Analysis of the emerging Darth Maul eCrime Market
Active since at least August 2021, a new English-speaking threat actor calling themselves "1977" has developed and advertised a new eCrime market on multiple underground forums called Darth Maul Shop. This blog aims to highlight some of the key aspects of a new emerging eCrime market, analyze its reception by other threat actors, and discuss the underground cybercrime communities making money buying and selling credentials without launching any intrusions themselves.
If you want to learn more about Initial Access Brokers (IABs), SentinelOne recently shared a good up-to-date overview of this type of threat actor and how they interface with various ransomware groups and the types of services they offer. These IABs can be just as dangerous as the ransomware groups themselves, as they are capable of infiltrating a target network and achieving the privileges of "Domain Admin (DA) access with reach to over 10,000 hosts."
The eCrime market has also shifted recently with the arrival of a new and improved Genesis market, which has been active since 2017 and is one of the largest of the underground economy alongside RussianMarket, 2EasyShop, and xLeet. Sophos researchers recently covered how Genesis sells stolen credentials, cookies, and digital fingerprints that are gathered from compromised systems, providing not just the data itself but well-maintained tools to facilitate its use.
Darth Maul (aka 1977.SH) eCrime Market
The interesting thing about Darth Maul shop is that there are very few mentions of it across the usual OSINT sources, despite it existing for around one year. A cursory search across some of the eCrime forums, paired with a little Google dorking, revealed over a dozen accounts belonging to the admin of Darth Maul market.
Rivals on other Underground Forums
The basis of this blog actually began when a 106.42MB file called "darth-maul_shop_logs.txt" was uploaded to VirusTotal on 13 May 2022, containing what appears to be (unconfirmed) all of the scraped logs stored on the site.
Further research into the TXT file uncovered that the Darth Maul market got off to a bit of a rocky start. Back in February 2022, when the market was trying to attract new users, some members of the infamous Breached[.]co forum leaked the entire collection of logs from the site for anyone to download from anonymous file-sharing cloud services, such as Mega[.]nz and Anonfiles[.]com. Looks like there really is no honor among thieves.
This is a hugely embarrassing event for the Darth Maul market admin "1977", who will now be seen by other cybercriminals as an incompetent threat actor who cannot secure the data of their market's users. The market is seemingly struggling to grow as a result.