We interviewed Se7en, the founder of Exodus Market, a platform for selling infostealer logs. This market, active for almost a year, has been expanding its business in recent months and is becoming an increasingly popular alternative to what is currently the most popular market, Russian Market.
The market, accessible at the URLs indicated within our project (https://github.com/fastfire/deepdarkCTI/blob/main/markets.md), provides a very simple and direct user interface that allows you to search for logs using different filters (country, city, operating system, vendor, type of stealer, link, username, domain). The price of a single log varies between $3 and $44.
With a minimum deposit of $200, it is possible to generate invitations. Deposits can be made with cryptocurrency (BTC, LTC, XMR, TRC-20).

There are currently 6 sellers in the market, but the most active one (over 420,000 logs uploaded) is connected to the market’s administration team. There are currently about 500,000 logs in the market, 80% of which were retrieved using the Lumma infostealer; the rest were retrieved using RedLine, Rhadamanthys, Stealc and, to a lesser extent, Vidar.
In recent weeks, log uploading to the market has been constant.
Inside the market there is a support section and a section that shows your orders.
🧱 Genesis & Vision
Q: How many people are there to manage the market?
A: Due to safety concerns, we can’t disclose this information.
Q: Where are you geographically located?
A: We are based out of Russia.
Q: When was Exodus Market created?
A: Exodus Market was established on July 27, 2024.
Q: Did you already have collaboration relationships with other markets?
A: No.
Q: What motivated you to create this market? Was there a specific gap or failure in other marketplaces that inspired its foundation?
A: The creation of our market was driven by a combination of factors, primarily the seizure of Genesis Market by law enforcement. This event highlighted a significant gap in the market for fresh, reliable logs, which many clients depend on. Seeing an opportunity, we decided to step in and fill this void by selling our own high-quality logs directly to our clients.
Additionally, we observed that a large number of sellers were operating on Telegram, taking advantage of its platform to sell logs. While this method has been effective for now, we recognize that it is not a sustainable long-term solution. The recent arrest of Pavel Durov, the owner of Telegram, has added a layer of uncertainty to the future of these operations. We anticipate that many of these sellers will eventually need to move their operations to more stable and secure platforms.
Our market aims to provide a durable and trustworthy alternative, ensuring that sellers and buyers have a reliable space to conduct their business without the looming threat of platform instability or legal action. By offering a secure and user-friendly environment, we hope to attract both existing and new clients, solidifying our position as a leading marketplace in the industry.
Q: How has the market evolved since its inception? Can you describe its key milestones or changes in focus over time?
A: Since our inception, the market has undergone significant evolution, adapting to the changing needs of our users and the landscape of our industry. Here are some key milestones and shifts in our focus:
Early Days and Exodus Market Launch:
Initially, when Exodus Market was launched, we operated as the sole seller, providing a direct sales model to our customers. This approach allowed us to establish a strong foundation and build trust with our early users.
Transition to a Multi-Vendor Platform:
Recognizing the potential for growth and diversification, we shifted our model to a multi-vendor platform. This change enabled other vendors to upload and resell logs and accounts, with Exodus Market taking a commission on each transaction. This shift moved us from a direct sales model to a platform-as-a-service approach, creating a more dynamic and competitive marketplace.
Expanding Our Offerings:
Following the downfall of Brains Club, we identified an opportunity to expand our services further. We are in the planning stages of launching our own version of a CC shop, which will complement our existing offerings and provide additional value to our users. Alongside this, we are developing our own version of the Exodus Browser, enhancing the user experience and security for our community.
Future Updates and Innovations:
While we can’t disclose all our upcoming updates, we are continuously working on new features and improvements to stay ahead of the curve. Our focus remains on providing a secure, reliable, and innovative platform for our vendors and customers alike.
Q: Are you planning to add to the market a feature that shows for each log the date of compromise, the date of exfiltration (assuming that the date visible now is the date of upload to the market)?
A: We previously had a feature displaying the date of exfiltration and upload for each log. However, due to security concerns, we removed the exfiltration date. Currently, only the upload date is shown. We may re-introduce this feature in the future with enhanced security measures.
🧪 Comparison with Other Markets
Q: How would you differentiate your market from Genesis or Russian Market, both in terms of technology and community philosophy?
A: While it’s true that all markets ultimately aim to generate revenue, our approach and focus set us apart from competitors like Genesis and Russian Market. Here’s how:
Technology and Innovation:
User Experience: We prioritize a seamless and intuitive user experience. Our platform is designed to be easy to navigate, ensuring that both vendors and buyers can conduct their business efficiently and securely.
Security: We employ state-of-the-art security measures to protect our users’ data and transactions. Our commitment to security goes beyond just technology; it’s a core part of our operational philosophy.
Innovative Features: We continuously develop and integrate new features based on user feedback and market trends. This includes our plans to launch a CC shop and an enhanced browser, providing added value to our community.
Community Philosophy:
Customer Satisfaction: Our primary philosophy is centered around customer satisfaction. We believe that happy clients are the key to our success. By providing excellent service and a reliable platform, we ensure that our users return and recommend us to others.
Vendor Support: We offer a supportive environment for our vendors, providing them with the tools and resources they need to succeed. Our commission structure is designed to be fair and transparent, fostering a mutually beneficial relationship.
Community Engagement: We actively engage with our community, valuing their feedback and incorporating it into our development process. This collaborative approach helps us stay aligned with the needs and expectations of our users.
While making money is a common goal, our focus on superior technology, unmatched security, and a community-driven philosophy differentiates us from Genesis and Russian Market. We strive to be more than just a marketplace; we aim to be a trusted partner for our users, providing them with the best possible experience.
Q: What is the commission that Exodus keeps for each transaction?
A: We currently take a 25% commission on each transaction. Given the high volume of users on our market, this commission is relatively small compared to their potential earnings.
Q: What operational or security mistakes do you think led to the fall of Genesis Market, and how are you avoiding them?
A: The seizure of Genesis Market by authorities highlighted several operational and security mistakes that led to its downfall. One of the primary issues was their server configuration: Genesis Market’s real backend server was directly linked to their domain and was unencrypted. This made it vulnerable to seizure, as authorities could simply change the DNS and take control of both the domain and the server.
To avoid this fate, we have implemented a more robust and secure infrastructure:
Reverse Proxy Setup: Our domain is pointed to a front server, which acts as a reverse proxy. This front server is linked to our backend Tor onion server. This setup ensures that even if the front server or domain is compromised, our real backend server remains online and accessible through the Tor network.
Enhanced OPSEC: We have taken extensive operational security (OPSEC) measures to avoid being tracked. This includes supporting Monero for transactions, which adds a layer of anonymity and makes it nearly impossible to trace the flow of funds.
Encrypted Communications: All communications between our servers and users are encrypted, ensuring that even if an interceptor tries to monitor or tamper with the data, they will be unable to do so without detection.
By learning from the mistakes of Genesis Market and implementing these security enhancements, we aim to provide a more secure and resilient platform for our users.
🔐 Seller Vetting & Log Curation
Q: How do you verify or onboard sellers who submit logs? Is there a vetting process to prevent fake or reused data?
A: We require new sellers to submit 20-30 logs for initial review. Our checkers verify these logs for authenticity. To prevent exit scams, we also take a $500 bond from each seller. This process helps ensure that only genuine and high-quality logs are sold on our platform.
Q: Are logs categorized or scored based on type (e.g., corporate vs personal) or malware family (e.g., Lumma, RedLine)?
A: Yes, we categorize logs using a sophisticated algorithm. This makes it easy for clients to find what they need by searching through our database of 500,000 logs in less than 3 seconds.
Q: Is there any collaboration or overlap between your market and developers of infostealers, or is the market agnostic to the tools used?
A: We do not disclose this information as it could aid federal investigations.
🧠 Market Structure & Trust Mechanisms
Q: What kind of reputation system is in place for both buyers and sellers? How do you prevent scams or duplicate listings?
A: Our upload mechanism checks the functionality of logs and removes duplicates to protect customers from scams. After each purchase, buyers can leave feedback, rating the experience as Positive, Neutral, or Negative. This feedback system helps maintain a transparent and trustworthy environment for all users. Additionally, we monitor both buyers and sellers to ensure the integrity of our marketplace.
Q: How is customer support or dispute resolution handled, if at all?
A: We handle customer support and dispute resolution by carefully reviewing each ticket. If we determine that the logs are of poor quality, we refund the buyer and deduct the funds from the vendor. However, if we find that the buyer has used an incorrect setup, we assign the fault to the buyer and reject the refund. This ensures that disputes are resolved fairly and efficiently.
🛡 Infrastructure & Operational Security
Q: What hosting strategies or providers are used to avoid takedowns? Is bulletproof hosting still effective today?
A: We use a white-collar hosting company for our front servers, which act as proxies linked to our onion backend. This setup ensures that even if our domains are seized, our backend remains secure and operational through the Tor Network. We do not disclose our specific providers to avoid potential targeting. Bulletproof hosting is largely a myth. These providers often use reputable hosting companies and accept cryptocurrency while saving minimal personal information about their clients. However, they are not truly bulletproof, as evidenced by raids on notable hosting companies like Cyber Bunker. Using a real company name for such services would be risky, and many have been compromised.
Q: Do you implement any decentralization (e.g., mirrors, Tor-only access, blockchain features) to improve resilience?
A: Yes, our domain is linked through a proxy to our hosted onion domain. When you access our website, you are routed through the Tor network, ensuring that you are on the Tor onion itself. This setup enhances our resilience and ensures that our platform remains accessible even if our clearnet domain is compromised.
Q: How often do you rotate infrastructure or domains, and do you anticipate hosting supply issues due to recent takedowns?
A: Rotating infrastructure and domains is an ongoing process for us. It’s a constant game of cat and mouse with law enforcement. If a domain is taken down, we simply move to the next one. The feds typically focus on following the money to locate and take down the operators permanently. We do not foresee significant hosting supply issues due to recent takedowns, as we have strategies in place to adapt and continue operations seamlessly.
🔥 Lumma Stealer Infrastructure Seizure
Q: How has the recent seizure of parts of the Lumma Stealer infrastructure impacted your operations? Were any logs or sellers tied to it?
A: The seizure of Lumma Stealer’s infrastructure has had minimal impact on our operations. Lumma was known for stealing logs from its clients and reselling them secretly, which we were aware of and warned our sellers about. We had already stopped using Lumma, and while some of our sellers may have used it in the past, the downfall of Lumma has not affected our business. New stealers are being developed faster than ever, ensuring a continuous supply of logs for our marketplace.
Lumma is still active. We were in their private channels until they deleted them due to an FBI agent’s presence, who was warning that they would take down any new domains Lumma operators set up. We saw the message from the FBI agent but do not have a screenshot. Currently, we don’t know the exact state of their infrastructure, but we are aware that they are still operational. Authorities do face challenges in destroying such malware infrastructures, as they often use fast-flux networks and can quickly set up new systems to continue operations.
Q: Do you anticipate greater pressure from law enforcement following these seizures? How are you adapting operationally or legally?
A: We are not anticipating any greater pressure from law enforcement following these seizures. We are taking a wait-and-see approach to monitor the situation and adapt our operations as needed.
🌐 Vision and Outlook
Q: What’s the future of log markets in your opinion? Do you see this economy shifting more toward private Telegram deals, closed channels, or remaining open-market based?
A: I believe the log markets will continue to thrive, especially if Telegram increases its ban on malware actors. Currently, many sellers are still openly selling logs on Telegram, but this platform is becoming increasingly risky due to law enforcement’s effective use of it to track and apprehend cybercriminals. I firmly believe that the safest approach is to avoid Telegram altogether and utilize the Tor Network and Monero for transactions. This combination ensures maximum privacy and security. Many people will likely be taken down in the near future if they continue to rely on Telegram. Make privacy great again!

