Inside the Dark Web: Building Threat Actor Profiles [Guide]

The deep and dark web has notoriously become a home for millions of cybercriminals, who use these spaces daily to communicate and build communities, plan illicit operations, and conduct illegal trade.  

Because these spaces are often frequented by cybercriminals, they have become a valuable resource for law enforcement agencies, cybersecurity companies, and intelligence firms that are interested in cyber criminal profiling. This includes collecting the data, analyzing it, and then building the profiles of threat actors who pose potential risks.

This article explores how analysts or sophisticated data processing tools can use pieces of information from deep and dark web sites and platforms to profile threat actors.

Our case study aims to investigate and create threat actor profiling of a cybercriminal network that is involved with drug trafficking and counterfeiting which we were able to gradually uncover with a single identification of a threat found on a dark web marketplace.

But before we start, let’s first understand what cyber criminal profiling entails.

What is cyber criminal profiling?

The main goal of cybercriminal profiling is to create better preventive and responsive strategies and unmask individual offenders or groups involved in unlawful activities. This article will specifically focus on cyber criminal profiling of active threat actors on the deep and dark web. 

The process of cybercriminal profiling starts with the collection of as many digital footprints that could be associated with a threat actor as possible. These footprints could be posts and records written by the threat actor on dark web platforms, the participation of this threat actor in certain groups and communities, any public correspondence of the threat actor with other members, and other digital assets that can be shared by the threat actors themselves, such as crypto addresses or phone numbers. 

These footprints are instrumental in constructing an in-depth intelligence profile of a threat actor – but collecting them is only the start of the cyber profiling investigation. The whole process requires rigorous data processing, identifying behavioral patterns, uncovering connections between different actors, and drawing substantial conclusions. All of these different elements come together to create a comprehensive profile of a cybercriminal, which provides critical insights into their operations, methods, and potential threat.

How to conduct threat actor profiling with dark web data?

To illustrate how to conduct threat actor profiling, we provide a step-by-step guide alongside a case study. We will talk about a few data analysis techniques that were applied to analyze the posts we collected and uncover the intricate web of connections between the different threat actors.  

Here are a few data analysis techniques used to carry out cybercriminal profiles:

Step #1: Topic-based monitoring

Topic-based monitoring involves a methodical monitoring process based on the specific topic we are investigating or use case. This includes identifying relevant keywords, relevant platforms, or any indicators associated with the illegal activities we are tracking. 

We ran a query using parameters related to drug trafficking to search through our pools of ongoing deep and dark web data. Our Cyber API then retrieved millions of posts and listings from various marketplaces over the past year which are linked to the trade of illicit drugs.

This kind of query can be limited to specific locations, drugs, or platforms.

Step #2: Entity extraction

Once we detect a certain threat we want to investigate, we start a process of identifying and extracting any entity that can be associated with a threat actor. This step is an important starting point for further analysis.

The following is a listing of 28 grams of Ketamine our API returned, which was found in a dark web marketplace:

The details we could extract from the listing above:

• Site name: Joy Market
• Site type: Marketplace
• Network: Tor
• Listing type: Drugs
• Date: May 15, 2023
• Username: JXXXXXl
• Seller or vendor: Vendor
• Vendor’s store: DXXXXXd
• Email address: d******[email protected]
• Phone number: +1 (424) *** ****  (associated with Los Angeles) 
• Telegram account: x***2
• Wickr Me ID: x***2

Step #3: Entity-based post expansion

In this step, we use the entities that were extracted from a specific record to discover other related records. This step is crucial in expanding the dataset and revealing more information about the threat actor, including his or her relationships with other actors and their records as well. 

This step usually involves conducting targeted searches on advanced data platforms, such as Webz.io’s, by using the extracted entities we found.

Using the entities we found, listed above, we could find hundreds of documents that we have scanned over the past year with relevant matches. Using this data, we found another 10 usernames that are linked to each other, that are active on 4 different dark marketplaces. 

One of the posts we found, which has the same Wickr ID, is the one below, which was published by a user with a different name on a different dark marketplace. This time, the listing isn’t related to drug trafficking but to the sale of counterfeit banknotes, which shows the variety of services that are offered by the same group of actors.

There are also other new entities that are mentioned in the post above, such as email addresses, phone numbers, a Telegram account (which is still alive), a Wickr ID, and other shipping details. 

This entity-based record expansion complements the information found in the initial record and enriches the analysis by capturing a wider range of data points and relationships. This, in turn, enables us to carry out a more comprehensive and effective actor profiling investigation.

Step #4: Network construction using link analysis

After enriching our dataset with ongoing searches, based on new entities that we found, we use link analysis, which is also known as network visualization, to map the networks of the threat actors, their connections, and their associated assets. This can be achieved by using an automatic system that can pull all the relevant data in JSON format and process it. Then we can create a node for each threat actor and establish links between them based on their associations and mentions in the posts.

So far, in our case study, we succeeded in identifying a network of about 100 different usernames that are associated with each other by a whole chain of linked entities.

Our data enrichment, which identifies entities like email addresses and phone numbers, allowed us to detect 25 unique email addresses, 35 unique phone numbers, and 2 unique crypto addresses. Based on the prefixes of the phone numbers, the majority of them are associated with North America, followed by the Netherlands, Ireland, Germany, and the UK. We also detected dozens of chat accounts that belong to two main chat applications: Telegram and Wickr ME.

We found various dark web platforms that hosted the activity of the usernames we investigated. Among them we can find dark web marketplaces such as Joy Market and RobinHood Market, underground forums such as Dread and XSS, and chat platforms such as Telegram. 

In addition, we used our location enrichments in order to find where the threat actors operate. The top locations of the threat actors we found are the US, Australia, New Zealand, Germany, and the United Kingdom. It is important to note though that as a group of dealers who mainly operate on dark web marketplaces, they offer worldwide shipping for most of their products.

We also used our categorizer, which identifies illicit topics and classifies them into relevant tags, in order to see what kind of illegal products or services they are trading. What we found is that they mainly deal with the sale of narcotics and counterfeit pharmaceuticals, but they also trade counterfeit bank notes, credit cards, fake documents (such as ID cards, passports, and driver’s licenses), counterfeit goods, and even hacking services.

This step plays an important role as it allows us to get a bird’s eye view of the subjects in question and their networks, as well as their links to each other and the nature of their operations.

Step #5: Entity resolution

Entity resolution aims to resolve and merge entities that refer to the same individual or entity across different data sources. This helps consolidate information and provide a clearer picture of the relationships and activities associated with a specific threat actor.

When looking at our case study, at this stage, we may still not know how many threat actors in total are part of this group, we can conclude that some threat actors maintain multiple users on a number of platforms to expand their scope, and some of them maintain their own unique users. 

Here are some insights we found:

#1: Clusters or communities

There seem to be groups or clusters of users that have common characteristics. For example, the same users are active on the same platform, use parts of the same text in their listings, and share the same contact points. 

The following are 2 different listings that were published by 2 different usernames. However, they share the same Wickr IDs, the same phone numbers, and parts of the same text. The way in which the phone number (where the prefix is connected to the prefix of the country)was written is also unique to these 2 users if we compare them to the rest.

#2: Unique Users

Some users have unique email addresses, phone numbers, or chat accounts that weren’t mentioned by any other users at all. This could indicate that each of those users is a unique individual rather than being one of a cluster of several different users that might be linked to only one unique individual. 

Step #6: Pattern Analysis

Pattern analysis involves identifying recurring patterns or behaviors within the data. It helps us detect common characteristics, trends, or any activities shared or performed by the threat actors. This allows us to identify groups or clusters within a network.

Here are just a few insights we found for our case study:

1. Highly active users – Some users are particularly active and are associated with a lot of linked email addresses and phone numbers out of the extracted list of entities. This could indicate that these users may be a key node in the network.
2. Specific contact methods –  Some users have clear contact preferences. For instance, some users have multiple connections but only through the phone number list, suggesting a possible preference for phone communication. On the other hand, other users have multiple connections but only through the email list, indicating a potential preference for communication by email.

3. Continuity – As soon as certain platforms the threat actors used, such as DarkFox for example, were shut down, they ensured they could maintain business as usual and moved to other alternative or new platforms. 

4. Recruitment and expansion – In addition to maintaining a network of at least a few individuals, they are open to new partners in order to help them grow and develop in new directions. 

The following is another username within the network that mentioned one of the most common emails in the network. In this post, it seems that he is looking for a partner that can help him create crypto/NFT phishing sites.

Beyond the partner search, we also learn about the new areas where the network wants to expand – after all, phishing campaigns are not among the top services they provide. Also, we can see in which areas this network is still lacking in skills.

How to use dark web data to unmask threat actors?

In an era plagued by cybercrime and illicit activities, cybercriminal or threat actor profiling stands as an indispensable tool for law enforcement agencies, cybersecurity companies, and intelligence firms.

The case study of the criminal group we investigated serves as a clear example of how using dark web data together with the data-analysis techniques we mentioned can help expose complex cybercriminal networks and contribute to cracking down on cybercriminal activities. Webz.io supports advanced platforms that automate these investigations with powerful streams of enriched dark web data feeds. By harnessing the power of threat actor profiling and continuously developing investigation techniques, cyber analysts can navigate the depths of the dark web and bring threat actors to justice.