KELA in the Press

  • 26.02.2021

    Identity Theft Attacks Channeled Millions in Jobless Claims to Inmates

    The Covid-19 period has seen a large number of scammers engaging in identity theft and unemployment fraud in an attempt to receive money that they aren’t eligible for. Fraudulent activities, such as identity theft, are commonly enabled through chatter and tools shared in underground forums. Today, 15 US states use ID.me to allow citizens to prove their identity online. KELA reveals that cybercriminals are actively sharing tutorials on how to create a seemingly valid profile that will ensure they get their claim approved in their state.

  • 18.02.2021

    Darknet Markets Compete to Replace Joker's Stash

    “With the heavy marketing and advertising that Brian’s Club has been investing in, it seems that the longtime attempts of marketing to credit card traders may be finally paying off now that Joker’s Stash is out of the picture,” says Victoria Kivilevich, a threat intelligence analyst with Kela. “Brian’s Club has been immodestly trying to steal the thunder by publishing an advertisement on the main page of [Russian-language forum] XSS, soon after the announcement by Joker’s Stash.”

  • 13.02.2021

    CD Projekt Red source code reportedly sells for millions in dark Web auction [Updated]

    Cyber intelligence firm KELA confirmed the authenticity of that auction, telling The Verge that forum users needed to put up 0.1 BTC (roughly $4,700 as of this writing) to participate in the bidding as a sign that offers were legitimate. The sellers also reportedly provided file listings for Gwent and the Red Engine that underlies CDPR’s games as proof that the data was authentic.

  • 11.02.2021

    Stolen CD Projekt Red Files Reportedly Now Sold After Dark Web Auction

    KELA (which previously provided The Verge with what it believes to be legitimate file lists from CD Projekt’s Red Engine) reports that an auction set up to sell the files has now been closed after a “satisfying offer” was made from outside of the forum it was being held on. That offer reportedly stipulates that the code will not be distributed or sold further. Cybersecurity account vx-underground also reported that it had heard the sale was completed.

  • 11.02.2021

    Hackers ask only $1,500 for access to breached company networks

    The number of offers for network access and their median prices on the public posts on hacker forums dropped in the final quarter of last year but the statistics fail to reflect the real size of the initial access market. Data from threat intelligence firm Kela indicates that many of the deals actually closed behind closed doors, a trend shaped over the past months.

  • 10.02.2021

    Cyberpunk and Witcher hackers claim they’ll auction off stolen source code for millions of dollars

    Following the recent ransomware attack on video game developer CD Projekt Red, KELA reveals that hackers are now auctioning off the source code they acquired, with a starting price of $1 million. These include source code files for both the Red Engine and CDPR game releases, including The Witcher 3: Wild Hunt, Thronebreaker: The Witcher Tales spinoff, and the recently released Cyberpunk 2077.

  • 05.02.2021

    How Ransomware Is Accelerating in the COVID-19 Era

    KELA’s Ayesha Prakash, VP of Global Channels and Alliances, has released her EOY blog about ransomware during the COVID era. In her blog post, Prakash explains why COVID-19 is a curse on the world, and a gift to cybercriminals. She later explains that what organizations need now is to make cybersecurity a forefront issue, to treat it as business-critical, and as a public health risk.

  • 06.02.2021

    Experts: Foxtons Breach Was Egregor Ransomware

    Recent announcements revealed a data breach at UK-based estate agency Foxtons. KELA threat intelligence analyst Victoria Kivilevich explains that Foxtons was actually a victim of a ransomware attack in October, and confirms that this breach does not seem to be a separate incident. Ransomware gangs have generally adopted a double extortion tactic, in which they demand two ransoms: one to avoid public exposure of the victim’s data and one for unlocking its systems. It’s likely that Foxtons has not yet negotiated or agreed to pay, and that is why part of the data has been leaked.

  • 02.02.2021

    Ransomware Gangs are Abusing VMWare ESXi Exploits to Encrypt Virtual Hard Disks

    Threat actors were also observed selling access to ESXi instances on underground cybercrime forums last year, according to threat intelligence firm KELA. Since ransomware gangs often work with initial access brokers for their initial entry points inside organizations, this might also explain why ESXi was linked to some ransomware attacks last year.

  • 02.02.2021

    Ransomware's Helper: Initial Access Brokers Flourish

    Kivilevich writes in a new report from Kela that over the last three months of 2020, she counted 242 initial network access offers for sale across three cybercrime forums with a total asking price of $1.2 million. During that time frame, Kivilevich says, the average price per access was $6,684, the median price was $1,500 and the highest single price listed was 7 bitcoins, which at the time could have been worth about $130,000. But 24% of offers didn’t list a price.

  • 01.02.2021

    Initial Access Remains a Booming Business on the Dark Web

    The prospering of the initial access market on the dark web continues unabated, and according to a report published by KELA yesterday, it has surpassed the size of $1.2 million in Q4 2020. The cyber-intelligence firm that uses specialized tools to monitor listings across numerous dark web sites has traced 242 new listings during that period, having an average price of $6,684 and a maximum of 7 BTC.

  • 27.01.2021

    ‘Chqbook.com’ Data Leak Exposes 2 Million Credit Score Reports

    ‘Chqbook.com,’ an India-based online banking service that offers credit card, loan, and insurance management services for small businesses and merchants, has suffered a data breach. Due to KELA’s caching capabilities, we were able to find the first evidence of the particular dataset appearing on the dark web for sale on December 25, 2020.

  • 22.01.2021

    The State of the Dark Web: Insights From the Underground

    KELA’s researchers explain how the dark web represents a wide variety of goods and services which are traded across many different underground forums and markets. KELA explains that tapping into these forums and markets can help security teams keep up with where adversaries may be headed next.

  • 22.01.2021

    Sensitive Data of Over 325,000 Indian Users Leaked in BuyUCoin Hack

    Researchers at KELA discovered a leaked database belonging to BuyUCoin, an India-based global cryptocurrency exchange and wallet. On the same forum where the database was leaked, KELA also identified leaked databases from Wongnai Media Co Ltd, Tuned Global Pvt Ltd, BuyUcoin, Wappalyzer, Teespring Inc and Bonobos.com, which looks like the handiwork of infamous hacking group ShinyHunters.

  • 21.01.2021

    KELA Joins Cyber Security Forum Initiative (CSFI) as a Gold Sponsor in a Mission to Support National Cyber Security

    KELA is thrilled to join the Cyber Security Forum Initiative (CSFI) as a gold sponsor in a mission to support national cyber security. We’re looking forward to working alongside CSFI to make the cyber environment a safer and more secure place by providing valuable darknet threat intelligence to government, military, private sector, and academia in the US.

  • 20.01.2021

    ShinyHunters publishes 1.9M stolen user credentials from photo editing site Pixlr

    ShinyHunters has recently been very active after going silent for some time. Over this past summer, ShinyHunters was seen publishing leaked data for free, exposing millions of personal records from all over the world; however, we have not observed ShinyHunters releasing data themselves since November. In the last few days the group has leaked databases for free – among them a Pixlr database, exposing 1.9 million user records.

  • 21.01.2021

    Threat Actor Claims to Leak 500K+ Records of C-level People from Capital Economics

    Irina Nesterovsky, KELA’s CRO said, “It was originally leaked in early January in an English-speaking forum exposing information of nearly 500K people. The second instance we saw it appearing was when an actor tried selling it in another forum claiming that he had a database “for Finance Company Including SQL” with 500K records. Later that day, the same actor leaked the database for free claiming it contained data of more than 500K C-Level executives. KELA confirmed that the same database was shared in all instances. It appears that the “500K C level” title was given to the post in order to boost the importance of the database – the entire size of the relevant user database is around 500K lines, not at all a majority of which are C-Level employees.”

  • 18.01.2021

    The ‘DarkSide’ Operators Respond to the Release of a Decryptor

    KELA reveals a Q&A published by DarkSide ransomware operators following the release of the ransomware decryption tool. Throughout the Q&A, Darkside operators stated the decryptor was used by 4 targets but 1 of them eventually paid. They also include details about how they will refund losses to affected affiliates and why it’s not happening again in the future. The free decryptor allows victims to recover their files without paying a ransom to DarkSide operators.

  • 16.01.2021

    Ransomware Disrupts Scottish Environment Protection Agency

    The Scottish Environment Protection Agency says a ransomware attack last month continues to cause serious outages and warns that ransom-demanding attackers also stole some data. KELA’s experts share that a portion of SEPA’s data (7% of what they claimed to obtain) has been released on a leak site dedicated to Conti’s ransomware victims, and therefore assess with medium confidence that this is indeed an attack by Conti.

  • 12.01.2021

    Cyber criminals are taking aim at online gaming for their next big pay day

    Cybersecurity company Kela examined underground forums and found an ecosystem based around buying and selling initial network access to gaming companies, as well as almost one million compromised accounts of gaming employees and clients up for sale – with half of those being listed in 2020 alone.

  • 06.01.2021

    Leading Game Publishers Hit Hard by Leaked-Credential Epidemic

    In a recent scan, they found 1 million compromised credentials associated with the larger gaming universe of “clients” and also employees – half of which were for sale online. More than 500,000 of the leaked credentials pertained to employees of leading game companies, according to the report published Monday.

  • 05.01.2021

    Top gaming companies hit by major data breach, one million employees affected

    Although Kela did not disclose the specific companies affected, it did reveal that it has been monitoring underground markets for more than two-and-a-half years now and that nearly every major gaming company was affected. The compromised credentials would give attackers access to a number of important internal resources, including admin panels and development-related projects.

  • 05.01.2021

    Stolen employee credentials put leading gaming firms at risk

    More than 500,000 login credentials linked to the employees of 25 leading game publishers have been found for sale on dark web bazaars, according to a report by threat intelligence company KELA. Threat actors have been increasingly targeting the gaming industry, including by harvesting and selling access credentials into the internal systems of top-tier game companies.

  • 04.01.2021

    One Million Compromised Accounts Found at Top Gaming Firms

    As Covid-19 has taken away 2020, people around the world have begun giving the online gaming industry a chance, hence growing revenues in this industry tremendously. After scouring dark web marketplaces, KELA discovered a thriving market in network access on both the supply and demand side. This included nearly one million compromised accounts related to employee- and customer-facing resources, half of which were listed for sale last year.

  • 22.12.2020

    Safe-Inet, Insorg VPN services shut down by law enforcement

    Safe-Inet services have been running for 11 years, advertised to cybercriminals needing multiple layers of anonymity and stable connections. BleepingComputer has seen ads for Safe-Inet services on several forums for black hat activities. The one below, posted as recently as December 4 and supplied by cybersecurity intelligence firm KELA, is from a carder forum hidden in the Tor network.

  • 23.12.2020

    There’s Evidence That Ransomware Groups Are Forming Extortion Cartels

    KELA reveals more evidence of ransomware groups forming cartels to intimidate victims even further. KELA recently observed MountLocker touting 5% of the data dump originally stolen by “Ragnar Locker” during a cyberattack against ‘Dassault Falcon.’ The ransomware operators claim that the listing is from one of their partners, and provide a reference link to Ragnar Locker’s extortion site, which exposed partial data of this victim earlier this month.

  • 18.12.2020

    FBI & Interpol disrupt Joker's Stash, the internet's largest carding marketplace

    Following the recent seizure of Joker’s Stash (the largest marketplace for trading stolen cards) by law enforcement, KELA reveals that the disruption was only temporary and that the market’s admins claimed the actual Joker’s Stash portal continues to work as normal, with only proxy servers having been seized.

  • 17.12.2020

    Digging the Recently Leaked Chinese Communist Party Database

    KELA obtained and analyzed a database containing details of 1.9 million Chinese Communist Party members in Shanghai, which has recently resurfaced in the darknet communities, and found that companies in which CCP members were found include Pfizer, AstraZeneca, Airbus, Boeing, HSBC, Rolls-Royce, Jaguar and more.

  • 12.12.2020

    Millions of ShopBack, RedDoorz user records put on sale in hacker forums; Peatix another victim of breach

    KELA, a cybersecurity firm headquartered in Israel, told BT that 5.7 million plaintext passwords were also made available for download from a website called Hashes.org, though the leak does not contain emails. “It will require some work for (threat actors) to correlate emails and hashed passwords from the original leak with dehashed passwords,” the firm said.

  • 30.11.2020

    Egregor’s Latest Press Release Is a Victim Intimidation Machine

    The ‘Egregor’ team has published a press release meant to intimidate victims and practically convince them to pay the demanded ransom. Spotted on the dark web by researchers of the KELA threat intelligence firm, the press release includes several key points specifically addressed to those who have not “secured a contract” with the actors.

  • 27.11.2020

    Networking equipment vendor Belden discloses data breach

    American networking equipment vendor Belden said it was hacked in a press release published earlier this week. According to data provided by threat intelligence firm KELA, credentials for Belden accounts have been available on the cybercrime underground since April this year, although it’s unclear if they have been used to orchestrate this breach.

  • 27.11.2020

    A hacker is selling access to the email accounts of hundreds of C-level executives

    Attackers can use corporate credentials to monetize in many different ways – from manipulating employees to wire money through CEO scams, to exploiting them in order to move laterally in the organizations to conduct a network intrusion.
    KELA’s technologies automatically monitor closed underground forums where threat actors are regularly trading corporate credentials and other sensitive data. Contact us to learn more about how KELA can help you detect if any of your sensitive data is circulating in the Dark Net.

  • 20.11.2020

    Pakistan International Airlines data breach underscores sharp rise in illicit sales of access credentials

    KELA’s researchers said that cybercriminals advertised domain admin access to PIA’s internal network for $4,000, while its customer database was listed for $500. Initial network access in such illicit deals refers to remote access to systems in a compromised organization, while those selling it are known as remote access brokers. Rather than hack their way into corporate networks, cybercriminals often purchase such initial network access to gain a foothold, allowing them to move laterally and expand their access rights.

  • 18.11.2020

    Chinese APT10 hackers use Zerologon exploits against Japanese orgs

    KELA reveals the latest threats targeting Japanese organizations, and concludes that threat actors, Advanced APT groups and nation-state actors are considering Japanese organizations as valuable targets and are actively attacking them via opportunistic and targeted attacks.

  • 17.11.2020

    Ransomware Operator Promotes Distributed Storage for Stolen Data

    “Such servers in Iran and [other] countries will be harder to discover, block, and cease due to a lack of cooperation from local authorities,” says Victoria Kivilevich, threat intelligence analyst at Israel-based security firm KELA, which first discovered the scheme.

  • 15.11.2020

    DarkSide Ransomware's New Data Leak Service In Iran Will Spread and Store Victims' Stolen Data

    According to Bleeping Computer’s latest report, on Nov. 12, the cybersecurity intelligence firm Kela revealed DarkSide operators’ new posted topic on a Russian-speaking hacker forum. Additionally, Bank Info Security reported that the cybersecurity firm Kela said that the hackers claim that their average ransom is between $1.6 million and $4 million.

  • 12.11.2020

    Darkside Ransomware Gang Launches Affiliate Program

    DarkSide ransomware launches its affiliate program. For the first time ever, KELA notices the operators offering initial access brokers the option to trade with them directly rather than through affiliates or middlemen. It seems that DarkSide is strengthening their efforts, and we can expect to see a surge of attacks by this gang over the coming months.

  • 10.11.2020

    Hacker Sells Access to Pakistani Airlines' Network

    KELA spotted a threat actor touting domain admin access to Pakistani International Airline for $4,000 on two Russian-speaking illegal online forums and one English-speaking forum that they had been monitoring. KELA’s team had been tracking ransomware trends, exploring how initial access brokers in the cybercrime community play a role in the supply chain of this popularly deployed malware.

  • 06.11.2020

    Data-Exfiltrating Ransomware Gangs Pedal False Promises

    In terms of unusual timing, another ransomware operation has also promised to turn out the lights. “We’ve seen Suncrypt affiliates stating on Exploit” – a cybercrime forum – “that the operators told them that the program is closing,” according to Israeli cyberthreat intelligence monitoring firm Kela. “It’s a bit interesting – and even suspicious – to see two major ransomware groups shutting down their operations around the same time.”

  • 04.11.2020

    23,600 Hacked Databases have Leaked from a Defunct 'Data Breach Index' Site

    More than 23,000 hacked databases have been leaked from the site archive of Cit0Day.in, a private service advertised on hacking forums to other cybercriminals. For the past several months, KELA’s technologies have been monitoring data from Cit0Day.in, prior to the site’s seizure in mid-September. As part of KELA’s leaked credential monitoring, KELA’s clients have already had visibility into this site, and have already been alerted on any of their data that may have been leaked in these compromised database feeds.

  • 22.10.2020

    As Dark Net Endangers Enterprises, MSSPs Need New Tools

    One cybersecurity intelligence firm, Kela, intends to help MSSPs do just that with its new platform, IntelAct. The technology, Kela says, allows MSSPs to track and intercept any mentions of their clients’ network infrastructure, vulnerabilities or exposures in the dark net. This turns the attackers’ edge against them, remediating issues before they become breaches, the vendor says. IntelAct is fully automated, scalable, and requires no installation or network access.

  • 22.10.2020

    KELA Launches New Technology for Attack Surface Intelligence

    KELA announces today the release of their latest proprietary technology – IntelAct, allowing 100% automated monitoring of an organization’s attack surface. KELA’s Dark Net experts launch a new technology enabling organizations to receive real-time, automated alerts of their exposure in the Dark Net.

  • 16.10.2020

    In September 2020, Sales of Access to Hacked Networks Became Three Times More Frequent

    KELA specialists write that they indexed 108 listings posted on popular hacker forums and calculated that the combined value of the accesses offered by hackers equals USD 505,000. Moreover, about a quarter of the lots were ultimately sold to attackers looking to target particular companies.

  • 14.10.2020

    'Network access' sold on hacker forums estimated at $500,000 in September 2020

    As ransomware attacks continue to rise, initial access brokers are repeatedly being seen as key players by selling network access to ransomware operators as an initial entry point into victims’ networks. In September alone, KELA detected over 108 accesses for sale at a total value of USD 500,000 – 3 times higher than the numbers gathered in the previous month.

  • 25.09.2020

    Why Encrypted Chat Apps Aren't Replacing Darknet Markets

    Some markets have moved to drop illegal drugs and begun adopting an “automarket” approach that focuses on self-fulfilled sales of malware, stolen databases, login credentials and other hacking and cybercrime tools and services, the Kela researchers say. Criminals’ thinking, they note, appears to be that by not selling drugs, and with malicious “cyber” tools existing in a legal gray zone in many jurisdictions, such markets will be less likely to get disrupted.

  • 23.09.2020

    Hackers Sell Access to Your Network Via Remote Management Apps

    In a report shared with BleepingComputer, cyber intelligence company KELA was able to determine that the offer was for Zoho’s ManageEngine Desktop Central, a management platform that lets administrators deploy patches and software automatically on network machines, as well as troubleshoot them through remote desktop sharing.

  • 22.09.2020

    CISA Warns of Notable Increase in LokiBot Malware

    Credentials stolen via LokiBot usually end up on underground marketplaces like Genesis, where KELA suspects LokiBot is the second most popular type of malware that supplies the store.

  • 18.09.2020

    Why Darknet Markets Persist

    Kivilevich and Raveed Laeb, Kela’s product manager, tell ISMG that it’s important to distinguish between the two types of darknet markets: drug marketplaces and cyber-focused marketplaces selling such things as malware, stolen databases and login credentials. “We also see sales of illicit and counterfeit goods – money, watches and stuff like that – but most of the time, that’s not the actual focus,” they say.

    More recently, the sale of cyber goods has been migrating to what the darknet community calls “autoshops,” meaning they sell goods and services in a highly automated manner. Kela refers to this as the “servitization” – meaning selling not just goods but also services and outcomes – of the underground ecosystem.

  • 16.09.2020

    LockBit Ransomware Launches Data Leak Site to Double-Extort Victims

    KELA has been closely tracking new monetization methods employed by ransomware operators. One common method has been ransomware gangs stealing the data before encrypting it in order to use it as leverage in ransom negotiations, and many times including that data in data leak sites. Riding on this trend, LockBit ransomware has just launched a new data leak site to be used as part of their double extortion strategy to scare victims into paying ransom.

  • 14.09.2020

    Hacked: 'Best Australian Financial Data' for Sale on the Dark Web

    Victoria Kivilevich, threat intelligence analyst at Israeli intelligence firm KELA – which discovered the breaches of Australian financial data – said there had been an increase in attacks in recent years, and also RaaS, or ransomware-as-a-service; hackers were also often working together. “The most popular ransomware strains are operated by cybercriminals looking for financial gain,” Ms Kivilevich said. “Chasing profits, ransomware actors are always inventing new methods of intimidating victims.”

  • 01.09.2020

    KELA Names Ayesha Prakash as Vice President of Global Channels and Alliances

    We’re excited to officially welcome Ayesha Prakash to our team as our new Vice President of Global Channels and Alliances. Ayesha joins KELA to build and evolve the company’s strategic alliances and expand KELA’s global engagement with channel and technology partners. We’re excited to have her on board and are looking forward to seeing what we will accomplish together!

  • 26.08.2020

    With Empire Gone, Patrons Eye Other Illegal Darkweb Markets

    Israeli cyber threat intelligence monitoring firm KELA has provided BleepingComputer with information on the matter, along with screenshots.

    The company analyzed forums that darknet surfers frequent, and has offered insights on their footsteps.

  • 25.08.2020

    More Ransomware Gangs Threaten Victims With Data Leaking

    KELA’s latest research analyzes the recent rise of ransomware attacks and how that rise has introduced new methods of monetization allowing ransomware gangs to monetize bigger and better. This research laid out the top 6 trends observed by ransomware groups in the underground ecosystem and shared how these new methods are likely to spread.

  • 12.08.2020

    Avaddon Ransomware Joins Data-Leaking Club

    Israeli cybersecurity intelligence firm Kela shared that the operators behind Avaddon announced their data-leaking site via a Russian-language cybercrime forum. So far, the ransomware gang has listed one victim – a construction firm – from which 3.5 MB of allegedly stolen documents have been leaked.

    “The attackers published a sample of the obtained data, including information related to the company’s activity in the U.K., Mexico, Philippines, Malaysia and Thailand,” Kela tells Information Security Media Group.

  • 11.08.2020

    Avaddon Ransomware Operators Have Launched Their Data Leak Site

    Cybersecurity intelligence firm Kela was the first to report that the Avaddon ransomware operators have announced on a Russian-speaking hacker forum their new data leak site.

  • 10.08.2020

    Avaddon Ransomware Launches Data Leak Site to Extort Victims

    KELA shared with BleepingComputer that the Avaddon ransomware operators have announced on a Russian-speaking hacker forum this weekend that they have launched a new data leak site. KELA has shared that until now, only one victim has been listed – a US-based construction company.

  • 05.08.2020

    Hacker Leaks Passwords for 900+ Enterprise VPN Servers

    KELA’s #DARKBEAST has helped ZDNet obtain a copy of a recently leaked list of plaintext usernames and passwords for 900+ Pulse Secure VPN enterprise servers. If compromised, these Pulse Secure VPN servers can provide hackers easy access to a company’s entire internal network.

  • 27.07.2020

    Email is Still a Hacker's Wonderland, They Could Take or Leave Slack

    Cybersecurity researchers from KELA found about 17,000 Slack credentials for sale across 12,000 Slack workspaces in cybercrime online markets. While “many access types — webshells on online stores, RDP servers or corporate email inbox access — are a highly sought-after resource driving thriving markets,” no one is really buying Slack credentials, according to KELA.

  • 23.07.2020

    Slack Accounts Don’t Interest Cybercriminals

    Using its threat intelligence platform, KELA searched for Slack credentials on cybercrime markets to try to see whether this threat vector was popular among cybercriminals. The company says it found more than 17,000 Slack credentials recently put up for sale online on hacking forums and on credential marketplaces such as Genesis.

  • 23.07.2020

    The “Bitcoin Twitter Hack” May Have Started With a Slack Compromise

    KELA has found that there were at least 17,000 Slack credentials sold in the ‘Genesis Store’ alone, priced between $0.5 and $300, depending on how valuable they were. While a connection with the recent Twitter hack isn’t based on concrete evidence, there are indications pointing to this scenario.

  • 23.07.2020

    Slack Credentials Abundant on Cybercrime Markets, But Little Interest from Hackers

    Following reports that last week’s Twitter hacks may have been due to credentials stolen from an internal Slack channel, KELA decided to dive deeper into this topic, and found that currently more than 17,000 Slack credentials for roughly 12,000 Slack workspaces are being sold on underground cybercrime markets.

  • 14.07.2020

    MGM Hotel’s 2019 Data Leak Might Have Affected 142M People, Not 10.6M

    Threat research firm KELA notified the publication about posts on Russian security forums that advertised an MGM data breach affecting more than 200 million customers.

    In the past few years, hackers have attacked several hotels to steal customer data. In March, Marriott Hotels was breached impacting more than 5.2 million people.

  • 14.07.2020

    Millions of Logins from UK Ticket Site for Sale on Dark Web

    KELA discovered a database of 4.8 million records posted for sale, belonging to a leading provider of ticket services for live shows in the UK. KELA’s intelligence team told Infosecurity Magazine that they acquired a sample of 10,000 records in order to analyze this data. Following analysis, KELA deduced that the leak affects users in the UK, US, New Zealand, Australia, South Africa, Germany, France and a few others, some of which belong to governmental domains.

  • 14.07.2020

    British e-Ticketing Service Breach Resulted in 4.8 Million Records Now for Sale

    Intelligence analysts at KELA discovered a database of 4.8 million records, containing emails and passwords, belonging to a leading provider of ticket services for live shows in the UK. The database was posted on July 8, 2020 on an underground forum by a newly registered threat actor, called “JamesCarter”, for $2500. KELA managed to acquire a sample of the database containing about 10,000 email addresses, and found that only about 300 email addresses were duplicates, deducing that the full leak likely consists mostly of unique combinations.

  • 14.07.2020

    A Hacker is Selling Details of 142 Million MGM Hotel Guests on the Dark Web

    In an exclusive today on ZDNet, KELA shares that the breached MGM database, originally reported to have 10.6 million records actually contains nearly 200 million. The hotel’s database resurfaced in the dark web this past weekend. This wasn’t the only time it resurfaced though. KELA’s intelligence team told ZDNet back in February that the MGM data had been circulating and was being sold in private hacking circles since at least July 2019.

  • 04.07.2020

    Hacked: Thousands of MyGov Accounts for Sale on the Dark Web

    The compromised accounts were detected by Israeli intelligence firm KELA, which specialises in dark web threat intelligence and offers its clients a real-time dark web search engine called Darkbeast.

    KELA threat intelligence team leader Elad Ezrahi said the MyGov accounts were extracted from more than 2000 compromised computers, or “bots”. Botnets are networks of compromised machines controlled by a single actor.

  • 03.07.2020

    The Details of 384,319 BMW Owners Are for Sale on the Dark Web

    KELA researchers have shared one of their most interesting recent findings with TechNadu, and it looks like it concerns BMW and 384,319 of its customers in the UK. Apparently, the prolific hacking group that is known as “KelvinSecurityTeam” has posted a database they acquired when they hacked ‘bmw.com.’ This is the same group of actors that recently sold databases from 16 companies, including the business consulting firm “Frost & Sullivan.”

  • 03.07.2020

    500,000 BMW, Mercedes and Hyundai Owners Hit by Massive Data Breach

    The personal information of almost 400,000 UK-based BMW customers is being sold to the highest bidder on an online black market, according to Tel Aviv-based darknet intelligence experts KELA.

    Hackers at a group called KelvinSecurity Team have gained access to a BMW customer database and listed it for sale on an underground forum used by cybercriminals.

  • 02.07.2020

    BMW Customer Database for Sale on Dark Web

    KELA found a database of UK car owners offered for sale on an underground forum, which was initially described as BMW customers’ database affecting 384,319 customers. The data was posted by the KelvinSecurityTeam. KELA obtained the database and found that it contains almost 500,000 customers’ records from 2016-2018. The exposed data includes initials and surnames, emails, addresses, vehicle numbers, dealer names, and more; it affects owners of different cars in the UK.

  • 02.07.2020

    Roblox Accounts Hacked with Pro-Trump Messages

    Hackers have breached more than 1,800 Roblox accounts and defaced user profiles with messages in support of Donald Trump’s reelection campaign. With the help of threat intelligence firm KELA, ZDNet was able to identify multiple web pages containing large lists of Roblox usernames and cleartext passwords.

  • 29.06.2020

    KELA Launches Sensitive Hostname Detection

    KELA is proud to announce the launch of Sensitive Hostname Detection. As part of this addition, KELA’s RADARK now automatically alerts users on sensitive webpages that may be exposed to the public internet.

    Get in touch with us today to learn more about how KELA detects vulnerabilities in your organization’s Internet-facing infrastructure.

  • 17.06.2020

    Oz Sites Being Sold On The Dark Web

    Elad Ezrahi, Threat Intelligence Team Leader at the Israeli intelligence company KELA, told the Australian Financial Review: “If the web shell enables the actor to abuse the mail server of the compromised website, the actor could use it to send spam and phishing emails… if the compromised site is of a governmental entity, for example, the consequences can be notably severe.”

  • 16.06.2020

    Hacked: Aussie Websites for Sale on Dark Web

    Elad Ezrahi, Threat Intelligence Team Leader at Israeli Intelligence company KELA, said web shells could be used for nefarious purposes. Remote access markets served as a gateway for obtaining data, he said.

  • 03.06.2020

    KELA Acknowledged in Gartner's Market Guide for Security Threat Intelligence Products and Services 2020

    Nir Barak, CEO and Founder of KELA shares, “Since KELA’s establishment we have been investing significant efforts to make sure that our technologies and services are perfectly applicable to what is required by security and intelligence teams. In our opinion, being acknowledged as a vendor of dark and deep web monitoring by our wide and global customer base, and now also by Gartner, definitely makes it seem like our team’s arduous work is making an impact, and gives us validation that we are growing on the right path.”

  • 03.06.2020

    Ransomware Gangs Team Up to Form Extortion Cartel

    KELA shares intelligence from their daily ransomware monitoring with specialists from Bleeping Computer. “BleepingComputer was told by cyber intelligence firm KELA that the Maze operators added the information and files for an international architectural firm to their data leak site.”

  • 27.05.2020

    26 Million LiveJournal Credentials Leaked Online, Sold on the Dark Web

    With the help of threat intelligence firm KELA, ZDNet has confirmed the existence of the LiveJournal stolen database and has tracked down copies and mentions of user data in multiple locations across the hacking underground.

  • 21.05.2020

    KELA Extends Intelligence Monitoring Capabilities with Access to Instant Messaging Groups & Real-Time Image Searching

    KELA announced today the capability of automatically searching through images and chatter in instant messaging groups, through DARKBEAST, their proprietary Dark Net threat hunting platform. The expansion of KELA’s data lake to include instant message groups, such as closed Telegram groups and Discord channels, is meant to provide partners and clients with added intelligence from different high-quality and curated sources.

  • 21.05.2020

    Hacker Selling 40 Million User Records from Popular Wishbone App

    Since Have I Been Pwned allows users to hide their email from public searches, we also verified these emails against a private platform managed by threat intelligence KELA, which has also been indexing and tracking data leaked in older breaches.

  • 16.05.2020

    Cybercrime Marketplace MagBo Selling Access to 43,000 Hacked Websites

    According to the latest report from threat intelligence firm KELA, MagBo is offering access to over 43,000 hacked servers and some of these belong to state and local governments, ministries, financial institutions, and health care facilities.

  • 15.05.2020

    Hackers Preparing to Launch Ransomware Attacks against Hospitals Arrested in Romania

    According to threat intelligence provided by cyber-security firm KELA, the PentaGuard group has been around since 2000, when they were involved in mass-defacements of several government and military websites, including the website of Microsoft Romania.

  • 15.05.2020

    Cybercrime Store Is Selling Access to More Than 43,000 Hacked Servers

    A report from threat intelligence firm KELA shows the recent evolution of MagBo. The research was carried out jointly by KELA and the ZDNet website.

  • 16.05.2020

    The “MagBo” Portal Offers Access to Thousands of Hacked Servers

    KELA researchers report that the daily server additions to the market are between 200 and 400, and the number of daily transactions is approximately 200. There are 190 unique sellers who have something to offer on MagBo, while the cost to access each server depends on its type.

  • 15.05.2020

    Access to Thousands Hacked Servers Being Sold Online

    The infamous MagBo platform is known to have offered almost 150,000 different compromised websites, with over 200 transactions a day and over 200 to 400 new additions on the platform each day. According to data from KELA, “190 different threat actors currently have active listings on the market.”

  • 15.05.2020

    Cybercriminals Sell Access to More Than 43,000 Hacked Servers

    Cybercriminals are selling access credentials for more than 43,000 hacked servers through an online marketplace called MagBo. This is according to an analysis by threat intelligence firm Kela, which finds that MagBo is considered one of the largest marketplaces for compromised servers.

  • 16.05.2020

    43,000 Hacked Servers up for Sale on Cybercrime Marketplace

    More than 43,000 hacked servers are currently for sale on online cybercrime marketplace MagBo, according to new research from threat intelligence firm KELA and ZDNet.

  • 15.05.2020

    KELA Sees MagBo Remote Access Market Booming During Pandemic

    Threat intelligence company KELA has reported a boom in Remote Access Markets during the pandemic. Remote Access Markets sit on the Darknet and provide attackers with details on compromised websites and services. It means that attackers don’t have to waste time trying to steal credentials to gain access to those websites.

  • 14.05.2020

    KELA Expands Their Intelligence Data Lake with Real-Time Monitoring of Remote Access Markets

    As servitization of the underground world continues to thrive, KELA Targeted Cyber Intelligence, a global Dark Net threat intelligence provider, announces today the addition of a new information source type to their technologies – Remote Access Markets.

  • 14.05.2020

    A Cybercrime Store is Selling Access to More than 43,000 Hacked Servers

    Over the years, the site has boomed, to put it lightly. Since it launched in 2018, KELA says the site has sold access to more than 150,000 sites, with 43,000 still being up for sale as of this week. KELA product manager Raveed Laeb says they’ve tracked 190 different threat actors selling hacked servers on the site.

  • 13.05.2020

    KELA Announces the Addition of Featured Queries to Their DARKBEAST Platform

    KELA Targeted Cyber Intelligence, a global Dark Net threat intelligence provider, announces today the addition of Featured Queries to DARKBEAST – their proprietary Dark Net search engine and investigation platform — helping their users stay informed on the most relevant underground threats.

  • 09.05.2020

    Cyber Security Today – Canada hit by COVID cheque fraud; Webex, Teams under attack, more COVID email scams and three big data breaches

    According to an Israeli security company called KELA, criminals soon began selling editable digital copies of cheques on the dark web. A criminal can either purchase a digital file and fill in their own name or have a criminal service do the editing for them.

  • 05.05.2020

    Behind the Scenes of Dark Net Market Closures and Their Consequences

    Like every free market, the Dark Net economy sees its many rises and falls. Sites come and go, just like brick and mortar stores open and close. Yet in recent months, we’ve seen a large number of sizeable illicit Dark Net sites closing, and smaller niche ones taking their place.

  • 07.04.2020

    Threat Actor Selling Access to a Canadian University’s Domain

    A Canadian university’s network may be at risk from a cyber attack, according to KELA, an Israeli threat intelligence firm.

    Irina Nesterovsky said this threat actor seems to specialize in brute-forcing RDP (remote desktop) servers, running an affiliate program with other threat actors for this purpose.

  • 30.03.2020

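    Another “Virus” Threatening the Tokyo Olympics and Banks

    Nir Barak, CEO of security company KELA, warns of the rise in cybercrime. According to KELA, underground markets on the darknet are organized in tiers. Much like Facebook’s “Like” button, participants who build a track record of wrongdoing, such as selling account information, earn points and can advance to higher-ranked spaces.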

  • 10.03.2020

    Malware Unfazed by Google Chrome's New Password, Cookie Encryption

    Genesis, one underground shop for browser data, kept using the original version of the malware and suffered grave losses when Chrome 80 came along, as uncovered by KELA researchers towards the end of February.

  • 07.03.2020

    Telus-Owned Koodo Mobile Announces Data Breach, Stolen Info for Sale

    Raveed Laeb of cybersecurity intelligence firm KELA has told BleepingComputer that Koodo accounts are being sold on various dark web websites.

    “A different market – one that specializes in automated selling of access to compromised accounts – currently offers over 21,000 Koodo accounts,” Laeb told BleepingComputer.

  • 26.02.2020

    A Small Change To Google Chrome Hits Cybercrime Marketplace Hard

    Raveed Laeb is a product manager for KELA, a threat intelligence firm that uses sophisticated, automated tools to keep tabs on the countless gigabytes of stolen data being traded on Darknet forums and marketplaces. He’s been investigating Genesis for quite some time and recently released an in-depth report on his findings so far.

  • 29.02.2020

    Chrome 80 Release Disrupted the AZORult Malware and the Genesis Marketplace

    Specialists at KELA noticed that the Genesis marketplace, which trades not just in users’ personal data but in ready-made virtual identities, has run into serious problems.

  • 26.02.2020

    Chrome 80 Update Cripples Top Cybercrime Marketplace

    According to new research shared with ZDNet this week by threat intelligence firm KELA, the Genesis Store is currently going through a rough patch, seeing a 35% drop in the number of hacked credentials sold on the site.

    KELA says Genesis administrators are currently scrambling to fix their inventory deficit and feed the store with new credentials before customers notice a drop in new and fresh listings.

  • 24.02.2020

    KELA Wins InfoSec Award at RSA Conference 2020

    “We are very pleased to receive this prominent cybersecurity award, and it’s an honor to be selected from a wide selection of top-notch companies that were in the running for this prize. Our hard work has paid off in being recognized as global leaders in threat intelligence,” said KELA COO Eran Shtauber.

  • 21.02.2020

    Exclusive: Details of 10.6 Million MGM Hotel Guests Posted on a Hacking Forum

    According to Irina Nesterovsky, Head of Research at threat intel firm KELA, the data of MGM Resorts hotel guests had been shared in some closed-circle hacking forums since at least July, last year. The hacker who released this information is believed to have an association, or be a member of GnosticPlayers, a hacking group that has dumped more than one billion user records throughout 2019.

  • 22.02.2020

    MGM Customer Data Has Been on Dark Web for Six Months

    Irina Nesterovsky, head of research at cyber intelligence firm KELA, claimed that the most recent upload of breached data on nearly 10.7 million hotel customers was simply a repackaged bundle — as often happens on the dark web.

  • 20.02.2020

    Tokyo 2020: The Dark Web is Hacker Gold

    What treasures can hackers find on the dark web, how have these been used in the past, and what might threat actors be planning for Tokyo this summer? Here are the top four threats that KELA’s research team has been monitoring recently on the dark web.

  • 03.02.2020

    Outing Cyber-Criminals Puts a Face on Cyber-Crime

    Online threat actors are just plain criminals – like 36-year-old Aleksandr Alekseyevich Korostin from Sigayevo, Sarapul District, Udmurtiya Republic, Russia – hiding behind anonymity as SaNX. – OPINION by KELA Cyber Intelligence Center

  • 04.02.2020

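    The Underground Cybercrime Ecosystem: Using Intelligence to Reduce the Corporate Attack Surface

    The “darknet” is also used as a platform for cybercrime. Yet what goes on there is by no means completely hidden in the dark. KELA’s Carmiel explained what is actually happening inside the darknet and how organizations can protect themselves from cybercrime.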

  • 31.01.2020

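    “Retaliation Against the US Will Be Cyber”: Is Iran Preparing to Target Banks? Former Senior Israeli Military Official Warns

    Nir Barak, a former senior official in the research and development division of the Israeli military’s cyber intelligence unit (known as Unit 8200), gave an interview to the Mainichi Shimbun. Barak said that since the 3rd of this month, when Commander Soleimani of the Iranian Revolutionary Guard’s Quds Force was killed by the US military, “leading Iran-linked hacker groups have become more active. They appear to be preparing attacks on major US financial institutions and securities markets.” He said there is a possibility of new retaliatory attacks over the commander’s killing. [Tomoko Ohji]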

  • 24.01.2020

    Cyber Gangsters Publish Staff Passwords Following ‘Sodinokibi’ Attack on Car Parts Group Gedia

    The threat marks a disturbing change in tactics by the crime groups behind the Sodinokibi ransomware, said Irina Nesterovsky, head of research for Israeli security company and specialist in darknet threat intelligence, KELA, which monitors hacking groups.

  • 23.01.2020

    Travelex Hackers Shut Down German Car Parts Company Gedia in Massive ‘Cyber Attack’

    Maya Steiner, threat intelligence team leader at Kela, said: “This is a continuation of the recent ‘attack and brag’ streak of the group. This is the second time they have released ‘proof’ documents, and the first where they announce that they are starting to release full data from a company that has failed to pay.”

  • 14.01.2020

    Will This Be the Year of the Branded Cybercriminal?

    All businesses evolve and adapt to their environments. Businesses in the Dark Web are no exception. In the burgeoning and nearly unpoliceable business climate that is the Dark Web, it’s only natural that businesses should become more “professional” — both in their revenue models and in their practices. We saw this happen in 2019 and expect even greater movement in this direction in 2020.

  • 13.01.2020

    Travelex Begins to Restore Foreign Exchange Services Two Weeks After ‘Sodinokibi’ Attack

    Irina Nesterovsky, head of research for Israeli security company and specialist in darknet threat intelligence, Kela, which identified the post, said it marked a significant change of tactic for the crime group, which first appeared in April 2019.

    “This is the first time that the group behind Sodinokibi published alleged proof of their attack,” she said. “While not mentioning explicitly Travelex – this is definitely a nod towards them and any other company that would be attacked by the operators of the ransomware, and refuses to pay.”

  • 09.01.2020

    Travelex Hackers Threaten to Sell Credit Card Data on Web

    Irina Nesterovsky, head of research for Israeli security company and specialist in darknet threat intelligence, Kela, which discovered the post, said evidence from underground forums strongly linked UNKN to Sodinokibi.

    “There is a discrepancy between what Travelex is saying and what these guys claim. You can’t always rely on the predator of the criminal, but there is a high probability they are correct,” she said.

  • 03.12.2019

    Cybersecurity Predictions For 2020

    “Cybercriminals will continue to heavily invest in their businesses as new monetization channels emerge. During the past 3 years, the underground economy has experienced a shift in how cybercriminals are monetizing their end products, from concentrating efforts on manual transactions and listings in markets, to focusing on sales of credentials, network access and sophisticated fraud methods…”

  • 20.11.2019

    Disney Responds to Disney Plus Hacked Accounts: ‘No Evidence of a Security Breach’

    Currently, there are nearly 80,000 compromised Netflix accounts for sale from one single market, on offer for an average one-time payment of $6 per account, according to KELA, an Israeli threat-intelligence provider.

  • 07.11.2019

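    Bitcoin Has Now Become the “Key Currency” of the Underworld

    “The currency for transactions carried out unnoticed on the darknet used to be the US dollar, but now it is cryptocurrencies (crypto assets) such as Bitcoin,” began Doron Levit (44), CEO of the Japan business. Unlike cash or deposits, cryptocurrencies can be handed over entirely within the darknet, which makes it difficult for investigators to trace everything, he said.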

  • 12.05.2019

    Japan's Quest For Smart Automation Brings It To Israel

    Executives from Israeli cyber intelligence firm, KELA Group, which monitors hacking threats in the dark recesses of the Dark Net, recently met with a large Japanese carmaker with news that it was wide open to a particularly vicious hacking attack called WannaCry.

  • 11.04.2019

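    “They Don’t Understand Cyber Threats”: High Expectations for Japanese Companies Full of Weaknesses

    I recently had the chance to speak with the Japan representative of KELA, an Israeli threat intelligence company that also provides information to Japanese authorities and major private companies. I asked about the reality of threat intelligence and how they view Japan.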

  • 27.02.2019

    KELA Targeted Cyber Intelligence Announces New Products

    KELA Targeted Cyber Intelligence announces a new version of its cyber threat intelligence platform, RADARK, and launches the all-new DARKBEAST search engine.

  • 17.05.2018

    Vector Hands $50M To Israeli Cyber-security Firm KELA

    The KELA Group, an Israeli provider of advanced cyber intelligence software and solutions, has landed $50m in fresh funding.

  • 16.05.2018

    KELA Group Receives $50M Investment from Vector Capital

    The KELA Group (KELA), a rapidly growing, Israel-based provider of advanced cyber intelligence software and solutions, today announced a $50M equity investment from San Francisco-based Vector Capital.

  • 03.06.2017

    Japan Taking Cues From Israel on Cyber Security

    With the internet playing an ever-growing role in society, it is impossible for humans to protect networks and devices alone. The Kela Group has developed a system to automatically detect signs of an attack.

  • 20.06.2017

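    Fake Sites for 7 Banks, Including Regional Banks, Appear; Discovered by KELA

    Israeli information security company KELA Group discovered fake websites for seven banks, including Japanese regional banks and internet banks, and reported them to the National Police Agency.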

  • 11.04.2018

    Your Data Is at Risk!

    An era in which anyone can become a hacker. We asked KELA Group, a global security company from Israel, about the realities of hacking.

  • 07.04.2018

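    An Easy Target Ahead of the Olympics

    KELA, one of the world’s leading cyberspace intelligence companies, built around former members of the Israeli military’s intelligence unit, will establish a Japanese subsidiary as early as this fall.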

  • 08.02.2017

    Software Helps Banks Hold on to Their Money

    Time was when you wanted to pull off a big bank heist, you drove slowly up in the dark, jimmied the door lock and then blew open the safe. Such online thievery doesn’t surprise the sales director for KELA Targeted Cyber Intelligence, a Tel Aviv-based software producer that scans the Darknet for hackers trying to attack a company’s database. By alerting a company to such a possibility, KELA’s software helps keep such hackers at bay.