Cyber criminals run daily attacks against organizations and their employees. In case of success, they try to commercialize the captured data. Often, they sell it to other hackers as leverage and/or in preparation for further attacks. If, for example, login credentials are stolen, they can be used to spread malware or gain access to further internal systems. The stolen data becomes a valuable product, and the hacker becomes a businessperson that trades that product – mainly in the Dark Web. As a result, millions of breached accounts, credit card and other data pop up almost daily in the Dark and Deep Web.

Login credentials and other breached data can be used to prepare targeted attacks against an organization. Even if the login data of an employee originates from a third party website, the threat is real and common because of password re-use, that is, employees often use the same or similar password to log into the organization’s applications. Often, breached data also contains a lot of valuable information about the target organization or its employees. This could help an attacker prepare spoofing or impersonation attacks.

Monitoring whether your organization’s name appears in Dark Web forums, Onion-, I2P and paste sites can help you detect potential insider threats, enabling you to prevent data leaks and other incidents that may cause damage to your organization. Dark Web monitoring involves actively searching and tracking the Dark Web for information about your organization, including leaked or stolen data, compromised passwords, breached credentials, intellectual property, and other sensitive data. Please note: This functionality refers to a DB search. If you look for a Live Search, please consult this article.

The database is updated daily from our analysts. We use different discovery methods (manual and automated).

A data leak is when sensitive data within an organization is leaked to an external, unauthorized target, either accidentally or through a cyber attack or vulnerability. The data leak can be of physical or electronic information.

Unlike accounts, which always involve usernames and or passwords, a data leak can be, for example, an SQL database, a user's password, or even internal, confidential emails.

The leaks can be seen in the expert mode under the navigation item "list" (1). Every leak has some basic attributes like site, records or number of accounts included (2). If you want to see the details of the leak, you need to click on its name (3).

You will find basic metadata such as the date of discovery and publication (1). This is the date when the leak was discovered by our team. However, the data may have been stolen earlier. The leak may also include a website reference (2) if the leak originated from a hacked website.

The actual files within the leak can be downloaded when you click on "Files". Please note that only files less than 10 Mbyte are allowed to be downloaded:

The downloaded files will appear under "downloads" where you can open them:

Leak results often contain "Tags" assigned for the leak, which briefly show what information is contained within the leak. The system supports the following tags at the moment:

• account - contains account data (login and password pair)
• address - physical address information
• company - company name
• credit-card - credit card details: a number and an expiry date
• csv - the leak contains files with comma-separated values
• dob - date of birthday
• email - the leak contains email addresses
• hash - hashed passwords
• identity - identity information - passport numbers, SSNs, etc
• ip - IP addresses
• json - JSON file
• log - application log file
• mix - mixed data format
• name - person's first and last names
• paper - the leak contains company's internal papers and documents - PDFs, Excel sheets, etc
• password - clear text password data
• phone - phone number
• sql - the leak contains SQL dump files
• url - links to websites
• username - the leak contains user names or user aliases, which are different from email addresses

Kaduu comes with two different search modus when manually searching for leaks (1). The standard modus (2) will allow you to search for a specific pattern. The results then will show where this search pattern appears (2a), what type of data it may contain (2b) and how many records it has (2c). If you want to see all the records, simply click on the number (2c).

When you use the extended search, you will directly see all records for your search term. Kaduu allows you to choose how many characters you can display before and after the exact match of your search term (1). The actual search term is always highlighted (2). The leak reference is displayed to the left (3). You can also sort the records with different sort filters (4).

In order to export the leak data, you first need to select the records you want to export (1) and then click on (2) export and select the according format (JSON, CSV, DOCX, HTML):

Based on specific search results you are able to create alerts. Please click "create alerts" in the navigation menu (1) and select the alert type:

Opposite to a single target within the search field, you can also upload a list of targets (1) using the upload button. Please use one entry per line (2). The results will then be displayed to the left:

When you look for the word "examples", you will find +100 K records containing that word. If you look for "examples.com" you will see much less records. A search term that contains a domain like "examples.com" will on the other hand result in many more account records. But you might be missing out leaks that do not contain domains. Therefore it is important to play with the search terms and try only the company name without the domain. If the company name is very generic, you might end up with too many false positives. In such a case you can use the search tools explained in the next chapter.

So what is the best search strategy? The answer is: it doesn't exist. Every customer has different domain names or brands. If a customer uses a very generic word or a very short word, the number of search results will be enormous. In such a case, you have to approach it slowly with targeted manual queries. Therefore, each customer should first be individually examined manually by an analyst before creating automated alerts.

Kaduu offers many search options.

Detailed Search Syntax:

Every leak or entry in kaduu has different dates. Example:

Publish Date 2021-08-18 Discover Date 2021-10-20 Creation Time 2022-02-04 10:45:30

The publish date is when we think the leak happened. The Discover date is when we discovered the leak. The creation date is when the leak was indexed in our DB. Thats why you should only filter by publish date to associate the leak with the correct date!

When our team issues an account to access the application, we ususable enable full content output for the user, unless we are asked not to show password details etc. But when you create yourself users in the system, the default setting is "asterisks - hide content". As a result you will only see partial data and most of the sensitive data is hidden behind symbols like "*". If you want this to be changed for the users, please contact info@kaduu.ch with the information of your client name and user name. We will change that within 24 h in the backend for you.

Many stealer logs do not get processed correctly in the account search and you might see partial or no passwords. In such a case you can use this API script to query the leak endpoint:

• Use the DateRange.txt file to define the date range for your query
• auth.txt contains your Kaduu login
• input.txt contains the domain you want to query. Do not use a subdomain like www in your query.
• tags: The script filters for leaks that have the tag account. You can add more tags if reuquired