Leak Zone Dark Web Forum Breach Exposes 22 Million User IPs and Locations

Leak Zone Dark Web Forum Breach Exposes 22 Million User IPs and Locations

A significant data breach has exposed sensitive information about users of Leakzone, a prominent dark web forum known for trading hacking tools and compromised accounts.

Security firm UpGuard discovered an unprotected Elasticsearch database containing approximately 22 million web request records, revealing user IP addresses, geographical locations, and internet service provider details from visitors to the illicit marketplace.

Discovery and Scale of the Breach

On July 18, UpGuard researchers identified the exposed database containing detailed logs of web traffic primarily directed to leakzone.net.

Leak Zone Dark Web Forum Breach Exposes 22 Million User IPs and Locations 3

The breach captured nearly three weeks of user activity, from June 25 through the discovery date, with approximately 95% of the 22 million records linked directly to the underground forum.

The remaining 5% included traffic to related sites such as accountbot.io, a platform specializing in selling compromised user accounts.

The database recorded roughly one million requests per day, with each request averaging 2,862 bytes in size, indicating substantial user engagement with the platform.

This volume of activity underscores Leakzone’s position as a major hub for cybercriminal activities, despite law enforcement efforts that have successfully shut down similar forums like Raid Forums in 2022 and led to arrests of Breach Forums operators in 2023.

Analysis of the exposed data revealed sophisticated privacy measures employed by Leakzone users. The database contained 185,000 unique IP addresses, significantly exceeding the forum’s registered user base of 109,000 members.

Leak Zone Dark Web Forum Breach Exposes 22 Million User IPs and Locations
Leak Zone Dark Web Forum Breach Exposes 22 Million User IPs and Locations 4

This discrepancy suggests widespread use of privacy tools to mask true identities and locations.

Approximately 5% of requests originated from public proxy servers, while evidence points to extensive VPN usage among heavy users.

The most active IP addresses were traced to Cogent Communications and other VPN providers, with unusual traffic patterns indicating multiple users routing connections through shared exit nodes.

Geographic analysis showed global participation, notably excluding direct traffic from China, suggesting Chinese users route connections through international proxy servers.

The breach highlights the delicate balance between anonymity and security in underground online communities.

While many users employed sophisticated privacy measures, nearly 39% of IP addresses appeared only once in the logs, potentially representing unprotected connections that could expose individual users to identification and prosecution.

The exposed metadata provides law enforcement agencies with unprecedented insights into the operational patterns of a major cybercriminal marketplace.

However, the prevalence of VPN and proxy usage demonstrates that experienced users of such platforms maintain awareness of surveillance risks and take active measures to protect their identities.

This incident underscores the ongoing challenges in monitoring illegal online activities while raising questions about data security practices even within criminal enterprises that prioritize user anonymity.

Get Free Ultimate SOC Requirements Checklist Before you build, buy, or switch your SOC for 2025 - Download Now


Source link