Business espionage – the sale of intellectual property on the dark web

What is the dark web?

For those who are new to this, concept, the dark web is the third part of the internet which is not indexed by ordinary search engines and requires a specific web browser (a ‘TOR’ browser) to access. The other two parts of the internet are the surface web (what we all think of when we hear the term ‘internet’), and the deep web, which comprises often proprietary databases and data holdings which sit behind a firewall and generally require a subscription or password to access. A database of media articles is one example.

Photo by Pixabay on

There are a number of illicit markets on the dark web selling everything and anything which is illegal in an anonymised way. These illicit markets also include illicit payment mechanisms for financial transactions which bypass the global financial system. Whilst it makes sense that IP would be sold here, until now this is not something I had heard much about aside from the sale of counterfeit products – shoes, medicine, passports etc. My working hypothesis is that much of the stolen IP on the dark web which is not counterfeit product is likely derived from ‘business espionage’.

Does this article resonate with you? Please vote below or subscribe to get updates on my future articles

What is business espionage?

We all know that information is power, but these days it is also a global currency. According to Forbes Magazine, innovation and intangible assets today comprised around 80% of a business’ value in 2014 (Juetten). In recognition of their value, the International Accounting Standards Board (IASB) adopted IAS 38 Intangible Assets in 2001 to prescribe the accounting treatment for intangible assets.

For simplicity here, I refer to all types of valuable business information, intangible assets or intellectual assets as ‘IP’. Business espionage is a term that I have borrowed from Bruce Wimmer (2015) to refer to the theft of commercial information from businesses including ‘industrial espionage’ (companies spying on their competitors) as well as ‘economic espionage’ (theft of IP by nation states for national security purposes).

Photo by cottonbro on

The types of IP that is stolen includes:

Research dataPricing data
Confidential informationCustomer lists
Trade SecretsProduct development data
Engineering schematicsSales figures
Proprietary software codeStrategies and Marketing plans
Chemical formulasCost analyses
‘Know how’Personnel data
Examples of IP targeted by business spies – Nasheri (2005)

If I think about it simplistically, my hypothesis is there are two main ways someone could obtain this IP for sale: licit and illicit. The licit route would arise where a party has access to the IP and is authorised to copy or use that IP for a permitted purpose (such as under license or terms of confidentiality), but then chooses to use that information for a non-permitted purpose. Examples here could include:

  • Where IP is provided to an outsourced service provider or business partner, such as a Contract Research Organisation, Contract Manufacturing Organisation, or IT managed services provider. When a contractual arrangement ceases the IP may not be properly destroyed, and could be used for unauthorised purposes later (such as to win a new contract with a previous customer’s competitor).

In contrast, the illicit route refers to cases where IP is stolen and then onsold. There are a number of potential vectors here including:

  • Theft and / or exfiltration by trusted insiders (such as employees, contractors or suppliers)
  • Targeting of business travellers in hotels, bars, etc
  • Cyber criminals and hackers breach secured networks
  • Opportunistic individuals who find valuable information on an unsecured corporate network
  • Plus other similar examples

So, to recap, we have the scenario where commercially valuable information (IP) has been stolen – sometimes employees steal IP from an employer as they see it as ‘theirs’ and feel they are the legitimate creater or owner of this information, despite typically having assigned their moral rights to their employer via their employment contract. In this scenario, my experience is that employees rarely sell this information to a third party – but they will often use this information for personal advantage in future roles or positions. However, this is not the focus of this post. In this post, we are referring to the theft and sale of commercially valuable information on a large scale.

Photo by Kindel Media on

Is there a criminal value chain behind the illicit market for stolen IP?

It makes sense that someone who has access to sensitive IP which is valuable in the market and who has ulterior motives would want to sell it, but how does this work? Do they sell it exclusively to the highest bidder at auction? Do they sell it multiple times to multiple parties? If you are the highest bidder at auction, how do you guarantee you are the only buyer? Also, how do you guarantee the authenticity or quality of the information?

“It does little good to steal intellectual property if you do not have the expertise to use it”

James Lewis, SVP and director of the Center for Strategic and International Studies’ (CSIS) Technology Policy Program in Gates (2020)

I have so many unanswered questions here, but the presenter I referred to earlier mentioned the prices some buyers pay for stolen IP on these illicit marketplaces is in the millions of US dollars, and that about 90% of the IP on these illicit markets is authentic. These illicit market dynamics mean this is clearly something worth examining further. As a security consultant, part of my job involves ‘thinking like a criminal’ to identify how such a scheme would work – I have developed my hypothesis below based on my experience and knowledge of how other illicit markets work:

© Paul Curwell, 2022

In my hypothesis shown above, I have assumed there is a degree of criminal specialisation in the stolen IP market, as there is in other aspects of cyber crime and cyber fraud. Just with legitimate online marketplaces, if I were a buyer I wouldn’t trust sellers I don’t know or who other people I trust haven’t verified, and I’m not going to pay anything more than a trivial amount or take the risk to buy IP which hasn’t been verified either as authentic (i.e. stolen from the company alleged to have produced it) or not fictional (i.e. garbage content). For a good overview of how online review systems work, look at this Harvard Business Review article from Donaker et al (2019).

In my mind, there must be information brokers who play a ‘trusted intermediary’ role and offer an independent validation and verification services – for a fee. However, this would also require access to pool of experts who would be paid to perform this work (e.g. scientists, doctors or engineers who are specialists in their field and open to a side hustle). Presumably some are complicit and know what they are doing, but are some also told this is legitimate and have no cause to question further? And what about the companies that are happy to take the risk both that the info might be fake and that they might get caught? As it stands I have more questions than answers, but the one thing I know is this is something I will be looking into further.

Further reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Defining your ‘Threat Universe’ as a building block of your intelligence capability

Author: Paul Curwell

The role of a threat universe in your intelligence capability

The focus of intelligence is generally on what is happening (and likely to happen in the future) external to your organisation. In the commercial world, risk and compliance teams are often inwardly focused, looking at who is doing what and identifying potential implications, rather than focusing on the external source of the risk (i.e., the threat).

Identifying and categorising your actual and potential threats is a first step in building a new intelligence capability. The threat universe is a taxonomy of all possible threats and their associated vectors which could target your organisation, products or supply chain. Defining your universe of threats creates the boundaries for what your intel function does and does not need to focus on, including any strategic intelligence progams such as horizon scanning.

Photo by Kaique Rocha on

The dangers of intelligence ‘silos’ across your organisation

Depending on your role, you may only be interested in threats associated with a specific functional area, such as fraud, cyber-crime or physical security, as opposed to having an enterprise wide focus. However, silos create problems when threats overlap (e.g. criminals who started with opportunistic theft of physical goods move on to defrauding your organisation through its services).

If you don’t have the right mechanisms in place, your organisation will be blind to these overlaps and you will not realise you are being targeted. An example here is fraud in banks – teams working on credit card fraud might not share their data with teams working on motor vehicle insurance fraud, yet the actual criminal targeting them might be the same person.

The first step in building a threat universe is identifying your most important assets, as this helps inform both a threat actor’s motive and any threat vectors they are likely to use (how a threat actor might successfully defraud or attack you).

Work out what is valuable to your business

A basic rule of security is that you can’t protect your assets if you don’t know what you’re supposed to protect. There are many ways of doing this, but I start with a simple taxonomy and then get into further levels of detail with my clients. When I think of assets, I start with five main categories:

Asset CategoriesDescription
PeopleIncludes your employees and customers
FacilitiesBuildings such as offices, plants, warehouses, laboratories
InformationIncludes Intellectual Property (IP such as patents, copyright, personal or private information (generally covered under privacy legislation), and confidential business information (proprietary information) such as marketing plans, strategies, pricing models
SystemsComprises the computer networks, servers and related technology that keeps the business functional
Brand & ReputationRepresents the premium the market places on your products and services as a result of how you do business

Your products & services are assets too!

Products are all too often overlooked by many security and fraud professionals. There are two things you need to consider. Some threat actors make money by abusing your products or services. Pharmaceutical counterfeiting and loan fraud syndicates are two examples, both of which profit by directly targeting a company’s products or services.

Perhaps more pernicious are those who use of your products or services as a criminal enabler. This means that your company may not lose money by having criminals use your products or services, indeed, some companies might even make money in the form of sales revenue, but your products or services are used to facilitate criminal business operations. Money laundering and identity crime are two common examples. A less obvious one is drug trafficking rings that smuggle illicit product into a legitimate shipment to transport their illicit product.

Photo by Ketut Subiyanto on

Identifying the threat actors likely to target your assets

Once you have identified what is likely to be targeted in your business, the next step is to understand who is likely to target you. You will likely not have all the information you need to complete this step without some research, but you will probably be able to complete a high level summary quite quickly. Remember that criminals might be considered to lie on a spectrum, from opportunistic through to serious organised crime.

Use this simple taxonomy for threat actors to get you started:

Threat ActorDescription
Opportunistic CriminalsOpportunistic criminals are only engaging in crime because they think they won’t get caught. For example, perhaps you are a retailer who sells expensive clothing, and your products can easily be slipped into a bag without paying?
Unsophisticated CriminalsI use this category to describe people who might be engaging in crime more than just opportunistically, but are either just starting out or really aren’t any good. History has plenty of examples here, and this category (particularly those that aren’t any good), are probably the ones most likely to get caught.
Organised criminalsOrganised criminals are just that – organised. That implies some level of competence, which likely translates into them being harder to find and catch. This is particularly the case with fraud syndicates. If you have something which is attractive to criminal groups, or can provide them with access to something that is valuable which they couldn’t get any other way (e.g. a way to launder their money or use someone else’s identity), you may be a target. Fraud syndicates and cyber-crime rings are frequently encountered examples here, although there are overlaps between these examples and all other categories.
Organised Crime GroupsWe need to make a distinction between ‘organised criminals’, basically sophisticated groups of people engaged in criminal activity, and true ‘organised crime groups’ like the Mafia and Yakuza. Successful criminals are all organised, but not all organised criminals are members of transnational organised crime groups. Organised crime groups these days are generally transnational, and involved in a broad spectrum of legitimate and illegitimate enterprises.
Nation States & their associatesNation states and their associates (such as front companies and intermediaries) can be involved in a range of activities including Intellectual Property Theft, technology transfer, weapons profileration, economic espionage, foreign interference, information operations (e.g. cyber attacks, misinformation / disinformation campaigns), supply chain attacks and sabotage (physical and cyber).
Terrorism &
Politically Motivated Groups
An unfortunate reality of life is that some crimes are politically motivated – Terrorism is one example. Companies and their assets (including employees) may be directly targeted for some reason – perhaps they are high profile and an easier target than say a police station or government building – or they may just be in the wrong place at the wrong time. If your office is in the same building as a government agency or other high profile business, you would be wise to ensure this is on your threat universe.
Issue Motivated GroupsIssue Motivated Groups might sound a bit strange, but these are effectively groups of people who are willing to commit crimes (sometimes serious crimes such as murder) in the name of what they feel is important. Examples include environmental activists, anti-abortion activists, religious motivations, animal rights activists and others. They range from peaceful and benign (e.g. peaceful protests) through to very serious – such as the bombing of anti-abortion clinics or the murder of staff associated with them. You need to know if your company operates in an industry that is targeted by IMGs.
Street criminals / gangsThis might seem a strange addition to the list depending on where you live or operate, but it is important to remember the threats facing corporate travelers as companies have a duty of care towards their employees. Theft (including cargo theft), robbery, random acts of violence, and even opportunistic kidnappings perpetrated by common criminals or organised groups may need to feature on your risk register if you send employees to high risk locations.
Insider ThreatsRefers to any person who has the potential to harm an organisation for which they have inside knowledge or access, including employees, contractors, consultants, and employees / contractors of suppliers and business partners. An insider threat can have a negative impact on any aspect of an organisation. Insiders can also collude or collaborate with external threats such as organised crime groups.

As you start to define your threat universe, you can develop sub-categories which will help you further identify and manage the threat. For example, if your organisation is exposed to organised crime, start to categorise them. Add sub-categories such as middle east organised crime, outlaw motorcycle gangs etc. Then you can undertake research to find out what sort of activities they typically engage in, and whether your business, products or supply chain are typically targeted by each group in your region. Having done this exercise once, you can keep it up to date by building a media monitoring capability to identify emerging trends.

Applying your threat universe in practice

A threat universe could comprise something similar to an an organisational chart, and be supplimented with prorfiles and information you gather on each group. Advanced versions will be in a database or similar system. Your threat universe should be a living document, which develops as both your business evolves and the external environment in which your business operates changes.

Once complete, you can start to focus your intelligence resources. Not everything on your threat universe is going to be a problem right now (i.e. be a ‘current threat’) – indeed, there may not be any threats targeting you within a specific category right now, but this can change without warning. When something strange happens or the beginnings of a new trend start to emerge, you can easily look to your threat universe and assess whether this is something you need to be worried about.

Further reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.