Thousands of people with accounts on darknet websites for sharing child sexual abuse material could be unmasked using information stolen by cybercriminals, according to research published Tuesday.
In a proof-of-concept report, researchers at Recorded Future said they have been able to identify these individuals from credentials harvested by infostealer malware - a type of malware that typically steals log-in credentials for banking services, which are then exploited by financial fraudsters.
Alongside the log-in details for banking apps are other credentials, including to accounts on .onion websites known for trafficking CSAM. The users of these sites, which run on the Tor network, are anonymized by the network relaying each connection through several hops on an encrypted network.
The individual infostealer logs contain credentials for other services used by the infected person.
The logs link those anonymous CSAM website users to accounts on clear web platforms, such as Facebook, where they have used their real names - and sometimes even include autofill data stored in a web browser, such as a home address - giving law enforcement agencies the opportunity to investigate offenders and safeguard at-risk children.
The Record is an editorially independent unit within Recorded Future.
The retailers involved in the ecosystem for trading these stolen credentials include Russia Market and 2Easy Shop, as well as the now-defunct Genesis Market, which was seized by law enforcement last year, leading to more than 120 arrests.
The retailers collect the stolen data from wholesalers.
Dmitry Smilyanets, a product manager at Recorded Future, explained that the company legally acquires this wholesale data, often shared in bulk on Telegram, for security purposes.
Recorded Future analyzes these records for domains used by corporate customers, either to protect compromised employee accounts or to identify when customers are impacted so that consumer fraud can be tackled. The company ingests around 150 million credentials every month.
According to the report, by querying this data alongside partners - including World Childhood Foundation and the Anti-Human Trafficking Intelligence Initiative - the researchers were able to identify approximately 3,300 unique users with accounts on at least one darknet site for the sharing of CSAM. Recorded Future said it had shared all of its findings with law enforcement in the U.S., including raw data which is not included in the public report.
This Cyber News was published on therecord.media. Publication date: Tue, 02 Jul 2024 14:05:34 +0000