Worm.ws was hacked earlier today where Peace of Mind hacking group leaked its database online for anyone to download.

A group of popular darknet hackers going by the handle of Peace_of_Mind have hacked and defaced the official website of w0rm.ws, an ‘invite only’ hacking and trading forum that sells stolen data and exploits to buyers.

The hackers left a deface page along with a brief message on the forum’s homepage with personal details of a man named Sarpovu Nikolai alleged by the hackers as the owner of the wOrm.ws forum. In other words, the hackers have allegedly doxed the owner of the w0rm.ws forum. It is unclear if Nikolai is the real owner of the forum but the deface page has personal details about him. That includes his date of birth, father’s name, mother’s name, nationality, residence permit and his operating system.

hacking-trading-forum-w0rm-ws-hacked-data-leaked-o1

After reading the message on the deface page, the hacking incident seems like a cyber war between underground Hell Hacking Forum and wOrm.ws.

“Hacked by Peace of Mind for fucking with Hell Forum”, according to the message from.

Hell is a darknet hacking forum which was hacked last year but surfaced back on the Internet earlier this year. However, when it comes to the leaked data we requested the data mining company Hacked-DB for a scan and here’s an in-depth data analysis.

Leaked data

In total, the entire website data including files, databases, exploits kits, user data including accounts, passwords, history, PMs, forum posts and other sensitive data has been leaked.

The hackers leaked forum’s database in a zip and SQL files. The very first file available for download is ekit.sql which contains information client-side exploits and details about exploits with Common Vulnerabilities and Exposures (CVE) in text only from. The same file is also a database for Hunter exploit kit. Furthermore, there are few links to third party exploit files.

Exploit Hunter kit

The second file in the database is ”hunter_ek.tar.7z” which is actually a full exploit folder of the targeted forum. It contains important information about the database – showing that the forum successfully created exploits for high-profile software including Adobe Flash player, Internet Explorer, Microsoft Office and PowerPoint. 

hacking-trading-forum-w0rm-ws-hacked-data-leaked-4
Screenshot from the leaked data shows a number of exploits kids being leaked online
hacking-trading-forum-w0rm-ws-hacked-data-leaked-2
Screenshot from the leaked data
hacking-trading-forum-w0rm-ws-hacked-data-leaked-3
Screenshot from the leaked data

Hacked-DB has also found Hunter Exploit kit version Hunter Framework Panel 1.0.1 installed on the server with a user account named hunter. In addition, there are some discussions related to hunters exploit kit.

hunter-exploit-kit
Screenshot of user under the Hunter Exploit kit

Remember, Hunter Exploit Kit was exposed in 2015 by ProofPoint researchers showing its activity against banking customers in Brazil. In w0rm.ws case, the Hacked-DB researchers have found the forum’s admin using Hunter exploit kit. Apart from that, the last file in the folder contains server login and timestamps details.

List of leaked exploit kits

leaked-exploit-kit

Researchers are not sure if worm.ws’ owner or users created the above-mentioned exploits.

Main database folder

The main website database folder in the leaked data is named as ‘w0rmws.tar.gz’ which shows the forum is based on outdated vulnerable vBulletin 3.8.7 forum software that resulted in massive data breaches of several gaming platforms including LifeboatDota 2Grand Theft AutoEpic Games, and Clash of kings.

Further analysis shows the main folder has several sub folders containing information about site’s html, HTTP and https codes. One text file shows an email based contact email and a secret key for the google captcha.

User data:

Researchers also found data of 323 users that includes usernames, encrypted passwords and personal messages sent by users to the forum admin asking for a refund and offering a database of a gaming forum. Here is an example pm for our readers:

hacking-trading-forum-w0rm-ws-hacked-data-leaked-4

There are several other folders showing more users’ activities and sales the forum has done since its launch but they are not as important as above mentioned analysis however Hacked-DB has issued a statement on the data according to which:

“Based on the leaked information it seems that the forum was hacked due to the old version of VBulletin with known exploits. The data basically uncover registered user accounts along with their PMs and IPs which can provide the lead if an authority will try to pursuit them. In addition, there are privately traded databases which may be only accessible to the forum users.”

This is not the first time when an underground hacking and trading forum has suffered a security breach. In fact, this year the Sh0ping.su and Nulled.io forums were hacked, leaking of thousands of stolen credit cards and exploits.

Note: 

We got the tip about this breach by Peace of Mind hackers via email however we couldn’t ask for a statement from him as any email sent to his ID would bounce back. Remember, Peace is the group of hackers who was previously selling YahooMySpace, LinkedIn, Twitter, Beautiful People, Lookbook.nu and VK.com databases on the darknet. 

At the time of publishing this article, the targeted forum was hacked but the story behind Hell Hacking Forum and worm.ws’ rivalry is still unknown.

Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.