BLOG

The Underground Economist: Volume 2, Issue 23

4 minute read

Welcome back to The Underground Economist: Volume 2, Issue 23, an intelligence focused blog series illuminating dark web findings in digestible tidbits from our ZeroFox Dark Ops intelligence team. The Dark Ops team scours the dark web, extending visibility and engagement into places traditional security teams can’t reach to share meaningful and insightful intelligence on the trends and tactics threat actors are leveraging across the dark web and criminal underground. Here’s the latest for the week of December 9, 2022.

Russian Forum ‘Exploit’ Requiring Users To Enable Multi-Factor Authentication

The administrator of the Russian language Deep Web forum “Exploit” has announced that all users will soon be required to enable multi-factor authentication (2FA) on their accounts. The forum is implementing the change because an increasing number of threat actors are compromising Deep and Dark Web forum accounts, likely to avoid having to pay registration fees or to scam their peers. 

The forum’s competitor, “XSS,” has also made changes recently to deter fraud, mandating that all forum users make transactions via an automated escrow service. 

“Exploit” users have until December 20, 2022 to enable 2FA, or their accounts will be disabled.

Actor Selling Root Access To 2,000 Compromised Linux Web Servers

New and untested threat actor “AxisWeapon” advertised root access to more than 2,000 compromised Linux servers running Hestia Control Panel on the predominantly Russian language Deep Web forum “XSS.” In addition to the web panels, the actor said the servers can also be accessed via Secure Shell (SSH), a protocol designed for remote administration. A skilled threat actor can almost certainly utilize these web servers for various cyber-attacks, including:

  • Botnet creation
  • Spread additional malware
  • Perform domain hijacking
  • Leak sensitive data
  • Launch phishing or spam campaigns


ZeroFox researchers assess the actor likely exploited a new vulnerability in Hestia because of the high number of servers available, indicating that more threat actors are successfully compromising Linux-based machines.  

Actor Claims Data Outlines Cyber-Attacks Launched By Chinese Government

New and untested threat actor “WoyouLuma” advertised 613 MB of sensitive data outlining various cyber-attacks allegedly launched by the Chinese government against targets worldwide on the predominantly Russian language Deep Web forum “Exploit.” Compromised data includes:

  • The real identities of more than 100 state-sponsored threat actors
  • Information about various China-based companies that allegedly supported the attacks
  • A list of the alleged targets
  • Internal communications between the threat actors involved
  • Evidence of corruption in the Wuhan policy agency

The actor charged $10,000 USD per document or $150,000 USD for the complete dataset. They also offered to sell the personally identifiable information (PII) of individual threat actors for $1,000 USD per person.

ZeroFox researchers assess the announcement of this data likely indicates that there is a government insider leaking secrets about China’s cyber warfare operations because the actor claims the information was obtained firsthand from the Chinese Ministry of State Security. 

Original post from threat actor “WoyouLuma” advertising 613 MB of sensitive data outlining various cyber-attacks allegedly launched by the Chinese government against targets worldwide 

Well-regarded threat actor and established intel broker “Spectre” leaked the sensitive Outlook data of two Iranian Ministry of Foreign Affairs employees on their Telegram channel “Spectre’s Intel Repository” (AKA “intelrepo”). In addition to email messages, the leaked files likely contain other sensitive data, including calendar events and contacts. The actor claims they disclosed the files in support of the Iranian demonstrators protesting the current regime, specifically the morality police. 


In November 2021, “Spectre” advertised another data leak related to the Saudi Arabian government on the now defunct English language Deep Web forum “RaidForums.” Similarly, the actor obtained the leak from the email inboxes of Saudi military officials.  

For more insights and information on improving your threat intelligence strategy, download our Buyers Guide for Threat Intelligence.

See ZeroFox in action