Threat Research

The scammers who scam scammers on cybercrime forums: Part 3

A shadowy sub-economy is more than just a curiosity – it’s booming business, and also an opportunity for defenders. In the third part of our series, we look at the curious case of twenty fake marketplaces.

In the first chapter of this series, we provided an overview of the hidden sub-economy of scammers who scam scammers, and in the second we examined the wide variety of scams and tricks within it.

The third chapter is a little different. It covers a specific scam we uncovered during our research, which we highlight because of its scale, levels of coordination, and apparent success.

The curious case of twenty fake marketplaces

During our research into Genesis Market, we found a clearnet site (genesismarket[.]org) that looked nothing like the genuine Genesis Market site but appeared prominently in search engine results.

A screenshot of a fake Genesis Market site, showing a welcome message and a table of credit card numbers, blurred

Figure 1: The fake Genesis Market site

We quickly determined that the site didn’t seem to be connected to the genuine Genesis Market. For one thing, the site demands a $100 USD deposit, whereas the real Genesis is invitation-only.

A demand for $100 on the fake Genesis site

Figure 2: The deposit demand on the fake Genesis site

The site asks users to pay in Bitcoin or Monero:

A Bitcoin deposit page, listing a BTC address

Figure 3: The fake site’s deposit page

This, and a few other elements (such as the ‘lost password’ button not redirecting anywhere, and some falsified ‘forum posts’) led us to assume it was a crude, low-effort, one-off scam, designed to take advantage of inexperienced researchers, would-be threat actors, and the generally curious.

A forum post on one of the fake marketplaces which lists the forum 'rules'

Figure 4: Some of the low-effort fake forum posts

But three things piqued our curiosity.

The first was that the onion link on the homepage doesn’t link to an onion site at all, but to genesismarket[.]org/benumbiernqlud55izbw4mdubush4zhzpg4rw3c2j6ew3ggpzbb7gdqd[.]onion. Benumb is a carding site, and we wondered if someone from that marketplace was running the scam and had made a mistake with the link.

The second thing was that the Copy address button on the deposit page triggers some JavaScript, which copies a different Bitcoin address to the clipboard:

A screenshot showing the Firefox browser inspector relating to the 'Copy Address' button

Figure 5: Clicking the ‘Copy address’ button results in a different address being copied to the clipboard

And the third was that someone had actively advertised this site on Reddit, which suggested the scam might be more coordinated than we first thought:

A Reddit post which advertises the fake Genesis Market site

Figure 6: A now-deleted Reddit post advertising the fake site

We visited the ‘Benumb’ link and found a site set up in exactly the same way, with the same demand for $100 (albeit with different Bitcoin and Monero addresses):

A fake Benumb site

Figure 7: The fake Benumb page, with an ironic phishing warning

A Bitcoin deposit page for the fake Benumb site

Figure 8: The fake Benumb’s wallet page

And when we looked at the credit card numbers on the homepage, we discovered that they were identical to the ones listed on the fake Genesis site.

The fake Benumb homepage, with credit card numbers in the background

Figure 9: The credit card numbers and details on the fake Benumb homepage…

The same credit card numbers on the fake Genesis Market site

Figure 10: …which are exactly the same as those on the fake Genesis site

We started querying search engines for portions of the text, the credit card details, and the cryptocurrency addresses, to find other sites created by the same scammer.

All in all we found twenty sites, registered between August 2021 and June 2022, which we assess with high confidence are operated by the same individual or group. Virtually all of them imitate existing or defunct criminal marketplaces (including multiple scam versions of Genesis, Benumb, UniCC, and Pois0n), ask for an activation deposit of $100, and have a similar look and feel. Some employ the same clipboard substitution quirk, and some don’t. We also observed a few other minor differences, like background color or slight modifications to the spiel.

The fake Yale Lodge homepage

Figure 11: A scam version of YaleLodge, a criminal marketplace

The fake WWH Club site, with the same activation notice

Figure 12: A scam version of another marketplace, WWH Club

The fake Brian's Club, with a similar template to the other scam sites

Figure 13: A scam version of Brian’s Club, yet another criminal marketplace

The fake UniCC site, again with a similar template

Figure 14: A scam version of the UniCC carding site (the genuine site closed in January 2022). Note that this site also contains a link to the fake Benumb site

The fake Pois0n CC site, again using a similar template

Figure 15: A scam version of Pois0n, another criminal marketplace

Along the way, we found evidence that the scammer was advertising other sites on Reddit:

A Reddit post advertising the fake Benumb[.]cards site

Figure 16: A Reddit post promoting one of the fake Benumb sites

We did find one anomaly – a site called ‘Cashout Guide’, which claims to teach users carding and fraud (for a fee, naturally) – which nonetheless has a similar appearance to the scam marketplaces:

The cashout[.]guide site

Figure 17: Available tiers on the Cashout Guide site

Of the twenty sites we found, thirteen are no longer active. Most are clearnet sites, although we discovered three onion sites (and one clearnet site masquerading as an onion site).

Here’s a full list, along with the associated Bitcoin addresses and registration information (where available):

Site WHOIS registration Registrar BTC 06/09/2021 Tucows 1QF54J6rXoo53ig93XgqX7rXtWSC2zemnS
18EFRk7XtHLPXnGDkz2Z9g2Juk5pppaWgH 09/05/2022 Porkbun 15NGE3k3RsCw4dFRVXYjpW2xsNyT96hNuE 22/02/2022 Tucows 1Q5AKMFfhV2jTu1Jjpm1pMP7qabApe9Xr 09/02/2022 Namecheap 1Q5AKMFfhV2jTu1Jjpm1pMP7qabApe9Xr 28/08/2021 Tucows 1QF54J6rXoo53ig93XgqX7rXtWSC2zemnS 09/02/2022 Tucows 1QF54J6rXoo53ig93XgqX7rXtWSC2zemnS 09/02/2022 Tucows 1KjZcgsTh9SZJiLDHBYQem96Z4CwbgQPL2 22/04/2022 Tucows 14KRaiCZp2zYPyRqVd3AHbyjT6qPcSnMKn 22/04/2022 Namecheap N/K 27/04/2022 Tucows 18EFRk7XtHLPXnGDkz2Z9g2Juk5pppaWgH N/K Namecheap N/K 27/04/2022 Namecheap N/K 08/04/2022 Tucows N/K 10/03/2022 Hosting Concepts B.V. 14ZFe4BH5FdfvdyndxfK4rwJtf3oPHjTgS 17/02/2022 N/A bc1qn2gfx8x9t234s8ncs80k3mrf5359g34xkxj0j8
benumbiernqlud55izbw4mdubush4zhzpg4rw3c2j6ew3ggpzbb7gdqd.onion N/A N/A 15NGE3k3RsCw4dFRVXYjpW2xsNyT96hNuE
shops4knpoaodqdvs3tgzctkwk2cot6nggtyfpfxjuno23brpzpaquyd.onion N/A N/A 1FWrm3Z1g2W4kEQXgsUyHXEk2S9dTVK54P
j4j245araf5zxzd6z342a7cmakooyx3g7rt4oluffu6zimjshtbkpsid.onion N/A N/A N/K 23/06/2022 Gransy s.r.o. bc1q2jw57fy5cf5rrdcdjcdwz34nln5xmycpunzay8 07/06/2022 Porkbun N/K

Table 1: The sites we discovered

When we collated information from all the Bitcoin addresses (by design, the balances of Monero addresses are hidden), we found that this scam network has been lucrative. Together, those addresses have received over $132,000 – and most of it has been withdrawn, leaving a total balance of only $1,633.34.

We can’t say for certain whether all the inputs to those addresses are related to the scam (i.e., we don’t know if the scammer has used them for other business), and in a few cases, the timelines didn’t add up (a few addresses made their first transaction before the associated site(s) were registered, so some inputs may have been unrelated to the scam). But even taking those examples out, there was still $87,676 going into those wallets.

One big question remained: who was behind the scam?

We found something we thought might be a clue: on some sites, the footer contains a link to a website called darknet[.]markets (there appear to be a few versions of this site with very similar content, including darknetmarket[.]org and dark[.]markets).

A screenshot of one of the scam marketplaces, with a prominent footer linking to darknet[.]markets

Figure 18: A link to darknet[.]markets on the scam site unic[.]cards

These sites are indexes of dark web criminal marketplaces, for visitors interested in drugs sales, carding, and cryptocurrency exchanges. Not only do they look similar to the scam marketplaces (and with similar hosting/registration details), they also list several of the fake marketplaces we discovered.

The carding section on one of the index sites, which prominently lists some of the scam marketplaces

Figure 19: The ‘carding’ section on dark[.]markets

Most of the activation notices on the scam marketplaces mention a carding forum on the criminal marketplace Dread (also known as Café Dread). We searched the names of the index sites on Dread, and found a post by a user called waltcranston (the username is likely inspired by the television series Breaking Bad), who claimed to have created them:

A Cafe Dread post by waltcranston in which the user says they have made a website and want it to become a 'one-stop shop for everything related to darknet markets'

Figure 20: waltcranston’s post (now deleted)

We also found at least one Dread user who seemed to fall for one of the scams:

A Cafe Dread user asks if it's normal to wait for 2 hours when they've sent $100 for Benumb activation

Figure 21: A Dread user’s post 

We dug further into the index sites, and found waltcranston listed prominently in the ‘Drug Markets’ section:

The 'drugs' section on one of the index sites, which advertises 'Walt Cranston's Meth Delivery Service'

Figure 22: waltcranston’s onion link on one of the index sites

waltcranston is a self-proclaimed methamphetamine dealer on both Dread and other marketplaces such as Alphabay. By their own admission they’re based in the US:

A post by waltcranston in which the user says "They are getting stricter here in the US too..."

Figure 23: waltcranston claims to be based in the US

Their website appears to use a similar template to the scam marketplaces, and the clearnet version has similar hosting and registration details:

waltcranston's meth delivery site, which offers methamphetamine for sale

Figure 24: waltcranston’s vendor site

We also found that one of the fake forum posts on at least one of the scam marketplaces was written by a waltcranston:

A screenshot of one of the fake forum posts from a scam marketplace, which was written by a waltcranston

Figure 25: A forum post on one of the fake Benumb marketplaces

waltcranston uses both Bitcoin and Monero, as shown in this post:

A post by waltcranston on Cafe Dread

Figure 26: In a post relating to their methamphetamine business, waltcranston confirms they use both Bitcoin and Monero

And several of waltcranston’s posts indicate a familiarity with criminal marketplaces and an open-minded attitude towards phishing and scamming, particularly when it comes to imitating specific marketplaces:

A post by waltcranston on Cafe Dread

Figure 27: waltcranston recommends Genesis Market to another user

A post by waltcranston on Cafe Dread

Figure 28: waltcranston passes on some advice regarding phishing sites “tailor-made to a specific market or shop”

A post by waltcranston on Cafe Dread

Figure 29: waltcranston suggests running a phishing site to another user

A post by waltcranston on Cafe Dread

Figure 30: waltcranston with a tongue-in-cheek quote about vendors turning to scamming

A Dread user had come to the same conclusion as us, publicly posting this accusation:

A post by a user on Cafe Dread which accuses waltcranston of running multiple scam sites

Figure 31: A Dread user calls out waltcranston for running some of the scam marketplaces we discovered

waltcranston did not confirm or deny the allegation in his responses, although other Dread users chipped in:

Reactions from Dread users to the allegations against waltcranston

Figure 32: Some Dread users condemned scammers

In the above conversation, the accuser suggests a possible motivation for waltcranston running these scamming sites – retirement from dealing methamphetamine.

Other Dread users were more apathetic about the situation:

More reactions from Cafe Dread users on the allegation

Figure 33: Two Dread users less concerned about scammers

We should point out here that most of this evidence is circumstantial, and we didn’t find any discrete identifiers which link waltcranston to the fake marketplaces.

In the final part of our series, due out Wednesday 28 December, we’ll show why this subject matters. Scam reports are a rich, and underexplored, source of intelligence; threat actors are aware that criminal forums are monitored, and so often employ good operational security – but when they’re victims of crime themselves, not so much. Because forum rules demand proof to support scam allegations, wronged threat actors will often post screenshots of private conversations and source code, identifiers, transactions, chat logs, and blow-by-blow accounts of negotiations, sales, and troubleshooting. We’ll share some case studies and wrap up our series with some recommendations and ideas for future research.

Leave a Reply

Your email address will not be published. Required fields are marked *