Full Report
A Kosovo national has been extradited to the United States to face charges of running an online cybercrime marketplace active since 2018. [...]
Analysis Summary
# Threat Actor: BlackDB Marketplace Operators (Associated with Masurica)
## Attribution & Identity
The individual is identified as Masurica (first name not fully specified in the provided text), who was the lead administrator of the online criminal marketplace BlackDB.cc. This individual was extradited from Kosovo to face charges in the United States. Masurica is associated with the operation of the BlackDB marketplace.
## Activity Summary
Masurica was the lead administrator of **BlackDB.cc**, an online criminal marketplace active since 2018, roughly seven years before the charges described in the article were brought. The marketplace was used to sell stolen data and other illicit goods to cybercriminals. Masurica is charged with five counts of fraudulent use of unauthorized access devices and one count of conspiracy to commit access device fraud. The case is one of several recent law enforcement actions against such platforms, alongside the seizure of the Rydox cybercrime marketplace and the shutdown of the Manson market and Crimenetwork in Germany.
## Tactics, Techniques & Procedures
The provided text describes the marketplace's *business model* rather than malware or intrusion TTPs; the observable "technique" is:
- **Facilitating Criminal Enterprise (Marketplace Operations):** Operating a platform to facilitate the sale of stolen data (access devices, credentials, PII) to other cybercriminals.
- [No MITRE ATT&CK technique IDs apply to the administrator's actions as described; the reporting concerns the marketplace, not an intrusion.]
## Targeting
- **Sectors:** Not explicitly listed, but the *products sold* imply that the underlying data came from sectors that hold payment card data and PII (finance, consumer-facing businesses, corporations).
- **Geography:** The majority of the stolen Personally Identifiable Information (PII) sold on the marketplace was reported to be **from the United States**.
- **Victims:** Individuals whose credit card data and PII were stolen and resold through the BlackDB marketplace.
- **Related case:** The Rydox marketplace takedown mentioned alongside this case involved the arrest of three Kosovo nationals (Ardit Kutleshi, Jetmir Kutleshi, and Shpend Sokoli) who ran that platform.
## Tools & Infrastructure
- **Malware families used:** None explicitly listed for Masurica or BlackDB administration.
- **Infrastructure (C2, domains, IPs):** The primary infrastructure mentioned is the criminal marketplace domain: **BlackDB.cc**.
    * Defanged URL: hxxps://BlackDB[.]cc
## Implications
The successful extradition and charging of a key administrator like Masurica highlight significant international collaboration (FBI, Kosovo Police, DOJ OIA) aimed at dismantling critical pieces of the Cybercrime-as-a-Service (CaaS) ecosystem. The sustained operation of BlackDB for seven years suggests a resilient and established platform catering directly to actors involved in financial fraud, identity theft, and tax fraud. Its removal disrupts the supply chain for these secondary criminal activities.
## Mitigations
Given the nature of the threat (a vendor of stolen credentials):
- **Credential Abuse Defense:** Harden login flows against credential stuffing and account takeover (rate limiting, breached-password checks, login anomaly detection), since compromised credentials are a primary commodity sold on these platforms.
- **Strong Authentication:** Implement Multi-Factor Authentication (MFA) universally to mitigate the risk posed by stolen account/server credentials.
- **Monitoring for PII:** Monitor dark web marketplaces and dump sites for leaked customer PII and payment card data, so that exposed cards and accounts can be reissued or locked before they are abused.
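As an added example (not from the article, the case, or any tool named in it), this is the kind of triage a card issuer's fraud team runs when a dump excerpt surfaces from a marketplace like this: extract candidate card numbers, discard anything that fails the Luhn check, deduplicate, and flag only the PANs that fall in the organisation's own BIN ranges, masking them so the report itself is not another card dump. The BIN prefixes and the dump lines are constructed for the example and are not real cards or real BlackDB listings.

```python
import re

# Hypothetical BIN prefixes for "our" card portfolio. An issuer or program
# manager would load its real BIN table here (assumption, not from the article).
OUR_BINS = ("400000", "510000")

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes,
# not glued to other digits on either side.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN and last four only, so the report is safe to circulate."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def card_exposure_report(dump_text: str, our_bins=OUR_BINS) -> dict:
    """Triage a dump excerpt: which Luhn-valid PANs fall in our BIN ranges?"""
    seen = set()
    report = {"ours": [], "other_issuers": 0, "rejected": 0, "duplicates": 0}
    for match in PAN_RE.finditer(dump_text):
        pan = re.sub(r"[ -]", "", match.group(0))   # normalise separators
        if not luhn_ok(pan):
            report["rejected"] += 1      # noise: typos, order numbers, IDs
            continue
        if pan in seen:
            report["duplicates"] += 1    # same card listed more than once
            continue
        seen.add(pan)
        if pan.startswith(our_bins):
            report["ours"].append(mask_pan(pan))
        else:
            report["other_issuers"] += 1  # forward to the relevant issuer/brand
    return report


# Constructed excerpt in the pipe-delimited layout common to card dumps
# (assumption). The numbers are well-known test PANs or deliberate typos.
SAMPLE_DUMP = """\
4000000000000002|12/27|John Doe|US
4000 0000 0000 0002|12/27|John Doe|US
5100000000000008|03/26|Jane Roe|US
4111111111111111|09/28|Sam Poe|US
4000000000000001|01/29|Typo Row|US
order=1234567890123456 ref=internal
"""

if __name__ == "__main__":
    print(card_exposure_report(SAMPLE_DUMP))
```

The Luhn filter and deduplication matter in practice: sellers pad dumps with invalid or repeated rows to inflate their listings, and a reissue decision should be made per unique, plausibly valid card in your own BIN range, not per line in the file. Cards from other issuers are counted rather than listed so they can be passed on through the card brand's compromise-reporting channel.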