2easy: A Rising Darknet Marketplace for Stolen Data

2easy Darknet Marketplace Gains Popularity

According to analysts at KELA, the darknet marketplace 2easy is rapidly gaining traction and is becoming a significant player in the sale of stolen data. The company’s report states that the stolen information being sold was collected from approximately 600,000 devices infected with malware.

On 2easy, the main items for sale are so-called “logs”—archives of data stolen by malware from compromised browsers and systems. Typically, these dumps include login credentials, cookies, and saved bank card information.

Growth and Reputation of 2easy

2easy was launched back in 2018, but it has shown rapid growth since last year. Not long ago, the site was selling data from only 28,000 infected devices and was considered a minor player in the market. KELA experts believe this sharp rise is due to the platform’s development and the consistent quality of its offerings, which have earned 2easy a strong reputation and popularity within the hacker community.

How 2easy Works

The 2easy site is fully automated, allowing anyone to create an account, add funds to their wallet, and make purchases without directly interacting with sellers. Data is available for purchase at an average price of $5—about five times cheaper than on the Genesis marketplace and three times less than the average price on the Russian black market.

Experts note that 2easy’s graphical interface is user-friendly and allows users to:

  • View all URLs where infected machines have logged in
  • Search for specific URLs of interest
  • See a list of infected machines from which credentials for a given site were stolen
  • Check seller ratings
  • Review tags assigned by sellers, which usually include the date the machine was infected and sometimes additional notes
  • Obtain credentials for selected targets

Limitations and Malware Used

KELA points out that the main drawback of 2easy is that the platform does not let potential buyers preview an item before purchase, for example by showing a redacted IP address or the OS version of the device from which the data was stolen.

Each “lot” bought on 2easy comes as an archive containing the stolen logs from the selected bot. The type of content depends on the specific malware and its capabilities. However, in 50% of cases, sellers use the RedLine stealer, which can steal passwords, cookies, bank card data stored in browsers, FTP credentials, and more.

Five out of the eighteen sellers operating on 2easy use only RedLine, while the others use additional malware, including Raccoon Stealer, Vidar, and AZORult.

Risks and Real-World Impact

KELA analysts warn that these logs and the information they contain often become the key to breaching corporate networks. For example, during the Electronic Arts attack revealed in June 2021, hackers purchased stolen cookies online for just $10 and used them to access EA’s Slack channel. Once inside Slack, the hackers tricked an EA employee into providing a multi-factor authentication token, which allowed them to steal source code for several games.
