The Underground Economist: Volume 2, Issue 12


Welcome back to The Underground Economist: Volume 2, Issue 12, an intelligence-focused blog series illuminating Dark Web findings in digestible tidbits from our ZeroFox Dark Ops intelligence team. The Dark Ops team scours the Dark Web, extending visibility and engagement into places traditional security teams can’t reach, to share meaningful and insightful intelligence on the trends and tactics threat actors are leveraging across the Dark Web and criminal underground. Here’s the latest for the week of July 8, 2022.

New Ransomware Project Open To Affiliates

New and untested threat actor “MNSTR” advertised a new ransomware-as-a-service (RaaS) project, dubbed “MONSTER”, on the Russian-language Dark Web forum “RAMP”. This marks the second time in the past month that ZeroFox researchers have observed a ransomware gang advertising an affiliate program on the forum. This comes after months of silence from ransomware groups across the underground, indicating ransomware attacks are likely to rise. Features of the ransomware include:

  • Does not contain software dependencies 
  • Works on machines that run any version of Windows
  • Displays list of files being encrypted
  • Automatically changes permissions to take full control of files
  • Ends running processes to encrypt more files
  • Empties Recycle Bin and deletes Restore Points to make recovery more difficult
  • Encrypts hidden partitions
  • Scans for files and shared folders across the network

The actor also specified that this ransomware checks the location and validates the IP address of a target to avoid spreading the malware in CIS countries. This differs from previous ransomware variants that leveraged system language information to make that distinction. ZeroFox researchers assess that this change in behavior is likely due to more publications advising organizations to install Russian-language keyboards on their systems to keep malware from triggering, forcing ransomware developers to adjust their methods.

The threat actor agreed to split the profits from any successful ransom payments 80-20 in favor of affiliates.

Original post from threat actor “MNSTR” advertising a new ransomware-as-a-service (RaaS) project.

Discord Spamming Service Announced

Moderately credible threat actor “Maduro” announced their new Discord spamming service on the Russian-language Deep Web forum exploit[.]in. The actor claims that this service can send messages en masse to all users on a server, regardless of whether that server is public or not. The actor claims that operators can also specify which servers they would like to target by providing them with the appropriate channel invite codes.

Threat actors with the requisite technical skills could leverage this service to:

  • Increase web traffic to malicious websites
  • Spread malware
  • Compromise cryptocurrency wallets

Prices for the service vary depending on the number of messages a threat actor would like to send, from $125 USD for 5,000 messages to $9,900 USD for 1,000,000 messages.

If legitimate, ZeroFox researchers assess that this service will likely lead to an increase in spam campaigns across Discord, since it effectively lowers the technical bar of entry for threat actors looking to launch these attacks.  

Original post from threat actor “Maduro” announcing their new Discord spamming service.

Threat Actor Scheme Targets Wealthy Cryptocurrency Investors

Untested threat actor “millyrock59” posted on the Russian-language Deep Web forum exploit[.]in that they are looking for partners who can supply them with databases that contain the PII of wealthy cryptocurrency investors. The actor claims they can scan these datasets for AT&T email domains and reset the passwords to perform account takeovers. Some of the alleged email domains include:


The actor or group claims that they have previously compromised AT&T email accounts associated with different cryptocurrency wallets and tax services to identify their victims’ cryptocurrency assets and seed recovery phrases. 

ZeroFox researchers assess that this threat actor could be exploiting a vulnerability in Yahoo Mail, since the AT&T email domains they referenced leverage this service.

Original post from threat actor “millyrock59”, who is looking for partners to supply them with databases that contain the PII of wealthy cryptocurrency investors.

New Telegram Shop Selling Compromised Facebook & Google Accounts

Well-regarded and established threat actor “fooble” advertised a new, automated Telegram shop that specializes in the sale of compromised Facebook and Google accounts on the Russian-language Deep Web forum exploit[.]in. This follows a recent trend observed in the underground as more threat actors are leveraging automation to streamline their operations. Services such as Telegram offer threat actors a cheaper, more secure alternative to traditional shops on the Deep or Dark Web.

According to the actor, this new shop has Facebook accounts from the U.S. and various European countries with spending limits between $250 USD and $1,500 USD. The price per account starts at $0.30 USD.

The shop also has Google Pay and Gmail accounts from $0.40 USD each.

Additionally, the actor takes requests to check their logs for compromised accounts for services other than Facebook or Google, for a minimum of $100 USD per request.
