Scammers Are Scamming Other Scammers Out of Millions of Dollars

User complaints about being conned on cybercrime forums may unintentionally reveal their true identity.
Everyone, including the scammers themselves, is susceptible to internet fraud. According to a new investigation, hackers who use hacking forums to acquire software exploits and stolen login information are falling for scams and are being fleeced of thousands of dollars at a time. Additionally, when scammers allege that they were defrauded, they often leave a paper trail of their own personal data that might lead police and investigators to the genuine identity of the scammers.



To do commerce, hackers and cybercriminals frequently congregate in particular forums and markets. They can promote forthcoming projects they require assistance with, offer databases of credit card numbers and passwords that have been stolen from individuals, or publicize brand-new security flaws that can be utilized to access other people’s equipment or systems. These negotiations, however, frequently don’t proceed as expected.

The latest study, which was just released by the cybersecurity company Sophos, looks at these botched transactions and the complaints that consumers have made about them. According to Matt Wixey, a researcher with Sophos X-Ops who examined the markets, the number of fraudsters attempting to con other scammers on criminal forums and marketplaces is significantly greater than we first believed.

Wixey looked at three of the most well-known forums for cybercrime: Exploit, XSS, and BreachForums, which took the place of RaidForums after it was taken by US law authorities in April. Although the websites have slightly varied operational procedures, they all offer “arbitration” rooms where customers may express their grievances if they feel they have been defrauded or injured by other criminals. If someone buys malware and it doesn’t function, for instance, they could complain to the site’s management.

According to Wixey, complaints occasionally result in customers receiving their money back, but more frequently they serve as a warning to other consumers. According to the investigation, criminals on the forums have lost more than $2.5 million to other con artists over the last 12 months, which is the time frame covered by the research. According to the report, which is being presented at the BlackHat Europe security conference, some customers complain about losing as little as $2, while the median frauds on each of the sites vary from $200 to $600.

Scams take many different shapes. Some are straightforward, while others are more complex. According to Wixey, “rip-and-run” scams frequently occur in which either the customer fails to pay for the goods they have received or the vendor receives payment but fails to deliver the goods they have sold. (These are frequently referred to as “rippers. Other frauds use falsified information or ineffective security flaws: On BreachForums, a user reported that a vendor attempted to transfer them Facebook data that was already in the public domain.
In one extreme case, someone filed a lengthy complaint on the Hack forum complaining that they had given someone a Windows kernel exploit but hadn’t received the $130,000 they had promised to be paid for it. The customer promised to pay after testing the program but never came through with the money. According to a translated version of the complaint, “He provided various justifications for postponing the payment at each stage.”



According to the analysis, several accounts or individuals appeared to collaborate in several schemes. One user can introduce another to another user who has a good reputation. The victim is then directed to a fraudulent website by this accomplice. According to Wixey, a user once tried to purchase a counterfeit version of the NFT-focused game Axie Infinity. According to Wixey, “They wanted a phony clone of it with the intention of essentially siphoning off real users’ monies.” “They purchased this false copy from another party, and the bogus copy had a backdoor that allowed the stolen bitcoin to be taken.” In essence, the con artist was duped by their own con.

Since there is no honor among cybercriminals, it shouldn’t come as a surprise that they frequently try to scam one another, but the research demonstrates how common it is. Known rippers were listed in a database that had been made public by the security company Digital Shadows in 2017. Similar to this, the company discovered in 2021 that certain administrators on forums for cybercrime are defrauding their own clients. According to threat intelligence company Analyst1, there have been thousands of complaints over the previous ten years regarding criminals con artists one another. A prior TrendMicro investigation found that although forums and marketplaces contain regulations, fraudsters aren’t deterred by them. According to the company’s 2019 research, “the culprits are often those who prioritize rapid earnings above reputation.”

The Genesis marketplace, which has been active since 2017, is thought to be the source of the most organized fraud that Wixey from Sophos discovered. This marketplace offers cookies, access to data from hacked systems, and hotel login information. As part of their investigation, Sophos found a phony version of the Genesis website ranking well in Google’s search results. Wixey remarks, “This is a truly strange example. “The actual Genesis is by invitation only, but it was an extremely simple WordPress template and it requested for money.”



The counterfeit version had further strange behaviors in addition to not seeming like the genuine Genesis market: When a user clicked the copy and paste option on the page, the Bitcoin address that could be used to send money changed, and it was also being publicized on Reddit. These indicators, according to Wixey, suggested the phony may have been the result of a “coordinated” effort. The researchers found 20 websites that all seem to be related and managed by the same organization or person using information from the false Genesis website, including text fragments and bitcoin addresses. The websites were all registered between August 2021 and June 2022, and eight of them are still active. They all have the same design.

According to Wixey, the majority of these websites replicate long-gone illicit markets and demand payment from users in order to access them. The con also seems to be effective. Although he is hesitant to assert that all of the money may have originated from the fake websites, the researcher claims that the Bitcoin addresses that the scam sites pay into have received a total of $132,000 in payments. One threat user who may be responsible for the websites has been identified by Sophos as an actor going by the stage name “waltcranston.” One piece of evidence connecting the handle to the sites was a claim made on another forum by someone using the username that they were the ones who developed the bogus markets.
Despite not being able to conclusively prove that waltcranston is responsible for the network of phony websites, Wixey claims that criminals who complain about being conned and want to settle their disputes through arbitration may provide investigators with a wealth of useful information.

People who complain about frauds sometimes share screenshots that may contain more personal information than they meant since they are required to provide evidence to support their allegations. In addition to names of victims, email addresses, transaction IDs, cryptocurrency addresses, some malicious source code, and other data, Sophos claims to have seen a “treasure mine” of data. All of these characteristics might be used to learn more about the individuals hiding behind the usernames or to offer hints as to their methods of operation.

One victim of a fraud posted a screenshot of a person’s Telegram usernames, emails, Jabber chat identities, Skype usernames, and Discord usernames. Others display IP addresses and the potential locations of people. Screenshots indicate the applications individuals use, the websites they visit, and information about their computer configuration. Wixey occasionally saw information on the victims who were the focus of the cybercriminals.

Due to the nature of their work, criminals are typically highly reticent to divulge any information that may be used to identify them. Real names are not used, and anonymization services like Tor are frequently utilized instead. When it comes to fraud reports, “they normally deploy quite excellent operational security,” according to Wixey. There are just no other locations to buy so much of this things, according to these markets. The data may eventually prove to be a helpful tool for finding some of the culprits. It’s definitely a place to start, adds Wixey.



Leave a Reply

Your email address will not be published. Required fields are marked *