FBI, Europol Detail xDedic Takedown
For years the site has served as a marketplace for attackers looking to buy hacked servers, computer credentials, and personal data belonging to U.S. citizens - until now.
For nearly five years the xDedic Marketplace has served as a one-stop shop for cybercriminals, hackers, and attackers looking to purchase hacked servers and personal data.
Authorities from the U.S., Ukraine, and Belgium, with help from Europol, shut the shop down last week, bringing the site's operation to an end, it was announced Monday.
As part of an international undertaking, the FBI and the DOJ, with the help of Belgium's Federal Computer Crime Unit and Federal Prosecutor's Office, the National Police and the Prosecutor General's Office of Ukraine, and Germany's federal police, the Bundeskriminalamt, seized xDedic's domains last Thursday.
In 2016, when researchers from Kaspersky Lab first published an investigation into xDedic, there were 70,624 unique servers from 173 countries for sale. That number jumped to around 85,000 servers in 2017.
The final xDedic lesson - network owners MUST understand their web facing properties, whether RDP services are enabled, and understand and maintain more complex but practical authentication schemes. Access to many (all?) of these victims' servers was cracked online
— Kurt Baumgartner (@k_sec) January 28, 2019
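The tweet above points at the practical failure mode behind many xDedic listings: an internet-facing RDP service whose credentials were guessed online. The script below is an added example, not code from the article, Kaspersky Lab, or the investigating agencies. It reads a constructed, simplified export of Windows logon events (event 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive, i.e. RDP) and raises an alert when one source address crosses a failure threshold inside a time window, and a second, higher-priority alert when a success from that same address follows the burst of failures, which is exactly the "cracked online" pattern. The pipe-delimited line format and the threshold/window values are assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not a real artifact). Simplified export format,
# an assumption for this example:  timestamp | EventID | LogonType | TargetUserName | IpAddress
SAMPLE_LOG = """\
2019-01-24T02:14:01|4625|10|administrator|203.0.113.7
2019-01-24T02:14:03|4625|10|admin|203.0.113.7
2019-01-24T02:14:05|4625|10|backup|203.0.113.7
2019-01-24T02:14:06|4625|10|sql|203.0.113.7
2019-01-24T02:14:08|4625|10|administrator|203.0.113.7
2019-01-24T02:14:09|4625|10|svc_rdp|203.0.113.7
2019-01-24T02:14:12|4624|10|svc_rdp|203.0.113.7
2019-01-24T03:00:00|4625|10|jsmith|198.51.100.4
2019-01-24T09:30:00|4624|10|jsmith|198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>[^|]+)\|(?P<event>\d+)\|(?P<ltype>\d+)\|(?P<user>[^|]+)\|(?P<ip>[^|]+)$"
)

LOGON_FAILED = 4625
LOGON_SUCCESS = 4624
REMOTE_INTERACTIVE = 10  # Windows logon type used by RDP sessions


def parse_events(lines):
    """Yield one dict per well-formed line; silently skip anything else."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield {
            "ts": datetime.fromisoformat(m["ts"]),
            "event": int(m["event"]),
            "ltype": int(m["ltype"]),
            "user": m["user"],
            "ip": m["ip"],
        }


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return alerts for RDP password guessing and for guesses that succeeded.

    Per source IP, keep the timestamps of failed RDP logons inside `window`.
    - When the count first reaches `threshold`, emit a 'bruteforce' alert.
    - When a successful RDP logon arrives while the count is at or above
      `threshold`, emit a 'cracked' alert (the account should be treated as
      compromised) and reset the counter for that IP.
    """
    failures = defaultdict(deque)  # ip -> deque of failure timestamps in window
    alerts = []
    for ev in parse_events(lines):
        if ev["ltype"] != REMOTE_INTERACTIVE:
            continue  # only RDP logons are of interest here
        q = failures[ev["ip"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()  # expire failures that fell out of the window
        if ev["event"] == LOGON_FAILED:
            q.append(ev["ts"])
            if len(q) == threshold:  # fire once, on the first crossing
                alerts.append({"kind": "bruteforce", "ip": ev["ip"],
                               "failures": len(q), "ts": ev["ts"]})
        elif ev["event"] == LOGON_SUCCESS:
            if len(q) >= threshold:
                alerts.append({"kind": "cracked", "ip": ev["ip"],
                               "user": ev["user"], "failures": len(q), "ts": ev["ts"]})
            q.clear()
    return alerts


if __name__ == "__main__":
    for a in detect_rdp_bruteforce(SAMPLE_LOG.splitlines()):
        print(a)
```

On the sample data the first address trips the brute-force alert on its fifth failure and then the "cracked" alert when `svc_rdp` logs in seconds later, while the single failure followed by a success hours later from the second address (a user mistyping a password) produces nothing. In a real deployment the same logic would sit on a SIEM or log forwarder rather than a flat file, and the "cracked" alert is the one that should page someone.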
Neither the DOJ nor Europol shed any insight into how many servers were for sale as of last week. The agencies did say, however, that the website appears to have been responsible for more than $68M in fraud against countless victims, including nearly all levels of government (local, state, federal), hospitals, transit authorities, law firms, and universities.
xDedic disappeared for a spell following Kaspersky Lab's report but resurfaced a month later in 2016 on a Tor network domain, accessible for a $50 entrance fee.
Flashpoint, in a 2017 report, found that two-thirds of the servers and PCs being sold on xDedic belonged to schools and universities. The report said at the time that servers in the U.S., Germany, and Ukraine were the most targeted, which explains why authorities from all three countries had a hand in bringing the marketplace down. Authorities didn't name who or which group may have been behind xDedic, only that its infrastructure was dismantled with help from those countries. For years, however, thanks in part to the Kaspersky report, it has been posited that the marketplace was run by a Russian-speaking hacker group.
Ukraine's cyber police said Monday that all parties involved in xDedic had been detained and that investigations in Belgium, Ukraine, and the U.S. were ongoing.
In the course of an international operation the largest site xDedic was blocked for the sale of confidential information at DarkNet. All the members, who provided activities of this hacker group, were detained. https://t.co/dDzY617LQw #xDedic #darknet #cyberpoliceUkraine #europol pic.twitter.com/59PUKSz1u6
— Cyberpolice Ukraine (@CyberpoliceUA) January 28, 2019
To use xDedic, all a user looking to purchase a hacked server had to do was enter the price, location, or operating system of a compromised computer to find something that fit their preferences. To help evade detection, the marketplace's operators used Bitcoin and a distributed network to obscure its admins, buyers, and sellers.
Despite existing in some form or another since 2014, it wasn't until the beginning of last year that enforcement around xDedic truly ramped up. According to Europol, the Federal Prosecutor and the Investigating Judge of Belgium, the Prosecutor General of Ukraine, Europol, and Eurojust signed a joint investigative team agreement to pool their efforts around the domain seizure.
Several units of the DOJ also helped carry out the takedown, including the Office of International Affairs (OIA) and the Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS).