Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



Threat Actor Sold Access to Networks of 135 Organizations

Over a period of two years, a threat actor sold access to the compromised networks of 135 organizations in 44 countries and likely made over $1.5 million, Group-IB says.

Over a period of two years, a threat actor sold access to the compromised networks of 135 organizations in 44 countries and likely made over $1.5 million, Group-IB says.

Using the online moniker Fxmsp, the individual started selling access to company networks on October 1, 2017, and seized all activity in September 2019, several months after he came to fame for the hacking of three antivirus companies in the United States.

In May last year, Fxmsp was asking $300,000 for data exfiltrated from said organizations (likely McAfee, Symantec, and Trend Micro), including fragments of the antivirus software source code, analytical modules, design documents, and the like.

Between October 2017 and July 2018, Fxmsp sold access to compromised networks personally, but then found an accomplice who became his sales manager. The activity completely stopped in September 2019, after the hackers racked over $1.5 million in proceeds from their illegal activities (excluding sales made through private messages and access sold without naming a price).

To compromise networks, the threat actor performed attacks en masse, targeting all kinds of industries, ranging from small websites of schools to large banks and hotel chains. Between October 2017 and September 2019, the hacker advertised access to the networks of 135 companies.

In a report published this week, Group-IB reveals that the sectors hit the most were light industry, information technology, retail, government, education, hospitality, oil and energy, and financial services. A dozen other industries were hit as well. The hacker would target the Remote Desktop Protocol (RDP) for persistent access to the victim environments.

Group-IB’s security researchers believe that Fxmsp had already compromised enterprise networks by September 2016, when he first registered on an underground forum. Likely not knowing how to monetize the compromised resources, he was using the networks to mine for crypto-currency.

Advertisement. Scroll to continue reading.

Based on the hacker’s activity on underground forum fuckav[.]ru, Group-IB determined that, in addition to crypto-miners, he likely engaged in the use of the Atmos Trojan, the Metasploit PRO pentest software, and brute force attack tools.

In July 2017, he registered an account on exploit[.]in, where he focused on selling access to the compromised networks. By January 2018, he already had 18 buyers. By the end of July 2018, he was offering access to 51 companies in 21 countries.

“The cybercriminal shared the price in only 30% of cases. By that time, after 9 months of activity, the minimum average price for all visible accesses that he advertised was $268,000 (without including the sales he made through private messages),” Group-IB notes.

In July 2018, Fxmsp ceased all activity on forums, having appointed a user named Lampeduza (also known as Antony Moricone, BigPetya, Fivelife, Nikolay, tor.ter, andropov, and Gromyko on other forums) as his sales manager.

Between August and November 2018, Lampeduza shared posts advertising access to the networks of 62 new companies, with a total price for all of the access at $1,100,800. The two were banned from the forum in October, after trying to sell access to the same network to multiple cybercriminals.

The duo focused on private sales to a small circle of trusted clients, but resumed activity on other forums in March 2019. Over the course of 2019, they advertised access to corporate networks belonging to only 22 companies, with a total price of $124,100.

An investigation into the Jabber nicknames and email addresses used by Fxmsp has lead the security researchers to the conclusion that the individual behind the moniker is Andrey A. Turchin from Almaty, Kazakhstan.

“At the time of writing, Fxmsp is no longer conducting public activities. It is uncertain, however, whether he is still breaking into company networks and selling access to them. Given the risk, we deem it essential to offer universal recommendations on how to prevent attacks that bear similarities to those conducted by Fxmsp,” the researchers conclude.

Related: Russian Hackers Claim Breach of Three U.S. Anti-Virus Companies

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...