ALPHABAY MARKET: LESSONS FROM UNDERGROUND INTELLIGENCE ANALYSIS
CHRISTY QUINN
Threat Hunting, OSINT and Reconnaissance (THOR)
BACKGROUND Christy Quinn · South London, UK · War Studies nerd · Threat intel since 2015 · Organizations and networks...
BASELINE: WHAT'S UNDERGROUND INTELLIGENCE?
· Subset of threat intelligence
· Providing visibility into underground criminal activity
CYINT
HUMINT
OSINT
PROS AND CONS...
· Get to know the people targeting you
· Identify clusters of criminal activity
· Optimal outcome: identify threat to org at target selection stage
· Suboptimal outcome: identify threat to org at post-attack exploitation stage
· High risk for average organization to homebrew: discovery and retaliation
· Technically and organizationally intensive: language, infra, opsec, etc.
CYBER CRIMINAL OPERATIONAL CYCLE
HOW SHOULD MY ORG USE THIS?
· Global hotel and resort operator
· Identify clusters of TTPs within communities
· Interesting: employees offering insider access to customer payment systems of unspecified hotel company
· Engage with actor, ascertain threat
· Attempt to identify and mitigate planned attacks at the earliest possible stage
DEEP DIVE: ALPHABAY MARKET
· Founded in December 2014 by Alpha02
· Combined "Silk Road" style marketplace with "Darkode" style criminal community
· By June 2017, approximately 190,000 registered members
· Target of strategic research project
GUNS, CREDIT CARDS AND DRUGS, OH MY!
IT WAS GREAT WHILE IT LASTED...
· Disappeared on July 5 2017
· DoJ announces joint AlphaBay and Hansa Market seizure on July 20 2017
· Some operational security mistakes...
WHY ALPHABAY?
· Provided visibility into:
  - Operational planning of low-to-mid tier cyber crime operators
  - Organizational relationships between Russian and English-language communities
  - Top tier criminals operating the market
  - Highly sophisticated financial model connecting AlphaBay with cryptocurrency manipulation
"LIKE REDDIT, BUT FOR CRIMINALS"
Hackers for hire
Phishers
Insiders
Mules
Developers
Social engineers
Botnet herders
Spammers
EXAMPLE: TACTICAL UNDERGROUND INTEL
· Contacted by criminal gang in Southern Europe on AlphaBay forum
· Had physical access to corporation's internal networks
· Needed specialist to provide malware to install using malicious insiders
*Some details changed to protect victims
THE RUSSIAN CONNECTION
· Heavily leveraged connection to Russian underground
· Sale of Russian PII and financial data banned on market
· Cazes was Canadian and based in Thailand
· What do?
AB FINANCIAL MODEL
· Escrow fees
· Mixer fees
· Bitcoin investments
HOW TO PUMP UP CRYPTO-CURRENCIES USING A MARKETPLACE
· Step 1: Buy a lot of a cryptocurrency not currently supported by marketplaces
· Step 2: Announce AB support for said currency
· Step 3: Watch buyers flood into the market and pump up the coin's value
· Step 4: ???
· Step 5: PROFIT
MONERO
· Market cap:
  - Aug. 18, 2016: 28,078 m USD
  - Aug. 21, 2016: 32,981 m USD (Oasis Market announces support)
  - Aug. 22, 2016: 33,613 m USD (AlphaBay announces support)
  - Sept. 1, 2016: 108,643 m USD (AlphaBay completes integration)
ALEXANDRE CAZES ASSET FORFEITURE NOTICE
· 1605 BTC: 18.4 Million USD
· 8309 ETH: 10.3 Million USD
· 3691 ZEC: 1.7 Million USD
(As of Jan 28 2018)
WHAT DOES ALPHABAY TELL US ABOUT UNDERGROUND INTEL?
· Powerful visibility into attacker intent and TTP development.
· Halt or mitigate attacks at target selection stage.
· Know your community!
QUESTIONS? Reach out: @christyquinn [email protected]