Known as xDedic, the market has a catalog of over 70,000 compromised servers for sale, Kaspersky Lab said Wednesday.
The servers are in 173 countries and used by governments, businesses and universities. The owners likely have no idea they’ve been hacked, the security firm said.
Hackers at xDedic breached many of the servers through trial-and-error using different passwords. They catalogued the servers' software, browsing history and other details buyers might like to know.
"It is a hacker’s dream, simplifying access to victims, making it cheaper and faster, and opening up new possibilities for both cybercriminals and advanced threat actors," Kaspersky said.
Criminal hackers can use the servers to send spam, steal data such as credit card information, and launch other types of attack.
“Purchasing access to a server located in a European Union country government network can cost as little as $6,” the security firm said.
Once buyers have done their work, the merchants put the server back up for sale. The inventory is constantly evolving.
Kaspersky said it learned of xDedic from a European ISP. The marketplace appears to have been created by Russian speakers, but they may not be affiliated with those selling on the site.
xDedic has flourished for two years and had 416 sellers as of May. Nine percent of the servers on sale are in Brazil, 7 percent in China and 6 percent in Russia. The biggest location is identified as "other," at 51 percent.
Kaspersky said it was able to identify some of the victims and notify them. It published a more complete report about xDedic here. The market place is located within the "deep web," meaning it's not discoverable by the major search engines. The site appeared to be down on Wednesday.