Notorious Russian hacker forums attacked by mysterious cyber actors
Data breaches have left forum members worried that their data may be used by law enforcement agencies to uncover their real identities

Three notorious Russian cybercrime forums have reportedly fallen victim to hacks by mysterious actors, spilling information about forum members.

Risk intelligence experts at Flashpoint say they detected a breach of the ‘elite’ Maza cybercrime forum, previously known as ‘Mazafaka’, on 3rd March 2021.

The hack exposed information of thousands of forum members, including their user id, username, email, password (hashed and obfuscated), certificate file names, certificate passwords and members contact information on Yahoo, MSN, Skype, ICQ and aim.

On Tuesday, an unknown actor dumped a file on the dark web containing the personal information of Maza members. The file was comprised of 3,000 rows and contained usernames, redacted passwords and other details, according to Flashpoint researchers, who said the leaked Maza database was legitimate and that Maza forum visitors were being redirected to a breach announcement page.

The Maza forum dates back to 2003, and its membership, which is invitation-only, comes with a fee.

The data breach at Maza comes after another major Russian-language forum ‘Verified’ suffered a compromise last month.

According to Flashpoint, Verified was abruptly revived after sitting dormant for some time by unknown admins. On 18th January, the new leadership of the forum started deanonymising former operators, raising doubts among its user base. Tens of thousands of private messages between Verified users, including deposit and withdrawal information about bitcoin, were reportedly stolen in this breach.

Another Russian hacker forum, ‘Exploit’, reportedly fell victim to a hack this week, with a forum member warning other users to be careful with registered emails across multiple forums.

The hack has left forum members worried that their data may be used by law enforcement agencies to discover their real identities.

“Only intelligence services or people who know where the servers are located can pull off things like that,” a member of Exploit forum commented, according to Krebs on Security. “Three forums in one month is just weird. I don’t think those were regular hackers. Someone is purposefully ruining forums.”

Last month, Dutch police reportedly posted “friendly” messages on two hacking forums, saying that “hosting criminal infrastructure in the Netherlands is a lost cause”.

The police messages were posted after ‘Operation Ladybird’, which saw law enforcement agencies across several countries join hands to disable Emotet, the world’s most dangerous malware botnet.

The agencies that took part in the coordinated action included the US Federal Bureau of Investigation, the Royal Canadian Mounted Police, the UK’s National Crime Agency, France’s National Police, Germany’s Federal Crime Police, the Lithuanian Criminal Police Bureau, Dutch National Police and the National Police of Ukraine.

As part of the investigation, a database containing email IDs, usernames and passwords stolen by Emotet was also uncovered by the Dutch National Police.