Login
Get started Get started
Get started Login
Products
Solutions
KNOWLEDGE
HELP CENTER
COMPANY

Open web

DARK WEB

DATASETS

TECHNOLOGIES

Learn

Your hub for web data

BLOG

Featured Article

Access Exclusive Content: Introducing CFC Content for Webz.io News API

Webz.io is now offering access to exclusive CFC (Centre Français d’exploitation du droit de Copie) content.

Back to Blog

The Top 3 Ways to Build a Threat Actor Profile

December 16, 2020
The Top 3 Ways to Build a Threat Actor Profile

For drug traffickers, hackers, and other cybercriminals active on the deep and dark web, the most important thing is to remain anonymous. But when you are a popular vendor on the dark web, that can be easier said than done – especially with dark web monitoring methods that build threat actor profiles. 

Cybercriminals selling illicit goods and services such as drugs, databases, hacking, or carding services need to communicate with buyers and accept the currency for the goods. As a result, they often provide contact details such as emails, phones, wallet IDs, or handles in social networks for potential buyers to contact them.

Armed with this type of information of a specific cybercriminal, we can start to perform threat actor profiling. Threat actor profiling is a method of linking the identity of specific anonymous actors on the dark web through identifiers such as wallet ID, phone numbers, or an email address that are connected to the actor. Using this method, we can track the posts of these actors in different forums, marketplaces, or chats and gain a deeper picture of his overall activity, services, or products he offers, and more. We also deanonymize the actor identity, especially if some of the details reveal his social identity using 3rd party databases. 

In this post, we’ll show you the top three ways we use Webz’s Cyber API with its available filters and supported entities to build a profile of an anonymous actor.

Build a Threat Actor Profile Based on Contact Details

The first actor, who we’ll call Hades, offers different kinds of drugs and substances for sale on different forums both in the TOR network and outside of it. Since he is quite active on a number of channels and networks, we were able to build a threat actor profile for him. 

How? We searched extensively through millions of posts from hundreds of domains, servers, and channels and were able to link his handle name to different posts in several forums. We were then able to map all the domains where the actor advertises himself to reveal his illicit drug sales.

Here are the identifiers we found:

  • Emails: [email protected][email protected] 

  • Phone numbers: +1(409) 242-0120

  • Handles in forums: Hades1, Hades911, Hades, Hcook

  • Handles in Telegram/Wickr: drHades

  • Domains:  http://quickdocuments.online/ and http://worldglobalpharmacy.com/ are mentioned in a lot of his posts as a shop where his products are being sold.

We were able to then generate a list of the illicit substances and services Hades sells: 

  • Heroin

  • Cocaine

  • Xanax

  • Alprazolam

  • Fentanyl

  • Crystal Meth

  • Morphine

  • Oxycontin

  • Weed, Cannabis, etc

  • Ecstasy

  • Ketamine

  • Hacking services

  • Hitman services

  • Fake passports, IDs, drivers’ license

  • And many more…

We discovered that Hades is active in the following domains:

  • Altcoin Explain

  • Agartha Marketplace

  • Several open-web paste sites

  • Deep Paste

  • A dark web image board

  • Several TOR based forums

  • And many more…

Here are a few examples of posts from Hades in various sources over the past year that we detected using our Cyber API:

marijuana actor profile1
Post from Hades in the TOR network found in the Webz.io Cyber endpoint
paste actor profling2
Post from Hades from a Depesz, a paste site, found in the Webz.io Cyber Endpoint
novelty profiling 3
Post from Hades from Deep Paste, a paste site in the Webz.io Cyber Endpoint
actor profiling 4
Post from Hades in the Webz.io Cyber Endpoint

Build a Threat Actor Profile Based on a Payment Method

Another actor, who we’ll call teleadmin, was active primarily in the Telegram chat application.  

After extensive monitoring, we were able to detect both a wallet ID and a handle and identify an actor who offers carding and financial fraud services and is active in many Telegram channels that discuss those topics. Hackers and carders often share wallet IDs with their customers so they can receive payments from their customers.

Here are the identifiers we found: 

  • Handles in Telegram: teleadmin, teleadmin1, DeepwebAdmin1, legitspammer, Shadow_00_Boss, teleadmin1_boss

  • Wallet ID: 1JmCeg9kLpixRUc8YX4yPAXSqgG8PDPVzu

We were able to then generate a list of the illicit services teleadmin sells:
 

  •  Full credit card numbers

  • Illegal transactions (PayPal, Western Union, Bank of America, and more)

  • Carded phones and laptops (purchased goods with stolen credit card information

We discovered that teleadmin is active in the following domains:

  • Escrowcardig
  • Sharingcaringswipes
  • ACHACHA_NIG_LTD
  • And many more…
actor profiling 5
Post from teleadmin in Telegram from the Webz.io Cyber endpoint
actor profiling 6

Once we extended the search to websites that index records of wallet ID activities (including transactions, balances, and more, we discovered even more information about this specific wallet ID and its transactions. We then discovered that this wallet ID was connected to over 7,000 transactions and was last active on November 23, 2020. That means that the actor still receives funds through this wallet ID, which is critical for law enforcement officials trying to track down cybercriminals.

actor profiling 7
Post of teleadmin’s wallet ID from Blockchain.com

By searching for posts of teleadmin over time, we detected a significant rise in his activity over the past 3 months in our data indexed in the Cyber Endpoint.

actor profiling 8
Increase in posts from teleadmin in the last 3 months from the Webz.io Cyber Endpoint

Build a Threat Actor Profile Based on Textual Identifiers

Another example of actor profiling can be related to third-party mentions of content, feedback and discussions around him. Chlnsaint was an actor arrested recently whose name was added to The Northern California Illicit Digital Economy (NCIDE) Task Force TOR page on November 28, 2020. We thought we’d do a bit of digging to see if we could find activity related to this actor in our Cyber Endpoint. 

actor profiling 9
The Northern California Illcit Digital Economy (NCIDE) Task Force website in TOR
1 1

After an extensive search through our dark web sources we were able to gain more information about this actor prior to his arrest, which included:

  • Chlnsaint’s products listed on Empire Market.

  • Product reviews in Empire Market referred to Chlnsaint by name (examples below)

  • Several users asked about this vendor’s recommendations and presence on several Dark Web forums.

  • The identification of another actor in Empire Market using exact same phrases in his listings on the site, indicating the presence of an  ally of said actor/same actor (examples below)

  • Querying the actor’s handles shows that he was mostly active in Empire Market and referred to in different dark web forums, either by new buyers or clients.

tip jar
Product review in Empire Market referring to Chlnsaint by name from the Webz.io Cyber Endpoint
actor profiling 13
Product review in Empire Market referring to Chlnsaint by name from the Webz.io Cyber Endpoint
actor profiling redo
Original post from Chlnsaint in Empire Market from the Webz.io Cyber Endpoint
actor profiling 15
Another actor in Empire Market using exact same phrases as Chlnsaint from the Webz.io Cyber Endpoint

A Tool For Catching Cybercriminals

Even though cybercriminals make it a top priority to remain anonymous, it’s not always so easy. Law enforcement officials have methods of detecting cybercriminals in the dark web, and one of those methods is through actor profiling. Webz.io is proud to deliver the most comprehensive coverage of dark web data that includes millions of sites, marketplaces, shops, and forums to help LEA build threat actor profiles and stop the illicit activities of some of the most active criminals around the world.

Want to learn more about how you can use dark web monitoring for actor profiling? Contact one of our data experts to learn more today!    

a41c69813f7a7cc558788f2f229acb07?s=150&d=mm&r=g

Webz

See author's posts

actor profilingcyber threat intelligenceDark Webthreat actorthreat actor profiling
Spread the News
Previous Post
Next Post

Subscribe to our newsletter for more news and updates!

By submitting you agree to Webz.io's Privacy Policy and further marketing communications.

Read More

Dark Web Data: A Comprehensive Guide
November 19, 2023    

Dark Web Data: A Comprehensive Guide

Learn all about dark web data in our full guide. We cover what dark web data is, how to access it, how to collect data from the dark web, and how to analyze it.
The Top Dark Web Trends in 2022
December 27, 2022    

The Top Dark Web Trends in 2022

Webz.io’s cyber analyst team reveals the top dark web trends in 2022.
Revealed: Emerging Ransomware Group, Leaked AWS Accounts, & Secret Log4j Discussions
January 12, 2022    

Revealed: Emerging Ransomware Group, Leaked AWS Accounts, & Secret Log4j Discussions

In our first edition for 2022, we reveal that threat actors are discussing Log4j vulnerabilities on the dark web, the closure of popular marketplace Torrez, a new and emerging ransomware group targeting large companies and compromised AWS accounts we found ahead of the FlexBooker leak.

Feed Your Machines the Data They Need

Feed Your Machines the Data They Need

GET STARTED
Subscribe to our newsletter for more news and updates!

Ready to Explore Web Data at Scale?

Speak with a data expert to learn more about Webz.io’s solutions
get started
Create your API account and get instant access to millions of web sources
SEE DEMO