“Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities.
BlueVoyant’s research into the dark web and underground markets revealed that the quest for criminal financial gain is as strong as ever. In April, the topics remained fairly consistent with March, with only a few minor shifts. PayPal fraud regained the top spot as a topic of conversation during the month of April.
In the month of April, the bulk of collaboration and illegal sale and trade of stolen financial data once again took place on dark web markets. This trend started in February, expanding by 15% in March and yet another 11% in April. This trend is likely due to large quantities of breached data available on dark web markets, and threat actors extending their campaigns during the COVID-19 pandemic.
Dark web special access forums typically require some sort of clout in the criminal industry, or a sponsor, to gain access. These forums typically require special permissions to interact. Continuing its reign, CardVilla Forum is the top special access forum for financially related discussions for the month of March.
Card Villa advertises itself as the best darknet carding forum. They offer “free dumps” and “free CVV statistics.” The site currently has over 200k members. The site is reported to receive nearly 1k unique visitors each day.
Underground forums do not necessarily require special permission and can typically be accessed by anyone. Some forum sections may be unavailable to general users; however, in general, anyone can post, reply, purchase, and sell on these forums.
The top underground forum during the month of April was “PRTship Carding forum.” The site is primarily English-speaking and boasts over 100K members with nearly 150K posts as of this report. The site sells all things related to carding and PII for the purpose of fraud. Posts on other popular forums indicate that there may be no honor among the thieves present on the site. Several have indicated they have been “scammed” while trying to conduct transactions on the forum.
Dark web marketplaces exist for cyber criminals to sell compromised credentials and access. These sites often sell various payment account details and credit card information along with any other data deemed valuable. Some are automated while others are heavily moderated.
The top spot for April was once again Slilpp Market. Slilpp has always been a popular forum and has shared the top spot with Joker’s Stash as recently as November 2019. Since March, the two sites have almost completely flip-flopped from previous months with Slilpp taking the lion’s share.
Slilpp Market is a Russian- and English-speaking forum. The market is full of compromised credentials for various financial organizations and credit cards from a multitude of vendors. The market operates two sites, one on the surface web and one on the dark web.