Cyber Incident Victim: Monopoly

Date: Sep 2015

Location: United States of America

Summary

The w0rm hacking group compromised rival cybercrime entity Monopoly, stealing its database and listing it for sale at $500, €450, or 2.15 Bitcoin on w0rm's underground forum. This breach targeted a group specializing in trafficking user data for fraud, botnets, and spam operations, with w0rm leveraging its history of infiltrating major media outlets to execute the attack. The incident occurred without prior conflict or public rivalry, underscoring opportunistic aggression within criminal networks. While the exact contents of the exfiltrated data remain unspecified, potential impacts include exposure of Monopoly's operational assets, client information, or exploit tools, escalating risks for entities linked to both groups' illicit activities.

Description

In September 2015, the w0rm hacking crew breached the systems of rival hacking group Monopoly and offered Monopoly’s database for sale on its own underground forum. w0rm, known for high-profile attacks against the BBC in 2013 and Vice, CNET, and the Washington Post in 2014, operated a forum specializing in selling compromised corporate databases and zero-day exploits. Monopoly maintained a competing forum focused on distributing user credentials for fraud operations, botnet deployments, and spam campaigns. w0rm listed Monopoly’s stolen data at a price of $500, €450, or 2.15 Bitcoin—a higher valuation than their 2014 sale of Vice and Washington Post data, which had been priced at 1 Bitcoin combined. The attackers provided no justification for targeting Monopoly and displayed no indications of prior conflict between the groups. Investigators found no evidence of historical rivalry or animosity through Dark Web monitoring or social media analysis, suggesting the breach was an opportunistic business move rather than retaliatory. w0rm’s public listing included no concessions or apologies to Monopoly, treating the rival group’s compromise as a standard commercial transaction.

The contents of the stolen Monopoly database remained unverified at the time of reporting, with potential scope ranging from forum user credentials to the group’s entire repository of exploit kits and botnet control systems. The breach exposed operational risks inherent in criminal enterprises, demonstrating that even threat actors face infiltration and data theft from competitors. Monopoly’s compromised assets could have enabled further fraud campaigns if acquired by additional malicious actors through w0rm’s marketplace. No containment measures or responses from Monopoly were documented in available sources, leaving the group’s operational status post-breach unclear. The incident highlighted the absence of informal rules prohibiting inter-group attacks within the cybercriminal ecosystem, with w0rm’s actions reinforcing the transactional nature of these relationships.
