Sophos discovers fake criminal marketplaces that scam scammers

In addition to the surface website it discovered last year, cybersecurity solutions company Sophos revealed that it uncovered 20 fake marketplaces that scammers use to scam fellow scammers.

In its series of reports, “The Scammers Who Scam Scammers on Cybercrime Forums,” Sophos said the fake sites may have been operating since August 2021 using the handle “waltcranston,” a reference to the American TV series “Breaking Bad.” Sophos examined about 600 scams of varying types.

“Out of all the scams investigated, this operation stood out for its sheer scope and intricacy,” said Matt Wixey, senior threat researcher, Sophos. “The scammer advertises the fake marketplaces on Reddit and replicates not just Genesis, which was the first scam site we ran across, but numerous other prominent or defunct marketplaces, such as Benumb, UniCC, and PoisOn.”

Sophos said the scam operation has been highly successful even if the sites are not sophisticated at a technical level.

“In fact, seven of these fake sites are still active, and, to date, the cryptocurrency wallets associated with the scams have received at least $132,000,” Wixey said.

Dark web

All 20 of the fake sites followed a similar scheme. Criminals were offered a chance to activate an account on the fraudulent version of a dark web marketplace with $100. The criminals expected their $100 would be deposited in either Bitcoin or Monero, and they would receive activation credentials. Once the criminals paid, their account would never activate.

According to Sophos, one common denominator among the 20 fake sites was a link to a website called darknet[.]markets — a site that lists dark web criminal marketplaces for visitors interested in drug sales, carding, and cryptocurrency exchanges. This site ultimately led Sophos to a criminal forum called Café Dread — and a user going by the name of waltcranston.

“While we can’t be 100% certain that those behind the handle ‘waltcranston’ are the culprit, there is strong circumstantial evidence. The entire operation and our investigation is an example of how much rich intelligence there is about cybercriminals hidden in these scams against other scammers, which the security community can leverage to help develop stronger defenses,” said Wixey.