Once authorities shut down the AlphaBay market last July, fraudsters went scurrying elsewhere to advertise the sale of illicit and dangerous goods, personally identifiable information (PII), stolen banking credentials, and to connect with other vendors and customers.
Reddit is one surface-web avenue abused by criminals once the extensive Deep & Dark Web (DDW) marketplace went away. Reddit poses a low barrier to entry for anyone to join, helping to make it an attractive landing spot, in this case, for criminals choosing to start fraud-related subreddits.
But it hasn’t been easy-going for criminals with Reddit actively banning subreddits that host fraud-related content, as well as fake ID listings, and drug-related content that can be used by others to source drugs within the forum.
Flashpoint analysts estimate that many of these subreddits have been active for at least a year, and once Reddit is successful in banning one, another generally surfaces shortly thereafter to replace it, making it likely this trend will continue. Most of the subreddit activity includes posts soliciting fraud-related data, with potential buyers and sellers then moving to other platforms such as secure messaging applications to complete transactions.
AlphaBay was shuttered July 20, 2017 when the Department of Justice announced that U.S., European, and Asian authorities collaborated to take the market offline. The AlphaBay shutdown happened one month after Dutch authorities seized control of the Hansa market, long considered a potential AlphaBay successor. AlphaBay was described by the DOJ as being 10 times the size of the notorious Silk Road market. Silk Road and its successor Silk Road 2.0 were closed down by authorities in October and November 2013 respectively. Like Silk Road, AlphaBay not only sold stolen personal and banking information, but billions in revenue moved through its coffers via the sale of narcotics, firearms, malware, and other illicit products and services.
Analysts said that firearms listings are generally kept from illicit Reddit subreddits, and posters are also being careful not to craft listings that would invite rapid action by Reddit to take them down. Flashpoint analysts said that threat actors—and scammers looking to profit among thieves—posting to the numerous fraud-related subreddits have varied skill sets, and they frequently post listings, vendor reviews, n00b—or inexperienced—questions, and product proofs.
In the past, analysts have observed fraudsters advertising data stolen in breaches potentially affecting thousands of individuals at a time. In addition to the PII available, threat actors are also selling scans of documents necessary to carry out tax fraud. In addition to PII, those documents included the victims’ names, home addresses, Social Security numbers (SSNs), and additional tax information. Yet another post in a fraud-related subreddit listed the availability of stolen banking login information that could be used by another threat actor for cashing out.
Reddit, meanwhile, is caught in the middle with its platform likely continued to be abused in this manner as a starting point for fraudulent schemes, and unintentionally acting as an intersection of surface web and dark web markets. For their part, Flashpoint analysts assess this situation could continue until a relatively stable dark web alternative replaces the former AlphaBay Market and its associated forum.