CertiK has previously researched the KYC black market, including the hiring of KYC actors and the trading of KYC-verified accounts. KYC-verified Web3.0 exchange accounts and related services, including KYC actor trading, are sold on various platforms such as Telegram and Discord. This raises the question of whether such account trading is also rampant on the dark web.

Our investigation into the buying and selling of KYC accounts suggests this may not be the case: CertiK’s analysis of fraudulent buying and selling of KYC accounts on 300 darknet markets showed that only 4% were associated with Web3.0 KYC fraud ads.

Investigation Background

KYC (Know Your Customer, a customer background check) is one of the legal procedures that financial service providers must comply with when selling financial services products to customers. These regulations require customers to prove their identity. Identity documents and other personal records allow financial institutions to better assess risks and detect all types of financial crime, including fraud, money laundering, financing related to terrorist activities and identity theft.

Depending on the nature of the financial service, some countries may require providers to collect customers' identity information, reassess customers by regularly updating their identity documents, screen customer transactions, and keep a close watch on key individuals, among other measures.

It may sound complicated, but it is much like applying for a loan, where the applicant's background, credit and so on are checked. People who have used centralized exchanges are likely to be familiar with some of these practices. However, the semi-anonymous nature and relative newness of the Web3.0 ecosystem make it particularly difficult for traditional financial regulators to implement KYC in the industry. There are many reasons for this, including that many exchanges are located in jurisdictions with relatively loose financial supervision, and most of these jurisdictions do not regulate financial platforms according to unified international standards.

The current regulatory environment has likely created opportunities for bad actors to use centralized exchanges (CEX) to launder money and transfer funds. One of the methods used to launder money is to obtain funds through fraudulent KYC accounts.

You can get more information by reading the article "Dialogue with Underground Gang 'KYC' Actors, Unveiling the Veil of the Fake KYC Industry Chain". That investigation focuses mainly on fraudulent KYC sales on Telegram, Discord and other social media sites (for example, hiring actors to try to pass KYC verification through fraudulent means). However, we also want a deeper understanding of how much of this activity occurs on darknet markets.

Dark web markets are often associated with criminal services, including the sale of stolen data, credit card information, malware, hiring hackers, buying and selling drugs, weapons and even human organs.

Analyzing KYC sales on darknet markets

Researching the dark web is difficult. It must be accessed using a special browser or by configuring another web browser to reach it. The browser allows one to open addresses ending in .onion. But these URLs are often "volatile" and frequently become inactive when the owner moves the site for security purposes. This makes accessing and investigating dark web markets more complicated than it seems on the surface. A URL may be "active" today and replaced by an invalid URL tomorrow.

We started our investigation with a database of over 300 darknet market links and evaluated their sales of KYC accounts. Of the initial 300 URLs, only 182 were correctly transcribed. Of these 182 complete addresses, 102 were dead links and 80 were working, active links. Of the remaining working, active links, only 12 were related to KYC account sales or fraudulent KYC advertisements for other remittance platforms such as PayPal.

Number of active and inactive links in the dark web market database

Only 27% of the links in the database are valid. Valid links to markets where KYC accounts or KYC services are sold account for only 4% of the total.

Not only is the number of markets hosting KYC CEX account advertisements quite low, the total number of advertisements on each platform is also low. The following figure shows the distribution of vendors related to the sale of KYC services across all markets.

We looked at the three markets most active by total number of ads currently listed: Nemesis, MGM Grand, and Ares, each with more than 10 ads. Although these markets had the highest number of ads, about half of the ad links were broken or were reposts from the same vendor.

While KYC ads vary from marketplace to marketplace, they all provide basic information about the service provider, namely: provider username, total supplier sales, total supplier reviews, provider rating, product price, and product description.

Example of an ad for a Paxful.com KYC account. Source: Ares Market

When examining these ads, we can also see that the vast majority of them come from the same providers. In the three markets mentioned above, we found six providers with unique usernames. However, the content of these ads indicates that there are only four distinct actors behind them, two of which use different usernames in different markets. This is based on the content of their ads being exactly the same, word for word. Below is a list of these actors and their associated provider statistics for the Nemesis, MGM Grand, and Ares markets.

Real-time KYC actor ads in the dark web
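The alias collapsing described above, treating usernames whose ad text matches word for word as one actor, can be reproduced on collected ad records as follows. This is an added example, not CertiK's tooling: the records, the vendor_* usernames and the whitespace/case normalization are constructed assumptions.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample records (market, username, ad text); not data from the investigation.
ADS = [
    ("Nemesis", "vendor_a", "Verified exchange account, full KYC, email access included."),
    ("Ares", "vendor_a2", "Verified  exchange account, full KYC, email access included. "),
    ("MGM Grand", "vendor_b", "KYC-passed account with selfie set. Fast delivery."),
    ("Nemesis", "vendor_b2", "KYC-passed account with selfie set. Fast delivery."),
    ("Ares", "vendor_c", "Aged account, documents supplied on request."),
    ("MGM Grand", "vendor_d", "Bulk verified accounts, escrow accepted."),
    ("Nemesis", "vendor_a", "Verified exchange account, full KYC, email access included."),
]

def fingerprint(text):
    """Hash of the ad text after collapsing whitespace and case (assumed normalization)."""
    normalized = re.sub(r"\s+", " ", text).strip().casefold()
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()

def cluster_actors(ads):
    """Union usernames that posted the same ad text; return sorted alias groups."""
    parent = {}

    def find(user):
        parent.setdefault(user, user)
        while parent[user] != user:
            parent[user] = parent[parent[user]]  # path compression
            user = parent[user]
        return user

    first_poster = {}  # fingerprint -> first username seen with that text
    for _market, user, text in ads:
        root = find(user)
        other = find(first_poster.setdefault(fingerprint(text), user))
        if root != other:
            parent[max(root, other)] = min(root, other)
    groups = defaultdict(set)
    for user in list(parent):
        groups[find(user)].add(user)
    return sorted(sorted(g) for g in groups.values())

def repost_count(ads):
    """Count ads whose (username, text) pair was already seen: same-vendor reposts."""
    seen, reposts = set(), 0
    for _market, user, text in ads:
        key = (user, fingerprint(text))
        reposts += key in seen
        seen.add(key)
    return reposts

if __name__ == "__main__":
    print(cluster_actors(ADS), "reposts:", repost_count(ADS))
```

On the constructed records, six usernames collapse into four alias groups, mirroring the six-to-four reduction reported above.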

While most suppliers have fairly high score rankings, there aren’t enough sales or reviews to truly assess a supplier’s influence. This is similar to sellers on Taobao who have high scores but almost no sales or reviews. Only one supplier, mikedoesittoo, has over 100 sales and 37 reviews on the Nemesis market, with multiple reviews being five-star ratings.

Summary

Overall, the market for buying and selling KYC CEX accounts on the dark web does not seem to be large, and is statistically insignificant compared with the amount of fraud in the industry as a whole.

Therefore, we may continue to see this KYC buying and selling activity dominate on Telegram and Discord. After all, these channels are already heavily used and occupied by individuals and projects in Web3.0. These social platforms are not only easier to access than darknet markets, but are also the "permanent residence" of most Web3.0 enthusiasts. Their ease of use undoubtedly creates greater convenience for criminals.