Hacking Timeline: Fxmsp's Rise and Apparent Fall
Group Refined Network Intrusions and Malware to Build a Better Botnet, Experts Say
How long does it take to become a reliable, trusted seller in the cybercrime-as-a-service ecosystem?
While the timeline, of course, depends on your skill set, security experts say that the hacking collective known as Fxmsp - a sophisticated operation with multiple divisions and affiliates, led by an individual also going by "Fxmsp" - went from seeking basic tips on cybercrime forums to its first sale of access to high-profile targets harvested by its own botnet in only about a year (see: Fxmsp Hackers Behind AV Source Code Heist: Still Operating?).
Fast forward, and less than three years after first appearing on cybercrime forums, Fxmsp had become "one of the most prolific sellers of access to corporate networks in the history of the Russian-speaking cybercriminal underground, who publicly advertised access to 135 companies, which brought him more than $1.5 million in profits," says Dmitry Volkov, CTO of Singapore-based cybersecurity firm Group-IB.
"Through my experience of investigating Fxmsp as a group and as an individual, I can definitely say that one thing that they had was a strategic vision," Yelisey Boguslavskiy, CEO of threat intelligence firm Advanced Intelligence - aka AdvIntel - tells Information Security Media Group. "They wanted to perfect credential stealers and Trojans, make them as small and as invisible as possible, and they perceived it as craftsmanship and art."
A Brief History of Fxmsp
Here's a timeline of how Fxmsp appeared to achieve that goal, before being driven away from the cybercrime forums the group needed to monetize those efforts:
- September 2016: An individual known as Fxmsp registers on a Russian cybercrime forum. "His early posts indicate that Fxmsp had little knowledge about how to monetize the access and maintain persistence within the networks he had compromised," Group-IB says, noting that he was asking about crypto-mining malware and infecting systems with Trojans after gaining remote access. In addition, he made some mistakes: "Experienced users of underground forums never publish their contact details; they share them only through private messages. Fxmsp included one of his Jabber accounts in his contact information on the forum, which helped Group-IB researchers to establish his presumed identity."
- Early 2017: Fxmsp created accounts on multiple Russian forums, including the infamous exploit.in, "where he refocused his activity and began selling access to compromised corporate networks which would later become his primary business," Group-IB says.
- Oct. 1, 2017: "Fxmsp published his first ad for the sale of access to corporate networks," Group-IB says, initially advertising access to a Nigerian commercial bank, followed later by access to the networks of "a chain of luxury hotels, another African bank with a capitalization of $20 billion, and many other high-profile targets."
- December 2017: Fxmsp gets banned from a Russian cybercrime forum after attempting to sell access to a hacked Russian organization. "Puffed up by his initial success, he forgot an unspoken rule in the Russian-speaking hacking community: not hacking within Russia and CIS countries," Group-IB says, referring to the Commonwealth of Independent States, a group of nine formerly Soviet countries that remain friendly with Moscow (see: Russia's Cybercrime Rule Reminder: Never Hack Russians). In now-deleted posts, Fxmsp "had published an ad for the sale of access to an ATM and to the website of the customs office in two Russian cities," Group-IB says.
- Jan. 17, 2018: Fxmsp reports having 18 buyers. "The business was going so well for Fxmsp that he hired a user with a nickname Lampeduza - aka Antony Moricone, BigPetya, Fivelife, Nikolay, tor.ter, andropov, and Gromyko - as his sales manager in early 2018," Group-IB says. "Promoting their services, Lampeduza wrote in one of his forum posts: 'You will have access to the company's entire network ... You will become THE INVISIBLE GOD OF NETWORKS.'"
- August 2018: Fxmsp the group refers to a botnet as being at the center of their operations and facilitating remote access to networks. "They were referring to themselves as the head of the R&D division actually focused on perfecting the botnet, which was apparently a credential stealer or a banker Trojan botnet," AdvIntel's Boguslavskiy says.
- September 2018: The group complains that selling remote access to hacked networks is taking too much time. "Fxmsp complained that they put too much time into processing the accesses and that they wish to stay more focused on the botnet development," Boguslavskiy says.
- October 2018: Fxmsp disappears from cybercrime forums, stating that the group wants to focus on its botnet, Boguslavskiy says. Group-IB suggests that the disappearance may be due at least in part to Fxmsp and Lampeduza "trying to sell access to the same network to several different buyers," which resulted in blowback and threatened to undermine trust in their offerings.
- April 2019: Fxmsp reports that it's making progress on its revamped botnet and it plans to release it in July 2019, Boguslavskiy says. Later in the month, Fxmsp begins offering for sale a total of 30 TB of data - including source code - stolen from three anti-virus vendors, together with remote access to the vendors' networks, for $300,000.
- May 9, 2019: AdvIntel releases a report documenting the anti-virus hacking and stolen-data sales efforts (see: Crime Gang Advertises Stolen 'Anti-Virus Source Code').
- Later in May 2019: Possibly feeling the heat, "Lampeduza stated that he no longer worked with Fxmsp, denied any involvement in the high-profile hacks, and said that he had allegedly suspended their cooperation on underground forums due to the greater media attention to Fxmsp," Group-IB says, noting that Lampeduza likely continued to sell remote access to hacked networks privately.
- Dec. 17, 2019: In a cybercrime forum post, Lampeduza reports that Fxmsp is no longer operating, Group-IB says. But Boguslavskiy says of Fxmsp: "They may be still working privately, using their botnet."