Welcome back to The Underground Economist, an intelligence focused blog series illuminating Dark Web findings in digestible tidbits from our ZeroFox Dark Ops intelligence team. The Dark Ops team scours the Dark Web, extending visibility and engagement into places traditional security teams can’t reach to share meaningful and insightful intelligence on the trends and tactics threat actors are leveraging across the Dark Web and criminal underground. Here’s the latest for the week of October 18th, 2021.
White House Market Announces Retirement, AlphaBay Resurfaces
In late September 2021, staff members of the popular White House Market (WHM) shared a message explaining their decision to retire the privacy centric Dark Web marketplace nearly two years after it launched, claiming they have reached their—unknown, but very likely profit driven—goal. New user account registration and ordering have been disabled, but the marketplace will remain open long enough for users to complete any pending transactions and withdraw funds from their accounts.
Shortly before WHM announced its retirement, AlphaBay also re-emerged as a sublist on the well-regarded Dark Web portal “Dread”. The original AlphaBay launched in 2014 and quickly became one of the largest Dark Web marketplaces of its time. It was shut down by the U.S. government in 2017. The administrator of the new AlphaBay—who goes by the same “DeSnake” alias as one of the cofounders of the original marketplace—reacted to the WHM announcement by offering free vendor bonds and discounts to WHM refugees.
Much like WHM, the new AlphaBay will exclusively accept Monero as payment; however, communications on the newly relaunched marketplace will not be PGP encrypted and verified by default, like WHM. Although rumors have surfaced speculating whether the new AlphaBay is a honeypot, there is excessive positive chatter around its return across the Dark Web. Researchers note a high volume of products and listings continue to be posted to the new marketplace as former WHM users migrate over.
Threat Actor Offering $5,000 USD To Alter Online Test Scores For Optometry Exam
New and untested threat actor “ndy4g” is offering $5,000 USD in Bitcoin to anyone who can successfully gain unauthorized access to the website for the U.S. National Board of Examiners in Optometry (NBEO) and change online test scores on the Dark Web marketplace known as “KickAss”.
The test scores are tied to a series of exams that current students and recent graduates must pass to become certified optometrists. The actor claims more information will be provided to the individual who agrees to the job.
Well-regarded threat actor “Hide01” replied to the original post, indicating jabber user “[email protected]” would likely be able to alter the test scores. Researchers note “Hide01” is one of the most reputable members of the “KickAss” marketplace and recently set up an online community for Iranian threat actors.
New Tool Steals Login Credentials From Vulnerable SQL Databases
In early October, well-regarded threat actor “corptoday” advertised a new tool called “DumpFinder” that exploits known vulnerabilities in SQL databases to steal email addresses and passwords (both hashed and plaintext) on the Russian language Dark Web forum exploit[.]in. The actor claims the tool was designed to complement another successful tool they developed, dubbed “AdminFinder”, that has capabilities to extract administrator passwords. It is not clear if “AdminFinder” steals the passwords from vulnerable SQL repositories or databases. Researchers note the new “DumpFinder” tool is likely to increase the number of compromised databases, and by extension, credential stuffing attacks. The price to rent the tool is $2,000 per month, with a $500 discount for current users of the “AdminFinder” tool.
About the Writers of The Underground Economist: The ZeroFox Dark Ops Team
ZeroFox’s Dark Ops team operates amongst the criminal underground community. Our global threat hunting and Dark Web intelligence team extends the reach of your security resources by engaging with the underground community, bolstering your capabilities in an effort to give you an advantage over emerging threats and stop active or future attacks before damage can be done. Embedded into hundreds of Dark Web communities where few possess the cultural or language expertise to infiltrate, we combine open-source and human intelligence to fight back, engage with adversaries, triage threats and curate intelligence specific to your threat intelligence requirements. Engage directly with the team here.