JACK OF ALL TRADES — Tale of a Scammer

Uncovering a Stealthy Network of Scam Markets on Dark Web & Deep Web

By Rakesh Krishnan, published in Coinmonks, Feb 27, 2021 (10 min read)

This article exposes one of the most prolific scammers of the Dark Web, who purports to offer a wide array of offensive services to Dark Web netizens by setting up lucrative and promising-looking websites on the Darknet. Scammers rely on visual deception to coax visitors to these sites, which eventually prompts them to pay for the malicious services as “advertised”. This is the least confrontational way for fraudsters to earn in crypto: the scammer never directly attacks anyone, but instead exploits the weaknesses of the public and waits for the less cautious to fall for it.

As a result, this Scammer/Group had collected ₹2.5Cr ($344K) in an 8-month time frame!

Scammers keep an Eye on various fields to defraud (Hellequin by Genzoman | Image Source: DeviantArt)

While surfing the Dark Web, we often come across various offensive services such as Hacking as a Service (HaaS), Malware Shops, DDoS Attack Panel Rental, Database Trading, Drug Marketplaces, Ransomware Affiliation, Child Porn Streams etc. Although there are very few genuine (offensive) services running on the Dark Web, it is difficult for a pair of fresh eyes to tell the fraudulent ones apart.

One such attractive service piqued my interest and led me down a rabbit hole that opened plenty of doors to “so-called” services on the Dark Web.

HUNTINGTON BANK — SELLS BANK LOGS

Selling banking credentials (logs) on underground marketplaces is a day-to-day activity. One long-standing carding marketplace, Joker’s Stash, announced its retirement by February 15, 2020 after its Blockchain DNS sites (.bazar sites) and Tor sites were seen going down due to repeated Europol intervention, hence preparing for a safe escape before getting busted.

This service offers various bank login credentials such as Citi, Chase, Barclays, RBC, PNC etc. at affordable prices with high balances. But the service is an outright fraudulent SCAM, as the interaction below will show.

On proceeding to purchase anything from the list, you are shown the fraudster’s Bitcoin address.

Payment Page

Now, let’s check out the blockchain activity of this address. On mapping the address, it is found that the fraudster had extorted $12,000+ from Dark Web visitors in a 7-month time frame, effortlessly.

Wallet Info

Note: The IP address shown in the transaction is not related to the fraudster. It belongs to the Bitcoin node that relayed the transaction, hence it cannot be attributed to the person.

After analyzing the amount (as $12K is not a tiny sum), it can be assumed that the whole amount was not extorted through the single “Bank Log” scam campaign, as this website is not very popular. There may be more to it.

So, we can use this Bitcoin address as an anchor point to unfold the rest of the chained scam series on the Dark Web.

TAILING BITCOIN ADDRESS

Mapping the address 112FWGSL2q7rVTgabQuJbo3WwKid8dMEtj, the search results did not return much useful information. Checking various blacklist services and block lists, it turned out that the address had not yet been reported by anyone (at the time of writing), increasing the fraudster’s chances of extorting money through more advertised hoax services on the Dark Web.

Wallet Network Activity

Digging deeper, it is found that the first victim’s payment to the fraudster’s address was recorded on the blockchain on July 21, 2020 and the latest transaction was made on February 7, 2021, which underlines the fact that the actor is continuously gaining more traction day by day.

It is only at this point that the chain of SCAM campaigns unfolded, when the Bitcoin address was fed into the OnionSearch page:

List of Fraudulent Services listed via BTC Address Query

DIG DEEP INTO RABBIT HOLE — TRACKING BITCOIN MOVEMENT

Here is the detailed breakdown of the various Bitcoin addresses (only frequent nodes) which are (in)directly linked with our base address:

Bitcoin Transaction Chain

Note: Each Bitcoin address is represented by its first 3–4 characters in order to keep the diagram less cluttered.

In total, 13 Bitcoin addresses were found which are (in)directly linked to the “Huntington Bank Log” scammer’s Bitcoin address: 112FWGSL2q7rVTgabQuJbo3WwKid8dMEtj

They are:

112FWGSL2q7rVTgabQuJbo3WwKid8dMEtj : $15,187.08 (Hot Wallet)
3P2gQmykdffckRyRL9EakkGAkNyyYbppwJ : $60,463.11 (Private-Cold)
3CfDE4F5U1HM3YTiTovCsGLmGjSt1vwwJK : $112,288.36 (Private-Cold)
1H8DYgdqCk6EcN97QdWGFT8NEmw4nNmx6e : $79,254.37
12jW3fUExT1nT8LzjpSWEPj7oQ9GKhUiDC : $452.25
1KVcVCbvCrC9VfBJ2PVan2yq83swCQuRAZ : $9,901.98
1LBgNR7yZ3T9yKViKK9iFPfBSjY5psEd4E : $45,652.50
1NDyJtNTjmwk5xPNhjgAMu4HDHigtobu1s : $139,067,778,452.03 (Binance Hot Wallet)
18gDXp3gPVEyzv83MkdKvBe4ymDft7MxDu : $645.66
1QATskw4LGVjhfB5UPZwiyVLKP9zdPcKir : $1,269.85
1JfGB73xdPjpKT9q99osSpfSFamFUeTdjy : $5,317.79
1KVnrXbAxwshAtAJAowTGHxBey6ath1xyY : $614.46
3Qt13BF5Mivqcfb8bbEwjDkNCn5kvFyrVB : $11,928.94

Note: The addresses listed above are only the ones in frequent contact with the base address. Some are Cold Wallets (where money rests) while others are Hot Wallets (where money transits from wallet to wallet, as with exchanges). The addresses marked (Private-Cold) are the Cold Wallets.

Note 2: It is also interesting to note that 2 addresses have received incoming transactions from the official Binance Hot Wallet address 1NDyJtNTjmwk5xPNhjgAMu4HDHigtobu1s. Those 2 addresses are:

1KVcVCbvCrC9VfBJ2PVan2yq83swCQuRAZ
1H8DYgdqCk6EcN97QdWGFT8NEmw4nNmx6e

Note 3: It can be assumed that the scammers dealt directly with Binance for some kind of transaction, possibly a return transaction, though this is unclear at the moment.

Another wallet address used by the same scammer is 1QATskw4LGVjhfB5UPZwiyVLKP9zdPcKir, which reaped $800+ in 1 month; it will be unveiled in the upcoming case studies.

The total amount amassed from these shops is $344,000+ in 8 months, i.e. ₹2.5Cr in 8 months!

DIGGING DEEP — ANALYZING “FRAUDULENT” SCAM SERVICES

On feeding in the single Bitcoin address, it is found that the actor is associated with a wide variety of scams hosted on the Darknet. Some of them are:

ECash Sell : satangroup@tutanota.com
Professional Hackers Team : satangroup@tutanota.com
BitStore — Selling Gadgets : bitcoinking@tuta.io
BTC Purchase : Hackedbtcwlalets@pm.me
Profit Money Market : legitseller2020@protonmail.ch
Prepaid Cards : authentic21@tuta.io
Master Card VISA : dwverified@protonmail.com
Scam List : tormagazine@tutanota.com
ICO Cliqs — Buy CC : blackmarket21@tuta.io
PayPal Master : authentic21@tuta.io
Crown Black Market — Buy PP, WU, CC : authentic21@tuta.io
Whatsapp Hack : satangroup@protonmail.com
Facebook Hack : satangroup@protonmail.com
BEST Market — Amazon Login : blackmarket21@tuta.io
Hacking Zone : dwverified@protonmail.com
MatchFix : dwfixedmatches@tutanota.com
Bitcoin Mining : smarthacker2012@protonmail.com
BTC Wallet Shop : authentic21@tuta.io
BTC Generator
Degyo BTC Generator
Bitcoin Doubler
BuiltWithBitcoin — Charity Program
Trusted DW Site — A list of Onions : accepts BTC as donation
Bitcoin Wallet Destroyer — Hack any BTC Wallet
Shop Card — Card Selling
BuyPrivKey — Buy Hacked Crypto Wallets
Smart Coin — BTC Doubling
Wallet Get — Hacked BTC Wallets : bitcoinking@tuta.io
Hire a Cyber Hacker — Service : satangroup@tutanota.com
Bank Hacking Software : satangroup@tutanota.com
Phantom Hackers : satangroup@tutanota.com
Pathfinder Botnet : satangroup@tutanota.com
Hacktivist World : satangroup@tutanota.com
DXELITE Market : legitseller2020@protonmail.ch
Kuganzo Shop : authentic21@tuta.io
Grove Drugs : authentic21@tuta.io
Western Union : authentic21@tuta.io
Forum Verified Sellers : authentic21@tuta.io
Scam Advisor : authentic21@tuta.io
Dumps PayPal : authentic21@tuta.io
BlackMarket Activities : blackmarket21@tuta.io
Zeal Assistant : blackmarket21@tuta.io

Note: If you want to check the full Onion list, you may refer here.

Card Shop by Scammer: 2xgjz4warswhkhjx.onion/cards.html

So far, it is found that the actor maintains 40+ active Onion sites for different purposes, using 11 e-mail IDs (possibly more), which opens up a large number of income streams for the person/group to profit from on the Dark Web.

It is also notable that the actor provides support over Telegram channels, namely:

atn4ever
torverified
rioverified

WOLF IN SHEEP’S CLOTHING — ACCEPTING DONATION VIA PUBLIC SERVICES

It is notable that the actor had also hosted public-interest websites such as a List of Onions, a Scam List and a Charity Program, publicizing the same Bitcoin address to receive payments in the form of donations.

“Scam” List setup by Scammer: rzlezauifnvacale.onion/index.html

The above listed site is dedicated to reporting scam sites on the Dark Web. Of course, none of his own sites are present on this list. From the site, we can assume that the name of the person is NADIM (could be a pseudonym or may be the real name).

Moving on to the charity platform on the Dark Web: in order to lure Dark Web visitors, the actor had set up a phishing copy of BuiltWithBitcoin, a global charity initiative led by Paxful to support African schools using Bitcoin.

Phishing Site: sdkrnt5yo3whmltw.onion

Scam Advisor is a knock-off of TripAdvisor with a similar font and logo, used by the same scammer.

Another site run by the same scammer: l5jcgrava4h2joxfcnyas7qvkqjdzeywnsqntrmwqpfq7u4rz2iwjzyd.onion

Service offered by Scam Advisor

However, the listed Bitcoin address is different: 1QATskw4LGVjhfB5UPZwiyVLKP9zdPcKir. So how did we find the connection between the two?

Here it is…

The registered e-mail address is dwverified@protonmail.com, which is already present in our address base: it runs the MasterCard scam that exposes the old BTC address 112FWGSL2q7rVTgabQuJbo3WwKid8dMEtj. This makes it clear that both BTC addresses belong to the same person/group.
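The identifier pivot used above, as an added example that is not part of the article: cluster scam listings by shared e-mail or BTC address, so a site that publishes a fresh address still links back to the known actor through the e-mail it shares with an earlier listing. The records are constructed from names quoted in the article; which identifier appears on which listing, and the last "Unrelated Shop" entry, are assumptions.

```python
from collections import defaultdict

# Constructed sample records (assumed mapping of identifiers to listings).
LISTINGS = [
    {"site": "Huntington Bank Logs", "btc": "112FWGSL2q7rVTgabQuJbo3WwKid8dMEtj"},
    {"site": "Master Card VISA", "btc": "112FWGSL2q7rVTgabQuJbo3WwKid8dMEtj",
     "email": "dwverified@protonmail.com"},
    {"site": "Scam Advisor", "btc": "1QATskw4LGVjhfB5UPZwiyVLKP9zdPcKir",
     "email": "dwverified@protonmail.com"},
    {"site": "Hacking Zone", "email": "dwverified@protonmail.com"},
    {"site": "Toring.store", "email": "bitcoinking@tuta.io"},
    {"site": "BitStore", "email": "bitcoinking@tuta.io"},
    {"site": "Unrelated Shop", "btc": "1ConstructedPlaceholderAddressXXXX"},
]


def pivot_identifiers(listings):
    """Identifiers (e-mail / BTC address) that appear on two or more listings.
    These are the pivots an analyst would follow to other sites."""
    seen = defaultdict(set)
    for rec in listings:
        for key, value in rec.items():
            if key != "site":
                seen[f"{key}:{value}"].add(rec["site"])
    return {ident: sorted(sites) for ident, sites in seen.items() if len(sites) > 1}


def cluster_listings(listings):
    """Union-find over sites and identifiers: every site is joined to each of
    its identifiers, so sites sharing any identifier end up in one cluster.
    Returns a sorted list of clusters, each a sorted tuple of site names."""
    parent = {}

    def find(node):
        parent.setdefault(node, node)
        while parent[node] != node:
            parent[node] = parent[parent[node]]  # path halving
            node = parent[node]
        return node

    for rec in listings:
        site = f"site:{rec['site']}"
        for key, value in rec.items():
            if key != "site":
                root_a, root_b = find(site), find(f"{key}:{value}")
                if root_a != root_b:
                    parent[root_a] = root_b

    groups = defaultdict(set)
    for node in list(parent):
        if node.startswith("site:"):
            groups[find(node)].add(node[len("site:"):])
    return sorted(tuple(sorted(g)) for g in groups.values())
```

Running `cluster_listings(LISTINGS)` puts Scam Advisor in the same cluster as the Huntington Bank Logs site even though their BTC addresses differ, because the dwverified@protonmail.com e-mail bridges them through the MasterCard listing.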

DEEP WEB MARKETS: EXPOSING SURFACE WEB SHOPS

Having seen plenty of Onion scam sites run by the same scammer (Huntington Bank Log) on the Dark Web, let’s shed some light on their Deep Web activities.

During the investigation, it is found that the scammer runs various stores on the surface web. Let’s dive into the details:

CASE 1: Toring.store

This site was uncovered by dorking for the e-mail address bitcoinking@tuta.io (which is already in our WatchList).

Homepage of Toring.store

The site has been active since November 2020. Checking the hosting provider data yields the following:

Now that we know the IP address, a reverse IP search uncovered 15 domains hosted on 62.182.86.39, which is mapped to Ukraine. They are:

Associated Sites

It is notable that DarkWebFixedMatches was already present in our WatchList, hence it can be assumed that the same Scammer/Group is powering the listed sites with different Bitcoin addresses. [We will not be tailing each listed site, as their modus operandi is the same, only with different addresses.]

NOTE: The popular Dark Web forums “darkwebforums” and “Altenen” are also backed by the same Scammer/Group, tracked to 62.182.86.39. I also made a tweet a month back regarding the same, before uncovering this large scam.

CASE 2: Truemoney.store

This site was uncovered by dorking for the e-mail address blackmarket21@tuta.io (which is already in our WatchList). Moreover, the same domain is also present in the domain list above.

Homepage of Truemoney.store

The site has been active since December 2020.

Domain Details

The 2 cases discussed above were obtained directly from the scammer’s e-mail addresses in our WatchList. We will not be delving deeper into the other sites at this moment.

From the surface domains listed above, we came to know that the scammer is mainly interested in “.store” TLDs.

MINDSET OF SCAMMER

It is important to understand the psychology of scammers before dissecting any scam. No scammer halts operations after a single campaign, hence a series of scams follows. In order to target a larger audience, the fraudster picks different interests/themes. Undoubtedly, Bitcoin Doubling, Bitcoin Giveaways, Carding and Hack Services top the list, as these are the favorites among Dark Web visitors with limited computer literacy. Before scrutinizing the plausibility of such services, most visitors get lured by the visual appeal of the “SCAM” landing pages, because a polished visual presentation gives viewers a sense of authenticity, and they ultimately fall for the scam.

From this detailed investigation, it is clear that although there are many shops set up by the scammer on both the Dark and Surface Web, the defrauded money is ultimately channelled to the core wallet addresses (the Cold Wallet addresses referred to earlier). It is also notable that the scammer had recently registered more new websites in order to reap maximum profit without engaging in any serious crimes, making this one of the long-standing stealthy crime networks.

KEY-TAKEAWAYS

Cyber criminals can set up such SCAM sites on a large scale in order to raise large amounts of money without directly infecting anyone with ransomware or other malicious deliverables.

If a Bitcoin address (found on a scam site) has a large number of transactions (when viewed on the blockchain), then the scammer has set up many similar services on the Dark Web.

This is also a form of passive income for cyber criminals, or a long-term investment, that does not raise red flags.

Criminals advertise their own alternate stores/shops/services on each site the visitor lands on, driving more traffic to these parallel-hosted services.

Scammers also claim past bank hack incidents as their own work to lure inexperienced users, which prompts visitors to pay.

Google is not always the best friend for researching Bitcoin addresses; you can rely on Onion search engines instead (if you don’t use any dedicated tools).

Check whether the Bitcoin address has been blacklisted on platforms such as BitcoinWhosWho or Bitcoin Abuse.

Be a responsible InfoSec contributor by flagging malicious Bitcoin addresses on those platforms.


Note: This article is purely individual research and is not to be used or published anywhere without the author’s consent.


Independent Security Researcher and Threat Analyst. Often sheds light on Dark Web. Regular contributor to Infosec Community.