Threat Actors launch search domains on the Surface Web, Darkweb, and Telegram
The life cycle of a compromised database does not end with the initial leak. The data is often redistributed across multiple cybercrime forums, collected by Threat Actors, aggregated, and shared again. Cyble Research and Intelligence Labs (CRIL) has observed Threat Actors (TAs) offering paid and free search engines over these data collections.
On multiple occasions, we found threat actors aggregating databases into their own data trove, which is later used to build searchable interfaces for their leaks and is also offered as a paid service to forum members. Subscriptions or donations for these sites are mostly paid in cryptocurrency.
Furthermore, the TAs also offer lookup services for different data types referenced from the collection. The common data lookups include Social Security Numbers (SSN), credit card numbers, and identity card numbers of citizens from different countries.
Illicit Search Engines as a Service
This database compilation has led many actors to offer search engines as a service for looking up, verifying, and validating information of interest. Such services are not limited to the surface web and darkweb; they are also offered on Telegram.
The Threat Actor behind the alleged leak of 22.5 million JPN (Jabatan Pendaftaran Negara) records, ‘actifedot’, has created an “OSINT search engine” over their previous leaks, including Malaysian citizens’ PII, their automobiles, businesses, etc. This search engine holds over 100 million records collated from various leaks, predominantly belonging to Malaysian users.
Thus, Threat Actors with advanced skills in exploiting systems and exfiltrating data are not driven by financial motivation alone: through such search engines they also try to create alarm among internet users and quietly encourage them to question their governments about data privacy.
As the website’s name suggests, this search engine currently holds 7.2 billion records, including a person’s name, license plate number, VIN (Vehicle Identification Number), username, phone number, and address.
This search engine has a unique feature where the user can leverage the search results to check if the data fields overlap with other compromised databases and can correlate their leaked information with other associated datasets (Figure 2). The website collects donations through Bitcoin.
Many search bots exist for Telegram, allowing users to find information on individuals. One such search bot is PeopleFinderDB_bot, created by two threat actors to host publicly available databases from BreachForums. There are approximately 960 million records, and the tool is also integrated with Doxbin to perform a lookup for any pastes related to the target. It is a paid Telegram bot that provides the following search services:
- Gathers information about the subject of interest
- ‘Recovers lost credentials’
- Can be used as a doxing tool
This website (which was not operational at the time of conducting this analysis) featured a search interface providing lookups for leaked information. A typical user had to purchase credits through several crypto options, which would be consumed for subsequent searches made on the website. This compromised data hosting domain primarily consisted of data sets from Indonesia.
- Leaked database search engine for Instagram users
This Tor-based site for searching emails and usernames of Instagram users contains compromised data on over 462 million accounts. The actors behind this search engine have added a ‘username search’ function over a further 12 million leaked records that points to the user’s associated leaked credentials from other reported data leaks.
- Facebook account lookup
The site is hosted on a Tor network and contains 435 million Facebook user records, excluding Iranian and Moroccan users.
We also observed a threat actor by the moniker ‘thekilob’ (currently banned on the forum), who offered to sell an entire database search engine project hosted on the Tor network. Dubbed as DeepSearch, the website claims to maintain an archive of over 2 billion records from 56 data breaches.
This darkweb site, as mentioned in the excerpt below, utilizes the following infrastructure for compromised data search:
- Frontend was created using a prebuilt website template
- PHP for backend
- MySQL for user registration system
- Elasticsearch to index and query the databases
- The project works on Red Hat Enterprise Linux
- Server access to a large database
In a separate thread, an actor provided paid access to the server with leaked databases and stealer logs.
Underground Discussions for Database Aggregation
During our research, we observed multiple actors engaging in a discussion to systemize public and private data leaks. On a popular English-speaking forum, BreachForums, we observed the administrator, pompompurin, sharing a list of files sourced from various database searching services. The admin’s motive here is to aggregate historical databases from past leaks and data breaches and quantify his collection on the forum.
We also identified a TA, donjuji, on the forum, who dumped an archive of over 2,000 databases leaked between 2019 and 2023. The TA is also known for retrieving databases from RaidForums and distributing them on other forums. This is another example of a TA maintaining a directory of databases to distribute to other members.
The discussion also extended to Russian cybercrime forums, where TAs posed similar questions.
We also found a post where TA DexterM1 compiled a list of 118 databases indexed by HaveIBeenPwned, the popular data breach index for checking compromised credentials, that had not yet been posted on the forum. Collectively, these covered public, semi-public, and private data leaks and data breaches.
In another case, we identified a Twitter user called EVIL RABBIT, archiving databases from 1990 to the present. The user claims to be a vigilante and has access to over 100 billion leaked credentials from over 11k databases. Based on the posts shared, it is likely that the actor is building a database of historical records to perform search queries on.
These services offered by Threat Actors pose a significant privacy risk to individuals, carrying the risks typically associated with data breaches: identity theft and various forms of financial fraud such as tax fraud, credit fraud, and false benefit claims.
They can also be used against companies, by targeting specific domains, keywords, and persons. In brief, the services include:
- Lookup services for finding the targeted keywords in the collection of databases, e.g., a company domain, can be used for Business Email Compromise or a specific person of interest.
- Data-specific lookup services like Social Security Numbers (SSN), Identity card numbers of different countries, and Tax Identification Numbers (TIN).
- Threat actors also host marketplaces/shops to sell bulk compromised accounts from Gmail, Facebook, LinkedIn, Twitter, Instagram, and Telegram.
- Cybercriminals in the carding niche can validate credit card numbers through paid CC lookups and BIN lookup services.
- Threat Actors also seek services that perform a mass search over a large list of email addresses to extract all associated passwords, which are then likely used in credential stuffing, password spraying, or brute-force attacks.
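The two lookups in the list above, a whole-domain search and a mass search over a list of email addresses, are also what a defender runs against a dump once it has been obtained, in order to decide which accounts to force-reset. The script below is an added example (not code from Cyble or from any of the services described on this page) that parses combolist-style lines in the delimiter layouts commonly seen in forum dumps and stealer logs, indexes them by domain and by email, and answers both lookups plus the cross-dump overlap check described for the 7.2-billion-record site. The dump lines, source names and email addresses are constructed; the heuristic that a 32/40/64-character hex string is an unsalted hash rather than a plaintext password is an assumption of the example.

```python
"""Defender-side triage of leaked credential dumps (added example, constructed data)."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample dumps in the layouts that circulate on forums:
# email:password, email;password, "email","password", and the
# url:email:password layout produced by stealer logs. No real data.
DUMP_A = """\
alice@example.com:Winter2023!
bob@example.com;Passw0rd
"carol@example.org","hunter2"
https://portal.example.com/login:dave@example.com:Spring2024
eve@example.com:5f4dcc3b5aa765d61d8327deb882cf99
MALFORMED LINE WITH NO DELIMITER
"""
DUMP_B = """\
alice@example.com:Summer2024!
frank@other.test:letmein
"""

LINE_RE = re.compile(
    r'^(?:(?P<url>https?://\S+?)[:|])?'        # optional stealer-log URL prefix
    r'"?(?P<email>[^"\s:;,|]+@[^"\s:;,|]+)"?'  # the e-mail, possibly quoted
    r'\s*[:;,|]\s*'                            # delimiter
    r'"?(?P<secret>.*?)"?$'                    # password or hash, possibly quoted
)
# Assumption: bare MD5 / SHA-1 / SHA-256 digests are hashes, anything else is plaintext.
HEX_HASH_RE = re.compile(r'^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$')


@dataclass(frozen=True)
class Record:
    source: str
    email: str
    secret: str
    url: str | None

    @property
    def domain(self) -> str:
        return self.email.rsplit("@", 1)[1]

    @property
    def is_hashed(self) -> bool:
        return bool(HEX_HASH_RE.match(self.secret.lower()))


def parse_dump(text: str, source: str) -> list[Record]:
    """Parse one dump; lines that do not look like credentials are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(Record(source, m["email"].lower(), m["secret"], m["url"]))
    return records


class DumpIndex:
    def __init__(self) -> None:
        self.by_domain: dict[str, list[Record]] = defaultdict(list)
        self.by_email: dict[str, list[Record]] = defaultdict(list)

    def add(self, records: list[Record]) -> None:
        for r in records:
            self.by_domain[r.domain].append(r)
            self.by_email[r.email].append(r)

    def domain_lookup(self, domain: str) -> list[str]:
        """Every address under a domain that appears in any indexed dump."""
        return sorted({r.email for r in self.by_domain[domain.lower()]})

    def plaintext_exposed(self, domain: str) -> list[str]:
        """Addresses whose password is in the clear: reset these first."""
        return sorted({r.email for r in self.by_domain[domain.lower()] if not r.is_hashed})

    def mass_email_lookup(self, emails: list[str]) -> dict[str, list[str]]:
        """{email: dumps it appears in} for each address on the input list."""
        hits = {}
        for e in emails:
            recs = self.by_email.get(e.lower())
            if recs:
                hits[e.lower()] = sorted({r.source for r in recs})
        return hits

    def reused_across_sources(self) -> dict[str, dict]:
        """Addresses present in more than one dump, and whether the same secret recurs."""
        out = {}
        for email, recs in self.by_email.items():
            sources = {r.source for r in recs}
            if len(sources) > 1:
                out[email] = {"sources": sorted(sources),
                              "password_reused": len({r.secret for r in recs}) < len(recs)}
        return out


def build_index() -> DumpIndex:
    idx = DumpIndex()
    idx.add(parse_dump(DUMP_A, "dump_A"))
    idx.add(parse_dump(DUMP_B, "dump_B"))
    return idx


if __name__ == "__main__":
    idx = build_index()
    print("example.com accounts:", idx.domain_lookup("example.com"))
    print("reset first (plaintext):", idx.plaintext_exposed("example.com"))
    print("employee check:", idx.mass_email_lookup(["Alice@Example.com", "zed@example.com"]))
    print("seen in multiple dumps:", idx.reused_across_sources())
```

On a real dump the same index answers the attacker's questions, which is exactly why an unauthenticated domain lookup over such a corpus is a Business Email Compromise enabler; the defender's use is to feed `plaintext_exposed` straight into a forced-reset list and `reused_across_sources` into a watch list for credential stuffing.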