Darknet Marketplace Snapshot Series: Styx Market


In DarkOwl’s Darknet Marketplace Snapshot blog series, our researchers provide short-form insight into a wide range of darknet marketplaces: looking for trends, exploring new marketplaces, inspecting admin and vendor activities, and offering a host of insights into this transient and sometimes criminal corner of the internet. This edition features Styx market.


What is Styx Market?

Styx is a darknet market selling illegal techniques for committing fraud, money laundering, and access to stolen data. Chatter on the darknet around Styx market first appeared in 2020, before the market officially opened in mid-January 2023.

Figure 1: Captcha to Styx Market; Source: Styx Market

Styx market offers stolen data as well as a wide range of products for conducting illegal cyber activities. Examples include 2FA/SMS bypass, Business Full Info/Tax, Installs for stealer, Anti-detect browsers, laundry services, FB/Google logs, Cashout Banks/VCC, Credit Cards (CC), Crypto-mixer, Stealer services, Lookup BG/SSN/DOB, RDP (remote desktop protocol)/VDS (virtual dedicated server)/VPS (virtual private server), and many more. A table of definitions can be found at the bottom of this blog.

Figure 2: Homepage of Styx Market; Source: Styx Market

Infrastructure of Styx Marketplace

Styx market is divided into 5 main sections: the main page, trusted sellers, auto ESCROW, news, and a filters section on the left side to search for specific products.

The main page of the marketplace has posts by users advertising what they sell in the marketplace. The users have usernames that are not assigned and can be customized. The majority of the site is in English and therefore easy to navigate for English speakers. However, many listings and names of vendors are in Russian. This includes vendors on the Trusted Sellers page. Vendors on a trusted sellers page have sometimes been vetted by the administration running the site, and therefore are more "trustworthy".

DarkOwl analysts assess many sophisticated darknet actors are Russia-based. Therefore, the fact that some vendors and their listings are Russia-affiliated adds to the legitimacy of the marketplace. There are noticeable spelling errors throughout the site in some of the listings posted by vendors. In some cases, a listing will include both a Russian and English translation. Some of the filters that can be used to search for specific products or goods offer a Russian translation right next to them.

Many types of stolen or leaked information are offered for sale in listings. Listings can be found on the main page, under News, and certain types of data can be searched for with the filter bar. Looking at individual listings, the personal data on offer is noticeably largely from the West. The types of data for sale are usually PII (personally identifiable information) and credentials - information that can be used for fraud and scams. For example, a hacked database of U.S. payday loans is available for $90. There are also national Spanish identification cards available. Many international governments issue national identification cards to their citizens that are used while voting, traveling, applying for government benefits, and are used by law enforcement for identification purposes. Other personally identifiable information from the EU, such as credentials, is offered in a number of listings. However, a number of APAC (Asia Pacific) countries and Middle Eastern countries are also present on the site.

For payment, Styx market has its own ESCROW-enabled payment system. According to the terms and conditions of the marketplace’s auto-ESCROW, the maximum amount a transaction can be is $1,000,000 USD. The ESCROW system can be used by buyers and sellers for dispute resolution. They can invite an Arbitrator by clicking on a support button. The Arbitrator takes 4% of each arbitration, and their decision is final.

The infrastructure of Styx Market relies heavily on a Telegram component.

In some cases, the "contact seller" button on the marketplace will lead directly to a Telegram channel. Vendors who rely on Telegram will sometimes have a number of channels tied to their vendor shop: one for administrative support and another for advertising their products.

Figure 3: Trusted Sellers of Styx Market; Source: Styx Market

Focus on Financial Crime

The majority of services on the market appear to be financial. Customer information for digital banking services such as Chime and PayPal is listed, as well as more traditional banks including Capital One Bank, Wells Fargo, Citi Bank, and Old National Bank, among others. Access to cryptocurrency exchanges and Bitcoin platforms is prevalent throughout the site; sites such as Crypto[.]com, Coinbase, BitRue, Kraken, and others are listed by sellers to offer access to compromised accounts or to facilitate cashing out illicit funds. It’s unclear from research which of these the accounts are offered for, but historically we have seen them used for both.

Figure 4: Wells Fargo Account; Source: Styx Market

Figure 5: KYC Binance Tutorial; Source: Styx Market

The products and data available on Styx can be used to help a cybercriminal at every stage in the process of financial fraud. This might start with social engineering emails targeting CEOs, using lookup services to find and collect information on targeted individuals as reconnaissance, such as a mother’s maiden name or the name of a family pet and previous addresses to help access accounts, and creating accounts to drop and launder money. Lookup services are used by cybercriminals and bad actors for reconnaissance. They use lookup service data to help them pass verification and authenticate their victim’s identity when they are committing fraud.

Figure 6: Telegram Channel for a Lookup Service on Styx Market; Source: Telegram

[TRANSLATED Image]

☀️Search manually:

DOB ($2)

EIN ($10)

☀️Search via API:

DL ($8)

SSN ($8)

⚙️Connect to the API and search 24/7

Styx market also offers cash out and money laundering services. Multiple vendors claim to offer this service, and each has their own requirements. For example, the vendor "Verta" sometimes charges a 50% commission. They also have requirements for the minimum amount of money needed for a transfer: $15,000 minimum per transfer to a private account and $75,000 minimum per transfer to a business account.

Figure 7: Verta Requirements; Source: Telegram

Facilitating financial crime appears to be a major component of the services offered on Styx marketplace. Cash out vendors require significant minimums of money for their services. Cash out services are used to turn illicit Bitcoin into fiat currency. This can be a problem if the service, such as Coinbase, requires users to use their real identity and to prove that the crypto funds are legal - neither of which a darknet actor would do.

Banks are wary of cryptocurrencies’ links to the darknet and will likely be hesitant to cash out large sums of crypto, or will raise a red flag and require additional documentation. Darknet cash out services help darknet actors cash out their illegal cryptocurrency by using their own methods to bypass the system. Exact methods are hard to come by as vendors don’t publish what they are taking advantage of. However, one method involves using multiple Bitcoin wallets, running them through custom mixers, and finding a Bitcoin buyer who gives cash in exchange. Another way is to send Bitcoin to a company that will charge a prepaid debit card.

Cash out services typically have minimums and high commissions, indicating that their customer base is actors with illicit cryptocurrency gains who have enough funds that the cash out will be useful to them despite the high fee. These indicators may suggest that Styx market has been designed and built for users who are already experienced in cybercrime, since they appear to have access to a high volume of illicit funds.

Unique Characteristics of Styx Market

DarkOwl analysts have observed that a unique characteristic of Styx market is its interconnectedness with Telegram. For every listing, the user has the option to get in touch with the seller directly to purchase the product. A "Get in Contact" button will either bring the user to a page with a chat box on the marketplace itself, or the user will be taken to a Telegram channel. The Telegram channels are a mix of bots or direct access to the sellers themselves. Some Telegram channels, such as that of the money laundering service "Verta", are used by the sellers to make public their terms of service and to post positive reviews of their services. Positive customer reviews are key to gaining trust within the darknet community.

Limited descriptions of products are given on the site and users are sometimes redirected to a specific Telegram channel of that vendor. The Telegram channels are either a channel for direct messages to the seller or the seller’s support Telegram channel.

A Telegram channel is used to broadcast information to a large audience; only admins are able to post and there can be an unlimited number of subscribers. A public group is similar to a channel, but all subscribers can post in the chat. Public channels have a username, and anyone can join. Private channels are only accessible if a user is added by the owner or receives a private link to join. Analysts have observed that it is common for darknet vendors to have multiple Telegram accounts, where each is used for a different purpose. One may be only for support, one may be for posting new products, and another may be for direct messages to the admin.

Figure 8: Link to Deviant Shop’s Telegram from Styx Market; Source: Styx Market

Within the Telegram channels, descriptions of products and availability are shared. Buyers can also get pictures of the type of products they are looking to purchase as proof.

Figure 9: Deviant Shop Telegram Channel; Source: Telegram

A Look at the Vendors of Styx Market

To understand if a darknet market is sophisticated, it is necessary to evaluate the legitimacy and level of sophistication of its vendors. Trustworthy darknet marketplaces are more likely to have vendors with a substantial darknet footprint. More legitimacy is afforded to a vendor if they have been selling for multiple years, across different marketplaces, and have been evaluated to be reliable and not a scammer. Using DarkOwl Vision, the darknet, and darknet-adjacent sites, DarkOwl analysts looked at vendors from Styx market to review the vendors’ footprints across the darknet. The vendors’ presence on the darknet will likely indicate whether vendors on Styx market are sophisticated hackers or skids.

The vendor shop "Valera888" sells PII, such as national identification documents, on Styx market. Using DarkOwl Vision, this same vendor’s username was found on darknet carding sites, a popular darknet Russian hacking forum, and additional darknet marketplaces dating back to 2019. Although the same username on Styx has been used across darknet marketplaces in the past, there is no way to tell if the same person is behind these accounts. They have previously been associated with selling CVVs and private software. The username could be connected to the same person since they appear to follow a pattern of selling personal information, but that is unconfirmed.

Figure 10: Mapping Valera 888 with information from DarkOwl Vision

"337 Diller" is a vendor on the trusted vendors page of Styx marketplace. This vendor offers lookup services.

Figure 11: Vendor Profile of 337 Diller on Styx Market; Source: Styx Market

There are two Telegram channels directly connected to this vendor on Styx market. Further research reveals other channels run by a vendor with the same name selling similar products on Telegram. One of the Styx-market related channels advertises data for sale and recruitment posts. Purchases of the data posted on this site can be made through their linked Telegram bot channel. A support channel is also linked within this channel. The other channel consists of reviews of the vendor.

Figure 12: 337 Diller selling services on Telegram; Source: DarkOwl Vision

Research from DarkOwl Vision indicates this vendor has been offering lookup services and fullz since at least 2021 both through Telegram and on popular darknet marketplaces and forums.

Figure 13: Mapping 337 Diller using data from DarkOwl Vision

"Podorozhnik" sells drawing services as a vendor on Styx market, where a user can get in touch with them via the chat function provided on the site. In addition to their presence on Styx, they also offer their fake documents for sale through dedicated Telegram channels. Drawing services is a term used for forged documents and fake documents. "Podorozhnik" advertised their drawing services on the darknet site DarkMoney in 2021. No Telegram channels are linked directly on Styx market, but there are a number of public channels connected to "Podorozhnik" on Telegram. For example, they have a Telegram channel dedicated to reviews. These show communication between customers and "Podorozhnik" of successful verifications. A Telegram channel advertising "Podorozhnik" claims they had over 900 positive reviews on a popular Russian Forum.

Figure 14: Mapping Podorozhnik using information from DarkOwl Vision

As each of the three vendors researched appears to have been present on darknet forums and marketplaces for years before joining Styx, they are likely to be sophisticated and reliable vendors. Vendor reviews are an important component to establishing trust on darknet marketplaces and reassuring potential buyers of the legitimacy of the vendor. Two of the three vendors have reviews readily accessible for potential buyers to evaluate. These include Telegram channels dedicated to reviews. These reviews point to trust in the vendor. They have also embraced using Telegram for advertising products and services and as a support system for customers. Telegram continues to grow as a critical avenue for buying and selling darknet-related goods. Some of the Telegram channels associated with Styx marketplace vendors were created as early as 2021, while others have been created within the last year.

Final Thoughts

The products sold on Styx marketplace are hacker and financial-crime oriented. The market caters to sophisticated cybercriminals. Vendors offer access to a number of online banking and e-commerce sites. Money laundering services are strict and only for those who can meet the dollar minimum. While money laundering is risky, therefore requiring a minimum for funds, vendors have been successful enough to continue offering the service. And despite the high price there appear to be customers who are willing to pay. Financial institutions and the banking sector will need to continue to be cautious given the account identity authentication techniques available for sale on Styx market. These include NFC Bins (NFC is what allows for contactless payment on cards) and vendors offering to set up funnel accounts which can be used as a drop service to "drop" stolen financials. Much like cash out vendors, drop services are used for laundering illegally earned funds. For now, Styx market will provide a valuable outlet for cybercrime on the darknet as cybercriminals go after the online aspects of banking and come up with new techniques for money laundering.