Leak Zone Dark Web Forum Database Exposes 22 Million Users’ IP Addresses and Locations

An unprotected database has exposed the browsing activity of visitors to Leakzone, one of the internet's more prominent leaking and cracking forums. 

On Friday, July 18, cybersecurity firm UpGuard discovered an unprotected Elasticsearch database containing approximately 22 million records of web requests, with 95% of traffic directed to leakzone[.]net, a prominent “leaking and cracking forum” that facilitates the distribution of hacking tools, exploits, and compromised accounts. 

Key Takeaways
1. 22 million records from the dark web forum Leakzone exposed user IP addresses and locations.
2. 185,000 unique IPs exposed; the VPN and proxy use of some visitors did not keep their connections out of the logs.
3. Digital anonymity failed, potentially enabling law enforcement to track cybercriminals.

Each record carried the requesting IP address, its geolocation, and internet service provider metadata, together with the timestamp and request details, amounting to a map of who visited the forum and when.
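The root cause here is an Elasticsearch instance reachable from the internet with no authentication in front of it. The following is an added example, not UpGuard's tooling or anything from the article, showing how to test one of your own for the same condition: it requests the `_cat/indices` listing, treats a 401 or 403 as authentication enforced and an anonymous 200 carrying a JSON index list as open, and sizes the exposure from the document counts. The host, the port and the sample response body are assumptions constructed for the example.

```python
"""Probe an Elasticsearch endpoint for anonymous read access.

Added example (not UpGuard's or the article's code). Run it only against
systems you are authorized to test.
"""
import json
import urllib.error
import urllib.request


def classify(status, body):
    """Classify the response to GET /_cat/indices?format=json.

    401/403 means authentication is enforced. A 200 whose body is a JSON list
    of index objects means anyone who can reach the port can read the data.
    """
    if status in (401, 403):
        return "auth_required"
    if status == 200:
        try:
            data = json.loads(body)
        except ValueError:
            return "unknown"
        if isinstance(data, list) and all(isinstance(i, dict) for i in data):
            return "open"
    return "unknown"


def summarize(body):
    """Total document count and index names from an open _cat/indices listing.

    _cat returns numbers as strings, hence the int() conversion. This is the
    quickest way to size an exposure (the article's 22 million records).
    """
    indices = json.loads(body)
    total = sum(int(i.get("docs.count") or 0) for i in indices)
    return total, sorted(i["index"] for i in indices)


def probe(host, port=9200, timeout=5):
    """Return (verdict, summary) for host:port; summary is None unless open."""
    url = f"http://{host}:{port}/_cat/indices?format=json"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
            verdict = classify(resp.status, body)
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read().decode("utf-8", "replace")), None
    except (urllib.error.URLError, OSError):
        return "unreachable", None
    return verdict, (summarize(body) if verdict == "open" else None)


# Constructed response body for offline use; not output from the exposed server.
OPEN_BODY = json.dumps([
    {"health": "green", "status": "open", "index": "web-requests-a", "docs.count": "21000000"},
    {"health": "green", "status": "open", "index": "web-requests-b", "docs.count": "1000000"},
])

if __name__ == "__main__":
    print(classify(200, OPEN_BODY), summarize(OPEN_BODY))
    # Against a live host (assumed name): print(probe("es.example.internal"))
```

Elasticsearch 8 enables authentication by default; on 7.x and earlier, confirm that `xpack.security.enabled` is true and that `network.host` is not bound to a public interface, because port 9200 answering anonymously is exactly what indexing services and scanners look for.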

Exposes 22 Million Leakzone Records

The exposed Elasticsearch database contained records spanning from June 25 to the time of discovery, capturing approximately one million requests per day with a median request size of 2,862 bytes. 

The records showed that 185,000 unique IP addresses accessed the platform during this three-week period, well above Leakzone's registered user base of 109,000 accounts, according to the UpGuard report.

A higher IP count than account count does not mean more people than accounts: request logs record every visitor, registered or not, and a single user can appear under many addresses through ISP dynamic addressing or by rotating proxies and VPN exits.

Technical analysis showed that 1,375,599 records, about 6% of the roughly 22 million, came from 3,983 IP addresses routed through public proxies. These were identifiable because each record carried an "is_proxy" flag and a "proxy_type" field, set to "PUB" for public proxies. 

More significant was the evidence of VPN use: the third, fourth, and sixth most active IP addresses all sat in address space belonging to Cogent Communications. Cogent is a transit and hosting provider rather than a VPN service itself; what marked these addresses as VPN exit nodes hosted on its network was their traffic volume. 

The traffic distribution pattern suggested these heavily-used IP addresses represented VPN exit nodes serving multiple users rather than individual connections.

The exposure has serious privacy consequences for the forum's users. An IP address is personal data under the GDPR where it can be linked to a person, and paired with a timestamp and ISP it is exactly what an investigator needs to ask a provider for the subscriber behind a request, or to match the same visitor against other leaked datasets. 

Geographic analysis showed traffic from around the world, with one notable gap: no direct connections from China. The likely explanation is that Chinese users reach the forum through proxies in other countries, though the logs alone cannot distinguish that from the site simply being unreachable from inside China. 

Address space belonging to cloud providers, including Amazon, Microsoft, and Google, also featured prominently in the logs. Some of that will be users tunnelling through rented cloud hosts for anonymity; some will be crawlers and scanners, which the logs do not separate out.

The exposure shows how little anonymity a VPN or proxy buys once the server side logs every request. The 39% of IP addresses that appeared only once in the logs are the most likely to be direct connections with no VPN in front of them, while the concentration of traffic on a handful of identifiable VPN exit addresses gives investigators a short list of providers whose records matter. That counts for more in a period of active enforcement against such forums, including the recent arrest of the suspected administrator of the Russian-language hacking forum XSS[.]is.
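The figures above (unique IPs, the share behind public proxies, the most active addresses, the share of addresses seen only once, and countries absent from the logs) are all simple aggregations over records carrying the fields the article names. The following is an added example, not UpGuard's analysis code, that runs those aggregations over a handful of constructed records. The sample IPs are RFC 5737 documentation addresses; the "is_proxy" and "proxy_type" fields follow the article, while the other field names and the organisation names other than Cogent Communications are assumptions.

```python
"""Aggregate exposed web-request logs the way the article's figures were derived.

Added example; the records are constructed, not the leaked data.
"""
from collections import Counter


def make_records(ip, country, org, n, proxy_type=None):
    """Build n constructed records for one source IP. proxy_type 'PUB' marks a
    public proxy, mirroring the is_proxy / proxy_type fields in the article."""
    return [{"ip": ip, "host": "leakzone.net", "country": country, "org": org,
             "is_proxy": proxy_type is not None, "proxy_type": proxy_type}
            for _ in range(n)]


# Constructed sample: one home user seen twice, one public proxy, one busy
# address in Cogent space (the VPN-exit pattern), and two single-hit visitors.
RECORDS = (
    make_records("203.0.113.10", "DE", "ExampleNet ISP", 2)
    + make_records("198.51.100.7", "NL", "Example Proxy Host", 3, proxy_type="PUB")
    + make_records("192.0.2.1", "US", "Cogent Communications", 6)
    + make_records("192.0.2.50", "GB", "Example Broadband", 1)
    + make_records("192.0.2.51", "FR", "Example Telecom", 1)
)


def unique_ip_count(records):
    """The article's 185,000 figure is this count over the full dataset."""
    return len({r["ip"] for r in records})


def public_proxy_stats(records):
    """(records, distinct IPs) flagged is_proxy with proxy_type == 'PUB'."""
    pub = [r for r in records if r["is_proxy"] and r["proxy_type"] == "PUB"]
    return len(pub), len({r["ip"] for r in pub})


def top_ips(records, n=3):
    """Most active source addresses, the starting point for spotting shared exits."""
    return Counter(r["ip"] for r in records).most_common(n)


def shared_exit_candidates(records, min_requests):
    """IPs whose request volume is implausible for one person: likely VPN or
    proxy exit nodes. Returns ip -> organisation so the hosting provider is visible."""
    counts = Counter(r["ip"] for r in records)
    org_by_ip = {r["ip"]: r["org"] for r in records}
    return {ip: org_by_ip[ip] for ip, c in counts.items() if c >= min_requests}


def single_hit_share(records):
    """Fraction of distinct IPs seen exactly once (the article's 39%)."""
    counts = Counter(r["ip"] for r in records)
    singles = sum(1 for c in counts.values() if c == 1)
    return singles / len(counts)


def countries_absent(records, expected):
    """Countries from an expected list with no direct connections in the logs."""
    seen = {r["country"] for r in records}
    return sorted(set(expected) - seen)


if __name__ == "__main__":
    print("unique IPs:", unique_ip_count(RECORDS))
    print("public proxy records/IPs:", public_proxy_stats(RECORDS))
    print("top IPs:", top_ips(RECORDS))
    print("shared exits:", shared_exit_candidates(RECORDS, min_requests=5))
    print("single-hit share:", single_hit_share(RECORDS))
    print("absent countries:", countries_absent(RECORDS, ["US", "CN", "DE"]))
```

The threshold passed to shared_exit_candidates is a judgement call: on a real dataset it would be set from the request-count distribution, and the organisation behind each candidate then tells you whether it is a consumer ISP (one person) or a hosting or transit provider such as Cogent (likely a shared exit).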
