Hacker Fxmsp Made $1.5 Million Selling Access to Corporate Networks
Over a three-year period, the hacker known as Fxmsp compromised around 135 companies in 44 countries worldwide. According to conservative estimates, Fxmsp’s profits during his active years could have reached $1.5 million (about 100 million rubles), not including private sales, listings without specified prices, or repeat sales of access to victim company networks.
Information regarding Fxmsp’s suspected identity has already been handed over to international law enforcement agencies. Although Fxmsp had been mentioned in public sources before, Group-IB has, for the first time, provided a detailed account of the investigation and previously undisclosed facts. It is possible that the hacker is still active, continuing to breach company networks and posing an ongoing threat. In light of this, researchers have published a report containing not only data on Fxmsp’s tools and tactics but also their recommendations for protection to help prevent future crimes.
Rise of Corporate Network Access Sales
Group-IB Threat Intelligence experts began noticing an increase in offers related to the sale of access to corporate networks starting in 2017, coinciding with Fxmsp’s emergence on the hacker scene. At that time, forums were mostly flooded with offers for access to hacked websites, individual servers, and accounts. However, in the second half of 2017, Fxmsp became the most prominent player and absolute leader in the “elite” niche of selling access to corporate networks.
Over time, Fxmsp set a new trend in the underground community, turning access sales from a product into a service—providing privileged access to victim company networks for his clients.
Fxmsp’s Activity and Influence
Fxmsp’s main period of activity was in 2018. Afterward, the niche was vacant for a while, but starting in early 2019, new cybercriminals began to follow in his footsteps, adopting Fxmsp’s techniques. According to Group-IB’s research, since the beginning of 2020, more than 40 cybercriminals have been practicing Fxmsp’s “craft” on underground forums. In total, over 150 listings for access to corporate networks in various industries have been posted during this time.
The experts’ report traces Fxmsp’s activities from his first registration on an underground forum to his disappearance from hacker platforms. Fxmsp did not specialize in compromising specific companies. His top three targets were light industry enterprises, IT service providers, and retailers. Among Fxmsp’s victims were some major players: four companies were listed in the 2019 Fortune Global 500 ranking. His track record also includes banks, energy companies, telecom operators, and organizations in the energy sector. One of these organizations suffered a ransomware attack in the summer of 2020, by which time Fxmsp’s services had not been offered on underground markets for eight months.
Operations and Partnerships
Together with his accomplice, known as Lampeduza—who handled advertising and transaction support—Fxmsp offered access to 135 companies in 44 countries between October 2017 and September 2019. These countries included the USA, Russia, the UK, France, Italy, the Netherlands, Singapore, Japan, Australia, and many others. Despite the unwritten rule in the underground community not to target “RU” (Russian companies), Fxmsp sold two listings involving Russian victims, for which he was banned by forum moderators, but this did not stop him.
The Group-IB report is named after one of Lampeduza’s promotional posts. Having earned a reputation in the underground community, the group gained regular clients. Lampeduza was involved only at the monetization stage, while Fxmsp handled all stages of the attack, including scanning IP ranges for open RDP port 3389, brute-forcing, establishing persistence in the network, and installing backdoors.
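The attack chain described above (scan for exposed RDP, then brute-force) leaves a recognizable trace on the target: a burst of failed RemoteInteractive logons from one source address, sometimes followed by a successful one. The following detector is an added example written for this page, not code from the article or from the Group-IB report. It reads Windows Security events exported as JSON lines and flags sources whose RDP failures (Event ID 4625, logon type 10) cluster within a short window; the field names (EventID, LogonType, IpAddress, TargetUserName, TimeCreated) are assumed to follow the Windows Security event schema, and the log lines themselves are constructed for the example.

```python
"""RDP brute-force detector over Windows Security events (added example).

Assumptions: records are JSON objects, one per line, with fields named as in
the Windows Security event schema. Event 4625 = failed logon, 4624 = successful
logon, LogonType 10 = RemoteInteractive (RDP). The sample log is constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 makes six RDP failures in under three minutes
# and then succeeds as "backup"; 198.51.100.9 fails once (normal user error).
# The LogonType 3 record is a network logon and must be ignored by the rule.
SAMPLE_LOG = """
{"TimeCreated": "2020-06-01T02:00:01", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "administrator"}
{"TimeCreated": "2020-06-01T02:00:09", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "administrator"}
{"TimeCreated": "2020-06-01T02:00:20", "EventID": 4625, "LogonType": 3, "IpAddress": "203.0.113.7", "TargetUserName": "administrator"}
{"TimeCreated": "2020-06-01T02:00:31", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "administrator"}
{"TimeCreated": "2020-06-01T02:01:02", "EventID": 4625, "LogonType": 10, "IpAddress": "198.51.100.9", "TargetUserName": "jsmith"}
{"TimeCreated": "2020-06-01T02:01:15", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "administrator"}
{"TimeCreated": "2020-06-01T02:01:44", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "backup"}
{"TimeCreated": "2020-06-01T02:02:30", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "backup"}
{"TimeCreated": "2020-06-01T02:03:00", "EventID": 4624, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "backup"}
"""


def parse_events(text):
    """Parse JSON-lines records, converting TimeCreated to a datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["TimeCreated"] = datetime.fromisoformat(rec["TimeCreated"])
        events.append(rec)
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: finding} for sources with >= threshold RDP failures inside
    any span of length `window`. A finding also records whether a successful
    RDP logon from the same source followed the last failure."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda r: r["TimeCreated"]):
        # Only RemoteInteractive (RDP) logon outcomes are relevant here.
        if e.get("LogonType") == 10 and e.get("EventID") in (4624, 4625):
            by_ip[e["IpAddress"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["EventID"] == 4625]
        # Sliding window: largest number of failures inside any `window` span.
        peak, start = 0, 0
        for i, f in enumerate(failures):
            while f["TimeCreated"] - failures[start]["TimeCreated"] > window:
                start += 1
            peak = max(peak, i - start + 1)
        if peak < threshold:
            continue
        last_failure = failures[-1]["TimeCreated"]
        success_after = any(
            e["EventID"] == 4624 and e["TimeCreated"] > last_failure for e in evs
        )
        findings[ip] = {
            "failures": len(failures),
            "peak_in_window": peak,
            "users": sorted({f["TargetUserName"] for f in failures}),
            "success_after": success_after,
        }
    return findings


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_rdp_bruteforce(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for ip, f in run_sample().items():
        tag = "credentials likely guessed" if f["success_after"] else "brute-force attempt"
        print(f"{ip}: {f['failures']} RDP failures (peak {f['peak_in_window']} "
              f"in window), users={f['users']}: {tag}")
```

A success following a burst of failures from the same source is the signal worth paging on; a burst alone is common background noise on any host that exposes 3389 to the internet, which is itself the condition the article's attack chain depends on.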
Public Exposure and Ongoing Threat
The nickname Fxmsp became widely known in May 2019 after media reports that the Fxmsp group was selling the source code of at least three unnamed antivirus products, valuing it at $300,000. One of the companies later partially confirmed the breach, though it assessed the incident as non-critical. However, by the time the news broke, Fxmsp had already ended his “public” activities.
Researchers emphasize that the most prolific “access seller” likely remains at large, posing a threat to companies across a wide range of industries, regardless of their country.
“Selling access to corporate networks is still a relatively rare service, available on a limited number of underground resources, mainly Russian ones. More than 130 organizations worldwide have suffered from Fxmsp’s activities, making him one of the most dangerous criminals in his field, possibly still active today. We hope our research will help speed up the detection and arrest of the criminal hiding under the nickname Fxmsp and his associates, and discourage others from following in his footsteps. That’s why we decided to provide an extended version of our report to international law enforcement agencies and to publish available materials on Fxmsp’s tools and tactics, showing how to protect against such attacks,”