Verified crypto-exchange accounts have become a hot commodity on the dark web, with login credentials available for as little as $20, according to May data from threat intelligence firm Privacy Affairs. But the price for verified crypto accounts has been steadily rising, with some โlogs,โ a darknet slang term for stolen or nominee credentials, fetching as much as $2,650 per account, Privacy Affairs research shows.
While the U.S.-based Bittrex crypto exchange hosts the cheapest logs, Germanyโs N26 mobile banking platform claims the most expensive ones. This price increase has occurred despite a generally bearish market environment for crypto assets. Fueled by Western financial sanctions issued in retaliation for Russiaโs invasion of Ukraine, listings for verified crypto accounts have also experienced a dramatic increase over the last year, according to Russian media reports.
A January 2023 article published in Kommersant said that the volume of dark-web solicitations for verified crypto exchange accounts had already doubled over the beginning of 2022. Cybersecurity experts interviewed by Kommersant asserted that this growth is the byproduct of โrestrictions imposed by crypto exchanges against Russians.โ
Igor Sergienko, a director for the development of special services at RTK-Solar, a Russian cybersecurity firm, noted that many crypto exchanges had blocked Russian accounts or prohibited fiat withdrawals to cards issued by Russian banks in response to Ukraine-related regulatory pressure imposed by the West.
Nikolay Chursin, a threat intelligence analyst at Positive Technologies, told Kommersant that average cost of crypto exchange logs being sold on the dark web is $50. But this price is only for account login and password sets. It follows that full-dimensional Know Your Customer (KYC) kits fetch higher prices.
โFor credentials with a QR code for two-factor authentication, a full package of documents for which the account was registered, mail and Cookie (data that is stored on the computer of the account owner, by which the site recognizes him. – โbโ), the buyer will pay in an average of $300,โ said Chursin. โStarterโ KYC kits typically include account login data, backup means of obtaining access, online telephony details for receiving SMS messages, and a passport scan.
Dmitry Bogachev, a threat intelligence analyst at Jet Infosystems, told Kommersant that the price for crypto logs depends on multiple factors. Variables that can impact the price of these logs include โthe country of registration, the date of registration (the older the account, the higher the price) and the history of activity,โ according to the Kommersant report.
Generally, accounts registered in Western countries are priced higher as well. Meanwhile, there are two categories of buyers: everyday Russian crypto users who have been excluded from decentralized markets due to geopolitical strife and criminals. This post will explore various verified crypto account listings that Cryptosec analysts discovered on the deep and dark web.
Dark Web Verified Crypto Account Listings
Cryptosec analysts combed a variety of cybercriminal forums and Telegram channels and found a diverse array of advertisements for verified crytpto accounts. In the May 2023 post below, threat actor โBullFrogServiceโ solicits verified accounts for โExchanges, Banks, Crypto Cards, Virtual Cards [CIS, Europe] Binance, BUNQ, Stripe, iCard, Paysera, BitPay, Wise and othersโ on the Exploit.IN forum.
This threat actor also uses the ad to direct would-be buyers to their Telegram channel.
The BullFrogService postings above offer access to a verified IBAN account for an EU drop custodied by the BlackCat online banking service and a Binance crypto-exchange card. Both of these postings are from June 12.
Per the BlackCat postingโs product description, this solicitation offers a โverified account for the EU drop. MT IBAN, you can create virtual cards (unlimited). There are crypto-services inside the application (deposit/buy/sell/withdraw). Virtual number and documents are attached.โ The BlackCat account was being listed for $500.
The Binance card listing offers a โfully verified account for the EU drop. Binance VISA plastic card issued and received. The card can only be sent to Europe, South Caucasus, Belarus and Moldova by state mail. Documents and number included.โ This account was listed for $900.
Cryptosec analysts also identified the Rega inc Telegram channel soliciting a wide assortment of verified crypto accounts. As the reader can see the most valuable verified account listings are those that offer access to CashApp BTC ($270), Robinhood ($250), Coinzoom ($230), Moon Pay ($230), followed by Coinbase, Binance, Gemini, and other crypto exchanges that were all priced at $200.
On the Russian-language XSS cybercriminal forum, the largest cybercrime forum in operation, Cryptosec analysts also encountered this February 2023 posting from threat actor M666 titled, โVerified Accounts & Payment Systems | Casino Acc| Crypto Exchanges| Bank Accs| Digital Accounts| Fintech Banks| Merchant Accs| eWallets| Brooker| Any|.โ
The threat actor claims they have the capability to โdeliver a fully verified solution for any type of use. You just have to use your imagination and we can help you with regard to payment systems Any kind of service you need validation. (Decade of business experience).โ
M666 also notes that:
ย โWe work with strong nominees from:๐งโโ๏ธ
EUROPE; ( Hungary, Malta, Romania, Cyprus, Estonia, Latvia and Lithuania, creation possibilities for Switzerland, Belgium & UK).
AMERICA: ( US, Ecuador, Colombia, Mexico, Peru, Chile, Argentina, Dominican Republic, Brazil, Belize and Panama.)
After considering your needs, our team can recommend to you the best solution for your case.โ
Cryptosecโs exploration of XSS also revealed solicitations for verified NFT accounts. This recent posting from August 2023 is attributed to threat actor โwhitenet.โ Whitenet says he is โSelling warmed, with subs NFT accounts.โ
Specifically, โ whitenet โ says he is sellings accounts โwith Twitter Blue more than 500 tweets of various NFT / Crypto communities, more than 5k subscribers registration until 2013โ for $60. See the posting below.
Moving on from XSS, Cryptosec analysts combed the Styx Innovation Marketplace cybercriminal forum and discovered a series of solicitations for verified crypto accounts posted by Russian-language threat actor โVeriffDzen.โ
Significance
In a geopolitical risk landscape complicated by the war in Ukraine and resulting sanctions mandates being weaponized by the U.S. and EU, the growing marketplace for verified crypto accounts further complicate KYC, anti-money-laundering (AML), and sanctions compliance directives for virtual asset service providers (VASPs) and their business partners.
With the next block reward โhalvingโ event anticipated to transpire in early Q2 of next year, an occurrence that is projected by many crypto analysts to catalyze a bull market rally similar to ones experienced during previous halvings, the likelihood of amplified crypto retail adoption and usage seems more than plausible.
Backdropped, by growing geopolitical risks and uncertainty about how the war in Ukraine will resolve itself, the proliferating market for verified crypto accounts poses a serious threat to financial integrity in digital asset communities.
Compliance investigators and the law enforcement community must thus familiarize itself with the growing marketplace for verified crypto accounts and the threat actors monetizing these offerings. These measures are necessary to achieve better transparency and reduce the risks of any blind spots that may be corrupting VASPsโ KYC and related customer due diligence (CDD) operations.
While honest Russians unfairly excluded from the crypto-economy due to the military agenda of their government remain an unfortunate reality, so too does the risk of cybercriminal actors exploiting these ready-made nominee accounts for malign purposes.ย
Marin Ivezic
For over 30 years, Marin Ivezic has been protecting critical infrastructure and financial services against cyber, financial crime and regulatory risks posed by complex and emerging technologies.
He held multiple interim CISO and technology leadership roles in Global 2000 companies.