In the latest in a string of “hits” on Russian dark web forums, the prominent crime site Maza appears to have been breached by a hacker earlier this week.
This is kind of big news since Maza (previously called “Mazafaka”) has long been a destination for all manner of criminal activity, including malware distribution, money laundering, carding (i.e., the selling of stolen credit card information), and lots of other bad behaviour. The forum is considered “elite” and hard to join, and in the past, it has been a cesspool for some of the world’s most prolific cybercriminals.
Whoever hacked Maza netted thousands of data points about the site’s users, including usernames, email addresses, and hashed passwords, a new report from intelligence firm Flashpoint shows. Two warning messages were then scrawled across the forum’s home page: “Your data has been leaked” and “This forum has been hacked.”
KrebsOnSecurity reports that the intruder subsequently dumped the stolen data on the dark web, spurring fears among criminals that their identities might be exposed (oh, the irony). The validity of the data has been verified by threat intelligence firm Intel 471.
This hack comes shortly after similar attacks on two other Russian cybercrime forums, Verified and Exploit, that occurred earlier this year. It’s been noted that the successive targeting of such high-level forums is somewhat unusual. Criminal hackers have been known to hack each other, but is that what is happening here?
The short answer is: It’s currently impossible to know. Some users of the site Exploit have alternatively hypothesised that the takedowns were not the result of some rival hacker gang but, instead, a law enforcement action. Krebs records one dark web user as having theorised:
“Only intelligence services or people who know where the servers are located can pull off things like that…Three forums in one month is just weird. I don’t think those were regular hackers. Someone is purposefully ruining forums.”
Flashpoint’s report similarly shows discussion of the attacks having potentially been the result of government intervention. If the attacks are a policing tactic, it is a fairly new one:
Exploit actors also note an increase in attacks over the past months (attempted DDoS of Exploit, Verified compromise, and now Maza), and think the attackers could potentially be forum insiders or law enforcement. Finally, Exploit users note that if the attackers were law enforcement, that this is a new tactic to shut down cybercriminal activity and degrade trust across forums.
Whoever is responsible, it’s not clear that they’ve dealt a death blow to Maza or other affected sites. Maza has been breached before (it was previously compromised back in 2011), and such breaches are not necessarily indicative of “permanent shutdowns,” said Flashpoint researchers.