623M credit card data leaked from darknet marketplace
Swarmshop, a cyber card shop, was recently compromised by hackers who managed to extract user data relating to stolen credit/debit cards and then release it on the Internet.
This was reported by the Group-IB researchers – according to them, the extracted data was leaked on another cyber-underground forum that rivals Swarmshop.
Card shops such as Swarmshop are cybercrime sites where criminals can upload and sell stolen details about user payment cards. According to the Group-IB report, the data extracted from Swarmshop contains the records of 623,036 cards registered in the U.S., the U.K., Canada, Mexico, China, Brazil, and Saudi Arabia. Approximately 63% of the stolen payment card information is from the U.S.
In addition, the researchers have found that the compromised database also contained details from 498 online banking accounts and from 69,592 Canadian Social Insurance Numbers and U.S. Social Security Numbers.
Lastly, the leaked database also contained information about 12,344 card shop admin accounts. This data includes passwords, usernames, balances, contact info, sales records, etc.
The timestamps of the latest user activity suggest that the leaked data is recent, according to the Group-IB researchers. They note that cybercriminals targeting other cybercriminals isn’t a new practice, and it is an effective way of acquiring valuable new information and hacking tools. Furthermore, this isn’t the first similar breach of Swarmshop, showing that hackers, too, like everyone else, face difficulties with cybersecurity.
Information about the Swarmshop hit
The Swarmshop payment card shop is a Russian-language, mid-sized hacker forum that has been around since April 2019, or earlier. The researchers point out that the size of this cybercriminal forum has increased by nearly 250% since the start of 2020. Within the last month alone, the volume of illegally traded records on the site has gone from 485,617 to 623,036.
The collective amount of money contained within the accounts available on Swarmshop during March, the month when the forum got compromised, was $18,145.73.
The researchers explain that the users of payment card forums such as Swarmshop rarely keep a lot of money in their profiles. It is highly likely that the actual profit of the shop owners is much greater than what it may seem from the currently available data.
Currently, it is unknown where the breach came from, but apparently two users of the forum have tried to attack the site with a malware script that was supposed to exploit any potential weaknesses in the contact details field. Whether those breaching attempts were successful and are the ones that led to the data leak, however, remains unclear.
In January last year, there was a similar attempt to breach the database of Swarmshop, when an unknown actor claimed that they were selling user info acquired from the hacker forum, accompanying their post with a screencap of Swarmshop’s admin interface. It is not known whether the current breach was performed by the same actor/actors.
The research team of Group-IB suspects that the attack must have been a type of “revenge hack” intended to fully take out Swarmshop. Since all sellers on the hacking forum have lost all data they could potentially sell, it is highly unlikely that Swarmshop would recover from that hit.
This idea is supported by the Netenrich CISO, Chris Morales, who comments that whether a business is legal or not, it would still be faced with the same obstacles, including competition that tries to take it out. According to him, the goal of this hit is probably not only profit but also revenge or possibly even glory within the hacking community.