Heart of Darkness: Inside the Darknet Markets that Fuel Financial Cybercrime

Dec. 5, 2018 | by Daniel Shkedi

Countless articles have been written about the techniques cybercriminals use to harvest personal information and about ways to prevent online identity theft. However, less attention has been given to the economic engines that grease the wheels of financial cybercrime. Fraudsters have realized that the dark web provides a full cloak of anonymity, creating fertile ground for new darknet markets to surface and a strong incentive for criminals to launch cunning cyberattacks.

In 2013, the FBI, after a lengthy investigation, was able to shut down the Silk Road darknet market, which was known by many as the “Amazon of the dark web.” Since then, new markets have emerged, and in many cases have surpassed the original sites in terms of illegal goods, buyer/seller rankings, and anonymous payments through cryptocurrencies. According to rankings by numerous dark web forums, the largest darknet markets in terms of volume are the following: Dream Market, Wall Street Market, Tochka, Rapture Market, CannazonI, and Berlusconi.

Though most of the illegal trade on the dark web is in drugs, weapons, stolen electronics, hacking-as-a-service, and hit squads, there is also a robust market for stolen personal information and hacking toolkits. Social security numbers go for as little as $1 and demand for malware creation is three times greater than supply.

In this blog, we’ll focus on the stolen information and hacking tools sold on the dark web and how cybercriminals later use their purchases for fraud attempts and to fuel financial cybercrime.

Online Identity Theft and Darknet Markets

The series of massive data breaches in recent years has resulted in approximately 9.7 billion data items leaked to the internet and the dark web. The leaked data includes names, addresses, social security numbers, credit card numbers, passport details, and medical records. Despite the damage to the public from these incidents, data breaches have become quite common, fueling a black market of personal information and stolen identities on the dark web.

Cybercriminals use stolen data from online identity theft for various types of fraud. One of the most prevalent is account opening fraud using a stolen or synthetic identity. Using fake identities, fraudsters can apply for credit cards, debit cards, or small loans ($500-$1000). Second, fraudsters can use stolen digital identities to form dummy companies, build a credit history, and commit fraud on a larger scale.

Screen Shot 2018-12-05 at 12.57.15 PM    Screen Shot 2018-12-05 at 12.57.21 PM

Left: A darknet site offering a fake U.S citizenship kit for sale: passport, SSN, driver’s license and birth certificate for 0.218 bitcoin ($1400 at the time). Right: A site selling stolen/fake driver licenses (by U.S state) for $200 in bitcoin per item. Source: BioCatch/Daniel Shkedi.

Another popular ‘commodity’ on darknet markets is Social Security Numbers (SSN) used for account opening fraud. Since the SSN is typically used as a primary form of identification in the U.S., there is increased demand for these items, particularly SSNs that belong to young children. SSNs that belong to infants or young children are valuable to fraudsters because children do not have credit histories that can be retrieved from credit bureau databases. As a result, fraudsters can evade standard credit checks.

Top: A cyber-criminal trying to sell children SSNs with birth certificates on a hacking forum. Bottom: Another cyber-criminal trying to sell lists of stolen SSNs in the same forum. Source: BioCatch/Daniel Shkedi.

Stolen Credit Cards, Stolen Credit Cards Everywhere

One of the first things you notice while browsing through darknet markets is the astounding number of stolen credit, debit, and prepaid cards as well as hacked PayPal accounts for sale. Fraudsters use numerous techniques to steal CC information, including card skimming. Criminals install a micro card reader in ATMs, which scan data from magnetic stripes, and hidden cameras to harvest a victim’s PIN number. Later, CC information or fake cards using stolen information is sold in the darknet markets.

Like any trading system, these items have a price range. Prepaid cards issued by American Express and Visa with a balance of $2000 are sold for $130-$140 per card. Hacked PayPal accounts with a balance of $2500-$8000 are sold for $130-$350 per card.

 Screen Shot 2018-12-05 at 12.58.32 PM Screen Shot 2018-12-05 at 12.58.36 PM

Left: Hacked PayPal accounts for sale in darknet markets. Right: Stolen prepaid cards (AMEX and Visa) for sale. Source: BioCatch/Daniel Shkedi.

The results are devastating for organizations in the online payments game. Recently, fraud rates at PayPal-owned Venmo rose from 0.25% of overall Venmo volume in January 2018 to 0.40% in March. Credit card theft is part of the problem. Criminals can use stolen CCs to and send money through the app.

Hacking Toolkits for Financial Cybercrime

Darknet markets offer a variety of hacking tool packs, including banking Trojans, spyware, exploits, ransomware, and social engineering tools. These kits typically feature hundreds of tools with very friendly interfaces that do not require advanced technical skills. The toolkits are used for a variety of cyberattacks, including:  

  1. Account Takeover: Fraudsters take over genuine users’ accounts from afar and illegally transfer money.

  2. Information/Identity Theft: Fraudsters use keyloggers or other malware to steal personal information, digital identities, passwords, and financial information.

  3. Ransomware: Ransomware is a malicious code that encrypts files or restricts access to files in order to extort ransom money.

Screen Shot 2018-12-05 at 12.59.25 PM Screen Shot 2018-12-05 at 12.59.29 PM

Left: The classic Zeus banking Trojan for sale on Dream Market. Price: $4-$10.5 per download. Right: A hacking tool pack with 400 tools (e.g, RATs, malware) for sale on the Wall Street market in the darknet. Source: BioCatch/Daniel Shkedi.

Despite tireless efforts by the FBI, Interpol, Europol, and other government agencies to penetrate the “heart of darkness,” it seems nearly impossible to eradicate illegal trade in darknet markets. Beside a few wins, like the AlphaBay and Hansa takedowns, it appears that fraudsters’ technical sophistication and evasiveness gives them an advantage in the “cat and mouse” game with the authorities.

Going forward, we can expect this war of attrition to continue, as darknet markets fuel financial cybercrime. Governments and firms have no choice but to fortify their systems and acquire cutting-edge defenses that can detect and prevent new account fraud, account takeovers, malware, and remote attacks. Behavioral biometrics technology is leading the way, fundamentally reforming fraud detection and authentication for the better.

Using machine learning to establish identity based on user-device interactions, behavioral biometrics overcomes the shortcomings of the traditional authentication process. The dark web will remain a lucrative market for cybercriminals, but behavioral biometrics will reduce the value of the information and exploits bought and sold there.

Learn more about behavioral biometrics and the fight against fraud and cybercrime in our primer on the technology and its future.

Topics: Banking / Financial Services, Fraud