Naked Security

Hacker posts database stolen from Dark Net free hosting provider DH

Some 7,600 dark-web sites were obliterated in an attack on the most popular provider of .onion free hosting services, Daniel's Hosting.

In March, some 7,600 dark-web sites – about a third of all dark-web portals – were obliterated in an attack on Daniel’s Hosting (DH), the most popular provider of .onion free hosting services. Its portal was breached, its database was stolen, and its servers were wiped.
That was punch one. Punch two landed on Sunday, when a hacker going by the name KingNull or @null uploaded a copy of DH’s stolen database to a file-hosting portal and then gave ZDNet a heads-up about the leak.
ZDNet reports that a cursory analysis of the data dump shows that it includes 3,671 email addresses, 7,205 account passwords, and 8,580 private keys for .onion (dark web) domains.
Back in March, Daniel Winzen, the German software developer who runs DH, originally said that his portal was kaput, at least for the foreseeable future… which he also said, more or less, after DH suffered an earlier attack in September 2018. During the 2018 attack, hackers had rubbed 6,500 sites off the dark web in one fell swoop.
DarkOwl – a darknet intelligence, tools, and cybersecurity outfit that keeps an eye on DH and other dark web goings-on and which analyzed the September 2018 breach – had spotted Winzen’s post acknowledging the most recent attack and shared it on Twitter on 10 March. That’s the same day that DH’s hosting database got knocked out.
Who is KingNull – the hacker who went on to post DH’s database – and who else has it in for DH? Since they first spotted Winzen’s March post, DarkOwl analysts have looked for answers and published their take on the parties involved, which dark-net subcultures they can be traced to, and the online chats about the attack. In one such discussion, an actor claimed that Winzen was compromised while accessing child abuse content.
DarkOwl connected the actor making the accusation, @Sebastian, to an anti-pedophilia hacking group formerly known as Ghost Security (#GhostSec) that was known for tracking and de-anonymizing criminals who harm children. However, the group tends to claim credit for attacks and hadn’t done so for the March attack, the firm said:

An organized hacking collective like GhostSec definitely has the capabilities and motivation to take down Winzen’s servers, especially if there was questionable content hosted and shared, but the group has not published any declaration or claim of responsibility for the hack, like they have with other groups and individuals they’ve targeted in the past.

Daniel’s was down for the count

After the March attack, Winzen said that he was fed up. He gives his time freely, he claimed, on top of his full-time job. It’s time-consuming, he said, particularly given the work it takes to “keep the server clean from illegal and scammy sites.”
How clean were those servers, exactly? Not so much: after the 2018 attack, DarkOwl had analyzed the shuttered hidden services and found that hundreds contained content related to hacking and/or malware development, included drug-specific keywords, contained content related to counterfeiting, specifically mentioned carding, or referred to weapons and explosives.

No database backups, redux

Was Winzen really all that committed to his darknet projects, though? DarkOwl has monitored skepticism among darknet users regarding Winzen’s commitment. In fact, @null had referred to the DH chatroom as actually being a honeypot – a claim that might well be legitimate, one anonymous user suggested. Those suspicions are underscored by a server upgrade or move that happened mere weeks before the March attack, according to the darknet discussion.
If it were in fact a honeypot, that could explain why Winzen didn’t maintain backups, some have suggested. That’s how DH was wiped out so thoroughly, twice. DarkOwl:

Those who suspect that Daniel’s chatroom was actually a honey pot surmise that Daniel didn’t maintain backups of his data because they were being monitored (and probably managed) by international or German law officials. This was supported by the fact that a change in rule regarding sharing any pornographic content occurred in 2018, around the same time that Daniel was hacked and their databases disappeared.
There have been numerous pastes circulated around the darknet in the last year claiming many of the members, including [the chatroom’s controversial super administrator @Syntax] were Law Enforcement.

DarkOwl’s post includes transcriptions of many of the conversations it’s monitored and is well worth a read.
ZDNet asked threat intelligence firm Under the Breach to analyze the recent leak of DH’s database. The firm told the media outlet that the leaked database contains “sensitive information on the owners and users of several thousand darknet domains” – information such as email addresses that can be used to link their owners with certain dark-web portals, Under the Breach said:

This information could substantially help law enforcement track the individuals running or taking part in illegal activities on these darknet sites.

The darknet’s doing just fine without Daniel

DarkOwl reports that following the March attack, users of DH’s services spent several weeks scrambling to figure out where to congregate and how to communicate, with or without Winzen’s support. The darknet did just fine without DH, though: in fact, since the 11 March hack, DarkOwl said that it’s observed an average growth of 387 new domains per day across the entire darknet.
While many darknet site owners pulled up stakes and parked with new hosting providers, their new accounts could still be taken over if they reused their old passwords and the leaked, hashed passwords get cracked, ZDNet points out. The leaked .onion private keys are the bigger problem: an .onion address is derived from the service’s key pair, so anyone holding a leaked key can bring up a service at the same address, and a site that moved to a new host without generating a fresh key can be impersonated at its old name.
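To show why the 8,580 leaked onion private keys matter more than the hashed passwords, here is an added example (not code from the article, ZDNet, DarkOwl or Daniel’s Hosting): a v3 .onion address is just the service’s ed25519 public key, a two-byte checksum and a version byte in base32, so whoever holds the key pair can answer at that name. The sample key bytes are constructed for illustration and are not from the leak; the header layout of Tor’s `hs_ed25519_public_key` file is stated as an assumption in the code.

```python
"""Derive and validate Tor v3 .onion addresses from a service's ed25519 public key."""
import base64
import hashlib
from typing import Optional

# Layout from Tor's rend-spec-v3:
#   onion_address = base32(PUBKEY || CHECKSUM || VERSION) + ".onion"
#   CHECKSUM      = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
#   VERSION       = 0x03
ONION_V3_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"

# Assumed on-disk layout of Tor's hs_ed25519_public_key: a 32-byte tag
# ("== ed25519v1-public: type0 ==" NUL-padded) followed by the 32-byte key.
TOR_PUBKEY_HEADER = b"== ed25519v1-public: type0 ==".ljust(32, b"\x00")

# Constructed sample key: not a real service key and not from the DH leak.
SAMPLE_PUBKEY = bytes(range(32))


def onion_v3_checksum(pubkey: bytes) -> bytes:
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_V3_VERSION).digest()[:2]


def onion_v3_address(pubkey: bytes) -> str:
    """Address a service with this public key answers to. Anyone holding the
    matching private key can stand up a service at exactly this name."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + onion_v3_checksum(pubkey) + ONION_V3_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion_v3(address: str) -> Optional[bytes]:
    """Return the public key encoded in a v3 address, or None if the address is
    malformed or its checksum/version byte does not check out."""
    if not address.endswith(".onion"):
        return None
    body = address[: -len(".onion")]
    if len(body) != 56:  # 35 bytes -> 56 base32 characters, no padding
        return None
    try:
        raw = base64.b32decode(body.upper())
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_V3_VERSION or checksum != onion_v3_checksum(pubkey):
        return None
    return pubkey


def pubkey_from_tor_file(data: bytes) -> bytes:
    """Extract the raw key from the contents of Tor's hs_ed25519_public_key file
    (assumed layout: 32-byte header + 32-byte key)."""
    if not data.startswith(TOR_PUBKEY_HEADER) or len(data) != 64:
        raise ValueError("not a Tor ed25519 public key file")
    return data[32:]


def hostname_matches_key(hostname: str, pubkey: bytes) -> bool:
    """Migration check: does the address in Tor's hostname file belong to this key?
    True means this key, and every leaked copy of it, still controls the name."""
    return parse_onion_v3(hostname.strip()) == pubkey


if __name__ == "__main__":
    addr = onion_v3_address(SAMPLE_PUBKEY)
    print(addr)
    print(hostname_matches_key(addr, SAMPLE_PUBKEY))
```

The practical consequence for an operator who migrated after the breach: if `hostname_matches_key` returns True for the key pair that sat on DH, the old name is still bound to a key the attacker holds, and the only fix is a fresh key pair and therefore a new address. Older v2 addresses were derived the same way in spirit (a truncated SHA-1 of the RSA public key), so the same applies to them.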
While that might not seem like much of a crying shame when it comes to the criminally inclined dark-web services such as those devoted to child sexual abuse, we can’t cheer their downfall. After all, besides shielding criminals, the hidden services of the darknet include outlets for those who are persecuted and/or living under repressive regimes.
ZDNet reports that IP addresses weren’t included in the leak. That will serve to protect both darknet criminals and those who are only looking to escape surveillance and prosecution.
In March, following the hack, Winzen told ZDNet that he was planning to relaunch the service in coming months, but only after several improvements, and that “this was not a priority.”
Will those improvements finally include database backups? … or, in keeping with the suspicion that DH is actually running a honeypot, will the relaunch include a way to penetrate the dark web in order to collect IP addresses of hidden services?
If so, we’ll be sure to bring you whatever news might be in the offing regarding law enforcement action on this huge slice of the darknet pie.
