Turning Specialized Platform Data Breaches into Defensive Insights

Background: Since the beginning of the internet, a variety of communities have existed, ranging from hacking and malware development groups to those involved in insider information sales and illegal pharmacy platforms. Among these, some communities are dedicated to sharing and selling breached data, which can be used for both legitimate and illegitimate purposes. Recently, data from a prominent platform was released, including user details such as IP addresses, registration IPs, internal message logs, and payment information. This platform's purpose was to sell breached data, which organizations face on a daily basis.

Saga of that story: In April 2022, the platform's infrastructure was seized as a result of an international law enforcement operation. In March 2023, the founder of that platform was arrested. The key to identifying the platform’s owner was a seemingly simple piece of metadata, which appeared in other data leaks. In April 2023, a similar platform exposed[.]vc was created with the goal of continuing the activities of the previous one. Almost immediately, information from the previous platform's user database, which included approximately 100 pieces of metadata per registered user—such as IP addresses, email addresses, usernames, registration IPs, webpages, and other contact details—was put up for sale.

After the newly created platform disappeared, it was replaced by another platform with the domain REDACTEDNAME[.]VC (the root domain was redacted). However, this new domain was also eventually seized by law enforcement. The platform was then migrated to a new domain and infrastructure.

Recently, an unknown person publicly released the database from the old one platform (whose founder had been arrested). This database was made available in both SQL and JSON formats and contained full information about users, wallets, messages, posts, threads, and more.

As a defender, several useful pieces of information can be derived: Threat Intelligence: Email Addresses and IP Logs: Collecting registered user email addresses and IP logs can be valuable for threat intelligence. This information may help in the future to de-anonymize individuals involved in attacks against your organization’s protection layers. However, it’s important to remember that some individuals in the list may be ethical specialists or legitimate users.

Tracking Digital Footprints: Identifying Threat Actors: If your organization has previously been targeted by the platform, the leaked data can assist in tracking the digital footprint of threat actors. By analyzing this data, you can gain insights into their activities and connections, helping to better understand and mitigate threats.

Leak Analyze: The countries listed in this analysis represent the IP addresses from which users have registered. However, this does not necessarily indicate that the users are physically located in these countries. The results should be interpreted with caution, as several factors can influence the IP address data. For example, users may be accessing the site through VPNs or other proxy services that could mask their true location. Therefore, the IP address information reflects where the connection appears to originate rather than the actual geographic location of the users.

---

Afghanistan: 10

---

Albania: 230

---

Algeria: 783

---

Andorra: 17

---

Angola: 13

---

Anguilla: 1

---

Argentina: 791

---

Armenia: 57

---

Aruba: 6

---

Australia: 3960

---

Austria: 1042

---

Azerbaijan: 186

---

Bahamas: 18

---

Bahrain: 90

---

Barbados: 8

---

Belarus: 157

---

Belize: 6

---

Benin: 37

---

Bhutan: 4

---

Bolivia (Plurinational State of): 64

---

Bosnia and Herzegovina: 119

---

Botswana: 14

---

Brazil: 2991

---

Brunei Darussalam: 32

---

Bulgaria: 818

---

Burkina Faso: 2

---

Cambodia: 420

---

Cameroon: 37

---

Canada: 3529

---

Cape Verde: 3

---

Cayman Islands: 1

---

Chile: 367

---

China: 2883

---

Colombia: 328

---

Costa Rica: 85

---

Cote D'ivoire: 78

---

Croatia: 207

---

Cuba: 6

---

Curacao: 4

---

Cyprus: 80

---

Czechia: 571

---

Denmark: 561

---

Dominican Republic: 156

---

Ecuador: 129

---

Egypt: 1207

---

El Salvador: 32

---

Equatorial Guinea: 3

---

Eritrea: 3

---

Estonia: 259

---

Eswatini: 3

---

Ethiopia: 38

---

Falkland Islands [Malvinas]: 1

---

Faroe Islands: 1

---

Fiji: 4

---

Finland: 737

---

France: 4683

---

French Guiana: 2

---

French Polynesia: 4

---

Gabon: 1

---

Gambia: 1

---

Georgia: 274

---

Germany: 5653

---

Ghana: 165

---

Greece: 488

---

Greenland: 8

---

Guadeloupe: 4

---

Guam: 6

---

Guinea: 3

---

Guinea-Bissau: 1

---

Guyana: 3

---

Haiti: 7

---

Honduras: 27

---

Hungary: 480

---

Iceland: 72

---

India: 4255

---

Indonesia: 56712

---

Iran (Islamic Republic of): 224

---

Iraq: 774

---

Ireland: 470

---

Israel: 992

---

Italy: 2202

---

Jamaica: 22

---

Japan: 3445

---

Jordan: 235

---

Kazakhstan: 161

---

Kenya: 176

---

Kiribati: 3

---

Korea (the Republic of): 906

---

Kuwait: 91

---

Kyrgyzstan: 37

---

Lao People's Democratic Republic: 13

---

Latvia: 227

---

Lebanon: 113

---

Lesotho: 1

---

Liberia: 2

---

Libya: 260

---

Liechtenstein: 7

---

Lithuania: 631

---

Luxembourg: 255

---

Madagascar: 13

---

Malawi: 2

---

Malaysia: 1021

---

Maldives: 17

---

Mali: 5

---

Malta: 37

---

Marshall Islands: 2

---

Mauritania: 16

---

Mauritius: 46

---

Mexico: 2022

---

Micronesia (Federated States of): 3

---

Moldova (the Republic of): 178

---

Monaco: 5

---

Mongolia: 41

---

Montenegro: 26

---

Morocco: 1406

---

Mozambique: 12

---

Myanmar: 86

---

Namibia: 11

---

Nauru: 1

---

Nepal: 158

---

Netherlands (Kingdom of the): 5678

---

New Caledonia: 11

---

New Zealand: 408

---

Nicaragua: 21

---

Niger: 7

---

Nigeria: 544

---

North Macedonia: 100

---

Norfolk Island: 5

---

Norway: 629

---

Oman: 75

---

Pakistan: 4324

---

Palestine: 80

---

Panama: 54

---

Papua New Guinea: 28

---

Paraguay: 31

---

Peru: 661

---

Philippines: 1275

---

Poland: 1972

---

Portugal: 788

---

Puerto Rico: 35

---

Qatar: 96

---

Romania: 1310

---

Russian Federation: 1733

---

Rwanda: 5

---

Saint Kitts and Nevis: 9

---

Saint Lucia: 3

---

Saint Martin (French part): 2

---

Saint Pierre and Miquelon: 1

---

Saint Vincent and The Grenadines: 2

---

Samoa: 2

---

San Marino: 3

---

Sao Tome and Principe: 2

---

Saudi Arabia: 651

---

Senegal: 19

---

Serbia: 571

---

Seychelles: 14

---

Sierra Leone: 3

---

Singapore: 5798

---

Sint Maarten (Dutch part): 1

---

Slovakia: 225

---

Slovenia: 111

---

Solomon Islands: 2

---

Somalia: 14

---

South Africa: 429

---

Spain: 2368

---

Sri Lanka: 117

---

Sudan: 30

---

Suriname: 9

---

Sweden: 2445

---

Switzerland: 1065

---

Syria (Syrian Arab Republic): 38

---

Taiwan (Province of China): 2339

---

Tajikistan: 6

---

Tanzania: 29

---

Thailand: 729

---

Timor-Leste: 8

---

Turkey (Turkiye): 4545

---

Turkmenistan: 1

---

Uganda: 24

---

Ukraine: 740

---

United Arab Emirates: 612

---

United Kingdom of Great Britain and Northern Ireland: 6323

---

United States of America: 30006

---

Uruguay: 72

---

Uzbekistan: 49

---

Vanuatu: 1

---

Venezuela (Bolivarian Republic of): 147

---

Vietnam: 2053

---

Yemen: 46

---

Zambia: 4

---

Zimbabwe: 17

Conclusion: By analyzing such leaks, we can enhance our defensive strategies, particularly during the post-mortem phase of incident response. This data can provide valuable insights into attack vectors, help identify potential sources of threats, and inform our response strategies. In some cases, analyzing leaks can assist us in achieving our goals related to incident response, improving our overall security posture.