Friendly fire: Four well-known cybercriminal forums dealing with breaches

Mar 04, 2021

Since the beginning of the year, Intel 471 has observed four well-known cybercriminal forums dealing with a breach, including two since the beginning of March. The forums, all predominantly Russian-language forums, saw the breaches publicly disclosed elsewhere, with some instances of user data being leaked or put up for sale.

Intel 471 does not know who is responsible for the hacks, but due to their public nature, we think it is unlikely that this is a law enforcement operation.

The first instance Intel 471 saw this year was an actor claiming to have breached Verified, an established Russian-language forum. In January, the actor claimed on another popular forum, Raid Forums, that they had taken Verified’s entire database, which allegedly contained information on all registered users and their private messages, hashed passwords, posts and threads, and was offering it for US $100,000. Additionally, the actor managed to transfer $150,000 worth of cryptocurrency from Verified’s wallet to their own wallet.

In February, the administrator of another popular cybercrime forum, Crdclub, announced that the forum had sustained an attack that resulted in the compromise of the administrator’s account. Using that account, the actor behind the attack was able to lure forum customers into using a money transfer service that was allegedly vouched for by the forum’s admins. That was a lie, and resulted in an unknown amount of money being diverted from the forum. The forum’s admins promised to reimburse those who were defrauded. No other information appeared to be compromised in the attack.

Earlier this week, the administrator of the Exploit cybercrime forum announced that a monitoring system had detected unauthorized secure shell (SSH) access to a proxy server used for protection from distributed denial-of-service (DDoS) attacks, as well as an attempt to dump network traffic. Further investigation led to the admin banning a known bulletproof hosting provider due to their alleged role in the attack, but admins eventually ended up restoring the account on Wednesday. It’s unclear who was actually responsible for the attack.

Most Recent Attacks

On March 3, Intel 471 observed Maza, an invite-only cybercrime forum, redirecting its users to a breach notification page upon signing in. The announcement was accompanied by a PDF file allegedly containing a portion of forum user data. The file comprised more than 3,000 rows, containing usernames, partially obfuscated password hashes, email addresses and other contact details. Our initial analysis found that a portion of the leaked data correlated with our previous research findings, which confirms that at least some of Maza’s databases were breached.

The incidents show that even perpetrators of cybercrime aren’t immune from experiencing the fallout that comes with personally identifiable information being made public. Various cybercrime forums are alive with chatter following the breaches, with nefarious actors wondering if their real-world identities will be discovered thanks to the leaked data.

While Intel 471 isn’t aware of anyone claiming responsibility for the breaches, whoever is behind the actions has indirectly given researchers an advantage. Any information unearthed from the breaches aids in the fight against these criminals due to the added visibility it gives security teams who are tracking actors that populate these forums. Intel 471 will continue to monitor the cybercrime underground for reaction to how these breaches impact its inhabitants.