KELA in the Press

  • 15.09.2021

    The five biggest ransomware attacks of the year so far

    Although the initial attack vector has not been officially confirmed, it is thought to have used a malicious browser update delivered via a legitimate website, according to David Carmiel, CEO at KELA, a provider of cyber threat intelligence.
    Although it is not known how elevated privileges on the system were obtained, Carmiel says that this “often happens through the use of known vulnerabilities and further social engineering”.
    He advises CIOs to implement security policies to ensure that all staff and other key stakeholders do not download updates without verifying their authenticity.

  • 07.09.2021

    What Is The Ideal Ransomware Victim?

    According to a new report, the ideal ransomware victim is in a lucrative commercial market in a wealthy country that uses remote desktop protocol or a VPN.

    Cybersecurity firm KELA’s report cited activity from July 2021 that indicated ransomware attackers prefer organizations in specific geographies and markets, and prefer very specific products for initial network access.

    Specifically, organizations in the U.S. with revenue of more than $100 million are the most sought-after targets, according to KELA’s report.

  • 14.09.2021

    A look at the ransomware industry.

    Researchers at KELA have issued a report describing what ransomware operators are looking for in a potential victim:

    “In July 2021, KELA found 48 active threads where actors claimed they are looking to buy different kinds of accesses. 46% of them were created in that month, illustrating the demand for access listings.
    “40% of the actors who were looking to buy accesses were identified as active participants in the ransomware-as-a-service (RaaS) supply chain – operators, or affiliates, or middlemen.

  • 06.09.2021

    Ransomware gangs target companies using these criteria

    After examining ransomware gangs’ “want ads,” cybersecurity intelligence company KELA has compiled a list of criteria that the larger enterprise-targeting operations look for in a company for their attacks.

    KELA analyzed 48 forum posts created in July where threat actors are looking to purchase access to a network. The researchers state that 40% of these ads are created by people working with ransomware gangs.

    These want ads list the company requirements that ransomware actors are looking for, such as the country a company is located, what industry they are in, and how much they are looking to spend.

  • 06.09.2021

    This is the perfect ransomware victim, according to cybercriminals

    On Monday, KELA published a report on listings made by ransomware operators in the underground, including access requests — the way to gain an initial foothold into a target system — revealing that many want to buy a way into US companies with a minimum revenue of over $100 million.

  • 07.09.2021

    Large US businesses are hackers' ideal ransomware targets

    If you run a large, US-based non-health-care or -education company with revenue exceeding $100 million, then you will likely find yourself a victim of a ransomware attack. These organizations are the most likely ransomware victims, according to a new report by cyber security firm Kela.

    Kela searched dark web forums for hackers wanting to buy access to organizations. It found 48 active threads where hackers claimed they wanted to buy different kinds of accesses. Of those hackers, 40% were involved in ransomware in some way or another.

    Victoria Kivilevich, a threat intelligence analyst at Kela, said ransomware attackers appear to form “industry standards” defining an ideal victim based on its revenue and geography and excluding specific sectors and countries from the targets list.

  • 08.09.2021

    Researchers pinpoint ransomware gangs’ ideal enterprise victims

    Researchers with threat intelligence company KELA have recently analyzed 48 active threads on underground (dark web) marketplaces made by threat actors looking to buy access to organizations’ systems, assets and networks, and have found that at least 40% of the postings were by active participants in the ransomware-as-a-service (RaaS) supply chain (operators, or affiliates, or middlemen). The analyzed threads have provided interesting insights into how these threat actors choose their next victims.

  • 06.09.2021

    What Are Ransomware Operators Looking For?

    Analyzing how ransomware operators choose their targets makes it possible to better understand the types of companies these threat actors have on their list. In this regard, Victoria Kivilevich, Threat Intelligence Analyst at KELA, has released a profile of an ideal ransomware victim based on valuable criteria for cyber attackers buying access.

  • 13.09.2021

    Bad News: Innovative REvil Ransomware Operation Is Back

    Of course, REvil is just one of many players. Indeed, Israeli threat intelligence firm Kela says that numerous ransomware operators continue to list new victims on their data leak sites. In just the past week, Kela says, it’s seen new victims listed by these 11 groups: BlackMatter, Clop, Conti, Cuba, Grief, Groove, LockBit, Marketo, Ragnar Locker, REvil and Vice Society.

  • 06.09.2021

    Criminals' Wish List: Who's Their Ideal Ransomware Victim?

    The most sought-after type of victim for ransomware-wielding attackers is a large, U.S.-based business with at least $100 million in revenue, not operating in the healthcare or education sector, for which remote access is available via remote desktop protocol or VPN credentials.

    So says Israeli threat intelligence firm Kela in a new report, rounding up dozens of active discussion threads it tracked on cybercrime forums during July that were devoted to buying initial access to networks. About half of the threads it found had been created the same month, suggesting that the market for supplying such access continues to thrive, it says.

  • 25.08.2021

    9 Takeaways: LockBit 2.0 Ransomware Rep 'Tells All'

    Want to take information security defense advice from a ransomware-wielding attacker?
    Here goes: “Employ a full-time red team, regularly update all software, perform preventive talks with a company’s employees to thwart social engineering and … use the best ransomware-fighting antivirus.”
    So says “LockBitSupp,” a representative of the LockBit 2.0 ransomware group, in a Russian-language interview with the Russian OSINT YouTube channel posted Monday, and translated into English by Israeli threat intelligence firm Kela. The BlackBerry Research & Intelligence Team says that whoever is behind the LockBitSupp handle claims to be based in China and is active on the Russian-language XSS cybercrime forum.

  • 19.08.2021

    5 Steps to Prepare an Effective Threat Intelligence Plan

    Organizations have a constant need to defend against and defeat these bad actors, but are challenged by not knowing where to look, what they should be looking at or having enough staff resources with the skills to figure it out. Even if they had those capabilities, most organizations do and should have policies that prohibit employees from searching the dark web. In some sectors, it’s even legally prohibited. The result is a lack of insight into the true threats an organization may be facing. They don’t know what’s coming until it’s too late.

  • 10.08.2021

    10 Initial Access Broker Trends: Cybercrime Service Evolves

    The rise of ransomware as a moneymaking powerhouse for online attackers parallels the services being offered by initial access brokers. Such brokers sell access as a service to others, saving them the time, effort and expense of gaining a toehold in an organization’s network.
    Initial access brokers gain first access to victims’ networks in a variety of ways – often via weak remote desktop protocol or remote management software to which they’ve gained brute force access. Sometimes, attackers exploit an unpatched vulnerability in a system. Whatever the approach, once they have access, brokers can resell it to others, sometimes more than once.

  • 14.08.2021

    Is Your Password Worth $500,000 To Ransomware Gangs?

    Research from another intelligence provider, KELA, found one example of ‘admin access’ to a $500 million revenue company network being offered for 12 BTC, or more than $500,000 at current rates.

  • 02.08.2021


    In the last year, initial access brokers, who sell ways to gain remote access to compromised devices to cybercriminals, including ransomware gangs, have posted more than 1,000 access listings for sale averaging at $5,400 for each, according to research released today by security firm KELA. Researchers confirmed that at least 262 were sold, and 28 percent of the victim entities are based in the United States, the largest share of all affected countries.

  • 02.08.2021

    Ransomware operators love them: Key trends in the Initial Access Broker space

    In a threat actor’s mind, take out the legwork, reap the proceeds of blackmail.

    Initial Access Brokers (IABs) are individuals or groups who have managed to quietly obtain access to a corporate network or system through means including, but not limited to, stolen credentials, brute-force attacks, or by exploiting vulnerabilities.

    In recent years, ransomware-as-a-service (RaaS) groups have taken an interest in these brokers, as by employing them directly or paying them a fee in return for access to a target system, they are able to avoid the first step of intrusion: the time-consuming process required to find a vulnerable endpoint.

  • 02.08.2021

    ‘Initial access brokers’ lead ransomware efforts by selling access to compromised networks

    A new report into so-called “initial access brokers” from threat intelligence firm Kela Research and Strategy Ltd. has detailed some disturbing trends in the criminal internet underworld and those involved in ransomware endeavors.

    The Kela report was based on exploring over 1,000 access listings over the last year. IABs are threat actors who sell access to malicious services and play a crucial role in the ransomware-as-a-service economy. IABs facilitate network intrusions by selling remote access to a computer in a compromised organization and link opportunistic campaigns with targeted attacks, often ransomware operators. IABs don’t undertake ransomware attacks but sell access to a compromised network that is then used by ransomware gangs and others.

  • 02.08.2021

    Initial Access Brokers Refine Their Ransomware-as-a-Service Model

    It seems that during the pandemic IABs have been busy improving their business model. New research from threat intelligence company KELA shows that pricing is often determined by company size and the level of privilege on offer within the compromised network, with $5,400 as the average price for network access, and $1,000 as the median price.

  • 02.08.2021

    Initial Access Brokers Sell a Way In, Widening the Ransomware Market

    “One major aspect of this trend is the cooperation between actors facilitated by the rise of targeted ransomware. In order to support work in scale, ransomware operators turn to partners and affiliates to fulfill their remote access needs,” said Victoria Kivilevich, threat intel analyst at KELA.

  • 02.08.2021

    KELA's "All Access Pass: Five Trends with Initial Access Brokers" Report Reveals the Inner Workings of the Ransomware-as-a-Service Ecosystem

    KELA, the global leader in actionable threat intelligence, today announced the launch of brand new research along with LUMINT, a new offering providing users with a glimpse into KELA’s latest intelligence insights from the dark web including newly listed ransomware attacks, compromised network accesses for sale in cybercrime forums, leaked databases and data dumps, and updates on trending cybercrime threats. KELA’s newly released research report, “All Access Pass: Five Trends with Initial Access Brokers,” includes an in-depth analysis of Initial Access Brokers (IAB) and their activity for a full year from July 1, 2020 to June 30, 2021.

  • 23.07.2021

    How (and Why) Hacker Forums Self-Moderate

    “Everything in moderation,” the saying goes. But it may come as a surprise that this expression even seems to apply to many of the hacker forums littered across the dark web. On the surface, these forums may appear to be a lawless landscape, but there are some activities even hacker forums ban because they tend to attract too much heat.

  • 13.07.2021

    Cybercriminals Employing Specialists To Maximize Ill-Gotten Gains

    Ransomware gangs are increasingly turning to specialists to complete their capers on corporations, according to a Dark Net intelligence provider. A report issued Friday by Tel Aviv-based Kela noted that the days when lone wolves conducted cyberattacks from start to finish have become nearly extinct. The one-man show has nearly completely dissolved, giving way to specialization, maintained the report written by Kela Threat Intelligence Analyst Victoria Kivilevich.

  • 08.07.2021

    Ransomware gangs get more professional

    Ransomware, and indeed malware generally, used to be something of a cottage industry, the preserve of individuals or small groups. But new research from threat intelligence company KELA shows that it’s becoming a highly professionalized industry.

  • 08.07.2021

    The Business of Ransomware: Specialists Help Boost Profits

    Known as “pentesters” on Russian-language cybercrime forums, RaaS operations regularly advertise for these types of individuals, seeking help with obtaining domain-level access on victims’ networks and often offering them 10% to 30% of every ransom paid by a victim, according to Kela’s report.

  • 08.07.2021

    Ransomware as a service: Negotiators are now in high demand

    On Thursday, KELA threat intelligence analyst Victoria Kivilevich published the results of a study in RaaS trends, saying that one-man-band operations have almost “completely dissolved” due to the lucrative nature of the criminal ransomware business.

  • 08.07.2021

    Ransomware gangs seek people skills for negotiations

    The increasing sophistication of the cyber criminal underground is now reflected in how ransomware operations put together their crews, seeking out specialist talent and skillsets. Indeed, some gangs are coming to resemble corporations, with diversified roles and outsourced negotiations with victims, according to new research published by Kela, a provider of threat intelligence services.

  • 26.06.2021

    Recent Cybercrime Attack Trends

    Check out KELA’s Raveed Laeb in an interview with Charlene O’Hanlon from as he sheds some light on the most recent trends in the cybercrime underground ecosystem. Raveed also dives into KELA’s industry leading technologies to explain how we can leverage these trends to track and defeat cybercriminals before they cause harm.

  • 15.06.2021

    Russian Cybercrime: Is Extradition Ahead?

    US President Joe Biden is expected to meet with Russian President Vladimir Putin today to discuss the cyber threats emerging from Russia that are targeting the whole world. In response to the expected talk today, Irina Nesterovsky, Chief Research Officer at KELA explains: “There is this common knowledge between Russian-speaking and Russia-based cybercriminals that as long as you refrain from attacking Russia or any other CIS [Commonwealth of Independent States] countries, you’re safe to a certain degree as local Russian authorities won’t hunt you.”

  • 04.06.2021

    Exclusive: Tens of thousands of Scottish public sector leaked credentials discovered on the dark web

    Kela’s RaDark tool was also deployed to simulate the reconnaissance path used by hackers to scan networks for vulnerabilities based on its ‘attack surface mapping’ capabilities. To find the best ‘vector’ for an attack, cybercriminals will often look for outdated technologies or open ports to find their way in. According to Kela’s analysis across the public sector domains, it found ‘multiple potential compromise points’, including exposed remote access services that could enable an attacker to access and further compromise a network, and outdated web technologies whose ‘inherent vulnerabilities could lead to an attack on the organisation’s website’.

  • 24.05.2021

    How ransomware groups like DarkSide became professional operations

    Once they have identified a potential target, the IAB will ‘groom’ them – they “perform some reconnaissance, escalate privileges or install further tooling,” explains Victoria Kivilevich, a threat intelligence analyst at Israeli cybersecurity company KELA – before sharing access in exchange for a cut of the ransom. “Once a target is ripe and ready, it can be offered on cybercrime markets where ransomware affiliates can acquire it and move forward with the final attack,” says Kivilevich. Last year, DarkSide posted a job advert on the dark web for an IAB with access to companies with a net worth of $400m or higher.

  • 20.05.2021


    “I think one thing is clear, cybercriminals are not still, nor are they going to be quiet and they are going to look for new ways of doing things and for this they will use all present and future technologies that will provide them with the highest level of impunity possible. The important thing is to know what they are doing and where they are doing it and to follow them (and chase them) wherever they go to be able to anticipate and avoid and / or stop their attacks.

    From another point of view, I am sure that the cyber intelligence market, or rather, the maturity in cyber intelligence of Spanish companies will be much higher than that existing today, and that in itself is a positive thing.”

  • 15.05.2021

    Colonial Pipeline Hacker DarkSide Says It Will Shut Operations

    Like many technology startups, DarkSide poured some of its revenue into developing new features, according to its posts in forums. In March it introduced DarkSide 2.0, an update to its service that came with a “call on us” feature that let users make internet-based calls for free to victims, according to an analysis of forum posts by threat intelligence firm Kela Research and Strategy Ltd.

  • 14.05.2021

    DarkSide Added ‘Toshiba France’ to Its Victim List but It Could Be the Last One

    While new victims continue to show up on Darkside’s shaming blog (as is the case with Toshiba France), we see that the aftermath of the Colonial attack has created waves in the cybercrime underground. More specifically, there are rumors stating that the DarkSide “program” is closing down, and one of the largest Russian-speaking cybercrime forums has just banned the promotion of ransomware on its platform.

  • 04.05.2021

    The REvil Ransomware Gang Lists Three New Engineering Makers as Victims

    Initial access brokers – the tier of cybercriminals who obtain network access, move laterally within the network, and eventually sell the compromised access to ransomware affiliates and gangs – generally do not sell their access to more than one buyer (out of courtesy to fellow cybercriminals). Though there are numerous initial access vectors, we presume that unpatched vulnerabilities are more common to be exploited by multiple groups for the same victim, making it a necessity for organizations to continually prioritize patching and monitor their network infrastructure.


  • 29.04.2021

    KELA Names David Carmiel New CEO; Promotes Nir Barak to Chairman of KELA Board

    We’re excited to officially announce that David Carmiel, former CTO and Chief Research Officer, has been appointed as Chief Executive Officer at KELA. Nir Barak, KELA’s former CEO and Founder has been promoted to Chairman of the Board. In his new role, David Carmiel will continue to guide KELA towards the company’s global mission of providing the world’s best intelligence solutions that empower organizations to neutralize their most relevant threats observed in the cybercrime underground. 

  • 28.04.2021

    Fourth time's a charm - OGUsers hacking forum hacked again

    OGUsers has been hacked for its fourth time in two years, with hackers now selling the site’s database containing user records and private messages. KELA shares that we will likely be seeing members shifting to other communities – and maybe even establishing new ones – given both the poor operational security and the damage to the OG brand among fraudsters and other criminal actors.

  • 28.04.2021

    MangaDex discloses data breach after stolen database shared online

    At this time, the MangaDex database is privately being circulated and has not been publicly released. However, using KELA’s cybersecurity intelligence engine DarkBeast, BleepingComputer has been able to find threat actors distributing what they claim is a MangaDex database from the March 2021 attack.

  • 26.04.2021

    Avaddon Ransomware Group Hit the Small Italian Municipality of Villafranca d’Asti

    In the last few months, KELA has observed Avaddon specifically attacking municipalities in Portugal, Italy, Brazil, France, and Czech Republic. Avaddon has released the municipalities’ sensitive data, indicating that the majority of them have not been paying the ransom demanded. Our researchers are continually monitoring Avaddon and other ransomware groups to identify if attacking municipalities could be a new trend, or if these are simply opportunistic attacks.

  • 23.04.2021

    KELA Unveils Major Updates to Industry-Leading Technology, DARKBEAST

    KELA, the global leader of actionable threat intelligence, announces today many of the recent major improvements applied to their cybercrime research and investigation technology, DARKBEAST, during Q1. KELA’s industry-leading technology helps expose underground digital dangers to its clients by collecting, analyzing, and storing data from numerous sources in the cybercrime underground and making it accessible for users to search through – saving them the time, risk, and complexity of needing to locate and access the sources themselves.

  • 06.04.2021

    REvil Group’s Failed $4 Million Extortion on Tata Steel Leads to Technical Drawings Leak

    With the aid of KELA, we were able to see technical drawings of production line machines that are marked as “Confidential,” so they’re clearly not intended for publication. This potentially means REvil doesn’t have much hope in seeing any positive development in their negotiation efforts, and they’re immediately letting valuable stuff out. We have blurred the following samples that REvil posted as proof of the compromise.

  • 30.03.2021

    Ransomware group targets universities in Maryland, California in new data leaks

    Screenshots published by the group, viewed by ZDNet via KELA’s threat intelligence suite Darkbeast, include lists of individuals and their Social Security numbers, retirement documentation, and 2019/2020 benefit adjustment requests.

  • 21.03.2021

    The NWO Is Still Recovering From Last Month’s Ransomware Attack

    According to what we were able to find with the help of KELA, the cyber-intelligence experts, the ransomware gang that hit NWO was DoppelPaymer, and the actors have already leaked a dozen files stolen from the servers of the Dutch research council.

  • 20.03.2021

    REvil Struck Laptop-Maker Acer and Demands $50 Million in Ransom

    With the help of KELA’s cyber-intelligence tools, we located the new leak site, and we got to access the documents that are used for the extortion. We have blurred the following for you to get an idea of what has been stolen from Acer’s computers.

  • 18.03.2021

    Did ‘exposed’ data on dark web lead to ransomware attack on Scottish university?

    KELA reveals that there are over 8,000 ‘leaked credentials’ – including email addresses and sometimes passwords – belonging to UHI staff and students that have been leaked or stolen and possibly traded on underground web forums. A further 100-plus ‘compromised accounts’ were also found on malicious dark web sites, including one that indicated access to Active Directory Federation Services – a software component developed by Microsoft – ‘probably related to internal systems’, according to KELA.

  • 13.03.2021

    Exchange PoC Released and APTs Gather Around Vulnerable Servers Like Piranhas

    KELA shares that numerous threat actors have shown high levels of interest in the newly released PoC exploit for Microsoft Exchange. We’ve observed that not only are APT groups showing interest driven from an espionage motivation, but cybercriminals are also showing interest as they see the potential monetary value that can be gained from exploiting this vulnerability.

  • 12.03.2021

    Darkside 2.0 Ransomware Promises Fastest Ever Encryption Speeds

    Threat intelligence experts are warning of a new version of the Darkside ransomware variant which its creators claim will feature faster encryption speeds, VoIP calling and virtual machine targeting. KELA shared with Infosecurity information posted by the Russian-speaking group to dark web forums XSS and Exploit.

  • 26.02.2021

    Identity Theft Attacks Channeled Millions in Jobless Claims to Inmates

    Covid-19 has experienced a large number of scammers engaging in identity theft and unemployment fraud, in an attempt to receive money that they aren’t eligible for. Fraudulent activities, such as identity theft, are commonly enabled through chatter and tools shared in underground forums. Today, 15 US states use to allow citizens to prove their identity online. KELA reveals that cybercriminals are actively sharing tutorials on how to create a seemingly valid profile that will ensure they get their claim approved in their state.

  • 18.02.2021

    Darknet Markets Compete to Replace Joker's Stash

    “With the heavy marketing and advertising that Brian’s Club has been investing in, it seems that the longtime attempts of marketing to credit card traders may be finally paying off now that Joker’s Stash is out of the picture,” says Victoria Kivilevich, a threat intelligence analyst with Kela. “Brian’s Club has been immodestly trying to steal the thunder by publishing an advertisement on the main page of [Russian-language forum] XSS, soon after the announcement by Joker’s Stash.”

  • 13.02.2021

    CD Projekt Red source code reportedly sells for millions in dark Web auction [Updated]

    Cyber intelligence firm KELA confirmed the authenticity of that auction, telling The Verge that forum users needed to put up 0.1 BTC (roughly $4,700 as of this writing) to participate in the bidding as a sign that offers were legitimate. The sellers also reportedly provided file listings for Gwent and the Red Engine that underlies CDPR’s games as proof that the data was authentic.

  • 11.02.2021

    Stolen CD Projekt Red Files Reportedly Now Sold After Dark Web Auction

    KELA (which previously provided The Verge with what it believes to be legitimate file lists from CD Projekt’s Red Engine) reports that an auction set up to sell the files has now been closed after a “satisfying offer” was made from outside of the forum it was being held on. That offer reportedly stipulates that the code will not be distributed or sold further. Cybersecurity account vx-underground also reported that it had heard the sale was completed.

  • 11.02.2021

    Hackers ask only $1,500 for access to breached company networks

    The number of offers for network access and their median prices on the public posts on hacker forums dropped in the final quarter of last year but the statistics fail to reflect the real size of the initial access market. Data from threat intelligence firm Kela indicates that many of the deals actually closed behind closed doors, a trend shaped over the past months.

  • 10.02.2021

    Cyberpunk and Witcher hackers claim they’ll auction off stolen source code for millions of dollars

    Following the recent ransomware attack on video game developer CD Projekt Red, KELA reveals that hackers are now auctioning off the source code they acquired, with a starting price of $1 million. These include source code files for both the Red Engine and CDPR game releases, including The Witcher 3: Wild Hunt, Thronebreaker: The Witcher Tales spinoff, and the recently released Cyberpunk 2077.

  • 05.02.2021

    How Ransomware Is Accelerating in the COVID-19 Era

    KELA’s Ayesha Prakash, VP of Global Channels and Alliances has released her EOY blog about ransomware during the COVID era. In her blog-post, Prakash explains why COVID-19 is a curse on the world, and a gift to cybercriminals. She later explains that what organizations need now is to make cybersecurity a forefront issue, to treat it as business-critical, and as a public health risk.

  • 06.02.2021

    Experts: Foxtons Breach Was Egregor Ransomware

    Recent announcements revealed a data breach on UK-based estate agency, Foxtons. KELA threat intelligence analyst Victoria Kivilevich explains that Foxtons was actually a victim of a ransomware attack in October, and confirms that this breach does not seem to be a separate incident. Generally, ransomware gangs have taken on a trend of a double extortion tactic – where they demand two ransoms, one to avoid public exposure of their data and one for unlocking their systems. It’s likely that Foxtons has not yet negotiated or agreed to pay and that is why part of the data has been leaked.

  • 02.02.2021

    Ransomware Gangs are Abusing VMWare ESXi Exploits to Encrypt Virtual Hard Disks

    Threat actors have also been observed selling access to ESXi instances on underground cybercrime forums last year, according to threat intelligence firm KELA. Since ransomware gangs often work with initial access brokers for their initial entry points inside organizations, this might also explain why ESXi was linked to some ransomware attacks last year.

  • 02.02.2021

    Ransomware's Helper: Initial Access Brokers Flourish

    Kivilevich writes in a new report from Kela that over the last three months of 2020, she counted 242 initial network access offers for sale across three cybercrime forums with a total asking price of $1.2 million. During that time frame, Kivilevich says, the average price per access was $6,684, the median price was $1,500 and the highest single price listed was 7 bitcoins, which at the time could have been worth about $130,000. But 24% of offers didn’t list a price.

  • 01.02.2021

    Initial Access Remains a Booming Business on the Dark Web

    The prospering of the initial access market on the dark web continues unabated, and according to a report published by KELA yesterday, it has surpassed the size of $1.2 million in Q4 2020. The cyber-intelligence firm that uses specialized tools to monitor listings across numerous dark web sites has traced 242 new listings during that period, having an average price of $6,684 and a maximum of 7 BTC.

  • 27.01.2021

    ‘’ Data Leak Exposes 2 Million Credit Score Reports

    ‘,’ an India-based online banking service that offers credit card, loan, and insurance management services for small businesses and merchants, has suffered a data breach. Due to KELA’s caching capabilities, we were able to find the first evidence of the particular dataset appearing on the dark web for sale on December 25, 2020.

  • 22.01.2021

    The State of the Dark Web: Insights From the Underground

    KELA’s researchers explain how the dark web represents a wide variety of goods and services which are traded across many different underground forums and markets. KELA explains that tapping into these forums and markets can help security teams keep up with where adversaries may be headed next.

  • 22.01.2021

    Sensitive Data of Over 325,000 Indian Users Leaked in BuyUCoin Hack

    Researchers at KELA discovered a leaked database belonging to BuyUCoin, an India-based global cryptocurrency exchange and wallet. On the same forum that the database was leaked KELA also identified leaked databases from Wongnai Media Co Ltd, Tuned Global Pvt Ltd, BuyUcoin, Wappalyzer, Teespring Inc and, which looks like the handiwork of infamous hacking group ShinyHunters.

  • 21.01.2021

    KELA Joins Cyber Security Forum Initiative (CSFI) as a Gold Sponsor in a Mission to Support National Cyber Security

    KELA is thrilled to join the Cyber Security Forum Initiative (CSFI) as a gold sponsor in a mission to support national cyber security. We’re looking forward to working alongside CSFI to make the cyber environment a safer and more secure place by providing valuable darknet threat intelligence to government, military, private sector, and academia in the US.

  • 20.01.2021

    ShinyHunters publishes 1.9M stolen user credentials from photo editing site Pixlr

    ShinyHunters has recently been very active after going silent for some time. Over this past summer, ShinyHunters was seen publishing leaked data for free, exposing millions of personal records from all over the world; however, we have not observed ShinyHunters releasing data themselves since November. In the last few days the group has leaked databases for free – among them a Pixlr database, exposing 1.9 million user records.

  • 21.01.2021

    Threat Actor Claims to Leak 500K+ Records of C-level People from Capital Economics

    Irina Nesterovsky, KELA’s CRO said, “It was originally leaked in early January in an English-speaking forum exposing information of nearly 500K people. The second instance we saw it appearing was when an actor tried selling it in another forum claiming that he had a database “for Finance Company Including SQL” with 500K records. Later that day, the same actor leaked the database for free claiming it contained data of more than 500K C-Level executives. KELA confirmed that the same database was shared in all instances. It appears that the “500K C level” title was given to the post in order to boost the importance of the database – the entire size of the relevant user database is around 500K lines, not at all a majority of which are C-Level employees.”

  • 18.01.2021

    The ‘DarkSide’ Operators Respond to the Release of a Decryptor

    KELA reveals a Q&A published by DarkSide ransomware operators following the release of the ransomware decryption tool. Throughout the Q&A, Darkside operators stated the decryptor was used by 4 targets but 1 of them eventually paid. They also include details about how they will refund losses to affected affiliates and why it’s not happening again in the future. The free decryptor allows victims to recover their files without paying a ransom to DarkSide operators.

  • 16.01.2021

    Ransomware Disrupts Scottish Environment Protection Agency

    The Scottish Environment Protection Agency says a ransomware attack last month continues to cause serious outages and warns that ransom-demanding attackers also stole some data. KELA’s experts share that a portion of SEPA’s data (7% of what they claimed to obtain) has been released on a leak site dedicated to Conti’s ransomware victims, and therefore assess with medium confidence that this is indeed an attack by Conti.

  • 12.01.2021

    Cyber criminals are taking aim at online gaming for their next big pay day

    Cybersecurity company Kela examined underground forums and found an ecosystem based around buying and selling initial network access to gaming companies, as well as almost one million compromised accounts of gaming employees and clients up for sale – with half of those being listed in 2020 alone.

  • 06.01.2021

    Leading Game Publishers Hit Hard by Leaked-Credential Epidemic

    In a recent scan, they found 1 million compromised credentials associated with the larger gaming universe of “clients” and also employees – half of which were for sale online. More than 500,000 of the leaked credentials pertained to employees of leading game companies, according to the report published Monday.

  • 05.01.2021

    Top gaming companies hit by major data breach, one million employees affected

    Although Kela did not disclose the specific companies affected, it did reveal that it has been monitoring underground markets for more than two-and-a-half years now and that nearly every major gaming company was affected. The compromised credentials would give attackers access to a number of important internal resources, including admin panels and development-related projects.

  • 05.01.2021

    Stolen employee credentials put leading gaming firms at risk

    More than 500,000 login credentials linked to the employees of 25 leading game publishers have been found for sale on dark web bazaars, according to a report by threat intelligence company KELA. Threat actors have been increasingly targeting the gaming industry, including by harvesting and selling access credentials into the internal systems of top-tier game companies.

  • 04.01.2021

    One Million Compromised Accounts Found at Top Gaming Firms

    As Covid-19 has taken away 2020, people around the world have begun giving the online gaming industry a chance, hence growing revenues in this industry tremendously. After scouring dark web marketplaces, KELA discovered a thriving market in network access on both the supply and demand side. This included nearly one million compromised accounts related to employee- and customer-facing resources, half of which were listed for sale last year.

  • 22.12.2020

    Safe-Inet, Insorg VPN services shut down by law enforcement

    Safe-Inet services have been running for 11 years, advertised to cybercriminals needing multiple layers of anonymity and stable connections. BleepingComputer has seen ads for Safe-Inet services on several forums for black hat activities. The one below, posted as recently as December 4 and supplied by cybersecurity intelligence firm KELA, is from a carder forum hidden in the Tor network.

  • 23.12.2020

    There’s Evidence That Ransomware Groups Are Forming Extortion Cartels

    KELA reveals another proof of ransomware groups forming cartels to intimidate victims even further. KELA recently observed MountLocker touting 5% of the data dump originally stolen by “Ragnar Locker” during a cyberattack against ‘Dassault Falcon.’ The ransomware operators claim that the listing is from one of their partners, and provide a reference link to Ragnar Locker’s extortion site, who exposed partial data of this victim earlier this month.

  • 18.12.2020

    FBI & Interpol disrupt Joker's Stash, the internet's largest carding marketplace

    Following the recent seizure of Joker’s Stash (the largest marketplace for trading stolen cards) by law enforcement, KELA reveals that the disruption was only temporary and that the market’s admins claimed the actual Joker’s Stash portal continues to work as normal, with only proxy servers having been seized.

  • 17.12.2020

    Digging the Recently Leaked Chinese Communist Party Database

    KELA analyzed and obtained a database containing details of 1.9 million Chinese Communist Party members in Shanghai, which has recently resurfaced in the darknet communities, and found that companies in which CCP members were found include Pfizer, AstraZeneca, Airbus, Boeing, HSBC, Rolls-Royce, Jaguar and more.

  • 12.12.2020

    Millions of ShopBack, RedDoorz user records put on sale in hacker forums; Peatix another victim of breach

    KELA, a cybersecurity firm headquartered in Israel, told BT that 5.7 million plaintext passwords were also made available for download from a website called, though the leak does not contain emails. “It will require some work for (threat actors) to correlate emails and hashed passwords from the original leak with dehashed passwords,” the firm said.

  • 30.11.2020

    Egregor’s Latest Press Release Is a Victim Intimidation Machine

    The ‘Egregor’ team has published a press release meant to intimidate victims and practically convince them to pay the demanded ransom. Spotted on the dark web by researchers of the KELA threat intelligence firm, the press release includes several key points specifically addressed to those who have not “secured a contract” with the actors.

  • 27.11.2020

    Networking equipment vendor Belden discloses data breach

    American networking equipment vendor Belden said it was hacked in a press release published earlier this week. According to data provided by threat intelligence firm KELA, credentials for Belden accounts have been available on the cybercrime underground since April this year, although it’s unclear if they have been used to orchestrate this breach.

  • 27.11.2020

    A hacker is selling access to the email accounts of hundreds of C-level executives

    Attackers can use corporate credentials to monetize in many different ways – from manipulating employees to wire money through CEO scams, to exploiting them in order to move laterally in the organizations to conduct a network intrusion.
    KELA’s technologies automatically monitor closed underground forums where threat actors are regularly trading corporate credentials and other sensitive data. Contact us to learn more about how KELA can help you detect if any of your sensitive data is circulating in the Dark Net.

  • 20.11.2020

    Pakistan International Airlines data breach underscores sharp rise in illicit sales of access credentials

    KELA’s researchers said that cybercriminals advertised domain admin access to PIA’s internal network for $4,000, while its customer database was listed for $500. Initial network access in such illicit deals refers to remote access to systems in a compromised organization, while those selling it are known as remote access brokers. Rather than hack their way into corporate networks, cybercriminals often purchase such initial network access to gain a foothold, allowing them to move laterally and expand their access rights.

  • 18.11.2020

    Chinese APT10 hackers use Zerologon exploits against Japanese orgs

    KELA reveals the latest threats targeting Japanese organizations, and concludes that threat actors, Advanced APT groups and nation-state actors are considering Japanese organizations as valuable targets and are actively attacking them via opportunistic and targeted attacks.

  • 17.11.2020

    Ransomware Operator Promotes Distributed Storage for Stolen Data

    “Such servers in Iran and [other] countries will be harder to discover, block, and cease due to a lack of cooperation from local authorities,” says Victoria Kivilevich, threat intelligence analyst at Israel-based security firm KELA, which first discovered the scheme.

  • 15.11.2020

    DarkSide Ransomware's New Data Leak Service In Iran Will Spread and Store Victims' Stolen Data

    According to Bleeping Computer‘s latest report, on Nov. 12, the cybersecurity intelligence firm Kela revealed DarkSide operators’ new posted topic on a Russian-speaking hacker forum. Additionally, Bank Info Security reported that the cybersecurity firm Kela said that the hackers claim that their average ransom is between $1.6 million and $4 million.

  • 12.11.2020

    Darkside Ransomware Gang Launches Affiliate Program

    #DarkSide ransomware launches their affiliate program. For the first time ever, KELA notices the operators offering initial access brokers to directly trade with them rather than through affiliates or middlemen. It seems that DarkSide is strengthening their efforts, and we can assume to see a surge of attacks by this gang over the coming months.

  • 10.11.2020

    Hacker Sells Access to Pakistani Airlines' Network

    KELA spotted a threat actor touting domain admin access to Pakistani International Airline for $4,000 on two Russian-speaking illegal online forums and one English-speaking forum that they had been monitoring. KELA’s team had been tracking ransomware trends, exploring how initial access brokers in the cybercrime community play a role in the supply chain of this popularly deployed malware.

  • 06.11.2020

    Data-Exfiltrating Ransomware Gangs Pedal False Promises

    In terms of unusual timing, another ransomware operation has also promised to turn out the lights. “We’ve seen Suncrypt affiliates stating on Exploit” – a cybercrime forum – “that the operators told them that the program is closing,” according to Israeli cyberthreat intelligence monitoring firm Kela. “It’s a bit interesting – and even suspicious – to see two major ransomware groups shutting down their operations around the same time.”

  • 04.11.2020

    23,600 Hacked Databases have Leaked from a Defunct 'Data Breach Index' Site

    More than 23,000 hacked databases have been leaked from the site archive of, a private service advertised on hacking forums to other cybercriminals. For the past several months, KELA’s technologies have been monitoring data from, prior to the site’s seizure in mid-September. As part of KELA’s leaked credential monitoring KELA’s clients have already had visibility into this site, and have already been alerted on any of their data that may have been leaked in these compromised database feeds.

  • 22.10.2020

    As Dark Net Endangers Enterprises, MSSPs Need New Tools

    One cybersecurity intelligence firm, Kela, intends to help MSSPs do just that with its new platform, IntelAct. The technology, Kela says, allows MSSPs to track and intercept any mentions of their clients’ network infrastructure, vulnerabilities or exposures in the dark net. This turns the attackers’ edge against them, remediating issues before they become breaches, the vendor says. IntelAct is fully automated, scalable, and requires no installation or network access.

  • 22.10.2020

    KELA Launches New Technology for Attack Surface Intelligence

    KELA announces today the release of their latest proprietary technology – IntelAct, allowing 100% automated monitoring of an organization’s attack surface. KELA’s Dark Net experts launch a new technology enabling organizations to receive real-time, automated alerts of their exposure in the Dark Net.

  • 16.10.2020

    In September 2020, Access to Hacked Networks Was Traded Three Times More Often

    KELA specialists write that they indexed 108 listings posted on popular hacker forums and calculated that the total value of the accesses offered by hackers amounts to 505,000 US dollars. About a quarter of the lots were ultimately sold to attackers looking to target particular companies.

  • 14.10.2020

    'Network access' sold on hacker forums estimated at $500,000 in September 2020

    As ransomware attacks continue to rise, initial access brokers are repeatedly being seen as key players by selling network access to ransomware operators as an initial entry point into victims’ networks. In September alone, KELA detected over 108 accesses for sale at a total value of USD 500,000 – 3 times higher than the numbers gathered in the previous month.

  • 25.09.2020

    Why Encrypted Chat Apps Aren't Replacing Darknet Markets

    Some markets have moved to drop illegal drugs and begun adopting an “automarket” approach that focuses on self-fulfilled sales of malware, stolen databases, login credentials and other hacking and cybercrime tools and services, the Kela researchers say. Criminals’ thinking, they note, appears to be that by not selling drugs, and with malicious “cyber” tools existing in a legal gray zone in many jurisdictions, such markets will be less likely to get disrupted.

  • 23.09.2020

    Hackers Sell Access to Your Network Via Remote Management Apps

    In a report shared with BleepingComputer, cyber intelligence company KELA was able to determine that the offer was for Zoho’s ManageEngine Desktop Central, a management platform that lets administrators deploy patches and software automatically on network machines, as well as troubleshoot them through remote desktop sharing.

  • 22.09.2020

    CISA Warns of Notable Increase in LokiBot Malware

    Credentials stolen via LokiBot usually end up on underground marketplaces like Genesis, where KELA suspects LokiBot is the second most popular type of malware that supplies the store.

  • 18.09.2020

    Why Darknet Markets Persist

    Kivilevich and Raveed Laeb, Kela’s product manager, tell ISMG that it’s important to distinguish between the two types of darknet markets: drug marketplaces and cyber-focused marketplaces selling such things as malware, stolen databases and login credentials. “We also see sales of illicit and counterfeit goods – money, watches and stuff like that – but most of the time, that’s not the actual focus,” they say.

    More recently, the sale of cyber goods has been migrating to what the darknet community calls “autoshops,” meaning they sell goods and services in a highly automated manner. Kela refers to this as the “servitization” – meaning selling not just goods but also services and outcomes – of the underground ecosystem.

  • 16.09.2020

    LockBit Ransomware Launches Data Leak Site to Double-Extort Victims

    KELA has been closely tracking new monetization methods employed by ransomware operators. One common method has been ransomware gangs stealing the data before encrypting it in order to use it as leverage in ransom negotiations, and many times including that data in data leak sites. Riding on this trend, LockBit ransomware has just launched a new data leak site to be used as part of their double extortion strategy to scare victims into paying ransom.

  • 14.09.2020

    Hacked: 'Best Australian Financial Data' for Sale on the Dark Web

    Victoria Kivilevich, threat intelligence analyst at Israeli intelligence firm KELA – which discovered the breaches of Australian financial data – said there had been an increase in attacks in recent years, and also RaaS, or ransomware-as-a-service; hackers were also often working together. “The most popular ransomware strains are operated by cybercriminals looking for financial gain,” Ms Kivilevich said. “Chasing profits, ransomware actors are always inventing new methods of intimidating victims.”

  • 01.09.2020

    KELA Names Ayesha Prakash as Vice President of Global Channels and Alliances

    We’re excited to officially welcome Ayesha Prakash to our team as our new Vice President of Global Channels and Alliances. Ayesha joins KELA to build and evolve the company’s strategic alliances and expand KELA’s global engagement with channel and technology partners. We’re excited to have her on board and are looking forward to see what we will accomplish together!

  • 26.08.2020

    With Empire Gone, Patrons Eye Other Illegal Darkweb Markets

    Israeli cyber threat intelligence monitoring firm, KELA has provided BleepingComputer with information on the matter, along with screenshots.

    The company analyzed forums that darknet surfers frequent, and has offered insights on their footsteps.

  • 25.08.2020

    More Ransomware Gangs Threaten Victims With Data Leaking

    KELA’s latest research analyzes the recent rise of ransomware attacks and how that rise has introduced new methods of monetization allowing ransomware gangs to monetize bigger and better. This research laid out the top 6 trends observed by ransomware groups in the underground ecosystem and shared how these new methods are likely to spread.

  • 12.08.2020

    Avaddon Ransomware Joins Data-Leaking Club

    Israeli cybersecurity intelligence firm Kela shared that the operators behind Avaddon announced their data-leaking site via a Russian-language cybercrime forum. So far, the ransomware gang has listed one victim – a construction firm – from which 3.5 MB of allegedly stolen documents have been leaked.

    “The attackers published a sample of the obtained data, including information related to the company’s activity in the U.K., Mexico, Philippines, Malaysia and Thailand,” Kela tells Information Security Media Group.

  • 11.08.2020

    Avaddon Ransomware Operators Have Launched Their Data Leak Site

    Cybersecurity intelligence firm Kela was the first to report that the Avaddon ransomware operators have announced on a Russian-speaking hacker forum their new data leak site.

  • 10.08.2020

    Avaddon Ransomware Launches Data Leak Site to Extort Victims

    KELA shared with BleepingComputer that the Avaddon ransomware operators have announced on a Russian-speaking hacker forum this weekend that they have launched a new data leak site. KELA has shared that until now, only one victim has been listed – a US-based construction company.

  • 05.08.2020

    Hacker Leaks Passwords for 900+ Enterprise VPN Servers

    KELA’s #DARKBEAST has helped ZDNet obtain a copy of a recently leaked list of plaintext usernames and passwords for 900+ Pulse Secure VPN enterprise servers. If compromised, these Pulse Secure VPN servers can provide hackers easy access to a company’s entire internal network.

  • 27.07.2020

    Email is Still a Hacker's Wonderland, They Could Take or Leave Slack

    Cybersecurity researchers from KELA found about 17,000 Slack credentials for sale across 12,000 Slack workspaces in cybercrime online markets. While “many access types — webshells on online stores, RDP servers or corporate email inbox access — are a highly sought-after resource driving thriving markets,” no one is really buying Slack credentials, according to KELA.

  • 23.07.2020

    Slack Accounts Do Not Interest Cybercriminals

    Using its threat intelligence platform, KELA searched for Slack credentials on cybercrime markets in an attempt to see whether this threat vector was popular among cybercriminals. The company says it found more than 17,000 Slack credentials recently put up for sale online on hacking forums and on credential marketplaces such as Genesis.

  • 23.07.2020

    The “Bitcoin Twitter Hack” May Have Started With a Slack Compromise

    KELA has found that there were at least 17,000 Slack credentials sold in the ‘Genesis Store’ alone, priced between $0.5 and $300, depending on how valuable they were. While a connection with the recent Twitter hack isn’t based on concrete evidence, there are indications pointing to this scenario.

  • 23.07.2020

    Slack Credentials Abundant on Cybercrime Markets, But Little Interest from Hackers

    Following reports that last week’s Twitter hacks may have been due to credentials stolen from an internal Slack channel, KELA decided to dive deeper into this topic, and found that currently more than 17,000 Slack credentials for roughly 12,000 Slack workspaces are being sold on underground cybercrime markets.

  • 14.07.2020

    MGM Hotel’s 2019 Data Leak Might Have Affected 142M People, Not 10.6M

    Threat research firm KELA notified the publication about posts on Russian security forums that advertised MGM data breach affecting more than 200 million customers.

    In the past few years, hackers have attacked several hotels to steal customer data. In March, Marriott Hotels was breached impacting more than 5.2 million people.

  • 14.07.2020

    Millions of Logins from UK Ticket Site for Sale on Dark Web

    KELA discovered a database of 4.8 million records posted for sale, belonging to a leading provider of ticket services for live shows in the UK. KELA’s intelligence team told Infosecurity Magazine that they acquired a sample of 10,000 records in order to analyze this data. Following analysis, KELA deduced that the leak affects users in the UK, US, New Zealand, Australia, South Africa, Germany, France and a few others, some of which belong to governmental domains.

  • 14.07.2020

    British e-Ticketing Service Breach Resulted in 4.8 Million Records Now for Sale

    Intelligence analysts at KELA discovered a database of 4.8 million records, containing emails and passwords, belonging to a leading provider of ticket services for live shows in the UK. The database was posted on July 8, 2020 on an underground forum by a newly registered threat actor, called “JamesCarter”, for $2500. KELA managed to acquire a sample of the database containing about 10,000 email addresses, and found that only about 300 email addresses were duplicates, deducing that the full leak likely consists mostly of unique combinations.

  • 14.07.2020

    A Hacker is Selling Details of 142 Million MGM Hotel Guests on the Dark Web

    In an exclusive today on ZDNet, KELA shares that the breached MGM database, originally reported to have 10.6 million records actually contains nearly 200 million. The hotel’s database resurfaced in the dark web this past weekend. This wasn’t the only time it resurfaced though. KELA’s intelligence team told ZDNet back in February that the MGM data had been circulating and was being sold in private hacking circles since at least July 2019.

  • 04.07.2020

    Hacked: Thousands of MyGov Accounts for Sale on the Dark Web

    The compromised accounts were detected by Israeli intelligence firm KELA, which specialises in dark web threat intelligence and offers its clients a real-time dark web search engine called Darkbeast.

    KELA threat intelligence team leader Elad Ezrahi said the MyGov accounts were extracted from more than 2000 compromised computers, or “bots”. Botnets are networks of compromised machines controlled by a single actor.

  • 03.07.2020

    The Details of 384,319 BMW Owners Are for Sale on the Dark Web

    KELA researchers have shared one of their most interesting recent findings with TechNadu, and it looks like it concerns BMW and 384,319 of its customers in the UK. Apparently, the prolific hacking group that is known as “KelvinSecurityTeam” has posted a database they acquired when hacked ‘’ This is the same group of actors that recently sold databases from 16 companies, including the business consulting firm “Frost & Sullivan.”

  • 03.07.2020

    500,000 BMW, Mercedes and Hyundai Owners Hit by Massive Data Breach

    The personal information of almost 400,000 UK-based BMW customers is being sold to the highest bidder on an online black market, according to Tel Aviv-based darknet intelligence experts KELA.

    Hackers at a group called KelvinSecurity Team have gained access to a BMW customer database and listed it for sale on an underground forum used by cybercriminals.

  • 02.07.2020

    BMW Customer Database for Sale on Dark Web

    KELA found a database of UK car owners offered for sale on an underground forum, which was initially described as BMW customers’ database affecting 384,319 customers. The data was posted by the KelvinSecurityTeam. KELA obtained the database and found that it contains almost 500,000 customers’ records from 2016-2018. The exposed data includes initials and surnames, emails, addresses, vehicle numbers, dealer names, and more; it affects owners of different cars in the UK.

  • 02.07.2020

    Roblox Accounts Hacked with Pro-Trump Messages

    Hackers have breached more than 1,800 Roblox accounts and defaced user profiles with messages in support of Donald Trump’s reelection campaign. With the help of threat intelligence firm KELA, ZDNet was able to identify multiple web pages containing large lists of Roblox usernames and cleartext passwords.

  • 29.06.2020

    KELA Launches Sensitive Hostname Detection

    KELA is proud to announce the launch of Sensitive Hostname Detection. As part of this addition, KELA’s RADARK now automatically alerts users on sensitive webpages that may be exposed to the public internet.

    Get in touch with us today to learn more about how KELA detects vulnerabilities in your organization’s Internet-facing infrastructure.

  • 17.06.2020

    Oz Sites Being Sold On The Dark Web

    Elad Ezrahi, Threat Intelligence Team Leader at the Israeli intelligence company KELA, told the Australian Financial Review: “If the web shell enables the actor to abuse the mail server of the compromised website, the actor could use it to send spam and phishing emails… if the compromised site is of a governmental entity, for example, the consequences can be notably severe.”

  • 16.06.2020

    Hacked: Aussie Websites for Sale on Dark Web

    Elad Ezrahi, Threat Intelligence Team Leader at Israeli Intelligence company KELA, said web shells could be used for nefarious purposes. Remote access markets served as a gateway for obtaining data, he said.

  • 03.06.2020

    KELA Acknowledged in Gartner's Market Guide for Security Threat Intelligence Products and Services 2020

    Nir Barak, CEO and Founder of KELA shares, “Since KELA’s establishment we have been investing significant efforts to make sure that our technologies and services are perfectly applicable to what is required by security and intelligence teams. In our opinion, being acknowledged as a vendor of dark and deep web monitoring by our wide and global customer base, and now also by Gartner, definitely makes it seem like our team’s arduous work is making an impact, and gives us validation that we are growing on the right path.”

  • 03.06.2020

    Ransomware Gangs Team Up to Form Extortion Cartel

    KELA shares intelligence from their daily ransomware monitoring with specialists from Bleeping Computer. “BleepingComputer was told by cyber intelligence firm KELA that the Maze operators added the information and files for an international architectural firm to their data leak site.”

  • 27.05.2020

    26 Million LiveJournal Credentials Leaked Online, Sold on the Dark Web

    With the help of threat intelligence firm KELA, ZDNet has confirmed the existence of the LiveJournal stolen database and has tracked down copies and mentions of user data in multiple locations across the hacking underground.

  • 21.05.2020

    KELA Extends Intelligence Monitoring Capabilities with Access to Instant Messaging Groups & Real-Time Image Searching

    KELA announced today the capability of automatically searching through images and chatter in instant messaging groups, through DARKBEAST, their proprietary Dark Net threat hunting platform. The expansion of KELA’s data lake to include instant message groups, such as closed Telegram groups and Discord channels, is meant to provide partners and clients with added intelligence from different high-quality and curated sources.

  • 21.05.2020

    Hacker Selling 40 Million User Records from Popular Wishbone App

    Since Have I Been Pwned allows users to hide their email from public searches, we also verified these emails against a private platform managed by threat intelligence firm KELA, which has also been indexing and tracking data leaked in older breaches.

  • 16.05.2020

    Cybercrime Marketplace MagBo Selling Access to 43,000 Hacked Websites

    According to the latest report from threat intelligence firm KELA, MagBo is offering access to over 43,000 hacked servers and some of these belong to state and local governments, ministries, financial institutions, and health care facilities.

  • 15.05.2020

    Hackers Preparing to Launch Ransomware Attacks against Hospitals Arrested in Romania

    According to threat intelligence provided by cyber-security firm KELA, the PentaGuard group has been around since 2000, when they were involved in mass-defacements of several government and military websites, including the website of Microsoft Romania.

  • 15.05.2020

    Cybercrime Store Is Selling Access to More Than 43,000 Hacked Servers

    A report from threat intelligence firm KELA shows the recent evolution of MagBo. The research was carried out jointly by KELA and the ZDNet website.

  • 16.05.2020

    The “MagBo” Portal Offers Access to Thousands of Hacked Servers

    KELA researchers report that the daily server additions to the market are between 200 and 400, and the number of daily transactions is approximately 200. There are 190 unique sellers who have something to offer on MagBo, while the cost to access each server depends on its type.

  • 15.05.2020

    Access to Thousands Hacked Servers Being Sold Online

    The infamous MagBo platform is known to have offered almost 150,000 different compromised websites, with over 200 daily transactions a day and over 200 to 400 new additions on the platform each day. According to data from KELA, “190 different threat actors currently have active listings on the market.”

  • 15.05.2020

    Cybercriminals Sell Access to More Than 43,000 Hacked Servers

    Cybercriminals are selling access credentials for more than 43,000 hacked servers through an online marketplace called MagBo. This is according to an analysis by threat intelligence firm Kela. According to the analysis, MagBo is considered one of the largest marketplaces for compromised servers.

  • 16.05.2020

    43,000 Hacked Servers up for Sale on Cybercrime Marketplace

    More than 43,000 hacked servers are currently for sale on online cybercrime marketplace MagBo, according to new research from threat intelligence firm KELA and ZDNet.

  • 15.05.2020

    KELA Sees MagBo Remote Access Market Booming During Pandemic

    Threat intelligence company KELA has reported a boom in Remote Access Markets during the pandemic. Remote Access Markets sit on the Darknet and provide attackers with details on compromised websites and services. It means that attackers don’t have to waste time trying to steal credentials to gain access to those websites.

  • 14.05.2020

    KELA Expands Their Intelligence Data Lake with Real-Time Monitoring of Remote Access Markets

    As servitization of the underground world continues to thrive, KELA Targeted Cyber Intelligence, a global Dark Net threat intelligence provider, announces today the addition of a new information source type to their technologies – Remote Access Markets.

  • 14.05.2020

    A Cybercrime Store is Selling Access to More than 43,000 Hacked Servers

    Over the years, the site has boomed, to put it lightly. Since it launched in 2018, KELA says the site has sold access to more than 150,000 sites, with 43,000 still being up for sale as of this week. KELA product manager Raveed Laeb says they’ve tracked 190 different threat actors selling hacked servers on the site.

  • 13.05.2020

    KELA Announces the Addition of Featured Queries to Their DARKBEAST Platform

    KELA Targeted Cyber Intelligence, a global Dark Net threat intelligence provider, announces today the addition of Featured Queries to DARKBEAST – their proprietary Dark Net search engine and investigation platform — helping their users stay informed on the most relevant underground threats.

  • 09.05.2020

    Cyber Security Today – Canada hit by COVID cheque fraud; Webex, Teams under attack, more COVID email scams and three big data breaches

    According to an Israeli security company called KELA, criminals soon began selling editable digital copies of cheques on the dark web. A criminal can either purchase a digital file and fill in their own name or have a criminal service do the editing for them.

  • 05.05.2020

    Behind the Scenes of Dark Net Market Closures and Their Consequences

    Like every free market, the Dark Net economy sees its many rises and falls. Sites come and go, just like brick and mortar stores open and close. Yet in recent months, we’ve seen a large number of sizeable illicit Dark Net sites closing, and smaller niche ones taking their place.

  • 07.04.2020

    Threat Actor Selling Access to a Canadian University’s Domain

    A Canadian university’s network may be at risk from a cyber attack, according to KELA, an Israeli threat intelligence firm.

    Irina Nesterovsky said this threat actor seems to specialize in brute-forcing RDP (remote desktop) servers, running an affiliate program with other threat actors for this purpose.

  • 30.03.2020



  • 10.03.2020

    Malware Unfazed by Google Chrome's New Password, Cookie Encryption

    Genesis, one underground shop for browser data, kept using the original version of the malware and suffered grave losses when Chrome 80 came along, as uncovered by KELA researchers towards the end of February.

  • 07.03.2020

    Telus-Owned Koodo Mobile Announces Data Breach, Stolen Info for Sale

    Raveed Laeb of cybersecurity intelligence firm KELA has told BleepingComputer that Koodo accounts are being sold on various dark web websites.

    “A different market – one that specializes in automated selling of access to compromised accounts – currently offers over 21,000 Koodo accounts,” Laeb told BleepingComputer.

  • 26.02.2020

    A Small Change To Google Chrome Hits Cybercrime Marketplace Hard

    Raveed Laeb is a product manager for KELA, a threat intelligence firm that uses sophisticated, automated tools to keep tabs on the countless gigabytes of stolen data being traded on Darknet forums and marketplaces. He’s been investigating Genesis for quite some time and recently released an in-depth report on his findings so far.

  • 29.02.2020

    Chrome 80 Release Disrupted the AZORult Malware and the Genesis Marketplace

    Specialists at KELA noticed that the Genesis marketplace, which sells not just users' personal data but ready-made virtual identities, has run into serious problems.

  • 26.02.2020

    Chrome 80 Update Cripples Top Cybercrime Marketplace

    According to new research shared with ZDNet this week by threat intelligence firm KELA, the Genesis Store is currently going through a rough patch, seeing a 35% drop in the number of hacked credentials sold on the site.

    KELA says Genesis administrators are currently scrambling to fix their inventory deficit and feed the store with new credentials before customers notice a drop in new and fresh listings.

  • 24.02.2020

    KELA Wins InfoSec Award at RSA Conference 2020

    “We are very pleased to receive this prominent cybersecurity award, and it’s an honor to be selected from a wide selection of top-notch companies that were in the running for this prize. Our hard work has paid off in being recognized as global leaders in threat intelligence,” said KELA COO Eran Shtauber.

  • 21.02.2020

    Exclusive: Details of 10.6 Million MGM Hotel Guests Posted on a Hacking Forum

    According to Irina Nesterovsky, Head of Research at threat intel firm KELA, the data of MGM Resorts hotel guests had been shared in some closed-circle hacking forums since at least July, last year. The hacker who released this information is believed to have an association, or be a member of GnosticPlayers, a hacking group that has dumped more than one billion user records throughout 2019.

  • 22.02.2020

    MGM Customer Data Has Been on Dark Web for Six Months

    Irina Nesterovsky, head of research at cyber intelligence firm KELA, claimed that the most recent upload of breached data on nearly 10.7 million hotel customers was simply a repackaged bundle — as often happens on the dark web.

  • 20.02.2020

    Tokyo 2020: The Dark Web is Hacker Gold

    What treasures can hackers find on the dark web, how have these been used in the past, and what might threat actors be planning for Tokyo this summer? Here are the top four threats that KELA’s research team has been monitoring recently on the dark web.

  • 03.02.2020

    Outing Cyber-Criminals Puts a Face on Cyber-Crime

    Online threat actors are just plain criminals – like 36-year-old Aleksandr Alekseyevich Korostin from Sigayevo, Sarapul District, Udmurtiya Republic, Russia – hiding behind anonymity as SaNX. – OPINION by KELA Cyber Intelligence Center

  • 04.02.2020

    The Underground Cybercrime Ecosystem: Leveraging Intelligence to Reduce the Corporate Attack Surface


  • 31.01.2020

    “Retaliation Against the U.S. Will Be Cyber”: Is Iran Preparing to Target Banks? Former Senior Israeli Military Officer Warns


  • 24.01.2020

    Cyber Gangsters Publish Staff Passwords Following ‘Sodinokibi’ Attack on Car Parts Group Gedia

    The threat marks a disturbing change in tactics by the crime groups behind the Sodinokibi ransomware, said Irina Nesterovsky, head of research for Israeli security company and specialist in darknet threat intelligence, KELA, which monitors hacking groups.