Cyble Research & Intelligence Labs’ (CRIL) ongoing monitoring of Dark-web logs and marketplaces indicates that certain emerging shops from this year are trying to gain more traction and customers on their platforms by conducting advertising campaigns promoting their illicit activities on well-known forums. 

This blog analyzes the recently announced new platform of Exodus Market logs and the history of emerging and seized key players in the infostealer and botnet logs marketplace industry. 

Exodus Market Re-emerges  

Exodus Market for Logs was first announced on the Cracked forum on February 10, 2024, by the user of the same name, “ExodusMarket”, after being officially launched at the end of January 2024. The initial domain for the logs platform was changed twice, once in March 2024 and again on July 16, 2024. 

Figure 1. Initial advertisement of Exodus Market in February 2024. 

On July 23, the threat actor promoted the new domain. To attract more customers, the threat actor offered free registration to new users using a referral code. 

Figure 2. The second advertisement of Exodus in July 2024. 

The advertised post indicates that after successfully migrating to the new domain, the  TA is trying to attract customers as an alternative to other marketplaces, especially after users’ exodus from the well-established Genesis Marketplace. There are uncertainties regarding the migration of the main domain several times in the last half year.  

One cause could be the intensification of LEA operations, which led to the takedown of botnet infrastructures and markets/forums and the arrest of their operators and owners. Based on these events, the owners of dark web platforms are continuously trying to migrate their infrastructures to bulletproof hosting services to ensure the privacy of their customers and a safe place for their illegal operations. 

Another cause could be an attempt of an exit scam in the Exodus Market group, which would lead to migrating the infrastructure to a new configuration that would avoid actions that could destroy the entire reputation gained. However, there are no threads or posts identified in the Darkweb forums or Telegram that indicate any red flags with the platform in the recent period. On July 16, the TA indicated on Telegram that customers with accounts on the old platform needed to raise a ticket to recover the funds on the new market site.  

Overview of Exodus Market 

Our analysis of ExodusMarket activity on Cracked reveals the possible creator of the site, who has been active since 2020 on the forum under the alias “Kira3301” and is an active website developer with a high reputation for their projects. The market owner replied on February 12 to the thread Kira3301, saying thanks for the project results. Furthermore, an analysis of Kira3301’s other themes and the login mechanism used in other projects shows similarities with the ExodusMarket platform.  

The Exodus Market is a simple website with few features that are already included in other log markets. The TA claims to have over 7,000 bots in 192 countries, and prices range from $3 to $10 per bot. The payment methods accepted are Bitcoin, Monero, and Litecoin, and the user must deposit the cryptocurrency in the platform’s deposit box.  

Figure 3. The main page of the Exodus Market. 

Figure 4. Payments methods. 

The bots tab on the platform offers preview information such as resources accessed by the bot, the date of addition and the last data collected, prices, country, and operating systems, along with the first two parts of the IP address.  

Figure 5. The bots section. 

Additionally, the platform includes a ticketing service for customer issues and a wiki tab that is intended to contain general information but is incomplete at the time of writing. 

Figure 6. Wiki section of the market. 

The TA advertises the benefits and new features that provide more traction to the market: 

• Over 10,000 new logs are added daily. 
• Increased privacy with moderators. 
• Filters for logs for easy searching in the platform. 
• Promises to add multi-commerce, multi-vendor system and antidetect browser for injecting logs directly from exodus market to the browser. 

The market has a Telegram channel to communicate officially with its customers. However, the number of subscribers and views is low, demonstrating a lower number of possible customers. Our analysis of the channel’s historical communications shows several changes in the domains that hosted the platform. Furthermore, the investigation shows that the TA previously offered installers for InfoStealers and RATs for $150 and mentoring sessions for the use of InfoStealers.  

Figure 7. Telegram channel. 

A timeline of info stealer markets 

• Advertised starting with February 2018 and seized in April 2023: Genesis Market was one of the largest infostealer markets until an FBI-led operation seized its clear web domains and placed it on the U.S. Treasury Department’s sanctions list. 

• Available since February 2019: The Russian Market has remained a key player in the cybercrime industry, offering other illicit products, in addition to logs, at prices ranging from  $10 to over $400. 

• Available since January 2020: 2Easy, which grew slowly at the beginning, benefited from the seizure of the Genesis market, which spurred customer migration and rapid growth of the marketplace. 

• Created in October 2020 and active until December 2021: The Amigos Market, whose primary source of logs was RedLine infostealer, competed with the Russian Market until its closure in 2021. 

Figure 8. Timeline of logs markets activity. 

In addition to these established platforms, CRIL has observed several decentralized Russian-speaking markets with a high number of subscribers, especially on Telegram channels that advertise credentials from infostealers (i.e., “log clouds”). However, these channels are often unreliable and short-lived. 

Conclusion 

Law enforcement initiatives such as Operation Endgame, which disrupted multiple infrastructures of the Bumblebee, IcedID, Pikabot, SystemBC, SmokeLoader, and Trickbot botnets, and those that dismantled ransomware groups like Lockbit and ALPHV demonstrate high efficiency as deterrence strategies for the criminal ecosystem.  

A notable benefit of these efforts is the forced changes in infrastructure, as seen with the Exodus market this year and previously with three iterations of the notorious RAID forums.  Takedowns and disruptions of threat actors’ activities can induce operational errors that generate more leads, bringing investigators closer to apprehending them. 

Recommendations 

Infostealers pose a potent threat to individuals and organizations, particularly in recent times when they have adapted to be stealthier, more evasive, and more potent. 

To avoid infostealer threats, Users should be wary of installing pirated software or suspicious files, as these are often used as vehicles to deliver infostealer malware, and organizations should 

1. Users should always download software/apps from known and trusted sites. 
2. Enterprise IT should not allow employees to access corporate infrastructure from their personal devices. Employees should be educated on their responsibilities in ensuring the organization’s security and should be aware of best practices. 
3. Seize the initiative via adopting early threat intelligence solutions to proactively monitor for threats. 
4. Keep an eye on the usual suspects. Monitoring known Threat Actors and groups on the darkweb can alert organizations to potential upcoming malware campaigns and targets, allowing them to take steps to secure themselves. 
5. Create a robust Incident Response Plan to react in the event of a compromise.  
6. Secure the broader supply chain of vendors and partners so that cyber threats do not laterally affect the firm’s ecosystem.  
7. Practice the Least Privilege principles when access to sensitive information is restricted to those who need to know.  

Related