July 14, 2015 - Nicholas Albright

Hell Forum Administrator Arrested and Charged for Credit Card Skimming

<p>Following up on my blog post on <a href="https://www.threatstream.com/blog/monitoring-anonymizing-networks-tor-i2p-for-threat-intelligence">TOR and I2P Intelligence Monitoring</a>, we are closely tracking the arrest of the forum administrator who used the TOR network to hide his illegal activities.</p>
<p>33-year-old Ping, whose real name was outed by members of the Hell Forum, was mentioned in a number of media reports from Calgary police and covered by the <a href="http://calgaryherald.com/news/crime/police-charge-two-in-credit-card-skimming-scheme">Calgary Herald</a>. The article points to an arrest on or about June 17, 2015.</p>
<p>Coincidentally, this arrest was announced just days after Fox News quoted a security researcher about the suspected OPM data on the Hell Forum.</p>
<p>Ping is the administrator of a popular hacking/cracking/carding forum known as Hell, which was only accessible over the TOR network. The forum was abruptly shuttered last night (July 13th) after he notified a forum moderator of his arrest last month in Canada.</p>
<p><img alt="" src="https://cdn.filestackcontent.com/KyatVfvzRNCVHYpRFRXh" style="width: 400px; height: 500px;"/></p>
<p>Additionally, Ping's private security blog has been taken offline. Analysts have observed over the last three weeks that Ping's online demeanor has changed. Sharing data, source code and exploits freely was part of his personal style, something he built a reputation for. Recently, however, he had started hoarding troves of data supplied by his members, claiming to be validating the dumps. Access to the data stores was limited to those who would pay.</p>
<p>This change in character led many to believe that he was working for law enforcement and that the investigating teams were analyzing the data leaks, then using the payment processing to build cases against others.</p>
<p>Ping's board increased in popularity when an individual claiming he had data from the OPM breach posted to the main site. As a teaser, the individual provided ~20,000 records that appeared to be federal in nature. It was later verified that the data dump was not OPM related, but likely a breach of another federal system in 2013. A second dump of data is still available on an Onion site, reportedly under the control of forum staff who paid for the data dump. The drop site, `http://agcv47dxxqxqkmw3.onion/Hacked_Data/`, hosts a number of data leaks. Most of the leaks are archived and encrypted using RAR. A small collection of the leaks use the passwords: `mQINBFUiprYBEADKX+oGpwzjjQ7bUr7XUjfP5C/xCR3dQfdcmflkBf3HdK7ARZ3p`, `58iY0pmkQa6EMlNFXcBt75QW3wUFxSFrfy2aN2D/+UTCz/H08Q6wMNITyvtXy5uc`, `http://hell2bjhfxm77htq.onion/ping`, or `http://hell2bjhfxm77htq.onion/pingsec`. The passwords for the other data leaks have not been disclosed, including the second batch of data believed to be from the federal breach in 2013.</p>
<p>This could be an interesting turn of events for underground forums that required validation and verification to access content. I'm sure many of the existing members are worried about their email addresses, which were required for access to the site. Those members who did not use anonymizing email services could be linked to malicious activity, even indirectly. Private messages and other forum-related data may help law enforcement build cases against others, flipping or turning individuals to work for law enforcement in exchange for reduced sentences.</p>
