Cyber Incident Victim: Maza

Date: Feb 2021

Location: Russia

Summary

A notorious cybercrime forum known for its stringent membership process was compromised, resulting in the exposure of approximately 2,982 user records containing credentials, contact details, and certificate passwords used for secure authentication. The breach revealed communication channels like ICQ accounts, potentially aiding law enforcement investigations. Concurrently, multiple other Russian-speaking cybercrime platforms, including Verified, Dread, and Club2Crd, faced disruptive attacks involving account takeovers and scams, undermining trust within these communities. These incidents collectively demonstrated vulnerabilities within illicit online ecosystems, highlighting that even threat actors employing advanced security measures are susceptible to infiltration and operational disruption by malicious parties.

Description

The Maza cybercrime forum, also known as Mazafuka, experienced a significant security breach around February 2021, resulting in the exposure of sensitive member data. On February 16, 2021, a newly registered Twitter user contacted BleepingComputer to report the hack, sharing a screenshot as evidence of the leak. The compromised data included approximately 2,982 user records containing identifiers such as user IDs, usernames, email addresses, and redacted passwords. Additionally, the leak exposed certificate file names and their corresponding passwords—critical components of Maza’s unique authentication system, which required members to generate client certificates alongside traditional credentials for login. While the certificates themselves were not disclosed, the exposure of certificate passwords represented a partial compromise of this layered security measure. Contact details for members’ ICQ, AIM, Yahoo, MSN, and Skype accounts were also included in the breach, though not all records contained this information. The ICQ data was particularly notable due to its historical use by threat actors for covert communication, potentially providing law enforcement with actionable intelligence. Maza’s status as an elite, long-standing forum with a membership voting system made this breach especially impactful within underground circles, undermining trust in its security protocols.

This incident occurred amid a broader wave of attacks targeting Russian-speaking cybercrime platforms during February 2021. On February 15, the Verified forum was forcibly taken over by unknown operators exploiting a vulnerability to seize control of the site. Simultaneously, Club2Crd—a mid-tier carding forum—faced an account takeover of staff member "mak," whose compromised credentials were used to post fraudulent services and steal funds from users. The Dread dark web forum also implemented enhanced protective measures following disruptive attacks during the same period. These coordinated incidents highlighted systemic vulnerabilities across multiple criminal communities, with Maza’s breach exemplifying the erosion of operational security even among technically sophisticated groups. The exposure of certificate passwords and contact details not only facilitated potential law enforcement investigations but also demonstrated that threat actors themselves were increasingly vulnerable to infiltration and data theft, creating cascading distrust within these ecosystems.
