red 
The Federal Bureau of Investigation (FBI) has announced the seizure of SSNDOB – one of the most popular online sellers of stolen ID information. According to the seizure notice, the SSNDOB processed over $19 million worth of sales using cryptoassets.
Notice of seizureThe US Department of Justice alleged that the service sold the illegally obtained personal information of 24 million victims – including names, dates of birth and Social Security numbers. The seizure was carried out on June 7 in cooperation with the authorities from Latvia and Cyprus.
Criminals – sometimes called “card skimmers” – typically obtain personal or credit card information by hacking into online databases or by “skimming” payment cards with malware at point-of-sale terminals.
These are then sold on illegal sites like SSNDOB for as little as $3. Customers can use these stolen credentials to fake their identity or buy goods or services using someone else’s money.
The seizure marks a further blow to the already burdened market for stolen data on the dark web. Starting from the apparent “retirement” of market leader UniCC in January 2022, sellers representing three-fifths ($1 billion) of the market have since closed, gone bankrupt or been seized by authorities.
Websites associated with SSNDOB now display a seizure notice.
Elliptical analysis: a troubled criminal enterprise struggling to survive
The stolen data market was once a lucrative criminal industry, with sellers making at least $1.6 billion in Bitcoin since 2013. Credit cards, stolen IDs, fake passports, compromised login credentials, and privacy browsing solutions were openly sold on forums , Telegram channels and dark web markets.
So where did it all go wrong for this dreaded billion dollar criminal market?
Between January 12 and February 9, 2022, several prominent carding sites – including the top five by bitcoin revenue – were either seized or disappeared.
Some such as C2Bit and All World Cards have shut down and disappeared with customers’ money – also known as “exit fraud” – after Russia’s Federal Security Service (FSB) likely scared them off with seizures and arrests. Another prominent marketplace called BriansClub temporarily disappeared, but returned shortly thereafter without any explanation. Russia’s FSB reportedly seized another 90 lesser-known supplier locations in March.
In December 2021 – just one month before visible shutdowns began – closed or seized sites controlled over 85% of the trade in stolen data. As one Twitter user described it, their departure was seen by some as “the probable death of the carding scene”. Hydra – formerly the Dark Web’s leading marketplace with more than $5.1 billion in Bitcoin sales processed – also sold stolen data to German authorities seized it in April.
The remaining stolen forums and vendor websites are gripped by a noticeable level of paranoia as seizures and shutdowns continue. Bitcoin payments for stolen data have more than halved since November 2021 – it was $19.3 million (down from over $43 million) in March 2022.
The void created by the departure of key players has motivated an increase in the number of new, low-quality entrants who want to take their places. Some used increasingly catchy names and marketing tactics.
One new store – BidenCash – has adopted the tactic of the now-confiscated Trump’s Dumps carding shop to use the likeness of a sitting US president for its branding. It has since become an “official sponsor” of the widely used illegal card forum.
BidenCash entered the market in April 2022.
However, new entrants have so far largely struggled to gain a loyal customer base – most likely due to a significant loss of trust from remaining customers. The chatter on the data-stolen forums makes this sentiment all too clear; Consumers are quick to label new sellers as ‘scam’ and suspect foul play as soon as their deposit arrives moments too late.
Forums are also full of complaints about the poor quality of sales data – an increasing number of outages are “dead” (ie canceled and unusable). And the global economic crisis also did not bypass this market. Indeed, one site that typically sold batches of personal IDs for around $20 in December is now charging $36 for the same product.
The sentiment around this illegal criminal market – along with the continued departure or seizure of prominent sellers – indicates that this once fearsome enterprise is a far cry from what it once was. Recent trends and the latest seizure notice underscore that the stolen data company’s return to its former lucrative days remains a distant prospect as its fight for survival continues.
How we can help
Elliptic’s internal research team continues to actively monitor illicit activity on the dark web and flag newly discovered illegal services in its tools. In particular, the rise of exit scams and subsequent attempts to launder illegal earnings by sellers of stolen data who leave, pose a risk to services dealing with cryptoassets.
Virtual asset service providers can use Elliptic’s wallet review and transaction monitoring solutions to manage their exposure to illicit funds generated by these entities. See our 2022 typologies report for the latest money laundering trends or contact us for a demo.
