TL;DR: Mandated MFA on Russian-language Dark Web Forum


TL;DR: Dark Ops First Take is a new series from our Dark Ops intelligence team that shares quick and initial observations regarding fraud and threat activity across the deep and dark web. We are sharing these fast-breaking events in near real-time; we will continue to monitor and evaluate the risk associated with the claims from these cybercriminals.

Exploit: Forum Admin Introduces Mandatory 2FA

On the popular Russian-language dark web forum, Exploit[.]in, the forum’s admin recently announced that two-factor authentication (2FA) will be mandatory. This is almost certainly in response to a substantial increase in account takeovers on the forum, which the admin confirmed is expediting this policy change. The mandate goes into effect on December 20, 2022. Those who do not enable 2FA will have their accounts deactivated.

Figure 1: Translated announcement on exploit[.]in regarding mandatory 2FA

ZeroFox additionally assesses that account takeover is probably also taking place because of the increased availability of exploit[.]in credentials in botnet logs, which are readily available for sale on deep web marketplaces, such as Russian Market.

In addition to allowing threat actors to skip paying the exploit[.]in registration fees, such logs may allow actors to perform identity theft against their partners-in-crime and perform unexpected types of social engineering against their fellow forum members.
