What is cybercrime, and what is the dark web? Many people have only a vague idea of what those two phrases actually mean. This article will detail how cybercriminals use different tools and strategies to get rich anonymously with your money. This research is not intended to promote cybercrime or the dark web; it looks at things from the attacker’s perspective. The methodology presented here goes deep into the steps criminals take to stay anonymous, buy credit cards, set up accounts, run legitimate and fraudulent transactions through those accounts, and ultimately cash out safely.
So, what is cybercrime? Somewhat self-explanatory, cybercrime is a crime that involves a computer or computer network. The computer may have been used to commit the crime or may be the target. Cybercrime may harm someone’s security or finances. We will primarily focus on fraud and the financial aspect, but hacking and network exploitation are still used a great deal to achieve specific goals, especially obtaining remote access to other people’s machines.
What is the dark web? The dark web is the World Wide Web content that exists on darknets: overlay networks that use the Internet but require specific software, configurations, or authorization to access. It’s safe to assume the average person has heard of the dark web but has never actually browsed it. The dark web is akin to a black market, although not all sites criminals use are Tor onion services. Some websites that sell credit cards, and markets that sell remote connections with clean IP addresses, are still reachable with a standard web browser.
Now that we have a brief understanding of cybercrime and the dark web, we can go into the first and most crucial step of cybercrime: OPSEC. Short for operations security, in this context it simply means how not to get caught. It is vital that cybercriminals have a solid understanding of, and foundation for, staying anonymous.
Cybercriminals are always aware of law enforcement and are prepared for the worst-case scenario: a raid in which their hardware is seized. The usual tactics to frustrate digital forensics start with full-disk encryption of the host and encryption of the virtual machine disks, so that the VM manager and its images are unreadable at rest. The caveat a forensics practitioner would add: properly implemented full-disk encryption with a strong passphrase is not realistically brute-forced, so investigators instead try to capture keys from a machine that is still running and unlocked (see the kill switch discussion below) or rely on legal compulsion. Plain encryption does not by itself give plausible deniability; that comes from hidden-volume features, where the existence of a second encrypted volume cannot be proven.
A popular method to stay safe is to use a virtual machine such as Whonix on a Linux host operating system. Whonix is a Kicksecure-based, security-hardened Linux distribution whose primary goals are strong privacy and anonymity on the Internet. It consists of two virtual machines, a “Workstation” and a Tor “Gateway,” both running Debian GNU/Linux. The Workstation has no network path of its own: all of its traffic is forced through the Gateway and therefore through Tor, so an application leak on the Workstation cannot expose the host’s real IP address.
VPNs and proxies are another layer of anonymity, and they must be configured correctly or the traffic can still be attributed. VPN stands for “Virtual Private Network”: an encrypted tunnel between your machine and the provider’s server, so that the local network and your ISP see only encrypted traffic to that server, and the destination sees only the VPN’s IP address. This makes it harder for third parties to track your activity online. The caveat is that the VPN provider itself sees everything and keeps whatever logs it chooses to keep, which is why one practice criminals follow is chaining at least two separate VPNs from different providers, so that no single provider, and no compromise of one, reveals both who you are and what you are doing.
Tor, short for The Onion Router, is free and open-source software for enabling anonymous communication. It directs Internet traffic through a free, worldwide volunteer overlay network of more than seven thousand relays to conceal a user’s location and usage from anyone performing network surveillance or traffic analysis. Tor’s intended use is to protect the personal privacy of its users and their ability to communicate confidentially; the destination sees only the IP address of the Tor exit node, not the user’s. Using Tor makes it more difficult to trace a user’s internet activity.
Forensic examiners can image the RAM of a running machine, and the encryption keys and passwords recovered from it are what make cracking password-protected and encrypted files feasible. Cutting power immediately is therefore an essential anti-forensics tactic: a machine that is switched on and logged in is far easier to examine than one that is off with its disks encrypted. Kill switches can be as simple as running Tails, a live Linux system that keeps everything in RAM and leaves nothing on disk, or a power cord that gets pulled from the socket when a door opens.
Cryptocurrency is the standard form of payment in cybercrime. It funds accounts on dark web markets and is used to cash out anonymously. Common types include BTC, ETH, XMR, and LTC.
Monero (XMR) is a decentralized cryptocurrency. It uses a public distributed ledger with privacy-enhancing technologies that obfuscate transactions to achieve anonymity and fungibility: outside observers cannot link the addresses involved in a Monero transaction, nor see transaction amounts, address balances, or transaction histories. Monero is usually the preferred cryptocurrency on the dark web because of this stronger anonymity.
Tor Browser allows you to access onion sites, including dark web markets. Anyone can find a market’s onion address with a little effort through an ordinary search engine and then open it in Tor Browser. Most dark web markets require a cryptocurrency deposit into the account before purchases can be made. When a purchase is made, the funds are held in escrow by the market until the order is finalized. In the past, markets used bitcoin as the primary payment method; Monero is now preferred because of its higher level of anonymity. These markets sell drugs, credit cards, and personal information, and people also sell their skills as services.
We should now have a basic understanding of the very first steps cybercriminals use to start positioning themselves within the space to steal money and data. Before we move on, there are some standard dark web fraud terms used in online communications in this space that we need to understand.
CC: Short for credit card. It may also refer to card data sold without the three-digit security code or other details.
CCV: Short for Credit Card Verification (the forum spelling of the card’s CVV); this typically means cards sold with the full card number, first and last name, expiration, address, ZIP, and three-digit security code.
FULLZ: Full identity information on the victim, including first/last name, DOB, address, SSN, and more. Additional data included with, or gathered while sourcing, Fullz can be background checks, credit reports, Employer Identification Numbers (EINs), and driver’s license (DL) numbers. Fullz are the backbone of information in any financial fraud scheme.
BINs: Bank Identification Numbers. A BIN is the leading six (and, under the current ISO/IEC 7812 scheme, up to eight) digits of a card number, which identify the issuing bank and card product; in market slang, “good BINs” means cards that should always hit, such as cards with high credit limits, weak issuer security checks, or world cards. Markets index their inventory by BIN to make it easy to buy high-quality CCVs.
Clean IPs: IP addresses, usually residential, that are not on blacklists or spam lists.
RDPs: Remote Desktop Protocol connections, in practice access to someone else’s (usually compromised) Windows machine; considered a private, higher-quality connection with a clean residential IP address.
SOCKS5: SOCKS5 proxies; cheaper and plentiful but less stable than an RDP connection, and many are already blacklisted.
SSHs: SSH tunnels used as proxies; cheaper than RDP connections and still clean and stable, but the same IPs are often shared among many buyers.
Now that we have looked at some standard terms, we can move forward to how cybercriminals begin setting up their accounts.
Once their OPSEC is in a good place and provides an adequate level of safety and anonymity, they can use the dark web to access and create an account on dark web markets.
They will then fund these accounts with the market’s preferred cryptocurrency so they can make purchases such as personal information, credit cards, and services from others on the platform.
As I mentioned, not all markets are hosted on the dark web. Some are accessible by traditional methods but are buried or unlisted by Google search results and are usually only known through word of mouth by other criminals. A few of these markets and sites include social security number lookup services and credit card markets. Like many illegal websites, these sites are typically hosted in countries where the United States has little or no jurisdiction.
Cybercriminals usually start by building out a profile of the victim whose personal data they intend to use (the Fullz). Sourcing high-quality Fullz can begin by purchasing a CCV with a good BIN to get the victim’s first and last name. They can then use that name to look up the victim’s SSN for a small fee from the lookup service mentioned earlier. Next they need to know whether the person’s information is of high enough quality to open certain online accounts, such as bank, payment processor, and other financial services.
A Fullz for a victim with a high credit score is usually needed to open many financial accounts. Criminals need the information in the credit report itself, and they need to verify the score so they do not waste time later down the road. But how do cybercriminals get access to view my credit score? The answer is that they use your personal information to create an account on one of the free credit score websites. Anyone who has opened an account on one of these sites knows how hard some of the knowledge-based verification questions are: “you took out a loan on a vehicle in 2019; what was the make and model?” or “which of these is a previous address you lived at?” That is where the background check comes in.
Cybercriminals will pay for a background check search of your first and last name from the CCV they bought. The information found in the background check is usually sufficient to answer the questions on the free credit score checking sites and view your credit score and report.
They will then package and neatly organize your information, including the CCV, SSN, background check, and credit report. They have now created an accurate, high-quality Fullz based solely on the CCV they purchased. Let’s move on to the next step of the process, how criminals use Fullz to create financial accounts.
Creating bank accounts with Fullz: Most information found on the Fullz, SSN, background check, and credit report will be required to open a bank account. These bank accounts are the basic foundation for storing and transferring most fiat money throughout the process from start to finish.
Aging bank accounts: Cybercriminals take deliberate steps to make their transactions look legitimate. This usually means running multiple safe transactions and payments, such as ACH transfers, through the account to build up a history of ordinary activity. The longer the account goes without fraudulent transactions, the more trust it acquires with the bank, and the more money can be moved through it without raising red flags.
Geolocation: To create a bank account or any account that cybercriminals want to look legit, the IP address and browser fingerprint must match the information found in the Fullz as close as possible. This also includes matching the host OS, time, date, and time zone. This is typically done using static and stable connection methods with existing clean fingerprint information, such as RDPs or SSHs.
What is a payment processor? A payment processor is a vendor businesses use to manage the logistics of accepting card payments: it shuttles card data from wherever customers enter their card details to the card networks (Visa, Mastercard, and so on) and the issuing bank, and settles the funds into the merchant’s bank account. Stripe and PayPal are examples of processors. Payment processors are how cybercriminals steal money directly from your credit card. Money can be siphoned from cards directly through a processor’s dashboard, but the most effective way to look legitimate is to set up a fake e-commerce store. If cybercriminals put enough effort into a convincing e-commerce or other type of store, tens of thousands of dollars, if not more, can be charged through it before it is shut down. They use the bank account created with the sourced Fullz to link the payment processor to the fake store. Once their accounts are organized, set up, and aged correctly, they begin the carding process.
The carding process is considered to be quite tricky, with payment processors and banks employing many types of security checks and flags for fraudulent charges. The criminal will first begin buying dozens of CCVs with good BINs. They will use clean connections with every CC they buy to match each card’s geolocation and browser fingerprint, then charge the e-commerce site they set up and control. CCs are run through the e-commerce site repeatedly for as long as possible before the payment processor catches on and shuts it down. Meanwhile, all this money is being transferred and deposited into the bank account previously created with the Fullz.
Anti-Fraud Measures: Processors and banks check geolocation, time and date, time zone, browser fingerprint, spending habits, proprietary fraud signals, and more, looking for mismatches between the card’s profile and the session making the charge.
Good BINs: Using high-quality cards at this stage is essential because a payment processor will shut an account down quickly if it sees too many declines or chargebacks.
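As an added illustration (not code from the article, and not any real processor’s logic), here is a toy version of the checks just listed, scoring constructed card-not-present transactions on three of them: IP region versus billing region, browser time zone versus the billing region’s time zone, and one browser fingerprint reused across several different cards, which is what a carder cycling purchased CCVs through a single RDP box looks like. The region-to-time-zone table, the weights, the threshold and the sample transactions are all assumptions.

```python
"""
Toy rule-based scorer for card-not-present transactions.

Added example for this article, not any real processor's code. It checks the
mismatches the text lists: IP geolocation vs billing address, browser time
zone vs billing region, and one browser fingerprint reused across cards.
The region/time-zone table, weights and sample transactions are all invented.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumption: a tiny billing-region -> expected browser time zone table.
# A real system would use a full geolocation and time-zone database.
REGION_TZ = {
    "US-CA": "America/Los_Angeles",
    "US-NY": "America/New_York",
    "GB": "Europe/London",
}


@dataclass
class Txn:
    txn_id: str
    card_last4: str       # last four digits of the card used
    amount: float
    billing_region: str   # region of the billing address on file
    ip_region: str        # region geolocated from the client IP
    browser_tz: str       # time zone reported by the browser
    fingerprint: str      # hash of the browser fingerprint


def score_txn(t, fp_cards):
    """Return (risk score, reasons) for one transaction. Higher is riskier.

    fp_cards maps fingerprint -> set of card_last4 values seen with it, so a
    carder who cycles many purchased cards through one browser stands out.
    """
    score, reasons = 0, []
    if t.ip_region != t.billing_region:
        score += 40
        reasons.append("ip_region != billing_region")
    expected_tz = REGION_TZ.get(t.billing_region)
    if expected_tz and t.browser_tz != expected_tz:
        score += 30
        reasons.append("browser_tz does not match billing region")
    other_cards = fp_cards[t.fingerprint] - {t.card_last4}
    if len(other_cards) >= 2:
        score += 50
        reasons.append(f"fingerprint reused with {len(other_cards)} other cards")
    return score, reasons


def score_batch(txns, threshold=50):
    """Score a batch; return {txn_id: (score, reasons)} for those at/over threshold."""
    fp_cards = defaultdict(set)
    for t in txns:
        fp_cards[t.fingerprint].add(t.card_last4)
    flagged = {}
    for t in txns:
        score, reasons = score_txn(t, fp_cards)
        if score >= threshold:
            flagged[t.txn_id] = (score, reasons)
    return flagged


# Constructed sample: t1 is clean, t2 has geo and time-zone mismatches,
# t3-t5 share one browser fingerprint across three different cards.
SAMPLE = [
    Txn("t1", "1111", 49.99, "US-CA", "US-CA", "America/Los_Angeles", "fp-a"),
    Txn("t2", "2222", 120.00, "US-NY", "GB", "Europe/London", "fp-b"),
    Txn("t3", "3333", 15.00, "GB", "GB", "Europe/London", "fp-c"),
    Txn("t4", "4444", 60.00, "US-CA", "US-CA", "America/Los_Angeles", "fp-c"),
    Txn("t5", "5555", 75.00, "US-NY", "US-NY", "America/New_York", "fp-c"),
]

if __name__ == "__main__":
    for txn_id, (score, reasons) in score_batch(SAMPLE).items():
        print(txn_id, score, reasons)
```

Note that the fingerprint rule is what defeats the “match every card’s geolocation” trick from the carding process: the criminal can buy a clean IP in the right city for each card, but if the browser fingerprint is the same across all of them, the cards are tied together anyway.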
Declines: Card transactions considered high risk, have insufficient funds, or have incorrect information will cause a transaction to be declined. Too many declines through a payment processor will cause it to be flagged, limited, or shut down. Only charges guaranteed to pass security checks are used to build initial trust with the payment processor, so there is no chance of decline or chargeback. Methods include using gift cards or paying people online to make a purchase through the processor.
Chargebacks: Usually considered inevitable, because eventually some cardholders will check their credit card accounts and statements and dispute the charges.
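An added example, not from the article, of how a processor-side monitor could catch the pattern the last few paragraphs describe: a merchant account “aged” with a handful of sure-thing charges, then hit with a burst of carded transactions, a rising decline ratio, and finally chargebacks. The records are constructed, and the 10% decline, 1% chargeback and 5x volume-spike limits are illustrative assumptions rather than any processor’s or card brand’s actual rules.

```python
"""
Merchant-level monitor: decline ratio, chargeback ratio and a volume spike
measured against the merchant's own aged baseline.

Added example, not from the article or any processor. Records and thresholds
are constructed; the 10% decline and 1% chargeback limits are illustrative.
"""
import statistics
from collections import defaultdict
from datetime import date


def evaluate_merchants(records, max_decline_ratio=0.10, max_cb_ratio=0.01,
                       max_spike=5.0):
    """Return {merchant_id: [reasons]} for merchants that trip any rule.

    records: iterable of (merchant_id, day, outcome, amount) where outcome is
    "approved", "declined" or "chargeback" (a later reversal of an approved
    charge, booked on the day the dispute was filed).
    """
    by_merchant = defaultdict(lambda: {
        "approved": 0, "declined": 0, "chargeback": 0,
        "daily": defaultdict(float),   # approved volume per day
    })
    for merchant_id, day, outcome, amount in records:
        m = by_merchant[merchant_id]
        m[outcome] += 1
        if outcome == "approved":
            m["daily"][day] += amount

    flagged = {}
    for merchant_id, m in by_merchant.items():
        reasons = []
        attempts = m["approved"] + m["declined"]
        if attempts and m["declined"] / attempts > max_decline_ratio:
            reasons.append(f"decline ratio {m['declined'] / attempts:.0%}")
        if m["approved"] and m["chargeback"] / m["approved"] > max_cb_ratio:
            reasons.append(f"chargeback ratio {m['chargeback'] / m['approved']:.1%}")
        # Spike rule: compare the busiest day with the median of the others,
        # i.e. the "aged" history the fraudster built up on purpose.
        volumes = sorted(m["daily"].values())
        if len(volumes) >= 3:
            baseline = statistics.median(volumes[:-1])
            if baseline > 0 and volumes[-1] / baseline > max_spike:
                reasons.append(f"volume spike x{volumes[-1] / baseline:.0f} over baseline")
        if reasons:
            flagged[merchant_id] = reasons
    return flagged


def _repeat(merchant_id, day, outcome, amount, n):
    """Helper to build n identical constructed records."""
    return [(merchant_id, day, outcome, amount)] * n


# Constructed data: a genuine shop with steady volume, and a fake shop that is
# "aged" with two small charges a day, then carded hard on day 5.
RECORDS = []
for d in range(1, 6):
    RECORDS += _repeat("shop-good", date(2024, 1, d), "approved", 50.0, 4)
    RECORDS += _repeat("shop-fake", date(2024, 1, d), "approved", 20.0, 2)
RECORDS += _repeat("shop-good", date(2024, 1, 5), "declined", 50.0, 1)
RECORDS += _repeat("shop-fake", date(2024, 1, 5), "approved", 250.0, 20)
RECORDS += _repeat("shop-fake", date(2024, 1, 5), "declined", 250.0, 6)
RECORDS += _repeat("shop-fake", date(2024, 1, 6), "chargeback", 250.0, 2)

if __name__ == "__main__":
    for merchant_id, reasons in evaluate_merchants(RECORDS).items():
        print(merchant_id, reasons)
```

The spike rule is the one worth noticing: the aging step is meant to build trust, but it also hands the processor a per-merchant baseline, and a day that is two orders of magnitude above that baseline is suspicious on its own, before a single chargeback has arrived.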
Cashing out is considered to be the most challenging part of the process. I have read on forums that you should ‘never count your chickens before they hatch,’ meaning, in this case, that even if the money is in the bank account, you don’t have complete control until you cash out to bitcoin or crypto. The bank can still put a hold or outright close the account that you were working with, and all of your funds will be gone. Some criminals will have a physical debit card sent to an address they use to withdraw funds from ATMs. To stay anonymous and 100% virtual, you must have a bank account linked to a crypto exchange.
Crypto exchange verification: Cryptocurrency exchanges require a scrutinizing verification process.
This step is where cybercriminals use the services and skills of others on dark web markets to help get through this rigorous verification process.
Photoshopped Credentials: Scans of the front and back of the driver’s license, along with scans of utility bills matching the address printed on the license, are required.
People on dark web markets sell their photoshop skills and abilities to forge these documents.
So, to break everything down here is a step-by-step methodology via the dark web from an attacker’s point of view:
- Before anything else, OPSEC needs to be tested and sufficient.
- Crypto funding: Enough money in the form of crypto to deposit into accounts to make purchases.
- Buy a CC: buy a credit card to get a name and address to build a Fullz.
- SSN: Use the name on the credit card to search for a social security number.
- Create a Fullz: use name and address on CC to run a background check, and use the background check and SSN to check credit report/score.
- Buy clean proxies, RDP, or SSH to match geolocation from Fullz
- Use Fullz (background check, credit report, and SSN) to open an online bank account
- Age the bank account with clean transactions such as ACH transfers, and with time
- Set up an e-commerce site and link the payment processor to the site and bank account.
- To build trust, run a few surefire transactions through an e-commerce site/payment processor.
- Buy high-quality CCVs with good BINs and buy connections matching each card’s geolocation.
- Charge CCVs through an e-commerce store/payment processor to deposit money into a bank account.
- Cash-out via crypto exchange or physical debit card.
- OPSEC is the most crucial aspect of the process, as staying undetected relies on correctly configured security.
- Almost every next step builds upon the previous, and it is essential a solid foundation is laid from the start.
- Creating high-quality Fullz and accounts with clean connections is crucial in not getting those accounts shut down and having to start over.
- Use CCVs with good BINs to make surefire charges without declines.
- Patience and skill are must-haves; some things take time.
So, what can you do to protect yourself after learning the fraud process from a cybercriminal’s point of view on how they steal your money? Unfortunately, what you can do on a personal level is limited. Most of the responsibility to keep your personal and financial information safe is in the hands of banks, businesses, and credit card companies. These entities are constantly under attack by malicious hackers to steal vast swaths of personal data and sell it for profit. These companies continuously battle cybercriminals to try and keep your personal information from being compromised. Banks and credit card companies even budget for fraudulent charges because they know fraud is inevitable.
But I can still leave you with some help to secure yourself and your information as best you can. To help protect against credit card fraud, I highly recommend checking your card statements and credit reports often. Before using a purchased CC, cybercriminals often test whether it is still active by running small charges of less than a dollar through a website they control or have linked the card to. If you did not recently use your card and see such a charge, it is a huge red flag that your debit or credit card has been stolen and is about to be used. People with high credit scores need to be extra vigilant. Cybercriminals look for high credit scores and will use your personal information, including an EIN, to open fake stores or shops online. These can be spotted by checking your credit report frequently and quickly disputing and removing any unknown accounts. A credit freeze at each bureau (free in the US) goes further: it blocks the new credit lines and accounts that a Fullz would otherwise be used to open.
As for securing your devices, I highly recommend keeping your operating system up to date and ensuring you have all of the latest security patches installed. Hackers use phishing, exploits, and social engineering to establish remote access to your devices and then sell those connections on the dark web. Other criminals buy those connections to your computer for nefarious tasks, such as using stolen CCs to make charges or setting up a fake e-commerce store on your home IP address! The best prevention against having your computer compromised is to be extremely careful when opening email attachments. Phishing campaigns are everywhere and are specifically crafted to make you download a file or click a link. A VPN is cheap and easy to use and worth having on untrusted networks, but be clear about what it does: it hides your traffic from the local network and your ISP, and it does nothing to stop phishing, a malicious attachment, or an unpatched exploit. Turning on multi-factor authentication for your bank and payment accounts does far more to protect the accounts you already have than a VPN does.
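The sub-dollar “is this card still alive” check is known as card testing, and it is easier to spot on the merchant or issuer side than on a single cardholder’s statement. As an added example (not from the article), here is a detector run over a constructed authorization log: it flags a merchant that authorizes many distinct cards for tiny amounts inside a short window, which is what a burst of card testing looks like, and counts the declines, since a stack of freshly bought CCVs always includes some that are already dead. The log format, the window and the thresholds are assumptions.

```python
"""
Card-testing detector over an authorization log.

Added example, not from the article. The log format below is an assumption
(one authorization per line); the real feed would be whatever the processor
or issuer records. Lines, window and thresholds are all constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format:
# <ISO timestamp> merchant=<id> card=<last4> amount=<usd> result=<approved|declined>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) merchant=(?P<merchant>\S+) card=(?P<card>\d{4}) "
    r"amount=(?P<amount>\d+(?:\.\d+)?) result=(?P<result>approved|declined)$"
)


def parse_auth_log(lines):
    """Parse log lines into dicts; silently skips lines that do not match."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "merchant": m["merchant"],
            "card": m["card"],
            "amount": float(m["amount"]),
            "result": m["result"],
        })
    return events


def detect_card_testing(lines, max_amount=1.00, window=timedelta(minutes=10),
                        min_cards=5):
    """Return {merchant: (distinct_cards, declines)} for merchants that ran
    authorizations of at most max_amount against >= min_cards distinct cards
    inside any sliding window of the given length. The busiest window wins.
    """
    events = sorted(parse_auth_log(lines), key=lambda e: e["ts"])
    small_by_merchant = defaultdict(list)
    for e in events:
        if e["amount"] <= max_amount:
            small_by_merchant[e["merchant"]].append(e)

    flagged = {}
    for merchant, evs in small_by_merchant.items():
        best = None
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the window fits the time limit.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            cards = {e["card"] for e in win}
            if len(cards) >= min_cards and (best is None or len(cards) > best[0]):
                declines = sum(1 for e in win if e["result"] == "declined")
                best = (len(cards), declines)
        if best:
            flagged[merchant] = best
    return flagged


# Constructed log: eight different cards hit for $0.50 in under a minute at
# "donate-x" (three already dead), plus normal-looking coffee shop traffic.
SAMPLE_LOG = """
2024-03-01T10:00:01 merchant=donate-x card=1111 amount=0.50 result=approved
2024-03-01T10:00:09 merchant=donate-x card=2222 amount=0.50 result=declined
2024-03-01T10:00:15 merchant=donate-x card=3333 amount=0.50 result=approved
2024-03-01T10:00:22 merchant=donate-x card=4444 amount=0.50 result=approved
2024-03-01T10:00:31 merchant=donate-x card=5555 amount=0.50 result=declined
2024-03-01T10:00:40 merchant=donate-x card=6666 amount=0.50 result=approved
2024-03-01T10:00:48 merchant=donate-x card=7777 amount=0.50 result=declined
2024-03-01T10:00:55 merchant=donate-x card=8888 amount=0.50 result=approved
2024-03-01T10:01:00 merchant=coffee card=9999 amount=3.50 result=approved
2024-03-01T10:05:00 merchant=coffee card=9999 amount=0.99 result=approved
2024-03-01T11:00:00 merchant=coffee card=1234 amount=4.25 result=approved
""".strip().splitlines()

if __name__ == "__main__":
    print(detect_card_testing(SAMPLE_LOG))
```

From the cardholder’s side the same signal is a single unexplained charge of a few cents; from the processor’s side it is dozens of them against different cards at one merchant, which is why the merchant-level view catches card testing hours before the statements do.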
This article is not intended to promote cybercrime or encourage the use of the dark web. The information conveyed here results from a ton of research and time spent reading guides and posts on forums by individuals participating in this type of activity. Many steps and bits of information are intentionally left out, such as specific website URLs, vendor names, particular banks with weak security, sms verification bypasses, and much more.