Email Address Usage on the Dark Web

Last week, Anonymous compromised and took down Freedom Hosting II, the largest hosting service for Dark Web sites, and published the contents of the internal databases for those websites. Many of these databases contained email addresses forum users etc. We extracted the email addresses and took a look to see how users of the Dark Web were choosing to communicate. As expected, we saw a large number of webmail and anonymous email services in use, but also one large spam operation putting out forum posts to advertise bootleg pharmaceuticals. Even the Dark Web is not safe from spammers! The Dark Web is a term for websites that can only be accessed using special software that is intended to provide anonymity for both the publisher and the users of the site. The best known and most popular software for anonymous web access is Tor, and anonymous websites that can only be accessed using Tor are called Tor Hidden Services, and have URLs ending in .onion. Though there are legitimate uses of the Dark Web for free speech and anonymity, particularly in countries with repressive governments, it also facilities marketplaces for illegal services and the sexual exploitation of children. Not everyone who would like to run a Dark Web site has the technical expertise to set one up, so there are Dark Web hosting services that accept payment in bitcoin. The largest of these (until last week) was Freedom Hosting II, which hosted between 15% and 20% of all Dark Web sites. The original Freedom Hosting was shut down by the FBI in 2013 and the alleged owner is under arrest in Ireland pending extradition to the US on charges relation to child sexual exploitation images. The successor, Freedom Hosting II, was not toppled by law enforcement, but a hacker claiming connection to the activist organization Anonymous. On February 3rd, Dark Web users attempting to view any of the ten thousand plus Freedom Hosting II websites using Tor were greeted with this message.

A number of researchers have downloaded the database dump. It's has probably been downloaded by law enforcement and cybercriminals as well, but they aren't talking about it. It contains over ten thousand databases, many of them empty. According to researcher Sarah Jamie Lewis, the largest database in the dump facilitated the creation and distribution of child sexual exploitation images and videos. The illegal images and videos themselves are not contained in the data dump as user data was not included. We can expect to see email addresses pulled from that database used for extortion attempts as they were in the Ashley Madison hack. However, it's likely that most users of any such forum would use fake or anonymous email addresses. We scanned the entire database dump for email addresses, and found over 260,000 distinct addresses. Of these almost one third were various webmail services, with Gmail being the most popular, about a quarter were domains owned by one particular spammer, and about 8% were various Tor base anonymous email services.

As one researcher pointed out, there are a few .gov and .mil email addresses in the dump, but they all appear to be fake, as do many of the addresses in the "Other" category. In fact there are over a hundred addresses used in the domain fakemail.com. The spammer is one of those determined purveyors of fake pharmaceuticals, apparently spamming forums with links and using email addresses randomly generated in half a dozen domains all of which resolve to the same IP address. The email domains used were

• emailhearing [dot] com
• emeyl [dot] com
• clashatclintonemail [dot] com
• changingemail [dot] com
• gmailssdf [dot] com
• printemailtext [dot] com

These were associated with comments containing links to a number of disposable domains containing pharma websites.

It's a sign that email spam filters are doing a good job when spammers are forced to go to the the darker and more lawless corners of the Internet to promote their unwanted goods.