The (Possible) Return of 2easy and What It Means for the Fraud Ecosystem

Potential return of the 2easy darknet market

On March 22, Flashpoint analysts came across a message from the darknet market 2easy stating their intention of returning to the cybercrime space.

“Good day to all. We are looking for the cause of the site’s operation problem. As soon as the information arrives, we will first inform you in this channel.”

2easy

What is 2easy and what does this mean for the fraud security landscape? Let’s find out.

The darknet black market 2easy

“Over the last past three years, 2easy has been responsible for the sale of over 1.88 million logs.”

2easy is a Russian-and English-language illicit shop that sells logs—sensitive information collected from machines infected with malware—as well as user information collected from browsers via information stealing malware. And although the 2easy marketplace does not specify the malware that was used to source specific logs, Flashpoint has observed the use of popular stealers such as Redline, Vidar, Taurus, AZORult, and Raccoon. 

Over the last past three years, 2easy has been responsible for the sale of over 1.88 million logs. 2easy has gained distinct recognition among cybercriminals dealing with stolen credentials, due to its regular supply of logs and excellent customer support. Unlike other darknet black markets that used both clearnet and Onion domains, 2easy exclusively used clearnet domains—making it more widely accessible and easier to use.

2easy’s unexpected disappearance

However, despite steady success, earlier this year Flashpoint analysts found that 2easy’s operations had suddenly ceased. Flashpoint observed that 2easy’s dedicated Telegram support channel had gone dark in mid-January, leading to the 2easy darknet market itself being inactive a month later—with all known official shop domains ceasing to operate shortly after.

The reason for 2easy’s sudden disappearance had been unknown—with no official announcement or explanation from the shop’s support as to whether the shop closed, or was renamed. However, with 2easy’s latest announcement, in the near future, the illicit shop will likely become active once again.

What this means for the fraud landscape

In our latest State of Cyber Threat Intelligence Report, we detailed how threat actors had stolen 22.62 billion credentials and personal information last year—and what they were doing with illegally obtained data. Markets like 2easy help fuel the cycle of compromised credentials in the cybercrime underground, leading to data breaches and other cyberattacks like ransomware. These markets are frequented by lower-level fraudsters, ransomware groups, and Advanced Persistent Threat (APT) groups alike turning to these shops to leverage their stolen credentials in a variety of illicit activities.

The use of credentials—obtained by stealer malware—have been tied to several high-profile breaches, with Microsoft citing its role in a cyberattack spearheaded by the data extortion group LAPSUS$. Therefore, the potential re-emergence of 2easy, in combination with other darknet markets, means that organizations will need to ensure that Fraud teams are better equipped to monitor compromised credentials and defend against potential account takeover attempts.

Stay ahead of threat actors with Flashpoint

An organization’s security capabilities are only as good as the threat and vulnerability intelligence informing their defenses. Sign up for a free trial to gain visibility into the illicit markets and communities where credentials are being sold and better protect your organization.