A (15:07)

So when you're talking about underground marketplaces, you're talking about the key platforms for the sale and distribution of typically things like stolen payment card information, personally identifiable information, or PII account credentials, and other sort of sensitive information like the logs from info stealer malware. So these shops represent sort of the professionalization and commodification of cybercrime because they are truly a centralized place where they offer this very similar to any sort of online marketplace where you might buy, you know, gifts or clothing or things like that. It just happens to be stolen information.

B (15:45)

Can you give us an idea of the breadth of these marketplaces and how they're kind of tiered? Are there top marketplaces that sort of lead everything or how does it work?

A (15:57)

Yeah, so they've gone on, like undergone a significant evolution under the last 10, 15 years. So you used to have these really prominent marketplaces that were these large sort of multipurpose platforms, and they've shifted more to, you know, a more specialized and fragmented ecosystem. And this was mostly driven actually from law enforcement action. So as long as you don't have a mix of some new technological advancements, but you used to have really large marketplaces. So some that might sound familiar to viewers are things like Silk Road, AlphaBay and Hydra Market, and those sold everything from drugs to hacking tools. And those were, you know, the top of their game at the time. But those law enforcement actions showed that these large centralized operations were very vulnerable once they were taken down. So as a result, we've seen actually more niche marketplaces with specialized offerings. So you might have a marketplace that just offers payment card information, or a marketplace that just offers information stealer logs. So you have some that are, you know, sort of that single offering type marketplace, something like a dump shop or something like that. And then there are still some that have multifunctional marketplaces, and there are still some that are kind of top of the game as well. So, yeah, for us, we do tier them. We tier them just kind of based off of the size of them, how long they've been around, how popular they are with cybercriminals. So there definitely are preferred marketplaces, but kind of two categories, the sort of multifunctional category and the single use category.

B (17:31)

Am I correct in my understanding that these markets are largely reputational based?

A (17:39)

Yeah. So in the cybercriminal underground, because you're dealing with people who aim to be anonymous, your reputation is kind of everything. So when you are a successful marketplace in the underground, you're typically operating similar to an e commerce store, but you are conducting marketing much like any other sort of brand would, except it typically is on underground forums, maybe instant messaging channels. Things like Telegram. And then as people use your store, they will leave reviews or talk about if they happened to purchase something and they felt they got scammed, they'll file a complaint. And all of that is viewable on the underground. So the more reviews you have with the fewer complaints partnered with. How long you've been around increases your reputation as an underground marketplace, which makes people more likely to continue to use you.

B (18:32)

And where do we stand when it comes to law enforcement? How successful have they been at taking these things down?

A (18:39)

They have been successful. So there's been a couple notable law enforcement takedowns in recent years. So they are a compelling target for law enforcement agencies because they are some of the foundational. These marketplaces offer some foundational products that cybercriminals will use to then commit larger cyber crimes. So it impacts a large number of cybercriminal operations if you can take it down at that sort of early source. So in recent years, we've seen several actually significantly popular marketplaces, you know, fall to a well implemented law enforcement disruption over the years. So typically what law enforcement will do is seize the domain. But we have seen administrators get arrested and, you know, with any of these sort of disruptions, just like any of the other ones you might see for ransomware organizations or something similar, some weather the disruption, some might have spawned a successor, and some never recovered. So some of the ones we've seen recently and earlier in 2025, for example, is the Biden Cash Marketplace, which is one that sold payment cards and PII. In June, they seized about 145 related Biden cash domains and cryptocurrency funds, which, According to the DOJ's announcement, at the time, this one store had more than 117,000 customers and facilitated tracking more than 15 million payment card numbers. So even just that one disruption, you can see the size of the impact of that, which is why law enforcement, I think rightfully continues try to disrupt those operations in particular.

B (20:18)

And what are the trends that you're tracking here? Where do we see this heading in the new year?

A (20:25)

Yeah, so, you know, underground marketplaces rapidly facilitate the exchange of stolen data, but they also foster this sort of competitive environment where operators are continually trying to enhance their offerings to beat out the next person. So, you know, when it comes to 2026, what we're most likely going to see is how automation starts becoming embedded in these marketplaces so that they can start offering more products than their competitors. We're already seeing that being used across cybercriminals for things like phishing lures and things. But the other thing that we're going to see probably is the continued growth of credential based crime. So you know, info stealers, session hijacking, account takeovers, these are all really becoming foundational for many downstream attacks by cybercriminals. Anything from gift card fraud, business email compromise, everything in between. So you know, these markets are going to continue and already are optimizing around speed so that these stolen credentials can get monetized faster and faster before they can be detected by defenders. So that's something that we're definitely going to see. I think going into the next year. We're also seeing more emphasis on fraud infrastructure than a single attack. So services like card checkers, bot frameworks and access brokers are also becoming more refined. So we'll likely see maybe specialized marketplaces start to grow in these offerings as well because these allow criminals to scale their operations without necessarily needing to be technically skilled in and of themselves. And then the other thing we'll see because as I was just talking about, there is a lot of law enforcement focus on these marketplaces is resilience. I think we're going to see resilience kind of be a major theme of these cybercriminals trying to grow some roots for their marketplace and kind of try to evade what they've been seeing law enforcement do. So they're already becoming more decentralized, they're becoming more cautious, they're spreading their activity across multiple platforms, multiple domains, private channels, in an attempt to make takedowns less effective and allow their infrastructure to persist even if part of it gets disrupted. So I think they're going to continue to look more like a business optimized for these things, efficiency scale, return on investment. And defenders are going to need to adapt to that reality as well.

B (22:47)

For the defenders in our audience, what sorts of things should be on their radar? What should they be looking out for in their day to day?

A (22:57)

Yeah, I mean, depends obviously on what they're defending against. But things like credential monitoring, things like multi factor authentication on your accounts to keep them secure, even if the password gets like, you know, stolen, all of that is still very, very effective. You know, being able to quickly having, you know, password change policies and things like that, things when it comes to, you know, credit cards in general, recognizing the pattern of card testing, that looks like a lot of small rapid fire transactions that mostly fail. So looking for things like that, rate limiting by ip, adding step up verification and then, yeah, just hardening your accounts so that they can't be used. Don't leak overly specific decline reasons. Don't say it was a CVV mismatch. Add friction to your ad card or save card actions and the main thing is having some sort of response playbook for when you detect this type of activity.

B (23:58)

That's Ashley Jess, Senior intelligence analyst from Intel 471. When it comes to mobile application security, good enough is a risk. A recent Survey shows that 72% of organizations reported at least one mobile application security incident last year, and 92% of responders reported threat levels have increased in the past two years. Guard Square delivers the highest level of security for your mobile apps without compromising performance, time to market or user experience. Discover how Guard Square provides industry leading security for your Android and iOS apps at www.guardsquare.com. The world moves fast. Your workday even faster. Pitching products, drafting reports, analyzing data. Microsoft 365 Copilot is your AI assistant for work built into Word, Excel, PowerPoint and other Microsoft 365 apps you use, helping you quickly write, analyze, create and summarize so you can cut through clutter and clear a path to your best work. Learn more@Microsoft.com M365 copilot. And finally, Australia's recent mega breaches at Optus, Metabank and Latitude Financial left millions wondering how cyber disasters keep slipping through. The usual answer is technical inevitability, complex systems, clever attackers and bad luck. But research suggests another, quieter defense has been hiding in plain sight the auditors. Auditors do not write code or chase hackers. They ask awkward questions about controls, oversight and whether anyone is actually paying attention. The study found that auditors who have lived through a client's cyber breach become noticeably tougher everywhere else, flagging more weaknesses and issuing more meaningful, clean bills of health. Those clean reports, it turns out, correlate with fewer future breaches. For Australia, where regulators like Australian securities and Investments Commission and the Australian Prudential Regulation Authority are pressing boards on cyber governance, the message is firewalls matter. So does skepticism, preferably from someone who has already seen a glowing red screen ruin their week. And that's the cyberwire. For links to all of tomorrow today's stories, check out our daily briefing@thecyberwire.com we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Foreign. If you only attend one cybersecurity conference this year, make it RSAC 2026. It's happening March 23rd through the 26th in San Francisco, bringing together the global security community for four days of expert insights, hands on learning and real innovation. I'll say this plainly, I never miss this conference. The ideas and conversations stay with me all year. Join thousands of practitioners and leaders tackling today's toughest challenges and shaping what comes next. Register today@rsaconference.com cyberwire26 I'll see you in San Francisco.