A cybercriminal known as ‘vebxpert’ has recently been identified as selling unauthorized access to the customer relationship management (CRM) systems of two companies, one based in India and the other in South Africa. The alarming listings were discovered on a cybercrime forum and have raised significant concerns about data security and the emerging market for corporate access credentials.
In the first case, the threat actor claims to have gained access to the CRM system of an Indian bank with a substantial workforce of nearly 6,000 employees and an annual revenue of below USD 720 million, equivalent to approximately Rs 6000 crore. The listing, priced at USD 300 (approximately Rs 25,000), includes login credentials that allegedly provide the ability to view and edit over 200,000 documents within the system.
To lend credibility to potential buyers, the seller is offering escrow services, a common method used in cybercrime circles to minimize the risk of scams between threat actors and buyers. Although the specific name of the bank remains undisclosed and visual evidence has not yet been shared, the extent of the claimed access and the volume of documents involved suggest that the system in question likely contains a significant amount of business-critical and potentially sensitive customer data.
In a separate listing, ‘vebxpert’ is also offering access to the CRM portal of a South African business services company. The system supposedly holds the personal and business information of 36,000 customers, and the access is being sold for USD 100 (about Rs 8,300). This access includes various sensitive modules such as live chat transcripts, contact lists, project details, employee data, and information related to service desk tickets.
Notably, the actor has mandated that all communication related to potential deals occur exclusively via qTox, an encrypted peer-to-peer messaging platform favored for its anonymity in underground forums. Escrow services are again provided in this instance, reflecting an effort to reassure potential buyers about the legitimacy of the listing.
What is striking about both instances is the lack of direct identification. The names of the affected companies have been kept confidential, a tactic often employed by threat actors to prevent premature attention or interference before a sale is finalized. While this approach may raise doubts about the authenticity of the claims, it does not eliminate the associated risks. Comparable anonymous listings in the past have led to the exposure of genuine high-profile breaches once validated by third parties.
Access to CRM platforms presents a particularly severe threat as these systems serve as central hubs for business operations and customer interactions. Unauthorized access could enable malicious actors to extract sensitive data, impersonate employees, initiate phishing attacks, or manipulate records without authorization. In regulated sectors like banking, a breach of this nature could trigger scrutiny from compliance regulators and result in reputational harm.
Given the critical role that CRM systems play in organizational functions, these listings should serve as a stark warning for businesses worldwide. Are your systems adequately safeguarded? Do you have oversight over who can access your data and how easily that access could be traded?
These inquiries are increasingly pertinent as threat actors target internal tools and platforms that numerous organizations still neglect to fortify with robust authentication, access controls, or timely updates.
While ‘vebxpert’ has yet to present concrete evidence, the potential repercussions of verified unauthorized access are too substantial to overlook. Cybersecurity teams in India and South Africa are likely in a heightened state of vigilance, actively monitoring for signs of compromise. The crucial question now transcends identifying the current victims—it extends to determining how many more entities may be at risk of exploitation.