Payment App Fraud

Corona Cash: Payment Platforms on the Dark Web During Covid-19

Though mentions of payment platforms were on the rise prior to COVID-19, they spiked tremendously during lockdowns. The rise is staggering: from February until the peak in May, the total number of mentions rose 262%.

This report focuses on trends and shows examples of how these payment apps provide critical infrastructure in dark web financial crime.
September 15, 2020

Sixgill Study: How Darkfeed’s Unique Indicators Accelerate Protection from Threats

We took a sample of 15,000 of Darkfeed’s IOCs, derived from underground forums and markets over a 90-day period, and compared that sample with IOCs from more than 40 leading antivirus providers over the same period to see what portion of our IOCs were also identified by their systems.


What did we find? We discovered just how unique Darkfeed’s IOCs really are.

September 10, 2020

Gaming the System: An Overview of Dark Web Threat Against the Gaming Industry

Discussions of all things related to gaming thrive on the deep and dark web. And while much of gaming-related discourse is innocuous, there is a tremendous amount that violates terms of service of games and challenges their integrity, such as cheats and hacking tools. Even worse, there are many items that are outright illegal, such as breached accounts, gift card generators, and services for DDoS attacks against game servers and for doxing rival gamers.


Citing data and specific examples of underground conversations, our latest threat report illustrates why the risk of gaming-related fraud is so serious.

September 2, 2020

Underground Financial Fraud Report: H1 2020

This report examines financial fraud activity that took place in the deep and dark web during the last six months of 2020 (H1 – 2020). During this period, 45,130,117 compromised cards were offered for sale in credit card markets monitored by Sixgill in the underground.


Remote Desktop Pandemic

For many employees working from home, remote desktop protocol (RDP) is an essential tool for remotely accessing important digital resources and tools hosted on their organization’s network. When compromised, RDP connections put these employees’ organizations at great risk by giving threat actors access to their most critical resources.


Download this report to learn how the danger posed by compromised RDP servers has changed recently in light of the coronavirus outbreak, as well as practical steps you can take to stay safe.


The 7 Secrets of Top Performing Analysts

Leading cyber threat intelligence analysts share their tips and best practices for success in today’s cyber environment in this 7-step guide.


Knock, knock! When the underground comes a-knocking: hacks & exploits of smart homes

As consumers adopt a variety of connected devices, including smart speakers and security systems, among others, the potential attack surface grows larger. This is particularly important as employees of many organizations have adapted to remote work, with more endpoints attempting to reach company networks.


In It To Win It: eSports on the underground – hacks, exploits & fraud

Many sites on the deep and dark web can quickly go from providing valuable, nonmalicious programming resources, to fully dedicated repositories for stolen data and attack methods. The forums of the gaming hacks and Twitch exploits analyzed in this report contain hundreds of thousands of posts referencing carding/fraud techniques, and credit card data for sale.


The Corona High: COVID-19’s Boost to the Underground Illicit Drug Economy

Narrowing in on the dark web drug economy reveals a microcosm of how illicit economies adapt to such crises, showcasing the unique role of the internet in providing flexibility and resilience to illicit activities.


Overstimulating: CARES Act Fraud on the Deep and Dark Web

If there’s one thing that is certain on the dark web, it’s that these threat actors sensed an opportunity last month when the U.S. government announced it would deposit checks into the accounts of millions of Americans. And multiple news sources have noted that the stimulus checks and the forgivable loans made under the Paycheck Protection Program (PPP) were attractive targets for a myriad of fraud schemes. 


You are the product: Combating the Growing Sophistication in the Stolen Credentials Marketplace

At the end of 2019, account takeover (ATO) fraud accounted for 16% of fraud-related losses. The dark web provides fraudsters with intelligence that enables them to infiltrate your customers’ accounts without raising any suspicions. Once activity in a compromised account goes undetected, the potential for loss is much higher than with stolen credentials fraud.


Zooming in on Zoom: Discourse on Video Conferencing Applications in the Underground

The worldwide Coronavirus pandemic has forced millions of people to adapt their lives and work from home. With this new normal came a quantum leap in the use of video conferencing apps such as Zoom, which, along with many users unfamiliar with the technology, has created an opening for hackers and internet trolls.


Coronavirus Discourse Update

While the overwhelming majority of discourse surrounding COVID-19 is informational, there is a troubling rise in malicious intent, as threat actors seek to monetize this crisis through a variety of illegal methods. We must caution that the dark web is a testing ground of malign ideas; if an actor shares a “success story” of how he made money, many copycat attacks should be expected in the immediate future.


Virus in the Wild: Coronavirus Discourse on the Dark Web

Dark web activity is very often focused on computer viruses. Sometimes, however, it takes a virus of another kind—biological—to remind us of the dark web’s original intended use, as a medium for anonymous communication between individuals, unimpeded by governments and geography. Undoubtedly, many want to discuss COVID-19 on more secure channels, including those wishing to avoid Chinese state surveillance. Accordingly, we noted interesting patterns of discourse in secure messaging apps, such as Telegram, QQ, and Discord, as well as a spike in discourse on deep and dark web forums.



What kind of activities are really happening on the Dark Web? How much is myth and how much is real? Organizations from all industries need to understand the importance of monitoring the Dark Web to prevent future threats and attacks that could be costly and tarnish their reputation.

Download our Ultimate Guide To Dark Web Intelligence to find out.

February 11, 2020

Underground Financial Fraud – H2 2019

During the last six months of 2019 (H2-2019), 76,230,127 compromised cards were offered for sale by threat actors in illegal credit card markets monitored by Sixgill in the deep and dark web. In H1-2019, 23,319,709 cards were offered for sale.

January 27, 2020

Calling Your Number: SIM Swapping on the Dark Web

SIM swapping is a form of identity theft through social engineering, in which an attacker convinces a wireless carrier to port a phone number from the victim’s SIM card to a SIM belonging to the attacker. Once in possession of the victim’s phone number, the attacker can take control of any account that uses an SMS/call to authenticate login or reset passwords, including email, bank accounts, and cryptowallets.

December 12, 2019

Fowl Play: Threat Actors Also Preparing to Celebrate During Thanksgiving Holiday

As the holiday shopping frenzy officially begins around the Thanksgiving period, many consumers will turn to e-commerce stores to make their purchases. Given the increase in commerce during the holiday period, threat actors will capitalize on this increased spending for their own gain.

December 5, 2019

The Ultimate Guide To Dark Web Intelligence

What kind of activities are really happening on the Dark Web? How much is myth and how much is real? Organizations from all industries need to understand the importance of monitoring the Dark Web to prevent future threats and attacks that could be costly and tarnish their reputation.
Download our Ultimate Guide To Dark Web Intelligence


Death by a Thousand Clicks

Autoclickers are software that simulates clicking, i.e. user interaction, with a computing device. While they can have legitimate uses, threat actors have found several ways to improve and weaponize them. Sixgill has identified many autoclickers distributed on the underground, including some that employ sophisticated methods to mimic human actions and bypass antivirus software.

October 31, 2019

Sniffing in the Dark

Credit card sniffers are relatively few lines of malicious code that are injected into payment pages of e-commerce sites. Sniffers copy input credit card information and send it to the attackers’ servers. These attacks are difficult to detect, as sniffers are generally small and stealthy, blending in with legitimate elements of a website. While making a purchase on a reputable site, an e-commerce client can unknowingly be victimized by this type of attack.

September 15, 2019

Underground Financial Fraud: H1 – 2019

The criminal cyber-underground has long been fertile ground for financial fraud. With increasing overall activity in underground forums and the global transition to economies based on payment cards, malicious activity targeting compromised credit cards is as rampant as ever.

In the first six months of 2019, 23,319,701 compromised credit cards were offered for sale in the underground deep and dark web stolen credit card markets monitored by Sixgill.


Sixgill White Paper: Prioritizing CVEs: A New Approach to an Old Problem

CVEs (Common Vulnerabilities and Exposures) are lists of publicly available vulnerabilities and exposures related to software and hardware. Their purpose is to facilitate the sharing of data and to alert users of required actions to mitigate potential threats in the cyber world.

Nowadays, CVE identification and prioritization have become a prominent part of every vulnerability management tool, and an integral component in any risk assessment.


Test Before You Buy: Credit Card Checkers

Cybercriminals dedicated to the practice of carding have proven their resiliency over the years, developing new techniques to successfully circumvent the continuously evolving anti-fraud measures deployed by the financial and retail industries, and adapting many of the old techniques they employ. With the introduction of EMV card technology in 2015, the United States witnessed a decrease in fraud rates for card-present transactions. Nevertheless, the business of online carding has remained as relevant as ever. Credit card checking tools have remained a key element in sustaining high success rates of online carding.

February 18, 2019
carding and the digital gaming industry sixgill report


The digital gaming industry grossed over $100 billion in 2017. With more than 125 million players and revenues of over 300 million dollars every month, the online multiplayer game “Fortnite” has rocketed to the top of the online gaming industry, surpassing established giants like “World of Warcraft” and “Minecraft”. Fortnite’s format and popularity have drawn the attention of cyber criminals, and resulted in a thriving criminal eco-system around the game.

January 10, 2019

Forging Documents in the Deep and Dark Web

Threat actors are constantly looking for quick and easy ways to commit fraud, and document forgery is a significant part of that effort. These fake documents can serve a number of illicit purposes, from providing proof of residence for a false identity, through creating legitimate business accounts under that identity, to even traveling internationally using fake biometric passports.

The competition between legitimate authorities and the fraudsters who attempt to dupe them is likely to continue for years to come. While encryption and identification technologies are constantly improving, threat actors find ways of keeping up with these developments. As long as there’s gain to be had, cyber criminals will continue to manufacture and sell forged documents in the deep and dark web.

December 13, 2018

CVE Publishing: A Race to Protect Against Dark Web Threat Actors Trying to Exploit

Although the practice of alerting the public with new CVEs (Common Vulnerabilities and Exposures) is a crucial component in contemporary cyber-security strategy, Dark Web threat actors are actively searching for new vulnerabilities and investing considerable effort in finding ways to exploit them before organizations can protect themselves.


Web-Based Crypto Wallet Hijacking

Cybercriminals have managed to redirect web-based crypto-wallet DNS queries to a malicious mirror website. By doing so, they were able to steal $17m in Ethereum. The hackers pulled off a BGP (Border Gateway Protocol) hijacking attack on the website’s DNS service host, causing it to receive a false IP address and direct users to a phishing website. As a result, the users became victims of the attack, losing their stored wallet’s crypto-currency.


Sixgill Threat Report: Will EU Regulation Aid Cyber Criminals?

During the last few months, global corporations have been extremely busy with implementing the needed changes in order to be compliant with the upcoming GDPR regulation. While this happens, cyber-threat actors are preparing themselves for the possible consequences, without a clear picture of whether GDPR will hurt them or benefit them.


Sixgill Investigative Report: Cybercrime and the Bitcoin Dilemma

In this investigative report, Sixgill analyzes how the exponential growth in the value of bitcoin has inadvertently disrupted the dynamics of the cybercrime economy, and put criminals at an unprecedented crossroads, bringing speculation and uncertainty to the core of financially motivated cybercrime.

January 19, 2018

Sixgill Threat Report: Hacktivist Group “Anonymous” in Slovakia Targets NATO and EU Sites

In Sixgill’s latest threat report, malicious activity of the Slovakian “Anonymous” group was found in the Deep Web message board ‘Hidden Answers’, where threat actors were looking to recruit accomplices for an operation targeting NATO and EU websites.

December 31, 2017

Sixgill Threat Report: Next Generation Dark Web Markets

The second half of 2017 has been very rocky for Dark Web markets. Two of the largest Dark Web markets were taken down by law enforcement in 2017, AlphaBay and Hansa, the latter being run for a while by law enforcement without users knowing. For a variety of reasons, Dark market vendors are looking for alternative platforms and methods to protect themselves while carrying on their business.

December 25, 2017

Sixgill Threat Report: How Vulnerable is the Health Care Industry to Cyber Attacks?

Similar to other verticals, the health care industry is vulnerable to cyberattacks that can cause tremendous damage, both to the medical organizations themselves and to their patients. Download the new Sixgill Threat Report on the vulnerability of the Health Care Industry.

November 14, 2017

Sixgill White Paper: Understanding the Dark Web: The Potential Threat and What You Can Do About It

Ever wonder what the Dark Web really is? How it got started? How it became the dangerous place it is? More importantly, what kind of threats are lurking out there, why you need to know about them and what you can do about them? Sixgill has released a White Paper that takes a look at the Dark Web and answers these questions. 

October 11, 2017

Sixgill Threat Report: ISIS on Telegram: Weaponized UAV – ISIS’ New Aerial Weapon

A wealth of security-related information can be found on Telegram, a secure encrypted messaging application operating in the deep web. During the past couple of years, the German-Russian-based Telegram application has emerged as the jihadists’ preferred application for encrypted communications. Looking at examples from just the past few months regarding the use of new weapons by “The Islamic State” (ISIS) demonstrates just how prevalent this trend has become.


Ovum Research On the Radar: Sixgill highlights threats and enables real-time prioritization of alerts

Why put Sixgill Dark-i on your radar?
Today, the dark web conceals a vast underworld of cybercriminals who are collaborating and cooperating on exploits, as well as sharing methodologies. There is clearly a need for platforms such as Dark-i so that the enterprises who are targeted by these individuals and gangs can investigate who is focusing on them, what attack vectors they are using, and how they go about their business, enabling them to organize and structure their response.

proton a new mac os rat sixgill report


Sixgill researchers encountered a post in one of the leading, closed Russian cybercrime message boards. The author of the thread announced a RAT dubbed Proton, intended for installation exclusively on MAC OS devices. The author offered this product in one of the leading underground cybercrime markets. This report contains information about the malware which has drawn extensive interest in the industry. As a result of this discovery, Sixgill was written up in numerous industry articles. 

February 7, 2017