600,000 Payment Cards Stolen From Swarmshop Darknet MarketGroup-IB: Administrator, Seller and Buyer Data Also Stolen
For the second time in two years, the contents of the darknet payment card marketplace Swarmshop have been removed and posted to a competing underground forum, Group-IB reports. The content includes data on more than 600,000 payment cards as well as administrator, seller and buyer information.
Group-IB suspects the theft was conducted by some of Swarmshop's users.
"Although the source remains unknown, it must be one of those revenge hacks cases," Group-IB says in a report issued Thursday. "This is a major reputation hit for the illicit card shop as all the sellers lost their goods and personal data. The card shop is unlikely to restore its status."
The researchers point to two pieces of evidence that indicate revenge was the motivation. In the first attack that took place in January 2020, the individual said he wanted to sell the data in order to destroy Swarmshop. In the March 2021, case the information was provided for free.
Two Swarmshop users attempted to inject a malicious script searching for website vulnerabilities in the contact information field, Group-IB says, pointing out that it's not clear if this was related to the data theft.
The stolen content contained more than 12,000 records belonging to the card shop's administrators, sellers and buyers, including their nicknames, hashed passwords, contact details, history of activity and current balance, Group-IB says.
Also stolen was data for 623,000 payment cards issued in the U.S., Canada, U.K., China, Singapore, France, Brazil, Saudi Arabia and Mexico; about 500 sets of online banking account credentials; and more than 69,000 U.S. Social Security numbers and Canadian Social Insurance numbers, the report says.
Group-IB has notified the national CERTS in all affected countries.
The security firm characterizes Swarmshop as midsize marketplace that deals in stolen personal and payment records. The researchers believe it opened in April 2019, and as of March, it had about 12,000 marketplace traders who collectively had about $18,000 in their accounts for future payments.
Group-IB notes that in January 2020, about 485,000 Swarmshop records were stolen and then moved to the underground forum to be offered for sale. The thief posted a screenshot supposedly taken of Swarmshop's admin panel on the other forum's chat board.
"The Russian-speaking admins of the card shop never commented on this thread; their website, however, went down temporarily due to 'the transfer to the new server,'" Group-IB says.
In the 2020 incidents the attacker said in a post that he wanted to sell the data in order to destroy Swarmshop.
In March, a new Swarmshop marketplace member posted Swarmshop admin credentials that were stolen in 2020 on some of its forums. The Swarmshop admins claimed this information was old and the passwords had been changed.
"A week after the post, Swarmshop users were redirected to an under-maintenance page when trying to log in. At the same time, card shop users reported problems with their account balance," Group-IB says.
Group-IB's breakdown of the Swarmshop records exposed in the recent leak found records for four administrators, 90 sellers and 12,250 users who have purchased stolen data from the shop.
The researchers found 62% of the 623,000 payment card records came from U.S. banks, 14% from China, about 3% each from the U.K., Canada, and France and about 1% or less from Singapore, Brazil, Saudi Arabia and Mexico.
"In addition to stolen bank cards, the database revealed 498 sets of online banking account credentials and 68,995 sets of U.S. Social Security Numbers and 597 Canadian Social Insurance Numbers," the report says.
Underground Market Crackdown
Since the start of the year, law enforcement has been cracking down on darknet markets.
In January, Europol worked with other agencies to take down DarkMarket and arrest its operator. Europol estimates DarkMarket had more than 500,000 users and generated more than $170 million in revenue (see: Massive DarkMarket Underground Marketplace Taken Down).
Also in January, the administrator of Joker's Stash - believed to be the largest darknet seller of stolen credit cards - announced the carding site would close the following month. This decision came one month after the FBI and Interpol temporarily disrupted the market's operation (see: Joker's Stash Reportedly Shutting Down Operations).
Several competing payment card trading sites - including Brian's Club, Yale Lodge and Vclub - quickly moved to grab Joker's Stash's customer base.