Cyber Incident Victim: Crdclub

Date: Feb 2021

Location: Russia

Summary

A cybercrime forum experienced a breach where attackers compromised the administrator's account, enabling them to redirect users to a fraudulent money transfer service and divert an unspecified sum. The forum's administrators pledged to reimburse affected customers, with no additional data reported as compromised. This incident was part of a broader campaign targeting multiple underground platforms, where attackers stole and leaked user databases—including credentials, private messages, and cryptocurrency—and in some cases sold the data or transferred digital assets. The breaches involved SSH access to infrastructure and attempts to intercept network traffic, prompting discussions among users about operational security. Experts assessed the incidents as unlikely to be law enforcement actions due to their nature.

Description

Between January and March 2021, a series of breaches impacted four prominent Russian-language cybercrime forums, beginning with Verified in January, followed by Crdclub in February, and concluding with Exploit and Maza in March. The attacks exhibited varying methodologies and outcomes across the forums. Threat intelligence firm Intel 471 confirmed the pattern of intrusions, noting the incidents did not bear characteristics typical of law enforcement operations. In January, attackers compromised Verified, exfiltrating user databases containing registration details, private messages, posts, and threads. This data was subsequently advertised for sale on Raid Forums at a price of $100,000. Additionally, $150,000 in cryptocurrency was transferred from Verified’s wallet to an attacker-controlled account.

The Crdclub breach occurred in February 2021 when attackers gained unauthorized access to the forum administrator’s account. This access enabled threat actors to impersonate administrators and fraudulently endorse a money transfer service to forum users. The deception led to an unspecified financial loss as users diverted funds to the fraudulent service under false pretenses. Crdclub administrators publicly acknowledged the breach, pledged to reimburse affected users, and stated no additional data compromise occurred beyond the financial fraud. Concurrently, March attacks targeted Exploit and Maza forums. Exploit’s breach involved unauthorized SSH access to a proxy server used for DDoS protection, alongside attempted network traffic dumping. Maza’s compromise resulted in user redirection to a breach notification page upon login, accompanied by a leaked PDF containing partially obfuscated user credentials, email addresses, and communication platform identifiers. Flashpoint analysts validated the Maza dataset, noting extensive but partially obscured records, including hashed passwords. Forum users subsequently discussed operational security changes, such as avoiding email-based registrations, reflecting heightened concerns over exposure risks.
