Breached shutdown sparks migration to ARES data leak forums

A threat group called ARES is gaining notoriety on the cybercrime scene by selling and leaking databases stolen from corporations and public authorities.

The actor emerged on Telegram in late 2021 and has been associated with the RansomHouse ransomware operation and the data leak platform, KelvinSecurity, and the network access group Adrastea.

ARES Group manages its own site with database leaks and a forum, which may fill the void left by the now defunct Breached forum.

Cyfirma reports that ARES displays a cartel-like behavior, actively seeking affiliations with other threat actors.

ARES showcasing its collaborations (Cyfirma)

ARES Leaks

ARES Leaks is a platform hosted on the regular web that offers access to data leaks from 65 countries, including the United States, France, Spain, Australia, and Italy.

The website hosts leaks with all types of information, from phone numbers, email addresses, customer details, B2B, SSN, and company databases, to forex data, government leaks, and passports.

The group accepts cryptocurrency payments from members who want to access the offered data or to purchase one of the available services, which span vulnerability exploitation, pen-testing, malware development, and distributed denial of service (DDoS) attacks.

According to Cyfirma, the activity on ARES Leaks increased on the heels of Breached shutting down.

At the end of 2022, ARES sought to hire malware developers and expert pen-testers who could work in Syria, offering payment in cryptocurrency.

ARES seeking to hire IT experts (Cyfirma)

ARES also operates private and VIP channels, presumably selling more valuable data leaks from high-profile organizations.

Cyfirma reports that ARES has recently initiated efforts to acquire military access and databases, actively promoting its interest through advertisements on cybercrime platforms.

LeakBase

LeakBase launched in early 2023 and it is another project supported by the ARES threat group. Aggressive promotion and Breached hacker forum closing its doors caused many users to sign up.

It is hosted on the clear web and free for anyone to join, offering free databases, a market space for selling leaks, leads, exploits, and services, and an escrow payments system to inspire trust.

The forum also hosts spaces for programming, hacking tips, tutorials, social engineering, penetration, cryptography, anonymity, and opsec guides and discussions.

The LeakBase forums (BleepingComputer)

LeakBase is a far cry from Breached at this time, but its reputation appears to be growing and it could soon become a significant hub for information and services for cybercriminals.

ARES seems to be a well-organized threat group that kept expanding operations and services to cover all major cybercrime interests.

Cyfirma believes that ARES sees the shutdown of Breached as an opportunity to accelerate its growth and to establish its position in the cybercrime market.