September 5, 2021by Cybersixgill

Behind the meteoric rise of OpenBullet

A powerful, open-source penetration testing tool has become the password cracker of choice on the dark web, and its users are increasingly focused on getting access to streaming entertainment. In fact, interest in cracking Netflix passwords is almost as popular as cracking Amazon, eBay, and Walmart accounts combined.

The tool in question is known as OpenBullet, which officially launched in May 2019 (there’s some evidence that it existed well before that). Since that time, its popularity has skyrocketed, garnering 177,000 mentions across the dark web. There was an especially large spike in interest in the tool in March 2020, as COVID-19 lockdowns pushed many actors to the dark web.

Read: How to prevent and protect with threat intelligence

The reason for its popularity is simple: hackers with almost zero technical skills can use it. OpenBullet makes it easy for threat actors to automate attacks through a single console view using components that are easily bought on the dark web. Those components come in three basic forms:

Combolists: Lists of potential usernames and passwords deployed in brute force password cracking attempt

Configs: Website-specific executable code that can be used to automate attacks and log successful attempts

Proxy access: Free and paid services that anonymize a user’s presence or make it seem like they are working from a specific geographic area. These services help users evade detection by automated security defenses, as well as law enforcement. Once a threat actor has obtained a potential username and password combinations, they’ll need a script to automate the cracking attempts. Configs are scripted to work with a particular website or service - such as Walmart or Netflix, or Bank of America, three prominent targets documented in our report. The config automatically enters credentials from the list and records the authorization token for each one if successful.

An example of config for Shopify’s Oberlo website is seen below.

There were more than 80,000 posts regarding combo lists on the dark web in 2020. A single hacking forum in 2020 had more than 50,000 mentions of configs. These figures provide significant insight into the scale of interest in these topics.

Streaming services, financial services applications, and e-commerce websites were seemingly the most popular targets for password crackings. We know this by counting dark web posts in which people offer to buy configs targeting different services and websites Looking deeper into these three verticals, below is a list of the number of mentions of configs for the top three companies in each vertical:





















Financial Services

Bank of America


Financial Services



Financial Services

Wells Fargo


As you can see from the chart, streaming services lead the pack. At first glance, this result might seem a little puzzling at first glance because the conventional wisdom holds that most criminal hacking is motivated by money. The relative level of security at streaming services could explain why: some streaming services don’t require two-factor authentication by default.

It can’t be understated just how easy it is to buy configs and other attack components on the dark web. The interest in the purchase of configs, for example, could indicate that the users of OpenBullet are relatively unsophisticated. But it could also be yet another example of the dark web’s highly efficient division of labor. That is, threat actors advertise that they want to buy configs because they don’t know how to script them, but because it’s easier and faster.

Offers to sell configs outnumber posts from people seeking to buy - which may indicate that dark web actors don’t feel any pressure to build them or learn how to build them. One Discord server provides lists of users available to develop configs upon request.

For companies and security teams, the rise of plug-and-play attack tools has broadened the threat landscape. But the decentralized nature of the attack supply chain means that it is very hard for hacking plans to stay secret - if you know where to look.

Tools like OpenBullet may lower the barrier for entry into the hackerspace, but because new hackers need to buy configs and combo lists, they leave footprints on the dark web. While this report chronicles the interest in password cracking for nine companies, it shows that dark web monitoring and investigations are vital tools for the enterprise cybersecurity team.

Read the Report

You may also like

Access for Sale Blog-Thumbnail

April 16, 2024

Cybersixgill’s Access Currently for Sale - high-value intelligence just got even better

Read more
Diving into the Underground thumbnail

March 19, 2024

Take Threat Hunting to the Next Level: Create and manage your dark web persona

Read more

March 23, 2023

OpenBullet: The threat actor’s new magic bullet

Read more