Hackers are planning to equip over 300,000 dark web forum users with ransomware, inviting them to exploit stolen data from recent supply chain attacks. This follows the LiteLLM hack, which compromised a massively popular Python library integrated across thousands of AI projects.
Over the past month, the open source community has suffered wave after wave of supply chain attacks targeting code repositories, causing a domino effect.
One repository gets compromised – more developers pull it – their repositories get compromised – more developers pull them – their code now also contains malware. This chain expanded across GitHub, NPM, PyPI, coding tool extensions, and more.
The largest piece to fall was LiteLLM, a Python library used by major AI projects worldwide that has 97 million monthly downloads. For three hours, anyone who downloaded it also received powerful credential-stealing malware.
Assuming a constant download rate, that would be about 400,000 infected systems worldwide.
The threat actors behind it – TeamPCP – boasted to a few external security researchers that they managed to exfiltrate 300GB of data from over 500,000 infected systems.
Now it appears that they’re unable to digest the whole elephant.
The hackers have announced a partnership with a major illicit forum and collaboration with a ransomware gang. They plan to send invites to over 300,000 registered forum users to become ransomware affiliates, who will receive access to tools to encrypt and extort companies. Basically, they’re hiring the whole dark web to work on the stolen data.
Threat actors’ claims published on dark web forums are often exaggerated or false. However, even if partially true, this development might bring severe implications for thousands of developers, the companies they work for, and the cybersecurity community as a whole.
If even a small fraction joins the conglomerate, it might spawn the largest cybercrime operation in history, potentially dwarfing any previous organized cybercrime cartel.
Cybercrime forum consolidation started first
Before this announced event could occur, the dark web experienced a major centralization of communication. Underground cybercrime forums have long competed for dominance, with authorities repeatedly seizing the largest platform – BreachForums.
Recently, a rival forum, Breached, led by admin HasanBroker, seemingly obliterated the remaining mirrors or clones of BreachForums.
Not only that: Breached, which claimed to have 4,000 registered users, incorporated all 324,000 BreachForums users, whose data was exposed after a hack, as well as the forum's contents.
HasanBroker, who previously called himself the father of BreachForums, claimed victory and warned that anyone attempting to restore the competing service will be hunted. Now they’re also branding themselves with the BreachForums name, even though the domain names remain unchanged.
The forum quickly announced a partnership with Lapsus$, a major threat actor.

It’s still to be seen whether the forum establishes itself as the cybercriminals’ go-to marketplace.
A major announcement: “This is the beginning of something massive”
After the massive LiteLLM hack, the attackers behind it, TeamPCP, the forum BreachForums (Breached), and the ransomware operator Vect announced a major partnership, inviting others to collaborate.
The threat actor announced that all users on the forum, including those imported from the BreachForums carcass, will receive a personal Vect affiliate key.
“Today marks a historic moment for the underground community,” posted one of the forum owners, using the alias “vect.”
“This is the beginning of something massive.”

Basically, cybercriminals are handing out access to ransomware tools to anyone interested and promising support to any member who gains initial access, including support for deploying ransomware.
“Additionally, Vect Ransomware Group is now partnering with TeamPCP, the operators behind the latest Trivy / LiteLLM supply chain compromises. Together, we are ready to deploy ransomware across all affected companies that got hit by these attacks, and we won’t stop there,” the hackers said.
This alliance was separately confirmed on TeamPCP’s Telegram channel, as well as by the forum’s moderator.
“I want to proudly announce our partnership with the Vect group, which I personally find – one of the most sophisticated ransomware programs I have seen,” HasanBroker posted.


Vect ransomware operators further confirmed they’ll be sending keys to forum members via direct messages, expressing hopes that they’ll build the operation that “ransomware ecosystem will remember for years.”
“We will pull off even bigger supply chain operations.”
New ransomware model would completely eliminate trust
Traditionally, ransomware gangs operated as services with a tight core team, which recruited small, closed crews of affiliates. For example, LockBit, the former flagship operation in the scene, had only opened 73 affiliate accounts before its major disruption.
Vetting affiliates gave operators better control over which high-value targets were attacked and helped maintain a level of expertise. Even under tight control, affiliates often behaved unpredictably, breached operational protocols, switched teams, or even failed to restore the encrypted data after the ransom was paid.
The Vect Ransomware approach, handing ransomware keys to anyone, completely eliminates the trust element, making anyone an affiliate.
Even before the LiteLLM hack, Vect ransomware posted jobs for anyone with a phone, capable of speaking English, and knowledgeable about anonymity to serve as its negotiators for a 5% cut.

It is similar to “Levée en masse” from the French Revolutionary Wars – a decree replacing a professional army with mass mobilization, allowing Napoleon to achieve major victories.
Instead of professional cybercriminals, ransomware might become a disorganized, undisciplined crowd of thousands, likely unpredictable even to its organizers.
This approach is likely to massively scale up the ransomware operations and make them harder to disrupt, but no vetting means that infiltration by authorities is trivially easy – there will be zero trust between the operator and affiliates.
An uncontrollable crowd of cybercriminals might attempt to extort the same victims multiple times, and victims will be less likely to pay, with zero guarantees that their data will be restored or deleted.
Even if a small fraction of the quoted forum member ranks join Vect, it is likely to become the largest cybercrime operation ever. While individual collaborators have already established themselves through high-profile breaches, it remains to be seen whether the partnership will be a successful ransomware operation.