Dark Web Forum Arrests, Columbus Ransomware Attack Updates, and American Background Info Data Leak

Keeping up with the world of cybercrime is important but can often feel overwhelming for security practitioners.

Leaky Weekly is a podcast hosted by security researcher Nick Ascoli as he dives into the most pressing stories on data leaks, cybercrime, and the dark web in the last week or so.

On this episode of Leaky Weekly, Nick covers:

• Recent dark forum arrests for LockBit and Bohemia 
• Updates on the City of Columbus attack costs
• Potential data leaks from another American public record and background research company, MC2

Tune in for current events on the podcast below or keep reading this article for the highlights.

Dark Web Forum Arrests 

Global law enforcement agencies continue to pursue cybercriminals, tracing them across the dark web. 

LockBit 

Europol announced four new arrests connected to LockBit while the UK sanctioned 15 Russian citizens allegedly related to Evil Corp. A look at the history shows how intertwined LockBit and Evil Corp are:

• 2014: Evil Corp forms then releases the Dridex banking malware that was also used as a rentable botnet and for deploying BitPaymer ransomware
• 2019: Key Evil Corp members leave and move on to other malware projects
• 2019: LockBit is developed and released
• 2021-2023: LockBit becomes the most popular and prolific ransomware, pioneering the Ransomware-as-a-Service (RaaS) business model
• 2022: Evil Corp member using the handle Beverly becomes a LockBit affiliate
• 2024: Operation Cronos completed takedown of LockBit infrastructure, removing 34 servers from operation. 

The additional Operation Cronos arrests include a suspected LockBit developer, and the National Crime Agency’s report “Evil Corp: Behind the Screens” provides further details about these connections. 

The UK’s sanctions make any payments to these parties illegal under the country’s Anti-Money Laundering Act, making ransomware payments illegal. 

Bohemia Market

Dutch police arrested and seized assets related to the Bohemia market and its sister market Cannabia. While primarily a drug market, it supported additional dark web market products, like fake identification, forged checks, and malware. 

The Dutch police claim that this market processed approximately 82,000 transactions every month, noting that during its business month, September 2023, it processed about 12 million Euros.

The asset seizure is the newest update. The Bohemia market’s old onion link is live again, displaying a law enforcement banner that contains a link to another onion site that lists individuals by their darknet market usernames. While the web page says these individuals have been arrested, a reviewed sample for the usernames failed to show news stories, law enforcement press releases, or articles referencing them.

Law enforcement banner on Bohemia market lists arrested threat actors and their usernames

City of Columbus Security Incident Update

The last episode of Leaky Weekly discussed the security incident linked to the Rhysida ransomware group. The city then sued the independent security researcher for sharing information about the leaked dataset with the media. 

Since then, the city requests additional $3 million in funding to manage the investigation, including up to:

• $2,401,052 for forensics and monitoring to understand the attack and determine the data posted to the dark web
• $1,644,348 for the initial estimated costs of Experian credit and dark web monitoring, but these costs could change based on actual enrollments
• $1,952,100 for legal fees related to incident response
• $1,000,000 for continued systems, endpoint, and cyber threat monitoring
• $300,000 for legal fees related to litigation
• $2,500 for expenses like hard drives and tools

Despite these estimated set aside emergency funds currently totalling $7 million, the Director of the Department of Technology noted that they still need to restore 22% of access systems, likely increasing the total costs further. 

These updates provide some additional insight:

• Costs: Expanding the budget from the initial $2.4 million to $7 million indicates that the complete costs may not be fully determined yet.
• Public relations: Suing the security researcher impacted the city’s reputation with the security community and the impacted individuals, especially since anyone with a TOR browser could easily access the exposed data. 

MC2 Data Leak

MC2 Data, a company used for running public records and background searches, had a publicly accessible database lacking any authentication, exposing user information for the over 2 million people purchasing background checks. According to Cybernews, database access was secured prior to publishing the article. The database contained information like:

• IP address
• User agent
• Encrypted password
• Partial payment information

Similar to the National Public Data (NPD) leak earlier this year, MC2 Data is a parent company that owns several background check subsidiaries, including:

• privaterecords.net 
• privatereports
• peoplesearcher
• PeopleSearchUSA

Currently, this appears to be a security research team identifying and reporting an exposure then publishing an article after giving the company notice. While no cybercriminal organizations are reporting this data for sale or compromised, it was exposed from at least August 7 to September 25, 2024. Organizations should remember that cybercriminals sometimes exchange data within their groups, leaving the affected company, journalists, and general public unaware of the data leak. 

Despite the data being public record, these leaks remain impactful. When compiled and stored in easily parsable JSON format, cybercriminals can easily use the information in a variety of ways, including:

• Automated cybercrime campaigns
• Bot dialing operations
• Phishing scam

These are all developing stories that we covered very briefly, so check out cybersecurity news outlets to stay up-to-date. We couldn’t cover everything in the last few weeks or so, and we’ll look into new stories and developments in two weeks.

Brought to you by Flare, Threat Exposure Management solution that empowers organizations to proactively detect, prioritize, and mitigate types of exposures commonly exploited by threat actors. Sign up for our free trial here.