According to the research, a hacker-for-hire crew is targeting Belarusian presidential candidates, cryptocurrency exchange executives, human rights activists, and journalists.

An unprecedented glimpse into a hacker-for-hire operation reveals 3,500 targets, including a Belarusian presidential candidate, an Uzbek human rights activist, and a crypto exchange. Their main targets? The Gmail, Protonmail, and Telegram accounts of the people their paymasters want to spy on.

Digital investigations look very different from the traditional image of a detective camping out in a blacked-out van. Ask Feike Hacquebord, a cybersecurity researcher based in the Netherlands. He got lucky in October 2020 while tracking, from behind his computer screen, the activity of a hacking crew called RocketHack. Data collected by his employer, Trend Micro, turned up the web page RocketHack used to monitor its victims. No password was required to get in, which effectively gave him a view into the inner workings of a live hacker-for-hire operation.

This breakthrough led to the discovery that the Russian-speaking RocketHack crew has quietly broken into as many as 3,500 personal email and Telegram accounts, PCs and Android phones over the past four years. According to Hacquebord, the victims range from journalists, human rights activists and politicians to telecommunications engineers and IVF doctors across dozens of clinics.

His findings provide striking evidence that, alongside established (and controversial) businesses like Israel's NSO Group, which serves law enforcement agencies that hack devices, there is an underground industry of players like RocketHack that break into people's digital lives for the highest bidder, whether that is a government, a corporate espionage client, a stalker, or an abusive spouse.

RocketHack's business model is simple, according to Hacquebord's report, which was shared with Forbes prior to its release at the Black Hat Europe security conference on Wednesday: track down the most private and personal data of businesses and individuals and sell it to anyone willing to pay for it. In addition to access to people's email, the crew also sells call logs from cell towers, airline data, and banking information, Hacquebord told Forbes.

RocketHack's main hacking methods are emails containing links to fake Google Gmail login pages, and phishing for accounts on encrypted services such as Protonmail and Telegram. In a 2018 ad from the hackers, breaching a security-focused Protonmail account was the most expensive service at 50,000 rubles ($700 at today's exchange rates), while cracking a Gmail account was offered for 40,000 rubles. However, there is evidence that the crew has some deeper access to certain Russian email providers, since it offers to get into those accounts without needing to fool users with phishing emails.

One of RocketHack's underground forum ads, promising to break into Gmail, Protonmail, and other online accounts for just a few hundred dollars. (Image: Group-IB)

Its customer list remains unclear, but it is diverse and may include nation-state customers. The target list included two Belarusian presidential candidates and one member of the opposition, in a country where an oppressive government is trying to crack down on dissent. It also targeted the personal emails of the defense minister of an Eastern European country and the former heads of unspecified intelligence agencies. This year, government officials from Ukraine, Slovakia, Russia, Kazakhstan, Armenia, Norway, France and Italy were all targeted. As detailed by Singapore-based cybersecurity firm Group-IB, earlier advertisements in underground forums offered to have crew members check a person's credit history, and to show whether that person was wanted by law enforcement agencies internationally.

Hacquebord claimed that RocketHack had carried out a number of hacks against Uzbek human rights activists and journalists that were previously detailed by Amnesty International and the Canadian nonprofit eQualit.ie. These included the editor-in-chief of a media website in Uzbekistan. More than 25 journalists around the world were also targeted.

It came as a surprise to Hacquebord that as many as 70 IVF doctors were hacked. Russian tax officials were also on the hackers' hit list. RocketHack may not have targeted these individuals for any particular reason, the researchers say, but they hold so much personal data that it could be sold in the future. The crew seems to be looking for sources of information, perhaps to sell on.

For financially motivated attacks, the crew set up various phishing sites for cryptocurrency exchanges and cryptocurrency wallets. According to the research, one particular focus was the London-based cryptocurrency exchange Exmo. RocketHack went after not only customers but also Exmo executives. One of the company's managers was reportedly kidnapped in Kiev, Ukraine in 2017 and later thrown out of a vehicle on a highway by his captors. (Exmo did not respond to requests for comment at the time of publication.)

In addition to phishing, the group operates malware to spy on Android and Windows devices, the researchers added. Hacquebord found that the Android spyware has modules for snooping on WhatsApp, recording calls and tracking locations.

12 victims a day

The group is not slowing down. Every day, Hacquebord sees new RocketHack victims. Every day there are probably dozens of new targets, he says.

They speak Russian, but their origin is a mystery. Oleg Dyorov, head of the research unit at Singapore-based cybersecurity firm Group-IB, said that in 2017 the hacking crew offered its services over the encrypted messaging software Jabber and often focused on VK. Because that social network is popular in post-Soviet countries, this gives a basis to speculate that the attackers may have customers from the post-Soviet region, Dyorov added.

RocketHack is just one of many underground operators offering hacker-for-hire services. As researchers at cyber intelligence company Intel471 told Forbes, the account hijacking market is very lucrative, and, as RocketHack shows, it does not take much effort to do significant damage.

Cybercriminals work in a relatively competitive environment, Dyorov added.

Hacquebord has notified only a handful of the hacked RocketHack victims. However, after watching the group for over a year, he will now inform law enforcement agencies about RocketHack's activities. He doesn't know what effect that will have, he added, since many countries may consider their cyber mercenaries to be national assets, which makes it difficult to simply tell them to shut down.