{
	"id": "0fbd8cfa-6676-422b-a166-f498ae2640a9",
	"created_at": "2026-04-06T00:08:43.596831Z",
	"updated_at": "2026-04-10T13:12:26.638407Z",
	"deleted_at": null,
	"sha1_hash": "e5e7fbe64fb1a4245ed0e183ac568e1266624265",
	"title": "2easy now a significant dark web marketplace for stolen data",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2795300,
	"plain_text": "2easy now a significant dark web marketplace for stolen data\r\nBy Bill Toulas\r\nPublished: 2021-12-21 · Archived: 2026-04-05 18:27:17 UTC\r\nA dark web marketplace named '2easy' is becoming a significant player in the sale of stolen data \"Logs\" harvested from\r\nroughly 600,000 devices infected with information-stealing malware.\r\n\"Logs\" are archives of data stolen from compromised web browsers or systems using malware, and their most important\r\naspect is that they commonly include account credentials, cookies, and saved credit cards.\r\n2easy launched in 2018 and has experienced rapid growth since last year when it only sold data from 28,000 infected\r\ndevices and was considered a minor player.\r\nhttps://www.bleepingcomputer.com/news/security/2easy-now-a-significant-dark-web-marketplace-for-stolen-data/\r\nPage 1 of 6\n\nBased on an analysis by researchers at Israeli dark web intelligence firm KELA, the sudden growth is attributed to the\r\nmarket's platform development and the consistent quality of the offerings that have resulted in favorable reviews in the\r\ncybercrime community.\r\nCheap and valid logs\r\nThe market is fully automated, which means someone can create an account, add money to their wallets, and make\r\npurchases without interacting with the sellers directly.\r\nThe logs are made available for purchase for as low as $5 per item, roughly five times less than the average Genesis\r\nprices and three times less than the average cost of bot logs on the Russian Market.\r\nMoreover, based on actor feedback analysis from multiple dark web forums, 2easy logs consistently offer valid credentials\r\nthat provide network access to many organizations.\r\nThe 2easy homepage as seen in December 2021\r\nSource: KELA\r\nBesides the cost and validity, 2easy’s GUI is user-friendly and powerful at the same time, enabling actors to perform the\r\nfollowing functions on the site:\r\nview all URLs to which the infected machines logged in\r\nsearch URLs of interest\r\nbrowse through a list of infected machines from which credentials to said website were stolen\r\ncheck the seller’s rating\r\nreview tags assigned by sellers, which most times include the date the machine was infected and sometimes\r\nadditional notes from the seller\r\nacquire credentials to selected targets\r\nThe only downside compared to other platforms is that 2easy doesn't give prospective buyers a preview of a sold item, such\r\nas the redacted IP address or OS version for the device from which the data was stolen.\r\nThe RedLine plague\r\nEach item purchased on 2easy comes in an archive file containing the stolen logs from the selected bot.\r\nThe content-type depends on the info-stealing malware used for the job and its capabilities, as each strain has a different\r\nfocus set.\r\nHowever, in 50% of the cases, the sellers use RedLine as their malware of choice, which can steal passwords, cookies, credit\r\ncards stored in web browsers, FTP credentials, and more, as shown below.\r\nPurchased RedLine log archive contents\r\nSource: KELA\r\nFive out of the 18 sellers active on 2easy use RedLine exclusively, while another four use it in conjunction with other\r\nmalware strains like Raccoon Stealer, Vidar, and AZORult.\r\nA 2easy seller praising the simplicity of RedLine\r\nSource: KELA\r\nWhy this is important\r\nLogs containing credentials are essentially keys to doors, whether those doors lead to your online accounts, financial\r\ninformation, or even entry to corporate networks.\r\nThreat actors sell this information for as little as $5 per piece, but the damage incurred to compromised entities could be\r\ncounted in the millions.\r\n\"Such an example can be observed through the attack of Electronic Arts that was disclosed in June 2021,\" explains KELA’s\r\nreport.\r\n\"The attack reportedly began with hackers who purchased stolen cookies sold online for just $10 and continued with hackers\r\nusing those credentials to gain access to a Slack channel used by EA.\"\r\n“Once in the Slack channel, those hackers successfully tricked one of EA’s employees to provide a multi-factor\r\nauthentication token, which enabled them to steal multiple source codes for EA games.”\r\nPulse Secure VPN credentials available through 2easy\r\nSource: KELA\r\nThe initial access broker market is on the rise and is directly linked to catastrophic ransomware infections, while log\r\nmarketplaces like 2easy are a part of the same ecosystem.\r\nMillions of account credentials are offered for purchase on the dark web, so appropriate security measures that treat accounts\r\nas potentially compromised are needed.\r\nExamples of those measures include multi-factor authentication steps, frequent password rotation, and applying the principle\r\nof least privilege for all users.\r\nSource: https://www.bleepingcomputer.com/news/security/2easy-now-a-significant-dark-web-marketplace-for-stolen-data/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/2easy-now-a-significant-dark-web-marketplace-for-stolen-data/"
	],
	"report_names": [
		"2easy-now-a-significant-dark-web-marketplace-for-stolen-data"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434123,
	"ts_updated_at": 1775826746,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e5e7fbe64fb1a4245ed0e183ac568e1266624265.pdf",
		"text": "https://archive.orkl.eu/e5e7fbe64fb1a4245ed0e183ac568e1266624265.txt",
		"img": "https://archive.orkl.eu/e5e7fbe64fb1a4245ed0e183ac568e1266624265.jpg"
	}
}