An underground marketplace hosted on the Dark Web that sells access to thousands of hacked servers belonging to governments, businesses and universities has resurfaced after being exposed earlier this year by cybersecurity researchers.
The market, called xDedic, was found by Kaspersky Lab to be selling access to roughly 70,000 compromised web servers in over 150 countries across the globe. After reports about its existence spread, the websites administrators shut up shop.
Now, according to UK cybersecurity firm Digital Shadows, the criminal market has resurfaced on a Tor network domain with one crucial difference: it now demands a $50 (£38, €45) enrolment fee for access.
In an incident report shared with IBTimes UK, researchers said they discovered a post on a Russian-language forum referring to the return of xDedic on 24 June. The message, reportedly send by a user who had an "established reputation" on the forum, featured a link to the Tor domain.
"The new xDedic site was found to be identical in design to the previous site and although discussion in the [forum] thread indicated that accounts on the previous site had not been transferred to the new site, accounts could be freely registered," Digital Shadows said.
It continued: "However, following registration, accounts had to be credited with $50 in order to activate them. Searches indicated that the new xDedic domain had also been shared on a French language dark web criminal site, but with the exception of Tor domain aggregation lists could not be located elsewhere."
In the incident report, Digital Shadows believed it was likely xDedic would resurface eventually based on its previous 'popularity' and 'likely profitability'. "This development has likely corroborated this assessment," the researchers said.
As the website is hosted on Tor, the cybersecurity firm was unable to analyse its traffic volumes to check how many visitors xDedic is attracting.
The firm said: "It [is] assessed as a realistic possibility that at the time of writing, awareness that the site had returned was relatively low. However, as the previous site was attracting 30,000 users a month at the time it closed down, it [is] assessed as likely that awareness and use of the new site will increase in the immediate to mid-term future."
In response to the news, Kaspersky Lab told Threatpost: "We are aware of reports of the return of xDedic and are monitoring the situation. We have a policy to share the findings of cybercriminal research with the relevant law enforcement agencies, and we have already done so in the case of xDedic."
In its initial findings, Kaspersky said each purchase on xDedic came bundled with software that could be used to help launch distributed-denial-of-service (DDoS) attacks, orchestrate spam campaigns or exploit point-of-sale (POS) retail systems.
"From government networks to corporations, from web servers to databases, xDedic provides a marketplace for buyers to find anything," it said in a blog post. "And the best thing about it – it's cheap. Purchasing access to a server located in a European Union-country government network can cost as little as $6 (£4).
"The one-time cost gives a malicious buyer access to all the data on the server and the possibility to use this access to launch further attacks. It is a hacker's dream, simplifying access to victims, making it cheaper and faster, and opening up new possibilities for both cybercriminals and advanced threat actors."