SnowTeam Launches Leak Bazaar, a Corporate Data Exchange With ML-Powered Dump Analysis, DBMS Reverse Engineering, and Ransomware Negotiation Support

Dark Web Informer - Cyber Threat Intelligence


March 27, 2026 - 11:55:52 AM UTC
Cybercrime Infrastructure

Quick Facts

Date & Time: 2026-03-27 11:55:52 UTC
Threat Actor: BlackSnow (SnowTeam)
Service Name: Leak Bazaar
Category: Cybercrime Platform / Data Exchange
Severity: High
Revenue Split: 70% Seller / 30% Platform
Target Revenue: $10M+ Companies
Min Data Volume: 100 GB (Preferred 1 TB+)
Escrow: Exploit Guarantor
Network: Open Web

Incident Overview

A threat group called SnowTeam, in a post by the actor BlackSnow, has announced the launch of Leak Bazaar, a closed corporate data exchange platform built to solve what the group describes as the "refusenik" problem in ransomware: a target's corporate network is compromised and terabytes of data are exfiltrated, but the victim refuses to pay the ransom, leaving the operator with data that is difficult to monetize through traditional data leak sites.


Leak Bazaar positions itself as infrastructure that converts raw stolen data into structured, buyer-ready intelligence products. The platform's processing pipeline works in four stages:

  • Automation and ML Filtering: The server cluster hardware-filters system junk (OS backups, DLLs, ISO files) and performs deep NLP analysis of text arrays. A professional mathematician is responsible for the filtering algorithms' mathematical model.
  • DBMS Reverse Engineering: Server-side parsers automatically analyze raw database dumps from SQL, SAP, and Oracle exports, extracting financial transactions, payroll records, and contractor data into clean Excel/CSV exports. This feature is currently in beta.
  • Cataloging: Processed material is automatically categorized into high-margin segments: quarterly financial reports (QFR), M&A data, R&D (source code and development), and personal data.
  • Manual Validation: In-house analysts perform final manual review of all extracted data before it reaches the storefront, ensuring quality control.

The platform also markets itself as a ransomware negotiation pressure tool, claiming that processed analytical reports can uncover "skeletons in the closet" such as evidence of working with OFAC/SDN sanctioned individuals, shadow accounting, and unissued financial reports, which can strengthen extortion leverage during negotiations.


For buyers, the platform offers a differentiated purchasing model where you can buy only the specific data segment you need (R&D, financials, etc.) rather than an entire raw dump. Two purchase options are available: exclusive (full price, data removed after sale, seller gets 70%) or shared (half price, data remains available for resale, seller continues earning 70% on each subsequent sale). The platform accepts data from RaaS operators, initial access brokers, and independent pentesters, with unlimited seats for collaboration.


Data submission requirements are strict: data must be exclusive (unpublished), primarily in English, at least 100 GB in volume (preferably 1 TB+), and from companies with revenue of $10M or above. Priority goes to the technical development, biotechnology, chemistry, pharmaceuticals, law, insurance, and finance sectors.

Target Industries & Data Types

  • Technical Development / R&D
  • Biotechnology
  • Chemistry & Pharmaceuticals
  • Law Firms
  • Insurance Companies
  • Financial Institutions
  • Quarterly Financial Reports
  • M&A Data
  • Source Code & Documentation
  • Payroll & HR Records
  • Personal Data
  • OFAC/SDN Sanctions Evidence

Image Preview

[Image: Forum post by BlackSnow announcing Leak Bazaar data exchange platform with ML-powered processing pipeline and server cluster architecture details]

[Image: Leak Bazaar business model details including buyer options, revenue splits, data submission requirements, and target industry priorities]
