Borrowing from the playbook of ransomware purveyors, the darknet narcotics bazaar Incognito Market has begun extorting all of its vendors and buyers, threatening to publish cryptocurrency transaction and chat records of users who refuse to pay a fee ranging from $100 to $20,000. The bold mass extortion attempt comes just days after Incognito Market administrators reportedly pulled an “exit scam” that left users unable to withdraw millions of dollars worth of funds from the platform.
An extortion message currently on the Incognito Market homepage.
In the past 24 hours, the homepage for the Incognito Market was updated to include a blackmail message from its owners, saying they will soon release purchase records of vendors who refuse to pay to keep the records confidential.
“We got one final little nasty surprise for y’all,” reads the message to Incognito Market users. “We have accumulated a list of private messages, transaction info and order details over the years. You’ll be surprised at the number of people that relied on our ‘auto-encrypt’ functionality. And by the way, your messages and transaction IDs were never actually deleted after the ‘expiry’….SURPRISE SURPRISE!!! Anyway, if anything were to leak to law enforcement, I guess nobody never slipped up.”
Incognito Market says it plans to publish the entire dump of 557,000 orders and 862,000 cryptocurrency transaction IDs at the end of May.
“Whether or not you and your customers’ info is on that list is totally up to you,” the Incognito administrators advised. “And yes, this is an extortion!!!!”
The extortion message includes a “Payment Status” page that lists the darknet market’s top vendors by their handles, saying at the top that “you can see which vendors care about their customers below.” The names in green supposedly correspond to users who have already opted to pay.
The “Payment Status” page set up by the Incognito Market extortionists.
We’ll be publishing the entire dump of 557k orders and 862k crypto transaction IDs at the end of May, whether or not you and your customers’ info is on that list is totally up to you. And yes, this is an extortion!!!!
Incognito Market said it plans to open up a “whitelist portal” for buyers to remove their transaction records “in a few weeks.”
The mass-extortion of Incognito Market users comes just days after a large number of users reported they were no longer able to withdraw funds from their buyer or seller accounts. The cryptocurrency-focused publication Cointelegraph.com reported Mar. 6 that Incognito was exit-scamming its users out of their bitcoins and Monero deposits.
CoinTelegraph notes that Incognito Market administrators initially lied about the situation, and blamed users’ difficulties in withdrawing funds on recent changes to Incognito’s withdrawal systems.
Incognito Market deals primarily in narcotics, so it’s likely many users are now worried about being outed as drug dealers. Creating a new account on Incognito Market presents one with an ad for 5 grams of heroin selling for $450.
New Incognito Market users are treated to an ad for $450 worth of heroin.
The double whammy now hitting Incognito Market users is somewhat akin to the double extortion techniques employed by many modern ransomware groups, wherein victim organizations are hacked, relieved of sensitive information and then presented with two separate ransom demands: One in exchange for a digital key needed to unlock infected systems, and another to secure a promise that any stolen data will not be published or sold, and will be destroyed.
Incognito Market has priced its extortion for vendors based on their status or “level” within the marketplace. Level 1 vendors can supposedly have their information removed by paying a $100 fee. However, larger “Level 5” vendors are asked to cough up $20,000 payments.
The past is replete with examples of similar darknet market exit scams, which tend to happen eventually to all darknet markets that aren’t seized and shut down by federal investigators, said Brett Johnson, a convicted and reformed cybercriminal who built the organized cybercrime community Shadowcrew many years ago.
“Shadowcrew was the precursor to today’s Darknet Markets and laid the foundation for the way modern cybercrime channels still operate today,” Johnson said. “The Truth of Darknet Markets? ALL of them are Exit Scams. The only question is whether law enforcement can shut down the market and arrest its operators before the exit scam takes place.”
A Florida teenager who served as a lackey for a cybercriminal group that specializes in cryptocurrency thefts was beaten and kidnapped last week by a rival cybercrime gang. The teen’s captives held guns to his head while forcing him to record a video message pleading with his crew to fork over a $200,000 ransom in exchange for his life. The youth is now reportedly cooperating with U.S. federal investigators, who are responding to an alarming number of reports of physical violence tied to certain online crime communities.
The grisly kidnapping video has been circulating on a number of Telegram chat channels dedicated to SIM-swapping — the practice of tricking or bribing mobile phone store employees into diverting a target’s phone number, text messages and calls to a device the attackers control.
The teen, known to the SIM-swapping community by the handle “Foreshadow,” appears to have served as a “holder” — a term used to describe a low-level member of any SIM-swapping group who agrees to carry out the riskiest and least rewarding role of the crime: Physically keeping and managing the various mobile devices and SIM cards that are used in SIM-swapping scams.
“Yo, Dan, please bro send the 200k,” Foreshadow said in the video, which was shot on Sept. 15 in the backseat of a moving car. Bleeding from a swollen mouth with two handguns pointed at his head, Foreshadow pleaded for his life. A still shot from that video is available here [Warning: the image is quite graphic].
“They’re going to kill me if you don’t,” Foreshadow continued, offering to get a job as a complicit mobile store employee or “plug” to help with future SIM-swaps. “I’ll pay you back. Just let me know what you need. I got you, for real. Any work for free. Whatever. However long you need me, too. I’ll apply to any store you need me to apply to. I can be a plug. I don’t care if I get caught by the cops or anything. I’ll get that money back for you. I used to do that work.”
It’s not clear where in the world the hostage video was recorded. But at one point in the video, the vehicle’s radio can be heard in the background mentioning WMIB, which is a hip-hop station in South Florida that serves both Ft. Lauderdale and Miami.
As Foreshadow’s hostage video began making the rounds on SIM-swapping Telegram channels, a rumor surfaced that Foreshadow had died after being shot in the leg. It soon emerged that Foreshadow had not died, and that he was cooperating with the Federal Bureau of Investigation (FBI). Members of the SIM-swapping community were then warned to delete any messages to or from Foreshadow. One of those messages read:
JUST IN: FORESHADOW IS NOT DEAD!!!!
HES CURRENTLY CO-OPERATING WITH THE FBI DUE TO HIM BEING KIDNAPPED AND AN ATTEMPT TO EXTORT HIM FOR 200K
IF YOU HAVE CHATS WITH HIM CLEAR THEM
Foreshadow appears to be a teenager from Florida whose first name is Justin. Foreshadow’s main Telegram account was converted from a user profile into a channel on Sept. 15 — the same day he was assaulted and kidnapped — and it is not currently responding to messages.
Foreshadow’s erstwhile boss Jarik told KrebsOnSecurity that the youth was indeed shot by his captors, and blamed the kidnapping on a rival SIM-swapper from Australia who was angry over getting shortchanged of the profits from a previous SIM-swapping escapade.
The FBI did not immediately respond to requests for comment.
Reached via Telegram, the alleged mastermind of the kidnapping — a SIM-swapper who uses the handle “Gus” — confirmed that he ordered the attack on Foreshadow because the holder had held back some of his stolen funds. In the same breath, Gus said Jarik was “gonna get done in next” for sharing Gus’ real name and address with KrebsOnSecurity.
“No1 cared about that nigga anyway, he snaked targs [targets] and flaunted it everywhere,” Gus said of Foreshadow. “I’ve been fucked over so many times I’ve lost millions. I am just a guy trying to make more money.”
Foreshadow’s experience is the latest example of a rapidly escalating cycle of physical violence that is taking hold of criminal SIM-swapping communities online. Earlier this month, KrebsOnSecurity detailed how multiple SIM-swapping Telegram channels are now replete with “violence-as-a-service” offerings, wherein denizens of the underground hire themselves out to perform various forms of physical violence — from slashing tires and throwing a brick through someone’s window, to conducting drive-by shootings, firebombings and home invasions.
On Aug. 12, 2022, 21-year-old Patrick McGovern-Allen of Egg Harbor Township, N.J. was arrested by the FBI and charged with stalking in connection with several of these violence-as-a-service jobs. Prosecutors say the defendant fired a handgun into a Pennsylvania home, and helped to torch another residence in the state with a Molotov Cocktail — all allegedly in service of a beef over stolen cryptocurrency.
Earlier this month, three men in the United Kingdom were arrested for attempting to assault a local man and steal his virtual currencies. The local man’s neighbor called the cops and said the three men were acting suspiciously and that one of them was wearing a police uniform. U.K. police stopped the three men allegedly fleeing the scene, and found a police uniform and weapons in the trunk of the car. All three defendants in that case were charged with “intent to cause loss to another to make an unwarranted demand of Crypto Currency from a person.”
Dina Temple-Raston and Sean Powers over at The Record recently interviewed several members of the SIM-swapping community about this escalation in violence. That story is also available on the Click Here podcast — Throwing Bricks for $$$: Violence-as-a-Service Comes of Age.
If the first few months of 2020 have taught us anything, it’s the importance of collaboration and partnership to tackle a common enemy. This is true of efforts to fight the current pandemic, and it’s also true of the fight against cybercrime. That’s why Trend Micro has, over the years, struck partnerships with various organizations that share a common goal of securing our connected world.
So when we heard that one of these partners, the non-profit Shadowserver Foundation, was in urgent need of financial help, we didn’t hesitate to step in. Our new $600,000 commitment over three years will help to support the vital work it does collecting and sharing global threat data for the next three years.
What is Shadowserver?
Founded in 2004, The Shadowserver Foundation is now one of the world’s leading resources for reporting vulnerabilities, threats and malicious activity. Their work has helped to pioneer a more collaborative approach among the international cybersecurity community, from vendors and academia to governments and law enforcement.
Today, its volunteers, 16 full-time staff and global infrastructure of sinkholes, honeypots and honeyclients help run 45 scans across 4 billion IPv4 addresses every single day. It also performs daily sandbox scans on 713,000 unique malware samples, to add to the 12 Petabytes of malware and threat intelligence already stored on its servers. Thousands of network owners, including 109 CSIRTS in 138 countries worldwide, rely on the resulting daily reports — which are available free of charge to help make the digital world a safer place.
A Global Effort
Trend Micro is a long-time partner of The Shadowserver Foundation. We automatically share new malware samples via its malware exchange program, with the end goal of improving protection for both Trend Micro customers and Shadowserver subscribers around the world. Not only that, but we regularly collaborate on global law enforcement-led investigations. Our vision and mission statements of working towards a more secure, connected world couldn’t be more closely aligned.
As COVID-19 has brutally illustrated, protecting one’s own backyard is not enough to tackle a global challenge. Instead, we need to reach out and build alliances to take on the threats and those behind them, wherever they are. These are even more pronounced at a time when remote working has dramatically expanded the corporate attack surface, and offered new opportunities for the black hats to prosper by taking advantage of distracted employees and stretched security teams.
The money Trend Micro has donated over the next three years will help the Shadowserver Foundation migrate to the new data center it urgently needs and support operational costs that combined will exceed $2 million in 2020. We wish the team well with their plans for this year.
It’s no exaggeration to say that our shared digital world is a safer place today because of their efforts, and we hope to continue to collaborate long into the future
The post Securing the Connected World with Support for The Shadowserver Foundation appeared first on .