On Friday, July 18, cybersecurity firm UpGuard discovered a significant security breach involving an unauthenticated Elasticsearch database containing approximately 22 million records of web traffic.
The exposed data revealed extensive visitor activity to Leakzone.net, a prominent underground forum known for distributing hacking tools, exploits, and compromised accounts.
Each database object contained sensitive information, including domain requests, user IP addresses, geolocation data, and internet service provider metadata, providing unprecedented insight into the digital footprints of users accessing illicit cybercrime marketplaces.
Attribution Confirms Leakzone Traffic Patterns
The leaked database schema revealed that 95% of the 22 million records were directed to leakzone.net, with the remaining 2.7% targeting accountbot.io, a marketplace for selling compromised user credentials.

UpGuard researchers verified the attribution by registering an account with Leakzone and confirming their IP address appeared in the logs, definitively linking the database to the forum’s web traffic.
The temporal analysis showed records spanning from June 25 to the discovery date, with approximately one million daily requests averaging 2,862 bytes per request – metrics consistent with a moderately successful website operation.
Technical Analysis Reveals Anonymization Attempts
The dataset contained 185,000 unique IP addresses, significantly exceeding Leakzone’s registered user base of 109,000 members, indicating widespread use of anonymization techniques.
Approximately 5% of requests originated from public proxy servers, identified through the database's "is_proxy" field together with a "proxy_type" value of "PUB"; these accounted for 1,375,599 records across 3,983 IP addresses.
Further analysis revealed a heavy concentration of traffic through VPN services, particularly three IP addresses operated by Cogent Communications that collectively generated around 600,000 records.
The traffic distribution exhibited characteristics of a truncated normal distribution, suggesting coordinated VPN usage rather than organic user activity.
Security Implications and Digital Privacy Concerns
The geographic distribution of IP addresses reflected global internet infrastructure patterns, notably excluding direct Chinese traffic, which researchers attributed to mandatory proxy routing.
Cloud service providers, including Amazon, Microsoft, and Google, featured prominently among the traffic sources, while 39% of IP addresses appeared only once in the logs – likely representing unprotected users connecting without VPN services.
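The figures in the preceding paragraphs (domain share, unique IPs versus registered members, public-proxy share, single-hit IPs, busiest sources, daily volume and mean request size) are ordinary aggregations over per-request records. The following Python script is an added example, not UpGuard's tooling or code from the original article: it runs those aggregations over a small constructed JSON-lines sample modelled on the fields the article names. The "@timestamp" and "bytes" field names are assumptions, and every value in the sample is invented.

```python
import json
from collections import Counter

# Constructed sample in Elasticsearch-style JSON lines, modelled on the fields the
# article names (requested domain, client IP, is_proxy, proxy_type, ISP). The
# "@timestamp" and "bytes" field names are assumptions; every value is invented
# and the IPs come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
{"@timestamp": "2025-06-25T08:00:01Z", "domain": "leakzone.net", "ip": "203.0.113.10", "is_proxy": false, "proxy_type": "", "isp": "Example Broadband", "bytes": 1000}
{"@timestamp": "2025-06-25T08:00:05Z", "domain": "leakzone.net", "ip": "203.0.113.10", "is_proxy": false, "proxy_type": "", "isp": "Example Broadband", "bytes": 2000}
{"@timestamp": "2025-06-25T08:01:00Z", "domain": "leakzone.net", "ip": "203.0.113.10", "is_proxy": false, "proxy_type": "", "isp": "Example Broadband", "bytes": 3000}
{"@timestamp": "2025-06-25T09:00:00Z", "domain": "leakzone.net", "ip": "198.51.100.7", "is_proxy": true, "proxy_type": "PUB", "isp": "Example Hosting", "bytes": 4000}
{"@timestamp": "2025-06-25T09:00:30Z", "domain": "leakzone.net", "ip": "198.51.100.7", "is_proxy": true, "proxy_type": "PUB", "isp": "Example Hosting", "bytes": 5000}
{"@timestamp": "2025-06-25T10:00:00Z", "domain": "leakzone.net", "ip": "192.0.2.55", "is_proxy": true, "proxy_type": "PUB", "isp": "Example Cloud", "bytes": 6000}
{"@timestamp": "2025-06-26T01:00:00Z", "domain": "accountbot.io", "ip": "192.0.2.55", "is_proxy": true, "proxy_type": "PUB", "isp": "Example Cloud", "bytes": 7000}
{"@timestamp": "2025-06-26T02:00:00Z", "domain": "leakzone.net", "ip": "192.0.2.99", "is_proxy": false, "proxy_type": "", "isp": "Example Mobile", "bytes": 8000}
{"@timestamp": "2025-06-26T03:00:00Z", "domain": "leakzone.net", "ip": "203.0.113.200", "is_proxy": true, "proxy_type": "VPN", "isp": "Example Transit", "bytes": 9000}
{"@timestamp": "2025-06-26T04:00:00Z", "domain": "accountbot.io", "ip": "203.0.113.201", "is_proxy": false, "proxy_type": "", "isp": "Example Broadband", "bytes": 10000}
"""


def load_records(text):
    """Parse a JSON-lines export into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def summarize(records, registered_members=None):
    """Aggregate per-request records into the headline figures the article reports:
    domain share, unique IPs, public-proxy share, single-hit IPs, busiest IPs,
    daily volume and mean request size.  registered_members, if given, yields the
    unique-IP-to-member ratio used to argue for widespread anonymisation."""
    total = len(records)
    if total == 0:
        raise ValueError("no records to summarise")
    by_domain = Counter(r["domain"] for r in records)
    ip_counts = Counter(r["ip"] for r in records)
    # Public proxies are rows flagged is_proxy with proxy_type "PUB"; a VPN-typed
    # row is also a proxy but is deliberately kept out of this bucket.
    pub = [r for r in records if r.get("is_proxy") and r.get("proxy_type") == "PUB"]
    single_hit = sum(1 for n in ip_counts.values() if n == 1)
    daily = Counter(r["@timestamp"][:10] for r in records)  # YYYY-MM-DD prefix
    summary = {
        "total": total,
        "domain_share": {d: n / total for d, n in by_domain.items()},
        "unique_ips": len(ip_counts),
        "pub_proxy_records": len(pub),
        "pub_proxy_ips": len({r["ip"] for r in pub}),
        "pub_proxy_share": len(pub) / total,
        "single_hit_ips": single_hit,
        "single_hit_share": single_hit / len(ip_counts),
        "top_ips": ip_counts.most_common(3),
        "daily_requests": dict(sorted(daily.items())),
        "avg_bytes": sum(r.get("bytes", 0) for r in records) / total,
    }
    if registered_members:
        summary["ips_per_member"] = len(ip_counts) / registered_members
    return summary


if __name__ == "__main__":
    # registered_members=4 is a constructed figure for the sample, not Leakzone's.
    for key, value in summarize(load_records(SAMPLE_LOG), registered_members=4).items():
        print(f"{key}: {value}")
```

On a real export the same routine would be fed from a scroll over the index rather than a string constant; the point of the proxy filter is that "is_proxy" alone would also sweep in VPN exit nodes, which the article counts separately.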
This incident underscores the fragility of digital anonymity, as highlighted by recent law enforcement successes, including the arrest of the XSS.is forum administrator.
The leak serves as a stark reminder that even sophisticated privacy measures can be compromised, exposing the digital identities of users engaged with underground cybercrime communities despite their technical countermeasures.