Back in the late 1990s, a new service appeared to help IRC users to share large blocks of computer code with each other. These services were called “pastebins”. It was a simple concept, upload it into a text hosting service for others to access with a simple URL. It allows for easy sharing without disrupting chat channels.
Fast forward 20 plus years later to 2015 where major pastebin sites (such as pastebin.org) had evolved into repositories for hacked documents, accounts, and other information. Data leaks from companies like Morgan Stanley caused a large increase in pastebin sites as hackers and insiders sought out more secure and private locations.
The following analysis explores the current state of pastebins in 2020, as well as the trends that are visible within the pastebin category.
Pastebin Analysis
The research team at Media Sonar conducted a 12-month analysis into pastebins spanning from September 2019-present. For this review, we looked at five of the larger Deep Web pastes, using Media Sonar technology to include non-searchable pastes, as well as two larger paste sites on the Dark Web.
Media Sonar’s templated keyword groups were used to scan 5.7 billion pieces of content and assess if markers indicating identity or credential information were found. While Media Sonar platform users would search in conjunction with an asset to narrow results, all queries categorized and counted content for the purpose of trend analysis.
The following pastebins were analyzed:
- Pastebin.com (Including hidden pastes)
- Controlc.com
- Hastebin.com
- pastebin.pl
- ybin.me
- Stronghold Paste (TOR network)
- DeepPaste (TOR network)
1. Pastebin Usage is Shrinking
Since September 2019, Pastebins have experienced a 75% decrease in content. While there were almost 1 billion monthly new pastes discovered in September 2019, there has been an almost constant downward trend – with the exception of the early stages of the COVID-19 pandemic while companies were at their most vulnerable.
While the increase of P2P marketplaces like OpenBazaar, encrypted conversations and email services have reduced the value of pastebins in communications, the value of an anonymized central repository remains the niche that pastebins preserve.
OpenBazaar blends the secrecy of Silk Road with the mainstream appeal of Ebay. Street drugs, counterfeit and stolen goods can all be sold on OpenBazaar and are difficult to find unless you know where to look. Media Sonar helps security professionals gain visibility into OpenBazaar as well as Dark Web marketplaces.
2. The Concentration of Illicit Content is Increasing on Pastebins
While pastebins as a whole have been decreasing, the percentage of content containing identity and credential information has been increasing to over half of all pastebin content.
A major trend in previous years has been “swatting” and “doxing” in which hacker groups or amateur sleuths would try to expose as much personal identifiable information (PII) of celebrities, executives, politicians, and other prominent individuals. While doxxing as an activism trend has disappeared from popular culture, you can find hundreds of thousands of “dox” posts across pastebins today. Professional doxing services have primarily moved to be “for hire” services in which a full extraction of PII (including address, SIN, family members) could be done for as little as $25. A frequently-used service for hackers targeting executives.
3. Pastebins on Dark Web Marketplaces are Growing Quickly
Across the two major Darkweb pastebins covered in this research (StrongHold Paste and DeepPaste), exponential growth was found with a major part of all pastes now being hosted on the Darkweb.
Compared to the Deep Web-based pastebins sites, the majority of Dark Web pastebins contain illicit content. The most common usage being sample credit cards, user accounts, or private documents that are being provided alongside advertisements on Dark Web marketplaces. This approach helps Dark Web marketplace users to verify the quality of the sold information from different vendors.
Impacts on Corporate and Cyber Security Teams
Over the past 12 months, the concentration of identity and credential information has grown to be over 50% of all new pastebin content. Some relief can be found in the massive decrease of pastebin content overall, however, the explosion of Dark Web pastebins since April 2020 indicates greater severity of content than before. The usage of pastebins appears to have evolved from a clipboard for developers to share code snippets, to being a clipboard for illicit information exchanging.
At just under 200,000 new monthly posts or 7,000 per day, the current trends indicate that 3,500 new pieces of identity or credential information are surfaced each day. Therefore pastebins must be a necessary part of any OSINT threat detection strategy.
How Can Media Sonar Help?
Media Sonar makes searching on the Deep and Dark Web instant. Use our pre-built keyword groups, rapid search logic, and instant data return to easily discover exposed information. Looking for exposure takes seconds, and transforming into detection rules takes only a few clicks more. The most efficient analysts use Media Sonar to save hours each day.