Last week we reported on the xDedic underground marketplace that
facilitated the selling and buying of access to compromised RDP servers.
We counted over 70,000 hacked server accounts from 173 countries for
sale on the marketplace. After the public announcement, the xDedic
website very quickly went offline, thanks to the cooperation of several
major ISPs. However, it seems that this was not the end of the story.
The day after the announcement, an anonymous source from a Lithuanian IP
address posted an unusual comment on our blog using the alias “AngryBirds.”
We usually take such comments with a pinch of salt and generally don’t
pay too much attention to comments with strange links. However, this
time the links pointed to a series of pastes on the popular resource
Pastebin, which in turn contained long lists of IP addresses and date
One such paste contains about 19,000 records. The author of the comment
mentioned that the list of pastes is related to hacked servers from the
xDedic marketplace. At first glance it looked real – the earliest date
was close to the time when the first servers were listed on xDedic
(according to our records the first server was added in November 2014).
However, we were slightly sceptical and decided to validate the list
before making use of it. In this blog post we share the results of that
validation and our thoughts on the data we received.