Cybercriminals launched “Leaksmas” event in the Dark Web exposing massive volumes of leaked PII and compromised data

Cyber Threat Landscape

27 Dec 2023

Dark Web, Data Breach, Data Leak, Privacy, Personal Data, PII, 2024

Cybercriminals launched “Leaksmas” event in the Dark Web exposing massive volumes of leaked PII and compromised data

Even as the New Year approached and the world celebrated the festive Christmas season, the cybercriminal community did not pause their activities. Instead, they marked the holiday season in their unique way. On Christmas Eve, Resecurity observed multiple actors on the Dark Web releasing substantial data dumps. These were the result of data breaches and network intrusions to a variety of companies and government agencies. Numerous leaks disseminated in the underground cyber world were tagged with 'Free Leaksmas,' indicating that these significant leaks were shared freely among various cybercriminals as a form of mutual gratitude.

Ironically, this display of generosity among cybercriminals is far from a cause for celebration for victims globally. It will inevitably result in them facing a host of adverse effects, such as account takeovers (ATO), business email compromises (BEC), identity theft, and financial fraud. Significantly, the data breaches weren't confined to the United States; they extended globally, impacting individuals in a wide range of countries including France, Peru, Vietnam, Italy, Russia, Mexico, the Philippines, Switzerland, Australia, India, South Africa, and even mixed international sources. This widespread geographical distribution highlights the extensive global reach and severe impact of these cybercriminal activities.

A significant event during the 'Leaksmas' in the Dark Web involved the release of a large dataset from Movistar, a leading telecommunications provider in Peru. This dataset contained over 22 million records, including customers' phone numbers and DNI (Documento Nacional de Identidad) numbers. The DNI, being the sole identity card recognized by the Peruvian Government for all civil, commercial, administrative, and judicial activities, makes its exposure on the Dark Web a serious threat, potentially leading to widespread identity theft and fraud. This incident underscores the critical need for robust Digital Identity Protection programs, particularly in Latin America, where there is an escalating trend of cyber-attacks resulting in major data breaches and significant damages.

On Christmas, a government agency in Chile experienced a security breach.

In another incident targeting the Asia-Pacific region, cybercriminals released a substantial leak involving one of the major credit services in the Philippines. The perpetrators disclosed over 15.77 GB of data in this breach.

The "Leaksmas" event continued with another significant breach, this time involving a French company. Approximately 1.5 million records from this company were shared freely on the Dark Web.

Cybercriminals also "gifted" a leak involving 1.4 million records, associated with a project that was later acquired by Klarna, a Swedish fintech company. Interestingly, rumors of a potential data breach had been circulating since 2022, and several users had received notifications regarding it. However, the complete data dump had not been freely available on the Dark Web until this event.

Returning to the Asia-Pacific region, another significant leak that was freely shared on the Dark Web involved a Vietnam-based fashion store. This breach exposed over 2.5 million victim records. Such a database is a valuable asset for spammers and illegal affiliate marketing specialists, offering them the potential to generate substantial profits during the winter holiday season.

An additional noteworthy leak involved a hacked online military gear shop based in Italy. While the database contained only 2,000 records, the nature of the audience – individuals interested in military gear – makes it particularly attractive to foreign cyber actors, especially those with a focus on defense-related information.

The perpetrators also targeted India, a country known for its vast economy and rapid pace of digitization.

On Christmas, there was a relatively new leak involving a sushi restaurant network from Russia, comprising over 164,052 records. This dataset was notable for not having been previously seen on the Dark Web, making it potentially of particular interest to certain actors.

There was a significant leak involving over 2 million records of banking customers from Mexico. It's highly probable that these records were obtained directly from a breached financial institution, a lending provider, or a telemarketing operator that specializes in generating leads for the financial industry. Interestingly, this particular dataset had been previously offered for sale but became freely available during this event. Our assessment suggests that this data might have originated from an older breach, possibly dating back to 2021-2022. Despite its age, the information remains relevant in 2024, as it's unlikely that all the affected individuals would have updated their personal information since the breach.

Another significant incident involved a massive data leak from ESSEMTEC.

In addition to these individual leaks, the perpetrators also released larger compilations of data, consisting of multiple separate data breaches. Some of these were extensive packages, known as combo-lists, containing millions of records that included emails and passwords.

"All I want for Christmas is the destruction of the government."

The most prominent figures in the data leaking activity on the Dark Web during the Christmas period were undoubtedly the actors from SiegedSec. They gained particular notoriety for previously releasing exfiltrated data from the Idaho National Labs.

The group SiegedSec has made public claims about successfully hacking into unspecified government resources. Before this, they had celebrated a successful attack on Shufersal, Israel's largest supermarket chain, which they referred to as a “Christmas Gift” in support of Palestine. They also targeted BEZEQ! and Cellcom, one of Israel's leading telecommunications companies. It's worth noting that there have been claims from some groups about ending their associations with SiegedSec due to their stance, but the authenticity of these claims has not been fully verified.

In their Christmas message, SiegedSec mentioned the exfiltration of citizen data, suggesting that we can anticipate more unexpected actions from them in the upcoming year.

Christmas Gifts from Notorious “Five Families”

Just before Christmas Eve, an alliance of several hacktivist groups, collectively known as the “Five Families,” executed a data leak involving a Chinese clothing store, affecting over 1 million records. Additionally, the group publicly acknowledged their ambitious intentions for the upcoming year 2024, indicating plans to release more leaks. They also conveyed their regards to their audience in this announcement.

The "Five Families" group also carried out leaks involving an Indian resource and a South-African medico-legal association.

Allies of GhostSec, affiliated with Stormous (a ransomware group), contributed to the campaign by releasing a substantial leak from an online computer shop in Uzbekistan. This breach impacted over 500,000 records.

Resecurity had previously reported on the "Five Families" in the context of the activities of the "Ransomed.VC" ransomware group. A week before Christmas, this group established their own marketplace for trading data leaks, featuring various compromised data from diverse regions including the U.S., Canada, Russia, China, Iran, UAE, India, Brazil, and the European Union. The new operators of the group promoted this marketplace through Telegram to attract new sellers and buyers.

Anticipating the Christmas season, the group disseminated several data leaks from the Asia-Pacific region, particularly focusing on Thailand, a country renowned as a favorite international tourist destination for winter holidays.

Cybercriminals dealing in stolen payment data also viewed the Christmas season as an opportune time to attract new buyers by offering discounts. Some underground shops provided substantial markdowns, with discounts reaching up to 40% on compromised online banking and e-commerce accounts.

Underground vendors offering 'look-up services', commonly utilized by fraudsters for activities like loan application fraud, identity theft, and online banking theft, also participated in offering significant discounts. These services become particularly relevant during the holiday season, a time when fraudsters actively exploit vulnerabilities in anti-fraud systems and target e-commerce and marketplace platforms.

During the Christmas season, some underground credit card (CC) shops were offering substantial discounts, with some going as high as 50% off. This was a special promotional effort for the festive period. Additionally, cybercriminals were in a hurry to sell credit cards that had the most imminent expiration dates. Their goal was to offload these cards as quickly as possible before the new year began, to avoid losing potential profits from cards becoming invalid.

Significance

Just a few days before Christmas, over 50 million records containing information about consumers from around the world have been leaked on the Dark Web. The actual damage resulting from this activity could potentially amount to millions of dollars. Mitigating this damage is particularly challenging due to the intricate interconnection between personal data and digital identity. For the average consumer, changing this information in practice is a complex and often difficult process.
The approach of winter holidays has a notable impact on the underground economy, serving as a catalyst for cybercriminals to intensify their activities and release their most lucrative offerings on the Dark Web. During this period, there is an expected increase in financial fraud and activities driven by financial motives, as these actors take advantage of the festive season to escalate their illicit operations.
The scope and geographical reach of cybercriminal activity are boundless, transcending all borders. While North America has traditionally been a primary target, there is a growing interest in other regions, particularly Latin America (LATAM) and Asia-Pacific (APAC). These areas are experiencing a rapid evolution in the digital economy, marked by the emergence of new fintech products and marketplaces. This growth, however, is also attracting malicious actors who aim to exploit these developments to defraud consumers.
Digital identity continues to be a primary focus for cybercriminals. These malicious actors are actively seeking out sensitive personal identifiable information (PII), exploiting vulnerabilities in insecure web applications, software applications, and network services. Their goal is to access and misuse this critical personal data, highlighting the ongoing threat to digital identity security.