Imperial Market TorGrid Hidden Links

Hackers Are Selling More Than 85,000 MySQL Databases on a Dark Web Portal

Hackers break into databases, steal their content, hold it for ransom for 9 days, and then sell to the highest bidder if the DB owner doesn't want to pay the ransom demand. More than 85,000 MySQL databases are currently on sale on a dark web portal for a price of only $550/database.

The portal, brought to ZDNet's attention earlier today by a security researcher, is part of a database ransom scheme that has been going on since the start of 2020. Hackers have been breaking into MySQL databases, downloading tables, deleting the originals, and leaving ransom notes behind, telling server owners to contact the attackers to get their data back.

While initial ransom notes asked victims to contact the attackers via email, as the operation grew throughout the year, the attackers also automated their DB ransom scheme with the help of a web portal, first hosted online at and, and then moved an Onion address, on the dark web.

Victims who access the gang's sites are asked to enter a unique ID, found in the the ransom note, before being presented with the page where their data is being sold. If victims don't pay within a nine-day period, their data is put up for auction on another section of the portal.

The price for recovering or buying a stolen database must be paid in bitcoin. The actual price has varied across the year as the BTC/USD exchange rate fluctuated but has usually remained centered around a $500 figure for each site, regardless of the content they included.

This suggests that both the DB intrusions and the ransom/auction web pages are automated and that attackers don't analyze the hacked databases for data that could contain a higher concentration of personal or financial information.

Signs of these ransom attacks have been piling up over the course of 2020, with the number of complaints from server owners finding the ransom note inside their databases popping up on Reddit, the MySQL forums, tech support forums, Medium posts, and private blogs.

Bitcoin addresses used for the ransom demands have also been piling up on, a website that indexes Bitcoin addresses used in cybercrime operations. These attacks mark the most concerted effort to ransom SQL databases since the winter of 2017 when hackers hit MySQL servers in a series of attacks that also targeted MongoDB, Elasticsearch, Hadoop, Cassandra, and CouchDB servers as well.


Read Comments & Discuss This Article on Dread

Share this article

  • The Deep Web
  • Cryptocurrencies
  • Darknet Markets
  • Cybersecurity & ...
  • Editor's Picks
A darkweb cocaine and heroin trafficker has
Sensitive information of over 100 million debit
Police have arrested a man who hired a gang of
An "immature" MDMA dealer who used his own name
Hackers break into databases, steal their
Personal data is being sold on the dark web for
Cybercriminals can use stolen information for
Ireland’s crime gangs have increased their use of
The CCB caught the programmer while they were
  • 1
  • 2
  • 3
Submarine   Hidden Links   Onion Scanner


Visit Our Friends

Subscribe to Our Newsletter

Enter your email to receive our monthly newsletter!
We use cookies to improve our website. By continuing to use this website, you are giving consent to cookies being used. More details…