Fxmsp Group Made Millions by Selling Network Access

The Fxmsp hacker group has evolved from a newbie hacker in 2016 to one of the major players of the Russian-speaking underground forums. Since the time when the group started targeting corporate networks, it has stopped acting alone and expanded into a team.

Fxmsp breaching networks

Fxmsp had set a trend of selling network access credentials, that led in the second half of 2019 to almost doubling the number of network access sellers specialized in corporate intrusions. As of the latest reports, the group has breached networks of at least 135 companies in 44 countries.
  • In June, Group-IB said that the group had targeted small and medium-sized enterprises (SME), government organizations, banks, and Fortune 500 companies and made at least $1.5 million by selling network access.
  • In May 2019, Fxmsp was advertising both source code and network access of three antivirus companies in the U.S. for $300,000. The group also offered screenshots of folders containing 30 terabytes of data extracted from the breached networks.
  • In the same month, the Fxmsp chat logs revealed the names of compromised antivirus companies as Symantec, McAfee, and Trend Micro, with file timestamps, actor commentary, source code, and walkthrough of the actual code.

Other notable Fxmsp activity

In November 2018, Fxmsp compromised the private information of up to 500 million guests of the world's largest hotel chain, Marriott International. The group had access to the database since 2014.

More about Fxmsp group

  • In 2016, when Fxmsp was first identified, it was a part of the hacking part of a crew (GPTitan), which was assisted in their work by two other crews, one in China and one in the U.S.
  • The group advertised on multiple forums using the aliases - Lampeduza, Antony Moricone, BigPetya, Fivelife, Nikolay, tor.ter, Andropov, and Gromyko. The human identity behind these aliases is believed to be Andrey Turchin (allegedly of Kazakhstan).

Stay safe

Restrict the network and traffic access and monitor it on a regular basis. Use both the machine and user authentications in a single authorization to validate the authenticity to secure network access.