April 10, 2023

A cybercrime threat group called ARES has been gaining notoriety in recent months for selling and leaking databases stolen from corporations and public authorities. The group emerged on the Telegram messaging app in late 2021 and has since been associated with the RansomHouse ransomware operation, the data leak platform KelvinSecurity, and the network access group Adrastea.

According to a report by cybersecurity firm Cyfirma, ARES displays cartel-like behavior and actively seeks affiliations with other threat actors. The group manages its own site, ARES Leaks, which offers access to data leaks from 65 countries, including the United States, France, Spain, Australia, and Italy. The website hosts leaks with all types of information, from phone numbers, email addresses, customer details, B2B, SSN, and company databases, to forex data, government leaks, and passports.

The group accepts cryptocurrency payments from members who want to access the offered data or to purchase one of the available services, which span vulnerability exploitation, pen-testing, malware development, and distributed denial of service (DDoS) attacks. Cyfirma notes that the activity on ARES Leaks increased after the shutdown of the now-defunct Breached forum.

In addition to ARES Leaks, the group also operates private and VIP channels, presumably selling more valuable data leaks from high-profile organizations. Cyfirma reports that ARES has recently initiated efforts to acquire military access and databases, actively promoting its interest through advertisements on cybercrime platforms.

The group also launched a new project called LeakBase in early 2023, which offers free databases, a market space for selling leaks, leads, exploits, and services, and an escrow payments system to inspire trust. The forum also hosts spaces for programming, hacking tips, tutorials, social engineering, penetration, cryptography, anonymity, and opsec guides and discussions.

The sources for this piece include an article in BleepingComputer.