How Hackers Ransom MySQL Databases on the Dark Web

Currently more than 85,000 MySQL databases are listed for sale on the dark web, each typically priced at about $550.

Hackers steal these databases, download the tables, delete the original files, and leave a ransom note that instructs the server owner to contact them to retrieve the data.

Initially the ransom note required victims to email the attackers, but as the operation scaled, the criminals built an automated portal hosted on sqldb.to and dbrestore.to accessible via the Tor network.

Victims who visit the site and enter the ID number left in the ransom note are shown a page displaying their data for sale.

If payment is not received within nine days, the data is moved to a separate page where it is auctioned to the highest bidder.

All transactions for recovering or purchasing the stolen databases must be made in Bitcoin; price fluctuations follow the BTC/USD rate, but the typical cost remains around $500 per site.

The entire intrusion, ransom note, and auction website are fully automated, meaning attackers do not manually assess whether the stolen data contains high‑value personal or financial information—a small consolation for victims.

In 2020 ransomware incidents continued to rise, with victims posting ransom notes on Reddit, MySQL forums, technical support forums, Medium articles, and personal blogs.

Bitcoin addresses used for these extortions are tracked on BitcoinAbuse.com, and attacks on MySQL, MongoDB, Elasticsearch, Hadoop, Cassandra, and CouchDB databases have persisted since the winter of 2017.