The Dark Web in 2025
What can we expect from the dark web and cybercrime ecosystem in the year ahead?
In the first episode back of the year we’ve assembled two of Searchlight Cyber’s threat intelligence experts to give their take on the dark web in 2025. Along the way we discuss the fragmentation of the cybercrime landscape, how law enforcement upped their takedown game last year, and the priorities for cybersecurity professionals going forward.
Speakers

Aidan Murphy
Host

Luke Donovan
Head of Threat Intelligence

Louise Ferrett
Senior Threat Intelligence Analyst at Searchlight Cyber
In this episode of the podcast we cover:
The major developments on the dark web last year
Answering the question: what will 2024 be remembered for?
News stories from last year that may have gone under the radar
And trends cybersecurity professionals shouldn't forget.
Predictions for the dark web in the year ahead
Including further fragmentation of the cybercrime landscape.
Transcript
Aidan Murphy: Hello, and welcome to The Dark Dive, the podcast that delves into the depths of the dark web. My name is Aidan Murphy, and I’m your host as each month, we take a look at a different aspect of the dark web. In this first episode of 2025, we’re going to look at the year ahead of us. Of course, in order to do that, we have to take a look at what changed in the year behind. How is the dark web different today compared to a year ago? What were the drivers of change, and what dark web trends are at the forefront as we move into a new year? Joining me to share their perspectives on the dark web today are two of my Searchlight Cyber colleagues from the threat intelligence team, Luke Donovan, head of threat intelligence, and Louise Ferrett, lead threat intelligence analyst. Before we get started, I’m just going to ask you to introduce yourselves to the listeners. Luke, can we start with you?
(TC: 00:00:53)
Luke Donovan: So, my name’s Luke Donovan. I’m the head of threat intelligence here at Searchlight Cyber. So, I’ve been an intelligence analyst for twenty years, dealt with everything from military intelligence all the way through to looking at cyber intelligence, looking at content on the dark web and also social media. My work here involves understanding the dark web, understanding all the data sources which we want to harvest content from, and also assisting our end customers and our prospects in getting the best out of the dark web and also social media, the likes of Telegram, etc, to answer their requirements.
(TC: 00:01:31)
Aidan Murphy: Brilliant, thanks, Luke. And, Louise, still holding the crown for the most frequent guest on the podcast, please can you reintroduce yourself to the listeners.
(TC: 00:01:40)
Louise Ferrett: Thank you for having me, Aidan. I’m sure someone will knock me off of that top spot one day, but until now, reigning champ. Yes, I’m Louise, I’m lead threat intelligence analyst here at Searchlight Cyber, been working in cyber threat intelligence for about four years now, and my job is heavily focused on dark web, data sources, new cyber criminal threats to enterprise, government and individuals, and very happy to be back on The Dark Dive.
(TC: 00:02:17)
Aidan Murphy: Brilliant, thanks, Louise. Alright, so I’m going to start this episode with a big question. There’s no easing in on The Dark Dive. So, I’m going to start with you, Louise, maybe. So, for you, what was the major development in the dark web last year? If we were going to say 2024 would be remembered for something, what is 2024 going to be remembered for from a dark web perspective?
(TC: 00:02:42)
Louise Ferrett: So, I’m going to expand this question a little, if you don’t mind.
(TC: 00:02:47)
Aidan Murphy: Yes.
(TC: 00:02:48)
Louise Ferrett: I’m going to expand it to, sort of, the cyber crime landscape as a whole, so dark web but also, like Luke mentioned, social media messaging apps like Telegram. I would say that 2024 will be remembered as the year that the cyber crime landscape became more fractured, and I guess you could also say, sort of, multi-polar. So, what I mean by that is in, kind of, previous years, we’ve had this ecosystem of a few established, heavy-hitter groups. I’m thinking about this in ransomware terms, first and foremost. I think that’s a good example to show this, but you can see it across other areas of the cyber crime landscape as well, so the explosion in, kind of, hacktivism actors and low-skilled actors that we’ve seen in the past year, rising regions, as well. So there are a few notable regions that pop up consistently when talking about dark web threats and cyber security in general. So, you’ve got your Russias, Irans, Chinas, but I think we’ve seen a rise, especially in the hacktivism area, in actors from India, actors from South East Asia, South American actors. So, that, to me, signals that we’re starting to go into a new era, where everything isn’t as concentrated in these few select regions, and likewise with these few select threat actor groupings. So, to go back to the ransomware example, that’s been a big talking point, I think, in everyone’s, sort of, end-of-year reports, the fact that there’s been a growth in the number of new ransomware leak sites popping up without necessarily a matching growth in the number of unique posts. So, that suggests that activity is, sort of, splintering between these smaller groups, and I think there are many reasons for that that we can talk about.
(TC: 00:05:20)
Aidan Murphy: I just wanted to jump in on a few points, so when you say multi-polared, you mean what you’re talking about, about these, kind of, different regions getting involved. It’s, like you say, maybe not the, kind of, dichotomy-, I’m not sure if I’m even using that word correctly, I’m going to go with it, the dichotomy of maybe the West versus Russia. Or I know a lot of other threat intelligence firms in the past have talked about what you were describing, like, the big four, Russia, China, North Korea and Iran.
(TC: 00:05:46)
Louise Ferrett: I knew that I’d forgotten one. North Korea, that’s it.
(TC: 00:05:48)
Aidan Murphy: Yes, forget North Korea at your peril.
(TC: 00:05:52)
Louise Ferrett: Indeed.
(TC: 00:05:53)
Aidan Murphy: But, like you’re saying, a, kind of, broadening out, I guess, of the epicenters of where this crime could be originating from, based on things like language and political motivations that we’ve observed. Is that right, that’s what you mean by multi-polar?
(TC: 00:06:07)
Louise Ferrett: Yes, that’s correct.
(TC: 00:06:08)
Aidan Murphy: And then, yes, in terms of the fractured nature, so I guess that’s part of it. You said there could be a few factors behind that. Is one of them, do you think, maybe-, if you think of, like, arms proliferation and the ease of ability for people to start orchestrating these attacks themselves, is this something that used to be concentrated in the hands of a few, which has now become more accessible? Or do you think there’s something else behind it?
(TC: 00:06:36)
Louise Ferrett: Yes, I think that’s definitely part of it, the, sort of, proliferation angle. I mean, another trend that ties into this that we’ve seen continue to grow over the past years has been that lowering of the barrier to entry. So, what we’ve seen is the monetization of cyber crime tools.
(TC: 00:06:59)
Aidan Murphy: As a service element, is what you mean, right? Like, the ability for people to be able to launch attacks using other people’s technology that they’ve made quite readily available.
(TC: 00:07:10)
Louise Ferrett: Yes, exactly. The as-a-service model has grown increasingly popular. It’s that specialization, so an actor will get really good at a particular part of the attack chain, whether it’s initial access brokering or authoring loader malware, or authoring ransomware, or authoring a stealer malware. And they will, then, monetize that so that other actors-, for them to just plug and play, essentially, and use. And that does lower the barrier to entry for cyber crime, which, in turn, makes it easier for more groupings, more threat actors to, kind of, spring up without necessarily having the full comprehensive knowledge of how to manage a cyber attack from start to finish. I think another reason that we’re seeing this kind of fracturing and splintering in smaller groups could be the law enforcement threat or the risk that threat actors perceive to not only their freedom, which isn’t always a consideration depending on which jurisdiction they’re based in, at least freedom from, like, Western law enforcement, but the risk to their income is also a factor.
So if we look at some of the really big names that took a hit last year, two that spring to mind are obviously LockBit and then BlackCat. BlackCat, kind of, got forgotten about because it happened quite early in the year and went out with a whimper rather than a bang. But I think that one is especially indicative of how smaller-, not actors that are calling the shots but maybe affiliates of ransomware gangs can get burned as a result of law enforcement disruption. In BlackCat’s case, they weren’t fully shut down, but I think a decrypter was released, which then led the people in charge to cut their losses and really, kind of, leave their affiliates in the lurch without their cut of the criminal proceeds.
(TC: 00:09:32)
Aidan Murphy: Yes, because I guess what you’re saying is, for there to be this fragmentation in all of these smaller groups, well, like you said, as you called them, the heavy-hitters, naturally some of them have maybe receded a bit. I know some of them are not necessarily gone for good, but BlackCat is a good example of one that, at least for the moment, seems to have disappeared in the form of BlackCat, and –
(TC: 00:09:54)
Louise Ferrett: We can say that their brand has disappeared, yes.
(TC: 00:09:56)
Aidan Murphy: Their brand, yes, the brand has gone.
(TC: 00:09:57)
Louise Ferrett: I think that’s a good way to put it.
(TC: 00:09:59)
Aidan Murphy: I do want to talk more about the law enforcement angle, but before I get there, Luke, I need to ask you what you think 2024 will be remembered for. But before I get there, I guess, is there anything else you would add to what Louise is saying about this fragmentation? I mean, is that something you’ve also observed, and, yes, any additional thoughts?
(TC: 00:10:16)
Luke Donovan: Yes, absolutely. Fragmentation is definitely occurring all for the reasons which Louise has clearly articulated there. You know, there’s been seismic shifts within the ransomware arena. Louise mentioned about BlackCat, you know, BlackCat in 2023 were the second most prolific group in terms of the number of victims they’d posted after LockBit, and now this year, total demise. You know, they’re not there, but then the affiliates, so they operated a ransomware-as-a-service operation, as you guys mentioned. So, the affiliates have moved on, they’ve moved on to other organizations. Potentially, they’ve started up their own ransomware groups to ensure that they’ve got better security around them, so they haven’t got this breadth of individuals there, a select few people, so that the chances of gaining entry for law enforcement decrease slightly. So, we have very much seen that increase in the number of ransomware groups. In terms of the number of ransomware groups, I think we’ve seen a 38% increase from 2023 into 2024. I think there’s 94 ransomware groups which were active last year compared to 68 the previous year, so it just shows the change within that landscape.
Back to your question, what do I see as being the trends from 2024? Overall, it’s the increase in cyber operations across the board. So, we’ve seen the increase in ransomware attacks, or ransomware victims being posted, by 11%. We’ve seen DDoS attacks increasing by 55% from 2023 into 2024, as well. Now, when we started looking at ransomware, the DDoS attacks, the stealer log information which is being breached consistently, although there has been some law enforcement operations against that, which I’m sure we will cover off, we’ve got to think about why is all this happening? And a lot of why it’s happening is due to that political landscape, that geopolitical landscape which Louise mentioned. You know, that breakdown of old-style West versus East, your Chinas, your Russias, North Korea, Iran versus those Western Hemisphere organizations and countries. We’ve definitely seen a change there. It’ll make it very interesting, looking into 2025, when we start thinking about predictions in terms of what that will look like, but hopefully that answers your question.
(TC: 00:12:45)
Aidan Murphy: Yes, no, it’s a really interesting point, and I think it is worth calling out because, if I’m right, Luke, this is, kind of, a reflection then on what’s going on just generally in the world. The geopolitical landscape has become more complex in the last year, you know, we’re not political analysts, but I’m sure political analysts would agree with that. And what we see on the flip side is that exactly mirrored, effectively, in, you know, the realms of cyber crime and the dark web.
(TC: 00:13:11)
Luke Donovan: Yes, you’re absolutely right, Aidan. So, as a threat intelligence analyst, you’re typically looking at the tactical level of intelligence associated to you, your organization, what is directly going to impact you. However, we always have to look above that, we need to look at the operational and strategic-level impact. What is happening bigger term, and how could that then filter down and target me as an organization? So, we’ve got to think about those threat actors, you know, what motivates them, and why is that motivation in there? Is it their history, how they perceived the world? You know, all those factors start coming into effect when we start thinking about why somebody might target us, so the geopolitical landscape, those higher, strategic points will have an impact on that, tactical-level attacks against you.
(TC: 00:14:03)
Aidan Murphy: Yes. I do want to come back to the law enforcement side just because we’ve, kind of, talked around it a little bit, and I do think it is worth calling out. From my perspective, having done this podcast over the last year, I mean, we did a number of episodes last year that featured pretty significant law enforcement action against ransomware groups and malware strains. And obviously, this isn’t the first year that these operations took place, but it did feel a little bit like something changed maybe in the tactics that law enforcement used. Louise, I’m going to call on you again. You know, you were discussing the ransomware groups maybe changing how they operate based on some law enforcement again. What changed in the way law enforcement worked last year?
(TC: 00:14:43)
Louise Ferrett: Yes, so I think as we’re talking about these changes to the cyber crime landscape, it’s worth mentioning that law enforcement operations have adapted quite well to this fast-changing, kind of, ecosystem. This year, I’d say the main characterizations that you can give the law enforcement operation, or law enforcement actions, would be the fact that they’re increasingly focusing on striking that cyber crime supply chain. So as I mentioned, the, sort of, specialization of different tools and services that’s not all under one in-house operation, I guess you could say. So, striking those individual malware-as-a-service, phishing-as-a-service platforms, criminal infrastructure like botnets being used to host different loader or dropper malware, this is-, again, like you said, Aidan, it’s not necessarily a new thing, but it’s definitely a growing trend that I’ve observed over the past year.
The other key element that I think sums up law enforcement operations in 2024 is the change in tactics from trying to, you know, just shut down a particular group, service, tool, make it no longer accessible to what I would call a disruption and discrediting operation. So, I mentioned previously, I briefly touched on the fact that it’s not always possible for law enforcement to catch and bring the perpetrator to justice in these sort of situations. They’ll quite often be out of law enforcement reach, so it’s quite interesting and quite clever, I think, that one of the main strategies that we’ve seen this year is trying to hit the heavy-hitter, as I called them. So, people high up in these criminal enterprises, hitting them where it hurts the most, which is their reputation. We’ve probably touched on it before in this podcast, but reputation is a very big deal on the dark web and in the, kind of, cyber crime community. In a place that regards anonymity above all, pretty much, you don’t have a lot to go on about a specific actor, other than their word and the word of people that have worked with them in the past.
So, building a reputation on the dark web is very important. It’s something that big entities like LockBit, for instance, have been very successful in doing. I won’t go over it again, but we all know about the LockBit tattoo contest, various, sort of, savvy marketing moves. But yes, there are very successful examples of that reputation building, so law enforcement in response to that has taken the route of attacking what they value the most highly, which is that anonymity. LockBit is an obvious example, but there’s been a few others, sort of, in the tail end of 2023, maybe going into 2024.
(TC: 00:18:23)
Aidan Murphy: We did an episode on infostealers at the end of last year, and we were looking at Operation Magnus and we noted at the time, then, that law enforcement used very similar tactics to those they’d used against LockBit in Operation Cronos, and doing these, kind of, videos where they were trolling the people behind these malware strains. And, like you said, I think you put it really well then, you know, this clever approach of taking what they hold-, or what they have, effectively because, like you say, nobody knows LockBit’s background. They can’t pop a CV and, you know, discuss this kind of stuff, it’s all cred, basically, from how they act on the dark web, and if you damage their reputation, then that’s all they’re riding on. So, yes, it’s an interesting, new approach.
Luke, you were nodding your head vigorously while Louise was speaking. I guess just to develop this a little bit more, you know, you mentioned the numbers, unfortunately, on the crime are going up, but law enforcement are changing their tactics. Do you think this is, kind of, a reaction to what’s going on in the cyber crime side, and how effective is it being?
(TC: 00:19:31)
Luke Donovan: Yes, it’s a great question that, Aidan. You know, as an analyst, we always think about being reactive versus proactive, and proactive versus reactive. When it comes to law enforcement, it is a bit of both. They are being proactive to try and combat, in terms of ransomware, the attacks against organizations, but there’s obviously going to be a little bit of reactiveness going on there as well, you know, looking at, what are those big trends in cyber environment? Law enforcement have a limited amount of resources, they need to hit where they’re going to get the most bang for their buck. You know, so it’s taking out those big players, those who are really hindering the cyber landscape. SpyCloud’s released an article which mentioned about the top threats reported for organizations. Number one was ransomware, number two was the phishing and spear phishing, and number three was infostealer malware, that side of things. Now, when we start looking at those and we start looking at the threats towards organizations, and we compare that to what law enforcement have been getting involved in, in terms of the take-downs-,
(TC: 00:20:41)
Aidan Murphy: Yes.
(TC: 00:20:42)
Luke Donovan: There is a clear line between both of those. You know, those big threats towards organizations are being hit by law enforcement, whether it was through taking down LockBit, by taking down or disrupting BlackCat, so again, both the two biggest players in 2023 for ransomware reduced in size in 2024. As you mentioned, we had Operation Magnus, you know, taking down the infostealer strains of RedLine and Meta. They’ve taken down some DDoS services, some market sites, and also they’ve taken down a massive botnet, okay, associated with cryptocurrency, and it can be used for all sorts. You know, a botnet can be used for multiple different reasons, so there’s been a real wide and hard-hitting approach by law enforcement.
(TC: 00:21:40)
Aidan Murphy: Yes, when you list it out like that, it is-, well, I think you’ve mentioned this to me before, the targeting is quite impressive. I mean, we release a yearly ransomware report, which this year’s will be out by the time this podcast comes out, I think, so you should be able to find it in the show notes. And I remember that we joked a couple of years that the groups that we highlighted as being the biggest groups, law enforcement seemed to take them out, basically, as soon as the report was released. I mean, it was a joke, I’m sure they’re not reading our report and going straight out there after those guys, but they are-, like you say, Luke, it’s not a coincidence that law enforcement are tackling what seemed to be the biggest players, the groups that have the most victims, and the threats. Like you say, it’s not just ransomware, you know, DDoS services, botnets, these things that are having the biggest effect. This needs to be a real approach of, you know, how can we protect the most people maybe by taking out the biggest players? Which does seem to have been quite impactful within the last year.
(TC: 00:22:36)
Luke Donovan: Definitely, definitely. It’s very tricky to get rid of all the infrastructure and totally destroy these groups and these individuals due to the location where the majority of these are operating from, so you have to do what Louise mentioned, you know, disrupt and degrade their capability and their infrastructure. LockBit, again, is a primary example, where there were 1,000 ransomware victims in 2023; going into 2024, that’s dropped by 50%. You know, so it is having an impact in terms of what law enforcement are doing within the cyber operating environment, and it leads those individuals who are involved in cyber operations to start questioning themselves, to start thinking, ‘Okay, who can I trust? Who can I not trust? What action do I need to take going forward?’
(TC: 00:23:22)
Aidan Murphy: Yes, sowing the seeds of doubt.
(TC: 00:23:24)
Luke Donovan: Absolutely.
(TC: 00:23:24)
Aidan Murphy: Which is always a good thing from a law enforcement perspective. Brilliant, well, this might lead on well to my next question. So, I was wondering, is there any particular news story that stands out for you from last year, that is either, kind of, indicative of a big trend that we’ve already talked about, or a new trend, or, again, that you just think is-, if people are looking at 2024, this is the news story they should remember going forward? Luke, I’m going to start with you this time, to be fair.
(TC: 00:23:56)
Luke Donovan: Oh, this is a tricky question, because a lot of what we’ve seen in 2024 is a continuation from the previous years.
(TC: 00:24:04)
Aidan Murphy: Okay.
(TC: 00:24:05)
Luke Donovan: It’s just been an increase. However, I think it would be going back to the BlackCat situation, law enforcement operation in December 2023, start of 2024, they hit Change Healthcare and exit scammed from the ransomware environment. So, during that phase, what happened? So, they were operating as a ransomware-as-a-service group, again, second biggest group in 2023, but what happens to all those affiliates? Where do they end up going? You know, there’s potential that they end up going-, forming, again, their own ransomware groups, going off, becoming affiliates in other ransomware groups as well. So, for me, it’s these law enforcement operations and understanding where do the individuals behind them start going, and what’s the knock-on effects to other organizations? Because those affiliates, potentially they’ve been turned, potentially they could be working with law enforcement now, potentially not. But are there now inroads to these other groups? But yes, I think a lot of it, we’re seeing a lot in the news, you know, it is a massive result, whereas these smaller operations, I say smaller, less well known operations such as BlackCat.
(TC: 00:25:25)
Aidan Murphy: Yes, I think you raise a really good point because, I mean, I’d written down BlackCat as well, to come back to, and because it did, I think, fly a little bit under the radar because of the size of Operation Cronos. And again, this kind of public trolling that law enforcement undertook that, literally, a couple of weeks later the second biggest ransomware group disappeared for good and it did seem to have less of a recognition from the ecosystem. Even though, I mean, that’s potentially hundreds of victims that won’t be affected anymore. So yes, I think it’s a really interesting one and one not to be forgotten, and also, like you say, we’ve talked a lot on the podcast, and I recommend people go back to the original ransomware episode we did if they want to know more about this, about the fluid nature of the ransomware landscape, it is not that these groups disappear and the actors retire and we never see them again. In fact, it’s quite the opposite, we see them pop up, we see their affiliates pop up, we see the code pop up again in a lot of instances, I’m thinking of Hive, that code has been floating around. So, it is worth people being aware that, one, BlackCat did go away but, two, like Luke points out, where did those actors then go to next? Louise, same question to you, is there a news story from last year you’d call out?
(TC: 00:26:45)
Louise Ferrett: Yes, so it was quite difficult to choose this one because I think there have been quite a few interesting, high profile incidents. I mean, obviously stuff moves fast in this industry, I feel like 2024 was just on another level of breakneck speed, you know? Just when you’d finished getting to grips with one big story another one would completely take over the landscape. But what I’ve gone for, and it’s quite from the midpoint of the year, so I think it’s a good place to land, is the Snowflake data breach. You guys probably remember but just as a recap, Snowflake is a cloud data storage company, so they’re a service provider to many, many companies, a lot of big names including AT&T, Ticketmaster, several others. And the reason I chose this story is because I think it does cover, or it encapsulates, some of the points that we covered in terms of the trends that we saw for 2024. One of those is low skill, low barrier to entry techniques being used to have an enormous impact. So, in terms of how the Snowflake breach technically occurred, it wasn’t maybe what you would consider a traditional third-party breach, where the service provider leaves something vulnerable, an attacker gets into their system and then finds all the customer data that they’ve got, all their corporate customer data and starts stealing that. This one was interesting in the fact that the attackers actually exploited, I guess you could call, a weakness or an oversight in Snowflake’s 2FA policy for its customers.
So, essentially, 2FA was not mandatory on customer accounts and the threat actors were able to find compromised credentials, like, harvested by infostealer malware, purchase them for a very cheap price. And these were credentials for the customers themselves, their databases that were hosted on Snowflake, so it was their own instance. The fallout of this was over 160 customers of Snowflake having data stolen in some capacity.
(TC: 00:29:41)
Aidan Murphy: And when you say customers of Snowflake, you mean, those are the organizations, right?
(TC: 00:29:46)
Louise Ferrett: Yes, so organizations like Ticketmaster, like AT&T. And then those databases, a lot of them were posted to or offered for sale on BreachForums.
(TC: 00:30:00)
Aidan Murphy: Yes, because the reason I mentioned that, yes, so you have, basically, Snowflake’s customers impacted but then each of those companies is then impacted. So, the total number of victims, I’m not sure if it’s even been calculated, but is huge. So, Ticketmaster alone had the data leaked of 560 million customers off the back of this, this vulnerability. And like you said, that’s just one of Snowflake’s organization users. So yes, I mean, it’s kind of hard to even wrap your head around how much data was leaked as a result of this.
(TC: 00:30:38)
Louise Ferrett: Yes, it’s hard to conceptualize that kind of scale, when the number gets that big. The reason I chose this story was that low barrier to entry, the use of as-a-service cyber crime tools, like stealer malware, and not necessarily just the malware itself as well but even buying access to the logs can be a very effective tool for cyber criminals to use. So, if they’re not interested in hitting a specific target to try and extract the credentials or sensitive information they can just buy, in bulk essentially, for very reasonable prices, a huge amount of data harvested from individuals’ machines and there’s always a good chance that there will be some corporate work credentials in there that can then be further exploited. So, there’s that element of it. The other element I wanted to talk about in relation to this was that, kind of, unusual region that the threat actors themselves were based in. So, there’s been a couple of arrests now in relation to this incident, I think it was one guy in Canada, there’s another guy in Turkey who I think was already wanted by US law enforcement for a separate hacking and data breach incident. So, it’s a little different than what I said earlier, I suppose, about growing regions like South East Asia and India, obviously the Middle East more broadly than just Iran. You know, obviously we’ve got the political instability that’s going on at the moment and that is motivating a lot of different groups. But another trend that I find interesting is the US, the western side of things, specifically you don’t see it as often, I would say, or at least not to this scale and with this kind of brazenness.
(TC: 00:32:55)
Aidan Murphy: Yes, it’s a really interesting one, actually, like you say. It does crop up every now and then and I imagine, you know, if we’d asked, if we’d polled security professionals at the time of the breaches a lot of them would have probably hazarded a guess as Russian or somewhat affiliated. But yes, this is another interesting case of, actually, well, like you say, maybe not cropping up in the places you’d expect. Yes, it’s a really interesting point.
(TC: 00:33:23)
Louise Ferrett: Yes. And it kind of ties into another, broader trend of this new youth movement, almost, in cyber crime. I mean, cyber crime, especially the BreachForums style stuff, has always skewed on the younger side but these as-a-service tools are really enabling them to have an outsized impact, I think, in spite of their experience and maybe skill level. So, other examples of this would include the big casino hacks, I think that was in 2023?
(TC: 00:34:04)
Aidan Murphy: Yes.
(TC: 00:34:05)
Louise Ferrett: So, like MGM Grand and the like, that was all carried out by an associated grouping, it’s Scattered Spider, which I’m sure everyone knows the name of by now. But my difficulty with summing that up shows the new structures.
(TC: 00:34:26)
Aidan Murphy: Complexity, yes.
(TC: 00:34:28)
Louise Ferrett: Yes, the complexity, the very free, fluid alliances that are formed and break down in this particular concern of the cyber crime world. I feel like, typically, we see stuff that’s a little bit more structured. You know, if you go way back to the Conti leaks, there it was on the complete other extreme of being very bureaucratic-,
(TC: 00:34:54)
Aidan Murphy: Organization, yes.
(TC: 00:34:54)
Louise Ferrett: And hierarchical, everything very planned out and laid out, and everyone had their rank. Whereas this is, you know, just a lot more chaotic and fast moving, and people are getting arrested pretty quickly but it’s the classic hydra problem, I suppose, of as soon as that happens someone or multiple people will pop up to take their place.
(TC: 00:35:19)
Aidan Murphy: Yes, it kind of brings us full circle, almost, to the beginning of the conversation, like you said, this fragmentation. And there is a really interesting point you raise in terms of, I guess, you know, well, you’ve mentioned it a few times now, less skilled actors getting their hands on tools that allow them to conduct very scary attacks. I find it quite interesting because there is this stereotype of, I think we’ve even talked about it on this podcast, the script kiddie, some teenager sitting in their basement taking down these large organizations. Which I think for some time, like you said, went out of vogue as an idea, you know, there was this idea of these more serious cyber criminal organizations that have support and marketing, and almost it seems to be coming around full circle where we are seeing more less skilled actors being able to enter and, like you say, a slightly more confusing environment. Which I think probably does have an impact on cyber security professionals as well, right? Luke, I guess, if it’s less clear who is going to be attacking you, what their motivation might be and also there are more tools out there for them to be using, how do-, I guess I’m going to link this into what I was going to ask next is, going into the new year, or we’re well into the new year now, this is a more complex environment for the cyber security professionals, how should they react to that? What should they be thinking about? Just throwing the massive questions at Luke, sorry.
(TC: 00:36:52)
Luke Donovan: Yes, what a question. That’s a really tricky question because every different organization’s operating in a very different landscape in terms of what threats they face and what measures they should be taking in order to protect themselves. You know, I think if you look back in 2024, with the Synnovis breach, the NHS data within the UK for example, they went down a line of taking out a High Court order to prevent breached content from being publicized on, I think it was something like WikiLeaks, on Telegram and some other sources. So, they publicly stated, ‘No content can be shared on these sources.’ Now, since then obviously there’s been a lot of changes with Telegram, and the owner and their policy shift about can they post content or what content can be posted on there, what law enforcement activity can be taken against the owners of that content, will those sites be taken down? So, I think when you’re trying to protect yourself, again, I’m taking this from a very high level, holistic approach, you need to be looking at those changes in landscape, looking at the changes in the sites and sources where threats are being mentioned against your organization but also where content could potentially be posted about your organization, if you’re concerned about breaches of content for example. And then working out, ‘What steps do I need to do in order to potentially remove that content or report that content to get it removed?’ So, you’re looking at that from a proactive stance, trying to understand, ‘Who potentially could target me? Why could they target me?’ All the way through to that actions on objective, ‘Content’s been breached, what do I now need to do about this?’
So, you need to understand the operating environment there as well. Could you reach out to Telegram? Take out, potentially, a court order to remove content from Telegram? ‘Do I know how to take down a phishing website?’ You know, going back down to that SpyCloud top threats, phishing sites. Can you do that internally? Do you need to outsource it to somebody who could potentially monitor, identify and remove that content for you? So, overall, as an organization, you’ve got to look at it from the really holistic approach, looking at it from your point of view, who could potentially target you and what actions could you take at the end of that?
(TC: 00:39:24)
Aidan Murphy: Yes, I feel like after asking you a hard question there, Luke, you’ve given a great answer. So, I guess, like you said, a combination of proactive, and this comes down to threat intelligence gathering and your sources as well, trying to understand what the threats out there are. But like you said, preparing for the situation in which, if something is leaked, how do you mitigate that? I think that’s a great answer. Louise, from your perspective, is there anything you think cyber security professionals should be thinking about going into next year? What would your priorities be if you were working on a threat intelligence team for a large organization? What would you be thinking about?
(TC: 00:40:04)
Louise Ferrett: So, I’m going to piggyback off of Luke’s answer a bit because it was pretty great, but I’d follow that line of you can’t protect or you can’t defend against what you can’t see. So, you know, your intelligence is only as good as your collection is, so it’s really crucial to, like Luke said, keep up to date with where the stuff is happening, where it’s being talked about, where information is being leaked, where tools are being traded and deals are being made. And to really, sort of, give you that head start and just make you a bit more aware of the environment that you’re operating in, and then you can be more prepared for any threats that might come your way. The flip side of that is knowing your attack surface, knowing where you are vulnerable, you know, what is your weakest link in the chain? Where are all your assets? And what can you do to defend them against these common threats? And part of that is, you know, touching on my previous answers, monitoring your supply chain. So, obviously, just the cyber criminal industry, if you want to put it-, or the cyber crime economy, that’s a better way of putting it. You know, business and enterprise these days is also very specialized, it’s very rare that a company is undertaking every function, every part of their operation under the same roof, so outsourcing is essential. But obviously, with that gain in efficiency it does bring an increased risk of not having complete control over that process.
So, as we’ve seen, I mentioned with Snowflake, Luke brought up Synnovis, which I think is probably the other major story of the year, data from a lot of companies and then several huge NHS trusts were leaked as a result of that, and those were both third-party service providers, which are necessary and needed in order for those organizations to function. But just, yes, the importance of auditing that and keeping it in your mind of, it’s not, ‘Now that it’s outsourced it’s not our problem any more.’ Like, you should still be very aware and assessing that risk on a regular basis.
(TC: 00:42:50)
Aidan Murphy: Yes, because like you say, I mean, I think every year we see this but last year in particular there were very, well, the biggest breaches, effectively, were to third-party platforms. And like you say, it’s just a reality of things and something that organizations need to prepare for. Okay, so onto my last question, which I’m going to give a caveat for to the listeners, which is that it’s obviously incredibly difficult to make predictions for the year ahead. If we were sat here twelve months ago it would have been very hard to call, I think, some of the instances that we’ve discussed over the last 30 or so minutes. But with that caveat in place, I’m going to call on Luke and Louise to see if they can, is there anything that you see coming in the year ahead? Any prediction you would make of what’s going to happen, either in the realm of cyber security, cyber crime, or the dark web and criminal landscape? Louise, I’ll start with you this time.
(TC: 00:43:48)
Louise Ferrett: I’m going to heavily caveat this one, but mine’s a pretty broad prediction anyway so I hopefully won’t end up looking too stupid if it’s incorrect, but I think we are going to see continued fracturing and multi-polarization, I don’t know if that’s a word, of the cyber crime landscape. So, I feel like there will be a point, I don’t know if it will be this year but there will be a point where ransomware, specifically, will start to reconsolidate as a lot of these smaller groups that have been springing up, some of them don’t stick around for very long, it’s kind of a natural process that the scene goes through. There might be a group that claims a really high profile attack one week and then the next week their leak site is dead. But you’ve got to watch for those few that stick around and consistently build both their affiliate network and their back catalog of leaks, that build that reputation. So, I think, yes, we’ll continue seeing some fracturing and polarization followed by a bit of consolidation around some new heavy hitters, I think I called it earlier.
(TC: 00:45:16)
Aidan Murphy: Yes, and I think just to link back then to what you and Luke were just discussing around advice you’d give cyber security professionals, I think more than anything else the ransomware example really supports that idea of you need to be aware, you need to be gathering the intelligence on what’s out there. Because yes, again, if you’d taken the ransomware landscape at the end of 2023 as your intelligence for the rest of the year, I mean, it’s a completely different landscape, the big players are no longer the big players, there’s many new players. And as you’re saying, Louise, there are new players who’ve sprung up, orchestrated some pretty big attacks and then completely disappeared again. So, it’s that thing of you can’t just rest on old intelligence, it has to be a continuous process.
(TC: 00:46:03)
Louise Ferrett: Yes, totally, continuous monitoring is the name of the game, for sure. And having an agile threat model that you can adapt depending on the shifting circumstances. I’ve got one more point, it’s not really a prediction, it’s just something I’ll be interested to see personally. I think you touched briefly on Telegram earlier, obviously that was quite a big event last year as well, the arrest of the CEO, Pavel Durov, in August, I believe? And then about a month later there was a fully in line moment where it was announced there would be more crackdowns on, kind of, channels and groups conducting illegal activity on the platform. You know, this hasn’t completely stopped cyber crime on Telegram, it’s still a huge information source for that sort of thing, but we do see more channels and groups disappearing or not sticking around for as long as they once would. So, I am interested to see if any other chat or messenger platform can take its place this year, because there are alternatives but we haven’t really seen any that can match Telegram in terms of-, there’s a few areas like the name recognition, obviously, where it’s just been around for a while, in hand with that is the user base. But also just how suited it is to this kind of activity, so the options for automation, sharing in between groups, mass adding people from one channel to another channel if, say, your previous brand is compromised and you need to start up again. Oh, the other thing is the ease of use, the fact that the platform is kind of one easy package that is, again, low barrier to entry. What we see quite a lot with suggested alternatives to Telegram, it will be a secure messaging protocol and then you can configure your own client that you want to use.
(TC: 00:48:28)
Aidan Murphy: It’s much more complicated than just, yes, logging into Telegram and getting going straight away.
(TC: 00:48:32)
Louise Ferrett: Exactly.
(TC: 00:48:34)
Aidan Murphy: You know, the ability, well, again this is something they’ve changed but, in the past, the ability to search and find particular groups.
(TC: 00:48:41)
Louise Ferrett: Yes, I think, you know, obviously a lot of threat actors will have the capability to do that but it’s finding that mass appeal, especially for the as a service sector.
(TC: 00:48:54)
Aidan Murphy: Market, yes.
(TC: 00:48:54)
Louise Ferrett: So, malware as a service. Yes, exactly, that as a service market they’re kind of relying on those noobs, shall we say, as their customer base. So, if they can’t figure out how to reach you, that is going to be an issue. So yes, I’d say I’m interested to see how the Telegram legacy and landscape unfolds.
(TC: 00:49:18)
Aidan Murphy: Brilliant. Wow, I got two predictions for the price of one there.
(TC: 00:49:21)
Louise Ferrett: Yes.
(TC: 00:49:21)
Aidan Murphy: Luke, what are your predictions, again with all the caveats added at the front, for the year ahead?
(TC: 00:49:26)
Luke Donovan: Yes, a significant number of caveats. I’m going to take Louise’s first point about that fracturing and looking at those global conflicts which are occurring around the world and how that’s having an impact on cyber operations. There’s a lot of effort being put in to try and resolve these conflicts, whether it’s in the Ukraine, Israel, Lebanon, Yemen etc, but even if the kinetic operations stop, so the fighting stops, you’re always going to have these groups who are disillusioned or disagree with, sort of, that prevention of the conflict. So, we are going to continue to see those cyber operations, potentially even grow significantly. If we look at some of the advancements in technology as well, we look at AI generation within China, we look at the likes of TikTok potentially being banned in certain countries due to the security implications. That’s providing a massive split between two distinct ways of operating. So, then you will get those who are ideologically motivated targeting organizations either side of that split, so I do think that will continue to rise over time. With that, with the ransomware stuff, it is going to continue, it’s a money-spinner and lots of different groups are spinning up, new, smaller groups, some of them are targeting specific sectors.
But the way they’re operating is changing slightly as well, we are getting more ideologically motivated ransomware groups, we are getting those who now just breach organizations, taking their sensitive information and just giving it away for free, okay? Not even requesting finances, money etc for this but they’re still a ransomware group who’ve got hold of content, essentially they want those groups or those countries, those businesses to stop doing business around the world. So that, I think, will continue. That lower barrier to entry which Louise mentioned, absolutely, you know, with AI coming to the forefront in most organizations now, wherever you go there’s mentions of AI, again that will lower that barrier to entry in terms of capability. In terms of little things, like the Python scripting etc, you know, typing something in, getting a result back, really, really simple stuff. But it also enables those threat actors to conduct more specialized phishing campaigns against organizations and against individuals. And it’s more capable, isn’t it? You know, the deepfake technology which is out there at the moment, how many more people are going to start falling victim to that sort of technology?
And I think my last one, this is further out than just 2025, this is going off into a few years now, it’s quantum computing, you know, the significant power which that can bring to both the defender and also the attacker themselves. You know, when you think about how quantum computing can impact encryption-, so, if a threat actor got hold of a significant amount of quantum computing, how fast can they go through an organization, encrypt that data, get rid of it? Or what about obtaining some breached content? You know, there’s breached content out there which is encrypted at the moment, quantum computing could come across and breach that content, or make it more readable and exploit that content. So, that will be really interesting, to see how quantum computing shapes the whole landscape when it comes to threat intelligence. Not very clear there, Aidan, I’m afraid, but a few forks out there.
(TC: 00:52:57)
Aidan Murphy: No, that’s all good. No, I think with that look, well, a little bit further in the future and I think it would be interesting to come back to the quantum computing topic. I’ve come across some companies in the past who I’ve heard talk a lot about, like you say, well, kind of on both sides, so the capabilities of quantum encryption and these kind of things but also, yes, if it ever gets into the hands of the wrong people, what could be done with that. I think it would be a fascinating topic to look at again. But I think we’ve given everybody listening a lot to think about for the year ahead so, on that note, it seems like a good time to draw a line under this episode of The Dark Dive. A big thank you to Louise and Luke for joining me, and for visitors coming back for our first episode of the year. Please stay tuned for an exciting third season of the podcast ahead. To make sure you don’t miss anything, follow us for free on Apple Podcasts, Spotify, YouTube, or whatever app you use to listen to podcasts. And remember, if you have a question for us, a guest or a topic you’d like us to cover you can get in touch with us through the contact details in the show notes. Until next time, stay safe.