Recorded Future cyber security experts: The hacker behind Collection #1 is dubbed C0rpz
The hacker who primarily compiled Collection #1, probably the biggest archive of leaked credentials ever, is dubbed C0rpz. He has been identified by the Recorded Future cyber security experts. He sold the more than 770 million email addresses and 21 million passwords to two other cyber crooks: Sanix and Clorox. The company analyzed the complete dump on January 19, 2019 and confirmed that many of the account credentials contained in Collection #1 come from a wide variety of previous data breaches, some of which are two to three years old, and may not contain newly compromised accounts. Multiple threat actors claimed to be the source of the data and were distributing these databases throughout the Dark Web, including “Clorox.” However, Recorded Future assesses with moderate confidence that the original creator and seller of Collection #1 was the actor “C0rpz.”
A hacker named Clorox tried to resell the biggest archive of leaked credentials ever, which contains seven databases. The one unveiled by Troy Hunt is incomplete.
According to Recorded Future, its Insikt Group discovered a forum post created by Clorox, who posted seven URLs to separate databases hosted on the file sharing service MEGA. In total, the archives contained 993.53 GB of data with three different variations of user credentials: email addresses and passwords, usernames and passwords, and cell phone numbers and passwords. In the forum post, the malicious hacker linked to the Troy Hunt article, claiming that Hunt's database is incomplete and is only a fraction of the original Collection #1. Furthermore, he stated that this one was being sold on a different forum by another party, who then took down the original files that were hosted at different URLs on MEGA. Troy Hunt, according to Clorox, was able to download only one of these databases. Further analysis pointed to another individual, C0rpz, who claimed to be the original creator and seller of Collection #1.
The cyber security experts: The actor Sanix did the same, but has been banned from the hacking forums. C0rpz posted links to MEGA sharing Collection #1 free of charge with the community. Meanwhile, another hacker from a well-known Russian forum was observed sharing a large database of 100 billion user accounts.
C0rpz, the cyber security experts found, stated that another forum member, “Sanix,” purchased Collection #1 and then attempted to resell it to other people. Sanix was the individual identified by Brian Krebs in his article “773M Password ‘Megabreach’ is Years Old,” and the Recorded Future analysis confirmed that this is the same individual who attempted to sell the database originally created by C0rpz. Sanix has since been banned from the forum, and C0rpz has posted links to MEGA sharing Collection #1 free of charge with the community. Moreover, another hacker from a well-known Russian forum was also observed sharing a large database of 100 billion user accounts, which possibly overlaps with some of the datasets found in Collection #1. He posted both a magnet link and a direct download link to the archive, explaining that it also contains the leaked data referenced in Troy Hunt’s article.