Last week, Kaspersky Lab security researchers published research on xDedic, a shady marketplace where access to hacked servers was being sold, and revealed that they had spotted over 70,000 items for sale.
While that figure alone is impressive, it appears to be only the tip of the iceberg. The real number of hacked servers traded on xDedic since October 2014, when the marketplace first appeared, is roughly two and a half times larger, the researchers have since discovered.
Soon after the initial report on xDedic emerged online, the marketplace was closed. This isn’t a surprise, since many cybercriminals prefer to go into hiding as soon as their nefarious activities are made public. What’s interesting, however, is that, as soon as the marketplace went down, Kaspersky Lab received information on the servers that were traded on it.
According to a new blog post, 176,000 unique hacked servers were traded on xDedic between October 2014 and February 2016. The data set the researchers received covers all entries up to the end of the day on February 29, 2016, and reportedly comes from a person who had access to detailed information on the servers traded on the marketplace.
Kaspersky Lab researchers were provided with a list of IP addresses and dates, which they were able to link to some of the servers they had already spotted on xDedic. After that verification, they concluded that the newly provided data was genuine and updated their previous analysis accordingly.
Following the update, the United States was the most affected country when it comes to compromised servers sold on xDedic, with 60,081 records. The United Kingdom follows with 8,817 servers, trailed by Brazil (8,770 servers), Canada (6,112), France (5,973), Spain (5,954), Australia (5,855), Russia (5,608), Italy (5,536), and Germany (4,988).
Based on the new data, the United States accounts for 34% of the hacked servers, while the UK and Brazil account for 5% each. According to Kaspersky, the new data, which places the US, UK, Canada, and Germany in the top 10 most affected countries, gives a more realistic picture of all compromised servers than the previous snapshot did.
The researchers also say that the source of this data, who remains anonymous, is either someone who had been constantly monitoring the xDedic marketplace and also had access to full IP information, or someone with privileged access to the backend. They further explain that the servers they had previously seen on the marketplace were only the less desirable ones, which also explains their low prices.
“For us it was yet another confirmation that when it comes to cybercrime, we often see just the tip of the iceberg. The reason why the xDedic marketplace looked smaller to the buyer is because the most desirable servers were often sold almost as soon as they were added to the marketplace, leaving only the least interesting and unwanted servers for sale,” the researchers say.
The most expensive server on xDedic was listed at $6,000, the researchers reveal, adding that only around 50 servers cost more than $50 and that all of them were located in the United States. A group called “Narko” apparently held the top 10 most expensive listings on the marketplace, but the researchers could not explain why its servers were priced higher than others, or exactly where they were located.