Russian authorities have followed up the REvil ransomware bust with a crackdown on forums that specialize in trading stolen credit card details, leaving cybercriminals over there despondent and predicting the end of days.
Users of the illicit platforms – known as carding forums – have been falling over themselves to see who can post the gloomiest forecast, with one declaring the recent government swoop as “the most scary moment in carding history”. Another decried the crackdown as a “nightmare for people in this business”, while a third even declared: “at this rate there won’t be a Russian darknet by the end of this year.”
Perhaps their gloomy predictions are well founded, and if so cybersecurity specialists have good reason to cheer. The latest move by Russia, a “special law enforcement operation” conducted by its Internal Affairs Ministry, has led to the arrest in recent weeks of at least ten suspects thought to be involved in online credit card fraud.
During this period the carding forums Trump’s Dumps, Ferum, Sky-Fraud, and RDP shop UAS all ceased to exist. The closures were linked to the recent arrests by Digital Shadows, which trawled cybercriminal forums and found a trove of panicky quotes from spooked crooks splashed across the dark web.
A fond farewell to criminal enterprise
Long-standing carding forum UniCC also announced its retirement, in a post published on English- and Russian-language darknet sites.
The criminal group’s declaration added a more enterprising twist to the recent slew of statements by rattled cybercriminals, as it paid tribute to its loyal customer base in a message that might be described as corporate in tone.
“Thanks to everyone who has been part of us for years,” it said. “To loyal partners, clients, and colleagues who assisted us in many ways, I would separately thank each one but it is not professional. If I or some of our team members failed your expectations – we [are] truly sorry.”
Cybersecurity analysts had another reason to laugh when the disbanded forum insisted that the reasons behind its retirement were age and health concerns. “Don’t build any conspiracy theories about us leaving,” the statement insisted. “It is a weighted decision, we are not young and our health does not allow us to work like this any longer.”
In keeping with its chosen theme of false legitimacy, UniCC added that its customers would have ten days to spend outstanding funds deposited with its site, assuring vendors that they would be “paid up to the last cent.”
Is Russia a new nemesis?
Russia – long touted as a tacit enabler of cybercriminals based on its own territory – broke with form earlier this year when it arrested key members of the notorious REvil ransomware group, thought to have clocked up $200 million in illicit earnings during its lifetime.
The high-profile bust left formerly cocky cybercriminals openly contemplating whether a stint in jail would be better served in the US or on home soil.
And judging by an ominous concealed threat from the Internal Affairs Ministry, other carding platforms can expect to face difficulties, too. The question “which of you is next?” was found embedded in the source code linking to the ministry’s seizure notice of UniCC – a fact not lost on an already timorous cybercriminal fraternity.
“Hard times have come,” declared another disgruntled threat actor, clearly upset at feeling threatened. “Take care of yourself and remember your safety.” Another veteran cyber crook could only agree, advising: “Everything has changed – go on vacation!”
But not all of the dark web’s digital ne’er-do-wells are prepared to give up that easily, it seems. One carding forum, Brian’s Club, tried to reassure the fraternity after its site too went down, suggesting that it was simply changing its operational tactics to stay one step ahead of the newly zealous Russian cyber police.
“My dear fellow crooks!” it declared, “Brian’s Club has been relocating for the past few days and now the servers are prepared for a launch next week. Thanks for your understanding and I appreciate your patience!”
Alas for the bold cyber rascals – as of last week, the digital doors to Brian’s Club remained closed.
Bleak outlook for card crooks?
What the future holds for carding forums – at least those based in Russia – is at best uncertain. Even sites that haven’t yet been targeted by the authorities will face increased skepticism from formerly loyal users who no longer feel they can depend on their security, according to Digital Shadows.
One threat actor quoted by the site put it succinctly – “no cards equals no work equals no money” – while another predicted a prolonged stint of retirement for carders, perhaps in the hope that Russia will forget its newfound zeal over time. Another user was even more pessimistic, and said carding had been “dead since 2018.”
Recent evidence would suggest that there might be some truth to this last statement, with carding revenues declining sharply in the first half of 2021.
Perhaps one can’t expect criminals who feel the world owes them a living to show persistence in the face of adversity, or maybe the downbeat predictions are simply an overreaction – but for now it seems as though carding will be low on the agenda for internet scammers based in Russia.
That said, nothing is a certainty and one can never be too careful. Here are a few tips on how to avoid having your card details stolen:
How to protect yourself against phishing
* Use unique and complex passwords for all of your online accounts. Password managers help you generate strong passwords and notify you when you reuse old passwords.
* Use multi-factor authentication (MFA) where possible.
* Beware of any messages sent to you, even from your Facebook contacts. Phishing attacks will usually employ some type of social engineering to lure you into clicking malicious links or downloading infected files.
* Watch out for any suspicious activity on your Facebook or other online accounts.