Ulterior motives and influence operations

Alon Gal — Under the Breach
Feb 10, 2020

This write-up will be a little shorter; it is just anecdotal evidence that sometimes things in cybercrime aren’t as they seem, and are often a lot more sinister.

Earlier this week I noticed an actor was trying to sell access to three of the largest mobile companies in Iraq:

He was even kind enough to provide some samples:

I was interested in finding out more about this access, considering it seemed odd that he had hacked three different large mobile companies in the same country.

I started talking to him and asked how much he was asking for the database; he replied that the price was $40,000.

Now, I’m familiar with the prices of hacked databases and that is an insanely high amount, almost as if he doesn’t really want to sell it…

He also gave me a link to his site which is available on the Darknet:

We can see he is offering to sell his access, along with a really sketchy description of himself and how to handle business with him.

I scrolled down a bit and it turns out this guy also tried to sell access to the Ministry of Foreign Affairs of Iraq:

And to the Council of Cooperative Health Insurance of Saudi Arabia:

I started looking into his usernames and found out he had been around since June 2019 and had offered his network accesses on several hacking forums.

I even found, through an IRC channel he posted in, that he was using NordVPN, which shows he has some OPSEC, something that is mandatory for state actors:

Anyways, I told him $40,000 was a bit high but that I would still love to get a sample from the database, and after going back and forth he accepted and sent me a sample:

We can see here a list of numbers that are numerically close to each other, which would make sense in a database taken from the company.

It also has names, which he would only have if he actually had the database, so I decided to check whether they were genuine.

In order to do that, I tried adding every single one of the phone numbers as a contact in Telegram; if a user was found using that number, I would delete him as a contact, which would reveal the name he used for the account:

I would then compare the name in Telegram to the name that appears in the database; in this case:

Database: 9647801205008, Zaid Ibrahim Abdullah (Translated)

Telegram: 9647801205008, Amir al-Ajili (Translated)

Turns out the hacker must have fabricated the database, because I didn’t find a single match between the database and Telegram…
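As an added example (not the author's code), here is an offline way to apply the two checks described above: whether the numbers cluster the way a real carrier dump would, and whether the claimed names agree with independently observed ones. It assumes the lookups have already been done and recorded by hand; the numbers and names below are constructed, not taken from the sample.

```python
import re
import unicodedata

def normalize_name(name):
    # Casefold, strip diacritics, collapse punctuation so transliteration
    # variants such as "al-Ajili" and "Al Ajili" compare equal.
    decomposed = unicodedata.normalize("NFKD", name)
    plain = "".join(c for c in decomposed if not unicodedata.combining(c))
    return re.sub(r"[^a-z0-9]+", " ", plain.casefold()).strip()

def sequential_fraction(msisdns, max_gap=1000):
    # Fraction of adjacent sorted numbers within max_gap of each other. Numbers
    # from one carrier cluster, but a faker can mimic that, so it is a weak signal.
    nums = sorted(int(n) for n in msisdns)
    if len(nums) < 2:
        return 0.0
    close = sum(1 for a, b in zip(nums, nums[1:]) if b - a <= max_gap)
    return close / (len(nums) - 1)

def name_match_rate(sample, reference):
    # Compare claimed names with independently observed ones. Returns
    # (matches, checked); numbers with no reference record are skipped.
    checked = matches = 0
    for msisdn, claimed in sample.items():
        observed = reference.get(msisdn)
        if observed is None:
            continue
        checked += 1
        matches += normalize_name(claimed) == normalize_name(observed)
    return matches, checked

def assess_sample(sample, reference, min_match=0.5):
    # Only the name check can refute a sample; clustered numbers alone never vouch for it.
    matches, checked = name_match_rate(sample, reference)
    if checked == 0:
        verdict = "unverified"
    elif matches / checked >= min_match:
        verdict = "consistent"
    else:
        verdict = "likely fabricated"
    return {"sequential": sequential_fraction(sample), "matches": matches,
            "checked": checked, "verdict": verdict}

# Constructed data modelled on the write-up: plausibly clustered numbers whose
# claimed names mostly do not match what the independent lookups returned.
SAMPLE = {"9647800000101": "Zaid Ibrahim Abdullah", "9647800000102": "Sara Hasan",
          "9647800000103": "Omar Khalid", "9647800000250": "Layla Kareem"}
REFERENCE = {"9647800000101": "Amir al-Ajili", "9647800000102": "Hussein Jabbar",
             "9647800000103": "Omar  Khalid"}  # ...250 returned no account
```

On the constructed data the numbers cluster perfectly yet only one of three checked names agrees, so the sample is flagged as likely fabricated.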

Anyways, I started getting suspicious of him and added him via Telegram instead of XMPP (which was my initial way of contacting him); when asked again about the price, he arbitrarily said it was ~$10,000:

Now, the strange thing about the entire interaction with this person is that after I received the samples from him and insisted that $40,000 was a bit too high for me, he didn’t try lowering the price.

I find it weird because I had already confirmed he was selling fake data, which is worthless, and he had practically made it clear to me that he was trying to scam.

If he is trying to scam and I am going along with his scam, asking him to lower the price by just a bit, he should have had no problem letting me pay him $20,000 or even $5,000, but he didn’t, which leads me to think he actually doesn’t want to sell this database and it is only a facade.

I tend to believe he wants to make someone think he has this database for some sort of influence operation with unknown purposes.

What do you think?

Connect with me — https://www.linkedin.com/in/alon-gal-utb/
