Russian hacker forum Maza was hacked

[German]I already came across the information from Flashpoint a few days ago, according to which the Russian-language hacker forum Maza itself was hacked. It seems that credentials of users in other forums have been published.


Security vendor Flashpoint published the story in this article in early March. Maza has been in operation as a Russian-language hacker forum since 2003. The forum had highly restricted member access, which was by invitation only and charged a fee. On the forum, a number of well-known Russian-speaking cybercriminals and financial fraudsters shared information about their operations. Many of these actors began their respective cybercrime activities as early as the mid- to late-1990s. 

Forum hacked

Nun ist Now it has come to Flashpoint's attention that the forum has been hacked by an unknown attacker. Little is known at this time about the attackers who successfully compromised Maza. After the successful takeover of Maza, the unknown attackers posted a warning message to forum members that read, "Your data has been leaked" and "This forum has been hacked."

Flashpoint analysts note that the Russian phrases on the warning page were likely translated using an online translator. It is unclear whether this automatic translation indicates that a non-Russian-speaking actor is responsible, or whether this service was used as a red herring.

Big hack, details remain unclear

Flashpoint analysts managed to successfully obtain the supposedly leaked data. The compromised data does appear to be extensive. However, both the passwords and most other data fields in the dump are hashed or have been obfuscated. The Maza data included in the dump includes the following:

Passwort (gehasht und verschlüsselt)
Icq (wenn verfügbar)
Aim (wenn verfügbar)
Yahoo (wenn verfügbar)
Msn (wenn verfügbar)
Skype (wenn verfügbar)


This hack appears to be causing significant uncertainty in the Russian-speaking cybercriminal scene. Flashpoint is actively monitoring cybercriminals' discussions about Maza across the cybercrime forum ecosystem. Distressed cybercriminals consider options and exit strategies, and comment on recent disruptions of many elite services and communities.

Users of the Exploit forum, also in Russian, are now discussing not logging into forums via email, as the recent hacks may have increased exposure of their online activities. Others claim that the database leaked by the attackers is either old or incomplete. In any case, the recent increase in attacks on Russian cybercrime forums is particularly worrisome for cybercriminals.

Exploit forum members also notice an increase in attacks in recent months (attempted DDoS on Exploit, verified compromise, and now Maza). Some cybercriminals think the attackers may be forum insiders or law enforcement. Exploit users note if the attackers were law enforcement, this is a new tactic to disrupt cybercriminal activity and weaken trust in forums. One user warned other users to be careful with registered emails across multiple platforms.

News of the Maza attack follows a successful breach of the established Russian forum Verified on January 20, 2021. Less than a month later, on February 18, 2021, the new Verified admins announced permanent ownership and began de-anonymizing the previous operators, known as "INC," "VR_Support," and "TechAdmin." The new admins pointed out that the previous operators had recorded the IP addresses of every Verified user when they joined the forum. This resulted in a total collection of 3,801,697 IP addresses.

Maza was previously hacked on February 18, 2011, with the data of more than 2,000 users compromised by cybercriminals along with all forum correspondence. Shortly after this Maza hack in 2011, another attack was carried out on the Russian cybercrime forum DirectConnection, whose administrator was the famous "k0pa", Aleksei Burkov. It is interesting to note that the above-mentioned admin named INC was also a Maza moderator. It seems that the "golden times", when hackers were unchallenged among themselves, are over in this scene as well.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *