In late 2018, Terbium Labs released Trends and Projections in the Dark Web Data Trade, highlighting our predictions for the coming year. Over the coming months, we will unpack those trends in a series of blog posts highlighting the events that shaped our predictions and the developments in those trends since the beginning of the year. For the first post in this series, we unpack the increased law enforcement attention toward cyber-enabled fraud and the shift in resources allocated to taking down dark web communities trading compromised data and financial details.

Historically, much of the attention around dark web takedowns focused on physical goods, with law enforcement efforts focused primarily on drugs and weapons trafficking. In 2013, when the Justice Department executed a takedown of the infamous Silk Road Marketplace, the press release focused on the market’s drug activity, noting “drug dealers and other unlawful vendors” were using the site to “buy and sell hundreds of kilograms of illegal drugs and other unlawful goods and services.” A few years later, law enforcement executed another major takedown as part of Operation Onymous, shutting down Silk Road 2.0 and a handful of other illicit markets. With Operation Onymous, law enforcement issued more explicit language about the fraud problem, likely due to a handful of smaller, fraud-specific markets in the takedown. The release noted that the “advertised goods and services included, among other things: illegal narcotics; firearms; stolen credit card data and personal identification information; counterfeit currency; fake passports and other identification documents; and computer-hacking tools and services.” Drugs and weapons held fast as the primary targets, but fraud and data compromise received honorable mentions.

Fast forward to July 2017, when the Justice Department announced the seizure of Alphabay as part of Operation Bayonet. In coverage of Operation Bayonet, the focus on drugs continued. The press release called Alphabay a “major source of fentanyl and heroin, linked to overdose deaths, and used by hundreds of thousands of people to buy and sell illegal goods and services.” In classifying Hansa Market, another large dark web market taken down in the same operation, the release put drugs front and center, claiming that “like Alphabay, Hansa Market was used to facilitate the sale of illegal drugs, toxic chemicals, malware, counterfeit identification documents, and illegal services.”

Let’s be clear: drugs are popular goods on the dark web, and in some cases, they are the dominant listings on major dark web markets. Drugs warrant attention from law enforcement, and increased rates of overdoses—particularly from fentanyl and other synthetic opioids—are an ongoing problem that demands international attention. Drugs are a problem, yes, but the drug trade should not be the sole focus of criminal takedowns. The fraud economy on the dark web is too established and too pervasive to only ever be collateral damage in the process of a drug bust.

Drugs and weapons make headlines—they seize on tangible, physical threats and a common enemy, whether violent attacks or the ongoing efforts in the so-called war on drugs. Fraud is a more insidious enemy, often dismissed as a victimless crime that causes a financial inconvenience for banks and temporary frustration for customers. For many, fraud seems unfortunate and irritating but hardly problematic on the scale of arms trafficking. This perception puts us at a dangerous disadvantage in facing the developing profile of criminal activity.

We need to change the way we think about fraud. Financial data and personal information records are listed and sold by the millions on the dark web. The compounding effects of large-scale data breaches provide more raw materials for criminals to exploit in consumer phishing schemes, credential stuffing attacks, and business email compromise. Criminals use compromised financial data for quick cash-out schemes, yes, but also, more pervasively, to launder money, pay mules, and cover the operational costs of their broader criminal enterprises. Data compromise fuels fraud, and fraud fuels a wide range of other criminal activity.

Law enforcement is taking notice and taking action. In February of 2018, the Justice Department issued an indictment for members of the InFraud organization, naming thirty-six defendants “responsible for more than $530 million in losses from cybercrimes.” InFraud was a prolific syndicate with an established online presence, much like the dozens of other dedicated fraud markets that make up the backbone of the dark web fraud community. For every independent shop or isolated vendor, the dark web fraud community has thriving hubs like InFraud that provide vital marketing and communication efforts to boost fraud sales and spread institutional knowledge between fraudsters. Taking down InFraud was a key signal to the fraud community: we see you.

Later in 2018, the Justice Department circled back with yet another blow to online fraud when it announced the arrest of three members of FIN7, also known as the Carbanak group. FIN7, like InFraud, showed the scale of criminal enterprises fueled by cybercrime, as FIN7 “hacked into thousands of computer systems and stole millions of customer credit and debit card numbers, which the group used or sold for profit,” and “engaged in a highly sophisticated malware campaign targeting more than 100 U.S. companies.” FIN7, like InFraud, had been operating a successful fraud syndicate at scale for years, and we still lack a comprehensive view into the full impact and damages.

These groups weren’t the only flags for increased attention on cyber fraud in 2018. Robert Mueller cited abuse of payment processor accounts in his indictment of Russia’s Internet Research Agency, while Europol announced two successful operations against counterfeit money operations and an organized crime group specializing in financial crimes.

That brings us to 2019, where, already in the first six weeks of the year, law enforcement continued to focus efforts on financial fraud operations. In late January, officials took down xDedic, a dark web market well known for selling credential access to Remote Desktop Protocol (RDP) servers. The Justice Department noted that xDedic, through its trade of “compromised computer credentials and personal information,” facilitated at least $68 million in fraud. Just days later, the Justice Department unsealed another indictment, announcing the extradition of 20 members of a cyber crime ring based in Romania. This group used a combination of phishing, brute force attacks, and stolen financial data to scam Americans out of millions of dollars—only to then launder the funds through cryptocurrency wallets.

It is only March, but these efforts to bust organized fraud rings and dismantle criminal enterprises abusing stolen information continue to signal an expanded focus for law enforcement. The scale of data exposure and financial compromise is increasing rapidly. Cyber criminals recognize the potential for profit using compromised data to fund operations, and businesses face increased risks as a result. There’s much work left to do. Law enforcement has had great successes in recent years, but these takedowns have only scratched the surface of a resilient fraud economy.
