Organized Scam Unit — Behind Marketplace and Shops
With the large number of online marketplaces, people are curious to check out the various digital shops launched across cyberspace. Though there are many shady vendors in each marketplace, people would generally not fall easy prey.
But what if you come across a Marketplace where criminals present themselves as legitimate vendors, showcasing well-crafted product images and a past dealings history (Star Rating) loaded up with fake comments?
Yes, today I came across such a shop while investigating a Dark Web site named “GiftHub”, with a PornHub-themed logo, offering Gift Cards for 7 services, namely:-
IKEA
BLIZZARD — BATTLE.NET
GOOGLE PLAY
BITSA
APPLE STORE
AMAZON
STEAM
PLAYSTATION
It is notable that this shop only exists on the Dark Web and is reachable only via the following URL:- http://sbxxtg7qehc6wvhl.onion/
The reviews present in this Marketplace themselves made me suspicious about the service which they claim to offer.
Let’s check out the plan for the above advertised products!
STAGE — 1: TESTING THE PLATFORM
The Gift Card Generator link claims to generate a card in 60 seconds, and the balance is unknown. There are 4 plans offered:-
The Email field will not fire any confirmation emails (until payment); it is a hollow option offered as a part of generating Gift Codes.
A bitcoin address is displayed along with the sum to be paid, as per the user’s selected bundle.
Along with the User Reviews (Comments) and Vendor Ratings, the actors had also set up a “Failed Payment” page in order to reassure users about the transparency offered by them.
Initially, I suspected that this is a fake page which claims to generate Codes, but I was mistaken… They really generate codes (I bypassed the mechanism without payment).
But the generated codes were futile: all the codes were tested on the Amazon Marketplace and none of them reaped any fruitful results.
— — — — — — — — — -First RED FLAG confirmed!!! — — — — — — — — —
As I checked the comment section, I found that all the comments were made on different dates with non-repetitive sentences. This somehow made me believe that the service may be legit, as a huge number of comments were in favor of the service offered. But I was skeptical about the genuineness of the service — especially one offered on the Dark Web.
STAGE — 2 : MONIKER MAPPING
Although all the comments were made on different dates, I observed one strange thing — the reviewers’ handles.
On a simple search of each moniker, I came to another breakthrough. All these handles were tagged as “Verified Owner” on the TENEBRA Marketplace.
In total, I performed a match for 30+ reviewer monikers in order to cross-check, and found that all of them are a spot match for the TENEBRA Marketplace.
Some of the monikers that exactly match Tenebra Marketplace vendors are:-
redneck
openscartload
idlyrepair
nessweare
CUDDLYBEAR
DeepWater
0.slset
styin.
BIVERSJOWLANTLIA
Moogugalpostulate
HANNAHORCI0
passionalry
facezero.eiz
Truesinger
d_awayreadersavior
RESTAURANTOUTSPOKEN
whitebeardlocation
stoneweaverambiguous
stuffyfinnish
Burimand
Cerimwreck
From this, it is found that GiftHub is either a subsidiary of the TENEBRA Marketplace or run directly by TENEBRA.
— — — — — — — — — -Second RED FLAG confirmed!!! — — — — — — — —
It is also notable that the threat actors had dedicatedly spent time posting product reviews at regular time intervals, so that the visitor gets a notion of genuineness while scrolling down the positive reviews.
After confirming 2 Red Flags, I just wanted to check the amount received by the GiftHub team in order to understand the depth of this offensive service and how it affects Dark Web visitors.
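As an added illustration (not part of the original post), here is a small Python script that scores a scraped review section on the two signals used above: overlap of reviewer handles with a known vendor list, and unnaturally regular posting intervals. The review records and vendor set are constructed sample data (a few handle names are borrowed from the list above), and the threshold values are assumptions.

```python
# Added example, not code from the original post. Review records, vendor set and
# thresholds are constructed sample data / assumptions.
from datetime import date
from statistics import mean, pstdev

# Constructed sample: (handle, review date) as a scraper might collect them.
REVIEWS = [
    ("redneck", date(2020, 3, 20)),
    ("OpenScartLoad", date(2020, 3, 27)),
    ("idlyrepair ", date(2020, 4, 3)),
    ("nessweare", date(2020, 4, 10)),
    ("CuddlyBear", date(2020, 4, 17)),
    ("honest_buyer_42", date(2020, 4, 24)),
]

# Constructed sample: handles tagged "Verified Owner" on the other marketplace.
KNOWN_VENDORS = {"redneck", "openscartload", "idlyrepair",
                 "nessweare", "CUDDLYBEAR", "DeepWater"}


def normalize(handle: str) -> str:
    """Lower-case and strip so trivial case/space variations still match."""
    return handle.strip().lower()


def moniker_overlap(reviews, vendors):
    """Return (fraction of unique reviewer handles found in the vendor set, matches)."""
    vendor_set = {normalize(v) for v in vendors}
    reviewers = {normalize(h) for h, _ in reviews}
    matched = sorted(reviewers & vendor_set)
    return len(matched) / len(reviewers), matched


def interval_regularity(reviews):
    """Coefficient of variation of the gaps (days) between consecutive reviews.
    Organic reviews arrive irregularly; a value near 0 means a fixed cadence."""
    days = sorted(d for _, d in reviews)
    gaps = [(b - a).days for a, b in zip(days, days[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return None
    return pstdev(gaps) / mean(gaps)


def assess(reviews, vendors, overlap_threshold=0.5, cv_threshold=0.25):
    """Combine both signals into a verdict; thresholds are assumed values."""
    share, matched = moniker_overlap(reviews, vendors)
    cv = interval_regularity(reviews)
    flags = []
    if share >= overlap_threshold:
        flags.append(f"{share:.0%} of reviewers are vendors elsewhere: {matched}")
    if cv is not None and cv <= cv_threshold:
        flags.append(f"review cadence is near-constant (cv={cv:.2f})")
    return {"suspicious": bool(flags), "flags": flags}
```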
STAGE — 3: TRACKING TRANSACTIONS
It is found that the actors are making use of 3 BTC addresses (ATTOW). They are:-
1JPTPAAZmnanaobEJarxHoYQNX5U7Jj39t
This address is displayed when placing an order for Amazon, Blizzard, Bitsa or Steam. Till now, they have successfully defrauded 666 USD (ATTOW).
On further analysis, it is found that the first transaction hit to this address on April 2, 2020.
1DA6GgrKE1wuADgLzacbVgRfBRcFNyKsRn
This address was used for the following services — PlayStation, IKEA, Apple Store. It is found that this address has seen a surge in incoming transactions. Till now, they have collected 1,696 USD, and the last network activity was seen 20 minutes back (ATTOW).
This address became active on March 13, 2020, when the initial transaction hit.
As compared to Amazon or Steam, it is found that there are more users for IKEA, Apple Store and PlayStation, which is evident from the transaction history.
1H1QAujkm2bcfgLLX5BhCKmfdhmYcptCyc
This address is dedicated to Google Play services. Till now, this address has seen 428 USD (ATTOW).
This address became active on April 1, 2020, when the initial transaction hit.
From this, it can be estimated that the actors have made a sum of ~2,790 USD (ATTOW) within 2 months.
— — — — — — — — — -Third RED FLAG confirmed!!! — — — — — — — — —
As all these addresses are found to have been active for the last 2 months, it can be estimated that these addresses were specially made for the GiftHub campaign.
STAGE — 4: UNCOVERING TENEBRA MARKETPLACE
Tenebra is a Russian illegal marketplace which exists on both the Surface Web and the Dark Web. The website listing includes various categories such as Carding, Counterfeits, Drugs, PayPal, GiftCards, Transfers etc.
Woah, Godfather Themed Marketplace!
It is notable that this shady marketplace has a long listing of illegal products and reviews (now we know better about reviews) and is highly notable for its shady practices on various complaint forums.
On a surface check, it is found that this marketplace is a big Scam and has also appeared on various Dark Web Scam Lists.
In order to get a sample BTC address, I placed an order for iMac 21.5 Inch.
12ycMPnknjcmg3okF3WQWLqriQPwJ7Nijq
Received: 1,179USD
First Active: 22 March, 2020
Last Active: 23 May, 2020
We are not going to cover all the Bitcoin addresses used by the Tenebra Marketplace, as a sample has been provided above to understand the scenario!
Let’s get into the hosting details of the TENEBRA Marketplace.
Upon a WHOIS lookup, the following details are found:-
Domain: tenebra-marketplace.com
Registrar: NameCheap, Inc.
Registered On: 15th January, 2020
Name: Fedor Nikolov
Organization: Anonymously
Street: Ul. Telmana 2
City: Saratov
State: Saratavskaya Oblast
Postal Code: 413121
Country: RU
Phone: +94.045227
Email ID: m.gant2016@yandex.com
Following are the Onion URLs of Tenebra Marketplace available on Dark Web:-
http://vzmvmmaldx3h7vx6.onion
http://3twqowj7hetz3dwf.onion/
http://tenebra5nlfxplf5.onion/
http://d6icqld2aunwupgp.onion/
Though the postal code matches the mentioned state, these details are the same as those used for other shady businesses spotted on the Open Internet. One such case is the Affidavit of Anthony Martin, where a few fraudulent websites were registered.
In short, this identity (probably a busted or imaginary one) has been adopted by the threat actors in order to conceal their real identity while registering domain names for malicious purposes. One such case is Alexander Volosovik — who is synonymous with Bulletproof Hosting Services — esp. for DDoS hosting platforms.
On a deeper analysis, it is found that there are 287 domains registered in the name of Fedor Nikolov.
Some of them are:-
From this, it is evident that Namecheap registration is constantly used by the threat actors to register their maliciously intended domain names.
Here are the top 10 domains which are registered under Fedor Nikolov:
Now, we can only narrow down the results using IP address and Hosting details of the domain.
IP: 185.207.207.189
The service is hosted at Abelohost BV, which is a popular Dutch offshore hosting service.
As a Proxy/VPN is detected, it can be assumed that the Onion services are also running on the same IP address.
By checking the hosting history of the domain, it is found that the marketplace appeared 4 months back, which marks its inception.
Hence, it is evident that the TENEBRA MARKETPLACE and the GIFTHUB Shop came alive in the same time frame, and we have seen a massive uptick in the crypto revenue. As there is a high return of profits from this SCAM, the same funds could be used by cyber criminals to fund other nefarious activities, which may even include infamous APT campaigns.
As the same identity was used in other offensive services, I reported the same to Interpol, as it is still functional under the nose of the authorities without gaining much traction.
Hope you enjoyed this short investigative ride! If yes, don’t forget to clap!!!
Note:- The Article is purely an Individual Research and is not subjected to be used/published anywhere without the Author’s consent.
Care to Donate for Research Purpose?
1E4v8eXjieNhKDWc5Rww84D2TXrqxcjVKZ (only BTC Accepted)