The Underground Economist: Volume 4, Issue 10
Welcome back to The Underground Economist: Volume 4, Issue 10, an intelligence-focused blog series illuminating dark web findings in digestible tidbits from our ZeroFox Dark Ops intelligence team.
The Dark Ops team scours the dark web, extending visibility and engagement into places traditional security teams can’t reach to share meaningful and insightful intelligence on the trends and tactics threat actors are leveraging across the dark web and criminal underground. Here’s the latest for the week of May 16, 2024.
BreachForums MarketPlace Seized by Law Enforcement
On May 15, 2024, the popular English-language deep and dark web (DDW) forum BreachForums was seized in an operation likely coordinated by multiple international law enforcement agencies. At the time of writing, both clearnet and onion domains display a banner stating that the sites are under the control of the Federal Bureau of Investigation (FBI) and the U.S. Department of Justice (DoJ). ZeroFox notes the possibility that the law enforcement operation is ongoing, with the potential for further disruption.
- The FBI and DoJ have allegedly taken control of the domain hosted at breachforums[.]st. Former BreachForum domains hosted at [.]cx, [.]is, and [.]vc were not operational at the time of the disruption.
- The FBI has also seized control of the BreachForums Telegram channel, announcing to users via a message that a review of the backend data will be conducted.
- There are unconfirmed reports that an alleged BreachForums moderator, “Baphomet”, has been arrested.
- The seizure follows a series of posts on the forum by well-regarded threat actor “IntelBroker” who claimed to have breached a European Intelligence Agency.
Since mid-2023, BreachForums has been one of the most popular DDW marketplaces hosting discussions surrounding malicious network access and exploitation, as well as the trading of associated goods such as personally identifiable information and personal financial information.
- A previous version of BreachedForums ran from March 2022 to March 2023 before being seized by law enforcement following the arrest of the forum’s creator, an individual known as “Pompompurin.”
- The forum’s predecessor, RaidForums, was also disrupted by law enforcement in April 2022.
In April 2024, BreachForums’ surface web domain became unusable for a short period of time. The site's administrator, Baphomet, posted a subsequent PGP-encrypted message to the forum’s Telegram channel announcing the suspension of BreachForums[.]cx and added that the forum’s [.]onion domain was still functioning. The disruption was claimed by threat actor “R00TK1T” in a Telegram post.
- R00TK1T’s involvement was quickly disputed by Baphomet, who instead blamed “the five eyes network, and various other large nations.” Baphomet also announced the resumption of the forum on the [.]st Top Level Domain (TLD).
- Given the forum’s short downtime and the lack of subsequent information posted by R00TK1T as threatened, it is unlikely that R00TK1T was involved in the site’s disruption.
ZeroFox can neither independently confirm nor deny that activity conducted by IntelBroker initiated law enforcement’s disruption to BreachForums. However, a spate of recent posts on the forum by the threat actor advertised data breaches allegedly composed of highly sensitive information.
- In April 2024, IntelBroker claimed to advertise a leaked database associated with “Space Eyes”—a geospatial intelligence company that almost certainly works with the U.S. government. Posts of this nature are not uncommon from IntelBroker; however, they are not usually advertised in clear web forums such as BreachForums[.]st.
- In May 2024, IntelBroker claimed to have breached a European intelligence agency and was selling sensitive personal data pertaining to its employees. This data was reportedly sold by IntelBroker.
Suspected Attack Planned on Global Shipping Agency
On May 8, 2024, threat actor “g77” stated in a post on the DDW community RAMP that they were seeking to obtain illicit access into the networks of global shipping entities. The threat actor did not disclose additional information regarding the requirements or subsequent intended use of the access.
- ZeroFox has observed previous activity from g77 in the RAMP forum, such as the organizing of spamming campaigns and Business Email Compromise (BEC) social engineering attacks.
G77 stated in the post that profits will be in excess of USD 100,000 per week and that network access will not be compromised. This claim is indicative of intended data exfiltration and monetization, rather than a digital extortion attack leveraging ransomware.
- The advertisement is likely aimed toward employees of global shipping organizations that are able to provide network access on an ongoing basis.
- G77 did not provide further detail as to how the potential profit would be split amongst themselves and other participants.
While there are multiple ways in which this access could be exploited for financial reward, it is unlikely that the advertised profit could be procured for significant lengths of time while simultaneously preserving network access.
Fake Tether Cryptocurrency Tokens Announced for Sale
Since the beginning of May 2024, two advertisements for the sale of fake Tether ECR20 have been offered in DDW forums. Such announcements are historically uncommon, though there is a roughly even chance that demand for these services is increasing.
Tether is a type of Stablecoin—a cryptocurrency with value that is tied to another asset. Tether is tied to the U.S. dollar, which enables a stable value in comparison to other, more volatile cryptocurrencies.
Threat actors seeking to acquire fake Tether ERC20 coins most likely intend to leverage them in malicious, fraudulent activity such as exchange or investment scams, which are often conducted via the establishment of a webpage imitating a legitimate cryptocurrency or investment platform. These will often offer unrealistic exchange rates or returns. The threat actor will then restrict victim withdrawals and steal the invested funds.
On May 10, 2024, untested actor “H45H” advertised the sale of fake Tether ERC20 tokens on the predominantly-Russian language DDW forum Exploit. The actor gave no further detail and advised interested parties to contact them via their Telegram account.
Previously on May 3, 2024, vetted English-speaking threat actor “Churk” announced the sale of fake Tether ERC20 on the Russian-speaking forum xss. Churk claimed to have “a few billion fake USDT” for sale, at a cost of 0.5–2 percent of the Tether value. Churk alleged that the fake cryptocurrency shares common identifiers with its legitimate counterpart, such as pictures and other attributes. This sale is very likely credible, given Churk’s positive reputation within the forum and explicit agreement to use the forum’s escrow service.
Churk advised that the fake USDT are not a “flash coin”, claiming to still be in possession of fake coins from 2021 that are recognized by the cryptocurrency platforms Coinbase, Metamast, Trustwallet, and Phantom. Churk conceded, however, that the fake USDT cannot be exchanged for other crypto, though they can be used “easily” in unmediated 1:1 exchange scams.
- Flash coin is a term used to describe fake cryptocurrency that disappears before its use, often shortly after arriving in a crypto wallet. They can be in a variety of formats, such as Bitcoin (BTC), Ethereum (ETH), or Ripple (XRP).
On May 13, 2024, positive reputation actor “maxim1of1” commented on the thread, warning potential buyers of multiple issues they had experienced after purchasing 2,500 fake tether tokens at a cost of USD 50. Maxim1of1 alleged that:
- The fake coin does not automatically appear in a crypto wallet, requiring it to be added manually. Maxim1of1 provided an image which suggests that the fake currency was not recognized.
- The USDT logo does not show on the tokens, resulting in the token appearing inauthentic.
Further discussion followed between several actors as to whether different cryptocurrency platforms would be more suitable for the fake Tether. Churk advised that they would address compatibility issues. Another actor, “sed”, pointed out that the most important feature of the fake Tether is that it does not disappear.
- Fake exchange and investment scams are conducted via the threat actor setting up a website imitating a legitimate cryptocurrency site, almost certainly promising unrealistic high returns and rates. These fake exchanges allow victims to deposit funds but then restrict withdrawals, or the threat actors will simply disappear with the invested money.
These two announcements indicate a roughly even chance of an increased interest in fake cryptocurrencies within DDW forums. Cryptocurrencies such as Tether are likely to be continually implicated in this activity, due in part to threat actors’ ability to emulate it, its general popularity amongst competitors, and the high degree of anonymity that can be exploited.
If threat actors are continually successful in leveraging fake cryptocurrencies for malicious purposes, it is likely that additional purchasing options will become available in DDW forums. This would very likely lead to an increased threat to both individuals and organizations that are either involved in cryptocurrency trading or accept it as tender.
Malicious AI-Enhanced Bot Announced for Sale
On May 6, 2024, untested threat actor “Average” started a thread in the Russian-speaking DDW community Exploit advertising the development of a new artificial intelligence (AI)-powered one-time password (OTP) bot that can be leveraged in two-factor authentication (2FA) bypass attacks, as well as other social engineering activity. The bot can reportedly emulate human conversation by using a “soft woman voice” and handling interruptions accordingly.
- In the post, Average embedded a screenshot of a voice chat log allegedly portraying conversation between the bot and an unknown victim. The bot presented itself as a Microsoft Outlook support representative and was allegedly able to extract an OTP from the victim.
- Average claimed that the bot can also be “trained” to perform a variety of social engineering techniques. This very likely refers to the bot's alleged ability to update its knowledge over time, using various learning methods and effectively responding to prompts.
An OTP bot is an automated program designed to steal OTPs from users by leveraging social engineering techniques to impersonate a legitimate service and bypassing any multi-factor authentication (MFA) protocols in place. By illicitly obtaining a victim's OTP, a threat actor can gain unauthorized access to the target network and conduct further malicious activity, such as data theft or deploying harmful software.
According to Average, the bot is still under development, though a beta version is available to up to three “investors”, whose funds will be used to improve the tool. In exchange, they will receive lifetime access to the service. This option was purportedly going live three days after the advertisement was published and is now very likely available.
- The bot was originally available for pre-order at a cost of USD 300, which allegedly included access to the service and lifetime support. However, the cost has since been reduced to USD 150. This is very likely due to a lack of initial interest.
- Average has offered a demonstration to interested parties and agreed to use the forum’s escrow service, both of which almost certainly increase the credibility of Average and the bot service.
The advertisement of this bot is almost certainly indicative of a growing interest in unrestricted AI tools within both DDW and open web communities. Throughout 2024, threat actors of varied motives and capabilities are very likely to increasingly seek tools able to enhance their ability to conduct malicious cyber activity.
ZeroFox Intelligence Recommendations
- Adopt a Zero-Trust cybersecurity architecture based upon a principle of least privilege.
- Implement network segmentation to separate resources by sensitivity and/or function.
- Implement secure password policies with phishing-resistant MFA, complex passwords, and unique credentials.
- Leverage cyber threat intelligence to inform the detection of relevant cyber threats and associated tactics, techniques, and procedures (TTPs).
- Ensure critical, proprietary, or sensitive data is always backed up to secure, off-site, or cloud servers at least once per year—and ideally more frequently.
- Develop a comprehensive incident response strategy.
- Configure email servers to block emails with malicious indicators, and deploy authentication protocols to prevent spoofed emails.
- Deploy a holistic patch management process and ensure all IT assets are updated with the latest software updates as quickly as possible.
- Proactively monitor for compromised accounts being brokered in DDW forums.
- Configure ongoing monitoring for Compromised Account Credentials.
Tags: Breaches, Dark Ops, Threat Intelligence