Inside The Dark Net Markets For Stolen Credit Cards

A new report shows the true breadth of these illegal "card shop" operations

Photo Illustration: Diana Quach
Apr 20, 2016 at 8:00 PM ET

Online criminal black markets are selling hacked credit card data—and a single site was in possession of over $400 million worth of stolen financial data obtained by a single cyber crime group. That’s according to a new report out Wednesday from cybersecurity companies FireEye and iSIGHT, which provides a look at the criminal underground where Americans’ financial and personal information goes to the highest bidder.

These so-called “card shops,” password-protected online marketplaces for hacked financial data, exist on the dark net, a hidden corner of the internet that’s unreachable using traditional search engines and requires specialized software such as Tor.

One card shop, unnamed by the report, advertised nearly 20 million stolen credit card numbers at once. With stolen U.S. credit card numbers going for roughly $21 apiece at the time, that would have been enough for vendors on that site alone to reap $400 million. However, because of a variety of factors, including the fact that the value of stolen credit card numbers depreciates very quickly over time, the numbers would likely have sold for much less.

Most of those card numbers, many of which belonged to Americans, were plundered from the massive corporate data breaches that occurred over the past few years. The report, titled Follow The Money, is focused on the activities of one cybercrime group, FIN6, since 2014 and does not detail the specific breaches or indiscriminate phishing campaigns from which the millions of card numbers originated. The teams of researchers examined activity on digital bazaars dating back to 2014, and found that the supply of stolen financial information is only outpaced by the demand.

“There are any number of card shop sites that are active at a given time,” John Miller, FireEye’s director of Threatscape Cybercrime, told Vocativ. “Very small shops might sell thousands of pieces of card data and large ones will sell millions, and often millions that are associated with just one breach.”

According to Miller, the shops allow their criminal customers to search for-sale credit card data based on specific banks, location and other factors. By using a card stolen from a New Yorker in New York City, the logic goes, a criminal is less likely to trip fraud alerts triggered when cards are used for atypical purposes, or far from the cardholder’s home. This kind of advanced search feature is just one example, researchers say, of criminal card shops responding to users’ concern about avoiding detection.

“The amount of collaboration between criminals is amazing,” said Etay Maor, senior fraud prevention strategist at IBM Security. “It’s people all over the world.”

Maximizing the return on investment in all that information seems to be the largest challenge for hackers. If hackers access 100 million card numbers as part of a retail breach, researchers say, they’ll rush as many numbers as possible to market, before victims or the hacked retailer learn of the breach and shut down affiliated accounts, rendering those card numbers useless.

“Cybercriminals are aware that once they make these cards available, the news will get out,” said Nart Villeneuve, principal threat intelligence analyst at FireEye. Card shops that don’t require an invitation or password to log on make it easier for criminals to rip each other off, often by selling the number to a card that’s already been canceled.  

Years of research show that dark net card shops are sophisticated criminal enterprises, often with roots in Eastern Europe. Many times, they have built e-crime businesses that look a lot like legal companies.

Credit card numbers are only a part of that. Often, other sellers on the same markets where credit cards are available advertise strains of malicious software, as well as updates and other services meant to ensure that malware, such as ransomware or computer viruses, keeps working when security features are updated to stop it. The corporate mentality is also on display when sellers of all kinds respond to customer reviews and complaints.

One of the busiest markets on the dark net is AlphaBay, a bustling forum where vendors sell everything from drugs and weapons to various strains of malicious software. Users need only create an account to peruse the illicit goods. The site, which launched in December 2014, ranks among the biggest online hubs of criminal activity. It’s managed to stay online despite the media attention surrounding its sale of possibly stolen Uber and TalkTalk account information. Credit card information is far more typical fare, with sellers advertising, for example, 10 MasterCard accounts for $10, in just one of thousands of similar listings.

AlphaBay, while busy, is a low-level site for stolen financial information, and one where fake accounts are frequently bought and sold.

As is common on the dark net, transactions are made in bitcoin, and store operators build up their reputation by allowing customers to submit positive and negative feedback. AlphaBay sellers are rated on a vendor trust scale of one to 10, with established sellers generally responding quickly to customer complaints and shipping to customers all over the world.

“Great seller! As described and more,” wrote one satisfied customer who appears to have purchased stolen identification records and credit card information. “A terrific collection of useful things, from fraud to fun!”