Cyber Incident Victim: eToro
Date: Jul 2020
Location: United States of America
Summary
A threat actor known as "Sheriff" advertised approximately 62,000 compromised accounts from a social trading platform, including login credentials, phone numbers, addresses, and balance information, with the auction starting at $1,500. The actor, linked to REvil ransomware operations, specialized in financial-sector breaches, relied on brute-force attacks and credential-stealing malware, and exploited vulnerabilities in Citrix servers. Additional cybercriminals were observed selling similar account data across multiple forums, targeting financial institutions, government agencies, and corporate networks. The compromised accounts enabled unauthorized fund withdrawals or fraudulent trading activity, while the broader network intrusions facilitated ransomware attacks and data theft across sectors such as energy, education, and cloud computing.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 3 actors | Available to members | Available to members |
Description
On July 6, 2020, a threat actor using the alias "Sheriff" advertised an auction for 62,000 active eToro accounts on a cybercrime forum. The listing included login credentials, phone numbers, postal addresses, and account balance information, with bidding starting at $1,500 and rising in $500 increments. Sheriff asserted that all credentials were functional, enabling buyers to withdraw funds or place trades that served their own interests. The security researcher Bank Security identified additional actors selling compromised eToro accounts across multiple forums, each providing proof of access. These sellers also offered accounts for numerous financial platforms, including Advcash, Binance, Neteller, PayPal, and Skrill. Attempts by Bank Security to alert eToro, Neteller, Skrill, and Binance via their Twitter support channels received no response.

Analysis by the cybersecurity firm Advance Intelligence revealed that Sheriff operated beyond account sales as a significant network intrusion specialist collaborating with the REvil ransomware group. Sheriff specialized in brute-force attacks and credential-stealing malware targeting financial institutions, government agencies, and corporations. Documented breaches included a major investment fund, a U.S. cybersecurity firm, universities in Australia, Canada, and the U.S., and companies in construction, transportation, and cloud services. Sheriff exploited vulnerabilities in Citrix servers reachable through open Remote Desktop Protocol connections, consistent with REvil's preferred intrusion methods. The actor maintained direct communication with REvil's "UNKN" persona and was identified as part of REvil's recruitment of top-tier hackers for corporate network access. Additional collaborators included "Energydrinkkk," who sold access to energy-sector networks and expressed intent to enable ransomware attacks. These activities illustrate an underground ecosystem in which threat actors monetized compromised credentials and network access through auctions, direct sales to ransomware operators, and coordinated extortion operations.
