How Threat Actors Use Underground Marketplaces
Intel471 blog article

Sep 22, 2022

Cybercrime is a profitable business. But exactly how lucrative is it? According to one recent report, Americans lost $6.9 billion to online scams in 2021, up from $3.5 billion in 2019. And the average annual ‘salary’ of criminal hackers ranges from $50,000 to more than $2 million. Considering that a hacker’s operating overhead is almost nil and the chances of prosecution and conviction are low, it’s easy to see why this is an attractive business model for some.

But where and how is all this underground commerce transacted? Increasingly, it takes place in dedicated cyber underground marketplaces.

What are the marketplaces?

Underground marketplaces operate like legitimate online marketplaces, such as Etsy or Facebook Marketplace, where vendors advertise their products and prices. Vendors earn most of their revenue from selling products, while marketplace owners take a commission on every sale.

So, if you are a consumer of nefarious products, dozens of sites make it easy for you to buy or rent bots and botnets, stolen passwords or compromised login credentials, malware, stolen financial and healthcare data, hacking tools, etc. Researchers report that two of the most active bot marketplaces in 2021 were Russian Market and Genesis. Russian Market was also the place to find the largest selection of login credentials.

How threat actors use underground marketplaces to buy and sell ‘bots’

Underground marketplace sellers typically obtain their wares via data breaches. They often use information stealer malware, aka ‘infostealers,’ to collect data from infected systems. This data can include usernames, passwords, payment card details, cryptocurrency wallets, etc. Infostealers covertly read the applications where such data is stored, most often a compromised web browser, and transmit what they harvest back to the criminal organization.

Underground marketplace customers place orders through the market’s website and get their orders fulfilled by sellers. Access methods differ between marketplaces. Some are reachable on the ‘surface web’. However, a number of underground marketplaces are only accessible through Tor or I2P, whose additional layers of encryption and routing make browsing and transactions hard to trace. Marketplace customers set up accounts and add funds to them, usually using cryptocurrency (Bitcoin and Monero being popular choices). Some marketplaces, such as Genesis, accept payment in USD. Once set up, users browse and buy, much like on any other marketplace.

Underground marketplaces have led to numerous security incidents in the past year

Intel 471 has identified numerous security incidents linked to marketplaces. The following examples demonstrate the scope and breadth of these criminal sites and their operators:

  • RussianMarket: The RussianMarket is a multifunctional venue trading a wide range of digital goods, from compromised remote desktop protocol (RDP) and secure shell (SSH) access credentials to PayPal accounts and payment card data. Active since at least 2014, the RussianMarket appears to be a successor of FlyDed, a popular marketplace of compromised hosts and dedicated servers. Registering an account on the RussianMarket has been free since 2019.

  • BriansClub: BriansClub is an underground store that has been active since 2015 and sells stolen payment card information, including payment card dumps and so-called CVV kits (packages of cardholder data containing card numbers, expiration dates, etc.). The store features compromised cards with high validity rates, meaning many cards have not yet been flagged or disabled, as well as compromised personally identifiable information (PII). BriansClub’s main page lists the latest news and recent additions to the shop’s inventory. The store has a built-in online payment processing system, and customers can receive up to a 15% discount based on their total deposits. The shop can be reached on both the regular web and via the Tor network.

  • CVV[.]ME: CVV[.]ME is a fully automated web-based service selling compromised payment card dumps and CVV kits. Active since at least 2014, the shop is operated by an underground Russian-speaking actor. The marketplace features an English-language interface, with some information duplicated in Russian. The service allows clients to register for free and to refill account balances automatically through one-time generated Bitcoin or Litecoin cryptocurrency wallets. Additionally, the marketplace’s compromised payment card data is allegedly verified with the Try2check validity checker.

  • Hydramarket: Hydramarket was an underground marketplace active from 2015 to April 2022. While most of its transactions were illegal drug sales, Hydra was also known for offering forged documents, credit card information, personal data, digital services and mixing services designed to launder cryptocurrency. It also provided exchange services that allowed clients to trade cryptocurrency for Russian rubles and, in some cases, even for bundles of physical cash buried in the ground as a dead drop. On April 5, 2022, German and U.S. federal law enforcement agencies announced the seizure of the website’s Germany-based servers and cryptocurrency assets. Before the closure, it was the longest-running underground marketplace, with 17 million registered customers.

The future of marketplaces

In the future, cyber underground marketplaces will likely continue to trade goods. Moreover, with surface web marketplaces such as Genesis continuing to operate in the clear, and therefore gaining exposure, they will have a continuous stream of customers interested in purchasing nefarious goods. History has shown that when global and local economies are in retreat, individuals can make cash by both buying and selling compromised assets.

To remedy and mitigate underground marketplaces, law enforcement action is required to cut off the stream of users reaching these websites on the clear web, leaving only those hosted on Tor or I2P accessible. That may be a big ask of authorities, who tend to be under-resourced in this space, but a focused law enforcement effort is needed to truly curb underground commerce.