Cyber Incident Victim: Swarmshop

Date: Mar 2021

Location: United States of America

Summary

A cyberattack on an underground carding marketplace resulted in the leak of over 600,000 stolen payment cards, alongside online banking credentials and nearly 70,000 Social Security and Social Insurance Numbers. The breach exposed administrative, seller, and buyer records—including nicknames, hashed passwords, contact details, and transaction histories—impacting over 12,000 users. Researchers confirmed the incident involved fresh data, contradicting initial claims of recycled information from an older breach. This event was part of a broader wave of attacks targeting similar illicit platforms, with speculation pointing to retaliatory motives behind the intrusion. The attackers provided no explanation, simply releasing the database publicly.

Description

On March 17, 2021, threat actors breached Swarmshop, an underground carding marketplace operational since April 2019, and leaked its entire database on another forum. The leaked data included 12,344 records encompassing nicknames, hashed passwords, contact details, and activity histories of 4 administrators, 90 sellers, and 12,250 buyers. The dump also contained 623,036 stolen payment card records from banks in the U.S., Canada, U.K., China, Singapore, France, Brazil, Saudi Arabia, and Mexico, alongside 498 sets of online banking credentials and 69,592 U.S. Social Security Numbers and Canadian Social Insurance Numbers. Attackers provided no explanation for the breach, only sharing a link to the database. Swarmshop administrators initially dismissed the leak as recycled data from a January 2020 incident, urging users to change passwords, but Group-IB researchers confirmed the data was new based on recent activity timestamps. The breach exposed account balances and contact information for some users, compromising the anonymity of participants in the illicit marketplace.

The incident occurred during a wave of attacks targeting underground forums in early 2021, with Swarmshop being the third such breach in March alone. Earlier that month, Russian-speaking forum Maza suffered a member data leak, while February saw breaches at Verified, Dread, and Club2Crd—including Verified’s infrastructure takeover via vulnerability exploitation and Club2Crd’s moderator account hijacking. Group-IB CTO Dmitry Volkov characterized Swarmshop’s breach as uncommon for card shops, suggesting a potential revenge hack motive that resulted in sellers losing both their illicit goods and personal data. The leak eliminated Swarmshop’s operational base by exposing its entire user community and inventory of stolen financial data, effectively dismantling the marketplace. No containment measures or post-breach recovery efforts by Swarmshop were reported beyond the initial password reset directive.
