Blockchain & Cryptocurrency , Cryptocurrency Fraud , Cybercrime as-a-service

Darknet Market Selling Social Security Numbers Is Shut Down

24M US Citizens Listed on SSNDOB Marketplace - But Have All Domains Been Seized?
Darknet Market Selling Social Security Numbers Is Shut Down
Banner posted on the web pages of the four seized SSNDOB domains (Source: ISMG)

SSNDOB, a darknet marketplace selling stolen U.S. Social Security Numbers and dates of birth data of individuals, has been shut down, according to the Department of Justice. The takedown, it says, was the result of a multiagency effort, involving the Criminal Investigation Cyber Crimes Unit of the Internal Revenue Service, the Federal Bureau of Investigation's Tampa Division, the Department of Justice's Office of International Affairs, and law enforcement agencies of Cyprus and Latvia.

See Also: Enabling Government for Modernized IT

The federal agencies seized four websites selling personally identifiable information of individuals in the United States, operating under the SSNDOB Marketplace banner, the DOJ statement says. They include ssndob[.]ws, ssndob[.]vip, ssndob[.]club and blackjob[.]biz. But there are indications, outlined below, suggesting that not all domains have been seized.

An Active, Accessible Domain?

In 2013, independent security blogger Brian Krebs found, as part of his investigation into the Dun & Bradstreet, LexisNexis and Kroll Background America hack, that the SSNDOB marketplace had been operational from at least 2011. The marketplace, he said at the time, sold Social Security numbers, birthdates and other personal data of U.S. residents for a per-record price of between 50 cents and $2.50 and charged $5 to $15 for credit checks. The domain Krebs investigated was ssndob[.]ms. It is currently inaccessible.

But a separate domain, found by Information Security Media Group, also claims to be the SSNDOB Marketplace and appears to be both active and accessible on the open internet. The image below shows a redacted version of the domain name and its Onion link.

An active domain, claiming to be the SSNDOB marketplace, on the open web (Source: ISMG)

The DOJ and the Department of the Treasury did not respond to ISMG's request for information about the authenticity of this domain.

Domain monitoring site Whois indicates that the domain has been active since September 2017 and was last updated in May 2022. It is registered in Russia, and the registrar is Hong Kong-based company NiceNIC International Group.

Details of the domain claiming to be SSNDOB (Source: Whois.com)

Operations and Obfuscation

Admins of the SSNDOB Marketplace scoped for potential buyers of stolen data on the darknet markets or on underground forums, the DOJ statement says. It also says the marketplace provided customer support functions that were monitored by the operators, who tracked those who visited the marketplace and the flow of funds from the customers' accounts to their own accounts or wallets after a purchase was made.

The operators evaded detection by using online monikers unrelated to their true identities, maintaining servers in different parts of the world and ensuring that buyers paid only via digital tokens, such as bitcoin, the DOJ says.

"The SSNDOB Marketplace has listed the personal information for approximately 24 million individuals in the United States, generating more than $19 million USD in sales revenue," the DOJ says.

Crypto Connection

SSNDOB accepted bitcoin and litecoin - a peer-to-peer bitcoin spinoff - in exchange for its services, blockchain intelligence firm Chainalysis says. The payments system has received a total of $22 million in bitcoin, as part of 100,000 transactions, since it was set up in April 2015, the report says.

"That works out to roughly $220 per transfer on average, and a median payment size of $80, which matches what we'd expect for individual purchases of PII," the report says. But the company also noticed larger transfers, some to the tune of $100,000 worth of bitcoin, "suggesting that some power users are buying PII from the service in bulk."

Chainalysis says that "most funds sent to SSNDOB have come from centralized and P2P cryptocurrency exchanges, as well as other services." At 10%, the proportion of funds that were sent to SSNDOB through cryptocurrency ATMs is also higher than average, the report says.

Link to Joker's Stash

It appears that the SSNDOB Marketplace had a working relationship with the now-defunct Joker's Stash, an underground marketplace that specialized in the sale of stolen payment card data (see: Joker's Stash Reportedly Shutting Down Operations).

Illicit funds transfer from exchanges and crypto ATMs to SSNDOB, flowing to Joker's Stash marketplace (Source: Chainalysis)

"Between December 2018 and June 2019, SSNDOB sent over $100,000 worth of bitcoin to Joker's Stash, suggesting the two markets may have had some relationship to one another, including possibly shared ownership," the Chainalysis report says.


About the Author

Mihir Bagwe

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.