
Darknet Marketplace Snapshot Series: Styx Market

Ingrid Dollar
2024.04.07 07:49

In DarkOwl's Darknet Marketplace Snapshot blog series, our researchers provide short-form insight into a variety of darknet marketplaces: looking for trends, exploring new marketplaces, examining admin and vendor activities, and providing a variety of insights into this transient and often criminal corner of the internet. This edition features Styx market.

What is Styx Market?

Styx is a darknet market selling illegal techniques for committing fraud, money laundering, and access to stolen data. Chatter on the darknet around Styx market first appeared in 2020 before the marketplace officially opened in mid-January 2023.

Figure 1: Captcha to Styx Market; Source: Styx Market

Styx market offers stolen data as well as a wide range of products for conducting illegal cyber activities. Examples include 2FA/SMS bypass, Business Full Info/Tax, Installs for stealer, Anti-detect browsers, laundry services, FB/Google logs, Cashout Banks/VCC, Credit Cards (CC), Crypto-mixer, Stealer services, Search for BG/SSN/DOB, RDP (remote desktop protocol)/VDS (virtual dedicated server)/VPS (virtual private server), and many more. A table of definitions can be found at the bottom of this blog.

Figure 2: Homepage of Styx Market; Source: Styx Market

Infrastructure of Styx Marketplace

Styx marketplace is divided into 5 main sections: the main page, trusted sellers, auto ESCROW, news, and a filters section on the left side to search for specific products.

The main page of the marketplace has posts by users advertising what they sell in the marketplace. Usernames are not assigned and can be customized. Most of the site is in English and therefore easy to navigate for English speakers. However, many listings and vendor names are in Russian. This includes vendors on the Trusted Sellers page. Vendors on a trusted sellers page have typically been vetted by the administration running the site, and are therefore more "trustworthy".

DarkOwl analysts assess that many sophisticated darknet actors are Russia-based. Therefore, the fact that some vendors and their listings are Russia-affiliated adds to the legitimacy of the market. There are noticeable spelling errors throughout the site in some of the listings posted by vendors. In some cases, a listing will include both a Russian and an English translation. Some of the filters that can be used to search for specific products or items provide a Russian translation right next to them.

Many types of stolen or leaked data are offered for sale in listings. Listings can be found on the main page and under News, and certain types of data can be searched for with the filter bar. Looking at individual listings, the personal data being sold is noticeably mostly from the West. The types of data for sale are typically PII (personally identifiable information) and credentials: data that can be used for fraud and scams. For example, a hacked database of U.S. payday loans is available for $90. There are also Spanish national identification cards available. Many foreign governments issue national identification cards to their citizens, which are used when voting, traveling, and applying for government benefits, and are used by law enforcement for identification purposes. Other personally identifiable information from the EU, such as credentials, is offered in multiple listings. However, multiple APAC (Asia Pacific) countries and Middle Eastern countries are also present on the site.

For payment, Styx market has its own ESCROW-enabled payment system. According to the terms and conditions of the marketplace's auto-ESCROW, the maximum amount for a transaction is $1,000,000 USD. The ESCROW system can be used by buyers and sellers for dispute resolution. They can invite an Arbitrator by clicking on a help button. The Arbitrator takes 4% of each arbitration, and their decision is final.

The infrastructure of Styx Market relies heavily on a Telegram element.

In some cases, the "contact seller" button on the marketplace will lead directly to a Telegram channel. Vendors who rely on Telegram will often have multiple channels tied to their vendor shop: one for administrative support and another for advertising their products.

Figure 3: Trusted Sellers of Styx Market; Source: Styx Market

Focus on Financial Crime

Most of the services on the marketplace appear to be financial. Customer information for digital banking services such as Chime and PayPal is listed, as well as for more traditional banks including Capital One Bank, Wells Fargo, Citi Bank, and Old National Bank, among others. Access to cryptocurrency exchanges and Bitcoin platforms is prevalent throughout the site; sites such as Crypto[.]com, Coinbase, BitRue, Kraken, and others are listed by sellers to offer access to compromised accounts or to facilitate cashing out illicit funds. It is unclear from research which of these purposes the accounts are offered for, but historically we have seen them used for both.

Figure 4: Wells Fargo Account; Source: Styx Market

Figure 5: KYC Binance Tutorial; Source: Styx Market

The products and data available on Styx can be used to assist a cybercriminal at every stage in the process of financial fraud. This could begin with social engineering emails targeting CEOs; using lookup services for reconnaissance to find and gather data on targeted individuals, such as a mother's maiden name, the name of a family pet, or past addresses, to help access accounts; and creating accounts to drop and launder money. Lookup services are used by cybercriminals and bad actors for reconnaissance. They use lookup service data to help them pass verification and authenticate as their victim when they are committing fraud.

Figure 6: Telegram Channel for a Lookup Service on Styx Market; Source: Telegram

☀️Search manually:

DOB ($2)

EIN ($10)

☀️Search by way of API:

DL ($8)

SSN ($8)

⚙️Connect to the API and search 24/7

Styx market also offers cash out and money laundering services. Multiple vendors claim to offer this service, and each has their own requirements. For example, the vendor "Verta" sometimes charges a 50% fee. They also have requirements for the minimum amount of money needed for a transfer: $15,000 minimum per transfer to a personal account and $75,000 minimum per transfer to a business account.

Figure 7: Verta Requirements; Source: Telegram

Facilitating financial crime appears to be a major part of the services offered on Styx marketplace. Cash out vendors require significant minimum amounts of money for their services. Cash out services are used to turn illicit Bitcoin into fiat currency. This can be a problem if the service, such as Coinbase, requires users to use their real identity and to prove that the crypto funds are legal, neither of which a darknet actor would do.

Banks are wary of cryptocurrencies' links to the darknet and will likely be hesitant to cash out large sums of crypto, or will raise a red flag and require more documentation. Darknet cash out services help darknet actors cash out their illegal cryptocurrency by using their own methods to get around the system. Exact methods are hard to come by, as vendors don't publish what they are taking advantage of. However, one method involves using multiple Bitcoin wallets, running them through personalized mixers, and finding a Bitcoin buyer who offers cash in exchange. Another method is to send Bitcoin to a company that will charge a prepaid debit card.

Cash out services often have minimums and high commissions, indicating that their customer base consists of actors with illicit cryptocurrency gains who have enough funds that the cash out will be worthwhile to them despite the high commission. These indicators may suggest that Styx market has been designed and built for users who are already experienced in cybercrime, since they appear to have access to a high amount of illicit funds.

Unique Characteristics of Styx Market

DarkOwl analysts have observed that a unique characteristic of Styx market is its interconnectedness with Telegram. For each listing, the user has the option to get in touch with the seller directly to purchase the product. A "Get in Contact" button will either bring the user to a page with a chat box on the marketplace itself, or take the user to a Telegram channel. The Telegram channels are a mix of bots and direct access to the sellers themselves. Some Telegram channels, such as that of the money laundering service "Verta", are used by the sellers to make public their terms of service and to post positive reviews of their services. Positive customer reviews are key to gaining trust in the darknet community.

Limited descriptions of products are given on the site, and users are often redirected to a specific Telegram channel of that vendor. The Telegram channels are either a channel for direct messages to the seller or the seller's support Telegram channel.

A Telegram channel is used to broadcast information to a large audience; only admins are able to post and there can be an unlimited number of subscribers. A public group is similar to a channel, but all subscribers can post in the chat. Public channels have a username, and anyone can join. Private channels are only accessible if a user is added by the owner or receives a private link to join. Analysts have observed that it is not uncommon for darknet vendors to have multiple Telegram accounts, where each is used for a different purpose. One might be just for support, one might be for posting new products, and yet another might be for direct messages to the admin.

Figure 8: Link to Deviant Shop’s Telegram from Styx Market; Source: Styx Market

In the Telegram channels, descriptions of products and availability are shared. Buyers may also get photos of the kind of products they're looking to purchase as proof.

Figure 9: Deviant Shop Telegram Channel; Source: Telegram

A Look at the Vendors of Styx Market

To know if a darknet marketplace is sophisticated, it is important to assess the legitimacy and level of sophistication of its vendors. Trustworthy darknet marketplaces are more likely to have vendors with a substantial darknet footprint. More legitimacy is afforded to a vendor if they have been selling for multiple years, across different marketplaces, and have been evaluated to be trustworthy and not a scammer. Using DarkOwl Vision, the darknet, and darknet-adjacent sites, DarkOwl analysts looked at vendors from Styx market to review the vendors' footprints across the darknet. The vendors' presence on the darknet will likely indicate whether vendors on Styx market are sophisticated hackers or skids.

The vendor shop "Valera888" sells PII, such as national identification documents, on Styx market. Using DarkOwl Vision, this same vendor's username was found on darknet carding sites, a popular Russian darknet hacking forum, and more darknet marketplaces dating back to 2019. Although the same username on Styx has been used across darknet marketplaces in the past, there is no way to tell if the same person is behind these accounts. In the past they have been associated with selling CVVs and private software. The username could be associated with the same user since they appear to follow a pattern of selling personal data, but this is unconfirmed.

Figure 10: Mapping Valera 888 with information from DarkOwl Vision

"337 Diller" is a vendor on the trusted vendors page of Styx marketplace. This vendor offers lookup services.

Figure 11: Vendor Profile of 337 Diller on Styx Market; Source: Styx Market

There are two Telegram channels directly linked to this vendor on Styx marketplace. Further research reveals other channels run by a vendor with the same name selling similar products on Telegram. One of the Styx-market related channels advertises data for sale and recruitment posts. Purchases of the data posted on this site can be made through their linked Telegram bot channel. A support channel is also linked within this channel. The other channel consists of reviews of the vendor.

Figure 12: 337 Diller advertising services on Telegram; Source: DarkOwl Vision

Research from DarkOwl Vision indicates this vendor has been offering lookup services and fullz since at least 2021 both through Telegram and on popular darknet marketplaces and forums.

Figure 13: Mapping 337 Diller using data from DarkOwl Vision

"Podorozhnik" sells drawing services as a vendor on Styx market, where a user can get in touch with them through the chat feature provided on the site. In addition to their presence on Styx, they also offer their fake documents for sale through dedicated Telegram channels. Drawing services is a term used for forged documents and fake documents. "Podorozhnik" advertised their drawing services on the darknet site DarkMoney in 2021. No Telegram channels are linked directly on Styx market, but there are multiple public channels linked to "Podorozhnik" on Telegram. For example, they have a Telegram channel dedicated to reviews. These show communication between customers and "Podorozhnik" about successful verifications. A Telegram channel advertising "Podorozhnik" claims they had over 900 positive reviews on a popular Russian forum.

Figure 14: Mapping Podorozhnik using data from DarkOwl Vision

As each of the three vendors researched appears to have been present on darknet forums and marketplaces for years before joining Styx, they are more likely to be sophisticated and legitimate vendors. Vendor reviews are an integral part of establishing trust on darknet marketplaces and reassuring potential buyers of the legitimacy of the vendor. Two of the three vendors have reviews readily available for potential buyers to evaluate. These include Telegram channels dedicated to reviews. These reviews point to trust in the vendor. They have also embraced using Telegram for advertising products and services and as a support system for customers. Telegram continues to grow as a main avenue for buying and selling darknet-related goods. Some of the Telegram channels associated with Styx marketplace vendors were created as early as 2021, while others were created within the last year.

Final Thoughts

The products sold on Styx market are hacker and financial-crime oriented. The market caters to sophisticated cybercriminals. Vendors provide access to multiple online banking and e-commerce sites. Money laundering services are strict and only for those who can meet the dollar minimum. While money laundering is risky, hence the minimum for payments, vendors have been successful enough to continue offering the service. And despite the high cost, there appear to be customers who are willing to pay. Financial institutions and the banking sector will need to continue to be wary given the account identity authentication methods available for sale on Styx market. These include NFC Bins (NFC is what allows for contactless payment on cards) and vendors offering to set up funnel accounts, which can be used as a drop service to "drop" stolen financials. Much like cash out vendors, drop services are used for laundering illegally earned funds. For now, Styx market will provide a valuable outlet for cybercrime on the darknet as cybercriminals go after the online parts of banking and come up with new methods for money laundering.
