Bitglass News

“Where’s Your Data: Project Cumulus” Lures Dark Web Users

By Bitglass | Feb 17, 2016 5:00:00 AM

CAMPBELL, CA – Feb. 17, 2016 - Results Show Hackers Access Other Apps, Download and Crack Encrypted Files, and Attempt To Cover Their Tracks

Bitglass, the Total Data Protection company, released the results of its second annual “Where’s Your Data” experiment, designed to help organizations understand what happens to sensitive data once it has been stolen. For Project Cumulus, Bitglass researchers created a digital identity for an employee of a fictitious retail bank, a functional web portal for the bank, and a Google Drive account, complete with real credit-card data. The team then leaked “phished” Google Apps credentials to the Dark Web and tracked activity across the fictitious employee’s online accounts. Within the first 24 hours, there were five attempted bank logins and three attempted Google Drive logins. Files were downloaded within 48 hours of the initial leak. Bitglass’ Cloud Access Security Broker (CASB) monitoring showed that over the course of a month, the account was viewed hundreds of times and many hackers successfully accessed the victim’s other online accounts.

Project Cumulus:

The Bitglass Threat Research Team created a complete online persona for an employee of a fictitious bank and pretended that the employee’s Google Drive credentials were “stolen” via a larger phishing campaign. Bitglass researchers populated the dummy Google Drive account with fake bank data, including several files that contained real credit card numbers and work-product. What the visitors didn’t know was that the Bitglass CASB had been deployed in monitor-only mode. Files were embedded with Bitglass watermarks, and all Google Drive activities -- from logins to downloads -- were monitored by Bitglass.

The Findings:

Bitglass observed an immediate spike in activity once the credentials were leaked onto the Dark Web. Hackers tested the fake bank employee’s Google Drive credentials in a number of the victim’s other accounts and were quick to download files, including those with real credit-card information.


  • Over 1,400 visits were recorded to the Dark Web credentials and the fictitious bank’s web portal
  • One in ten hackers attempted to log in to Google with the leaked credentials
  • 94 percent of hackers who accessed the Google Drive uncovered the victim’s other online accounts and attempted to log into the bank's web portal
  • 12 percent of hackers who successfully accessed the Google Drive attempted to download files with sensitive content. Several cracked encrypted files after download
  • 68 percent all logins came from Tor-anonymized IP addresses


Hackers Modify Their Techniques

In the company’s first data experiment, conducted a year ago, the Bitglass team leaked watermarked documents onto the Dark Web. The files were viewed 200 times in the first few days, but the frequency of downloads quickly decreased. In the prior experiment, few downloads used any form of anonymization via Tor, which made them easy to track. After an eight-month quiet period, Bitglass researchers noticed a large number of downloads via Tor late last year. This, coupled with the high rate of Tor usage in the bank experiment, suggests hackers are becoming more security conscious, realizing that they need to mask IPs when possible to avoid getting caught.

"Our second data-tracking experiment reveals the dangers of reusing passwords and shows just how quickly phished credentials can spread, exposing sensitive corporate and personal data," said Nat Kausik, CEO, Bitglass. "Organizations need a comprehensive solution that provides a more secure means of authenticating users and enables IT to quickly identify breaches and control access to sensitive data.”

Demographic Figures:

  • Hackers came from more than 30 countries across six continents
  • Percentages of the countries with non-Tor visits to the bank web portal are as follows:
    • Russia: 34.85 percent
    • U.S.: 15.67 percent
    • China: 3.5 percent
    • Japan: 2 percent


Information about the experiment can be found here:





Register for our webinar “Project Cumulus: Behind the Experiment,” live on February 24 at 10am PT | 1pm ET.

About Bitglass

Bitglass is a Cloud Access Security Broker that delivers innovative technologies that transcend the network perimeter to deliver total data protection for the enterprise -- in the cloud, at access, on mobile devices, on the network and anywhere on the Internet. Bitglass was founded in 2013 by a team of industry veterans with a proven track record of innovation and execution. Bitglass is based in Silicon Valley.