Voting in the U.S. elections started recently and there is a real concern over interference and disinformation campaigns that might impact their outcome. During investigations around the elections, the Trustwave SpiderLabs team discovered massive databases with detailed information about U.S. voters and consumers offered for sale on several hacker forums. Those databases include a shocking level of detail about citizens including their political affiliation. The sellers of the U.S. voter database claim that it includes 186 million records, and if that is correct, that means it includes information about nearly all voters in the U.S. The information found in the voter database can be used to conduct effective social engineering scams and spread disinformation to potentially impact the elections, particularly in swing states.
The U.S. consumer database is claimed to include 245 million records, which is nearly the entire population of the U.S. Over 400 potential data points are provided about each person. Databases with information about citizens in other countries are also offered, such as ones for Canada, U.K., Ireland, and South Africa. Based on Bitcoin transaction information also obtained by Trustwave SpiderLabs during the investigation, the cybercriminal group made a fortune worth $100 million USD in the last five months alone. Interestingly, at least some of the data stems from publicly available government resources and hackers happily mention that in forum discussions. Other parts of the data were likely obtained from various data leaks.
US Voter Database for Sale
Cybercriminals have figured out ways to monetize the upcoming elections using information from data leaks and publicly available sources and are actively selling it for profit. We found the following post from the end of September 2020. The author was selling a database that includes the names, addresses, ages, genders, and political affiliations of 186 million voters in the US:
Figure 1: Data about 186 million US voters on sale
The post claims that a third of the records also include phone numbers. Twenty sample records were included in the post. Note the last column with the political affiliation of those voters. Recently, the thread about this database was entirely removed from the forum. Most likely the forum administrator did that to avoid unnecessary attention from researchers and law enforcement agencies. However, we established contact with the seller who said the voter database is still available to purchase.
Figure 2: The thread about the US voter database was deleted
RaidForums.com, the website where the voter and consumer databases were found, is widely known in certain circles as a place where members can obtain leaked and hacked data. As expected, this forum involves vetting before new members can see complete information and communicate with other members. Databases found here may be given away for free or sold. Databases are typically sold for a few hundred dollars, up to a thousand dollars, payable in Bitcoin. This specific post did not mention the price but asked interested members to PM (send him a private message) to find out.
GreenMoon2019 (see Figure 1) is not the only cybercriminal who offers U.S. voter information; however, he is the only one we have seen offering it for nearly the entire U.S. population. Other cybercriminals offer detailed information about U.S. voters in certain states. Sometimes that data is harvested directly from government websites. In the following example, cybercriminals mention data that is available on the ncsbe.gov site, which is run by the North Carolina State Board of Elections. The fields listed in the following post are taken directly from files that are available on that government site:
Figure 3: Data from NCSBE being mentioned on the darkweb
Other posts on RaidForums.com also mentioned the data that is publicly available on the North Carolina State Board of Elections' domain.
Figure 4: NCSBE site offering data
Anyone can download detailed Voter History Data and Voter Registration Data from the NCSBE.gov site or connect to its FTP site:
Figure 5: Sample files on NCSBE FTP site
This data can be useful for all sorts of scams and, in particular, can be used to target voters based on their voting history. Given that North Carolina is a swing state in the current election, that threat is even more significant. With all this information in hand, those adept at disinformation campaigns can influence voters by crafting social engineering attacks that leverage that data. It is no surprise that hackers feel lucky that this data was made publicly available, as can be seen in the following post:
Figure 7: Forum members discussing publicly available data
We reported our concerns to the NCSBE about cybercriminals discussing this data and got the response that the FTP site contains only public records. The fact that public records were used to help create the voter database does not make it any less dangerous than illegally obtained records from data breaches. In fact, to a cybercriminal (who generally takes the path of least resistance) it is probably more enticing, since the records will be more accurate and up to date.
In the right hands, this voter and consumer information can easily be used for geo-targeted disinformation campaigns over social media, email phishing, and text and phone scams. The world is concerned about the spread of disinformation to sway public opinion, yet sensitive information on citizens is widely available. If corporations are the only ones held to strict regulations when it comes to data privacy, disinformation campaigns and social engineering will be difficult if not impossible to address.
Information about voters in various US states is also offered on some darkweb forums, as can be seen here:
Figure 8: State-level voter DBs offered on the underground
Unsurprisingly, certain forum members are concerned about increased surveillance and attention from reporters, law enforcement agencies, and other white hats. To minimize risks on their end, some recently suggested closing registration on their forums until the US elections are over:
Figure 9: Underground forum actor suggests closing registration temporarily
More about GreenMoon2019 the Main Actor Selling These Databases
GreenMoon2019 is the actor who offered the database about U.S. voters; however, there are several other huge databases that this cybercriminal maintains and sells. He is an English-speaking forum member and has been registered there since the beginning of 2019. His reputation score on that forum, 799, is high, and the comments he received from other forum members are almost always positive (29 out of 30 comments), as seen below in Figure 10.
Figure 10: The reputation report for GreenMoon2019
GreenMoon2019 has the GOD award, which can be acquired for 50 Euros. It provides many benefits, such as the ability to exchange up to 10,000 private messages (PM), send attachments of up to 600MB, and receive 120 credits (useful on that forum).
Other reputable forum members praise GreenMoon2019 and promise other members that “they would get what they pay for”:
Figure 12: Positive comments about GreenMoon by other forum members
The Gigantic US Consumers Database
GreenMoon2019 started advertising the database about US Consumers last year:
Figure 13: An earlier offering of the US Consumer file
This summer he shared detailed information about that US Consumer database. According to the following post, it includes 245 million records (!), which is nearly the entire population of the US. The size of the database once unzipped is 437 GB:
Figure 14: A more recent US Consumer database offering
This file includes over 400 data points about each person, and recently GreenMoon2019 added 6 more data points, probably after obtaining some other leaked data that was merged in. Here are the first columns in this database:
Figure 15: Example of data contained in the US consumer database
We managed to obtain a sample file of one million records from this actor. We checked the data against various legitimate public sites and social media networks, and the data was found to be consistently accurate. It includes information about citizens such as:
- Full name
- Physical address
- Phone number
- Email address
- Number of children and their ages
- Marital status
- Ethnic group
- Their home value and purchase date
- Their mortgage amount and lender name
- A very long list of potential interest areas
Not all fields are populated. Some fields are almost completely filled in while others are only sparsely populated. It is so detailed that this file looks like a professional profiling database prepared by a government organization or enterprise.
Other Databases Offered By GreenMoon2019
GreenMoon2019 offers a variety of databases full of personal information:
Figure 16: List of available databases, fields quantity, prices, and sample locations
Several of these databases cover US citizens but also cover people living in other countries such as the UK, Ireland, Canada, and South Africa.
Revenues of Main Actors
We managed to obtain details of one of the bitcoin wallets that can be used to pay GreenMoon2019 for those databases. Money collected in that wallet was transferred to a bigger wallet. Hundreds of other wallets also transferred funds into that main wallet. Many of the transfers were in the hundreds of dollars or a bit more, consistent with the price list shown above. This main wallet was created in May and has already received Bitcoin worth over 100 million USD. GreenMoon2019 is probably part of a group of cybercriminals that draws enormous revenues from selling these databases and potentially other services and deliverables.
Figure 17: Worth of BTC transferred through the main wallet
In our investigation of criminal activities surrounding the U.S. elections, we uncovered massive amounts of information on U.S. voters up for sale along with other databases detailing individual consumers. This information can be used for social engineering and disinformation campaigns before, during, and after elections to help sway opinions toward one party or another.
As we have shown, these activities are extremely profitable and there is a real demand for these databases. We have also shown that cybercriminals are most likely mixing illegally obtained data from leaks with publicly available information on citizens and correlating them to create super databases with detailed information on almost every U.S. citizen and on citizens of other major countries.