interest, what can we learn about them using dark web intelligence?

[2] https://www.trendmicro.com/en_gb/research/24/d/operation-cronos-aftermath.html


PROFILING A THREAT ACTOR

When assessing a cybercriminal, typically we are trying to understand the following things:

THEIR CAPABILITIES
Establishing how skilled they are at hacking, the resources they have at their disposal, and their previous experience in conducting attacks, can help a security team determine the level of genuine threat an actor poses. Remember - like all online forums - there is an element of bravado on hacking forums. Cybercriminals are not above making false claims and overstating their ability, so this assessment is important for identifying which threat actors need to be monitored as a priority.

THEIR CREDIBILITY
Further assessment of the risk an actor poses can be undertaken based on their reputation within the cybercriminal community. For example, a cybercriminal with long-standing forum accounts, a lot of communication with other forum members, and generally positive interactions could be assessed to be more of a threat than an actor with no clear social “standing” in the hacking world. Many forums have ranking systems that can help security professionals to quickly establish an actor’s credibility.

THEIR GOALS AND MOTIVES
While most cybercriminals operating on the dark web fall under the bracket of “financially motivated”, there are nuances within that category. For example, we increasingly observe financially motivated attacks being targeted at organizations in nations that have an opposing political view. Goals also differ between cybercriminals, with some looking to launch the attack themselves while others (like Initial Access Brokers) hold a role in the cybercriminal supply chain.

IDENTIFYING CRITERIA
Capturing information such as emails, usernames, cryptocurrency addresses, and details such as Telegram account handles, Tox addresses, and PGP keys not only increases the likelihood of law enforcement unmasking the individual but can also help cybersecurity professionals to identify other accounts the actor has. Cybercriminals often operate across multiple sites, sometimes with different usernames. Linking these dark web profiles enables a more accurate assessment of the threat.

Understanding these key points will enable a security team to assess the level of threat an actor poses to
an organization and - from there - make decisions around the best next steps. Ultimately, that is the aim
of threat intelligence: to make the best possible decisions given the situation and information at hand.


PROFILING CARNAVAL

Our dark web intelligence platform has accumulated the following information on the cybercriminal known by the alias “carnaval”. This initial intelligence gets us some way to building a profile on carnaval, in line with the criteria outlined on Page 3 (Profiling a Threat Actor). For example, even the actor’s presence on the XSS and Exploit forums is suggestive of a certain amount of credibility within the cybercriminal community. Their Tox account also helps us to create a link between different dark web sites, increasing the likelihood that it is the same individual operating in different forums.

ACTIVE SINCE: October 2020
ACTIVE ON: XSS, Exploit, AntiChat
IDENTIFIERS: Tox Address
LANGUAGES: Russian (primary), English (secondary)

ACTIVE SINCE
The actor carnaval appears to have initially started their activity on the hacking
forum Exploit and then transitioned over to XSS, with no activity seen on Exploit since
September 2023 (Figure 1). Exploit and XSS are infamous hacking forums that have been
active for nearly two decades. Users of these forums tend to see themselves as more
“professional” than cybercriminals in other, non-Russian hacking forums.

[Figure 1: A timeline of carnaval’s activity on the Exploit and XSS forums. Bar chart of count of records per 30 days, 2021 to 2024, with separate series for Exploit and XSS.]


ACTIVE ON
As well as Exploit and XSS, we assess with low confidence that carnaval also has a presence
on another Russian hacking forum, AntiChat. There are only two posts attributed to carnaval
on this site, which makes it difficult to come to a reliable judgment, although there is a shared
identifier that suggests it is the same actor (see “Identifiers” below).

IDENTIFIERS
The same TOX address was used by the actor carnaval across their Exploit, XSS, and AntiChat
accounts, suggesting that it is the same person on all three sites. TOX is a messaging service
offering end-to-end encryption, which makes it a popular communication tool for cybercriminals.

LANGUAGES
More than two-thirds of carnaval’s posts are in Russian, which indicates that this is their first
language. This is consistent with the use of Exploit, XSS, and AntiChat, which are all forums
that primarily use the Russian language.


LEARNING FROM THREAT ACTOR CONVERSATIONS
Once cybersecurity professionals have established where the actor is active, far more intelligence can
then be produced by reviewing the conversations carnaval has had on the dark web and actions that
they have taken.

CUSTOMER OF INITIAL ACCESS BROKERS

Searching for “carnaval” and the auction terms discussed on Page 2 (A Cybercriminal of Interest) in our dark web platform returns dozens of results for Initial Access Broker posts that carnaval has bid on. Figure 2 is a typical example, where carnaval has paid the “blitz” price - i.e. bought the access outright - in an auction for remote desktop protocol (RDP) access related to an organization in the US.

  RDP LOCAL ADMIN USA 7 KK
  18th Aug 2023, 10:57 am // Posted by sandocan // Posted on Exploit // English

    rdp
    Geo: usa
    Network = local network
    Level = Login Administrator
    Domain computers = 33
    Zoom/rev: 7kk
    Industry: Airlines, Airports & Air Services, Transportation
    The company transports Metals to Airlines Companyes and Commercial Companyes
    AV = Kpaspersky
    Windows = 2012 R2
    Info: Over 5 TB of data
        : Quick Books Installed
    Start 1000$
    Step 250$
    Blitz 1500$
    PPS / 12 H
    Forum Escrow +++ Accepted !!!

  18th Aug 2023, 12:10 pm // Posted by carnaval // Posted on Exploit // English
    Blitz

  18th Aug 2023, 12:13 pm // Posted by sandocan // Posted on Exploit // English
    Winner Carnaval

  18th Aug 2023, 12:25 pm // Posted by sandocan // Posted on Exploit // English
    Moderator Please close
    Access sold to @ Carnaval

Figure 2: carnaval successfully bids on access to an American organization in the aviation industry on the hacking forum Exploit. “Blitz” indicates that carnaval bought the access outright for the listed price of $1,500. Spelling mistakes have been included so as not to alter the original posts.

By monitoring these posts, a security team can gather intelligence on the types of organizations that
carnaval targets, the types of access the actor typically bids for, and exactly how much the actor is
willing to pay for the access. These trends become particularly clear across multiple posts.
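The monitoring described above, as a worked example: parsing Initial Access Broker listings laid out like Figure 2 (start, step and blitz prices plus the victimology fields), resolving who won each thread and at what price, and aggregating one buyer’s wins across threads so the trends in geography, access level and spend become visible. This is added example code, not Searchlight Cyber’s platform or code from the paper; the aliases, posts and amounts are constructed, and reading “kk” as forum shorthand for millions is an assumption.

```python
"""Added example, not from the Searchlight Cyber paper: turning Initial Access
Broker (IAB) auction threads into buyer-profile data. Listing layout mirrors
Figure 2; "kk" is read as millions; all aliases and post texts are constructed."""
import re
from collections import Counter

FIELD = re.compile(r"^\s*(geo|level|industry|av|zoom/rev|start|step|blitz)\b"
                   r"\s*[:=]?\s*(.+?)\s*$", re.I)
AMOUNT = re.compile(r"\$?\s*(\d+(?:\.\d+)?)\s*(kk|k)?\b\s*\$?", re.I)
SOLD = re.compile(r"(?:access sold to|winner)\s*@?\s*(\w+)", re.I)
FACETS = ("geo", "level", "industry", "av")  # victimology facets to count

def parse_amount(text):
    """'7kk' -> 7000000, '$ 500' -> 500, '1500$' -> 1500; None if no number."""
    m = AMOUNT.search(text or "")
    if not m:
        return None
    mult = {"": 1, "k": 1_000, "kk": 1_000_000}[(m.group(2) or "").lower()]
    return int(float(m.group(1)) * mult)

def parse_listing(body):
    """Pull the profiling-relevant 'key: value' fields out of an IAB listing."""
    f = {m.group(1).lower(): m.group(2)
         for m in map(FIELD.match, body.splitlines()) if m}
    return {"geo": f.get("geo", "").upper(), "level": f.get("level"),
            "industry": f.get("industry"), "av": f.get("av"),
            "revenue": parse_amount(f.get("zoom/rev")),
            "start": parse_amount(f.get("start")),
            "step": parse_amount(f.get("step")),
            "blitz": parse_amount(f.get("blitz"))}

def resolve_sale(listing, replies):
    """(buyer, price) from (author, text) replies, or (None, None): the seller's
    "Winner X"/"Access sold to @X" names the buyer; "blitz" = blitz price, else top bid."""
    hits = [SOLD.search(t) for _, t in replies]
    buyer = next((m.group(1).lower() for m in hits if m), None)
    if buyer is None:
        return None, None
    own = [t.strip() for a, t in replies if a.lower() == buyer]
    if any(t.lower() == "blitz" for t in own):
        return buyer, listing["blitz"]
    bids = [b for b in map(parse_amount, own) if b is not None]
    return buyer, (max(bids) if bids else listing["start"])

def profile_buyer(alias, threads):
    """Aggregate one buyer's wins over (listing_body, replies) threads."""
    prof = {"wins": 0, "spent": 0, **{k: Counter() for k in FACETS}}
    for body, replies in threads:
        listing = parse_listing(body)
        buyer, price = resolve_sale(listing, replies)
        if buyer != alias.lower():
            continue
        prof["wins"] += 1
        prof["spent"] += price or 0
        for k in FACETS:
            prof[k][listing[k]] += 1
    return prof

# Constructed threads in the Figure 2 shape: one taken at the blitz price,
# one won with stepped bids against a rival bidder.
LISTING_1 = ("rdp\nGeo: usa\nLevel = Login Administrator\nZoom/rev: 7kk\n"
             "Industry: Airlines\nAV = Kaspersky\nStart 1000$\nStep 250$\nBlitz 1500$")
REPLIES_1 = [("seller_a", "Forum Escrow +++ Accepted !!!"),
             ("buyer_x", "Blitz"),
             ("seller_a", "Winner buyer_x. Moderator please close.")]
LISTING_2 = ("vpn\nGeo: canada\nLevel = Domain Admin\nZoom/rev: 12kk\n"
             "Industry: Logistics\nAV = Defender\nStart 2000$\nStep 500$\nBlitz 4000$")
REPLIES_2 = [("buyer_x", "2000$"), ("buyer_y", "2500$"), ("buyer_x", "3000$"),
             ("seller_b", "Access sold to @buyer_x")]
THREADS = [(LISTING_1, REPLIES_1), (LISTING_2, REPLIES_2)]

if __name__ == "__main__":
    print(profile_buyer("buyer_x", THREADS))
```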


PROACTIVELY ADVERTISING FOR INITIAL ACCESS
A closer investigation of carnaval’s forum activity shows that the actor does not just reactively
bid for access but also actively advertises the fact that they are looking to buy access into certain
organizations. These posts shed even more light on carnaval - including their victimology, the types of
access they are interested in, and their reputation within the cybercriminal community.

Figure 3 is an example of such a post on the XSS hacking forum, with just some of the subsequent
responses and comments from other forum users to demonstrate the intelligence that can be extracted
by monitoring these posts.

  I WILL BUY CORPORATE ACCESS
  27th Feb 2023, 11:52 am // Posted by carnaval // Posted on XSS // Originally posted in Russian

    Hello everyone!

    I will purchase or take into work (50% to 50%) corporate access. I will consider any adequate GEO.
    I will consider purchasing with Local Admin, Domain User. Organizations without revenue, hospitals,
    critical infrastructure, where there is a danger to human life and health, do not offer. Revenue from $
    5kk. Cost from $ 500. There will never be payment in advance. Keep this in mind. Only after verification.

    TOX: [redacted]

carnaval’s original advert, posted in February 2023, establishes the criteria the actor is looking for in their victims. Interestingly, the actor claims that they are not interested in attacking hospitals, critical infrastructure or causing any “danger to human life”.

This speaks to the nuances in “goals and motivations” we mentioned on Page 3 (Profiling a Threat Actor). The indication here is that carnaval is a cybercriminal motivated by financial gain, not a desire for disruption.

Of course, carnaval’s reticence to conduct attacks that could impact “human life” does not necessarily come from a place of altruism. Many financially motivated cybercriminals avoid these targets simply because of the perception that it will bring unwanted attention from law enforcement.

Figure 3: A post from carnaval on the XSS forum in February 2023 titled “I will buy corporate access”, followed by a selection of the responses. We have redacted the actor’s TOX address.


  3rd Mar 2023, 05:35 am // Posted by blessthefall // Posted on XSS // Originally posted in Russian
    I worked with a person at a neighboring site, I can only leave a positive review!

  22nd Mar 2023, 09:23 am // Posted by SGL // Posted on XSS // Originally posted in English
    Worked with him in the past on exploit.
    Serious person.

  30th Mar 2023, 00:28 am // Posted by RocketRacoon // Posted on XSS // Originally posted in Russian
    Great buyer!

  27th Apr 2023, 08:32 am // Posted by amoralventures // Posted on XSS // Originally posted in Russian
    Everything is great! The man knows his business and doesn’t mess around.

Several XSS users respond to the advert over the next month (in both English and Russian) claiming to have worked with carnaval before and leaving positive reviews. This strongly implies that carnaval is seen to have high credibility among their peers.

More can be learned about the actor’s reputation by taking a broader look at their hacking forum profiles and interactions. On XSS, the actor has a +44 reputation score, as well as a recorded history of six successful deals, and a 0.1 BTC forum deposit (which is a down-payment that is forfeited if the actor commits a scam). This supports the hypothesis that the actor has a high level of credibility on the XSS forum.

However, carnaval’s Exploit account, which they had been using until September 2023, is a murkier picture. On Exploit, carnaval had a +28 reputation and a 0.035575 BTC deposit but also had scamming reports against them.

In each of these disputes, carnaval is accused of indicating that they would like to buy access but then not paying the seller. The records show that carnaval settled each of these disputes, paying out the seller before receiving a harsher reprimand from the moderator of the forum. It is possible that a negative reputation for not paying for initial access drove carnaval to switch from the Exploit forum to XSS.

  1st Dec 2023, 10:33 am // Posted by carnaval // Posted on XSS // Originally posted in Russian
    We will buy expensive or take at % Local Admin, Domain User, Domain Admin. Only domain infrastructure.
    Only USA, CA, Australia, New Zealand, EU.

  20th Sep 2024, 08:54 pm // Posted by carnaval // Posted on XSS // Originally posted in Russian
    We will buy expensive or take good access even with Sentinel at the discussed percentage - it doesn’t
    matter. Only USA, Canada or greater Europe (Software agreements). We don’t take anything else.

carnaval posts again several times on the same thread over the next year, often clarifying their interests. For example, in these posts the actor narrows down the geographies that they are interested in and states that they are willing to buy access to organizations “even with Sentinel”, which could be a reference to the cybersecurity products SentinelOne or Microsoft Sentinel.

Once again, this intelligence provides a clearer sense of the actor’s “goals and motivations”. While carnaval is primarily motivated by financial gain, their targets are clearly within geographies on the opposite geopolitical spectrum to Russia. This is most likely driven by the fact that Russian authorities are less likely to prosecute cybercriminals targeting organizations in these countries.


  22nd Sep 2024, 02:11 am // Posted by Infernolord // Posted on XSS // Originally posted in English
    Are you interested in the rights and interests of Chinese companies? I have a lot of
    Chinese permissions

  24th Sep 2024, 11:14 am // Posted by RocketRacoon // Posted on XSS // Originally posted in English
    not interested

True to their word, there do appear to be markets that carnaval is not interested in pursuing. In this exchange on the thread, the actor turns down access to an organization in China.

  26th Oct 2024, 06:07 pm // Posted by Cr4 // Posted on XSS // Originally posted in English
    We have access to a leading Moroccan car manufacture company.
    Revenue last year 500m$+

    1. Level: DA
    2. How many hosts: Too many (heavy bloodhound)
    3. Type of access: We have a proxy on the internal network (full access), we can get you RDP or Anydesk
    4. AV: Windows Defender
    5. Price: $10,000+

Some Initial Access Brokers post their adverts onto the thread, in the hope that carnaval will purchase them.

All of this detail from one hacking forum thread can enable an organization to build a profile that helps
them determine if carnaval is a cybercriminal that they should be monitoring - for example, if they
match the description of the Moroccan car manufacturing company posted at the end of the thread.

Just as importantly - in a world where resources are scarce and security teams have to make choices
on prioritizing threats - it can also help organizations to rule out carnaval as a significant risk to them.
For example, organizations in critical infrastructure or outside of western Europe and the US could de-prioritize carnaval as a threat.


SUMMARY
The small sample of dark web intelligence we have provided here demonstrates how a cybersecurity
team can begin to build a profile of a cybercriminal they are concerned about. We now know of carnaval:

THEIR CAPABILITIES
carnaval’s interaction with Initial Access Broker posts suggests that they are experienced in exploiting RDP access. This, combined with open source intelligence that they are associated with the ransomware group LockBit, indicates a potential point of ingress that organizations should be monitoring.

THEIR CREDIBILITY
carnaval clearly has an established reputation among the cybercriminal communities on the XSS and Exploit hacking forums (even if this is partly down to a bad track record of not paying for the access they have acquired), suggesting that the actor is an active threat.

THEIR GOALS AND MOTIVES
Organizations in the USA, Canada, Australia, and Europe are in the firing line of carnaval, unless they operate in the healthcare and critical infrastructure sectors. The actor is financially motivated and selects targets based on turnover, so should be a particular focus of organizations with a higher revenue.

IDENTIFYING CRITERIA
While carnaval has a high level of OPSEC, not exposing clear web information such as email addresses or accounts, their use of TOX has allowed us to confidently link their accounts across multiple forums, providing more information to build a comprehensive profile of the actor.


USING SEARCHLIGHT CYBER TO PROFILE DARK WEB CRIMINALS

Our dark web investigation platform gives analysts access to the most comprehensive dark web dataset on the market. It continuously captures data from the dark web and makes it easy to interrogate it in all the ways the dark web isn’t, allowing cybersecurity professionals and law enforcement to gather intelligence and take actions against cybercriminal activity.

DARK WEB SEARCH
Search through more than 15 years of dark web data for intelligence on forums, marketplaces, hidden sites, communications, threat actors, illegal goods and more. Searchlight Cyber uses proprietary software to index more sites than any other solution on the market. Our data collection is continuously updated as new sites, posts, and profiles appear and this information is kept forever, even if the original item is deleted from the dark web.

DARK WEB PROFILES
Searchlight Cyber automatically builds profiles for dark web actors, allowing analysts to find associated profiles on other dark web sites, assess links to other groups, and monitor dark web conversations. Data points such as identifying criteria are automatically parsed by the platform, providing invaluable context on actors and allowing cybersecurity professionals and law enforcement to pivot on key artifacts.

CASE MANAGEMENT
Searchlight Cyber’s case management system allows analysts to collate intelligence and useful information on a particular persona or group in files within the platform. Once a case has been created, it can be augmented with automated alerts that trigger whenever new intelligence comes to light. This allows cybersecurity professionals to continue with their day-to-day activity, safe in the knowledge that they will be aware if there is any update on a person of interest.

STEALTH BROWSER
Safely access dark web sites through a secure virtual browser hosted within the Searchlight Cyber platform. The Stealth Browser allows analysts and investigators to view content on the dark web networks Tor or I2P with one click, providing them with quick access to gather intelligence at the source. At the same time, it protects the user’s machine from malware, allowing them to visit the dark web without putting themselves or their infrastructure at risk.

RANSOMWARE SEARCH AND INSIGHTS
The profiles of the administrators and members of ransomware groups are automatically collated in the Searchlight Cyber platform. Track and investigate the dark web activity of the most active ransomware groups through our continuously updated dashboard. Ransomware Search and Insights automatically collates intelligence on more than 60 ransomware groups’ communications, members, and victims, arming security teams with the latest insights.

UK HEADQUARTERS
Suite 63, Pure Offices, 1 Port Way, Port Solent, Portsmouth PO6 4TY, United Kingdom

US HEADQUARTERS
200 Massachusetts Avenue Northwest, Washington, DC 20001, United States

VISIT WWW.SLCYBER.IO TO FIND OUT MORE OR BOOK A DEMO NOW.
