The Dark Dive
Author: Searchlight Cyber
© Copyright 2025 Searchlight Cyber
Description
The Dark Dive podcast is designed to demystify the dark web - arming you with everything you need to know about what the dark web is and how it is used.
Join us for a deep dive into dark web markets, hacking forums, and ransomware leak sites. Listen to real life stories from experts that feature criminals buying and selling stolen data, trading exploits, and planning cyberattacks from the dark web.
Most importantly, find out how the cybersecurity and law enforcement community can do something about it.
Want to find out more?
Email: thedarkdive@slcyber.io
Website: www.slcyber.io
LinkedIn: www.linkedin.com/company/searchlight-cyber
X: www.twitter.com/SLCyberSec
Weekly newsletter: www.slcyber.io/beacon/
20 Episodes
On May 7th, 2025 the notorious ransomware group LockBit’s dark web leak site displayed an unusual message: “Don’t do crime, crime is bad xoxo from Prague”. Alongside this text was the link to an archive file, containing data that appeared to have been stolen from the LockBit ransomware group itself.
In this month's episode of The Dark Dive, members of the Searchlight Cyber threat intelligence team share what they learned by downloading and analysing the files. They share insights into the "Lite" version of LockBit's Ransomware-as-a-Service scheme captured in the data, what we learnt about the 76 affiliate hackers caught up in the data leak, and from the 208 victim negotiations. Juicy details include the range of payments that the hackers demand from their victims, unexpected conversations in the negotiation chats, and the deliberate targeting of Chinese enterprises.
Further reading:
- Previous episode of The Dark Dive on LockBit - "The LockBit TakeDown" (Discussed at 01.20): https://slcyber.io/podcasts/the-lockbit-takedown/
- Listen to previous episode of The Dark Dive - "Ransomware Groups on the Dark Web" - for more information on Ransomware-as-a-Service schemes (Discussed from 01.50 onwards): https://slcyber.io/podcasts/ransomware-gangs-on-the-dark-web/
- The episode of The Dark Dive that covers TOX and other messaging applications - "Encrypted Communication Apps: From Telegram to EncroChat" (Discussed at 10.20): https://slcyber.io/podcasts/encrypted-communication-apps-from-telegram-to-encrochat/

This month's episode of The Dark Dive revisits the topic of Attack Surface Management. In particular, how it relates to a relatively new cybersecurity term, CTEM: Continuous Threat Exposure Management.
In a lively discussion, guests Michael Gianarakis and Ben Jones help define CTEM, a security process that has quickly gained traction thanks to being championed by the analyst firm Gartner. They debate what CTEM adds to cybersecurity, how it builds on previously established concepts, and where ASM and threat intelligence play a role in the process.
Along the way, Michael and Ben give practical advice for how organizations should be implementing CTEM, including common pitfalls to avoid and ways that security teams can measure the success and maturity of their CTEM program.
This episode ties in with the new e-book published by Searchlight Cyber, "ASM in the age of CTEM", which you can download here for free: https://slcyber.io/ebooks/asm-in-the-age-of-ctem/

This month's episode of The Dark Dive tackles the thorny issue of hacktivism: hackers that are driven by ideological - rather than financial - motivations.
Threat intelligence experts Luke Donovan and Vlad join the podcast to discuss how hacktivism has evolved from the "digital utopia" era, to the anti-establishment antics of Anonymous, to the state-aligned activities we observe today.
Along the way, we cover the defining tenets of modern day hacktivist groups, including their targets, tactics, and use of Telegram to promote their attacks and causes. We also discuss how hacktivism has escalated from acts of protest and defacement to more sophisticated attacks, including the use of ransomware.
Further reading:
- "Hacking in the Name Of", article on the history of hacktivism authored by Diana Selck-Paulsson in The Hacker News (discussed at 04:30): https://thehackernews.com/expert-insights/2025/02/hacking-in-name-of.html
- "Encrypted Communication Apps: From Telegram to EncroChat" our podcast episode on Telegram and other messaging apps (discussed at 25:27): https://slcyber.io/podcasts/encrypted-communication-apps-from-telegram-to-encrochat/
- "The Rise of the Hacktivist Supergroup", previously published threat intelligence from Vlad on hacktivist group team-ups (discussed at 36:45): https://techinformed.com/the-rise-of-the-hacktivist-supergroup/

This bumper episode of The Dark Dive features no fewer than four co-founders, as the CEO and CTO of Searchlight Cyber (Ben Jones and Gareth Owenson) are joined by their counterparts from the Attack Surface Management company Assetnote (Michael Gianarakis and Shubham Shah).
Together, we discuss the background of Assetnote and origins of its founders in the offensive security and bug bounty world, the rationale behind Searchlight Cyber's recent acquisition of Assetnote, and the fundamentals of Attack Surface Management (ASM).
We take a deep dive into the tenets of Attack Surface Management, including viewing ASM as a process rather than a technology, nuances in the ASM market, and the role of vulnerability research.
Further reading:
- Press release on Searchlight Cyber's acquisition of Assetnote (discussed 12:00 - 21:34): https://slcyber.io/press/searchlight-cyber-acquires-assetnote/
- Visit the Assetnote Security Research Center for the most recent vulnerability research from Assetnote (discussed 35:32 - 42:33): https://slcyber.io/assetnote-security-research-center/
- Assetnote's ServiceNow vulnerability research (discussed 37:40 - 38.35): https://www.assetnote.io/resources/research/chaining-three-bugs-to-access-all-your-servicenow-data
- Assetnote's Citrix Bleed vulnerability research (discussed 41.06 - 42.33): https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966
- Visit this page for more information on the Assetnote Attack Surface Management platform: https://slcyber.io/dark-web-security-products/attack-surface-management-tool/
- For more insights from the Assetnote co-founders on Attack Surface Management check out their own podcast, Surfacing Security: https://youtu.be/LEcFfC6OrYk?feature=shared

In this episode of The Dark Dive we look at how specific individuals - Executives, VIPs, and high-net worths - are targeted by cybercriminals and on the dark web.
Ahead of the launch of their Digital Footprint Review service, NCC Group's Matt Hull joins us to discuss the threats facing individuals - including social engineering and Business Email Compromise (BEC) - and how these can be mitigated by auditing your personal online presence and monitoring the dark web.
Meanwhile Searchlight Cyber's Ben Jones explains the threats facing individuals from the dark web - from doxxing to physical threats - and shares his own experiences as an executive of being the target of CEO Fraud.
Visit www.nccgroup.com for more information on the NCC Group and resources on securing your digital footprint.
Marsh McLennan research report mentioned 15.38: https://slcyber.io/whitepapers-reports/the-correlation-between-dark-web-exposure-and-cybersecurity-risk/

In the first episode back of the year we've assembled two of Searchlight Cyber's threat intelligence experts to give their take on what we can expect from the dark web in 2025.
Louise Ferrett and Luke Donovan say what they think 2024 will be remembered for, choose one news story that might have gone under the radar, and (are forced into) making a prediction for the year ahead.
Along the way we discuss the fragmentation of the cybercrime landscape, how law enforcement upped their takedown game last year, and the priorities for cybersecurity professionals in 2025.
You can download Searchlight Cyber's report "Same Game, New Players: Ransomware in 2025" (discussed from 21.45) here: https://slcyber.io/whitepapers-reports/same-game-new-players-ransomware-in-2025/

In this episode of The Dark Dive we're looking at a particular type of malware called Information Stealers or "infostealers". This malware is designed to (you guessed it!) steal information from infected devices.
Threat Intelligence Engineers Rob Fitzsimons and Joe Honey discuss exactly how infostealers work, why this malware has become so prolific, and where it can be spotted on the dark web. During the episode we cover the differences between different strains of infostealer, recent law enforcement action that has succeeded in taking infostealers offline, and how organizations should be protecting themselves.
You can download Searchlight Cyber's infostealer report (discussed 26.53 - 29.40) here: https://slcyber.io/whitepapers-reports/infostealer-identified/
And find more information on Operation Magnus (discussed 38.18 - 47.06) here: https://www.operation-magnus.com/

This episode of The Dark Dive focuses on encrypted communication apps, including Telegram, Tox, Signal, Session, and Jabber.
While not strictly speaking part of the "dark web", these apps are used by the same criminals to perpetrate many of the same crimes. We start with the "mainstream", taking a close look at the popular messaging app Telegram in the wake of the arrest of its CEO in August 2024. Vlad, a threat intelligence analyst at Searchlight Cyber, then takes us through the alternative apps that criminals may migrate to, should the privacy changes to Telegram make it an inhospitable environment for cybercrime.
We then take a look at the other end of the spectrum with the example of EncroChat - an encrypted communication network that required a special device sold on subscription. Dave Osler, Head of Product at Searchlight Cyber, talks us through the type of crimes that took place on this "high end" encrypted network and the international law enforcement operation that brought the whole thing crashing down.
Further reading:
- The arrest of Telegram's CEO: https://www.reuters.com/world/europe/telegram-messaging-app-ceo-pavel-durov-arrested-france-tf1-tv-says-2024-08-24/
- Privacy changes on Telegram: https://thehackernews.com/2024/09/telegram-agrees-to-share-user-data-with.html
- Vice's reporting around the takedown of EncroChat: https://www.vice.com/en/article/how-police-took-over-encrochat-hacked/
- Europol and Eurojust's figures around EncroChat: https://www.europol.europa.eu/media-press/newsroom/news/dismantling-encrypted-criminal-encrochat-communications-leads-to-over-6-500-arrests-and-close-to-eur-900-million-seized
- The Ghost app takedown: https://www.europol.europa.eu/media-press/newsroom/news/global-coalition-takes-down-new-criminal-communication-platform

In this episode of The Dark Dive we're joined by incident response heavyweight Caleb Barlow (former head of IBM X-Force and now CEO of Cyberbit) and Searchlight Cyber's Head of Threat Intelligence Luke Donovan to discuss the best ways to respond to a cyberattack. Caleb and Luke share war stories, talk about what progress has been made in the cybersecurity industry (and areas of improvement!), and each give their own take on how organizations can best prepare for the fateful day that their network is breached.
Along the way we discuss how incident response has changed over the years, where threat intelligence and - in particular - dark web intelligence on cybercriminals fits into the incident response process, and why an eight-year-old Ted Talk now seems remarkably prescient.
The Ted Talk discussed at the 39 minute mark is "Where is Cybercrime Really Coming From?": https://www.ted.com/talks/caleb_barlow_where_is_cybercrime_really_coming_from?

Can you quantify the risk the dark web poses to organizations? In this episode of the podcast, we discuss a landmark study that has tried to do just that.
We're joined by Scott Stransky, Managing Director and Head of the Marsh McLennan Cyber Risk Intelligence Center, and Ben Jones, CEO of Searchlight Cyber, who unravel the findings of the report "The Correlation Between Dark Web Exposure and Cybersecurity Risk".
We discuss how cyber insurance loss data can be used to calculate the impact of dark web exposure on an organization's cybersecurity risk. We look at how different types of dark web exposure individually impact the chance of a cyberattack. Then we explore how multiple factors combined increase the chances of a cybersecurity incident.
Download the research report discussed in the podcast: https://slcyber.io/whitepapers-reports/the-correlation-between-dark-web-exposure-and-cybersecurity-risk/
Apply for a Dark Web Risk Report on your organization: https://slcyber.io/dark-web-risk-report-find-out-your-dark-web-exposure/

This episode of the podcast looks at the Qilin ransomware group's attack on the UK's National Health Service. Or - more accurately - their ransomware attack against Synnovis, a third party pathology testing organization for a number of London hospitals.
Guests Louise Ferrett and Joe Honey go through the timeline of the attack - discussing the group's history, whether to trust claims that the attack was politically motivated, and the reasoning behind leaking 400GB of stolen patient data.
This episode also looks at the state of ransomware half a year into 2024 - including where some of the biggest groups from last year have disappeared off to, new groups that security professionals should be aware of, and the diversification of the ransomware landscape as more groups emerge than ever before.

This episode of The Dark Dive takes a listener's question as a jumping off point to talk about the topic of data leaked on the dark web.
Guests Luke Donovan and Adam Wilson discuss noteworthy data leaks from over the years - impacting organizations such as 23andMe, Ashley Madison, and Yahoo! - and bring things right up to the present day (June 2024) by looking at the data leaks on BreachForums impacting Ticketmaster and Santander customers.
We look at how data such as credit card information, addresses, passwords, usernames, and even biometric information is stolen in the first place, how it is packaged and sold on the dark web, and the implications of highly sensitive data being leaked.
For more background on the cases we discuss:
- Ticketmaster: https://www.bbc.com/news/articles/cw99ql0239wo
- Santander: https://www.bbc.com/news/articles/c6ppv06e3n8o
- 23andMe: https://www.bbc.com/news/technology-67624182
- El Salvador: https://securityaffairs.com/162790/data-breach/el-salvador-massive-leak-biometric-data.html
- Ashley Madison: https://www.forbes.com/sites/zakdoffman/2020/02/01/ashley-madison-hack-returns-to-haunt-its-victims-32-million-users-now-have-to-watch-and-wait/
- Yahoo! 2013 data breach: https://www.bbc.co.uk/news/business-41493494
- Nitro: https://www.bleepingcomputer.com/news/security/massive-nitro-data-breach-impacts-microsoft-google-apple-more/

In the first episode of season two, The Dark Dive takes a forensic look at Operation Cronos, the international law enforcement takedown of the notorious ransomware group LockBit.
Dr. Gareth Owenson and Louise Ferrett give an overview of LockBit, explain how Operation Cronos has unfolded, and discuss why law enforcement has taken an unconventional approach (“the most epic trolling in cybersecurity history”) to this ransomware group takedown.
Recorded on May 14, this episode includes the “unmasking” of LockBitSupp in early May, how LockBit has responded to the law enforcement action, and how this operation has (and could still) impact other groups - with the BlackCat ransomware gang choosing early retirement.
Useful links:
- NCA press release, February 20, 2024: https://www.nationalcrimeagency.gov.uk/news/nca-leads-international-investigation-targeting-worlds-most-harmful-ransomware-group/
- LockBit statement: https://x.com/vxunderground/status/1761506370656825531
- US DoJ sanctions, May 7, 2024: https://www.justice.gov/opa/pr/us-charges-russian-national-developing-and-operating-lockbit-ransomware

The final episode of this limited series looks at how law enforcement and cybersecurity professionals can respond to the dark web criminality outlined in the previous five episodes.
Returning guest Dr. Gareth Owenson is joined by Ben Jones, CEO of Searchlight Cyber, and Evan Blair, General Manager of North America, to discuss the actions that law enforcement agencies and private organizations are taking to tackle threats that emerge from the dark web.
This bumper conversation ranges from how officers identify individuals that are masking their identity with the anonymity of the dark web, to how security teams are beginning to monitor the dark web for "early warning signals" that their organization is about to be attacked, and concludes with the final messages that our experts would like listeners to take away from this podcast series.
Report, "Government Agency Targeted on the Dark Web": https://www.slcyber.io/whitepapers-reports/government-agency-targeted-on-the-dark-web/

This episode of The Dark Dive looks at what host Aidan Murphy describes as "dark web service providers" - i.e. the services that keep dark web criminality ticking.
In particular, threat intelligence experts Carlito Perschky and Rob Fitzsimons explain where cryptocurrency fits into the dark web, how it has enabled illegal marketplaces to flourish, and the methods criminals use to hide where their funds are going to and from.
We also discuss the paradox of dark web search engines and link sites that criminals use to navigate the dark web, as well as stranger aspects of the dark web that haven't been covered in our previous podcast episodes.

In this episode of The Dark Dive we look at how cyber defenders' biggest nemeses - ransomware groups - use the dark web.
Returning threat intelligence experts Jim Simpson and Louise Ferrett explain all of the functions of a ransomware leak site, how ransomware group members use dark web forums, and how monitoring this activity helps us understand how the ransomware threat is evolving.
We cover some of the biggest groups*, take a fascinating look at how they work with each other, and host Aidan Murphy learns the difference between "state-backed" and "nation-backed" threat actors.
*Note - this episode was recorded before the takedown of LockBit in the international law enforcement action, Operation Cronos.
Report: "More Groups, More Problems: Ransomware in 2023"

We're joined by threat intelligence experts Joe Honey and Vlad to delve into dark web hacking forums.
The conversation covers how dark web forums differ from regular internet forums, the topics that users are discussing, and how forums manage to have such longevity in comparison to criminal marketplaces.
On the way our guests explain the "barrier to entry" to getting onto these forums, the blurry line between Russian, English language, and Chinese forums, and how these sites act as a market for a specific type of cybercriminal known as "Initial Access Brokers".
Report, "Combatting Initial Access Brokers With Dark Web Intelligence": https://www.slcyber.io/whitepapers-reports/combating-initial-access-brokers-with-dark-web-intelligence/

In this episode of The Dark Dive - the podcast that delves into the depths of the dark web - we take a forensic look at dark web markets.
Guests Louise Ferrett and Dave Osler outline the different types of marketplaces that exist on the dark web, the illicit and criminal goods they sell, and the challenges they create for law enforcement.
In the process, we discuss the difference between drug and digital goods markets (known as "autoshops"), the short lifespan of marketplace sites, and the strangest things they've seen sold on the dark web.

In this first episode of The Dark Dive we start at the beginning, with the question: what is the dark web? Renowned dark web academic Dr. Gareth Owenson and threat intelligence expert Jim Simpson define exactly what the "dark web" is in relation to the "clear web" and the "deep web", how dark web networks like Tor work, and why it's relevant to law enforcement and cybersecurity professionals. They also provide an overview of the types of traditional and cyber criminal activity that take place on the dark web, while busting (and confirming) some dark web myths.

Introducing The Dark Dive, the podcast that demystifies the dark web.