For law-abiding cryptocurrency users, getting verified to trade on an exchange is a painstaking process. They must give out a wealth of personal data, including their home addresses, scans of government-issued ID, and photo or video selfies. For criminals, it’s easier. They can pay as little as $150 on the black market for a ready-to-use, […]
For law-abiding cryptocurrency users, getting verified to trade on an exchange is a painstaking process. They must give out a wealth of personal data, including their home addresses, scans of government-issued ID, and photo or video selfies.
For criminals, it’s easier. They can pay as little as $150 on the black market for a ready-to-use, verified account in someone else’s name at Coinbase Pro, Binance US, Kraken or numerous other exchanges, a CoinDesk investigation found.
To be clear: “verified” in this context does not mean legitimate. Underground vendors create these accounts with other people’s identities or under made-up names, tricking the exchanges into verifying them as valid users. They then advertise these verified accounts for sale on internet forums and on Telegram.
Besides crypto exchanges, the vendors also offer fraudulently created accounts for use with mainstream payment providers such as Square’s Cash App and Transferwise.
“We are producing from 1,500 to 2,000 synthetic verified accounts each month,” an operator of one such service told CoinDesk in an interview via the Telegram messaging app.
This service has multiple employees and even “departments” within the business, said the person, who refused to give a name. And it has no shortage of competitors, CoinDesk’s investigation found.
A CoinDesk reporter reviewed a sample of crypto and payment accounts that had been purchased from several black-market vendors. The exercise revealed these vendors are, in many cases, trafficking in sensitive information about people who likely have no idea their names are on the accounts.
It also showed how people who, for whatever reason, don’t want to expose their real identities or fear they wouldn’t be approved for an account can skirt the industry’s customer-vetting processes – at least, up to a point.
While it’s difficult to gauge the size of this market – criminals don’t typically publicize their revenue, after all – it appears to be flourishing.
“We’ve observed a staggering amount of threat actors advertising and brokering fraudulent accounts for both crypto exchanges and payment services,” said Andrew Gunn, senior threat intelligence analyst at ZeroFox, a cybersecurity firm based in Baltimore.
Over the past 12 months, ZeroFox found over one million posts on forums and Telegram messaging-app groups advertising accounts for sale, Gunn said.
The fact that you can buy a fake digital identity for around $200 raises fresh questions about the effectiveness of “know your customer” (KYC) policies implemented by crypto businesses around the world. While everyday users often have to submit the same information multiple times for reverification and wait for weeks or months to withdraw their money (even Martha Stewart reportedly waited two weeks to get verified), bad actors can sneak in easily.
In plain sight
Black markets thrive both on the so-called dark web, which is accessible through the anonymizing Tor browser, and on the clear web or surface web – the part of the internet most of us browse every day.
Here, in plain sight, are live forums populated by professional hackers, scammers of all sorts and sellers of illegal goods. To name some, Russian-speaking forums such as Ver.sc (short for “Verified”) and CCCC.sb are focused on illegal identity-related services such as “carding” (trafficking in stolen or counterfeit credit card numbers).
On these platforms, one can easily find for sale accounts for use on a diverse range of crypto exchanges and payment services, from peer-to-peer trading platform Localbitcoins to professional trading venue Coinbase Pro to mainstream payment services CashApp, Transferwise and Revolut.
Prices, ranging from $150 to $500, are disclosed to a prospective buyer in a personal chat or posted on a price list like the one on this web page. To buy an account, one needs to get in touch with a vendor (often via Telegram), pay in crypto (usually bitcoin) and get the requested account data.
Sometimes the accounts originally were registered by legitimate customers and have been hijacked by hackers. (For a buyer of such an account, there is always the risk that its actual owner will notice something weird is going on and flag it to the platform administrator.) Sometimes vendors create accounts from scratch using stolen or fake data. Sometimes users register accounts in their own names and then turn them over to vendors to sell.
According to posts on the forums and conversations with some of the vendors, they go through the exchanges’ verification process to open accounts, and control the accounts until they are sold. People whose information is used for registering with the services might not even know the accounts exist.
On the same forums where some vendors offer these fraudulent accounts, others look to hire “drops,” or individuals willing to lend their identities for account registration. Meanwhile, people willing to fill this role search for “job postings.” There are also multiple offerings of counterfeit IDs.
Lend me your face
The job of a drop is well explained by a recent dialogue on the CCCC.sb forum (the posts are translated from Russian).
“Looking for a job as a money launderer. Send offers to my DM,” one user wrote in July.
“Of a drop,” corrected another user in a reply before describing the role: “Only your face is needed. To pass video verification via WhatsApp. From 1,500 to 2,000 rubles [$20-$28] for a pass, you can do several passes a day.”
“The task is to pass verification on an exchange in real time. You can use your passport/driver’s license/foreign passport. Also gonna need to take a selfie. You get 500 rubles [around $7], after the successful verification,” says another post on the Bhf.im forum, adding that a “job seeker” will just need to give a full name and date of birth and then click on a link. The poster used a photo of the rapper Lil’ Pump as their profile picture.
More often, vendors do not advertise exact prices for such services in the postings but convey them one-on-one via chat.
Some vendors act as middlemen, offering to connect users with drops, much as a ridesharing app matches passengers with drivers. One ad boasts that the drops are available to work at any time.
But sometimes you don’t even need anyone’s real personal data to verify an account, the vendor who spoke to CoinDesk said: You can make things up.
“It’s a vulnerability KYC systems have. If you know how to generate [synthetic] data, you use it. KYC systems are not a customs checkpoint with a shared database and verified information about any potential user,” they said.
The ‘fullz’
Buyers can buy accounts registered under whatever names vendors have in hand or order custom accounts based on personal data (“fullz”) they themselves, by whatever means, have obtained.
Some vendors promise they will do all the necessary research on the real people whose data is being used, including credit and background checks.
If nothing works, they stand ready to search for people with the same names, even when a person whose name is being used is older than 90, vendors say in advertising posts.
“Working with us means we’ll do our best to verify accounts: selecting a model of suitable age, searching for namesakes and trying to achieve results,” one vendor wrote in a Telegram post illustrated with a cheeky meme.
In another post, the vendor describes software that allows the creation of fake selfies, including video.
“We do live selfies. 3D biometric is possible for us. take photos with id cards. print any docs. we can be anyone you need,” the same vendor advertised on the paid forum Ver.sc.
Some of these vendors just post from time to time that they have a good account for sale or are looking to buy some. Others run regular shops, with dedicated teams and customer support done via Telegram. Their posts are followed by testimonials from satisfied customers.
The sample
CoinDesk reviewed a sample of accounts at exchanges Binance US, Coinbase Pro and Kraken and payment services Cash App and Wirex that were available for purchase on the black market. The accounts had been put up for sale by several different vendors. The prices of these accounts ranged from $170 to $250, all paid in bitcoin.
Along with login credentials, these accounts came with private data of the purported account owners, all of whom appeared to be genuine U.S. or European Union residents. The data included dates of birth, street addresses and, in the case of the U.S. residents, Social Security numbers.
Most of the accounts came with instructions for using a virtual private network (VPN) to disguise an IP address so an exchange would think a user was logging in from, say, Miami instead of Moscow. In some cases, vendors included credentials for a Gmail account (with Google Voice phone number), presumably for multi-factor authentication (MFA) when logging into the financial service – and a recovery email address in case Google asks for verification, too.
After reviewing the accounts, CoinDesk contacted the crypto exchanges and payment services to check their authenticity. None of the companies would say whether the accounts were genuine, explaining they can’t comment on individual accounts.
Binance US sent CoinDesk an email signed by “Binance U.S. PR,” saying the company “believes this to be a fake account.” The exchange did not respond to a follow-up question asking whether by “fake” the representative meant it was nonexistent or fraudulently created.
CoinDesk searched online databases such as Spokeo, SearchPeopleFree and ClustrMaps and found four people whose names, years of birth and cities matched those on the black-market accounts. Two of those people had matching street addresses as well.
Attempts to contact these and other individuals whose names were on the reviewed accounts by phone, email and social media were unsuccessful, and CoinDesk has mailed them letters to alert them their data is potentially being abused.
We also called the phone numbers used to register the accounts – all of them except one turned out to be Google Voice numbers, meaning they are virtual numbers generated by Google. Users can register virtual phone numbers without getting contracts with a mobile provider. This has made Google Voice numbers a handy tool for scammers.
The email addresses associated with the accounts did not match the names under which the accounts were registered, and instead contained random-seeming combinations of names and numbers.
Made to order
“It’s quite hard to evaluate the total volume of this market, as we are probably the only public example of such a business with departments and streamlined processes,” the vendor who spoke to CoinDesk said.
“Our colleagues who are running similar businesses are either running very small enterprises or selling accounts of real people, who are either going through some hard times or have been deceived,” they added.
But ZeroFox’s Gunn said the market for these accounts for sale is vast, with some Telegram channels counting thousands of members.
“The sheer amount of threat actors specializing in this has even driven prices down to very reasonable levels (anywhere from $50 to $300 per account, depending on the exchange or service in question),” Gunn said.
While Gunn’s research focuses on Eastern Europe, he said stolen, hacked or artificially created accounts at payment services or crypto exchanges are sold all over the world and advertised in multiple languages.
In addition to ready-to-use accounts, the black-market vendors offer “on-demand, almost a la carte services, based on customer needs,” Gunn said.
They can help their “clients” register fraudulent accounts by selling compromised personal data or “offering support during any step of the verification process,” including digital rendering of faces to pass photo and video verification, which major crypto exchanges often require.
‘Go here, click this’
ZeroFox identified at least one case when a group was hiring individuals on a freelance job platform to do account creation and verification, and then hand those accounts over, for as little as $5-$10 for each pass, Gunn said. The group was giving precise instructions to the people willing to do the job: “go here, click this, use this ID,” Gunn said.
Further investigation showed the group managed to create and sell “thousands of verified accounts” on a single platform, he said. Gunn would not name that platform.
Getting fraudulent accounts is a slam dunk for criminal groups, Gunn said. “These accounts are very easy to come by, relatively cheap and disposable, so in the criminal underground it’s very trivial to buy as many as you want. And if you lose one account you just buy another one,” he said.
For services, finding and shutting down fraudulent accounts can get extremely tricky, Gunn said.
“Some of these accounts are dormant until money moves through them, and if a real person verified them how would they know?” he said. “Security measures [implemented by the platforms] are pretty good, but there is always a way around.”
It’s unclear how long such accounts remain operational until a service notices something suspicious and shuts them down. The lifespan of an account depends on the way it’s being used, the black-market vendor told CoinDesk.
“We are providing an account that essentially looks no different from the one you or your friend would register. They are fully compliant with the KYC requirements, except they are fully synthetic,” the person said, adding that users’ own reckless behavior, rather than the quality of the account, can trigger exchanges’ fraud alerts.
Gunn agreed that it’s possible for the buyer of a synthetic account to fly under the radar. “If they took precautions to blend in with normal behavior (not exceeding transaction amounts, etc.), leveraged residential proxies matching the information and geolocation of the victim, to name a couple of items, the accounts might last indefinitely,” he said.
The trade in crypto exchange accounts is just a subset of a larger global black ID market. According to a 2020 report by the cybersecurity firm Digital Shadows, there are more than 15 billion credentials in the world for sale, and the most valuable are “bank and other financial accounts,” which sell for $70.91 each, on average. This is dwarfed only by the prices of domain administrator access to corporate systems, where the price tag can go up to $140,000, Digital Shadows said.
Apparently, illegal access to cryptocurrency services is valued somewhere in the middle, with some accounts sold for as high as $500 each.
Countermeasures
Some platforms CoinDesk contacted confirmed they were aware of the black market for their accounts.
“We have team members dedicated to monitoring the dark web for accounts stolen through malware or phishing, as well as ‘mule accounts,’ which are put up for sale as fronts for criminals to launder funds,” a spokesperson for Kraken told CoinDesk via email. “Depending on the situation, we can either restore the account back to the rightful owner or disable it with immediate effect and take appropriate action as necessary.”
At Coinbase, a threat intelligence team “monitors darknet markets and other cybercriminal forums,” the Nasdaq-listed exchange’s senior manager for communications, Jaclyn Sales, told CoinDesk.
“Like any other financial institution, Coinbase implements measures to protect accounts from fraudulent actors. For security reasons we do not disclose specifics of those measures, as we do not want to provide fraudsters with information that could be used to bypass those controls.”
Binance US’s press representative told CoinDesk via email that the company is closely watching how users are logging into their accounts each time they use them.
“Our risk management system collects a wide array of signals during account opening, subsequent logins and during each account interaction, and we monitor these signals to identify potentially high-risk accounts or related activity and prevent malicious behavior,” the spokesperson told CoinDesk.
A CashApp spokesperson said the company is also monitoring users’ behavior to detect potential fraud.”In addition to our standard customer information and verification programs, we use various behavioral signals, information provided by our customers and various vendors, as well as transactional patterns to analyze and detect when accounts may be suspicious for various bad activity, including fraud and identity theft,” the company said in a written statement to CoinDesk.
Gunn’s firm ZeroFox is helping payment app company Wirex to “track and take down impersonations of Wirex, and those malicious actors claiming to sell Wirex accounts on the dark web,” Wirex Communications Manager Lottie Wells told CoinDesk via email.
The offerings, according to her, are abundant.
“Between the beginning of June and [September], we have monitored nearly 400,000 links, accounts and posts, we identified and remediated (blocked, took down, deleted, etc.) over 1,500 pieces of content. In fact, 32% of this was specifically from the dark web,” Wells said.
To prevent fraud, Wirex employs “a range of compliance, tech and security measures,” depending “on the risk profile of a user, the nature of transactions and our third-party partners who support us on evaluating external conditions,” Wells said.
“We also work closely with regulators to mitigate account takeover risks, and report them where necessary,” she added. “Any customer accounts that may be compromised are quickly blocked and protected, while our customer support team works with our customers to protect their accounts.”
CoinDesk also asked cryptocurrency exchange Huobi as well as payment services Transferwise and Revolut, for comment. All of them are mentioned in the ads posted by fraudulent-account vendors.
TransferWise spokesperson Chris Monteiro said that the company works with law enforcement “to help prevent further illegal activity” when it learns about “specific organized fraud cases.”
“For our customers, if they feel they have been a victim of fraud they should report it to the police immediately, and we encourage them to get in touch with us straight away,” Monteiro added.
Huobi declined to comment. Revolut did not respond by press time.
Bitter pill
The target audience for these accounts for sale are people involved in other criminal activities, Gunn said.
“Threat actors that are purchasing the created and verified accounts are leveraging them for whatever criminal activity they do, whether it’s a carding operation or selling malware or gift card scam,” he said. “This is one part of the process that helps them to stay anonymous rather than having crypto accounts on their names on those exchanges.”
The vendor who spoke to CoinDesk used more delicate language, saying users avail themselves of its services to avoid “taxation risks.”
As law enforcement agencies around the world adopt blockchain-sleuthing software, it makes even more sense for criminals to cover their tracks by buying and selling crypto through accounts registered in others’ names, Gunn said.
Sergey Mendeleev, founder of Estonia-registered crypto exchange Garantex and CEO of investment platform InDeFi, explained to CoinDesk how these “mule” accounts might be used to obscure the connection between crypto and its actual owner.
“If you buy monero for fiat, then withdraw it and then deposit via another account, you can sell it for bitcoin and get clean, exchange-originated bitcoin, not connected to the previous transactions. This scheme is quite popular, and there are tens of others,” Mendeleev said.
Another reason there is demand for synthetic accounts can be as simple as this: People living in countries sanctioned by the U.S. and EU or with prohibitive anti-crypto regulations can’t register under their real names on the major crypto exchanges.
Sergey Zhdanov, chief operating officer of London-registered crypto exchange EXMO, told CoinDesk his company has caught some users faking their KYC data. The users explained they were based in territories under international sanctions, so they wouldn’t be able to register with their real IDs, he said.
“Some users just honestly admitted that they were based in the DNR [Donetsk People’s Republic, a disputed area in southeastern Ukraine] or North Korea, so they bought their documents [to register]. We block such accounts,” Zhdanov said.
China, which has been aggressively pushing crypto out of the country, appears to be a new growth market for the bogus ID business. Dovey Wan, founder of the Primitive Ventures crypto fund, told CoinDesk the market for verified accounts for Chinese users is “vibrant.”
The vendors “advertise in Telegram groups as ‘KYC service,’” Wan said, adding that “you simply ask in the Telegram groups (mostly in Chinese ones) that ‘I want a KYC service’ [and] people will pop up.”
The vendor CoinDesk spoke to confirmed their service is becoming popular in China: “At the moment, we’re seeing interest in our services from Chinese people. No need to explain, I guess. 🙂 “
Marc Hochstein, Danny Nelson and Daniel Kuhn contributed reporting