Threat Management, Threat Intelligence, Incident Response, TDR

Access to 70,000 hacked servers sold on hacker marketplace; industry reacts


Researchers discovered a hacker marketplace on the Dark Web selling access to more than 70,000 hacked computer servers.

The cybercriminal marketplace xDedic, which appears to have been active since 2014 and grew more popular in mid-2015, was discovered by Kaspersky Lab researchers and a Europe-based internet service provider, a Kaspersky Lab blog post stated.

For $6 per server, a hacker can buy access to data on the compromised servers and use the servers to launch malicious attacks. These infected servers include those managed by governments, corporations and universities, according to Kaspersky. The most-affected countries on the Russia-based criminal marketplace are Brazil, China, Russia, India, Spain, Italy, France, Australia, South Africa and Malaysia.

Industry veterans view the marketplace as a troubling escalation of data that been sold on criminal marketplaces. “It's a graduated process from selling credential access to server access to more detailed records on those servers being most expensive (like health care records) – each costing significantly more but having longer use cycles in cyber-crime world as you move up the tiers,” wrote Ann Barron-DiCamillo, CTO of Strategic Cyber Ventures and former director of the Department Homeland Security's U.S. Computer Emergency Readiness Team, in an email to

There has been a proliferation of criminal marketplaces on the Dark Web offering a range of information and services, including ‘one-stop' ransomware services and personally identifiable information pilfered from state organizations.

Israel Barak, Cybereason's CISO and head of incident response, views the sale of direct access to networks as a new threat that will affect remediation priorities. “The immediate implication is that the traditional model that corporations use to remediate risks based on threat level needs to be changed,” he told He warned that any threat, including click-fraud or adware attacks, can quickly escalate to more sophisticated attacks as a result of platforms like xDedic.

Cytegic CEO Shay Zandani noted that the platform has been brought on by an increase in the complexity and sophistication of cybercriminals. The dark web, he told “is full of forums that buy, sell and share knowledge and tools.”

“Those compromised computers can be monetized by hacking groups in any number of ways – ideas and business models that are just now emerging or have yet to emerge,” Zandani added.

In an email to, Kaspersky Lab director of global research and analysis team Costin Raiu wrote, “The xDedic underground marketplace is a large one, with many players and victims, and it takes time to fully uncover and analyze this.  The investigation is ongoing.”

The platform is a “very disturbing trend,” according to Ron Heinz, managing director at Signal Peak Ventures. “Advanced persistent threat hacking, once the domain of deeply resourced state sponsored actors has now unfortunately moved into the broader market,” he wrote to

Paul Kraus, president and CEO at Eastwind Networks, called the sale of access to hacked servers “a hacker's dream,” in an email to “This market has passed the 18 month barrier which usually signals a startup will succeed. I believe this underground market will make becoming a hacker even easier,” he noted.

Other pros view the platform as highly suspicious. Red Cell Infosec CEO Dominique Davis told that the low price point is a likely indicator that the platform may have been launched by “a lone wolf” or the intelligence community – likely Russian intelligence – in order to catch would-be aspiring cybercriminals.

Indeed, Russia government has cracked down on hackers in recent weeks. Earlier this month, 50 hackers alleged to have been involved in a campaign targeting Russian banks were arrested by Russian police. The Russian government will announce new measures intended to fight against bank and credit-card credential thieves.

“If anyone actually tried to purchase one of these, it would lead to their immediate arrest,” Davis said. “This doesn't pass the sniff test.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.