Cyber Incident Victim: Verified

Date: Jan 2021

Location: Russia

Summary

A series of cyberattacks compromised multiple underground forums, including Verified, resulting in extensive data theft and financial losses. Attackers exfiltrated user databases containing private messages, registration details, and partially obfuscated credentials, subsequently offering them for sale on third-party platforms. In one instance, cryptocurrency worth $150,000 was diverted from the forum's wallet. Additional breaches involved credential misuse to redirect payments to fraudulent services and unauthorized server access enabling network traffic interception. While some compromised data was hashed or obfuscated, the incidents prompted user discussions about operational security changes, including abandoning email-based registrations. Forum administrators acknowledged the breaches and attempted remediation efforts in certain cases.

Description

In January 2021, the Verified cybercrime forum, a prominent Russian-language underground platform, was compromised by unidentified threat actors. The attackers exfiltrated the forum’s database containing registered users’ data, private messages, posts, and threads. This stolen data was subsequently advertised for sale on Raid Forums with a price tag of $100,000. Additionally, the attackers transferred approximately $150,000 worth of cryptocurrency from Verified’s wallet to a wallet under their control. The breach was observed by threat intelligence firm Intel 471, which noted that the attack’s characteristics suggested it was not a law enforcement operation. Verified’s administrators did not publicly disclose remediation efforts or communications regarding the incident. This breach marked the beginning of a series of attacks targeting cybercrime forums throughout early 2021, with Crdclub, Exploit, and Maza suffering similar compromises in February and March.

The Crdclub forum was breached in February 2021 when attackers gained control of an administrator’s account, enabling them to fraudulently redirect users to a money transfer service falsely endorsed by forum admins. This resulted in an undetermined financial loss, though Crdclub’s administrators promised reimbursement to affected users and claimed no other data was compromised. In March, both Exploit and Maza forums were hacked. Attackers gained SSH access to Exploit’s DDoS protection proxy server and attempted network traffic dumping, while Maza’s users were redirected to a breach notification page upon login, accompanied by a leaked PDF containing partially obfuscated password hashes, emails, usernames, and contact details like ICQ and Skype identifiers. Flashpoint analysts confirmed the authenticity of Maza’s leaked data, noting extensive but hashed/obfuscated records. Forum users began discussing abandoning email-based registrations to reduce exposure, with some disputing the completeness of leaked datasets. No coordinated recovery efforts were reported across the forums, with responses limited to individual administrator actions like Crdclub’s reimbursement pledge.
