
Executives in the Crosshairs: How the Dark Web is Fueling Targeted Threats


From doxing to credential leaks, cybercriminals are exploiting executive data like never before.

The recent act of violence against UnitedHealthcare CEO Brian Thompson sheds light on the need for a comprehensive approach to monitoring executives. Security for executives goes beyond physical protection alone and should include monitoring their online footprint across the open, deep, and dark web. This article focuses specifically on current threats to executives on the deep and dark web, as malicious activities and stolen PII in these spaces provide valuable data for threat actors to use in targeting high-profile individuals.

Doxing

One of the top threats to executives on the dark web is doxing. Doxing is the publishing of identifying information about an individual on the internet. Information posted in doxing efforts can include not just information about the executive but also information pertaining to their family members. A threat actor can use address information to engage in activities such as violence, stalking, and targeted harassment. A common practice in doxing efforts is to perform swatting at that location. Swatting is the practice of making a hoax call to emergency services in an attempt to bring about the dispatch of a large number of armed police officers to a particular address. These dangerous activities put the lives of police officers and those at the residence at risk.

Doxing originating from the dark web can occur multiple ways:

  • On the dark web there are services where individuals on a forum or chat will perform the doxing on your behalf. These services are similar to phishing-as-a-service models where the threat actor is paid to do all the actions required. 
  • Calls-to-action to dox a targeted individual can also lead to someone unassociated with a doxing service taking on the doxing request after seeing communications on dark web forums. 
  • Doxing efforts posted on the dark web can also be shared via social media/open web sources, increasing their exposure to the public. 
  • Sensitive PII can also be posted in a doxing effort that could potentially lead to other compromises, such as the posting of a social security number, medical records, or even credit card numbers. 

The example below showcases a doxing effort against a major CEO of a health insurance company. This information was posted less than a week after the shooting of the UnitedHealthcare CEO. Information in this dox included the following: current home address, previous addresses, political donations, floor plan of current home, phone numbers, email addresses, immediate family PII, family occupation information, reason for the dox, and a call to swat the residence.


Credential Compromise

A major threat to executives is credential compromise of both their corporate and personal email addresses. Leaks that lead to compromise can come from bona fide database compromises, breaches, and threat actors assembling their own combo-lists. In each of these cases, threat actors are keenly looking for corporate email addresses. Configurable tools like OpenBullet allow threat actors to quickly download leaked data and test email (username)/password combinations to see if the credentials they hold also work on other websites, letting criminals process large amounts of data rapidly. With password re-use still as common as it is, this remains one of the biggest vectors of compromise.

Executives are also at risk if their device has been compromised by infostealer malware. This malware can be deployed through traditional phishing methodologies, downloading malicious applications, and downloading pirated software. Devices compromised by infostealer malware can go up for sale on marketplaces like the Russian Marketplace and Exodus. On these example marketplaces, threat actors are looking specifically for compromised devices on which an internal login appears to have been captured. Purchasing content from these infostealer marketplaces is relatively cheap ($3-$10) and has been documented as one avenue through which ransomware groups have gained internal access. Initial Access Brokers are another concern for leaked data, as they advertise the data they have captured and compromised for sale on dark web forums. It is not uncommon to see threat actors posting about data for sale like this on forums such as Breached and XSS. Lastly, credential leakage opens the possibility for threat actors to use this information for espionage efforts once they gain access to internal systems.

Personally Identifiable Information (PII)

When people hear about data leaks and breaches, the first question is always whether usernames and passwords were present in the dataset. That is an important data point to capture, but not all of these compromises contain username/password records. Leaks may also contain home addresses, phone numbers, email addresses (corporate or personal), and other PII tied to the individual.

An example of a PII breach was the National Public Data leak in 2024. This leak included a large set of full names, dates of birth, addresses, social security numbers, and phone numbers. Data breaches like this have the potential to lead to targeted phishing/smishing campaigns, spear phishing, and social engineering efforts. Not only could executives be targeted themselves with this information, but threat actors could use it to impersonate the executive and carry out malicious activities targeting their employees. Leaks like the National Public Data leak can also expose executives to threats like new account fraud, authentication bypass, account takeover, and synthetic identity creation. Data like street addresses or family member names may not seem especially sensitive, but it is not uncommon for users to rely on exactly this kind of information in the security questions on their various accounts.

Reputational Damage

Monitoring the dark web and dark web-adjacent sites can reveal individuals impersonating executives by using their names and likeness. While this type of impersonation isn’t always harmful, it could be used to spread negative rhetoric or violent commentary to their followers or members of that channel. This kind of commentary could lead to reputational damage to the executive, especially if it makes its way out into the social media arena.

The image below showcases one such impersonation threat to an executive on Telegram. In this post, a user on Telegram is telling users to message a prominent CEO of a crypto company to recover lost money. In addition to posting the CEO’s name, the actor on Telegram posted a channel bearing the executive’s name that users could reach out to for financial help. This leaves open the possibility of impersonating the CEO on Telegram to scam users out of funds.


If content originates from the dark web and begins to transition to the surface web and social media, it increases the exposure of the leaked information to the public. In addition, when content moves out of the dark web it has the potential to do reputational damage to the executive. Because taking down content on the dark web is not possible, security teams should monitor the exposure of this information as it is not uncommon for content to spread to different sources from the original leaked channel.

Steps security teams can take to mitigate these threats include:

  • Deploying monitoring for credentials compromised by infostealer malware, as this is a common tactic for threat actors to gain internal access to your systems. Infostealer-compromised data can be leaked through dark web sources but can also show up for sale on markets such as the Russian Marketplace. Threat actors are keenly looking for internal logins, so monitoring this material is necessary to help protect your organization.
  • Verifying whether information tied to a data leak or credential compromise is accurate, or was accurate at some point in time. With username and password leaks, it is also prudent to reset passwords where necessary and alert the affected parties of the compromise. The prevalence of password re-use allows threat actors to download data leak files and quickly run the data through tools like OpenBullet to test logins on other websites.
  • Alerting affected parties of doxing efforts as soon as possible, as this information can lead to targeted harassment and violence against an executive and their family.
  • Deploying takedown efforts to help mitigate leaked information should it be posted to the surface web and social media.
  • Making sure employees are educated on the latest phishing threats, as content such as leaked email addresses and phone numbers could be used to target both themselves and executives.
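As an added example (not from the article), the script below walks through the verification and reset steps above for a leaked combo-list on the defender's side: it parses constructed leaked lines in the mixed separator formats such lists use, keeps only accounts under an assumed monitored domain (example.com), and checks each leaked password against a constructed salted-hash store so that only still-valid credentials are marked for a forced reset and an owner alert.

```python
import hashlib
import re

MONITORED_DOMAINS = {"example.com"}  # assumed corporate domain to watch; not from the article
LINE_RE = re.compile(r"^\s*([^\s:;|]+@[^\s:;|]+)[:;|](.+?)\s*$")  # email<sep>password, sep in : ; |

def hash_password(password: str, salt: bytes) -> str:
    """Salted PBKDF2-HMAC-SHA256, standing in for the directory's password store."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()

# Constructed directory: email -> (salt, hash of the account's current password).
SALT = b"constructed-salt"
ACCOUNTS = {
    "ceo@example.com": (SALT, hash_password("Winter2024!", SALT)),  # rotated since the leak
    "cfo@example.com": (SALT, hash_password("Summer2023", SALT)),   # leaked password still in use
}

def parse_combo_line(line: str):
    """Return (email, password) for a leaked line, or None if it is not a credential pair."""
    m = LINE_RE.match(line)
    return (m.group(1).lower(), m.group(2)) if m else None

def triage(leak_lines):
    """Map each leaked email to an action: ignore, unknown-account, stale, or reset (only if still valid)."""
    results = {}
    for line in leak_lines:
        parsed = parse_combo_line(line)
        if parsed is None:
            continue                                  # noise, not a credential pair
        email, password = parsed
        if email.rsplit("@", 1)[1] not in MONITORED_DOMAINS:
            results[email] = "ignore"                 # not one of our domains
        elif email not in ACCOUNTS:
            results[email] = "unknown-account"        # our domain, no such mailbox
        else:
            salt, stored = ACCOUNTS[email]
            results[email] = "reset" if hash_password(password, salt) == stored else "stale"
    return results
# Constructed leak sample in the mixed separator formats combo-lists commonly use.
LEAK = [
    "CEO@example.com:Winter2023!",   # old password, no longer valid
    "cfo@example.com;Summer2023",    # current password: reset and alert the owner
    "someone@other.org|hunter2",     # not a monitored domain
    "not a credential line",
    "intern@example.com:Pass123",    # our domain, no directory entry
]
if __name__ == "__main__":
    for email, action in triage(LEAK).items():
        print(f"{email}: {action}")
```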

Recent acts and threats of violence against CEOs shed light on the need for a comprehensive approach to monitoring executives. Strong protection for executives can prevent security breaches, keep them safe from harm, and stop disruptions to business. Monitoring for executive threats across the surface web, deep web, dark web, and social media provides complete visibility into an executive’s online presence and quickly identifies real threats that need addressing. By familiarizing themselves with these threat types and following the steps above, security teams can better protect their executives and organization.

__

Nick Oram is senior manager of domain and dark web monitoring solutions at global cybersecurity company Fortra, where he leads innovative efforts to protect organizations from cyber threats. He began his cybersecurity career in 2016 at BrandProtect, playing a key role in developing the company’s dark web monitoring service. This early effort laid the foundation for a service that has since expanded to include brand monitoring and compromised credential monitoring.

Nick earned a Master of Science in Applied Intelligence from Mercyhurst University, where he sharpened his analytical abilities and strategic thinking, preparing him to excel in diverse intelligence environments. Follow Nick on LinkedIn.
