Slilpp Users Scammed Following Darknet Market Takedown
The US Department of Justice has taken down Slilpp, following an international collaboration between different law enforcement agencies. Slilpp emerged in 2012 and was one of the largest marketplaces for stolen credentials. According to specialized media, the FBI seized the website and placed a warning on the website.
Although it has only recently been publicized this takedown seems to have happened about a month ago. We have come across various posts in our database of people searching for the new Slilpp since May 1st 2021.
According to conversations held on some of the chat groups we are monitoring, people have been asking for the new Slilpp domain. The same question was posted on almost every single group in our database. In some cases, people even offered to pay for the link to the new domain.
A Slilpp dedicated chat group was still active at the time of writing, with a total of 554 subscribers.
Filling the Void
Scammers have been taking advantage of the void left by Slilpp with fake scamming pages. We found two domains linking to Slilpp clones. The clones looked like Slilpp and contained text such as “slilpp new domain” and “slilpp onion link” in an attempt to improve their Search Engine ranking. Both sites use encrypted connections and have certificates verified by Cloudflare (issued on April 12, 2021) and Sectigo Limited (issued on May 24, 2021). This is likely used to make the scam page more trustworthy. Also, the WHOIS record for one of the clones shows it was created back in March, about one month before we first started seeing people asking for the new domain.
This is likely an attempt to steal money and account credentials from other malicious actors. These credentials could then be used to access accounts on other markets.
The website is a frontend copy of the original, with a captcha field that is the same on the homepages of both domains mentioned, regardless of how many times the website is being accessed. This is a static, useless field just to make the website appear more legitimate. There are no dynamic elements. Users can enter any username and password, without even having an account, and they will be immediately logged in.
Once logged in, no matter what you choose, the page doesn’t change.
Additionally, the cart stays empty even after adding items:
In order to purchase information, the user is expected to fund their account by sending money to a Bitcoin address. Interestingly, one of the bitcoin addresses we found on the clones actually started receiving money last week, which indicates that the scammers may indeed be making money from this scheme.
Since June 6, “This address has transacted 16 times on the Bitcoin blockchain. It has received a total of 0.01717567 BTC ($691.87) and has sent a total of 0.01574938 BTC ($634.42). The current value of this address is 0.00142629 BTC ($57.45),” says data from Blockchain.com, at the time of writing.
However, according to Walletexplorer.com, the wallet has received a total of 0,29716661 BTC since 2021-02-01. That’s close to USD $12,000.
Aged like Wine
The WHOIS record of the domain we found says the domain was created last October. A quick Google search revealed a Google Support post with the link:
It appears this user was attempting to scam people back when Slilpp was still online, but is only now making money from it. A quick look at the Slilpp channel on reddit shows that the whole subreddit is dedicated to phishing users looking for a new working domain.
Additionally, we found that the same user is potentially associated with Joker Stash malicious websites, which may also be scams.
This is not the first time we detected copycats of popular markets. Knock-offs are not a surprise considering the constant complaints we have been reading on the channels we are monitoring, where malicious actors are accusing others of trying to scam the community by impersonating notorious criminal groups, creating clones of popular markets or simply selling fake databases or carding methods.
One of the most notorious clones was of the Silk Road, which significantly affected the criminal underground when it was taken down by US law enforcement in 2013. The shutdown of multiple markets in the past years has automatically opened the door for malicious actors to manipulate the industry’s desperation for markets similar in size and scope. Based on the chat groups, forums and markets we have been monitoring for the past year at least, we have noticed an increase in market fragmentation, which may, in the future, make it more challenging for law enforcement to track down all the channels that keep popping up.
Research conducted by Luana Pascu and Francis Labelle