Active since at least August 2021, a new English-speaking threat actor calling themselves “1977” has developed and advertised a new eCrime market on multiple underground forums called Darth Maul Shop. This blog aims to highlight some of the key aspects of a new emerging eCrime market, analyze its reception by other threat actors, and discuss the underground cybercrime communities making money buying and selling credentials without launching any intrusions themselves.
If you want to learn more about Initial Access Brokers (IABs), SentinelOne recently shared a good up-to-date overview of this type of threat actor and how they interface with various ransomware groups and the types of services they offer. These IABs can be just as dangerous as the ransomware groups themselves, as they are capable of infiltrating a target network and achieving the privileges of “Domain Admin (DA) access with reach to over 10,000 hosts.”
The eCrime market has also shifted recently with the arrival of a new and improved Genesis market, which has been active since 2017 and is one of the largest of the underground economy alongside RussianMarket, 2EasyShop, and xLeet. Sophos researchers recently covered how Genesis sells stolen credentials, cookies, and digital fingerprints that are gathered from compromised systems, providing not just the data itself but well-maintained tools to facilitate its use.
Darth Maul (aka 1977.SH) eCrime Market
The interesting thing about Darth Maul shop is there are very little mentions of it across the usual OSINT sources, despite existing for around one year. A cursory search across some of the eCrime forums, paired with a