What a takedown-era Russian cybercrime forum reveals about the ransomware supply chain (analysis)

After the 2025 law-enforcement action against XSS.[is] (the forum descended from DaMaGeLaB), our Ransomnews research team did a data-led breakdown of how that marketplace actually worked. Sharing the methodology and findings since they're useful for forum/OSINT work. No stolen data, credentials, usernames or IPs here - aggregates only.

Highlights:

  • Membership skews heavily Russian-speaking: ~62% of message text is Cyrillic; the dominant webmail providers are mail.[ru] and Yandex, not Gmail.
  • Posting activity follows a salaried workday curve: quiet overnight, peaks 09:00–13:00 UTC (Moscow midday), weekdays over weekends. A timezone fingerprint that's hard to fake.
  • The busiest trading categories line up exactly with ransomware feedstock: infostealer logs, crypting/FUD, network access, exploits, web shells, RDP.
  • Where this fits in the kill chain: Resource Development + Initial Access. Disrupting it is a left-of-boom move, and there's roughly a 19-day median between an access listing and the victim appearing on a leak site (per Intel 471).

https://preview.redd.it/3ef1tnpfrdah1.png?width=1225&format=png&auto=webp&s=e0689d6b2cea6bfa9602a105264ac092c55ea34e

submitted by /u/lexcor
[link] [comments]
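The two aggregate signals the post relies on (Cyrillic share of message text and a UTC hour-of-day activity curve split by weekday/weekend) can be reproduced over any export of forum posts. The code below is an added illustration, not the Ransomnews team's tooling; the post sample is constructed, and the corpus is assumed to arrive as (ISO-8601 timestamp, message text) pairs.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample corpus (timestamp, text); not real forum data.
SAMPLE_POSTS = [
    ("2025-07-14T09:12:00+00:00", "Продам логи стилера, свежие"),          # Monday
    ("2025-07-14T10:40:00+00:00", "Крипт FUD, тест на актуальных AV"),
    ("2025-07-15T11:05:00+00:00", "Доступ в сеть, RDP"),
    ("2025-07-15T12:30:00+00:00", "Ищу партнёров"),
    ("2025-07-16T09:50:00+00:00", "Web shell, проверено"),
    ("2025-07-16T14:20:00+00:00", "Selling exploit, dm for details"),
    ("2025-07-17T03:10:00+00:00", "up"),
    ("2025-07-19T12:00:00+00:00", "weekend bump"),                         # Saturday
]

CYRILLIC_RE = re.compile(r"[\u0400-\u04FF]")   # Cyrillic block, incl. ё
LATIN_RE = re.compile(r"[A-Za-z]")

def cyrillic_share(posts):
    """Fraction of alphabetic characters that are Cyrillic, over the whole corpus."""
    cyr = sum(len(CYRILLIC_RE.findall(t)) for _, t in posts)
    lat = sum(len(LATIN_RE.findall(t)) for _, t in posts)
    return cyr / (cyr + lat) if cyr + lat else 0.0

def activity_profile(posts):
    """Hour-of-day (UTC) and weekday/weekend post counts from ISO-8601 timestamps."""
    hours, days = Counter(), Counter()
    for ts, _ in posts:
        dt = datetime.fromisoformat(ts).astimezone(timezone.utc)
        hours[dt.hour] += 1
        days["weekend" if dt.weekday() >= 5 else "weekday"] += 1
    return hours, days

def peak_window(hours, width=4):
    """Start hour and post count of the densest contiguous window (wraps past midnight)."""
    best_start, best_total = 0, -1
    for start in range(24):
        total = sum(hours[(start + i) % 24] for i in range(width))
        if total > best_total:
            best_start, best_total = start, total
    return best_start, best_total

def report(posts):
    hours, days = activity_profile(posts)
    start, count = peak_window(hours)
    return {"cyrillic_share": round(cyrillic_share(posts), 3),
            "peak_utc_window": f"{start:02d}:00-{(start + 4) % 24:02d}:00",
            "peak_posts": count,
            "weekday": days["weekday"], "weekend": days["weekend"]}

if __name__ == "__main__":
    print(report(SAMPLE_POSTS))
```

On a real export the timestamps should be normalised to UTC before profiling, otherwise the forum's display timezone leaks into the curve and the fingerprint is meaningless.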


from hacking: security in practice https://ift.tt/oChkYbz