The DarkNet - Why It Matters to Everyone
Think of the Internet as an iceberg. The Internet we use every
day represents only 4% of the total Internet. The visible part is
indexed and searchable by major search engines like Google
and Bing. Lurking below the surface is the remaining part of the
Internet called the DarkNet or DarkWeb, and it is never seen by
the vast majority of users. This vast, hidden area is where most
illegal activity is transacted. It is in the DarkNet where transactions
involving weapons, bombs, human body parts, assassinations,
drugs, human trafficking, child pornography, malware and stolen
assets take place.
Tor is the most common technology used to access the DarkNet.
The Tor Project defines the DarkNet as, “that portion of the web
which cannot be easily reached from the public Internet, and
usually requires specialized software to access.”1
The DarkNet originally referred to any content that could not
be reached through the open Internet. This changed when users
began sharing files and the DarkNet as we know it today was
born.2
In addition to the criminal underworld, the DarkNet is
also home to political dissidents and anti-surveillance activists.
Ed Alcantara, BLACKOPS Cyber
Chief Cyber Intelligence Officer
64 United States Cybersecurity Magazine
There are currently three million Tor users, who use
the DarkNet to support anonymous communication.3
Criminals exploit this anonymity to facilitate the sale
of drugs, counterfeit currency, malware, stolen banking
information, weapons and many other illegal activities.
There is no single definitive source for the size and
scope of the DarkNet, but Tor estimates that its search
engines have indexed over 350,000 pages so far. Much
of the DarkNet is yet to be indexed and the process is
made difficult because it was not built with the intent
of being indexed.
The DarkNet features online marketplaces offering black
market goods, sometimes sold alongside legal products.
The emergence of several new DarkNet markets after
the takedown of the infamous Silk Road demonstrates
how easily the black market commercial void is filled.4
DarkNet markets, the equivalent of an Amazon.com but
in the criminal realm, sell drugs, credit card and banking
information, and the malware that enables criminals to
steal personal and financial information. The DarkNet is a
driving force behind fraud which can have a devastating
financial impact on companies, families and individuals.
Child pornography and extortion are the most prevalent
criminal activities found on the DarkNet. According to
THORN, an organization that is dedicated to addressing
online child exploitation, more than 30 percent of searches
on eDonkey, a DarkNet peer-to-peer (P2P) network, are
related to child sexual abuse content and 42 percent of
sextortion victims met their perpetrators online.5
In one
three-month period, from January to March 2015, the
FBI intercepted over 60,000 child pornography users
on the DarkNet.6
DarkNet markets cannot be stopped with algorithms
and data mining programs. Human intelligence activity is
required to identify and analyze the markets and collect
data on administrators and users.
Human Interpretation and Success in a
Multi-Faceted, Secretive Online Fight
The importance of the inclusion of human intelligence,
or HUMINT, in successful cyber operations cannot
be overstated. In the detailed and critical review of
information necessary to carry out intelligence operations
against DarkNet actors, human intelligence is necessary
to identify and correlate the links in the intelligence that
made the key difference in each case.
For example, in March 2015, cyber intelligence analysts
monitoring DarkNet criminal activities identified the
existence of certain private marketplaces operated by
Chinese hackers and trafficking in financial information.
The analysts were aware that hackers employed by the
Chinese government had begun penetrating the world’s
financial systems as early as 2006.7
In this context, in early July 2016 the analysts discovered
that UniTeller, a financial services company that services a
network of 87 banks and approximately 32,000 payment
locations worldwide, had been compromised by hackers
who breached its network. In this case, the analysts
correlated the patterns and practices of specific threat
actors to the methodology used in the UniTeller breach
and were able to identify a connection to the Chinese
hacker marketplace. Having made this connection, the
analysts were able to localize their focus within the
DarkNet and target specific individuals with the objective
of collecting actionable information.
Selecting individual cyber actors for targeting and
cultivation is a primary component of an analyst’s
work, and can often determine an operation’s success.
Tradecraft specific to cyber operations is used to gain
entry to sites where the targeted actor is operating.
Once in, an engagement plan is executed. This consists
of social interaction at a level and in a style expected by
site members. This process is continually documented
Winter 2017 | www.uscybersecurity.net 65
and evidence noted and preserved. This UniTeller case
was resolved when the company accepted that it had
been compromised and took its system offline for
remediation.
Similarly, in August 2016, analysts collected intelligence
that assisted UK law enforcement agencies in thwarting
attacks planned on Westminster. Plans called for attacks
during the peak of the tourist season. A cyber analyst
monitoring a Telegram Messenger channel8
was able
to identify the threat actor. Over time, the analyst built
a profile which supported evaluations of the threat’s
credibility and the capacity of the actor to execute.
Once the threat was deemed credible, cyber HUMINT
tradecraft was used to locate the threat device and the
actor. Telegram Messenger channels are controlled by
a host who determines who is and who isn’t granted
admission. It is the analyst’s skill and tradecraft
that enables him or her to penetrate and maintain a
presence within the channel.
The volume of information created and shared by terrorist
organizations can overwhelm law enforcement and
intelligence resources. Compounding the problems
are obfuscation techniques designed to make the most
important details seem insignificant and the trivial seem
important. Only the critical thinking and discernment of a
seasoned HUMINT analyst can separate signal from noise.
Terrorists are now making use of steganography as
a means of communicating operational information.
Steganography is the practice of concealing a confidential
file, message, image, or video within another, non-
secret file, message, image, or video. The message
may not be literally hidden; rather, it may simply be an
instruction in a graphic form which prevents it from being
detected in an automated manner. Messages range
from operational instructions, data, GPS coordinates
to schedules. Steganography renders the algorithms
and scripts used by data mining programs ineffective.
A HUMINT analyst, on the other hand, can recognize
the visual cues and clues in a steganographic image
that a script cannot.
Finding DarkNet sites, tracking their users, and accessing
the data they store and exchange all require the use of
computer technology. But automated processing cannot
effectively gather, analyze and synthesize intelligence
into actionable information. For example, on September
22, 2016, a terror plot against the Université libre de
Bruxelles in Belgium was prevented due to information
provided by a cyber HUMINT analyst.
The threat was discovered in a series of tweets posted to
a Jihadist Twitter account. It concerned an imminent plan
to carry out an attack against the university. Dozens of
photos were posted, one of which revealed a specific threat
and motive: revenge for the US-led coalition’s bombing
of Mosul University. This was an important discovery
because the Twitter account did not follow anyone
and had no followers. It was clearly a communications
channel for jihadists.
The social media account that issued the threat had a
uniquely coded and cryptic account and used images
to avoid data mining script detection.9
The analyst was
able to build a threat actor profile, validate the collected
data and transmit the information to the appropriate
authorities. As a consequence, the U.S. State Department
issued a Travel Alert and Belgian authorities prevented
the attack.
It’s the ability to synthesize disparate and unstructured
data that makes the cyber HUMINT analyst so valuable.
Software operates deterministically; even sophisticated
artificial intelligence has this limitation. Humans can
think outside of their given parameters to change their
own programming, challenge their own protocols and
see what is hidden.
Cyber HUMINT analysts often operate as part of a team
that includes intelligence operatives on the ground.
In October 2016, a cyber HUMINT analyst received
information that a cache of 36 rockets capable of being
fitted with chemical warheads had been discovered in
the possession of an ISIS element in Qayyarah, Iraq, just
east of Mosul. The ground source claimed the weapons
were used for mustard gas, and readings showed residue
of blister agent chemical in the area. The cyber HUMINT
analyst correlated photographs and chemical readings
with known ISIS patterns related to the production and
storage of chemical rockets and concluded that the
information was credible. Once a location for the cache
was established, the rockets were secured. Cyber HUMINT
operates in the digital world but its effects can have
immediate impact in the physical world.
In October 2016 the Islamic State Hacking Team was
discovered attempting to access IP-enabled security
cameras around the world. Cyber HUMINT analysts
had been monitoring a pro-ISIS hacking group when
they came across URLs that could be used to access
public cameras. A YouTube video containing detailed
instructions on how to gain control of the cameras was
being disseminated. Bad actors exerting such control
would be able to conduct remote target surveillance
and deny situational awareness to lawful authorities.
Days later, a Joint Terrorism Task Force (JTTF) arrested
a man in Ohio, near one of the hijacked cameras. He
was allegedly plotting a terror attack on behalf of ISIS.10
Cyber HUMINT analysts employed social engineering and
threat analysis to determine that the Democratic National
Committee (DNC) had been breached. In September
2015 the analysts revealed the existence of a website
from which large databases of stolen emails, usernames,
and passwords related to people connected to major
services providers and other organizations connected
to the DNC could be purchased. The analysts provided
screenshots, chat logs, and video evidence of the traffic
in the stolen information to the press.11
In many cases, the intent of data transactions and online
behavior is obfuscated so as to mask the activity from
automated security systems. Such instances require
the intervention of a trained cyber HUMINT analyst to
discern the truth hiding within what Winston Churchill
called “a bodyguard of lies.”
Non-Stop Vigilance
The DarkNet is massive, anonymous and populated with
active threats to global economic interests and physical
safety. The application of cyber human intelligence to
the DarkNet is an essential part of any comprehensive
cybersecurity program. Cyber HUMINT makes penetrating
DarkNet websites and malicious actor communities
possible and enables continuous monitoring for a
broad range of threats. From the classical to the wildly
unconventional, cyber HUMINT is arguably the most
reliable and responsive intelligence collection mechanism
applied to the cyber problem. After all, human
beings and their intentions are behind every action
and every crime.
About the Author
Ed Alcantara founded the first ever CyberHUMINT™
company. He currently holds the position of Chief Cyber
Intelligence Officer (CCIO) at BLACKOPS Cyber,
Inc. (BOC). Concurrently, he also serves as CCIO
for BLACKOPS Partners, Corp. Alcantara provides
counter-terrorism support to law enforcement,
military, and government agencies, leveraging his proprietary
CyberHUMINT™ tradecraft. Alcantara is a recognized
CyberHUMINT™ and Offensive Counterintelligence (OFCO)
Subject Matter Expert (SME) on the DarkNet. Alcantara built and
manages the world’s largest CyberHUMINT™ and OFCO army
on the DarkNet and surface web.
Sources
1.	 https://trac.torproject.org/projects/tor/wiki/doc/HowBigIsTheDarkWeb
2.	 https://www.wilsoncenter.org/sites/default/files/deep_web_report_october_2015.pdf p.7
3.	 https://trac.torproject.org/projects/tor/wiki/doc/HowBigIsTheDarkWeb
4.	 https://www.wilsoncenter.org/sites/default/files/deep_web_report_october_2015.pdf p.10
5.	 https://www.wearethorn.org/about-our-fight-against-sexual-exploitation-of-children/
6.	 https://motherboard.vice.com/read/the-fbis-unprecedented-hacking-campaign-targeted-over-a-thousand-computers
7.	 http://www.theepochtimes.com/n3/1992641-chinas-state-sponsored-hackers-set-up-business-on-the-darknet/
8.	 Telegram is an encrypted, cloud-based instant messaging service with a message self-destruct feature.
9.	 http://markets.ibtimes.com/ibtimes/news/read/33067868/
10.	 http://securityaffairs.co/wordpress/53048/terrorism/isis-surveillance-cameras.html
11.	 http://www.theepochtimes.com/n3/2126828-exclusive-infamous-hacker-detox-ransome-stole-democrat-databases-in-2015/
Winter 2017 | www.uscybersecurity.net 67

More Related Content

What's hot

Organised Crime in the Digital Age
Organised Crime in the Digital AgeOrganised Crime in the Digital Age
Organised Crime in the Digital Age
YogeshIJTSRD
 
Pirates of Brazil: Integrating the Strengths of Russian and Chinese Hacking C...
Pirates of Brazil: Integrating the Strengths of Russian and Chinese Hacking C...Pirates of Brazil: Integrating the Strengths of Russian and Chinese Hacking C...
Pirates of Brazil: Integrating the Strengths of Russian and Chinese Hacking C...
Felipe Prado
 
Cloudcamp Chicago Nov 2104 Fintech - Dwight Koop "East / West Chalkboard Talk"
Cloudcamp Chicago Nov 2104 Fintech - Dwight Koop "East / West Chalkboard Talk"Cloudcamp Chicago Nov 2104 Fintech - Dwight Koop "East / West Chalkboard Talk"
Cloudcamp Chicago Nov 2104 Fintech - Dwight Koop "East / West Chalkboard Talk"
CloudCamp Chicago
 
HacktivismPaper.docx
HacktivismPaper.docxHacktivismPaper.docx
HacktivismPaper.docxDesarae Veit
 
Privacy in the Information Age
Privacy in the Information AgePrivacy in the Information Age
Privacy in the Information Age
Jordan Peacock
 
Privacy in the Information Age [Q3 2015 version]
Privacy in the Information Age [Q3 2015 version]Privacy in the Information Age [Q3 2015 version]
Privacy in the Information Age [Q3 2015 version]
Jordan Peacock
 
2015 Labris SOC Annual Report
2015 Labris SOC Annual Report2015 Labris SOC Annual Report
2015 Labris SOC Annual Report
Labris Networks
 
Digital Leviathan: a comprehensive list of Nation-State Big Brothers (from hu...
Digital Leviathan: a comprehensive list of Nation-State Big Brothers (from hu...Digital Leviathan: a comprehensive list of Nation-State Big Brothers (from hu...
Digital Leviathan: a comprehensive list of Nation-State Big Brothers (from hu...
Priyanka Aash
 
Global Commision on Internet Governance
Global Commision on Internet GovernanceGlobal Commision on Internet Governance
Global Commision on Internet GovernanceDominic A Ienco
 
Ransomware Review 2017
Ransomware Review 2017Ransomware Review 2017
Ransomware Review 2017
Dryden Geary
 
NAGTRI Journal Article
NAGTRI Journal ArticleNAGTRI Journal Article
NAGTRI Journal ArticleTaylre Janak
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
ijtsrd
 
Francesca Bosco, Cybercrimes - Bicocca 31.03.2011
Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011
Francesca Bosco, Cybercrimes - Bicocca 31.03.2011
Andrea Rossetti
 
RSA Monthly Online Fraud Report -- August 2013
RSA Monthly Online Fraud Report -- August 2013RSA Monthly Online Fraud Report -- August 2013
RSA Monthly Online Fraud Report -- August 2013
EMC
 
Ransomware-as-a-Service: The business of distributing cyber attacks
Ransomware-as-a-Service: The business of distributing cyber attacksRansomware-as-a-Service: The business of distributing cyber attacks
Ransomware-as-a-Service: The business of distributing cyber attacks
Δρ. Γιώργος K. Κασάπης
 
Delincuencia Cibernética- Inglés
Delincuencia Cibernética- InglésDelincuencia Cibernética- Inglés
Delincuencia Cibernética- InglésGim Andrade Vidal
 
IBM X-Force Threat Intelligence
IBM X-Force Threat Intelligence IBM X-Force Threat Intelligence
IBM X-Force Threat Intelligence
Rod Delwar
 
Gates Toorcon X New School Information Gathering
Gates Toorcon X New School Information GatheringGates Toorcon X New School Information Gathering
Gates Toorcon X New School Information Gathering
Chris Gates
 
Hi-Tech Crime Trends 2016
Hi-Tech Crime Trends 2016Hi-Tech Crime Trends 2016
Hi-Tech Crime Trends 2016
Group-IB
 

What's hot (20)

Organised Crime in the Digital Age
Organised Crime in the Digital AgeOrganised Crime in the Digital Age
Organised Crime in the Digital Age
 
Cybercrime blog
Cybercrime blogCybercrime blog
Cybercrime blog
 
Pirates of Brazil: Integrating the Strengths of Russian and Chinese Hacking C...
Pirates of Brazil: Integrating the Strengths of Russian and Chinese Hacking C...Pirates of Brazil: Integrating the Strengths of Russian and Chinese Hacking C...
Pirates of Brazil: Integrating the Strengths of Russian and Chinese Hacking C...
 
Cloudcamp Chicago Nov 2104 Fintech - Dwight Koop "East / West Chalkboard Talk"
Cloudcamp Chicago Nov 2104 Fintech - Dwight Koop "East / West Chalkboard Talk"Cloudcamp Chicago Nov 2104 Fintech - Dwight Koop "East / West Chalkboard Talk"
Cloudcamp Chicago Nov 2104 Fintech - Dwight Koop "East / West Chalkboard Talk"
 
HacktivismPaper.docx
HacktivismPaper.docxHacktivismPaper.docx
HacktivismPaper.docx
 
Privacy in the Information Age
Privacy in the Information AgePrivacy in the Information Age
Privacy in the Information Age
 
Privacy in the Information Age [Q3 2015 version]
Privacy in the Information Age [Q3 2015 version]Privacy in the Information Age [Q3 2015 version]
Privacy in the Information Age [Q3 2015 version]
 
2015 Labris SOC Annual Report
2015 Labris SOC Annual Report2015 Labris SOC Annual Report
2015 Labris SOC Annual Report
 
Digital Leviathan: a comprehensive list of Nation-State Big Brothers (from hu...
Digital Leviathan: a comprehensive list of Nation-State Big Brothers (from hu...Digital Leviathan: a comprehensive list of Nation-State Big Brothers (from hu...
Digital Leviathan: a comprehensive list of Nation-State Big Brothers (from hu...
 
Global Commision on Internet Governance
Global Commision on Internet GovernanceGlobal Commision on Internet Governance
Global Commision on Internet Governance
 
Ransomware Review 2017
Ransomware Review 2017Ransomware Review 2017
Ransomware Review 2017
 
NAGTRI Journal Article
NAGTRI Journal ArticleNAGTRI Journal Article
NAGTRI Journal Article
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 
Francesca Bosco, Cybercrimes - Bicocca 31.03.2011
Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011
Francesca Bosco, Cybercrimes - Bicocca 31.03.2011
 
RSA Monthly Online Fraud Report -- August 2013
RSA Monthly Online Fraud Report -- August 2013RSA Monthly Online Fraud Report -- August 2013
RSA Monthly Online Fraud Report -- August 2013
 
Ransomware-as-a-Service: The business of distributing cyber attacks
Ransomware-as-a-Service: The business of distributing cyber attacksRansomware-as-a-Service: The business of distributing cyber attacks
Ransomware-as-a-Service: The business of distributing cyber attacks
 
Delincuencia Cibernética- Inglés
Delincuencia Cibernética- InglésDelincuencia Cibernética- Inglés
Delincuencia Cibernética- Inglés
 
IBM X-Force Threat Intelligence
IBM X-Force Threat Intelligence IBM X-Force Threat Intelligence
IBM X-Force Threat Intelligence
 
Gates Toorcon X New School Information Gathering
Gates Toorcon X New School Information GatheringGates Toorcon X New School Information Gathering
Gates Toorcon X New School Information Gathering
 
Hi-Tech Crime Trends 2016
Hi-Tech Crime Trends 2016Hi-Tech Crime Trends 2016
Hi-Tech Crime Trends 2016
 

Viewers also liked

Unidad nº9
Unidad nº9Unidad nº9
Unidad nº9
martogarcia
 
Top Picks for APTA Combined Sections Meeting 2016
Top Picks for APTA Combined Sections Meeting 2016Top Picks for APTA Combined Sections Meeting 2016
Top Picks for APTA Combined Sections Meeting 2016
FOTO Inc. (Focus on Therapeutic Outcomes)
 
Mayur Ram-CV
Mayur Ram-CVMayur Ram-CV
Mayur Ram-CVMayur Ram
 
Plan de mantenimiento rectificadora la 42
Plan de mantenimiento rectificadora la 42Plan de mantenimiento rectificadora la 42
Plan de mantenimiento rectificadora la 42
jose ramirez
 
Sez in noida 9810000375, office space in sez noida
Sez in noida 9810000375, office space in sez noidaSez in noida 9810000375, office space in sez noida
Sez in noida 9810000375, office space in sez noida
Deepak Batra
 
Choosing an Outcomes Measurement System
Choosing an Outcomes Measurement SystemChoosing an Outcomes Measurement System
Choosing an Outcomes Measurement System
FOTO Inc. (Focus on Therapeutic Outcomes)
 
Tell Stories With Data
Tell Stories With DataTell Stories With Data
Професия IT специалист
Професия IT специалистПрофесия IT специалист
Професия IT специалист
rsabev
 
Patient Engagement: How Does FOTO Help?
Patient Engagement: How Does FOTO Help?Patient Engagement: How Does FOTO Help?
Patient Engagement: How Does FOTO Help?
FOTO Inc. (Focus on Therapeutic Outcomes)
 
What Is Patient Engagement?
What Is Patient Engagement?What Is Patient Engagement?
What Is Patient Engagement?
FOTO Inc. (Focus on Therapeutic Outcomes)
 
8 Tips and Hacks to Build Word of Mouth
8 Tips and Hacks to Build Word of Mouth8 Tips and Hacks to Build Word of Mouth
8 Tips and Hacks to Build Word of Mouth
FOTO Inc. (Focus on Therapeutic Outcomes)
 
DarkNet_article_wn17
DarkNet_article_wn17DarkNet_article_wn17
DarkNet_article_wn17Ed Alcantara
 
20160930 フロントエンド高速化 業務編 (社内勉強会)
20160930 フロントエンド高速化 業務編 (社内勉強会)20160930 フロントエンド高速化 業務編 (社内勉強会)
20160930 フロントエンド高速化 業務編 (社内勉強会)
do7be
 

Viewers also liked (13)

Unidad nº9
Unidad nº9Unidad nº9
Unidad nº9
 
Top Picks for APTA Combined Sections Meeting 2016
Top Picks for APTA Combined Sections Meeting 2016Top Picks for APTA Combined Sections Meeting 2016
Top Picks for APTA Combined Sections Meeting 2016
 
Mayur Ram-CV
Mayur Ram-CVMayur Ram-CV
Mayur Ram-CV
 
Plan de mantenimiento rectificadora la 42
Plan de mantenimiento rectificadora la 42Plan de mantenimiento rectificadora la 42
Plan de mantenimiento rectificadora la 42
 
Sez in noida 9810000375, office space in sez noida
Sez in noida 9810000375, office space in sez noidaSez in noida 9810000375, office space in sez noida
Sez in noida 9810000375, office space in sez noida
 
Choosing an Outcomes Measurement System
Choosing an Outcomes Measurement SystemChoosing an Outcomes Measurement System
Choosing an Outcomes Measurement System
 
Tell Stories With Data
Tell Stories With DataTell Stories With Data
Tell Stories With Data
 
Професия IT специалист
Професия IT специалистПрофесия IT специалист
Професия IT специалист
 
Patient Engagement: How Does FOTO Help?
Patient Engagement: How Does FOTO Help?Patient Engagement: How Does FOTO Help?
Patient Engagement: How Does FOTO Help?
 
What Is Patient Engagement?
What Is Patient Engagement?What Is Patient Engagement?
What Is Patient Engagement?
 
8 Tips and Hacks to Build Word of Mouth
8 Tips and Hacks to Build Word of Mouth8 Tips and Hacks to Build Word of Mouth
8 Tips and Hacks to Build Word of Mouth
 
DarkNet_article_wn17
DarkNet_article_wn17DarkNet_article_wn17
DarkNet_article_wn17
 
20160930 フロントエンド高速化 業務編 (社内勉強会)
20160930 フロントエンド高速化 業務編 (社内勉強会)20160930 フロントエンド高速化 業務編 (社内勉強会)
20160930 フロントエンド高速化 業務編 (社内勉強会)
 

Similar to DarkNet_article_wn17

ESSENTIALS OF Management Information Systems 12eKENNETH C..docx
ESSENTIALS OF Management Information Systems 12eKENNETH C..docxESSENTIALS OF Management Information Systems 12eKENNETH C..docx
ESSENTIALS OF Management Information Systems 12eKENNETH C..docx
debishakespeare
 
ESSENTIALS OF Management Information Systems 12eKENNETH C.
ESSENTIALS OF Management Information Systems 12eKENNETH C.ESSENTIALS OF Management Information Systems 12eKENNETH C.
ESSENTIALS OF Management Information Systems 12eKENNETH C.
ronnasleightholm
 
KASPERSKY SECURITY BULLETIN 2013
KASPERSKY SECURITY BULLETIN 2013KASPERSKY SECURITY BULLETIN 2013
KASPERSKY SECURITY BULLETIN 2013
Kappa Data
 
Dark Web Kristin Finklea Specialist in Domestic Se
Dark Web Kristin Finklea Specialist in Domestic SeDark Web Kristin Finklea Specialist in Domestic Se
Dark Web Kristin Finklea Specialist in Domestic Se
OllieShoresna
 
Cybercrimes in the Darknet and Their Detections: A Comprehensive Analysis and...
Cybercrimes in the Darknet and Their Detections: A Comprehensive Analysis and...Cybercrimes in the Darknet and Their Detections: A Comprehensive Analysis and...
Cybercrimes in the Darknet and Their Detections: A Comprehensive Analysis and...
dannyijwest
 
Should the ″Dark Web″ be monitored, shut down completely, or left alone?
Should the ″Dark Web″ be monitored, shut down completely, or left alone?Should the ″Dark Web″ be monitored, shut down completely, or left alone?
Should the ″Dark Web″ be monitored, shut down completely, or left alone?
Kimberly Williams
 
Digital Breadcrumbs- Investigating Internet Crime with Open Source Intellige...
Digital Breadcrumbs-  Investigating Internet Crime with Open Source Intellige...Digital Breadcrumbs-  Investigating Internet Crime with Open Source Intellige...
Digital Breadcrumbs- Investigating Internet Crime with Open Source Intellige...
Nicholas Tancredi
 
Digital Breadcrums: Investigating Internet Crime with Open Source Intelligenc...
Digital Breadcrums: Investigating Internet Crime with Open Source Intelligenc...Digital Breadcrums: Investigating Internet Crime with Open Source Intelligenc...
Digital Breadcrums: Investigating Internet Crime with Open Source Intelligenc...
Nicholas Tancredi
 
Pathways White Paper FINAL (1) (1)
Pathways White Paper FINAL (1) (1)Pathways White Paper FINAL (1) (1)
Pathways White Paper FINAL (1) (1)Professor Mary Aiken
 
Dr. Da-Yu Kao - The Investigation, Forensics, and Governance of ATM Heist Thr...
Dr. Da-Yu Kao - The Investigation, Forensics, and Governance of ATM Heist Thr...Dr. Da-Yu Kao - The Investigation, Forensics, and Governance of ATM Heist Thr...
Dr. Da-Yu Kao - The Investigation, Forensics, and Governance of ATM Heist Thr...
REVULN
 
A Study Of Cybercrimes In India Using Digital Forensics
A Study Of Cybercrimes In India Using Digital ForensicsA Study Of Cybercrimes In India Using Digital Forensics
A Study Of Cybercrimes In India Using Digital Forensics
Emily Smith
 
The ClearScore Darkpaper: The danger of the dark web 2020
The ClearScore Darkpaper: The danger of the dark web 2020The ClearScore Darkpaper: The danger of the dark web 2020
The ClearScore Darkpaper: The danger of the dark web 2020
Jayna Mistry
 
Intelligence Collection
Intelligence CollectionIntelligence Collection
Intelligence Collection
Christina Berger
 
On How the Darknet and its Access to SCADA is a Threat to National Critical I...
On How the Darknet and its Access to SCADA is a Threat to National Critical I...On How the Darknet and its Access to SCADA is a Threat to National Critical I...
On How the Darknet and its Access to SCADA is a Threat to National Critical I...Matthew Kurnava
 
Computer security incidents
Computer security incidentsComputer security incidents
Computer security incidents
assanesignate
 
(Lim Jun Hao) G8 Individual Essay for BGS
(Lim Jun Hao) G8 Individual Essay for BGS(Lim Jun Hao) G8 Individual Essay for BGS
(Lim Jun Hao) G8 Individual Essay for BGSJun Hao Lim
 
International-Dimensions-of-Cybercrime (1).pptx
International-Dimensions-of-Cybercrime (1).pptxInternational-Dimensions-of-Cybercrime (1).pptx
International-Dimensions-of-Cybercrime (1).pptx
chrixymae
 
HOMELAND SECURITY BITCOIN TASK FORCE REVEALED BY DEPARTMENT OF JUSTICE INDICT...
HOMELAND SECURITY BITCOIN TASK FORCE REVEALED BY DEPARTMENT OF JUSTICE INDICT...HOMELAND SECURITY BITCOIN TASK FORCE REVEALED BY DEPARTMENT OF JUSTICE INDICT...
HOMELAND SECURITY BITCOIN TASK FORCE REVEALED BY DEPARTMENT OF JUSTICE INDICT...
Steven Rhyner
 
Cs cpresentation police
Cs cpresentation policeCs cpresentation police
Cs cpresentation policeAshley Raymond
 

Similar to DarkNet_article_wn17 (20)

ESSENTIALS OF Management Information Systems 12eKENNETH C..docx
ESSENTIALS OF Management Information Systems 12eKENNETH C..docxESSENTIALS OF Management Information Systems 12eKENNETH C..docx
ESSENTIALS OF Management Information Systems 12eKENNETH C..docx
 
ESSENTIALS OF Management Information Systems 12eKENNETH C.
ESSENTIALS OF Management Information Systems 12eKENNETH C.ESSENTIALS OF Management Information Systems 12eKENNETH C.
ESSENTIALS OF Management Information Systems 12eKENNETH C.
 
KASPERSKY SECURITY BULLETIN 2013
KASPERSKY SECURITY BULLETIN 2013KASPERSKY SECURITY BULLETIN 2013
KASPERSKY SECURITY BULLETIN 2013
 
Dark Web Kristin Finklea Specialist in Domestic Se
Dark Web Kristin Finklea Specialist in Domestic SeDark Web Kristin Finklea Specialist in Domestic Se
Dark Web Kristin Finklea Specialist in Domestic Se
 
Cybercrimes in the Darknet and Their Detections: A Comprehensive Analysis and...

DarkNet_article_wn17

The DarkNet - Why It Matters to Everyone

Ed Alcantara, BLACKOPS Cyber
Chief Cyber Intelligence Officer
United States Cybersecurity Magazine

Think of the Internet as an iceberg. The Internet we use every day represents only 4% of the total Internet. The visible part is indexed and searchable by major search engines like Google and Bing. Lurking below the surface is the remaining part of the Internet called the DarkNet or DarkWeb, and it is never seen by the vast majority of users. This vast, hidden area is where most illegal activity is transacted. It is in the DarkNet where transactions involving weapons, bombs, human body parts, assassinations, drugs, human trafficking, child pornography, malware and stolen assets take place.

Tor is the most common technology used to access the DarkNet. The Tor Project defines the DarkNet as, “that portion of the web which cannot be easily reached from the public Internet, and usually requires specialized software to access.”[1] The DarkNet originally referred to any content that could not be reached through the open Internet. This changed when users began sharing files and the DarkNet as we know it today was born.[2] In addition to the criminal underworld, the DarkNet is also home to political dissidents and anti-surveillance activists.
There are currently three million Tor users, who use the DarkNet to support anonymous communication.[3] Criminals exploit this anonymity to facilitate the sale of drugs, counterfeit currency, malware, stolen banking information, weapons and many other illegal activities. There is no single definitive source for the size and scope of the DarkNet, but Tor estimates that its search engines have indexed over 350,000 pages so far. Much of the DarkNet is yet to be indexed, and the process is made difficult because it was not built with the intent of being indexed.

The DarkNet features online marketplaces offering black market goods, sometimes sold alongside legal products. The emergence of several new DarkNet markets after the takedown of the infamous Silk Road demonstrates how easily the black market commercial void is filled.[4] DarkNet markets, the equivalent of an Amazon.com but in the criminal realm, sell drugs, credit card and banking information, and the malware that enables criminals to steal personal and financial information. The DarkNet is a driving force behind fraud which can have a devastating financial impact on companies, families and individuals.

Child pornography and extortion are the most prevalent criminal activities found on the DarkNet. According to THORN, an organization that is dedicated to addressing online child exploitation, more than 30 percent of searches on eDonkey, a DarkNet peer-to-peer (P2P) network, are related to child sexual abuse content and 42 percent of sextortion victims met their perpetrators online.[5] In one three-month period, from January to March 2015, the FBI intercepted over 60,000 child pornography users on the DarkNet.[6]

DarkNet markets cannot be stopped with algorithms and data mining programs. Human intelligence activity is required to identify and analyze the markets and collect data on administrators and users.

Human Interpretation and Success in a Multi-Faceted, Secretive Online Fight

The importance of the inclusion of human intelligence, or HUMINT, in successful cyber operations cannot be overstated. In the detailed and critical review of information necessary to carry out intelligence operations against DarkNet actors, human intelligence is necessary to identify and correlate the links in the intelligence that made the key difference in each case.

For example, in March 2015, cyber intelligence analysts monitoring DarkNet criminal activities identified the existence of certain private marketplaces operated by Chinese hackers and trafficking in financial information. The analysts were aware that hackers employed by the Chinese government had begun penetrating the world’s financial systems as early as 2006.[7] In this context, in early July 2016 the analysts discovered that UniTeller, a financial services company that services a network of 87 banks and approximately 32,000 payment locations worldwide, had been compromised by hackers who breached its network. In this case, the analysts correlated the patterns and practices of specific threat actors to the methodology used in the UniTeller breach and were able to identify a connection to the Chinese hacker marketplace. Having made this connection, the analysts were able to localize their focus within the DarkNet and target specific individuals with the objective of collecting actionable information.

Selecting individual cyber actors for targeting and cultivation is a primary component of an analyst’s work, and can often determine an operation’s success. Tradecraft specific to cyber operations is used to gain entry to sites where the targeted actor is operating. Once in, an engagement plan is executed. This consists of social interaction at a level and in a style expected by site members.
This process is continually documented and evidence noted and preserved. This UniTeller case was resolved when the company accepted that it had been compromised and took its system offline for remediation.

Similarly, in August 2016, analysts collected intelligence that assisted UK law enforcement agencies in thwarting attacks planned on Westminster. Plans called for attacks during the peak of the tourist season. A cyber analyst monitoring a Telegram Messenger channel[8] was able to identify the threat actor. Over time, the analyst built a profile which supported evaluations of the threat’s credibility and the capacity of the actor to execute. Once the threat was deemed credible, cyber HUMINT tradecraft was used to locate the threat device and the actor. Telegram Messenger channels are controlled by a host who determines who is and who isn’t granted admission. It is the analyst’s skill and tradecraft that enables him or her to penetrate and maintain a presence within the channel.

The volume of information created and shared by terrorist organizations can overwhelm law enforcement and intelligence resources. Compounding the problems are obfuscation techniques designed to make the most important details seem insignificant and the trivial seem important. Only the critical thinking and discernment of a seasoned HUMINT analyst can separate signal from noise.

Terrorists are now making use of steganography as a means of communicating operational information. Steganography is the practice of concealing a confidential file, message, image, or video within another, non-secret file, message, image, or video. The message may not be literally hidden; rather, it may simply be an instruction in a graphic form which prevents it from being detected in an automated manner. Messages range from operational instructions, data and GPS coordinates to schedules. Steganography renders the algorithms and scripts used by data mining programs ineffective.
A HUMINT analyst, on the other hand, can recognize the visual cues and clues in a steganographic image that a script cannot. Finding DarkNet sites, tracking their users, and accessing the data they store and exchange all require the use of computer technology. But automated processing cannot effectively gather, analyze and synthesize intelligence into actionable information.

For example, on September 22, 2016, a terror plot against the Université libre de Bruxelles in Belgium was prevented due to information provided by a cyber HUMINT analyst. The threat was discovered in a series of tweets posted to a Jihadist Twitter account. It concerned an imminent plan to carry out an attack against the university. Dozens of photos were posted, one of which revealed a specific threat and motive: revenge for the US-led coalition’s bombing of Mosul University. This was an important discovery because the Twitter account did not follow anyone and had no followers. It was clearly a communications channel for jihadists. The social media account that issued the threat had a uniquely coded and cryptic account and used images to avoid data mining script detection.[9] The analyst was able to build a threat actor profile, validate the collected data and transmit the information to the appropriate authorities. As a consequence, the U.S. State Department issued a Travel Alert and Belgian authorities prevented the attack.

It’s the ability to synthesize disparate and unstructured data that makes the cyber HUMINT analyst so valuable. Software operates deterministically; even sophisticated artificial intelligence has this limitation. Humans can think outside of their given parameters to change their own programming, challenge their own protocols and see what is hidden.

Cyber HUMINT analysts often operate as part of a team that includes intelligence operatives on the ground.
In October 2016, a cyber HUMINT analyst received information that a cache of 36 rockets capable of being fitted with chemical warheads had been discovered in the possession of an ISIS element in Qayyarah, Iraq, just east of Mosul. The ground source claimed the weapons were used for mustard gas, and readings showed residue of blister agent chemical in the area. The cyber HUMINT analyst correlated photographs and chemical readings with known ISIS patterns related to the production and storage of chemical rockets and concluded that the information was credible. Once a location for the cache was established, the rockets were secured.

Cyber HUMINT operates in the digital world but its effects can have immediate impact in the physical world. In October 2016 the Islamic State Hacking Team was discovered attempting to access IP-enabled security cameras around the world. Cyber HUMINT analysts had been monitoring a pro-ISIS hacking group when they came across URLs that could be used to access public cameras. A YouTube video containing detailed instructions on how to gain control of the cameras was being disseminated. Bad actors exerting such control would be able to conduct remote target surveillance and deny situational awareness to lawful authorities. Days later, a Joint Terrorism Task Force (JTTF) arrested a man in Ohio, near one of the hijacked cameras. He was allegedly plotting a terror attack on behalf of ISIS.[10]

Cyber HUMINT analysts employed social engineering and threat analysis to determine that the Democratic National Committee (DNC) had been breached. In September 2015 the analysts revealed the existence of a website from which large databases of stolen emails, usernames, and passwords related to people connected to major service providers and other organizations connected to the DNC could be purchased.
The analysts provided screenshots, chat logs, and video evidence of the traffic in the stolen information to the press.[11]

In many cases, the intent of data transactions and online behavior is obfuscated so as to mask the activity from automated security systems. Such instances require the intervention of a trained cyber HUMINT analyst to discern the truth hiding within what Winston Churchill called “a bodyguard of lies.”

Non-Stop Vigilance

The DarkNet is massive, anonymous and populated with active threats to global economic interests and physical safety. The application of cyber human intelligence to the DarkNet is an essential part of any comprehensive cybersecurity program. Cyber HUMINT makes penetrating DarkNet websites and malicious actor communities possible and enables continuous monitoring for a broad range of threats. From the classical to the wildly unconventional, cyber HUMINT is arguably the most reliable and responsive intelligence collection mechanism applied to the cyber problem. After all, human beings and their intentions are behind every action and every crime.

About the Author

Ed Alcantara founded the first ever CyberHUMINT™ company. He currently holds the position of Chief Cyber Intelligence Officer (CCIO) at BLACKOPS Cyber, Inc - BOC, and concurrently serves as CCIO for BLACKOPS Partners, Corp. Alcantara provides counter-terrorism support to law enforcement, military, and government agencies leveraging his proprietary CyberHUMINT™ tradecraft. Alcantara is a recognized CyberHUMINT™ and Offensive Counterintelligence (OFCO) Subject Matter Expert (SME) on Darknet. Alcantara built and manages the world’s largest CyberHUMINT™ and OFCO army on the Darknet and surface web.

Sources

1. https://trac.torproject.org/projects/tor/wiki/doc/HowBigIsTheDarkWeb
2. https://www.wilsoncenter.org/sites/default/files/deep_web_report_october_2015.pdf p.7
3. https://trac.torproject.org/projects/tor/wiki/doc/HowBigIsTheDarkWeb
4. https://www.wilsoncenter.org/sites/default/files/deep_web_report_october_2015.pdf p.10
5. https://www.wearethorn.org/about-our-fight-against-sexual-exploitation-of-children/
6. https://motherboard.vice.com/read/the-fbis-unprecedented-hacking-campaign-targeted-over-a-thousand-computers
7. http://www.theepochtimes.com/n3/1992641-chinas-state-sponsored-hackers-set-up-business-on-the-darknet/
8. Telegram is an encrypted, cloud based, instant messaging service with a message self-destruct feature.
9. http://markets.ibtimes.com/ibtimes/news/read/33067868/
10. http://securityaffairs.co/wordpress/53048/terrorism/isis-surveillance-cameras.html
11. http://www.theepochtimes.com/n3/2126828-exclusive-infamous-hacker-detox-ransome-stole-democrat-databases-in-2015/

Winter 2017 | www.uscybersecurity.net