Facebook, Yahoo, LinkedIn and Wattpad: Where do leaked passwords end up? A statistical analysis of the dark web’s credential pipeline

The Underground Supply Chain Fueling Cybercrime: How Stolen Passwords Travel from Breach to Attack

A recent investigation by Comparitech reveals the five-stage supply chain behind stolen credentials, from initial compromise to their use in ransomware, credential-stuffing attacks, and business email compromise. By analyzing over 447,000 breach-related threads across four cybercrime forums (Nulled.cr, 2013–2016; BreachForums, 2022; RAMP, 2021–2024; and BreachForums’ successor, 2023–2026), researchers mapped how 1.1 million user records move through the dark web economy.

The Five-Stage Pipeline of Stolen Credentials

  1. Origin: Passwords are first exposed via corporate breaches (e.g., LinkedIn 2012, Yahoo 2013–14) or infostealer malware (e.g., Redline, Lumma, Vidar).
  2. Wholesale: Initial access to networks (SSH, RDP, VNC) and ransomware recruitment are brokered on forums like RAMP, where 328 threads sold corporate network access in 2021–2024.
  3. Trade: Stolen data is posted, sold, or shared on forums. BreachForums (2022) hosted 10,467 breach threads, 58% of them offered for free, though paid trade grew rapidly. Forum admins, like BreachForums’ Pompompurin (arrested in 2023), often act as top suppliers.
  4. Aggregation: Credentials are deduplicated into "combolists" for credential-stuffing campaigns. Nulled.cr alone had 101,423 combo-list topics.
  5. End Use: Attackers deploy stolen credentials in ransomware, BEC scams, or public reports (e.g., annual password studies).

Key Insights from the Data

  • Free Data Dominates: In 2014, Nulled.cr had a 70:1 ratio of free-to-paid breach posts; by 2022, BreachForums narrowed this to 1.4:1, signaling a growing paid market.
  • Regional Trends: Indonesian and Chinese breaches drew more attention than Western big-tech leaks. Bjorka’s 2022 leak from IndiHome (Indonesia’s largest ISP) garnered 338,345 views, double the 168,051 for Facebook’s breach thread.
  • Forum Resilience: Takedowns cause short-term disruptions, but replacements emerge quickly. BreachForums’ successor signed up 340,000 users in 33 months despite two shutdowns (2024, 2025).
  • Infostealer Boom: The BreachForums "Stealer Logs" sub-forum grew 29-fold in seven months (March–October 2022), reflecting the rise of malware like Redline and Lumma, which steal credentials from infected devices.
  • Cryptography Arms Race: Forums evolved their own hashing methods: RAMP used bcrypt (2021–2024), while BreachForums’ 2026 revival adopted Argon2i, outpacing older MD5-based systems.
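The hashing point above, and the "adopt stronger hashing methods like Argon2i" recommendation in the record further down, describe one defender-side change: retiring unsalted MD5 password stores in favour of a memory-hard hash. The following is an added example, not code from Comparitech, Rankiteo or any forum. It shows a verify-and-upgrade routine that rehashes a legacy MD5 record the next time its owner logs in successfully, so weak hashes drain out of the store without a forced reset. scrypt stands in for Argon2i because scrypt ships in the Python standard library; the record format, the sample users and the names `verify_and_upgrade` and `apply_logins` are assumptions made for this demo.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# scrypt stands in for Argon2i here: both are memory-hard password hashes,
# and scrypt is available in the standard library. Parameters are kept modest
# so the demo runs quickly; production deployments should tune them upward.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


def legacy_md5_record(password: str) -> str:
    """Build a record in the unsalted-MD5 shape of older systems (constructed for the demo)."""
    return "md5$" + hashlib.md5(password.encode("utf-8")).hexdigest()


def scrypt_record(password: str, salt: Optional[bytes] = None) -> str:
    """Hash with a fresh 16-byte random salt; format (assumed): scrypt$<salt hex>$<key hex>."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return "scrypt$" + salt.hex() + "$" + key.hex()


def verify_and_upgrade(stored: str, password: str) -> Tuple[bool, str]:
    """Check a password against a stored record.

    Returns (ok, record_to_store). A correct login against a legacy MD5 record
    yields a new scrypt record; a failed login leaves the record untouched.
    All digest comparisons are constant-time.
    """
    scheme, _, rest = stored.partition("$")
    pw = password.encode("utf-8")
    if scheme == "md5":
        ok = hmac.compare_digest(hashlib.md5(pw).hexdigest(), rest)
        return (True, scrypt_record(password)) if ok else (False, stored)
    if scheme == "scrypt":
        salt_hex, _, key_hex = rest.partition("$")
        key = hashlib.scrypt(pw, salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
        return hmac.compare_digest(key.hex(), key_hex), stored
    raise ValueError("unknown hash scheme: " + scheme)


def apply_logins(store: Dict[str, str], attempts: List[Tuple[str, str]]) -> Dict[str, str]:
    """Replay login attempts against a copy of the store, persisting upgraded records on success."""
    store = dict(store)
    for user, password in attempts:
        if user in store:
            ok, record = verify_and_upgrade(store[user], password)
            if ok:
                store[user] = record
    return store


# Constructed sample store: two legacy users still on unsalted MD5.
LEGACY_STORE = {
    "alice": legacy_md5_record("correct horse battery staple"),
    "bob": legacy_md5_record("hunter2"),
}


def demo() -> Dict[str, str]:
    """Alice logs in correctly and is upgraded; Bob mistypes and stays on MD5 for now."""
    return apply_logins(LEGACY_STORE, [("alice", "correct horse battery staple"), ("bob", "wrong")])


if __name__ == "__main__":
    for user, record in demo().items():
        print(user, "->", record.split("$")[0])
```

The migration is opportunistic rather than a one-shot batch job because a password hash cannot be "re-hashed" without the plaintext; the only moment the server sees the plaintext is a successful login. Monitoring the share of records still tagged `md5$` gives a simple progress metric for the rollout.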

The Forums’ Roles

  • Nulled.cr (2013–2016): Mass trade hub with 436,479 leak topics.
  • BreachForums (2022): Mixed free/paid market; Pompompurin’s "Collection of Databreach Lists" was its most-viewed thread (352,386 views).
  • RAMP (2021–2024): Russian-language wholesale market for initial access, with 328 active threads selling corporate network entry.
  • BreachForums (2023–2026): Rapid growth (339,331 users in 33 months), featuring threat actors like ShinyHunters (linked to Tokopedia, Wattpad breaches).

The findings underscore how stolen credentials flow through a structured, resilient ecosystem where takedowns are temporary setbacks, and regional breaches often eclipse high-profile Western targets in underground demand.

Source: https://www.comparitech.com/news/where-do-leaked-passwords-end-up-dark-webs-credential-pipeline/

LinkedIn cybersecurity rating report: https://www.rankiteo.com/company/linkedin

Yahoo cybersecurity rating report: https://www.rankiteo.com/company/yahoo

Meta cybersecurity rating report: https://www.rankiteo.com/company/meta

Wattpad cybersecurity rating report: https://www.rankiteo.com/company/wattpad

"id": "LINYAHMETWAT1778149613",
"linkid": "linkedin, yahoo, meta, wattpad",
"type": "Breach",
"date": "5/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Technology',
                        'location': 'Global',
                        'name': 'LinkedIn',
                        'size': 'Large',
                        'type': 'Social Media'},
                       {'industry': 'Internet Services',
                        'location': 'Global',
                        'name': 'Yahoo',
                        'size': 'Large',
                        'type': 'Technology'},
                       {'industry': 'Telecommunications',
                        'location': 'Indonesia',
                        'name': 'IndiHome',
                        'size': 'Large',
                        'type': 'ISP'},
                       {'industry': 'Retail',
                        'location': 'Indonesia',
                        'name': 'Tokopedia',
                        'size': 'Large',
                        'type': 'E-commerce'},
                       {'industry': 'Technology',
                        'location': 'Global',
                        'name': 'Wattpad',
                        'size': 'Medium',
                        'type': 'Social Storytelling'},
                       {'industry': 'Technology',
                        'location': 'Global',
                        'name': 'Facebook',
                        'size': 'Large',
                        'type': 'Social Media'}],
 'attack_vector': ['Infostealer Malware',
                   'Initial Access Brokers',
                   'Credential Stuffing'],
 'data_breach': {'data_encryption': ['bcrypt', 'Argon2i', 'MD5 (outdated)'],
                 'data_exfiltration': 'Yes',
                 'number_of_records_exposed': '1.1 million',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Credentials',
                                              'Personally Identifiable '
                                              'Information (PII)']},
 'description': 'A recent investigation by Comparitech reveals the intricate, '
                'five-stage supply chain behind stolen credentials from '
                'initial compromise to their use in ransomware, '
                'credential-stuffing attacks, and business email compromise. '
                'The analysis mapped how 1.1 million user records move through '
                'the dark web economy across cybercrime forums like Nulled.cr, '
                'BreachForums, and RAMP.',
 'impact': {'data_compromised': '1.1 million user records',
            'identity_theft_risk': 'High',
            'systems_affected': ['Corporate networks (SSH, RDP, VNC)',
                                 'Infected devices via infostealers']},
 'initial_access_broker': {'data_sold_on_dark_web': 'Yes',
                           'entry_point': ['SSH', 'RDP', 'VNC'],
                           'high_value_targets': 'Corporate networks'},
 'investigation_status': 'Completed',
 'lessons_learned': 'The findings underscore how stolen credentials flow '
                    'through a structured, resilient ecosystem where takedowns '
                    'are temporary setbacks, and regional breaches often '
                    'eclipse high-profile Western targets in underground '
                    'demand.',
 'motivation': ['Financial Gain', 'Data Exfiltration', 'Cybercrime Ecosystem'],
 'post_incident_analysis': {'corrective_actions': ['Adoption of stronger '
                                                   'hashing algorithms (e.g., '
                                                   'Argon2i)',
                                                   'Enhanced monitoring of '
                                                   'dark web forums',
                                                   'Improved incident response '
                                                   'for initial access broker '
                                                   'threats'],
                            'root_causes': ['Corporate data breaches (e.g., '
                                            'LinkedIn 2012, Yahoo 2013–14)',
                                            'Infostealer malware (e.g., '
                                            'Redline, Lumma, Vidar)',
                                            'Lack of strong hashing methods '
                                            '(e.g., MD5)']},
 'ransomware': {'data_exfiltration': 'Yes'},
 'recommendations': ['Enhance monitoring of dark web forums for credential '
                     'leaks',
                     'Adopt stronger hashing methods like Argon2i',
                     'Implement multi-factor authentication (MFA) to mitigate '
                     'credential-stuffing attacks',
                     'Improve incident response plans for initial access '
                     'broker threats'],
 'references': [{'source': 'Comparitech Investigation'},
                {'source': 'Nulled.cr Forum Data (2013–2016)'},
                {'source': 'BreachForums (2022, 2023–2026)'},
                {'source': 'RAMP Forum (2021–2024)'}],
 'threat_actor': ['Pompompurin',
                  'ShinyHunters',
                  'Bjorka',
                  'Initial Access Brokers'],
 'title': 'The Underground Supply Chain Fueling Cybercrime: How Stolen '
          'Passwords Travel from Breach to Attack',
 'type': ['Data Breach',
          'Credential Theft',
          'Ransomware',
          'Business Email Compromise (BEC)']}