DoJ shuts down infamous stolen credentials marketplace Slilpp

The US Department of Justice (DoJ) has shut down the popular dark web marketplace Slilpp, which has been trading stolen username and password combinations since 2012.

The FBI, working with foreign law enforcement agencies in Germany, the Netherlands, and Romania, identified and seized control of a series of servers that hosted Slilpp's infrastructure and various domains. Meanwhile, over a dozen individuals tied with the platform have been charged or arrested to date.

The platform is well-known for trading in stolen usernames and passwords of popular financial and banking services, as well as e-commerce sites, and is considered the largest of its kind on the dark web. The DoJ said it offered more than 80 million credentials for sale prior to takedown.

"The Slilpp marketplace allegedly caused hundreds of millions of dollars in losses to victims worldwide, including by enabling buyers to steal the identities of American victims," said acting assistant Attorney General, Nicholas L McQuaid of the Criminal Division.

"The department will not tolerate an underground economy for stolen identities, and we will continue to collaborate with our law enforcement partners worldwide to disrupt criminal marketplaces wherever they are located."

Slilpp has been selling stolen credentials, including those for bank accounts and online payments accounts, since 2012, and initially began life as an eBay and PayPal accounts trader. In recent years, Slilpp has come to specialise in trading Amazon account credentials, according to security expert Brian Krebs.

Writing in 2017, Krebs added that its operator is known to buy up credentials that are gathered by credential-testing crime groups who harvest and enrich details stolen or leaked from major data breaches at social media and e-commerce platforms.

Cyber gangs routinely trawl through infamous breaches from years gone by, such as the recently discovered cache of 533 million Facebook users' credentials. They would then see how many of the email address and password pairs work at hundreds of other banking and e-commerce sites. Slilpp served as a central hub for this enterprise.

The details of users registered with more than 500 merchants were traded on the site as of 2017, including many household names such as Amazon, Tripadvisor, and Argos. The price for a credential pair was $2.50 (roughly £1.70) at the time.

The DoJ claims the number of vendors, merchants, and service providers whose users' details were being traded through Slilpp is closer to 1,400. The department also claims that stolen credentials sold through Slilpp have led to the loss of $200 million in the US alone, according to best estimates.