xDedic Marketplace for hacked servers reappeared on Tor

Pierluigi Paganini July 14, 2016

Following a short disappearance, the xDedic market – the infamous ‘eBay’ of hacked servers, has made a new appearance on the Tor network.

The xDedic market is still offering everyone from entry-level cybercriminals to APT groups fast, cheap and easy access to legitimate organizational servers.

The domain (xdedic[.]biz) went offline following a report from Kaspersky Labs which detailed in its Corporate News section, the scope and method of operations of the illicit marketplace.

Up to 70,000 hacked servers were on offer from the site for as little as $6 USD, and with 416 registered sellers in 173 countries, the platform was operating a highly successful global business model which would rival that of many legitimate businesses.


Following the Kaspersky report the malicious site went offline, only to reappear in a Tor link on the Russian forum ‘exploit.in’, according to researchers at Digital Shadows.

“They’re upping their operational security a bit, but they’re obviously in a tricky place. They’ve got to advertise it. You can’t find it by browsing; they have to publish the link to point users to it. There is an interesting tension here, they have to promote their services, but don’t want to slip up and reveal their identity. It’s a tricky balance marketing their services and hoping work of mouth will do the work for them.” said Digital Shadow’s founder and CTO, James Chappell.

As before, registering with the site is free, however, activation of the account this time round required a mandatory payment of $50.

The site allows buyers to view lists of compromised boxes containing specifications on the levels of access available for each hacked resource including AV details, uptime and downtime state, installed browsers as well as the location of the device.

Kaspersky Lab’s reported “We are aware of reports of the return of xDedic and are monitoring the situation. We have a policy to share the findings of cybercriminal research with the relevant law enforcement agencies, and we have already done so in the case of xDedic.”

Although the site disappeared for a brief period, it is presumed that many of its previously compromised resources are still on offer.

“I would imagine they have some of the previous offerings available” according to Chappell. “Many of those servers are still compromised. They would still have stock in the stockroom.”

The lists of hacked machines available on xDedic covered many industries including online shopping, dating, banking and gambling sites as well as ad networks. Searches were often conducted on the old xDedic depending on what applications and uses the user required.

This was used to effect to sharpen the focus of certain criminal groups specific their particular illegal goals.

“It’s time-consuming to have to acquire servers. Why not use a middle man for that?” Chappell said. “It’s a good example of criminal networks specializing into roles. To have market dedicated to this scale is slightly more unusual. It’s a significant commodity; there’s a market for it and obviously people are willing to pay for it. It’s a functioning economy.”

Written by: Steven Boyd

Steven BoydSteven is a security consultant, researcher, ethical hacker and freelance writer with over 16 years of experience in the industry. He has provided security consultancy to some of the world’s biggest banks, the private sector as well as public services and defense. He is the owner and creator of security blog www.CybrViews.com.

Twitter: @CybrViews





[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs –xDedic market, cybercrime)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment