“Karma” is defined as “What goes around, comes around.” When Karma is at play, there is no need for revenge. Just sit back and wait. And if one is lucky, they might be able to witness Karma take its course. That day is here! Believe it or not, a group of cybercriminals who go by the alias “Swarmshop” on underground forums, selling stolen credit/debit card data, has been hacked.
Swarmshop’s Data Hacked
Swarmshop is a mid-sized store for stolen personal and payment records. The card shop has been operational since at least April 2019, and by March 2021, it had more than 12,000 users. The total amount deposited in user accounts stood at $18,145.73 by March 2021, as users of card shops do not store large amounts of money in their accounts and top up the balance to make payments if necessary.
As for the leaked database, Group-IB, a global cyberthreat intelligence company, first discovered this data set on March 17, 2021. Further analysis traced it back to the user data of the Swarmshop card shop operators. The leaked database was posted on a different underground forum and contained 12,344 records of the card shop’s four admins, 90 sellers, and 12,250 buyers. The data was detailed enough to include their nicknames, hashed passwords, contact details, history of activity, and the current balance in their wallets.
Other Data Leaked
In addition to user data, the database exposed all compromised data traded on the shop, including 623,036 payment card records issued by banks in the U.S., the U.K., Canada, China, Singapore, France, Brazil, Saudi Arabia, and Mexico.
Also, 498 sets of online banking account credentials and 69,592 sets of U.S. Social Security Numbers (SSN) and Canadian Social Insurance Numbers (SIN) were leaked from Swarmshop.
While the source of the breach remains unclear, the exposed records show that two users of the card shop attempted to inject a malicious script, one that searches for website vulnerabilities, into the contact information field. It’s impossible to determine if the two events are connected to the breach.
Not the First Time
Interestingly, Swarmshop was also targeted by fellow cybercriminals earlier, in January 2020, and the same story played out. The card shop’s records were leaked on an underground forum by a user likely motivated by revenge.
The user wanted to sell the Swarmshop user database and posted an alleged screenshot from the card shop’s admin panel.
The Russian-speaking admins of the card shop never commented on this thread; however, the website went down temporarily due to “the transfer to the new server.”
Now, more than a year later, when a newly registered user posted a similar thread with the link and a password to the database of the Swarmshop card shop on different forums, the admins of the card shop deflected the claim, saying the data came from last year’s breach, which they had already “fixed.”
A week after the post appeared, Swarmshop users were redirected to an under-maintenance page when trying to log in. Shortly after the breach report came out, users were advised to change their passwords.
What the Experts Say…
Dmitry Volkov, Group-IB CTO, whose team unearthed and studied the entire Swarmshop data hacking incident, said,
“While underground forums get hacked from time to time, card shop breaches do not happen very often. In addition to buyers’ and sellers’ data, such breaches expose massive amounts of compromised payment and personal information of regular users. Although the source remains unknown, it must be one of those revenge hack cases. This is a major reputation hit for the card shop as all the sellers lost their goods and personal data. The shop is unlikely to restore its status.”