Compromised Server Credential Seller Sentenced in Florida, but Server Sales Still a Threat

17MAY2022 – Gary Warner

This week the US Attorney’s Office in the Middle District of Florida announced that Glib Oleksandr Ivanov-Tolpintsev, a 28-year-old hacker from Chernivtsi, Ukraine, would be sentenced to four years in prison for his role as a vendor on the xDedic Marketplace.

The court documents don’t actually name xDedic in this case; however, it was the Middle District of Florida that seized the server in January of 2019, and Glib is described as participating as a vendor on the marketplace from 2017 to 2019.

The new press release from Justice describes the Marketplace as offering “more than 700,000 compromised servers for sale, including 150,000 in the United States and at least 8,000 in Florida.”

For most people, xDedic came to the public eye when Kaspersky reported in May 2016 that 70,624 compromised servers were available for sale on the marketplace. At the time, the average cost for a userid and password that would provide access to a compromised server was $6.  Shortly thereafter, the admin of the site announced that beginning in April 2017, it would cost $250 to join the forum, and that the join fee would increase to $500 six months after that.

The xDedic admin used several forums to offer help to those who were compromising servers. For example, in June 2018, he offered a new RDP client that hackers should use to replace the Windows client with a more resilient and feature-rich RDP. (The screenshots have been translated for convenience.)

Later, he recommended a command for wiping all system logs from a server:

The xDEDIC[.]biz website was seized in January 2019, also by the Middle District of Florida, which helped us confirm this was the Marketplace in question.

At DarkTower, we practice the proverb that “birds of a feather flock together.” How do we apply such a concept when considering information like server sales? We know that xDedic was the premier site for the sale of hacked servers. We know many forums where the admin of the xDedic Marketplace recruited hackers and advertised his platform. So, if we visit the forums where xDedic was active, who is actively selling these services now?

After the xDedic[.]biz website was seized by law enforcement, the operators of the site merely shifted to a new domain name and kept running their business.  “Dedic” was an abbreviation of “Dedicated” which sometimes leads to funny Google Translate issues.  The Russians often refer to a single Dedicated server as a деда (Deda) or multiple servers as дедики.  Since деда also means “grandfather,” we get statements in XDED’s advertisements such as “before buying a grandfather” ( перед покупкой деда ).

XDED[.]ru, xded[.]org, and xded[.]biz are all the same site, as is the TOR site, z27jflykecyifoefvikrqxrkqizzmvcflc7md4gg2gvdjppni4yrz5qd[.]onion.

Using language similar to the original xDedic, as recently as March 2022, XDED describes themselves by saying, “We recruit server suppliers for cooperation on mutually beneficial terms,” and gives the disclaimer, “We do not brutalize servers; we provide a platform for sellers to sell their servers.”

XDED[.]ru was advertised in at least the following two dozen criminal forums between September 2019 and May 13, 2022. While it is significant that the original server was seized, all of the domains below are examples of currently online, mostly Russian cybercrime forums that continue to sell illicit goods and services, including compromised server accounts.

XDEDIC is member #1134190 on ALTENEN[.]is
XDED is member #14482 on ASCARDING[.]com
XDED is member #360080 on BHF[.]la
XDED is member #12055 on BLACKBONES[.]net
XDED.RU is member (unknown) on BPCFORUM[.]ru
XDEDIC is member #925372 on CARDERS[.]zone
XDED is member #7889 on CARDINGWORLD[.]ru
XDED is member #69419 on CCCC[.]sh
XDEDRU is member #2935485 on CRACKED[.]io
XDED is member #185404 on CRDCLUB[.]su (where he was active TODAY!)
XDED is member #38054 on CRDPRO[.]cc
XDED is member #16827 on CVVBOARD[.]org
XDED is member #137713 on DARKNET[.]sb
XDED is member #161079 on DUBLIKAT[.]club
XDEDRU is member #1019675 on FOG[.]ac
XDED is member #120194 on FORUMTEAM[.]site
XDED is member #9315 on h0st3[.]cc
XDED is member #41618 on IFUD[.]cf
XDED is member #100902 on MIPPED[.]com
XDED is member #22243 on MMO-DEV[.]info
xDEDIC is member #14648 on MOON[.]ug
XDEDRU is member (unknown) on PROLOGIC[.]su
XDED is member #141491 on UFOLABS[.]net
XDED is member #335233 on YOUHACK[.]xyz
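Membership lists like the one above are usually shared defanged (with `[.]` in place of `.`) and in free text, which is awkward to pivot on. The following parser is an added example, not code from the original post or from DarkTower: it turns lines in this exact format into structured records, refangs the forum domains for monitoring or blocklisting, and summarizes which aliases were used and where the member id is unknown. The sample lines are copied from the list above; the function names are my own.

```python
import re
from collections import Counter

# Constructed sample input: a few lines in the same format as the list above.
SAMPLE_LINES = """XDEDIC is member #1134190 on ALTENEN[.]is
XDED is member #14482 on ASCARDING[.]com
XDED.RU is member (unknown) on BPCFORUM[.]ru
XDED is member #185404 on CRDCLUB[.]su (where he was active TODAY!)
XDEDRU is member #2935485 on CRACKED[.]io
""".splitlines()

# "<alias> is member #<id> on <domain> <optional note>" or "... member (unknown) on ..."
LINE_RE = re.compile(
    r"^(?P<alias>\S+) is member "
    r"(?:#(?P<uid>\d+)|\((?P<unknown>unknown)\)) "
    r"on (?P<domain>\S+)(?P<note>.*)$"
)


def refang(domain):
    """Turn a defanged domain (EXAMPLE[.]com) into a usable one (example.com)."""
    return domain.replace("[.]", ".").lower()


def defang(domain):
    """Inverse of refang, for safely re-sharing indicators in reports."""
    return domain.replace(".", "[.]")


def parse_membership_line(line):
    """Parse one membership line; return a dict or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    uid = int(m.group("uid")) if m.group("uid") else None  # None when "(unknown)"
    note = m.group("note").strip() or None
    return {
        "alias": m.group("alias"),
        "member_id": uid,
        "forum": refang(m.group("domain")),
        "note": note,
    }


def parse_membership_list(lines):
    """Parse every matching line, silently skipping blank or unrelated lines."""
    records = []
    for line in lines:
        rec = parse_membership_line(line)
        if rec is not None:
            records.append(rec)
    return records


def forum_domains(records):
    """Sorted, de-duplicated, refanged forum domains suitable for a watchlist."""
    return sorted({r["forum"] for r in records})


def summarize(records):
    """Counts per alias, number of distinct forums, and forums with an unknown member id."""
    return {
        "forums": len(forum_domains(records)),
        "aliases": dict(Counter(r["alias"] for r in records)),
        "unknown_ids": [r["forum"] for r in records if r["member_id"] is None],
    }


if __name__ == "__main__":
    recs = parse_membership_list(SAMPLE_LINES)
    for r in recs:
        print(r)
    print(summarize(recs))
    print([defang(d) for d in forum_domains(recs)])
```

Because the parser returns `None` for lines it does not understand rather than raising, it can be run over a whole pasted report; the `note` field keeps free-text remarks such as the "active TODAY" observation attached to the right forum.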

The service still sells servers, currently listing 2,250 of them in their inventory, with approximately 600 of them in the United States. While this is a far cry from the 700,000 servers described in the court documents, please remember this is only what is for sale right now.  We do not know over what period of time the 700,000 were sold.

Reviewing the list of servers based in the USA, it appears that most are cloud-based servers which have been compromised by the sellers who list them. Prices range from $6 to $10. Several dozen servers, whose ISP is not listed, do seem to be potentially hacked “non-Cloud” servers.

Of the available servers in the United States, 132 are hosted by Microsoft and 113 are from Amazon. CNServers, Digital Ocean, GigeNet, Vultr (as The Constant Company), QuadraNet, SoftLayer, and System In Place are all well represented as well.

An interested buyer can preview more details about a server, including whether it already appears on any blacklists, and, for a small fee, check the IP address.

The XDED FAQ makes it clear that you are buying the use of a userid and password (with Administrator rights, if you so choose) which will be uniquely yours.  While they warrant that you can log in, once you have established contact, the account is yours for as long as you can keep control of the box.  If the server’s owner discovers your account and deletes it or resets the password, the warranty is void.

The XDEDIC case makes a strong argument that a seized server or a sentenced criminal does not mean the case is no longer useful for further intelligence. In this case, we find the servers still being hacked, stolen, and sold, as well as 24 online criminal forums that could also benefit from being seized and analyzed. DarkTower is standing by to help!