Research Team, Author at Flare | Cyber Threat Intel | Digital Risk Protection
https://flare.io/learn/resources/blog/author/flare-research-team/
Feed retrieved Tue, 25 Mar 2025 19:09:41 +0000

Deciphering Black Basta’s Infrastructure from the Chat Leak
https://flare.io/learn/resources/blog/deciphering-black-bastas-infrastructure-from-the-chat-leak/
Thu, 06 Mar 2025 14:47:16 +0000

The post Deciphering Black Basta’s Infrastructure from the Chat Leak appeared first on Flare | Cyber Threat Intel | Digital Risk Protection.

This article originally appeared on Cybercrime Diaries.

On February 20, 2025, the cybersecurity community received an unexpected stroke of luck as internal strife seemingly spread within the infamous Black Basta ransomware group. On that day, an unknown individual using the alias ExploitWhispers released a file on Telegram, allegedly containing the group’s internal chat logs. The file was a JSON dataset comprising 196,045 messages from a Matrix/Element chat, primarily in Russian, spanning September 18, 2023 to September 28, 2024.

While the true identity of the leaker and their actual motives remain unknown, ExploitWhispers accused Black Basta of crossing a red line by targeting Russian banks. A preliminary analysis suggests that most, if not all, of the leaked data appears legitimate. However, the possibility of data manipulation cannot be entirely ruled out.

Black Basta is a ransomware-as-a-service (RaaS) group that emerged in April 2022 and has since attacked over 500 organizations worldwide across various sectors, including healthcare, manufacturing, and utilities. Notable victims include Ascension, Dish Network, Maple Leaf Foods, BT Group, and Rheinmetall. According to estimates published by The Record in November 2023, the group had received over $100 million in ransom payments by that date. However, since January 2025 no new victims have been reported and the group’s leak site is presently down, suggesting that an internal conflict could have shaken up the group.

Figure 1: Ransomware victims per country for Black Basta (Source: Ransomware.live)

Back in 2022, this RaaS was founded by Conti Team 3, also known as Tramp’s team, which remained in control of the group during the period covered by the leak. In the leaked chat, Tramp appears under the aliases gg and aa. An investigation by LeMagIT, supported by external sources, confirmed that the likely real identity of this threat actor is Oleg Nefedov, a Russian citizen originally from Yoshkar-Ola.

While extensive research has already been published, providing insights into who Nefedov is and which vulnerabilities the group exploited, this short blog focuses on Black Basta’s internal organization. It also offers a glimpse into how and where the group hosted and obfuscated its leak site and C2 servers.

Key Observations from the Leak and Available Information

  • The true identity of the group’s leader, Tramp (aka gg), is possibly Oleg Nefedov, a 35-year-old Russian citizen from Yoshkar-Ola, who is officially known as a successful entrepreneur, but claims to be protected by powerful friends allowing him to pursue his malicious endeavors. 
  • Black Basta operates as a highly structured and hierarchical organization, with at least two offices, likely located in Moscow or its outskirts.
    • Group members have several different specializations focusing on areas such as infrastructure management, initial access, malware and C2 obfuscation, development, and negotiations.
    • A key distinction existed between threat actors who were employees of the group—working under Tramp’s direct and strict supervision in office settings—and more independent operatives, known as pentesters or affiliates, working online.
    • These independent affiliates were often Tramp’s former associates from other illicit operations, such as Conti RaaS or banking trojans. They operate within their own teams, using distinct tools, methods, and internal hierarchies. This division sometimes leads to tensions between them and Black Basta’s core management.
    • The group periodically changed Matrix servers for OPSEC reasons. In September 2024, Tramp decided to migrate to a new server. This may also be explained by Tramp’s brief arrest in Armenia during a vacation trip in June 2024, which almost resulted in his extradition.
  • Black Basta members are active on major Russian-language cybercrime forums such as XSS, Exploit, and RAMP, where they purchase services from other threat actors. These services include crypting (payload obfuscation), hosting, spam campaigns, exploits, and initial access to compromised networks.
  • The group’s leak site, admin panel, and C2 servers were primarily hosted on legitimate providers such as Hetzner, but these were acquired through third-party resellers that specialized in server rentals and accepted cryptocurrency payments.
    • Infrastructure obfuscation appeared to be a more viable strategy than relying on bulletproof hosting. However, bulletproof hosting services, such as Gerry, were used for deploying abuse-resistant C2 servers for Cobalt Strike and for fast-flux capabilities, which helped conceal the real IP addresses of domains.
  • Overall, the leak of this chat underscored once again that a substantial part of cybercriminal activity takes place outside forums or public chats, with the latter being just the tip of the iceberg.

Black Basta’s Organization and Internal Hierarchy

A statistical analysis of the leaked data provided valuable insight into the group’s hierarchy. The most active user—by far—was the leader, Tramp, also known as “gg” (@usernamegg in Figure 2 below). He was responsible for coordinating other members, developing new methods for obtaining initial access, participating in attacks, handling negotiations, and maintaining strict control over his employees. He enforced this control by personally visiting both offices where they operated.

Lapa, the second most active user, can be described as a senior “pentester” who seemingly knew Tramp before joining the chat in September 2023. The majority of messages from this user related to access to victims’ corporate networks. There were also active external pentesters such as “w”.

Figure 2: Black Basta members by number of messages (Source: Flare)

The periods of activity and the nature of the messages themselves indicate that the group had defined, organized vacation periods, such as January and June 2024, when almost all activity stopped.

Figure 3: Messages per Week on Black Basta (Source: Flare)

Another notable observation was the distinct structure of the usernames present in the chat. Usernames composed of the word “username” followed by two letters—such as “gg” (aka Tramp), “ww”, “tt”, or “ss”—and hosted on the bestflowers247.online Matrix server appeared to belong to Black Basta’s core members (example: @usernamegg:bestflowers247.online). These threat actors were directly managed by Tramp, who also provided them with their Matrix accounts.

This structure clearly distinguished them from other members of the chat, who used their own Matrix servers, had different username formats, and operated more independently. These independent actors, who can in fact be considered affiliates, often referred to their own teams and to other threat actors who were not part of the chat.

This differentiation is also highlighted in the graph below, where it can be seen that core members remained active for a much longer period than external ones. However, some noticeable discrepancies suggest that the data might be incomplete or that certain core members were simply dismissed in June 2024.

For instance, no disputes or conflicts were recorded for core members such as “ww”, “mm”, “zz”, or “cc”, yet their messages stop abruptly in June 2024. This points to two possibilities: the dataset is incomplete, or these members moved to another communication channel.

Figure 4. Black Basta members and their first and last messages (Source: Flare)
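As an added example (not code from the original post or from Flare’s tooling), the following Python script reproduces the kind of per-member statistics behind Figures 2 to 4 over a small constructed Matrix export: message counts, first and last message per account, a core/external split based on the @usernameXX:bestflowers247.online pattern described above, and messages per ISO week so that silent weeks stand out. The export schema (a JSON list with “timestamp”, “sender” and “text” fields) is an assumption, and every sample message is constructed.

```python
"""Per-member statistics over a Matrix chat export.

Added example, not code from the original post or from Flare. The export
schema (a JSON list of objects with "timestamp", "sender" and "text") and the
sample messages are constructed; adapt the field names to the real dump.
"""
import json
import re
from collections import defaultdict
from datetime import datetime

# Matrix user IDs have the form @localpart:homeserver. Core members used
# "username" plus two letters on the group's own homeserver.
CORE_ID = re.compile(r"^@username[a-z]{2}:bestflowers247\.online$")
TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample export (not data from the leak).
SAMPLE_EXPORT = json.dumps([
    {"timestamp": "2023-09-18 10:02:11", "sender": "@usernamegg:bestflowers247.online", "text": "..."},
    {"timestamp": "2023-09-18 10:05:40", "sender": "@lapa:example-homeserver.net", "text": "..."},
    {"timestamp": "2023-10-02 09:15:00", "sender": "@usernamegg:bestflowers247.online", "text": "..."},
    {"timestamp": "2024-01-15 12:00:00", "sender": "@usernameyy:bestflowers247.online", "text": "..."},
    {"timestamp": "2024-03-10 08:30:00", "sender": "@usernameyy:bestflowers247.online", "text": "..."},
    {"timestamp": "2024-06-03 14:20:00", "sender": "@lapa:example-homeserver.net", "text": "..."},
    {"timestamp": "2024-09-28 17:45:00", "sender": "@usernamegg:bestflowers247.online", "text": "..."},
])


def classify_sender(matrix_id: str) -> str:
    """'core' for Tramp-issued accounts on the group homeserver, else 'external'."""
    return "core" if CORE_ID.match(matrix_id) else "external"


def summarize(export_json: str) -> dict:
    """Per sender: message count, first/last message time and core/external role,
    ordered by descending message count (the Figure 2 and Figure 4 views)."""
    stats = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for msg in json.loads(export_json):
        ts = datetime.strptime(msg["timestamp"], TS_FORMAT)
        entry = stats[msg["sender"]]
        entry["count"] += 1
        if entry["first"] is None or ts < entry["first"]:
            entry["first"] = ts
        if entry["last"] is None or ts > entry["last"]:
            entry["last"] = ts
    for sender, entry in stats.items():
        entry["role"] = classify_sender(sender)
    return dict(sorted(stats.items(), key=lambda kv: kv[1]["count"], reverse=True))


def weekly_activity(export_json: str) -> dict:
    """Messages per ISO (year, week). Weeks absent from the result were silent,
    which is how the vacation gaps in Figure 3 show up."""
    weeks = defaultdict(int)
    for msg in json.loads(export_json):
        year, week, _ = datetime.strptime(msg["timestamp"], TS_FORMAT).isocalendar()
        weeks[(year, week)] += 1
    return dict(sorted(weeks.items()))


if __name__ == "__main__":
    for sender, entry in summarize(SAMPLE_EXPORT).items():
        print(f"{sender:45} {entry['role']:8} {entry['count']:3} "
              f"{entry['first']:%Y-%m-%d} -> {entry['last']:%Y-%m-%d}")
    print(weekly_activity(SAMPLE_EXPORT))
```

On the real 196,045-message dataset the same two functions give the ranking in Figure 2 and the activity spans in Figure 4; the classification regex is the only part tied to this particular group.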

Analysis of the various exchanges between members in the chat led to deciphering their main roles and specializations within Black Basta. As shown in the graph below—and accessible through the provided link—the group could be divided into the following specialties:

  • Leadership and management: Led by gg, also known as Tramp.
  • Infrastructure management, servers, and hosting payments: Handled by yy, also known as bio.
  • Internal pentesters and support: A group working directly under Tramp’s command from two offices. These members were strictly monitored, often asking for his permission even to step away from their computers for a few minutes. Notable members included nn, ww, zz, and others.
  • External affiliates: More independent and experienced, often operating with their own teams. They were particularly active in obtaining initial access and conducting social engineering attacks. For instance, Kortez was frequently mentioned as the leader of another malicious group working alongside blood, adm, nickolas, and u123.
  • Coders and programmers: Mostly seasoned malware developers such as n3auxaxl, also known as mekor, and chuk. They were responsible for developing new malware, including the group’s Pikabot, which consisted of a downloader/installer, a loader, and a core backdoor component. Black Basta occasionally hired additional coders, though this appeared to be one of the hardest roles to fill.
  • Crypting and obfuscation specialists: Primarily a small group of two individuals. One notable figure was muaddib6, also known as Bentley, who may have been the infamous Russian threat actor Vitaly Kovalev.
  • Social engineering experts: Specialized in gaining initial access by targeting high-value companies. They used tactics such as impersonating IT support personnel, calling employees, and convincing them to install AnyDesk to deploy malware.
  • Brute-force and password de-hashing specialists: At least two threat actors focused specifically on these techniques.

Black Basta’s Internal Structure

Figure 5: Black Basta’s Internal Structure (Source: Flare)

Black Basta’s Infrastructure: Hosted in Germany and Obfuscated

Thanks to this preliminary work, which helped identify the main specialization of each threat actor active in the chat, it became easier to determine where to look for specific information, such as details about the group’s infrastructure.

According to the previous paragraphs and Figure 5, the threat actor yy, also known as bio, was responsible for Black Basta’s hosting, websites, and penetration testing servers.

As illustrated in Figure 6 below and in the graph available here, the group’s most critical servers were likely purchased from VPSKot, a company accepting cryptocurrency payments and reselling servers from legitimate hosting providers unaware of their real customers. One such provider was the German company Hetzner, where Black Basta hosted its Onion websites like the administrative panel, blog, and Element/Matrix chat service in September 2023.

Black Basta’s Key Servers in September 2023

Figure 6: Black Basta’s Key Servers (Source: Flare)

The examination of yy’s messages from November 2023 also gives an interesting glimpse into how Black Basta deployed Cobalt Strike on servers and obfuscated them behind proxies. Cobalt Strike is a post-exploitation framework commonly used by red teams and cybercriminals to establish command and control, move laterally within networks, and execute malicious payloads.

The group seemingly used bulletproof hosting (BPH) only marginally, mainly preferring to acquire many servers from “grey” and offshore hosting companies in order to rotate servers and obfuscate its sensitive infrastructure. One BPH that was nevertheless mentioned multiple times in the leak, referred to as “the Abkhaz hosting”, was a service advertised by the threat actor “gerry”, one of the most prominent illicit hosting providers currently active on Russian-language cybercrime forums.

Black Basta’s Cobalt Strike Servers and Proxies in November 2023

Figure 7: Black Basta’s Cobalt Strike servers and proxies (Source: Flare)

Final Thoughts on the Black Basta Leak: A Treasure Trove to Explore

This blog offers just a glimpse into the valuable information that can be extracted and analyzed from this leak. It contains numerous threat actor handles, illicit services from cybercrime forums, contact details, cryptocurrency addresses, and identified vulnerabilities. One particularly interesting investigative approach is to use these indicators to track threat actor accounts across forums, potentially uncovering their real identities. For example, searching the Flare platform for the TOX IDs found in the leak identified several cybercrime-forum accounts belonging to threat actors mentioned in the chat.
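TOX IDs are a good pivot because they are long and effectively unique, but a naive 76-hex-character regex also returns truncated or mistyped strings. A TOX ID is a 32-byte public key, a 4-byte “nospam” value and a 2-byte checksum that XOR-folds the preceding 36 bytes, so each candidate can be verified before it is searched for. The following Python is an added example, not code from the original post or from the Flare platform; the sample chat lines are constructed, and the make_tox_id helper exists only to build that constructed data.

```python
"""Extract and verify TOX IDs found in leaked chat text.

Added example, not code from the original post or from the Flare platform.
A TOX ID is 76 hex characters: 32-byte public key || 4-byte nospam ||
2-byte checksum, where checksum[i % 2] ^= byte[i] over the first 36 bytes
(as toxcore computes it). The sample messages are constructed.
"""
import re
from typing import List

# 76 hex characters that are not part of a longer hex run.
TOX_ID_RE = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{76}(?![0-9A-Fa-f])")


def tox_checksum(body: bytes) -> bytes:
    """XOR-fold the 36-byte (public key + nospam) body into two bytes."""
    if len(body) != 36:
        raise ValueError("TOX ID body must be 36 bytes")
    folded = bytearray(2)
    for i, b in enumerate(body):
        folded[i % 2] ^= b
    return bytes(folded)


def make_tox_id(public_key: bytes, nospam: bytes) -> str:
    """Assemble a well-formed TOX ID; used here only to build constructed data."""
    body = public_key + nospam
    return (body + tox_checksum(body)).hex().upper()


def is_valid_tox_id(candidate: str) -> bool:
    """True only if the candidate is 76 hex chars whose checksum matches."""
    if len(candidate) != 76:
        return False
    try:
        raw = bytes.fromhex(candidate)
    except ValueError:
        return False
    return tox_checksum(raw[:36]) == raw[36:]


def extract_tox_ids(text: str) -> List[str]:
    """Unique, checksum-valid TOX IDs (upper-cased) in order of first appearance."""
    found: List[str] = []
    for m in TOX_ID_RE.finditer(text):
        cand = m.group(0).upper()
        if is_valid_tox_id(cand) and cand not in found:
            found.append(cand)
    return found


# Constructed data: one well-formed ID, the same ID in lower case, and a copy
# with its last checksum digit corrupted (a typical copy-paste error).
VALID_ID = make_tox_id(bytes(range(32)), bytes.fromhex("AABBCCDD"))
BROKEN_ID = VALID_ID[:-1] + ("0" if VALID_ID[-1] != "0" else "1")
SAMPLE_CHAT = "\n".join([
    "gg: new tox for the pentester, add him: " + VALID_ID,
    "yy: got it, mine is " + VALID_ID.lower(),
    "nn: this one does not add: " + BROKEN_ID,
])

if __name__ == "__main__":
    print(extract_tox_ids(SAMPLE_CHAT))
```

Only the first two lines yield an ID, and they yield the same one: case is normalized before de-duplication, and the corrupted copy is rejected by the checksum rather than being fed into a forum search as a dead pivot.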

Figure 8: Black Basta threat actors found in Flare (Source: Flare)

Figure 9. Examples of threat actors selling various services on Exploit that were mentioned in the leak

Dig Further into Cybercrime with Flare Academy

Interested in following more cybercrime research? Check out Flare Academy’s training sessions, which are led by cybersecurity researchers. Check out the upcoming sessions here.

We also offer the Flare Academy Discord Community, where you can connect with peers and access training resources from the Flare Academy training.

Can’t wait to see you there!


Sources

“Black Basta – Chat Viewer,” February 2025. https://ransomware-leaks.com/.

Garrity, Patrick. “Exposing CVEs from Black Bastas’ Chats.” VulnCheck, February 24, 2025. https://vulncheck.com/blog/black-basta-chats.

Ransomware.live. “Black Basta – Ransomware.Live 👀,” March 5, 2025. https://www.ransomware.live.

Rieß-Marchive, Valéry. “Ransomware : de REvil à Black Basta, que sait-on de Tramp ?” LeMagIT, March 1, 2025. https://www.lemagit.fr/actualites/366619807/Ransomware-de-REvil-a-Black-Basta-que-sait-on-de-Tramp.

Townsend, Kevin. “Black Basta Leak Offers Glimpse Into Group’s Inner Workings.” SecurityWeek, March 3, 2025. https://www.securityweek.com/black-basta-leak-offers-glimpse-into-groups-inner-workings/.

The Underground’s Favorite Messenger: Telegram’s Reign Continues
https://flare.io/learn/resources/blog/the-undergrounds-favorite-messenger-telegrams-reign-continues/
Thu, 27 Feb 2025 11:45:02 +0000

The post The Underground’s Favorite Messenger: Telegram’s Reign Continues appeared first on Flare | Cyber Threat Intel | Digital Risk Protection.

The data and visualizations presented on this webpage are based on information collected from January 2024 to January 2025. These graphs are static and do not reflect real-time updates or recent developments. Any trends, insights, or conclusions should be interpreted with this timeframe in mind.

Executive Summary

  • Telegram remains the dominant messaging platform in the cybercriminal underground, despite recent events and concerns about security.
  • Increased cooperation between Telegram and law enforcement has prompted discussions about alternative platforms, with Signal showing the most significant growth.
  • Other messaging apps like Discord, TOX, Matrix, and Session play niche roles, often tied to specific cybercriminal activities or communities.
  • Many threat actors use multiple messaging apps to ensure accessibility and redundancy in their communications.
  • Flare’s data lake analysis shows a correlation between messaging app choice and cybercriminal user types; for example, Discord is often used by low-level or young threat actors, while TOX is favored by OPSEC-focused and ransomware cybercriminals.
  • The collection of contacts shared by threat actors on cybercriminal communities allowed Flare to automatically identify other handles that they may use on different forums by correlating the contacts. 

Communicating in the Cybercriminal Underground - A Key Necessity for Threat Actors

Engaging in illegal activities within the cybercriminal ecosystem while maintaining anonymity and operational security presents a significant challenge for threat actors. Regardless of their level of technical expertise or the nature of their actions, one of malicious actors’ primary concerns is securing communications to avoid deanonymization and to prevent becoming targets of rival groups or law enforcement.

At the same time, being easily reachable is equally important, as cybercriminals must maintain efficient and reliable channels to coordinate operations, recruit new members, and conduct illicit transactions. As a result, the balance between security and accessibility varies depending on the type of activity and the threat actor’s level of OPSEC awareness, with some prioritizing ease of communication for quick coordination while others emphasize stricter security measures to minimize exposure.

Given these constraints, cybercriminals often exchange sensitive information outside of forums, relying on messaging platforms such as Telegram, Discord, Signal, Tox, Jabber, Matrix, or Session to evade forum administrators’ surveillance or to mitigate the fallout of potential database leaks [1].

For several years, Telegram has not only served as a communication tool widely praised by threat actors but has also evolved into a cybercriminal ecosystem of its own, emerging as a serious alternative to traditional cybercriminal forums. Telegram is free and valued for its user-friendly interface, API, bot deployment capabilities, support for up to 200,000 members in a group, and the ability to share files of up to 4 GB. Nevertheless, concerns persist regarding its security. End-to-end encryption is not enabled by default and is only available in one-to-one “secret chats”, so group and channel traffic is readable by Telegram’s servers, and its custom MTProto protocol has received far less independent scrutiny than standard designs [2]. Rumors about the presence of its key developers in Russia have also raised alarms among the most security-conscious members of the cybercriminal community.

Eventually, the arrest of Telegram’s CEO and founder, Pavel Durov, in France on the 25th of August 2024 [3], followed by the platform’s announcement on September 23, 2024 that it would increase cooperation with law enforcement [4], and the practical enforcement of this policy through the disclosure of cybercriminals’ IP addresses and phone numbers in January 2025 [5], sparked concern within the cybercriminal ecosystem (see Figure 1). Some threat actors started to discuss abandoning the platform or at least improving their OPSEC (see Figure 2).

Figure 1: Mentions of the arrest of Pavel Durov on major cybercriminal forums and Telegram channels between August and October 2024 (daily results). Source: Flare.io.
Figure 2: In October 2024, threat actors on the XSS forum voiced concerns about Telegram’s new cooperation policy with law enforcement and speculated about which messaging platform might replace it. Machine translated.

However, old habits die hard. The transition from a tool that is convenient, well-integrated into existing workflows, and broadly used within the cybercriminal ecosystem is not straightforward. Telegram is far from the first messaging service to face turbulence in this sphere, yet history shows that disruptions did not lead to an immediate or complete shift away from an established platform.

Indeed, in May 2023 a small tremor shook the Russian-language cybercriminal forum XSS when the threat actor “nightly” announced that he was selling a remote code execution vulnerability and an exploit affecting the qTOX 1.17.6 messenger for 20 Bitcoins (around $550,000 at the time of the offer). The threat actor shared a proof-of-concept video (see Figure 3) in which he claimed to be able to retrieve a user’s IP address upon acceptance of a new contact [6]; since Tox peers connect to each other directly by default, learning an accepted contact’s IP address is expected behavior, so the video alone did not demonstrate code execution. The vulnerability was allegedly sold in less than a day and alarmed qTOX users on XSS, predominantly malicious actors involved in ransomware activities. The alleged sale deeply worried the Russian-speaking cybercriminal community and even pushed the administrator of XSS to abandon qTOX as an official communication tool.

Figure 3: Demonstration of the RCE allegedly affecting qTOX, advertised by “nightly” on XSS in May 2023.

Both of these cases have sparked heated discussions about the right communication tool in the cybercriminal ecosystem (see Figure 4). However, several months later, it appears that things have not changed much; qTOX continues to be a niche messenger popular among a minority of threat actors and was recently updated [7], while Telegram seemingly continues to dominate as the preferred platform for cybercriminals, especially those involved in infostealer operations, carding, refund fraud, and hacktivism.

Figure 4: A threat actor asks BreachForums’ community in November 2024 about their preferred messaging app and highlights the advantages and disadvantages of each platform.

Given the significant developments affecting Telegram in 2024, we sought to examine the current state of cybercriminal communications. By analyzing Flare’s data lake, we aim to address the following questions:

  • Have threat actors migrated en masse to alternative platforms since August 2024?
  • Does the nature of a cybercriminal’s activity influence their choice of messaging platform?

In the following sections, we will explore these questions in depth, supported by data-driven insights.

I. Analysis of the Popularity of Messengers of the Underground: Making Sense of Raw Data

To answer the aforementioned questions, we used Flare’s dataset. Flare maintains an extensive data lake of sources (markets, forums, Telegram channels) focused on cybercriminal activities such as data leaks, initial access, malware, infostealers, carding, fraud, ransomware and, marginally, drugs. We used a subset consisting of one year (2024) of activity. These details matter because the data lake from which information is pulled heavily influences the output, and we want to be transparent with our readers about our bias.

Let’s start by adopting a funnel approach: first looking at the raw data, then refining and analyzing it. In 2024, Flare observed that over 80 million IDs and links to six different messaging apps were shared by individuals active on cybercriminal forums and Telegram channels (see Figures 5 and 6). While this number may seem impressive, it does not accurately reflect the reality of the cybercriminal ecosystem or the popularity of a messaging application. It is, for instance, natural that Telegram links predominate on Telegram itself, as they are links between channels and groups on the platform. Moreover, the raw data contains many duplicates (links or IDs shared multiple times by the same or different threat actors).

Figure 5: This is a precise yet conservative estimate of the number of published links/IDs for various messaging apps on cybercrime forums in 2024, meaning the actual number could be slightly higher. Source: Flare.io
Figure 6: Pavel Durov was arrested on the 25th of August 2024, Telegram announced that it will increase cooperation with law enforcement on the 23rd of September 2024. No substantial impact can be observed. Source: Flare.io

For instance, in 2024, 10 threat actors in Flare’s data were responsible for the vast majority of published Discord links (see Figure 7). Removing these top 10 actors from the dataset caused the number of shared Discord invite links in our database to drop from 2.8 million to just 91,000 over the past year. Moreover, numerous duplicates were present among these links. Interestingly, the vast majority of Discord links were published on Telegram, highlighting a clear interest in this messaging app among Telegram users.

Figure 7: Example of threat actors publishing several thousands of messages with Discord links on cybercrime Telegram channels and forums in 2024. Source: Flare.io

II. Telegram Reign Continues: More Than a Messenger - The Social Network of Cybercrime

To better assess the popularity of messaging apps, let’s refine the data by focusing only on unique links and messenger IDs shared on cybercrime forums. As shown in Figure 8 below, the number of unique links and Telegram usernames published on cybercrime forums in 2024 is incomparably higher than that of any other messaging app. Far behind, the second and third most popular apps, Discord and Session, have seemingly not clearly benefited from Telegram’s setbacks or the concerns raised by its increased cooperation with law enforcement. As of January 2025, Telegram still reigns supreme, and its usage in the cybercriminal community has not substantially dropped.

As shown in the interactive Figure 8, when only selecting Signal, this messenger seems to be the only one that has gained traction following Pavel Durov’s arrest and Telegram’s policy changes. The rise in newly shared Signal invite links between September and December 2024 strongly suggests a correlation between the timing of these events. Nevertheless, the popularity of Signal remains marginal.

Figure 8: Pavel Durov was arrested on the 25th of August 2024, Telegram announced that it will increase cooperation with law enforcement on the 23rd of September 2024. No substantial impact of these events can be observed except for Signal. Source: Flare.io

III. Correlation Between the Type of Threat Actor’s Activity and Choice of Messaging App

To answer our second question, about the influence of a threat actor’s criminal activity on their choice of messaging app, Flare looked at the forums on which the majority of messaging app links and IDs were published and at the nature of the criminal activity of the threat actors who published them.

  • Discord invite links were primarily found on forums like Nulled and Cracked – both recently seized by law enforcement [8] – as well as VeryLeaks and DemonForums. They were mostly published by younger individuals often present in gaming-focused communities and sometimes involved in low-level cybercrime.
  • Matrix/Element IDs were mainly found on drug-focused forums such as RuTOR, RCclub and BigBro, and marginally on the Russian-language fraud forum Probiv. In Flare’s data lake, Matrix/Element was predominantly used by threat actors buying and selling drugs or involved in fraud schemes.
  • TOX and Jabber IDs were predominantly shared on XSS, CrdPro, BreachForums, and Exploit, by cybercriminals often involved in the sale of corporate accesses, ransomware, or corporate databases (see an example in Figure 9).

Figure 9: A threat actor announced in December 2024 on XSS that he sells access to an American real-estate company with 25 million dollars in revenue. TOX IDs are almost the only contacts left by initial access brokers on Russian-speaking communities. Machine translated from Russian.

It is important to note that a substantial number of threat actors use multiple messaging apps simultaneously (see Figure 10). This is especially true for those offering services to other cybercriminals. Maintaining easy accessibility is essential for any commercial activity; therefore, threat actors selling services such as cryptocurrency exchange and money laundering, hosting, malware obfuscation, or development often provide multiple communication channels. The interactive Figure 11 below, highlights this reality and allows you to explore different combinations of messenger apps links and IDs found in a single forum post in 2024. Telegram in combination with other messaging apps remains the most popular combination among all others highlighting once more the resilience of this communication tool.

Figure 10: A threat actor advertising a cryptocurrencies exchange and cashout service on Exploit can be contacted on Telegram, TOX, or Jabber.
Figure 11: Source: Flare.io

Final Thoughts and Potential Future Research

The collection of this data has also allowed us to identify links between different messenger IDs and correlate them. As shown in Figures 12 and 13, it is possible to determine which threat actor uses which messaging app. The next step will be to include usernames, making it easier to study malicious actors and automate the discovery of their handles and communication channels—but that’s a story for another time. ;)

Figure 12: Example of clusters of collected messenger links and IDs. Source Flare.io
Figure 13: Example of a cluster of messenger IDs belonging to the same threat actor but found on different posts on forums and Telegram channels.
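The two measurements used in this post, the unique-contact counts of Sections I and II (Figures 5 and 8) and the correlation of IDs that appear together in a post (Figures 11 to 13), can both be reproduced with a small amount of code. The following Python is an added example, not code from the original post or from the Flare platform, whose extraction and correlation logic is not public. It extracts contacts for the apps discussed above with regular expressions, normalizes them so that one contact written in two ways counts once, counts unique contacts per app, and then clusters contacts with union-find so that any two that ever share a post end up in the same group. The sample posts are constructed.

```python
"""Extract messenger contacts from forum posts and cluster co-occurring ones.

Added example, not code from the original post or from the Flare platform,
whose extraction and correlation logic is not public. The sample posts are
constructed. Jabber addresses are taken only after a "jabber"/"xmpp" cue,
because a bare user@domain string is ambiguous.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set

HEX = "[0-9A-Fa-f]"
PATTERNS = {
    "telegram": re.compile(r"(?:https?://)?t\.me/(?:joinchat/|\+)?[A-Za-z0-9_-]{4,}", re.I),
    "discord": re.compile(r"(?:https?://)?(?:discord\.gg|discord\.com/invite)/[A-Za-z0-9-]{2,}", re.I),
    "signal": re.compile(r"(?:https?://)?signal\.(?:group|me)/#[A-Za-z0-9_+/=.-]+", re.I),
    "tox": re.compile(rf"(?<!{HEX}){HEX}{{76}}(?!{HEX})"),        # 76 hex chars
    "session": re.compile(rf"(?<!{HEX})05{HEX}{{64}}(?!{HEX})"),  # 66 hex chars, "05" prefix
    "jabber": re.compile(r"(?:jabber|xmpp)\W{0,3}([A-Za-z0-9._-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})", re.I),
    "matrix": re.compile(r"@[A-Za-z0-9._=/-]+:[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
}


def _normalize(app: str, raw: str) -> str:
    """Canonical form so the same contact written differently counts once."""
    raw = re.sub(r"^https?://", "", raw, flags=re.I)
    if app == "discord":      # invite codes are case-sensitive, the host is not
        return "discord.gg/" + raw.rsplit("/", 1)[-1]
    if app == "tox":
        return raw.upper()
    if app == "signal":       # the URL fragment carries case-sensitive key material
        return raw
    return raw.lower()        # telegram, jabber, matrix and session are case-insensitive


def extract_contacts(text: str) -> Dict[str, Set[str]]:
    """Map app -> normalized contacts found in one post."""
    found: Dict[str, Set[str]] = defaultdict(set)
    for app, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            raw = m.group(m.lastindex) if m.lastindex else m.group(0)
            found[app].add(_normalize(app, raw))
    return dict(found)


def count_unique(posts: List[str]) -> Dict[str, int]:
    """Unique contacts per app across all posts (the measure behind Figure 8)."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for post in posts:
        for app, contacts in extract_contacts(post).items():
            seen[app] |= contacts
    return {app: len(contacts) for app, contacts in sorted(seen.items())}


def cluster_contacts(posts: List[str]) -> List[Set[str]]:
    """Union-find: contacts that ever appear in the same post share a cluster,
    so a Telegram handle reused next to a new TOX ID links both to one actor."""
    parent: Dict[str, str] = {}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for post in posts:
        keys = [f"{app}:{c}" for app, cs in extract_contacts(post).items() for c in sorted(cs)]
        for k in keys:
            parent.setdefault(k, k)
        for k in keys[1:]:
            root_a, root_b = find(keys[0]), find(k)
            if root_a != root_b:
                parent[root_b] = root_a
    groups: Dict[str, Set[str]] = defaultdict(set)
    for k in parent:
        groups[find(k)].add(k)
    return sorted(groups.values(), key=lambda s: (-len(s), min(s)))


# Constructed posts (not real forum content).
SAMPLE_TOX = "0123456789ABCDEF" * 4 + "0123456789AB"
SAMPLE_SESSION = "05" + "ab" * 32
SAMPLE_POSTS = [
    "Crypto exchange and cashout, 24/7. TG: t.me/cashout_service | tox: "
    + SAMPLE_TOX + " | jabber: cashout@exploit.im",
    "Selling access to a US company, 25M revenue. Contact via tox only: " + SAMPLE_TOX.lower(),
    "Free combolists, join https://discord.gg/AbC123xy or t.me/AbC_community, session: " + SAMPLE_SESSION,
    "New contact for the cashout service: https://t.me/Cashout_Service and signal.group/#CjQKIExampleOnly",
]

if __name__ == "__main__":
    print(count_unique(SAMPLE_POSTS))
    for group in cluster_contacts(SAMPLE_POSTS):
        print(sorted(group))
```

On the constructed posts the cashout service’s Telegram handle, TOX ID, Jabber address and new Signal link collapse into one cluster even though no single post lists all four, which is the effect shown in Figure 13; the second cluster (Discord, Telegram, Session) stays separate. Normalization matters: without lower-casing, t.me/Cashout_Service and t.me/cashout_service would be counted twice and the Signal link would never join the first cluster.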

Sources

[1] Abrams, Lawrence. “BreachForums v1 Database Leak Is an OPSEC Test for Hackers.” BleepingComputer, July 24, 2024. https://www.bleepingcomputer.com/news/security/breachforums-v1-database-leak-is-an-opsec-test-for-hackers/.

[2] Green, Matthew. “Is Telegram Really an Encrypted Messaging App?” A Few Thoughts on Cryptographic Engineering (blog), August 25, 2024. https://blog.cryptographyengineering.com/2024/08/25/telegram-is-not-really-an-encrypted-messaging-app/.

[3] Melander, Ingrid, and Guy Faulconbridge. “Telegram Messaging App CEO Durov Arrested in France.” Reuters, August 25, 2024, sec. Europe. https://www.reuters.com/world/europe/telegram-messaging-app-ceo-pavel-durov-arrested-france-tf1-tv-says-2024-08-24/.

[4] Gatlan, Sergiu. “Telegram Now Shares Users’ IP and Phone Number on Legal Requests.” BleepingComputer, September 23, 2024. https://www.bleepingcomputer.com/news/security/telegram-now-shares-users-ip-and-phone-number-on-legal-requests/.

[5] Toulas, Bill. “Telegram Hands over Data on Thousands of Users to US Law Enforcement.” BleepingComputer, January 7, 2025. https://www.bleepingcomputer.com/news/legal/telegram-hands-over-data-on-thousands-of-users-to-us-law-enforcement/.

[6] XSS.is (ex DaMaGeLaB). “Tox 1.17.6 / RCE,” May 25, 2023. https://xss.is/threads/88898/.

[7] “Release v1.18.0 · TokTok/qTox,” GitHub, January 1, 2025, https://github.com/TokTok/qTox/releases/tag/v1.18.0.

[8] Gatlan, Sergiu. “Police Seizes Cracked and Nulled Hacking Forum Servers, Arrests Suspects.” BleepingComputer, January 30, 2025. https://www.bleepingcomputer.com/news/security/police-seizes-cracked-and-nulled-hacking-forum-servers-arrests-suspects/.

The post The Underground’s Favorite Messenger: Telegram’s Reign Continues appeared first on Flare | Cyber Threat Intel | Digital Risk Protection.

MOVEit Repackaged and Recycled https://flare.io/learn/resources/blog/moveit-repackaged-and-recycled/ Thu, 12 Dec 2024 16:30:12 +0000

The post MOVEit Repackaged and Recycled appeared first on Flare | Cyber Threat Intel | Digital Risk Protection.


The largest repackage and re-post of an old leak

In November 2024, a hacker known as "Nam3L3ss" allegedly released previously undisclosed data from the MOVEit breach of May 2023. This leak consisted of millions of records, including sensitive employee and big-brand corporate information, significantly escalating the breach's impact. Digging into this story reveals that Nam3L3ss claims to be a hacktivist freeing information from many previous breaches, not just MOVEit.

MOVEit History

MOVEit is a managed file transfer software product produced by Ipswitch, Inc., now a subsidiary of Progress Software. MOVEit encrypts files and uses FTP (file transfer protocol) to transfer data. On May 31, 2023, Progress disclosed a pre-authentication SQL injection vulnerability in MOVEit Transfer and MOVEit Cloud, later assigned CVE-2023-34362. This vulnerability turned out to be a 0-day that was being actively exploited in the wild.

Attackers exploited this vulnerability on public-facing servers, allowing them to deploy a web shell called “LemurLoot,” disguised as legitimate ASP.NET files. This enabled the exfiltration of sensitive data from affected organizations.

In May 2023, the ransomware group Cl0p exploited the 0-day vulnerability to gain access to MOVEit instances worldwide. Cl0p published a blog post about the breach, warning affected organizations that they had until June 14th to pay a ransom or risk having their data made public. Organizations disclosed in June 2023 included the Government of Nova Scotia, BBC, British Airways, and the United States Department of Energy amongst hundreds of others.

Cl0p extorted victims over the course of June, July, and August, posting batches of victims and leaking their data via BitTorrent. Then we didn't hear from them.

The Rise of Nam3L3ss

Over a year later, Nam3L3ss claimed to have MOVEit-related data from prominent companies. These leaks had not previously been claimed by Cl0p and sparked theories as to the origins of this data. While these leaks appear new, they are, in fact, repackaged data from Cl0p's breach. This is the largest repackaging of old information to ever happen.

The repackaged data was extracted, for now, from four compromised companies’ files from the Cl0p MOVEit breach. Nam3L3ss strategically reorganized and repackaged data from companies impacted by the MOVEit breach, presenting it in a way that emphasized high-profile clients. For example, Company A, a contractor for Company B, had its compromised files containing a directory labeled “Company B.” Nam3L3ss extracted and leaked this directory separately, branding the leak as “Company B” to amplify its significance.

This approach transformed a voluminous and unstructured leak into a targeted release, naming and organizing the leaks after the recognizable clients rather than the original contractors. This repackaging tactic, likely aimed at maximizing public attention, has the consequence of increasing pressure on the implicated companies.

Nam3L3ss is a hacktivist claiming to liberate data. He posted a manifesto on BreachForums and operates a blog at nam3l3ss.bearblog[.]dev. Here's an excerpt from his blog:

Data I post is NOT a secret, everything I post the Criminal already have it!
It's only the Politicians, Government Agencies, and sorry to say the Public in general who have their heads buried in the sand about just how much information is floating around the internet on them, and extremely Personal information!
I am tired of Governments allowing Companies to SELL data on people and Data Brokers with terrible security or protections on their data.
Who really owns the Data on you? IS it YOUR data or do Companies OWN your private data and have a right to SELL it to anyone they desire?
Think about that for a minute, Companies treat YOU and your information as something they OWN! It does NOT belong to you they say, so they are FREE to SELL your data to whoever they want whenever they want and YOU have NO SAY!

Nam3L3ss insists he is not affiliated with Cl0p ransomware

Although he insists on this (see the forum post screenshot below for details), we have so far confirmed that all of the repackaged breaches we looked at came from the MOVEit breach of 2023.

Here is the list of breaches he allegedly possesses:

  • Cl0p: 16.9TB
  • Medusa: 10.3TB
  • Snatch: 8.8TB
  • Ragnar_Locker: 871.9GB
  • Qilin: 765.5GB
  • EXConfidential: 746.9GB
  • Marketo: 735.9GB
  • Revil-Sodinokibi-Happy[.]Blog: 569.2GB
  • Lockbit: 343.2GB
  • Nefilim: 314.6GB
  • CL0P-TA505: 281.8GB
  • Lorenz: 254.3GB
  • Suncrypt: 239.0GB
  • Avaddon: 200.5GB
  • EVEREST: 198.3GB
  • DARKSiDE: 148.2GB
  • 00[.]Resort: 133.4GB
  • Blackmatter: 124.3GB
  • Anonymous: 123.8GB
  • Conti-Ryuk: 112.2GB
  • Phineas[.]Fisher: 98.7GB
  • cdn.databases[.]today: 80.6GB
  • PlayNews: 74.6GB
  • Cuba: 70.6GB
  • Ragnar: 63.5GB
  • Babuk: 61.6GB
  • Mount[.]Locker: 60.4GB
  • ContiNews: 33.4GB
  • Vice[.]Society: 16.8GB
  • AtomSilo: 16.3GB
  • 5c4qycmxc2xk4t6p64xyz6f4z7: 14.7GB
  • Pysa: 14.3GB
  • DoppelPaymer: 6.5GB
  • Lockbit2.0: 5.1GB
  • Lulzsec: 5.0GB
  • 0mega: 4.6GB
  • f[u]ck[.]delivery: 3.1GB
  • atlaszppqsv6mu7[.]onion: 1.5GB
  • nuclearleaks[.]com: 1.1GB
  • RansomEXX: 1.1GB
  • AvosLocker: 718.7MB
  • Grief: 601.0MB
  • [EXCONFIDENTIAL]: 594.1MB
  • Payload[.]bin: 405.5MB
  • nexeya[.]com: 89.1MB

Repackaging Enabled by Supply Chains

These four companies were contractors for larger corporations, providing services that integrate into their operations. While a company may invest heavily in its own security infrastructure, its overall security posture is only as strong as its weakest link. Supply chain monitoring is not just a precaution but a necessity to mitigate the risk of security failures at third-party contractors and suppliers.

Flare customers can access a TLP:Amber article in our research center covering the breach victims as disclosed by Nam3L3ss as of December 6th 2024. 

We would like to thank Estelle Ruellan, Olivier Bilodeau, Tammy Harper, and Mathieu Lavoie for their help on this article.

Dark Web Investigations and Flare

The Flare Threat Exposure Management (TEM) solution empowers organizations to proactively detect, prioritize, and mitigate the types of exposures commonly exploited by threat actors. Our platform automatically scans the clear & dark web and prominent threat actor communities 24/7 to discover unknown events, prioritize risks, and deliver actionable intelligence you can use instantly to improve security.

Flare integrates into your security program in 30 minutes and often replaces several SaaS and open source tools. Learn more by signing up for our free trial.


The Typology of Illicit Telegram Channels https://flare.io/learn/resources/blog/the-typology-of-illicit-telegram-channels/ Fri, 05 May 2023 18:57:37 +0000

The post The Typology of Illicit Telegram Channels appeared first on Flare | Cyber Threat Intel | Digital Risk Protection.


Cybercriminals always seem to be looking for new and innovative ways to commit their crimes more efficiently. In the past, the dark web and parts of the deep web were some of the most common places where cybercriminals could be found running their schemes. However, many criminals have moved over to more secure online messaging apps, such as Telegram, in order to continue their illicit activities publicly.

In recent years, Telegram has become increasingly popular with cybercriminals, who create channels for individuals and groups to engage in criminal activity. This is due in part to Telegram allowing users to have end-to-end encrypted messaging, providing a secure platform to connect and communicate with others freely. Telegram also provides its users with more anonymity than other online messaging apps, which makes it an attractive and easy avenue for illicit activities to occur without the ramifications of being caught by law enforcement.

This increase in criminal activity on secure messaging apps like Telegram has made it harder for authorities to proactively monitor and regulate the illicit activities and content shared openly in these communities. In this post we will cover why illicit Telegram channels are a growing issue, the common types and characteristics of these channels, the risks and challenges related to them, and ways to mitigate the impact of these growing illicit communities.

Illicit Telegram Channels: Why are they a Growing Issue?

The rise of Telegram and similar encrypted messaging platforms has allowed countless users to connect and message others with more anonymity. While many channels on the platform are used for legitimate communication and to build private communities, a lot of channels have also been created for more nefarious reasons. The privacy of Telegram messaging has allowed more criminals and other malicious actors to grow illicit Telegram channels and communities specifically to conduct criminal activities.

One of the main reasons that Telegram has become a large hub for illicit activities is the ease with which users can locate and join many of these channels. Although many of the illicit channels we researched did require approval to join, numerous others required no approval and were easily searchable once the app was installed. For example, users can simply search for the type of criminal activity they are interested in and join the channels that match.

Another reason that illicit Telegram channels have been growing in popularity is the rise of cryptocurrencies and other forms of digital currency. Many cryptocurrencies offer users a greater level of anonymity and untraceability when exchanging payments between individuals and malicious groups. Cryptocurrencies such as Bitcoin and Ethereum are among the most commonly used on illicit Telegram channels, since they are the most widely adopted cryptocurrencies globally.

Many illicit Telegram channels have also increased in popularity because they allow criminals to collaborate and share the latest exploits with one another. The rise of online messaging apps like Telegram has allowed cybercriminals from all over the world to connect and create more communities. Additionally, many of these individuals and groups are more than willing to teach those new to cybercrime how to conduct attacks, hack, or carry out criminal activities themselves, with the help of those more seasoned and experienced in these activities.

Screenshot from an illicit Telegram channel showing buttons that link to various services: Add to your channel, Paid Promotion Available, Premium A/C, Learn Hacking, Bins, Crack Account, Join Paid Private Channel, and Learn Crypto.

Common Types and Characteristics of Illicit Telegram Channels

On Telegram there are many different types of channels that users can search for. Some of these channels are fully legitimate and others nefarious. The illicit channels that can be found on the app range from financial fraud to extremist organizations communicating their latest activities and content.

Our in-depth research into these channels uncovered several different types of criminal activity that are popular on Telegram. The following are several of the most common types of illicit channels found on Telegram and the tactical characteristics of the criminal activity that can be found on them.

1. Carding

Carding is one of the most commonly found illicit activities that is conducted on Telegram. Carding is essentially the practice of stealing credit card information from victims through various methods that can include phishing, skimming, and data breaches. Criminals will then take that information and sell it within the Telegram channel for a small fee.

Screenshot that shows different balances for stolen banking credentials and the price for that information. The 10 accounts for sale range from having balances of $221.78 to $1,638.81, sold for as low as $10 to $40.
A threat actor sells stolen banking credentials for accounts with balances that range from $221.78-$1,638.81 for $10-$40.

What makes carding so lucrative, profitable, and popular among these illicit communities is the ease of use and accessibility of the app. More seasoned hackers can sell the payload from a data breach or multiple successful phishing attacks to others. For example, if a hacker is able to steal information from a large batch of victims, they can sell that data for a small profit.

Screenshot of a threat actor selling four sets of stolen credentials for bank accounts. The accounts have balances ranging from $1909 to $4600, sold for $170 to $408.
A threat actor sells stolen credentials or logs for multiple bank accounts.

Many cybercriminals can also employ and program bots to post credit card information across multiple channels, increasing their profitability. Additionally, these channels can also allow criminals to easily share, collaborate, and sell carding tools, guides and training to help other malicious users conduct their own schemes successfully.

2. Bank Account Logins

Bank account logins are another popular type of illegal activity that can be seen on many of the Telegram fraud channels found on the app regularly. Similar to carding, selling victim bank account information on Telegram can result in a high payout for criminals. This is due to the ease of access to stolen funds with minimal effort from purchasers on the channel.

Screenshot of a bank account with about a $5000 balance. There is a caption at the bottom “[Redacted] $5k emt or log for sale comes with addy phone email dob”
A threat actor sells bank account information for an account with about a $5,000 balance.

Criminals that sell bank account logins often find this type of malicious activity in high demand and low risk in terms of getting caught by law enforcement. This allows the seller to make a good profit on the data. Many of these cybercriminals acquire the information from phishing attacks or from large batches of data obtained through breaches.

Screenshot of an advertisement for an illicit Telegram channel offering stolen credentials for multiple financial apps and for U.S., U.K., and Canadian banks.

Selling bank account logins on illicit Telegram channels is also not limited to just bank account information. Several of the illicit Telegram channels we researched also offered account logins for payment apps. Users on the channels can also purchase account logins for other applications as well, like streaming services.

3. DDoS

Over the past few years, secure messaging apps like Telegram have also been host to illicit channels that connect threat actors from all over the world without selling any stolen data. These channels are often made up of hackers that join together to conduct distributed denial of service (DDoS) attacks. While they may not be selling victim information like in the illicit channels that conduct carding or sell bank logins, these types of channels can still be dangerous to organizations around the world.

Screenshot of a DDoS attack Telegram channel with links for other threat actors to join DDoS attacks on multiple German organizations.

The security and anonymity of Telegram messaging within channels allow multiple parties to participate in active attacks against nation-states, organizations, and businesses more effectively. These illicit DDoS Telegram channels also allow hackers to utilize bots to aid in the orchestration of their attacks.

4. Botnets

Botnets have been used on illicit Telegram channels for a variety of reasons. A botnet is a network of compromised devices that are controlled and commanded by centralized servers. The administrators of these botnets, commonly known as botmasters, can then carry out a multitude of attacks against targets. These attacks often include DDoS attacks, spamming, phishing attacks, credential stuffing, and other malicious activities.

Screenshot of an advertisement for a threat actor’s channel selling botnet subscriptions for seven day, 30 day, and infinite access.
A threat actor advertises subscriptions to their botnet channel.

Botnets are attractive to cyber attackers because they provide more anonymity and also allow for increased reach and flexibility with the infected devices when deployed appropriately. Many botmasters also sell access to botnets within illicit Telegram channels in order to help other criminals expand their own attacks.

5. SIM Swapping

Another notable issue that can occur on illicit Telegram channels is SIM swapping. SIM swapping is essentially a form of cyber attack that allows a hacker to take over control of someone else's mobile phone number to use for illicit purposes. For example, an attacker can phish or social engineer an intended target into providing information about their account with their carrier. Once they have the information needed, they can then transfer the phone number to a separate SIM card that the attacker controls.

Threat actor shares a screenshot of what looks like an automated SIM card activation text from a carrier with the caption “swap done” below.
A threat actor scammed a victim into swapping their SIM card.

SIM card swapping can also allow cybercriminals to intercept any activity that would occur on that phone number, including SMS-based two-factor authentication (2FA) codes. While many mobile phone carriers have taken measures to crack down on SIM swapping to protect their customers, the problem can still be seen throughout illicit Telegram channels.

6. User Data Lists

User information and data lists, also known as combolists, have become an increasingly important component of the information being sold and shared on illicit Telegram channels. These combolists are often used by cybercriminals to carry out several different types of attacks, such as credential stuffing and account takeovers. Often this information is acquired through data leaks or phishing attacks and is then openly shared, traded, or sold for cryptocurrency amongst criminals.

Threat actor shares a screenshot of combolists for various Swedish websites. The caption “669k sweden combolist” is below the screenshot.
A threat actor shares a combolist of stolen information from Swedish accounts.

These combolists are often constructed from a large amount of sensitive user data that can include email addresses, usernames, passwords, security questions and answers, and access tokens or API keys for bypassing authentication on websites or applications. Combolists are often sold, shared, or traded on illicit Telegram channels as large data sets, which allows criminals to receive the information in bulk.

Combolists are lucrative for cybercriminals because they provide widespread unauthorized access that can be used to conduct further attacks on organizations. They are also easy to distribute in bulk and offer a good return on the purchase or trade: even if some of the credentials no longer grant access, there may still be many other combinations in the larger combolist that hackers can exploit.

7. Russian Hacktivism

Over the past few years, hacktivism has been a growing issue on Telegram due to the ease of access between multiple hacker groups. Among the illicit Telegram groups we researched, Russian hacktivism was the most prominent. Many of the Russian hacktivist groups that use Telegram do so in order to communicate, recruit, and share resources and tools with other hackers, with the goal of getting them to join their cause.

Screenshot of a Russian hacktivist group recruiting other threat actors to join their cause.

The issue with Russian hacktivism on illicit Telegram channels is that it allows these groups to increase their attack vectors and reach, causing more damage to targets. It allows for more rapid information dissemination and radicalization among groups looking to share, train, and recruit more hackers to join their cause. More threat actors can then mount more successful attacks against targeted organizations. This also exposes targeted organizations and businesses to the possibility of cross-border attacks from multiple countries and hacker groups, ultimately making the attack surface harder to manage against the threat actors that join these hacktivist groups.

8. Stealer Logs

Stealer logs are another valuable item commonly sold on illicit Telegram channels. These stealer logs often contain data that includes passwords, usernames, credentials, credit card numbers, and other PII. In contrast to combolists, stealer logs are data that has been collected by malware running on victims' infected devices. These logs are then sold and distributed to other criminals for their own malicious use, which can include conducting their own attacks against organizations.

Screenshot advertising stealer logs. The sections in this ad include “Windows stub features,” “Apps collection,” “Wallets,” and “Payload available extensions lists.”
Threat actor sells stealer logs and outlines various features.

Challenges Related to Illicit Telegram Channels

As criminal activity and illicit channels on Telegram continue to increase, the app has attempted to take measures to mitigate these issues more effectively. In its Terms of Service, Telegram states that by joining, users agree not to engage in illicit activity. Users are encouraged to report any criminal channels or activity directly in the app. Although Telegram has stated that it does not support or condone any illicit activity on the app, many countries have enforced bans on using the app.

Many individuals and companies have continued to be targeted by cybercriminals using Telegram due to the illicit channel activity that can occur on the app regularly. Here are some of the risks and challenges that many organizations continue to face from the online criminal activity still occurring on Telegram:

1. Data breaches – countless illicit Telegram channels often will sell user data, personally identifiable information (PII), account logins, credit card information, and other confidential information obtained through various methods to the other criminals for a profit.

2. Reputational damage – organizations can face the ramifications of malicious content or data shared on illicit Telegram channels. This can cause brands to lose profits, shareholders, and stock values due to reputational damage. 

3. Difficulty in monitoring criminal activity – Telegram’s purpose is to provide end-to-end encrypted messaging for users of the platform. Although it can be a secure way to communicate with others, the lack of stored metadata, such as IP addresses, associated with the app can make it challenging for organizations to proactively mitigate the criminal activity targeted at them when conducted on the platform. 

4. Operational disruptions – the amount of malware and DDoS attacks that can be spread and shared within many illicit Telegram communities can cause operational damages to companies. For instance, some criminally motivated DDoS groups can promise to take an organization’s website offline for up to 24 hours or more. This can cause disruptions to daily operations, systems, and supply chains.

5. Intellectual property piracy – in addition to data leaks, cybercriminals can leak confidential data from organizations within illicit Telegram channels regularly. This malicious content can be shared openly about organizations which can include their copyrighted content, trade secrets, controlled data, and other confidential information pertaining to that organization. It can lead to brand damage, financial losses, and more. 

6. Legal fines and penalties – the malicious content that can be shared with others on illicit Telegram channels can ultimately cost businesses legal fines and penalties. Even organizations who have enlisted practical cybersecurity measures can still become a target victim within some of these illicit communities. 

How Flare Helps Safeguard Against Illicit Telegram Channels 

Protecting your digital footprint in today's threat landscape is critical. As the growth of illicit Telegram channels steadily continues, Flare provides you with comprehensive threat intel support to better manage your organization's exposure. Through our data leak monitoring, Flare provides 24/7 monitoring capabilities to help prevent data leaks and protect your intellectual property. With Flare's user-friendly dashboard and multiple application integrations, you can rest easy knowing your high-risk exposures are mitigated effectively. Register for your free trial today to get started.


The Cybercrime Assembly Line https://flare.io/learn/resources/blog/cybercrime-assembly-line/ Thu, 02 Feb 2023 17:56:55 +0000

The post The Cybercrime Assembly Line appeared first on Flare | Cyber Threat Intel | Digital Risk Protection.


Back in 2018, the Center for Strategic and International Studies came to the conclusion that cybercrime cost the world approximately $600 billion annually, nearly 1% of global GDP. The cyber threat landscape has been constantly evolving, and the amount of money lost to cybercrime has only been increasing. According to IBM, the cost of data breaches has increased 12.7% in the last two years, and the number of cybercrime incidents has never been higher. Unfortunately, all evidence seems to point towards this trend continuing, as threat actors are always looking for ways to improve their attacks and gain efficiency.

A factor that may be contributing to the sophistication of threat actors is the commodification of cybercrime. Just as in legitimate modern supply chains, we are seeing niche specialization and efficiency gains as threat actors become proficient at one specific part of the cybercrime supply chain. The adoption and evolution of the "as a Service" (aaS) business model in the cybercrime industry has made committing cybercrime easier, providing convenient access to advanced tools and services to even the least sophisticated threat actors.

Screenshot of LabHost's membership signup page, headed "Ready to start spamming?", with options to select a location (North America or Worldwide), a billing period (Monthly, Quarterly, or Yearly), and a Standard or Premium plan.
LabHost is a Phishing as a Service provider with a fully fledged infrastructure, enabling users to host a chosen phishing page and send spam emails to their victims, who are then prompted to log in to the impersonated service.

Anything as a Service

The expanding adoption of Ransomware as a Service (RaaS) allowed the ransomware group LockBit to gain in notoriety and volume, to the point of being the most active ransomware in the world. Following an aaS model, the LockBit ransomware is used by affiliates and Initial Access Brokers (IABs) to infect a targeted organization and extract payments, after which the LockBit group may keep up to ¼ of the ransom payment. This division of labor allows each party to refine its operation, with the RaaS operators focusing on improving and updating their malicious software, and affiliates and IABs developing and optimizing ways to penetrate systems.

Screenshot of the LockBit 3.0 "blog." The page shows 16 different blocks representing the stolen data of its victims, with the information blurred.
The LockBit 3.0 "Blog." Hosted on the dark web, LockBit publishes the data stolen from its victims on this blog-style page, unless the victim pays the ransom.

Following the same idea, it should come as no surprise to see the aaS model being adopted widely in other areas of cybercrime: malicious actors offering Phishing as a Service, where threat actors can easily set up phishing pages from various phishing kits offered on rented Virtual Private Servers (VPS); botnet operators renting out their infrastructure to perform a Distributed Denial of Service (DDoS) attack on a targeted network (DDoS as a Service); stealer malware developers focusing on development by following the Malware as a Service model, as with the RedLine stealer; or sometimes all of the above at once.

Screenshot of Eternity, a dark web hosted shop. The background is black. There are six circles with icons in them, with text below each one for "Stealer," "Miner," "Clipper," "Ransomware," "Worm+Dropper," and DDoS bot.
Eternity is a dark web hosted shop, providing what can essentially be described as “Cybercrime as a Service”, with offerings ranging from traditional malware to a DDoS service.

This evolution in the cybercrime supply chain represents a major concern for everyone, and a growing challenge for the cybersecurity industry as a whole. The ease of use provided by those services, as well as a comprehensive support system provided by the service operators, may well lead to increased adoption of sophisticated tools as well as a new generation of threat actors attracted to the ease of use offered. The refinement of the tools available to threat actors, paired with the ease of (relatively) anonymous communication the Telegram message application provides, will undoubtedly lead to an increasing amount of advanced threats tomorrow’s organizations will have to face.

“Know thy enemy and know yourself; in a hundred battles, you will never be defeated. When you are ignorant of the enemy but know yourself, your chances of winning or losing are equal. If ignorant both of your enemy and of yourself, you are sure to be defeated in every battle.” – Sun Tzu, The Art of War

Cyber attacks are, and will remain, a major issue for today’s organizations. Being better prepared starts with knowledge; knowing how threat actors operate, their tactics and their techniques is of vital importance. This can help in being able to respond to the inevitable cyber attacks and mitigate their impact.

Screenshot of the Frappo Group's Telegram channel where administrators share updates. The background is navy. There are six messages discussing fixed issues and updates.
Frappo is yet another “Phishing as a Service” provider. The administrators are active on Telegram, where they publish updates related to their software, as well as manage a group chat where their users communicate (not pictured here).

Disrupt the Cybercrime Supply Chain with Flare

As threat actors’ methods develop in complexity, cyber teams need to stay ahead of them. Accelerate your organization’s threat identification speed by five times with Flare. Book a demo to learn how Flare can help your team.

The post The Cybercrime Assembly Line appeared first on Flare | Cyber Threat Intel | Digital Risk Protection.

]]>
ToRReZ Market Shutting Down https://flare.io/learn/resources/blog/torrez-market-shutting-down/ Fri, 17 Dec 2021 11:04:00 +0000 https://flare.systems/torrez-market-shutting-down/

Two months after White House Market’s retirement comes another surprise: ToRReZ, currently the second largest market by total number of listings, has announced that it will be shutting down. After close to two years of operation, on December 17th, 2021, purchasing will be officially disabled, along with a few other essential market functions.

ToRReZ market administrator’s announcement.

Although ToRReZ’s listing volume was dominated by illicit substances, with nearly two thirds of its listings in the “Drugs and Chemicals” category, ToRReZ also hosted a large offering of fraud and other cybercrime-related listings. Considering that ToRReZ hosted 2,683 vendors, 1,412 of them active on the market in the last 7 days, and about 15% of all currently active darknet market listings, its departure will leave, as mrblonde puts it, “quite a big gap in darknet markets”.

Current Statistics of the market
Format: total / last 7 days

ToRReZ Market’s listings

One thing that is interesting to read in mrblonde’s goodbye letter is the following: “While choosing a new market, please use your common sense. I would personally avoid any “established” market as [the] older they get, [the] bigger chance of collapsing is. Please give a chance to the smaller markets, which are not [as] loud as others. This is exactly how we became no1 – being quiet and doing our job, serving customers 24/7 for 675 […] days.”
It is true that bigger markets leave room for a possible exit scam, when the market administrators find they have made a sufficient profit, or for an honorable retirement, as seems to be the case here. Small markets, on the other hand, often have difficulty gaining traction due to a lack of trust from buyers. After all, markets often act as an escrow for transactions and are also the medium through which “disputes” between buyers and vendors are handled; both functions require a trustworthy relationship between all parties involved. Ultimately, most buyers follow their favorite and trusted vendors to whichever market those vendors migrate to.

A Dread thread with vendors announcing where they will keep doing business.

With many big markets exiting the darknet market scene recently, it certainly makes for an interesting turn of events. Of course, the darknet market ecosystem is ever changing, and Flare will do its best to keep you up to date on everything in that regard.

White House Market Is Officially Retiring https://flare.io/learn/resources/blog/white-house-market-is-officially-retiring/ Mon, 04 Oct 2021 17:10:00 +0000 https://flare.systems/white-house-market-is-officially-retiring/

White House Market Is Officially Retiring

Updated: November 26th, 2021
As the article below is a bit out of date, here’s a breakdown of most of the large changes in the dark web marketplace scene:

  1. Empire Market exit scammed in August 2020
  2. DarkMarket was seized in January 2021
  3. Yellow Brick exited a few days after DarkMarket
  4. BigBlue was seized by Interpol in April 2021
  5. Aurora exit scammed a week later
  6. White House Market retired in October 2021

Who is the current darknet market leader? Dark0de.

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

One of the biggest dark web marketplaces, White House Market (WHM), officially announced its retirement on October 1st, 2021.

“We have reached our goal and now, according to plan, it’s time for us to retire. Effective immediately user registration and ordering have been disabled, everything else (yes, withdrawals included) is working as usual.”

In the darknet market scene, most markets usually run away with user funds (commonly known as an exit scam) or go offline after a law enforcement operation. In the case of White House Market, the market is “graciously” leaving the scene whilst finalizing orders. This is unusual, to say the least.


white house darkmarket shutdown announcement

WHM launched in August 2019 and heavily dominated the darknet market scene during its 2 years of operation. In the darknet community, WHM was known for its robust security practices, such as enforcing all communication through PGP and only accepting XMR for transactions. At the time of its retirement, WHM had 49,352 active listings, about 3,450 active sellers, and a whopping 819,490 order feedbacks. It is safe to say its absence will leave a major hole in the darknet market economy.

Now one question remains: Where will buyers and users flock to?

As we all know, the shutting down of a market never slows down the darknet economy; it is only a matter of knowing where transactions will take place next.

In White House Market’s goodbye letter, the market suggested that users migrate to specific types of darknet markets. The market commented, “any market can disappear at any time and for whatever reason (exit scam, law enforcement operation, hack, technical issue and so on) but markets like Monopoly (true wallet-less, direct deal) and Versus (enforced multisig) greatly minimize damage. You can also give a chance to new markets, we all have to start somewhere.”

In addition to WHM’s recommendation, we have also seen an uptick in AlphaBay’s popularity.

Last month saw the sudden revival of AlphaBay Market, an immensely popular market back in its glory days (2014-2017). AlphaBay’s online presence came to an abrupt stop after a Law Enforcement operation tracked down the market’s administrator and the servers on which the market was hosted.

At its prime, AlphaBay was ten times the size of its predecessor, Silk Road (which was busted in October 2013). The market had over 369,000 listings, 400,000 users, was facilitating US$600,000-$800,000 of transactions per day, and had reportedly built a strong reputation.

Now that AlphaBay’s former administrator DeSnake has relaunched the famous darknet marketplace, is WHM’s retirement the push he needed to bring AlphaBay back to the level it was at in its glory days? Some Dread users seem to think so.

white house darkmarket shutdown

One thing is for certain: AlphaBay Market saw the opportunity and acted on it by waiving the vendor registration fee for any vendors migrating from WHM.

After DarkMarket shut down earlier this year we predicted and witnessed the rise of WHM. As WHM has now shut down, we will of course be monitoring who will become the new leader of the darknet. Darknet marketplaces are an important hub when it comes to all things fraud related and we will ensure that we provide the greatest visibility of these marketplaces for the best prevention we can offer.

Slilpp Users Scammed Following Darknet Market Takedown https://flare.io/learn/resources/blog/slilpp-users-scammed-following-darknet-market-takedown/ Mon, 14 Jun 2021 17:23:00 +0000 https://flare.systems/slilpp-users-scammed-following-darknet-market-takedown/

slilpp seized by FBI

The US Department of Justice has taken down Slilpp, following an international collaboration between different law enforcement agencies. Slilpp emerged in 2012 and was one of the largest marketplaces for stolen credentials. According to specialized media, the FBI seized the website and placed a warning on the website.

Although it has only recently been publicized, this takedown seems to have happened about a month ago. We have come across various posts in our database from people searching for the new Slilpp since May 1st, 2021.

According to conversations held on some of the chat groups we are monitoring, people have been asking for the new Slilpp domain. The same question was posted on almost every single group in our database. In some cases, people even offered to pay for the link to the new domain.

A Slilpp dedicated chat group was still active at the time of writing, with a total of 554 subscribers.

Filling the Void

Scammers have been taking advantage of the void left by Slilpp with fake scam pages. We found two domains linking to Slilpp clones. The clones looked like Slilpp and contained text such as “slilpp new domain” and “slilpp onion link” in an attempt to improve their search engine ranking. Both sites use encrypted connections and have certificates verified by Cloudflare (issued on April 12, 2021) and Sectigo Limited (issued on May 24, 2021). This is likely intended to make the scam page appear more trustworthy. Also, the WHOIS record for one of the clones shows it was created back in March, about one month before we first started seeing people asking for the new domain.

This is likely an attempt to steal money and account credentials from other malicious actors. These credentials could then be used to access accounts on other markets.

The website is a frontend copy of the original, with a captcha field that is identical on the homepages of both domains mentioned, regardless of how many times the website is accessed. This is a static, useless field that only serves to make the website appear more legitimate. There are no dynamic elements. Users can enter any username and password, without even having an account, and they will be immediately logged in.

Once logged in, no matter what you choose, the page doesn’t change.

Additionally, the cart stays empty even after adding items.

In order to purchase information, the user is expected to fund their account by sending money to a Bitcoin address. Interestingly, one of the bitcoin addresses we found on the clones actually started receiving money last week, which indicates that the scammers may indeed be making money from this scheme.

Since June 6, “This address has transacted 16 times on the Bitcoin blockchain. It has received a total of 0.01717567 BTC ($691.87) and has sent a total of 0.01574938 BTC ($634.42). The current value of this address is 0.00142629 BTC ($57.45),” says data from Blockchain.com, at the time of writing.

However, according to Walletexplorer.com, the wallet has received a total of 0.29716661 BTC since 2021-02-01. That’s close to USD $12,000.

Aged like Wine

The WHOIS record of the domain we found says the domain was created last October. A quick Google search revealed a Google Support post with the link.

It appears this user was attempting to scam people back when Slilpp was still online, but is only now making money from it. A quick look at the Slilpp channel on Reddit shows that the whole subreddit is dedicated to phishing users looking for a new working domain.

Additionally, we found that the same user is potentially associated with Joker Stash malicious websites, which may also be scams.

Conclusion

This is not the first time we have detected copycats of popular markets. Knock-offs are not a surprise considering the constant complaints we have been reading on the channels we monitor, where malicious actors accuse others of trying to scam the community by impersonating notorious criminal groups, creating clones of popular markets, or simply selling fake databases or carding methods.

One of the most notorious clones was of the Silk Road, whose takedown by US law enforcement in 2013 significantly affected the criminal underground. The shutdown of multiple markets in the past years has opened the door for malicious actors to exploit the industry’s desperation for markets similar in size and scope. Based on the chat groups, forums and markets we have been monitoring for at least the past year, we have noticed an increase in market fragmentation, which may, in the future, make it more challenging for law enforcement to track down all the channels that keep popping up.

Research conducted by Luana Pascu and Francis Labelle

Cancel Culture Reaches the Criminal Underground https://flare.io/learn/resources/blog/cancel-culture-reaches-the-criminal-underground/ Thu, 03 Jun 2021 17:57:00 +0000 https://flare.systems/cancel-culture-reaches-the-criminal-underground/

In our ransomware report from late 2020, we explained how some ransomware groups were offering their services to others. Ransomware-as-a-Service (RaaS) has become popular and generated much discussion on the criminal underground. It represents an easy and accessible way for malicious actors to earn a few dollars.

In our report, we mentioned that ransomware groups were wary of the attention that hacking into sensitive organizations generated. These groups, for example, wanted nothing to do with malicious actors hacking into hospitals, government computers and schools. Public hacks brought bad publicity, attention from law enforcement, and were ultimately bad for business.

Colonial Pipeline Hacking

The attack against a major American pipeline, Colonial Pipeline, brought this issue to the forefront of news and cybersecurity discussions over the past weeks. The company was severely crippled by a ransomware attack that left it no choice but to shut down its pipeline, driving gas pump prices up sharply. The pipeline remained closed for a few days, until a USD$4.4 million ransom was paid and operations could be resumed.

Government agencies recommend that companies do not pay ransoms, no matter what the costs of not paying are. This is in line with the traditional ‘no negotiation with terrorists’ stance that we have heard so many times. It is believed that if companies stopped paying ransoms, the ransom problem would go away: malicious actors would move on to new activities that generate a better pay day.

Cancelling Ransomware Services

In the wake of the Colonial Pipeline attack, three large forums from the criminal underground decided to ban discussions and advertisements related to ransomware. This ban impacts ransomware-as-a-service advertisements, but also all other discussions of ransomware for sale in a more traditional sense. These forums effectively acted to make the RaaS disappear, and go even deeper underground, erasing a significant part of its recent history.

This is a significant but not unprecedented move. The criminal underground had in the past canceled advertisements and the sale of child pornography, weapons, poisons and hard drugs like fentanyl. These were believed not only to draw too much attention from the media, legislators and law enforcement, but also to be too small a market to generate enough revenue to compensate for the trouble they created.

Cancelling certain products made them much more difficult to find, even on the dark web. They also eliminated many of the regulations afforded by dark web marketplaces. As such, buyers and sellers now have to enter riskier transactions where they can more easily be taken advantage of. This ends up creating a lemon market, where lots of activity still happens, but in a more chaotic environment.

Looking Ahead at New Opportunities

These cancellations suggest that the media can influence the criminal underground. This is a major development, as social pressure could help us get rid of some of the most harmful aspects of the criminal underground.

Future news reports that would, for example, concentrate on small and medium business payday fraud could help draw malicious actors away from this practice, and prevent creating more victims of this extremely damaging fraud. Indeed, most small and medium businesses have no insurance or recourse when their lines of credit and bank accounts are emptied by malicious actors, and sometimes even have to go bankrupt because of the hack. We often feel powerless against malicious attacks, but this is a clear sign that organizing a response to attacks can help make them more difficult in the future.

Whether it comes as a service or from direct attacks, it is clear that ransomware is not a problem that is going away anytime soon. The Colonial Pipeline attack has shown that it was possible to make millions of dollars in a matter of days with this attack. This is simply too good of an opportunity to pass, and we expect malicious actors to continue their ransomware attacks. Access to this malware may now be more difficult however, and only be provided through chat rooms with little moderation. Access could also move to decentralized marketplaces and private markets.

In a sense, the media has managed to make it more difficult for unconnected malicious actors to get into the ransomware game. This may not change the focus of cybersecurity teams in the future, but it will at the very least reduce the number of opponents they have to face, and may make their job just a little easier.

0-Day No Longer Best Kept Secrets On The Internet https://flare.io/learn/resources/blog/0-day-no-longer-best-kept-secrets-on-the-internet/ Tue, 01 Jun 2021 11:53:00 +0000 https://flare.systems/0-day-no-longer-best-kept-secrets-on-the-internet/

A 0-day is a software vulnerability that is unknown to its software maker. 0-days are perhaps the most valuable type of exploits out there simply because they can be used with an incredibly high chance of success, and often for an extended period of time. With no knowledge of a flaw, a software maker is unlikely to publish a fix, and the actions of the attackers can probably go undetected for quite some time.

The Market for 0-Day Vulnerabilities

0-days were once associated with Nation States that had the necessary resources to probe software and find unknown vulnerabilities. Over the past two decades however, private researchers and malicious actors have also been hunting and finding their own 0-days.

For the former, there is likely to be a high payday for reporting the vulnerability through a bug bounty program. There are also conferences such as Pwn2Own dedicated to demonstrating 0-days, though not to publishing the details of the vulnerability. For the latter, 0-days represent a valuable tool to stealthily launch attacks that can generate up to millions of dollars in profit.

Private companies now also operate as brokers, buying 0-days from researchers, and selling them to intelligence and law enforcement agencies. These brokers offer hundreds of thousands of dollars for each 0-day, and appear to be turning quite a healthy profit from reselling the 0-days.

No matter how 0-days come to be known and shared, in all of the above examples, 0-days remain private and shared among a small circle of people. They in essence keep a veil of secrecy and mystery that has enshrined them since the first days of the computer age.

0-Days Moving Into the Spotlight

The secrecy that surrounds 0-days explains why the launch of a very public 0-day marketplace is so surprising. Our intelligence team has found that the dark web now hosts a very active marketplace where 0-days can be bought. As shown in the image below, the marketplace promises:

  • Fully documented 0-days that can be exploited quickly
  • Fast delivery
  • Satisfaction guaranteed, though no refunds are promised

0 day marketplace

Another surprise comes from the high-profile 0-days that are advertised on the website. These include SMS interception, SIM card exploitation, mobile phone takeovers and social media account takeovers. These are all incredibly valuable 0-days that could be leveraged for damaging attacks against individuals and organizations. Their price, from a few hundred to a few thousand US dollars, appears much lower than what we have seen in other public displays of 0-day pricing, where the most valuable are worth hundreds of thousands of dollars.

Lastly, the marketplace appears to be selling the same exploit to multiple individuals. The website presents ratings that appear to represent past sales, each with a 5-star rating. The most popular 0-days have apparently been sold hundreds of times, suggesting that the marketplace is already incredibly active.

A Public and Visible Presence

The popularity of the platform could be explained by its marketing campaigns on social media like Instagram and YouTube. The market has its own account with hundreds of subscribers. There, it publishes information and videos of the 0-days, as well as explanations on how to use the site. The whole customer journey is presented and potential customers can see what to expect when they purchase a 0-day account. It shows how payments in cryptocurrencies can be sent, and that bit.ly is used to deliver the files once the purchase is complete.

Threats Only Get Better, Not Worse

Bruce Schneier famously said that threats only get better, and not worse. This new marketplace is a good example of this mantra, and a lesson to be learned for security professionals. It represents yet another example of the democratization of the most sophisticated attacks down to malicious actors who need no technical knowledge. 0-days that target large communication networks and communication software are significant threats and must be detected as quickly as possible. This is why we have added this marketplace as a source of information that we monitor on a daily basis to identify quickly any new significant 0-day.

Using this information, security teams can better understand the risks associated with using specific tools and networks. They can also better understand the security posture of companies. Indeed, some appear to be more targeted than others by malicious actors, and to be taken over more easily. These may represent unnecessary risks for your organizations and could perhaps be replaced by more secure software that does not fall to malicious actors as easily.

What makes the success of these platforms possible is the visibility of the marketplaces, and it will be interesting moving forward to monitor how malicious actors are allowed to operate on social media. Their presence there represents an advantage in terms of visibility for the malicious actors, but also an investigation opportunity for law enforcement to gather intelligence on the individuals who operate these platforms. We look forward to better understanding how law enforcement will react to this shift towards visibility, and whether those brazen enough to go there will be the first ones to be shut down in the end.
