Travel fraud in the Darknet

There are several types of services and products you can find in the Darknet related to travel fraud. The most worthwhile are fake online travel agencies operating beyond the law, where one can book stolen flight tickets and hotel rooms, rent a car or even book a whole vacation service. Let's look deeper into the topic of travel fraud in the darknet.

In the biggest Darknet markets (DNMs) one can find special fraudulent services which offer travel facilities for 25-70% of their real market value. Continue reading to gain some knowledge on how to do it and what bumps you can find on the way. Discover the details of travel frauds.

NOTE: This article is based on the situation and offers available on the market in September 2019.

In most cases, one has to find a proper vendor on a DNM and usually buy his service by paying an entrance fee ($20-100) using the vendor’s listing. Then the customer has to approach a fraudulent merchant directly to make an ultimate business by sending screenshots of the itinerary he wants to buy - vendors are eager for shoots from popular online travel metasearch engines. After that, the client just needs to pay the “discounted” price of flight/hotel booking and he is ready to travel. As in the legitimate world, different vendors have various rules on time of delivery, possible countries of departure, minimal price, payment methods or refund policy. They also may have different methods of getting that flight/hotel booking done. As frauding flight or hotel booking is not merchandise but a service, fraud vendor needs time to deliver it. Fraud travel vendors usually require 1-7 days to fulfil the order. Usually they also have some restrictions on departure time. For example, they don’t make “last minute” orders and they demand some minimum time before flight departure. Sometimes they precisely define the states which you can fly out from.

Another important issue is the payment. On all DNMs payments are accepted only in cryptocurrency. The most popular one is Bitcoin, but the growing role of Monero – anonymous cryptocurrency as Bitcoin and other mainstream cryptocurrencies are not truly anonymous, is noticeable. The currency in which the vendor accepts payment depends on DNMs options. Vendors often set a minimum price for their service. For example, one vendor offers tickets for 60% of its value but sets a minimum fee for $150. So if the flight you want to fraud is worth $200, instead of $110 (60%), you have to pay $150. In fact, don’t forget that initially there was also a small fee for entrance service ($20-100), so as a result, the minimum price is $170.

Almost all found fraud travel vendors offer escrow which is another popular method of processing payments. When a customer is buying with escrow protection he doesn’t pay directly to the vendor but to the market, who holds the money during the purchase process. After receiving the order from the vendor, the buyer notifies the market staff. Only after that vendor obtains the payment.

As fraudsters behave the same way everywhere, they scam other fraudsters too. It happens when a buyer claims he didn’t receive an order and a vendor says he fulfilled it. Buyer and vendor will dispute over it and market staff will be the third party who has to settle the argument. It is important to emphasize that the market holds escrow until the end of transaction or dispute. So if escrow is the main payment method, every day DNMs hold in deposit a huge amount of money. Another reason, for both vendors and buyers, to stay awake, is that escrow way is not entirely safe. There is always a risk that DNM staff would make an exit scam and run away with all the money. It happened many times in the past. Much safer than escrow is a multi-signature since currency won’t go to any third party wallet. Multi-sig is called 2-of-3 escrow service because it needs 2 consents (signatures) to proceed. If all goes smoothly, there are 2 signatures from the buyer and vendor. After that the vendor receives money. If there is a dispute, the market staff decides who will get currency and provides the second signature. In multi-sig, DNM staff is still a party settling the disputes, but it doesn’t hold money and eventually, it can’t steal the deposits.

Travel merchants don’t work in emptiness. Sometimes they need an intermediate product to get a flight ticket and a place, where they can sell their services. The next chapter is to explain the vendor’s typical modus operandi.

Another issue is how fraudsters get flight tickets. There are 2 well-known methods: online carding and flying points. In the process of online carding, fraudster buys credit card number with CVV code and validation date on DNM or credit cards auto shop. Then he can perform fraud purchase on airline or OTA (Online Travel Agency) website. Of course, this is a huge simplification, since there are many steps a successful carder has to perform to convert (i.e. anonymity measures, spoofing, social engineering). Various websites and locations demand different resources and methods which also complicate the whole process. The second method doesn’t require a credit card - it uses stolen accounts with flight points. Those could be accounts from the airline website or frequent-flyer programs. Such accounts one can crack on his own, if he has appropriate skills, or buy them on DNMs. For your information, buying account is a more efficient way than cracking, because it’s quite cheap. The price for one account oscillates between $2-60, but in most cases, it is around $10. While buying such accounts the fraud travel vendor can choose from the list of accounts with the exact given number of flying points he needs or states the minimal number of flight points attached to the account.

Vendors on that DNM give more information about the accounts than on the other Darknet markets. We can see the name of a website, a number of flying points, an email domain on which account is registered, from when it is listed on the market and sometimes even a name of an account owner. In some cases name and/or email can give us prompt, from which country account owner comes from, which can be handy for fraud purposes.

Airlines electronic gift cards are other flying related merchandise on DNMs. There are only a few airlines which offer gift cards, so there is a small selection of airline brands on DNMs. Still, one can buy gift cards from several US airlines. Such cards cost around 50% of its real value. In red rectangles, one can read several interesting information about the vendor (his reputation score on old - not operating anymore, DNM and level of trust on this DNM) and precise offer (price, payment method and type of cryptocurrency in which one can buy a product – Bitcoin, Litecoin and Monero).

Interesting trend that can be noticed in travel scams is that fraud travel vendors offer their services mainly on Darknet markets, but some of them can use their own websites in TOR. As every DNMs won’t operate longer than a few years, certain merchants prefer using their own shop on their own website. However, such solution works only for vendors with a remarkable reputation. Looking for travel vendors we checked 12 most popular and operating in English language DNMs and additionally several vendors’ websites. We found 14 merchants - 12 on 6 DNMs and 2 with their own websites. 2 vendors are present on several DNMs and sometimes use various nicknames on different markets. All of them provide flight tickets, 13 offer a hotel booking service, 5 car renting. Since on the Internet, we can find metasearch travel engines where we can book precisely the same 3 types of services: flights, hotel and car, it’s probable that some fraudsters get those services from that type of websites.

We can assume that part of found fraud travel services don’t provide real facilities but want to deceive other DNMs users. Such crooks who want to steal from other fraudsters are called rippers or scammers. It is hard to be sure for 100% who delivers reliable services on DNMs without buying it. Nevertheless below, we described the most reputable and interesting vendors.

Mr E: “the scientist with hacking knowledge”

We don’t want to promote fraudsters, so for the purpose of this post, we will invent their names. Let’s call the first one Mr E. Currently, he is probably the most reputable fraudulent travel vendor operating in English language DNM. In the past, he was a well-known vendor on Wall Street Market, one of the biggest DNMs in last 2 years (if you want to know the history of Wall Street Market and how it ended, read our article. On Wall Street Market Mr E had 38 deals and score 4,85/5. On travel-related DNMs, where he is selling nowadays, his score reaches 100%. His prices are quite low – only 25% of flight price, but if a real price is lower than $520 he will charge $130. One can have a 5% discount if chooses multi-signature payment method instead of escrow. There are restrictions on the list of countries from where one can depart with Mr E services: the US, Canada, the UK, Australia, New Zealand and constantly changing list of European states. Mr E has well-explained and transparent partnership rules. First, one has to contact directly and specify the order: number of tickets, day of departure, flight class and flight screenshots from one of the best-known and legitimate OTA website. Then Mr E creates listing on DNM for that transaction one has to buy. He will start working on order when the listing is fully paid and cryptocurrency is in escrow or multi-sig. For security reasons fraud travel vendor demands to establish 2 channels for communication. First is a private messaging on DNM, second is Jabber – one of the most popular and secure communicators among hackers and fraudsters. Vendor doesn’t specify the method of how he frauds airline tickets but probably it’s by hacking. Mr E can also fraud hotel booking but only for clients with whom he had been working for a long time. In like manner, he can make a last-minute booking only for his old/loyal customers. Non-preferential clients have to order flight tickets at least 5 days before departure. The vendor claims that the best time to book is between 8 days and 1 month before departure, but booking even couple months in advance is possible.

Part of Mr E profile description. Currently, that offer is not available because DNM on which Mr E was operating,suspended its activity in November 2019 as a result of unclear circumstances. It could be due to exit scam or law enforcement action.

Mr L: “Don’t worry it’s neither carding nor flying points. It’s just money laundering.”

Mr L claims he is Mr X who was active fraud travel vendor on Silk Road – one of the most important DNMs in history of Darknet (closed a long time ago). But since the name “Mr X” is currently taken by many DNMs users, he decided to change it for Mr L. One can find his offers on 2 big DNMs. He is also active on Dread, the biggest TOR forum, where there are some controversies around him. Some Darknet users say he is a scammer, some claim he provides reliable services. But neither side provided evidence (even though some kind of computer evidence are easy to counterfeit), so his credibility is still a questionable issue.

Mr L claims he completed over 8500 transactions over the years in different DNMs – it’s really a massive number and that is why it feels suspicious. He didn’t provide any piece of evidence and has no feedback on DNMs, neither positive nor negative. Mr L frauds services including booking flights, hotels, cruises, and cars. Cost of flight booking is 35-45% (he has a different price on 2 various DNMs) of real value, but the minimum price is $1000. Hotel bookings cost 35% (where the minimum price is $2000), cruise fraud costs 50% and price for car rental is 55% of real value. Clients need to order booking at least 5 days before departure. Mr L claims to offer 24/7 support in 3 languages: English, Japanese and Russian. As additional communication channels, he uses emails (ciphered protonmail), Wickr and Jabber.
Mr L says his method is the most secure because he is frauding booking services neither by carding nor by flying points. According to him, he pays for booking using SWIFT and SEPA transfers always to the same travel agency. Money comes from money laundering, so his buyers clearly also participate in this illicit process. He uses that argument to emphasize that there will be no chargeback associated with his services because there are no chargebacks in SWIFT/SEPA transfers. And because he is laundering money on a small scale, there will be no law enforcement involved. So it’s like saying “don’t worry it’s neither carding nor flying points. It’s money laundering.”

Mr L terms and conditions of services.

Mr T: “talented kid”

On the biggest DNM, where Mr L operates, we can also find Mr T. It’s easy to notice they are direct competitors: they offer the same services, work on the same biggest DNM and people often compare them to each other.

Services provided by Mr T are flights, hotels and cars. Prices for all types of orders is 35% of real value, but the minimum price for his service is $425. As we can see on the print screen above, he sold 17 such services on this precise DNM. His reputation score on reputable but already dead DNMs was: 4,96 on Dream Market (with 334 sold) and 5.0 on Wall Street Market (with 2 sold). On DNM where he operates now, he has a positive score of 96,15% and 0 disputes in his history on that market. As an alternative canal of communication, he uses Wickr and provides support 24/7. According to Dread users, he is not available very often and during conversations, they feel like talking to a teenager. Some users are certain that Mr T indeed is a kid who learned his fraud methods from another fraudster who is not doing business anymore. On forums, there are also opinions he is a scammer but good feedback prevails.

That Dread user compared Mr T and Mr L services. According to him, Mr T is the definitively more reliable vendor.

Mr P: travel with the biggest vendor on the market

Mr P is one of the biggest and most popular vendor on the market where he operates. Apart of holidays services, he provides a large number of various merchandise: fraud, cracking and spamming tutorials, templates for documents counterfeiting, forged documents, dirty money, exploits, cracked accounts and other fraud services like carding targeted item and sending it to a client. This is the only fraud travel vendor who offers such variety of products and services. Such diversity is rare.

Mr P sells comprehensive holidays services: flights in both ways and hotel rooms. When we compare him to fraud travel vendors mentioned before, we can notice that he is the only one that has fixed prices (CAD 600 per person + CAD 100 entrance fee for deposit) and he needs only 48 h before departure to fill the order. In his portfolio, Mr P offers at least 5 days vacation services and the maximum value of the trip on the OTA website is CAD 2000 per person. When one pays an entrance fee on Mr P market listing, he needs to sent order details: the number of travellers, destination country, name of the hotel, vacation length and date. The lack of information about the country of departure may just be a negligence, but it is also possible that this service is provided only for people living in Canada. His prices are given both in CAD and USD, and most of all, that DNM is focused on the Canadian market. While cooperating with Mr P, additional aspects need to be taken into consideration. On the one hand, Mr P has 99% positive score with almost 1500 items sold and he is tagged by DNMs admins as one of 2 top vendors. On the other hand, there are no forums’ opinions about Mr P on the main TOR forums, neither good nor bad. The DNM he operates on is quite new, as it was opened in 2019. So, although there are vendors who are well-known and they claim there are no administrative problems with that market, it is possible, that Mr P is scam vendor cooperating with DNM admins. With great advertising as a top vendor, he may attract customers. Good feedback is given by fake accounts and bad feedback is deleted by admins. Huge variety of products and services he offers also speaks in favour of this opinion. Which one is a true story, we will see in the nearest future.

Travel-related fraud services are rather a niche but still interesting phenomenon. A person who is buying and using flight tickets takes a far bigger risk than a person buying goods in DNM, so it is surprising there are clients who want to buy these services. When they l appear in person in the airport or hotel they will not hide behind VPN or TOR, as fraud travel vendors do. We can explain this with the simple fact, that there are countries where law enforcements have more serious problems than catching fraudsters from another part of the world checking in at the hotel. This is one of the reasons why some people take the risk and use travel vendor services.

In the future, we will also describe fraud travel vendors operating on Russian language part of the Internet. Part of them doesn’t hide in Darknet but sells their services on fraudsters’ forums and markets in Clearnet.

Stay tuned for more!

If you would like to know more about our anti-fraud solution for travel read more here or talk to us directly!