Exploring the Weird World of Account Generators – Part two: Trials and Tribulations

DRAFT COPY

If you’re reading this, it’s because I’ve sent you this link to gather some feedback. I haven’t decided if, when, and how I will publish this story. Please do not share this link.

Welcome to Part Two of a multi-part series exploring the underground Account Generating scene. If you haven’t already, read part one first.

Hypergen

In 2015, ‘Xez launched a new service called HyperGen at the domain hypergen.pw. Hypergen was promoted on Hackforums as the leading account generator, although this was contested by a friendly rival, Bluffer – another account generator operator. Hypergen became extremely popular, and had amassed a userbase of over twenty-six thousand by June 2016. Operating HyperGen wasn’t without complications, however.

Records show that hypergen.pw was purchased in October 2015 under a fake name, and registered to an address in Bulgaria. The website was originally hosted by offshore hosting provider AbeloHost. AbeloHost describe their service as valuing data and customer privacy, and permit the hosting of adult content, gambling, and “movie” websites. However, Abelo explicitly forbids certain types of content from being hosted on their platform, such as fraud, scams, and password guessing services. Early in 2016, Hypergen seems to have experienced distributed denial of service (DDoS) attacks, and the HyperGen homepage temporarily displayed a landing page announcing that they were moving to a new hosting provider that offered DDoS protection.

Shortly after, Abelo terminated Hypergen’s account. This may have been due to a policy violation, or due to prolonged DDoS attacks on the Hypergen website, which may have been impacting other Abelo customers. It’s also possible that by the time the account had been suspended, Hypergen had already found a new home using the domain Hypergen.ch, and so the operator simply stopped paying for Abelo’s hosting.

Hypergen.ch was registered under the same name as the one used to register hypergen.pw, but this time with an address in the United States.

A video uploaded to YouTube in June 2016 by a customer received nearly thirty thousand views. The recording provides a detailed account of the Hypergen experience:

https://www.youtube.com/watch?v=RhloEZYQHqc

Several things about this video stood out to me. Firstly, the statistics on the dashboard showed that there were 26,051 registered users and that over 1 million credentials had been generated for users.

Secondly, Hypergen makes no attempt to hide the fact that these are real people’s accounts that are being provided to its customers. This is evident in one of the updates posted in the news feed:

To make accounts last longer, please login using the following url … With this login URL, the owner is not notified and the accounts will last a lot longer!

Perhaps the most perplexing revelation was which services Hypergen was offering. While some of the services could be expected, such as Netflix, Spotify, Hulu, and WWE Network, others were downright creepy. Facebook, Instagram, Twitter, and Reddit were among the social media accounts that strangers on the internet could purchase access to. Another YouTube video, uploaded by a separate customer, demonstrates using Hypergen to generate Instagram credentials, and in the video the customer logs into the Instagram account.

The consequences of providing this access are multifaceted. There are the obvious privacy concerns when you consider the contents of private messages between individuals, identity fraud, and the fact that Facebook, Instagram and Twitter can be used to authenticate with third-party services.

Equally concerning is the sale of eBay accounts – a bad actor could log in and change the payment details of a seller’s eBay store and funnel the store’s proceeds into their own accounts. It’s impossible to say if this happened, but what other use would someone have for another’s eBay account? Similarly, Uber accounts could be used to charge rides to an unsuspecting user’s credit card. The same goes for online gaming services such as PlayStation Network, Origin, and Uplay, where it’s possible to enable ‘one click purchases’.

Some of the services available were just strange: Fitbit, Pinterest, and Domino’s – but once you have a way to monetise stolen credentials, there isn’t much more effort required to write a script for just about any service you can think of to expand the offering, and this is what Hypergen did.

Finally, Hypergen offered a referral program to encourage its customers to drive more business to the website. Customers could receive cash kickbacks for each new user who registered using a referral. The account generating scene was competitive, with plenty of alternatives to Hypergen. In ‘Xez’s own words, one would need their service to bring something new to the table in order to stand out.

The Tables are Turned

Hackforums is a strange place. It’s hard to understand exactly what is allowed to be posted there and what is prohibited. There is a section called Social Media Hacks, where users will often ask if anyone can assist them with breaking into someone’s Instagram account. There is a section called Website and Forum Hacking, where a user makes a post explaining that he has hacked into a forum database and provides a list of hashes asking if anyone can assist in cracking them. These kinds of activities seem to be allowed, however, one user was banned simply for asking why selling ransomware was not allowed, so there did seem to be some code of conduct, though I wasn’t able to find a complete list of rules anywhere.

One post made by ‘Xez was a several-paragraph plea to reverse the decision to ban posts about account generators. It seemed to have worked, as several operators continued to advertise their services. In such a fickle place, it would be easy to unexpectedly find yourself on the other side of the ban hammer. Such was the case of a user who went by the name ‘insaneasusual‘. For reasons unclear, insaneasusual was banned from posting on Hackforums sometime in 2016. insaneasusual believed that they had been banned unfairly and hadn’t broken any rules. insaneasusual was frustrated and wanted to react somehow, but they were unable to create any threads or make any posts. So, out of other options, they decided to take action against Hackforums’ vendors instead…

In May 2016, Hypergen was compromised, and the email address, username, IP address, and hashed password of every registered user were leaked online.

On the 21st of May, a user created a thread titled, Hypergen Database Leaked [CHECK HERE FOR UPDATES]. In a response to the thread, ‘Xez confirmed the leak, announcing that Hypergen was the victim of an SQL injection attack – a type of web application attack in which user-supplied input alters the application’s database queries, giving the attacker direct access to the underlying database. This didn’t only happen to Hypergen: several other account generators, all using the same source code, including an account generator run by Bluffer, also had their users’ details leaked around the same time. ‘Xez asked all users to reset their passwords on any other services where they used the same password, and advised that they were forcing password resets for Hypergen.
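To make the attack class concrete for readers unfamiliar with it, here is an added illustration (not Hypergen’s code, nor anything from the leaked source) of the same username lookup written two ways against an in-memory SQLite table with two made-up rows. The first version splices the input into the SQL text, so the input can change the shape of the query; the second binds the value as a parameter, which is the standard fix.

```python
"""Added example: a login lookup with and without SQL injection exposure.

The users table, its two rows and the function names are all constructed
for this illustration; they are not taken from any real account generator.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: two fictional accounts.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-of-alice"), ("bob", "hash-of-bob")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list[str]:
    # Untrusted input is concatenated into the statement text, so a value
    # containing a quote character is interpreted as SQL, not as data.
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return sorted(row[0] for row in conn.execute(query))


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list[str]:
    # The driver sends the statement and the value separately; whatever the
    # input contains, it can only ever be compared against the username column.
    query = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(query, (username,)))


if __name__ == "__main__":
    db = make_db()
    # A value that closes the quoted literal and appends an always-true clause.
    tainted = "' OR '1'='1"
    print("concatenated:", lookup_vulnerable(db, tainted))   # every row
    print("parameterized:", lookup_parameterized(db, tainted))  # no rows
```

The point for a site owner is the second function: when the database driver binds values separately from the statement, no amount of quoting in the input changes what the query does, which is why reviewing purchased source code for string-built queries is the first thing to check after a breach like this one.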

Another Hackforums user replied to the thread, revealing that all the account generators were hacked by insaneasusual, who had posted the leaked databases to their Twitter account. A screenshotted conversation between a forum user and insaneasusual showed that insaneasusual was upset about getting banned and attacked Hypergen and the other websites as they were out of options.

‘Xez tried to assure Hypergen users that they were taking steps to secure Hypergen, and that it had been taken down temporarily while security was being tightened up. Several users criticised ‘Xez for storing passwords as unsalted MD5 hash values, and accused them of being an incompetent web developer due to the weaknesses in the website. ‘Xez retorted that they had just been lazy, rather than incapable, and had simply failed to inspect the source code they’d purchased for security vulnerabilities. ‘Xez also announced that a bug bounty program would be introduced to help uncover and patch vulnerabilities in the website.

Shortly after, users who had been exposed in the Hypergen data breach began receiving emails from an unknown actor requesting payment in bitcoin, or else their information would be handed over to the authorities. A concerned Hackforums user who received one such email posted a screenshot of it to Hackforums. The email had correctly stated the user’s real name and their workplace. A bitcoin wallet address was provided to send payment to. Other Hackforums users dismissed the extortion attempt, saying not to worry about it and that they wouldn’t get into any trouble simply for having an account.

Hypergen Extortion Email. Blue redactions by myself.

Irony is like a self-fulfilling prophecy. Often the word is used to describe a coincidence, something unfortunate, or a situation that is to be expected – or in other words, the exact opposite of irony. That the word itself is so heavily misappropriated is one of the best examples of irony there is. An account generating website having its user database leaked and monetised, resulting in the operator of that service asking users to reset their passwords and warning them not to reuse passwords across multiple websites, has to be a close second.

Under New Management…?

In mid-November 2016, visitors of HyperGen were automatically redirected to wickedgen.com where they were greeted with the following message:

The announcement explained that HyperGen was under new management and was now operating as WickedGen. Previous users of HyperGen were encouraged to migrate their accounts over to the new platform and to contact the new owners with any queries. What isn’t clear is who these new operators were…

When I came across this archived message, I wondered whether HyperGen had ever truly been sold, or if this was a red herring. ‘Xez had tried selling 48hourcodes.com previously, so this wasn’t out of character – but 48hourcodes.com wasn’t generating any revenue, and HyperGen seemed to be doing well. Plus, we have the benefit of already knowing that the same person who was charged for running HyperGen was also charged with running WickedGen. I have a theory here:

‘Xez talked candidly about living in Australia, their age, studying web development at TAFE, and the usual adolescent drama. ‘Xez may have realised that up until now, they’d been careless with their operational security, leaving breadcrumbs that may lead back to themselves as the owner and operator of the website. It was time to tighten up security, stop being the face of the website and become a faceless entity. To do this, ‘Xez would fabricate the sale of HyperGen to afford themselves plausible deniability.

To test this theory, I spent some time trying to tie the operation of WickedGen back to ‘Xez or Hypergen. Historical records don’t reveal much about the registrant of the domain. It was first registered on September 29th, 2016, shortly before taking over HyperGen. The registrant was listed as Ruben (last name redacted) with a Proton Mail email address and a Romanian physical address. Proton Mail is a privacy-focused email provider that offers end-to-end encryption.

Initially, WickedGen’s website and DNS settings were hosted by ITItch.com, a now-defunct domain registrar and hosting provider with a PO Box in Christchurch, New Zealand (it seems to me that IT Itch was not actually being run out of NZ*). IT Itch advertised themselves as providing “anonymous web hosting with bitcoin payment by default“, and boasted a 100% non-compliance rate when dealing with take-down notices.

Shortly after launching, WickedGen’s name server settings were pointed to Cloudflare. This would have obscured the true IP address of the web server, as well as providing some protection against DDoS attacks. In spite of this, WickedGen also experienced issues with web hosting.

In January 2018, after about a year of operation, visitors of WickedGen were redirected to a landing page hosted by Neocities, announcing that WickedGen’s web hosting account had been terminated by their hosting provider. Subsequent updates explained that they were having issues restoring their website from backups.

Notice the American spelling of the word ‘apologize’. Australia uses the British English ‘apologise’.

This turned out to be the end of WickedGen. It never came back online. The redirect to the Neocities landing page remained in place until October (the actual Neocities page is still online), before wickedgen.com simply displayed a generic ‘Website Unavailable’ page. It has since been purchased by a domain squatter hoping to profit from its sale, an only slightly more legitimate use of the domain than the account generating service. A fitting end. I’m still unsure if ‘Xez was ever behind WickedGen.

Coming in Part three

  • Account Generator operators team up to form AccountBot.
  • Tip offs from the FBI lead to arrests in two countries.
  • Court cases play out in Australia and the United States.


*Unrelated, but interestingly, IT Itch shut down in December 2020 without a clear explanation, giving customers just 30 days to migrate any services before they were all permanently deactivated, which caused frustration for some users. Note the American spelling of the word ‘apologize’. New Zealand uses the Queen’s English, ‘apologise’.