War = 62% Decline in Stolen Cards

10945933054?profile=RESIZE_400xThe Russian invasion of Ukraine in early 2022 appears to have led to a double-digit decrease in stolen payment card records published to the dark web, according to researchers.

In a recent report, investigators analyzed detailed threat intelligence gleaned from the cybercrime underground to compile a report.  It reported a 24% year-on-year decrease in the volume of card-not-present records on dark web carding shops in 2022 to 45.6 million and a 62% slump in card present records, to 13.8 million.

Researchers traced this significant decline to two key events at the start of the year. The first was an unexpected crackdown by the Russian state on cybercrime groups, which included arrests of suspected members of the REvil ransomware collective.  “The governing theory is that Russia sought to signal its intent to cooperate with the West against cybercrime should the West acquiesce to Russian demands regarding Ukraine,” the report claimed.[1]

Whatever its intent, the clampdown had a chilling impact on card fraud from the second half of February to April, including the shuttering of several top-tier carding shops, Recorded Future said.

However, what came next arguably had an even bigger impact. “After April, slack carding demand and depressed volumes of ‘fresh’ records were likely a result of Russia’s war,” the report continued.  “It is highly likely that the war has significantly impacted Russian and Ukrainian threat actors’ ability to engage in card fraud as a result of mobilization, refugee and voluntary migration, energy instability, inconsistent internet connectivity and deteriorated server infrastructure. Russian-occupied areas of the Donbas region of Ukraine were long suspected to have hosted cyber-criminal server infrastructure.”

As a result, the future of the card fraud market will depend on external events, the report concluded.  “Should Russia’s unprovoked war in Ukraine continue, the factors influencing regional threat actors’ ability to engage in card fraud will likely persist, and threat actors’ ability to engage in card fraud will remain lower than before the war, even as they continue to adapt,” it noted.  “If the war should end, monitoring the region’s post-war economies will be crucial to determine whether the conditions and incentives exist for a renewal or possibly even an increase in card fraud activity.”

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com      

Weekly Cyber Intelligence Briefings:

  • Reporting: https://www. redskyalliance. org/   
  • Website: https://www. wapacklabs. com/  
  • LinkedIn: https://www. linkedin. com/company/64265941   

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings


[1] https://www.infosecurity-magazine.com/news/russias-ukraine-62-slump-stolen/

E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!