Russian Hacker ‘Sheriff’ Continues Attack Spree, Sells 62,000 eToro Accounts

Top-tier actors on the Russian-speaking cybercriminal underground are striking various deals to maximize profits, either by selling access to compromised accounts or by auctioning data stolen in earlier attacks. A threat actor dubbed ‘Sheriff’ was recently seen making such an offer on a cybercrime forum, this time for tens of thousands of active accounts.

Sheriff targets eToro

‘Sheriff’, a threat actor known for specializing in attacks on banks, financial institutions, and government agencies, was found selling active accounts belonging to eToro users.
  • Earlier this month, ‘Sheriff’ advertised an auction for 62,000 accounts on eToro, a social trading platform.
  • The offer included login credentials, contact numbers, postal addresses, and account balances, with a starting price of $1,500.

Recent attacks by Sheriff

Sheriff, who relies on brute-forcing, credential-stealing malware, and Citrix remote desktop (RDP) exploits, has been involved in several cyberattacks over the past few months.
  • In June 2020, Sheriff held Citrix RDP access to a European construction company focused on oil projects and advertised access to 3,200 cPanel accounts.
  • In May 2020, Sheriff gained admin access to an e-commerce organization's WordPress plugin, along with information on about 815,000 orders.

Connections with REvil’s syndicate

Recently, the cybersecurity firm AdvIntel found a connection between REvil operators and several other threat actors, including Sheriff, all of them part of a criminal syndicate focused on network intrusions.
  • The REvil gang has recently deepened its cooperation with Sheriff. It is believed that REvil used a new alias, ‘unknown,’ which resembles the group’s existing “UNKN” alias, to interact with Sheriff.
  • Besides Sheriff, the REvil gang is also in close contact with several other threat groups, namely Kerberos and Energydrinkkk, all apparently working together as a crime syndicate.