Dark Web Greed and Grudges: A Hacker Soap Opera

Author: Editorial Team

Cryptocurrency exchangers store enormous amounts of funds, so it should come as no surprise that they are an increasingly attractive target for hackers. But now there’s a new element in this saga to contend with: hackers exposing data breaches as a way to air their grievances and promote personal feuds. Take the well-known Bitmax Crypto Exchange case as an example. The database was exposed on Raidforums because of a feud between different threat actors. Let’s take a closer look at how this came to be.

Hacker Feud Amplified: GnosticPlayers 

GnosticPlayers was a regular poster on dark web forums, offering databases for sale to other forum users. The poster claimed responsibility for the June account hijacking attack on XRP Ledger wallets on the cryptocurrency database GateHub, which drained $10 million dollars. 

Figure 1: The GateHub database leaked, where $10 million was stolen. 

We’ve since learned that GnosticPlayers was not one person, as previously assumed, but three different threat actors. The group has since split up, but the first two members used GnosticPlayers1 (now known as Nclay) and GnosticPlayers2 (now known as Gabriel) as aliases in recent posts.

Nclay was the mastermind behind the GateHub attack. He continuously provided hacked databases, while Gabriel sold them on the infamous Dream Market, using the nickname GnosticPlayers. Nclay and Gabriel then teamed up with Maxime Thalet, a hacker with multiple aliases, including Rawdata and DDB. 

Figure 2: GnosticPlayers2, Gabriel, explaining their side of the story and the creation of GnosticPlayers.

Subscribe to our blog for more dark web content

Nclay divided the stolen $10 million from the GateHub hack between himself, Gabriel and Maxime. The group maintained a successful operation for a while – until issues began to arise. 

Gabriel, posting as GnosticPlayers2, claimed Nclay spent their money on “cars and fake friends” and demanded that both he and Maxime return their $3 million to him. This tore the group apart and prompted Nclay to post the the Bitmax Crypto Exchange database for free. Databases such as Bitmax Crypto Exchange are usually sold for large sums of money, but, in this case, it was publicly exposed, so anyone with visibility into the forum could download and use it. 

The events were tracked by dark web user Jimmy Russel below:

Figures 3-5: Jimmy Russel shares a consolidation of the posts from GnosticPlayers1 regarding the recent drama. 

Drama on the Dark Web is more common than you think…

Figure 6: GnosticPlayers1, or Nclay, posting the Bitmax Crypto Exchange database for free.

Why This is Significant

From a dark web perspective, hacker conflicts such as this one are impacting the underground trading of database breaches. Instead of dealing with issues directly, threat actors are making database dumps freely available to the “general public” on the dark web. 

Additionally, personal feuds between threat actors could lead to damaged relationships on the dark web, which could, in turn, pave the way for new threat actors to “step up” and pick up where their counterparts left off. 

From the perspective of security teams, following dark web drama and relationships between threat actors can help organizations more accurately understand leak patterns – or, at the very least, know where to look when a breach occurs. 

GroupSense has extensive experience analyzing the dark web and helping organizations obtain detailed and finished intelligence on the ever-evolving threat landscape, data breaches and exposed vulnerabilities. Reach out to us to learn how we can help your organization.