Category Archives: Deep Web

BidenCash leaks 2.1M stolen credit/debit cards

The dark web carding site BidenCash recently leaked for free a collection of approximately 2 million stolen payment card numbers.

An archive containing 2.1 million stolen payment card numbers is available for free to commemorate the anniversary of the dark web carding site BidenCash.

The dump was released on February 28 through the Russian-speaking cybercrime forum XSS. The decision to release free samples aims at attracting new customers and gaining notoriety in the cybercrime ecosystem.

Flashpoint researchers who analyzed the collection reported that the text file leaked by BidenCash includes credit card numbers along with cardholders’ personally identifiable information (PII) (name, address) and financial data such as the full card number, expiration date, CVV code, and bank name.

The experts reported that about 70% of the cards have expiration dates in 2023, while 50% of the cards belong to US-based cardholders.

Researchers from threat intelligence firm Cyble who analyzed the leak, reported that it contains at least 740,858 credit cards, 811,676 debit cards, and 293 charge cards. The experts pointed out that the risk is higher for debit card holders than credit card holders, due to different fraud protection.

The following table reports the countries with the most leaked records:


Even if some of the payment cards are expired, threat actors can use the data to carry out multiple attacks against the victims, including spear-phishing attacks and financial scams.

“The presence of email addresses and full information (commonly referred to as “Fullz” by cybercriminals) will make the victims of this leak vulnerable to other attacks, such as phishing, identity theft, and scams, long past the expiration of their card details.” states Cyble.

In October 2022, the operators behind the popular dark web carding market ‘BidenCash’ released a dump of 1,221,551 credit cards to promote their underground payment card shop.

Underground carding marketplaces are crucial components of the cybercrime ecosystem; they facilitate the sale and purchase of payment card data. One of the most popular carding sites was Joker’s Stash; its operators retired in February 2021, shut down their servers and destroyed the backups.

According to Forbes, the administrator amassed a billion dollars’ worth of Bitcoin through this activity.

After the retirement, other carding websites such as ‘Ferum Shop’, ‘UAS’, and ‘Trump Dump’ gained popularity in the underground marketplace.

“Since that time, we saw a rise in the emergence of several new debit and credit card shops to fulfill the illicit demand for compromised payment cards.” continues Cyble.

‘BidenCash’ was launched in April 2022 and was considered a low-profile credit card shop. The ability of its operators to periodically release fresh dumps and promotional lots for free rapidly increased its popularity.

In June 2022, BidenCash released data for over 7.9 million payment cards, dating from 2019 to 2022, on a cybercrime forum. However, the dump only contained 6,581 records exposing credit card numbers.

Banking institutions should monitor the dark web for the offering of credit/debit cards to prevent fraudulent activities.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, BidenCash)

Threat actors claim access to Telegram servers through insiders

Researchers reported that a threat actor claims to provide access to internal servers at Telegram for $20,000.

SafetyDetectives reported that a member of a dark web marketplace is claiming to provide access to internal servers at Telegram for $20,000.

The seller claims that the access is permanent because it is provided by insiders who are staff members of the company.

“The SafetyDetectives research claims that access to the market is not possible via the surface web (or clear web).” reported the website GBHacker. “It provides counterfeit electronics, money, drugs, illegal software, stolen databases, cracking tools, counterfeit weapons, and carding data dumps.”

Source GBhackers

The seller pointed out that they aren’t offering stolen accounts or channels, nor are they providing remote access.

The seller started offering the access with an ad that was posted on the dark web marketplace on November 16th, 2022.

Below is the ad, as reported by the experts:

“Accessing telegram servers. I have access to the Telegram servers through my employees. I can get any information for you!
Do not write if you are financially unable to pay!
Hacking telegram is not possible! All information is taken from servers!
Timing 2-4 days!”

The seller also offers an archive containing the correspondence for a period of six months.

At this time it is not possible to determine the authenticity of the claims; however, the alleged presence of insiders represents a serious threat to the company that is hard to eradicate.



Pierluigi Paganini

(SecurityAffairs – hacking, Telegram)


Resecurity Released a Status Report on Drug Trafficking in the Dark Web (2022-2023)

Cybersecurity firm Resecurity published report on drug trafficking marketplaces currently operating in the Dark Web

Resecurity, a Los Angeles-based cybersecurity and risk management provider, has released an eye-opening report on drug trafficking marketplaces currently operating in the Dark Web. The report highlights a rapidly growing shadow economy and new communication methods, such as proprietary Android-based mobile apps developed by criminals that allow them to migrate away from traditional communication channels.

According to experts, following the takedown of the Hydra Marketplace by Germany’s Federal Criminal Police Office in a joint operation with the FBI, DEA, IRS Criminal Investigations, and Homeland Security Investigations (HSI) in April 2022, at least 10 darknet markets (DNMs) have risen to fill the regional void for drugs and other illicit goods.

Resecurity outlined a new marketplace called “Kraken”, which emerged right at the start of 2023 following the Christmas holidays and was designed in Hydra’s best tradition. Launched by the WayAWay Market founders, it has already accumulated over 1,720 reputable sellers and shops selling illicit goods.

At the end of 2022, major Dark Web drug markets were worth an estimated $315 million annually, according to the United Nations Office on Drugs and Crime (UNODC). Resecurity estimates this figure to be significantly higher: according to its 2023 estimate, annual sales of illegal drugs on the Dark Web exceeded $470 million in 2022, a result of increased geopolitical tensions, global pandemics, and the unprecedented growth of the international shadow economy.

The Resecurity® Hunter unit performed an extensive analysis of current trends and dynamics related to the underground economy around active DNMs leveraging technical means and human intelligence (HUMINT) sources. The research aims to provide awareness for international law enforcement, cybercrime investigators and intelligence professionals.

Based on the details provided in the released report, over the summer of 2022 most pop-up markets on the dark web were primarily fighting for brand recognition, much like a ‘cyber-90s’ type of environment. Resecurity detailed the increasing tensions between different influence groups behind illegal marketplaces in the Dark Web: attacking each other, performing DDoS attacks and trying to abuse the reputation of competitors to capture a bigger market share.

Notably, a dominating number of actors moved from the now closed Hydra to new marketplaces and have started leveraging alternative digital channels: customized mobile apps and Instant Messengers (IM) including Telegram. Some channels have been identified by Resecurity; they are oriented towards English / German speaking audiences. The ecosystem of drug sales on the Dark Web poses threats internationally; several epicenters primarily concentrated in Eurasia and Central Asia and actively used for drug trafficking are outlined in the report.

Resecurity has identified multiple drug shops on the Dark Web providing customers with customized Android-based mobiles with pre-installed apps used for purchases and secure communications, as well as for sending instructions to couriers. This trend reflects increasing OPSEC measures by threat actors and a visible shift from traditional communication channels and apps to proprietary ones (developed by other actors operating in the Dark Web). These mobile apps are actively used by criminals to facilitate purchases, transactions and logistics, and to chat with their customers. Such interactions could be used to discuss physical drop-off points with specific instructions, for example: the physical drop location with GPS coordinates, how deep the package is buried at that location, and possibly a photo of the location to help the buyer pinpoint the exact spot.

As the illicit trade of drugs continues to flourish in the dark web, it has become very clear illegal narcotics are not the only substances booming in Q1 of 2023. Resecurity noticed a sharp increase in demand for prescription pharmaceuticals. Such pharmaceuticals include Adderall, Atomoxetine, Mersyndol Forte Codeine, Morphine Zomorph Ethypharm, Oxycontin, and many others that are readily available on DNMs. Aside from prescription pharmaceuticals used to treat conditions such as extreme pain, anxiety, ADHD, Insomnia and many other ailments, male performance drugs such as Viagra, Cialis, and Kamagra Oral Jelly are also seeing a spike in popularity.

With counterfeit prescription pharmaceuticals flooding the dark web, the damage to both people and the legitimate pharmaceutical companies is becoming ever clearer.

Counterfeit prescription drugs can be difficult to spot, as they are often made to look like the real thing. They may have fake labels, packaging, and even holograms, making them indistinguishable from legitimate medications. In some cases, the drugs may contain only a small amount of the active ingredient, or none at all, meaning they are ineffective at best and potentially dangerous at worst. The consequences of taking counterfeit prescription drugs can be serious and even life-threatening. These drugs may contain toxic or unregulated ingredients that can cause serious side effects, including organ damage, heart attack, stroke, and even death. In addition, taking these drugs may delay or prevent proper treatment for the underlying medical condition, leading to further complications.

The best way to protect yourself from counterfeit prescription drugs is to only buy medications from reputable sources. This includes licensed pharmacies, either in person or online, that require a prescription from a licensed healthcare provider. It is also important to be aware of any red flags that may indicate a fake or unlicensed pharmacy, such as offers of prescription drugs without a prescription, extremely low prices, or unprofessional websites. Counterfeit prescription drugs sold on the dark web pose a serious threat to public health. These drugs may be ineffective or contain harmful ingredients and can have potentially deadly consequences for those who take them. To protect yourself and your loved ones, it is important to only buy medications from reputable sources and be aware of any red flags that may indicate a fake or unlicensed pharmacy.

Resecurity forecasts an active growth curve in the Dark Web ecosystem centered around illegal drugs and counterfeit pharmaceuticals in light of post-pandemic conditions and complicated geopolitical agendas preventing operational cooperation between law enforcement agencies. Resecurity provides specialized intelligence products for law enforcement which help track underground activity, and highlights the need to build advanced tactics against threats originating from the Dark Web.

The complete report is available on the Resecurity website.



Pierluigi Paganini

(SecurityAffairs – hacking, Drug Trafficking)


Zombinder APK binding service used in multiple malware attacks

Zombinder is a third-party service on darknet used to embed malicious payloads in legitimate Android applications.

While investigating a new malware campaign targeting Android and Windows systems, researchers at Threat Fabric discovered a darknet service, dubbed Zombinder, used to embed malicious payloads in legitimate Android apps.

The campaign involved the Ermac Android banking Trojan along with desktop malware such as Erbium, Aurora stealer, and the Laplas “clipper”.

This campaign infected thousands of systems; experts reported that the Erbium stealer successfully exfiltrated data from more than 1300 victims.

While investigating Ermac’s activity, the experts spotted an interesting campaign masquerading as an application for Wi-Fi authorization. The tainted apps were distributed through a bogus website containing a single page with only two buttons. Clicking on the “Download for Android” button leads to downloading the Ermac malware.

The Ermac variant employed in the attack has the following capabilities:

  • Overlay attack to steal PII
  • Keylogging
  • Stealing e-mails from Gmail application
  • Stealing 2FA codes
  • Stealing seed phrases from several cryptocurrency wallets

Experts also observed threat actors disguising malicious apps as browser updates.

“However, another detail drew our attention: some of the downloaded apps were not directly Ermac, but a “legitimate” app that, during its normal operation, installed Ermac as payload targeting multiple banking applications” reads the analysis published by Threat Fabric. “Such apps disguised as modified version of Instagram, WiFi Auto Authenticator, Football Live Streaming, etc. The package names were also the same as for legitimate applications.”

The experts discovered that the malicious apps were created with the Zombinder APK binding service, which has been advertised on the dark web since March 2022.

According to the experts, the binding service is part of a wider project, an obfuscation tool that is used by multiple threat actors.

The latest campaign analyzed by the researchers that involved the Zombinder service was distributing the Xenomorph banking trojan masquerading as the VidMate application.

“Modern threat landscape becomes more and more sophisticated where actors combine multiple approaches in malware development, distribution, operation as well as in performing fraud itself involving multiple tactics at the same time.” concludes the report. “New tools appear to make malware less suspicious or more trustworthy for victim which results in more successful fraud cases. Moreover, targeting multiple platforms, actors are able to reach wider “audience” and steal more PII to utilize in further fraud.”



Pierluigi Paganini

(SecurityAffairs – hacking, Zombinder)


Exclusive: The largest mobile malware marketplace identified by Resecurity in the Dark Web

Resecurity has identified a new underground marketplace in the Dark Web oriented towards mobile malware developers and operators.

“In the Box” dark web marketplace is leveraged by cybercriminals to attack over 300 financial institutions (FIs), payment systems, social media and online-retailers in 43 countries

Resecurity, the California-based cybersecurity company protecting major Fortune 500 companies, has identified a new underground marketplace in the Dark Web oriented towards mobile malware developers and operators. The marketplace is known as “InTheBox” and has been available to cybercriminals in the TOR network since at least the start of May 2020; since then it has transformed from a cybercriminal service operating privately into the largest marketplace known today for its sheer number of unique tools and so-called WEB-injects offered for sale.

Such malicious scenarios are purposely developed by fraudsters and used for online-banking theft and financial fraud. Web-injects are integrated into mobile malware to intercept banking, payment system, social media and email provider credentials, but it doesn’t end there: these malicious tools also collect other sensitive information such as credit card information, address details, phone numbers and other PII. This trend comes from the “Man in The Browser” (MiTB) attacks and WEB-injects designed for traditional PC-based malware such as Zeus, Gozi and SpyEye. Later, cybercriminals successfully applied the same approach to mobile devices, because modern digital payments are extremely interconnected when it comes to mobile applications used by consumers.

According to the experts from Resecurity, the identified “In The Box” marketplace may now proudly be called the largest and most significant catalyst for banking theft and fraud involving mobile devices. The significance of findings is highlighted by the quality, quantity and spectrum of the available malicious arsenal. Currently, cybercriminals are offering over 1,849 malicious scenarios for sale, designed for major financial institutions, ecommerce, payment systems, online retailers, and social media companies from over 45 countries including the U.S, the U.K, Canada, Brazil, Colombia, Mexico, Saudi Arabia, Bahrain, Turkey, and Singapore. The supported organizations targeted by cybercriminals include Amazon, PayPal, Citi, Bank of America, Wells Fargo, DBS Bank, etc. During November 2022 the actor arranged a significant update of close to 144 injects and improved their visual design.

The operators behind the “IntheBox” marketplace are closely connected to developers of major mobile malware families including Alien, Cerberus, Ermac, Hydra, Octopus (aka “Octo”), Poison, and MetaDroid. Cybercriminals rent mobile malware for a subscription-based fee ranging from $2,500 – $7,000 and in some cases task underground vendors to develop purposely designed injects for particular services or applications to ensure successful credential theft on mobile devices. Such malicious scenarios are designed identically to their legitimate counterpart applications but contain fake forms which intercept the logins and passwords of the victim. In addition to that, the mobile malware enables criminals to intercept 2FA codes sent via SMS by the bank or to redirect an incoming call containing verification details. As the years pass, the malware market for mobile banking has become extremely mature, and most Dark Web actors have stopped selling it; they have switched over to renting it or to using it privately.

Every year, the number of mobile-oriented malware families increases exponentially. According to independent studies, almost 1 in 5 users of mobile devices may be compromised with mobile malware. The bad actors leverage smart tactics to bypass anti-fraud filters and conduct banking theft, confirming all verification codes without looking suspicious, using amounts above limits and sending them in parts. The amount of typical banking theft varies between $5,000 – $15,000 per consumer and $50,000 – $250,000 per enterprise depending on the size and business activity. In total, the loss from fraud exceeded 5.6 billion USD in 2022. In combination with other types of fraud such as business email compromise, money laundering and investment scams, this creates a huge shadow economy with trillions of dollars circulating in the underground.

“The cybercriminals are focusing on mobile devices more than ever, because modern digital payments are impossible without them. Successful disruption of mobile malware networks and associated cybercriminal services is crucial for protecting financial institutions and consumers around the world” – said Christian Lees, Chief Technology Officer (CTO) of Resecurity. “With the rapid growth of fraudulent activity in our post-pandemic world, bad actors continue to upgrade their tooling arsenal to attack customers of major financial institutions (FIs), e-commerce platforms and online marketplaces allowing them to benefit from the upcoming Christmas and New Year’s holidays. According to collected statistics in Q4 2022 by Resecurity®, Digital Forensics & Incident Response (DFIR) engagements conducted on Fortune 500 companies from multiple regions including North America, APAC, LATAM and Middle East & North Africa (MENA). Cybercriminals are especially successful when attacking mobile devices and leveraging gained access for further unauthorized access and financial theft.” – he added. 

The catalyst behind mobile banking malware distribution was uncovered by Resecurity’s HUNTER unit, who investigate cybercrime activities by hunting the actors behind it in close collaboration with international law enforcement agencies and industry partners. 

The intelligence behind the architecture, ecosystem, profiles of actors and acquired malicious scenarios have been shared with FS-ISAC and Google Security Team so the defenders can develop signatures and tactics to properly protect mobile users. The majority of mobile malware supported by “InTheBox” is oriented towards devices using Google Android, that’s why proactive intelligence sharing with the Google Security Team will facilitate enhanced consumer protection, saving millions of USD in light of the upcoming Christmas and Winter Holidays, known as the peak of fraudulent activity because of the increase in online transactions and payments.



Pierluigi Paganini

(SecurityAffairs – hacking, Dark Web)


Threat actors are offering access to corporate networks via unauthorized Fortinet VPN access

Cyble observed Initial Access Brokers (IABs) offering access to enterprise networks compromised via a critical flaw in Fortinet products.

Researchers at Cyble have observed initial access brokers (IABs) selling access to enterprise networks likely compromised via a recently patched critical flaw, tracked as CVE-2022-40684, in Fortinet products.

In early October, Fortinet addressed the critical authentication bypass flaw, tracked as CVE-2022-40684, that impacted FortiGate firewalls and FortiProxy web proxies.

The company explained that an attacker can exploit the vulnerability to log into vulnerable devices.

“An authentication bypass using an alternate path or channel [CWE-88] in FortiOS and FortiProxy may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests,” reads the customer support bulletin issued by the company.

The company urged customers to address this critical vulnerability immediately due to the risk of remote exploitation of the flaw.

The vulnerability impacts FortiOS versions from 7.0.0 to 7.0.6 and from 7.2.0 to 7.2.1, and FortiProxy versions from 7.0.0 to 7.0.6 and 7.2.0.

The cybersecurity firm addressed the flaw with the release of FortiOS/FortiProxy versions 7.0.7 or 7.2.2.

The company also provides a workaround for those who can’t immediately deploy security updates.

Customers that are not able to upgrade their systems should restrict access to their devices to a specific set of IP addresses.

On October 18, Fortinet confirmed the critical authentication bypass vulnerability is being exploited in the wild.

“Fortinet is aware of an instance where this vulnerability was exploited, and recommends immediately validating your systems against the following indicator of compromise in the device’s logs: user=”Local_Process_Access”” continues the advisory.

Proof-of-concept (PoC) exploit code for the CVE-2022-40684 flaw has been released online. The public availability of the PoC exploit code can fuel a wave of attacks targeting Fortinet devices.

In October, the Shadowserver Foundation reported that more than 17K Fortinet devices exposed online were vulnerable to attacks exploiting the CVE-2022-40684 flaw, most of them in Germany and in the US.

Now Cyble researchers reported more than 100,000 FortiGate firewalls accessible from the internet that may be targeted by threat actors if not patched yet.
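The two defensive checks the article describes, the affected-version ranges and the `user="Local_Process_Access"` log indicator from the Fortinet bulletin, combined into a small triage script. This is an added example, not code from Fortinet, Cyble or the original post; the log lines are constructed and only imitate the FortiOS key=value event-log layout.

```python
"""CVE-2022-40684 triage helper: version check plus log indicator scan.

Added example, not code from Fortinet, Cyble or the article. It encodes the
affected FortiOS/FortiProxy ranges, the fixed releases and the log indicator
quoted in the text; the sample log lines are constructed for illustration.
"""
import re

# Affected ranges as reported (inclusive), keyed by product.
AFFECTED = {
    "FortiOS": [((7, 0, 0), (7, 0, 6)), ((7, 2, 0), (7, 2, 1))],
    "FortiProxy": [((7, 0, 0), (7, 0, 6)), ((7, 2, 0), (7, 2, 0))],
}
FIXED_RELEASES = ("7.0.7", "7.2.2")

# Indicator from the Fortinet bulletin: this user name in admin-interface
# logs should be validated, since it denotes an internal process, not an admin.
IOC_USER = "Local_Process_Access"

# FortiOS logs are space-separated key=value pairs; values may be quoted.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_version(text):
    """Extract (major, minor, patch) from strings like 'v7.0.5,build0304'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(product, version):
    """True when the product version falls inside an affected range."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED[product])


def parse_fortios_log(line):
    """Turn one key=value log line into a dict with quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def find_ioc_hits(lines):
    """Return parsed records whose user field matches the published indicator."""
    hits = []
    for line in lines:
        rec = parse_fortios_log(line)
        if rec.get("user") == IOC_USER:
            hits.append(rec)
    return hits


def triage(product, version, lines):
    """Combine both checks into a summary a responder can act on."""
    vulnerable = is_vulnerable(product, version)
    hits = find_ioc_hits(lines)
    return {
        "product": product,
        "version": version,
        "vulnerable": vulnerable,
        "upgrade_to": FIXED_RELEASES if vulnerable else None,
        "ioc_hits": len(hits),
        # Source addresses of matching entries, for correlating with the
        # trusted-host allowlist recommended as the interim workaround.
        "ioc_sources": sorted({h.get("srcip", "?") for h in hits}),
    }


# Constructed sample lines; the field layout imitates FortiOS event logs.
SAMPLE_LOGS = [
    'date=2022-10-13 time=09:14:02 type="event" subtype="system" '
    'logdesc="Admin login successful" user="admin" srcip=10.0.0.5 '
    'action="login" status="success"',
    'date=2022-10-13 time=09:16:40 type="event" subtype="system" '
    'logdesc="Object attribute configured" user="Local_Process_Access" '
    'srcip=203.0.113.7 action="Edit" cfgpath="system.admin"',
    'date=2022-10-13 time=09:17:01 type="event" subtype="system" '
    'logdesc="Admin logout" user="admin" srcip=10.0.0.5 action="logout"',
]

if __name__ == "__main__":
    summary = triage("FortiOS", "v7.0.5,build0304", SAMPLE_LOGS)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Feed it the output of `get system status` for the version and an export of the device's event logs; a hit whose source address is outside the trusted-host allowlist is the case to escalate.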

Threat actors might exploit the vulnerability to perform malicious activities such as:

  • Modify the admin users’ SSH keys to enable the attacker to log in to the compromised system.
  • Add new local users.
  • Update networking configurations to reroute traffic.
  • Download the system configuration.
  • Initiate packet captures to capture other sensitive system information.
  • The sensitive system information, system configurations, and network details might be further distributed over the dark web.

“While during routine monitoring, researchers at Cyble observed a Threat Actor (TA) distributing multiple unauthorized Fortinet VPN access over one of the Russian cybercrime forums,” reads the analysis published by Cyble.

“While analyzing the access, it was found that the attacker was attempting to add their own public key to the admin user’s account. As per intelligence gathered from sources, the victim organizations were using outdated FortiOS. Hence, with high confidence, we conclude that the Threat Actor behind this sale exploited CVE-2022-40684.”

Cyble researchers observed that threat actors have been targeting Fortinet instances since October 17, 2022.

“The authentication bypass vulnerability in Fortinet products allows an unauthenticated attacker to perform operations on the administrative interface. With large numbers of exposed assets that belong to private-public entities exposed over the internet, the vulnerability falls under the critical category.” concludes the post. “Publicly distributed Proof of Concepts (POCs) and automation tools have made it more convenient for attackers to target victim organizations within a few days of the announcement of the new CVE.”



Pierluigi Paganini

(SecurityAffairs – hacking, Fortinet)


Experts investigate WhatsApp data leak: 500M user records for sale

Cybernews investigated a data sample available for sale containing up-to-date mobile phone numbers of nearly 500 million WhatsApp users.

Original post published by Cybernews:

On November 16, an actor posted an ad on a well-known hacking community forum, claiming they were selling a 2022 database of 487 million WhatsApp user mobile numbers.

The dataset allegedly contains WhatsApp user data from 84 countries. The threat actor claims there are over 32 million US user records included.

Another huge chunk of phone numbers belongs to the citizens of Egypt (45 million), Italy (35 million), Saudi Arabia (29 million), France (20 million), and Turkey (20 million).

The dataset for sale also allegedly has nearly 10 million Russian and over 11 million UK citizens’ phone numbers.

The threat actor told Cybernews they were selling the US dataset for $7,000, the UK – $2,500, and Germany – $2,000.

Such information is mostly used by attackers for smishing and vishing attacks, so we recommend users to remain wary of any calls from unknown numbers, unsolicited calls and messages.

WhatsApp is reported to have more than two billion monthly active users globally.

Upon request, the seller of WhatsApp’s database shared a sample of data with Cybernews researchers. There were 1097 UK and 817 US user numbers in the shared sample.

Cybernews investigated all the numbers included in the sample and managed to confirm that all of them are, in fact, WhatsApp users.

The seller did not specify how they obtained the database, suggesting they “used their strategy” to collect the data, and assured Cybernews all the numbers in the instance belong to active WhatsApp users.

Cybernews reached out to WhatsApp’s parent company, Meta, but received no immediate response. We will update the article as soon as we learn more.

The information on WhatsApp users could be obtained by harvesting information at scale, also known as scraping, which violates WhatsApp’s Terms of Service.

This claim is purely speculative. However, quite often, massive data dumps posted online turn out to be obtained by scraping.

Meta itself, long criticized for letting third parties scrape or collect user data, saw over 533 million user records leaked on a dark forum. The actor was sharing the dataset practically for free.

Days after a massive Facebook data leak made the headlines, an archive containing data purportedly scraped from 500 million LinkedIn profiles had been put for sale on a popular hacker forum.

Leaked phone numbers could be used for marketing purposes, phishing, impersonation, and fraud.

“In this age, we all leave a sizeable digital footprint – and tech giants like Meta should take all precautions and means to safeguard that data,” head of Cybernews research team Mantas Sasnauskas said. “We should ask whether an added clause of ‘scraping or platform abuse is not permitted in the Terms and Conditions’ is enough. Threat actors don’t care about those terms, so companies should take rigorous steps to mitigate threats and prevent platform abuse from a technical standpoint.”

If you want to know how to prevent data leaks, read the original post published by CyberNews.

About the author: Jurgita Lapienytė Chief Editor at CyberNews



Pierluigi Paganini

(SecurityAffairs – hacking, WhatsApp)


US DoJ seizes $3.36B Bitcoin from Silk Road hacker

The U.S. Department of Justice condemned James Zhong, a hacker who stole 50,000 bitcoins from the Silk Road dark net marketplace.

The US Department of Justice announced that a man from Georgia, James Zhong, has pleaded guilty to wire fraud after stealing more than 50,000 bitcoins from the Silk Road.

Zhong pled guilty to money laundering crimes; he exploited a flaw in the Silk Road that allowed him to withdraw more Bitcoin than he deposited on the dark web marketplace. The man funded nine fraudulent accounts with an initial deposit of 200 to 2,000 bitcoin and then triggered 140 withdrawal transactions in rapid succession.

“JAMES ZHONG pled guilty to committing wire fraud in September 2012 when he unlawfully obtained over 50,000 Bitcoin from the Silk Road dark web internet marketplace.  ZHONG pled guilty on Friday, November 4, 2022, before United States District Judge Paul G. Gardephe.” reads the press release published by DoJ. “On November 9, 2021, pursuant to a judicially authorized premises search warrant of ZHONG’s Gainesville, Georgia, house, law enforcement seized approximately 50,676.17851897 Bitcoin, then valued at over $3.36 billion.”  

The authorities seized the stolen funds in November 2021; at the time it was the biggest-ever seizure of cryptocurrency. The US authorities are seeking to forfeit, collectively, approximately 51,680.32473733 Bitcoin.

Law enforcement located 50,491.06251844 Bitcoin of the approximately 53,500 Bitcoin Crime Proceeds. The funds were stored in an underground floor safe and on a single-board computer hidden in Zhong’s house. The police also recovered $661,900 in cash, 25 Casascius coins (physical bitcoin) along with 11.1160005300044 additional Bitcoin, and four one-ounce silver-colored bars, three one-ounce gold-colored bars, four 10-ounce silver-colored bars, and one gold-colored coin.

In August 2017, Bitcoin split into two cryptocurrencies, traditional Bitcoin and Bitcoin Cash ("BCH").

Because Zhong still held the stolen Bitcoin at the time of the fork, he received roughly 50,000 Bitcoin Cash on top of it. He later exchanged that Bitcoin Cash for approximately 3,500 Bitcoin, bringing the crime proceeds to about 53,500 Bitcoin.

In March 2022, Zhong opted to surrender an additional 825.4 Bitcoins to the authorities, and in May 2022, he provided another 35.5 Bitcoin.

“James Zhong committed wire fraud over a decade ago when he stole approximately 50,000 Bitcoin from Silk Road.  For almost ten years, the whereabouts of this massive chunk of missing Bitcoin had ballooned into an over $3.3 billion mystery.  Thanks to state-of-the-art cryptocurrency tracing and good old-fashioned police work, law enforcement located and recovered this impressive cache of crime proceeds.” said U.S. Attorney Damian Williams. “This case shows that we won’t stop following the money, no matter how expertly hidden, even to a circuit board in the bottom of a popcorn tin.”

Zhong is scheduled to be sentenced on February 22, 2023, at 3:00 p.m.

“ZHONG, 32, of Gainesville, Georgia, and Athens, Georgia, pled guilty to one count of wire fraud, which carries a maximum sentence of 20 years in prison.” concludes DoJ.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

German BKA arrested the alleged operator of Deutschland im Deep Web darknet market

German police arrested a student that is suspected of being the administrator of ‘Deutschland im Deep Web’ (DiDW) darknet marketplace.

Germany's Federal Criminal Police Office (BKA) has arrested a 22-year-old student in Bavaria who is suspected of being the administrator of the 'Deutschland im Deep Web' (DiDW) darknet marketplace.

The darknet marketplace went offline earlier this year; it had more than 16,000 registered users, 72 of whom were active traders.

The Darknet marketplace was a crucial service for drug trafficking in the cybercrime underground for several years. 

“The arrest took place on Tuesday, October 25. As part of the police measures, two residential properties were also searched with the participation of a ZCB public prosecutor and numerous items of evidence, including computers , data carriers and mobile phones, were seized.” reads the press release published by BKA. “The measures carried out were preceded by months of undercover and technically demanding investigations in order to be able to identify and finally arrest the suspects who were acting anonymously on the dark web.”

The DiDW darknet marketplace first appeared on the threat landscape in 2013. In 2016, the perpetrator of the shooting spree in Munich claimed to have bought the murder weapon and ammunition on the platform. As a result, the BKA shut the marketplace down in 2017 and arrested its operator, who was sentenced to seven years in prison in 2018.

Since 2018, two new versions of the marketplace have been published under the name "Deutschland im Deep Web", on which drugs in particular were traded under the self-imposed motto "No control, everything allowed".

"The current criminal proceedings are directed against the operator of the third version of the Darknet platform. He is said to have administered it since November 2018. The accused is suspected of operating a criminal trading platform on the Internet in accordance with Section 127 of the Criminal Code." continues the announcement. "The law provides for a prison sentence of one to ten years."

This week, the British hacker Daniel Kaye (aka Bestbuy, Spdrman, Popopret, UserL0ser) (34) was charged by the U.S. DoJ for allegedly running the ‘The Real Deal’ dark web marketplace.

Pierluigi Paganini

British hacker arraigned for running The Real Deal dark web marketplace

A popular British hacker was charged by the U.S. authorities for allegedly running the ‘The Real Deal’ dark web marketplace.

The British hacker Daniel Kaye (aka Bestbuy, Spdrman, Popopret, UserL0ser) (34) was charged by the U.S. DoJ for allegedly running the ‘The Real Deal’ dark web marketplace.

The man was charged with access device fraud and money laundering conspiracy.

“Kaye allegedly operated The Real Deal, a Dark Web market for illicit items, including stolen account login credentials for U.S. government computers; stolen account login credentials for social media accounts and bank accounts; stolen credit card information; stolen personally identifiable information; illegal drugs; botnets; and computer hacking tools.” reads the press release published by DoJ. “The market was organized into categories, such as “Exploit Code,” “Counterfeits,” “Drugs,” “Fraud & More, “Government Data,” and “Weapons.””

The now-defunct Real Deal marketplace was used by crooks to sell and buy illegal goods and services, including narcotics, hacking tools and stolen login credentials.

According to the indictment, Kaye offered for sale on The Real Deal login credentials for U.S. government computers belonging to the U.S. Postal Service, the National Oceanic and Atmospheric Administration, the Centers for Disease Control and Prevention, the National Aeronautics and Space Administration, and the U.S. Navy. Together with other members of the group known as "thedarkoverlord," he also trafficked in stolen Social Security numbers. Kaye laundered cryptocurrency obtained from the illegal The Real Deal operation through the mixing service

“While living overseas, this defendant allegedly operated an illegal website that made hacking tools and login credentials available for purchase, including those for U.S. government agencies,” said U.S. Attorney Ryan K. Buchanan. “This case is a timely reminder, during National Cybersecurity Awareness Month, that federal law enforcement will make those accused of breaking U.S. laws face their day in court, regardless of where they reside in the world.”

Kaye also trafficked login credentials for Twitter and LinkedIn accounts. The man is suspected to have run The Real Deal marketplace between early 2015 and November 2016 when it was shut down.

Kaye made a name for himself as the developer and seller of the GovRAT malware, which his "customers" used to hack U.S. government agencies.

Kaye was arrested by U.K.’s National Crime Agency (NCA) in February 2017. In June 2017, Kaye pleaded guilty in court to hijacking more than 900,000 routers from the network of Deutsche Telekom.

The man used a custom version of the Mirai IoT malware.

On The Real Deal, Kaye offered the GovRAT source code, bundled with a code-signing digital certificate, for nearly 4.5 Bitcoin. A signed binary is far more likely to pass endpoint controls that trust signed code, which is why the certificate was part of the package.

The man was overseas when the indictment was filed; in September 2022 he consented to his extradition from Cyprus to the U.S.

Pierluigi Paganini