On November 4, 2021, the threat actor known as ShinyHunters leaked data belonging to PagSeguro-owned online payment solution Wirecard Brasil via Raidforums. The data, which is only partially available, included personally identifiable information (PII) and credit card details from more than one million affected customers. Three days later, the actor shared the entire database, over 417GB in size. This blog post provides insights into what happened and the threat actor behind the leak.
Who is PagSeguro Wirecard Brasil?
Wirecard Brasil is a payment intermediary that provides online payment solutions to more than 200,000 customers across the region, including e-commerce platforms, marketplaces, and virtual store platforms. Their services also include anti-fraud management, early receipt, transparent checkouts and chargeback management, among other capabilities.
In August 2021, the company was acquired by PagSeguro, a Brazilian financial services and digital payments company founded in 2006.
How did it happen?
On November 4, 2021, a user known as ShinyHunters posted the following thread titled “Wirecard Brasil [Part 1]” on the cybercriminal forum Raidforums. The post did not specify how the breach occurred or when it happened, providing only the link to download the stolen data.
On November 7, the threat actor opened another thread where they shared the download link for the full data breach. This also included a link to the Wikipedia page of PagSeguro and a screenshot of the company’s stock market performance.
Analysing other mentions of this data leak using Blueliv’s Dark Web module, we discovered a thread posted on the Exploit forum selling a database of 4.8 million records of Wirecard Brasil from all the way back to December 2019. However, it’s not clear whether the incident described in this publication is somehow related to the current leak.
Threat actors behind the breach
“ShinyHunters” is a financially motivated hacking group that has been active since early 2020. They regularly publish stolen databases on the cybercriminal underground. Often these databases are posted for free, while on some occasions they auction stolen databases for between US$500 and US$5,000. Since April 2021, ShinyHunters has adopted a new modus operandi which has seen the group start demanding a ransom from the breached company in order not to leak its data online.
The group has historically targeted the education, entertainment, financial services, hospitality-leisure, retail, technology, telecommunications, and transportation sectors, across more than 10 countries. Throughout the past year, the hacking group has created profiles in several underground cybercriminal forums such as the top-tier Russian forum Exploit and the English-language forum Raidforums, on which they are most active. ShinyHunters used to have a seller profile at the now defunct Empire Market, where they made their debut by selling 91 million records stolen from Indonesian company Tokopedia in 2020. One of ShinyHunters’ known Bitcoin wallets suggests that on May 13, 2020, the threat group received a transfer worth 0.13190000 BTC (roughly US$1,300 at that time). This transaction took place a few days after the Tokopedia data breach and auction, although the amount was substantially smaller than the price demanded in ShinyHunters’ original Empire Market post (0.548381 BTC, at that time corresponding to roughly US$5,000).
Furthermore, ShinyHunters has auctioned other major companies’ databases, such as one belonging to US-based telco AT&T Inc. On that occasion, 70 million user records were auctioned on Exploit with a starting bid of US$200,000.
What kind of data has been leaked?
Blueliv analysts have obtained and analysed the data published on 4 November (roughly 12GB uncompressed). The download link for the entire 417GB leak was down at the time of writing, so that data could not be obtained.
The partial leak contains 5,000 folders with documents in various formats, including .PNG images and .PDF files. These documents contain personal IDs, invoices, telephone numbers, dates of birth and other sensitive information.
Screenshot of one of the leaked documents.
The leak also contains 100,000 card records with partial credit card numbers (first six and last four digits), the expiry date, and the cardholder’s name. Another file with the same number of records contains the hashed version of each full credit card number.
On top of the credit card information, there are also several records of bank accounts, which include bank codes, bank names, and agency numbers, among other data.
Additionally, a file named ‘users’ contains one million records, each with an email address and a SHA1 hash next to it, which leads Blueliv analysts to believe the hashes may correspond to user passwords. The same file includes an argon2 hash whose contents we have not yet been able to determine; once resolved, we will provide an update.
Screenshot of the user’s file.
Part 1 files content:
UPDATE: Further investigations on the entire leak revealed that up to 4.1 million users and around 3.48 million payment cards have been compromised.
After analysing the card details, we found that although 28.31% of the cards are already expired and a further 14.98% are soon to expire, a high percentage of them (56.7%) are still in use with valid expiry dates.
Banks and countries affected
Banks have been anonymised so that names are not disclosed.
- “Bank Metis” with almost 600,000 compromised cards
- “Bank Adrastea” with around 350,000 compromised cards
- “Bank Amalthea” with more than 300,000 compromised cards
- “Bank Thebe” with 279,080 compromised cards
The ten most affected banks are:
In terms of countries, the BIN codes show that the victims are spread across 31 countries, with Brazil the most affected (around 90%) and the United States second (around 5%). The rest of the cards are distributed across Argentina, Australia, China, Denmark, France, Germany, Italy, Japan, Mexico, the Russian Federation, Spain, Sweden, and others.
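As an added illustration, not Blueliv’s own tooling, this is the kind of triage script an analyst would run over a leaked card file to produce the expiry breakdown, the per-issuer counts and the per-country split described above. The sample records, the BIN-to-bank/country table and the analysis date are constructed, and “soon to expire” is assumed to mean within the next twelve months.

```python
import re
from collections import Counter
from datetime import date

# Constructed sample records in the layout the leak is described as having:
# truncated PAN (first six and last four digits), expiry as MM/YY, cardholder name.
# Every value is made up, including the deliberately malformed last row.
SAMPLE_CARDS = [
    ("401234******1111", "01/20", "Cardholder One"),
    ("401234******2222", "10/21", "Cardholder Two"),
    ("523456******3333", "11/21", "Cardholder Three"),
    ("523456******4444", "06/22", "Cardholder Four"),
    ("601100******5555", "11/22", "Cardholder Five"),
    ("401234******6666", "03/24", "Cardholder Six"),
    ("999999******7777", "12/25", "Cardholder Seven"),
    ("523456******8888", "02/23", "Cardholder Eight"),
    ("5234-56", "13/22", "Malformed Row"),
]

# Constructed, anonymised BIN table: hypothetical BINs mapped to (issuer, country).
BIN_TABLE = {"401234": ("Bank Metis", "BR"), "523456": ("Bank Adrastea", "BR"),
             "601100": ("Bank Amalthea", "US")}

TRUNCATED_PAN = re.compile(r"^\d{6}\*{6}\d{4}$")
EXPIRY = re.compile(r"^(0[1-9]|1[0-2])/(\d{2})$")

def expiry_status(expiry, today, soon_months=12):
    """Classify an MM/YY expiry relative to `today`. A card stays valid through the end
    of its expiry month; 'expiring_soon' means it lapses in fewer than `soon_months`
    months from the current month. Two-digit years are assumed to be 20YY."""
    m = EXPIRY.match(expiry)
    if not m:
        raise ValueError(f"bad expiry: {expiry!r}")
    month, year = int(m.group(1)), 2000 + int(m.group(2))
    months_left = (year - today.year) * 12 + (month - today.month)
    if months_left < 0:
        return "expired"
    return "expiring_soon" if months_left < soon_months else "valid"

def triage(cards, today, soon_months=12):
    """Count cards by expiry status, issuer and country; malformed rows are skipped."""
    status, banks, countries, malformed = Counter(), Counter(), Counter(), 0
    for pan, expiry, _name in cards:
        if not TRUNCATED_PAN.match(pan) or not EXPIRY.match(expiry):
            malformed += 1
            continue
        status[expiry_status(expiry, today, soon_months)] += 1
        bank, country = BIN_TABLE.get(pan[:6], ("unknown BIN", "unknown"))
        banks[bank] += 1
        countries[country] += 1
    total = sum(status.values())
    percent = {k: round(100 * v / total, 2) for k, v in status.items()} if total else {}
    return {"counts": dict(status), "percent": percent, "malformed": malformed,
            "top_banks": banks.most_common(3), "top_countries": countries.most_common(3)}
```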
The full list of affected countries is as follows:
Argentina, Australia, Bangladesh, Belize, Bermuda, Brazil, China, Costa Rica, Czechia, Denmark, France, Germany, Ghana, Hungary, Indonesia, Italy, Japan, Kazakhstan, Lebanon, Lithuania, Mauritius, Mexico, Montenegro, Papua New Guinea, Russian Federation, Serbia, Spain, Sweden, Turkey, United States of America, Uruguay.
Banking and financial services continue to be a top-tier target for threat actors around the world due to the sensitive data they hold and how readily criminals can monetize it once it is in their hands. ShinyHunters is just one example of actors who are becoming less targeted in their approach and are instead pivoting to ransom demands as a means of further increasing their profit from stolen data.
It is vital that businesses operating in the financial services industry ensure a ground-up approach to their security hygiene. Employees at every level of the business must accept a share of responsibility for cybersecurity and have a baseline understanding of the threat landscape and how it can affect them. Similarly, affected banks and customers must become extra vigilant when it comes to suspicious activity.
To support this, Blueliv’s Credit Card Theft module, part of our Threat Compass solution, provides proactive monitoring and alerts for stolen and leaked card information from your company in real time. Threat Context, Blueliv’s Threat Intelligence module, provides insights about threat actors and the cybercriminal ecosystem to help customers join the dots, prioritize defenses, and mitigate credit card breaches like Wirecard Brasil and All World Cards before it’s too late.
Contact Blueliv today for a free one month trial of Threat Compass.