How Dark Web Data Helps to Discover the Hackers Behind Hacking Forums

Posted on November 23, 2020 by Avishag Yulevich


Recently, through our monitoring of dark web data, Webhose was able to confirm that several hacking forums on the dark web have themselves been hacked, confirming what those of us in the cyber world already suspect: criminals can never be taken at their word.

This is surprising because on the dark web it often seems as though criminals have an unspoken code of honor. Like many mainstream sites on the open web, many dark web marketplaces have strict rules about behavior. Silk Road's admin Ross Ulbricht didn't allow activity related to child pornography, stolen goods, or fake degrees. Hansa Market banned the sale of fentanyl before it was shut down in June 2017.

So you might assume that a hacking forum on the dark web would be safe from being hacked by other hackers.

Well, as it turns out, you can’t assume anything with dark web criminals. 

What it Means to Hack a Hacking Forum 

First, let's take a moment to make sure we understand what constitutes a hacking forum:

A hacking forum is an online discussion board where cybercriminals communicate with one another to gain information related to all types of illicit activity, including hacking techniques, hacking and cracking tools, tutorials, data leaks, and more. Since these tools and discussions are centered around illegal activities, it's critical for these forums to protect user anonymity.

When a hacking forum is hacked, it means its user database was leaked and personal details such as IP addresses and email addresses were exposed to the public. Law enforcement can use these details to unveil the users' true identities.

Here is a quick overview of three different hacking forums that were recently hacked: 

1. The BHF Russian Hacking Forum 

  • Name of Hacking Forum: BHF
  • Size of the forum: Over 198K members with over 6M posts (as of October 2020)
  • Types of content shared on the forum: Sharing and trading related to various cyber crimes, such as hacking tools, software, leaked accounts, tutorials, DDoS attacks, etc.
  • Estimated date of breach: Early September 

The popular BHF Russian hacking forum was shut down on the 9th of September. Although BHF had shut down many times before, this time seemed different. At the time it was shut down, Webhose monitored many conversations on the dark web that attempted to explain what happened. Most of the posts referring to the BHF shutdown claimed that the forum had been hacked and the user database leaked. It is important to note, though, that our analyst could not find solid evidence of this online.

However, the Webhose cyber endpoint was able to detect a new Telegram group named “Слив BHF” that claimed that the forum was hacked.

Post from the Telegram group “Слив BHF” that claims that the forum was hacked in the cyber endpoint

This same Telegram group also promised to release details and data about the BHF forum after it gained 2.5K followers. Here at Webhose, we have also seen evidence of posts in a hacker forum claiming that BHF has been hacked three times already, specifically mentioning BHF’s correspondence with XenForo Support (a commercial internet forum software package that BHF uses).

A post in Ukrainian, from the cyber endpoint, explaining that BHF was hacked
The continuation of the above thread in a hacker forum, explaining that BHF was hacked 3 separate times and mentioning the third-party software package XenForo and its support channel

A couple of days later, on September 11th, the forum launched an official channel denying the leak and offered an explanation of what had happened: the forum had been shut down due to a technical problem that turned ordinary users into admins. Some of these users abused the site and made changes to it. The admin shut down the server to stop users from making further changes. At the same time, he tried to back up the site and lost three days of content while doing so. (It took him three days because he did not bring in the system admins for help.)

BHF’s official TG channel denying the breach

The site returned online on September 12th. 

As of now, the information found on the dark web about the site's shutdown is contradictory, and the case remains shrouded in mystery.

2. The OGusers Hacking Forum

  • Name of Hacking Forum: OGusers
  • Size of the forum: Over 27K members with over 1M posts (as of October 2020)
  • Types of content shared on the forum: A market for buying and selling "OG" (original gangster) usernames, meaning usernames that are considered desirable. This includes hijacked social media accounts, SIM swappers, stolen phone numbers, and Bitcoin accounts.
  • Estimated dates of breaches: May 2019 and April 2020

Unlike the BHF hack, cybersecurity experts have confirmed that the OGusers hacking forum has been hacked multiple times. 

In May 2019, the forum suffered its first data breach. The breach exposed a database backup from December 2018, which was published on a rival hacking forum. The database included 161K unique email addresses, drawn from the 113K forum user accounts as well as other tables in the database. The exposed data also included usernames, IP addresses, private messages, and passwords stored as salted MD5 hashes.

Post announcing May 12th 2019 leak of OGUsers in a hacking forum in the cyber endpoint

The second data breach occurred on April 2nd, when a rival forum dumped the OGUsers database of about 200,000 user records onto the dark web. Ace, the forum's administrator, wrote that it appeared someone had breached the server through a malicious web shell hidden in an avatar uploaded via the forum software, which gave the attacker access to the database from April 2nd.

Post announcing April 2nd leak of OGUsers in a hacking forum in the cyber endpoint

3. The WeLeakData Hacking Forum

  • Name of Hacking Forum: WeLeakData
  • Size of the forum: Not Available 
  • Types of content shared on the forum: A forum and marketplace for discussing, trading, and selling leaked databases and combolists. The forum also hosted activities such as credit card fraud, hacking tools, software, and tutorials. The forum used Shoppy, an e-commerce platform, to manage its membership system and keep the site running smoothly.
  • Estimated dates of breaches: January and May

Similar to the OGusers hacking forum, WeLeakData was also reported to have been breached multiple times. 

The first breach occurred in January, when the website temporarily went offline. Many members of the forum then claimed that the website had been taken down by the FBI. A couple of months after the surprise shutdown, one member of the forum made a seemingly exaggerated statement, claiming that the forum had been taken down by a coordinated cyberattack so massive that it led to the eventual closure of the forum in April. This statement was later corroborated by researchers at Cyble, who were informed by an anonymous member of the forum that a massive cyberattack had indeed taken down the website, resulting in its eventual closure in April.

Rumors began circulating that the operator may have been arrested and that the forum database had been stolen or sold to another member.

The second breach occurred at the beginning of May, when a dump of the WeLeakData.com database dated January 9th was found being sold on dark web marketplaces. The dump contained members' login names, email addresses, hashed passwords, and the IP addresses they registered and posted from, in addition to the content of private messages.

Post seeking the WeLeakDatabase in a hacking forum from the cyber endpoint
Post announcing sale of WeLeakData database from May in the cyber endpoint

Cyble also stated that the same database was used to launch a new site called Leaksmarket.com, whose forum contains the same posts, private messages, and users that were in the dump.

There are unconfirmed reports in the dark web market that the WeLeakData.com owner has been arrested as part of Europol’s recent crackdowns. 

Mitigating Data Breaches with Dark Web Monitoring 

The trading of databases is, unfortunately, a regular occurrence on the darknets. The recent hacks from these prominent hacking forums demonstrate how easy it is for anyone to have their private data hacked and exposed. After all, if cyber criminals find it difficult to keep their data safe, then everyone should beware. 

Webhose’s data breach detection service is a one-stop-shop for discovering personally identifiable information (PII) that has been breached. We continuously update our repository with over 5 million records daily from both the data breach detection repository and cyber data. That’s how we deliver organizations the freshest data, most recent leaks and full context of the leaks to help keep data safe.

Context is particularly crucial for these types of breaches. When information from the data breach detection service is combined with the Webhose Cyber API, we can better understand the context of a breach and more effectively analyze its risk. By connecting data points from different parts of the dark web, we can even identify the actor or source responsible for a leak and deanonymize the actors or groups behind it.
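As an added illustration (not Webhose's code, nor anything from the forums discussed), here is a small defender-side script that works on a constructed dump with the same fields the OGusers and WeLeakData leaks exposed (username, email, IP, salted MD5 hash): it finds which accounts from a monitored email domain appear in the leak, flags weak hash storage so those users can be forced to reset, and shows the kind of data-point linking described above by listing IPs shared by several usernames. The hash-shape rule and the sample rows are assumptions.

```python
import csv
import io

# Constructed sample dump (not a real leak) with the fields these breaches exposed:
# username, email, registration IP, salted MD5 stored as "salt$hexdigest".
# Rows 2 and 4 are one account appearing in two tables, as in the OGusers dump.
SAMPLE_DUMP = """username,email,ip,password_hash
ace_1,ace@example.org,203.0.113.7,ab12$9e107d9d372bb6826bd81d3542a419d6
og_seller,Seller@Corp.Example,198.51.100.5,ff01$e4d909c290d0fb1ca068ffaddf22cbd0
lurker,lurker@mail.example,203.0.113.7,c3d4$d41d8cd98f00b204e9800998ecf8427e
og_seller,seller@corp.example,198.51.100.5,ff01$e4d909c290d0fb1ca068ffaddf22cbd0
"""

def classify_hash(stored: str) -> str:
    """Label a stored hash by shape; assumption: 'salt$<32 hex>' means salted MD5."""
    salt, _, digest = stored.partition("$")
    is_hex = all(c in "0123456789abcdef" for c in digest.lower())
    return "salted_md5" if salt and len(digest) == 32 and is_hex else "unknown"

def parse_dump(text: str) -> list:
    """Parse CSV rows, lower-casing emails so one account in several tables collapses."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["email"] = row["email"].strip().lower()
        rows.append(row)
    return rows

def exposure_report(rows, monitored_domains) -> dict:
    """Accounts whose email domain we monitor: usernames, IPs and hash strength."""
    monitored = {d.lower() for d in monitored_domains}
    report = {}
    for row in rows:
        if row["email"].rpartition("@")[2] not in monitored:
            continue
        entry = report.setdefault(row["email"], {"usernames": set(), "ips": set(), "weak_hash": False})
        entry["usernames"].add(row["username"])
        entry["ips"].add(row["ip"])
        # Salted MD5 is fast to brute-force offline, so these users need a forced reset.
        entry["weak_hash"] |= classify_hash(row["password_hash"]) == "salted_md5"
    return report

def linked_by_ip(rows) -> dict:
    """IPs shared by more than one username: a starting point for connecting handles."""
    by_ip = {}
    for row in rows:
        by_ip.setdefault(row["ip"], set()).add(row["username"])
    return {ip: names for ip, names in by_ip.items() if len(names) > 1}
```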

Cybercriminals on the dark web should beware. 

Want to learn more about the comprehensive sources we cover from the deep and dark web? Contact one of our data experts to learn more today!