SADAQAHCOINS: Darknet Jihad Funding
A few days ago word got out that a new da’esh jihadi funding site had hit the darknet. Much of the reporting has been about the novelty of the idea, which isn’t all that novel really. There was another site back in the day that was looking for bitcoin donations and was much sketchier than this one is, but who’s paying attention, right? Anyway, this site is the next generation of jihobbyist funding by an unknown group of guys, and it is novel in a couple of ways that the other reports missed. In fact, one alleged expert marked this site down as just another scam site when, while it may well be a scam, it is much more nuanced than the usual fare you see in the darknet, and thus I judge it to be run by people who at least know the jihad well and understand the Hadiths.
The premise of the site is based on the Islamic notion of Sadaqah, which is misspelled on this site to make it catchy for the jihobbyists. Sadaqah literally means charity or benevolence and is an apt name for this site because that is exactly what they are seeking. It is an interesting area of Islam concerning your obligations for charity as well as public works, and in this twist the sadaqacoins crew is attempting, as others have, to manipulate the original intent of Sadaqah for jihad and the furtherance of the war against the infidels. That this site is using trackable bitcoins and attempts to use a more opaque currency like Monero is novel only in that this site is much more slick and put together than the others I have seen out there in the past. Honestly, much of the jihad has always been propped up on donations and the Hawala system since the beginning of the GWOT.
Of course this site not only wants the believers to give them bitcoin for the jihad, but they also have funding programs for specific things like buying a sniper rifle or a truck that they can mount a gun on. Not much new here in the way of asking for donations like this inside the jihad. What is new is that the site is open to “others” suggesting funding programs or “projects” as well, so anyone could hit them up within different areas of the jihad to get this funding set up. This could be the big difference if this thing actually flies. Imagine more of the disparate cells asking for new projects and then setting up their own bitcoin wallets. This could mushroom a bit for the more savvy jihadis out there on the net looking to help but maybe not get blown up in the lands, right?
In fact, the most interesting bit for me and for my old friend Onionscan was that these guys added an Eid celebration to the mix where you could donate for sacrifice. What this means is that you could help the jihadis celebrate Eid in country by funding their goat dinner. This is a bit that I think others missed in reporting this for two reasons. First, the people who wrote about the site don’t understand the religion and the sociology, and second, the site had been updated with the Eid celebration by the time I got to it. In fact, it was here that Onionscan puked out some interesting information about the mostly secure site. It seems that their Eid celebrations were posted in haste and they forgot to get rid of their EXIF data.
Oops.
Basically, the data that I managed to pull out of all these photos show that they are using a Motorola phone camera and managed not to have their geolocation turned on. Of course this doesn’t mean they won’t mess up later and leave that kind of data in them for us to hoover up and use as coords for a hellfire visit. This all could be leveraged by the right players to manipulate them into making a mistake in the future as well. I look forward to seeing where this all goes. However, as it stands now, their OPSEC is fair to medium. They did manage to give us a lot to work with though, with all the email addresses to reach them on and their Telegram channels to infiltrate and get inside with.
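The EXIF slip described above (camera make/model left in, GPS luckily absent) is exactly the kind of thing a pre-publication check catches. The following is an added example, not code from the post or from Onionscan: a small JPEG/Exif walker that finds the APP1 segment, parses IFD0, and reports the Make and Model tags plus whether a GPS sub-IFD pointer is present at all. Because a real photo cannot be embedded here, `build_exif_jpeg` constructs a minimal sample JPEG (SOI, one Exif segment, EOI, no image data); the function names and the Motorola/constructed-model values are assumptions for the demo, and the parser only looks at IFD0, not the Exif or GPS sub-IFDs themselves.

```python
import struct

# Tags of interest in IFD0 (tag numbers from the TIFF/Exif spec).
TAG_MAKE = 0x010F
TAG_MODEL = 0x0110
TAG_GPS_IFD = 0x8825   # pointer to the GPS sub-IFD; its presence means location fields exist
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}   # bytes per element per Exif type


def build_exif_jpeg(make, model, with_gps):
    """Construct a minimal JPEG (SOI, one APP1/Exif segment, EOI) whose IFD0 holds Make and
    Model and, optionally, a pointer to an empty GPS sub-IFD. Constructed sample data only."""
    fields = [(TAG_MAKE, make.encode("ascii") + b"\x00"),
              (TAG_MODEL, model.encode("ascii") + b"\x00")]
    n_entries = len(fields) + (1 if with_gps else 0)
    data_start = 8 + 2 + 12 * n_entries + 4      # header + count + entries + next-IFD link
    entries, blob = b"", b""
    for tag, value in fields:                     # ASCII values longer than 4 bytes live out-of-line
        if len(value) <= 4:
            entries += struct.pack("<HHI4s", tag, 2, len(value), value.ljust(4, b"\x00"))
        else:
            entries += struct.pack("<HHII", tag, 2, len(value), data_start + len(blob))
            blob += value
    if with_gps:
        entries += struct.pack("<HHII", TAG_GPS_IFD, 4, 1, data_start + len(blob))
        blob += struct.pack("<HI", 0, 0)          # empty GPS IFD: zero entries, no next IFD
    tiff = (b"II" + struct.pack("<HI", 42, 8) + struct.pack("<H", n_entries)
            + entries + struct.pack("<I", 0) + blob)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def _find_exif_tiff(jpeg):
    """Walk the JPEG marker segments and return the TIFF block inside APP1/Exif, or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):                # EOI or start of scan: no more metadata segments
            break
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        body = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and body.startswith(b"Exif\x00\x00"):
            return body[6:]
        pos += 2 + seg_len
    return None


def parse_exif(jpeg):
    """Return {'Make', 'Model', 'has_gps'} from IFD0; None/False when the tag is absent."""
    result = {"Make": None, "Model": None, "has_gps": False}
    tiff = _find_exif_tiff(jpeg)
    if tiff is None:
        return result
    order = {b"II": "<", b"MM": ">"}[tiff[:2]]    # byte order declared by the TIFF header
    magic, ifd0 = struct.unpack(order + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic in Exif block")
    count = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2])[0]
    for i in range(count):
        off = ifd0 + 2 + 12 * i
        tag, typ, cnt = struct.unpack(order + "HHI", tiff[off:off + 8])
        raw = tiff[off + 8:off + 12]
        size = TYPE_SIZES.get(typ, 1) * cnt
        if size <= 4:                             # small values are stored inline in the entry
            payload = raw[:size]
        else:                                     # otherwise the entry holds an offset
            data_off = struct.unpack(order + "I", raw)[0]
            payload = tiff[data_off:data_off + size]
        if tag == TAG_MAKE and typ == 2:
            result["Make"] = payload.rstrip(b"\x00").decode("ascii", "replace")
        elif tag == TAG_MODEL and typ == 2:
            result["Model"] = payload.rstrip(b"\x00").decode("ascii", "replace")
        elif tag == TAG_GPS_IFD:
            result["has_gps"] = True
    return result


def exif_findings(jpeg):
    """Turn parsed Exif into the findings a defender acts on before an image is published."""
    meta = parse_exif(jpeg)
    findings = []
    if meta["Make"] or meta["Model"]:
        findings.append("device identified: %s %s" % (meta["Make"] or "?", meta["Model"] or "?"))
    if meta["has_gps"]:
        findings.append("GPS sub-IFD present: coordinates may be embedded, strip before posting")
    return findings


if __name__ == "__main__":
    for gps in (False, True):
        sample = build_exif_jpeg("Motorola", "constructed-model", with_gps=gps)  # constructed sample
        print("gps=%s -> %s" % (gps, exif_findings(sample)))
```

The GPS check deliberately fires on the mere presence of the GPS IFD pointer rather than decoding the coordinates, since the mitigation is the same either way: strip the segment before upload. The same walker can be pointed at real files by reading them with `open(path, "rb").read()`.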
Another point of interest for me on the OPSEC front was their choice of languages for the site. It seems that these jihadis like to speak German, Turkish, and English. These three languages are of note because the site has no area that is strictly in Arabi, and that is an oddity. This implies that the group who set this up are English speakers, Turks, and Germans who are not really well equipped to write and read Arabic, and this kind of tracks with some of the intelligence that has come out of the da’esh circles over the last couple of years. There has been an influx of foreign fighters to the jihad, but really guys, no Arabi? Shame on you as good Muslims for not at least being able to have a page in Arabi!
I guess maybe we can see if they add some Arabic later on…
14gymFijxkFzbxbacbP9ioGndsqHRuJJTc: 0 coins
1Dft8kgCWiuqRBLqgTuH2ZhVeUAxC8KGGi: 0 coins
1KHDmXfqHJM9XqDHvGfCN4KVhsuReHDfLc: 0 coins
1LGHotsLQF1evDXkt7DBTwvZ48SY3idTBL: 0 coins
12QufGGoEoNUZN6aobofCoj9giNzCeHFP4: 0 coins
184FNLi5aXGcurjEmUs7kgc7cYJ5gauduB: 0 coins
1HABpbonuhGUL1woiQELuoDFXBEV6ZLpyG: 0 coins
1Br6MtEQLgikLAQSFsrZKWxX6UPYzkAQz9: 0 coins
15zbyqsq3q5s5ea5uEQz8xFkEpsPYAW3CE: 0 coins
1KHmpHw8p7VGjQpftj2axdqq5NE3JYGT6C: 0 coins
1MFeZbNsfWqBVytLmUjYcZoV3RhxJpQ3Kn: 0 coins
17mwSmM6NzZTzoAiP3PHLAkooF9jd1xDY8: 0 coins
Meanwhile, back to the bitcoins. This site has 12 bitcoin wallets at the time of my assessment and NONE of them have any coin in there at all. Nothing, nada, niente. Of course the site is fairly new, so I can see why it wouldn’t have any coin in there yet. In fact, the site only popped up on my link search in the darknet on the 24th of August, so there is that (see below). So we need to give it time to see what else they do and if anyone actually donates. Once they do, well, then we can track the coins and see who did what, huh?
Well, this was an interesting diversion for a while, but I am still kinda meh about the whole thing. I am gonna keep an eye on it and maybe visit those Telegram channels to see what other OPSEC FAILs they make. Until then, hey, it’s out there and it’s novel.
BOOGA BOOGA BOOGA JIHAD IN THE DARKNET BOOGA!
Derp.
K.
Fine Old Cannibals: The Sexual Cannibal Site Started in 2007 and Is Still Munching Today
Well, I have done it again and gone down the rabbit hole on cannibalism. This time I came upon another clearnet site called the “Donner Party Catering” site (donnerpartycatering.com) and, well, I let the Twitter poll decide all your fates, so here’s the post on what I saw. First off, let me say that this site actually had a lot more “visual aids” than the previous site, the one the real cannibal Armin Meiwes made his cannibal connection on. This site has been fodder for darknet stories, though in this case the stories are more lurid than the actuality in a lot of ways. However, after looking at the “content” and at those who are actively still posting their stories, videos, and other materials, I wanted this time to cover not only the ick factor and novelty of this kind of site but also the actual psychology of sexual cannibalism.
The site has been around since 2007 like I said earlier, but the design has stayed in the 90’s the whole time, as seen in the screenshot above. It’s so Geocities that it out-Geocities Geocities! I guess though that it is fairly easy to maintain, so it has that going for them. The owner has been traced to a man and his wife who currently live in Florida in a retirement community. I have decided not to out their names in this post, but suffice to say that there is a married couple in Clearwater, Florida at a retirement community who are still actively living out sexual cannibalism fantasies online and in real life. They make photos and videos and they seem to be making some money off of this content today.
Note though that while he is a computer guy, he isn’t a computer security guy. The OPSEC on this site is terrible! The images and the doc and pdf files are all laden with metadata. I assume the movie files are too, but in the case of the images I saw, the EXIF data is all from their digital cameras and not from phones, where you could get some more interesting info. However, who needs that when you have everything else to see by using their email addresses and such to track their real names and locations. Anyway, yeah, you can pretty easily find out just who they are in the world, but I want to take a deeper look at the why of all this.
Google: site:darkfetishnet.com cannibal
Why cannibalism? Why cannibalism of women, primarily? Of course there is a lot of run-of-the-mill BDSM on this site as well and plenty of amateur auteurs making videos. For me the puzzle is why the mock eating of people gets sexualized for them. I also wonder just how far it is from fantasy to actually carrying these fantasies out for those who seriously have this fetish. According to my readings thus far, even if you have these impulses and only carry them out in fantasy, you may in fact already be showing signs of a serious psychopathy. You have to admit that this is a fairly odd fetish, and it goes to the extreme of Photoshopped images or, in one case, a series of live action videos where women being spit roasted over a live flame, buttered, and basted like a turkey are considered arousing.

I started to do some research into the psychology here concerning what I have been seeing on this and other sites, and I would have to say there are dual paraphilias at play. The first paraphilia, the one most prevalently displayed on these sites, is Gynophagia (see above). In this we see the preponderance of the site’s use of cannibalistic/ritualistic fantasies of cooking and consuming women, by men for the most part, but I have also seen some women-on-women fantasies here as well. Of course all of this sits under the Erotophonophilia diagnosis, but you get the picture, right?
All of this seems to be focused on feelings not only of control on the part of the cooker, but of loneliness and the desire to be integrated into a more powerful entity (person or animal in some cases), which may also involve feelings of inadequacy and loathing. In a study that I obtained online, “Vorarephilia: A Case Study in Masochism and Erotic Consumption”, one patient recounted how they had paraphilias concerning analingus and fantasies of being devoured by a large powerful woman and then excreted as feces. In this case it seems to have stemmed from a combination of loneliness and other incidents in the patient’s past that created this behavior. It then makes me wonder about these people online at this site and others: what histories they might have that led them to this particular paraphilia, and what other darker and possibly more active measures they may have taken to sate their desires.
Lykins, A. D., & Cantor, J. M. (2014). Vorarephilia: A case study in masochism and erotic consumption. Archives of Sexual Behavior, 43, 181–186. DOI 10.1007/s10508-013-0185-y
I also have to wonder about the pornography habits of people like Armin Meiwes and Dahmer, cited above in the paper on Vorarephilia. There has been very little study on this from my searching, so maybe someone out there would like to take this up and do some scholarly work on the convergence of fantasies of Gynophagia/Erotophonophilia/Vorarephilia from online communities to real life and finally committing murder and physical cannibalism. This is a very interesting subculture and psychological area that will likely have me reading more as time goes by.
Incidents of cannibalism 2000-present
Finally, I also have been wondering just how many of the people on these sites and in the media created are actually in it for the sexual paraphilia and how many are just paid performers. I am thinking that a preponderance of the material I have seen is all home made by those of both particular bents (those being eaten and those doing the eating), though this power dynamic needs to be determined. However, some of the content seems to be of a nature where it may be paid actresses and/or models. In one series of videos called “Turkeys”, three women are hunted by a man using a paintball gun while shackled. They are subsequently trussed up, taken in a truck to a remote locale, and then strung upside down. The movie cuts away to the next scene where a pit fire has been set and a spit contraption is set up with a woman being placed in it. She is then covered in butter and turkey basted while being turned over the fire by the other two women.
It’s disturbing.
Are these models paid for this? Are these women Vorarephiles seeking to live out their fantasy as well as the Gynophagic male?
I don’t really know and I really may not try to ask.
In closing, I decided to look up just how many cases of cannibalism had happened since 2000 and, well, you can see above that there have been quite a few. In fact, when you think about cannibalism you also have to take into account the core ideal of Christianity. The wafer and the wine are Jesus’ body and blood, right? This has been going on since time immemorial, but it’s also frowned upon by society, right? Meanwhile, online, these people are obviously having their jollies on these clearnet sites and have been doing so for many years. You always hear about this stuff being spooky darknet stuff, but the reality is that much more of it is on the clearnet, in really terribly designed sites by the likes of this retirement community cat.
We are a messed up species.
K
Russian Phish on Hudson Institute & IRI Org: Filling In The Gaps
So Microsoft proclaimed that they had taken down some domains and stopped the GRU/SVR from carrying out some more active measures against the US election cycle. Now, they obviously have more intel than they are letting us all know about, because while the domains are definitely set up for some gov spearphishing, we don’t have any emails or data to show they actively had a campaign running. The domains (see below) are concerned with two think tanks that have a plethora of data that the Russians would want to have and perhaps tinker with, but the government domains are aimed squarely at the Senate.
While the domains that are meant to typo-squat the think tanks are around one hundred days old, the senate domains are much older. In fact, these domains have been creepin’ around anywhere from nearly a year to just over a year. So you can see where the Russian services were aiming and that they have been planning the senate campaign for at least a year plus. The think tank domains are newer though, and as such I have to wonder about the thought process by the GRU/SVR on these. Were the Russians looking to simply gain access to these think tanks and gather intel, not just on their Russian stances but also around the world as the Russians have done before (mostly by the SVR collection missions), or was their plan to somehow steal their data and leak it as part of the larger active measures campaigns?
It seems from my searching that the domains never had any real pages attached to them, except for one having an IIS front end with nothing else. The Wayback Machine fails on all of them, as does Google, so I am going to assume that these were all just domains used as C2 for traffic and perhaps a drive-by attack in the case of one that showed up in VT and Hybrid (see above), but I could find no malware being attached to these domains with these tools. This is not to say that they didn’t, and that people clicked on links and got infected at the Senate or these think tanks. I guess we will have to wait for Microsoft to elucidate some more on these.
But, back to these think tanks and the phishing that likely was to come or already happened. I am going to assume it already happened and that is how these domains were picked up: something happened internally and got reported? Is MS paying that much attention to domains, or were they seeing O365 traffic (phish) and caught on? As far as I have read so far, they really don’t tell us how they got the tip-off, but they must have had evidence because they took over the domains. In this section though, I want to focus on the why and the what of the active measures here by the Russians. Why these two think tanks? What were they going to do with the access, one wonders. Or would this have been in tandem with the senate domains, luring those being phished to an IRI report? It turns out that IRI (International Republican Institute) put out a press release on the revelations about their domain squat.
I guess that IRI itself, as well as the other org squatted (Hudson Institute), could be not only the targets of phish using these domains but also used as fodder to entice Republicans, as well as perhaps Democrats, to click on a tasty link and either get a drive-by or be linked to a credential phishing site. As the DNC attacks, I believe, were credential harvesting sites, it is likely that this would be the case for all these entities were the Russians looking to gain a foothold on any of them. I am gonna say though that the domain my-iri.org and the sharepoint domain for hudson.org say that they were looking to fool internal folks into clicking on something. As to the other domains, it looks straight up like internal users being targeted.
So what would the goals be here with these? If you were to go after their internal systems and the fellows there what would you be looking for? I am going to say this too would have been a fishing expedition for information that the Russian government could use to destabilize all kinds of places as well as to understand how the think tanks were approaching Russia. If you look at the image at the top of the page you can even see how Hudson has a paper on countering the Kleptocracy. My concern here would be that not only would the adversaries be looking to steal information but also to pull the same kind of job on these orgs that they did to the DNC. Basically, I think it would be a disinformation campaign against these orgs to cause instability in their content and their following. I could also see tinkering with their reports as well as a means to make them untrustworthy. An added bonus to this also would be collection on any collaborators that the Russians might want to eliminate in country if the emails have source conversations too.
Of course now we are hearing that the Russians are attacking not only Dems but also Republicans, and it is important to remember that their goal is to sow chaos and cause division. This is because if they can cause these things, the outcome is inaction as well as possibly traction for those like Trump that they are actively supporting with these kinds of active measures, as we saw in 2016. So, there you have it; unless Microsoft and others care to give us some more information to work from, this is pretty much all you can glean of their motives by proxy of their domains. You can see though that they have been working on these plans for some time, at least a year for the think tanks and over a year for the senate campaigns.
In closing though, I want to just say that it would be real easy for the Russians to get the conventions of the email addresses as well as who to target at these institutions just by using LinkedIn. I did some cursory searches in Google and LI and came up with shovels full of names and email addresses to use. It’s phishing season, kids! I do wonder just how much security training these people have….
Hmmmm…
K.
DEFCON, Hotel Sneak & Peeks, and The Law
DEFCON 26 was last week and as usual there was some hacker drama. It is inevitable that drama will rise out of the con because, well, hackers know drama! In fact, they cause a lot of drama and that is their thing as a community. So, this year’s drama is brought to you by two factors. The first factor is that the DEFCON community has a long history of being kinda unruly and causing mischief, and some of that mischief is illegal while other pranks just cause heartburn for the people and the venues that the conferences are held at. However, in a post-Mandalay Bay mass shooting era, the pranks and the mischief may not be tolerated as well by the casinos like Mandalay Bay or Caesars because they are on edge, and the community of hacker snowflakes needs to take that into account when they attend.
While the conference owners/operators try to combat and police their hackers, it is still not uncommon to find attendees doing things that might damage the systems of the casino (like messing with WiFi using deauth) or messing with the artwork (e.g. putting googly eyes on all the statues and artwork in Caesars). So it is understandable why, as some have said this year, “Caesars hates us”. In fact, when you have a convention like DEFCON in Vegas and the whole town is being told not to use ATMs, your phone, your Bluetooth, your wireless, or anything electronic while the con is there, you pretty much have a bad reputation that YOU are in fact reinforcing, right?
Just sayin…
Anyway, this last DEFCON we had a new wrinkle after the mass shooting at Mandalay, as I alluded to last year. It seems that since the shooting the hotels have decided that they can “sneak & peek” any room they feel they need to in case the occupant might be planning something like this incident. Now you have a zillion hackers known for odd if not bad activities in the properties and a conference on hacking where shenanigans go on all the time, add this new rule, and you get wailing and gnashing of teeth. It seems that the hotel had been just opening doors and walking in on guests there for DEFCON, as well as going into their rooms while they were out and pawing through their things. In some cases it was said that the hotel security people had taken things like lock picks from the rooms, confiscated, because REASONS! People took to Twitter and complained, saying that this was illegal and made things more dangerous for women (some had been walked in on, and at least one may have been walked in on by someone not in security) and this was illegal search and seizure! The Fourth Amendment was being violated and this was targeting poor hackers!
WE ARE BEING PROFILED!
ERMEGERD!
Well, yes, you security snowflake, you were being profiled, because look at your collective history! Honestly people, you have a bad reputation with the hotels and you expect anything else? At best we are tolerated for the money, kids; we are not a beloved institution that is welcomed to Vegas, you need to wake up. While I personally think it is pretty shitty that these security folks were walking in on people with no knock in some cases, it is also my opinion that it is not illegal and that the Fourth Amendment is not being violated here because they are not doing so at the behest of the government or agents thereof, i.e. cops. I had an interesting exchange with a lawyer I know on Twitter about this, and the salient point he gives is that you are not really given Fourth Amendment privileges here and that the contract you sign when you rent the space allows for these actions. What’s even more salient is that it is likely in the small print you are signing off on!
The gist here is, as I said, you cannot rely on the Fourth Amendment here and they have the legal right to do what they did. It’s sucky, but it is the law and you have to abide by it or not stay in their casino. Now, given what happened last year with the mass shooting, and that Mandalay Bay is in fact suing the victims of the attack as a pre-emptive strike against lawsuits against them for allowing this to happen, you kinda see what the situation is, right? The casinos are covering their asses and using the law to do so. In a case where you, the snowflake hacker who wants to act all furtive and hide shit all week, deny access to the room “because reasons”, that does not exactly engender the right tone to make the casino think you are just a snuggy bear and not going to potentially do something like a mass shooting, right? Think about it: how many of you all went out there and put the DND sign up all week? If you were in the hotel security shoes and had to profile your guests now because of a mass shooting terrorist incident, how would it look to you as a security professional?
Hotels are soft targets, and as that goes they have to tread the line between security and ease of access and fun. In the case of attacks like the one carried out at Mandalay Bay, you have to realize that the “soft targets” are the hardest to secure from a security perspective. Fuck, come on you guys, YOU ARE SUPPOSED TO BE SECURITY PROFESSIONALS, RIGHT? You should get this if anyone ever could! Yes, it is shitty for them to just be walking in on people, but once again, they have the right to do so just as you have the right to not stay at their brand anymore. However, what if you denied them access by adding your own layer of security to stop them from at least walking in on you?
Say you are at the hotel and you know they can do this, or in fact anyone else with a modicum of technological know-how, ya know, like HACKERS, who can pick locks and bypass PROX CARDS! What do you do in a situation like that to protect yourselves? Well, you could start by getting a simple door stop, or a door stop with an alarm, right? For all the women who were walked in on and scared, this technology might have made some difference in the threat, right? It would have stopped the door from being opened and given you warning that something was happening. These tools would give you the ability to enhance your personal security AND allow you to call the front desk in the knowledge that unless they have a battering ram they are not going to get into the room quickly, and you can make the call.
It’s my suggestion you spend the money and use them…
For a bunch of people who claim to be security professionals, including and up to physical security, you all seem kinda snowflake-like to me of late. Either don’t use their hotels anymore or assess the situation and adjust accordingly. For fuck’s sake, people! I have said it before and I will repeat myself now: you are now targets not only of hotel searches because you seem scary but also because YOU ARE TARGETS OF NATION STATES BECAUSE YOU ARE AN ASSET!! How long till you finally figure this out? Hotel sneak and peeks by nation state actors, including our own, are NOTHING NEW! It’s just that now you are the targets as well because you now work in a space where you can and will be targeted.
Wake up.
K.
UPDATE: Dave Cochran makes a reasonable point about the dickishness level of the no-knock on the people involved here. Yes, it is dickish, but it is still not against the law per the cited text here. So, yeah, if you don’t like it you can go elsewhere or you can try to get the hotels to not be dicks about it.
See what works.
QAnon and Qclearancearchive: Another False Flag Influence Campaign by Russia?
Recently the bowels of 4chan erupted, spilling an ongoing thread’s dire warnings from an anonymous poster named “Q” into the real world. The posts, consisting of word jumbles and conspiracy wet dreams, began to take on a new life in the real world at protests over Trump, MAGA, and the fight against all that is sane. I had looked at the original posts on Reddit in 2017 when they started and just shrugged it off as just another conspiracy hoax cum disinformation campaign by persons unknown. How it would become an issue today, just before the mid-term elections, few could have conceived.
As you can see, the posts are little more than bad haiku, but the conspiracy nuts on Reddit and 4chan and now a couple of other aggregation sites (more on that later) have been busily using their cognitive dissonance to make crazy connections from these posts to a globalist conspiracy the likes of which even Alex Jones could not come up with himself! Basically the stories all lead to an overarching New World Order conspiracy that has everything, Illuminati, NWO, Soros, Pizzagate, and other crazy ideas, all wrapped up in a bow, with crumbs about it being spoon fed by someone allegedly inside the government with what is known as a “Q” clearance (DOE clearance). Of course Q cannot give just a straight narrative or a drop of classified data; no, it has to be this whack haiku as you see above.
I have tried to read more of this than a few pages, but literally I started to go insane from reading this drivel, so I moved on to reading the output from a QAnon conspiracy site that archives and “makes sense” for the lay reader of all the juicy secret conspiracies that are in the Q “archives”, and man, it is full of cognitive bias, mental illness, and fantasy. I will not make you read it all here, but if you do want to look for yourselves you can check the links at the bottom I will gift you all with. More interestingly though, I wanted to cover the movement as it stands today and to show you some of the information I was able to wrest from the archive site itself. The data that I got actually shows real names of people involved (well, real I guess) that perhaps can be drilled down on some more later on.
Seen above are just some of the crazy ideas these people have about hidden codes in Q posts as well as the interaction of Trump on his Twitter feed. It seems these idiots believe that “Q” is in contact with Trump over Twitter and they are working together to destroy the globalist NWO conspiracy of lizard people ruling the world!
I shit you not.
So yeah, it’s a fair bit insane, so please medicate if you plan on wading any further into the nutbaggery. However, I want to direct you to the site that this stuff came from and in particular the guy(s) who created it and are running it. At the top of this post you can see the image of a Twitter account for an “Iambecauseweare”, which it turns out is the owner/operator (self proclaimed) of irc.qclearancearchive.net, a clearinghouse of all things Q and a primer of sorts for those who want to know the great truth and get involved.
This site is a font of Q information, but when you start to look under the hood you can see that there are some interesting threads to tug on. The site has a lot of information, but what I was more interested in was that they have a penchant for creating PDFs for the masses to conveniently download. Using FOCA, I aggregated all the PDFs and then ripped out all their metadata to see who was creating these things.
Out of about 200 PDFs I have come up with 8 user names in the metadata. In this group one of them is a known conspiracy author (William Milton Cooper), but the others are all unknown people to me. Four of the accounts are just short names and no help, but the other two, Mark C. Duncan and Martin Jr. Donald, seem to be legit names on the face of it. Now, since they were all PDFs there was not as much rich metadata as there would have been had they been Word files, but at the very least we have some names to work with here.
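Both the doc/PDF metadata on the cannibal site earlier on this page and the FOCA run over the Q archive PDFs come down to the same check: what does the Info dictionary of every document you publish say about you? The following is an added example, not the post’s own code and not FOCA: a grep-style audit that pulls `/Author`, `/Creator`, `/Producer` and `/Title` from uncompressed PDFs and then aggregates the Author values across a batch, mapping each name back to the files that carry it, which is what you want when deciding what to scrub before upload. `build_sample_pdf` constructs tiny valid PDFs with made-up author names so the block runs offline; the function names are assumptions for the demo, and the regex approach deliberately ignores Info dictionaries packed inside compressed object streams or XMP, so a clean result from it is not a proof of a clean file.

```python
import re
from collections import Counter

INFO_KEYS = ("Author", "Creator", "Producer", "Title")
# A PDF string object: literal "(...)" with backslash escapes, or hex "<...>".
_PDF_STRING = r"(\((?:[^()\\]|\\.)*\)|<[0-9A-Fa-f\s]*>)"
_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "b": "\b", "f": "\f"}


def decode_pdf_string(token):
    """Decode a literal or hex PDF string to text. Covers the common escapes and the
    UTF-16BE BOM form; nested parentheses and octal escapes are rare in Info values."""
    if token.startswith("<"):
        hexdigits = re.sub(r"\s", "", token[1:-1])
        raw = bytes.fromhex(hexdigits + ("0" if len(hexdigits) % 2 else ""))
        if raw.startswith(b"\xfe\xff"):
            return raw[2:].decode("utf-16-be", "replace")
        return raw.decode("latin-1")
    body = token[1:-1]
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), body)


def extract_info(pdf_bytes):
    """Pull Author/Creator/Producer/Title from an uncompressed Info dictionary.
    Regex over the raw bytes, so Info dicts inside object streams or XMP are missed."""
    text = pdf_bytes.decode("latin-1")
    found = {}
    for key in INFO_KEYS:
        m = re.search(r"/" + key + r"\s*" + _PDF_STRING, text)
        if m:
            found[key] = decode_pdf_string(m.group(1))
    return found


def build_sample_pdf(author, creator):
    """Construct a tiny valid, uncompressed PDF carrying an Info dictionary (sample data)."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [] /Count 0 >>",
            b"<< /Author (" + author.encode("latin-1") + b") /Creator ("
            + creator.encode("latin-1") + b") /Producer (sample-producer) >>"]
    out, offsets = b"%PDF-1.4\n", []
    for num, body in enumerate(objs, 1):
        offsets.append(len(out))                      # xref needs each object's byte offset
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += (b"trailer\n<< /Size %d /Root 1 0 R /Info 3 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objs) + 1, xref_pos))
    return out


def aggregate_authors(documents):
    """documents: iterable of (filename, pdf_bytes). Returns (Counter of Author values,
    {author: [filenames]}) so every leaked name maps back to the files that carry it."""
    counts, where = Counter(), {}
    for name, data in documents:
        author = extract_info(data).get("Author")
        if author:
            counts[author] += 1
            where.setdefault(author, []).append(name)
    return counts, where


if __name__ == "__main__":
    # Constructed batch: two files share a real-looking name, one is a throwaway handle.
    batch = [("a.pdf", build_sample_pdf("Example Person", "Microsoft Word")),
             ("b.pdf", build_sample_pdf("Example Person", "LibreOffice")),
             ("c.pdf", build_sample_pdf("anon", "unknown"))]
    counts, where = aggregate_authors(batch)
    for author, n in counts.most_common():
        print("%-16s %d file(s): %s" % (author, n, ", ".join(where[author])))
```

To run it over a real directory, replace the constructed batch with `[(p, open(p, "rb").read()) for p in glob.glob("*.pdf")]`; the Creator/Producer fields are worth reporting too, since they reveal the authoring software and OS even when the Author field has been blanked.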
The domain qclearancearchive.net was registered 225 days ago and done so anonymously, and with GDPR now you get fuck all when you are trying to do OSINT on these kinds of things (thanks EU), so I am gonna have to rely on these names and some digging to get anywhere else. I started some cursory searches on these names and did not find much in the way of data. A second pass has yielded some information on Mark C. Duncan:
This Mark C. Duncan has two reviews in his Amazon list for books on conspiracy theories, one on the Masons and the other on alien abductions. Well, this could very well be the guy, but I have yet to get much else on him, which makes me want to keep searching, and I will. The other name that came out of the metadata was “Martin Jr. Donald”, which is an interesting way to put that in your system’s metadata. I am going to assume that the name is Donald Martin Jr., and a search of this name is just as obtuse. The hits that come up first for this name are all about a 400lb guy in Ohio that asphyxiated his nephew by sitting on him…
Which, yeah, anything is possible here. I see no other digital bread crumbs (snerk, look it up in the archives) to go on with this. So I am kinda at a dead end here unless they make some more mistakes. However, I would like to direct you to the language of the posts and PDFs. Either these people are the most illiterate of sorts, or English is not their first language.
All in all this is a nightmare to read and I would not recommend anyone do so. However, given recent events in Ohio and other places where QAnons have started showing up (including Trump rallies), I would suggest that we pay a little more attention to this movement. I suspect that at the very least this is yet another Russian active measure that is at best supported by the GRU and at worst run by the GRU. Given that the movement has self-realized and is now in the real world, I would think that if the GRU wasn’t already supporting or running this campaign, they soon will be.
I will leave you with the links here and move on. I will take a peek at their site intermittently to see if they leak anything else. There was no Cyrillic this time in the data, no keyboard layout, no language packs. Just some names that could be crazies in the states here who are just acting out because Trump has given them the air they need to do so. At worst though, here we go again with the active measures just before the mid-terms.
Kinda convenient though huh?
K.
https://8ch.net/qresearch/index.html
https://8ch.net/qresearch/welcome.html
https://8ch.net/qresearch/archive/index.html
UPDATE:
It seems that some are buying into the coincidences that QAnon may be a new take on another Q, a book called Q by “Luther Blissett”, a nom de plume for a couple of authors of this Italian novel

While this is a close comparison I am doubtful that this is a giant prank against the Alt-right/Nazi/Trumpistanians. If it is in fact a prank, it has now gone way past that into action and terrible possible repercussions. The fact that these idiots are now showing up in the Trump Nuremberg rallies and elsewhere, and that he has tacitly accepted it all to his repertoire should scare the alleged pranksters greatly.
After looking into this whole debacle I have to say that this story doesn’t quite wash for me. This whole story isn’t just all about boomers to start. How many boomers are on fucking reddit? Fuck, for that matter how many are out there actively on 8chan or 4chan?
COME ON!
Nope, this is something else. Maybe, if it was a prank, it took on a life of its own, but if Q is still posting, then these guys are about to get into a world of pain, as I am sure now the federal authorities are interested in this because it has become a real world issue. Even if it was a prank to start, it may also be that the Russians decided to take this on and amplify it to their own ends. The whole dialog is very Trumpian and adds to the chaos.
Meh.
You guys decide for yourselves.
K.
Maria Butina: The Knockoff Anna Chapman
AGENT OF INFLUENCE:
The arrest of Maria Butina, the poor man’s Anna Chapman has opened a whole new avenue of investigation by the amateur spy hunters as well as the professionals this week. As it turns out, Maria had been under surveillance for a while and a known quantity to the FBI/DOJ as well for some time. Butina was even in the news cycles back in 2016 attached in stories to Alexander Torshin, a Russian Oligarch cum Bratva/Mobster with ties to the FSB and to Putin. This however did not make her a household name and in effect many people in the media were caught off guard I think when the feds arrested her and presented the affidavit in court on her FARA violations and flight risk potential.
Butina had been a fixture in 2015-2016 in NRA circles, and in fact it seems that she and Torshin had been a part of a plot to funnel money to the NRA as well as to attempt to garner access to the Trump campaign/admin and others in the Republican party via entrée from the NRA itself and a certain Person 1 in the affidavit. Person 1 turns out to be Paul Erickson, an alleged master of the political universe in his own mind. He and Butina had been living together, and it has become clear that it was a task that Butina felt she had to carry out to complete her mission, per conversations the feds picked up during their surveillance of her.
It seems that Butina and Torshin, with the help of Erickson and one other person yet unnamed, were able to potentially funnel money through the NRA to the Trump campaign, to the tune of 30 million dollars. With this access and her machinations to meet and greet as many players as possible (a list was provided by Erickson, it seems, of people to hit up under his direction) they would also have access and influence over CPAC, the conservative political action group, as well. With this kind of access it seems that perhaps, with more information to come to confirm this, Russia had an access and influence campaign that changed the Republican platform’s stance on Russia to be more along the lines of what Trump is evincing today.
Poor Man’s Anna Chapman:
After all the information started coming out post the affidavit’s publication online, it then became an interesting rabbit hole to go down to see just how this operation was carried out and with what skill. After looking at things myself I am going to say here that I do not believe this was a well thought out operation being run by the likes of the SVR or the FSB. I think that this was a condoned, “let’s see what happens” kind of operation that was a sideshow to the main events of the influence operations by the GRU and SVR that we are all dealing with today. I say this for a few reasons:
1) Torshin is connected to the FSB but he is not FSB: he in fact is likely an asset of the FSB, much like some mobsters have been to the CIA in the past.
2) Torshin and Butina’s utter lack of OPSEC leads me to believe that this was not a managed operation by the FSB/SVR/GRU, because plainly it was so inept.
3) Butina seems to be a clean skin (i.e. no history as an operative) but does have a backstop story of being a Russian business owner. She isn’t really a classic kind of “illegal” because she did not have a cover identity and paperwork like the illegals busted back in 2010, who were actually trained in tradecraft and sent here undercover.
In fact the absolutely poor OPSEC with which these two carried out communications online and off is a sign to me that there were no official handlers to the operation. If there were then they were negligent to the point of idiocy. There is even an amusing exchange between Butina and Torshin about being on a phone call and it being insecure where Butina recommends using WhatsApp but it is not clear if Torshin could handle using it and that they went silent so to speak. It seems overall that they did not and the feds have quite a bit of material on them both.
Add to this the fact that they carried out a lot of these conversations in email and on Facebook and Twitter and you can see a clear pattern of lack of tradecraft, as opposed to what we have all seen come out of the recent indictments of the GRU operation against the DCCC and DNC as well as the disinformation operations. So once again I am gonna call it as amateur hour with a side of Anna Chapman Sparrow wannabe syndrome. This is also reinforced by Torshin’s comments on how Butina is like, or has surpassed, Anna in her operations.
A Noisy Operation:
What Maria Butina lacked in tradecraft, she easily made up for in the ability to entice 54-year-olds like Erickson with sex and access. It seems that she played on this quite a bit and thought of herself as the next Anna super spy, given all these photos she had taken by Oleg Volk, a photographer with a gun fetish in Tennessee. Her portfolio there is all guns all the time, and since she was playing the part of a Russian NRA right-to-bear-arms supporter it all fit the greater theme. However, even with her sex appeal and her playfulness, she managed to not be overly subtle either, and her connections to Torshin were pretty clear. The media and certain people in the government noticed and asked for her to be investigated, as well as her connections to the NRA.
As you can see from the text here she was a known quantity but all of these people around her did nothing to report her. They all just went along with the money and the possible access to her and Russia via Torshin. It really amazes me how people can just eschew all ethics and morals when large sums of money are being handed to them in order to further their own cause. As for the Republicans and the access there, like I said above I believe there is much more yet to come on her connections to individuals and the movements of money from them to NRA to Trump. I look forward to more of this coming out and in fact a little teaser yesterday was that a new player showed up at court for Butina’s hearing on being a flight risk.
That new player is a prosecutor whose specialty is trials concerning espionage. It turns out that though she has been arrested on FARA issues, she may in fact be later charged with espionage, given that this prosecutor has shown up. It is also interesting that during the hearing there were two guys from the Russian consulate there, and the reason that Butina was remanded without bail was the concern that she had packed all her things, moved money overseas, and that the consulate folks looked like they were planning an exfil if she was let go.
Giggity.
Players Yet To Be Named:
I also have to wonder who Person 2 is as well as others out there who had connections and or friendships with Butina. They all must be shitting bricks right about now I would think. One of those people mentioned in the articles I got in my OSINT searches was Cleta Mitchell. I looked her up and wouldn’t you know it, she is involved on the International Foundation for Electoral Systems board as well as seems to have raised the alarm about Russia, the NRA, and money and access being funneled from it to Trump.
I guess she saw it all up close and personal…
I wonder when we will have some more names added to the list and perhaps some indictments, or at the least subpoenas, served on this matter. Overall though, this case could be a linchpin for the Mueller investigation in a couple of ways. Certainly there is the money angle, and Mueller is most certainly following the money. The players here could end up helping the investigation for immunity as well. However, the big thing for me is that in this net of collusion and money, we may see even more Republicans touched by this case. It seems pretty clear that the Republicans changed their attitudes toward Russia after the money spigot opened, and perhaps this NRA money funnel, and perhaps the one to CPAC, will crack open and give us some answers on why people like Nunes and Gowdy, for instance, are so amenable to subverting the constitution in favor of Trump and Russia.
Perhaps they are trying to hide their guilt because, gee, there’s kompromat on them as well.
Maybe some pics of Butina, guns, and naked senators somewhere…
K.
Extortion Phish: Your Password is XXXX
I started seeing a pivot on the extortion phish plots that I reported on a while back. The new iteration of these exploits starts off with the simple statement that the extortionist knows your password and actually states it in the first sentence of the email. On average the passwords that I have seen have been ones that the users actually do have in use on the internet at various places, and the users become very agitated and panicky when they get these emails. Thankfully, though, the majority in my environment have had training and report these to me, so I get to see them and work out who may be doing this.
I wanted to put this post out though to let others know about this pivot in the attack and the use of some psychology of fear tactics to get a knee jerk reaction out of the marks in hopes of getting them to cough up bitcoin. Of course in these they want a large sum upward of three thousand dollars which makes me wonder if they actually do have passwords or access to passwords from a dump somewhere or that these guys are brazen in their attempts.
SAMPLE 1
I will directly come to the point. I know that XXXX is your pass word. More importantly, I’m aware about your secret and I’ve proof of your secret. You do not know me personally and no one employed me to look into you.
It’s just your bad luck that I found your misadventures. Actually, I installed a malware on the adult video clips (porn) and you visited this web site to have fun (you know what I mean). When you were watching videos, your browser started functioning as a Rdp (Remote desktop) with a key logger which gave me accessibility to your display and webcam. Right after that, my software collected every one of your contacts from your messenger, social networks, and email.
Next, I put in more time than I probably should have into your life and made a double display video. 1st part displays the video you were watching and second part shows the recording from your web cam (its you doing inappropriate things).
Frankly, I am willing to forget about you and let you get on with your regular life. And my goal is to offer you two options that may make it happen. Those two choices either to ignore this letter, or simply pay me $2900. Let us explore those 2 options in details.
Option 1 is to ignore this email message. Let’s see what is going to happen if you opt this path. I will definitely send out your video recording to all of your contacts including relatives, colleagues, and so forth. It won’t help you avoid the humiliation your self will feel when relatives and buddies uncover your dirty details from me.
Option 2 is to make the payment of $2900. We will call it my “privacy charges”. Now let me tell you what happens if you choose this path. Your secret remains your secret. I will erase the recording immediately. You move on with your routine life as though nothing ever occurred.
At this point you must be thinking, “I’ll just go to the cops”. Without a doubt, I’ve covered my steps to ensure that this mail can’t be traced to me also it won’t stop the evidence from destroying your daily life. I’m not looking to dig a hole in your pocket. I am just looking to get paid for the time I placed into investigating you. Let’s assume you have decided to create pretty much everything vanish entirely and pay me the confidentiality fee. You’ll make the payment by Bitcoin (if you don’t know this, search “how to buy bitcoins” in search engine)
Required Amount: $2900
Receiving Bitcoin Address: 19aJnFC6UdNjiMRtP766hVsn7Wg4KXQHbZ
(It’s cASe sensitive, so copy and paste it)
Tell nobody what you should be utilizing the Bitcoins for or they might not give it to you. The method to obtain bitcoin can take a few days so do not wait.
I’ve a specific pixel in this e mail, and at this moment I know that you’ve read through this email. You now have 2 days to make the payment. If I do not get the BitCoins, I will send your video to all your contacts including family members, co-workers, and so on. You better come up with an excuse for friends and family before they find out. However, if I receive the payment, I will erase the video immediately. It is a non-negotiable one time offer, thus please do not ruin my personal time & yours. Your time has started.
SAMPLE 2
I will directly come to the point. I’m aware XXXXX is your password. More importantly, I do know about your secret and I have proof of your secret. You don’t know me and no one hired me to investigate you.
It is just your bad luck that I found your blunder. In fact, I actually placed a malware on the adult videos (pornographic material) and you visited this website to experience fun (you know what I mean). While you were watching video clips, your internet browser initiated operating as a Rdp (Remote control desktop) that has a keylogger which provided me accessibility to your display screen and also cam. Immediately after that, my software program obtained all your contacts from your messenger, facebook, and email.
After that I gave in much more time than I should’ve exploring into your life and generated a two screen video. First part shows the recording you had been viewing and second part shows the capture from your web camera (its you doing inappropriate things).
Frankly, I’m ready to forget about you and let you continue with your life. And I will present you two options which will accomplish this. The two option is to either ignore this letter, or perhaps pay me $3200. Let us explore above 2 options in more detail.
First Option is to ignore this e-mail. Let me tell you what is going to happen if you opt this path. I definitely will send out your video recording to your contacts including friends and family, co-workers, and so on. It doesn’t help you avoid the humiliation your household will must face when relatives and buddies find out your unpleasant videos from me.
Second Option is to make the payment of $3200. We will name it my “confidentiality tip”. Now let me tell you what happens if you choose this path. Your secret remains your secret. I will delete the recording immediately. You move on with your routine life as though nothing like this ever occurred.
Now you must be thinking, “I’ll just go to the cops”. Without a doubt, I have covered my steps to ensure this mail cannot be tracked returning to me and it will not stop the evidence from destroying your daily life. I am not trying to steal all your savings. I just want to be compensated for the time I placed into investigating you. Let’s hope you have decided to make all this go away and pay me the confidentiality fee. You’ll make the payment via Bitcoin (if you do not know how, type “how to buy bitcoins” in google)
Required Amount: $3200
Receiving Bitcoin Address: 1JE6Pxdb865yhxc92KfjypcaXHgdAJpdsZ
(It’s CASE sensitive, so copy and paste it carefully)
Tell no person what you should be sending the bitcoin for or they might not sell it to you. The procedure to have bitcoins will take a short time so do not delay.
I have a unique pixel within this e-mail, and now I know that you have read through this email. You have 24 hours in order to make the payment. If I don’t get the Bitcoin, I definitely will send out your video to all of your contacts including family members, co-workers, etc. You better come up with an excuse for friends and family before they find out. Nonetheless, if I do get paid, I’ll erase the video immediately. It’s a non-negotiable offer, thus kindly don’t ruin my personal time & yours. The clock is ticking.
SAMPLE 3
Let’s get straight to the point. I am aware XXXXXXX is your password. More to the point, I am aware about your secret and I have proof of it. You don’t know me and no one paid me to investigate you.
It is just your misfortune that I came across your bad deeds. Let me tell you, I setup a malware on the adult vids (pornography) and you visited this site to have fun (you know what I mean). While you were watching video clips, your web browser started operating as a Rdp (Remote desktop) with a keylogger which gave me access to your display screen and also webcam. Right after that, my software gathered your entire contacts from your messenger, social networks, and mailbox.
Next, I gave in much more hours than I should have exploring into your life and made a two view video. 1st part shows the recording you were watching and next part shows the capture of your cam (its you doing inappropriate things).
Honestly, I want to forget all information about you and allow you to get on with your regular life. And my goal is to present you two options that may accomplish this. These two choices are with the idea to ignore this letter, or perhaps pay me $2900. Let us investigate above 2 options in details.
Option 1 is to ignore this message. You should know what is going to happen if you select this path. I will definately send out your video to all of your contacts including members of your family, coworkers, and so on. It won’t help you avoid the humiliation your household will ought to feel when friends and family find out your dirty details from me.
Second Option is to make the payment of $2900. We’ll call it my “confidentiality tip”. Now let me tell you what happens if you choose this path. Your secret remains your secret. I will destroy the recording immediately. You keep your life that none of this ever happened.
At this point you must be thinking, “I should go to the cops”. Let me tell you, I’ve taken steps to ensure this email message can’t be tracked time for me plus it will not prevent the evidence from destroying your daily life. I am not planning to steal all your savings. I am just looking to get paid for time I put into investigating you. Let’s assume you’ve decided to create all of this disappear completely and pay me my confidentiality fee. You’ll make the payment by Bitcoins (if you do not know how, type “how to buy bitcoins” in google)
Required Amount: $2900
Bitcoin Address to Send to: 169rDGiiDxTKknBYgLPDq4sCQJjKgejkni
(It is case sensitive, so copy and paste it)
Tell no one what you should be utilising the Bitcoins for or they possibly will not sell it to you. The process to have bitcoin usually takes a short time so do not put it off.
I’ve a specific pixel in this email message, and at this moment I know that you have read through this email. You now have 24 hours in order to make the payment. If I don’t get the Bitcoin, I will send out your video to your entire contacts including members of your family, co-workers, etc. You better come up with an excuse for friends and family before they find out. Nevertheless, if I do get paid, I will erase the video immediately. It is a non-negotiable offer, so kindly don’t ruin my personal time and yours. The clock is ticking.
So as you can see from the samples, the extortionist is hoping that you visit porn sites and that your password was in fact some iteration of, if not literally, the password they provided as a bona fide. If in fact the passwords are correct, it made me wonder whether these were just good guesses on the part of the adversaries or whether they have access to a dump of some site common to all the users in question. I am currently carrying out an investigation as to that, but suffice to say that either method would work, up to a point, to get the fight or flight response of the end user going, right?
So, if the adversaries have access to a dump I have to wonder what it is. In the case of some of the information I got from users, I used haveibeenpwned and did not discover anything in there from old dumps. So, if there is a leak somewhere, it is likely on some hacker site where they are offering up these passwords and these guys decided to use them in this clever way. By sending these emails through open SMTP relays and expecting no response, with no links at all or malware, these phish get through every time, bypassing the protections of filters and using sites like outlook.com to bypass any SPF settings one might have. It’s a smart tactic by an adversary intent on getting that bitcoin, really.
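The two practical pieces of the triage above, recognising the mail when it arrives and checking whether the quoted password is in a known dump, can both be scripted. Below is an added example (my code, not the post's own process) that scores a message body on the traits the three samples share: a "your password is" claim, a dollar demand, a bitcoin address, a deadline, the tracking-pixel boast, and no URL at all, which is what lets these past link-scanning filters. Each extracted address is run through a Base58Check checksum so a wallet watch list only ever holds addresses that can actually exist. It then checks the quoted password against the Pwned Passwords range API the way haveibeenpwned's k-anonymity protocol works: only the first five hex characters of the SHA-1 leave the machine and the comparison happens locally. The sample body is constructed in the wording of the samples; the password in it is made up, the address is the well-known bitcoin genesis address as a stand-in rather than one of the post's wallets, and the API response is a constructed stand-in so the whole thing runs offline.

```python
"""Triage a password-extortion phish and check its quoted password against a dump.

Added example, not the post's tooling. Everything here runs offline: the API
fetch is injected, and the default network fetcher is only used if you call it.
"""
import hashlib
import re
from typing import Callable
from urllib.request import Request, urlopen

_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

INDICATORS = {
    "password_claim": re.compile(r"\bis your pass\s?word\b", re.I),
    "dollar_demand": re.compile(r"\$\s?(\d[\d,]*)"),
    "btc_address": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    "deadline": re.compile(r"\b\d+\s*(?:hours?|days?)\b", re.I),
    "tracking_pixel": re.compile(r"\bpixel\b", re.I),
}
_URL = re.compile(r"https?://|\bwww\.", re.I)


def base58check_valid(addr: str) -> bool:
    """True if addr decodes to 25 bytes whose last 4 equal SHA256(SHA256(first 21))[:4]."""
    n = 0
    for ch in addr:
        if ch not in _B58:
            return False
        n = n * 58 + _B58.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # Each leading '1' in the text encodes one leading zero byte.
    body = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + body
    if len(body) != 25:
        return False
    payload, checksum = body[:21], body[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def triage(body: str) -> dict:
    """Score one message body and pull out the demand amounts and wallets it names."""
    hits = {name: bool(rx.search(body)) for name, rx in INDICATORS.items()}
    hits["no_urls"] = not _URL.search(body)
    amounts = sorted({int(a.replace(",", "")) for a in INDICATORS["dollar_demand"].findall(body)})
    # dict.fromkeys keeps first-seen order while dropping duplicate addresses.
    wallets = [(a, base58check_valid(a)) for a in dict.fromkeys(INDICATORS["btc_address"].findall(body))]
    score = sum(hits.values())
    return {
        "extortion_phish": hits["btc_address"] and hits["password_claim"] and score >= 4,
        "score": score,
        "indicators": hits,
        "amounts_usd": amounts,
        "wallets": wallets,
    }


RANGE_URL = "https://api.pwnedpasswords.com/range/"


def live_fetch(prefix: str) -> str:
    """Fetch the suffix list for a 5-character SHA-1 prefix from the real API."""
    req = Request(RANGE_URL + prefix, headers={"User-Agent": "extortion-phish-triage"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch: Callable[[str], str] = live_fetch) -> int:
    """Times the password appears in the corpus (0 if absent); only the hash prefix is sent."""
    sha1 = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = sha1[:5], sha1[5:]
    for line in fetch(prefix).splitlines():
        if ":" not in line:
            continue
        candidate, count = line.strip().split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


# Constructed stand-in for an API response. SHA-1("password") is 5BAA61E4...8FD8, so
# its prefix is 5BAA6 and the remaining 35 characters are the suffix; counts are made up.
FAKE_RESPONSES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
             "0123456789ABCDEF0123456789ABCDEF012:2\r\n",
}


def fake_fetch(prefix: str) -> str:
    return FAKE_RESPONSES.get(prefix, "")


# Constructed sample in the wording of the post's samples; password and address are stand-ins.
SAMPLE = """I will directly come to the point. I know that hunter2 is your pass word.
Those two choices either to ignore this letter, or simply pay me $2900.
Required Amount: $2900
Receiving Bitcoin Address: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
(It's cASe sensitive, so copy and paste it)
I've a specific pixel in this e mail. You now have 2 days to make the payment."""

if __name__ == "__main__":
    print(triage(SAMPLE))
    print(breach_count("password", fake_fetch))
```

The scoring deliberately leans on structure rather than sender or subject, since the update below notes that both are randomised; the one constant across every sample is the shape of the pitch and the wallet. Swap `fake_fetch` for `live_fetch` to query the real service for a password a user has reported.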
Where the emails fail is the amount that they are looking for (nearly 3K) and this is where they tend to lose people I think. Who’s got that kind of money as an office worker? So far the bitcoin wallets are all empty and I suspect these guys are not going to be in the champagne room anytime soon from my users but other places may be different. Having an awareness program and interfacing with your employees is a key to fighting this and other phishing schemes and in my case it seems to be working with users either just deleting the emails or sending them in.
I just have to wonder now what the next iteration will be. Will these guys up the ante and present more hacked info? Maybe some sample clips of these alleged movies as bona fides?
Hmmmm…
K.
UPDATE:
It seems the gambit has worked on some people. One of the bitcoin accounts has over 4 grand in it today. A second has just over 3K.
UPDATE 2:
The phish are coming from the Microsoft domain space for SMTP servers so this is why they are not seen as spoofed. The email addresses are random names and do not exist really according to searches I have performed. So, Microsoft needs to address where these are coming from and maybe seal up the SMTP relay hole they have.
Additionally, the random nature of the email addresses and the Outlook domain make it hard to try to track and block these in defenses that rely on heuristics like subject and sender names. This is a clever means to get these to their targets by bypassing the controls in place without a real remedy.
I fully expect another iteration of this to come along where they add some content or some other key to get the targets to react quickly to their demands and send them bitcoin.
ALSO, it seems to be tracking that the passwords being cited in the extortion emails are from the LinkedIn password dump in 2016. It may in fact be a melange of dumps, but since these are being targeted at corporate email accounts it makes sense that the adversary is using this dump cleverly.
UPDATE 3:
If my stats are right, the adversaries have now made approximately $185,499.50 in bitcoins from these phishing emails. I am checking the wallets again to ensure I have the right ones in all cases, but one of them has transactions.