Compromised cPanel Credentials Flood Cybercrime Markets

By alex2404

Cybercriminals are buying and selling access to hacked website management panels at scale, with compromised cPanel credentials emerging as one of the most actively traded commodities in underground markets. New research from Flare exposes a structured ecosystem operating across fraudulent Telegram channels, where valid hosting credentials change hands at commodity-level prices.

Over a seven-day monitoring period, Flare researchers analyzed more than 200,000 posts referencing cPanel access across tracked criminal groups. Roughly 90% were duplicates, pointing to a highly commoditized market where a smaller pool of unique listings gets amplified thousands of times to maximize reach and buyer exposure.

Why cPanel Is a Target

cPanel is one of the most widely deployed Linux-based web hosting control panels globally. It manages hosting accounts, domains, mail services, databases, DNS zones, SSL certificates, and file systems from a single interface. According to Shodan, more than 1.5 million internet-connected servers run cPanel software, with over 1 million of those located in the United States alone.

That concentration makes it an attractive target. A single set of valid credentials unlocks a broad attack surface without triggering the alerts that brute-force or malware-based intrusions typically generate.

What Attackers Can Do With It

Once inside a cPanel environment, a threat actor can operate with considerable freedom. Flare’s research outlines the range of actions that become available:

  • Deploying backdoors or creating new admin accounts for persistent access
  • Installing malware or attempting privilege escalation to root
  • Launching phishing kits hosted under a legitimate domain name
  • Creating SMTP accounts to run phishing or spam campaigns at volume
  • Exfiltrating databases containing personally identifiable information and stored secrets

In shared hosting environments, the risk multiplies. A single compromised cPanel account can expose dozens of domains simultaneously. Because attackers authenticate with valid credentials, conventional security controls may miss the intrusion entirely. Early abuse often looks mundane: quiet outbound mail, hidden file uploads, nothing that immediately signals a breach.
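
A login with valid credentials produces no brute-force signal, so detection has to key on what happens after the login. The following is an added example, not taken from Flare's research or the original article: it correlates a successful login from a source address outside an account's baseline with mail-account creation or file uploads shortly afterwards. The event names and tuple layout are constructed for illustration and are not cPanel's native log format.

```python
from datetime import datetime, timedelta

# Constructed sample events in an assumed normalized form
# (timestamp, account, source IP, action); not cPanel's native log format.
EVENTS = [
    ("2024-05-01T09:00:00", "shopco", "198.51.100.10", "login_ok"),
    ("2024-05-02T09:05:00", "shopco", "198.51.100.10", "login_ok"),
    ("2024-05-02T09:10:00", "shopco", "198.51.100.10", "file_upload"),
    ("2024-05-03T02:14:00", "shopco", "203.0.113.77", "login_ok"),
    ("2024-05-03T02:16:00", "shopco", "203.0.113.77", "email_account_created"),
    ("2024-05-03T02:21:00", "shopco", "203.0.113.77", "file_upload"),
    ("2024-05-03T08:00:00", "blogger", "192.0.2.5", "login_ok"),
]

# Hypothetical action names for the early abuse the article describes.
SENSITIVE = {"email_account_created", "file_upload", "user_created"}


def flag_suspicious_sessions(events, window=timedelta(minutes=30)):
    """Alert on sensitive actions that follow, within `window`, a successful
    login from an IP outside the account's baseline."""
    baseline = {}  # account -> IPs trusted from the account's first login
    pending = {}   # (account, ip) -> time of latest login from a new IP
    alerts = []
    for ts, account, ip, action in sorted(events):
        when = datetime.fromisoformat(ts)
        if action == "login_ok":
            if account not in baseline:
                baseline[account] = {ip}  # first sighting sets the baseline
            elif ip not in baseline[account]:
                # Stays untrusted until an analyst adds it to the baseline.
                pending[(account, ip)] = when
        elif action in SENSITIVE:
            start = pending.get((account, ip))
            if start is not None and when - start <= window:
                alerts.append((account, ip, action, ts))
    return alerts


if __name__ == "__main__":
    for alert in flag_suspicious_sessions(EVENTS):
        print("ALERT", *alert)
```

The upload from the known address raises nothing, while both actions that follow the login from the new address are flagged, which is the pattern a failed-login counter never sees.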

How Credentials Get Stolen

Attackers reach cPanel environments through several well-established routes. Credential theft remains the most common, driven by phishing, password reuse from prior data breaches, credential stuffing, and automated brute-force attacks against exposed login portals. Configuration errors compound the exposure: sensitive files left publicly accessible, weak passwords, and the absence of multi-factor authentication all lower the barrier significantly.

Vulnerable web applications hosted on the same server provide another entry point. Outdated installs of WordPress, Joomla, or Drupal, along with unpatched plugins, allow attackers to upload web shells or escalate privileges. From there, they can harvest stored credentials, read configuration files like wp-config.php, and eventually pivot to full cPanel control.

Automation has industrialized all of this. Botnets continuously scan for exposed login panels, known CVEs, and common misconfigurations. Access that is gained gets monetized quickly, either through direct exploitation or resale in underground markets where buyers are ready to deploy the credentials immediately for spam infrastructure, phishing campaigns, or site defacement.

The Flare findings reflect a market that runs less on sophisticated hacking and more on volume, speed, and the sheer number of misconfigured or neglected hosting accounts sitting exposed on the internet.


This article is a curated summary based on third-party sources.