An internal conflict caused a leak of hacker data, darkweb forum owners say
Soumik Ghosh
January 17, 2022
According to security experts, passwords, decryption keys, multi-factor authentication codes, and stealer logs belonging to threat actors who use the doxing website Doxbin have been leaked online. Hackers regularly use Doxbin to dump their victims’ personally identifiable information.
The leaked data, available for free on the darknet forum RaidForums, contains personally identifiable information of an undisclosed number of Doxbin users – both hackers and their victims – according to information gathered by threat intelligence firm Cyble and independent researcher and threat hunter Troy Hunt.
This incident differs from previously observed data dumps in that the leaked data contains highly sensitive material: plain-text passwords, multi-factor authentication codes, stealer logs, and chat histories of known threat actors.
According to a tweet from Hunt, founder of data leak tracking website Have I Been Pwned, as of Jan. 8, 380,000 email addresses were shared online across user accounts and doxes.
New sensitive breach: the “doxing” website Doxbin had 380,000 user account and dox email addresses breached and shared online this week. Extensive personal information within doxes was also exposed. 27% were already in @haveibeenpwned. Read more: https://t.co/bkFyrWCxMj
— Have I been pwned (@haveibeenpwned) January 8, 2022
At last count on Thursday, Cyble estimated that more than 700,000 email addresses were leaked. The information disclosed includes identities of threat actors’ family members, IP addresses, and geolocation, the Cyble report said.
The doxed information contains critical, work-related information that can be exploited in phishing attacks, Cyble says. It warns that there could be a surge in malicious activities like identity theft as a result of the leak.
Importance for threat actors
Based on dark web chatter observed by Cyble, it appears that the leaked dox contains information that may reinforce or confirm law enforcement’s investigative work, says Dhanalakshmi PK, the company’s senior director of malware and intelligence research.
When asked if the leaked information could help law enforcement agencies track down threat actors, Dhanalakshmi says the leaked information could be aliases used by threat actors and therefore may not be genuine. But she says it could help authorities verify information about the threat actors.
Dhanalakshmi tells Information Security Media Group that the leak could affect the activities of alleged threat actors such as Pompompurin and Omnipotent. The latter is the admin of RaidForums.
Other threat actors, she adds, could use the leaked data to their own advantage. Take stealer logs, for example: a stealer is a Trojan that attackers use to harvest credentials and other information from their victims’ systems, and its logs are structured output that lets cybercriminals search through huge amounts of harvested data quickly.
Cyble’s report provides a snapshot of the leaked information and shows how one victim was infected with a Mercury grabber, a stealer used by ransomware groups.
“We have observed cases where forums have imploded, revealing information about admins and moderators of said forum. These forums also compete for user time and retention,” says Dhanalakshmi.
This is not a new phenomenon. In August 2021, a disgruntled insider leaked internal data from the Conti ransomware group after a dispute. At the time, Sophos researchers said the data leak “didn’t really matter much” because ransomware-as-a-service groups tend to keep details about decryption keys and extortion payments to themselves.
Sophos added that the leak would not help ransomware victims decrypt encrypted files as the decryption keys would not be disclosed. However, the Doxbin data leak contains decryption keys.
An act of vengeance?
KT and Brenton, who describe themselves as the owners and administrators of Doxbin, have posted a note on the site offering an explanation of the source of the leak.
The note states that Doxbin was sold to 16-year-old user Arion Kurtaj, aka “White”, in November 2021. However, failing to make any significant progress with the platform, he put Doxbin up for sale and was offered a deal by Brenton and KT.
After the deal, White was “demoted from the community Discord server as he was no longer part of the project,” the note said. This prompted White to hijack the community’s Discord server, retake control of the platform and eventually leak the user database in retaliation, the note said.
After the leak, Doxbin’s new owners discovered that White had modified the site’s source code to log all login attempts, including the submitted password, in plain text.
The administrators have warned users that anyone who logged in between November 9, 2021 and January 4, 2022 risks having their Doxbin password recorded in the clear.
KT and Brenton say the leaked data contains extremely sensitive information, such as bcrypt-hashed passwords, blacklist information and secret keys for two-factor authentication.
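The following is an added illustration of the mechanism the note describes, written for this page; it is not Doxbin’s code and nothing about Doxbin’s real implementation is known beyond what the note says. It shows a login handler with a single injected line that records every submitted password and 2FA code before verification, beside a handler that only ever logs the outcome, and then shows why a dump containing the 2FA secret keys is as damaging as the plain-text passwords: anyone holding a TOTP secret can compute a valid code at any later time. PBKDF2 from the standard library stands in for bcrypt so the example runs without extra packages; the user record, salt and secret are constructed for the demo.

```python
import base64
import hashlib
import hmac
import os
import struct

PBKDF2_ITERS = 200_000  # stand-in for bcrypt's work factor


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns salt || derived key."""
    salt = os.urandom(16) if salt is None else salt
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)


def verify_password(password, stored):
    salt, dk = stored[:16], stored[16:]
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)
    return hmac.compare_digest(cand, dk)


def totp(secret_b32, now, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1. Deterministic given the secret and a clock,
    which is exactly why a leaked secret is a permanent bypass of the second factor."""
    key = base64.b32decode(secret_b32.upper())
    mac = hmac.new(key, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def _check(user, password, code, db, now):
    rec = db.get(user)
    if rec is None:
        return False
    pw_ok = verify_password(password, rec["pw"])
    code_ok = hmac.compare_digest(code, totp(rec["totp"], now))
    return pw_ok and code_ok


def login_backdoored(user, password, code, db, capture, now):
    # The injected line: the submitted password and 2FA code are written out
    # in the clear before verification runs, whether the attempt succeeds or not.
    capture.append(f"{user}:{password}:{code}")
    return _check(user, password, code, db, now)


def login_hardened(user, password, code, db, audit, now):
    ok = _check(user, password, code, db, now)
    audit.append(f"{user}:{'ok' if ok else 'fail'}")  # outcome only, never the secret
    return ok


# Constructed demo data: one user, fixed salt and secret so the run is repeatable.
DEMO_TOTP_SECRET = base64.b32encode(b"12345678901234567890").decode()
DEMO_DB = {"alice": {"pw": hash_password("correct horse", b"\x00" * 16),
                     "totp": DEMO_TOTP_SECRET}}


def replay_from_capture(line, leaked_db, now):
    """What the dump enables: the captured plaintext password logs in as the victim,
    and the leaked TOTP secret yields a fresh valid code long after the original session."""
    user, password, _stale_code = line.split(":", 2)
    fresh_code = totp(leaked_db[user]["totp"], now)
    return login_hardened(user, password, fresh_code, leaked_db, [], now)


def demo():
    now = 1_700_000_000
    captured, audit = [], []
    user_code = totp(DEMO_TOTP_SECRET, now)  # what the victim's authenticator shows
    login_backdoored("alice", "correct horse", user_code, DEMO_DB, captured, now)
    login_hardened("alice", "correct horse", user_code, DEMO_DB, audit, now)
    later = now + 90 * 24 * 3600  # attacker acts months later, old code long expired
    return {"captured": captured[0], "audit": audit[0],
            "replay_ok": replay_from_capture(captured[0], DEMO_DB, later)}


if __name__ == "__main__":
    print(demo())
```

The point of `login_hardened` is not that the hashing is strong but that the plaintext never reaches any log; once a single injected line has been live for two months, re-hashing the database afterwards does nothing, and every account whose TOTP secret was in the dump needs the secret rotated, not just the password.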
Doxbin’s administrators admit that the compromised information poses a serious problem and will have a “heavy impact” on its reputation.