Russian authorities have arrested six men accused of operating some of the most active online bazaars for selling stolen payment card data. The crackdown, the second closure of major card fraud shops by Russian authorities in as many weeks, comes closely on the heels of Russia’s arrest of 14 alleged affiliates of the REvil ransomware gang, and has many in the cybercrime underground asking who might be next.
On February 7 and 8, the domains for the carding shops Trump’s Dumps, Ferum Shop, Sky-Fraud and FH were seized by Department K, a division of the Ministry of Internal Affairs of the Russian Federation that focuses on computer crimes. The carding shops’ websites were replaced with a message from Dept. K asking, “Which one is next?”
According to cyber intelligence analysts at Flashpoint, the same message was placed on the website of UniCC, another major and long-established carding shop that was seized by Department K in January.
Around the same time Trump’s Dumps and the other three shops began displaying the notice from Department K, the Russian state news agency TASS ran a story naming six Russian men who were being charged with “illegal circulation of means of payment.”
TASS reports that the six detained are Denis Pachevsky, general director of Saratovfilm Film Company LLC; Alexander Kovalev, an individual entrepreneur; Artem Bystrykh, an employee of Transtechcom LLC; Artem Zaitsev, an employee of Get-net LLC; and two unemployed men, Vladislav Gilev and Yaroslav Solovyov.
None of the stories about the arrests tie the men to the four carding sites. However, Flashpoint found that all of the domains seized by Dept. K were registered and hosted through Zaitsev’s company, Get-net LLC.
“All four sites frequently advertised one another, which is generally atypical for card marketplaces competing in the same space,” Flashpoint analysts wrote.
Stas Alforov is director of research at Gemini Advisory, a New York firm that monitors underground cybercrime markets. Alforov said it is highly unusual for the Russians to go after carding sites that are not selling data stolen from Russian citizens.
“It’s not in their business to be taking down Russian card shops,” Alforov said. “Unless those shops were somehow selling data on Russian cardholders, which they weren’t.”
Ferum Shop, which opened in 2011, is one of the oldest observed dark web marketplaces selling card-not-present data (customer payment records stolen from hacked online retailers), according to Gemini.
“Every year for the past five years, the marketplace has been a top 5 source for card-not-present records in terms of records for sale,” Gemini noted. “During this time, around 66% of the Ferum Shop’s records originated from U.S. financial institutions. The remaining 34% originated from over 200 countries.”
By contrast, Trump’s Dumps focuses on selling card data stolen from hacked point-of-sale devices, and it benefited greatly from the January 2021 closure of Joker’s Stash, which for years overshadowed most other carding shops. Gemini found that Trump’s Dumps gained roughly 40 percent market share after the closure of Joker’s Stash, and that more than 87 percent of the payment card records it sells come from U.S. financial institutions.
“In the last 5 years, Ferum Shop and Trump’s Dumps have cumulatively added over 64 million compromised payment cards,” Alforov wrote. “Based on the average demand for CP and CNP records and the average price of $10, the total revenue from these sales is estimated to be over $430 million. Based on the 20-30% commission that shops usually receive, the admins of Ferum Shop and Trump’s Dumps likely made between $86 and $129 million in profit from these card sales.”
The arrest of the six men comes less than two weeks after Russian law enforcement officials detained four alleged carders, including Andrey Sergeevich Novak, the reputed owner of the hugely popular and long-running UniCC carding shop.
In 2018, the U.S. Department of Justice indicted Novak and three dozen other defendants believed to be key members of “Infraud,” a massive online cybercrime community that prosecutors say cost merchants and consumers more than half a billion dollars.
According to Flashpoint, the recent arrests mark the first major action against Russia-based cybercriminals since March 2020, when the FSB detained more than thirty members of an illegal carding operation and charged twenty-five of them with “illegal circulation of means of payment.”
Dumps, or card data stolen from compromised point-of-sale devices, have been declining in popularity among fraudsters for years as more financial institutions issue more secure chip-based cards. In contrast, card-not-present data stolen from online stores remains in high demand, because it facilitates fraud at online merchants. Gemini says the supply of card-not-present data rose 50 percent in 2021 compared with 2020, largely due to the success of Magecart e-skimmers that target vulnerabilities in e-commerce sites.
Alforov says that while the card shop closures are curiously timed, he doubts they will in any way diminish the supply of stolen card data. Rather, he said, some of the lower-tier card shops that were previously just resellers working with Trump’s Dumps and others are now suddenly bulking up their inventories with their own new suppliers, very likely thanks to the same crooks who were selling cards to the six men arrested in Russia this week.
“What we’re seeing now is that a lot of these reseller shops are coming into the market and saying, ‘We don’t have this ordered data that we got from Ferum Shop, we have our own suppliers now,’” Alforov said. “Some of the smaller shops are starting to move up the food chain.”