The Underground Economist: Volume 3, Issue 9

6 minute read

Welcome back to The Underground Economist: Volume 3, Issue 5, an intelligence focused blog series illuminating dark web findings in digestible tidbits from our ZeroFox Dark Ops intelligence team. The Dark Ops team scours the dark web, extending visibility and engagement into places traditional security teams can’t reach to share meaningful and insightful intelligence on the trends and tactics threat actors are leveraging across the dark web and criminal underground. Here’s the latest for the week of May 17, 2023.

More Russian-Speaking Threat Actors Offering Deals That Impact Chinese Targets

ZeroFox researchers have observed a growing number of Russian-speaking threat actors offering deals that impact Chinese targets on the predominantly Russian language Deep Web forum “RAMP.” This goes against the notion that many Russian and Chinese language threat actors work in cooperation with each other on the criminal underground. 

In late April 2023, untested threat actor “ChinaDan” announced a data breach containing the personally identifiable information (PII) of 630 million Chinese citizens. Compromised data includes:

  • Full name
  • National ID number
  • Phone number
  • Physical address
  • Date of birth

ZeroFox researchers highlight this is likely the most substantial data breach impacting a Chinese target since threat actors leaked more than 23TB of sensitive data from the Shanghai National Police in 2022.

In early May 2023, new and untested threat actor “dayone31337_blardo” advertised network access to the Chinese telecommunications company China Telecom. The actor claims to have administrator privileges to the target’s internal network, which would be ideal for ransomware gangs. The actor specified the company generates approximately $57.7 billion USD (400 billion CNY) in revenue. 

ZeroFox researchers assess the actor is likely credible because they agreed to use an escrow service, which would require them to work with a forum administrator or middleman to complete the transaction.

Original screenshots from threat actors “ChinaDan” and “dayone31337_blardo” offering deals that impact Chinese targets

Newly Developed Stealer Malware Announced

New and untested threat actor “Mystic Stealer” announced a newly developed stealer malware, dubbed “Mystic Stealer,” on the Russian language Deep Web forum “WWH-Club.” Uniquely, this malware can change its code to avoid detection by most antivirus products. Additional features of the malware include:

  • Works on most machines that run Windows (both 32-bit and 64-bit architecture versions)
  • Written in C and Python
  • Small build size (200kb to 250kb)  
  • Runs in memory

Like most stealers, the malware collects sensitive data from a victim’s web browser, including:

  • Login credentials
  • Browser cookies
  • Payment cards
  • Cryptocurrency wallet data
  • Additional system information

ZeroFox researchers assess this new stealer malware is likely to succeed because it has already received positive feedback from peers, including the well-regarded and established threat actor “kyky12.”

Original screenshots from threat actor “Mystic Stealer” announcing a newly developed stealer malware dubbed “Mystic Stealer”

New Data Breach Search Engine Advertised

Untested threat actor “mennemmen007” advertised a new data breach search engine, dubbed “Illicit Services,” on the predominantly Russian language Deep Web forum “Exploit.” The search engine allows threat actors to query more than 13 billion records that contain the sensitive data of victims, including:

  • Full names
  • Email addresses
  • Passwords
  • Phone numbers
  • Physical addresses
  • License plate numbers
  • Birth years
  • Vehicle identification numbers (VINs)

ZeroFox researchers assess this new search engine almost certainly leverages stolen data from the “Intelligence X” search engine and data archive because the “Illicit Services” administrator shared alleged emails between the Intelligence X founder, Peter Kleissner, and a bug bounty hunter who was angry because they never received payment for disclosing a vulnerability in the Intelligence X platform. 

It is highly likely the bug bounty hunter exploited the vulnerability they discovered to steal data from the Intelligence X platform and use it to create their own, free data breach search engine to spite Kleissner.

Original post from threat actor “mennemmen007” advertising a new data breach search engine dubbed “Illicit Services”

Service That Compromises Cryptocurrency Wallets Gaining Momentum

A service that aims to compromise various cryptocurrency wallets is gaining momentum on the predominantly English language Deep Web forum “Exploit.” 

In early May 2023, new and positively trending threat actor “MarkoP0lo” claimed they successfully used the service to pocket more than $7,500 USD (4.214 ETH) from a victim’s cryptocurrency wallet. This is significant because the service now has a chance to corner the market, since there are only a few trusted vendors that compromise cryptocurrency wallets.    

The well-regarded and established threat actor “hash_attack” first announced the service in late January 2023. The announcement was initially met with skepticism from peers.

ZeroFox researchers assess the positive feedback will likely attract new threat actors to use the service because they can receive up to 75 percent of the stolen funds from a victim’s wallet.

Learn More about the Authors Behind The Underground Economist

The ZeroFox Dark Ops team is embedded in the underground economy, offering dark web intelligence, direct threat actor engagement, and unmatched visibility into the dark web. Our global threat hunting and dark web intelligence team extends the reach of your security resources, engaging with the underground community. We give you an advantage over emerging threats and stop active threats before damage can be done. Integrated into hundreds of dark web communities and places where most can’t infiltrate, we combine open-source and human intelligence to fight back, engage with adversaries, triage threats and curate intelligence specific to you. Learn more here.

CTA for Hitchhiker's Guide to the Dark Web

See ZeroFox in action