In addition to the risk matrices we’ve discussed in previous sections, the data we were able to gather from underground data shops includes other interesting tidbits that we will present in this section.
The following analysis looks at logs sold on Russian Market. Each log is the data an infostealer exfiltrated from a single infected computer. These marketplaces work like eBay in the sense that log owners list the whole data dump for sale at a specific price. It’s important to note that the data we present in this report is just a snapshot; if we had performed the same analysis in another week or month, it might have yielded different results.
We did not look at personally identifiable information (PII) because that is precisely the type of data criminals pay for. We could only see generic data about the infected computer, including the country where it is located. This allowed us to perform a per-country analysis to check which countries are most at risk of being targeted by an infostealer. The data in Figure 8 was collected in May 2023.
Just by looking at the number of logs from each country, we can get a very basic metric of which countries are most at risk. Bear in mind that each log seller could specialize in specific sets of countries. This could skew the analysis, but we have no way to check for that. The top 10 list by this plain metric is as follows:
Figure 8. A chart of countries at risk based on the number of logs sold on Russian Market
To extract a more accurate infection risk figure for each country, we weighted the number of logs from each country against that country’s internet user base.1 The resulting top 10 is quite different: countries with fewer internet users but many stolen logs rank higher. The key metric here is the number of stolen logs per million internet users in the country.
Figure 9. Number of logs per country, normalized by each country's internet population
Finally, to put everything together in this country-based analysis, we want to assign a risk rating to each country. We combined these findings with the asset risk matrix from the previous section, modifying it so that we could put a number to the following question: “What is the risk level of crypto wallets (or any of the other seven previously described asset categories) in country X?”
To do this, we reused the risk matrix from the previous section, which assigns a risk number to each of the seven asset categories. In the new “per country risk” table in Figure 10, Portugal (the riskiest country) gets 100% of each asset’s risk (7 for crypto wallets, 7 for web credentials, and so on). Every other country gets a percentage of that risk equal to its “logs per 1 million users” figure divided by Portugal’s. For example, the second country, Brazil, had 3,717 logs per 1 million users, which is 50.45% of Portugal’s 7,368 logs per 1 million users. Brazil therefore gets that percentage of the risk for each asset: 3.53 for crypto wallets and 3.53 for web credentials (7 multiplied by 50.45%).
1 The main source for internet users per country is Wikipedia. The individual sources for each country are cited at the bottom of the Wikipedia page. Taiwan is not listed on that page, so our source for Taiwan is DataReport. Each figure is dated differently, depending on the source, ranging from 2020 to 2023.
Figure 10. Data risk estimates per country based on logs per 1 million internet population
Note that the right-hand side of the table shows the sum of the individual risks for all assets per country, which allows us to compare countries’ overall risk levels. Please also note that Luxembourg did not show up in the logs; it is listed only because it is a member of the EU15 (the European Union with 15 members). This is the resulting ranked table based on the total risk of all data assets:
Figure 11. The top 20 countries’ total data risk estimates
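The per-country scaling described above, written out as an added example (this is not the report’s own code or data). The raw log counts and internet-user figures are constructed, chosen so that the logs-per-million results match the Portugal and Brazil figures quoted in the text; only two of the seven asset categories are included, both with the weight of 7 the text gives them, and Luxembourg is included with zero logs to show how a country absent from the logs is handled.

```python
"""Per-country infostealer risk estimate following the method described in
the text: logs per million internet users, then each asset's risk weight
scaled by the country's share of the riskiest country's figure.

Added example, not the report's own code or data. Sample inputs are
constructed; asset weights are the two the text quotes (7 and 7)."""
from typing import Dict, List, Tuple

# Risk weight per asset category from the report's matrix.
# The real table has seven categories; these two are the ones the text quotes.
ASSET_RISK: Dict[str, float] = {"crypto_wallets": 7.0, "web_credentials": 7.0}

# Constructed sample input: (logs seen on the market, internet users).
# Counts chosen so the per-million results match the text's figures.
SAMPLE_DATA: Dict[str, Tuple[int, int]] = {
    "Portugal": (62_628, 8_500_000),     # -> 7,368 logs per million
    "Brazil": (613_305, 165_000_000),    # -> 3,717 logs per million
    "Luxembourg": (0, 600_000),          # no logs; listed for EU15 completeness
}


def logs_per_million(logs: int, internet_users: int) -> float:
    """Normalise a raw log count by the country's internet population."""
    if internet_users <= 0:
        raise ValueError("internet user count must be positive")
    return logs / internet_users * 1_000_000


def risk_table(per_million: Dict[str, float],
               asset_risk: Dict[str, float] = ASSET_RISK) -> Dict[str, Dict[str, float]]:
    """Scale each asset's weight by the country's share of the top country's
    logs-per-million figure (the top country gets 100%), and add a total."""
    top = max(per_million.values())
    if top <= 0:
        raise ValueError("no country has any logs; nothing to normalise against")
    table: Dict[str, Dict[str, float]] = {}
    for country, value in per_million.items():
        share = value / top  # 1.0 for the riskiest country, 0.0 for no logs
        row = {asset: round(weight * share, 2) for asset, weight in asset_risk.items()}
        row["total"] = round(sum(row.values()), 2)
        table[country] = row
    return table


def rank_countries(table: Dict[str, Dict[str, float]]) -> List[Tuple[str, float]]:
    """Countries ordered by total risk, highest first."""
    return sorted(((c, row["total"]) for c, row in table.items()),
                  key=lambda item: item[1], reverse=True)


def run_example() -> List[Tuple[str, float]]:
    """Run the pipeline on the constructed sample and return the ranking."""
    per_million = {c: logs_per_million(logs, users)
                   for c, (logs, users) in SAMPLE_DATA.items()}
    table = risk_table(per_million)
    for country, row in table.items():
        print(f"{country:11s} {per_million[country]:8.0f}/M  "
              + "  ".join(f"{a}={v:.2f}" for a, v in row.items()))
    return rank_countries(table)


if __name__ == "__main__":
    print(run_example())
```

Feeding the page’s own figures directly (Portugal 7,368 and Brazil 3,717 logs per million) reproduces the 3.53 per-asset risk for Brazil; with all seven categories in ASSET_RISK the “total” column corresponds to the right-hand side of the table in Figure 10.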
We performed the country analysis in Figure 11 with data from Russian Market only, because 2easy.shop had certain limitations on data downloads that forced us to work with just a subset of its total data. That subset was biased and unreliable, so we did not continue the analysis with 2easy.shop data. For completeness, the top 10 countries on 2easy.shop looked like this:
Figure 12. A chart of countries at risk based on the number of logs sold on 2easy.shop
The similarity between the two top 10 tables (from Russian Market and from 2easy.shop) makes us think that perhaps the same data is being sold in both markets. Although this is unethical, it’s a real possibility, since criminals are not often bound by ethical constraints. As previously mentioned, these numbers could be biased by the kind of logs the log owners decide to upload. It could also be that developed countries have a better security posture overall than the countries shown here.
We also looked at which websites’ credentials are the most interesting for criminals to purchase on underground shops. For this, 2easy.shop had better data; we could download a list of all the domains for which it had credentials for sale. This list shows the top domains on 2easy.shop before the list reaches a very long tail of more obscure domains:
Figure 13. Top domains with credentials on 2easy.shop