Si Cyber Intel: Bat9hack Continues To Target Financial Organisations
Bat9hack is gaining popularity on underground forums for its fraudulent cyber-antics, aimed primarily at large financial organisations. The cyber-criminal is a Russian-speaking hacker registered on a number of Russian- and English-speaking dark web forums. Bat9hack is a proficient carder who uses various strains of malware to target large financial organisations and users worldwide.
Bat9hack’s primary modes of attack, most recently against targets in the US, are money laundering and information fraud, alongside other financial fraud techniques.
Most recently, Bat9hack operated the website federaltaxpay[.]com, which imitated an authorised United States Internal Revenue Service payment processor and lured users into using it by offering a whopping 50% discount.
Researchers at the Insikt Group believe that Bat9hack has teamed up with, or operates within, a cyber-criminal group on the dark web that maintains a number of forums.
The Bat9hack threat actor was referenced 7367 times in various forums. Of those, 741 references were made in the last 60 days, and 5015 references appeared across various InfoSec sources.
Graph shows recent events involving bat9hack
Source: Recorded Future
Insikt Group made the following observations about bat9hack:
- The actor’s primary modus operandi is fraudulent activities
- The actor advertised the website federaltaxpay[.]com, which emulated an authorized United States Internal Revenue Service payment processor.
- The actor operates within a cyber-criminal group that maintains multiple accounts on the dark web forums.
- There are indicators that bat9hack or members of their criminal group reside in Russia and/or Ukraine.
The timeline below highlights the various fraudulent activities performed by this adversary.
Timeline of fraudulent activities
Source: Recorded Future
Identifiers:
- bat9user01, bat9user1s, blackuser01, bat9user, bat9ha, bat9hacks, bat9hacker, user01, user0133, miewjeg73hader, metyjiag4j6khepa, Topic by Taxess, xack
- federaltaxpay[.]com (currently defunct)
- Email address:
- https://twitter.com/federaltaxpay/ (currently defunct)
- https://t.co/dzNL5vgQCM (currently defunct)
- https://t(.)co/7o60aaenNA (currently defunct)
- Vasya Jjolika
- IP addresses:
- eBay accounts:
- Legal entity:
- Federal Tax Pay LLC
Taking into consideration the actor’s multiple attack vectors, including financial and PII fraud, money laundering and malware utilisation, Insikt Group recommends the following:
- Update your security controls (network and endpoint) to block and alert on the above indicators
- Only file taxes via the official Internal Revenue Service website (irs.gov), or through reputable tax preparation services
- Payment processors will never provide any discounts. Any service that does should be considered fraudulent
- Always check suspicious domain URLs via antivirus software
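As an added illustration of the first recommendation (this is not code from the page, Si Cyber or Insikt Group), the Python below refangs the domain and URL indicators listed above and matches them against proxy log lines; the log format and the client IPs in the sample are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Indicators exactly as the page lists them (defanged with [.] or (.)).
DEFANGED_INDICATORS = [
    "federaltaxpay[.]com",
    "https://twitter.com/federaltaxpay/",
    "https://t.co/dzNL5vgQCM",
    "https://t(.)co/7o60aaenNA",
]
# Constructed proxy log lines (assumed format): '<timestamp> <client-ip> <method> <url>'.
SAMPLE_LOG = [
    "2021-03-01T10:00:01Z 10.0.0.5 GET https://www.irs.gov/payments",
    "2021-03-01T10:02:14Z 10.0.0.7 GET https://WWW.FederalTaxPay.com/pay?discount=50",
    "2021-03-01T10:03:40Z 10.0.0.7 GET https://t.co/7o60aaenNA",
    "2021-03-01T10:04:02Z 10.0.0.9 GET https://twitter.com/home",
    "2021-03-01T10:05:11Z 10.0.0.9 GET https://twitter.com/federaltaxpay/",
]

def refang(value):
    """Undo common defanging ('[.]', '(.)', 'hxxp') so values compare with live logs."""
    value = value.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)

def split_indicator(value):
    """Return (host, path or None, original); lowercasing both sides is a lenient choice."""
    clean = refang(value).strip().lower()
    if "://" in clean:
        parsed = urlparse(clean)
        return parsed.hostname, parsed.path.rstrip("/"), value
    return clean, None, value

INDICATORS = [split_indicator(v) for v in DEFANGED_INDICATORS]

def match_url(url):
    """Return the defanged indicator a logged URL hits, or None. A bare domain also
    matches its subdomains; a URL indicator needs the exact host and path."""
    parsed = urlparse(url.strip().lower())
    host, path = parsed.hostname or "", parsed.path.rstrip("/")
    for ind_host, ind_path, original in INDICATORS:
        if ind_path is None and (host == ind_host or host.endswith("." + ind_host)):
            return original
        if ind_path is not None and host == ind_host and path == ind_path:
            return original
    return None

def scan(lines):
    """Return (client-ip, indicator) for every log line whose URL matches an indicator."""
    rows = [line.split() for line in lines]
    return [(p[1], hit) for p in rows if len(p) >= 4 and (hit := match_url(p[3]))]
```

Only the exact twitter.com profile path is flagged, so ordinary twitter.com traffic in the sample stays clean while the lookalike payment domain and its subdomains alert.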
For information about Si Cyber’s services, please contact firstname.lastname@example.org.