Cybercriminal Credential Marketplace “SlilPP” Shut Down, DOJ Announces

DOJ Announces Successful Disruption of Compromised Credential Marketplace “SlilPP”

On June 10, 2021, the US Department of Justice (DOJ) announced the successful disruption of the illicit, cybercriminal credential marketplace known as “SlilPP,” a specialized shop primarily used to conduct the sales and distribution of compromised credentials.

Figure 1: Tor Portal Page for SlilPP Marketplace

Credentials Sold on SlilPP Cause Losses in the “Hundreds of Millions”

Prior to its closure, SlilPP was allegedly offering over 80 million records of stolen credentials from more than 1,400 victim providers worldwide. Once cybercriminals and other threat actors purchased swaths of these compromised credentials on SlilPP, they would quickly turn around and leverage the credentials to run their own fraud operations and account takeover (ATO) activities.

According to the DOJ, the SlilPP marketplace had been enabling the sales of stolen login credentials, including usernames and passwords for bank accounts, online payment accounts, mobile phone accounts, retailer accounts, and other online accounts. Given the range of diverse and effective credential attack paths today, it stands to reason why these credentials acquired from SlilPP ultimately resulted in hundreds of millions dollars in losses to victims worldwide. 

“The SlilPP marketplace allegedly caused hundreds of millions of dollars in losses to victims worldwide.”

—Nicholas L. McQuaid, Acting Assistant Attorney General, DOJ

The FBI Led US Efforts in Coordinated Multinational Takedown Operation

The DOJ noted that US law enforcement, led by the FBI, participated in this multinational operation to take down SlilPP’s infrastructure along with several European partners from Germany, the Netherlands, and Romania. This infrastructure takedown also led to the seizure of a series of servers and domain names that are now pursuant to international legal processes.

The DOJ statement also noted that more than a dozen individuals have already been charged or arrested by US law enforcement in connection with SlilPP, while appearing to leave open the possibility of further charges still to come. 

Figure 2: Default Homepage for Illicit Credential Marketplace “SlilPP”

SlilPP Adds to List of High-Profile Illicit Marketplace Shutdowns

Before its shutdown, SlilPP was widely advertised on Russian-language underground forums, and had an extensive variety of sellers and products—particularly in its high volume credential sales for large financial institution accounts.

The SlilPP shutdown also adds to a trend in rising law enforcement activity, as the list of well-known illicit marketplaces that have been taken offline in recent months grows longer. Most notably, this list includes the Europol takedown of DarkMarket (announced in January 2021) and the INTERPOL disruption of Joker’s Stash (in December 2020), with Joker’s Stash shut down for good a few months later in February 2021.

Test Out Flashpoint CCM and Our 40+ Billion Credentials

According to the 2021 Verizon DBIR, the majority (61%) of breaches involve compromised credentials—and SlilPP was far from the only illicit marketplace to offer this valuable cybercriminal asset.

Sign up for a demo and see how Flashpoint Compromised Credentials Monitoring (CCM) with its industry-leading 40B+ records of compromised credentials will dramatically accelerate your credential validation and discovery efforts, and will mitigate your exposure to credential-based attacks, system intrusions, and account takeovers that put your organization and your customers at risk.