Mass Mobilization on the Dark Web: 300,000 Users Gain Ransomware Tools Following LiteLLM Hack


In a significant escalation of cybercrime, hackers are preparing to equip over 300,000 users from dark web forums with ransomware tools, leveraging stolen data from recent supply chain attacks. This alarming development follows the LiteLLM hack, which compromised a widely used Python library integral to numerous AI projects.

Over the past month, the open-source community has faced a series of supply chain attacks targeting code repositories, creating a cascading effect. When one repository is compromised, it leads to more developers pulling the infected code, which in turn infects their repositories. This cycle has spread across platforms such as GitHub, NPM, and PyPI, among others.

The most notable incident was the breach of LiteLLM, a Python library that boasts 97 million monthly downloads. For a brief period of three hours, anyone who downloaded this library inadvertently received powerful credential-stealing malware. At this rate, it is estimated that around 400,000 systems worldwide could have been infected.

The threat actors behind this operation, known as TeamPCP, claimed to have exfiltrated approximately 300GB of data from over 500,000 compromised systems. They have since announced a partnership with a prominent illicit forum and a collaboration with a ransomware gang. Their plan involves inviting over 300,000 registered forum users to become ransomware affiliates, providing them with tools to encrypt and extort companies. Essentially, they are mobilizing the dark web to capitalize on the stolen data.

While claims made by threat actors on dark web forums are often exaggerated or misleading, the implications of this development could be severe for thousands of developers, the companies they represent, and the cybersecurity community at large. If even a small fraction of the invited users engage, this could potentially create the largest cybercrime operation in history, surpassing any previous organized cybercrime cartel.

Cybercrime Forum Consolidation

Before this announcement, the dark web had already seen a significant centralization of communication among cybercrime forums. These underground platforms have long competed for dominance, with authorities frequently targeting the largest, such as BreachForums. Recently, a rival forum called Breached, led by the administrator known as HasanBroker, effectively absorbed the remnants of BreachForums.

Breached, which previously had around 4,000 registered users, has now incorporated all 324,000 users from BreachForums, whose data was exposed in a hack. HasanBroker has claimed victory over BreachForums and warned that any attempts to revive the competing service will be met with resistance. The forum has even begun branding itself with the BreachForums name, despite retaining its original domain.

BreachForums has also announced a partnership with Lapsus$, a well-known threat actor, further solidifying its position in the cybercriminal landscape.

A Major Announcement: “This is the Beginning of Something Massive”

Following the LiteLLM hack, TeamPCP, the Breached forum (now operating under the BreachForums name), and the ransomware operator Vect have formed a significant partnership. They have invited other users to collaborate, announcing that all members of the forum, including those imported from BreachForums, will receive a personal Vect affiliate key.

One of the forum owners, using the alias “vect,” stated, “Today marks a historic moment for the underground community. This is the beginning of something massive.” This partnership allows cybercriminals to distribute ransomware tools to anyone willing to participate, promising support to those who gain initial access, including assistance with deploying ransomware.

The Vect Ransomware Group has confirmed its collaboration with TeamPCP, stating their readiness to deploy ransomware across all companies affected by the recent supply chain attacks. This alliance has been corroborated on TeamPCP’s Telegram channel and by the forum’s moderator, who expressed pride in partnering with what he considers one of the most sophisticated ransomware programs available.

New Ransomware Model Would Completely Eliminate Trust

Traditionally, ransomware operations have functioned with a tightly controlled core team that recruited a small, vetted group of affiliates. For instance, the LockBit operation had only opened 73 affiliate accounts before facing major disruptions. This model allowed for better control over high-value targets and ensured a level of expertise among affiliates.

However, the Vect Ransomware Group’s approach of distributing ransomware keys to anyone effectively eliminates the trust element, making anyone an affiliate. Even prior to the LiteLLM hack, Vect had been advertising positions for negotiators, requiring only basic skills such as speaking English and knowledge of anonymity, offering a 5% cut of the ransom.

This strategy resembles the “Levée en masse” from the French Revolutionary Wars, which replaced a professional army with mass mobilization. Instead of relying on seasoned cybercriminals, ransomware operations may devolve into a disorganized crowd of thousands, likely unpredictable even to their organizers.

This new model could significantly scale up ransomware operations, complicating efforts to disrupt them. The lack of trust between operators and affiliates may lead to multiple attempts to extort the same victims, reducing the likelihood of payment as there would be no guarantees regarding the restoration or deletion of data.

Even if only a small fraction of the forum members join Vect, this could lead to the largest cybercrime operation ever. While individual collaborators have already made their mark through high-profile breaches, the effectiveness of this partnership in executing successful ransomware operations remains to be seen.

For further insights into the implications of these developments, refer to the original reporting on the LiteLLM hack and its aftermath, as detailed in publicly available cybernews.com reporting.
