Sberbank, a Russian majority state-owned bank, seems to be in the eye of the storm.
Since the outbreak of the Kremlin’s aggression in Ukraine, dark web marketplaces have seen a downpour of stolen Russian credit card data. Researchers link the sudden influx to the hacktivists’ retaliation against Russia.
Cyber threat intelligence company Cyberint suggested that the lion’s share of the leaked credit cards are issued by Sberbank. In the three months following the start of the Russian invasion, the company observed over 110,000 leaked Sberbank cards, representing 18% of the global incidents in this period.
In the three months prior to Russia’s invasion, Cyberint observed around 12,300 leaked Sberbank credit cards (4% of the leaked credit card credentials).
“Sberbank of the Savings Bank of the Russian Federation accounted for about a third of all bank assets in Russia. Our team has detected multiple threat groups that have already recently compromised this bank, such as DoomSec and Ares, and breached data published on Telegram channels,” the company told Cybernews.
Leaked credit card data includes card number, expiration date, and CVV code – everything one needs to make an online transaction. Cyberint believes that many of the cards are still valid and unrelated to earlier incidents when Sberbank customers were exposed.
In 2019, the Kommersant newspaper reported that the personal information of up to 60 million Sberbank customers ended up on the black market. The following day, Sberbank issued an official statement to downplay the situation, claiming they were investigating an incident that could have affected 200 people.
“Credit cards are much newer. It is the work of a group of hackers which are experts in carding and phishing,” Cyberint said.
Carding refers to the unauthorized use of stolen credit card information. It might include buying prepaid gift cards to cover up the tracks of criminals, exploiting personal data, or money laundering. The carding market encompasses two segments: selling card data in text format (card number, expiration date, cardholder’s name, address, and CVV) and card dumps (information taken from the card’s magnetic stripe).
“The main rise in the leaked credit cards is due to a significant specific leak of credit cards collected by an underground marketplace named @ccantipbot. This marketplace, which is operated via Telegram bot, allows hackers to buy and receive fresh stolen credit cards,” Cyberint said.
@ccantipbot, the company said, is operated by hackers focused on skimming credit card details.
On 22 May, an anonymous actor from Russia published a list of tens of thousands of stolen credit cards that the threat actor group had collected, going all the way back to 2021.
“Although the exact reason for the leak was not revealed, the Cyberint team believes it is highly possible that this is due to the Russian-Ukrainian conflict, similar to the Conti Group leak. It is possible that an individual working within the group and with access to its internal systems has published all the data the group has collected to shut them down,” the company said.
It noted that @ccantipbot is not responding to any request to buy new credit card data, potentially due to the above leak.
"Another option for the leak purpose is to create a major impact on the credit card issuer by supporting fraud activities against their customer or forcing the bank to shut down tens of thousands of credit cards to reduce potential fraud, causing immediate dissatisfaction,” Cyberint said.