Cyber Incident Victim: Nulled
Date: May 2020
Location: United States of America
Summary
Multiple cybercrime forums, including Nulled, experienced unauthorized database breaches resulting in public exposure of user information. The compromised platforms, frequented by hackers to exchange illicit resources such as malware and stolen data, had their sensitive content indexed by a breach lookup service, enabling potential misuse by malicious actors.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 4 motives | 2 techniques |

| Threat Actors | Type | Location |
|---|---|---|
| 2 actors | Available to members | Available to members |
Description
In May 2020, the cybercrime forums Nulled.ch, Sinful Site, and SUXX.TO experienced security breaches resulting in the theft and public leakage of their user databases. Cyble, a threat intelligence firm, identified and obtained these databases during the same month, confirming their exposure through its research team. The forums served as centralized platforms for hackers and cybercriminals to exchange illicit resources, including stolen data, malware, hacking tools, and instructional materials. The compromised databases contained user registration details, though specific data fields were not disclosed in available reporting. Cyble publicly announced the discovery on May 24, 2020, noting that the leaks occurred earlier that month but did not specify the exact breach dates or intrusion methods. No forum administrators or threat actors claimed responsibility for the breaches at the time of disclosure. The incident marked a significant exposure of underground community members' identities and activities.

Cyble indexed the stolen databases in its AmIBreached data breach notification service, enabling individuals to verify whether their credentials appeared in the leaked records. This action constituted the primary documented response to mitigate credential reuse risks stemming from the breach. The exposure potentially endangered forum participants by revealing pseudonymous identities and contact information, increasing their susceptibility to law enforcement scrutiny or rival threat actor targeting. No forum remediation efforts, user notifications, or restoration activities were reported in available sources. The leaks occurred amid broader targeting of cybercrime platforms, as evidenced by the simultaneous compromise of three distinct communities. Cyble's disclosure did not address whether the breaches originated from external attackers, insider threats, or security deficiencies within the forum infrastructures. The incident demonstrated operational security vulnerabilities within closed cybercriminal ecosystems typically assumed to have robust protective measures.
