How IRS-CI Used Blockchain Intelligence to Take Down the xDedic Marketplace

‍

Internal Revenue Service, Criminal Investigation (IRS-CI) is responsible for investigating criminal violations of the US Internal Revenue Code and related financial crimes. They specialize in “following the money” related to many violations of federal law, including money laundering, cybercrime, and tax-related offenses. 

Since the group’s founding in 2018, IRS-CI has worked most of the largest illicit crypto cases in the world, resulting in the largest digital asset seizures to date. IRS-CI continues to play a critical role in combating tax crime both domestically within the United States, and globally in conjunction with international partners. 

The rise of the xDedic Marketplace

The xDedic Marketplace rose to prominence around 2014. This darknet marketplace sold compromised, remote access credentials to computer systems across the world—enabling cyber criminals to wreak all kinds of havoc on individuals’ and organizations’ lives, including financial fraud, ransomware, and extortion.

“The xDedic Marketplace listed over 700,000 credentials for servers around the world, including 150,000 in the US and 8,000 in Florida,” said Justin Allen, a special agent with IRS-CI. “One of the biggest victims was CPA firms in the United States.” 

Allen explained that threat actors used stolen credentials from the xDedic Marketplace to access CPA firms’ client data, steal the clients’ tax information, and then use the tax information to file fake tax returns the following year—generating large, fraudulent refunds which the threat actors pocketed for themselves.

How international cooperation led to the demise of xDedic

IRS-CI first became aware of the xDedic scheme in 2016, when a victim in Tampa, Florida alerted local officials to their stolen information and refunds. Allen and his team responded with federal law enforcement partners, looked at the digital artifacts that were compromised, and determined that the credentials—along with those from hundreds of thousands of other individuals—had been sold on the xDedic Marketplace.

Once IRS-CI and its partners identified cryptocurrency addresses associated with the marketplace, they used blockchain intelligence to unravel the network of associated addresses and legal process to identify real-world subjects. They were then able to identify the server location and worked with international partners to seize the data, which provided yet more information on the administrators and vendors using the marketplace.

Investigators also traced undercover payments made to xDedic accounts. From there, they reviewed outgoing transactions to identify infrastructure payments, vendors, and administrators. These payments to vendors and administrators were not direct; they frequently went through unattributed services or mixers. So investigators combined blockchain analysis and open-source intelligence to identify the threat actors. 

‍

‍

“We identified and indicted 19 individuals, including some of the administrators, vendors, and individuals that were using the site,” Allen explained. 

Allen and his team also worked in close cooperation with law enforcement authorities in Belgium and Ukraine; the European law enforcement agency, Europol; the National High Tech Crime Unit from the Dutch National Police; and the German Bundeskriminalamt. With their support, IRS-CI was able to arrest and extradite individuals involved in these crimes from four different countries—including an extradited subject who had used the xDedic Marketplace to request US tax refunds exceeding $68 million in a nine-month period.

Connecting xDedic to additional crypto cases

Not only did IRS-CI and its partners shut down the xDedic Marketplace and arrest multiple administrators and vendors, but the investigation also generated multiple leads based on the cryptocurrency transactions of related cybercriminals. 

For example, Allen noted that information from the xDedic takedown helped identify the administrator of the SSNDOB Marketplace, which listed and sold the social security numbers of over 24 million people in the United States. Thanks to IRS-CI’s and its partners’ persistence, they were also able to take down the SSNDOB Marketplace and extradite one of the site’s administrators from Hungary.

In addition to selling compromised remote access credentials, xDedic also sold personal identifiable information (PII) for US citizens. Forensic analysis revealed this was done through an API with the SSNDOB marketplace. Blockchain analysis for additional undercover payments made to SSNDOB revealed transactions with bitcoin payment processors and centralized exchanges. Investigators were able to obtain records from those locations that led to the identification of the administrators.

The xDedic seizure was a huge success for crypto crime investigations at IRS-CI. These kinds of outcomes—marked by strong international collaboration and fueled by blockchain intelligence—are a testament to the important work of agents and criminal investigators combating crypto crime on a global scale, and one of the many reasons why TRM is proud to partner with IRS-CI.