The Dark Web and Underground Markets - May 2020 Update
“Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities.
BlueVoyant’s research of the dark web and underground markets revealed that the topics remained fairly consistent between February and March, with only a few minor shifts. PayPal regained some of its popularity, but CVVs were still on top. In the month of March, the bulk of collaboration and the illegal sale and trade of finance-related data once again took place on dark web markets. February’s trend expanded dramatically in March, by 15%. Below are the top sites in the categories from the graph above.

Dark web special access forums typically require some sort of clout in the criminal industry, or a sponsor. These forums ordinarily require special permissions to interact with. CardVilla Forum is the top special access forum for finance-related discussions for the month of March. Card Villa advertises itself as the best darknet carding forum. They offer “free dumps” and “free CVV statistics.” The site currently has over 200k members. At the time of this writing, the site is reported to receive nearly 1K unique visitors each day.

Underground forums do not necessarily require special permission and can typically be accessed by anyone. Some forum sections may be unavailable to general users; however, in general, anyone can post, reply, purchase, and sell on these forums. The top underground forum for the month of March was “Hack Forums.” The site is primarily made up of English-speaking users, with over 25% of traffic coming from the United States. As of this writing, the site has nearly 60 million posts and over 4.5 million users. Hack Forums is widely reported as associated with criminal activity.

Dark web marketplaces exist for cyber criminals to sell compromised credentials and access. These sites often sell various payment account details and credit card information along with any other data deemed valuable. Some are automated while others are heavily moderated. The top spot for March was Slilpp Market.
Slilpp has always been a popular forum and shared the top spot with Joker’s Stash as recently as November 2019; however, in the month of March, the two sites have almost completely flip-flopped with Slilpp taking the lion’s share. Slilpp Market is a Russian- and English-speaking forum. The market is full of compromised credentials for various financial organizations and credit cards from a multitude of vendors. The market operates two sites, one on the surface web and one on the dark web.