
Hackers breached four prominent underground cybercrime forums

A suspicious wave of attacks has resulted in the hack of four cybercrime forums, Verified, Crdclub, Exploit, and Maza, since January.

Since January, a series of mysterious cyberattacks has resulted in the hack of several popular Russian-language cybercrime forums.

Unknown threat actors hacked the Verified forum in January, Crdclub in February, and Exploit and Maza in March. The attackers also leaked the stolen data and in some cases offered it for sale.

“Since the beginning of the year, Intel 471 has observed four well-known cybercriminal forums dealing with a breach, including two since the beginning of March.” reads the post published by threat intelligence firm Intel 471. “Intel 471 does not know who is responsible for the hacks, but due to their public nature, we think it is unlikely that this is a law enforcement operation.”

The public nature of the data breaches leads the experts to exclude the possibility that the hacks were the result of a law enforcement operation.

In January, experts noticed on the popular Raid Forums an advertisement for Verified’s database, containing registered users’ data along with their private messages, posts, and threads. The database was offered for sale for US $100,000. The attackers also managed to transfer $150,000 worth of cryptocurrency from Verified’s wallet to a wallet under their control.

In February, the administrator of the cybercrime forum Crdclub disclosed a cyber attack that resulted in the compromise of the administrator’s account.

“By doing so, the actor behind the attack was able to lure forum customers to use a money transfer service that was allegedly vouched for by the forum’s admins. That was a lie, and resulted in an unknown amount of money being diverted from the forum.” continues Intel 471. “The forum’s admins promised to reimburse those who were defrauded. No other information looked to be compromised in the attack.”

In March, the cybercrime forums Exploit and Maza were hacked. In the Exploit case, the attackers also gained secure shell (SSH) access to a proxy server used for distributed denial-of-service (DDoS) protection and attempted to dump network traffic.

This week, the administrator of the Exploit cybercrime forum disclosed an unauthorized secure shell (SSH) access to a proxy server used for protection from distributed denial-of-service (DDoS) attacks; he also observed an attempt to dump network traffic.

This week the Maza cybercrime forum was also hacked; its members were redirected to a breach notification page upon signing in. The notice also included a PDF file allegedly containing data of forum users (i.e. usernames, partially obfuscated password hashes, and email addresses). Intel 471 researchers confirmed that Maza’s database was breached by the attackers.

(Image source: Flashpoint)

The hack of the Maza cybercrime forum was also reported by researchers at Flashpoint.

“Flashpoint analysts successfully obtained the purported leaked data. While the compromised data appears to be extensive, it’s worth noting that the passwords have been hashed and most other data fields included in the dump have been hashed or further obfuscated.” reads Flashpoint. “The leaked Maza data includes the following:

  • User id
  • Username
  • email
  • Password (hashed and obfuscated)
  • Crt_filename
  • Crt_pass
  • Icq (when available)
  • Aim (when available)
  • Yahoo (when available)
  • Msn (when available)
  • Skype (when available)

“Users on the Exploit forum are discussing moving away from using emails to register on forums as recent disruption efforts may have increased exposure of their online activities. Others are claiming that the database leaked by the attackers is either old or incomplete,” Flashpoint concludes.


Pierluigi Paganini


Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker (EC-Council, London). The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
