
Russia continues cybercrime offensive with SkyFraud takedown

Officials in Russia have knocked the SkyFraud credit card fraud operation offline in the latest of a string of police actions against cybercriminals in the region.

Authorities in Russia are once again touting a major takedown of a cybercrime operation.

Notices posted on the former website of cybercrime forum SkyFraud warned users that the site had been seized by police and was being investigated for criminal charges.

According to a translation of the notice provided by threat monitoring group VX-underground, police in Russia notified visitors Monday that the site was "permanently closed during a special law enforcement operation." According to TASS, a news agency operated by the Russian government, authorities also arrested six alleged members of an unnamed cyberfraud organization on Monday.

The SkyFraud forum was one of the more popular carding sites on the internet. The site allowed users to buy and sell stolen credit card credentials harvested via fraud operations or site compromises. The stolen card details were then used to make fraudulent purchases, usually by criminals who were separated from the hackers by one or more financial transactions.

VX-underground noted that, in addition to taking the front end of the site offline, Russian police left a notice to hackers in the page's source code, embedding a comment reading, "Which one of you is next?"

Russian cybersecurity firm Group-IB said via Twitter that two other carding sites, Ferum and Trump's Dumps, were also displaying takedown notices from Russian authorities, as well as a fourth cybercrime marketplace known as UAS Service, which sold RDP credentials.

The takedown of the credit card fraud trading forum comes hot on the heels of Russian police efforts to dismantle the REvil ransomware gang. In those arrests, multiple affiliates of the REvil ransomware crew were reportedly taken into police custody.

Some threat analysts remain skeptical of this latest wave of takedowns from Russia, noting that the Kremlin has historically turned a blind eye to the dirty deeds of hackers operating within its borders. It is not uncommon for malware written in former Eastern Bloc countries to skip any and all machines using Cyrillic keyboards in order to avoid infecting domestic machines.

Rather, given the increased pressure from the U.S. and the global scrutiny over the Ukraine crisis, the Kremlin may just be looking for some goodwill.

"I think it's tough to definitively say their motivation," GuidePoint Security cyber defense senior director Mark Lance told SearchSecurity.

"The reasoning behind the takedowns could be driven by anything from internal state-related challenges with the groups/criminal organizations to a simple attempt to make calculated moves that try to address negative perception associated with their cybercrime policies."

Regardless of the motivations, having one less carding forum operating in the wild will only be good news to the potential victims whose card information can no longer be bought or sold by criminals.

Over the long haul, however, the takedown of SkyFraud will only be a success if authorities follow through and remove subsequent carding forums.

Padraic O'Reilly, co-founder of risk management vendor CyberSaint, told SearchSecurity that police will have to follow up these takedowns with efforts to get out ahead of the latest efforts by criminals.

"It seems like certain types of attacks on certain sectors are down in the last few months, but the overall trend is still up," said O'Reilly. "This suggests that attackers are adapting to the new political and enforcement environments."
