The Dark Web and Underground Markets - April 2020 Update

“Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities.

BlueVoyant’s research of the dark web and underground markets revealed the quest for financial gain in the criminal world is as strong as ever. In February, the topics have shifted a bit and the top conversation topics in these areas revolved around CVV and BIN. PayPal was still a popular topic in February; however, its share of the conversations dropped. Cryptocurrency also dropped a bit as well as general carding conversations.

The graph below shows the sharp increase in underground conversations around CVV and BIN theft, sale, and information gathering.

In recent months, the bulk of the collaboration and illegal sales of stolen data were taking place on Special Access forums. In fact, January saw a near 10% increase in special access forum activity targeting the financial sector over December. That trend occurred for several months.

However, in February, BlueVoyant saw a shift with dark web markets taking the top spot for conversations of financially motivated cyber criminals.

Below are the most active criminal forums.

Dark web special access forums typically require some sort of clout in the criminal industry, or a sponsor to gain access. These forums typically require special permissions to interact. For the third month in a row, CardVilla Forum is the top special access forum for financially related discussions. Card Villa advertises itself as the best darknet carding forums. They offer “free dumps” and “free CVV statistics.” The site currently has over 200k members. At the time of this writing, the site is reported to receive nearly 1K unique visitors each day.

Underground forums do not necessarily require special permission and can typically be accessed by anyone. Some forum sections may be unavailable to general users; however, in general, anyone can post, reply, purchase, and sell on these forums.

The top underground forum for the month of February was “Carding Forum”. The site currently hosts over 150K users with nearly 4K unique visitors daily. The site not only offers products such as “dumps” and “fullz,” but also offers training and help for individuals interested in getting involved in this criminal enterprise.

Dark web marketplaces exist for cyber criminals to sell compromised credentials and access. These sites often sell various payment account details and credit card information along with any other data deemed valuable. Some are automated while others are heavily moderated.

Joker’s Stash maintained its dominance in the market in February and once again holds the top spot in dark web marketplaces for the month. As stated in previous reports, Joker’s Stash is a notorious marketplace, primarily English speaking, which initially focused on carding activities. The site has since beefed up operations and infrastructure to support its increasing number of supporting members and products available. The site now offers a variety of Personally Identifiable Information (PII) including social security numbers and other data that could be used in a multitude of attack vectors. Investigation into the infrastructure of Joker’s Stash revealed the team behind the site is currently operating on over 500 domains and over 50 servers.