Hackers Leak Hacker Data in Swarmshop Breach

There’s no honor among cyberthieves. It seems the prospect of accessing new hacking tools and other valuable assets is just too lucrative for some hackers to respect their counterparts-in-crime, since for the second time in a little more than a year, user data – that’s hacker user data – from the Swarmshop card shop has been leaked online.

The hackers leaked the data from Swarmshop, known as “a mid-size ‘neighborhood’ store for stolen personal and payment records,” on another underground forum, according to researchers at Group-IB who discovered the leak. The database housed 12,344 records of card shop admins, sellers and buyers – including data like nicknames, contact information, activity history, hashed passwords and current balances. Because card shop users “do not store large amounts of money on their accounts and top up the balance to make payments if necessary,” Group-IB said the total deposited on all accounts was only a little over $18 million.

“Honor Among Thieves” is a Hollywood Myth

Chris Morales, CISO at Netenrich, said honor among thieves is “a Hollywood myth;” he added, “above and beyond the normal for-profit attack motive we most often focus on, ego is still very much a motive, too.”

Among the other information exposed was compromised data traded on Swarmshop, such as 623,036 payment card records from a wide assortment of banks in the U.S., Canada, the U.K., China and other countries, as well as 498 sets of credentials for online bank accounts. The database also leaked 69,592 sets of Social Security numbers and Canadian Insurance numbers.

Naveen Sunkavally, chief architect at Horizon3.ai, is more concerned about the proliferation of user credit card information, as well as online banking credentials, than hackers turning on their own. “Attackers can use these credentials against a variety of systems, rarely triggering any security events, because they look like legitimate users,” Sunkavally said. “In the end, regular users are the ones who lose the most.”

The origins of the breach are not clear, the researchers said, but noted that a review of the exposed records revealed that two of the card shop users “attempted to inject a malicious script searching for website vulnerabilities in the contact information field.” Still, they said it’s impossible to confirm if those two attempts are related to the breach.

What researchers do know about the incident is that “a newly registered user posted a link and a password to the database of the Swarmshop card shop on different forums,” prompting the card shop’s admins to argue that the data didn’t come from last year’s breach. They did recommend that Swarmshop users change their passwords after news of the breach broke. “A week after the post, Swarmshop users were redirected to an ‘under maintenance’ page when trying to log in,” Group-IB said. “At the same time, card shop users reported problems with their account balance.”

Hacking Other Hackers

That hackers would hack their peers is nothing new – Swarmshop records were leaked in an underground forum in January 2020. In that case, the user likely was motivated by revenge, Group-IB said. It’s possible that this latest breach also was motivated by revenge, the researchers suggested.

A successful hack of other hackers can yield a lucrative bounty. “What better way to gain access to new hacking tools, dumps, cards, personally identifiable information (PII) and other items of value than hacking the people that are stealing it in the first place,” said Tyler Shields, CMO at JupiterOne.

Card shops are rarely breached, and this incident will likely throw shade on Swarmshop’s reputation, at least for the time being, something that CISOs and cybersecurity pros at legitimate businesses likely can relate to. Whether it evokes a speck of empathy or just cold comfort, cybercriminals, as Shields said, “have trouble with security just like everyone else. It just goes to show you that cybersecurity is a difficult problem, no matter who you are.”

Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.
