Latest Kaspersky research reveals cybercriminals posted more than 1 million messages mentioning escrow services on the darknet in 2020-2022. Escrow agents are third-party intermediaries involved in such deals to control the fulfillment of agreements and reduce the risks of cheating. They partner with cybercriminals who want to sell or buy data, services, or conclude a partnership - usually earning from three to 15 percent of the transaction. However, the deal can still fail for various reasons, including those related to escrow scams. How such business is done on the darknet is described in a new report by Kaspersky Digital Footprint Intelligence team.
Cybercriminals active on the darknet care about their own security, and do not want to become a victim of their “colleagues”. When closing any transaction, such as buying databases, accounts, initial corporate accesses, etc., they use intermediary services of escrow agents. It can be a human or an automatic system, developed to speed up and simplify relatively typical deals. For expensive or untypical cases, cybercriminals still engage a human intermediary.
Kaspersky Digital Footprint Intelligence team monitors the darknet to help companies track cybercriminal discussions and other types of activities to prevent incidents and mitigate risks related to data leaks. The experts found the number of messages mentioning the use of an escrow agent (or other terms such as “guarantor”, “middleman”, “intermediary”, etc., designated to the same services) has amounted to more than one million[1] from January 2020 to December 2022. These messages accounted for 14 percent of the total number of deal-related messages on various dark web resources. In fact, the share of deals with escrow services can be higher since cybercriminals often discuss detailed terms in person without specifying all the particulars in announcements and offers.
Figure 1. The total number of messages on shadow sites
mentioning escrow agents,
by quarter, from 2020 to 2022
“The number of messages mentioning escrow services surged in the second half of 2021, and coincided with the dynamics of cybercriminal activity in shadow Telegram channels in general. Members of the dark web community were increasingly transitioning there due to the compromise of several popular dark web forums in early 2021. In most of 2022, we saw a decline in activity on shadow resources in general. This may be a consequence of the escalated geopolitical situation, which motivated cybercriminals to cease their illegal activities and relocate using the accumulated money. Nevertheless, at the end of 2022, we have again seen growing escrow-related activity”, said Vera Kholopova, Security Services Analyst at Kaspersky.
Despite the rules of communication between cybercriminals on the forums and “dark web etiquette”, no escrow service protects against cheating. Apart from the cases when the buyer or seller changes their mind, one of the deal-breakers could be foul play. Both seller and buyer, as well as the escrow agent, can violate the deal arrangements, especially when it comes to large sums. With the help of Kaspersky Digital Footprint Intelligence, experts found a post accusing an official escrow agent of two shadow forums (including the popular one) of not paying a total of US$170,000 in four deals.
Since the dark web community becomes more complex and structured, developing self-regulation systems as it grows. For effective protection against cybercriminals it is worth understanding how it operates, how cybercriminals interact with each other, what kinds of deals there are, and how they are carried out. To read the full report about escrow services on the darknet, please visit Securelist.com.
To stay protected from the corporate threats emerging from darknet activities, Kaspersky researchers recommend implementing the following measures:
- Always keep software updated on all the devices you use to prevent attackers from infiltrating your network by exploiting vulnerabilities. Install patches for new vulnerabilities as soon as possible. Once it is downloaded, threat actors can no longer abuse the vulnerability.
- Use the latest Threat Intelligence information to stay aware of actual TTPs used by threat actors.
- Use Kaspersky Digital Footprint Intelligence to help security analysts explore an adversary’s view of their company resources, promptly discover the potential attack vectors available to them, or be aware about existed threats from cybercriminals in order to adjust their defenses accordingly or take counter and elimination measures timely.
- If you are faced with an incident, Kaspersky Incident Response service will help you respond and minimize the consequences, in particular – identify compromised nodes and protect the infrastructure from similar attacks in the future.
About Kaspersky
Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 240,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.
[1] The sample includes messages from international forums and marketplaces on the dark web, as well as from publicly available Telegram channels used by cybercriminals (a total of 226 forums and 489 channels).