Arguably the biggest cybersecurity event of the year so far was the Russian Federal Security Service (FSB) arresting suspected members of the REvil (aka Sodinokibi) ransomware group on 14 Jan 2022. News of this operation, which reportedly occurred at the request of US authorities, rocked the cybersecurity community and has led to endless debates about the arrests’ implications and likely impact on the cybercriminal ecosystem. While media headlines focused on the REvil operation, though, cybercriminal forum users had started to notice alarming changes in the carding sphere. In this blog, we’ll take a look at the latest law enforcement operations against carding-focused threat actors and explore how cybercriminals reacted to these developments, as well as their predictions for the future.
On 12 Jan 2022, representatives of the long-standing carding platform UniCC posted on several cybercriminal forums to announce the site operators’ retirement (see Figure 1). The statements thanked UniCC’s “loyal partners, clients and colleagues” and warned against creating “conspiracy theories” about the site’s closure. The announcement explained, “we are not young and our health do not allow us to work like this any longer.” UniCC customers would have ten days to spend any funds deposited into the site, and vendors would be “paid up to the last cent”. The post ended by cautioning against following “any fakes tied to our comeback.” Another well-known carding platform, Joker’s Stash, broadcast a similar message at the time of its own closure almost one year earlier, declaring that any future reincarnations of the site would be illegitimate as its owners had no plans to return.
On 22 Jan 2022, a message appeared on UniCC’s domains declaring that the Russian Internal Affairs Ministry had shut down the site as part of a “special law enforcement operation.” Cybercriminal forum users highlighted that the source code for the seizure notice featured an ominous hidden question: “Which of you is next?” News also broke that, in cooperation with US law enforcement, the FSB had detained four alleged members of the hacking group “The Infraud Organization,” including the group’s organizer Andrey Novak, who was also the UniCC administrator.
Cybercriminal forum users immediately began to wonder what linked the takedown notice on UniCC, the FSB arrests, and the UniCC operators’ retirement announcement just ten days earlier. One user mused, “probably they were sensing something like this, or they were tipped off. but FSB was faster”. Another asked, “So he decided to give up the business, and as soon as he ceased to be needed, he was busted? Or was he taken and [the retirement message] written on his behalf?” A different user guessed that US law enforcement agencies “already had info on these guys” and decided to act once they saw the retirement announcement, explaining that Joker’s Stash “had been missed in the same way”. Other threat actors wasted little time trying to interpret events, and quickly began looking for suggestions for alternative platforms to replace the seized websites. One user complained that they had not been able to find “any good shop besides UNICC and JOKER. But they’re both gone now” (see Figure 2).
A few days later, on 07 Feb 2022, media outlets announced that the Russian Internal Affairs Ministry had arrested six more individuals, citing the same charges linked to selling stolen credit card information that had been leveled at the four individuals detained on 22 Jan 2022. Almost simultaneously, on 07 and 08 Feb 2022, the domains for several carding platforms displayed the same seizure notice seen on UniCC’s URLs: announcing that the Russian Internal Affairs Ministry had shut down the site as part of a “special law enforcement operation” (see Figure 3). Affected platforms included long-time mainstays of the carding scene, such as Trump’s Dumps, Ferum, and Sky-Fraud, as well as the RDP shop UAS. Cybercriminal forum members again wondered how this latest round of arrests linked to the carding sites’ seizures. Some users observed that one of the arrested individuals, Artem Zaytsev, headed up “Get-Net,” the domain registrar for the four sites.
Reaction to the developments on cybercriminal forums was mixed. Many forum users characterized the series of arrests as catastrophic. A carding forum user described the developments as the “most scary moment in the carding history.” They continued that they had “never seen this before,” and said the current situation represented a “nightmare for people involved in this business” (see Figure 4). A different threat actor agreed, posting, “at this tempo there won’t be a Russian darknet by the end of the year.” They quipped, “what will Krebs write about?”, referring to the information security researcher Brian Krebs.
Others explored more nuanced aspects of the developments. A user on a prominent Russian-language forum connected the incidents with the hacks of the forums Mazafaka and Verified, which took place in 2021, suggesting that login credentials from these hacked sites were used to target other platforms. A different user associated the law enforcement operations with cybercriminal forums’ former tolerance of ransomware, commenting: “You know who to thank for this […] if in 2020 we started speaking out against lockers here, the crowd would have been downvoted.” Still another mused, “Joker knew something when they closed their shop a year ago,” referring to the February 2021 closure of the Joker’s Stash carding platform.
Some threat actors looked to the future and wondered how the next few weeks and months would pan out. A carding forum user predicted that “some partial restore will happen in some days or weeks” because some of the seized carding shops “were also reselling direct suppliers.” They explained that “these suppliers are safe and they will have to supply stuff to keep their wallets warm.” Another user guessed that carding would “move to Telegram.” Others highlighted the increased importance of operational security, with one commenting ominously, “Hard times have come. Take care of yourself and remember your safety” (see Figure 5). A well-respected member of another long-standing carding forum agreed, warning, “EVERYTHING has changed, go on vacation!”
The atmosphere of uncertainty and distrust dominating cybercriminal forums is causing threat actors to assume the worst when previously stable sites become inaccessible – a trend that is likely to continue throughout 2022. For instance, in the wake of the 07/08 Feb 2022 seizure notices on carding sites, forum users raised the alarm when the domains for the credit card platform Brian’s Club became inaccessible. A few days later, the service’s administrator announced, “My dear fellow crooks! Brian’s Club has been relocating for the past few days and now the servers are prepared for a launch starting next week. Thanks for your understanding and I appreciate your patience!” At the time of writing, though, the domains are still not functional.
We saw a similar story with the carding site All World Cards, with forum users initiating panicked posts on cybercriminal forums to report a message left on the All World Cards platform on 09 Feb 2022 that read, “Due to recent events, we are going on vacation for 2 weeks. Bases from sellers will be automatically added to the shop. The ticket system is temporarily unavailable. Thank you for understanding! We’ll be back soon, so don’t worry! And remember, if our store is down, then we are under DDoS attack. We will make the next payments to sellers on February 20.” At the time of writing, All World Cards is still not accessible, and forum users have reported that the site had disabled the refund option for all cards.
In these unstable times, carders are left in a tricky position. As we’ve seen with All World Cards and Brian’s Club, existing sites that appear to have survived the takedown will probably be viewed with suspicion every time they encounter problems. Users may begin to abandon sites whose security they cannot trust. Yet there are fears that any new sites that spring up to replace the ousted platforms could be law enforcement honey pots designed to steal users’ information and provide intelligence for law enforcement. As one threat actor put it, if there are no reliable carding platforms, “there are no cards = no work = no money.” Predictions of a mass move to Telegram are complicated by many threat actors’ inherent distrust of the platform and fears over its lack of security. One user speculated that carders will simply “stop working for some time” due to the arrests and takedowns.
There’s also more to the story than these latest developments. Here at Digital Shadows (now ReliaQuest), we’ve observed threat actors complaining for many months now that the quality of credit card details for sale on criminal platforms has been decreasing — including on some of the seized sites. In response to the latest developments, one carder on a prominent cybercriminal forum complained, “It was obvious that [carding] did not have long left.” They explained, “the risk-cost-reward ratio was simply unrealistic”, due to “the validity of the cards and tightening the screws”. Another user opined that carding has been “dead since 2018”. Viewed in this light, these law enforcement takedowns could just represent another blow to a carding community that has been struggling for some time. Yet the carding scene has been battling on, so it seems unlikely that cybercriminals will do as some forum users joked, and go to work in the “factories.” We saw one threat actor commenting that although now would be a “great time” if “someone has long wanted to retire,” the carding world would “be ok for the rest of the hard workers.”
Digital Shadows (now ReliaQuest) will continue to watch developments in the carding landscape closely, looking for any indications as to which way the wind might be blowing and where the newest threat will originate from. The Digital Shadows (now ReliaQuest) SearchLight service (now ReliaQuest’s GreyMatter Digital Risk Protection) features a constantly updated threat intelligence library providing insight on this and other cybercriminal trends that might impact your organization, allowing security teams to stay ahead of the game. If you’d like to access the library for yourself, you can sign up for a free seven-day test drive of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here.