Flare | Cyber Threat Intel | Digital Risk Protection (https://flare.io/)

Deciphering Black Basta’s Infrastructure from the Chat Leak
https://flare.io/learn/resources/blog/deciphering-black-bastas-infrastructure-from-the-chat-leak/
Thu, 06 Mar 2025 14:47:16 +0000

The post Deciphering Black Basta’s Infrastructure from the Chat Leak appeared first on Flare | Cyber Threat Intel | Digital Risk Protection.


This article originally appeared on Cybercrime Diaries.

On February 20, 2025, the cybersecurity community received an unexpected stroke of luck as internal strife seemingly spread within the infamous Black Basta ransomware group. On that day, an unknown individual using the alias ExploitWhispers released a file on Telegram, allegedly containing the group’s internal chat logs. The file was a JSON dataset comprising 196,045 messages from a Matrix/Element chat, primarily in Russian, spanning from September 18, 2023, to September 28, 2024.

While the true identity of the leaker and their actual motives remain unknown, ExploitWhispers accused Black Basta of crossing a red line by targeting Russian banks. A preliminary analysis suggests that most, if not all, of the leaked data appears legitimate. However, the possibility of data manipulation cannot be entirely ruled out.

Black Basta is a ransomware-as-a-service (RaaS) group that emerged in April 2022 and has since attacked over 500 organizations worldwide across various sectors, including healthcare, manufacturing, and utilities. Notable victims include Ascension, Dish Network, Maple Leaf Foods, BT Group, and Rheinmetall. According to estimates published by The Record in November 2023, the group had received over 100 million dollars in ransom payments up to that date. However, since January 2025 no new victims have been reported, and the group’s leak site is presently down, suggesting that an internal conflict could have shaken up the group.

Figure 1: Ransomware victims per country for Black Basta (Source: Ransomware.live)

Back in 2022, this RaaS was founded by Conti Team 3, also known as Tramp’s team, which remained in control of the group during the period covered by the leak. In the leaked chat, Tramp appears under the aliases gg and aa. An investigation by LeMagIT, supported by external sources, confirmed that the likely real identity of this threat actor is Oleg Nefedov, a Russian citizen originally from Yoshkar-Ola.

While extensive research has already been published, providing insights into who Nefedov is and which vulnerabilities the group exploited, this short blog focuses on Black Basta’s internal organization. Additionally, this will offer a glimpse into how and where the group hosted and obfuscated its leak site and C2 servers.

Key Observations from the Leak and Available Information

  • The true identity of the group’s leader, Tramp (aka gg), is possibly Oleg Nefedov, a 35-year-old Russian citizen from Yoshkar-Ola, who is officially known as a successful entrepreneur, but claims to be protected by powerful friends allowing him to pursue his malicious endeavors. 
  • Black Basta operates as a highly structured and hierarchical organization, with at least two offices, likely located in Moscow or its outskirts.
    • Group members have several different specializations focusing on areas such as infrastructure management, initial access, malware and C2 obfuscation, development, and negotiations.
    • A key distinction existed between threat actors who were employees of the group—working under Tramp’s direct and strict supervision in office settings—and more independent operatives, known as pentesters or affiliates, working online.
    • These independent affiliates were often Tramp’s former associates from other illicit operations, such as Conti RaaS or banking trojans. They operate within their own teams, using distinct tools, methods, and internal hierarchies. This division sometimes leads to tensions between them and Black Basta’s core management.
    • The group periodically changes Matrix servers for OPSEC reasons. In September 2024, Tramp decided to migrate to a new server. This may also be explained by Tramp’s brief arrest in Armenia during a vacation trip in June 2024, which almost resulted in his extradition.
  • Black Basta members are active on major Russian-language cybercrime forums such as XSS, Exploit, and RAMP, where they purchase services from other threat actors. These services include crypting (payload obfuscation), hosting, spam campaigns, exploits, and initial access to compromised networks.
  • The group’s leak site, admin panel, and C2 servers were primarily hosted on legitimate providers such as Hetzner, but these were acquired through third-party resellers that specialized in server rentals and accepted cryptocurrency payments.
    • Infrastructure obfuscation appeared to be a more viable strategy than relying on bulletproof hosting. However, bulletproof hosting services, such as Gerry, were used for deploying abuse-resistant C2 servers for Cobalt Strike and for fast-flux capabilities, which helped conceal the real IP addresses of domains.
  • Overall, the leak of this chat underscored once again that a substantial part of cybercriminal activity takes place outside forums or public chats, with the latter being just the tip of the iceberg.

Black Basta’s Organization and Internal Hierarchy

A statistical analysis of the leaked data provided valuable insight into the group’s hierarchy. The most active user—by far—was the leader, Tramp, also known as “gg” (@usernamegg in Figure 2 below). He was responsible for coordinating other members, developing new methods for obtaining initial access, participating in attacks, handling negotiations, and maintaining strict control over his employees. He enforced this control by personally visiting both offices where they operated.

Lapa is the second most active user; he can be described as a senior “pentester” who seemingly knew Tramp before joining the chat in September 2023. The majority of messages from this user related to access to victims’ corporate networks. There are also active external pentesters such as “w.”

Figure 2: Black Basta members by number of messages (Source: Flare)

The periods of activity and the nature of the messages themselves indicate that the group had specifically defined and organized vacation periods, such as January or June 2024, when almost all activity stopped.

Figure 3: Messages per Week on Black Basta (Source: Flare)

Another notable observation was the distinct structure of the usernames present in the chat. Usernames composed of the word “username” followed by two letters—such as “gg” (aka Tramp), “ww”, “tt”, or “ss”—and hosted on the bestflowers247.online Matrix server appeared to belong to Black Basta’s core members (example: @usernamegg:bestflowers247.online). These threat actors were directly managed by Tramp, who also provided them with their Matrix accounts.

This structure clearly distinguished them from other members of the chat, who used their own Matrix servers, had different username formats, and operated more independently. These independent actors, who can in fact be considered affiliates, often referred to their own teams and to other threat actors who were not part of the chat.

This differentiation is also highlighted in the graph below, where it can be seen that core members remained active for a much longer period than external ones. However, some noticeable discrepancies suggest that the data might be incomplete or that certain core members were simply dismissed in June 2024.

For instance, no disputes or conflicts were recorded for core members such as “ww”, “mm”, “zz”, or “cc”, yet their messages abruptly stopped in June 2024. This points to two possibilities: the dataset is incomplete, or these members moved to another communication channel.

Figure 4. Black Basta members and their first and last messages (Source: Flare)
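To illustrate the two observations above (the username pattern that marks core members, and the first/last-message timeline behind Figure 4), here is an added Python example; it is not code from the post or from Flare. It assumes the export is a JSON list of messages with "sender" and "timestamp" keys, which the post does not specify, and every homeserver other than bestflowers247.online in the sample is invented.

```python
import json
import re
from datetime import datetime

# Core-member pattern described in the post: "username" + two letters on the
# bestflowers247.online homeserver, e.g. @usernamegg:bestflowers247.online.
CORE_ID = re.compile(r"^@username[a-z]{2}:bestflowers247\.online$")

# Any syntactically valid Matrix ID: @localpart:server
MXID = re.compile(r"^@[^:]+:[^:]+$")

# Constructed sample in the shape the leak is described as having (a JSON list
# of chat messages). The keys "sender", "timestamp" and "text" are assumptions;
# the post does not give the real export's field names, and every homeserver
# other than bestflowers247.online below is invented.
SAMPLE_JSON = json.dumps([
    {"sender": "@usernamegg:bestflowers247.online", "timestamp": "2023-09-18T09:12:00", "text": "..."},
    {"sender": "@usernamegg:bestflowers247.online", "timestamp": "2024-01-15T11:02:00", "text": "..."},
    {"sender": "@usernamegg:bestflowers247.online", "timestamp": "2024-09-20T17:45:00", "text": "..."},
    {"sender": "@usernameww:bestflowers247.online", "timestamp": "2023-10-02T08:30:00", "text": "..."},
    {"sender": "@usernameww:bestflowers247.online", "timestamp": "2024-06-10T14:05:00", "text": "..."},
    {"sender": "@lapa:affiliate-server.invalid", "timestamp": "2023-09-25T10:00:00", "text": "..."},
    {"sender": "@lapa:affiliate-server.invalid", "timestamp": "2024-03-01T10:00:00", "text": "..."},
    {"sender": "@usernamegg:other-server.invalid", "timestamp": "2024-02-01T10:00:00", "text": "..."},
    {"sender": "not-a-matrix-id", "timestamp": "2024-02-01T10:00:00", "text": "..."},
])


def classify(mxid):
    """Label a Matrix ID as 'core' (Tramp-issued account) or 'external'.
    Both the two-letter localpart and the homeserver must match."""
    return "core" if CORE_ID.match(mxid) else "external"


def load_messages(raw_json):
    """Parse the export into (sender, datetime) pairs, dropping rows whose
    sender is not a Matrix ID (a manipulated or malformed dataset should not
    crash the analysis)."""
    rows = []
    for msg in json.loads(raw_json):
        sender = msg.get("sender", "")
        if not MXID.match(sender):
            continue
        rows.append((sender, datetime.fromisoformat(msg["timestamp"])))
    return rows


def member_stats(messages):
    """Per-sender message count, first and last activity, and role label:
    the data behind Figures 2 and 4 in the post."""
    stats = {}
    for sender, ts in messages:
        entry = stats.setdefault(
            sender, {"role": classify(sender), "count": 0, "first": ts, "last": ts}
        )
        entry["count"] += 1
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
    return stats


def ranked(stats):
    """Senders ordered by message count, most active first."""
    return sorted(stats, key=lambda s: (-stats[s]["count"], s))


def gone_silent_core(stats, cutoff):
    """Core accounts whose last message predates cutoff: candidates for the
    'dismissed or moved channel' question raised in the post."""
    return sorted(s for s, e in stats.items() if e["role"] == "core" and e["last"] < cutoff)


if __name__ == "__main__":
    st = member_stats(load_messages(SAMPLE_JSON))
    for s in ranked(st):
        e = st[s]
        print(f"{s:45} {e['role']:8} {e['count']:3} {e['first']:%Y-%m-%d} {e['last']:%Y-%m-%d}")
    print("core accounts silent after 2024-07-01:", gone_silent_core(st, datetime(2024, 7, 1)))
```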

Analysis of the various exchanges between members in the chat led to deciphering their main roles and specializations within Black Basta. As shown in the graph below—and accessible through the provided link—the group could be divided into the following specialties:

  • Leadership and management: Led by gg, also known as Tramp.
  • Infrastructure management, servers, and hosting payments: Handled by yy, also known as bio.
  • Internal pentesters and support: A group working directly under Tramp’s command from two offices. These members were strictly monitored, often asking for his permission even to step away from their computers for a few minutes. Notable members included nn, ww, zz, and others.
  • External affiliates: More independent and experienced, often operating with their own teams. They were particularly active in obtaining initial access and conducting social engineering attacks. For instance, Kortez was frequently mentioned as the leader of another malicious group working alongside blood, adm, nickolas, and u123.
  • Coders and programmers: Mostly seasoned malware developers such as n3auxaxl, also known as mekor, and chuk. They were responsible for developing new malware, including the group’s Pikabot, which consisted of a downloader/installer, a loader, and a core backdoor component. Black Basta occasionally hired additional coders, though this appeared to be one of the hardest roles to fill.
  • Crypting and obfuscation specialists: Primarily a small group of two individuals. One notable figure was muaddib6, also known as Bentley, who may have been the infamous Russian threat actor Vitaly Kovalev.
  • Social engineering experts: Specialized in gaining initial access by targeting high-value companies. They used tactics such as impersonating IT support personnel, calling employees, and convincing them to install AnyDesk to deploy malware.
  • Brute-force and password de-hashing specialists: At least two threat actors focused specifically on these techniques.

Black Basta’s Internal Structure

Figure 5: Black Basta’s Internal Structure (Source: Flare)

Black Basta’s Infrastructure: Hosted in Germany and Obfuscated

Thanks to this preliminary work, which helped identify the main specialization of each threat actor active in the chat, it became easier to determine where to look for specific information, such as details about the group’s infrastructure.

According to the previous paragraphs and Figure 5, the threat actor yy, also known as bio, was responsible for Black Basta’s hosting, websites, and penetration testing servers.

As illustrated in Figure 6 below and in the graph available here, the group’s most critical servers were likely purchased from VPSKot, a company accepting cryptocurrency payments and reselling servers from legitimate hosting providers unaware of their real customers. One such provider was the German company Hetzner, where Black Basta hosted its Onion websites like the administrative panel, blog, and Element/Matrix chat service in September 2023.

Black Basta’s Key Servers in September 2023

Figure 6: Black Basta’s Key Servers (Source: Flare)

The examination of yy’s messages from November 2023 also gives an interesting glimpse into how Black Basta deployed Cobalt Strike on servers and obfuscated them behind proxies. Cobalt Strike is a post-exploitation framework commonly used by red teams and cybercriminals to establish command and control, move laterally within networks, and execute malicious payloads.

The group seemingly used bulletproof hosting (BPH), but only marginally, mainly preferring to acquire many servers from “grey” and offshore hosting companies in order to rotate their servers and obfuscate their sensitive infrastructure. One BPH that was still mentioned multiple times in the leak, referred to as “the Abkhaz hosting”, was a service advertised by the threat actor “gerry”, one of the most prominent illicit hosting providers currently active on Russian-language cybercrime forums.

Black Basta’s Cobalt Strike Servers and Proxies in November 2023

Figure 7: Black Basta’s Cobalt Strike servers and proxies (Source: Flare)

Final Thoughts on the Black Basta Leak: A Treasure Trove to Explore

This blog offers just a glimpse into the valuable information that can be extracted and analyzed from this leak. It contains numerous threat actor handles, illicit services from cybercrime forums, contact details, cryptocurrency addresses, and identified vulnerabilities. One particularly interesting investigative approach could be leveraging these indicators to track threat actor accounts across forums, potentially uncovering their real identities. For example, searching the Flare platform for the TOX IDs mentioned in the leak identified several cybercrime forum accounts belonging to the threat actors named in the chat.

Figure 8: Black Basta threat actors found in Flare (Source: Flare)

Figure 9. Examples of threat actors selling various services on Exploit that were mentioned in the leak

Dig Further into Cybercrime with Flare Academy

Interested in following more cybercrime research? Flare Academy’s training sessions are led by cybersecurity researchers; check out the upcoming sessions here.

We also offer the Flare Academy Discord Community, where you can connect with peers and access training resources from the Flare Academy training.

Can’t wait to see you there!


Sources

“Black Basta – Chat Viewer,” February 2025. https://ransomware-leaks.com/.

Garrity, Patrick. “Exposing CVEs from Black Bastas’ Chats.” VulnCheck, February 24, 2025. https://vulncheck.com/blog/black-basta-chats.

Ransomware.live. “Black Basta – Ransomware.Live,” March 5, 2025. https://www.ransomware.live.

Rieß-Marchive, Valéry. “Ransomware : de REvil à Black Basta, que sait-on de Tramp ?” LeMagIT, March 1, 2025. https://www.lemagit.fr/actualites/366619807/Ransomware-de-REvil-a-Black-Basta-que-sait-on-de-Tramp.

Townsend, Kevin. “Black Basta Leak Offers Glimpse Into Group’s Inner Workings.” SecurityWeek, March 3, 2025. https://www.securityweek.com/black-basta-leak-offers-glimpse-into-groups-inner-workings/.

PowerSchool Hack; Takedowns and Arrests and Leaks, Oh My!; and ITRC Breach Report Findings
https://flare.io/learn/resources/blog/powerschool-hack-takedowns-and-arrests-and-leaks-oh-my-and-itrc-breach-report-findings/
Wed, 05 Mar 2025 20:34:41 +0000

There have been quite a few hacks, takedowns, arrests, and leaks, along with insights from the Identity Theft Resource Center (ITRC) 2024 Breach Report.

Dive into the most pressing recent stories on data leaks, cybercrime, and the dark web with security researcher Nick Ascoli on the podcast Leaky Weekly.

On this episode of Leaky Weekly, Nick covers:

  • PowerSchool hack
  • Cracked & Nulled takedowns and arrests
  • Otelier data leak
  • ITRC 2024 Breach Report findings
  • DeepSeek data leak

Tune in to the podcast below on Spotify or Apple Podcasts, check out the video episode on YouTube, or keep reading this article for the highlights.

These are all developing stories that we covered very briefly, so check out cybersecurity news outlets to stay up-to-date. We couldn’t cover everything in the last few weeks or so, and we’ll look into new stories and developments next time.

PowerSchool Hack

PowerSchool, a popular student information system used by roughly 16,000 customers that serve 50 million students, was hacked using a stolen credential, exposing student data. Currently, the leading narrative appears to be that stolen credentials for an account without 2FA enabled were available on the dark web and were used to log in to this portal.

Schools use this software to track information about students including their:

  • Name
  • Birthday
  • Address
  • Parents and legal guardians

Some districts also track:

  • Social security numbers
  • Health records
  • Disciplinary records

This represents the largest leak that impacts children under the age of 18 in the United States. 

PowerSchool paid the threat actor to delete the data, which is a common practice with extortion groups. The threat actors behind the Snowflake tenant campaign also extorted victim organizations this way.

On Paying Threat Actors to Delete Data…

Extortion groups’ campaigns have been getting more coverage in the news. Victim organizations may pay the fee for threat actors to delete their stolen data (and to not release it), but there is no guarantee of this happening.

In a prominent recent example, the threat actor Waifu extorted AT&T out of over $370,000 to delete the data and sent a video of himself doing so. However, it was well known that he had been exchanging this data with other threat actors, including making the download link public at one point.

It is possible that extortion groups have only one copy of the data and delete it when asked, but it’s safer to assume that a few other people have this data, at the very least within the extortion group itself. 

With the PowerSchool hack, the threat actor has not released the data; at least, it has not publicly made its way onto major hacking forums or cybercrime groups.

Cracked and Nulled Takedowns and Arrests

Europol and the U.S. Department of Justice announced that “Operation Talent” was responsible for the takedown of Cracked and Nulled, two major hacking forums.

The operation by the numbers (according to law enforcement):

  • Two arrests (in Spain)
  • Seven properties searched 
  • 17 servers and more than 50 electronic devices were taken into evidence
  • Roughly $310,000 in cash and crypto was found

Keep reading for an explanation of what sites were taken down and what they did.

Cracked 

Cracked is a hacking forum that has been around since 2018 and a popular place for combolists, hacking tools, and people advertising services. Cracked had about four million users and was estimated to generate $4 million in revenue by itself, not counting the many transactions it facilitated.

Nulled

Nulled has been around a bit longer, since around 2016. It had about five million users and was estimated to generate an annual revenue of about $1 million.

The English-speaking and Russian-speaking cybercrime communities are the ones mostly covered in the U.S. and EU. They include about 100 cybercrime forums, of which only a handful have substantial user bases and traffic, and thus make the news. Cracked and Nulled are both in that handful.

Sellix and MySellix

Cracked, StarkRDP and RDP.sh used Sellix as a payment processor, and it’s well known that the original founder of Cracked was also the founder of Sellix.

Interestingly, one of Sellix’s domains that was not seized, Sellix.com, currently has an official statement on Operation Talent, clarifying that they were not aware of any specific illegal transactions through its platform in connection with Cracked. With that said, the founder of Cracked co-founded Sellix.

StarkRDP and RDP.sh

Both StarkRDP and RDP.sh were heavily advertised on Cracked and Nulled as a place to rent virtual servers. 

Otelier Data Leak

Otelier is a popular hotel management platform used by major global hotel chains at more than 10,000 hotels. A threat actor accessed Otelier’s AWS instance from July to October 2024, and the attackers claimed to have stolen about eight terabytes of data from its S3 storage.

This leak continues the disturbing trend covered on this show of low-effort extortion that works: extortion groups steal credentials without ransomware, tools, or malware development. As IBM X-Force’s 2024 Threat Intelligence Report stated, “In this era, the focus has shifted to logging in rather than hacking in.”

Much like the PowerSchool hack, the root cause of the leak according to Otelier was a stolen employee credential. The vast majority of leaks are rooted in stolen credentials, either on sale on the dark web or taken from a stealer log.

DeepSeek Data Leak

DeepSeek accidentally exposed an internal ClickHouse database to the public. ClickHouse is a popular open source database software, and lots of organizations like eBay and Uber use it for ingesting large amounts of user activity logs from their platform activity to search for anomalies, analyze user behaviors, and train machine learning models over massive data sets. 

In this public and unauthenticated database was over a million lines of log streams containing:

  • Chat history
  • Secret keys
  • Backend details
  • And other highly sensitive information

There were several tables, and according to Wiz, the log stream table was the most interesting. Their approach was as follows:

Wiz performed active and passive DNS enumeration to find subdomains, then queried for open ports other than the standard web ports 80 and 443. Two open ports caught their eye: 8123 and 9000. The host on port 8123 turned out to be the HTTP interface for ClickHouse. Running the SHOW TABLES command listed a log_stream table; select * from log_stream then returned raw logs from many DeepSeek services, including:

  • Their API backend
  • Chat backend that had chat logs
  • Platform backend
  • Usage checker
  • And probably more, but they don’t list them

Within these logs were columns such as:

  • Timestamp: the timestamp of the log; they found logs dating back to January 6, 2025
  • span_name: referenced internal DeepSeek API endpoints
  • _service: indicated which DeepSeek service generated the log
  • strings.values: plaintext logs with chat history, API keys, backend details, and operational metadata
  • _source: exposed the origin of the log requests, and also contained chat history, API keys, directory structure, and chatbot metadata logs
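The exposure described above comes down to a ClickHouse instance whose HTTP interface (port 8123) answered queries without authentication. As an added example (not from Wiz, DeepSeek, or this post), the following Python script audits a ClickHouse users.xml for the two conditions that make that possible, a user with no credential and a network rule admitting every address, and contrasts a weak configuration with a corrected one; the hash, subnet, and profile values are placeholders.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Two constructed users.xml fragments in ClickHouse's user-configuration
# layout. WEAK mirrors a stock "default" user: empty password, reachable from
# any address. HARDENED is the corrected form. The hash, the subnet and the
# profile name are placeholders, not values from any real deployment.
WEAK_USERS_XML = """<clickhouse>
  <users>
    <default>
      <password></password>
      <networks><ip>::/0</ip></networks>
      <profile>default</profile>
    </default>
  </users>
</clickhouse>"""

HARDENED_USERS_XML = """<clickhouse>
  <users>
    <default>
      <password_sha256_hex>PLACEHOLDER_SHA256_OF_A_STRONG_PASSWORD</password_sha256_hex>
      <networks><ip>10.20.0.0/16</ip><ip>::1</ip></networks>
      <profile>readonly</profile>
    </default>
  </users>
</clickhouse>"""

# Element names ClickHouse accepts for a credential inside a <users> entry.
CREDENTIAL_TAGS = ("password", "password_sha256_hex", "password_double_sha1_hex")


def is_catch_all(ip_text):
    """True for a prefix that admits every address (::/0, 0.0.0.0/0)."""
    try:
        return ipaddress.ip_network(ip_text.strip(), strict=False).prefixlen == 0
    except ValueError:
        return False


def audit_users_xml(xml_text):
    """Return (user, finding) pairs for users that would be reachable without
    a credential or from the whole internet. Only <ip> rules are evaluated;
    <host>/<host_regexp> rules are flagged for manual review."""
    findings = []
    root = ET.fromstring(xml_text)
    users = root.find("users")
    if users is None:
        return [("-", "no <users> section found")]
    for user in users:
        name = user.tag
        has_credential = any(
            (user.findtext(tag) or "").strip() for tag in CREDENTIAL_TAGS
        )
        if not has_credential:
            findings.append((name, "no password configured (empty or missing credential)"))
        networks = user.find("networks")
        if networks is None:
            findings.append((name, "no <networks> restriction declared; verify server default"))
            continue
        for rule in networks:
            if rule.tag == "ip" and is_catch_all(rule.text or ""):
                findings.append((name, f"reachable from any address ({rule.text.strip()})"))
            elif rule.tag != "ip":
                findings.append((name, f"<{rule.tag}> rule needs manual review: {rule.text}"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_USERS_XML), ("hardened", HARDENED_USERS_XML)):
        print(label, audit_users_xml(cfg) or "no findings")
```

Restricting <networks> in users.xml complements, rather than replaces, binding listen_host in config.xml to internal addresses and firewalling ports 8123 and 9000.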

ITRC 2024 Breach Report Findings

The ITRC (Identity Theft Resource Center) has published the 2024 Breach Report, listing the top 5 compromises by victim count; for these breaches, notifications were sent to the victims:

1. Ticketmaster Entertainment, LLC (560 million victim notices)
2. Advance Auto Parts, Inc. (380 million notices)
3. Change Healthcare (190 million notices)
4. DemandScience by Pure Incubation (121.8 million notices)
5. AT&T (110 million victim notices)

Something to note: three of these five breaches come from one campaign targeting Snowflake accounts that did not have two-factor authentication configured. (This is not Snowflake’s fault, as its customers are responsible for their own authentication settings.)

The Snowflake leak impacted over 160 companies, three of these evidently being some of the largest data breaches of the year, so that’s a wild scale.

Leaky Weekly and Flare Academy

Leaky Weekly is brought to you by Flare, the world’s easiest to use and most comprehensive cybercrime database that integrates into your security program in 30 minutes.

Flare now offers Flare Academy, which can elevate your cybersecurity career. Our (free!) training series is led by experts and covers critical topics such as threat intelligence, operational security, and advanced investigation techniques. You can also earn CPE credits toward your cybersecurity certifications.

Join the Flare Academy Community Discord to keep up with upcoming training, check out previous training resources, chat with cybersecurity professionals (including Nick!), and more.

The Underground’s Favorite Messenger: Telegram’s Reign Continues
https://flare.io/learn/resources/blog/the-undergrounds-favorite-messenger-telegrams-reign-continues/
Thu, 27 Feb 2025 11:45:02 +0000

The data and visualizations presented on this webpage are based on information collected from January 2024 to January 2025. These graphs are static and do not reflect real-time updates or recent developments. Any trends, insights, or conclusions should be interpreted with this timeframe in mind.

Executive Summary

  • Telegram remains the dominant messaging platform in the cybercriminal underground, despite recent events and concerns about security.
  • Increased cooperation between Telegram and law enforcement has prompted discussions about alternative platforms, with Signal showing the most significant growth.
  • Other messaging apps like Discord, TOX, Matrix, and Session play niche roles, often tied to specific cybercriminal activities or communities.
  • Many threat actors use multiple messaging apps to ensure accessibility and redundancy in their communications.
  • Flare’s data lake analysis shows a correlation between messaging app choice and cybercriminal user types; for example, Discord is often used by low-level or young threat actors, while TOX is favored by OPSEC-focused and ransomware cybercriminals.
  • The collection of contacts shared by threat actors on cybercriminal communities allowed Flare to automatically identify other handles that they may use on different forums by correlating the contacts.
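The contact-correlation idea in the last bullet (and the TOX-ID search mentioned at the end of the Black Basta post above) can be implemented as follows; this is an added Python example, not Flare’s own pipeline. All handles and contacts are invented, and the hub threshold is an assumed heuristic for contacts (escrow bots, support accounts) that many unrelated actors list and that therefore must not count as evidence of a shared owner.

```python
from collections import defaultdict

# Constructed records: (community, handle, [(app, contact_id), ...]).
# Every handle and contact below is invented; only the forum names come from
# the post. "@escrow_bot" plays a hub contact that several unrelated actors
# list, and the correlation must not link them because of it.
RECORDS = [
    ("xss", "vendor_a", [("telegram", "@Vendor_A_tg"), ("tox", "abc123tox")]),
    ("exploit", "vndr-a", [("tox", "ABC123TOX"), ("jabber", "va@jabber.invalid")]),
    ("ramp", "va_ramp", [("jabber", "VA@jabber.invalid")]),
    ("breachforums", "ghost", [("telegram", "@ghost_tg"), ("telegram", "@escrow_bot")]),
    ("xss", "loader_seller", [("telegram", "@escrow_bot"), ("session", "05aabbcc")]),
    ("exploit", "crypt0r", [("telegram", "@escrow_bot")]),
]

# A contact listed by at least this many distinct handles is treated as a
# hub (shared service), not as a personal contact. Assumed value.
HUB_THRESHOLD = 3


def normalize(app, contact):
    """Canonical form so the same contact written differently still matches."""
    c = contact.strip()
    if app == "telegram":
        c = c.lstrip("@").lower()   # @Name, name and NAME are one account
    elif app == "tox":
        c = c.upper()               # Tox IDs are hex; case is cosmetic
    else:
        c = c.lower()
    return (app, c)


class DisjointSet:
    """Union-find over (community, handle) nodes."""

    def __init__(self):
        self.parent = {}

    def add(self, x):
        self.parent.setdefault(x, x)

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def correlate_handles(records, hub_threshold=HUB_THRESHOLD):
    """Group (community, handle) pairs that share a non-hub contact.
    Returns (clusters, hubs): clusters as sorted lists, largest first, and
    hubs as the set of contacts skipped for being listed too widely."""
    owners = defaultdict(set)   # normalized contact -> handles listing it
    ds = DisjointSet()
    for community, handle, contacts in records:
        node = (community, handle)
        ds.add(node)
        for app, cid in contacts:
            owners[normalize(app, cid)].add(node)
    hubs = {c for c, nodes in owners.items() if len(nodes) >= hub_threshold}
    for contact, nodes in owners.items():
        if contact in hubs:
            continue
        first, *rest = sorted(nodes)
        for other in rest:
            ds.union(first, other)
    groups = defaultdict(list)
    for node in ds.parent:
        groups[ds.find(node)].append(node)
    clusters = sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))
    return clusters, hubs


def handles_linked_to(records, community, handle):
    """Other (community, handle) pairs correlated with the given one."""
    clusters, _ = correlate_handles(records)
    for cluster in clusters:
        if (community, handle) in cluster:
            return [n for n in cluster if n != (community, handle)]
    return []


if __name__ == "__main__":
    clusters, hubs = correlate_handles(RECORDS)
    print("hub contacts ignored:", sorted(hubs))
    for c in clusters:
        print(c)
```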

Communicating in the Cybercriminal Underground - A Key Necessity for Threat Actors

Engaging in illegal activities within the cybercriminal ecosystem while maintaining anonymity and operational security presents a significant challenge for threat actors. Regardless of their level of technical expertise or the nature of their actions, one of malicious actors’ primary concerns is securing communications to avoid deanonymization and prevent becoming targets of rival groups or law enforcement.

At the same time, being easily reachable is equally important, as cybercriminals must maintain efficient and reliable channels to coordinate operations, recruit new members, and conduct illicit transactions. As a result, the balance between security and accessibility varies depending on the type of activity and the threat actor’s level of OPSEC awareness, with some prioritizing ease of communication for quick coordination while others emphasize stricter security measures to minimize exposure.

Given these challenges, cybercriminals often resort to exchanging sensitive information outside of forums, relying on messaging platforms such as Telegram, Discord, Signal, Tox, Jabber, Matrix, or Session to evade forum administrators’ surveillance or mitigate the fallout of potential database leaks [1].

For several years, Telegram has not only served as a communication tool widely praised by threat actors but has also evolved into a cybercriminal ecosystem of its own, emerging as a serious alternative to traditional cybercriminal forums. Telegram is free, valued for its user-friendly interface, API, bot deployment capabilities, support of up to 200,000 members in a group, and the possibility to share files up to 4GB in size. Nevertheless, concerns persist regarding its security. The platform does not enforce automatic encryption for all communications, and its encryption mechanism remains opaque, lacking independent expert review [2]. The rumors about the presence of its key developers in Russia have also raised alarms among the most security-conscious members of the cybercriminal community.

Eventually, the arrest of Telegram’s CEO and founder, Pavel Durov, in France on August 25, 2024 [3], followed by the platform’s announcement of increased cooperation with law enforcement on September 23, 2024 [4] – along with the practical enforcement of this policy through the disclosure of cybercriminals’ IP addresses and phone numbers in January 2025 [5] – has sparked concern within the cybercriminal ecosystem (see Figure 1). Some threat actors started to discuss the idea of no longer using this platform, or at least improving their OPSEC (see Figure 2).

Figure 1: Mentions of the arrest of Pavel Durov on major cybercriminal forums and Telegram channels between August and October 2024 (daily results). Source: Flare.io.

Figure 2: In October 2024, threat actors on the XSS forum voiced concerns about Telegram’s new cooperation policy with law enforcement and speculated about which messaging platform might replace it. Machine translated.

However, old habits die hard. The transition away from a tool that is convenient, well-integrated into existing workflows, and broadly used within the cybercriminal ecosystem is not straightforward. Telegram is far from the first messaging service to face turbulence in this sphere, yet history shows that such disruptions did not lead to an immediate or complete shift away from an established platform.

Indeed, in May 2023 a small tremor shook the Russian-language cybercriminal forum XSS, when the threat actor “nightly” announced that he was selling a remote code execution vulnerability and an exploit affecting the qTOX 1.17.6 messenger for 20 Bitcoins (around $550,000 at the moment of the offer). The threat actor shared a proof-of-concept video (see Figure 3) in which he claimed to be able to retrieve a user’s IP upon acceptance of a new contact [6]. The vulnerability was allegedly sold in less than a day and caused many fears among qTOX users on XSS – predominantly malicious actors involved in ransomware activities. The alleged sale of this exploit deeply worried the Russian-speaking cybercriminal community and even pushed the administrator of XSS to abandon qTOX as an official communication tool.

Figure 3: Demonstration of the RCE allegedly affecting qTOX, advertised by “nightly” on XSS in May 2023.

Both of these cases have sparked heated discussions about the right communication tool in the cybercriminal ecosystem (see Figure 4). However, several months later, it appears that things have not changed much; qTOX continues to be a niche messenger popular among a minority of threat actors and was recently updated [7], while Telegram seemingly continues to dominate as the preferred platform for cybercriminals, especially those involved in infostealer operations, carding, refund fraud, and hacktivism.

Figure 4: A threat actor asks BreachForums’ community in November 2024 about their preferred messaging app and highlights the advantages and disadvantages of each platform.

    Given the significant developments affecting Telegram in 2024, we sought to examine the current state of cybercriminal communications. By analyzing Flare’s data lake, we aim to address the following questions:

    • Have threat actors migrated en masse to alternative platforms since August 2024?
    • Does the nature of a cybercriminal’s activity influence their choice of messaging platform?

    In the following sections, we will explore these questions in depth, supported by data-driven insights.

    I. Analysis of the Popularity of Messengers of the Underground: Making Sense of Raw Data

    To answer the aforementioned questions, we used Flare’s robust dataset. Flare has an extensive data lake of sources (i.e., markets, forums, Telegram channels) focused on cybercriminal activities such as data leaks, initial access, malware, infostealers, carding, fraud, ransomware and, marginally, drugs. We use a subset of data consisting of one year (2024) of activity. These details are important because the data lake from which you pull information can heavily influence the output, and we wanted to be as transparent as possible with our readers by explaining what our bias is.

    Let’s start by adopting a funnel approach, first looking at the raw data, then refining and analyzing it. In 2024, Flare observed that over 80 million IDs and links to six different messaging apps were shared by individuals active on cybercriminal forums and Telegram channels (see Figures 5 and 6). While this number may seem impressive, it does not accurately reflect the reality of the cybercriminal ecosystem or the popularity of a messaging application. It is, for instance, quite natural that Telegram links are predominant on Telegram itself, as they constitute links between different channels and groups on this platform. Moreover, this data contains many duplicates (i.e., links or IDs shared multiple times by the same or different threat actors).

    Figure 5: This is a precise yet conservative estimate of the number of published links/IDs for various messaging apps on cybercrime forums in 2024, meaning the actual number could be slightly higher. Source: Flare.io
    Figure 6: Pavel Durov was arrested on the 25th of August 2024, Telegram announced that it will increase cooperation with law enforcement on the 23rd of September 2024. No substantial impact can be observed. Source: Flare.io

    For instance, in 2024, 10 threat actors in Flare’s data were responsible for the vast majority of published Discord links (see Figure 7). Removing these top 10 actors from the dataset caused the number of shared Discord invite links in our database to drop from 2.8 million to just 91,000 over the past year. Moreover, numerous duplicates were present among these links. Interestingly, the vast majority of Discord links were published on Telegram, highlighting a clear interest in this messaging app among Telegram users.

    Figure 7: Example of threat actors publishing several thousand messages with Discord links on cybercrime Telegram channels and forums in 2024. Source: Flare.io

    II. Telegram Reign Continues: More Than a Messenger - The Social Network of Cybercrime

    To better assess the popularity of messaging apps, let’s refine the data by focusing only on unique links and messenger IDs shared on cybercrime forums. As shown in Figure 8 below, the number of unique links and Telegram usernames published on cybercrime forums in 2024 is incomparably higher than that of any other messaging app. Far behind, the second and third most popular apps, Discord and Session, have seemingly not benefited from Telegram’s setbacks or the concerns raised by its increased cooperation with law enforcement. As of January 2025, Telegram still reigns supreme, and its usage in the cybercriminal community has not substantially dropped.

    As the interactive Figure 8 shows when only Signal is selected, this messenger seems to be the only one that has gained traction following Pavel Durov’s arrest and Telegram’s policy changes. The rise in newly shared Signal invite links between September and December 2024 strongly suggests a correlation with the timing of these events. Nevertheless, the popularity of Signal remains marginal.

    Figure 8: Pavel Durov was arrested on the 25th of August 2024, Telegram announced that it will increase cooperation with law enforcement on the 23rd of September 2024. No substantial impact of these events can be observed except for Signal. Source: Flare.io

    III. Correlation Between the Type of Threat Actor’s Activity and Choice of Messaging App

    To answer our second question, regarding the influence of threat actors’ cybercriminal activities on their choice of a specific messaging app, Flare observed on which forums the majority of messaging app links and IDs were published and what the nature of the criminal activity of the threat actors publishing them was.

    • Discord invite links were primarily found on forums like Nulled and Cracked – both recently seized by law enforcement [8] – as well as VeryLeaks and DemonForums. They were mostly published by younger individuals who are often present in gaming-focused communities and sometimes involved in low-level cybercrime.
    • Matrix/Element IDs were mainly found on drug-focused forums like RuTOR, RCclub and BigBro, and marginally on the fraud-focused Russian-language forum Probiv. In Flare’s data lake, Matrix and Element were predominantly used by threat actors buying and selling drugs or those involved in fraud schemes.
    • TOX and Jabber IDs were predominantly shared on the XSS, CrdPro, BreachForums and Exploit forums by cybercriminals often involved in the sale of corporate accesses, ransomware or corporate databases (see an example in Figure 9).

    Figure 9: A threat actor announced on XSS in December 2024 that he is selling access to an American real-estate company with $25 million in revenue. TOX IDs are almost the only contacts left by initial access brokers in Russian-speaking communities. Machine translated from Russian.

    It is important to note that a substantial number of threat actors use multiple messaging apps simultaneously (see Figure 10). This is especially true for those offering services to other cybercriminals. Maintaining easy accessibility is essential for any commercial activity; therefore, threat actors selling services such as cryptocurrency exchange and money laundering, hosting, malware obfuscation or development often provide multiple communication channels. The interactive Figure 11 below highlights this reality and allows you to explore the different combinations of messenger links and IDs found in a single forum post in 2024. Telegram combined with other messaging apps remains the most popular combination of all, highlighting once more the resilience of this communication tool.

    Figure 10: A threat actor advertising a cryptocurrency exchange and cashout service on Exploit can be contacted on Telegram, TOX, or Jabber.
    Figure 11: Source: Flare.io
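    The funnel described in Sections I to III (raw mention counts, de-duplication into unique handles, the effect of removing the most prolific posters, and the per-post platform combinations behind Figure 11) can be reproduced over one's own collection. The following is an added example, not Flare's code: it assumes posts are dicts with author, source and text fields, matches only identifier formats recognisable by pattern (t.me links and @usernames, discord.gg invites, 76-hex Tox IDs, 66-hex Session IDs and signal.group links), and uses constructed sample posts and made-up hex IDs.

```python
"""Messenger-handle census over cybercrime-forum posts.

Added example, not Flare's code. Implements the funnel from the article:
raw mention counts, unique handles per platform, the effect of dropping the
most prolific posters, and the platform combinations found in a single post.
Only identifier formats recognisable by pattern are matched; Jabber/XMPP and
Matrix IDs are left out because they look like ordinary e-mail addresses.
"""
import re
from collections import Counter
from typing import Dict, List, Set, Tuple

# One capturing group per pattern, so re.findall() returns the bare handle.
PATTERNS = {
    "telegram": re.compile(r"(?:\bt\.me/|(?<![\w.])@)([A-Za-z][A-Za-z0-9_]{4,31})\b"),
    "discord": re.compile(r"\bdiscord(?:\.gg|\.com/invite)/([A-Za-z0-9-]{2,32})\b"),
    "tox": re.compile(r"\b([0-9A-Fa-f]{76})\b"),          # Tox ID: 76 hex chars
    "session": re.compile(r"\b(05[0-9A-Fa-f]{64})\b"),    # Session ID: 66 hex, 05 prefix
    "signal": re.compile(r"\bsignal\.group/#([A-Za-z0-9_-]+)"),
}
# Telegram usernames are case-insensitive and hex IDs can be written either way;
# Discord invite codes are case-sensitive and kept verbatim.
CASE_INSENSITIVE = {"telegram", "tox", "session"}

# Constructed sample posts (not real forum data); the hex IDs are made up.
TOX_A = "A1B2C3D4E5F6" * 6 + "0123"
TOX_B = "FEDCBA987654" * 6 + "3210"
SESSION_A = "05" + "ab12cd34" * 8
SAMPLE_POSTS = [
    {"author": "spammer1", "source": "telegram",
     "text": "Join our server discord.gg/abc123 discord.gg/abc123 discord.gg/xyz789"},
    {"author": "spammer1", "source": "telegram",   # verbatim repost
     "text": "Join our server discord.gg/abc123 discord.gg/abc123 discord.gg/xyz789"},
    {"author": "iab_seller", "source": "xss",
     "text": f"Access to US real-estate company. Contact TOX: {TOX_A}"},
    {"author": "exchanger", "source": "exploit",
     "text": f"Crypto exchange and cashout. TG @CashFlow_Ex, tox {TOX_B}, jabber ex@xmpp.jp"},
    {"author": "drug_vendor", "source": "rutor", "text": f"Session only: {SESSION_A}"},
    {"author": "dev", "source": "breachforums",
     "text": "Obfuscation service: signal.group/#CjQKIExample or t.me/cashflow_ex"},
    {"author": "scraper", "source": "telegram", "text": "forwarded from t.me/cashflow_ex"},
]


def extract_handles(text: str) -> Dict[str, Set[str]]:
    """Return {platform: {normalised handles}} for every platform found in text."""
    found: Dict[str, Set[str]] = {}
    for platform, pattern in PATTERNS.items():
        handles = set(pattern.findall(text))
        if platform in CASE_INSENSITIVE:
            handles = {h.lower() for h in handles}
        if handles:
            found[platform] = handles
    return found


def raw_mentions(posts: List[dict]) -> Counter:
    """Funnel stage 1: every occurrence counts, reposts and duplicates included."""
    counts: Counter = Counter()
    for post in posts:
        for platform, pattern in PATTERNS.items():
            counts[platform] += len(pattern.findall(post["text"]))
    return counts


def unique_handles(posts: List[dict], exclude_authors=frozenset()) -> Dict[str, int]:
    """Funnel stage 2: distinct handles per platform, optionally ignoring some authors."""
    seen: Dict[str, Set[str]] = {}
    for post in posts:
        if post["author"] in exclude_authors:
            continue
        for platform, handles in extract_handles(post["text"]).items():
            seen.setdefault(platform, set()).update(handles)
    return {platform: len(handles) for platform, handles in seen.items()}


def top_posters(posts: List[dict], platform: str, n: int) -> List[Tuple[str, int]]:
    """Authors with the most posts mentioning `platform`, most prolific first."""
    per_author = Counter(
        post["author"] for post in posts if platform in extract_handles(post["text"])
    )
    return per_author.most_common(n)


def platform_combinations(posts: List[dict]) -> Counter:
    """Which sets of platforms co-occur in one post (the view behind Figure 11)."""
    combos: Counter = Counter()
    for post in posts:
        platforms = tuple(sorted(extract_handles(post["text"])))
        if platforms:
            combos[platforms] += 1
    return combos


if __name__ == "__main__":
    print("raw mentions:", dict(raw_mentions(SAMPLE_POSTS)))
    print("unique handles:", unique_handles(SAMPLE_POSTS))
    spammers = {author for author, _ in top_posters(SAMPLE_POSTS, "discord", 1)}
    print("unique handles without top Discord poster:", unique_handles(SAMPLE_POSTS, spammers))
    print("platform combinations per post:", dict(platform_combinations(SAMPLE_POSTS)))
```

    On the sample, six raw Discord mentions collapse to two unique invites, and both vanish once the single prolific poster is excluded, mirroring the 2.8 million to 91,000 drop described in Section I.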

    Final Thoughts and Potential Future Research

    The collection of this data has also allowed us to identify links between different messenger IDs and correlate them. As shown in Figures 12 and 13, it is possible to determine which threat actor uses which messaging app. The next step will be to include usernames, making it easier to study malicious actors and automate the discovery of their handles and communication channels, but that’s a story for another time. ;)

    Figure 12: Example of clusters of collected messenger links and IDs. Source: Flare.io
    Figure 13: Example of a cluster of messenger IDs belonging to the same threat actor but found on different posts on forums and Telegram channels.

    Dig Further into Cybercrime with Flare Academy

    Interested in following more cybercrime research? Check out Flare Academy’s training sessions, which are led by cybersecurity researchers. Check out the upcoming sessions here.

    We also offer the Flare Academy Discord Community, where you can connect with peers and access training resources from the Flare Academy training.

    Can’t wait to see you there!

    Sources

    [1] Abrams, Lawrence. “BreachForums v1 Database Leak Is an OPSEC Test for Hackers.” BleepingComputer, July 24, 2024. https://www.bleepingcomputer.com/news/security/breachforums-v1-database-leak-is-an-opsec-test-for-hackers/.

    [2] Green, Matthew. “Is Telegram Really an Encrypted Messaging App?” A Few Thoughts on Cryptographic Engineering (blog), August 25, 2024. https://blog.cryptographyengineering.com/2024/08/25/telegram-is-not-really-an-encrypted-messaging-app/.

    [3] Melander, Ingrid, and Guy Faulconbridge. “Telegram Messaging App CEO Durov Arrested in France.” Reuters, August 25, 2024, sec. Europe. https://www.reuters.com/world/europe/telegram-messaging-app-ceo-pavel-durov-arrested-france-tf1-tv-says-2024-08-24/.

    [4] Gatlan, Sergiu. “Telegram Now Shares Users’ IP and Phone Number on Legal Requests.” BleepingComputer, September 23, 2024. https://www.bleepingcomputer.com/news/security/telegram-now-shares-users-ip-and-phone-number-on-legal-requests/.

    [5] Toulas, Bill. “Telegram Hands over Data on Thousands of Users to US Law Enforcement.” BleepingComputer, January 7, 2025. https://www.bleepingcomputer.com/news/legal/telegram-hands-over-data-on-thousands-of-users-to-us-law-enforcement/.

    [6] XSS.is (ex DaMaGeLaB). “Tox 1.17.6 / RCE,” May 25, 2023. https://xss.is/threads/88898/.

    [7] TokTok/qTox. “Release v1.18.0.” GitHub, January 1, 2025. https://github.com/TokTok/qTox/releases/tag/v1.18.0.

    [8] Gatlan, Sergiu. “Police Seizes Cracked and Nulled Hacking Forum Servers, Arrests Suspects.” BleepingComputer, January 30, 2025. https://www.bleepingcomputer.com/news/security/police-seizes-cracked-and-nulled-hacking-forum-servers-arrests-suspects/.

    The post The Underground’s Favorite Messenger: Telegram’s Reign Continues appeared first on Flare | Cyber Threat Intel | Digital Risk Protection.

    5 Questions On OPSEC Fundamentals https://flare.io/learn/resources/blog/5-questions-on-opsec-fundamentals/ Wed, 26 Feb 2025 20:00:04 +0000

    Surveillance is everywhere and ingrained in our society. While privacy is a human right, we live in an era of Operational Security (OPSEC) and privacy fatigue. The technologies we use every day collect more and more information, making many people feel hopeless about having control over their information. From painful opt-out processes to the integration of artificial intelligence (AI) that can be used to collect keystrokes, people can feel overwhelmed when they try to protect their information.

    In an attempt to protect data, many of us take steps like using proxy servers, virtual private networks (VPNs), or hardening our devices. Unfortunately, even taking these precautions may not be enough. A proxy server may not be better than a VPN if you don’t know who owns it. A VPN can have a vulnerability that compromises your ability to protect yourself, so you need to stay aware and, possibly, shift tooling over time. Hardening your own devices may only protect you. Even if you opt out from having your data collected, most companies remove what they collected rather than altering their data collection strategies.

    None of these precautions are guaranteed to work. The current environment cultivates this sense of no longer controlling your own information. However, the people who care about data protection need to keep on fighting and educating others because we do have control when we take the necessary steps. 

    1. What are some ways to stay anonymous online?

    No single bulletproof tool exists to help you stay anonymous online. Downloading a privacy-focused browser can help, but when someone else owns your entry or exit nodes, privacy becomes more complicated. For example, many people think that The Onion Router (Tor) is the most anonymous browser to use since it routes internet traffic through multiple volunteer-run servers to mask people’s IP addresses. However, Tor traffic can be compromised at an exit node.

    While the Tor browser is known for its ability to anonymize traffic, you want to take a layered approach to privacy, which means choosing technologies that align with your threat profile, such as:

    • Browsers: Know how they collect and store data
    • Email apps: Decide whether you’re OK with the provider scanning your emails for artificial intelligence (AI) purposes
    • Operating system: Understand the malware, ransomware, and encryption capabilities
    • Domain Name System (DNS): Learn about a resolver’s capabilities for blocking or allowing websites and services

    2. What are some steps for protecting my Wi-Fi network from public discovery?

    Every Wi-Fi network has a service set identifier (SSID), a unique, assigned name. Whether you change this from random numbers to something personalized like “My Iron Throne,” an app like WiGLE can compromise your privacy. For example, WiGLE is an application that takes user-submitted observations to show the different wireless networks in a given geographic location.

    Tools like WiGLE only connect a Wi-Fi network’s name with a geographic location. However, if you use the same SSID across multiple locations, a unique SSID increases your risk of being tracked. A generic SSID like “home” is more anonymous than “My Iron Throne” precisely because it’s less creative: with all the different people who use “home” as an SSID, pinpointing you becomes more difficult since an app like WiGLE would show many networks with that name.

    You may be using a unique SSID for a specific reason, but you should be able to explain your “why.” If your reason is “a unique SSID is more secure,” you want to focus more on having a strong password. If you want to mitigate exposure to being tracked as you travel, then having a generic SSID is likely a better option. 

    3. How can I reduce risk from metadata stored in photos that I take?

    Most cameras – whether on a smartphone or a standalone camera – embed metadata in the photo files, including the longitude and latitude of where you took the picture. If you take photos and upload them to a social media site without removing this information, someone can find your exact location, which matters if you want to protect your physical security and privacy.

    The good news is that you can find apps that strip the metadata from the photos. One of the better apps I’ve found for metadata resistance is Session Messenger, a decentralized way to deliver messages. While Session is really good at stripping metadata to make sure that no one can use it against you to locate you, you should remember that metadata is a part of your data ecosystem. If you have a metadata leak, then someone can find you by tracking it or build a profile against you. 
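    To make the metadata risk in Q3 concrete, the following added example (not from the post) parses a JPEG's marker segments with the standard library, reports whether the Exif APP1 segment carries a GPS sub-IFD pointer, and returns a copy with the Exif and XMP segments removed. The sample JPEG is built by hand for the demonstration and is not a decodable photo.

```python
"""Detect and strip Exif/XMP metadata from a JPEG with the standard library.

Added example, not from the post. A JPEG is a sequence of marker segments;
Exif (and with it the GPS sub-IFD holding latitude/longitude) lives in an APP1
segment ahead of the image data (SOS). Dropping that segment, plus any XMP APP1
segment, removes the location metadata discussed in Q3 without touching pixels.
The sample JPEG below is constructed by hand and is not a decodable photo.
"""
import struct
from typing import Iterator, Tuple, Union

SOI, EOI, SOS, APP0, APP1 = 0xD8, 0xD9, 0xDA, 0xE0, 0xE1
EXIF_HEADER = b"Exif\x00\x00"
XMP_HEADER = b"http://ns.adobe.com/xap/1.0/\x00"
GPS_IFD_TAG = 0x8825  # GPSInfoIFDPointer entry in IFD0


def _segment(marker: int, payload: bytes) -> bytes:
    """Encode one marker segment: 0xFF, marker, 2-byte big-endian length, payload."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def iter_segments(data: bytes) -> Iterator[Tuple[Union[int, str], bytes]]:
    """Yield (marker, payload) per header segment, then ("scan", rest) at SOS/EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker in (SOS, EOI):
            # Entropy-coded image data follows SOS; it is copied verbatim.
            yield "scan", data[pos:]
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length
    raise ValueError("truncated JPEG: no SOS or EOI marker")


def exif_has_gps(payload: bytes) -> bool:
    """True if an Exif APP1 payload's IFD0 contains a GPS sub-IFD pointer."""
    tiff = payload[len(EXIF_HEADER):]
    if tiff[:4] == b"II*\x00":
        endian = "<"
    elif tiff[:4] == b"MM\x00*":
        endian = ">"
    else:
        return False
    ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
    count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
    for i in range(count):
        entry = ifd0 + 2 + 12 * i  # each IFD entry is 12 bytes
        tag = struct.unpack(endian + "H", tiff[entry:entry + 2])[0]
        if tag == GPS_IFD_TAG:
            return True
    return False


def has_location_metadata(data: bytes) -> bool:
    """Report whether any Exif segment in the file points at a GPS IFD."""
    for marker, payload in iter_segments(data):
        if marker == APP1 and payload.startswith(EXIF_HEADER) and exif_has_gps(payload):
            return True
    return False


def strip_metadata(data: bytes) -> bytes:
    """Return a copy of the JPEG with Exif and XMP APP1 segments removed."""
    out = bytearray(b"\xff\xd8")
    for marker, payload in iter_segments(data):
        if marker == "scan":
            out += payload
            break
        if marker == APP1 and (payload.startswith(EXIF_HEADER) or payload.startswith(XMP_HEADER)):
            continue  # drop the metadata segment, keep everything else
        out += _segment(marker, payload)
    return bytes(out)


def build_sample_jpeg(with_gps: bool) -> bytes:
    """Constructed minimal JPEG: JFIF APP0, optional Exif APP1 with GPS pointer, SOS, EOI."""
    jfif = _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    # Little-endian TIFF header; IFD0 at offset 8 holds one entry (the GPS pointer,
    # type LONG, count 1) that points at an empty GPS IFD at offset 26.
    tiff = b"II*\x00" + struct.pack("<I", 8)
    tiff += struct.pack("<H", 1) + struct.pack("<HHII", GPS_IFD_TAG, 4, 1, 26) + struct.pack("<I", 0)
    tiff += struct.pack("<H", 0) + struct.pack("<I", 0)
    exif = _segment(APP1, EXIF_HEADER + tiff) if with_gps else b""
    # SOS header for one component, two bytes of fake entropy data, then EOI.
    scan = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\x34" + b"\xff\xd9"
    return b"\xff\xd8" + jfif + exif + scan
```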

    4. Should I use a proprietary or DIY solution for OPSEC?

    Choosing between a proprietary solution like Apple or Windows and a DIY approach relies on two things:

    • Your threat profile
    • Your technical capabilities

    For example, if you use Apple devices and install the Proton email application, you’re using proprietary solutions. These are easy to set up, but they can have negative OPSEC consequences. If a government agency asks for the data, the company could – and should by law – provide the information. Proton Mail uses end-to-end encryption, meaning that they never have unencrypted access to any of your information. While you can set this up quickly, you still have some risk from unencrypted information in iCloud or other Apple-owned storage locations.

    If you take a DIY approach, you have control over your data because you’re configuring and managing the technology. However, you now have to manage your own email server, which is a nightmare of its own. It is extremely complicated since you need to manage reputation and email delivery and make sure you back up everything. These challenges often mean that the privacy gain doesn’t justify the work and time it takes.

    5. What are the differences between enterprise and personal emails, like Gmail and Outlook?

    When we talk about enterprise and personal email applications, we really need to look at two different types of protections:

    • Protecting your information from the email provider, like Gmail using it for AI integrations
    • Protecting your information from the enterprise that owns a corporate email account

    Protecting from the Email Provider

    When you want to protect your information from an email provider, you need to start with the username. Usernames are a great way for someone to connect you to multiple accounts across different websites. For example, tools like Linkook can look up a username and all the different permutations of it to track all your accounts online. These types of tools mean that someone who starts connecting your username to different accounts could trace things back to personal information, like a seemingly anonymous Bluesky account connected with a LinkedIn account that has your name and general location. 

    Next, someone could hunt through passwords to figure out who you are. In this case, if you use the same password everywhere, which we don’t recommend, they can tie it back to a username and, ultimately, your identity. 

    You can reinforce good password hygiene by using a password manager, like Bitwarden, KeePass, or 1Password. If you’re evaluating different password managers to see which one fits best with your threat profile, you should be asking:

    • Are they using encryption?
    • What are they integrated into?

    While a complex password is one step, multi-factor authentication (MFA) is better. With MFA, the application sends you a challenge question to make sure you are who you say you are. Some options for MFA can be via:

    • Text message (SMS) 
    • One-time password (OTP), sent as an email or text
    • Authentication application, like Google Authenticator or Microsoft Authenticator, that provides a short-lived, single-use code to validate you

    While a lot of debate can happen around best MFA options, an OTP can be a more secure option if you know the email address you’re using hasn’t been compromised. While you can use a text message to receive an OTP, this is less secure since someone can spoof and trick the recipient more easily. 

    Flare Academy and OPSEC

    Want to know more about OPSEC? We covered this topic in our Flare Academy training: “Deep Privacy in the Age of the Panopticon: OPSEC Fundamentals.” Join the Flare Academy Discord Community for access to the training recording and slides.

    The Discord community is an educational hub designed to democratize cybersecurity knowledge with free, online training models led by subject matter experts.

    You can also check out our upcoming Flare Academy trainings and register for them here.

    Flare Academy is Here! https://flare.io/learn/resources/blog/flare-academy-is-here/ Wed, 29 Jan 2025 14:47:56 +0000

    We’re excited to share that we now offer Flare Academy, an educational hub with free interactive online training for cybersecurity professionals. 

    What is Flare Academy?

    Training

    Flare Academy offers online training modules, led by subject matter experts, on the latest cybersecurity threats for cybersecurity practitioners interested in furthering their education.

    These sessions cover various pressing cybersecurity topics including:

    • Investigation and intelligence gathering on cybercrime forums
    • Techniques for deanonymizing threat actors
    • Ransomware analysis and infiltration 

    And these are just the training sessions we have planned so far. Stay tuned for our future topics!

    Community

    The Flare Academy Discord community is an educational hub designed to democratize cybersecurity knowledge. Community members include security professionals and students who want to learn about staying ahead of evolving threats, and contribute to a safer digital world.

    Flare research team members provide cutting-edge resources and collaborative discussions so Discord members can learn from and with each other.

    What Can Security Practitioners Get Out of Flare Academy?

    Training

    There are a few areas of growth cyber practitioners can expect from Flare Academy:

    • Upgrade skills and knowledge on cybercrime and cybersecurity topics
    • Earn CPE credits toward security certifications

    Community

    Build relationships with other practitioners and students for continuous learning and engagement with the Flare Academy Discord Community

    How Can You Get Involved with Flare Academy?

    Training

    To register for upcoming training sessions, visit https://flare.io/trainings/.

    Community

    Check out the Flare Academy Discord Community for the recording and slides from the last workshops on Remote Desktop Protocol Interception with PyRDP and Deep Privacy in the Age of the Panopticon: OPSEC Fundamentals.

    Can’t wait to see you there!

    MOVEit Repackaged and Recycled https://flare.io/learn/resources/blog/moveit-repackaged-and-recycled/ Thu, 12 Dec 2024 16:30:12 +0000

    The largest repackage and re-post of an old leak

    In November 2024, a hacker known as “Nam3L3ss” allegedly released previously undisclosed data from the MOVEit breach of May 2023. This leak consisted of millions of records, including sensitive employee and big-brand corporate information, significantly escalating the breach’s impact. Digging into this story reveals that Nam3L3ss claims to be a hacktivist freeing information from many previous breaches, not just MOVEit.

    MOVEit History

    MOVEit is a managed file transfer software product from Ipswitch, Inc., now a subsidiary of Progress Software. MOVEit encrypts files and uses FTP (File Transfer Protocol) to transfer data. On May 31, 2023, Progress disclosed a pre-authentication SQL injection vulnerability in MOVEit Transfer and MOVEit Cloud, later assigned CVE-2023-34362. The vulnerability turned out to be a 0-day actively exploited in the wild.

    Attackers exploited this vulnerability on public-facing servers, allowing them to deploy a web shell called “LemurLoot,” disguised as legitimate ASP.NET files. This enabled the exfiltration of sensitive data from affected organizations.

    In May 2023, the ransomware group Cl0p exploited the 0-day vulnerability to gain access to MOVEit instances worldwide. Cl0p published a blog post about the breach, warning affected organizations that they had until June 14th to pay a ransom or risk having their data made public. Organizations disclosed in June 2023 included the Government of Nova Scotia, BBC, British Airways, and the United States Department of Energy amongst hundreds of others.

    Cl0p extorted victims over the course of June, July and August, posting batches of victims and leaking their data via BitTorrent. Then we didn’t hear from them.

    The Rise of Nam3L3ss

    Over a year later, Nam3L3ss claimed to have MOVEit-related data from prominent companies. These leaks had not previously been claimed by Cl0p and sparked theories as to the origin of the data. While the leaks appear new, they are, in fact, repackaged data from Cl0p’s breach. This is the largest repackaging of old information to ever happen.

    The repackaged data was extracted, for now, from four compromised companies’ files from the Cl0p MOVEit breach. Nam3L3ss strategically reorganized and repackaged data from companies impacted by the MOVEit breach, presenting it in a way that emphasized high-profile clients. For example, Company A, a contractor for Company B, had its compromised files containing a directory labeled “Company B.” Nam3L3ss extracted and leaked this directory separately, branding the leak as “Company B” to amplify its significance.

    This approach transformed a voluminous and unstructured leak into a targeted release, naming and organizing the leaks after the recognizable clients rather than the original contractors. This repackaging tactic, likely aimed at maximizing public attention, has the effect of increasing pressure on the implicated companies.

    Nam3L3ss is a hacktivist claiming to liberate data. He posted a manifesto on BreachForums and operates a blog at nam3l3ss.bearblog[.]dev. Here’s an excerpt from his blog:

    Data I post is NOT a secret, everything I post the Criminal already have it!
    It's only the Politicians, Government Agencies, and sorry to say the Public in general who have their heads buried in the sand about just how much information is floating around the internet on them, and extremely Personal information!
    I am tired of Governments allowing Companies to SELL data on people and Data Brokers with terrible security or protections on their data.
    Who really owns the Data on you? IS it YOUR data or do Companies OWN your private data and have a right to SELL it to anyone they desire?
    Think about that for a minute, Companies treat YOU and your information as something they OWN! It does NOT belong to you they say, so they are FREE to SELL your data to whoever they want whenever they want and YOU have NO SAY!

    Nam3L3ss insists he is not affiliated with Cl0p ransomware

    Although he insists otherwise (see the forum post screenshot below for details), we have so far confirmed that all of the repackaged breaches we looked at came from the MOVEit breach of 2023.

    Here is the list of breaches he allegedly possesses:

    • Cl0p: 16.9TB
    • Medusa: 10.3TB
    • Snatch: 8.8TB
    • Ragnar_Locker: 871.9GB
    • Qilin: 765.5GB
    • EXConfidential: 746.9GB
    • Marketo: 735.9GB
    • Revil-Sodinokibi-Happy[.]Blog: 569.2GB
    • Lockbit: 343.2GB
    • Nefilim: 314.6GB
    • CL0P-TA505: 281.8GB
    • Lorenz: 254.3GB
    • Suncrypt: 239.0GB
    • Avaddon: 200.5GB
    • EVEREST: 198.3GB
    • DARKSiDE: 148.2GB
    • 00[.]Resort: 133.4GB
    • Blackmatter: 124.3GB
    • Anonymous: 123.8GB
    • Conti-Ryuk: 112.2GB
    • Phineas[.]Fisher: 98.7GB
    • cdn.databases[.]today: 80.6GB
    • PlayNews: 74.6GB
    • Cuba: 70.6GB
    • Ragnar: 63.5GB
    • Babuk: 61.6GB
    • Mount[.]Locker: 60.4GB
    • ContiNews: 33.4GB
    • Vice[.]Society: 16.8GB
    • AtomSilo: 16.3GB
    • 5c4qycmxc2xk4t6p64xyz6f4z7: 14.7GB
    • Pysa: 14.3 GB
    • DoppelPaymer: 6.5GB
    • Lockbit2.0: 5.1GB
    • Lulzsec: 5.0GB
    • 0mega: 4.6GB
    • f[u]ck[.]delivery: 3.1 GB
    • atlaszppqsv6mu7[.]onion: 1.5GB
    • nuclearleaks[.]com: 1.1GB
    • RansomEXX: 1.1GB
    • AvosLocker: 718.7MB
    • Grief: 601.0MB
    • [EXCONFIDENTIAL]: 594.1MB
    • Payload[.]bin: 405.5MB
    • nexeya[.]com: 89.1 MB

    Repackaging Enabled by Supply Chains

    These four entities were contractors for larger corporations, providing services that integrate into their operations. While a company may invest heavily in its own security infrastructure, its overall security posture is only as strong as its weakest link. Supply chain monitoring is not just a precaution but a necessity to mitigate the risk of security failures from third-party contractors and suppliers.

    Flare customers can access a TLP:Amber article in our research center covering the breach victims as disclosed by Nam3L3ss as of December 6th 2024. 

    We would like to thank Estelle Ruellan, Olivier Bilodeau, Tammy Harper, and Mathieu Lavoie for their help on this article.

    Dark Web Investigations and Flare

    The Flare Threat Exposure Management (TEM) solution empowers organizations to proactively detect, prioritize, and mitigate the types of exposures commonly exploited by threat actors. Our platform automatically scans the clear & dark web and prominent threat actor communities 24/7 to discover unknown events, prioritize risks, and deliver actionable intelligence you can use instantly to improve security.

    Flare integrates into your security program in 30 minutes and often replaces several SaaS and open source tools. Learn more by signing up for our free trial.

    Flare Raises $30M Series B Led by Base 10 Partners to Continue Growth in Security Intelligence and Threat Exposure Management Markets https://flare.io/learn/resources/blog/flare-raises-30m-series-b-led-by-base-10-partners-to-continue-growth-in-security-intelligence-and-threat-exposure-management-markets/ Wed, 11 Dec 2024 17:00:03 +0000

    Today, we at Flare announced our USD $30M Series B Round led by Base10 Partners with participation from Inovia Capital, White Star Capital, and Fonds de solidarité FTQ. 

    We have raised CAD $9.5M to this point, and plan for this fresh round of capital to accelerate our growth. We’ve seen consistent traction with triple digit year over year growth in both 2023 and 2024, and want to build upon this. We expect to increase investments in EU expansion while also continuing to further accelerate growth in North America and Europe more broadly to strengthen cybersecurity globally. 

    “What sets Flare apart is their superior data collection capabilities – providing us with actionable intelligence on attacker-used credentials and target systems that directly informs our testing,” said Kevin Johnson, CEO of Secure Ideas. “The platform integrates seamlessly into our business model, allowing us to deliver more realistic and valuable assessments to our clients. In an industry where staying ahead of threat actors is crucial, Flare’s comprehensive threat intelligence capabilities significantly outperform competing solutions.” 

    This Series B funding will be instrumental in solidifying our role as the leader in Security Intelligence and Threat Exposure Management for the enterprise and mid-market. 

    We’ve been focusing on leveraging the latest advancements in language models and advanced data science techniques to extract actionable insights out of one of the world’s most sophisticated cybercrime data sets. Security practitioners can be overwhelmed with the sheer volume of information to parse through, and we strive to empower them with pinpointed, useful intelligence to stay ahead of threat actors. 

    “Flare’s rapid growth and relentless drive for innovation make it a natural fit for us to partner with them,” said Jason Kong, Partner at Base10 Partners. “Norman and team have taken a unique approach to threat exposure management that raises the bar in cyber intelligence, empowering security teams to stay ahead in an increasingly complex landscape. Flare’s dedication to integrating advanced language models and data science to deliver meaningful, actionable insights aligns for cybersecurity perfectly with our mission to support founders who solve real-world problems for the many, not just the few.”

    We’re pretty proud of our Threat Flow module launch in August 2024, which is the security industry’s first transparent generative AI application that delivers timely, relevant, and trustworthy reports of threat actor activity on the dark web, enabling scaled research and reporting for security teams, validated with a 98% accuracy.

    Industry analyst and cybersecurity thought leader Richard Stiennon, former Gartner VP and current Chief Research Analyst at IT Harvest, spoke about the impact of our innovations: “With this investment round, Flare is well-positioned to enhance its exposure data collection capabilities and advance the application of generative AI in threat intelligence use cases.”

    About Flare

    Flare is the leader in Threat Exposure Management, helping organizations of all sizes detect high-risk exposure found on the clear and dark web. Combining the industry’s best cybercrime database with an incredibly intuitive user experience, Flare enables customers to reclaim the information advantage and get ahead of threat actors. For more information, visit https://flare.io.

    About Base10 Partners

    Founded by Adeyemi Ajao and TJ Nahigian, Base10 is a San Francisco-based venture capital fund investing in founders who believe purpose is key to profits and in companies that are automating sectors of the Real Economy. Through its program the Advancement Initiative, Base10 donates a portion of firm profits to underfunded colleges and universities to support financial aid and other key initiatives. Portfolio companies include Notion, Figma, Stripe, Wealthsimple, SecureFrame, Todyl, and Riot.

    Arrests, RedLine & META Infrastructure Takedown, and MOVEit Leaks
    https://flare.io/learn/resources/blog/arrests-redline-meta-infrastructure-takedown-and-moveit-leaks/
    Tue, 03 Dec 2024 17:57:12 +0000


    The cybercrime ecosystem has had a lot happening in the past few weeks, as always. We’ve got you covered. 

    Dive into the most pressing recent stories on data leaks, cybercrime, and the dark web with security researcher Nick Ascoli on the podcast Leaky Weekly.

    On this episode of Leaky Weekly, Nick covers:

    • USDoD arrest
    • Judische/Waifu (Connor Moucka) arrest
    • RedLine infrastructure takedown and arrest(s)
    • MOVEit leaks

    Tune in for current events on the Spotify or YouTube below (or Apple Podcasts episode here) or keep reading this article for the highlights:

    USDoD Arrest

    The very well-known hacktivist USDoD (no affiliation with the U.S. Department of Defense) has been arrested by Brazilian authorities following a long career of leaking stolen data from various victims. Most recently, he attempted to broker the sale of National Public Data’s massive database of personal records.

    Baptiste Robert, security researcher, along with another researcher, searched for breadcrumbs through Predicalab’s Predica Search tool that led them to USDoD’s identity.  

    1. USDoD’s Twitter account, “equationcorp,” has a quote from the 2024 movie The Beekeeper, “I protect the hive. When the system is out of balance, I correct it.”
    2. Searching this quote in the description of other social media profiles revealed an Instagram profile with the username “zerodaycorp” and name Luan Gonçalves, with an actual picture in the profile image.
    3. This Instagram profile link is embedded in a SoundCloud profile with the username “LGB91.” This also has another photo of USDoD that, when reverse image searched, points to a Medium account registered to “luanbgs22.”

    This and many other points of connection tie the same Luan Gonçalves to USDoD.

    USDoD claims Crowdstrike revealed his identity, and spoke about it in an interview with Hackread:

    “So congrats to Crowdstrike for doxing me, they are late for the party, intel421 Plus and a few other companies already doxed me even before the Infragard hack. I want to say thank you, it is time to admit I got defeated and I will retire my Jersey. Yes, this is Luan speaking. I won’t run, I’m in Brazil, the same city where I was born. I am a huge valuable target and maybe I will talk soon to whoever is in charge but everyone will know that behind USDoD I’m a human like everyone else, to be honest, I wanted this to happen, I can’t live with multiple lives and it is time to take responsibility for every action of mine and pay the price doesn’t matter how much it may cost me. This is not my end. Thank you, see you around. Don’t worry Brazilian authorities, I’m coming to meet you, I’m not a threat, in fact, I can do much for my country.”

    He was unmasked around August 23rd, and then was arrested a few weeks later on October 16th. 

    His message is interesting, and may imply that he would cooperate with law enforcement in the future. However, its interpretation is not completely clear at this time.

    Judische/Waifu (Connor Moucka) Arrest

    The threat actor Judische/Waifu, behind the campaign that used stolen credentials from stealer logs to target about 160 Snowflake tenants that didn’t have multifactor authentication, was arrested in Canada.

    The threat actor Judische, otherwise known as Connor Moucka, has claimed to have compromised various targets in the last year, including major banks, telecommunications companies, and more.

    Since Moucka was arrested on an extradition request by the United States, most news sources are guessing that he will eventually face trial in the U.S. According to the official indictment, there were co-conspirators:

    • John Binns was arrested in Turkey after the U.S. indicted him for hacking T-Mobile in 2021. He has been a threat actor for a while, and operated a very large botnet, but is now in a Turkish prison allegedly fighting to avoid extradition. 

    In a conversation with security researcher Brian Krebs, Moucka confessed that he believed law enforcement was coming after him and the co-conspirators. He also claimed to have made at least four million dollars from the Snowflake extortions.

    Mandiant stated that Moucka has proven to be one of the most “consequential threat actors of 2024,” and mentioned that “This particular case is significant because they’ve picked up one of the tiny minority that causes disproportionate harm.”

    Although many cybercrime forums have thousands of registered members, it’s typically the same small group of threat actors doing the majority of the posting.

    RedLine & META Infrastructure Takedown and Arrests

    Operation Magnus compromised the infrastructure used by the RedLine and META infostealers, which are two major infostealer variants. Shortly after taking down the infrastructure, authorities confirmed charges against the alleged administrator. 

    Here’s the takedown by the numbers:

    • Eurojust coordinated a takedown of three C2 servers located in the Netherlands
    • Eurojust took down two domains used by the operation
    • Belgian authorities arrested two suspects
    • The operation took down several Telegram channels used by the operation to communicate with affiliates, sell licenses, and support customers of both infostealer variants

    The first time this backend was publicly discussed was in a 2023 conference talk by Mathieu Lavoie, co-founder and CTO at Flare, and Alexandre Cote, a malware researcher at ESET. Their research analyzed the panels and the backends and found several strong similarities. The conclusion they drew was correct, as the law enforcement operation tied them all back to the same Russian threat actor and to the servers that were taken down.

    The operation’s website has a video that lists usernames that then pans to a graphic of handcuffed hands, with the voiceover stating, “we are looking forward to seeing you soon.” There will most likely be more updates on this operation in the near future. 

    MOVEit Leaks 

    The threat actor Nam3L3ss released massive data leaks on BreachForums.

    Quick refresher on MOVEit: around June of 2023, a popular file transfer software called MOVEit was the target of an exploit. This basically allowed unauthenticated access to the MOVEit product.

    MOVEit began to be associated with Nam3L3ss’s leaks because the threat actor started making leak posts mentioning MOVEit and Cl0p, a ransomware group, implying connections between them.

    Counter to the narrative around MOVEit and Cl0p, Nam3L3ss has been posting databases to BreachForums for free for a while. In April of this year, the threat actor posted a database leak for a particular company that later announced that they had been hacked. Nam3L3ss clarified that they didn’t hack them, but rather found those files in a SQL backup file sitting on an open AWS bucket, and linked to the bucket in their post. 

    Nam3L3ss has stated across several threads that they are not affiliated with any groups, and are not a hacker. They claim that they poke around on the internet, pull files from ransom leaks, look in open cloud storage locations, FTP servers, and exposed MongoDB servers, then clean up the data before posting to BreachForums. If this is true, then none of what they are posting is actually released for the first time.

    The list of leaks Nam3L3ss has posted is filled with high profile government and corporate names, and they claim they will continue posting them until the organizations start handling sensitive data more responsibly. 

    Nam3L3ss claims they have a lot more leaks to post, and as of the day of recording, they were actively posting. They have also mentioned they are avenging the security researcher Connor Goodwolf, who is in a public dispute with the city of Columbus, Ohio, after revealing that the city was the victim of a ransom leak (counter to the city’s narrative that the data was all encrypted and inaccessible).

    These are all developing stories that we covered very briefly, so check out cybersecurity news outlets to stay up-to-date. We couldn’t cover everything in the last few weeks or so, and we’ll look into new stories and developments next time.

    Leaky Weekly and Flare Academy

    Leaky Weekly is brought to you by Flare, the world’s easiest to use and most comprehensive cybercrime database that integrates into your security program in 30 minutes.

    Flare now offers Flare Academy, which can elevate your cybersecurity career. Our (free!) training series are led by experts that cover critical topics such as threat intelligence, operational security, and advanced investigation techniques. You can also earn CPE credits toward your cybersecurity certifications. 

    Join the Flare Academy Community Discord to keep up with upcoming training, check out previous training resources, chat with cybersecurity professionals (including Nick!), and more. 

    Infostealer Malware: An Introduction
    https://flare.io/learn/resources/blog/infostealer-malware/
    Wed, 13 Nov 2024 16:44:47 +0000


    Infostealer malware represents one of the most underrated threats to corporate and consumer information security today. These sophisticated remote access Trojans (RATs) silently infect computers and systematically exfiltrate massive amounts of sensitive information from the host to threat actors’ command and control (C2) infrastructure. Their primary targets include:

    • Browser-saved credentials
    • Session cookies
    • Browser fingerprints
    • Other sensitive system data

    Once the information has been exfiltrated, it takes the form of a “stealer log,” a single discrete set of information about a user that includes a snapshot of their browser and key details about their computer. Threat actors then distribute these (either as free samples or in exchange for cryptocurrency), principally across Telegram and Russian Market, where they are then used by other criminal actors to commit financial fraud, steal cryptocurrency, or in some cases breach major companies.

    This article will dive deep into infostealer malware and provide readers with a comprehensive picture of the entire infostealer ecosystem, from malware-as-a-service distributors designing new variants of infostealers to how cybercriminals use logs to gain access to key services.

    What’s in an Info(stealer) Log?

    Each infostealer log represents a single user’s stolen data. Different infostealer variants pull different types of data (and malware developers in some cases compete on which data the variant they maintain steals!). For example, one variant may pull clipboard data from the user while another variant may not. There is a constant tension – the more data stolen by the infostealer variant the more likely it is to be detected and stopped by Windows Defender or an anti-virus platform.

    An infostealer log with separate .txt files for different types of stolen data

    Here’s what’s in the infostealer log above:

    • Autofills: This folder contains stolen data related to autofill functionality from web browsers, including names, addresses, and payment details. If compromised, this data can be used for identity theft or fraudulent transactions.
    • Cookies: This folder holds browser cookies, which store session data and login credentials for websites. Stolen cookies could allow attackers to bypass authentication mechanisms and hijack active sessions, leading to account takeovers.
    • Discord: This folder might store session tokens or credentials related to the Discord platform. Compromising these tokens could give attackers access to the victim’s Discord account, enabling them to steal sensitive communications or impersonate the user.
    • DomainDetects.txt: This text file logs domains detected or visited by the victim. It could be useful for understanding the victim’s browsing behavior or identifying phishing targets.
    • FBFastCheck: This is actually an advertisement for another subscription service the channel owner offers which enables users to quickly sort through stealer logs to identify the type of credentials they are after. 
    • ImportantAutofills.txt: This file stores more critical autofill information such as sensitive entries like payment cards, billing addresses, or personally identifiable information (PII) from browser autofill data.
    • InstalledBrowsers.txt: A list of browsers installed on the victim’s system. 
    • InstalledSoftware.txt: Contains a list of all software installed on the victim’s machine. 
    • Passwords.txt: This file is critical, as it contains cleartext passwords harvested from the victim’s browser. 
    • ProcessList.txt: This file logs running processes on the victim’s machine at the time of the infostealer infection. 
    • UserInformation.txt: This file contains detailed information about the victim’s account or system, such as usernames, computer names, or operating system details. It also contains information about the infection date and build of the malware.

    Origins: The Infostealer Malware-as-a-Service Ecosystem

    The Infostealer MaaS Business Model

    Modern infostealers operate within a sophisticated Malware-as-a-Service (MaaS) ecosystem. Key characteristics include:

    • Distribution Channels:
      • Cybercrime forums
      • Telegram channels (including specialized channels for RAT developers)

    Telegram post of a RedLine stealer for sale

    Pricing Structure

    • Standard Variants:
      • Monthly subscription model
      • Price range: $100-1000 USD
      • Payments accepted in cryptocurrency
      • Includes C2 infrastructure hosting
    • Specialized Variants:
      • macOS stealers command premium pricing
      • Currently the only major variant targeting Apple ecosystems
      • Higher prices reflect limited competition in Mac malware space

    MaaS vendors fulfill a critical role in the ecosystem. Malware development is difficult and time-consuming and requires substantial expertise – particularly to get around modern AV/EDR systems. By having specialized infostealer developers maintaining their own code and selling it as a service, they can leverage the economic principle of role specialization while making a significant profit, particularly for developers that build popular variants such as Redline.

    Infostealer Distribution: Common Attack Patterns

    After acquiring an infostealer variant, cybercriminals employ various distribution methods to infect victim systems. While multiple approaches exist, the most prevalent involves embedding malware within purported “cracked” software downloads.

    Below is the typical attack flow:

    1. Initial Setup
      • Threat actor purchases an infostealer variant through Telegram channels
      • Package typically includes C2 infrastructure
      • Some variants come with detailed infection pipeline documentation
    2. Distribution Infrastructure
      • Creates landing pages using either paste-type sites, stolen websites, or sites hosted on bulletproof hosting
      • Uploads malicious payload to file-sharing platforms (e.g., Mega.nz)
      • Uses password protection to bypass antivirus scanning during download
    3. Traffic Generation
      • Acquires compromised Google Ads accounts
      • Purchases compromised YouTube accounts
      • Uses these platforms to advertise (real or fake) cracked software seeded with infostealer
    4. Data Exfiltration
      • Victims download and execute the malicious files
      • Infostealer harvests various data types:
        • Login credentials
        • Browser data
        • System information
      • Stolen data is transmitted to:
        • Dedicated C2 infrastructure
        • Telegram channels (in some configurations)

    While cracked software distribution is common, sophisticated threat actors may employ other techniques:

    • Targeted phishing campaigns
    • Watering hole attacks

    One particularly interesting campaign occurred in mid-2023 and targeted potential users of the AI platform Midjourney. This campaign leveraged several of the aforementioned features, with malicious Google Ads likely being run from compromised accounts.

    A user would search for Midjourney, and the first result was the now defunct “ai.mid-journye.org”, which was advertised using Google Ads. Clicking on the advertisement would bring the user to a custom-built landing page.

    The landing page was fairly sophisticated and well designed to entice the user to download the Windows application. Note the highlighted red warning that “it is possible that the computer’s security systems may falsely trigger” and the lack of a macOS option.

    Info(stealer) Log Distribution 

    As of November 2024, stealer logs are primarily distributed in four main ways:

    • Public Telegram channels: These channels provide bulk infostealer logs packaged together (typically files with hundreds or thousands of bundled logs). Threat actors use public rooms as a way to build reputation and credibility, and in some cases to promote their private channels which require a paid monthly subscription.
    • Private Telegram channels: These channels require users to pay a monthly subscription fee and sometimes limit the number of users in a specific channel (to 5-20 individuals). Prices range from $100 to $500 a month and heavily depend on the reputation of the threat actor and the frequency that new logs are published to the channel.
    • Live Telegram channels: In a few instances, we’ve identified threat actors selling access to “live” logs in which Telegram serves as a backend where logs are sent directly upon a victim being infected. There is substantial time relevancy to logs – newer logs are more likely to contain unexpired session cookies and unchanged credentials – providing the threat actor maximal opportunity to gain unauthorized access to core services.
    • Russian Market: Russian Market is a marketplace operating as a dark web hidden service which allows infostealer distributors to bulk upload logs that are sold for $10 each. Russian Market also enables buyers to search through logs and identify those with specific credential sets they are interested in compromising prior to purchase.

    Stealer logs for purchase and download

    The Time Relevancy of Infostealer Logs

    Stealer logs are not all equally valuable. Brand new logs (such as those fed into a live Telegram channel) are substantially more valuable for a number of reasons, including:

    • Fresh logs are much more likely to include active session cookies which can be used to bypass MFA on web applications. To do this, threat actors use what is called an “anti-detect” browser. Stealer Logs store all of the information 
    • Threat actors disproportionately value “fresh” logs due to the fact that the session cookies are more likely to be valid. 
    • Utilizing new logs also makes it less likely that another threat actor has already gained access to financial resources, crypto wallets, and other data in the stealer log.
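    The following is an added example, not code from Flare or from any stealer family, tying together the two points above: the per-victim file layout (Passwords.txt, UserInformation.txt, Cookies/) and why log freshness matters. It is a defender-side triage routine that flags saved logins touching monitored corporate domains and ranks them by log age, so that session revocation and password resets can be ordered accordingly. The `Key: value` record layout, the `Date:` line and all sample contents are assumptions constructed for the example.

```python
"""Defender-side triage of one stealer log directory (added example, not Flare code).
Reads the per-victim layout described above (Passwords.txt, UserInformation.txt,
Cookies/), flags saved logins touching monitored corporate domains and ranks them by
log freshness. Record layouts are ASSUMED; each real stealer family uses its own."""
from __future__ import annotations

import re
import tempfile
from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import Path
from urllib.parse import urlparse

# ASSUMED Passwords.txt layout: blank-line separated "Key: value" blocks.
_FIELD_RE = re.compile(r"^(URL|USER|PASS)\s*:\s*(.*)$", re.I)
# ASSUMED UserInformation.txt line, e.g. "Date: 2024-11-01 14:22:03 UTC".
_DATE_RE = re.compile(r"^Date\s*:\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})", re.I | re.M)

# CONSTRUCTED sample log contents; no real victim data.
SAMPLE_PASSWORDS = """\
URL: https://vpn.example-corp.com/login
USER: jdoe@example-corp.com
PASS: [constructed-placeholder]

URL: https://shop.example-store.net/account
USER: jdoe@gmail.com
PASS: [constructed-placeholder]

URL: https://sso.thirdparty-saas.example/
USER: jdoe@example-corp.com
PASS: [constructed-placeholder]
"""
SAMPLE_USERINFO = "Computer Name: DESKTOP-SAMPLE\nOS: Windows 10\nDate: 2024-11-01 14:22:03 UTC\nBuild: sample\n"


@dataclass(frozen=True)
class Finding:
    url: str
    user: str
    matched_domain: str
    log_age_days: int
    priority: str  # "critical", "high" or "medium"


def parse_passwords(text: str) -> list[dict[str, str]]:
    """Split Passwords.txt into {url, user} records. The PASS value is read and
    deliberately dropped: the defender needs the account name, not the secret."""
    records, current = [], {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last block
        m = _FIELD_RE.match(line.strip())
        if m:
            current[m.group(1).lower()] = m.group(2).strip()
        elif not line.strip() and current:
            records.append({"url": current.get("url", ""), "user": current.get("user", "")})
            current = {}
    return records


def parse_infection_date(text: str) -> datetime | None:
    """Infection timestamp from UserInformation.txt (UTC), or None if absent."""
    m = _DATE_RE.search(text)
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc) if m else None


def matched_domain(host: str, monitored: set[str]) -> str | None:
    """The monitored domain that `host` equals or is a subdomain of, if any."""
    host = host.lower().rstrip(".")
    return next((d for d in monitored if host == d or host.endswith("." + d)), None)


def prioritise(age_days: int, has_cookies: bool) -> str:
    """Fresh logs with cookies come first: those sessions may still be valid and
    sidestep MFA, so revoke sessions before resetting passwords."""
    if age_days <= 7 and has_cookies:
        return "critical"
    return "high" if age_days <= 30 else "medium"


def triage_log(log_dir: Path, monitored: set[str], now: datetime) -> list[Finding]:
    """Report every saved login in one log whose URL host or e-mail domain is monitored."""
    passwords = (log_dir / "Passwords.txt").read_text(encoding="utf-8", errors="replace")
    userinfo = (log_dir / "UserInformation.txt").read_text(encoding="utf-8", errors="replace")
    infected = parse_infection_date(userinfo) or now  # unknown date: assume fresh
    age_days = max((now - infected).days, 0)
    has_cookies = (log_dir / "Cookies").is_dir() and any((log_dir / "Cookies").iterdir())
    findings = []
    for entry in parse_passwords(passwords):
        url = entry["url"] if "://" in entry["url"] else "https://" + entry["url"]
        hosts = [urlparse(url).hostname or ""]
        if "@" in entry["user"]:
            hosts.append(entry["user"].rpartition("@")[2])
        dom = next((d for d in (matched_domain(h, monitored) for h in hosts) if d), None)
        if dom:
            findings.append(Finding(entry["url"], entry["user"], dom, age_days, prioritise(age_days, has_cookies)))
    return findings


def demo() -> list[Finding]:
    """Write the constructed sample log to a temp dir and triage it."""
    root = Path(tempfile.mkdtemp(prefix="stealer-log-sample-"))
    (root / "Cookies").mkdir()
    (root / "Cookies" / "Chrome_Default.txt").write_text("constructed placeholder\n")
    (root / "Passwords.txt").write_text(SAMPLE_PASSWORDS)
    (root / "UserInformation.txt").write_text(SAMPLE_USERINFO)
    now = datetime(2024, 11, 5, tzinfo=timezone.utc)  # the sample log is 3 days old
    return triage_log(root, {"example-corp.com"}, now)
```

Running `demo()` on the constructed sample yields two critical findings for `example-corp.com` (one matched on the VPN URL, one on the user's e-mail domain at a third-party SSO); the Gmail entry is ignored.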

    Infostealer Log Use-Cases

    Infostealers have largely flown under the radar for corporate security teams, particularly those at smaller organizations or those with a less sophisticated security posture. Unfortunately they have not flown under the radar for threat actors looking for easy ways to compromise corporate IT environments. But, before we go into the business information security risks that infostealer malware and stealer logs pose, let’s talk about their more common use-cases; namely facilitating fraud and account takeover for monetary gain. 

    Most threat actors are not primarily looking to compromise corporate accounts, nor is that the reason the vast majority of them use stealer logs. Instead, a typical workflow looks something like this:

    1. Threat actors process downloaded logs through specialized “checker” applications that:

    • Validate session cookie authenticity
    • Filter logs based on customizable parameters
    • Flag high-value targets (e.g., active financial service sessions)
    • Prioritize logs containing authenticated access to valuable services

    The checker tool essentially serves as a triage system, allowing actors to quickly identify and prioritize the most potentially valuable compromised accounts from large batches of logs.

    A threat actor uses a checker to identify high-value logs

    2. The actor then uses an anti-detect browser to impersonate the victim’s session on specially selected financial services logs.

    Screenshot of an anti-detect browser from a tutorial video on how to impersonate sessions

    3. The actor gains access to the account and transfers money or otherwise buys cryptocurrency using the victim’s bank account.

    Infostealer Malware and Corporate Cybersecurity

    Infostealers (and stealer logs) are one of the most concerning trends for corporate cybersecurity teams today. Why? Millions of employees in the U.S. save credentials from their jobs onto their personal computers and subsequently get compromised by infostealer malware. 

    We’ve seen thousands of examples, including:

    • Credentials to VPN into surgery centers
    • Credentials to major corporate SSO applications
    • ADFS and VPN credentials
    • Corporate PR accounts, CRM accounts

    Threat actors (on average) don’t “target” infostealer malware campaigns at corporate employees, but by default if they infect tens of millions of computers, huge numbers of corporate credentials and session cookies are bound to show up. This is well known by ransomware groups and other criminal entities that target businesses. Both ransomware actors and initial access brokers directly leverage stealer logs and infostealer malware infections to gain access to corporate IT systems. 

    To learn more about threat actors and corporate stealer logs, take a look at our report Stealer Logs, Single Sign On, and the New Era of Corporate Cybercrime.

    Infostealer Malware & Initial Access Brokers

    Infostealer malware is likely one of the most common ways that initial access brokers get into corporate networks. Initial access brokers (IABs) serve as a “white glove” service for ransomware groups and other criminal entities, gaining initial access to a victim’s corporate systems, then auctioning it off on Russian-language cybercrime forums.

    Forum post from initial access broker

    When there are millions of corporate credentials and session cookies floating around Telegram, it defeats much of the need for threat actors to launch more complicated attacks such as spear-phishing or exploiting vulnerabilities on publicly facing hosts.

    An initial access broker advertises logs for sale on the Russian language cybercrime forum XSS

    For example, an attack facilitated by an initial access broker might look something like this:

    1. IAB purchases an infostealer log from a dark web marketplace. The log contains credentials, session cookies, and other sensitive data from multiple victims.
    2. Among the entries, they identify a high-value target: credentials for a user with an email from a mid-sized financial services firm.
    3. Using a virtual private server (VPS) or proxy to match the target’s geographic location, the IAB attempts to log into the financial firm’s VPN with the stolen credentials.
    4. Login is successful, and they are granted access to the internal network.
    5. The IAB installs a covert remote access tool (RAT) to maintain control even if the VPN password changes.
    6. They create a hidden administrator account to re-enter if the initial access point is detected or closed.
    7. Using the RAT, the IAB maps the network, identifying key systems like file servers, databases, and sensitive applications.
    8. They collect more internal credentials, including administrative passwords, using tools like Mimikatz.
    9. The IAB gathers the details of the access they’ve achieved:
      • VPN login credentials
      • Privileged admin access to specific systems
      • Network map and location of sensitive financial records
    10. They list this package on a dark web forum, advertising it as “Administrator-level access to mid-sized financial services firm” and setting a starting price.
    11. The IAB provides guidance on navigating the network and any details to ensure a smooth handoff.
    12. The ransomware group uses the access to deploy ransomware across the network, encrypting financial data and issuing a ransom demand to the firm.

    Stealer Logs & The Growing Cybercrime Ecosystem

    It’s no secret that cybersecurity is adversarial, however in the past decade the nature of offense has changed. The cybercrime economy is vast – stretching into hundreds of millions, and actors ranging from lone wolves to highly coordinated groups leverage it to profit. 

    The complexity of the ecosystem is a source of its strength. Individual vendors each specializing in particular parts of the attack chain enable role specialization which can create scalability through the “cybercrime assembly line.” If an actor had to design their own infostealer variant, distribute it, harvest credentials, and leverage them it would be a far slower process.

    Monitoring for Stealer Logs with Flare

    The Flare Threat Exposure Management (TEM) solution empowers organizations to proactively detect, prioritize, and mitigate the types of exposures commonly exploited by threat actors. Our platform automatically scans the clear & dark web and prominent threat actor communities 24/7 to discover unknown events, prioritize risks, and deliver actionable intelligence you can use instantly to improve security.

    Our customer Victor Pettersson, CISO at Sokigo, recently said, “Stealer logs have been the [sources] where we have seen the most actionable intelligence regarding leaked credentials.”

    Flare integrates into your security program in 30 minutes and often replaces several SaaS and open source tools. Learn more by signing up for our free trial.

    6 Things to Know About Improving Threat Intelligence Collection
    https://flare.io/learn/resources/blog/improving-threat-intelligence-collection/
    Mon, 11 Nov 2024 20:27:15 +0000

    The post 6 Things to Know About Improving Threat Intelligence Collection appeared first on Flare | Cyber Threat Intel | Digital Risk Protection.

    ]]>

    Flare recently hosted our first Threat Intel Workshop with Senior Threat Intelligence Researcher Tammy Harper. Below are some of the questions Tammy covered in improving threat intelligence collection practices.

    1. How does the disruption to Telegram affect threat actors?

    After the arrest of Telegram’s CEO in August 2024, the messaging platform, which has been popular with threat actors, began collaborating with law enforcement in an effort to cut down on criminal activity on the app.

    Over the last few years, threat actors have shifted their operations away from traditional dark web forums, so that Telegram now serves as a complement to, or a popular alternative to, those forums. Now that Telegram is working with law enforcement, how does this change the cybercrime landscape?

    Malicious actors are seeking out other platforms like Signal, Session, Matrix, SimpleX, and more, but these do not offer the same user experience as Telegram. For example, when comparing Telegram and Signal, Telegram is more community-forum oriented, which makes it easier for participants to find each other, and it supports social features, like stickers, that build community. From a malicious actor’s perspective, Telegram’s file support also makes sharing and storing stolen information easier. Matrix, meanwhile, has a higher potential for honeypotting, which can deter threat actors.

    There are other open questions about what this change will cause, such as: will Telegram truly increase its cooperation with authorities? Will Telegram become a more moderated app? For now, it may be too early to have definite answers.

    2. The infrastructure and IoCs you collect, are they often this “noisy”? Often the IoCs collected by our team are clean with no reports found, making it more difficult to detect during the monitoring phase.

    Security teams use IoCs in two different ways:

    • Threat hunting: looking for specific forensic information or investigating an incident
    • Threat intelligence gathering: looking for information on the dark web that can be linked to the organization’s IT infrastructure

    When security teams collect IoCs for incident response and forensics, they take a targeted, reactive approach asking questions about:

    • What machine was compromised?
    • Was information exfiltrated?
    • What network(s) did an attacker traverse?
    • What vulnerabilities did the attacker exploit?

    The IoC data is similarly streamlined, as it more likely focuses on evidence that the teams can observe in or collect from their systems like:

    • Abnormal network traffic and activity detected by network monitoring tools
    • Suspicious activity on specific computers or systems detected by Endpoint Detection and Response (EDR) tools
    • File-based modifications indicating malicious files or malware detected from file-scanning tools
    • Anomalous user or entity behavior detected through Identity and Access Management (IAM) or User and Entity Behavior Analytics (UEBA) tools

    When collecting dark web threat intelligence for red teaming, security analysts are looking for clues to identify threats proactively. With a broader purpose, the valuable information is more varied and can include:

    • Information about attacks targeting specific individuals, organizations, industries, or geographic regions
    • Exposed credentials linked to users or organizations, including stealer logs from initial access brokers
    • Data about attacks targeting zero day vulnerabilities
    • Lists of compromised devices as a part of botnets for sale

    In the workshop example, we reviewed a specific log belonging to a threat actor. Since the purpose was proactive identification across a system, all of the information was relevant. 

    3. How much time do you spend dwelling on each threat hunt?

    Gathering threat intelligence during the threat hunting process should be focused around the core question: “So what?”

    With the large amount of threat intelligence available from the dark web, security analysts need to take a structured approach to their gathering and analysis so that they can remain productive without falling into rabbit holes. 

    Actionable threat intelligence collection and analysis distills data into insights that enhance risk management by enabling security teams to implement proactive measures against potential attacks. For every investigation, the primary questions that security analysts should ask include:

    • What does this information tell me about the potential damage the attacker can do to my organization?
    • How does this information help me understand the likelihood of an attack against my organization?
    • How does this information help me allocate resources required to mitigate the risks?

    Asking “so what?” might feel harsh, but it helps researchers stay focused on their main goal to ensure they find relevant information that furthers the investigation. 

    4. How do you determine what, who, and where you will research? Is it in response to an investigation, incident, event or out of your own interest? 

    Security researchers generally build effective intelligence requirements that ask:

    • What information do I need?
    • Why do I need this information?
    • How will this support decision-making processes?

    As they build out their requirements, they should consider these three essential components:

    • Subject: What specific area of interest best fits the business objectives?
    • Purpose: Why is this information important to the organization’s strategic objectives? 
    • Justification: How does this requirement contribute to improving cybersecurity efforts in a way that makes it a priority?

    At Flare, we follow the same process, triggering investigations based on what customers need. To stay one step ahead of trends, we tailor our research to provide insights about meaningful dark web activities that help improve cybersecurity and strategic business outcomes, like:

    5. Do you track card leaks as well? How do you map the observed TTPs or IoCs, and how do you differentiate them from legitimate behavior?

    The foundation of threat intelligence gathering and threat hunting is twofold:

    • Use as many sources as possible
    • Follow the evidence to reduce confirmation bias

    Open Source Intelligence (OSINT) is publicly available information that can be categorized as:

    • Passive: easily and publicly available, typically on the clear web
    • Active: publicly available but harder to obtain, such as infiltrating dark web forums that require special access, permissions, or skills

    Security researchers have access to clear web OSINT that includes known:

    • Vulnerabilities
    • Attack tactics, techniques, and procedures (TTPs)
    • Third-party vendor breaches
    • Security alerts, such as those from the Cybersecurity and Infrastructure Security Agency (CISA) or the Federal Bureau of Investigation (FBI)

    Dark web threat intelligence provides contextual insight into:

    • Current illicit activities and trends
    • New TTPs
    • Attacker motivations

    By combining these different data points, security researchers can build profiles around the IP addresses they observe and determine which ones are likely associated with the activity under investigation.

    6. Do you track card leaks? How are new sources good/validated?

    Flare has a built-in capability for tracking card leaks. 

    At Flare, we evaluate threat intelligence sources the way a security research team would, by assessing their investigative benefit and value. Some considerations include:

    • How many active participants a forum, market, or illicit Telegram channel has
    • How many transactions occur across a forum, market, or illicit Telegram channel
    • Whether admins or mods are connected to other high-profile forums, markets, or illicit Telegram channels
    • How recent the latest activity was
    • How often other cybercriminals discuss a new forum, market, or illicit Telegram channel

    Dig Further into Threat Intel with Flare Academy

    Interested in following more cybercrime research? Flare Academy’s training sessions are led by cybersecurity researchers; check out the upcoming sessions here.

    We also offer the Flare Academy Discord Community, where you can connect with peers and access training resources from the Flare Academy training.

    Can’t wait to see you there!

    The post 6 Things to Know About Improving Threat Intelligence Collection appeared first on Flare | Cyber Threat Intel | Digital Risk Protection.
