Cyber Incident Victim: Sheriff
Date: Jul 2020
Location: United States of America
Summary
A threat actor known as Sheriff advertised the sale of 62,000 compromised eToro trading platform accounts containing login credentials, personal information, and account balances, while simultaneously collaborating with the REvil ransomware group to facilitate corporate network intrusions. Specializing in financial sector attacks, Sheriff employed brute-force techniques and credential-stealing malware to breach organizations including investment funds, cybersecurity firms, universities, and transportation companies, predominantly exploiting vulnerabilities in Citrix remote desktop servers—a method aligned with REvil's operational patterns. The actor's activities demonstrated connections to high-profile cybercriminal ecosystems, with interactions between Sheriff and REvil's operatives indicating coordinated efforts to monetize network access through ransomware attacks and underground sales of stolen data.
Description
On July 6, 2020, a threat actor using the alias "Sheriff" advertised an auction for 62,000 active eToro social trading platform accounts on a Russian-language cybercrime forum. The listing included login credentials, phone numbers, postal addresses, and account balances, with bidding starting at $1,500 and increasing by $500 increments. Sheriff claimed all credentials were verified and functional, enabling buyers to withdraw funds or conduct fraudulent trades. Security researcher Bank Security identified parallel advertisements for compromised accounts across multiple platforms including Neteller, Skrill, Binance, PayPal, and cryptocurrency exchanges, though attempts to alert affected companies via Twitter support channels received no response. This mass credential sale demonstrated Sheriff's operational reach beyond initial appearances as a low-level actor.

Further investigation by Advanced Intelligence revealed Sheriff's significant role in corporate network intrusions through brute-force attacks and credential-stealing malware, specializing in financial institutions, government agencies, and critical infrastructure. Between May and June 2020, Sheriff advertised administrative access to a European construction firm, 3,200 cPanel accounts, and 815,000 e-commerce orders from an unspecified organization. The actor exploited vulnerable Citrix remote desktop connections to compromise targets including a major U.S. investment fund, a cybersecurity company, universities across Australia, Canada, and the U.S., and logistics and cloud computing providers. Forensic evidence showed direct collaboration with REvil ransomware operators through their "UNKN" persona, with Sheriff providing network access that aligned with REvil's Citrix-based intrusion patterns. This partnership placed Sheriff among REvil's recruited "top talent," alongside specialists like "Energydrinkkk" who sold energy sector access for ransomware deployment. The incidents exposed systemic vulnerabilities in financial platforms and corporate remote access systems, enabling both direct financial theft through account takeovers and downstream extortion via ransomware payloads.
