Russian Reshipping Service ‘SWAT USA Drop’ Exposed – Krebs on Security

The login page for the criminal reshipping service SWAT USA Drop.

One of the largest cybercrime services for laundering stolen goods was hacked recently, exposing its internal operations, finances and organizational structure. Here’s a closer look at the Russia-based SWAT USA Drop Service, which currently employs more than 1,200 people across the United States who are knowingly or unknowingly involved in reshipping consumer goods purchased with stolen credit cards.

Among the most common ways thieves take money from stolen credit card accounts is by buying expensive consumer goods online and selling them on the black market. Most online retailers got wise to these scams years ago and stopped shipping to regions of the world frequently associated with credit card fraud, including Eastern Europe, North Africa, and Russia.

But such restrictions have created a thriving underground market for reshipping scams, which rely on willing or unwitting residents of the United States and Europe to receive stolen goods and relay them to crooks living in the embargoed regions.

Services like SWAT are known as “Drops for stuff” on cybercrime forums. The “drops” are people who respond to work-at-home package reshipping jobs advertised on craigslist.com and job search sites. Most reshipping scams promise employees a monthly salary and even cash bonuses. In reality, the scammers in charge almost always stop communicating with drops just before the first payday, usually about a month after the drop ships their first package.

Packages come with prepaid shipping labels paid for with stolen credit card numbers, or with hijacked online FedEx and US Postal Service accounts. Droppers are responsible for inspecting and verifying the contents of shipments, attaching the correct shipping label to each package, and sending it through the appropriate shipping company.

SWAT takes a percentage cut (up to 50 percent), meaning “stuffers” — thieves armed with stolen credit card numbers — pay a portion of the retail value of each product to SWAT as a reshipping fee. The stuffers use the stolen cards to buy high-value products from merchants, and the merchants ship the items to the drops’ addresses. Once the drops receive and successfully forward the stolen packages, the stuffers sell the products on the local black market.

The SWAT reshipping service has operated under different names and different ownership for nearly a decade. But in early October 2023, the current co-owner of SWAT — a Russian-speaking individual who uses the handle “Fearlless” — took to his favorite cybercrime forum to file a formal complaint against the owner of a competing reshipping service, alleging that his rival hacked SWAT and tried to poach his stuffers and reshippers by emailing them directly.

Milwaukee-based security firm Hold Security shared recent screenshots of a working SWAT stuffer’s user panel, and those images show that SWAT currently lists more than 1,200 drops in the United States available for stuffers to rent. Contact information for Kareem, a young man from Maryland, is listed as an active drop. Contacted by KrebsOnSecurity, Kareem agreed to speak on the condition that his full name not be used in this story.

A SWAT panel for stuffers/customers. This page lists the rules of the service, which will not pay stuffers for “acts of god,” i.e., authorities seizing stolen goods or arresting the drop.

Kareem says he was hired through an online job board to deliver packages for a company calling itself CTSI, and that he has been receiving and reshipping iPads and Apple watches for several weeks now. Kareem wasn’t too happy to learn that he probably wouldn’t get his paycheck on the promised payday, which was coming in a few days.

Kareem said he was instructed to create an account on a website called portal-ctsi(.)com, where he is expected to log in every day and check for new messages about pending shipments. Anyone can register on this website as a potential reshipping mule, although doing so requires applicants to share extensive personal and financial information, as well as copies of an ID or passport that matches the given name.

A SWAT panel for stuffers/customers, listing hundreds of drops in the United States by status. The “dead” are drops who are about to be cut loose without the promised payment, or who have quit on their own.

Suspecting that the login page for portal-ctsi(.)com might be a custom coding job, KrebsOnSecurity selected “view source” on the homepage to reveal the site’s HTML code. Taking a snippet of that code (for example, “smarty/default/jui/js/jquery-ui-1.9.2.min.js”) and searching for it on publicwww.com revealed more than four dozen other websites running the same login panel, all of which appear to be aimed at stuffers or drops.

In fact, more than half of the domains that use this same login panel include the word “stuffer” in the login URL, according to publicwww. Each domain ending in “/user/login.php” is a site for current and prospective drops, and each corresponds to a unique fake company responsible for managing its own stable of drops.

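As an added illustration of the pivot described above (this is not code from the article), the following Python indexes login pages by the asset paths their HTML references, reports which pages share one distinctive path, and tallies the “/stuffer/” versus “/user/” login-URL flavours. The sample HTML, the placeholder `.test` hostnames, and the function names `asset_paths`, `index_by_asset`, `pivot`, `count_login_flavors` and `defang` are all constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample pages with placeholder .test hostnames (not real site content):
# three panels embed the same distinctive jquery-ui path the article pivoted on,
# while an unrelated shop loads jquery-ui from a CDN and should not match.
SAMPLE_PAGES = {
    "example-panel-a.test/stuffer/login.php":
        '<script src="smarty/default/jui/js/jquery-ui-1.9.2.min.js"></script>'
        '<link href="smarty/default/css/login.css" rel="stylesheet">',
    "example-panel-b.test/user/login.php":
        '<script src="/smarty/default/jui/js/jquery-ui-1.9.2.min.js"></script>',
    "example-panel-c.test/stuffer/login.php":
        "<script type='text/javascript' src='smarty/default/jui/js/jquery-ui-1.9.2.min.js'></script>",
    "unrelated-shop.test/login":
        '<script src="https://cdn.example/jquery-ui-1.9.2.min.js"></script>',
}

# Value of any src= or href= attribute, single- or double-quoted.
ASSET_RE = re.compile(r"""(?:src|href)\s*=\s*["']([^"']+)["']""", re.I)

def asset_paths(html):
    """Set of script/stylesheet paths a page references, leading '/' stripped."""
    return {m.lstrip("/") for m in ASSET_RE.findall(html)}

def index_by_asset(pages):
    """Invert page -> assets into asset path -> pages, the pivot publicwww offers."""
    idx = defaultdict(set)
    for url, html in pages.items():
        for path in asset_paths(html):
            idx[path].add(url)
    return idx

def pivot(pages, needle):
    """Sorted URLs whose HTML references exactly the asset path `needle`."""
    return sorted(index_by_asset(pages).get(needle, ()))

def count_login_flavors(urls):
    """Tally login paths, e.g. '/stuffer/login.php' vs '/user/login.php'."""
    counts = defaultdict(int)
    for url in urls:
        counts["/" + "/".join(url.split("/")[1:])] += 1
    return dict(counts)

def defang(url):
    """Render a URL the way the article does, with '(.)' before the TLD."""
    host, _, path = url.partition("/")
    head, _, tld = host.rpartition(".")
    return f"{head}(.){tld}/{path}" if head else url
```

Against the constructed sample, `pivot(SAMPLE_PAGES, "smarty/default/jui/js/jquery-ui-1.9.2.min.js")` returns the three panel URLs and leaves out the shop that only loads jquery-ui from a CDN.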

Why so many websites? In practice, all drops are cut loose within roughly 30 days of their first shipment, before the promised salary is due. Because of this constant churn, each reshipping operator must constantly recruit new drops. And in this distributed setup, even if one reshipping operation is shut down (or exposed online), the others can continue pumping out many packages a day.

A 2015 academic study (PDF) on criminal reshipping services found that the average financial hit from a reshipping scheme per cardholder was $1,156.93. That study looked at the financial operations of several reshipping schemes, and estimated that approximately 1.6 million credit and debit cards are used to commit at least $1.8 billion in reshipping fraud each year.

It’s not hard to see how reshipping can be a profitable business for card crooks. For example, a stuffer buys a stolen payment card on the black market for $10, and uses that card to buy more than $1,100 worth of goods. After the reshipping service takes its cut (~$550) and the stuffer pays for his reshipping label (~$100), the stuffer receives the stolen goods and sells them on the black market in Russia for $1,400. He has just turned a $10 investment into over $700. Rinse and repeat.

The SWAT breach revealed not only the nicknames and contact information for all of its stuffers and drops, but also the group’s monthly income and payouts. SWAT apparently kept its books in a publicly accessible Google Sheets document, and this document revealed that Fearlless and his business partner regularly spent more than $100,000 per month operating their various reshipping businesses.

SWAT’s disclosed financial records show that this crime group has tens of thousands of dollars worth of expenses per month, including payments for the following recurring expenses:

- advertising the service in crime forums and through spam;
- people hired to reroute packages, usually by voice over the phone;
- third-party services that sell hacked/stolen USPS/FedEx labels;
- “drops test” services, contractors who test the authenticity of drops by sending them fake jewelry;
- “documents,” e.g., sending drops to physically obtain legal documents for new fake companies.

The spreadsheet also includes the cryptocurrency account numbers that are credited each month with SWAT’s earnings. Not surprisingly, a review of the blockchain activity tied to the bitcoin addresses listed in that document shows that many of them have deep associations with cybercrime, including ransomware activity and transactions on darknet sites that sell stolen credit cards and residential proxy services.

Information leaked from SWAT also exposed the real-life identity and financial dealings of its principal owner – Fearlless, aka “SwatVerified.” We will hear more about Fearlless in Part II of this story. Stay tuned.
