Cyber criminals run daily attacks against organizations and their employees. In case of success, they try to commercialize the captured data. Often, they sell it to other hackers as leverage and/or in preparation for further attacks. If, for example, login credentials are stolen, they can be used to spread malware or gain access to further internal systems. The stolen data becomes a valuable product, and the hacker becomes a businessperson that trades that product – mainly in the Dark Web. As a result, millions of breached accounts, credit card and other data pop up almost daily in the Dark and Deep Web.
Login credentials and other breached data can be used to prepare targeted attacks against an organization. Even if the login data of an employee originates from a third party website, the threat is real and common because of password re-use, that is, employees often use the same or similar password to log into the organization’s applications. Often, breached data also contains a lot of valuable information about the target organization or its employees. This could help an attacker prepare spoofing or impersonation attacks.
Monitoring whether your organization’s name appears in Dark Web forums, Onion-, I2P and paste sites can help you detect potential insider threats, enabling you to prevent data leaks and other incidents that may cause damage to your organization. Dark Web monitoring involves actively searching and tracking the Dark Web for information about your organization, including leaked or stolen data, compromised passwords, breached credentials, intellectual property, and other sensitive data. Please note: This functionality refers to a DB search. If you look for a Live Search, please consult this article.
The database is updated daily from our analysts. We use different discovery methods (manual and automated).
A data leak is when sensitive data within an organization is leaked to an external, unauthorized target, either accidentally or through a cyber attack or vulnerability. The data leak can be of physical or electronic information.
Unlike accounts, which always involve usernames and or passwords, a data leak can be, for example, an SQL database, a user's password, or even internal, confidential emails.
The leaks can be seen in the expert mode under the navigation item "list" (1). Every leak has some basic attributes like site, records or number of accounts included (2). If you want to see the details of the leak, you need to click on its name (3).
You will find basic metadata such as the date of discovery and publication (1). This is the date when the leak was discovered by our team. However, the data may have been stolen earlier. The leak may also include a website reference (2) if the leak originated from a hacked website.
The actual files within the leak can be downloaded when you click on "Files". Please note that only files less than 10 Mbyte are allowed to be downloaded:
The downloaded files will appear under "downloads" where you can open them:
Leak results often contain "Tags" assigned for the leak, which briefly show what information is contained within the leak. The system supports the following tags at the moment:
Kaduu comes with two different search modus when manually searching for leaks (1). The standard modus (2) will allow you to search for a specific pattern. The results then will show where this search pattern appears (2a), what type of data it may contain (2b) and how many records it has (2c). If you want to see all the records, simply click on the number (2c).
When you use the extended search, you will directly see all records for your search term. Kaduu allows you to choose how many characters you can display before and after the exact match of your search term (1). The actual search term is always highlighted (2). The leak reference is displayed to the left (3). You can also sort the records with different sort filters (4).
In order to export the leak data, you first need to select the records you want to export (1) and then click on (2) export and select the according format (JSON, CSV, DOCX, HTML):
Based on specific search results you are able to create alerts. Please click "create alerts" in the navigation menu (1) and select the alert type:
Opposite to a single target within the search field, you can also upload a list of targets (1) using the upload button. Please use one entry per line (2). The results will then be displayed to the left:
When you look for the word "examples", you will find +100 K records containing that word. If you look for "examples.com" you will see much less records. A search term that contains a domain like "examples.com" will on the other hand result in many more account records. But you might be missing out leaks that do not contain domains. Therefore it is important to play with the search terms and try only the company name without the domain. If the company name is very generic, you might end up with too many false positives. In such a case you can use the search tools explained in the next chapter.
So what is the best search strategy? The answer is: it doesn't exist. Every customer has different domain names or brands. If a customer uses a very generic word or a very short word, the number of search results will be enormous. In such a case, you have to approach it slowly with targeted manual queries. Therefore, each customer should first be individually examined manually by an analyst before creating automated alerts.
Kaduu offers many search options.
Field | Details |
---|---|
createdAt | Creation date & time. |
content | Leak content (default field). |
leakId | Leak ID |
fileName | Leak file name (fileName:yourfile.txt) |
fileExtension | Leak file extension (fileExtension:sql) |
Detailed Search Syntax:
Field | Details |
---|---|
test | Search documents containing test as a separate word or as a part of other word (delimited by punctuation characters).The following will match: test@gmail.com, test.love@mail.com, god_test@nice.org, "this is a test data", hey@test.org, bye@test-data.org |
test.com | Search documents containing test.com as a separate word or as a part of other word (delimited by punctuation characters). The following will match: boss@test.com, hr@this-is-test.com, test.com, data.test.com, super-test.com. |
john@test.com | Search documents containing john@test.com email. The search will only match that exact email and nothing else. |
@test.com | Search documents containing emails on test.com domain. |
test AND leakId:158dd4b2-7672-3492-95f6-019479cb4552 | Search documents containing test, in leak with ID 158dd4b2-7672-3492-95f6-019479cb4552. |
microsoft AND fileExtension:sql AND createdAt:[2020-01-01 TO *] | Search documents containing microsoft in files with sql extension in leaks that were indexed after January 1st, 2020. |
"bank hack"~5 | Search documents using a fuzzy search. The matching document should contain bank word, followed by hack word within 5 words distance. |
quick brown | Search for quick or brown in leak text. This is the equivalent of quick OR brown search query. |
quick OR brown | Search for quick or brown in text. OR keyword is case-sensitive. This is the equivalent of quick brown search query. |
quick AND brown | Search for quick and brown - the document should have both. AND keyword is case-sensitive. |
quick AND NOT brown | Search for documents with quick and not brown. AND and NOT keywords are case-sensitive. |
quick -brown | Search for documents, with quick and no brown. This is the equivalent of quick AND NOT brown query. |
createdAt:2020-03-05 | Search for documents created on 5th of March, 2020. |
createdAt:[2019-01-01 TO 2020-01-01] | Search for leaks created between January 2019 January 2020 |
createdAt:[* TO 2020-01-01] | Search for leaks created until 1st of January, 2020. |
Each leak or entry in Kaduu has multiple associated dates, which help to understand its timeline and relevance. Here’s an example:
Leak XXX; Publish Date: 2021-08-18; Discover Date: 2021-10-20; Creation Time: 2022-02-04 10:45:30
In assessing the relevance of a leak, it’s essential to distinguish between paid and free leaks. Hackers typically attempt to monetize data by offering it for sale on specialized forums. If the data doesn’t sell, the price often decreases over time, eventually becoming available for free a few months post-breach. As a result, there can be a time gap of up to six months between when a leak is first offered for sale and when it appears in the free leaks section of Kaduu.
For real-time alerts on data that is still actively being sold, Kaduu provides a live hacker forum query feature. Learn more here.
Surprisingly, even older leaks can retain a 5% success rate for credential validity. This might seem small, but with thousands or even millions of credentials in each leak, this percentage can result in a significant number of active accounts. Given the sheer volume of credentials released daily, it’s impractical for attackers to exploit them all in real time. Hackers usually focus on data that is easy to monetize, such as access to streaming platforms or shopping sites, rather than corporate applications like SAP or webmail.
Another crucial point is password patterns. Many users follow predictable patterns, such as "PaSSw0rd2024June," which means an expired password may still be relevant, as similar credentials can be anticipated for future periods (e.g., July). Additionally, breached credentials may highlight corporate policy violations—like a company email being used on personal websites (e.g., dating sites), signaling a need for awareness training.
Different dates associated with a leak can often reflect varying stages of its lifecycle, from initial breach to public disclosure. Here’s why discrepancies may occur:
In Kaduu, users might notice that some leaks are reported multiple times. This duplication can occur due to various factors, including the way data is handled by hackers and the inherent challenges of processing leaked information. Below is an explanation of why such duplicates appear and how they are managed:
Many hackers repurpose existing leaks by combining them into new data archives, often referred to as combolists. These are collections of login credentials repackaged for distribution. In the past most famous combolists had names Like "collection I" or "collection II". In this case a cyber security analyst was collecting all leaks and saved them in one large archive called "collection" which was a so called combo list.
To maintain database integrity, the Kaduu team ensures that combolists with a similarity index of 100% are excluded. A similarity index of 100% means that all the data in the leak already exists in Kaduu's database. However, combolists with a lower similarity index, such as 90%, are retained. This is because such leaks may still contain new and relevant data. Unfortunately, it is not possible to filter out the 90% overlaps programmatically.
Sometimes, the same credentials appear in multiple leaks because users often reuse their login information across different platforms or websites.
For example, the same username and password might be discovered on various servers, indicating poor security practices.
This is considered significant because it provides insights into a user's vulnerability across platforms.
Leaks often vary in their formatting and syntax, which can make it challenging to identify duplicate information. For example:One leak might present credentials as https://website.com:username:password, while another might use the format username:pwd:website.com.
Due to the differing order of elements, these entries are treated as distinct in Kaduu's system, even though they represent the same credentials.
This discrepancy is a technical limitation that prevents automated detection of duplicates.
To address these challenges, Kaduu is enhancing its capabilities through the upcoming platform darknetsearch.com. The following measures are planned:
The new platform will include features to filter duplicate entries in alerts. This will help clients manage the redundancy in leak reports more effectively.
Since some clients find value in tracking where a user’s credentials appear (e.g., in which forums or combolists), the duplicate filtering feature will not be activated by default. This allows users to choose whether they want to view all instances of a user's credentials or only unique occurrences.
When our team issues an account to access the application, we ususable enable full content output for the user, unless we are asked not to show password details etc. But when you create yourself users in the system, the default setting is "asterisks - hide content". As a result you will only see partial data and most of the sensitive data is hidden behind symbols like "*". If you want this to be changed for the users, please contact info@kaduu.ch with the information of your client name and user name. We will change that within 24 h in the backend for you.
Many stealer logs do not get processed correctly in the account search and you might see partial or no passwords. In such a case you can use this API script to query the leak endpoint: