Someone Is Hacking Cybercrime Forums and Leaking User Data

Since the beginning of this year, an unknown threat actor has been hacking cybercrime forums and leaking user data publicly or offering it for sale.

At least four such forums have been breached to date, namely Verified in January, Crdclub in February, and Exploit and Maza in March. All are predominantly Russian-language forums and saw their breaches publicly disclosed elsewhere.

Intelligence firm Intel 471, which has been closely following the hacks, says that, while the identity of the actor behind the attacks is unknown, the public nature of the attacks eliminates the possibility of a law enforcement operation.

In January, a threat actor announced on underground forum Raid Forums that they breached Verified, an established Russian-language cybercrime forum. The adversary said they had Verified’s entire database, containing details on all registered users, including private messages, posts, threads, and hashed passwords.

The hacker, who apparently was able to transfer $150,000 worth of cryptocurrency out of Verified’s wallet, was offering the database for $100,000.

In February, the administrator account of cybercrime forum Crdclub was hacked, which allowed the threat actor behind the compromise to lure forum customers into using a fraudulent money transfer service and divert an unknown amount of money from the forum.

This week, both the Exploit and Maza underground forums were hacked. The attacker apparently gained secure shell (SSH) access to an Exploit proxy server destined for distributed denial-of-service (DDoS) protection, and also attempted to dump network traffic.

“Users on the Exploit forum are discussing moving away from using emails to register on forums as recent disruption efforts may have increased exposure of their online activities. Others are claiming that the database leaked by the attack ..