For the second time in two years, the contents of the darknet payment card marketplace Swarmshop have been removed and posted to a competing underground forum, Group-IB reports. The content includes data on more than 600,000 payment cards as well as administrator, seller and buyer information.
While underground hacker forums get hacked from time to time, card shop breaches do not happen very often. In addition to buyers' and sellers' data, such breaches expose massive amounts of compromised payment and personal information belonging to ordinary consumers. Although the source remains unknown, it must be one of those revenge hack cases.
Investigators suspect the theft was conducted by some of Swarmshop's own users. "This is a major reputation hit for the illicit card shop as all the sellers lost their goods and personal data. The card shop is unlikely to restore its status." News flash: bad actors will steal from each other.
The researchers point to two pieces of evidence that indicate revenge was the motivation. In the first attack, which took place in January 2020, the individual said he wanted to sell the data in order to destroy Swarmshop. In the March 2021 case, the information was provided for free. Two Swarmshop users also attempted to inject a malicious script, designed to probe for website vulnerabilities, into the contact information field, Group-IB says, pointing out that it is not clear whether this was related to the data theft.
The stolen content contained more than 12,000 records belonging to the card shop's administrators, sellers and buyers, including their nicknames, hashed passwords, contact details, history of activity and current balance, Group-IB says. Also stolen was data for 623,000 payment cards issued in the U.S., Canada, U.K., China, Singapore, France, Brazil, Saudi Arabia and Mexico; about 500 sets of online banking account credentials; and more than 69,000 U.S. Social Security numbers and Canadian Social Insurance numbers, the report says.
The security firm characterizes Swarmshop as a midsize marketplace that deals in stolen personal and payment records. The researchers believe it opened in April 2019, and as of March, it had about 12,000 marketplace traders who collectively held about $18,000 in their accounts for future payments. Group-IB notes that in January 2020, about 485,000 Swarmshop records were stolen and then moved to the underground forum to be offered for sale. The thief posted a screenshot supposedly taken of Swarmshop's admin panel on the other forum's chat board.
"The Russian-speaking admins of the card shop never commented on this thread; their website, however, went down temporarily due to 'the transfer to the new server,'" Group-IB says. In the 2020 incident, the attacker said in a post that he wanted to sell the data in order to destroy Swarmshop.
In March, a new Swarmshop marketplace member posted Swarmshop admin credentials that had been stolen in 2020 on several underground forums. The Swarmshop admins claimed this information was old and the passwords had been changed. "A week after the post, Swarmshop users were redirected to an under-maintenance page when trying to log in. At the same time, card shop users reported problems with their account balance," Group-IB says.
Group-IB's breakdown of the Swarmshop records exposed in the recent leak found records for four administrators, 90 sellers and 12,250 users who have purchased stolen data from the shop. The researchers found 62% of the 623,000 payment card records came from U.S. banks, 14% from China, about 3% each from the U.K., Canada, and France and about 1% or less from Singapore, Brazil, Saudi Arabia and Mexico.
"In addition to stolen bank cards, the database revealed 498 sets of online banking account credentials and 68,995 sets of U.S. Social Security Numbers and 597 Canadian Social Insurance Numbers," the report says. Since the start of the year, law enforcement has been cracking down on darknet markets. In January, Europol worked with other agencies to take down DarkMarket and arrest its operator. Europol estimates DarkMarket had more than 500,000 users and generated more than $170 million in revenue.
Also in January, the administrator of Joker's Stash - believed to be the largest darknet seller of stolen credit cards - announced the carding site would close the following month. This decision came one month after the FBI and Interpol temporarily disrupted the market's operation.
See: https://redskyalliance.org/xindustry/who-will-become-joker-s-stash-s-successor
Several competing payment card trading sites - including Brian's Club, Yale Lodge and Vclub - quickly moved to grab Joker's Stash's customer base.
Red Sky Alliance has been analyzing and documenting cyber threats and groups for over 9 years and maintains a resource library of malware and cyber actor reports available at https://redskyalliance.org at no charge. Many past tactics are reused in current malicious campaigns.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com.
• Reporting: https://www.redskyalliance.org/
• Website: https://www.wapacklabs.com/
• LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/3702558539639477516
TR-21-112-003_How_to_Steal_Already_Stolen.pdf