
Four Scenarios of Attacks on DarkWeb Forums - Adversarial Perspective & Post-Incident Analysis

Updated: Oct 7, 2021

By Anastasia Sentsova, Andrew Mincin, & Yelisey Boguslavskiy

Three of the oldest and most elite DarkWeb forums were hacked over the past two months, which led to the disclosure of the personal information of their members. A follow-up evaluation determined that one of these forums is currently inaccessible, which may be attributed to law enforcement or rival community actions. AdvIntel investigates the underground environment and open sources for intelligence related to the breach in order to uncover the possible attack scenarios put forward by the top-tier members of the Russian-speaking cybercrime community.


Executive Summary

  • AdvIntel uncovers adversarial perspective on possible scenarios of attacks on three of the oldest Russian-language forums: Exploit (breach not confirmed, but the forum was down), Verified, and Maza (Mazafaka).

  • The four main interpretations of the events observed in discussions among cybercrime community members are:

1) Hacktivists group efforts

2) US law enforcement actions as a reaction to a continuous ransomware threat from the Russian-speaking DarkWeb community

3) Internal showdowns between underground communities

4) Regional law enforcement effort

  • The review of the DarkWeb chatter and the adversarial perspective analysis can add crucial predictive insights into the new strategies, methods, and approaches which the DarkWeb community may undertake in order to reorganize and increase its anonymity and security.

  • This adversarial analysis enables the establishment of efficient preventive strategies utilizing the known weak points of the DarkWeb community social and technical infrastructures and assists in conducting advanced HUMINT operations and threat actor engagements.

Background


On January 21, 2021, the admin of the top-tier DarkWeb forum, Verified, operating under the alias “AdminSupport” (alias obfuscated), announced that the forum's BTC wallet was hacked and members' accounts might have been compromised. In addition, Verified’s database was observed to be offered on an English-language entry-level RaidForums on January 20, 2021, for $100,000 USD. Leaked data included member registration data, private messages, posts, and threads.


“Our BTC wallet was hacked, fortunately, we did not store large amounts there, but still the incident is not pleasant. The admin figured out the problem and now everything is OK. After clarifying the circumstances, the admin suggested that THEORETICALLY accounts on the forum might have been compromised (the probability is small, but it exists). In our business, it is better to play it safe and we decided to reset the codes for everyone. Just write them down and use it from now on.”

Admin of Verified forum announced hack of BTC wallet and possible compromise of forum members credentials on February 21, 2021

(Source: verified[.]ms)

On March 1, 2021, an admin of the Exploit forum announced that on February 27, 2021, their monitoring system had detected unauthorized secure shell (SSH) access to a proxy server of its hosting provider, FlowSpec. This proxy server is used for protection from distributed denial-of-service (DDoS) attacks. Additionally, an attempt to dump network traffic was detected. The incident led to the blocking of the hosting provider account, which has since been restored.


On March 3, 2021, the database of the top-tier vetted Maza forum was leaked on the DarkWeb, containing more than 3,000 rows of the forum’s member data, including usernames, email addresses, and links to instant messengers such as Skype, MSN, and AIM. While Exploit and Verified were brought back to life and seem to operate at a normal pace, the Maza forum is still observed to be down (at the time of this writing).


On March 4, 2021, an Exploit admin confirmed that the personal data of the forum members had not been compromised and that the servers are under constant supervision.

Exploit moderator confirmed that none of the forum members’ data were compromised on March 4, 2021

(Source: exploit[.]in)

Timeline of Verified, Exploit, and Maza DarkWeb forums breaches

(Source: AdvIntel)


These forum breaches resulted in the disclosure of cybercriminals’ personal information containing usernames, passwords, e-mails, and alternative channels of communication such as ICQ, Skype, Yahoo, and MSN that may be used for identity attribution.


Three main interpretations discussed across the DarkWeb include:


1) Hacktivist groups that announced the hack of underground forums on February 18, 2021

2) US law enforcement actions in response to attacks by Russian hackers on the US government and business sectors and as a reaction to a continuous ransomware threat from the Russian-speaking DarkWeb community

3) Internal showdowns between underground communities seeking a redistribution of power to establish control over forums and to get access to their financial and informational resources


The open-source investigation also revealed a Telegram channel “Слёзы DarkMoney,” which profiles cybercriminals. According to the channel, the Exploit forum has been fully controlled by law enforcement since July 2019 after SBU (Security Service of Ukraine), Europol, and Interpol arrested and recruited the admins. If it is confirmed to be true, one additional scenario of attacks might be added to the scene:


4) Regional law enforcement effort to combat cybercrime and destabilize the underground community


AdvIntel investigates all four possible scenarios of attack on underground forums based on the intelligence related to the compromise that was collected across the DarkWeb and open sources such as Telegram.


Investigative Analysis


Scenario 1


The first version widely discussed across the DarkWeb refers to the possibility of an attack by hacktivists, who might be working on their own or on the orders of government authorities. This version is supported by the fact that the stolen databases began to appear widely in open sources and might be used to de-anonymize underground forum members involved in cybercrime.


Suspicion fell on TeaMp0isoN, the team consisting of blackhats and hacktivists operating since 2009. The group is very well known for its attacks on the United Nations, NASA, NATO, Facebook, and other high-profile entities over the course of 2011 and 2012.


On February 18, 2021, TeaMp0isoN announced hacks of the similar underground forums “Unknown[.]eu,” “r00tsecurity,” and “yah-kings”.

TeaMp0isoN shared an announcement of hacking of three underground forums “Unknown[.]eu”, “r00tsecurity” and “yah-kings” on December 18, 2020


Along with the announcement, the group published personal data of the members of all three DarkWeb communities including usernames, emails, passwords, and IPs.

An announcement of a hack was accompanied by personal data of forums members including usernames, emails, and IPs


Scenario 2


Another possibility that has been theorized in underground communities is that the attack was perpetrated by a US law enforcement agency. This would have been an alleged retaliation to Russian cyberattacks on the US government and the business sectors.


On March 4, 2021, a threat actor operating under the alias “mcgep” (alias obfuscated) suggested that the US government had targeted underground forums in response to the attack on SolarWinds, a notable software developer that was attacked by a group of allegedly state-backed Russian hackers back in December 2020.

Threat actor “mcgep” suggests that the attack might be a retaliation of US law enforcement

(Source: RaidForums[.]com)


A threat actor operating under the alias “realsteel” (alias obfuscated) shared their belief that the attacks might be part of a global initiative against Russian-speaking cybercriminals.


“There is nothing unusual and surprising in attacks on such forums, Americans accuse Russian hackers of working with the Russian government. Therefore, it might be part of a global initiative. DarkWeb forum members should be more careful and take security measures more seriously from now on.”

Threat actor “realsteel” believes that attacks might have been a part of a global initiative against the Russian underground

(Source: exploit[.]in)


Members of RaidForums have engaged in speculating about the possible motives for the attack, as well as the perpetrators. On March 4, 2021, a threat actor operating under the alias “blackjack” (alias obfuscated) went so far as to suggest banning Russian IPs from accessing the forum. This highlights the paranoia many members of these underground communities have developed as a result of the attacks, which they associate with retaliation by US law enforcement.

Threat actor “blackjack” suggested banning Russian IPs from accessing the forum in order to prevent an attack from the US law enforcement which may target the forum due to the presence of Russian-speaking cybercriminals

(Source: Raidforums[.]com)


A threat actor operating under the alias “advokat” (alias obfuscated) also supports the idea of the involvement of US law enforcement as a reaction to a continuous ransomware threat from the Russian-speaking DarkWeb community.


“This is clearly the FBI's playing on us. They understand that all cryptolockers are sitting on these forums and they got really tired of them. They have no other options besides trying to lock us up in our own environment.”

Threat actor “advokat” suggests involvement of US law enforcement in attacks on DarkWeb forums (Source: exploit[.]in)


Scenario 3


The third interpretation is an internal showdown among underground community members seeking a redistribution of power to establish control over forums and get access to their financial and informational resources.


In support of this version, carrying out such attacks would require detailed knowledge of the forums' operations, access to their internal environment, and massive resources. For instance, during the attack on Exploit, intruders were able to obtain secure shell (SSH) access to the Exploit proxy server hosted by Flowspec. This proxy server is used for protection from distributed denial-of-service (DDoS) attacks.


Some members argue that the attack was carried out by the hosting provider, which might hold an SSH key or passwords.


“These are not hackers, they accessed the server through SSH. Yes, this is hosting provider admins. Who else had a key? Hosters had it, am I right?”

Forum member argued on March 1, 2021, that the hosting provider might have been behind the attack

(Source: exploit[.]in)


It is worth mentioning that a Flowspec representative engaged in a conversation about possible upcoming attacks at the end of 2020. This became known on January 20, 2021, when the Exploit admin shared a chat history between a Flowspec representative and an underground forum member operating under the alias “agent007” (alias obfuscated). In this chat, agent007 warned the representative about an upcoming attack and recommended that Flowspec “stop providing hosting service to Exploit forum”.

Exploit admin shared a chat history of Flowspec representative with forum member sweetmika7 warning about the upcoming attack

(Source: exploit[.]in)


Below is a part of the chat discussion shared by the Exploit admin on January 20, 2021:


Translated from Russian:


agent007, [24.11.20 14:24]

And yet, just between us. It would be better for you to stop serving the Exploit domain or you’ll get an unexpected gift for New Year and instead of celebrating, you will have to work on those network issues


flowspec_online, [24.11.20 14:32]

more details please

flowspec_online, [24.11.20 14:32]

if you may

flowspec_online, [24.11.20 14:32]

Are these ugly competitors planning DDoS attacks?


agent007, [24.11.20 14:33]

Well, let's say, there is info that they will put you down


flowspec_online, [24.11.20 14:33]

Facedown to the floor?

flowspec_online, [24.11.20 14:33]

Or by the attack?


AdvIntel comment: “Facedown to the floor” is a figure of speech, meaning an arrest by law enforcement.


agent007, [24.11.20 14:33]

They will put the network down.


flowspec_online, [24.11.20 14:33]

The whole network?


agent007, [24.11.20 14:33]

Not your network though


In this scenario, the main interest of competitors is likely high revenue obtained from the commission for illegal transactions that might count in millions of dollars. In addition to financial resources, intruders might seek exclusive access to the data containing vulnerabilities, leaked information, and other data held by forum members.


Scenario 4


The open-source investigation also revealed a Telegram channel “Слёзы DarkMoney,” which profiles cybercriminals. According to the channel, the Exploit forum has been fully controlled by law enforcement since July 2019 after SBU (Security Service of Ukraine), Europol, and Interpol arrested and recruited forum admins. “For Exploit users - your forum was sold, Admin’s friend Vladimir put the right code. Good luck everybody and don't trust anyone!”

Admin of Telegram Channel “Слёзы DarkMoney” warned Exploit users that their forum is transparent for the law enforcement

(Source: Telegram Channel “Слёзы DarkMoney”)


As per the channel's admin, the Exploit forum is being monitored by law enforcement along with another crucial DarkWeb forum, BHF. By recruiting forum admins, it became possible to modify the forum code to collect personal correspondence, log the IP address and date of each visit, record all profile changes, and gather fingerprints that track forum members on this forum as well as on other forums in order to tie aliases to one person. Law enforcement plans to use this information to hunt down the main players of the forums. "They will use this information to hunt key personalities. These are 50-100 people."


In support of their theory, the channel admin shared that the Exploit servers were moved in July 2019: “The servers have been moved. Do I need to clarify that they have been moved under the control of our friends? (To those of future prisoners who still believe in the Exploit)”

Channel admin demonstrates new servers associated with the Exploit forum on July 18, 2019

(Source: Telegram Channel “Слёзы DarkMoney”)


If it is confirmed to be true, one additional explanation of the recent attacks might be added to the scene: a law enforcement effort to combat cybercrime and destabilize underground communities. It is a common law enforcement technique to keep criminals divided, preventing them from working collaboratively and thus breaking down the sense of community among actors. It also opens the possibility that this coordinated attack on older Russian-language forums could eventually lead to attacks on other highly-trafficked sites.


Some DarkWeb forum members shared opinions about the involvement of law enforcement aiming to destabilize underground communities. On March 4, 2021, a member of the Exploit forum operating under the alias “cracker” (alias obfuscated) suggested that the tactics behind forum hacks have changed. The current purpose of hacking a forum could be to erode the cooperation and trust that threat actors establish with each other in these underground communities.


In order to destabilize underground communities, law enforcement might have decided to shut down some of them. “Yes, it is known that law enforcement has been quietly monitoring forums to hunt down its members. So, tactics may have changed, perhaps they work according to the following logic: ‘There will be no forums, there will be no trust between everyone, less cooperation, more difficult to find partners - fewer attacks.’”

Threat actor “cracker” suggested the involvement of law enforcement in order to destabilize underground communities

(Source: exploit[.]in)


Another threat actor operating under the alias “Motorola15” (alias obfuscated) shared similar thoughts about the destabilization of the underground community and urged forum members to be more careful.


“I agree with the version about government involvement. Considering that the dumps are leaked to the public, they are trying to create chaos and mistrust between members. It also opens a possibility to de-anonymize individuals. I think that attempts to attack Exploit will continue. There was also DDoS on XSS, but who knows what else is going on behind the scenes. We should be more careful, turn on 2FA and change emails that theoretically might have been compromised over the last years.”

Threat actor “Motorola15” supports the idea about the involvement of law enforcement and an attempt to destabilize the underground community

(Source: exploit[.]in)


Conclusion


As of today, the Verified forum works at a normal pace, while the Maza forum has been down since the day of the initial attack. It is still unclear whether the Maza forum has shut down permanently, and whether it will ever be brought back. The Exploit forum is also currently operating.


Attacks on the “old guard” Russian-language forums have left threat actors to surmise the motive, the perpetrator, and if the attacks may occur once again. These breaches have alerted members of forums across the DarkWeb to the possibility that their site and information may be the next target.


The review of the DarkWeb chatter and the adversarial perspective analysis can add crucial predictive insights into the new strategies, methods, and approaches which the DarkWeb community may undertake in order to reorganize and increase its anonymity and security. This adversarial analysis enables the establishment of efficient preventive strategies utilizing the known weak points of the DarkWeb community social and technical infrastructures and assists in conducting advanced HUMINT operations and threat actor engagements.


Anastasia Sentsova investigates cybercrime at Advanced Intelligence, LLC, with a specific focus on the Eurasian Region's state and non-state threat actor groups. She recently graduated from Zicklin School of Business, Baruch College with a Bachelor's Degree in Computer Information Systems and a minor in communication studies. Anastasia became interested in cybersecurity in school and is currently pursuing her career in the field. With a background in journalism and strong intercultural communication skills, she is eager to contribute to the field and to the establishment of a more secure future.


Andrew Mincin investigates data breaches, financial fraud, and other criminal schemes at Advanced Intelligence, LLC. He is a recent graduate of SUNY Maritime College with a Bachelor of Science in International Transportation & Trade. Motivated by the cybersecurity threats posed to global supply chains, he has focused his career path on helping to safeguard the many industries contributing to world trade.


Yelisey Boguslavskiy currently oversees AdvIntel's research and investigative and security operations. He leads AdvIntel's Security & Development Team, conducting advanced HUMINT and SIGINT investigations into cyber fraud, ransomware, APT threats, political manipulation, and violent extremist propaganda conducted through digital infrastructure. Yelisey is an author of "Security Pragmatism: The Peripheral Alliance" – a non-fiction monograph that follows 30 years of security and intelligence cooperation between Turkey, Iran, and Israel from 1947 to 1977 and beyond. Prior to Advanced Intelligence LLC, Yelisey worked as an investigator in the business intelligence community, including Kroll, a division of Duff & Phelps. He holds an M.A. degree in Security Policy Studies from the Elliott School of International Affairs of the George Washington University.


Advanced Intelligence is an elite threat prevention firm. We provide our customers with tailored support and access to the proprietary industry-leading “Andariel” Platform to achieve unmatched visibility into botnet breaches, underground and dark web economy, and mitigate any existing or emerging threats.


advanced-intel.com