Grey Area

A compelling, first-hand account of the dark web, from its underground ecosystem, to the people responsible for committing data breaches and leaking data, 21st century's most consequential data breaches, the responses to those attacks, and the impact of dark web data and intelligence gathering and can have in the defense and security of our nation.

In Grey Area, veteran hacker and cybersecurity investigations expert Vinny Troia offers an unfiltered, first-person look into the evolving relationship between open-source intelligence (OSINT) and the dark web data ecosystem. Drawing from years of hands-on experience in digital forensics, dark web investigations, and adversarial engagement, Troia explores how publicly available and commercially available information—PAI and CAI—are rapidly becoming the backbone of modern intelligence operations, and how a human intelligence network of known cyber criminals helped identify and stop one of the largest data breaches in known history.

This book examines the legal, operational, and ethical dimensions of collecting and exploiting data from the darkest corners of the internet, including leaked databases, breached credentials, and hidden criminal networks. It breaks down how to discover, process, validate, and operationalize this data in real-world contexts—from attribution and threat actor profiling to national security use cases.

You'll explore the evolution of OSINT within the Department of Defense and the Intelligence Community through exclusive, first-hand accounts from senior officials who helped define its path. You'll also learn how AI and automation tools are being used to validate data at scale, detect disinformation, and supercharge open-source investigations. The book also covers how data is stolen and what happens to it after the theft. Through his direct account as Reddington, Troia provides actual unedited conversations with the cyber criminals responsible for a hack targeting more than 160 companies, including his own interactions leading to the hack, the extortion negotiation and responses with each of the effected organizations, and how the hackers were ultimately brought to justice.

From discussions of the legal grey areas of data collection, ransom negotiations, and a first-hand perspectives of his interaction with well-known hackers, Grey Area is a compelling and honest account of the realities of the dark web, data theft, and ways in which the intelligence community should be leveraging these methods to help strengthen our national security.

Inside the book:

• Blow-by-blow accounts of one of the largest data breaches in recorded history
• Interviews and commentary from high level officials at the CIA, ODNI, DIA, and DOD.
• Informed, insightful commentary on how cybersecurity professionals are using dark web open-source intelligence to strengthen national security, and our country's defenses against hackers and foreign adversaries.
• Revealing interviews with experienced hackers who explain a variety of approaches, philosophies, and strategies for combatting and recovering from data breaches

Grey Area is essential reading for cybersecurity professionals, intelligence analysts, investigators, and policy leaders navigating the complex intersection of dark web data, national security, and open-source intelligence. Through real-world case studies and insider accounts, it delivers actionable insight into the future of data-driven investigations, threat attribution, and the expanding role of OSINT in modern intelligence operations.

Foreword xix

Introduction xxi

What Does This Book Cover? xxi

Introducing the Guest Experts xxiv

Part I Underground Field Guide 1

Chapter 1 Where We Left Off 3

Where to Start? 3

Summary 10

Chapter 2 A Cybercrime Economy of Stolen Data 11

The Stolen Account Black Market 11

Infostealers 18

Stolen Account Markets 21

The Com aka Scattered Spider 25

Summary 28

Chapter 3 Dark Market Forums 29

Data Marketplaces 29

Verifying and Validating Your Data 41

Summary 46

Chapter 4 Publicly and Commercially Available Information 47

Defining PAI and CAI 48

Data Acquisition and Oversight 50

Open vs. Closed Networks 54

Dark Web Data 58

Please Secure Your Data 71

Summary 72

Part II Open-Source Intelligence 73

Chapter 5 OSINT 101 75

Open-Source Intelligence 77

The Battle for OSINT 82

A System Under Pressure: The 36-Star Memo 89

Funding and Governance 91

OSINT as a Core Discipline 94

Summary 96

Chapter 6 OSINT for National Security 97

A Strategic Shift Toward OSINT 98

Forward Momentum 101

OSINT’s Way Forward 108

Streamlining OSINT Efforts 111

Summary 116

Chapter 7 The Future of OSINT 117

Reimagining OSINT 119

A Path Forward 122

HPSCI OSINT Subcommittee 136

Summary 139

Chapter 8 Investigations 141

An OSINT Primer 142

Hunting Cyber Criminals: Cracked.io Edition 148

Summary 156

Chapter 9 OSINT for Human Trafficking 157

Child Sexual Abuse Material 158

Fighting Human Trafficking 161

Identifying ArtBBS 166

Searching for a Trafficked Child 171

Summary 174

Part III Working with Information 175

Chapter 10 Validation as Tradecraft 177

Disinformation 178

Data Validation 181

ETL Automation 195

Summary 196

Chapter 11 Dark Web Data Processing 197

Working with HBL Data 197

Cleaning CSV Files 201

Data Structure and Formatting 205

Processing Headers 213

Summary 220

Chapter 12 Data Loading and Extraction 221

ClickHouse 221

Aleph 239

Summary 242

Chapter 13 Data Analysis and AI 245

Asking Your First Question 246

Identifying Patterns (of Life) 249

Citations 261

Summary 264

Chapter 14 Gathering Human Intelligence 265

HUMINT 266

Crafting a Persona 277

Summary 290

Part IV Snowflake 291

Chapter 15 Setting the Stage 293

John Binns (aka irdev) 294

April 16, 2024 299

Connor Riley Moucka 306

Summary 310

Chapter 16 The First Few Victims 311

The Arrest Document 311

Victim-2 (Telecom) 312

Victim-5 (The Bank) 319

Victim-4 (Entertainment) 322

Summary 332

Chapter 17 Intrusion Analysis 333

Discovering Snowflake 333

Maintaining Persistent Access 339

EPAM and Initial Entry Point 346

Origin of the Stolen Credentials 355

Summary 360

Chapter 18 Breach Timelines and Disclosures 361

Victim Breach Timeline 362

June 28: Ticketek 380

Breach Disclosures 382

Summary 386

Chapter 19 Identifying Moucka 387

Catist’s Ego and Immaturity 388

Hunting Catist 392

Catist’s Arrest 395

Identifying Catist 397

Being Grey 400

Chapter 20 Epilogue 401

Loose Ends 401

Thank You! 402

Index 405

VINNY TROIA, PhD, is a lifelong hacker, ransomware negotiator, and dark web investigator. Troia’s deep knowledge of the cybercriminal underground has placed him at the center of numerous high-profile investigations. He is the CEO of Shadow Nexus, a firm that delivers dark web data and intelligence to national security organizations.

OSINT Reimagined: The Rise of HBL Data and Dark Web Intelligence in National Security

In Grey Area, veteran hacker and dark web investigator Vinny Troia delivers an unfiltered, first-person account of how open-source intelligence (OSINT) and dark web data are transforming the intelligence landscape.

Drawing from years of hands-on investigations and adversarial engagements, Troia explains how publicly and commercially available information (PAI and CAI) now forms the foundation of modern intelligence operations—and how hacked, breached, and leaked (HBL) data can be weaponized to strengthen national security.

From legal grey zones and ransom negotiations to direct interactions with some of the world’s most notorious hackers, Grey Area offers a raw, inside look at the realities of the dark web—and how an intelligence network built around known cybercriminals led to the discovery of one of the largest data heists in history.

Packed with real-world case studies and operational insights from current and former members of the CIA, DIA, DoD, and ODNI, Grey Area is essential reading for intelligence analysts, investigators, cybersecurity professionals, and policy leaders navigating the murky intersection of OSINT, dark web data, and national security.