
Authorities shut down xDedic marketplace for selling hacked servers

The domain for xDedic has been seized as well.

In a joint operation, the Federal Bureau of Investigation (FBI) and authorities from several European countries have successfully taken down xDedic, a notorious dark web marketplace known for selling stolen digital goods such as login credentials, identity cards, and hacked servers.

The operation was carried out on January 24th after law enforcement authorities searched several houses in nine locations in Ukraine as part of two criminal investigations into the xDedic Marketplace. As a result, three suspects were questioned, while authorities in Germany confiscated IT infrastructure related to the marketplace.

xDedic was home to tens of thousands of hacked servers belonging to businesses and private users. Hackers would compromise servers through RDP (Remote Desktop Protocol) without the owners’ knowledge and then sell them on xDedic for anywhere from as little as $6 to $10,000 each.

The investigators believe that xDedic “facilitated more than $68 million in fraud” while its administrators used Bitcoin as a mode of payment to hide their tracks. Although the site offered compromised servers from around the world, the list of victims in the United States includes government institutions, hospitals, call centers, accounting and law firms, metropolitan transit authorities, pension funds, universities, and even the emergency service 911.

Currently, those visiting xDedic’s website can see a deface page left by the FBI explaining that the domain has been seized.

This domain has been seized. This domain for xDedic has been seized by the Federal Bureau of Investigation pursuant to a seizure warrant issued by the United States District Court for the Middle District of Florida under the authority of 18 U.S.C. § 981 (b) as part of coordinated law enforcement action.

Here is a full preview of the page:

[Image: screenshot of the seizure notice on the xDedic domain]

In 2016, Kaspersky Lab published a report on xDedic revealing that the site was being operated by Russian-speaking individuals. “The one-time cost gives the malicious buyer access to all the data on the server and the possibility to use this access to launch further attacks. It is a hacker’s dream, simplifying access to victims, making it cheaper and faster, and opening up new possibilities for both cybercriminals and advanced threat actors,” the report said.

[Image: Servers purchase form]

“As soon as the Belgian and American criminal investigators discovered that they had shared common targets and goals, they worked together closely. In the course of 2018, Eurojust held two two-day coordination meetings, with Belgium, the USA, Ukraine, and Europol, to plan the actions, provide support for the issuing and execution of the European Investigation Orders, and deal with any judicial obstacles,” Eurojust said in a press release.

It is noteworthy that at the time of publishing this article, another marketplace called Blackpass was also selling compromised servers. According to McAfee’s Advanced Threat Research Team, which initially reported on Blackpass’s activity, selling RDP access (including one belonging to a high-profile airport) has become a “huge business” opportunity for cybercriminals.
