Security Experts:

Connect with us

Hi, what are you looking for?



Someone Is Hacking Cybercrime Forums and Leaking User Data

Since the beginning of this year, an unknown threat actor has been hacking cybercrime forums and leaking user data publicly or offering it for sale.

Since the beginning of this year, an unknown threat actor has been hacking cybercrime forums and leaking user data publicly or offering it for sale.

At least four such forums have been breached to date, namely Verified in January, Crdclub in February, and Exploit and Maza in March. All are predominantly Russian-language forums and saw their breaches publicly disclosed elsewhere.

Intelligence firm Intel 471, which has been closely following the hacks, says that, while the identity of the actor behind the attacks is unknown, the public nature of the attacks eliminates the possibility of a law enforcement operation.

In January, a threat actor announced on underground forum Raid Forums that they breached Verified, an established Russian-language cybercrime forum. The adversary said they had Verified’s entire database, containing details on all registered users, including private messages, posts, threads, and hashed passwords.

The hacker, who apparently was able to transfer $150,000 worth of cryptocurrency out of Verified’s wallet, was offering the database for $100,000.

In February, the administrator account of cybercrime forum Crdclub was hacked, which allowed the threat actor behind the compromise to lure forum customers into using a fraudulent money transfer service and divert an unknown amount of money from the forum.

This week, both the Exploit and Maza underground forums were hacked. The attacker apparently gained secure shell (SSH) access to an Exploit proxy server destined for distributed denial-of-service (DDoS) protection, and also attempted to dump network traffic.

“Users on the Exploit forum are discussing moving away from using emails to register on forums as recent disruption efforts may have increased exposure of their online activities. Others are claiming that the database leaked by the attackers is either old or incomplete,” threat intelligence company Flashpoint notes.

Maza, an invite-only cybercrime forum active since 2003, was displaying a data breach notification on March 3, most likely the work of the hacker who managed to take over the forum.

A PDF file accompanying the announcement contained over 3,000 rows, including usernames, email addresses, various contact details, and partially obfuscated password hashes.

“Our initial analysis found that a portion of the leaked data correlated with our previous research findings, which confirms that at least some of Maza’s databases was breached,” Intel 471 said.

To date, no one appears to have claimed responsibility for the breaches, but the perpetrator’s actions could provide security researchers with increased visibility into who is using these cybercrime forums.

Related: Underground Carding Marketplace Joker’s Stash Announces Shutdown

Related: Pandemic-related Supply Chain and Money Laundering Woes in the Dark Web

Related: Collection of South Korean, U.S. Payment Cards Emerges on Underground Market

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...