In March, some 7,600 dark websites – about a third of all dark web portals – were destroyed in an attack on Daniel’s Hosting (DH), the most popular provider of free .onion hosting services. Its portal was breached, its database was stolen, and its servers were wiped.
That was punch one. Punch two landed on Sunday, when a hacker going by the name KingNull or @null uploaded a copy of the stolen DH database to a file-hosting portal and then tipped off ZDNet about the leak.
ZDNet reports that a quick scan of the data dump shows that it includes 3,671 email addresses, 7,205 account passwords, and 8,580 private keys for .onion (dark web) domains.
In March, Daniel Winzen, the German software developer who runs DH, initially said his portal was kaput, at least for the foreseeable future … which he also said, more or less, after DH suffered an earlier attack in September 2018. In that attack, hackers deleted 6,500 dark web sites in one fell swoop.
DarkOwl – a darknet intelligence, tools, and cybersecurity service that monitors DH and other dark web activity and analyzed the September 2018 breach – spotted Winzen’s post acknowledging the most recent attack and shared it on Twitter on March 10, the same day DH’s hosting database was destroyed.
Who is KingNull – the hacker who posted the DH database – and who else has a copy of it? Since first spotting Winzen’s March post, DarkOwl analysts have searched for answers and published their findings on the parties involved, the darknet subcultures to which they can be attributed, and the online discussions of the attack. In one such discussion, an actor claimed that Winzen was compromised while accessing child pornography.
DarkOwl linked the actor behind the accusation, @Sebastian, to an anti-pedophilia hacking group formerly known as Ghost Security (#GhostSec), which was known to track down and de-anonymize criminals who harm children. However, the group tends to take credit for its attacks and did not do so for the March attack, the company said:
An organized hacking collective like GhostSec certainly has the ability and motivation to take down Winzen’s servers, especially if there was questionable content hosted and shared, but the group has not released any statements or claims of responsibility for the hack, as they have done with other groups and individuals they have targeted in the past.
Daniel’s was down for the count
After the March attack, Winzen said he was fed up. He gives his time freely, he said, on top of his full-time job. It takes time, he said, especially given the work involved in “keeping the server free from illegal and fraudulent sites.”
How clean were these servers, exactly? Not so clean: after the 2018 attack, DarkOwl scanned the closed hidden services and discovered that hundreds contained content related to hacking and/or malware development, included drug-specific keywords, contained counterfeit-related content, specifically mentioned cards, or referred to weapons and explosives.
No database backups, redux
Was Winzen really all that committed to his darknet projects? DarkOwl has been monitoring darknet users’ skepticism about Winzen’s engagement. In fact, @null had called the DH chat room a honeypot – a claim that may well be legitimate, one anonymous user suggested. Those suspicions are underscored by a server upgrade or move that happened just weeks before the March attack, according to the darknet discussion.
If it was in fact a honeypot, that could explain why Winzen didn’t keep backups, some have suggested – which is how DH came to be wiped out so completely, twice. DarkOwl:
Those who suspect that Daniel’s chat room was in fact a honeypot assume that Daniel did not keep backups of his data because it was being monitored (and probably managed) by international or German legal officials. This was supported by the fact that a rule change regarding the sharing of any pornographic content occurred in 2018, around the same time Daniel was hacked and their databases vanished.
A lot of pasta has circulated around the darknet over the past year, claiming that many members, including [the chatroom’s controversial super administrator @Syntax] were the police.
DarkOwl’s post includes transcripts of many of the monitored conversations and is worth reading.
ZDNet asked threat intelligence firm Under the Breach to analyze the recent DH database leak. The company told the outlet that the leaked database contained “sensitive information about the owners and users of several thousand darknet domains” – information such as email addresses that can be used to link owners to certain dark web portals. Under the Breach:
This information could significantly assist law enforcement in tracking individuals who conduct or participate in illegal activity on these darknet sites.
The darknet is doing very well without Daniel
DarkOwl reports that following the March attack, users of DH services spent several weeks scrambling to figure out where to congregate and how to communicate, with or without Winzen’s support. The darknet has done very well without DH: in fact, since the March 11 hack, DarkOwl says it has seen average growth of 387 new domains per day across the darknet.
While many darknet site owners have taken the risk and parked with new hosting providers, they could be vulnerable to hackers taking over their new accounts if they didn’t change their old passwords, ZDNet points out – that is, if their leaked, hashed passwords are cracked.
While this may not seem like a glaring shame when it comes to criminal-leaning dark web services such as those devoted to child sexual abuse, we can’t applaud their downfall unreservedly. After all, in addition to protecting criminals, the darknet’s hidden services offer a refuge for those who are persecuted and/or live under repressive regimes.
ZDNet reports that IP addresses were not included in the leak, which protects both darknet criminals and those who are only looking to escape surveillance and prosecution.
In March, following the hack, Winzen told ZDNet that he planned to relaunch the service in the coming months, but only after several improvements, and that “it was not a priority.”
Will these improvements finally include database backups? … Or, in keeping with the suspicion that DH is in fact running a honeypot, will the relaunch include a way to penetrate the dark web in order to collect the IP addresses of hidden services?
If so, we’ll be sure to bring you any upcoming law enforcement news on this huge slice of the darknet pie.