{ "id": "bcda4214-a939-441d-960d-f2d822a46843", "created_at": "2026-04-06T00:18:38.224397Z", "updated_at": "2026-04-10T03:33:47.76085Z", "deleted_at": null, "sha1_hash": "5b6e29d95325c9ae19327fdbdb3c3c622204a551", "title": "Data leak marketplaces aim to take over the extortion economy", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 2475350, "plain_text": "Data leak marketplaces aim to take over the extortion economy\r\nBy Lawrence Abrams\r\nPublished: 2021-05-07 · Archived: 2026-04-05 22:34:29 UTC\r\nCybercriminals are embracing data-theft extortion by creating dark web marketplaces that exist solely to sell stolen data.\r\nLong before ransomware gangs started extorting victims through the use of stolen data, other threat actors had already been\r\nusing this practice.\r\nOne well-known and highly publicized hacker who performed this practice was The Dark Overlord, who stole data and\r\ndemanded ransoms from Disney, Netflix, and insurance companies.\r\nhttps://www.bleepingcomputer.com/news/security/data-leak-marketplaces-aim-to-take-over-the-extortion-economy/\r\nPage 1 of 6\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/data-leak-marketplaces-aim-to-take-over-the-extortion-economy/\r\nPage 2 of 6\n\nVisit Advertiser websiteGO TO PAGE\r\nThe Maze Ransomware group revolutionized ransomware operations in 2019 by adopting a double-extortion strategy.\r\nUsing ransomware data leak sites, Maze warned victims that they would publicly leak stolen data if victims did not pay a\r\nransom.\r\nOther gangs quickly adopted this extortion tactic.\r\nSome threat actors have told BleepingComputer that the practice of stealing data and threatening to release it often generates\r\nmore ransom payments than the loss of encrypted files.\r\nYou can see this shift in tactics with Babuk ransomware's recent announcement that they would no longer encrypt devices\r\nand are moving solely to data-theft extortion.\r\nThe rise of stolen data marketplaces\r\nWith breaches happening almost every day, and governments issuing heavy fines for the exposure of personal information,\r\nthreat actors are now capitalizing on these fears by using dedicated marketplaces that sell stolen data.\r\nWhile dark web marketplaces for illicit goods are not new and have been used to sell stolen data in the past, they were not\r\ndesigned solely for data-theft extortion.\r\nRecently, BleepingComputer has identified two new marketplaces called Marketo and File Leaks created to sell data to other\r\nthreat actors or back to the victim themselves. In addition, there is one marketplace called 'Dark Leak Market' that appears to\r\nhave been created in 2019.\r\nDark Leak Market\r\nThe oldest of these marketplaces is Dark Leak Market who has been selling stolen data since 2019.\r\nThe data sold at this site ranges from $100 to $9,000 and has been gathered from ransomware gang's data leak sites and\r\nhacking forums, such as RaidForums. \r\nhttps://www.bleepingcomputer.com/news/security/data-leak-marketplaces-aim-to-take-over-the-extortion-economy/\r\nPage 3 of 6\n\nDark Leak Market\r\nUsing KELA's DarkBeast intelligence platform, BleepingComputer found a post by REvil Ransomware's Unknown\r\nconfirming that the data is being resold from other data leaks.\r\nPost by REvil Ransomware's Unknown calling the site a scam\r\nMarketo marketplace\r\nLast month, threat actors launched a new marketplace called Marketo, with the owner contacting journalists and security\r\nresearchers to promote the site.\r\n\"We would like to present the new marketplace Marketo, soon to be the best place to find, buy and sell any information\r\nabout any company,\" a threat actor behind Marketo emailed BleepingComputer.\r\nMarketo leaked data marketplace\r\nWhen we asked if this data was stolen as part of their own attacks or others, they stated, \"It is a marketplace for people who\r\nhave information for sale, we don't hack companies.\"\r\nThey also claimed to be against ransomware and are not affiliated with \"those who block networks and extort funds.\"\r\nWhile most of the data found on the site does not appear to be associated with known ransomware attacks, that does not\r\nmean they are not hosting data from those types of attacks.\r\nhttps://www.bleepingcomputer.com/news/security/data-leak-marketplaces-aim-to-take-over-the-extortion-economy/\r\nPage 4 of 6\n\nBleepingComputer was recently alerted by someone in the automotive cybersecurity industry who saw data on Marketo for\r\na dealership known to have recently suffered from a ransomware attack.\r\nFile Leaks marketplace\r\nThe File Leaks marketplace was launched in April 2021 and dumps all of the stolen data at once, telling victims to contact\r\nthem to pay to remove it.\r\nThe File leaks marketplace is the smallest of the sites, with two victims from Italy and one from India.\r\nFile Leaks marketplace\r\nPaying the ransom is throwing money away\r\nAs we reported in November, victims should never pay a ransom for stolen data as there is no guarantee that their data will\r\nbe deleted and not sold to other threat actors.\r\nRansomware negotiation firm Coveware told BleepingComputer that cybercriminals are increasingly failing to keep their\r\npromises after a ransom was paid.\r\nIn some cases, victims who paid were later extorted again using the same data, or the threat actors leaked the data anyway.\r\nFurthermore, as shown by the Dark Leak Market, once data is leaked, there is no way to contain it as it spreads between\r\ndifferent hacking forums and sites frequented by threat actors.\r\nWith this in mind, Coveware tells victims always to expect the following if they decide to pay a ransomware gang not to\r\nleak data:\r\nThe data will not be credibly deleted. Victims should assume it will be traded to other threat actors, sold, or held for a\r\nsecond/future extortion attempt\r\nStolen data custody was held by multiple parties and not secured. Even if the threat actor deletes a volume of data\r\nfollowing a payment, other parties that had access to it may have made copies so that they can extort the victim in the\r\nhttps://www.bleepingcomputer.com/news/security/data-leak-marketplaces-aim-to-take-over-the-extortion-economy/\r\nPage 5 of 6\n\nfuture\r\nThe data may get posted by mistake or on purpose before a victim can even respond to an extortion attempt\r\nInstead, data theft victims should always treat an attack as a data breach and properly disclose the breach to all customers,\r\nemployees, and business partners to prevent them from being harmed by the stolen data.\r\nUpdate 5/7/21 11:14 AM EST: We incorrectly stated Lorenz is a data leak marketplace, when in fact it is a ransomware\r\ngroup's data leak site. Thx to Andre Gironda for the correction.\r\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/data-leak-marketplaces-aim-to-take-over-the-extortion-economy/\r\nhttps://www.bleepingcomputer.com/news/security/data-leak-marketplaces-aim-to-take-over-the-extortion-economy/\r\nPage 6 of 6", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://www.bleepingcomputer.com/news/security/data-leak-marketplaces-aim-to-take-over-the-extortion-economy/" ], "report_names": [ "data-leak-marketplaces-aim-to-take-over-the-extortion-economy" ], "threat_actors": [ { "id": "9639c065-3fa6-432f-9cbd-5708500c4eaa", "created_at": "2022-10-25T16:07:23.255684Z", "updated_at": "2026-04-10T02:00:04.506059Z", "deleted_at": null, "main_name": "Overlord Spider", "aliases": [ "The Dark Overlord" ], "source_name": "ETDA:Overlord Spider", "tools": [], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434718, "ts_updated_at": 1775792027, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/5b6e29d95325c9ae19327fdbdb3c3c622204a551.pdf", "text": "https://archive.orkl.eu/5b6e29d95325c9ae19327fdbdb3c3c622204a551.txt", "img": "https://archive.orkl.eu/5b6e29d95325c9ae19327fdbdb3c3c622204a551.jpg" } }