- At least four notorious Russian forums have had a data breach incident in recent months.
- The most recent incidents concern Maza and Verified, two forums where elite hackers gather to discuss and buy stuff.
- This comes at a time when the importance of the role of cyber-crime forums was already in decline.
Four Russian forums that have hosted top-tier cyber-crime discussions in recent years have been hacked, and the data exfiltrated in the intrusions is being leaked online. The forums are “Mazafaka” (or “Maza” or “MFclub”), “Exploit,” “Verified,” and “Crdclub.”
Researchers from cybersecurity firm “Intel 471” have collected evidence of the breaches and have seen several instances of the data shared on other forums – or even put up for sale.
For now, the actor remains unknown, but the signs don’t point to the possibility of this being a law enforcement operation. The timeline of the attacks is given below:
- January 2021 – Verified breach – Theft of $150,000 in crypto and copying of the entire user database.
- February 15, 2021 – Crdclub breach – Administrator account compromise and diversion of user money.
- March 1, 2021 – Exploit breach – SSH access to an anti-DDoS server and dump of network traffic.
- March 4, 2021 – Maza breach – Theft of user data and abuse of an admin account to redirect visitors to a breach notification page.
Considering the caliber of malicious actors that make up the userbase of these forums, the exposure of their user data is very serious. Some announcements, like the one from Verified’s admin, attempted to play down the incident and presented a forcible reset of all user passwords as the end of the story. Verified also stated that the amount of money stolen isn’t that noteworthy.
In the case of Maza, the hackers stole partially obfuscated password hashes, IP addresses of first registrations, login analytics, referrers, cookies, and more, so there’s a lot of value to be found in there beyond any doubt.
Other unconfirmed sources claim that the hackers also stole Verified private messages, information about bitcoin deposits, withdrawals made on the platform, and even private Jabber contacts. That said, there may be a lot more going on than what the forum operators are willing to admit. Obviously, their platforms’ reputation and trustworthiness are on the line here, so it’s not easy to go out and concede that everything was compromised.
Already, distressed cyber-criminals are discussing their exit strategies from the whole forum space, as these platforms weren’t giving them much in recent years anyway. Maza, for example, was mainly used as a reputation index for elite actors, and users wouldn’t find many posts containing actual breach data, card packs, or new malware strains. The importance of the role of forums in the underworld was already in decline, and the recent wave of breaches only comes to underline the risks that come with having an account there.