A Russian cybercrime forum on the dark web has been taken down by hackers, who have also stolen data on the website’s users.
The attack on the ‘Maza’ (originally ‘Mazafaka’) forum was discovered by cyber threat intelligence company Flashpoint.
Unknown attackers were able to take over the website and post a warning message to forum members claiming: “Your data has been leaked” and “This forum has been hacked.”
Started in 2003, the forum is used by a community of sophisticated and experienced criminals and fraudsters.
Analysts at Flashpoint were able to obtain what purports to be the leaked data, which contains usernames, email addresses and other contact details. The company noted that the passwords and some of the other data fields have been hashed or further hidden.
According to another cyber intelligence firm, Intel 471, the leaked data is most likely authentic.
“Initial analysis of the leaked data pointed to its probable authenticity, as at least a portion of the leaked user records correlated with our own data holdings,” Intel 471 said.
The Maza takeover comes after a series of recent attempted and successful attacks on other Russian cybercrime forums.
Back in January, another Russian hacker forum, Verified, which was a popular space for highly skilled Eastern European hackers and associates to discuss criminal ventures, was hit by a cyberattack.
An actor claimed that they had taken information on all Verified’s registered users, including private messages, hashed passwords, posts, and threads. In addition, they had transferred $150,000 worth of cryptocurrency from Verified’s wallet to their own.
Verified was brought back a month later, with its leadership having been ‘usurped’ by new administrators.
They claimed that the site’s previous admins had locked them out of Verified’s former domains and that they had seized control due to poor security offering inadequate user protection.
The forum reappeared with new web domains and admins, though many cybercriminal users were suspicious of the new operators’ intentions and credibility.
According to Intel 471, a fourth forum was hit in February. Crdclub announced that an attack had compromised the administrator’s account. This saw the actor trick forum customers into transferring them money. In addition, another forum, Exploit, was hit by an attempted DDoS attack which may have compromised a proxy server used by the forum.
It is currently unknown if the attacks are linked, or if it is law enforcement or other cyber criminals perpetrating the attacks. According to users of the Exploit forum, the attacks would be a new tactic by law enforcement to shut down cybercriminal activity.
According to Intel 471, the public nature of the attacks means that law enforcement is unlikely to be behind them.
The attacks have been making cybercriminals wary of how they share data and coordinate online.
For Maza, this is not the first time it was breached – a similar hack struck the website in 2011, compromising data. However, the website was not taken down and continued operating.
As such, the long-term consequences of the latest attack may well be limited.