How the FBI relies on dark web intel firms as frontline investigators

A cadre of former intelligence officers is lurking on the dark recesses of the internet on behalf of government and a shortlist of wealthy clients.

U.S. law enforcement officials regularly rely on a complex network of relationships they’ve formed with a select group of private intelligence firms to monitor the vast, opaque expanses of the dark web, former FBI officials, company executives and defense contractors tell CyberScoop.

Insiders say the relationships are especially distinct because the companies operate in a hazardous legal environment where they must constantly balance operational risks and client interests while maintaining law enforcement’s trust.

“Generally, private sector companies want to help law enforcement catch bad guys, but they don’t want to be dragged into diverting time and other resources to assist in the prosecution process,” said Levi Gundert, vice president of intelligence and strategy for threat-intel firm Recorded Future. “The business needs to focus on serving customers, not [just] supporting law enforcement, so it’s a delicate balance.”

For agencies like the FBI, Department of Homeland Security and Drug Enforcement Administration, among others — organizations that face workforce and budget constraints — these partnerships are becoming increasingly necessary to understand the growing threat posed by terrorists, foreign intelligence services and criminals operating in hidden areas of the internet.

“It is certainly unique,” John Riggi, former FBI section chief for the Cyber Outreach Division, said of the relationship. “In some ways I would say it’s akin to a sort of neighborhood watch — although these security companies are obviously getting paid a lot to watch after a very, very dangerous neighborhood.”

‘Greater context’

The dark web is a section of the internet that can only be reached using the anonymizing Tor browser, which bounces encrypted traffic around between computers known as nodes. The network’s architecture makes determining the origin of traffic extremely difficult. Dark web addresses generally end in .onion and are famous for hosting criminal marketplaces like the notorious Silk Road or its successor, AlphaBay. Not all .onion domains are malicious in nature or host illegal content though.

Dark web intelligence firms provide the FBI with what Trent Teyema, a section chief who works in the cyber division, describes as a “more comprehensive map” of suspicious internet domains and illegal services that may be of interest to law enforcement.

A conglomeration of different, Tor-accessible domains have been home to various cybercrime discussion boards.

“It gives us greater context,” Teyema said of the private industry during a presentation at a recent cybersecurity conference in Arlington, Virginia. “It is threat information that you can leverage to get a better idea for what’s going on.”

Historically, dark web intel firms have gathered intelligence and passed on actionable information to the FBI  in recent years that has ultimately led to charges in criminal cases or helped agents takedown illegal digital operations. Examples include the Storm botnet, Cryptolocker, DNSChanger, Gameover Zeus and 2014 Yahoo breach cases, industry experts told CyberScoop.

“Even 10 years ago, this probably couldn’t have been a business,” said Nick Rossman, an intelligence production manager for iSight Intelligence. “This was just a government thing back then, but now there’s demand for this information from banks and other people, too.”

Inarguably, the private sector can better compensate individuals interested in the highly-specialized work, which typically calls for a diverse set of language, cybersecurity, espionage and other computer skills to properly surveil a variety of different criminal forums.

While regulatory oversight for the industry remains vague, firms continue to hire former U.S. intelligence analysts and cybercrime law enforcement specialists to equip their companies with the best technical expertise.

“It’s sort of like a revolving door, really,” said Rossman, a former FBI analyst. “People will know each other from their time in government … [and] I think that helps [with managing the relationship].”

Riggi said that firms sometimes proactively reach out and offer the government information free of charge when it concerns a pertinent threat they’ve seen. Whenever this occurs, a “revolving door” of informal personal relationships guides the sharing effort since there is no pre-constructed framework to organize communications.

“When [intel firms] spot a crime, which is rampant on the dark web, the better organizations will [voluntarily] report it to the FBI,” said Riggi, “They are filled with former intelligence community and law enforcement people … they may have access to closed forums that government does not.”

Analysts matter

From an industry standpoint, the market presents a wide array of competing companies that each monitor the hidden corners of the internet in a slightly different fashion.

Some of the best known firms for these services include Flashpoint, Intel 471, iSight, Terbium Labs, Deloitte and SenseCy. Prices for products sold by these companies ranges from several to hundreds of thousands of dollars.

Last year, iSight was acquired by cybersecurity giant FireEye for $275 million. The Department of Homeland Security is among a list of clients currently subscribed to iSight’s cyber threat intelligence feed, which includes insight into dark web activities.

Several of the more sophisticated, analyst-driven dark web intelligence firms boast tools that are at least on par with capabilities typically associated with traditional law enforcement or intelligence agencies, CyberScoop learned. In some companies, analysts work full-time to penetrate underground criminal communities, embed themselves alongside suspects and collect data — all tasks once reserved for agents.

“The primary advantages of the private sector monitoring the dark web for law enforcement are the breadth of sources and speed of analysis related to new dark web events and actors, said Gundert, a former Secret Service special agent based in Los Angeles. “[We] have broader insight due to proprietary technology, better compensated human resources and less legal requirements for open source intelligence collection.”

Occasionally, firms are motivated to provide information to government in order to help stop an attacker from damaging a client — “think of it as fulfilling needs,” said Flashpoint Chief Scientist Lance James. “Law enforcement investigates and [the] private sector tends to provide actionable intelligence in many cases enabling these investigations.”

Managing resources and the time of analysts to provide these friendly tips can be challenging, however.

“Obviously the whole ‘see something, say something’ model applies to the dark web to some extent,” Rossman said. “If we see something particularly nasty then we do tend to directly reach out … but we can’t spend all our time doing just that — there’s so much out there. No one can.”

Gilles Perez, director of business development and marketing for Israeli dark web monitoring firm SenseCy, told CyberScoop of one such case.

“We managed to get in touch with a prolific cybercriminal that was responsible for many phishing attacks against banking clients,” Perez said of SenseCy’s capabilities. “Using our [automated software], we obtained valuable personal details about a person of interest and were able to conduct a full link analysis of his activities and proved his involvement in financial theft, eventually facilitating his arrest.”

A touchy business

While dark web intelligence firms compete with one another to provide their clients with the best insights into secret marketplaces and forums, some companies do so at the risk of breaking the law by accessing, downloading or otherwise accidentally interacting with illicit content, according to James Trainor, a former assistant director for the FBI’s Cyber Division.

Companies who spoke with CyberScoop for this story said in no uncertain terms that they fully comply with the law as it’s written today.

“These guys, they really need to be careful with what they’re doing,” Trainor told CyberScoop. “I don’t think many of them realize where that fine line is … [and] that can turn out really bad.”

Until today, there’s been no court case — at either the state, local or federal level — involving a dark web intelligence firm improperly accessing data hosted on the dark web.

One of the principal laws that governs the niche industry is the controversial Computer Fraud and Abuse Act, or CFAA, a statute introduced in 1984 to define what exactly constitutes illegal access to a computer system or network.

“The CFAA was passed in 1986 and is woefully out of date, but it’s still the law, so it’s incumbent on private sector companies to understand how federal judges and [the Justice Department] interprets CFAA and conform to these interpretations,” said Gundert.

Varying interpretations of the CFAA exist in both the industry and courts. A lack of consistency adds to the tensions that arise from a delicate balance of equities.

Rumors commonly circulate among the small industry that certain firms are crossing that “fine line” by downloading stolen user data and accessing other illicit material in the name of gathering useful intelligence for clients.

The undefined, vague and undeniably confusing legal gray zone in which dark web analysts must operate allows for some of the more cavalier firms to skirt backlash, one insider said on the condition of anonymity.

The FBI declined to comment.

“I think you have to draw a line and say, ‘OK, I am not going to cross that,’” said  Tyler Carbone, chief operating officer at Terbium Labs. “Some [dark web] websites require you to commit a crime to login and enter the community … that’s simply not something we’re going to do,” Carbone explained, “just like other companies, we’re always talking with legal.”