EmpireMarket, what’s behind carding fraudsters

Carding is the prince of cybercrimes. It consists of trafficking with stolen payment card data: card number, expiration date, owner name. Who purchases it can use the details to buy online everything with the legit owner’s money. EmpireMarket is a dark web platform that offers to sell these data (in addition to counterfeit banknotes, arms, fake documents).

The Bazaar EmpireMarket does go online and offline periodically for security reasons. At the moment, the managers write on the front page that they have been “attacked by cyber-criminals for more than two weeks”. They announce they “have only gained part of the control” of the platform. They ask for financial help “from every user” to face the current problems: a donation worth $ 30 in the cryptocurrency Bitcoin (aiming “to buy more servers“).

Before the attack, American Express, Mastercard, and Visa payment cards were offered for sale on the website. It was published their balance and the price to buy the data. A Prepaid Card with a balance of 3100 $ cost 110 $ if American Express, 114 $ if Mastercard, 109 $ if Visa.

EmpireMarket – Credit Cards Prices

EmpireMarket, a cyber investigation

Purchasing method: Escrow

The purchasing method was detailed and explained. The customer needed to pay, and then a vendor operating on the website would have sent him the stolen payment card details. Nevertheless, the risk of scams is always high: paying without receiving the data. We are on the dark web without contract, authority, or possibility of claims. For this reason, the purchase was processed with and (supposed to be) guaranteed by Escrow.

“What is Escrow?

  1. Buyer sends money to Escrow during the checkout process. (It’s active with every trade)
  2. The vendor receives a notification about money in Escrow.
  3. The vendor will send the order/product to the buyer. (Digital purchases are sent instantly)
  4. The buyer checks the product and, if it is as described, releases money from Escrow to the vendor. (Escrow release link is sent to your email)
  5. Trade is finished, and all personal details are removed.”

No personal details of the vendor are available on the website, as the activity is highly illegal. However, some trails can help to discover more.

Escrow Payment Method

Escrow Payment Method

A clue: the email domain Airmail.cc

At the bottom of EmpireMarket’s homepage, “support ” was a section. It should be used whether customers would have faced technical issues. But it also contained a clue for our research. Indeed, there was shown an active email address: empiresupport@airmail.cc.

The email domain airmail.cc is not a public provider such as Gmail, Yahoo, or Outlook. It should be registered, and it could potentially link to a corresponding website. So it is.

The front page of the website Airmail.cc displays a short message: “Airmail is an invite-only Email server focused toward professionals and Email enthusiasts. To report abuse please Email abuse [at] Airmail.cc.”

The email server is told to be available only on an invite. The service is addressed to professionals and email enthusiasts. It is a provider offering an email service, and it is not necessarily related to Empire Market fraudsters’ activities.

Shodan: the internet connections and the hacker EdmondMajor

Using an OSINT tool named Shodan, we can add some information. Shodan is “a search engine for Internet-connected devices” (shodan.io).

A standard search engine (Google, Bing) looks for relationships based on the contents on the web (the service displaying web pages). You insert a word or a sentence, and you can see the pages corresponding to the searched content.

Instead, Shodan searches the connections on the internet, which is the network that links computers and servers. Every activity on the net leaves a trail, the IP address: a sequence of digits identifying a unique source of connection and nearly impossible to replicate. When searching for a website domain on Shodan, the search engine shows the devices’ data (primarily servers) connected to the queried name: first, the Ip address and its location.

Looking for the connection with Airmail.cc, the search engine Shodan displayed three results (last visited 20th April). The first is an Ip address located in Belgrade (Serbia), the second is in Vietnam, and the third is an IP address in New York (US). The three locations are far away, one from the other.

Indeed, the servers can be located everywhere globally, although the physical person behind the connection is in another area. A hacker in the US can use remote servers located in Eastern Europe. In this case, despite Serbian Ip and Vietnamese Ip don’t show links at first glance, New York Ip does.

Simply clicking on the IP address from New York, we are redirected to a webpage (http://edmond.bz/) of a self-defined hacker (grey hat?): EdmondMajor. He described himself as “Highly interested in cybersecurity”. The webpage links to another website (http://www.edmondmajor.com/), where you can read a manifesto: “The Conscience of a Hacker”. He writes: “I am a hacker, enter my world (…)Yes, I am a criminal. My crime is that of curiosity.”

Edmond Major's personal webpage

Edmond Major’s webpage

He offers services for companies: “Phishing your employees”, “Un-Hack/De-Malware Your Servers”, and “Research or Spy on Your Competition” (among others).

On the webpage edmond.bz, he provides a contact email: em3@airmail.cc. He chose to set up an email account with Airmail.cc, which seems a secure way to communicate: a cybersecurity expert selected it. It could explain its use also by the highly illegal platform EmpireMarket.

Waybackmachine: what Airmail.cc looked like in the past

Airmail.cc email works, but the corresponding website doesn’t contain relevant information. Now. What about in the past?

Waybackmachine (archive.org) is an Internet archive. It stores web pages published at a specific date, allowing users to see how websites looked in the previous years.

From 14th September 2018 until 25th November 2021, the homepage of “airmail.cc” redirected to another website: “ovo.sc”. “Sc” is the internet country code for Seychelles. Ovo is the name of a group, as explained on the website “ovo.sc” (still active).

Waybackmachine OvO welcome meesage

Waybackmachine: OvO welcome meesage

It is “a global collective of service providers and provided services. Its members share knowledge, resources, and support with the aim of building sustainable, independent online businesses.

Abuse: OvO’s network hosts several free speech and cryptocurrency services. To report abuse, email abuse // ovo.sc and include all applicable logs and evidence.”

Although now Airmail.cc doesn’t link to OvO anymore, we can infer that there has been a connection between the two services.

Panama papers: an offshore company

The signature under the message on the front page ovo.sc reports the address of the group “OvO Systems Ltd”: “Suite 9, Ansuya Estate, Revolution Avenue Mahe Seychelles”.

The same direction is contained in the “Panama Papers“. These papers are 11.5 million leaked documents detailing financial information for more than 210 thousand offshore entities. They have been published since 2016 by the International Consortium of Investigative Journalists (ICIJ). Offshore entities are subjects (primarily companies) registered in foreign (often tax favourable) jurisdictions.

According to the Panama Papers, two companies were registered at the Ovo Systems Ltd direction in the past: “Enterprise Solutions Ltd” (now inactive) and “Professional Consulting Services Ltd” (currently inactive).

Panama Papers Offshore companies address

Panama Papers: companies at OvO address

Currently, the company “Fidelity Corporate Services (Seychelles) Ltd” is registered there. It is a specialist offshore company formation agent. They provide company registration services in Seychelles.

An enquiry on Shodan (ran on the 28th March) shows that 1) one Ip connected with “ovo.sc” links to “airmail.cc”; 2) at least one IP connected with “ovo.sc” is located in Seychelles. A company registered in Seychelles doesn’t necessarily be fraudulent. As the ICIJ alerts, “there are legitimate uses for offshore companies and trusts”.

MyIP: domains connected to Airmail.cc

There is another helpful tool for investigating a domain. MyIp.ms is an online database “that helps you find out who hosts a website”. Suppose you type a website name (Airmail.cc in our case). In that case, MyIp shows where the server hosting the site is located and, in addition, the other domains connected.

There are several websites related to Airmail.cc.

a) Cockbox.org, a “Bitcoin VPS provider”

Cockbox.org is one result. It is defined as a “Bitcoin VPS provider” on the corresponding website. VPS is the acronym for a virtual private server: an application running in your system and working as a server.

Cockbox is the organization offering this “virtual machine” as a service. According to the website, “Cockbox’s servers are in Bucharest, Romania”.

The payments are accepted in the cryptocurrencies Bitcoin or Monero. A message at the bottom of the page indicates: “Service provided super serious by OvO Systems Ltd.”

Cockbox.org Server

Cockbox.org frontpage

b) Cock.li, stable email services

Cock.li is another result (the website’s logo is the same as cockbox.org). Cock.li provides “stable Email services” for professionals. Indeed, it is an email provider privacy-oriented and runs with encryption. It “allows registration and usage using Tor and other privacy services”.

At the bottom of the page is written: “The service is provided for fun by OvO Systems Ltd”. The service manager is the American Vincent Canfield (living in Romania, as per his Twitter profile description). In April 2021, he tweeted that they closed the registration to the service as they had reached 1 million users.

Cock.li email

Cock.li frontpage

The provider Cock.li has several distinct domains registered and listed on the homepage. Among them, the same Airmail.cc. In 2015, Canfield explained: “the “invite-only” bit on the front page of Airmail.cc is a farce, Airmail.cc is a publicly-registerable domain name available here: cock.li”. On the homepage of Cock.li, they want to specify that they are “as transparent as possible”. “To accomplish this Cock.li publishes communication with law enforcement including or regarding a successful demand or order for user information.” The communications between cock.li and authorities (emails and phone calls) are shared on the website.

b. 1) Cock.li legal issues and uses by intelligence services

In multiple cases, distinct US authorities contacted cock.li to get information on suspicious clients or criminals using the services provided by the organisation. American agencies also delivered some subpoenas to Vincent Canfield, and in some cases, they seized his hard drives. Some investigations were related to child exploitation.

In January 2017, Canfield wrote:” The last preservation of records request received by the US government was immediately followed by the seizure of cock.li’s hard drives by the hands of the US Government”. Indeed, he informed that the US Customs and Border Protection (CBP) seized all of his electronics when entering the United States.

It’s not the first legal issue faced by Canfield. In 2016, he wrote: “My friends, This evening, I was arrested by the Romanian Police. (…) I am being extradited to face a charge under Strafgesetzbuch section 86a, which bans, amongst other things, the use of “slogans of unconstitutional organisations”. (…) For about three weeks, I displayed a JOKE on the front page of cock.li (…) that said “HITLER DID NOTHING WRONG”. I did this while the server was hosted in Germany, so I think this is what this is about. I’ve never been unironically racist in the entire history of the site, so this is the only thing I can come up with. (…) I’ve also been informed that my extradition is being expedited because I am scheduled to undergo investigative surgery. The prosecution office in the city of Zwickau believes I may have a surgically-implanted storage device. The SRI performed forensics on my storage devices in my apartment and did not find another copy of the cock.li data”.

However, the legal problems seem pretty old. As of April 2022, the website reports: “From 2017 to 9th April 2022, cock.li has not received:

  • A gag order preventing the disclosure of a broad order for user metadata
  • A gag order preventing the disclosure of a broad order for user data
  • A gag order preventing the disclosure of a targeted order for user data
  • A gag order preventing the disclosure of a targeted order for user metadata”.

Still, Canfield writes on the website that in the first quarter of 2022 cock.li received and responded “to two verified orders for user metadata enforceable in the jurisdiction of Seychelles on behalf of French authorities”.

According to the website Deepwebmarketsreview, in November 2019, the provider’s servers were taken offline, possibly due to a search warrant. No further information on that is shared.

In April 2021, the FBI reported that “a number of SVR [Russian Foreign Intelligence Service] cyber personas use email services hosted on cock.li or related domains”. Canfield told the website Vice: “This is the first time I’ve heard for sure that Russian intelligence is using cock.li, but it’s not surprising, since the CIA uses it too”.

b) 2. Cock.li donations

Cock.li relies on donations to survive, the homepage states. It also publishes an annual financial report. In the 2020 report, Canfield writes: “In the last year, cock.li has gone from being completely hosted in one country, to being geographically distributed within Eastern Europe. This change has brought long-term resilience to the site at the cost of speed and reliability. (…) Cock.li received a 1.5BTC donation in 2018 that is still funding the site today.”

2021 report hasn’t been published yet.

MyIP and Shodan with Ovo.sc, another carding website

In 2018, Canfield tweeted that Cock.li and Cockbox “have incorporated on the new name “OvO Systems Ltd”.

According to Shodan research on ovo.sc (run on the 30th March), the servers hosting Ovo Systems Ltd are reportedly located partly in Romania and partly in Seychelles. MyIp links these latter servers to a telecommunication company: “Flokinet Ltd“.  Flokinet has an office in Iceland and one in Seychelles, according to the website flokinet.is. It offers hosting services, web design services and security consulting. It was “established in 2012 – Iceland, to provide a safe harbour for freedom of speech, free press and whistleblower projects”.

One of the Ip addresses connected with OVO and owned by Flokinet links to the website domain cardmafia.pw. This website’s description on hypestat.com states: “Russian carding forum, verified carding forum, altenen.com new domain”.

OvO Systems, a solution for cybercriminals

The cluster OvO Systems Ltd provides valuable services covering identities, messages, and connections online. So, it is also used by hackers, fraudsters, and cybercriminals. The benefits (some of the services are free) are rewarded with conspicuous bitcoin donations.

This network could be fundamental, above all, right now. In February 2022, Russian authorities arrested six men active in selling stolen payment card data. (Another operation with the same target was held in March 2020 by FSB, Russia’s domestic security service). According to the journalist Brian Krebs, carding platforms UniCC, Trump’s Dumps, Ferum Shop, and Sky-Fraud (among others) could be involved in this operation.

Russian Message for Trump Dumps users

Russian Message for Trump Dumps users

According to the website Digitalshadow, now someone guesses the carding markets should move to Telegram for safe communications. Others argue that they should implement security in their procedures.

Behind some carding platforms (EmpireMarket, Cardmafia), we found offshore companies, anonymous email accounts, and privacy services. Cybercriminals are challenging to be identified, also for law enforcement agencies. The cluster OvO Systems could be a significant resource for carding fraudsters also in the future.