Norse Corp expert explains how darknet sites are being used to sell exploits and exploited machines


The Internet is a kind of inverted iceberg. At the top is the visible part – a huge, ever-changing mass of information. But lurking under the surface is a whole other Internet, probably far smaller, and drastically different. This is the darknet, typically accessible only using specialist tools such as Tor and I2P, and in information terms, it’s where people go to hide.

Like any enabling technology, the technologies that underpin the darknet can be used for good or bad. Tor, which was originally created by the US Naval Research Laboratory, has been useful as a tool for anonymous communications, which is especially useful in authoritarian regimes.

The dark side of the darknet is a scary place, though. Aside from sales of drugs, weapons and worse, there’s also a healthy market in computerised exploit tools, and this is what Joe Pizzo, field engineer at Norse Corporation, spends his time with colleagues looking at. He tracks down the people who create and sell tools via darknet sites. He’s seen things that would turn your hair white.

Pizzo set out to address the darknet and how it is becoming a breeding ground for emerging cyberthreats in his SecTor 2015 talk, Ground Zero Financial Services: Targeted Attacks from the Darknet. See SecTor’s interview with him here:


Years ago, nefarious sites used the open Internet to connect cybercriminals together. Carding forums would marry buyers and sellers of credit card and ID information. Some of them still do it this way, including Rescator, the credit card resale site run by the Ukranian hacker with the same handle.

More recently, though, the darknet has proven to be a safer haven for online marketplaces hoping to connect buyers and sellers of illicit material – including not just stolen IDs, but also malware and access to botnets. They’re being used to launch cyberattacks on financial institutions, and others.

Darknets make it even more difficult for law enforcement agencies to identify criminals’ identities. Admittedly, it wasn’t especially easy to crack many of these sites on the public Internet, either; bulletproof hosting and domain registrations with fake addresses made it difficult for cops to find the culprits.

Anonymous services make it harder still, though, as even with access to the server logs it can be impossible to work out where visitors to the site came from. “The sellers can just walk away,” Pizzo explained.

Law enforcement officers rely on a mixture of indirect electronic monitoring, and the occasional lapse in operational security by site organizers. That was what helped to bring down Ross Ulbricht, aka the Dread Pirate Roberts, who ran the Silk Road web site. But this is only part of the story; law enforcement officials must infiltrate these groups, operating undercover to gain the perpetrators’ trust. It’s a complex and lengthy process, which is why European prosecutors have discussed a pan-European task force to exchange information about darknet activities.

In the meantime, it takes minutes to set up a darknet site, and probably about as long to advertise it to other users via already-available channels. How’s that for network asymmetry?

Check out Pizzo’s talk on the darknet here:


Bookmark and Share