DoJ shuts down infamous stolen credentials marketplace Slilpp

The platform offered 80 million stolen credentials from roughly 1,400 banking and e-commerce providers, including Amazon and PayPal

The US Department of Justice (DoJ) has shut down the popular dark web marketplace Slilpp, which has been trading stolen username and password combinations since 2012.

The FBI, working with foreign law enforcement agencies in Germany, the Netherlands, and Romania, identified and seized control of a series of servers that hosted Slilpp's infrastructure and various domains. Meanwhile, over a dozen individuals tied with the platform have been charged or arrested to date.

The platform is well-known for trading in stolen usernames and passwords of popular financial and banking services, as well as e-commerce sites, and is considered the largest of its kind on the dark web. The DoJ said it offered more than 80 million credentials for sale prior to takedown.

"The Slilpp marketplace allegedly caused hundreds of millions of dollars in losses to victims worldwide, including by enabling buyers to steal the identities of American victims," said acting assistant Attorney General, Nicholas L McQuaid of the Criminal Division.

"The department will not tolerate an underground economy for stolen identities, and we will continue to collaborate with our law enforcement partners worldwide to disrupt criminal marketplaces wherever they are located."

Related Resource

Security awareness training strategies for account takeover protection

Why you need an inside-the-perimeter strategy for internal threats

Security awareness training strategies for account takeover protection - whitepaper from MimecastDownload now

Slilpp has been selling stolen credentials, including those for bank accounts and online payments accounts, since 2012, and initially began life as an eBay and PayPal accounts trader. In recent years, Slilpp has come to specialise in trading Amazon account credentials, according to security expert Brian Krebs.

Writing in 2017, Krebs added that its operator is known to buy up credentials that are gathered by credential-testing crime groups who harvest and enrich details stolen or leaked from major data breaches at social media and e-commerce platforms.

Cyber gangs routinely trawl through infamous breaches from years gone by, such as the recently discovered cache of 533 million Facebook users' credentials. They would then see how many of the email address and password pairs work at hundreds of other banking and e-commerce sites. Slilpp served as a central hub for this enterprise.

The details of users registered with more than 500 merchants were traded on the site as of 2017, including many household names such as Amazon, Tripadvisor, and Argos. The price for a credential pair was $2.50 (roughly £1.70) at the time.

The DoJ claims the number of vendors, merchants, and service providers whose users' details were being traded through Slilpp is closer to 1,400. The department also claims that stolen credentials sold through Slilpp have led to the loss of $200 million in the US alone, according to best estimates.

Featured Resources

Consumer choice and the payment experience

A software provider's guide to getting, growing, and keeping customers

Download now

Prevent fraud and phishing attacks with DMARC

How to use domain-based message authentication, reporting, and conformance for email security

Download now

Business in the new economy landscape

How we coped with 2020 and looking ahead to a brighter 2021

Download now

How to increase cyber resilience within your organisation

Cyber resilience for dummies

Download now

Most Popular

How to find RAM speed, size and type

How to find RAM speed, size and type

16 Jun 2021
EU plans to launch bloc-wide cyber task force
cyber attacks

EU plans to launch bloc-wide cyber task force

22 Jun 2021
What is HTTP error 400 and how do you fix it?
Network & Internet

What is HTTP error 400 and how do you fix it?

16 Jun 2021