from Hacker News

De-anonymizing ransomware domains on the dark web

by auiya on 6/28/22, 6:15 PM with 49 comments

  • by ziddoap on 6/28/22, 8:00 PM

    #1 and #2 really should just be a part of #3: catastrophic opsec.

    I don't know what it is about people who run these criminal enterprises on the darknet, but they constantly seem to be failing even the most basic of opsec. Re-using identities across multiple services, using e-mail addresses with real names, posting photos with identifiable information (and before websites stripped metadata for them, often posted with metadata), etc. I mean it's nice that they are making it easier to catch themselves, but at the same time I can only wonder how some genius can invent some novel and complex ransomware operation just to turn around and use the email they've had since they were 13 to register the services that operate it.

  • by auiya on 6/28/22, 8:05 PM

    Not sure why there's a mystique over the "dark web", they're all still just websites, and suffer the same types of vulnerabilities.
  • by orthoxerox on 6/28/22, 7:23 PM

    This should come in handy if I ever have to run a website on the dark web
  • by spacemanmatt on 6/28/22, 11:17 PM

    Looks like every server they busted broke at least one rule from the opsec info posted here just a month or two ago. Classic.
  • by neh_89 on 6/30/22, 3:28 AM

    There is no silver bullet when it comes to protecting against ransomware. A prime example of this was the WannaCry virus attack in May 2017, where 200,000+ computers worldwide were infected due to a weakness in Windows SMB (EternalBlue), which allowed hackers to hijack computers running on an unpatched Microsoft Windows operating system. Users were asked to pay anywhere from 300-700 bitcoins to decrypt the data in 3 days.

    https://www.spiceworks.com/it-security/cyber-risk-management...

  • by rkagerer on 6/29/22, 8:10 AM

    Basically they found some darknet onion sites whose operators reused the same unique favicon, self-signed TLS certificate, etc. on other sites hosted from public IPs. And in one case left a secret key in a publicly-accessible configuration file.
  • by paulpauper on 6/29/22, 12:58 AM

    Onion domains will never be good for anonymity. Too big of a surface area, too much potential leakage somewhere.
  • by Handytinge on 7/12/22, 6:36 AM

    Did that last one remind anyone of Uplink[0]?

    20 year old memories of proxying my ssh traffic through InterNIC just came flooding back!

    0. https://en.wikipedia.org/wiki/Uplink_(video_game)

  • by ipaddr on 6/28/22, 7:24 PM

    So certificates do not enable privacy; they take it away.

    SSL may stop your roommate or isp but they provide another vector for linking to other entities.

    I wonder how many are using this technique to link web properties together.
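
The linking rkagerer describes (the same favicon and the same self-signed certificate served from the .onion and from a clearnet IP) and the question ipaddr raises about using certificates to tie web properties together, as an added example. This is not code from the thread or from the article it discusses. It assumes Shodan's favicon-hash convention (MurmurHash3 x86_32 over the base64 text of the icon, 76-column line breaks included), which is public, and the sample hosts are constructed: a made-up .onion name, RFC 5737 test addresses, fake icon bytes and placeholder certificate blobs that are hashed but never parsed. The murmur implementation can be cross-checked against the mmh3 package.

```python
"""Correlate a hidden service with clearnet hosts via reused artifacts.

Two of the signals from the thread: an identical favicon and an identical
(self-signed) TLS certificate served from both the .onion and a public IP.
"""
import base64
import hashlib
import ssl
from collections import defaultdict


def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32, returned as a signed int like mmh3.hash()."""
    c1, c2, mask = 0xCC9E2D51, 0x1B873593, 0xFFFFFFFF
    h1 = seed & mask
    n = len(data)
    body = n & ~3
    for i in range(0, body, 4):                      # 4-byte blocks
        k1 = int.from_bytes(data[i:i + 4], "little")
        k1 = (k1 * c1) & mask
        k1 = ((k1 << 15) | (k1 >> 17)) & mask
        k1 = (k1 * c2) & mask
        h1 ^= k1
        h1 = ((h1 << 13) | (h1 >> 19)) & mask
        h1 = (h1 * 5 + 0xE6546B64) & mask
    tail = data[body:]
    if tail:                                          # 1-3 trailing bytes
        k1 = int.from_bytes(tail, "little")
        k1 = (k1 * c1) & mask
        k1 = ((k1 << 15) | (k1 >> 17)) & mask
        k1 = (k1 * c2) & mask
        h1 ^= k1
    h1 ^= n                                           # finalization mix
    h1 ^= h1 >> 16
    h1 = (h1 * 0x85EBCA6B) & mask
    h1 ^= h1 >> 13
    h1 = (h1 * 0xC2B2AE35) & mask
    h1 ^= h1 >> 16
    return h1 - (1 << 32) if h1 & 0x80000000 else h1


def favicon_hash(favicon: bytes) -> int:
    """Shodan's http.favicon.hash convention: murmur3 over the base64 text
    of the icon, including the newline every 76 characters."""
    return murmur3_32(base64.encodebytes(favicon))


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER certificate (what `openssl x509 -fingerprint -sha256` prints)."""
    return hashlib.sha256(der).hexdigest()


def fetch_cert_der(host: str, port: int = 443) -> bytes:
    """Live helper for clearnet hosts; not called by the offline demo below."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def link_hosts(records):
    """Index every host by its artifacts; return only artifacts shared by more than one host."""
    index = defaultdict(set)
    for r in records:
        if r.get("favicon"):
            index[("favicon", favicon_hash(r["favicon"]))].add(r["host"])
        if r.get("cert_der"):
            index[("cert", cert_fingerprint(r["cert_der"]))].add(r["host"])
    return {key: sorted(hosts) for key, hosts in index.items() if len(hosts) > 1}


# Constructed sample data: fake icon bytes, placeholder "DER" blobs (not parseable
# certificates), a made-up .onion name and RFC 5737 test addresses.
FAVICON_A = b"\x00\x00\x01\x00" + bytes(range(64))
FAVICON_B = b"\x00\x00\x01\x00" + bytes(range(64, 128))
CERT_A = b"\x30\x82\x01\x00operator-self-signed-cert-A"
CERT_B = b"\x30\x82\x01\x00unrelated-cert-B"

SAMPLE_HOSTS = [
    {"host": "examplexyz.onion", "favicon": FAVICON_A, "cert_der": CERT_A},
    {"host": "203.0.113.10", "favicon": FAVICON_A, "cert_der": CERT_A},  # same icon + cert
    {"host": "203.0.113.11", "favicon": FAVICON_B, "cert_der": CERT_B},  # unrelated
    {"host": "198.51.100.7", "favicon": FAVICON_A, "cert_der": None},    # icon only
]

if __name__ == "__main__":
    for (kind, value), hosts in link_hosts(SAMPLE_HOSTS).items():
        print(f"{kind} {value}: {', '.join(hosts)}")
```

On real data the favicon hash is the weaker of the two signals (stock CMS icons are shared by thousands of unrelated hosts), so treat an icon match as a lead to confirm with the certificate fingerprint or another independent artifact; a matching self-signed certificate, which by construction only the operator holds, is a much stronger link.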