Darknet Archives – Gridinsoft Blog Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe. Thu, 16 May 2024 10:54:45 +0000 en-US hourly 1 https://wordpress.org/?v=78815 200474804 BreachForums is Seized, Again, FBI Puts a Banner https://gridinsoft.com/blogs/breachforum-is-seized-again/ https://gridinsoft.com/blogs/breachforum-is-seized-again/#respond Wed, 15 May 2024 15:49:24 +0000 https://gridinsoft.com/blogs/?p=22089 BreachForums, one of, if not the biggest Darknet forum, is once again seized by law enforcement. On Wednesday afternoon, May 15, 2024 its main page shows the FBI banner that says about the forum taken over. There are also some details that may point at the detainment of its current administration. BreachForums is Taken Down… Continue reading BreachForums is Seized, Again, FBI Puts a Banner

The post BreachForums is Seized, Again, FBI Puts a Banner appeared first on Gridinsoft Blog.

]]>
BreachForums, one of, if not the biggest Darknet forum, is once again seized by law enforcement. On Wednesday afternoon, May 15, 2024 its main page shows the FBI banner that says about the forum taken over. There are also some details that may point at the detainment of its current administration.

BreachForums is Taken Down by the FBI, Again

On May 15, both the clear web mirror and the Darknet version of the BreachForums started to display the FBI banner. Neither FBI nor other law enforcement agencies mentioned on the banner published any details regarding the operation. The forum was changing its top-level domains lately, probably maneuvering from the takeovers of the server infrastructure. Was not really effective, by the looks of it.

BreachForums FBI banner

BreachForums is a major Darknet forum that also serves as a marketplace for various illegal things. Malware, leaked data, hacker services and many other things are (or should I say “were”?) for sale here. It saw a major spike in popularity after law enforcement disrupted another underground forum – RaidForums.

That is not the first time the FBI disrupted BreachForums operations. Back in March 2023, they put the forum offline, but in a different manner – by detaining one of its admins, Pompompurin a.k.a Conor Brian Fitzpatrick. At the same time, feds took quite a lot of data from his computer, putting other admins at risk. This, in fact, was the primary reason for the forum to go offline at that time.

Baphomet claim day1
Message that Baphomet posted as soon as the information about the Pompompurin detainment appeared

Three months after though it resurfaced, keeping the same format and some of the admins. Group of hackers known as ShinyHunters claimed to be leading the forum’s resurrection. After another month or two, the Darknet facility was running as nothing ever happened. Until this day, of course.

What happened to BreachForums?

I suppose that the FBI managed to seize their network infrastructure, same as they did to several threat actors throughout the last 8 months. The guess is backed by the fact that BreachForums recently went through several TLD changes: from the post-revival breachforums[.]is, that was holding for over half a year, to breachforums[.]cx, and shortly after – to breachforums[.]st. I can hardly imagine what this can be done for, if not for covering the tracks and/or escaping the chase.

But regardless of the way this was done, the result is rather striking. Aside from the forum itself, law enforcement agencies managed to take over the Telegram channel of the forum. As proof, they posted this pretty message from the account of Baphomet, the longtime BF administrator.

Telegram chat BreachForums

This action accompanies a few details from the banner they’ve posted on the Breach main page. Along with the BreachForums logo, they added profile pictures of two admins, Baphomet and The Jacuzzi, with jail bars put on top. That probably supposes the FBI now has access to all the data about the forum admins, or even probably detained them.

Since this all happened just hours ago, and there is no official information from the law enforcement agencies, more and more details will likely surface later on. I will update the post as they appear.

The post BreachForums is Seized, Again, FBI Puts a Banner appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/breachforum-is-seized-again/feed/ 0 22089
LabHost Phishing Service Taken Down by Police https://gridinsoft.com/blogs/labhost-phishing-service-taken-down/ https://gridinsoft.com/blogs/labhost-phishing-service-taken-down/#respond Fri, 19 Apr 2024 16:32:44 +0000 https://gridinsoft.com/blogs/?p=21478 Authorities have seized the LabHost phishing service, accused of stealing personal information from victims worldwide. This service specialized in creating fake websites to harvest user data illegally. However, law enforcement agencies have taken down in a series of coordinated raids in several countries. LabHost reportedly accumulated data on nearly half a million credit cards and… Continue reading LabHost Phishing Service Taken Down by Police

The post LabHost Phishing Service Taken Down by Police appeared first on Gridinsoft Blog.

]]>
Authorities have seized the LabHost phishing service, accused of stealing personal information from victims worldwide. This service specialized in creating fake websites to harvest user data illegally. However, law enforcement agencies have taken down in a series of coordinated raids in several countries. LabHost reportedly accumulated data on nearly half a million credit cards and secured over a million passwords.

Police Operation Halts LabHost Phishing Service

In a sweeping international law enforcement operation, authorities have dismantled a notorious cybercrime syndicate. They arrested 37 individuals linked to the LabHost phishing service. So, between April 14 and 17, a coordinated effort led by Europol resulted in the arrest of 32 individuals. This included four individuals in the U.K. who were responsible for developing and running a service. Additionally, 70 addresses were searched worldwide as part of this operation.

Seized website screenshot
Screenshot of LabHost’s seized website

This global initiative, codenamed “Nebulae,” targeted a network accused of pilfering sensitive personal information from countless victims worldwide. Thus, the Australian Joint Policing Cybercrime Coordination Centre (JPC3) has successfully taken down 207 servers that hosted phishing websites created through the LabHost service. The Metropolitan Police in the U.K. has also announced the arrest of four individuals involved in running the service’s website, along with the original developer of the platform.

What Is LabHost?

LabHost (lab-host[.]ru) is a service recognized as one of the most expansive Phishing-as-a-Service (PhaaS) operations. It specializes in crafting deceptive websites that mimic reputable banks and institutions to harvest user data illegally. Europol, spearheading the effort, detailed that LabHost offered its illicit services through two distinct packages—a suite targeting brands primarily in the U.S. and Canada and a more global suite excluding these regions.

Labhost user interface screenshot
Labhost user interface

Subscription rates ranged from $179 to $300 per month, attracting many cybercriminals seeking to exploit unwary internet users. LabHost provided phishing kits for various services, including Spotify, postal and toll services, and even insurance providers. The platform simplified the phishing operation by managing the backend infrastructure, thus enabling criminals to launch attacks with minimal technical effort.

Financial Gains and Global Impact

The effectiveness of LabHost’s infrastructure was alarmingly evident in the number of its victims. According to Trend Micro, over 164,000 individuals in Australia and the U.K. had been duped into submitting their details on these fraudulent pages. The phishing sites were sophisticated enough to fool users into entering sensitive information. Among others were credit card numbers, passwords, and even two-factor authentication codes.

The U.K. Metropolitan Police highlighted the financial scale of this criminal enterprise, estimating that LabHost had amassed around £1 million from its illegal activities. The service reportedly accumulated data on nearly half a million credit cards and secured over a million passwords.

The post LabHost Phishing Service Taken Down by Police appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/labhost-phishing-service-taken-down/feed/ 0 21478
xDedic Marketplace Members Detained In International Operations https://gridinsoft.com/blogs/xdedic-members-detained/ https://gridinsoft.com/blogs/xdedic-members-detained/#respond Mon, 08 Jan 2024 20:04:22 +0000 https://gridinsoft.com/blogs/?p=18849 The infamous xDedic Marketplace, known for its illicit trade in compromised computers and personal data, has been effectively dismantled. 19 persons related to the marketplace were detained. The overall operation is the result of joint effort of law enforcement from 11 countries. xDedic’s Actors Face US Courts Although the actual seizure of xDedic happened almost… Continue reading xDedic Marketplace Members Detained In International Operations

The post xDedic Marketplace Members Detained In International Operations appeared first on Gridinsoft Blog.

]]>
The infamous xDedic Marketplace, known for its illicit trade in compromised computers and personal data, has been effectively dismantled. 19 persons related to the marketplace were detained. The overall operation is the result of joint effort of law enforcement from 11 countries.

xDedic’s Actors Face US Courts

Although the actual seizure of xDedic happened almost 5 years ago, in 2019, the overall process of its members’ detainment took quite some time. The diverse nationalities of the charged defendants posed a unique challenge, as many hailed from countries that do not extradite their nationals. However, diligent efforts led to the charging and/or extradition of 17 defendants to the United States.

The extensive investigation was spearheaded by the Tampa Division of the Federal Bureau of Investigation. It also involved the Tampa Field Office of Internal Revenue Service – Criminal Investigation. Assistance was provided by various international and national agencies, highlighting the importance of global cooperation in combating cybercrime. The cases are currently being prosecuted by 3 Assistant United States Attorneys.

What is xDedic?

xDedic was a notorious online marketplace on the dark web, known for selling compromised computer credentials. These credentials included usernames and passwords. It facilitated the illegal sale of access to over 700,000 hacked servers worldwide. These servers included those in government, healthcare, and transportation sectors. Cybercriminals used xDedic to buy credentials to servers, enabling them to commit various illegal activities like ransomware attacks. The site was known for its sophisticated operational security and use of cryptocurrency, making it difficult to track the identities of its users and the locations of its servers.

 xDedic marketplace
Stolen Credentials on xDedic Marketplace for Sale

Seizure of xDedic

The turning point in this saga came in January 2019 when the U.S. Attorney’s Office for the Middle District of Florida, in collaboration with international law enforcement agencies, seized xDedic’s domain names and dismantled its infrastructure. This operation, which involved authorities from Belgium, Ukraine, Europol, the Dutch National Police, and the German Bundeskriminalamt, effectively ended the marketplace’s operations​​.

Following the marketplace’s shutdown, efforts shifted towards bringing those responsible to justice. Nineteen individuals have been charged in connection with the marketplace, facing a range of offenses from cyber fraud to money laundering. The charges reflect the seriousness of the crimes associated with the xDedic marketplace.

High-profile figures like Alexandru Habasescu and Pavlo Kharmanskyi, administrators of xDedic, were apprehended and sentenced to prison. Habasescu, the technical brain behind xDedic, was arrested in the Spanish Canary Islands, while Kharmanskyi was detained at the Miami International Airport. Other significant arrests included Dariy Pankov, who was a major seller on the site. Also arrested was Allen Levinson, a prolific buyer with a specific interest in U.S.-based Certified Public Accounting firms.

Recommendations and future outlook

The shutdown of xDedic Marketplace was a significant victory in the ongoing battle against cybercrime. Significant, but not the turning point: numerous other marketplaces appeared afterwards, including infamous Breached Forums, Genesis and RaidForums. When the servers are shut down, but the actors remain free, that is just the matter of time when and where they will be back into business.

When we talk about the detainment of those actors, things are obviously different. This not only proves that it is impossible to be safe and commit cybercrimes, it also shows that even a 5 year term is not long enough to avoid the punishment. Will this work as a stop sign for others? Not likely, but they will barely miss that info either.

xDedic Marketplace Members Detained In International Operations

The post xDedic Marketplace Members Detained In International Operations appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/xdedic-members-detained/feed/ 0 18849
Plume Hacked, Data Leaked in the Darknet https://gridinsoft.com/blogs/plume-hacked/ https://gridinsoft.com/blogs/plume-hacked/#respond Thu, 16 Nov 2023 10:06:43 +0000 https://gridinsoft.com/blogs/?p=17653 An anonymous hacker posted about a Plume data breach on the Darknet. The hacker says they have stolen the personal information of millions of users and threaten to release the data unless the company pays them a ransom. What is Plume? Plume Design, Inc. develops and sells smart home Wi-Fi mesh networking systems. Its flagship… Continue reading Plume Hacked, Data Leaked in the Darknet

The post Plume Hacked, Data Leaked in the Darknet appeared first on Gridinsoft Blog.

]]>
An anonymous hacker posted about a Plume data breach on the Darknet. The hacker says they have stolen the personal information of millions of users and threaten to release the data unless the company pays them a ransom.

What is Plume?

Plume Design, Inc. develops and sells smart home Wi-Fi mesh networking systems. Its flagship product, the Plume SuperPod, is a mesh Wi-Fi system that uses AI to optimize network performance. Plume also provides software features such as parental controls, network security, and motion sensing. ISPs, cable companies, and telecoms use the company’s technology.

It works as a Software-as-a-Service (SaaS) specializing in smart Wi-Fi solutions, cloud management, and AI-driven security services. Operating in over 45 countries, the company boasts a significant user base, claiming to serve more than 55 million homes and small businesses.

Plume Data Breach Details

Plume, a leading provider of smart WiFi services, finds itself at the center of a potential data breach. The attackers have purportedly posted gigabytes of user data on a prominent data leak forum. The breach, if confirmed, could impact millions of Plume’s customers and staff members. Attackers claim to have successfully infiltrated Plume’s systems, making off with a substantial 20GB of data from the company’s WiFi database. This trove of information reportedly encompasses more than 15 million lines, featuring diverse user profiles, including mobile app users, customers, and even Plume’s internal staff.

Data leak post screenshot
Data leak post

The attackers said the dataset encompasses sensitive information like email addresses, device details, carriers, first and last names, iOS and Android versions, and more. As for the company’s reaction, Plume’s response to the claims has been prompt, acknowledging the alleged breach and initiating an internal investigation. A representative from Plume stated, “We are aware of the claim, and our teams are actively investigating the situation.”

Data Sample Validation

The research team has delved into the data sample provided by the attackers, affirming that the sample aligns with the details outlined in the attackers’ statements. However, the lack of a complete data set from the attackers raises questions about the authenticity of the leaked information. Without a comprehensive dataset, whether the compromised data genuinely belongs to Plume or was sourced from an alternative origin remains uncertain.

Notably, the attackers have taken an unconventional approach by creating an X account and announcing the alleged breach on social media platforms. This departure from traditional covert channels raises some eyebrows within the cybersecurity community. In contrast, attackers typically opt for discreet methods when publicizing their exploits.

Potential Impacts

As Plume’s investigative teams delve deeper into the situation, users are advised to remain vigilant and consider implementing additional security measures. While the company is actively addressing the claims, the potential exposure of sensitive information necessitates a proactive approach from users to safeguard their data.

The post Plume Hacked, Data Leaked in the Darknet appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/plume-hacked/feed/ 0 17653
Malware Propagation On Darknet Forums https://gridinsoft.com/blogs/malware-propagation-darknet/ https://gridinsoft.com/blogs/malware-propagation-darknet/#respond Wed, 21 Jun 2023 09:53:22 +0000 https://gridinsoft.com/blogs/?p=15429 The forums on the dark web are well-known for being a hub of cybercriminal activity, including an auction system. Here, bad actors can trade tips on hacking, share samples of malware, and demonstrate how to exploit vulnerabilities. For those who develop malware, Darknet communication platforms, specifically forums, became a perfect marketing platform. The developers of… Continue reading Malware Propagation On Darknet Forums

The post Malware Propagation On Darknet Forums appeared first on Gridinsoft Blog.

]]>
The forums on the dark web are well-known for being a hub of cybercriminal activity, including an auction system. Here, bad actors can trade tips on hacking, share samples of malware, and demonstrate how to exploit vulnerabilities. For those who develop malware, Darknet communication platforms, specifically forums, became a perfect marketing platform. The developers of questionable or dual-purpose software appreciate such a law-free place as well. Here, I’ve picked 6 malware samples that are promoted actively on the Darknet.

EvilExtractor Stealer

The developers of EvilExtractor present it as a legitimate subscription-based tool. However, researchers have discovered that it has been advertised to threat actors on multiple hacking forums since 2022. Attackers use it to steal sensitive information, particularly data from web browsers. Kodex created it and it has been regularly updated since its release in October 2022.

EvilExtractor Stealer
Screenshot of EvilExtractor for sale on Darknet Forum

Most infections occurred due to a phishing campaign. There attackers sent account confirmation requests with a compressed executable attachment resembling a legitimate PDF or Dropbox file. Fortinet discovered several such attacks. When the target opens the file, a PyInstaller file is executed, which launches a .NET loader that further launches an EvilExtractor executable using a base64-encoded PowerShell script. To avoid detection, the malware checks the system time and hostname on launch to determine if it is running in a virtual environment. If it is, the malware will exit.

Trigona affiliate program

One of the Darknet forums offers an affiliate program Trigona. The Trigona ransomware was initially detected in October 2022 and has gained notoriety for exclusively demanding ransom payments in Monero cryptocurrency. In the short time it has been active, this group has victimized people globally.

Trigona affiliate program
Screenshot of Trigona Ransomware ransom note

Trigona is a group that hacks into victims’ devices and encrypts all their files, except those in specific folders such as the Program Files and Windows directories. Additionally, they steal sensitive documents and add them to their dark web leak site before encrypting them. This program provides ransomware-as-a-service (RaaS) and has several capabilities:

  • The Tor network’s admin panel comes equipped with end-to-end encryption for all data.
  • Storing leaked databases on the cloud.
  • Cross-platform build with cryptographically advanced encryption.
  • DDoS capabilities.
  • Call facilities for countries across the globe.

Shadow Vault – MacOS Stealer

A malware called RedLine Stealer is being sold on underground forums. It is specifically designed to target users of MacOS. A harmful software known as malware is designed to extract sensitive information from internet browsers, such as saved login details, autocomplete data, and credit card information. Once installed on a computer, it takes an inventory of the system, collecting details like the username, location data, hardware configuration, and information on installed security software. The latest versions of RedLine can even steal cryptocurrency. This malware targets FTP and IM clients and can upload and download files, execute commands, and periodically send information about the infected computer.

  • This software has a keylogging function that records keystrokes and creates several copies of the stolen data. These copies are saved in various locations so the information can still be retrieved even if deleted.
  • The extractor can grab data from Metamask, Exodus, Coinomi, Binance, Coinbase, Martian, Atomic, Phantom, Trust, Tron Link, Kepler, etc.
  • This software can be installed using either PKG or DMG file formats.
  • The process of extracting data from Apple devices’ keychain database is encrypted, making it difficult to detect the amount of stolen information and avoid being caught.

Mystic Stealer’s rise

A new version of Mystic Stealer, version 1.0, was released in late April 2023, but an updated version, 1.2, was quickly launched in May, indicating that the project is actively being developed. The seller is advertising the malware on various hacking forums, such as WWH-Club, BHF, and XSS, and is available for rent to interested parties.
Mystic is capable of stealing login credentials from nearly 40 different web browsers, such as Chrome, Edge, Firefox, and Opera (but not Safari), as well as over 70 browser extensions, including Coinbase Wallet, Dashlane, and LastPass.

Mystic Stealer’s rise
Screenshot of Mystic Stealer on Hacker forum
  • The Mystic Stealer is capable of operating on different Windows versions, ranging from XP to 11, and is compatible with 32-bit and 64-bit OS architectures.
  • It works in a computer’s memory to avoid detection from anti-virus software.
  • The C2 communication is encrypted using a unique binary protocol over TCP. Also, any stolen data is directly sent to the server without being stored on the disk.
  • Mystic performs multiple anti-virtualization checks, including examining the CPUID information to confirm that it is not being run in a sandboxed environment.

Akira ransomware

In March of 2023, cybercriminals began using a new ransomware called Akira. This ransomware encrypts data and changes the filenames of all affected files by adding the extension “.akira”. It also creates a ransom note called “akira_readme.txt”. The letter claims that the company’s internal infrastructure has been partially or fully shut down and that all backups have been deleted.

The attackers also state that they obtained important corporate data before encryption. The ransom note offers a negotiation process with reasonable demands and promises not to ruin the company financially. It includes instructions on accessing a chat room through a Tor browser and a login code. The attackers emphasize that the quicker the company responds, the less damage will be caused. Akira has released information about four individuals on their data leak website. The amount of leaked data varies from 5.9 GB for one company to 259 GB for another.

LummaC2 Stealer

In December 2022, LummaC2 was introduced on cybercrime forums. Since then, it has been continuously developed and has become a highly advanced yet reasonably priced information-stealing malware. This malware, available as a service, is around 150-200 KB in size and is designed to extract data from several browsers, such as Chrome, Chromium, Mozilla Firefox, Microsoft Edge, and Brave. Its primary target is the latest Windows operating system, from 7 to 11.

Recent updates have been made to LummaC2 that involve improving its security by redesigning the modules used for creating harmful builds and receiving stolen logs. Additionally, a new module with a load balancer already added. The developers have also advertised their MaaS on a well-known Russian language forum frequently used by RaaS operators to promote their affiliate and partnership programs.

So what?

Darknet forum sites provide their member’s anonymity, letting them freely share their ideas, thoughts, and expertise. As a result, these online communities are valuable intelligence sources for cybersecurity professionals. The impact of the dark web on businesses across various industries highlights the need for a thorough understanding of cyber threats and effective defensive strategies.

To safeguard your organization from the dangers of the dark web and stay one step ahead of cybercriminals, it’s essential to adopt a proactive approach. Cybersecurity experts monitor threat actor communities on the clear and dark web, illicit Telegram channels, and other messengers.

Law enforcement recently shut down the widely popular Darknet forums. As a result, the Darknet community is curious to see which forums will take their place. The Popular Forums provided a one-stop-shop for a vast amount of data, with vetted postings, and users considered it a reliable intermediary for vendor transactions. However, the increased popularity of leak-focused Telegram channels and sites indicates a trend toward decentralization. This trend highlights that small groups and individuals are selling leaked data, not just ransomware groups. Therefore, individuals have more decentralized options to buy, sell, and download leaked data.

Malware Propagation On Darknet Forums

The post Malware Propagation On Darknet Forums appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/malware-propagation-darknet/feed/ 0 15429
BreachForums Is Back Online, Led by ShinyHunters https://gridinsoft.com/blogs/breachforums-is-back-online-shinyhunters/ https://gridinsoft.com/blogs/breachforums-is-back-online-shinyhunters/#respond Thu, 15 Jun 2023 11:10:18 +0000 https://gridinsoft.com/blogs/?p=15309 BreachForums, an infamous Darknet forum that was shut down in late March 2023, is back online since approx. June 13 2023. After 3 months offline, it is revived by a hacker group called ShinyHunters. But will Breached be as successful as they used to be? What is BreachForums? Breached Forums used to be a massive… Continue reading BreachForums Is Back Online, Led by ShinyHunters

The post BreachForums Is Back Online, Led by ShinyHunters appeared first on Gridinsoft Blog.

]]>
BreachForums, an infamous Darknet forum that was shut down in late March 2023, is back online since approx. June 13 2023. After 3 months offline, it is revived by a hacker group called ShinyHunters. But will Breached be as successful as they used to be?

What is BreachForums?

Breached Forums used to be a massive Darknet forum that was acting not only as a communication platform but also as a black market. Hackers from all over the world were selling databases of leaked credentials, banking cards, data stolen from corporations and so forth. Its popularity peaked in early summer 2022, after the FBI closed another Darknet forum – RaidForums – and detained its administrator.

Though, the same but different fate was against BreachForums. One day, Conor Brian Fitzpatrick a.k.a. Pompompurin made a mistake that cost him his freedom – logged into his account without using VPN. That immediately revealed his IP address, and just in a couple of days, pleasant men in uniform were at his doorstep. Despite the servers not being accessed by the law enforcement directly, the other admin of BreachForums decided to shut off the forum, as there was a risk that law enforcement would find him as well.

Baphomet Finalstatement
The second admin’s statement regarding BreachForums shutdown

But, as it turns out, there could be life after death. In late May 2023, several places posted information regarding the Breach revival by ShinyHunters. This infamous gang states they will take over the Breached Forums and run it despite the hazards from the enforcement agencies. And now it is confirmed – BreachForums is back online.

BreachForums Are Revived by ShinyHunters

Probably, the most obvious sign of recognition for the cybercrime gang is the article on Wikipedia. Black hat hackers from ShinyHunters are known for hacking into Microsoft, Bonobos, NitroPDF and many others – enough to get an ill fame. Being active since 2020, they quickly gained a considerable number of victims, especially for peaky guys that are not attacking everyone they see. Despite the detainment of one of their crew members in Morocco, the gang keeps going and, what’s more important, expanding their activities.

BreachForums Back Online
First message on the recovered BreachForums site

The “takeover” of BreachForums is probably the new vector of cybercrime gang development – in all senses. It is probably the first time when a full-fledged cybercrime gang will have an entire forum under their control. Such a behaviour is also a definite sign of hackers having no fairness before law enforcement. This forum was – and still is – a subject of FBI investigation, thus claiming its possession is dangerous to say the least. Possibly, Baphometh, the second admin of Breached, joined or sold all the assets related to this forum to the gang.

Conflict with other forums

Obviously, after the Breached shutdown in late March, its numerous alternatives popped out. Though fellow hackers did not haste using them, because of fears these platforms may be controlled by the FBI or other law enforcement. To bait people, these forums were claiming “cooperation with Breached”, which forced Baphometh to publicly reject any relations. Though some black markets, like Exposed Forum, went further, putting to use incriminating banners like the one they currently have.

Exposed forums rant
Banner by the ex-ExposedForum URL that incriminates BreachForums admins of bad OPSEC

Possibly, such a decision and reaction from Exposed admin(s) is dictated by the Breached resurgence. Having to compete with such a large and widely-known brand is pretty tough, thus selling off is an obvious decision. But for me, it looks like shutting down the honeypot which will not be able to attract enough crooks after the rebirth of Breached. This guess is complemented with what appears to be the IP address and hosting name of the Breached back-end server. It is known that the FBI accessed (part of) the network infrastructure of BreachedForums – that’s why, exactly, it was disabled. And I doubt feds are generous enough to allow some hackers to mess around this information.

What then?

It will be pretty interesting to see the fate of such an ambitious step. As I said, after the Breached Forums shutdown, a lot of its alternatives appeared. Some even provided themselves with “promotion” – like Exposed forum, that posted the leaked database of RaidForums. Two months of shutdown never was a pleasant thing for popularity – thus the only thing we can do is simply spectate.

For now, I can warn you about using all such forums. Being a cybercriminal’s nest, any Darknet forum accumulates tons of illegal stuff. Touching it, even if it is a database leaked a couple of years ago, may be the reason for law enforcement to pay a visit to your settlement. Moreover, such places commonly swirl with pitfalls where you can be tricked to install malware. And it is good to remember that all such places are thoroughly controlled by the FBI and other enforcement agencies. Everything you say can and will be used against you!

The post BreachForums Is Back Online, Led by ShinyHunters appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/breachforums-is-back-online-shinyhunters/feed/ 0 15309
RaidForums Leaked, Data of Almost 500,000 Users Published https://gridinsoft.com/blogs/raidforums-data-breach/ https://gridinsoft.com/blogs/raidforums-data-breach/#respond Tue, 30 May 2023 16:48:56 +0000 https://gridinsoft.com/blogs/?p=14813 RaidForums, the former leader among the underground forums, now suffers the user data leak. Besides being shut down in April 2022, it is still susceptible to data breach. The data of a black market is now given for free… on another black market. What is RaidForums? RaidForums is an ex-leader among Darknet marketplaces and forums… Continue reading RaidForums Leaked, Data of Almost 500,000 Users Published

The post RaidForums Leaked, Data of Almost 500,000 Users Published appeared first on Gridinsoft Blog.

]]>
RaidForums, the former leader among the underground forums, now suffers the user data leak. Besides being shut down in April 2022, it is still susceptible to data breach. The data of a black market is now given for free… on another black market.

What is RaidForums?

RaidForums is an ex-leader among Darknet marketplaces and forums that was used to sell different sorts of data. Stolen credentials, PIIs, accesses to the network and data stolen from various sources – hackers flooded it with their stuff. However, it all ended in April 2022, after the successful Operation Tourniquet, initiated by the FBI. The law enforcement managed to seize the servers and detain the forum’s admin – Diogo Santos Coelho.

RaidForums main page
RaidForums’ main page – back when it was active

Nature abhors vacuum, thus the crowd migrated from the wiped platform to other forums. The new favourite – BreachForums – was swirling with criminal activity for almost a year, until the other successful FBI operation. In March 2023, one of the forum admins was detained, and another considered shutting it down due to the danger of the FBI taking over it.

RaidForums Data Leaked

On May 29, on a new favourite among Darknet forums – Exposed, that popped out after the Breached collapse – a database of RaidForum users was published. The one who released it is a forum admin, nicknamed The Impotent. The leaked database contains records (usernames, passwords, emails and even avatars) of over 478,000 users. This leak size is incredible, especially considering that RaidForums had only 550,000 users at the time of its seizure.

RaidForums leak
Post that announces the data leaked from RaidForums

Though, as Exposed users who got their hands on the actual database say, it is not complete. Not all of the records have all the data sets mentioned in the leak announcement. Nonetheless, the fact that the data regarding all the users from the ceased forum is now publicly available, is tremendous. The admin refused to share the source of such a leak, but probably this data was already processed by law enforcements who managed to take over the forum. I.e., there is nothing particularly new or deanonymizing, though such a leak available to everyone may be dangerous for ex-users of the RaidForums.

Now what?

As I’ve just mentioned, the RaidForums leak creates privacy and account theft dangers to everyone present in the leaked database. Even though ones who were anywhere near the law enforcement’s interests already got a visit from men in uniform, email+password pair may give out a lot of information. For brute forcers, this data will be a great addition to their databases – and be sure, they will use it. Fortunately, the database was already indexed by services that track exposed data.

If you used RaidForums but don’t see your account in the leak/on the checkup sites, it will still be a good idea to change your password. In the modern threat landscape, this procedure is recommended to perform once a quarter. The more symbols and randomness you use – the less susceptible you are to brute force attempts.

The post RaidForums Leaked, Data of Almost 500,000 Users Published appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/raidforums-data-breach/feed/ 0 14813
BreachForums is down. Things got worse? https://gridinsoft.com/blogs/breachforums-shutdown/ https://gridinsoft.com/blogs/breachforums-shutdown/#comments Mon, 20 Mar 2023 16:25:06 +0000 https://gridinsoft.com/blogs/?p=13860 Recently, one of BreachForums administrators nicknamed PomPomPurin was arrested by the FBI. That event took place on March 17, 2023, and since then, another administrator of that forum assured that BreachForums activity will not be interrupted or influenced. However, since 19:00 GMT of March 19, the page is not available. What is BreachForums and who… Continue reading BreachForums is down. Things got worse?

The post BreachForums is down. Things got worse? appeared first on Gridinsoft Blog.

]]>
Recently, one of BreachForums administrators nicknamed PomPomPurin was arrested by the FBI. That event took place on March 17, 2023, and since then, another administrator of that forum assured that BreachForums activity will not be interrupted or influenced. However, since 19:00 GMT of March 19, the page is not available.

What is BreachForums and who is PomPomPurin?

BreachForums is one of the biggest online communities dedicated to hacking, data leaks, malware and so forth. It goes deeply beyond the boundaries of legitimacy and is considered one of the Darknet markets. It contains numerous offers of leaked data for sale – mainly from corporations and government organisations. BreachForums also was a place to post bids for access to corporate networks and databases with data of specific groups of people. Despite such illegal content, it was available from the surface Web, yet some sections were Darknet-only. The fact that the FBI is interested in stirring this snake ball is estimated.

On March 17, 2023, one of the administrators of BreachForums, PomPomPurin a.k.a Conor Brian Fitzpatrick was detained. The FBI arrested him in his house in Peekskill, NY. That fact was approved by another “chief” of the forum, nicknamed Baphomet. He noticed that Pom did not appear online for over a day without any warning. After that, he banned both the forum account and server infrastructure access of the detainee. Baphomet additionally pointed out that BreachForums’ work will not be interrupted, as he has enough access to maintain the servers. As it turned out, something went wrong.

PomPomPurin account banned
Blocked account that belonged to PomPomPurin

BreachForums website is not available

On March 19, 2023, users noticed that BreachForums is not accessible. When trying to access the surface Web version, the server returns 502 error code. It also says “Looks like we have got an invalid response from the upstream server. That’s all we know”. The Darknet version shows an Onionsite Not Found error, which generally stands for the situation when servers that were holding the website are not operating. At a glance, it looks like the FBI proceeded from PomPomPurin detainment to seizing the servers.

Breached Forums Onionsite
Error returned by the Onion version of BreachForums

Baphomet claimed that there is no danger of the FBI taking over the infrastructure, both physically and technically. Nonetheless, after the BreachForums shutdown, he reappeared with another message. It says that currently Baph does his best to migrate the servers and reconfigure everything as quickly as possible. He also tries to give no chance for law enforcement to reveal it.

BreachForums migration
Baphomet message regarding ongoing works

That contrasts with his claims in the forum post, where he says about doing constant monitoring of logs to uncover anything that may be a sign of infrastructure compromise. If he suddenly decided to migrate the infrastructure – probably the FBI found a way to access it despite the blocks deployed by Baphomet. Another possible cause is that Pompompurin was pretty talkative, especially considering the possible softening of punishment for cooperation.

Baphomet claim day1
Message that Baphomet posted as soon as the information about the detainment appeared

This or another way, BreachForums is likely entering troubled times. Even if the migration ends up successful, law enforcement may still be on the trail. Possibly, Baphomet is the next to face nice men in uniform – just because of his decision to take over the forum controls. Still, nothing points to the impossibility of the Breached Forums returning and running in a usual manner – as if nothing happened.

Update for 21.03.2023

A message in the BreachForums Telegram channel appeared, claiming that Breached Forums will not be continued. The channel that most likely belongs to the aforementioned Baphomet, posted the following message:

Baphomet TG post
Baphomet’s post in Telegram community

“I will be taking down the forum, as I believe we can assume that nothing is safe anymore”. That already says a lot regarding what happened to Breached Forums after the PomPompurin detainment. Though Baphomet still has a bit of hope, saying that he will establish another Telegram group, where he will notify about possible betterment.

Even more interesting details appear in the text file that Baph offers to download. It finally sheds light on the FBI’s part in this action. It says that Baph detected login activity on one of the non-essential servers on March 19, 2023 – two days after Pom’s arrest. Thus it is logical to assume that law enforcement succeeded at taking over PomPomPurin’s computer and accessing it. The server contained enough information to compromise source code, user information, configurations and other things.

Baphomet Finalstatement
Baphomet’s final statement regarding BreachForums

BreachForums epitaph

It is not completely clear whether Baphomet will use assets from BreachForums or not. He states that a number of other hacker forums’ admins and representatives contacted him, offering certain deals. Baph promises “to build a new community that will have the best features of Breached”. Yet, by these words, the actor confirms that BreachForums are completely ceased, with no chance to return.

Breached Forums saw their major boost after the RaidForums shutdown back in April 2022. A huge community of hackers was seeking another place to communicate, and exchange experiences and stolen data. Pom’s brainchild was first on hand. Moreover, he was brave enough to post an offer to join his forum right under the FBI’s Twitter post regarding the RaidForums shutdown.

Pompompurin FBI raidforums

Will the hacker community suffer because of such a loss? Most probably, other hacker sites will witness a spike in activity – nature always abhors a vacuum. Another edge of the “problem” is a slowdown in hacker operations: there is no usual place to sell the stolen and buy the needed access or applications. Nonetheless, they will definitely adapt to the situation, and we will see the outcome in the near future.

BreachForums is down. Things got worse?

The post BreachForums is down. Things got worse? appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/breachforums-shutdown/feed/ 4 13860
Cybersecurity Experts Discovered a New Stealc Infostealer https://gridinsoft.com/blogs/new-infostealer-stealc/ https://gridinsoft.com/blogs/new-infostealer-stealc/#respond Wed, 22 Feb 2023 09:22:49 +0000 https://gridinsoft.com/blogs/?p=13453 ekoia experts report that a new infostealer, Stealc, has appeared on the darknet, and is gaining popularity among criminals due to aggressive advertising and similarities to malware such as Vidar, Raccoon, Mars, and Redline. Let me remind you that we also wrote that Djvu Ransomware Spreads via Discord, Carrying RedLine Stealer, and also that NetSupport… Continue reading Cybersecurity Experts Discovered a New Stealc Infostealer

The post Cybersecurity Experts Discovered a New Stealc Infostealer appeared first on Gridinsoft Blog.

]]>

ekoia experts report that a new infostealer, Stealc, has appeared on the darknet, and is gaining popularity among criminals due to aggressive advertising and similarities to malware such as Vidar, Raccoon, Mars, and Redline.

Let me remind you that we also wrote that Djvu Ransomware Spreads via Discord, Carrying RedLine Stealer, and also that NetSupport and Raccoon Stealer malware spreads masked as Cloudflare warnings.

Also information security specialists reported that Raccoon malware steals data from 60 different applications.

For the first time, analysts noticed the advertisement of the new malware back in January, and in February it began to actively gain popularity.

On hack forums and Telegram channels, Stealc is advertised by someone under the nickname Plymouth. He says that the malware is a “non-resident stealer with flexible settings and a convenient admin panel.”

new infostealer Stealc
Advertisement Stealc

In addition to the usual targeting of data from browsers, extensions and cryptocurrency wallets for such malware (the malware targets 22 browsers, 75 plugins and 25 desktop wallets), Stealc can also be configured to capture certain types of files that the malware operator wants to steal.

new infostealer Stealc
Configuration Instructions for Browser Attacks

The advertisement notes that when developing Stealc, its authors relied on solutions already existing “on the market”, including Vidar, Raccoon, Mars and Redline.

Sekoia analysts noticed that Stealc, Vidar, Raccoon, and Mars have in common that they all load legitimate third-party DLLs (eg sqlite3.dll, nss3.dll) to steal sensitive data. The researchers also say that the organization of communication with the control server of one of the samples of the new stealer they analyzed is similar to Vidar and Raccoon.

In total, the researchers identified more than 40 Stealc C&C servers and several dozen malware samples. According to them, this indicates that the new malware has aroused considerable interest among the cybercriminal community.

new infostealer Stealc
Malware development

One of Stealc’s distribution methods that researchers have already discovered is YouTube videos that describe how to install the cracked software and contain links to download sites. In such programs, a stealer is built in, which starts working and communicates with the control server after the installer is launched.

new infostealer Stealc
Site distributing stealer

According to experts, hacker clients with access to the Stealc administration panel can generate new stealer samples, and this increases the chances of the malware leaking and making it available to a wider audience in the future.

The post Cybersecurity Experts Discovered a New Stealc Infostealer appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/new-infostealer-stealc/feed/ 0 13453
How to Access the Dark Web Safely: Useful Tips for the Darknet https://gridinsoft.com/blogs/access-dark-web-darknet-safely/ https://gridinsoft.com/blogs/access-dark-web-darknet-safely/#respond Tue, 11 Oct 2022 15:27:41 +0000 https://gridinsoft.com/blogs/?p=10971 Is the dark web legal? Despite Darknet’s association with illegal activity, accessing and browsing the dark web is legal. However, most Darknet websites are used for criminal activities – such as buying drugs, money laundering, and trading stolen credentials. If your personal information is exposed through a data breach, spyware, or phishing attack, there’s a… Continue reading How to Access the Dark Web Safely: Useful Tips for the Darknet

The post How to Access the Dark Web Safely: Useful Tips for the Darknet appeared first on Gridinsoft Blog.

]]>
Is the dark web legal?

Despite Darknet’s association with illegal activity, accessing and browsing the dark web is legal. However, most Darknet websites are used for criminal activities – such as buying drugs, money laundering, and trading stolen credentials. If your personal information is exposed through a data breach, spyware, or phishing attack, there’s a good chance it will show up on the dark web, where you can wait for your buyer. You may have heard the infamous stories about Silk Road, the first online Darknet platform used to sell illegal drugs for bitcoins, launched back in 2011.

Unfortunately, there are a lot of similar platforms today. However, there are more unpleasant things like Besa Mafia, a marketplace for violent activities such as robberies, contract murders, sex trafficking, blackmailing, arms dealing, and terroristic acts organisation. As unrealistic as it sounds, this is a criminal world that exists and trades online with real consequences. However, not all activities on the Darknet are illegal. For example, Facebook and the New York Times have websites accessible through the Darknet. It seems like a paradox, the Darknet itself is not unlawful, yet it is often used for illegal things. Let’s dig deeper to clarify the Darknet and how it differs from the network we know.

What is the dark web?

The Darknet is a part of the global Internet hidden from search engines. It allows you to browse websites anonymously using disguised IP addresses. The Darknet can only be accessed through the Tor browser, preventing tracking and ad targeting. As mentioned above, the Darknet is often used for illicit trade. This is why scammers and abusers buy and sell stolen databases, which in turn may contain usernames and passwords, email addresses, phone numbers, home addresses and other confidential information. The World Wide Web can be divided into three levels: the surface web, the deep web, and the Darknet.

The surface web

The surface web (indexed or visible web) is web content indexed by search engines. Anything you can find with a Google search is part of the surface web. You can see this web part and access it in normal browsing – that’s just the tip of the iceberg.

The deep web

The deep web is the next layer. Although “deep web” and “dark web” are used interchangeably, they are not the same. The deep web contains material that is not indexed by search engines. You may be surprised, but you go to the deep web every day because it makes up about 90% of the entire web. For example, your Facebook posts are not indexed and cannot be found through Google search. Your mailbox and online banking are unreachable through a web browser – all this is a deep web. In other words, these are parts of the Internet that are not themselves hidden, but other users cannot access them. Sometimes the term “deep web” is misused when what is meant is “dark web”.

The dark web (Darknet)

There is another part of the Internet. Here it is already called the dark web. Darknet websites are so hidden that they cannot, in principle, be accessed using regular browsers without special tools. Instead, the Darknet can only be accessed using Tor browser or its analogs. Additionally, there are plugins for Chrome and Firefox that can make the Darknet pages reachable for your regular browser – but they lack anonymity settings offered by Tor.

How to Access the Dark Web Safely: Useful Tips
The visual structure of the Internet

Difference between a dark web and a surface web

At first glance, dark websites are similar to ordinary websites. They contain text, images, interactive content, and site navigation buttons. But there are some differences.

  • Naming structure. Domain addresses of the Darknet websites end exclusively on .onion, instead of our usual .com or .net.
  • Complex URLs. Along with this, the URL characters preceding .onion look like an incoherent set of characters compared to the addresses we’re used to. They are also nearly impossible to remember. For example, SecureDrop is a Darknet site that allows whistleblowers to send confidential information or anonymous tips to news organizations. It also contains sites for major news organizations such as The Guardian, The Washington Post, and The Associated Press.
  • Frequent address changes. While most websites on the surface web try to make it as easy to remember and find as possible, the Darknet is the opposite Darknet sites often change their URLs to maximize privacy.

Darknet lives in the Tor ecosystem, whose name is an acronym for “The Onion Router“, so Darknet can only be accessed using the Tor browser or with a regular browser but with the installation of additional plug-ins. However, the security of this method will be much lower, so Tor is still the best solution. It is free, open-source software that uses a global network of servers to help you stay anonymous on the Internet.

Legal uses of the Darknet

While for some people, the Darknet is the source of all trouble, for others, it can be a chance to save their lives. For example, since no one controls anyone here, some human rights organizations use the Darknet to help people in regions without freedom of speech to escape political persecution and flee to another country. There are also special Darknet messengers that are untraceable. Sure, both these things may have an application for outlaw purposes as well, but statistic shows the contrary. Most such facilities really help people to communicate and plan their actions with no risk to be caught by law enforcement.

How does Tor work?

When you access the Internet via Tor, your data goes through several stages of encryption, routed through random servers called “nodes”. So, each node decrypts your data one layer at a time and then sends it to its intended Darknet destination. This type of layered encryption means that each node in the chain only knows where your data came from and which server to send it to next, and that’s it. This makes it very difficult to track your Darknet activity from start to finish. However, you shouldn’t confuse Tor with a VPN, which uses tunnels to protect your data. Tor’s encryption system ensures that your activities are anonymous and hides the host sites. This explains why this ecosystem is a favorite place for those who engage in criminal activity. Nevertheless, many legitimate reasons exist to use Tor to explore the Darknet.

How to Access the Dark Web Safely: Useful Tips
When your traffic passes through a node, the encryption “layer” is removed. The output node deletes the last encryption level. It cannot see your location or IP address, but it can see your activity if you visit an unsecured website.

How can I get into the Darknet?

Unfortunately, most Darknet sites are used for illegal activities. Therefore, it is essential to understand that this environment can be dangerous. If you ignore precautions and look for problems on the Darknet, you are likely to find them. However, if you use it for legitimate purposes and act cautiously, you can have a safe experience. Here’s how to access the Darknet safely:

Use anti-malware protection

Whether you use a surface network, a deep network, or a dark network, you need to have robust protection for your devices against malware. This will prevent unwanted software from being installed on your device.

Download Tor Browser

Now that your anti-virus software is active and a VPN enabled, you can start downloading and installing Tor from the official website. The first time you start Tor Browser, you will see a window allowing you to change some settings if necessary. You may want to return to them later, but for now, try to connect to the Tor network by pressing the “Connect” button.

Go to the Darknet website you want to visit

Next, you need to find some .onion sites. For example, you can visit The Hidden Wiki. To do so, go to:

http://zqktlwiuavvvqqt4ybvgvi7tyo4hjl5xgfuvpdf6otjiycgwqbym2qad.onion/wiki/index.php/Main_Page (only works in the Tor browser). This page contains links to other dark websites.

How to Access the Dark Web Safely: Useful Tips
This is what The Hidden Wiki looks like

How to use dark web safe

The main rule when using the Darknet is “safety first”. So be vigilant and follow these guidelines to stay safe on the Darknet:

Follow only trusted URLs

The .onion websites themselves won’t hurt you if you have a secure connection. However, you might stumble across some illegal websites or sensitive content by mistake. So be careful and filter the sites you intend to access.

Be careful what you share

The Darknet is an unregulated site and a breeding ground for illegal activity. Once again, ensure you only visit .onion sites you trust and do not share personal information.

Don’t download files

Just like a surface web, a dark web can contain malware. Apparently, the chance of getting something malicious to your system in the Darknet is way higher. Do not download anything that you are not 100% sure is safe to avoid the risk of compromising your data.

Don’t transfer money to anyone

Although some dark online stores may be legitimate, it’s best not to take any chances if you’re not 100% sure of their reliability. The Darknet is crawling with scammers, and most of them are waiting for a moment to scam you.

Keep your software up to date

Sometimes updates come at the most inopportune moment and are occasionally annoying. However, it is a necessary part of using any software product. System updates and any software updates are designed to keep you safe. Update them on time, including Tor and anti-malware software. You may have a good and legitimate reason to go into the dark web. However, it would help if you did so with caution because even unknowingly, you can unknowingly break the law by working online.

Can I browse the surface web with the Tor browser?

Actually, yes, but it can be uncomfortable. Although Tor gives you access to sites in the .onion ecosystem, you can also use it to browse regular websites for added security and privacy. However, due to certain features, this will not be a pleasant user experience. First, many websites block Tor users because they cannot track you, and user data collection greatly benefits websites. Although the use of Tor is legal, law enforcement doesn’t like it, so just using the Top browser can already attract attention. That’s why you should only use it in conjunction with a VPN. Finally, since Tor’s encryption system is very complicated, traveling from browser to server over the network can be very slow. If fast browsing is essential to you, this is probably not the right way to surf the web daily.

The post How to Access the Dark Web Safely: Useful Tips for the Darknet appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/access-dark-web-darknet-safely/feed/ 0 10971