UpGuard discovered an unauthenticated Elasticsearch database containing 22 million records of user traffic for hacking forum leakzone.net.
On Friday, July 18 UpGuard discovered an unauthenticated Elasticsearch database containing about 22 million objects. Each of the objects was a record of a web request containing the domain to which the request was sent, the user’s IP address, and metadata like their location and internet provider. In this case, 95% of the requests were sent to leakzone.net, a “leaking and cracking forum” in the tradition of Raid Forums. This sizeable data set can thus give us an inside view of visitor activity to a very active website used for the distribution of hacking tools, exploits, and compromised accounts.
About Leakzone
Leakzone is part of a long line of forum sites that trade in illicit cyber materials like lists of usernames and passwords, pornography collections, and hacking tools. While law enforcement has shut down many other clearweb leak sites in that time period– the original Raid Forums was seized in 2022, and the founder of its replacement, Breach Forums, was arrested in 2023–Leakzone has survived. Archive.org shows the site beginning to take off in the second half of 2020 and continuing on to the present.
Attribution
On initial inspection of the exposed data, we saw that “leakzone.net” was mentioned very frequently in the “domain” field of the database schema. After downloading the available data, we were able to confirm that 95% of records named leakzone.net, making this data almost entirely about traffic to that site. The second most common domain, mentioned in 2.7% of records, was accountbot.io, a site for selling compromised accounts. In all, there are 281 unique values, though the other sites have only a fraction of the traffic and include mainstream sports and news sites– unaffiliated sites that may have been mentioned in the logs as part of redirects from Leakzone.
...
Significance
The IP addresses, and what they tell us about visitors to Leakzone and its ilk, are the most interesting part of the collection. GDPR even classifies client IP addresses as PII because of their utility for identifying a person across web properties.
Public Proxies
The data set contained 185k unique IP addresses– more than Leakzone’s entire user base of 109k, which certainly wouldn’t have all been using the site during this time period. (If they had 100% of their users active during a three week period they would be the most successful website of all time). The most likely explanation for the number of unique IPs is that some users were routing traffic through servers with dynamic IP addresses to hide their real IP addresses.
Cybersecurity researchers are analyzing about 200,000 messages from inside the high-profile Black Basta ransomware operation that were leaked recently.
Discover how Recorded Future uses infostealer logs to identify CSAM consumers and trends. Learn key findings and mitigation strategies.
I stumbled upon an intriguing concept presented by Will Thomas (BushidoToken) in his blog post titled “Unmasking Ransomware Using Stylometric Analysis: Shadow, 8BASE, Rancoz.” This concept revolves around utilizing stylometry to identify potential modifications in new ransomware variants based on existing popular strains. If you’re interested, you can read the blog post here. (Notably, Will Thomas also appeared on Dark Net Diaries, discussing his tracking of the Revil ransomware.)
A Ukrainian cybersecurity researcher has released a huge batch of data that came from the internal systems of the Conti ransomware gang. The researcher released the
Un trentenaire estime que le journal des connexions à la plateforme des supports de cours de son école a été utilisé contre lui abusivement.
