Krebs reveals identity of x999xx hacker

Carding Forum

Most experienced cybercriminals hide their real identity behind pseudonyms. However, some hackers don't really care about their anonymity. One such example is the hacker x999xx, who provides access to corporate networks for various ransomware groups. Details about the hacker's life were revealed by Brian Krebs in his blog.

Hacker x999xx, a well-known Initial Access Broker (IAB), sells remote access credentials and databases with personal and financial information. In February 2019, the analytical company Flashpoint named x999xx one of the most active participants in the cybercrime forum Exploit, where he regularly sold stolen databases and network accounts.

In August 2023, x999xx sold access to a real estate software company. In July 2023, he offered for sale social security numbers, names and dates of birth of citizens of one of the US states. In June 2023, x999xx put up for sale 80 databases of the largest Australian retail company.

Hacker x999xx started his activity in 2009 on the Verified forum under the address maxnm@ozersk[.]com, which was used more than 10 years ago to create a VKontakte account under the name Maxim Kirtsov from Ozersk. The "maxnm" profile shows a date of birth of September 5, 1991. In 2014, Kirtsov registered on the Zloy forum with the address maxnmalias-1@yahoo[.]com, which was later used to create an account on cdek.ru under the name Maxim Georgievich Kirtsov.

Until 2009, x999xx used the pseudonym Maxnm on various Russian-language cybercrime forums, such as Spamdot, Exploit, and Damagelab. A search by the name of Kirtsov Maxim Georgievich revealed many accounts registered to the address maksya@icloud[.]com. The address was used 10 years ago to create an account on imageshack[.]com under the name x999xx, which contains screenshots of bank accounts, correspondence with other hackers, and hacked sites.

On Kirtsov's VKontakte page, you can also find photos of cars and domestic plants that match the photos on his imageshack account. In 2012, Kirtsov was an employee of the Ozersk Institute of Technology of the National Research Nuclear University.

On the VKontakte page, Kirtsov's occupation includes a website called ozersk[.]today, which at first glance looks like a blog about life in Ozersk. However, in 2019, the information security company Recorded Future discovered that this domain was used to host a Cobalt Strike server.

According to DomainTools.com data, ozersk[.]today was registered to the email address dashin2008@yahoo.com, which was also used to register approximately 20 other domains, including x999xx[.]biz. Almost all domains were registered to Maxim Kirtsov.

In correspondence with KrebsOnSecurity, Kirtsov confirmed that he is x999xx. Maxim does not consider himself guilty of extortion, but is more focused on data collection. In his posts on forums, Kirtsov mentioned that he never attacks objects in his own country and is not afraid of prosecution as long as his activities are aimed at foreign targets.

The history of x999xx reminds us that many cybercriminals consider themselves inviolable as long as they stay in a certain territory. Despite this, Western law enforcement agencies use psychological operations to deal with such criminals, infiltrating their networks and breaking their trust in each other.

This is what they did with LockBit, taking over the group's infrastructure. In addition, in May, Operation Endgame hijacked more than 100 servers used for major malware campaigns using programs such as IcedID, Pikabot, Trickbot, Bumblebee, Smokeloader, and SystemBC.

• Source: https://krebsonsecurity.com/2024/07/the-not-so-secret-network-access-broker-x999xx/

• Source: https://www.securitylab.ru/news/549803.php
 