Analysis of Related Threat Actors: DarkRaaS and CornDB

In October and November 2024, two notable threat actors, DarkRaaS and CornDB, emerged on BreachForums, displaying striking similarities in their operations, targets, and methodologies. This analysis examines the activities of these actors and the evidence suggesting their likely connection.

DarkRaaS/bashify

DarkRaaS, an initial access and data broker, first appeared on BreachForums in October 2024, claiming affiliation with the DarkSide ransomware operation on his first post on the forum. DarkSide, infamous for the 2021 Colonial Pipeline attack, rebranded as BlackMatter and is closely tied to now defunct ALPHV (BlackCat) through shared personnel, tactics, and technical overlap, with many researchers viewing ALPHV as a direct continuation of DarkSide. However, this connection is questionable and currently there is no evidence that DarkRaaS is closely related to DarkSide.

DarkRaaS activities were marked by consistent use of plural pronouns (“we”) in communications, suggesting group operations. The actor mostly focused on Israeli targets, both government-related and private. Although their motivation remains unclear, their choice of targets suggests a geopolitical, anti-Western stance.

According to KELA, DarkRaaS claimed to have targeted nine Israeli entities during October with data theft and other attacks. This includes selling 85,000 customer records from a loan company, as well as multiple types of access to the assets of various organizations: a municipality’s cloud network, an Israeli clothing company’s cloud network Omall, CRM systems of a large marketing company, an Israeli medical agency, servers of a technological college, an Israeli energy company, a leading financial conglomerate in Israel.

While mostly targeting Israeli entities, DarkRaaS expanded their reach to include organizations across multiple countries, including the UAE, Bulgaria, Pakistan, Colombia, Turkey, Argentina, and Singapore. On November 5, 2024, the actor rebranded their forum presence, changing their moniker to “bashify”.

 

  Initial post by DarkRaaS, with the actor claiming to be from the DarkSide ransomware operation

CornDB

Shortly after DarkRaaS’s last communications under this handle, CornDB registered on BreachForums on November 9, 2024. Their operational patterns showed remarkable parallels to DarkRaaS, with a focus on Israeli targets and similar communication style, including group references. Their targeting included organizations such as access to a large telecommunication company, as well as information related to companies in Israel of multiple sectors – energy, financial, and municipality, while also extending to targets in Malaysia and the United States.

Evidence of Connection

KELA’s investigation has uncovered multiple indicators suggesting a strong connection between these actors. The temporal relationship between these actors presents a particularly noteworthy pattern. While there was a brief overlap in activity after CornDB’s registration on November 9, with bashify making three additional posts until November 12, the overall pattern suggests a coordinated transition rather than concurrent operations.

Moreover, the linguistic analysis revealed nearly identical phrasing in forum posts and consistent use of collective pronouns. Their operational patterns aligned precisely, with identical cryptocurrency payment preferences for Bitcoin, Ethereum, Litecoin, and Monero, along with a primary focus on Israeli targets and similar posting patterns and timing.

The most compelling evidence comes from the use of a shared TOX ID across both accounts. On November 11, bashify advertised an Italian gambling database using TOX ID: 811CB399F20173BF39A9DEDB048E8296AF0BB9AD101A088E1F01DF895CDE295F3DC6286A7CC6. This exact same TOX ID appeared consistently in CornDB’s contact information across their posts. The post was later edited by bashify to a different TOX ID.

Similar phrasing made by both actors in their posts

Posts in which both actors used the same TOX ID

Conclusion

Based on the evidence compiled by KELA, particularly the shared TOX ID and operational similarities, it appears highly likely that DarkRaaS/bashify and CornDB are either the same actor or closely connected members of the same operational group. The timing of their activities, identical targeting preferences, and critical sharing of the same TOX ID, provide strong support for this conclusion.

To protect privacy, we have withheld the names of the impacted victims; however, Israeli companies concerned about potential exposure are encouraged to reach out to us directly for further insights and assistance.

Although there has been high activity regarding Israeli targets and some data leaks are shared publicly for verification, the actors’ reputations cannot be definitively established, particularly concerning access broker sales. Both actors have accumulated only a small number of positive reputation points on the forum, and their threads have not generated significant public discussion. However, it’s worth noting that substantial interaction may occur through private messaging. Given their targeting patterns of high-profiled victims and operational similarities, these actors warrant continued monitoring.

Try for Free

Discover the power of KELA’s intelligence platform firsthand. Gain access to actionable insights, uncover critical risks, and explore the depths of the cybercrime underground—all tailored to help you stay ahead of threats. Try for Free.