top of page

STYX Marketplace Emerged In Dark Web Focused On Financial Fraud

Resecurity has identified the newly launched STYX Marketplace which focuses primarily on financial fraud, money laundering, and identity theft. Some examples of the specific service offerings marketed on STYX include cash-out services, data dumps, SIM cards, DDOS, 2FA/SMS bypass, fake and stolen ID documents, banking malware and much more. Financial fraud is one of the key catalysts of the commercial cybercriminal ecosystem, enabling bad actors to profit from credential theft in the online banking and e-commerce sectors.

The marketplace opened sometime around January 19, 2023, but earlier mentions of its launch were noted by Resecurity analysts on the Dark Web in early 2022. Back then, the actors behind STYX Marketplace were building out the platform’s built-in escrow module, which enables the brokering of transactions between buyers and sellers of illicit cybercriminal products and services.

Once a new user registers and is granted access to the STYX marketplace, the registrant is greeted with a vast selection of services to browse through. STYX also offers a Trusted Sellers section, presumably where the admins of STYX have vetted reliable vendors, before whitelisting them. Some of the service descriptions are limited – the marketplace connects actors via Telegram contacts and various automated bots as a security measure.

Should the user wish to purchase any of presented services, they must first fund their STYX wallet by transferring the amount specified by their chosen purchase in either Bitcoin (BTC), Ethereum (ETH), or Tether (USDT).

Tools To Bypass Anti-Fraud Filters

Resecurity analysts first noted mentions about STYX Marketplace in multiple Telegram groups that provide private access to tools frequently used for online-banking theft and fraud like anti-detects, device fingerprint emulators and spoofers.

Cybercriminals use such tools to bypass anti-fraud solutions and access compromised accounts. These fraud tools work by using granular digital identifiers like stolen cookie files, physical device data, and network settings to fool bank and e-commerce anti-fraud systems and impersonate legitimate customer logins.

One notable STYX Marketplace product is listed by “Enclave Service”, a reputable service on the Dark Web that provides tools for identity spoofing and anti-fraud bypass.

Notably, some of these tools have been re-designed and optimized for mobile devices. Previously, tooling was geared more towards PC-based user-spoofing tools like Vektor T13, Antidetect 4 Patreon, and other. Tools like Vektor T13 and others are particularly favored by the cybercriminal community due to their strong customer support and diligent software updates.

The bypass of banks’s existing customer authentication and fraud-prevention solutions requires special attention, which Resecurity will address in a separate research publication. In Q1 2023, Resecurity observed a significant spike in interest from bad actors seeking these tools, as well as the emergence of new fingerprint spoofing and anti-detect products on the Dark Web.

Compromised Payment And Personal Data For Sale

In the heart of STYX Marketplace, members can browse vendor listings for compromised online-banking, credit cards, cryptocurrency, e-commerce account credentials, as well as stolen credit card data. Bad actors are especially focusing on defrauding “digital banks” and VCC (virtual credit cards).

Besides payment data, threat actors are also monetizing stolen Personal Identifiable Information (PII). One reputable STYX Marketplace vendor focused on stolen PII is the “Fraud Store”.

“Fraud Store” provides an interactive Telegram bot that enables the automation of PII data sales.

Another credible Styx vendor is “Bearss”, a provider that specializes in selling large volumes of stolen social security numbers (SSNs) and ID-related data.

“Bearss” features stolen SSN and ID data for victims in the U.S., Canada, Netherlands, the U.K, and other countries.

Beyond stolen PII, Bearss also sells stolen business data. Typically, this information is exploited for Tax Fraud and other forms of business scams. One example of the latter is COVID-19 relief fraud, a theft bonanza that saw scammers potentially swindle over a $100 billion from the U.S. government.

Threat actors capture exploitable business data via a variety of different intrusion vectors. Favored data theft channels involve the hacking of web resources that process business loan data, phishing attacks targeting CPAs, social engineering, and other scams.

Underground Lookup Services

Resecurity analysts also identified multiple “checking services,” which allow threat actors to collect data about a targeted individual. Typically, these resources are used by actors as victim reconnaissance tools to enhance their odds of successfully compromising their bank or credit card accounts.

“Kraken” is one notable lookup service that has been listed on STYX Marketplace virtually since the platform launched:

The service is accessible via Telegram and enables users to search by a targeted victim’s driver’s license (DL) or SSN. Kraken also provides the extraction of Credit Reports, both on individuals and organizations. Typically, the fraudsters use compromised or purchased access via a reputable credit bureau’s third party and exploit their services for illegal purposes. Data sold by Kraken and similar vendors helps fraudsters to pass various verifications and authenticate a victim’s identity when committing fraud.

The scope of cybercriminal lookup services is not limited exclusively to PII data based on ID, DL or SSN. For example, “NZI Lookup” enables fraudsters to extract banking statements. Bank statements can help threat actors simulate a victim’s established financial behavior, before committing actual theft. Instead of logging directly into a compromised online-banking account, threat actors can leverage compromised credentials exchanged via third-party fintech SaaS solutions like Plaid, Yodlee, Finicity, which are widely used in the financial industry.

The price for Kraken’s services start at $20 (per account check), with possible discounts for bulk orders.

Fake IDs And “Drawing” Services

Another significant product offering on STYX are fake IDs and document forgery. With over 900 positive reviews listed on other cybercriminal websites and markets, “Podorozhnik” is one of the most credible vendors operating on STYX. His services are widely used by Dark Web actors to pass selfie and ID verifications required by digital banks, cryptocurrency platforms, and e-commerce systems.