Group-IB, a threat hunting and adversary-centric cyber intelligence company, discovered that user data of the Swarmshop card shop have been leaked online on March 17, 2021. The database was posted on a different underground forum and contained 12,344 records of the card shop admins, sellers and buyers including their nicknames, hashed passwords, contact details, history of activity, and current balance.

The database exposed:

  • All compromised data traded on the website, including 623,036 payment card records issued by the banks from the USA, Canada, the UK, China, Singapore, France, Brazil, Saudi Arabia, Mexico; 498 sets of online banking account credentials and 69,592 sets of US Social Security Numbers and Canadian Social Insurance Numbers. Group-IB notified the national CERTs in the above-mentioned countries about the breach so they could take the necessary steps to mitigate the threat.
  • Compromised payment and personal data traded on Swarmshop. The dump contained 623,036 payment card records, 62.7 percent of which were issued by the US banks. Other records were issued by the financial institutions from China (14.02%), the UK (3.24%), Canada (3.09%), France (3.07%), Singapore (1.6%), Brazil (1.32%), Saudi Arabia (0.99%), and Mexico (0.86%).
  • 498 sets of online banking account credentials and 68,995 sets of US Social Security Numbers and 597 pieces of Canadian Social Insurance Numbers.

According to Group-IB Threat Intelligence and Attribution system, Swarmshop is a mid-size "neighborhood" store for stolen personal and payment records. The cardshop has been operating since at least April 2019, and by March 2021, it had more than 12K user base and over 600K payment card records on sale. The total amount deposited on all the accounts was at $18,145.73 by March 2021 — users of card shops do not store large amounts of money on their accounts and top up the balance to make payments if necessary.

Interestingly, it is not the first time Swarmshop has been targeted by fellow cybercriminals, says Group-IB.  "In January 2020, the cardshop’s records were leaked on an underground forum. The user, likely motivated by revenge, wanted to sell the Swarmshop user database and posted a screenshot allegedly from the cardshop’s admin panel. The analysis of the freshly exposed database found that the information was new as it indicated the latest user activity timestamps. In total, the databased revealed the records of 4 cardshop admins, 90 sellers, and 12,250 buyers of stolen data, including their nicknames, hashed passwords, account balance, and contact details for some entries," the report says.

Tyler Shields, CMO at JupiterOne, explains, "Hackers have been hacking other hackers for decades. What better way to gain access to new hacking tools, dumps, cards, personally identifiable information (PII) and other items of value than hacking the people that are stealing it in the first place. It comes as no surprise that there have been multiple successful breaches against Swarmshop. Cybercriminals have trouble with security just like everyone else. It just goes to show you that cybersecurity is a difficult problem no matter who you are."

Naveen Sunkavally, Chief Architect at Horizon3.AI, agrees this is nothing new. "This breach continues to show that no one is immune from cyberattacks, including cybercriminals themselves. What's most concerning is the proliferation of user credit card information and online banking credentials. Attackers don't need to hack in using zero days like in the movies; often they can just log in with credentials they've stolen from efforts like this. Now, factor in that many people reuse their credentials across different systems and all the open source information attackers have at their disposal. Attackers can use these credentials against a variety of systems, rarely triggering any security events, because they look like legitimate users. In the end, regular users are the ones who lose the most."

“This once again demonstrates that all businesses have the same concern of compromise, both legal and illegal," says Chris Morales, Chief Information Security Officer at Netenrich.  "Honor among thieves has always been a Hollywood myth. Above and beyond the normal for profit attack motive we most often focus on, ego is still very much a motive too.”