HexPay - A New Marketplace for Cybercriminals

This article is currently evolving and will be edited heavily over the next week.
Updated 8:03pm 8/26

HexPay - A Bastion of Criminal Activity

A new marketplace for buying malware, stolen credentials, and hacking tools has opened up on the internet, and it's getting popular fast. However, no special browser is required to view this cybercrime marketplace. In fact, one is even able to purchase said illicit goods with PayPal or Credit Card (via Stripe).

Owner's post on HackForums advertising HexPay

HexPay[dot]io is a website created by a HackForums user going by the alias of "Xez" (uid=1165237) to allow individuals to sell electronic items and collect payments automatically using Credit Card, PayPal and Bitcoin. The site sounds nice in theory, until the realization sets in that it is only advertised on hacking and malware marketplaces, to hackers, thieves, and shady individuals. While there are a few people selling legal products on the platform, the vast majority of the items sold on this platform range from slightly sketchy to blatantly illegal. This is just the latest service created to cater to and profit from the rapidly evolving cybercrime marketplace.

Looking specifically at the cybercrime forum HackForums, one is able to observe that a vast majority of malicious and otherwise illegal products are making use of autobuy websites such as HexPay. HexPay, however, seems to be the most prominent at the time of writing.

While it is not possible to view a complete listing of items being sold on HexPay, it is possible to view cached sales pages using Google, as well as make use of the HackForums search feature to locate hundreds of items being sold there.

Malware being sold on HexPay

Locating the host of HexPay is improbable, as Cloudflare has no issue protecting malicious and illegal websites. However, emails have been dispatched to PayPal and the .io registry to obtain their viewpoints on providing services for HexPay. A fuller listing of illegal items being sold on HexPay has been provided for both of these organizations to view.

Sekure.biz has reached out to the owner of HexPay for comment. This blog post will be updated to reflect said discussion if it occurs.

Update 1:33am 8/23: HexPay has moved away from the .io TLD to avoid inevitable issues with nic.io. PayPal has reached out to me today to discuss this issue in more detail. Hopefully action is taken against account holders using this illegal marketplace. Additionally, I have reached out to EasyDNS.com, their new domain registrar, to discuss their stance on websites such as HexPay.

Update 1:18am 8/24: This will be a fair amount of new content. Before I release this blog publicly I may convert this article into a series rather than one post. "Xez" has also been made aware of this article (indexed the site on Google, whoops).

My contact on HackForums (one of the hacking forums "Xez" advertises on), who has been in communication with "Xez", the owner of HexPay, on my behalf, has relayed a very humorous excerpt of a conversation he and "Xez" have had together.

"Since you are on HF, why not contact the owners of the listing directly? Unless you have solid proof that laws were broken by the owner of the listing they will not be taken down. Many of the things you listed could be used legally, or may be legal, hence why you should contact the product owners. Not sure why you bothered with the article."

This is in response to roughly 30 abuse requests that I had compiled to have sent over to "Xez" regarding illegal products being sold on his website. I even stated specific laws within the US that each item was violating, but apparently he doesn't know how the Computer Fraud and Abuse Act works and imagines he knows better. I'm not sure if he knows how US, Canadian, EU (basically any civilized country) law works, but if someone is providing a platform for sales, and someone else is using that platform to break the law, it is up to the site owner to remove said illicit activity off of their network. Do I need to contact specific eBay users who break the law? No, I contact eBay and they remove the listing. Do I contact botnet operators and say, "excuse me, you're breaking the law, please stop?" No, I contact their hosting provider to get them removed off their network. "Xez" is either delusional or simply does not want to stop providing a platform for illegal activity. I feel the latter is probably closer to the truth.

"Many of the things you listed could be used legally, or may be legal, hence why you should contact the product owners."

Let's review the content of the abuse report. One Keylogger... ok, arguable. One file hijacker... one could argue it being legal, but you'd look pretty dumb doing so. One botnet... oh dear... Two Microsoft Office exploit builders... mother of god. Six listings selling compromised or stolen accounts... yes, surely must be legal. Oh? It's not you say? Seven password crackers targeting specific institutions... I don't even know anymore. Does he actually believe what he just told us? Can he be that ignorant?

In other news, PayPal has reached out to me again and put me in contact with their security team. I hope to talk to Jack Christin directly about this in the next couple of days.

Ultimately, "Xez" is going up to bat for the cyber criminals making use of his services. It's clear he's attempting to make this a safe haven for criminals to peddle their illegal wares, and hopefully some sort of action can be taken against this individual and the criminal marketplace that he runs.

7:35pm 8/26: Google has responded to our requests and has marked HexPay as potentially unsafe. Hopefully this will help move along our discussion with CloudFlare, EasyDNS and PayPal.

HexPay now blocked by Google

Note: "Xez" still has not responded to me. I think it is safe to say his abuse email is just for looks and is not actually monitored.
