The Dark Web and Underground Markets – July 2020 Update

“Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities.

The graph above represents financially related topics. It is from a sample of 10,000 records from various forums and dark web markets throughout the month of June. It highlights the portion of those conversations that are related to a specific product or entity.

BlueVoyant’s research of the dark web and underground markets for the month of June shows PayPal is growing as the top topic of discussion. More than half of the postings relate to PayPal in some way. PayPal has also been added to popular tools and phishing kits. Reasons are many, including the amount of money transferred via PayPal, and the fact that PayPal accounts are almost always linked directly to financial organizations.

In the month of June, the bulk of collaboration and illegal sale and trade of stolen financial-related data once again took place on dark web markets. It expanded its popularity slightly over May. This trend started in February 2020, expanding by 15% in March and yet another 11% in April. This trend is likely due to large quantities of breached data available on dark web markets, and threat actors taking advantage of this data in an effort to extend their campaigns during the COVID-19 pandemic. Although June data shows only a slight increase for dark web markets and special access forums, overall, the trend is mostly unchanged from April.

Below are the top sites in the categories from the graph above.

Dark web special access forums typically require some sort of clout in the criminal sector, or a sponsor to access. These forums typically require special permissions to interact. Continuing it’s reign, the Carding Mafia Forum is the top special access forum for financially related discussions for the month of June. The Carding Mafia forum currently boasts over half a million members and has over 300K posts. The site includes card dumps, proxy servers, bank account dumps, PayPal accounts, tutorials, and more.

Underground forums do not necessarily require special permission and can typically be accessed by anyone. Some forum sections may be unavailable to general users; however, in general, anyone can post, reply, purchase, and sell on these forums. The top underground forum for the month of June was BlackHatWorld. The forum currently has over a million members with over 11M messages. The site offers a variety of services, tutorials, and other tools.

Dark web marketplaces exist for cyber criminals to sell compromised credentials and access. These sites often sell various payment account details and credit card information along with any other data deemed valuable. Some are automated while others are heavily moderated.

The top spot for June was once again Slilpp Market. Slilpp has always been a popular forum and has shared the top spot with Joker’s Stash as recently as November 2019; however, since March, the two sites have almost completely flip-flopped from previous months with Slilpp taking the lion’s share. Slilpp Market is a Russian- and English-speaking forum. The market is full of compromised credentials for various financial organizations and credit cards from a multitude of vendors. The market operates two sites, one on the surface web and one on the dark web.