Hackers Hit 9 Countries, Expose 623,036 Payment Card Records

Hackers are hacking hackers.

Group-IB researchers on Thursday said in a blog that user data of the Swarmshop card shop – which trades in stolen personal and payment records – was leaked online on March 17 and posted on a different underground forum that contained 12,344 records of the card shop admininstrators, sellers and buyers.

The leaked data also included the victims’ nicknames, hashed passwords, contact details, history of activity, and current balance. The database also exposed all compromised data traded on the website: This included 623,036 payment card records issued by banks from the United States, Canada, the United Kingdom, China, Singapore, France, Brazil, Saudi Arabia, and Mexico. There were also 498 sets of online banking credentials and 69,592 sets of U.S. social security numbers and Canadian social insurance numbers.  

While the source of the breach remains unclear, the researchers say the exposed records show that two card shop users tried to inject a malicious script searching for website vulnerabilities in the contact information field. The Group-IB report said that “it’s impossible” to determine if the two events are connected to the breach.

According to Group-IB researchers, Swarmshop has been operating since at least April 2019 and by March 2021, it had a user base of more than 12,000 and more than 600,000 payment card records on sale. The total amount deposited on all the accounts was $18,145.73 by March 2021 — a low number, because users of card shops don’t tend to store large sums on their accounts and top-up the balance to make payments when necessary.

“Hackers have been hacking other hackers for decades,” said Tyler Shields, chief marketing officer at JupiterOne. “What better way to gain access to new hacking tools, dumps, cards, personally identifiable information, and other items of value than hacking the people who are stealing it in the first place. It comes as no surprise that there have been multiple successful breaches against Swarmshop. Cybercriminals have trouble with security just like everyone else. It just goes to show you that cyber security is a difficult problem no matter who you are.”

This breach shows that no one is immune from a cyberattack, including the cybercriminals themselves, said Naveen Sunkavally, chief architect at Horizon3.AI.

“What’s most concerning is the proliferation of user credit card information and online banking credentials,” Sunkavally said. “Attackers don’t need to hack in using zero days like in the movies. They often can just log in with credentials they’ve stolen from efforts like this. Now, factor in that so many people reuse their credentials across different systems and all the open source information attackers have at their disposal. Attackers can use these credentials against a variety of systems, rarely triggering any security events, because they look like legitimate users. In the end, regular users are the ones who lose the most.”

Chad Anderson, senior security researcher at DomainTools, added that even in the larger commodity malware space, hackers attempt to target the tools of other hackers and use vulnerabilities in malware to infect each other’s tools.

“The best analogy to think about this, though it falls down if you look too far into it, would be to think of these groups as gangs with their various territories,” Anderson said. “When they see another carder shop growing it becomes a natural target to claim back some of their user base.”