This Cybersecurity Firm Maps Hackers' Lives by the Clues They Leave Online

The digital underground, populated by hackers, drug dealers, and other criminals, is a vast space. The sheer number of forums, cybercriminal handles, and backroom dealings can be overwhelming to researchers or journalists.

Some cybersecurity companies have devised ways to gain a bird's-eye view on that space.

Next month at the Black Hat Europe hacking conference, Christopher Ahlberg, CEO and co-founder of threat intelligence firm Recorded Future, will show how, by scraping vast quantities of posts from forums, it's possible to reveal trends among different groups of users—such as hackers—and potentially generate leads to identify some of them too.

"We wanted to see: Could we actually track individuals, and groups of individuals, without knowing their individual handles?" Ahlberg told Motherboard in a phone interview.

For the past four years, Recorded Future has crawled forums and sites across the dark, deep, and surface web. Using this information, the company provides customers with information about any perceived threats to their business or organisation, such as planned attacks or data on sale. According to Recorded Future's website, 86 percent of Fortune 100 companies get their intelligence from Recorded Future.

Today, the company is monitoring close to 1,000 sites, Ahlberg said. With that wealth of data comes the opportunity to track users or groups from one place to another or map out when they're active.

For example, Ahlberg said that users of an Iranian hacking forum basically went quiet on the anniversary of the Iranian revolution, while a Saudi forum peaked on Ramadan.

Those sort of findings may seem pretty innocuous, but there are more revealing insights. On one Iranian forum, there was a spike in activity on Wednesdays.

Why? Microsoft traditionally releases new security patches on Tuesdays: The hackers were discussing how to reverse-engineer the newly published information to figure out how to exploit vulnerabilities. A similar phenomenon exists for Russian forums too.

"We can actually see proof of it in the data," Ahlberg said.

But whereas the tool shows Russian users tend to post at night, a number of Iranians are active during the day. That gives an indication, according to Ahlberg, "that the Iranians are either university students or government employees doing this stuff."

It's then possible to zoom in further and analyse when some users stop posting and others start. Ahlberg pointed to two prolific Iranian hackers, "Hassan20" and "Crisis". When one would stop posting, the other would suddenly spring into action.

"Now I probably have a very good indication that Hassan20 and Crisis is the same guy," Ahlberg said.

This is not to say that big data just magically unmasked these hackers. Instead, information like this might act as a decent starting point for further investigation.

"Of course, this is just leads," Ahlberg said.

Get six of our favorite Motherboard stories every day by signing up for our newsletter.