One of the oldest and most elite cybercrime forums, Maza, appears to have been hacked by an unknown fellow hacker or hackers. The breach follows a series of attacks targeting mostly Russian-speaking cybercrime forums. This time the loot is considerable. It includes Maza users’ usernames, hashed passwords, email addresses, and other contact details.
Elite Hacker Forum
Maza, previously known as Mazafaka, is one of the oldest and most elite cybercrime forums. It’s been the go-to destination for all sorts of cybercriminals since at least 2003. Malware distribution, money laundering, selling stolen credit card information… it all happens here.
The group is called “elite” because it is quite hard to get into. The language of communication is Russian, prospective members have to pay “insurance”, and at least three existing members have to vouch for a new member to join. Furthermore, the forum is not accessible and even invisible without a special encryption certificate supplied by forum administrators.
Some of the forum’s administrators are quite notorious. Aleksei Burkov, for example, who is thought to serve as an administrator for Maza and at least one other hacker forum, was extradited from Israel to the US in late 2019. He pleaded guilty to charges related to his operation of two fraudulent websites, one of them called “Cardplanet”, and was sentenced to nine years in prison in May 2020.
Breach on Maza
Flashpoint researchers detected the breach on Maza on 3 March. They also obtained leaked data, including user IDs, usernames, email addresses, passwords, and more. In total, roughly 3,000 rows of Maza user records were exposed. The attackers then posted a warning message on the website saying “Your data has been leaked / This forum has been hacked.”
“While the compromised data appears to be extensive, it’s worth noting that the passwords have been hashed and most other data fields included in the dump have been hashed or further obfuscated”, said Flashpoint in a post on their website.
Notably, some of the leaked credentials include ICQ (I seek you) numbers linked to accounts. Security researchers can use this information to triangulate accounts and nicknames across different forums and trace them back to a single user. This could then reveal the hackers’ real-life identity. It goes without saying that this is a scary scenario for most Maza users.
Who Is the Culprit?
Little is known about the hackers who successfully compromised Maza. Insiders believe that government authorities were behind the attack and posted a “friendly warning” to deter cybercriminals and avert illegal activities. The fact that the stolen data was dumped on the dark web, however, seems to indicate otherwise.
Maza was previously hacked in 2011. The alleged culprit back then was a rival hacking group, DirectConnection. A couple of weeks later, someone hacked DirectConnection in return. So, although it’s not common, it’s certainly not unusual for cybercriminals to hack each other.
This time, however, it seems something else is going on. The breach on Maza follows a series of attacks on mostly Russian-speaking hacker forums. It’s at least the 4th such incident in a month. The hack illustrates how no one is safe from cyberattacks, including the cybercriminals themselves.
On 20 January, the well-established Russian forum, Verified, was taken over without warning. The site was then redirected to a different server, that was completely under the control of hackers. Moreover, the hackers stole $150,000 worth of cryptocurrency from Verified’s wallet. To play “safe”, Verified administrators reset everyone else’s codes and forcibly reset users’ passwords.
A week later, on 27 January, an extensive international operation led by Dutch police, severely disrupted the Emotet botnet. Law enforcement mapped Emotet’s entire infrastructure and took control of the network from the inside. Next, they posted a warning on hacker forums urging users to “think again” when looking for another botnet. “Everyone makes mistakes. We are waiting for yours”, the message said.
Earlier this week, another hacker forum, called Exploit, also experienced some issues. One of the administrators announced that a proxy server the forum used to protect themselves against denial-of-service (DDoS) attacks had been accessed on 27 February. Some hackers now think that someone is “purposefully ruining forums” to degrade trust across forums and deter wannabee cybercriminals.