Cybercrime , Cybercrime as-a-service , Fraud Management & Cybercrime

Hacking Timeline: Fxmsp's Rise and Apparent Fall

Group Refined Network Intrusions and Malware to Build a Better Botnet, Experts Say
Hacking Timeline: Fxmsp's Rise and Apparent Fall
Fxmsp appeared to enjoy steady business until April 2019, when it posted screenshots to back its claim that it had stolen source code from three anti-virus vendors. (Source: AdvIntel)

How long does it take to become a reliable, trusted seller in the cybercrime-as-a-service ecosystem?

See Also: Live Webinar | Combating Cyber Fraud: Best Practices for Increasing Visibility and Automating Threat Response

While the timeline, of course, depends on your skill set, security experts say that the hacking collective known as Fxmsp - a sophisticated operation with multiple divisions and affiliates, led by an individual also going by "Fxmsp" - went from seeking basic tips on cybercrime forums, to its first sale of access to high-profile targets harvested by its own botnet in only about a year (see Fxmsp Hackers Behind AV Source Code Heist: Still Operating?)

Fast forward, and less than three years after first appearing on cybercrime forums, Fxmsp had become "one of the most prolific sellers of access to corporate networks in the history of Russian-speaking cybercriminal underground who publicly advertised the access to 135 companies, which brought him more $1.5 million in profits," says Dmitry Volkov, CTO of Singapore-based cybersecurity firm Group-IB.

"Through my experience of investigating Fxmsp as a group and as an individual, I can definitely say that one thing that they had was a strategic vision," Yelisey Boguslavskiy, CEO of threat intelligence firm Advanced Intelligence - aka AdvIntel - tells Information Security Media Group. "They wanted to perfect credential stealers and Trojans, make them as small and as invisible as possible, and they perceived it as craftsmanship and art."

A Brief History of Fxmsp

Here's a timeline of how Fxmsp appeared to achieve that goal, before being driven away from the cybercrime forums the group needed to monetize those efforts:

  • September 2016: Individual known as Fxmsp registers for a Russian cybercrime forum. "His early posts indicate that Fxmsp had little knowledge about how to monetize the access and maintain persistence within the networks he had compromised," Group-IB says, noting that he was asking about crypto-mining malware and infecting systems with Trojans after gaining remote access. In addition, he made some mistakes: "Experienced users of underground forums never publish their contact details, they share them only through private messages. Fxmsp included one of his Jabber accounts, in his contact information on the forum which helped Group-IB researchers to establish his presumed identity."
  • Early 2017: Fxmsp created accounts on multiple Russian forums, including the infamous exploit.in, "where he refocused his activity and began selling access to compromised corporate networks which would later become his primary business," Group-IB says.
  • Oct. 1, 2017: "Fxmsp published his first ad for the sale of access to corporate networks," Group-IB says, advertising initially access to a Nigerian commercial bank, followed later by access to the networks of "a chain of luxury hotels, another African bank with a capitalization of $20 billion, and many other high-profile targets."
  • December 2017: Fxmsp gets banned from a Russian cybercrime forum after attempting to sell access to a hacked Russian organization. "Puffed up by his initial success, he forgot an unspoken rule in the Russian-speaking hacking community: not hacking within Russia and CIS countries," Group-IB says, referring to the Commonwealth of Independent States, which refers to nine formerly Soviet countries which remain friendly with Moscow (see: Russia's Cybercrime Rule Reminder: Never Hack Russians). In now-deleted posts, Fxmsp "had published an ad for the sale of access to an ATM and to the website of the customs office in two Russian cities," Group-IB says.
  • Jan. 17, 2018: Fxmsp reports having 18 buyers. "The business was going so well for Fxmsp that he hired a user with a nickname Lampeduza - aka Antony Moricone, BigPetya, Fivelife, Nikolay, tor.ter, andropov, and Gromyko - as his sales manager in early 2018," Group-IB says. "Promoting their services, Lampeduza wrote in one of his forum posts: "You will have access to the company's entire network ... You will become THE INVISIBLE GOD OF NETWORKS."
  • August 2018: Fxmsp the group refers to a botnet as being at the center of their operations and facilitating remote access to networks. "They were referring to themselves as the head of the R&D division actually focused on perfecting the botnet, which was apparently a credential stealer or a banker Trojan botnet," AdvIntel's Boguslavskiy says.
  • September 2018: The group complains that selling remote access to hacked networks is taking too much time. "Fxmsp complained that they put too much time into processing the accesses and that they wish to stay more focused on the botnet development," Boguslavskiy says.
  • October 2018: Fxmsp disappeared from cybercrime forums, stating it wanted to focus on their botnet, Boguslavskiy says. Group-IB suggests that the group's disappearance may be due at least in part to Fxmsp and Lampeduza's "trying to sell access to the same network to several different buyers," resulting in blowback and a potentially threatening trust in their offerings.
  • April 2019: Fxmsp reports that it's making progress on its revamped botnet and it plans to release it in July 2019, Boguslavskiy says. Later in the month, Fxmsp begins offering for sale a total of 30 TB of data - including source code - stolen from three anti-virus vendors, together with remote access to the vendors' networks, for $300,000.
  • May 9, 2019: AdvIntel releases a report documenting the anti-virus hacking and stolen-data sales efforts (see: Crime Gang Advertises Stolen 'Anti-Virus Source Code').
  • Later in May 2019: Possibly feeling the heat, "Lampeduza stated that he no longer worked with Fxmsp, denied any involvement in the high-profile hacks, and said that he had allegedly suspended their cooperation on underground forums due to the greater media attention to Fxmsp," Group-IB says, noting that Lampeduza likely continued to sell remote access to hacked networks privately.
  • Dec. 17, 2019: In a cybercrime forum post, Lampeduza reports that Fxmsp is no longer operating, Group-IB says. But Boguslavskiy says of Fxmsp: "They may be still working privately, using their botnet."

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.eu, you agree to our use of cookies.