
Threat actor from a Russian operated crime forum targeting users in Ireland


A file containing breached or leaked data of over 28,000 people living in Ireland has recently surfaced on one of the clearnet data leak forums. Now, as far as breach records go, this one is a very structured and clean Excel file containing email addresses, first names, surnames, general locations and phone numbers. Data dump files are usually bulky and messy, which is not the case here. But, first things first.

This research was initiated after an anonymous tip-off from a reader. A big thank you is owed to the person who flagged this to me, and it is hereby expressed.

The dump file was originally posted on Saturday, 2nd of December at 2:39PM.

I apologise for the redacted screenshot content, but I don’t want to further victimise the people whose details are in the leak by showing too much information that would lead to their identification.

NB: If you have a genuine, legitimate interest in this (government employee, press or cybersecurity researcher, etc.), you can contact me about it on the email address provided at the end of this post.

[Screenshot: osint forum ireland leak 1 (redacted)]

The dump file is hosted externally from the crime forum. At the time of this research, and according to the external website’s content download counter, it was downloaded only 12 times.

The file does not contain any credit card details or any other information that could be easily monetised by cyber criminals. The fact that it’s being shared for free suggests its perceived low value, but naturally the personal information within can be used to conduct random phishing, spam and automated voicemail scam attacks, as well as more targeted attempts against profiled targets.

The origin of the data dump file is unclear and while the metadata analysis offers some insights, they cannot be taken for granted as metadata – as we all know – is easily manipulated.

file_name: ********.xlsx [REDACTED]
file_size: 1659 kB
file_type: XLSX
file_type_extension: xlsx
mime_type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
zip_required_version: 20
zip_bit_flag: 0x0006
zip_compression: Deflated
zip_modify_date: 1980:01:01 00:00:00
zip_crc: 0xa458f7aa
zip_compressed_size: 378
zip_uncompressed_size: 1556
zip_file_name: [Content_Types].xml
application: Microsoft Excel
doc_security: None
scale_crop: No
links_up_to_date: No
shared_doc: No
hyperlinks_changed: No
app_version: 14.03
creator: Acer
last_modified_by: Acer
create_date: 2022:06:29 16:21:11Z
modify_date: 2022:06:29 16:27:23Z
category: application

The creation and modification dates above suggest that this is not a new file and that it has been around for the last year or so. Then again, those values could have been manipulated.

The name in the creator field, “Acer”, might suggest that the origin of this data could be the massive 2021 data breach from Acer – or maybe not.

I took a sample of 10 email addresses from the file and checked them against the Acer dump records – there were no matches found.
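To make the metadata analysis above reproducible, here is an added Python example (not code from the original post): it reads the same provenance fields straight from the OOXML parts of an .xlsx file (docProps/core.xml, docProps/app.xml and the first zip entry), and runs against a constructed stand-in file carrying the values listed above with no personal data. Dates come out in the raw W3CDTF form stored in the file rather than exiftool's colon-separated form.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces used in docProps/core.xml and docProps/app.xml.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

def xlsx_metadata(data: bytes) -> dict:
    """Return the provenance fields from an .xlsx package (a zip of XML parts)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        first = zf.infolist()[0]          # exiftool's zip_* fields describe this first entry
        names = zf.namelist()
        core = ET.fromstring(zf.read("docProps/core.xml")) if "docProps/core.xml" in names else None
        app = ET.fromstring(zf.read("docProps/app.xml")) if "docProps/app.xml" in names else None
    def text(root, path):             # missing part or element -> None, never an exception
        el = root.find(path, NS) if root is not None else None
        return el.text if el is not None else None
    return {
        "zip_file_name": first.filename,
        "zip_modify_date": "%04d:%02d:%02d %02d:%02d:%02d" % first.date_time,
        "creator": text(core, "dc:creator"),
        "last_modified_by": text(core, "cp:lastModifiedBy"),
        "create_date": text(core, "dcterms:created"),
        "modify_date": text(core, "dcterms:modified"),
        "application": text(app, "ep:Application"),
        "app_version": text(app, "ep:AppVersion"),
    }

def build_sample() -> bytes:
    """Constructed stand-in for the leaked file: the docProps values the post lists, no personal data."""
    core = (
        '<cp:coreProperties xmlns:cp="%(cp)s" xmlns:dc="%(dc)s" xmlns:dcterms="%(dcterms)s"'
        ' xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        "<dc:creator>Acer</dc:creator><cp:lastModifiedBy>Acer</cp:lastModifiedBy>"
        '<dcterms:created xsi:type="dcterms:W3CDTF">2022-06-29T16:21:11Z</dcterms:created>'
        '<dcterms:modified xsi:type="dcterms:W3CDTF">2022-06-29T16:27:23Z</dcterms:modified>'
        "</cp:coreProperties>" % NS
    )
    # Excel 2010 stores its version as 14.0300; exiftool displays it as 14.03.
    app = '<Properties xmlns="%s"><Application>Microsoft Excel</Application><AppVersion>14.0300</AppVersion></Properties>' % NS["ep"]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Office stamps every zip entry 1980-01-01, so the zip dates say nothing about when the file was made.
        for name, body in [("[Content_Types].xml", "<Types/>"), ("docProps/core.xml", core), ("docProps/app.xml", app)]:
            zf.writestr(zipfile.ZipInfo(name, (1980, 1, 1, 0, 0, 0)), body, zipfile.ZIP_DEFLATED)
    return buf.getvalue()
```

Point xlsx_metadata at the bytes of any real .xlsx to get the same fields; only the docProps values carry provenance, and as the post notes, all of them are trivially editable.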

The motivations of the threat actor who is posting a cleaned up, fraud-ready file for free that contains details of only Irish residents are unclear, but sure as hell they are not friendly.

After initially thinking he could be posting in order to gain notoriety and cybercrime “street cred”, I researched the user’s activities on the forum in question as well as on other forums. He is by far the most active user on that particular forum, based on the forum’s own credit count:

[Screenshot: osint forum ireland leak 2]

Note that I use “he” deliberately – threat actors should remember that data breaches are a double edged sword and their own leaked credentials from the past can be used against them in the same way they use them against their victims (minus the scam / financial fraud aspects).

It’s worth noting that the forum where this and other similar content is being posted is registered anonymously and operated from a hosting IP address in the Netherlands by a company based in Macao. However, even a cursory examination of the site reveals that the forum is operated by Russian speakers, based on the following facts:

[Screenshot: osint forum ireland leak 3]
  • The language choice is between US English and RU, with no other option available.
  • The crawl rules specify Yandex as the User-Agent.
  • Every “Like” is instead a “Лайк” ;))
  • The community rules state that posting data related to Russia is prohibited.

In the famous last words of the US President Bush on the topic: “the Cold War is over; Russia is a friend; Russia is not an enemy”…

If you have a legitimate interest in more details about this research, email me on info@osintme.com.
