Cybercriminals Gamble With Victims' Livelihoods To Pass the Covid-19 Blues

Our underground monitoring revealed several ways how criminals have been entertaining themselves during isolation, with normal activities that offer cyber-crime-related prizes.

by Erin Johnson, Vladimir Kropotov, and Fyodor Yarochkin

In the Trend Micro 2020 midyear security report, we discussed how the Covid-19 global pandemic affected the cybersecurity industry. However, the pandemic didn't just change the way businesses (and subsequently, their employees) operate; the nature of certain criminal activities have also changed in this time of isolation.

Interestingly, some of this involves what we might call “leisure activities.” However, unlike most people (for whom leisure time might involve a round of Netflix shows), cybercriminals have not passed the time in the same way. Unsurprisingly, their leisure time leads to even more crime, negatively impacting global communities.

Our underground monitoring revealed several ways how criminals have been entertaining themselves during isolation, with normal activities that offer cyber-crime-related prizes. From seemingly “wholesome” activities such as rap battles to more sinister fare such as poker tournaments and other competitions for stolen credit cards, criminals have been entertaining themselves by playing games with the lives of those who may already be suffering from the pandemic.

Cybercriminal pastimes during the time of Covid-19

Cybercriminals seem to favor certain types of online competitions, which have increased in frequency in 2020 as the pandemic progressed. These include:

  • Online rap battles
  • Poker tournaments
  • Poem contests
  • In-person sport tournaments

Some of these activities (for example, the MMA tournaments) involve personal meetups between the participants, with most happening in local sport clubs, bars or cafes.

On the surface, this all seems like innocent fun in which normal people also participate. However,  beneath the veneer of fun and games is a far more troubling scenario: these seemingly legitimate activities award criminally obtained assets as prizes. These range from credit card dumps to personally identifiable information (PII).

Many of these prizes are obtained through malicious means and can be used to facilitate more cybercrime. For example, PII is often used for identity theft, while credit card dumps are used to commit credit card fraud.

Not only are these prizes questionable, but the legality of some of the activities themselves may also be in question. For example, poker tournaments may not be legal as online poker is illegal in some countries. However, quarantine restrictions during the global pandemic have increased the frequency of underground poker tournaments.

We have observed some underground forum members even proposing an increase in the frequency of tournaments from weekly to daily due to the extra free time afforded by the Covid-19 lockdowns. Poker tournaments have become exceedingly popular in the underground, and we have observed dozens of forum threads advertising poker tournaments.

Overall, about half of the online criminal platforms we examined offered some sort of Covid-19-related entertainment program.  Some seemed fairly innocent, like a story contest with monetary prizes, while others offered rewards of criminal nature.

The screenshot in Figure 1 shows that many of these threads were created during Covid-19 times, with some already having several thousands of views.


Figure 1. Dedicated poker section on the underground forum

Some underground poker clubs grant additional forum privileges for active players. Parts of these privileges are static, like discounts on escrow service commissions for money exchanges. Other groups change benefits each month, possibly to keep users coming back. In June, participants had a 50% discount on all escrow service commissions (5% instead of 10%).

To become an active member, malicious actors can join the poker club forums, join the related poker group in Telegram, or install an application from the poker room at a specific poker site and join the club using the app. Actors must participate in club games at least three times to become a member, and then play at least four times a month to keep their membership.

We also saw rap battles gain popularity, perhaps as a way to create a virtual shared experience within the safety of underground marketplaces. Similarly, poetry contests were also in demand as criminals flexed their “creative” muscles while being confined indoors. One poetry contest even combined some of these leisure activities, challenging competitors to produce poems about poker tournaments.

We’ve seen an ongoing interest in these types of contests with similar prizes. For example, some prizes were offers to pay the participation fee for poker tournaments.


Figure 2: Poetry contest used to promote a poker tournament

Cybercriminals used the poems submitted to the contest to promote tournaments and prizes. These poems are written with heavy use of forum slang and could feature such phrases as “Teri give socks,”  referring to  SOCKS proxies; or “Sphere,” which refers to the customized browser Linken Sphere that malicious actors use to mimic legitimate user environments.

Stolen Prizes for Criminal Games

As mentioned earlier, the leisure activities themselves are generally not the problem. The prizes for winning these contests are where the criminal element comes into play. These prizes are normally supplied by underground forum actors, further stimulate crime.

The prizes we observed on online offers include:

  • Access to cloud-based logs of stolen data, including PII and stolen credit cards.
  • Licenses for Linken Sphere, a customized browser that uses stolen credentials and system fingerprints to avoid antifraud system detection. Criminals typically use these to monetize stolen credit cards or payment systems credentials.
  • A VISA Gold Card (with a seven-month warrantly) registered using leaked scanned IDs.
  • Two airplane tickets purchased using a stolen credit card, which is similar to what we reported here, but in a new setting as a competition prize.
  • A script to automate the creation of cloned websites and e-shops. Underground actors often use these to harvest user credentials, PII, credit cards, e-wallets, and other monetizable assets by tricking users into logging in and shopping on a cloned version of a website.
  • Verified Yandex money and QIWI wallets registered to money mules. Underground actors often use these for money transfers, as a means of payment in e-shops, or to purchase virtual private server (VPS) and other necessary assets for their business.
  • A license for credit card fraud anti-detection software, along with 50 custom configurations. This software is used along with stolen payment information to mimic the legitimate credit card owner while avoiding detection by antifraud systems.
  • Monetary prizes that were originally accumulated through criminal activities.


Figure 3: Examples  of prizes used to promote further crimes

Impact on people and businesses

The prizes  — and their use for further malicious activities  —  presents a strain for individuals and organizations already suffering because of the pandemic.

Identity theft and the use of stolen credit cards can be highly damaging.  Verified wallets and bank accounts are often registered using leaked PII and scanned documents from companies and individuals. When these stolen accounts are used for criminal activities, the true owner could unknowingly have their name connected to criminal activities. Meanwhile, identity theft may lead to severe consequences for victims.

Additionally, the specific (crime-assisting) software licenses offered as prizes are very valuable — and highly useful for cybercriminals. The antifraud detection software Linken Sphere costs about US$100 per month, or US$500 for a six-month subscription.

These threats aren’t new — of course, credit card fraud, identity theft, and stolen software have been around for years. However, criminally obtained assets being used as prizes for personal entertainment is a phenomenon that demonstrates the mentality of these criminals; the stolen assets are simply assets that can be awarded, traded, or given away. However, it's very different for the victims, as it’s their livelihood being passed around like printed bills in a sociopathic game of Monopoly.

Cybercriminals entertaining themselves, creating games, and participating within their community during this time of quarantine and seclusion may seem innocent at a glance. However, crime is crime, and these activities will almost invariably lead to more crime.  

The Covid-19 situation brought a lot of difficulties and economic distress to our communities. People continue to get sick,  lose their loved ones, or even pass away themselves. Thousands of families are trying to figure out how to pay for massive medical bills. Offices are closed, while many have lost their jobs — leading to high unemployment.

Treating people’s livelihood and finances as assets to be traded for entertainment is never okay, even more so given the current circumstances. It is extremely unethical to organize entertainment events that take advantage of and victimize other people.

Trend Micro’s mission is to make the internet a safer place, and we will continue to proactively disrupt cybercriminal activities. We’ve never felt more motivated to work toward this mission as people need protection during such times as these. Mutual help and support are extremely important for our goal to succeed.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.