Sixgill threat Intelligence report

overstimulating: cares act fraud on the dark web

April 30, 2020

If there’s one thing that is certain on the dark web, it’s that these threat actors sensed an opportunity last month when the U.S. government announced it would deposit checks into the accounts of millions of Americans.

So we set about looking for indirect evidence of bubbling fraud schemes. Here were some of our findings:

  • Multiple examples of threat actors seeking to buy or sell stolen identity packages (fullz) with the explicit purpose of impersonating victims to take their stimulus money. 
  • Mentions of ID terms (tax ID, paystub, Social Security Numbers, and Form 1040) averaged at 925 per day in March. Between April 5 and April 18, mentions of these terms increased by nearly 90%, peaking at 1,765 mentions on April 11, two days before the initial payments were first disbursed.
  • Several examples of accounts with major banks, including Wells Fargo, SunTrust, and Chase, that were compromised after the CARES Act was passed.

To learn more on how we are tracking threat activity related to the CARES Act, download the full report.