The Industry’s Only SaaS-Delivered Enterprise DLP

Our unique approach to DLP allows for quick deployment and on-demand scalability, while providing full data visibility and no-compromise protection.

No-Compromise Data Protection is:

  • Cloud-Delivered
  • Cross Platform
  • Flexible Controls
DATAINSIDER

Digital Guardian's Blog

FBI, Europol Detail xDedic Takedown

by Chris Brook on Monday January 28, 2019

Contact Us
Free Demo
Chat

For years the site has served as a marketplace for attackers looking to buy hacked servers, computer credentials, and personal data belonging to U.S. citizens - until now.

For nearly five years the xDedic Marketplace has served as a one-stop shop for cybercriminals, hackers, and attackers looking to purchase hacked servers and personal data.

Authorities from the U.S., Ukraine, and Belgium, with help from Europol, put an end to the shop last week, effectively ceasing the site's operation, it was announced Monday.

As part of an international undertaking, the FBI and the DOJ, with the help of Belgium's Federal Computer Crime Unit and Federal Prosecutor's Office, the National Police and the Prosecutor General’s Office of Ukraine, and Germany's police, Bundeskriminalamt, seized xDedic's domains last Thursday.

In 2016, when researchers from Kaspersky Lab first published an investigation into xDedic, there were 70,624 unique servers from 173 countries for sale. That number jumped to around 85,000 servers in 2017.

Neither the DOJ or Europol shed any insight into how many servers were for sale as of last week. The agencies did say however that the website appears to have been responsible for more than $68M in fraud, from countless victims, including nearly all forms of government (local, state, federal), hospitals, transit authorities, law firms, and universities.

xDedic disappeared for a spell following Kaspersky Lab's report but resurfaced a month later in 2016 on a Tor network domain, accessible for a $50 entrance fee.

Flashpoint, in a 2017 report, found that two thirds of the servers and PCs being sold on xDedic belonged to schools and universities. The report said at the time that servers in the U.S., Germany, and Ukraine were the most targeted, something that explains why authorities from all three countries had a hand in bringing the marketplace down. Authorities didn't name who or which group may have been behind xDedic, only that its infrastructure was dismantled with help from those countries. For years however, thanks in part to the Kaspersky report, it's been posited the marketplace has been run by a Russian-speaking hacker group.

Ukraine's cyber police said Monday that all parties involved in xDedic had been detained and that investigations in Belgium, Ukraine, and the U.S. were ongoing.

To use xDedic, all a user looking to purchase a hacked server would have to do would be to input the price, location, or operating system of a compromised computer in order to find something to fit their preferences. To help evade detection the marketplace's operators used Bitcoin and a distributed network to obscure its admins, buyers, and sellers.

Despite existing in some form or another since 2014, it wasn't until the beginning of last year that enforcement around xDedic truly ramped up. According to Europol, the Federal Prosecutor, the Investigating Judge of Belgium, the Prosecutor General of Ukraine, Europol and Eurojust signed a joint investigative team agreement to pool their efforts around the domain seizure.

Several units of the DOJ also helped carry out the takedown, including the Office of International Affairs (OIA) and the Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS).

Tags: Cybercrime

Recommended Resources


  • Why Data Classification is Foundational
  • How to Classify Your Data
  • Selling Data Classification to the Business
  • The Five Stages of Threat Hunting
  • A Proactive Approach to Threat Hunting
  • Expert Tips

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.