On July 18, cybersecurity firm UpGuard discovered an unauthenticated Elasticsearch database containing approximately 22 million web request records, primarily tied to the notorious cracking and leaking forum leakzone.net. The breach provides an unprecedented window into the real traffic patterns and user behaviours on a site associated with trading hacked credentials, illegal data dumps, and cybercrime toolkits.
What Was Exposed?
- 22 million web request records (June 25, 2025 onward)
- Each entry logged:
- Target domain (95% were to leakzone.net)
- User IP address (considered personal data under GDPR)
- Metadata: ISP, geolocation, request size, proxy/VPN usage
Attribution and Verification
- Leakzone.net traffic dominated the logs (95% of entries)
- Secondary site: accountbot.io (2.7%)—a known illicit account marketplace
- Researchers registered a test account; their IP immediately appeared in the logs, confirming authenticity
Anonymity Falls Apart: The Anatomy of Visitor Traffic
Unique IPs: Not Just Human Users
- 185,000 unique IP addresses—far more than the forum’s 109,000 registered users
- Explanation: Many visitors used proxies, VPNs, or dynamic cloud IPs to obscure their true identities
Proxy and VPN Usage
- 5% of requests and 2.1% of IPs were flagged as using public proxies
- Top “heavy use” IPs belonged to known VPN providers (e.g., Cogent Communications)
- Heavily used VPN IPs suggest mass aggregation and less frequent rotation, making them more block-list susceptible
Global Reach and the China Exception
- Traffic originated globally but notably excludes China, likely due to users there tunneling via international proxies
- Major cloud providers (Amazon, Microsoft, Google) hosted considerable traffic, with other addresses mapping to Lithuania, UAE, and similar VPN exit nodes
Lighter Footprints: One-Time and Infrequent IPs
- 39% of all IPs show up only once—many are likely users not taking anonymization seriously, or bots/scrapers/hunters from cybersecurity firms
Why This Leak Is So Significant
- IP addresses = de facto identity for many online interactions—now exposed for tens of thousands of users
- Even those using VPNs or public proxies are not immune; aggregation patterns can sometimes be traced and blocked
- The dataset reveals the limits of operational security: sophisticated users cluster around VPNs, but lapses and varied behaviors create exposure points
Implications for Threat Intelligence, Law Enforcement, and Privacy
- The leak serves as a goldmine for tracking cybercrime/infosec threats, as it reveals behavioral patterns, possible botnets, and major network infrastructure used for illicit activity
- For law enforcement, clustering and frequency analysis can unmask persistent actors, especially those using poorly rotated proxies
- Visiting leakzone.net is not a crime, but this breach is a stark warning that digital anonymity is fragile and that even browsing habits can become public—sometimes with legal or reputational consequences