In an odd twist of fate, last week, The Hacker News reported that an elite hacker and cybercrime forum called Maza was hacked by another cyber terrorist group. Even in the world of cybercrime, there appear to be no boundaries. This is the fourth hacker forum to be breached since January 1.
On March 3, an unknown party or hacking conglomerate breached the Maza website, stealing members’ names, usernames, email addresses, and hashed passwords. Some of the member data was leaked on the site with a message that read “Your data has been leaked” and “This forum has been hacked.”
The entire data pool included 3,000 members, and the page included a link to a PDF file with a more substantial sample to download.
Who is Maza?
According to The Hacker News, Maza, formerly known as Mazafaka, is an “elite, invite-only Russian-language cybercrime forum known to be operational as early as 2003, acting as an exclusive online space for exploit actors to trade ransomware-as-a-service tools and conduct other forms of illicit cyber operations.”
Maza now joins the ranks of Verified, Crdclub, and Exploit, which were hacked and breached earlier this year. Hacked in January, Verified not only lost its entire database to hackers, but the culprits also transferred $150,000 of cryptocurrency out of its Bitcoin account. However, the site has rebounded and was back in business as of February 18.
The Crdclub breach was less intrusive, and other than admin credentials, it appears no other data was stolen or leaked. Threat researchers theorize the theft was for defrauding customers. As quoted by The Hacker News, “By doing so, the actor behind the attack was able to lure forum customers into using a money transfer service that was allegedly vouched for by the forum’s admins,” Intel 471 said. “That was a lie and resulted in an unknown amount of money being diverted from the forum.”
Prior to the Maza violation, the Exploit cybercrime forum experienced a distributed denial-of-service (DDoS) attack.
Who is Responsible?
The hacker groups themselves believe that the attacks are coming from a government intelligence agency aiming to put them out of business or, at the very least, disrupt their operations. However, with their real-life identities on display, some of these hackers are concerned.
Threat researchers at Flashpoint noted that the Russian sentences on the Maza forum’s notification page were possibly translated using an online translator, but added that it’s unclear if this implies the involvement of a non-Russian speaking actor or if it was deliberately used to mislead attribution.
What Does it All Mean?
Threat assessors like Intel 471, who first reported the data breach, don’t know who is behind the attacks or what their endgame is. “While Intel 471 isn’t aware of anyone claiming responsibility for the breaches, whoever is behind the actions has indirectly given researchers an advantage,” the company concluded. “Any information unearthed from the breaches aids in the fight against these criminals due to the added visibility it gives security teams who are tracking actors that populate these forums.”
Much like other crime syndicates, cybercriminals tend not to attack one another; they usually work together to share malware, ransomware, and other defrauding tools and resources. Cybercrime, however, is a big business with a lot of profit at stake. If the individual groups have decided to weed out the competition through disruption and exposure, it could only mean good things for the victims. If the attacks are coming from government agencies aimed at reducing the number of viable threats and exposing these people so they can be apprehended and punished, great! The fewer players in the game, the better.