Federal law enforcement agencies say they shut down a group of websites that made more than $19 million selling social security numbers and other personal data.
A Department of Justice press release announced yesterday “the seizure of the SSNDOB Marketplace, a series of websites that operated for years and were used to sell personal information, including names, dates of birth and social security numbers belonging to individuals in the United States.” SSNDOB apparently ran for about a decade, and the Justice Department said it listed the personal information of about 24 million US residents.
The announcement described how SSNDOB operated:
SSNDOB administrators created advertisements on darkweb criminal forums for marketplace services, provided customer support functions, and regularly monitored the activities of the websites, including monitoring when buyers deposited money into their accounts. Administrators also employed various techniques to protect their anonymity and prevent detection of their activities, including using online aliases other than their true identities, strategically maintaining servers in multiple countries, and requiring shoppers to use digital payment methods such as bitcoin.
The takedown operation was led by the IRS and FBI, with the agencies working in “close cooperation with law enforcement authorities in Cyprus and Latvia”. On Tuesday, “seizure orders were executed against the SSNDOB Marketplace domain names (ssndob.ws, ssndob.vip, ssndob.club and blackjob.biz), effectively shutting down the site’s operation,” the announcement said.
No arrests were announced, but the press release said the US plans to carry out the confiscation of assets while the investigation continues. The IRS said agents “will continue to work with the US and international law enforcement community to end these complex scams, regardless of where the money trail takes them.”
The seized domains appear to be part of the same operation detailed by security journalist Brian Krebs about nine years ago. In September 2013, Krebs wrote that SSNDOB “for the past two years has marketed itself on underground cybercrime forums as a reliable and accessible service that customers can use to look up SSNs, birthdays, and other personal data on any US resident.” Krebs was hit shortly after one of his articles on SSNDOB, which used the ssndob.ru domain at the time.
SSNDOB operators obtained their data in part by infiltrating LexisNexis, Dun & Bradstreet and Kroll Background America. Hackers used SSNDOB data to gain control of Xbox Live accounts held by some Microsoft employees, according to another Krebs report in 2013.
As security firm Sophos noted in a report on yesterday’s shutdown, “an SSN does not actively identify you,” but “knowing someone’s SSN (or the equivalent personal identifier in your country) is a good starting point if you are an identity thief, because it can often be combined with other personal information to pass identity checks.”
SSNDOB was big on bitcoin
Security firm Chainalysis, which markets “investigative software that connects cryptocurrency transactions to real-world entities,” wrote that “SSNDOB’s Bitcoin payment processing system has been active since April 2015” and “has received nearly $22 million in Bitcoin in over 100,000 transactions.”
“Perhaps most interesting of all is the activity we see between SSNDOB and Joker’s Stash, a large darknet marketplace focused on stolen credit card information and other PII that shut down in January 2021,” Chainalysis wrote. “Between December 2018 and June 2019, SSNDOB sent over $100,000 worth of Bitcoin to Joker’s Stash, suggesting the two markets may have some relationship with each other, including possibly shared ownership.”
Chainalysis also wrote that the SSNDOB shutdown is “the latest in a series of darknet market closures over the past year, partly because of the inherent transparency of blockchains.”