
There is a stage in many real-world investigations that always plays out in the same way, yet rarely features in public reports: the attacker is already inside, has a clean and silent foothold, and can see files, processes and users, but still lacks the real key, namely reliable, stable administrative privileges that can be exploited. Those are the privileges that allow you to disable controls without making a sound, move from machine to machine, deploy payloads and extract data in bulk. At that stage, the most valuable asset isn’t a miraculous exploit but something far more down-to-earth: the hash of a privileged credential.


From foothold to ‘lockdown’: when the hash isn’t enough

The typical scenario is this. Initial access was gained in some way, often rather unglamorous: phishing, reused credentials, a poorly configured VPN, an exposed application, a forgotten low-privilege account. Then begins the harvesting of anything that can be reused for lateral movement. We’re not always talking about plaintext passwords; on the contrary, these are often hashes, tickets or derivatives that allow you to impersonate someone else without raising too much alarm. At some point, a high-value hash turns up, perhaps belonging to a local admin, a domain admin or a strategic service account. This is where many attackers get stuck. With a hash, you can do things, but not everything. There are situations where you actually need the password, or its equivalent, to bypass policies and controls, change configurations and remain inside the system over time. And that is when the ‘market’ opens up.


Why offline cracking is so popular with attackers

A hash is the cryptographic fingerprint of a password. If you can work with it offline, outside the victim’s network, it becomes a whole different ball game. No lockouts, no rate limiting, no MFA getting in the way, no geofencing. You have your own hardware or rented services; you try combinations at industrial scale, in parallel, and no one on the other side sees the activity in real time. The difference from online attempts is huge: online you’re slow and constrained by policies; offline you’re fast, scalable and difficult to attribute whilst it’s happening. The actual speed depends on the hashing algorithm, its parameters, the salt and the number of iterations. Well-configured ‘slow’ hashes (salted, with a high iteration count) are a concrete barrier. ‘Fast’ hashes or weak derivatives turn the password into an easy target.
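To make the ‘fast’ versus ‘slow’ distinction concrete, here is an added example (not part of the original analysis) that times an unsalted single-pass digest against a salted, iterated KDF on a constructed batch of guesses and feeds the per-guess cost into a crude keyspace-exhaustion model. The salt, guesses, iteration count, keyspace and worker count are all assumptions; absolute numbers depend on the hardware, but the ratio between the two is the point.

```python
import hashlib
import os
import time

# Constructed inputs (assumption): a random salt and a handful of guesses, not real credentials.
SALT = os.urandom(16)
GUESSES = [f"Summer{year}!".encode() for year in range(2015, 2025)]


def fast_hash(guess: bytes) -> bytes:
    # Unsalted single-pass digest: the 'fast' case, the same class of cost as a bare MD4 or SHA-256.
    return hashlib.sha256(guess).digest()


def slow_hash(guess: bytes, iterations: int = 100_000) -> bytes:
    # Salted, iterated KDF: every guess costs the attacker `iterations` HMAC rounds, by design.
    return hashlib.pbkdf2_hmac("sha256", guess, SALT, iterations)


def seconds_per_guess(hash_fn, guesses, repeat: int = 1) -> float:
    # Wall-clock cost of one guess for hash_fn, averaged over repeat * len(guesses) calls.
    start = time.perf_counter()
    for _ in range(repeat):
        for guess in guesses:
            hash_fn(guess)
    return (time.perf_counter() - start) / (repeat * len(guesses))


def exhaust_seconds(cost_per_guess: float, keyspace: int, workers: int) -> float:
    # Crude linear model: time to try every candidate with `workers` independent crackers.
    return cost_per_guess * keyspace / workers


def compare(keyspace: int = 10**9, workers: int = 64) -> dict:
    fast = seconds_per_guess(fast_hash, GUESSES, repeat=200)   # cheap, so sample more calls
    slow = seconds_per_guess(slow_hash, GUESSES[:2])           # expensive, two calls suffice
    return {
        "fast_s_per_guess": fast,
        "slow_s_per_guess": slow,
        "slowdown_factor": slow / fast,
        "fast_exhaust_s": exhaust_seconds(fast, keyspace, workers),
        "slow_exhaust_s": exhaust_seconds(slow, keyspace, workers),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:>18}: {value:,.6f}")
```

Real cracking rigs are far faster than this Python loop, but they pay the same iteration-count multiplier per guess, which is exactly why the slow configuration is a barrier and the fast one is not.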


Inside paid threads: a marketplace with rules

In Russian-speaking forums, there are threads dedicated to paid cracking requests which, on closer inspection, look more like a small marketplace with its own rules than a messy noticeboard. They work because they reduce friction between supply and demand, increase speed and limit disputes.

Anyone opening a request must provide the bare minimum to make the job feasible: the hash or a set of hashes, the algorithm or at least the context from which they originate, a clear timeframe that effectively creates an implicit SLA, the price and the payment method, often in bitcoin unless otherwise specified. The more details provided, the shorter the turnaround times; for example, by indicating whether the hash already appears in known databases or by offering clues to guide the choice of dictionaries.

There is also a rule that triggers the competition: the first to deliver gets paid. This reduces average response times, attracts more operators to the same job and spreads the risk of failure across many. If one person fails, someone else probably will succeed. For the defender, this detail carries weight: the resilience of the attack grows simply through the network effect.

Minimal arbitration mechanisms act as the glue: if someone delivers on time, the requester must pay; if someone claims to have cracked it, they must prove it and deliver; there are escrow arrangements or interim proofs to limit scams, and bans as a deterrent. It doesn’t eliminate fraud, but it raises the cost of malfeasance and sustains a shadow economy that operates on simple rules.


The ban that says a lot: no wallet hashes

An interesting detail is the explicit ban on hashes linked to wallets such as Electrum, Ethereum or MetaMask. We’re not talking about ‘password hashes alone’ here. Publishing such material is practically like handing over access to a wallet. The forum bans them because they trigger immediate thefts, unmanageable disputes and unwanted attention. It’s a clear indication of the operational maturity of these spaces.


The uncomfortable lesson: ‘complex’ does not mean ‘secure’

Crackers don’t succeed by randomly trying every letter of the alphabet. They succeed because they know people and their habits. They don’t start with blind brute force, but with selected dictionaries, combinations, rules, linguistic transformations and recurring corporate formats. They narrow down the search space, eliminate the improbable and target the plausible. Over time, they learn where it’s worth persisting and how much to charge. In practice, they aren’t looking for just any password, but the most likely one given that organisation’s context.


Where the chain really breaks

If we look at the kill chain, cracking-as-a-service becomes a relative problem if you cut off the ecosystem’s oxygen, i.e. its input: the usable hash. This does not mean waging a crusade against hashes, which are inherent to how passwords are stored, but drastically reducing the chances that they are extracted or that, once obtained, they are actually useful.

The first step is to prevent privileged accounts from logging on interactively to at-risk endpoints. Administrators should not browse the web, read emails or carry out day-to-day tasks on ‘normal’ machines. Identity separation is key: one account for day-to-day use and one for privileged activities, on dedicated, hardened workstations. This single measure significantly reduces the likelihood of a valuable hash ending up in the clutches of an infostealer.

Next, you need to restrict the tools and permissions that allow access to sensitive processes and in-memory credentials, increase visibility into anomalous access to authentication components, and monitor dumping attempts and suspicious patterns. Patching and hardening the components where credential theft has historically been concentrated are trivial only on paper, but they make all the difference.

It also makes sense to reduce the value of the password itself. For privileged access, where applicable, use phishing-resistant MFA. For passwords, implement policies favouring long, unpredictable passphrases, avoiding common corporate patterns such as month-year, company name plus a symbol, seasons or product names. A password manager reduces password reuse and incremental variations that invariably end up in attackers’ dictionaries.

Finally, we must work on resilience even in the event that a password is compromised: least privilege, segmentation, administrative tiering, rotation and secure management of service and local credentials, avoiding replicated static passwords. And above all, the ability to quickly spot authentication anomalies and lateral movement, to react before the damage becomes structural.


Why all this is relevant

Because it captures an operational reality we often underestimate: the modern attacker does not need to excel at everything. They may be mediocre in the initial phase, mediocre in persistence, mediocre in cracking. All they need is to know how to buy, at the right moment, the expertise they lack, with ready-made rules of the game and fixed timelines. If the asset they acquire is an admin password, time becomes the defender’s only real enemy. It is no surprise that in those threads the key question is “how current is this credential?”. It is the metric that separates any old hash from a paying order.

Analysis by Vasily Kononov – Threat Intelligence Lead, CYBEROO