With a target reach of 44 countries, affecting nearly 135 companies and net earnings of more than $1.5 million, meet Fxmsp, the ‘Richie Rich’ of the underground market who made a fortune by selling corporate network access. This famed cybercriminal, who is a ghost in the underground forum, has been in operation for merely three years, however, has quickly learned the traits of the trade to climb up the ladder.
The Birth of Fxmsp
According to a Group-IB report, Fxmsp took to cybercrime world in September 2016 when he registered on a Russian underground forum, fuckav[.]ru. The mistakes made in his early posts indicate how naïve he was to this world and how he did not know to monetize the access and maintain persistence within the networks he had compromised. He often sought help from other users of the underground community.
The Rise and Fall
However, once he picked up the answer to “How”, he never looked back. By October 2017 he registered on multiple underground forums such as exploit[.]in and began targeting the corporate networks of the financial and hospitality sectors in Africa. This gave him the fame, but like many others, this fame got to him and thus he forgot the famous rule of the Russian underground market – “You do not go against your own country”. He tried to sell access to an ATM and to the website of two customs offices located in Russian cities. This move made his fellow members ban him from across all forums.
The Climb to the Top
Fxmsp learnt his lesson and took off all the posts related to that sell and started fresh in January 2018. With new sales seeing an exponential increase, Fxmsp collaborated with another notorious underground user known by the name of Lampeduza. Together, these two took their clientele ahead and earned $1,100,800 in exchange for the network access of companies ranging from food and hospitality to government and retail industry.
However, Fxmsp’s activity came to the fore in April 2019. According to media reports, Fxmsp had managed to compromise networks belonging to three high-profile antivirus software vendors. Fearing a hunt and backlash of his involvement, Lampeduza broke ties with Fxmsp and stated no involvement in those hacks. The duo went completely inactive post that and in late December 2019, Lampeduza, in a post on the underground forum, confirmed Fxmsp’s retirement from the cybercriminal world.
Fxmsp is one of the most prolific sellers of access to corporate networks in the history of Russian-speaking cybercriminal underground who publicly advertised the access to 135 companies in 44 countries, including in the U.S., Russia, Singapore, the U.K., and elsewhere, which brought him more than $1.5 million in profits.
Dmitry Volkov, CTO of Group-IB
Currently, it is uncertain whether his operations are truly frozen or he is still trying to penetrate the corporate network accesses, thus, researchers have advised keeping a close vigil on open RDP ports as the default RDP port 3389 can be edited by changing it to any other and hence compromise the network security of the company.
