Although in decline, carding has traditionally been an easy entry point into the world of cybercrime, owing to the low level of technical knowledge required to do it. Carding forums offer a platform to both wannabes and veterans to sell their exploits and exchange ideas. Just like any other forum, they need admins and moderators to run them. Such users are placed in positions of trust, which afford them much influence over the forum’s community. Where goods and services are offered for sale, they sometimes administer the forum’s escrow scheme, so as to facilitate the exchange of money for spoils. Forum users would hope that staff wouldn’t exploit their positions of trust for personal gain. On most forums, this is the case. But what happens when the staff of a carding forum are cut from the same moral fabric as its users?

Digital Shadows (now ReliaQuest) are no strangers to witnessing exit scams, in which a trusted escrow provider on a forum chooses to pocket the held funds rather than properly fulfill their duties. They’re called exit scams because the escrow provider loses their reputation, and will not hold such a position again. When an escrow scam is being perpetrated by the forum’s staff, however, the scammers are free to scam as many users as they wish. If the forum is able to attract a constant influx of naive members, it can stay online no matter what damage to its reputation is done by the scam’s revelation.

In this blog, we will see two staff members of a carding forum take advantage of their positions for personal gain, at the expense of the forum’s users. We will dive into what they did, and how far they were prepared to take things. 

Altenen:

Altenen is an English-language forum catering to those of a cybercriminal mindset. Believed to have been created in 2013, it has rebranded itself over the years and was previously an Arabic-language forum. Nowadays it mainly concerns itself with “making money on the internet” by means of “various earning schemes” (i.e., carding). Reports of Altenen scamming users have been circulating as far back as 2015.

Reddit post from 2015 alleging Altenen to be scamming users.

A tip-off from a Twitter user in June 2022 led Digital Shadows (now ReliaQuest) to an XSS forum thread, on which breached user data could be found. Most of the data consists of usernames, email addresses, registration dates, user status tags, and direct message counts. One file, however, presents compelling evidence indicating the rumors of scamming to be true. It contained leaked direct messages between Altenen staff and several users. By analyzing these messages, we can learn about the staff’s modus operandi and motivations. The conversations took place between late 2019 and mid 2021, and are summarized below.

The Scammers:

The escrow scam was conducted by two staff members, the first being a moderator (henceforth known as “moderator”) and the second being an administrator (henceforth known as “admin”). The scam started with the moderator sending out direct messages to several users containing Bitcoin addresses, telling them to reply to “us” (likely the moderator and admin) in order to be taught the next step in the escrow process.

Modus Operandi:

The first conversation in the dataset summarized how the scam works:

  1. User 1 messaged the moderator asking him for an address to send a six hundred dollar payment for holding, as part of a deal made with User 2 for the purchase of a laptop.
  2. Once the money was sent, User 1 asked the moderator for a confirmation receipt, only for the moderator to demand an additional escrow fee, which User 1 claimed not to have. 
  3. The moderator agreed to accept a smaller amount, and cut the rest from the seller’s fees. 
  4. Shortly afterwards, the user claimed to no longer be able to complete the deal due to personal issues and demanded a refund.
  5. The moderator dismissed User 1’s pleas to get the money back, first by citing a three to four day waiting period, then by asking the user to create a thread in the relevant part of the forum.
  6. Subsequent pleas by the user for a refund were ignored.

Screenshot of a conversation between a victim user and the moderator, showing the scam in action. Forum usernames and Bitcoin addresses have been redacted.

Several more conversations took place that followed a similar pattern, involving either the moderator or admin ignoring or ceasing to reply to a user once payment had been taken. Western Union (WU) transfers were used in place of Bitcoin in some cases. In one conversation, the admin even admitted to a user that the moderator conned him and tried to downplay the whole event. 

Selective Targeting:

Not all users who approached the scammers ended up becoming targets. In some cases, the user was told that it’s a scam and they’re not being targeted because of certain criteria. Muslims weren’t targeted, and neither were the forum’s “high profile” members. This mirrors behavior seen on Russian-language forums, in which entities in the CIS region are not targeted.

A user is told that Muslims aren’t targeted.

Claimed Motive:

In one conversation, the admin claimed a motive for the scam: covering server fees of fifteen thousand dollars per month. Whether this was genuine, or only a cover story so as not to anger the user, cannot be confirmed.

One of the scam’s perpetrators claims a motive.

Crypto Stealing Malware:

Towards the end of the dataset, we saw a very revealing conversation. A user was seeking “verified seller” status, in order to sell point-of-sale (POS) RAM scraping malware on the forum. The user asked if the role was subject to payment, to which the admin replied, quoting a price of five hundred dollars. The admin suggested that the user turn his malware development skills against the forum’s own users, by developing a Bitcoin stealer and deploying it onto the forum, as there are many users on the forum with large amounts of Bitcoin.

The admin suggesting a user develop a bitcoin stealer, implying that it would be deployed on the forum.

Conclusions:

From these leaked conversations, it is clear that at least two staff members (one of whom is an administrator) are prepared to steal from their own forum’s user base, whether through a bogus escrow scheme or even through cryptocurrency-stealing malware. They are, however, selective about their targeting; they don’t want to alienate valuable members, nor, it seems, violate their own religious beliefs. Being a carding forum on the surface web, Altenen attracts the type of threat actor who is likely to be OPSEC-naive, and the staff appear to be taking advantage of this.

Altenen is still online as “a test forum that may be removed at any time”. It is not clear why these revelations haven’t led to the forum’s permanent downfall, but a possible reason is its ability to attract a constant influx of new members, who may be naive as to what’s happened.

Upon reading through the conversations, one might be tempted to sympathize with those who fall for the bogus escrow scheme. After all, they do cite some genuine reasons for wanting to make money quickly. One must bear in mind, however, that these people were themselves prepared to either make use of stolen card details, or trade in goods purchased using them.

Search Light (now ReliaQuest GreyMatter Digital Risk Protection) has a threat profile on Altenen, which goes into more detail. If you would like access to the profiles of criminal locations like Altenen, as well as threat actors, malware and more, you can request a test drive or demo.