Tampa authorities shut down xDedic, a dark website known as a 'hacker's dream'

The U.S. Attorney's Office in Tampa and two European countries seized the site's domain names earlier this week.
The U.S. Attorney’s Office in Tampa has shut down the xDedic Marketplace, a website the feds say sold access to compromised computers worldwide.
Published Jan. 30, 2019

The dark web took a hit in recent days, thanks to an investigation run out of the federal prosecutor's office in Tampa.

Authorities shut down the xDedic Marketplace, a website that a cyber security firm once referred to as a "hacker's dream."

The site sold access to hacked servers all over the world. Buyers could search the site for information based on price, location and computer operating system, including information about U.S. residents that could be used in identity theft and other financial crimes.

The victims spanned nearly every industry, including local and state governments, hospitals, 911 emergency services, call centers, transit authorities, law firms, pension funds and universities.

On January 24, U.S. authorities, working with counterparts in Belgium and Ukraine, seized the site's domain names in the United States and Europe.

The feds estimated that the site facilitated $68 million in fraud. No arrests were announced.

While the internet is awash with bad actors willing to sell hacked information, xDedic was far more sophisticated than the typical seller, said Jason Mehta, a former federal prosecutor in the Middle District of Florida who investigated cyber-related crimes.

"This is not a run-of-the-mill dark web takedown," said Mehta, now a partner at the Bradley law firm in Tampa. "I think this is potentially a very significant development."

Sites like xDedic often work below the radar and are run by professional hackers adept at masking their identities and remaining anonymous online. They are hard to track and even harder to arrest and prosecute, which helps explain why U.S. and European authorities didn't name any names.

"This game of cat and mouse in cyber related crimes is very sophisticated," Mehta said. "It is not uncommon for law enforcement to be stymied when it comes to who to arrest."

The xDedic site likely launched in 2014 and was run by a "Russian-speaking group of hackers," according to a 2016 report from Kaspersky Lab, a cybersecurity company.

By then, xDedic had created a trading platform with more than 70,000 hacked servers, including government agencies and corporations in 173 countries, Kaspersky reported.

"From governmental networks to corporations, it is possible to find almost anything on xDedic for as little as $6 per server," the report said. "This one-time cost provides a malicious 'customer' with access to all the data on the server and endless other possibilities, such as using the access to launch further attacks."

An analysis of web tags showed that the cyber criminals were interested in information from a wide range of industries, including online gambling, shopping and dating, bank payments, cell phone operators, email providers, and web browsers such as Chrome, Firefox and Internet Explorer.

"In addition to the lists of public websites and common software, there is specific link to software that could be used as a source of fraudulent money," the report said. "There is a strong interest in accounting, tax reporting and point-of-sale software, which apparently opens up many opportunities for fraudsters."

Kaspersky reported that, to access the servers, xDedic's partners employed high-speed trial-and-error programs to decode encrypted passwords, a technique often referred to as a brute-force attack. The hackers would then install custom malware, which could harvest credit card data or other information contained on the server.

The system could be easily replicated by other bad actors, the report concluded.

Ars Technica, a technology trade publication, reported in 2016 that the marketplace could also benefit hackers known for advanced persistent threats, or APTs.

"In contrast to profit-motivated criminals who opportunistically attack any victim with weak defenses, APT actors target specific organizations or individuals, often because of the politics they espouse, the country they support, or the information they hold," the trade publication concluded.

Mehta, the former prosecutor, said he wouldn't be surprised to hear about more high-profile takedowns of similar websites.

"Law enforcement is quickly realizing the seriousness and urgency of cyber threats," he said. "The FBI and other agencies are employing more and more resources to these types of crimes."

Contact Graham Brink at Follow @GrahamBrink.