Last updated at Mon, 18 Apr 2022 20:44:20 GMT
KickAss is one of the most revolutionary and exclusive forums on the dark web, describing itself as the first platform for insider trading. It’s unique in that it operates out in the open and publicizes its actions to draw attention to itself, while most dark web forums try to stay as hidden as possible. It has a reputation among many hackers and threat intelligence companies as the place to trade information and establish credibility on the dark web.
KickAss was apparently seized by the US government, but there is much speculation over what really happened. In this post, we review recent activity on the KickAss forum and share why it's important for threat intelligence and cybersecurity teams to follow these stories.
As noted above, KickAss is well-known for facilitating the transfer of insider trading information. This includes selling access to companies’ internal servers, trading leaked confidential information, and any other services that can be leveraged by insiders. The site also focuses on hacking and coding, with access available exclusively to users with considerable experience. To join, users need to pass through its filtering techniques, which include a deep examination of their hacking and technical abilities.
Last week, it was announced that KickAss was taken down by the US Immigration and Customs Enforcement (ICE), the agency that enforces immigration laws and is responsible for investigating criminal and terrorist activities perpetrated by foreign residents on US soil. This is not the first time ICE has initiated an operation to take down illegal websites. In 2015, it teamed up with several governmental departments around the world to shut down approximately 37,000 thousand illegal websites.
Since then, speculation has increased about the veracity of this announcement. Many users posted their doubts about whether the announcement was an intentional trick by KickAss’ admins to divert the attention gained after the hacking group “thedarkoverlord” claimed to publish sensitive documents on the forum.
A few months ago, thedarkoverlord breached the insurance company Hiscox, stealing 18,000 documents related to 9/11 insurance claims and sensitive information. On December 31, it posted its intention to publicly expose the first few documents of this breach on Pastebin.
After the reported (and potentially fake) seizure of KickAss, users in many dark web forums have been desperately searching for invitations to the new underground forum, most of them with no luck.
Why would a forum that had no problem exposing illegal information trading in the past suddenly feel the need to lower its profile? This isn’t the first time that authorities have shut down a famous forum.
KickAss up and running again
The question now appears moot, as the KickAss forum reappeared on January 27, available through the same URL with the same home page layout and Jabber contact as before. It appears that KickAss scammed its users by uploading a fake warning sign from the US ICE, making them think the forum was another victim of a site takedown executed by the authorities.
We can’t blame them, based on previous actions by authorities to shut down hacking forums containing similar files that claim to expose governmental information. We saw this happen this month with forums containing information regarding German government officials, where links became mysteriously unavailable seconds after the news broke. Therefore, we think this was likely a safety precaution by the site admin(s) in order to protect against unwanted attention.
What this means for cyber threat intelligence
Creating a hacking community on the dark web is not an easy task. A lot of hackers work either alone or in closed communities like KickAss, where individuals must prove their intent and abilities in order to take part. It’s not easy to trust other individuals on the dark web to share sensitive information, especially when it comes to insider trading. That’s why penetrating these forums takes expert work from threat hunters.
Information sharing poses a direct risk to organizations of all sizes and must be part of an organization’s intelligence monitoring process. Keeping an eye on all kinds of dark web forums is key to understanding the threat landscape and identifying new threats to your organization.