A huge cache of user and administrator data from Swarmshop, a website for buying and selling stolen credit cards and bank details, was leaked onto a dark web forum different from the one used as a repository. The information comes from a report published on Thursday the 8th by the threat research firm Group-IB.
According to the company’s survey, 623,000 records of stolen cards were leaked, as well as administrator, seller and buyer information. Group-IB researchers found that 62% of this total came from US banks, 14% from China, about 3% each from the UK, Canada and France, and about 1% or less from Singapore, Brazil, Saudi Arabia and Mexico.
Group-IB suspects that the theft was carried out by some users of Swarmshop. “Although the source remains unknown, it must be one of those cases of revenge hacks,” the company said in the report. “This is a big blow to the reputation of illicit card stores, as all the sellers have lost their products and personal data. The card store is unlikely to regain its status.”
The researchers point to two pieces of evidence indicating that the motivation was revenge. In the first attack, in January 2020, an individual said he wanted to sell the data to destroy Swarmshop.
Two users of Swarmshop tried to inject a malicious script into the contact information field in search of website vulnerabilities, says Group-IB, pointing out that it is not clear whether this was related to the data theft.
The stolen content contained more than 12,000 records belonging to the card store’s administrators, sellers and buyers, including their nicknames, hashed passwords, contact details, activity history and current balance.
Group-IB notified the incident response centers (CERTs) in all affected countries.
The security company characterizes Swarmshop as a medium-sized market. Researchers believe it opened in April 2019 and, in March, had about 12,000 brokers who, together, had about $18,000 in their accounts for future payments.
Group-IB notes that in January 2020, about 485,000 Swarmshop records were stolen and then moved to the clandestine forum for sale. The thief posted a screenshot, allegedly taken from the Swarmshop admin panel, on the other dark web forum. “The managers of the Russian-speaking card shop have never commented on this; their website, however, temporarily fell due to the ‘transfer to the new server’,” says Group-IB.
In last year’s incident, the attacker said in a post that he wanted to sell the data to destroy Swarmshop. In March, a new member of Swarmshop posted site administrator credentials that were stolen on some of its forums. Swarmshop administrators claimed that this information was old and that passwords had been changed.
Group-IB’s analysis of the Swarmshop records exposed in the recent leak found records from four administrators, 90 vendors and 12,250 users who purchased stolen data from the store. “In addition to the stolen bank cards, the database revealed 498 sets of online bank account credentials and 68,995 sets of U.S. social security numbers and 597 Canadian social security numbers,” the report states.
Since the beginning of the year, law enforcement officials have been cracking down on darknet markets, that is, dark web stores. In January, Europol worked with other agencies to take down DarkMarket and arrest its operator. Europol estimates that DarkMarket had more than 500,000 users and generated more than $170 million in revenue.
Also in January, the administrator of Joker’s Stash, considered the biggest seller of stolen credit cards on the dark web, announced that the carding site would be closed the following month. This decision came a month after the FBI and Interpol temporarily halted the market’s operations. Several competing payment card trading sites, including Brian’s Club, Yale Lodge and Vclub, quickly won over the Joker’s Stash customer base.
See the original post at: https://www.cisoadvisor.com.br/vazamento-registros-de-cartoes-de-roubados-expoe-dados-de-brasileiros/?rand=59039