Cyber Incident Victim: Basetools

Date: Oct 2017

Location: United States of America

Summary

A hacker breached the Basetools underground forum and demanded a $50,000 ransom in exchange for not handing the stolen data to law enforcement. The compromised forum, which hosted over 150,000 users and 20,000 illicit listings for trading payment card data and hacking services, had its admin credentials, server access details (including RDP, SSH, shells, backdoors, and spambots), and multiple data breach dumps exposed. The attacker claimed the breach was retaliation against forum administrators for manipulating seller rankings and earnings statistics, specifically alleging favoritism toward a reseller named "RedHat." The incident forced the forum offline, with significant consequences for its user base because of the exposure of sensitive operational and user data.

CIA Posture: Available to members
Motives: 2 motives
Tactics, Techniques & Procedures: 2 techniques
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

On or around October 24, 2017, the underground hacking forum Basetools.ws was compromised by an individual using the Twitter handle @0xScripts, who identified themselves as "mat." The attacker gained unauthorized access to the forum's administrative systems, exfiltrating sensitive data including user records, administrator credentials, and operational details. Basetools.ws served as a marketplace for illicit goods and services, hosting over 150,000 registered users and listings for more than 20,000 hacking tools, stolen payment card data, compromised account credentials, and other cybercrime-related assets. The attacker publicly disclosed samples of the stolen data to substantiate the breach, including an image of the Basetools admin panel and login details for the site administrator, complete with IP address information. This evidence was shared with cybersecurity news outlet Security Affairs to verify the intrusion's authenticity.

Following the breach, @0xScripts issued a ransom demand of $50,000 to the forum operators, threatening to release the entire stolen dataset to U.S. law enforcement agencies if payment was not made. The compromised data included credentials for Remote Desktop Protocol (RDP) servers, shells, backdoors, spambots operating on compromised websites, SSH server access, and dumps from multiple prior data breaches. The attacker claimed dual motivations: financial gain and retaliation against Basetools administrators for allegedly manipulating marketplace statistics to favor a specific vendor named "RedHat," which consistently occupied top placement in reseller rankings despite purported irregularities. By October 28, 2017, the Basetools.ws forum was offline, though it remained unclear whether this was a defensive measure by administrators or a result of attacker interference. The breach posed significant operational and legal risks to the forum's user base, as exposure of the stolen data could facilitate law enforcement identification of participants in illicit activities. No public confirmation of ransom payment or subsequent data release was documented in the immediate aftermath.

Sources: 1 source (available to members)