Archive for the ‘DARKNET’ Category
Darknet Red Rooms: The Reality and the Fiction
This was a red room that was actually a viral ad on the darknet for a book sold on amazon!
It is said that in the darknet no one can hear you scream…
*stare*
*giggle*
Ok ok ok, I was retreading Alien’s tagline for drama. The truth of the matter is this: there are these sites out there calling themselves “red rooms” where bad things are supposed to happen to people and you, the voyeur, can pay to see that happen. Actually, you can pay and in some cases participate by chat, telling the “dungeon master” what to do to the hapless victim. All of this stuff makes for a good book or a movie, but have you ever asked yourself if they are at all real?
Well, I did, and the answer I seem to be finding is no.
To date, I have not seen any proof of a real situation where someone was tortured to death and filmed or streamed live online. There are just what you might call “exit scams” in the darknet, where people make the offer look as legit as they can to get you to pay for access and then do not deliver. While other cases of horrific online content, or more to the point video content, have been created and shared for sale on the clearnet and darknet, such as the case of Peter Gerard Scully (see image below on the case), it is yet to be proved that any of these alleged live red rooms were anything but a scam or someone’s idea of a spooky site on the darknet.
So, when I was cruising the darknet the other day and came across this post on a pastebin, I was incredulous about this new red room to be. However, when I brought up the links in the paste and they had someone’s real photos, I had to dig a little further. The idea of the red room to be is that it is being planned by some groom who is marrying this targeted individual and will bring her to a honeymoon red room event. The post itself is one in a series of evolving posts where they are looking for two things: doms, and people to pay for access to this event. Now, do I believe that this is real and that this woman is in danger?
Not really.
However, do I think that she knows that her photos have been provided as an object of this red room and those who would pay to see bad things happen to her?
No, I do not think she is aware, and this is a problem for me. You see, in the darknet I see a lot of bad shit. In many cases of late, there seems to be a spike in the use of the paste sites, as well as fully created and posted content, to incite others to do mental and physical harm to people in the real world. In an effort to find out more I did forensic research on the photos and came up with pretty much nothing useful; they have been cleaned of metadata. I then went to Google image search as well as TinEye, but none of these photos seem to be online in a way that can be searched. So, it is kind of a dead end unless someone on the internet sees this post and knows who this is. I am sure that this person might like to know that someone with access to her photos has uploaded them and tagged them to a violent red room post seeking individuals to do harm to her and to pay to watch it.
This brings me back to the whole leveraging of the darknet to post anonymously and target individuals for abuse in the real world. I have been passing these off to the proper authorities in hopes that at least the targets could be warned that this is actively happening and perhaps ready them, if not prompt them to take some protective measures to halt it. I gotta say, the darknet can be a wondrously derpy and fun place, but all of this targeted abuse stuff is just malevolent.
Can’t we just have a nice darknet that is just the new GeoCities with shitty bandwidth?
K.
@manhack sent me a link to more pictures found on yandex.ru of the woman in question! They were located on a “fap” site, and there seems to be no more information as to a name to put to the face, but the images were posted in 2009 by a user “rayray11” on imagefap.com which is, well, a fap site… So these pictures may be known to rayray, or they may have been stolen and posted here. If more turns up I will update in this section.
UPDATE II
Thanks to the diligence of @H0tdish we have located the party in question. She is a lawyer in California. We will reach out to her to let her know about these events.
UPDATE III: Authorities have been contacted to alert the person in question of these events.
K.
shaqgegpbanuq24g.onion: Alleged Iranian Espionage Sale Site
Tooling along the darknet last week I came across this little beauty and decided to play along. I collected the site first, took a look at the Persian text, and tested the site’s security with OnionScan. Here is what I found.
Original post from a pastebin on the darknet…
The Persian seems to have the right syntax for part of it but my Farsi is meh so if anyone wants to correct me there go right ahead.
ن از کارمندان سابق وزارت اطلاعات بودم و میخوام بگم که اگه کسی به اطلاعات دقیق نیاز داره یا خریدار اطلاعات است میتونه با من در تماس باشه از اونجایی که من خودم تو اون مملکت نیستم خیالم راحته و میخوام هرچی اطلاعات راجب کاراشون و افراد مخفی اون ها دارم رو در اختیار یک خریدار خوب قرار بدهم
Translation online:
I was a former employee of the Ministry of Intelligence, and I want to say that if someone needs accurate information or information purchaser can contact me, since I’m not in that country, I’m comfortable and I want all the information you need about them and their secret people. Give me a good buyer
Now all this tied to the imagery of Wikileaks and Anonymous kinda made me giggle but, it could still be legit (though not likely) so I decided to email the guy and see what I could get from him or them. The email address louferna@secmail.pro made me wonder if that was a name, I mean, Lou Ferna? Hmmm… A google of the name “Lou Ferna” got some hits but nothing that means anything really. The same goes for louferna straight up. I did go down the anagram rabbit hole for a bit but stopped myself before I started making murder maps with yarn in the office.
Anyway, in pondering the offering I had to wonder at the high bitcoin rate there. Seven bitcoins are currently worth about fifty four thousand dollars, which, I mean, you gotta be a real player to pay this, right? This kinda passed the smell test on this kind of data’s worth to the right people. Then there is the bit about giving proofs, which we shall cover further down in the post. I decided that this was worth playing with and used a cutout account to email the seller. Here are the results…
They responded first by saying they were working with someone else and brushed me off. I found that to be odd, so I pushed and emailed back saying that that deal could fall through and what harm would there be if you gave me proofs? I mean, I could up the bitcoin amount if it was good stuff! They responded back with the text below…
With this email they had attached an image file. I checked that it wasn’t some malware etc and then opened it locally to inspect it. Once I took a look I emailed back to say that I would backstop what they had sent me and respond back confirming an offer. Of course I did not respond back but instead tried to do the backstopping as I had said I would.
The information that they sent is rather complete but useless in my opinion. I will admit that I did not spend a lot of cycles on the OSINT here (enough to translate names into Persian and then search) but I tried with all the ancillary data. So far, I was able to locate only one of these people and even that one had their name misspelled. Image searches for these guys proved fruitless as well because the engines kinda suck at this kind of thing. What became obvious to me is that this is all trying to play off of the leaks by the actors dropping APT34 data on the darknet as well as telegram, which I believe dropped even more tools etc this week if I remember correctly.
Anyway, if any of you come up with more solid data on these cats lemme know. I am not spending any more cycles on it really. Add to this the fact that the site is down now and was as of Monday when I checked again, so pretty much after I emailed them they went poof. I got no wallet to send money to etc. For all I know the other “client” paid up if there really ever was one. For myself, I am leaning on this being a fraud, an interesting one at that, but a fraud. The only other thing I can possibly think is that maybe I am just not seeing the right picture here and they did sell it and rolled up the carpet.
*shrug*
Some things to take from this though…
- The site was clean, no security leaks at all. If you are gonna have a presence in the darknet it is really best to use the KISS method. These guys just used a simple static HTML page. Simple yet effective in keeping the location of the site secure and not leaving a trace online to track back with. The only thing I could say is that the email address could be an Achilles heel because it is hosted by a company rather than their own hosting service.
- The story had enough to keep one interested and to possibly think it is legit. It was a step above offering at the start to give proofs.
- The brush off, if it was a ploy, was superb SE and they were playing the long game with that.
- The 54K price tag also played into the thing being legit enough to at least talk to them.
- The story that they used to be Iranian spooks and that they lived outside of Iran now played too, it also made for possible stale data in the offering, note they talked about Khomeini and agencies from the past.
Nothing ventured nothing gained huh? I of course reported the site to the right people in low places and forwarded a copy of the site in case it went poof (which it did) so they have it all.
An amusing story for you all.
Feel free to play the home game on those guys in the pics and lemme know what you find.
K.
Darknet Mystery Boxes and UN-Boxing: Buying Mystery Boxes on Ebay and CLAIMING They Came From the SCARY SCARY DARKNET for Ad Revenue!
Spooky Darknet BOXES!!!
Lately I have become more of a YouTube junkie than I ever have been. This means that I have been plumbing the depths of the derp in the YouTubes as well as looking at cool documentaries that get posted there on history and the like. Lately though, I have been watching these “Top 5/10/15” channels with weird things like found footage posts and other oddities, ya know, the urban legends kind of shit. Well, once I started getting into that it was only fate that I would be presented with a whole bunch of videos around “Dark Net MYSTERY Boxes!”
Spoooooky!
If you are not familiar with this whole craze, the story is that in the deepest and darkest of darknets there are places where you can cough up cash (bitcoin) for mystery boxes that will be shipped to you and contain strange and spooky shit! Then, once it is delivered, the intrepid YouTuber will “unbox” that strange shit for you LIVE on cam! Often these people suit up in surgical gloves and masks and eagerly open these mystery boxes only to find random strange shit in them that is supposed to make you think they have either been cursed or been sent a serial killer’s kit of tools.
WOOOO!
A prime example of this dipshittery is Ali H, a YouTuber who claims to have spent one thousand dollars on a “darknet mystery box” for his channel and opened it on camera. While rummaging around in it he claims to have felt a stick and pinch only to pull out a syringe complete with needle! It’s here that I have to call out some things. First off, if this guy actually bought some rando box of stuff off of “the darknet”, well, then where is he getting that kind of money to do stupid stuff like this? Second, what the hell is he doing sitting in front of the camera if this is indeed a random box of stuff he did not put in there himself and did really get a needle stick from? I would think that he would have shut that camera down and gone straight to the E.R. with that needle and the story to start some tests!
*swigs whiskey*
Which then makes me wonder, is this guy faking it all for clicks? Or is there some money to be made here with these kinds of stories? Now, in looking at his video there were no ads, so, he is not making money off of advertising on his channel that I can see. He does have some other channels like an instagram and such, but I am not seeing any other revenue streams here. Well, he does have a “business inquiries” email address though… Business? What business is that? Opening darknet boxes for profit? TV hosting? Being a millennial idiot?
So yeah, if this guy has a grand to drop on some darknet mystery box and is not making some money on this somehow, I can easily show you a fool who was parted with his money, as the old adage goes. But ok, so what if there is no money in it? What if he really did not spend ANY money on this box that he packed himself and opened on air? Well, then WHY is he doing it? Well, that’s a good question and in the age of social media I am going to go with likes, clicks, and internet fame! Yup, indeed we as a society have gone full reality TV online as well as on air. I mean, this one video here is even trying to imply that this guy could DIE from buying and intrepidly braving the darknet to buy and open this spooky box! In reality, if I were this guy and really got a box that gave me a needle stick that could potentially lead to life threatening illness I’d be on the phone tout de suite with the USPS and the cops about an incident.
This guy, nah, he just looks like a stuck dull eyed cow into the YouTube machine hoping for clicks, comments, and “business inquiries”…
Ugh.
In fact while looking over the plethora of spooky mystery box channels I see many of them have no ads, but instead have other channels where they are asking for anything from bitcoin donations to hawking their own merch to keep their channels going. I mean, hell, YOU GOTTA have the bank to buy these $500, $600, $5000 mystery boxes man! What’s even more galling is that people on the other side of the screen believe this stuff! Honestly, have we devolved that much that we have an era where Slenderman and mystery boxes are “real” to people who watch a video online?
No wonder we are in the mess we are in with fake news and russian disinformation! We need to start teaching logic and ethics STAT!
There are no “Darknet Mystery Boxes”
Kids, listen close, get closer, sit by the cyber fire here… I have something to tell you. There is no such thing as a “darknet mystery box”
Trust me, I know, I live in the darknet…
*baleful stare*
In fact, I have searched high and low as others have done on the darknet forums and not one mystery box can be found for sale.
NO REALLY!
Don’t believe me? Well look above here and take it from a minion of the darknet on a post IN THE DARKNET!!
So yeah, they don’t exist on the forums but they DO exist on eBay! In fact while looking at these I do not even see any for sale for that alleged 5k… Hmmmm… Gee, I must not be in the right place huh? Maybe I need to go further down into the Marianas Web huh? If I do I better harden my system, I mean the pressure in the Marianas is a brazillion pounds per square inch right?
Nah, I shall just stay in the surface darknet I guess because THE DARKNET MYSTERY BOX IS A LIE KIDS! Don’t believe these numbnuts on YouTube and certainly don’t give them money for this fakery!
STAHHHHHHHHHHHP!
Ugh.. and I thought Russian disinfo was bad…
I’m gonna just go drink in the corner here kids.
K.
SADAQAHCOINS: Darknet Jihad Funding
A few days ago the word got out that a new da’esh jihadi funding site had hit the darknet. Much of the reporting has been about the novelty of this idea, which isn’t all that novel really. There was another site back in the day that was looking for bitcoin donations and was much more sketchy than this site is, but who’s paying attention, right? Anyway, this site is the next generation of jihobbyist funding by an unknown group of guys and it is novel in a couple of ways that, in reading the other reports, were missed. In fact, one alleged expert just marked this site down as just another scam site when in fact, while it may be a scam, it is much more nuanced than the usual fare you see in the darknet and thus I judge it to be run by people who at least know the jihad well and understand the Hadiths.
The premise of the site is based on the Islamic notion of Sadaqah, which is misspelled for the jihobbyists on this site to make it catchy. Sadaqah, literally means charity or benevolence and is an apt name for this site because it is exactly that which they are seeking. It is an interesting area of Islam concerning your obligations for charity as well as public works and in this twist, the sadaqacoins crew is attempting, as others have, to manipulate the original intent of Sadaqah, for jihad and the furtherance of the war against the infidels. That this site is using trackable bitcoins and attempts to use a more opaque currency like Monero is novel only for the fact that this site is much more slick and put together than the others I have seen out there in the past. Honestly, much of the jihad has always been propped up on donations and the Hawala system since the beginning of the GWOT.
Of course this site not only wants to have the believers give them bitcoin for the jihad but they have funding programs for specific things like buying a sniper rifle or a truck that they can mount a gun on. Not much new here in the way of asking for donations like this inside the jihad. Now, what is new is that the site is open to “others” to suggest funding programs or “projects” as well, so anyone could hit them up within different areas of the jihad to get this funding set up. This could be the big difference if this thing actually flies. Imagine more of the disparate cells asking for new projects and then setting up their own bitcoin wallets. This could mushroom a bit for the more savvy jihadis out there on the net looking to help but maybe not get blown up in the lands, right?
In fact, the most interesting bit for me and for my old friend OnionScan was the fact that these guys added an Eid celebration to the mix where you could donate for sacrifice. What this means is that you could help the jihadis celebrate Eid in country by funding their goat dinner. This is a bit that I think others missed in reporting this for two reasons. First, these people who wrote about the site don’t understand the religion and the sociology, and second, the site had been updated with the Eid celebration by the time I got to it. In fact, it was here that OnionScan puked out some interesting information about the mostly secure site. It seems that their Eid celebrations were posted in haste and they forgot to get rid of their EXIF data.
Oops.
Basically, the data that I managed to pull out of all these photos show that they are using a phone camera by Motorola and managed to not have their geolocation turned on. Of course this doesn’t mean they won’t mess up later and leave that kind of data in them for us to hoover up and use as coords for a hellfire visit. This all could be leveraged by the right players though to manipulate them to make a mistake in the future as well. I look forward to seeing where this all goes in the future. However as it stands now, their OPSEC is fair to medium. They did manage to give us a lot to work with though with all the email addresses to reach them on and their Telegram channels to infiltrate and get in their insides with.
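The EXIF check described here (camera make and model present, GPS sub-IFD absent) and the metadata scrubbing noted on the red room photos earlier in this archive, as an added example that is not part of the original post and not OnionScan’s code: a standard-library-only walker for the APP1/Exif segment of a JPEG, a stripper that drops that segment, and a constructed sample image (the “motorola” and model strings are made-up test values, not the site’s actual data).

```python
import struct

TAG_MAKE, TAG_MODEL, TAG_GPS_IFD = 0x010F, 0x0110, 0x8825   # TIFF/EXIF tag ids
SOI, APP1, SOS, EOI = b"\xff\xd8", b"\xff\xe1", b"\xff\xda", b"\xff\xd9"
EXIF_HEADER = b"Exif\x00\x00"


def _segments(jpeg):
    """Yield (offset, marker, whole_segment) up to SOS; entropy data follows SOS."""
    if not jpeg.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker = jpeg[pos:pos + 2]
        if marker[0] != 0xFF:
            raise ValueError("corrupt marker at offset %d" % pos)
        if marker in (SOS, EOI):
            return
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]  # includes itself
        yield pos, marker, jpeg[pos:pos + 2 + length]
        pos += 2 + length


def _read_ifd0(tiff, result):
    """Walk IFD0 of the TIFF blob inside APP1 and fill make/model/has_gps."""
    end = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if end is None:
        raise ValueError("bad TIFF byte-order mark")
    magic, ifd0 = struct.unpack(end + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    count = struct.unpack(end + "H", tiff[ifd0:ifd0 + 2])[0]
    for i in range(count):
        entry = tiff[ifd0 + 2 + 12 * i:ifd0 + 14 + 12 * i]
        tag, typ, n = struct.unpack(end + "HHI", entry[:8])
        if tag in (TAG_MAKE, TAG_MODEL) and typ == 2:      # ASCII string
            if n <= 4:                                      # value stored inline
                raw = entry[8:8 + n]
            else:                                           # field holds an offset
                off = struct.unpack(end + "I", entry[8:12])[0]
                raw = tiff[off:off + n]
            text = raw.split(b"\x00", 1)[0].decode("ascii", "replace")
            result["make" if tag == TAG_MAKE else "model"] = text
        elif tag == TAG_GPS_IFD:                            # GPS sub-IFD present
            result["has_gps"] = True


def parse_exif(jpeg):
    """Return {'make','model','has_gps'}; Nones/False when the file has no EXIF."""
    result = {"make": None, "model": None, "has_gps": False}
    for _, marker, seg in _segments(jpeg):
        if marker == APP1 and seg[4:].startswith(EXIF_HEADER):
            _read_ifd0(seg[4 + len(EXIF_HEADER):], result)
            break
    return result


def strip_exif(jpeg):
    """Copy of the file with every APP1/Exif segment dropped; pixel data untouched."""
    out = bytearray(SOI)
    tail = 2
    for off, marker, seg in _segments(jpeg):
        if not (marker == APP1 and seg[4:].startswith(EXIF_HEADER)):
            out += seg
        tail = off + len(seg)
    out += jpeg[tail:]                    # SOS through EOI copied verbatim
    return bytes(out)


def build_sample_jpeg(make, model, with_gps):
    """CONSTRUCTED test input: SOI + APP1/Exif (big-endian TIFF) + stub SOS + EOI.
    Not a decodable picture, only enough structure to exercise the parser."""
    n = 2 + (1 if with_gps else 0)
    data_off = 8 + 2 + 12 * n + 4         # strings/sub-IFD follow IFD0
    ifd, blob = struct.pack(">H", n), b""
    for tag, text in ((TAG_MAKE, make), (TAG_MODEL, model)):
        text += b"\x00"
        if len(text) <= 4:                # TIFF rule: short values go inline
            ifd += struct.pack(">HHI", tag, 2, len(text)) + text.ljust(4, b"\x00")
        else:
            ifd += struct.pack(">HHII", tag, 2, len(text), data_off + len(blob))
            blob += text
    if with_gps:
        ifd += struct.pack(">HHII", TAG_GPS_IFD, 4, 1, data_off + len(blob))
        # GPS IFD with a single GPSVersionID entry (tag 0, BYTE x4) and no next IFD
        blob += struct.pack(">HHHI", 1, 0, 1, 4) + b"\x02\x03\x00\x00" + b"\x00" * 4
    ifd += b"\x00" * 4                    # no IFD1
    tiff = b"MM" + struct.pack(">HI", 42, 8) + ifd + blob
    payload = EXIF_HEADER + tiff
    app1 = APP1 + struct.pack(">H", len(payload) + 2) + payload
    return SOI + app1 + SOS + struct.pack(">H", 4) + b"\x00\x00" + EOI


if __name__ == "__main__":
    img = build_sample_jpeg(b"motorola", b"Moto G (5)", True)
    print(parse_exif(img))                # make/model leak and a GPS IFD present
    print(parse_exif(strip_exif(img)))    # nothing left to hoover up
```

Run it against real files by reading them as bytes; only IFD0 is walked, so a vendor MakerNote or an Exif sub-IFD is not inspected, which is the same reason a single “no GPS” result is not proof the photo was clean everywhere.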
Another point of interest for me on the OPSEC front was their choice of languages for the site. It seems that these jihadi’s like to speak German, Turkish, and English. These three languages are of note because the site has no area that is strictly in Arabi and that is an oddity. This implies that the group who set this up are English speakers, Turks, and Germans but not really well equipped to write and read Arabic and this kind of tracks with some of the intelligence that comes out of the da’esh circles over the last couple years. There has been an influx of foreign fighters to the jihad but really guys, no Arabi? Shame on you as good Muslims not at least being able to have a page in Arabi!
I guess maybe we can see if they add some Arabic later on…
Meanwhile, back to the bitcoins. This site has 12 bitcoin wallets at the time of my assessment and NONE of them have any coin in there at all. Nothing, nada, niente. Of course the site is fairly new so I can see why it wouldn’t have any coin in there yet. In fact the site only popped up on my link search in the darknet on the 24th of August so there is that. (see below) So we need to give it time to see what else they do and if anyone actually donates. Once they do, well then we can track the coins and see who did what huh?
Well, this was an interesting diversion for a while but I am still kinda meh about the whole thing. I am gonna keep an eye on it and maybe visit those Telegram channels to see what other OPSEC FAIL’s they make. Until then, hey, it’s out there and it’s novel.
BOOGA BOOGA BOOGA JIHAD IN THE DARKNET BOOGA!
Derp.
K.
Supernotes and Poorly Cloned Darknet Sites
I was on safari in the darknet this morning and I came across the site above. The address is druglixdfcb3gda3.onion and as you can see it proclaims it is selling supernotes of American currency. Of course this is always of interest to me and they are making claims about printing specs and things that sound right. However, when you look closer at the site you see that it is not quite finished. It has some lorem ipsum text in there and it also has a lot of broken image links so you get no sample images at all even though they are linking to them.
They even have testimonials! Yet they don’t work either. Now, what got my interest was at the bottom there, where the site is claiming that you can contact them on the information below. Which, well, is all clearnet addressing and contains a physical address in Italy as well as a domain and email address in the UK! I had to look twice there to make sure I wasn’t seeing things. So I began looking more closely at the code and pulled up the information on the domain that they listed with a contact email of contact@andia.co.uk.
Once I pulled up Domain Tools, I saw that the domain has been around since 2014 and has not changed hands. I did some looking on the Wayback Machine and saw that there really never has been a site and that the names attached to the firm were a couple guys in London, which matched the address in the domain data. I then looked up these guys and found some interesting congruences. Andia LTD has been dissolved as of 2016 and, dig this, one of these guys is a specialist in “bank fraud”.
*blink blink*
So, um, how coincidental is it that this domain of a dissolved company of a couple thirty somethings in the UK has one that is a specialist in banking and fraud? Hmmmmm… Well, it goes down the rabbit hole pretty quickly and I was thinking OK! I am on to something here but then I started to look at the code some more… It turns out that if you start to Google the code and key words on the page you get a LOT of hits elsewhere. It turns out that this site in the darknet was using code from a free template created by this guy Anli Zaimi, who has a bunch of these templates. So, was this all just for naught? I mean, there are a lot of sites that seem really really sketch using his template and many do not bother to redact the contact details that he put in there.
Also, since this domain is real (andia.co.uk) how does that fit in? Then there is the whole thing with the banking connection and failed businesses. I am left scratching my head a little here. I mean, who puts up a forgers site so poorly in the darknet? OK ok ok, the darknet really is the Geoshitties of the 2000’s right? So yeah some nitwit just flung this hapless piece of shit up there…
But…
This site has been around a while. Why? No changes? Static and just bad.
Oh well… I even did the due diligence and emailed the contact address and it bounced, so, it ain’t there. I guess in the end it just shows you that the darknet is a garbage heap full of the strangest detritus. I did learn one thing though, this guy’s template is the go to for scammers it seems.
It’s just that most of them are so code illiterate that they don’t take out the dummy data and leave a long trail on google.
K.
Create NEW Ransomware: Darknet Site Ransomware Scheme
Surfing the darknet as I do, I came across this little gem of a site today. The idea here is that you can share in the bitcoin ransom by entering your wallet address and then getting a download of the malware to deploy wherever you like. This seems like a ponzi scheme to me where you offer a great reward for a little action and in the end you get ripped off but ok, let’s run with it. The site is in the darknet and I am not sure if or how they are publishing this site elsewhere so people can find it and use it. I must say though that the site is more complete than I thought it would be once you start to dig and the ransomware is new to me as well as it seems to be to VT and Hybrid.
So yeah, I decided to play along and I used someone’s wallet to start the process here. Whose wallet you ask? Well this guy’s wallet will do since he has never had anything in it. So it’s fairly simple, you put in the wallet address then solve the captcha and lo and behold you download the ransomware. I also decided to see if, when I put in an alternate wallet address, I would get another file with a different hash, and yes, yes I did. I only changed the wallet address by one letter (a) and got a new file that I uploaded to VT after the first one.
Upon upload to VT and Hybrid I get hits on the major players and the designation of the malware is of course ransomware but you choose the name you like because there are too many per the AV firms (please stop this)…
So yeah, the ransomware is not so stealth and likely anyone with current AV will have some intervention one hopes …But how many really keep their AV up to date and working?
*sigh*
Anyway, I uploaded it to Hybrid and got the following report and the second with the second sample here …
The malware reaches out to the darknet via .casa online bridge to the darknets. Once you plug in that address you get the Qrypter site frontend. This site is your C&C ostensibly to track your malware and your bitcoin “donations” from the poor sods who get the malware. The unfortunate bit is that when you go to the url that is in the malware you get the following sad news:
OH NOES! Are you smelling a scam? Cuz I am kinda smelling a scam here now…
Anywho, the interesting bit for the site itself is that it has a display on how many AV vendors are seeing the malware and as of today it’s… Wrong?
Mmmmmmyeaahhhh no, I see 14 vendors seeing this as malware and I have just added to the hash pile by uploading my samples here so that is likely to get even more detected as the day passes on. So, this is an interesting turn in malware as a service, or in this case Ransomware As A Service (RAAS) as I have seen out there on the net. I have captured the whole site in the darknet and I will be spending some more cycles on the malware later on so updates will likely follow on this post. For now though, just enjoy the novelty and the derp.
Cheers,
K.
UPDATE: This is evidently a new replay of something seen in 2017
Art Forgeries Sold In The Darknet
Stolen Forgeries:
Surfing the Darknet, as one does, I came across a new site that finally settled a prediction I made a few years ago. The site, “Fisher Shop” claims to be selling forged artworks as well as gold and diamonds. Now, I don’t really care about the diamonds and the gold bullion, but the art is the thing that enthuses me. I think I even once posted a blog about how I thought the Darknet could be used in art forgery, theft, and other machinations to sell stolen or forged artworks. This day has come to pass and I thought I would share it with you all.
The site itself is kinda poorly put together, or renders poorly on my browser for some reason and thus the text is all messed up pagination wise and makes it harder to read. Security wise the site is secure enough, an onion scan produced no vulnerabilities or leaks of data save for the email addresses that they are providing for contact. Both of the emails are easily obtainable sites like protonmail and sigaint so there isn’t much there unless you start talking to them and they slip up somehow OPSEC wise so at least this seems somewhat professional at the least.
The artwork though is what interests me most of all, but I also will be taking a look below at the bitcoin account they are using and those who have transferred money to it in the past. First though, the art…
The art works for sale range from old masters to Picasso. Two of the paintings on offer are missing pieces that have been stolen and not recovered yet. The one that intrigues me the most is the Rembrandt piece “Christ In The Storm On The Lake of Galilee” which was stolen from the Isabella Stewart Gardner museum in 1990 and recently was being searched for just a few miles from where I live a year or two ago. This work has been missing since 1990 but was claimed to have been seen by a reporter who was taken blindfolded to an unknown location and shown the work unrolled lit by a flashlight.

Scan of original from Isabella Stewart Gardner Museum of Rembrandt Van Rijn Christ on Sea of Galilee
Image from darknet site. Not whole image of the painting
Now in looking at the image provided by the darknet site along side the image presented by the Isabella Stewart Museum of the lost work itself, you can see variance in the image already. The colors are not the same and there are subtle differences in the work itself. Also the image that is provided on the darknet is not the whole canvas that was lost in the theft in 1990. The image has no real EXIF data to work with either so I cannot tell if this was a copy from elsewhere on the net easily. I have hashed the image and will do a bit more searching to see if I can lock it to a specific sample. However, when using image search for this hosted image we get a plethora of hits that are very much like it.
By looking at all of these you can see a great variance in the colors but most of them have the same cropped image to show you. All of this is just stuff to go down the rabbit hole on, but my main concern here is that this site is offering forgeries, and in some cases forgeries of lost art… Which makes you wonder just who might buy it? In the case of the Rembrandt the cost of the painting for purchase in bitcoins is 7,000 Euros, which as of today is $8,331.00! Eight grand for a forgery of a stolen painting! Oh and this guy claims that he has been doing this for years and not been caught, all the while admonishing the buyer about the security around packages and shipping.
Anyway, the original Rembrandt that was stolen has a 3.2 million dollar reward on it so I guess eight grand for a forgery of it is a steal huh? Speaking of steal, I started looking through the image search engine for the other paintings on offer and lo and behold the Raphael on offer was stolen in 1945 and the Picasso went missing in October 2012! So, looking for a forgery of a stolen work? Look no further than Fisher on the Darknet it seems.
Raphael: Portrait of a Young Man
Now where the searches got interesting on the images was from the two listed paintings with original photos; the Frederick H. Clark painting of a cottage in Martha’s Vineyard and the John Bunyon River School pieces both, it turns out, are photos that originated from PlayTheMove.com where one can sell artwork and other things. If you look closely at the photos from the darknet forgery site and the images from playthemove they are identical. You can see that there has been some manipulation of the tones (contrast shift) but by looking at the background you can see that the backdrops are the same. So, the forgery site is using these images to show you “forged” paintings on offer. Now the playthemove site claims that these are original paintings for sale. So, either these images were cribbed from playthemove and used on the darknet (which I cannot prove as the images have been manipulated and the metadata stamped out) or the same people at playthemove have taken second sets of these photos sans the time stamp that we see on playthemove.
Notice identical background folds and lack of time stamp on darknet sample (bottom)
Implies it is an original…
Same folds from playthemove but lacks the time stamp and has been edited (timestamp and curves)
Curiouser and curiouser, no? Now the question becomes: are the people selling these works on playthemove also trying to sell forgeries of the paintings in the darknet? Or were these images just conveniently found online, so they decided to use them because really, when you pay, you will get nothing back? Which at this point makes one ask, "Will you get anything from these guys?" I mean, caveat emptor in the darknet, right? But what if you did get a copy? What if it really came? These two paintings are fairly odd in that they are not commonly known works that people are looking for, so it raises the question: did someone have the originals and decide to maximize their returns by making copies?
Interesting…. Oh and one more fun fact, they are wanting just a bit more for the fakes than the original sold for on playthemove!
Bitcoins and Wallets:
Next I looked at the bitcoin wallet that they are using on this darknet forgery site. The wallet (1DEKexRrsUadfiLF3gvzMCSMoBkmMHjRhV ) has 70 transactions on it and held about 8.10093985 BTC or the equivalent of $77,201.92 which is a pretty penny indeed. Of course the wallet is empty presently but that is quite the bit of traffic through there up to Oct 17 2017. The transactions spread out to numerous addresses and I started to go down that rabbit hole with Maltego but after a while it just became a morass. I may pick at this later on but the largest set of transactions happened in September of this year;
Overall I have not been able to see this wallet used on other darknet sites and I have yet to run into anything that could tip me off as to who may own the wallet or where else on the darknet it has been used with other entities. So we are back again to the whole idea of forgeries being sold as “forgeries” on the darknet. One has to ask are these being sold to people who will put them in their house or, do you think perhaps the goal here might be to sell these on to those who may try to pass them off as real to unsuspecting buyers in the art world?
This is an interesting conundrum for me because who would you sell a hot forged Rembrandt to? I mean, wow, you would have to then claim you are part of the cabal who stole it and entice someone to buy this highly known piece, stolen in a highly known robbery that the FBI and everyone else is looking for. Now that takes some major balls! Though, in the art theft world and grifter verse, I can see some of them trying to pull this one off. I mean if there were the mythical “collector” who was offered a painting like this, would they take the offer? Ok ok ok, so look at it this way, if you even got the painting in the first place from this site, to be able to turn that eight thousand dollar investment into say, five hundred thousand dollars to an unscrupulous buyer… WIN right?
Interesting… Very interesting.
I will keep an eye on this site and maybe send them an email asking some questions. If I see anything else I will update this piece.
Ciao
K.
Bluebox2600: It’s Time
So the other day I posted about some puzzle sites linked together in the darknet by someone calling themselves BlueBox2600. Today I am bringing you their new game site and the creepy imagery and puzzles that are there. Check the site out for yourselves, but I thought it appropriate to pull apart some of the stuff that is there, and having copied the site completely to local storage I have posted the videos for you on YouTube if you don't want to dare go to the darknet. Inasmuch as this site is supposed to be a puzzle box of sorts, I will tell you now that on the surface of it I am kinda meh. The only really interesting bits are Doors one and four, but you decide for yourselves. The site just went up this week and is fresh, so this may be virgin territory for the Reddit set.
Let’s begin….
Entrance
The entrance has a video that shows what looks to be some hooded figure who brings in a small body and begins to dissect it or gut it. Within the imagery you get a quick flash of the following text below…
I have tried to string this together into a sentence but have yet to make it work. I will say that there are two capitalized letters “On” and “I” and either could start a sentence. I will play with this some more….
Choose your door
Once you enter the “game” you are presented with four doors to choose from…. Below are the videos behind each.
Door One
This starts with a pan of an outdoor scene and a song by Billie Holiday but starts to skip and break up. The scene goes blank and words start to appear on the screen…
The screen clears to the sight of what I liken to Batman’s Scarecrow villain…
It’s at this point that the figure begins to talk and it is garbled at first but clears up. The scarecrow starts talking about stalking a woman…
I saw you with your true love…
I saw you with your child….
I have watched the child…
I have watched your child but some day I may decide to do more…
One day I merely may decide not to follow, not to watch…
I may decide something needs to be done…
Something more vicious…
Whether it be with you or your child….
So far this is the creepiest and longest of the videos on the site but amazingly the hidden code in the HTML says that it is not the right door. As far as I am concerned it is in fact the right door for creeptastic imagery and sound.
All in all, this video has the most interest for me with the imagery and the strange details it is putting out there for us all to parse. Is this some kind of scary footage you would see on YouTube that would lead to other sites or some kind of creepypasta? I have yet to see anything in the footage to show a link anywhere but I have yet to look at the file itself to see if there is something else there. Are there more things interlaced into the video that you cannot see with the naked eye? Basically the story line of some crazy scarecrow like figure hunting/stalking some poor woman and her kid is disconcerting.
Door Two
Door two is a bit strange…
KITTY CANDY!
Strange shots of a mannequin and yelling about feeding the kitty….
Go watch it… But it is not the right door according to the hidden text in the HTML
Door Three
Door three’s video is just plain boring to me and the fact that the hidden text in the HTML is telling you that it is the right door kinda makes me wonder what I am missing here. I will see if I can take a look at the file itself and look for interlaced things you can’t see with the naked eye but all this is some rando images of a hokey mask like figure and nothing more.
Door Four
Now, here at door four we have something interesting.. Actually some “things” that are interesting. The footage is a staged scene of a devil or Baphomet figure who is holding some woman in a chair hostage… Poorly. She breaks free of the chair easily all the while screaming about feeling gross from being in the chair and unwashed. However, once this cuts away we have the Baphomet figure holding a giant fan open and this has some interesting things on it in handwritten text…
So once again, the most interesting content is marked as not important, yet here we have all this stuff on the fan. "You are sleeping" is the clearest thing to see, but under it are esoteric symbols again and names like David Kelly, Steve Mostow and Ian Langford. Now once you start to Google those names you get some interesting things popping up;
Steven Mostow is either a character on Grey’s Anatomy or it is this guy, I am gonna go with this guy because the other name above him is David Kelly..
David Kelly refers to another scientist who was killed which is in turn connected to Ian Langford, yes, another scientist who got whacked. One of 24 scientists alleged to have been killed by some cabal…
Right! So all of these names lead back to conspiracy theories surrounding these doctors deaths! Interesting and yet NOT the door we want? Something is out of whack here I think.
You can also make out three Bible verses scrawled on the fan;
Genesis 5:3 When Adam had lived 130 years, he had a son in his own likeness, in his own image; and he named him Seth.
Revelation 12:9 And the great dragon was cast out, that old serpent, called the Devil, and Satan, which deceiveth the whole world: he was cast out into the earth, and his angels were cast out with him.
Revelation 20:2 And he laid hold on the dragon, that old serpent, which is the Devil, and Satan, and bound him a thousand years,
All of this is tied back to the esoterica of previous puzzles by BlueBox2600 (oh and yeah, for all you hackers out there BlueBox 2600 come on!) All of this seems to be pointing in the general direction of esoteric beliefs, conspiracy theories and general creepypasta action on the darknet. Hell, there’s even a Fibonacci Sequence on the fan as well!
Mostly I find this stuff to be kind of muddled and not really leading me in any one direction. Maybe there are clues within clues I haven’t seen yet and I will keep looking for a bit. I thought though that this site was worth a gander for you all. If you are in the darknet feel free to slide on over and check it out yourselves… And if you find something new let me know.
K.
Bluebox2600: Darknet Games
It all started for me yesterday when a new darknet site popped up on the spider. The page primarily consisted of the image above that contained a movie that plays automatically. The movie consists of what looks like a hooded figure bringing in a small corpse of some kind and through cut scenes begins to dissect it with a kitchen knife. This of course intrigued me so I went down the darknet rabbit hole to find out more. Luckily for me the breadcrumb trail was left on the page listing the previous sites that the user had created “games” on in the past.
I then copied down the urls in that image file above and began to call them all up in the browser. It turns out I had seen these sites before and dug around a bit on them in the past. The reason for my interest back then, which waned eventually, was that each site had embedded codes in the html to break. These codes weren’t hard really and I wondered if I was missing something else but you know me, I get bored and I walked away after a bit. Of course now with this new site I had to go back and take another look.
Once I went down the rabbit hole, I kinda found myself in an interesting esoterica hell. The pages pretty much all lead to one after the other when you decode the hidden codes. Note that I have only looked at the HTML and not into the imagery itself (e.g. looking for Steg) and maybe I will do that after a time. Anyway, these are the sites as linked by code and the “puzzle” that this person(s) has put out on the darknet for the chosen few to work out. It all comes down to some kind of esoterica that is supposed to enlighten the puzzler.
I don’t feel too illuminated but it was fun. I did get a little turned around a couple times and I still have not quite solved the math problem into a URL. I do dig the imagery used especially all the old creepy photos and shops of things like the anthropomorphic rabbit. I don’t quite know what about him there is that makes it nightmare fuel for me but I am all up into that. These pages though as a whole don’t seem to give you a way to talk to the creator, but maybe they were watching the hits on the pages to see if people were working them out. As I show in the post here I also was able to dig up a WHOIS and a name as well as an email address used in Domain Tools so I may have nailed down who made these and what else they have online. I will look more into that later on and let you know…
For now, enjoy the puzzling and know that the images at the top here? Well, they are back at it and I already am going down the new rabbit puzzle hole too.
K.
Illuminati
Code in HTML:
.-.. .. --. .... - .- --.. .--. .. -.. --- -..- -.- --.- -.-. . .-.-.- --- -. .. --- -. -..-. - .... . -.. --- .-.. .-.. .- .-. .-.-.- .... - -- .-..
Translation: LIGHTAZPIDOXKQCE.ONION/THEDOLLAR.HTML
The Dollar
HTML code:
http://lightazpidoxkqce.onion/_ _ _.html Looking for 3 letters here .. Type illuminati backwards then add .com what is the abbreviation of the organization this leads you to.
itanimulli.com redirects to the NSA website
WHOIS info on this is interesting…
Domain Name: ITANIMULLI.COM
Registry Domain ID: 92386827_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Updated Date: 2017-06-22T22:32:21Z
Creation Date: 2002-11-20T07:54:13Z
Registrant Name: John Fenley
Registrant Organization:
Registrant Street: 1985N 360E
Registrant City: Provo
Registrant State/Province: Utah
Registrant Postal Code: 84604-1803
Registrant Country: US
Registrant Phone: 8014273274
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: pontifier@hotmail.com
Registry Admin ID: Not Available From Registry
Admin Name: John Fenley
Crop Circles
Code in HTML:
<!--
2+3=8,
3+7=27,
4+5=32,
5+8=60,
6+7=72,
7+8=?? 98
/??.html
As a math problem, the rule is that in row n the first number is multiplied by n and the second by n+1:
2*1 + 3*2 = 2+6 = 8
3*2 + 7*3 = 6+21 = 27
4*3 + 5*4 = 12+20 = 32
5*4 + 8*5 = 20+40 = 60
6*5 + 7*6 = 30+42 = 72
7*6 + 8*7 = 42+56 = 98
SOLVE: 7+8 = 98
I never quite got this one… Can you put this solve into a URL?
To Wonderland
Code in HTML:
01101000 01110100 01110100 01110000 00111010 00101111 00101111 01100011 01110010 01100101 01100101 01110000 01111001 01101101 01101000 01110000 01100111 01101001
01100010 01110011 01100101 01110111 01110010 00101110 01101111 01101110 01101001 01101111 01101110 00101111 01110100 01101000 01100101 01110010 01100001 01100010
01100010 01101001 01110100 00101110 01101000 01110100 01101101 01101100
Binary Translation: http://creepymhpgibsewr.onion/therabbit.html
The Rabbit
Code in HTML:
WVVoU01HTkViM1pNTWs1NVdsZFdkMlZYTVc5alIyUndXVzVPYkdRelNYVmlNalZ3WWpJMGRtUkhhR3hhTWtaNllsZEdlbUY1Tlc5a1J6RnpTVU13ZEZveU9YWmFRMEp4WWpKSlBRPT0=
Base 64 decode thrice = http://creepymhpgibsewr.onion/thegasmask.html –good job
The Gas Mask
Code in HTML: 68 74 74 70 3a 2f 2f 63 72 65 65 70 79 6d 68 70 67 69 62 73 65 77 72 2e 6f 6e 69 6f 6e 2f 66 61 63 65 6c 65 73 73 2e 68 74 6d 6c
HEX decode: http://creepymhpgibsewr.onion/faceless.html
Faceless
Code in HTML:
\x68\x74\x74\x70\x3a\x2f\x2f\x63\x72\x65\x65\x70\x79\x6d\x68 \x70\x67\x69\x62\x73\x65\x77\x72\x2e\x6f\x6e\x69\x6f\x6e\x2f \x68\x61\x6c\x6c\x6f\x77\x65\x65\x6e\x2e\x68\x74\x6d\x6c
HEX Decode: http://creepymhpgibsewr.onion/halloween.html
Halloween
Code in HTML:
104 116 116 112 58 47 47 99 114 101 101 112 121 109 104 112 103 105 98 115 101 119 114 46 111 110 105 111 110 47 116 104 101 115 99 114 101 97 109 46 104 116 109 108
Decimal Decode: http://creepymhpgibsewr.onion/thescream.html
The Scream
Code in HTML: http://creepymhpgibsewr.onion/thepic.jpg
The Pic
This kinda dead ends for me….
Page # The Witch
Code in HTML:
V1ZWb1UwMUhUa1ZpTTFwTlRUSlNkMXBGWkU5aU1EVklWR3BhYTFZeFNuWlhWRTV2WVZad1dHUXpWbWxOYWxaM1dXcEpNR1J0VFhsU2FrSmFWbnBTTVZsVmFGTmtSMHBFVVZoU1RWWXlVakpaYWtwU1dqSkdkRTlYYXowPQ==
Base64 Decode: http://witch4czudhcxbel.onion/satan.html –good job
I am going to assume that the witch is the solve for the math problem converted into a URL…
Satan
Code in HTML:
WVVoU01HTkRWWHBSVTFWNVVtbFZlVkp1WkhCa1IwNXZUa2RPTm1SWFVtOVpNMmhwV2xkM2RXSXlOWEJpTWpSc1RXdGFlbVZYTVdsaU1uaDZURzFvTUdKWGQzSk1VekZ5V2xkV2Qwc3laSFpoVnpWdQ==
Base 64 Decode: http//witch4czudhcxbel.onion/symbols.html+–keep+going
The plus signs are not part of the clue proper: under the two base64 layers the payload is form-URL-encoded (it begins http%3A%2F), so percent-decoding it, with + read as a space, is the third and last step.
Symbols
Code in HTML:
YUhSMGNEb3ZMM2RwZEdOb05HTjZkV1JvWTNoaVpXd3ViMjVwYjI0dmRHaGxaRzl2Y25NdWFIUnRiQT09
Base 64 Decode: http://witch4czudhcxbel.onion/thedoors.html
Doors
Choose your doors…
Door One “Gore 226”
Code in HTML:
Base 64 Decode: http://gore226jrod4ia2c.onion/gore911/ — enter
Once you put in the url you get the following text on the new page:
Door Two “Grandma’s Garden”
I have yet to play with this one… I will get round to that.
Door Three “The End”
Code in HTML:
Congrats!! You broke the witches code. There will be more puzzles to come. Hope you enjoyed this Bluebox2600 @ http://blueboxlxc4o7mvk.onion/
Now the Esoterica begins…
Door Four “Sacred Geometry”
Code in HTML:
“Once in a while you get shown the light In the strangest of places if you look at it right”
Right! Well we are back to esoteric teachings that seem to be Illuminati in nature. I am not sure where this guy is going but it was a fun trip.
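The HTML clues above are a chain of the usual puzzle encodings: Morse, 8-bit binary, \x escapes, spaced hex, decimal byte values, and base64 stacked two or three deep. The script below is an added example (mine, not code from the post or from Bluebox2600) that recognises each of them and peels layers until what is left no longer decodes. The only inputs taken from the page are the Morse string behind the Illuminati page and the double base64 behind the Symbols page; the function names, the order the decoders are tried in, and the URL-decoding step (there because the Satan page's payload is percent-encoded under its base64) are this example's own. One caveat the page's clues illustrate: a run of two-digit tokens like "68 74" is valid as both spaced hex and spaced decimal and decodes differently either way, so hex is tried first and a wrong guess is rejected when it yields non-printable bytes, but eyeball both when a result looks odd.

```python
import base64
import re
import urllib.parse

# Added example, not code from the original post: a "peel the layers" decoder
# for the HTML-comment clues listed above. Each decoder returns decoded text or
# None when the input does not look like that encoding.
MORSE_TO_CHAR = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z", "-----": "0", ".----": "1", "..---": "2",
    "...--": "3", "....-": "4", ".....": "5", "-....": "6", "--...": "7",
    "---..": "8", "----.": "9", ".-.-.-": ".", "-..-.": "/", "-....-": "-",
    "..--.-": "_", "---...": ":",
}

def _printable(text):
    return bool(text) and all(32 <= ord(c) < 127 for c in text)

def _from_bytes(raw):
    text = raw.decode("ascii", errors="replace")  # U+FFFD then fails _printable
    return text if _printable(text) else None

def decode_morse(s):
    tokens = s.split()
    if not tokens or not all(t in MORSE_TO_CHAR for t in tokens):
        return None
    return "".join(MORSE_TO_CHAR[t] for t in tokens)

def decode_binary(s):
    tokens = s.split()
    if not tokens or not all(re.fullmatch(r"[01]{8}", t) for t in tokens):
        return None
    return _from_bytes(bytes(int(t, 2) for t in tokens))

def decode_xescape(s):
    # "\x68\x74..." escapes; whitespace between them (as in the page's clue) is tolerated
    pairs = re.findall(r"\\x([0-9a-fA-F]{2})", s)
    if not pairs or re.sub(r"\\x[0-9a-fA-F]{2}|\s", "", s):
        return None
    return _from_bytes(bytes.fromhex("".join(pairs)))

def decode_hex(s):
    tokens = s.split()
    if not tokens or not all(re.fullmatch(r"[0-9a-fA-F]{2}", t) for t in tokens):
        return None
    return _from_bytes(bytes.fromhex("".join(tokens)))

def decode_decimal(s):
    tokens = s.split()
    if not tokens or not all(t.isdigit() and 32 <= int(t) < 127 for t in tokens):
        return None
    return "".join(chr(int(t)) for t in tokens)

def decode_base64(s):
    if len(s) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s):
        return None
    try:
        return _from_bytes(base64.b64decode(s, validate=True))
    except ValueError:
        return None

def decode_urlencoded(s):
    # Form encoding (%XX escapes, '+' for space), which is what sits under the
    # Satan page's two base64 layers and why that decode shows "+--keep+going".
    if "%" not in s or not re.fullmatch(r"[A-Za-z0-9%+._~:/?#=\-]+", s):
        return None
    out = urllib.parse.unquote_plus(s)
    return out if out != s and _printable(out) else None

DECODERS = [("morse", decode_morse), ("binary", decode_binary),
            ("xescape", decode_xescape), ("hex", decode_hex),
            ("decimal", decode_decimal), ("base64", decode_base64),
            ("urlencoded", decode_urlencoded)]

def peel(blob, max_layers=10):
    """Return (final_text, [layer names]) after stripping every recognised layer."""
    layers, current = [], blob.strip()
    while len(layers) < max_layers:
        for name, fn in DECODERS:
            out = fn(current)
            if out is not None and out != current:
                layers.append(name)
                current = out
                break
        else:
            break  # nothing matched: what is left is the plaintext
    return current, layers

# Clues copied from the page: the Morse behind the Illuminati page, the double base64 behind Symbols.
MORSE_CLUE = (".-.. .. --. .... - .- --.. .--. .. -.. --- -..- -.- --.- -.-. . .-.-.- "
              "--- -. .. --- -. -..-. - .... . -.. --- .-.. .-.. .- .-. .-.-.- .... - -- .-..")
DOUBLE_B64_CLUE = "YUhSMGNEb3ZMM2RwZEdOb05HTjZkV1JvWTNoaVpXd3ViMjVwYjI0dmRHaGxaRzl2Y25NdWFIUnRiQT09"

if __name__ == "__main__":
    print(peel(MORSE_CLUE), peel(DOUBLE_B64_CLUE))
```

Run as-is it reports the Morse clue as LIGHTAZPIDOXKQCE.ONION/THEDOLLAR.HTML with one layer and the Symbols clue as http://witch4czudhcxbel.onion/thedoors.html with two base64 layers; paste any of the other clues above into peel() and you get the URLs listed beside them. The printable-ASCII test is what stops the loop, so a clue whose final plaintext is binary (an image, say) will come back as the last printable layer and needs looking at by hand.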
Who’s Molesting Your Corpse?: Necrophilia and Snuff In The Darknet & Clearnet
Just when you thought I could delve no more deeply into the darknet I bring you this….
RIGHT! Well, since my deep dive into the world of cannibalism, I began to look at the other links out there to other paraphilias on offer in the darknet and, once again, on the clearnet. Today's menu consists of necrophilia and snuff, which are quite the taboo really and something you would expect to find in the so-called darknet. As far as what is currently indexed out there in the darknet goes, there are a total of two sites that really cater to these two particular bents. The first is the one you see above in the screenshot. This one requires bitcoin payment just to see the content, but you can get a taste by clicking on their samples.
What seems to be on offer here is a melange of snuff films and images that are staged mixed with actual gore photos culled from the clearnet and other places I suspect. Generally, it is all pretty vile and all rather violent which then in tandem with the data concerning how much money their bitcoin wallet has ($3140.76) one wonders just how many people are buying this service and how many are here just for the day or are return customers. The nominal fee to gain entry is (0.027 BTC) which is presently ($112.06) per entry fee. So, let’s tally that one up shall we?
Let's see, carry the one....
$3140.76 divided by $112.06 comes to about twenty-eight entry fees, so call it thirty users of this site. Thirty people have paid over one hundred dollars in bitcoin to get into this site and wank to this stuff.
*shiver*
Oh and look someone just bought access on the 25th of this month!
So someone has at least some pocket money, it seems, from this little darknet adventure. I guess it all depends on how much you put into it, though, eh? I mean, how much is the hosting per month? Are you hosting this yourself? Web design seems to be not so much something they care about, so no real expense there. Overall, this site seems to be a going concern because it is affordable and maybe has some content these thirty people want. I do wonder, though, how many are seriously "using" the content as opposed to how many investigative entities bought access to "investigate" criminal activity. I suppose we could take all those bitcoin wallets and do some digging on the chain to see if anyone made some OPSEC mistakes, but meh.
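The wallet work in the forgery post and the entry-fee tally above both come down to the same questions about an address: how much came in, when, and how many of the inbound payments look like customers paying the advertised price rather than the owner moving their own coins. The script below is an added example (mine, not code from either post). The transactions in it are constructed for illustration and are not either wallet's history; the 5% tolerance, the function names and the month bucketing are this example's own choices. It shows why "balance divided by fee" overstates the customer count once anything other than fee-sized payments has passed through the address.

```python
from collections import defaultdict
from datetime import datetime

# Added example, not code from the original posts. The transactions below are
# constructed for illustration and are not either wallet's real history; the
# shape (timestamp, satoshi received) is what an address lookup on a block
# explorer returns for inbound transactions.
SATOSHI = 100_000_000
ENTRY_FEE_BTC = 0.027  # the per-entry fee quoted on the snuff site

SAMPLE_TXS = [  # (UTC timestamp, satoshi received) -- constructed sample
    ("2017-09-02T10:14:00Z", 2_700_000),
    ("2017-09-05T22:40:00Z", 2_695_000),   # an entry fee, a shade short after rate drift
    ("2017-09-19T03:05:00Z", 2_710_000),
    ("2017-09-21T18:30:00Z", 50_000_000),  # 0.5 BTC: the owner's own money, not a customer
    ("2017-10-08T09:00:00Z", 2_700_000),
    ("2017-10-25T11:45:00Z", 2_700_000),   # the purchase "on the 25th of this month"
    ("2017-10-26T00:00:00Z", 1_000),       # dust
]

def btc_to_sat(btc):
    return round(btc * SATOSHI)

def total_received_sat(txs):
    return sum(sat for _, sat in txs)

def monthly_totals_sat(txs):
    """Inbound value bucketed by calendar month, to spot the busiest period."""
    buckets = defaultdict(int)
    for stamp, sat in txs:
        month = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").strftime("%Y-%m")
        buckets[month] += sat
    return dict(buckets)

def peak_month(txs):
    totals = monthly_totals_sat(txs)
    return max(totals, key=totals.get)

def naive_customer_estimate(txs, fee_btc=ENTRY_FEE_BTC):
    """Balance divided by fee, as done by hand in the post. Every satoshi that
    ever arrived counts as customer money, so owner top-ups and consolidation
    transactions inflate it."""
    return total_received_sat(txs) // btc_to_sat(fee_btc)

def fee_matched_payments(txs, fee_btc=ENTRY_FEE_BTC, tolerance=0.05):
    """Count only inbound payments within +/- tolerance of the fee (rate drift
    between the price being set and paid is normal); hand back the rest for a
    manual look."""
    fee = btc_to_sat(fee_btc)
    low, high = fee * (1 - tolerance), fee * (1 + tolerance)
    matched = [sat for _, sat in txs if low <= sat <= high]
    others = [sat for _, sat in txs if not low <= sat <= high]
    return len(matched), others

if __name__ == "__main__":
    print(total_received_sat(SAMPLE_TXS) / SATOSHI, "BTC received, peak month", peak_month(SAMPLE_TXS))
    print("naive:", naive_customer_estimate(SAMPLE_TXS), "fee-matched:", fee_matched_payments(SAMPLE_TXS))
```

On the constructed data the naive estimate says 23 customers, while only five inbound payments are within 5% of 0.027 BTC; the 0.5 BTC transaction and the dust are handed back for a manual look, and September is the peak month. With real data you would feed the same functions the inbound transaction list for the address from a block explorer, and the "others" list is where the consolidation transactions that lead to other addresses, and possibly to an owner, turn up.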
The second site in the darknet has a theme in that it is called “Japanese Lady Extermination” and they live up to that name with a lot of Asian/Japanese content. Between you, me, and the lamp post, we all know that the Japanese have some particular, well, shall we call them tastes in porn? On first look this site has much more content and the design is a bit better but is it a hub for this activity? How many people use it? Well, it seems that this one is the high price callgirl of the darknet in that they want some big bucks to get in on the action.
Dig this, they have two options for access. One is a month of access, for which they want 0.6 bitcoin, and the other is three months, which costs a whopping 1.2 bitcoin! That translates into $2493.34 for the one-month access and $5026.27 for the three-month plan! Now that is steep for access to some lady killin', and if you have sticker shock, so too do all the would-be customers of this site. Looking at the wallets for the plans, both have nothing in them. There are no transactions at all for either, so this is a bust for the lady killers' owners, it seems.
It seems to me that Japanese Lady Killin just ain’t a money making concern so far. Of course it seems that a lot of this content could be gotten via the clearnet and a vendor in Japan willing to ship a DVD so there is that. So that brings me to the conclusion that the darknet is not that scary and dark when you really take a look into it. Nope, what’s much more scary is the prevalence of this kind of thing on the clearnet available to all and easily gotten to by mistyping a URL. When I began Googling for links the first one that came up was darksites.net which is another site designed by our friends at Geocities.
My god.
…The horror.
The domain was created in 2000 so that probably answers the question right there. Why upgrade the site when you have a good thing going right? The site has a couple names attached over time from the WHOIS history and one of them goes back to a “Michael Guy” which has info out there. Just another rabbit hole one could go down to ask why? WHY? But I will continue on with the sites contents.
Domain Name: DARKSITES.NET
Registry Domain ID: 20065601_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.enom.com
Registrar URL: http://www.enom.com
Updated Date: 2017-02-18T07:42:12Z
Creation Date: 2000-02-17T20:13:39Z
Registry Expiry Date: 2018-02-17T20:13:39Z
Registrar: eNom, Inc.
Registrar IANA ID: 48
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone:
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: DNS1.REGISTRAR-SERVERS.COM
Name Server: DNS2.REGISTRAR-SERVERS.COM
DNSSEC: unsigned
This site is the clearing house of all things deviant. All your desires can be sated with this list of things.
There are things I have never heard of here…
Like the whole cannibal thing I reported on before, all of this could just be fantasy and acting, or it could lead to actually committing crimes. As we saw on the cannibal sites, it was all fun and games until someone really got eaten by that wacky German guy, right? I am not trying to say that these desires are bad or dirty, but the paraphilias could lead one down the wrong path if they go too far or are unbalanced to start with. In the case of Meiwes in Germany, he had been fantasizing about eating people since he was eight years old. At what point do kinks turn into actual crimes? Now add to this that the clearnet seems to be the biggest purveyor of this fantasy fuel, free on the net (or for a nominal fee), and one has to start wondering just how many people have stepped over that line after becoming addicted to this kind of content.
I also have to look at the psychology of being exposed to this stuff and becoming hooked on it. You become inured to it and it becomes pedestrian, then you need more of it to sate yourself and perhaps even things that are even further outside the norms just to feel the thrill? I have read such things in treatises by psychiatrists in the past, so now instead of having to really do the leg work and go somewhere to get the content you can just Google it up. Think about the pathology here…
Interesting stuff.
Anyway, the other outcome from my foray into this dark world is that the darknet is not really so dark. Well, at least where it concerns this stuff, the clearnet has it beat by a mile in amounts and ease of access. And this is one of the things I started down this path wanting to get out there. Other than the voyeuristic aspects here, I wanted to take a plain look at the oft spookily talked about darknet and defuse the hype. It’s not that scary and it isn’t that hard to get into no matter what Hollywood would like you to think. Nope, it’s just another space for people to do things they probably shouldn’t with a cool name.
But hey, at least in the darknet I found a manual on how to Necrophilia…
Woo!
K.