Someone Is Hacking Cybercrime Forums and Leaking User Data
Since the beginning of this year, an unknown threat actor has been hacking cybercrime forums and leaking user data publicly or offering it for sale.
At least four such forums have been breached to date, namely Verified in January, Crdclub in February, and Exploit and Maza in March. All are predominantly Russian-language forums and saw their breaches publicly disclosed elsewhere.
Intelligence firm Intel 471, which has been closely following the hacks, says that, while the identity of the actor behind the attacks is unknown, the public nature of the attacks eliminates the possibility of a law enforcement operation.
In January, a threat actor announced on underground forum Raid Forums that they breached Verified, an established Russian-language cybercrime forum. The adversary said they had Verified’s entire database, containing details on all registered users, including private messages, posts, threads, and hashed passwords.
The hacker, who apparently was able to transfer $150,000 worth of cryptocurrency out of Verified’s wallet, was offering the database for $100,000.
In February, the administrator account of cybercrime forum Crdclub was hacked, which allowed the threat actor behind the compromise to lure forum customers into using a fraudulent money transfer service and divert an unknown amount of money from the forum.
This week, both the Exploit and Maza underground forums were hacked. The attacker apparently gained secure shell (SSH) access to an Exploit proxy server destined for distributed denial-of-service (DDoS) protection, and also attempted to dump network traffic.
“Users on the Exploit forum are discussing moving away from using emails to register on forums as recent disruption efforts may have increased exposure of their online activities. Others are claiming that the database leaked by the attackers is either old or incomplete,” threat intelligence company Flashpoint notes.
Maza, an invite-only cybercrime forum active since 2003, was displaying a data breach notification on March 3, most likely the work of the hacker who managed to take over the forum.
A PDF file accompanying the announcement contained over 3,000 rows, including usernames, email addresses, various contact details, and partially obfuscated password hashes.
“Our initial analysis found that a portion of the leaked data correlated with our previous research findings, which confirms that at least some of Maza’s databases was breached,” Intel 471 said.
To date, no one appears to have claimed responsibility for the breaches, but the perpetrator’s actions could provide security researchers with increased visibility into who is using these cybercrime forums.