Krebs on Security: Tracking a Cybercriminal Broker Using Constella Intelligence



Learn how Brian Krebs tracked the digital footsteps left by the cybercriminal broker Babam using Constella’s cyber intelligence investigations platform.

Last week, the cybercrime investigative journalist Brian Krebs published a story on Babam, a network access broker who has been a major seller of initial access credentials to ransomware groups over the past few years. Babam’s trail was uncovered using Constella Intelligence’s investigative platform.

Krebs’s story explains that the gangs that deploy ransomware rarely gain initial access to their targets themselves; instead, they purchase access from a broker like Babam. The broker supplies these ransomware groups with working remote access credentials, such as usernames and passwords for a victim’s remote login services.

Using Constella’s cyber intelligence platform alongside other sources, Krebs was able to follow the digital footsteps left by Babam, surfacing email addresses, online account registrations, usernames, passwords, domains, and appearances in multiple data breaches.

Below: a rough mind map of the connections mentioned in Krebs’s story.

Tracking Cybercriminal Broker, Babam

When tracking Babam, Krebs reported:

“According to Constella, the [email protected] address was exposed in multiple data breaches over the years, and in each case it used one of two passwords: “lebeda1” and “a123456.”

Searching in Constella for accounts using those passwords reveals a slew of additional “bo3dom” email addresses, including [email protected]. Pivoting on that address in Constella reveals that someone with the name Vytautas Mockus used it to register an account at mindjolt.com, a site featuring dozens of simple puzzle games that visitors can play online.

At some point, mindjolt.com apparently also was hacked, because a copy of its database at Constella says the [email protected] used two passwords at that site: lebeda1 and a123456.”
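The passage above describes a credential pivot: start from a seed email address, collect the passwords it used across breached databases, find every other address that used those same passwords, and repeat, picking up registration names along the way. The script below is an added example of that pivot written for this page; it is not code from Constella, Constella Hunter, or Krebs’s story, and it runs over a small set of constructed, fictional breach records rather than real breach data. It also handles the caveat a practitioner has to handle: a password such as “123456” that many unrelated people choose links strangers, not aliases, so passwords on a common-password list, or shared by more than a configurable number of distinct addresses, are not used for pivoting.

```python
from collections import defaultdict, deque
from typing import NamedTuple, Optional


class Record(NamedTuple):
    """One row from a breached database: where it came from, the account
    email, the password that was stored for it, and a registration name
    if the site collected one."""
    source: str
    email: str
    password: str
    name: Optional[str]


# Constructed, fictional breach records for this example only (not data from
# Constella or the article). "seed@example.net" plays the role of the
# starting address.
RECORDS = [
    Record("sitea.example", "seed@example.net", "pw-alpha", None),
    Record("siteb.example", "seed@example.net", "pw-beta", None),
    Record("sitec.example", "alias1@example.net", "pw-alpha", None),
    Record("puzzles.example", "alias2@example.net", "pw-beta", "J. Doe"),
    Record("puzzles.example", "alias2@example.net", "pw-alpha", None),
    # A shared but extremely common password: must NOT link these two people.
    Record("sited.example", "seed@example.net", "123456", None),
    Record("sited.example", "unrelated@example.org", "123456", None),
    # A password the seed used that six strangers also picked: too widely
    # shared to be a useful pivot, so it is skipped by the sharer threshold.
    Record("sitef.example", "seed@example.net", "summer2020", None),
] + [
    Record("sitef.example", f"stranger{i}@example.org", "summer2020", None)
    for i in range(6)
]

# A short deny-list of passwords that are far too common to attribute
# anything. A real investigation would use a much longer list.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "111111", "12345678"}


def build_indexes(records):
    """Index records by email and by password so each pivot is a lookup."""
    by_email = defaultdict(list)
    by_password = defaultdict(list)
    for rec in records:
        by_email[rec.email].append(rec)
        by_password[rec.password].append(rec)
    return by_email, by_password


def pivot(records, seed_email, common_passwords=COMMON_PASSWORDS, max_sharers=5):
    """Breadth-first credential pivot from seed_email.

    Returns a dict with:
      emails:            {email: (password, source) that linked it}; the seed maps to None
      names:             registration names attached to any linked email
      skipped_passwords: passwords that were too common or too widely shared to pivot on
    """
    by_email, by_password = build_indexes(records)
    linked = {seed_email: None}
    skipped = set()
    queue = deque([seed_email])

    while queue:
        email = queue.popleft()
        for rec in by_email[email]:
            pw = rec.password
            sharers = {r.email for r in by_password[pw]}
            # Do not pivot on passwords that many unrelated people choose.
            if pw in common_passwords or len(sharers) > max_sharers:
                skipped.add(pw)
                continue
            for other in by_password[pw]:
                if other.email not in linked:
                    # Remember how we got here so the chain can be explained later.
                    linked[other.email] = (pw, other.source)
                    queue.append(other.email)

    names = {r.name for e in linked for r in by_email[e] if r.name}
    return {"emails": linked, "names": names, "skipped_passwords": skipped}


def explain(result):
    """Render the pivot chain as one line per linked address."""
    lines = []
    for email, via in result["emails"].items():
        if via is None:
            lines.append(f"{email}  (seed)")
        else:
            pw, source = via
            lines.append(f"{email}  linked via password {pw!r} seen in {source}")
    return "\n".join(lines)


if __name__ == "__main__":
    res = pivot(RECORDS, "seed@example.net")
    print(explain(res))
    print("names:", sorted(res["names"]))
    print("skipped (too common to pivot on):", sorted(res["skipped_passwords"]))
```

Every link the script returns carries the password and the breach it came from, which is what an investigator needs to write up the chain afterwards; a pivot whose evidence cannot be restated step by step is not an attribution. The two thresholds (the deny-list and `max_sharers`) are the knobs to tune against the size of the corpus: in a large breach collection even a fairly unusual password may be shared by a handful of unrelated people, so a hit on a single password is a lead to confirm with a second, independent link such as a shared username or registration name, not a conclusion.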

The findings about Babam in this story were produced with Constella Hunter, a platform for investigating threat actors and unmasking attackers that lets analysts attribute identities and surface further intelligence across multiple data sources at once. The tool is used by government and other public agencies, top financial services organizations, and many others. Hunter provides an intuitive user experience and has recently added features, requested by customers, that speed up investigations of threat actors.