For $2, automated dark web marketplaces sell email accounts to corporate customers

To meet a rising demand from hackers, cybercrime marketplaces sell stolen email addresses at as low as $2. These email addresses are used for email compromise, phishing attacks and initial access to networks.

This trend has been closely monitored by analysts at Israeli cyber-intelligence company KELA. They have reported at least 225,000 email addresses for sale on underground market.

Xleet, Lufix and Lufix are the largest webmail stores. They claim to have access to more than 100k corporate email accounts. Prices range between $2 to $30 for high-desired organizations.

Webmail shop offers


These accounts are typically stolen by password cracking or credential stuffing. They may also have their credentials stolen using phishing or purchased from cybercriminals.

Hackers can use corporate email accounts to launch targeted attacks such as social engineering (Spear-phishing), email compromise (BEC), and network penetration.

Webmail auto-shops are on the rise

Over the last couple years, sales of corporate email access has remained stable in cybercrime. Threat actors selling “combolists” of email to various companies on major hacking forums have been a part of the trend.

Combo list sold on ‘Breached’ forums


Ransomware-agent ‘Everest” offered $15,000. access to the email accounts of an aerospace company in a high-profile recent case.

Bulk and curated deals require a lengthy negotiation with the seller as well as taking some risk about the claims. The demand for corporate email continues to rise.

This is why automated webmail shops such as Xleet and Odin have been created. These allow cybercriminals easy access to email accounts they choose.

The main page of the Xleet shop


explains that many of these shops offer advanced functions such as proofs that webmail access works.

These proofs can include performing an email check to confirm access, or taking a screenshot from the compromised account’s inbox.

The checker system incorporated on all four shops


Office 365 accounts are the most popular, accounting for nearly half of all webmail listed. Next, hosting providers such as cPanel and GoDaddy follow closely.

Providers of email accounts on offer


These sellers don’t use aliases, but conceal behind masking systems that assign them numbers. Odin provides more information about sellers such as the total number of sales, the items sold and the user ratings.

Seller details on Odin


Odin and Xleet provide additional information about how webmails were sourced. These categories include “hacked”, ‘cracked”, logs, or “created.” But, the overwhelming majority (98%) of webmails in Xleet are either “hacked”, or “cracked.”

Logs are stolen email credentials by malware. “Created” is a new account that was created using compromised administrator accounts.

These markets have made it necessary to require password resets on all platforms and services to make compromised credentials obsolete.

These threats are often posed by compromised webmail addresses. It is important to use strong passwords (longer), and train personnel to recognize phishing email.