Dark Web Hosting Provider Daniel’s Hosting Hacked for Second Time in 16 Months

One of the world’s largest free Dark Web hosting providers, Daniel’s Hosting (DH), decided to suspend operations after it was hacked for the second time in 16 months. The provider’s entire database was deleted, taking 7,600 dark web portals offline. The service intentionally did not back up any of the hosted web content. Not only was the database wiped, but the attacker also deleted the database account of Daniel Winzen, the German software developer who created the site, and made a new one. Winzen says the hack took place early in the morning on March 10th, and by the time he realized it, most of the data was already gone. He is not sure how the backend was accessed; since the hosting service is a side project for him, he has not looked into it much and plans to keep the site down for now. Winzen stated that he plans to eventually relaunch the service with new features and improvements.

Analyst Notes

In addition to forums and marketplaces, Dark Web hosting has also been used for malware Command and Control (C2) servers and for ransomware payment sites. Enterprises should consider detecting or blocking connections from employee workstations to known Tor nodes. This can be done with Endpoint Detection and Response (EDR) tools, which still apply the policy when the workstation is outside the corporate network. Using free Dark Web hosting providers for legitimate content is risky, especially when the hosting provider is believed to host illegal or abusive content. Winzen mentioned that he had to spend most of his time investigating and removing illegal sites and scam sites that were hosted on DH. Having a reputation for providing service to such sites, even if they are eventually removed, makes the hosting provider a likely target for hacktivists.
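As an added illustration of the Tor-node detection recommended above (example code written for this note, not from DH or any EDR vendor), the following matches EDR network-connection events against a list of known Tor node addresses. The feed format, the IP ranges and the events are all constructed; a real deployment would refresh the list from a maintained source such as the Tor Project's bulk exit list and feed the hits into alerting or a block rule.

```python
import ipaddress

# Constructed stand-in for a Tor node feed: one IP or CIDR per line, '#' comments allowed.
# Addresses are from documentation ranges and are not real Tor relays.
TOR_NODE_FEED = """\
# known tor nodes (constructed sample)
198.51.100.7
203.0.113.0/28
"""

# Constructed EDR network-connection events from two workstations.
EDR_EVENTS = [
    {"host": "ws-01", "process": "firefox.exe", "dest_ip": "93.184.216.34", "dest_port": 443},
    {"host": "ws-01", "process": "tor.exe",     "dest_ip": "198.51.100.7",  "dest_port": 9001},
    {"host": "ws-17", "process": "svchost.exe", "dest_ip": "203.0.113.9",   "dest_port": 443},
    {"host": "ws-17", "process": "outlook.exe", "dest_ip": "192.0.2.50",    "dest_port": 443},
]


def load_tor_networks(feed):
    """Parse a feed of IPs/CIDRs into network objects, skipping blank, comment and malformed lines."""
    nets = []
    for line in feed.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            # strict=False accepts host bits set in a CIDR (e.g. 203.0.113.5/28).
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # malformed feed line; ignore rather than fail the whole load
    return nets


def is_tor_node(ip, nets):
    """True if ip falls inside any listed Tor address or range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def find_tor_connections(events, nets):
    """Return the events whose destination is a known Tor node, tagged with a reason for the alert."""
    hits = []
    for event in events:
        if is_tor_node(event["dest_ip"], nets):
            hits.append({**event, "reason": "destination is a known Tor node"})
    return hits


if __name__ == "__main__":
    for hit in find_tor_connections(EDR_EVENTS, load_tor_networks(TOR_NODE_FEED)):
        print(f'{hit["host"]} {hit["process"]} -> {hit["dest_ip"]}:{hit["dest_port"]} ({hit["reason"]})')
```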