Criminals auction off stolen domain admin credentials for up to £95k. Your bank account details? Barely get £50 Stolen domain admin login credentials can be resold by dark web criminals for up to £95,000 and a total of 15 billion purloined credentials are traded on illicit marketplaces. Or so says threat intel biz Digital Shadows in a study published today, which it said equates to roughly two login details for every human on the planet …
I'd not even give you £95,000 for admin access to Jennifer Lawrence herself. I mean, I'm sure she's lovely and it'd be the best 2 minutes of physical activity one of us ever saw, but £95k is a lot of money.
Given the time to detection for an account with access to something you could extract at least 95 grands worth of value from, I'm not seeing any obvious account details that would be worth so much money. Maybe an AWS admin to I can mine crypto, but even that is likely to get detected before I get the value out unless I can spin up a massive amount of resources to burn the compute before anyone can react to what I'm doing. What else is worth £95k in terms of creds? Corporate espionage maybe?
Maybe I'm being naive, but I find it hard to think of anything one could do (for criminal gain) with £95k admin credentials that wasn't really quite high risk, so one would need expected gain of much more than 95k to take it on. Unless I'm wrong about the risk, there must be some ways of wringing genuinely huge amounts of cash out of these.
The bank accounts tell a different story, I think. Lots of them will have little in, and most anti-fraud measures are no doubt only effective if one were to try to drain a really large amount in a rash way. So a figure of £100 rather suggests low risk to the criminal and weak protections by the banks. I guessed that, but it's not very cheering to see it demonstrated this way.
The bank accounts tell a different story, I think. Lots of them will have little in, and most anti-fraud measures are no doubt only effective if one were to try to drain a really large amount in a rash way.
Retail accounts are most likely sought for their laundering capacity rather than their current balance.
I can launder anything up to about £1M per year with almost no risk of getting caught, though it would inevitably come with some losses built into that - maybe about 5 or 10%. Betting shops and casinos are the easiest ways to do this.
If you want scale however, you need a web of accounts through which to funnel money. That's easily done with corporations, however its expensive to do if you want things to be untraceable, so you're suddenly talking about £100M plus.
The gap in that market is the £1M to £100M range, and the easiest way to make that spin cycle untraceable is dipping in and out of retail accounts, crypto wallets etc in as many different jurisdictions as you can. Some people will notice and report it, others will not notice, and others will see a credit and a debit and assume a banking error now resolved. This you can do entirely from your laptop with a few hundred quids worth of moody bank details, with no previous experience required.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2023
