A new “hacking-for-hire” platform called “Darkhub” has reportedly emerged on the “Tor” network, openly advertising a wide range of illegal cybercrime services.
According to the investigation, the platform’s service portfolio includes unauthorized access to social media accounts, interception of private messages, email account compromise, mobile device monitoring and real-time location tracking of individuals, alongside cryptocurrency-related fraud, unauthorized bank account access and credit score manipulation activities.
It is noted that the platform presents these activities through a professional and commercially oriented interface, attempting to portray illegal cyber services as a legitimate business model. The services are reportedly targeting both individual users and organizations.
Particular attention was drawn to service categories such as “fund recovery” and credit score manipulation. It is reported that these types of services are widely recognized hallmarks of so-called “advance-fee scam” schemes. In such operations, individuals who were previously victims of financial fraud are promised the recovery of stolen funds in exchange for an upfront payment. However, in most cases, the funds are not recovered and the promised service is not delivered.

The investigation also revealed several details regarding the infrastructure and operational mechanisms of the “Darkhub” platform. Findings indicate that the service is not operating solely behind the anonymity of the “Tor” network. A publicly accessible IP address associated with the platform was reportedly identified, suggesting that certain parts of its backend infrastructure may also be exposed outside the encrypted “Tor” environment.
Several technical indicators linked to the platform were also identified. These include the “onion” address used by “Darkhub” on the “Tor” network (7comssbegmmbxdi7nu7obids2urmkqnmxao5ojbesga3hxmns2yjnxqd.onion), the public IP address associated with its backend infrastructure (38.127.***.***), the ASN identifier linked to the hosting infrastructure (AS44259), as well as the contact email address darkhubhackers@protonmail.com and the Telegram handle @DarkHubs0 advertised on the platform. It is noted that these indicators may be used as Indicators of Compromise (IOCs) within threat intelligence and security monitoring processes.
Security experts recommend that organizations and users exercise caution regarding infrastructure associated with such platforms and monitor suspicious traffic and compromise indicators through threat intelligence and security monitoring systems.