
STYX Marketplace emerged in Dark Web focused on Financial Fraud


Resecurity has identified the newly launched STYX Marketplace which focuses primarily on financial fraud, money laundering, and identity theft. Some examples of the specific service offerings marketed on STYX include cash-out services, data dumps, SIM cards, DDOS, 2FA/SMS bypass, fake and stolen ID documents, banking malware and much more. Financial fraud is one of the key catalysts of the commercial cybercriminal ecosystem, enabling bad actors to profit from credential theft in the online banking and e-commerce sectors.




The marketplace opened sometime around January 19, 2023, but earlier mentions of its launch were noted by Resecurity analysts on the Dark Web in early 2022. Back then, the actors behind STYX Marketplace were building out the platform’s built-in escrow module, which enables the brokering of transactions between buyers and sellers of illicit cybercriminal products and services.




Once a new user registers and is granted access to the STYX marketplace, the registrant is greeted with a vast selection of services to browse through. STYX also offers a Trusted Sellers section, presumably where the admins of STYX have vetted reliable vendors, before whitelisting them. Some of the service descriptions are limited – the marketplace connects actors via Telegram contacts and various automated bots as a security measure.




Should the user wish to purchase any of the presented services, they must first fund their STYX wallet by transferring the amount specified by their chosen purchase in either Bitcoin (BTC), Ethereum (ETH), or Tether (USDT).





Tools to Bypass Anti-Fraud Filters

Resecurity analysts first noted mentions of STYX Marketplace in multiple Telegram groups that provide private access to tools frequently used for online-banking theft and fraud, such as anti-detects, device fingerprint emulators and spoofers.

Cybercriminals use such tools to bypass anti-fraud solutions and access compromised accounts. These fraud tools work by using granular digital identifiers like stolen cookie files, physical device data, and network settings to fool bank and e-commerce anti-fraud systems and impersonate legitimate customer logins.

One notable STYX Marketplace product is listed by “Enclave Service”, a reputable service on the Dark Web that provides tools for identity spoofing and anti-fraud bypass.




Notably, some of these tools have been re-designed and optimized for mobile devices. Previously, tooling was geared more towards PC-based user-spoofing tools like Vektor T13, Antidetect 4 Patreon, and others. Tools like Vektor T13 and others are particularly favored by the cybercriminal community due to their strong customer support and diligent software updates.

The bypass of banks’ existing customer authentication and fraud-prevention solutions requires special attention, which Resecurity will address in a separate research publication. In Q1 2023, Resecurity observed a significant spike in interest from bad actors seeking these tools, as well as the emergence of new fingerprint spoofing and anti-detect products on the Dark Web.



Compromised Payment and Personal Data for Sale

In the heart of STYX Marketplace, members can browse vendor listings for compromised online-banking, credit cards, cryptocurrency, e-commerce account credentials, as well as stolen credit card data. Bad actors are especially focusing on defrauding “digital banks” and VCC (virtual credit cards).




Besides payment data, threat actors are also monetizing stolen Personally Identifiable Information (PII). One reputable STYX Marketplace vendor focused on stolen PII is the “Fraud Store”.




“Fraud Store” provides an interactive Telegram bot that enables the automation of PII data sales.




Another credible STYX vendor is “Bearss”, a provider that specializes in selling large volumes of stolen social security numbers (SSNs) and ID-related data.




“Bearss” features stolen SSN and ID data for victims in the U.S., Canada, the Netherlands, the U.K., and other countries.




Beyond stolen PII, Bearss also sells stolen business data. Typically, this information is exploited for tax fraud and other forms of business scams. One example of the latter is COVID-19 relief fraud, a theft bonanza that saw scammers potentially swindle over $100 billion from the U.S. government.




Threat actors capture exploitable business data via a variety of different intrusion vectors. Favored data theft channels involve the hacking of web resources that process business loan data, phishing attacks targeting CPAs, social engineering, and other scams.





Underground Lookup Services

Resecurity analysts also identified multiple “checking services,” which allow threat actors to collect data about a targeted individual. Typically, these resources are used by actors as victim reconnaissance tools to enhance their odds of successfully compromising their bank or credit card accounts.




“Kraken” is one notable lookup service that has been listed on STYX Marketplace virtually since the platform launched.




The service is accessible via Telegram and enables users to search by a targeted victim’s driver’s license (DL) or SSN. Kraken also provides the extraction of Credit Reports, both on individuals and organizations. Typically, the fraudsters use compromised or purchased access via a reputable credit bureau’s third party and exploit their services for illegal purposes. Data sold by Kraken and similar vendors helps fraudsters to pass various verifications and authenticate a victim’s identity when committing fraud.




The scope of cybercriminal lookup services is not limited exclusively to PII data based on ID, DL or SSN. For example, “NZI Lookup” enables fraudsters to extract banking statements. Bank statements can help threat actors simulate a victim’s established financial behavior, before committing actual theft. Instead of logging directly into a compromised online-banking account, threat actors can leverage compromised credentials exchanged via third-party fintech SaaS solutions like Plaid, Yodlee, Finicity, which are widely used in the financial industry.




Prices for Kraken’s services start at $20 (per account check), with possible discounts for bulk orders.



Fake IDs and “Drawing” Services

Another significant product offering on STYX is fake IDs and document forgery. With over 900 positive reviews listed on other cybercriminal websites and markets, “Podorozhnik” is one of the most credible vendors operating on STYX. His services are widely used by Dark Web actors to pass selfie and ID verifications required by digital banks, cryptocurrency platforms, and e-commerce systems.




Beyond the U.S. market, Podorozhnik serves threat actors targeting victims in over 65 other countries. This threat actor has been operating in the cybercriminal ecosystem for over 2 years.




Podorozhnik shares samples of his work on his Telegram channel. The threat actor provides examples of various documents, starting with passports, SSN cards, banking statements and credit cards. Illustrating the high quality of Podorozhnik’s work are fake documents he has shared in the name of David Beckham and Joseph Biden.




The service is delivered manually, but the end product is exceptionally high-quality. According to this threat actor, his clients were able to bypass automated Know Your Customer (KYC) checks conducted by some of the most specialized fraud prevention vendors used by major payment systems and online-marketplaces. These services scan the documents to recognize the key fields (lastname, firstname, DOB, etc.) to compare with the original identifying information submitted by users.

Another notable vendor offering services similar to the above is “AnyDocs.” This provider also offers additional document types not supported by Podorozhnik.




One particularly well-crafted AnyDocs offering is the generation of driving license bar codes in PDF417 (Portable Data File) format. This credential validator is rendered in a 2D, stacked linear barcode format used in a variety of applications, including transport, ID cards and inventory management.





Telephone and E-Mail Flood – Fraud-as-a-Service

Vendors who provide telephone and e-mail flood services represent another noteworthy STYX Market seller category. These services are extremely useful when the victim’s bank account has been already compromised and the fraudster needs to block the account owner from any contact with the institution’s anti-fraud team. In exploitation scenarios, this compliance unit may call a victim to confirm suspicious account activity or send a text message or email.

To prevent that customer interaction from taking place, fraudsters use flooding services to inundate a victim’s phone and email accounts with a high volume of calls and messages, which can drown out bank communications.




HubExpert is one reputable vendor who specializes in account flooding. According to the vendor’s service offering, HubExpert’s operators are continuously working to improve the fraud tool’s delivery mechanisms.




The service supports flooding with calls, SMS and e-mails.




An hour of flooding starts at $4, with the price varying by the number of communication channels specified by buyers. 24 hours of multi-threaded flooding is priced at around $150.




The service also offers a flexible API, enabling the automation of follow-on attacks.




E-mail flood prices are cheaper, with an hour costing roughly $12. “Flood Studio” is a high-credibility vendor that solicits e-mail flooding services.




Once an order is placed, the victim will receive multiple e-mail notifications primarily coming from third-party online services. Threat actors deploy a mass-registration engine that enables them to generate a large number of accounts, each of which triggers further alerts about activation. That is why such e-mails typically go through spam filters.
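A mailbox-side check for the flooding pattern described above, as an added example that is not part of the original report: it finds bursts of sign-up and activation mail from many distinct sender domains and re-surfaces messages from a trusted institution that arrived inside the burst. The subject keywords, thresholds, log format and `.example` domains are assumptions, and the mailbox is constructed sample data.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Assumed subject keywords for sign-up / activation mail; tune per mailbox.
SIGNUP_RE = re.compile(r"\b(confirm|verify|activate|welcome|subscri|registration)", re.I)
WINDOW = timedelta(minutes=10)  # assumed sliding-window length
MIN_DOMAINS = 8                 # assumed: distinct sender domains per window


def parse(line):
    """Parse 'ISO-timestamp<TAB>sender<TAB>subject' into a dict."""
    ts, sender, subject = line.split("\t", 2)
    return {"ts": datetime.fromisoformat(ts),
            "domain": sender.rsplit("@", 1)[-1].lower(),
            "subject": subject}


def find_floods(messages):
    """Return merged (start, end) intervals in which sign-up mail from at
    least MIN_DOMAINS distinct sender domains arrived within WINDOW."""
    signup = sorted((m for m in messages if SIGNUP_RE.search(m["subject"])),
                    key=lambda m: m["ts"])
    window, floods = deque(), []
    for m in signup:
        window.append(m)
        while m["ts"] - window[0]["ts"] > WINDOW:
            window.popleft()
        if len({w["domain"] for w in window}) >= MIN_DOMAINS:
            start, end = window[0]["ts"], m["ts"]
            if floods and start <= floods[-1][1]:
                floods[-1] = (floods[-1][0], end)  # extend overlapping interval
            else:
                floods.append((start, end))
    return floods


def buried_alerts(messages, floods, trusted_domains, grace=timedelta(minutes=30)):
    """Messages from trusted domains that arrived during a flood or within
    `grace` after it: the ones the flood is meant to drown out."""
    hits = []
    for m in messages:
        if m["domain"] not in trusted_domains:
            continue
        if any(start <= m["ts"] <= end + grace for start, end in floods):
            hits.append(m)
    return hits


def sample_mailbox():
    """Constructed sample: one normal message, 12 sign-up mails in under
    five minutes, and one bank alert in the middle of the burst."""
    base = datetime(2023, 4, 1, 14, 0, 0)
    lines = [f"{(base - timedelta(hours=3)).isoformat()}\t"
             "news@shop.example\tYour weekly digest"]
    for i in range(12):
        ts = base + timedelta(seconds=25 * i)
        lines.append(f"{ts.isoformat()}\tnoreply@service{i}.example\t"
                     "Please confirm your registration")
    lines.append(f"{(base + timedelta(minutes=2)).isoformat()}\t"
                 "alerts@bank.example\tSuspicious activity on your account")
    return [parse(line) for line in lines]


if __name__ == "__main__":
    mailbox = sample_mailbox()
    floods = find_floods(mailbox)
    for start, end in floods:
        print(f"flood: {start} -> {end}")
    for m in buried_alerts(mailbox, floods, {"bank.example"}):
        print(f"re-surface: {m['ts']} {m['domain']} {m['subject']}")
```

Because the individual messages come from legitimate services, the signal is the burst across many unrelated senders rather than the content of any single e-mail.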





Money Laundering – the Catalyst of Shadow Economy




One of the central pieces of STYX Marketplace is money laundering. Resecurity identified multiple underground vendors providing cash-out services from stolen VCC, banking, e-commerce and cryptocurrency exchange accounts.




“Verta” is one such vendor who specializes in processing funds stolen via Business Email Compromise (BEC) scams and other fraudulent transfers. This threat actor also charges a relatively high 50% commission for their cash-out services. The Verta service is accessible via Telegram and Jabber, following the initial vetting of cybercriminal customers. This vetting includes information about threat actors’ sources of stolen funds.

The minimum amount of funds Verta will process starts at $15,000 (for personal accounts) and $75,000 (for business). Typically, cybercriminal cash-out providers eschew processing lower transaction amounts because they do not justify their risk.

Notably, the commission on processing stolen funds from VCC is significantly higher compared to ACH/WIRE transfers. For example, the reputable underground vendor, “Chponk Family”, takes up to 80%. Less reputable vendors perform this service for 60%.




Another STYX Marketplace cash-out provider is “ZelleCash”. This vendor offers a broad coverage of VCC cash-outs and charges up to 83% commission.




Originally, this service established its credibility on the Dark Web by successfully processing funds stolen from Zelle accounts, charging 55% next-day payout.




In response to heightened Zelle fraud, the Federal Reserve has proposed new anti-fraud tools to enhance consumer protection.

Resecurity also identified a group of trending cash-out vendors that charge commissions based on the exact BIN of the card and brand of gift card. The commission spread depends on the popularity of the service/bank and the complexity of the cash-out process, including the tactics the launderers will have to deploy to successfully circumvent a payment platform’s anti-fraud filters.




Some of these threat actors use more sophisticated techniques, including their own merchant terminal and NFC-enabled processing systems.




“Slava044” aka “egg_nfc” is one of the more sophisticated cash-out vendors identified by Resecurity. While relatively new to STYX Marketplace, they have long established their credibility as a cash-out provider in various cybercriminal communities.




This threat actor’s services support multiple geographies, including the Middle East, and the European Union (EU).




Translation

The best cash-out service of your material with OTP from Egg NFC
- Instant withdrawal and payout

Cash-out in EU & USA

NFC POS – 60-65%
NFC MERCHANT – 50-55%
NO LINK – 30-40%

We accept:
Credit Cards US | EU
- NFC ENROLL
- CC with intercepted OTP
- Material from call-centers
- CC/VCC from phishing
- Any other similar material

Priority geographies:
- Switzerland
- Denmark
- Belgium
- UAE
- Austria
- other EU-based countries

- We will provide the best percentage for volume
- Fast withdrawal and payout
- Payout withdrawal reporting
- Permanently online




This type of fraud has become more popular due to increased support for NFC and greater availability/adoption of applications that store payment data for contactless payments.

“Parlamenter VCC” is another reputable cash-out vendor with listings on STYX Marketplace. This threat actor differentiates themselves by specializing in cashing-out stolen funds from Apple Pay (with POS terminal) and other U.S.-based online merchants.




Parlamenter VCC service offerings cover cash-out processing for North American markets, in addition to merchant accounts registered by fraudsters in the UAE, EU, and Kazakhstan.

Another notable STYX Marketplace cash-out vendor is “Wonderland service”. This threat actor charges 50% commission on the amount of funds laundered via financial institutions based in UAE. As one of the options for receiving payments, the actors offer Apple Pay.




Around March 28, this threat actor started to offer cash-out via their own “reliable USA-based merchant”. Resecurity assesses that Wonderland threat actors opened fraudulent merchant accounts, posing as legitimate businesses with viable revenues. This type of scheme may only work for a certain period of time, typically shuttering when the acquiring bank contacts the merchant customer about high numbers of chargeback complaints. The solution is designed to receive stolen funds from compromised credit cards via a merchant account registered to a 'money mule' based in the U.S.

 



In the post above, the Wonderland vendor states that they can also assist with cashing out funds of a “different nature”, while maintaining “confidentiality” in Kazakhstan. The actors are able to receive funds based on credit card number or via banking transfer in EUR, USD and other currencies.




Wonderland service also has a wide international network of 'money mules' and offers cash-outs in EU countries like Poland, Slovakia, Czechia, Germany, Romania and Bulgaria.




Another significant category of STYX Marketplace money-laundering service providers offer newly registered banking accounts and credit cards. These offerings are in high demand on the Dark Web and are widely used by cybercriminals to launder stolen funds or funnel them via vast networks of money mules. KYC and fraud prevention teams have a difficult time identifying these ‘funnel’ accounts because customer activity and value transfer often mirrors legitimate user behavior, with non-suspicious transaction indicators.

“Zen Crew” is one reputable STYX vendor that specializes in the sale of funnel accounts. This threat actor has been operating since August 2021, with a presence on Telegram and multiple carding communities favored by experienced cybercriminals.




Using a diffuse network of money mules, Zen Crew provides account opening services at various financial institutions (FIs) in the U.S., the UK and Canada. Notably, once the account and card have been issued, they provide an option to physically ship the latter to the buyer. But in some cases, buyers do not even require a debit or credit card, as a photo of the card and remote use of the account will often be enough to effectively facilitate illicit transactions and cash-outs.




Zen Crew offers different prices, based on the FI or service specified by threat actors for account opening. Beyond consumer accounts, Zen Crew can also register PayPal Business accounts with merchant terminals, thus enabling buyers to process fraudulent credit and debit card transactions.




Some actors refer to Zen Crew’s offerings as a “drop service” (meaning, those accounts will be used as accounts on which they will “drop” stolen funds). Resecurity identified multiple STYX Marketplace listings for verified accounts, which can similarly be used as drops.

Nevertheless, such accounts may have to be verified with the ‘real’ accountholder’s identity. As such, buyers exploiting them may be limited to cash-outs only. In these cases, accounts are exploited for money laundering (for example, when receiving and distributing stolen funds). Notably, the price of such an account varies by the FI and the geography where the FI is based.




Resecurity also identified listings for verified VCC drop accounts.




For buyers to operate VCC drops, vendors must supply them with an e-sim or virtual number access.




The prevalence of these listings on cybercriminal marketplaces remains a big challenge for bank fraud-prevention and KYC teams. It is not possible to effectively prevent fraud of this nature without prior knowledge about account owners facilitating this activity or actionable intelligence regarding the underground services selling them.

Resecurity collected intelligence on multiple illicit funnel accounts being offered for sale on the Dark Web. This threat intelligence enabled several major FIs in the U.S. and abroad to detect similarities in account openings, transaction anomalies, and mailing addresses used by fraudsters. This intelligence also helped FIs map out the network of ATMs frequently used by the ‘money mule’ rings co-opted by fraud leaders. The timely exchange of this information can help banks better detect threat actors exploiting VCC accounts for money laundering and other fraudulent purposes.
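One way a fraud team could look for the similarities in account openings and mailing addresses mentioned above, shown as an added example that is not from the original report: new-account applications are linked whenever they share a normalized mailing address or contact number, and linked groups opened under several different names are flagged for review. The record fields, the normalization rules, the `min_size` threshold and the sample applications are all assumptions and constructed data.

```python
import re
from collections import defaultdict

# Assumed abbreviation table so differently written addresses compare equal.
ABBREV = {"street": "st", "avenue": "ave", "apartment": "apt", "suite": "ste",
          "road": "rd", "north": "n", "south": "s", "east": "e", "west": "w"}


def norm_address(addr):
    """Lower-case, drop punctuation, collapse common street abbreviations."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", addr.lower()).split()
    return " ".join(ABBREV.get(t, t) for t in tokens)


def norm_phone(phone):
    """Keep the last 10 digits so '+1 (202) ...' and '202-...' match."""
    return re.sub(r"\D", "", phone)[-10:]


class DisjointSet:
    """Union-find, so links are transitive (A~B by address, B~C by phone)."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def cluster_openings(apps, min_size=3):
    """Return sorted lists of application ids that are linked by a shared
    address or phone and were opened under >= min_size distinct names."""
    ds, first_seen = DisjointSet(), {}
    for app in apps:
        ds.find(app["id"])
        keys = (("addr", norm_address(app["address"])),
                ("phone", norm_phone(app["phone"])))
        for key in keys:
            if not key[1]:          # never link on a missing value
                continue
            if key in first_seen:
                ds.union(app["id"], first_seen[key])
            else:
                first_seen[key] = app["id"]
    groups = defaultdict(list)
    for app in apps:
        groups[ds.find(app["id"])].append(app)
    flagged = []
    for members in groups.values():
        names = {m["name"].strip().lower() for m in members}
        if len(members) >= min_size and len(names) >= min_size:
            flagged.append(sorted(m["id"] for m in members))
    return sorted(flagged)


# Constructed sample applications (fictional names, addresses and numbers).
SAMPLE = [
    {"id": "A1", "name": "Alice Moore", "address": "12 North Main Street, Apt 4",
     "phone": "202-555-0110"},
    {"id": "A2", "name": "Brian Holt", "address": "12 N. Main St. Apt 4",
     "phone": "+1 (202) 555-0143"},
    {"id": "A3", "name": "Carla Diaz", "address": "98 Oak Road",
     "phone": "202-555-0143"},
    {"id": "A4", "name": "Dev Patel", "address": "7 Pine Avenue",
     "phone": "202-555-0177"},
    {"id": "A5", "name": "Erin Shaw", "address": "31 Lake Street", "phone": ""},
    {"id": "A6", "name": "Erin Shaw", "address": "31 Lake St", "phone": ""},
]

if __name__ == "__main__":
    for group in cluster_openings(SAMPLE):
        print("review cluster:", ", ".join(group))
```

A3 shares no address with A1 and is flagged only because it reuses A2's contact number, which is the kind of indirect link that per-application checks miss.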



Manuals and Tutorials

STYX Marketplace also offers a trove of tutorials for cybercrime and fraud. The review of some of these guides may be helpful for cybersecurity awareness and risk management. The tutorials cover the process of opening new accounts in digital banks and e-commerce systems, committing tax fraud and using ChatGPT for malicious purposes.




Significance

- STYX Marketplace is a leading example of emerging cybercriminal platforms that service financially-motivated threat actors involved in online-bank theft and other fraudulent activities. The launch of this Dark Web marketplace confirms that this threat-actor category remains highly active and is poised for significant growth.

- The majority of STYX Marketplace vendors specialize in fraud and money laundering services targeting popular digital banking platforms, online-marketplaces, e-commerce and other payment applications. The geographies targeted by these threat actors are global, spanning the U.S., EU, UK, Canada, Australia and multiple countries in APAC and the Middle East.

- Money laundering services (advertised at STYX and other marketplaces) started to support new jurisdictions, including the Middle East, which was previously not widely visible in cybercriminal service listings. With the mass-adoption of digital banking and e-commerce, financial institutions in the Middle East are bound to face the same KYC and fraud problems as organizations in North America, EU and the UK. As such, the tracking of ‘money mules’ needs to become a core component of financial crime risk management at every FI.

- The banking sector remains vulnerable to threats related to identity authentication. Cybercriminals are leveraging weaknesses in the KYC verification process, while also leveraging new tactics to plant money mules in FIs to facilitate cash-outs and other laundering services.
