
The Underground Economist: Volume 5, Issue 2


Classified U.S. Department of Defense Documents Advertised on the Deep Web

On January 25, 2025, Russian- and English-speaking actor “nxe” advertised classified U.S. Department of Defense (DoD) documents for sale on the deep web forum xss. The actor claimed that the documents are highly classified and allegedly include information regarding the United States’ Nuclear Command and Control (NC2) system. The actor demanded 400,000 rubles for the confidential documents (equivalent to approximately USD 4,000) and stated they would be willing to provide a sample of the classified documents once interested buyers provide proof of funds.

  • Nxe joined xss in September 2024, and this is their first post.
  • Use of escrow is mandatory for sellers operating on xss (as it is on other deep web forums such as BreachForums); beyond that, nxe’s willingness to provide samples is a positive indicator of the actor’s credibility.
  • The actor stated that they prefer to specify all deal details in English.

It is very likely that nxe acquired the NC2 system documents from an unknown intelligence information broker on BreachForums and is now attempting to sell the data on the xss forum. ZeroFox identified a December 2024 post by nxe on BreachForums in which the actor was looking to buy classified intelligence documents—namely, classified government or military intelligence documents of any kind. In that post, the actor claimed that they were not focused on any particular country.

If nxe’s claims are credible, the sale of such data is likely to attract the attention of nation-state actors and governmental players, as well as other politically motivated cybercriminals. Such data is very likely to contain sensitive, proprietary information that would be of considerable value to adversarial actors and would likely represent a significant risk to national security operations.

IntelBroker Renounces Ownership of BreachForums 

On January 23, 2025, “IntelBroker” announced their resignation as the owner of BreachForums, citing a lack of adequate time to manage the platform. A few hours after the announcement, the actor’s status changed to "BreachForums Operative." IntelBroker further clarified that they would remain a regular member and continue posting occasionally but would no longer be part of the forum’s ownership or administration. 

  • IntelBroker has a history of advertising data breaches, illicit network accesses, and network vulnerabilities—often targeting high-profile organizations and institutions—on BreachForums. The actor has also either removed their account or changed their “moderator” status numerous times since the forum's disruption in May 2024.
  • On January 27, 2025, IntelBroker, along with their associates “EnergyWeaponUser” and “Alex218”, claimed to have breached recruiting company AsiaRecruit Malaysia (asiarecruit[.]com[.]my) and posted a database allegedly belonging to the company.

It is unclear whether IntelBroker’s stated reason for renouncing a moderator or administrator role on BreachForums is the whole story. There is a likely chance that IntelBroker intends to place more emphasis on monetizing their expertise by conducting more direct network breaches. There is also a roughly even chance that the actor seeks to lessen their exposure to law enforcement activity. While BreachForums will almost certainly remain a popular illicit hacking forum in the short to medium term, there is a roughly even chance that IntelBroker’s departure from ownership—the actor was often unofficially marketed as the “face” of BreachForums—will result in fewer actors frequenting the forum.

Actor Advertises Network Access to Multinational Pharmaceutical Company 

On January 18, 2025, actor "SmartDust101" posted in the dark web forum Onniforums, where they are newly registered. The actor claims to be an employee of an unspecified multinational pharmaceutical company with a 2024 annual revenue of USD 50 billion, and advertised the following services relating to leaking the organization’s information:

  • Comprehensive database access. SmartDust101 claims that they are able to provide comprehensive access to the organization’s databases, which hold data pertaining to client information that includes both public and private pharmacies, hospitals, and clinics. The actor also claims to have access to personally identifiable information (PII), likely of buyers and patients, including payment details such as international bank account numbers (IBANs) and value-added tax (VAT) numbers.
  • Technical passive reconnaissance. SmartDust101 offers to facilitate “technical passive reconnaissance” of the organization’s systems and networks. The reconnaissance allegedly includes information about remote desktop protocols (RDPs) and security infrastructure (including endpoint detection and antivirus solutions), as well as a list of local and web-based applications in use.
  • Miscellaneous. The actor claims that prospective buyers are able to propose specific requests for information, data, or actions that are not covered by the previous two offerings.

SmartDust101 specified that any activity would only be carried out if there is a very low risk of detection and identification. However, an exception is granted for “government APTs”, which SmartDust101 suggests could facilitate citizenship in their associated country in return for the services. No prices were stated in the advertisement, which is very likely indicative of a highly diverse set of offerings that require negotiation.

There is a likely chance that the advertisement is legitimate and reflective of a genuine disgruntled employee willing to sell their organization’s data. The explicit intent to use escrow for any transactions and an apparent effort to remain anonymous are reflective of increased credibility. 

  • Threat actors of all motivations and capabilities would almost certainly be interested in targeting a multinational pharmaceutical organization, given the sheer diversity of customer, proprietary, and supply-chain data likely in its possession. Such an organization is also likely to have extensive relationships with governments and critical national infrastructure such as hospitals—both of which are deemed lucrative targets across the cyber threat landscape.

If the advertised services are legitimate, then there is a very likely chance that SmartDust101 is financially motivated, with a less likely chance that the actor solely seeks to inflict punitive measures on their organization as political, ideological, or philosophical retribution. An ulterior motive of obtaining citizenship in a foreign country is also possible, though the extent to which this is a priority is unclear. This is more likely reflective of a willingness by SmartDust101 to compromise themselves for a perceived high-payoff result.

There is also a less likely chance that the advertisement represents a scam attempt, a law enforcement operation, or a cybersecurity entity seeking to gain insight into threat actor intents and tactics, techniques, and procedures (TTPs).

Following the post, Onniforums became inaccessible for several days. As of the writing of this report, there have been no responses to or discussion surrounding SmartDust101’s advertisement, although there is a likely chance that any correspondence would take place privately. If the services are being purchased and leveraged, a compromise of the target organization, a partner or supply-chain organization, or an associated government or customer base is very likely to occur.

Threat Actors Seeking to Exploit California Wildfire Recovery Funds 

On January 15, 2024, an untested threat actor known as “AngieJ” initiated a topical discussion regarding the exploitation of California wildfire recovery funds on the dark web forum Dread. The actor suggested that these funds could be leveraged to fraudulently elicit payouts from government authorities. AngieJ drew attention to the website hXXps://recovery.lacounty[.]gov/resources/, highlighting it as a potential focus for exploitation. It is very likely that some financially motivated actors perceive these funds as having inadequate verification processes, making them fertile ground for financial gain while posing very little risk to the scammers applying.

  • Following the outbreak of the January 2025 wildfires across California, authorities have made Federal Emergency Management Agency (FEMA) assistance funds available for residents impacted by wildfires in Los Angeles (LA) County.
  • In the thread, AngieJ criticized other members of the Dread forum for relying on outdated fraud methods, such as using financial mules and stolen payment cards.
  • The post almost certainly indicates ongoing threat actor interest in exploiting these funds via financially motivated scams. Based on previous behavior and attitudes towards disaster relief funds, it is very likely that a broader array of threat actors is interested in exploiting these funds than those identified to date.

AngieJ alluded to scams conducted during the COVID-19 pandemic as a blueprint for exploiting wildfire recovery funds. The actor elaborated on their initial post, stating that trillions of dollars in loans had been obtained from the U.S. government during the COVID-19 pandemic, specifically through the Paycheck Protection Program and Economic Injury Disaster Loans. AngieJ implied that some of these loans were obtained fraudulently and that similar scams could possibly be leveraged again, with potentially low risk to the threat actor. 

  • According to AngieJ, individuals who forged limited liability company (LLC) paperwork to secure USD 50,000 loans were often not pursued by authorities if they disappeared after receiving the funds, barring a few exceptions.

An untested actor known as "satanisyourmaster" replied to AngieJ with a lengthy post that garnered significant attention, the most relevant part of which addresses fraud related to LA wildfire recovery funds. The actor remarked, "I read the first returns through the gate have a much higher chance of being flagged for verification. So maybe wait a little. How long? Idk. But there ya go." This highlights a strategic approach for improving the success rate of applications for relief funds related to the LA wildfires, emphasizing threat actor patience to avoid early scrutiny during the verification process.

Although ZeroFox has identified no evidence that threat actors are actively—and successfully—leveraging wildfire recovery funds in financial scams, the thread indicates threat actor interest in exploiting such relief funds for this purpose. If such scams are successful, not only could they result in financial and reputational damage for state or local government authorities, they would also very likely reduce the availability of relief funds for those legitimately affected by the wildfires—as well as perpetuate the idea that these kinds of schemes are a viable attack vector for bad actors.

ZeroFox Intelligence Recommendations

  • Develop a comprehensive incident response strategy.
  • Deploy a holistic patch management process, and ensure all IT assets are patched with the latest software updates as quickly as possible.
  • Adopt a Zero-Trust cybersecurity architecture based upon a principle of least privilege.
  • Implement network segmentation to separate resources by sensitivity and/or function.
  • Ensure critical, proprietary, or sensitive data is always backed up to secure, off-site, or cloud servers at least once per year—and ideally more frequently.
  • Implement secure password policies, phishing-resistant multi-factor authentication (MFA), and unique credentials.
  • Configure email servers to block emails with malicious indicators, and deploy authentication protocols to prevent spoofed emails.
  • Proactively monitor for compromised accounts and credentials being brokered in deep and dark web forums.
  • Leverage cyber threat intelligence to inform the detection of relevant cyber threats and associated TTPs.

Appendix A: Traffic Light Protocol for Information Dissemination

Appendix B: ZeroFox Intelligence Probability Scale

All ZeroFox intelligence products leverage probabilistic assessment language in analytic judgments. Qualitative statements used in these judgments refer to associated probability ranges, which state the likelihood of occurrence of an event or development. Ranges are used to avoid a false impression of accuracy. This scale is a standard that aligns with how readers should interpret such terms.

Tags: Threat Intelligence
