Resecurity has identified the newly launched STYX Marketplace which focuses primarily on financial fraud, money laundering, and identity theft. Some examples of the specific service offerings marketed on STYX include cash-out services, data dumps, SIM cards, DDOS, 2FA/SMS bypass, fake and stolen ID documents, banking malware and much more. Financial fraud is one of the key catalysts of the commercial cybercriminal ecosystem, enabling bad actors to profit from credential theft in the online banking and e-commerce sectors.
The marketplace opened sometime around January 19, 2023, but earlier mentions of its launch were noted by Resecurity analysts on the Dark Web in early 2022. Back then, the actors behind STYX Marketplace were building out the platform’s built-in escrow module, which enables the brokering of transactions between buyers and sellers of illicit cybercriminal products and services.
Once a new user registers and is granted access to the STYX marketplace, the registrant is greeted with a vast selection of services to browse through. STYX also offers a Trusted Sellers section, presumably where the admins of STYX have vetted reliable vendors, before whitelisting them. Some of the service descriptions are limited – the marketplace connects actors via Telegram contacts and various automated bots as a security measure.
Should the user wish to purchase any of presented services, they must first fund their STYX wallet by transferring the amount specified by their chosen purchase in either Bitcoin (BTC), Ethereum (ETH), or Tether (USDT).
Tools to Bypass Anti-Fraud Filters
Resecurity analysts first noted mentions about STYX Marketplace in multiple Telegram groups that provide private access to tools frequently used for online-banking theft and fraud like anti-detects, device fingerprint emulators and spoofers.
Cybercriminals use such tools to bypass anti-fraud solutions and access compromised accounts. These fraud tools work by using granular digital identifiers like stolen cookie files, physical device data, and network settings to fool bank and e-commerce anti-fraud systems and impersonate legitimate customer logins.
One notable STYX Marketplace product is listed by “Enclave Service”, a reputable service on the Dark Web that provides tools for identity spoofing and anti-fraud bypass.
Notably, some of these tools have been re-designed and optimized for mobile devices. Previously, tooling was geared more towards PC-based user-spoofing tools like Vektor T13, Antidetect 4 Patreon, and other. Tools like Vektor T13 and others are particularly favored by the cybercriminal community due to their strong customer support and diligent software updates.
The bypass of banks’s existing customer authentication and fraud-prevention solutions requires special attention, which Resecurity will address in a separate research publication. In Q1 2023, Resecurity observed a significant spike in interest from bad actors seeking these tools, as well as the emergence of new fingerprint spoofing and anti-detect products on the Dark Web.
Compromised Payment and Personal Data for Sale
In the heart of STYX Marketplace, members can browse vendor listings for compromised online-banking, credit cards, cryptocurrency, e-commerce account credentials, as well as stolen credit card data. Bad actors are especially focusing on defrauding “digital banks” and VCC (virtual credit cards).
Besides payment data, threat actors are also monetizing stolen Personal Identifiable Information (PII). One reputable STYX Marketplace vendor focused on stolen PII is the “Fraud Store”.
“Fraud Store” provides an interactive Telegram bot that enables the automation of PII data sales.
Another credible Styx vendor is “Bearss”, a provider that specializes in selling large volumes of stolen social security numbers (SSNs) and ID-related data.
“Bearss” features stolen SSN and ID data for victims in the U.S., Canada, Netherlands, the U.K, and other countries.
Beyond stolen PII, Bearss also sells stolen business data. Typically, this information is exploited for Tax Fraud and other forms of business scams. One example of the latter is COVID-19 relief fraud, a theft bonanza that saw scammers potentially swindle over a $100 billion from the U.S. government.
Threat actors capture exploitable business data via a variety of different intrusion vectors. Favored data theft channels involve the hacking of web resources that process business loan data, phishing attacks targeting CPAs, social engineering, and other scams.
Underground Lookup Services
Resecurity analysts also identified multiple “checking services,” which allow threat actors to collect data about a targeted individual. Typically, these resources are used by actors as victim reconnaissance tools to enhance their odds of successfully compromising their bank or credit card accounts.
“Kraken” is one notable lookup service that has been listed on STYX Marketplace virtually since the platform launched:
The service is accessible via Telegram and enables users to search by a targeted victim’s driver’s license (DL) or SSN. Kraken also provides the extraction of Credit Reports, both on individuals and organizations. Typically, the fraudsters use compromised or purchased access via a reputable credit bureau’s third party and exploit their services for illegal purposes. Data sold by Kraken and similar vendors helps fraudsters to pass various verifications and authenticate a victim’s identity when committing fraud.
The scope of cybercriminal lookup services is not limited exclusively to PII data based on ID, DL or SSN. For example, “NZI Lookup” enables fraudsters to extract banking statements. Bank statements can help threat actors simulate a victim’s established financial behavior, before committing actual theft. Instead of logging directly into a compromised online-banking account, threat actors can leverage compromised credentials exchanged via third-party fintech SaaS solutions like Plaid, Yodlee, Finicity, which are widely used in the financial industry.
The price for Kraken’s services start at $20 (per account check), with possible discounts for bulk orders.
Fake IDs and “Drawing” Services
Another significant product offering on STYX are fake IDs and document forgery. With over 900 positive reviews listed on other cybercriminal websites and markets, “Podorozhnik” is one of the most credible vendors operating on STYX. His services are widely used by Dark Web actors to pass selfie and ID verifications required by digital banks, cryptocurrency platforms, and e-commerce systems.
Beyond the the U.S. market, Podorozhnik serves threat actors targeting victims in over 65 other countries. This threat actor has been operating in the cybercriminal ecosystem for over 2 years.
Podorozhnik shares samples of his work on his Telegram channel. The threat actor provides examples of various documents, starting with passports, SSN cards, banking statements and credit cards. Illustrating the high-quality of Podorozhnik’s work, are fake documents he has shared in the name of David Beckham and Joseph Biden.
The service is delivered manually, but the end product is exceptionally high-quality. According to this threat actor, his clients were able to bypass automated Know Your Customer (KYC) checks conducted by some of the most specialized fraud prevention vendors used by major payment systems and online-marketplaces. These services scan the documents to recognize the key fields (lastname, firstname, DOB, etc.) to compare with the original identifying information submitted by users.
Another notable vendor offering services similar to the above is “AnyDocs.” This provider also offers additional document types not supported by Podorozhnik.
One particularly well-crafted AnyDocs offering is the generation of driving license bar codes in PDF417 (Portable Data File) format. This credential validator is rendered in a 2D, stacked linear barcode format used in a variety of applications, including transport, ID cards and inventory management.
Telephone and E-Mail Flood – Fraud-as-a-Service
Vendors who provide telephone and e-mail flood services represent another noteworthy STYX Market seller category. These services are extremely useful when the victim’s bank account has been already compromised and the fraudster needs to block the account owner from any contact with the institution’s anti-fraud team. In exploitation scenarios, this compliance unit may call a victim to confirm suspicious account activity or send a text message or email.
To prevent that customer interaction from taking place, fraudsters use flooding services to inundate a victim’s phone and email accounts with a high volume of calls and messages, which can drown out bank communications.
HubExpert is one reputable vendor who specializes in account flooding. According to the vendor’s service offering, HubExpert’s operators are continuously working to improve the fraud tool’s delivery mechanisms.
The service supports flooding with calls, SMS and e-mails.
An hour of flooding starts at $4, with price varying on the amount of communication channels specified by buyers. 24-hours of multi-threaded flooding is priced at around $150.
The service also offers flexible API, enabling the automation of follow-on attacks.
E-mail flood prices are cheaper, with an hour costing roughly $12. “Flood Studio” is a high-credibility vendor that solicits e-mail flooding services.
Once an order is placed, the victim will receive multiple e-mail notifications primarily coming from third-party online services. Threat actors deploy a mass-registration engine that enables them to generate a large number of accounts with further alerts about activation. that’s why typically such e-mails go through spam filters.
Money Laundering – the Catalyst of Shadow Economy
One of the central pieces of STYX Marketplace is money laundering. Resecurity identified multiple underground vendors providing cash-out services from stolen VCC, banking, e-commerce and cryptocurrency exchange accounts.
“Verta” is one such vendor who specializes in processing funds stolen via Business Email Compromise (BEC) scams and other fraudulent transfers. This threat actor also charges a relatively high 50% commission for their cash-out services. The Verta service is accessible via Telegram and Jabber, following the initial vetting of cybercriminal customers. This vetting includes information about threat actors’ sources of stolen funds.
The minimum amount of funds Verta will process starts at $15,000 (for personal accounts) and $75,000 (for business). Typically, cybercriminal cash-out providers eschew processing lower transaction amounts because they do not justify their risk.
Notably, the commission on processing stolen funds from VCC is significantly higher compared to ACH/WIRE transfers. For example, the reputable underground vendor, “Chponk Family”, takes up to 80%. Less reputable vendors perform this service for 60%.
Another STYX Marketplace cash-out provider is “ZelleCash”. This vendor offers a broad coverage of VCC cash-outs and charges up to 83% commission.
Originally, this service established its credibility on the Dark Web by successfully processing funds stolen from Zelle accounts, charging 55% next-day payout.
In response to heightened Zelle fraud, the Federal Reserve has proposed new anti-fraud tools to enhance consumer protection .
Resecurity also identified a group of trending cash-out vendors that charge commissions based on the exact BIN of the card and brand of gift card. The commission spread depends on the popularity of the service/bank, the complexity of cash-out process, including the tactics the launderers will have to deploy to successfully circumvent a payment platform’s anti-fraud filters.
Some of these threat actors use more sophisticated techniques, including their own merchant terminal and NFC-enabled processing systems .
“Slava044” aka “egg_nfc” is one of the more sophisticated cash-out vendors identified by Resecurity. While relatively new to STYX Marketplace, they have long established their credibility as a cash-out provider in various cybercriminal communities.
This threat actor’s services support multiple geographies, including the Middle East, and the European Union (EU).
Translation |
The best cash-out service of your material with OTP from Egg NFC Cash-out in EU & USA NFC POS – 60-65% We accept: Priorities geographies: - We will provide the best percentage for volume |
This type of fraud has become more popular due to increased support for NFC and greater availability/adoption of applications that store payment data for contactless payments.
“Parlamenter VCC” is another reputable cash-out vendor with listings on STYX Marketplace. This threat actor differentiates themselves by specializing in cashing-out stolen funds from Apple Pay (with POS terminal) and other U.S.-based online merchants.
Parlamenter VCC service offerings cover cash-out processing for North American markets, in addition to merchant accounts registered by fraudsters in the UAE, EU, and Kazakhstan.
Another notable STYX Marketplace cash-out vendor is “Wonderland service”. This threat actor charges 50% commission on the amount of funds laundered via financial institutions based in UAE. As one of the options of receiving payments the actors offer Apply Pay.
Around March 28, this threat actor started to offer cash-out via their own “reliable USA-based merchant”. Resecurity assesses that Wonderland threat actors opened fraudulent merchant accounts, posing as legitimate businesses with viable revenues. This type of scheme may only work for a certain period of time, typically shuttering when the acquiring bank contacts the merchant customer about high numbers of chargeback complaints. The solution is designed to receive stolen funds from compromised credit cards via merchant registered on 'money mule' based in the U.S.:
In the post above, the Wonderland vendor states that they can also assist with cashing out funds of a “different nature”, while maintaining “confidentiality” in Kazahstan. The actors are able to receive funds based on credit card number or via banking transfer in EUR, USD and other currencies.
Wonderland service has also a wide network of 'money mules' internationally and offers cash-outs in EU countries like Poland, Slovakia, Czechia, Germany, Romania and Bulgaria.
Another significant category of STYX Marketplace money-laundering service providers offer newly registered banking accounts and credit cards. These offerings are in high demand on the Dark Web and are widely used by cybercriminals to launder stolen funds or funnel them via vast networks of money mules. KYC and fraud prevention teams have a difficult time identifying these ‘funnel’ accounts because customer activity and value transfer often mirrors legitimate user behavior, with non-suspicious transaction indicators.
“Zen Crew” is one reputable STYX vendor that specializes in the sale of funnel accounts. This threat actor has been operating since August 2021, with a presence on Telegram and multiple carding communities favored by experienced cybercriminals.
Using a diffuse network of money mules, Zen Crew provides account opening services at various financial institutions (FIs) in the U.S., the UK and Canada. Notably, once the account and card has been issued, they provide an option to physically ship the latter to the buyer. But in some cases, buyers do not even require a debit or credit card, as a photo of the card the remote use of the account and will be often be enough to effectively facilitate illicit transactions and cash-outs.
Zen Crew offers different prices, based on the FI or service specified by threat actors for account opening. Beyond consumer account, Zen Crew can also register PayPal Business accounts with merchant terminals, thus enabling buyers to process fraudulent credit and debit card transactions.
Some actors refer to Zen Crew’s offerings as a “drop service” (meaning, those accounts will be used as accounts on which they will “drop” stolen funds). Resecurity identified multiple STYX Marketplace listings for verified accounts, which can similalry be used as drops.
Nevertheless, such accounts may have to be verified with the ‘real’ accountholder’s identity. As such, buyers exploiting them may be limited to cash-outs only. In these cases, accounts are exploited for money laundering (for example, when receiving and distributing stolen funds). Notably, the price of such account varies on the FI and geography where the FI is based.
Resecurity also identified listings for verified VCC drop accounts.
For buyers to operate VCC drops, vendors must supply them with an e-sim or virtual number access.
The prevalence of these listings on cybercriminal marketplaces remains a big challenge for bank fraud- prevention and KYC teams. It is not possible to effectively prevent frauds of this nature, without prior knowledge about account owners facilitating this activity or actionable intelligence regarding the underground services selling them.
Resecurity collected intelligence on multiple illicit funnel accounts being offered for sale on the Dark Web. This threat intelligence enabled several major FIs in the U.S. and abroad to detect similarities in account openings, transactions anomalies, and mailing addresses used by fraudsters. This intelligence also helped FIs map out the network of ATMs frequently used by the ‘money mule’ rings co-opted by fraud leaders. The timely exchange of this information can help banks better detect threat actors exploiting VCC accounts for money laundering and other fraudulent purposes.
Manuals and Tutorials
STYX Marketplace also offers a trove of tutorials for cybercrime and fraud. The review of some of these guides may be helpful for cybersecurity awareness and risk management. The tutorials cover the process of opening new accounts in digital banks and e-commerce systems, committing tax fraud and using ChatGPT for malicious purposes.
Significance
- STYX Marketplace is a leading example of emerging cybercriminal platforms that service financially-motivated threat actors involved in online-bank theft and other fraudulent activities. The launch of this Dark Web marketplace confirms that threat-actor category remains highly active and is poised for significant growth.
- The majority STYX Marketplace vendors specialize in fraud and money laundering services targeting popular digital banking platforms, online-marketplaces, e-commerce and other payment applications. The geographies targeted by these threat actors are global, spanning the U.S., EU, UK, Canada, Australia and multiple countries in APAC and Middle East.
- Money laundering services (advertised at STYX and other marketplaces) started to support new jurisdictions, including the Middle East, which previously not widely visible in cybercriminal service listings. With the mass-adoption of digital banking and e-commerce, financial institutions in the Middle East are bound to face the same KYC and fraud problems as organizations in North America, EU and the UK. As such, the tracking of ‘money mules’ needs to become a core component of financial crime risk management at every FI.
- The banking sector remains vulnerable to threats related to identity authentication. Cybercriminals are leveraging weaknesses in KYC verification process, while also leveraging new tactics to plant money mules in FIs to facilitate cash-outs and other laundering services.