BidenCash Business Expansion: SSH Server Access Now Available on Dark Web

BidenCash, a notorious marketplace for selling leaked credit card information, has expanded its services by offering SSH access to buyers for as low as $2. This new offering can have severe consequences for cybersecurity.

Bablu Kumar
May 16, 2023
Green Alert
Last Update posted on February 3, 2024
Author(s)
Rishika Desai

Introduction

BidenCash, a carding marketplace infamous for selling leaked credit card information, has gained significant traction since its launch in April 2022. The marketplace has recently ventured into a new area by offering SSH services to buyers for as low as USD 2. The impact of these offerings can be severe as threat actors can launch cyber attacks with the powerful processing capabilities of the servers.

In October 2022, the first dataset of 1.2 million credit cards was leaked. The datasets included sensitive information such as Personally Identifiable Information (PII) and Social Security Numbers (SSNs), along with card details and CVV codes. As a result, the marketplace quickly grew in popularity and saw a significant increase in monthly visitors, with the highest number of visitors in February 2023 following its latest release of 2 million unique credit card records that month.

BidenCash's New Venture: Selling SSH Access 

In the latter part of last week, CloudSEK noticed a slight deviation from the primary business model of BidenCash, which involves selling leaked credit card information. The marketplace appears to have ventured into a new area of selling SSH access to interested buyers.

Advertisement post on the forum

As per the advertisement on a Russian-speaking underground forum, the key features provided by BidenCash ensure a smooth and efficient experience for those interested in purchasing SSH access through BidenCash. The offerings include:

 

  • Shell presence check: To ensure the presence of a shell on the target server
  • CPU and RAM information: To provide information about the server's processing power
  • Server flag information: To check for the presence of known vulnerabilities or exploits
  • Socks5 port availability check: To check if the server supports the Socks5 protocol
  • Geolocation check: To confirm the server's location
  • Checking IP addresses against blacklists (Spamhaus, Sorbs.net, Spamcop, SouthKoreanNBL, Barracuda BBL): To ensure the server's IP address is not blacklisted

  • Available filtering options include filters based on geography, architecture, presence of a shell, availability of socks5, username, etc.
  • Validity check before issuing SSH access: To guarantee the absence of dead accesses.

Different offerings based on the type of SSH servers

The advertisement also encourages other threat actors to join forces in order to expand this venture. BidenCash receives 30% in commission for each sale offered on the website. 

Commission received by BidenCash for each sale


Based on this new offering, existing sellers on other dark web forums may also start gathering SSH accesses to maximize their earnings from the marketplace. By listing their accesses on BidenCash, threat actors can escape the negotiation cycle and the traps set by security researchers on the forums.

Threat actors advertising SSH access on the same cybercrime forum where BidenCash listed their new offering

Analysis of BidenCash's SSH Inventory and Potential Earnings

After analyzing BidenCash's SSH inventory over the past five days, we've discovered that they've listed over 850 SSH servers with varying architecture, CPU configurations, and countries, among other things. The prices for these servers range from $2 (lowest) to $10 (highest).

SSH Servers from the most affected countries

Based on our rough calculations, if all 850 listed SSH servers are sold, sellers on the marketplace stand to make an average of $3,570 every five days (or $21,420 every month), while BidenCash itself would receive $1,530 (or $9,180 every month) in commission. However, given the popularity of BidenCash, we anticipate at least a 3-fold increase in the number of listings on the marketplace, which can attract more potential buyers over time.

Vouch for the Service

With the launch of the new SSH offering, threat actors have already started vouching for it on various dark web forums. Given the popularity and reputation of BidenCash in the underground market, it is highly likely that many cybercriminals have already started purchasing these illegitimate offerings to conduct nefarious activities.

Threat actors vouching for the new SSH service

Long-term Impact

The SSH servers being offered on the BidenCash marketplace are not only cheap but also come with varying CPU configurations and processing power. Some of the servers with admin-level or root-level access are available for as low as $10 and are equipped with powerful hardware specifications. Among the most powerful servers we have observed on the marketplace is one with 196GB RAM and 104 CPU cores.

This poses a significant risk as threat actors can leverage this power to conduct a wide range of malicious activities, such as data exfiltration, brute force and ransomware attacks, and cryptocurrency mining. Moreover, they can launch large-scale DDoS attacks to disrupt services at private and government organizations, causing significant damage to their operations and reputation.

Conclusion

With the ability to purchase powerful servers while maintaining anonymity, cyber attacks can be very difficult to thwart. The availability of SSH servers on marketplaces such as BidenCash can increase the scope and scale of attacks, making it imperative for organizations to ensure the security of their systems and keep their SSH servers secure.

Author

Bablu Kumar

Bablu is a technology writer and an analyst with a strong focus on all things cybersecurity
