Website offers Doxing-as-a-Service and customized extortion

Those posting Dox will get a commission, or they can pay to have someone's personal details exposed

[Image: Personal information is being held for ransom]

There's a website on the Dark Web offering to store Dox and accept a ransom payment to have it removed, provided the person responsible for uploading the information pays a commission and a processing fee to the website for services rendered.

In addition, it also provides a Doxing-as-a-Service platform, which promises to collect a complete profile on a person for $150.

The website is Ran$umBin (Ransom Bin). Designed to be a friendly, easy-to-use extortion service, its existence was brought to Salted Hash's attention by Cymmetria's head of threat intelligence research, Nitsan Saddan. For those not familiar, Cymmetria is a cyber deception startup founded by Gadi Evron and Dean Sysman.

"It is unknown who runs this operation, but their language and lingo, and the service's structure, suggest that these are American players. They try to promote Ran$umBin using a designated Twitter account, and have already gained some traction among cybercriminals; the service has been recommended on different forums, Dark Web and listed sites alike," Saddan said.

So what is Ran$umBin?

To understand Ran$umBin, you should first understand what Doxing is, and why it can frighten some people. Briefly, Doxing is the collection of sensitive personal information, and the publication of said information, with malicious intent.

[Image: Ransom letter sent to victims]

If someone publishes a person's Dox to the Internet, there's the potential for harassment, financial fraud, and identity theft. No matter how public someone is, having Dox posted to the Internet isn't a pleasant experience in most cases.

What Ran$umBin has done is turn Dox collection and publication into a business. According to the website, the minimum required amount of Dox accepted is "full name, address, online profiles, and at least one identifying number that cannot be publicly found such as an SSN, DLN, Credit Card info, etc."

The way the website works is simple: someone uploads Dox, the information is verified, and if it's proven to be credible (at the administrator's discretion), it will be posted to the public.

The victim can then pay a ransom to have their information removed, but the cost depends on the category assigned to the Dox by the person who uploaded it. The categories are rather basic: miscellaneous, revenge, alleged pedophiles, famous people, and law enforcement.

A breakdown of the ransom fees and the commission paid to the person who uploaded the information is below:

[Image: commission payouts]

After posting the information, the extortionist is responsible for informing the victim. If needed, a template is provided by the website, which is produced in part below:

"Dear Identity Theft Victim,

We regret to inform you that your identity has been stolen. This may include (but is not limited to) your SSN, DOB, Tax IDs, email logins, mother's maiden name, etc.

[...]

In order to remove your DOX from the site, you must pay the ransom. The longer the fee remains unpaid, the longer your identity will be public, leaving it open for people to establish bank accounts and other lines of credit with your identity...."

So far, there are only a handful of records posted to the website, but that's still far too many.

There are five people alleged to be pedophiles; four people listed under revenge (including two high school students); ten people under miscellaneous (including the CEO of Securi.net); two law enforcement officials; and two people under the famous category – Donald Trump and President Obama.

The Dox on Trump can be obtained via his tax records, and President Obama's Dox contains his Social Security Number and nothing else.

"If a person does not pay to remove their Dox it will remain there until it is paid. Any Dox, which remains unpaid for an extended period, will have its validity checked. If valid, it will remain on the site. We only delete Dox's which had the ransom paid in Bitcoin," Ran$umBin's founders explained.

Doxing-as-a-Service:

[Image: Doxing-as-a-Service offering]

Ran$umBin offers a Doxing service that has three different options, depending on the type of Dox that's to be collected. The lowest amount ($40) will get a person's name, date of birth, phone number, and address. For $80, the Dox will include all of that information, plus a bit more.

However, paying $150 will result in a complete profile on an individual, from personal information on them and their relatives, to email addresses and ISP information, known passwords, banking and credit card data, driver's license number, as well as education, medical history, court, and property records.

It's worth noting that the Bitcoin wallet used to process payments for this service has received no transactions.

"The ability to sell Dox with minimal risk might appeal to many criminals, especially newcomers who don't have the right connections and can't tell who to trust. If Ran$umBin's operators are indeed Americans, their initiative might not hold for long; the North American underground market is less secretive than similar markets in Russia, Brazil or the Far East. Therefore, websites are taken down more often by authorities. For the victims' sake, let's hope that this one will suffer a similar fate," Saddan said.

Services like this are going to become more common in the future, given that information has value and holding it for ransom has become a turnkey business for criminals of all skill levels.

Fortunately, it's possible Ran$umBin will die off, as there has been little traction on the website since it was first viewed by Salted Hash, and the website's Twitter feed has sat idle since February.

But sadly, that doesn't help the victims who have already had their personal details published.
