Live breach threat intelligence

In Kaduu, we distinguish two ways in which our customers can access leak data:

  • Leak search via our database: This is a search of past data. Our analysts collect all leaks that are freely available on the deep web or darknet and load them into our Elastic database, where you can set up alerts or run searches.
  • Live Search: Leaks or other sensitive data that are very recent are usually not posted to the darknet for free; you usually have to buy them. With Live Search, we provide an interface where you can search for your data live on closed hacker forums in the deep web and darknet using your custom search term.

On this page we cover the live search, which consists of the following options:

  • Hacker Forum Search
  • Discord Search
  • Telegram Search
  • I2P and Onion Search

Hacker Forum Search

Hacker forums provide clues to possible attack techniques, attack preparations against clients or leaked data. Kaduu enables you to explore and monitor hacker forums, allowing our clients to gain a better understanding of the tools and techniques used by hackers and the areas that are most likely to come under attack.

What can you find in hacker forums?

Hacker forums can be a source of a wide range of data from organizations, including:

  • Personal information: Hacker forums may contain personal information such as names, addresses, phone numbers, and email addresses of individuals.
  • Login credentials: Hacker forums may contain login credentials, such as username and password combinations, that have been obtained through data breaches or phishing attacks.
  • Financial information: Hacker forums may contain financial information, such as credit card numbers and bank account numbers, that have been obtained through data breaches or other illegal activities.
  • Intellectual property: Hacker forums may contain stolen intellectual property, such as software source code or proprietary business information, that has been obtained through data breaches or other illegal activities.
  • Network information: Hacker forums may contain information about network vulnerabilities, such as open ports and misconfigured servers, that can be exploited by attackers.

How do we search forums?

In this deep-web search, we log in to more than 70 known hacker forums with various accounts and submit the keyword that is entered in the search mask of Kaduu. For example, you can enter your company name or a brand to see if people are talking about it in the forums. If there are results for the search term, we provide them as a download link. The corresponding pages are saved as a screenshot and also as a web page. We focus on the most popular forums in English, German, French and Russian.

Let's say your company name is “Bank24 Ltd” and your domains are “bank24.com and bank24.us”. We recommend that you use a more generic search approach. The recommended query in the above example would be “bank24”, without the domain or legal suffix. If we find any result related to your search keyword, you can download the screenshot and HTML file in an archive.

Are there any limitations?

A search can take up to 180 minutes. We also only allow a maximum of 5 searches per customer per day and a maximum of 20 per month, otherwise our authenticated accounts will be flagged. If you want to search for leaks without restriction, you can use the expert leak search mode https://wiki.kaduu.ch/doku/doku.php?id=leak_search, which searches for data that has been leaked in the past. The difference is that hackers usually do not publish recent data leaks for free, but sell them. So, if you want to find more recent data leaks that are being sold, you need to perform a live search.

Telegram Channel Search

Hackers share data leaks on Telegram in different ways. In some channels, hackers post data dumps with short explanations about what people can find in them. In these channels, minimal conversations occur. However, there are also dedicated hacking groups where many members actively discuss various aspects of Internet crime. There are many more ways Telegram is used by hackers:

  • Communication: Telegram can be used by hackers as a secure means of communication, as it offers end-to-end encryption and the ability to create self-destructing messages. This allows hackers to communicate with one another without fear of being monitored by law enforcement or other authorities.
  • Command and control: Telegram can be used to create a command and control (C&C) infrastructure for malware. This allows hackers to remotely control infected devices, exfiltrate data, and perform other malicious activities.
  • Malware distribution: Telegram can be used to distribute malware, such as trojans, keyloggers, and other types of malicious software. Hackers can create Telegram groups or channels and share links to malicious files, or use the app’s file-sharing feature to distribute malware directly.
  • Hacktivism and cybercrime: Telegram groups and channels can be used to coordinate and organize hacktivist campaigns and cybercrime activities. Hackers can share information, tools, and techniques, and plan and carry out attacks.

How many channels exist and how can we keep track?

Telegram has over 500 million active users, and many of these users are likely to have created or joined channels. Telegram allows anyone to create a channel and there’s no limitation or verification process to it, so the number of channels on the platform is quite high. Additionally, many of these channels are likely to be inactive or used for legitimate purposes, so it’s difficult to estimate the number of channels that are specifically used for hacking or other illegal activities. We try to keep track of channels, but we will only cover a very small fraction of all channels.

How do we search Telegram channels?

Kaduu allows you to search the discussion history of these channels using real Telegram accounts: your keyword query is matched against the message history and the results are presented in a downloadable format. We query around 200+ Telegram channels.

How do we present the data?

If we find any result related to your keyword, you can download (2) the archive containing the matching results. If you are curious which channels contain the keyword, you can click on “view” (1).

The (x) marks channels where the keyword was not found (4); the checkbox indicates that something was found (3):

Are there any limitations?

To be able to do that, we use a variety of Telegram accounts. Because Telegram has security filters that block accounts which send too many requests, we have to limit the number of searches to a maximum of 5 per customer per day. Please be aware that we query over 200 channels at the same time; this takes a few minutes.

Discord Search

Discord is a popular communication platform designed for online communities and gamers. It offers a variety of features including text, voice and video chat, file sharing, and gaming integrations. Discord is available as a browser-based web app, a desktop app for Windows, MacOS, Linux and as mobile apps for iOS and Android. The platform allows users to create and join virtual servers (also called “Discord servers”) to connect with others based on common interests.

How is Discord used by hackers?

Discord can be used by hackers in various ways, including:

  • Sharing hacking tools and tutorials: Discord servers can be used as platforms to share hacking tools and tutorials with other individuals.
  • Coordinating attacks: Hackers can use Discord channels to coordinate and execute attacks on websites, networks, or other targets.
  • Phishing and scamming: Hackers may use Discord to phish personal information or scam users through fake giveaways or other deceitful means.
  • Spreading malware: Hackers can spread malware through links or files shared on Discord servers, infecting other users’ devices.

How many channels exist?

It’s not possible to determine the exact number of Discord channels that exist, as the platform allows for an unlimited number of servers and channels to be created. The number of Discord channels continues to grow as new servers are created and existing servers add new channels. Discord has over 150 million monthly active users, so there are likely a large number of channels across all the servers on the platform.

What channels do we monitor?

I2P and TOR Network Search

Onion websites are websites that are hosted on the Tor network, a network that is designed to provide anonymity and privacy for its users. These websites are not accessible through regular web browsers and can only be accessed using the Tor Browser or another tool that is capable of connecting to the Tor network.

On .onion websites, you can find a wide range of illegal and illicit goods and services, including:

  • Stolen credit card and personal information
  • Illegal drugs and weapons
  • Hacking tools and services
  • Counterfeit goods
  • Fraudulent services such as phishing and scams
  • Child pornography
  • Ransomware-as-a-service

Additionally, some .onion websites may also host forums or chat rooms where cybercriminals can share information and exchange tips on hacking, malware, and other illegal activities.

How reliable is a darknet search on onion websites and how much data can you actually find?

Searching the darknet, specifically the Tor network, can be challenging and the reliability of the information found on .onion websites can vary greatly. Because the darknet is not indexed by traditional search engines, finding specific information or sites can be difficult without knowing the exact web address or a specific link to follow.

Additionally, many .onion websites are scams, or set up by law enforcement to catch criminals, so it’s important to be cautious when interacting with these sites. Even if you find a site that appears to be legitimate, the information or goods being offered may not be what they seem.

As for the amount of data you can find, it depends on what you are looking for. Some .onion websites may have a lot of information available, while others may be more limited. Additionally, as with any underground marketplace, the availability of certain goods or services changes over time.

How to use Live Tor Search in Kaduu?

On the Kaduu dashboard live search page you can search multiple (10+) darknet and clearnet search engines in live mode. Words you enter in the query field are forwarded directly to multiple external search engines, so we suggest using only simple phrases: a company, person or domain name. Set the “Validate Results” option to verify each found result and check whether it contains the exact search phrase. This option is useful only when searching one-word queries; with longer queries the validation may discard results that are actually relevant.
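To make the “Validate Results” behaviour concrete, here is an added example (not Kaduu's own code) that post-filters fetched search hits by checking whether the visible page text contains the exact search phrase as a whole word. The sample pages are constructed; the helper names are assumptions. It also shows why a multi-word phrase validates poorly: pages that mention both words separately are dropped.

```python
import re
from html.parser import HTMLParser


class _TextExtractor(HTMLParser):
    """Collects the visible text of an HTML page, dropping script/style bodies."""

    def __init__(self):
        super().__init__()
        self._skip = 0
        self.parts = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def visible_text(html):
    """Return lower-cased, whitespace-normalised visible text of an HTML document."""
    parser = _TextExtractor()
    parser.feed(html)
    return re.sub(r"\s+", " ", " ".join(parser.parts)).strip().lower()


def contains_exact_phrase(html, phrase):
    """True if the exact phrase (case-insensitive, whole words) occurs in the page text."""
    normalised = re.sub(r"\s+", " ", phrase.strip().lower())
    pattern = r"(?<!\w)" + re.escape(normalised) + r"(?!\w)"
    return re.search(pattern, visible_text(html)) is not None


def validate_results(results, phrase):
    """Keep only the URLs whose fetched page really contains the phrase.
    `results` is a list of (url, html) pairs as a fetcher would return them (hypothetical)."""
    return [url for url, html in results if contains_exact_phrase(html, phrase)]


# Constructed sample hits standing in for pages returned by external search engines.
SAMPLE_RESULTS = [
    ("http://example-forum.onion/t/1", "<html><body><h1>Bank24 database dump</h1><p>Full dump of bank24 customers for sale</p></body></html>"),
    ("http://example-forum.onion/t/2", "<html><body><p>Talking about bank 24/7 support lines.</p><script>var bank24='x';</script></body></html>"),
    ("http://example-news.onion/a/3", "<html><body><p>bank24.com launches new app</p></body></html>"),
    ("http://example-forum.onion/t/4", "<html><body><p>Nothing relevant here</p></body></html>"),
]
```

Searching for “bank24” keeps the forum post and the news mirror (the domain mention matches too), while the one-word check drops the “bank 24/7” page whose only “bank24” sits in a script; the two-word query “bank24 ltd” keeps nothing, which is the inaccuracy the option warns about.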

It may take up to a few minutes to get all results, as we will be requesting multiple external resources over proxy servers, TOR and I2P networks, which may be very slow.

We use a number of proxies and darknet search engines to search for the term. The respective search engine is displayed after entering the search term.

How to setup alerts?

Please go to Settings > Alerts and choose “external” to set up automated alerting for your search term:

The fact that your organization is mentioned on a darknet site does not necessarily mean that you are at risk. Some legitimate news sites and websites are mirrored on the darknet. However, the mention of your organization may indicate the preparation of an attack or even a successful attack. We therefore ask you to investigate the above-mentioned results and, if necessary, take the appropriate steps.