Monopoly

Monopoly operates as a hacking crew that focuses on the acquisition and redistribution of personal data for illicit purposes. Its primary activity involves collecting user credentials, personal identifiers, and related information that can be leveraged for fraudulent schemes. The harvested data is subsequently packaged and offered to other criminal actors who require it for creating botnets or launching spam campaigns. By positioning itself as a supplier within the underground data market, Monopoly serves a niche that connects data thieves with end‑users seeking to monetize stolen information. This specialization places the group at a specific point in the cybercrime supply chain where raw data is transformed into tools for larger‑scale abuse.

The group’s visibility in illicit circles was highlighted in September 2015 when a rival hacking crew, w0rm, breached its systems and exfiltrated its internal database. The stolen database was then advertised for sale on an underground forum, with price points listed in United States dollars, euros, and Bitcoin. This public offering demonstrated that Monopoly maintained a repository of data substantial enough to be considered a marketable commodity by other actors. The transaction underscored the group's role as a data holder rather than merely a transient collector, indicating a level of operational persistence. Although the exact volume or composition of the data set was not disclosed, the incident confirmed that Monopoly’s assets were accessible to external attackers within the criminal ecosystem.

Monopoly’s distinguishing attribute lies in its narrow focus on trafficking user data specifically for fraud, botnet construction, and spam distribution, distinguishing it from crews that prioritize zero‑day exploits or financial theft directly. This focus implies the group has developed competencies in data aggregation, validation, and formatting to meet the specifications of downstream consumers. Unlike actors that seek to monetize data through direct fraud, Monopoly appears to operate as a wholesaler, relying on volume and reliability of its datasets to generate revenue. The lack of any publicly noted rivalry prior to the w0rm incident suggests that the group’s conflicts are typically opportunistic rather than ideologically driven. Consequently, Monopoly’s positioning within the cybercrime landscape is that of a specialized supplier whose value derives from the quality and accessibility of the personal information it controls.