Today, the U.S. Department of Justice (DOJ) announced the shutdown of SSNDOB, a marketplace that sold personally identifiable information (PII) of victims around the world on both the darknet and clearnet, following an investigation by IRS-Criminal Investigation and the FBI. SSNDOB operated for several years using many different internet domains, and is believed to have held the PII of approximately 24 million U.S. citizens, the sale of which has enabled a variety of criminal schemes around the world and generated more than $19 million in revenue. The SSNDOB domains that were seized today include:
Below, we’ll tell you more about SSNDOB’s operations and why this shutdown represents an important victory in the fight against cybercrime.
What was SSNDOB?
SSNDOB’s site used a simple interface. Users were greeted with a login page and a URL they could use to access the service’s darknet site.
Once a user registered for SSNDOB, they received a deposit address tied to their account, to which they could transfer cryptocurrency to be spent later on the service. In other words, users topped up a balance at their SSNDOB address rather than paying for each purchase directly from their own wallets. SSNDOB primarily accepted Bitcoin, but is also known to have accepted Litecoin.
Users were able to browse available PII by country and search for specific names or other characteristics. PII sold on SSNDOB included email addresses, passwords, credit card numbers, and in the case of many American victims, social security numbers. Cybercriminals who purchased this information could use it to conduct phishing attacks and blackmail scam campaigns, as well as to create accounts on social media and financial services under assumed identities.
Blockchain analysis: SSNDOB’s cryptocurrency transaction history and connections to Joker’s Stash
Using Chainalysis Reactor, we can see that SSNDOB’s Bitcoin payment processing system has been active since April 2015. Since then, the service has received nearly $22 million worth of Bitcoin across over 100,000 transactions. That works out to roughly $220 per transfer on average, with a median payment size of $80, which matches what we’d expect for individual purchases of PII. However, some transfers have been much larger, a few exceeding $100,000 worth of Bitcoin, suggesting that some “power users” are buying PII from the service in bulk.
Most funds sent to SSNDOB have come from centralized and P2P cryptocurrency exchanges, as well as other services. Interestingly, roughly 10% of funds sent to SSNDOB have come from cryptocurrency ATMs, a higher proportion than we typically see for most services, including darknet markets and other illicit providers.
Perhaps most interesting of all though is the activity we see between SSNDOB and Joker’s Stash, a large darknet market focused on stolen credit card information and other PII that shut down in January 2021. Between December 2018 and June 2019, SSNDOB sent over $100,000 worth of Bitcoin to Joker’s Stash, suggesting the two markets may have had some relationship to one another, including possibly shared ownership.
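The three observations above (a mean far above the median pointing to bulk buyers, the share of inbound value coming from a particular source type such as ATMs, and outflows to another market within a date window) are all simple aggregations over attributed transfers. The following is an added example, not code from the original post or from Chainalysis Reactor, showing those aggregations over a constructed sample of transfers. It assumes the analyst already has each transfer’s USD value, its direction relative to the market’s address cluster, and a counterparty label of the kind an attribution tool supplies; the labels, dates and amounts are invented for illustration.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean, median
from typing import Iterable, List


@dataclass(frozen=True)
class Transfer:
    """One attributed transfer touching the market's address cluster."""
    when: date
    amount_usd: float      # USD value at the time of the transfer
    direction: str         # "in" = paid to the market, "out" = sent by the market
    counterparty: str      # attribution label of the other side (assumed input)


# Constructed sample; none of these values are real observations.
SAMPLE: List[Transfer] = [
    Transfer(date(2019, 1, 5), 80.0, "in", "exchange"),
    Transfer(date(2019, 1, 6), 60.0, "in", "p2p_exchange"),
    Transfer(date(2019, 1, 9), 120.0, "in", "atm"),
    Transfer(date(2019, 2, 2), 80.0, "in", "exchange"),
    Transfer(date(2019, 2, 14), 5000.0, "in", "exchange"),   # a bulk purchase
    Transfer(date(2019, 3, 1), 40.0, "in", "atm"),
    Transfer(date(2019, 3, 20), 2500.0, "out", "other_market"),
    Transfer(date(2019, 8, 1), 900.0, "out", "other_market"),  # outside window
]


def inbound(txs: Iterable[Transfer]) -> List[Transfer]:
    """Transfers paid into the market (customer deposits)."""
    return [t for t in txs if t.direction == "in"]


def payment_profile(txs: Iterable[Transfer]) -> dict:
    """Count, mean and median of inbound payments.

    A mean well above the median is the signature of a few large buyers
    sitting on top of many small, individual purchases.
    """
    amounts = [t.amount_usd for t in inbound(txs)]
    return {"count": len(amounts), "mean": mean(amounts), "median": median(amounts)}


def bulk_buyers(txs: Iterable[Transfer], multiple: float = 50.0) -> List[Transfer]:
    """Inbound transfers larger than `multiple` times the median payment.

    The multiple is a tunable threshold, not a value from the post.
    """
    ins = inbound(txs)
    med = median(t.amount_usd for t in ins)
    return [t for t in ins if t.amount_usd > multiple * med]


def source_share(txs: Iterable[Transfer], label: str) -> float:
    """Fraction of inbound value attributed to counterparties labelled `label`."""
    ins = inbound(txs)
    total = sum(t.amount_usd for t in ins)
    part = sum(t.amount_usd for t in ins if t.counterparty == label)
    return part / total if total else 0.0


def outflow_to(txs: Iterable[Transfer], label: str, start: date, end: date) -> float:
    """Total value the market sent to `label` between start and end (inclusive)."""
    return sum(
        t.amount_usd
        for t in txs
        if t.direction == "out" and t.counterparty == label and start <= t.when <= end
    )


if __name__ == "__main__":
    profile = payment_profile(SAMPLE)
    print(f"inbound payments: {profile['count']}, mean ${profile['mean']:.2f}, "
          f"median ${profile['median']:.2f}")
    for t in bulk_buyers(SAMPLE):
        print(f"bulk transfer: {t.when} ${t.amount_usd:,.2f} from {t.counterparty}")
    print(f"share of inbound value from ATMs: {source_share(SAMPLE, 'atm'):.1%}")
    window = outflow_to(SAMPLE, "other_market", date(2018, 12, 1), date(2019, 6, 30))
    print(f"sent to other_market in window: ${window:,.2f}")
```

The same functions work on a real export once each row carries a direction and an attribution label; the mean-versus-median gap and the threshold in `bulk_buyers` are what separate routine retail purchases from the bulk buyers the post describes.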
The SSNDOB shutdown is a win against digital fraud
Services like SSNDOB enable several different kinds of digital fraud by giving cybercriminals access to stolen PII. Not only can this stolen information be exploited to target victims for scamming, it can also be used by cybercriminals to set up online accounts that can’t be traced back to them, which then form the backbone of other cybercriminal schemes. We saw a particularly serious example of the latter when the Russia-based Internet Research Agency used social media accounts created with stolen information to spread disinformation in the lead-up to the 2016 U.S. elections.
We commend the FBI, IRS-CI, and DOJ for their work to shut down SSNDOB, which is the latest in a string of darknet market closures over the past year. These closures show that cryptocurrency is far from the anonymous, crime-friendly mode of exchange it’s been characterized as in the past. Over and over, illicit services that embrace cryptocurrency have opened themselves up to law enforcement scrutiny and been shut down, in large part because of the inherent transparency of blockchains.
This website contains links to third-party sites that are not under the control of Chainalysis, Inc. or its affiliates (collectively “Chainalysis”). Access to such information does not imply association with, endorsement of, approval of, or recommendation by Chainalysis of the site or its operators, and Chainalysis is not responsible for the products, services, or other content hosted therein.
Chainalysis does not guarantee or warrant the accuracy, completeness, timeliness, suitability or validity of the information in this report and will not be responsible for any claim attributable to errors, omissions, or other inaccuracies of any part of such material.