IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

DoJ shuts down infamous stolen credentials marketplace Slilpp

The platform offered 80 million stolen credentials from roughly 1,400 banking and e-commerce providers, including Amazon and PayPal

The US Department of Justice (DoJ) has shut down the popular dark web marketplace Slilpp, which has been trading stolen username and password combinations since 2012.

The FBI, working with foreign law enforcement agencies in Germany, the Netherlands, and Romania, identified and seized control of a series of servers that hosted Slilpp's infrastructure and various domains. Meanwhile, over a dozen individuals tied with the platform have been charged or arrested to date.

The platform is well-known for trading in stolen usernames and passwords of popular financial and banking services, as well as e-commerce sites, and is considered the largest of its kind on the dark web. The DoJ said it offered more than 80 million credentials for sale prior to takedown.

"The Slilpp marketplace allegedly caused hundreds of millions of dollars in losses to victims worldwide, including by enabling buyers to steal the identities of American victims," said acting assistant Attorney General, Nicholas L McQuaid of the Criminal Division.

"The department will not tolerate an underground economy for stolen identities, and we will continue to collaborate with our law enforcement partners worldwide to disrupt criminal marketplaces wherever they are located."

Related Resource

Security awareness training strategies for account takeover protection

Why you need an inside-the-perimeter strategy for internal threats

Security awareness training strategies for account takeover protection - whitepaper from MimecastFree download

Slilpp has been selling stolen credentials, including those for bank accounts and online payments accounts, since 2012, and initially began life as an eBay and PayPal accounts trader. In recent years, Slilpp has come to specialise in trading Amazon account credentials, according to security expert Brian Krebs.

Writing in 2017, Krebs added that its operator is known to buy up credentials that are gathered by credential-testing crime groups who harvest and enrich details stolen or leaked from major data breaches at social media and e-commerce platforms.

Cyber gangs routinely trawl through infamous breaches from years gone by, such as the recently discovered cache of 533 million Facebook users' credentials. They would then see how many of the email address and password pairs work at hundreds of other banking and e-commerce sites. Slilpp served as a central hub for this enterprise.

The details of users registered with more than 500 merchants were traded on the site as of 2017, including many household names such as Amazon, Tripadvisor, and Argos. The price for a credential pair was $2.50 (roughly £1.70) at the time.

The DoJ claims the number of vendors, merchants, and service providers whose users' details were being traded through Slilpp is closer to 1,400. The department also claims that stolen credentials sold through Slilpp have led to the loss of $200 million in the US alone, according to best estimates.

Featured Resources

Join the 90% of enterprises accelerating to the cloud

Business transformation through digital modernisation

Free Download

Delivering on demand: Momentum builds toward flexible IT

A modern digital workplace strategy

Free download

Modernise the workforce experience

Actionable insights and an optimised experience for both IT and end users

Free Download

The digital workplace roadmap

A leader's guide to strategy and success

Free Download

Recommended

Senate report slams agencies for poor cyber security
cyber security

Senate report slams agencies for poor cyber security

3 Aug 2021
Most employees put their workplace at risk by taking cyber security shortcuts
cyber security

Most employees put their workplace at risk by taking cyber security shortcuts

27 Jul 2021

Most Popular

Raspberry Pi launches next-gen Pico W microcontroller with networking support
Hardware

Raspberry Pi launches next-gen Pico W microcontroller with networking support

1 Jul 2022
Xerox CEO John Visentin dies unexpectedly aged 59
Careers & training

Xerox CEO John Visentin dies unexpectedly aged 59

30 Jun 2022
Former Uber security chief to face fraud charges over hack coverup
data breaches

Former Uber security chief to face fraud charges over hack coverup

29 Jun 2022