Kickass is one of the most prominent and exclusive forums on the dark web, describing itself as the first platform for insider trading. It is unusual in that it operates in the open and publicizes its actions to draw attention to itself, while most dark web forums try to stay as hidden as possible. In an exclusive interview with Deepdotweb in May 2016, the forum's admin gave details about the type of information it trades and the mechanisms it uses to make sure it publishes only reliable information. It gained a reputation among many hackers and threat intelligence companies as the place to trade information and establish credibility on the dark web.
Kickass was apparently seized by the U.S. government, but there was much speculation over what really happened. In this post, we review the recent activity of the Kickass forum and explain why it is important for threat intelligence and cybersecurity teams to follow these stories.
Kickass is well known for facilitating the transfer of insider trading information. This includes selling access to companies' internal servers, trading leaked confidential information, and any other service that an insider can easily provide. The site also focuses on hacking and coding, with access available exclusively to users with professional experience. To join, users must pass the forum's vetting process, which includes a thorough examination of their hacking and technical abilities.
Forum Taken Down
Last week, a Twitter account posted a big announcement that Kickass had been taken down by U.S. Immigration and Customs Enforcement (ICE), the agency that enforces immigration laws and is responsible for investigating criminal and terrorist activity perpetrated by foreign residents on U.S. soil. This is not the first time ICE has run an operation to take down illegal websites. In 2015, it teamed up with several government departments around the world to shut down approximately 37,000 illegal websites.
Figure 1: Kickass Seizure Notice
Since then, speculation has grown about the veracity of this announcement. Many users posted their doubts, asking whether the announcement was a deliberate trick by Kickass' admins to divert the attention the forum had gained after the hacking group "thedarkoverlord" claimed it would publish sensitive documents there.
A few months ago, the hacking group breached the insurance company Hiscox, stealing 18,000 documents related to 9/11 insurance claims along with other sensitive information. On December 31, it posted on Pastebin its intention to publicly expose the first few documents from this breach.
After the reported (and potentially fake) seizure of Kickass, users on many dark web forums have been desperately searching for invitations to a replacement underground forum, most of them without luck.
Figure 2: Pastebin Message Paste Regarding '9/11 Papers'
When we investigated this case, we came across an interesting paradox. Why would a forum that had no problem openly exposing illegal information trading in the past suddenly feel the need to lower its profile? After all, this is not the first time that authorities have shut down a well-known forum.
‘Kickass’ Up and Running Again
The question now appears moot, as the Kickass forum reappeared on January 27, available at the same URL with the same home page layout and Jabber contact as before. It appears that Kickass deceived its users by uploading a fake seizure notice attributed to U.S. ICE, leading them to believe the forum was another victim of a takedown executed by the authorities.
We can't blame them, given previous actions by authorities to shut down hacking forums hosting similar files that claim to expose government information. We saw this happen this month with forums hosting information on German government officials, where links became mysteriously unavailable seconds after the news broke. We therefore think this was most likely a safety precaution by the site admin(s) to protect the forum against unwanted attention.
What This Means for Cyber Threat Intelligence
Creating a hacking community on the dark web is not an easy task. Many hackers work either alone or in closed communities like Kickass, where individuals must prove their intent and abilities in order to take part. It is not easy to trust other individuals on the dark web enough to share sensitive information, especially when it comes to insider trading. That is why penetrating these forums takes expert work from threat hunters.
The information shared on these forums poses a direct risk to organizations of all sizes, and monitoring it must be part of an organization's intelligence process. Keeping an eye on all kinds of dark web forums is key to understanding the threat landscape and identifying new threats to your organization.