Award Banner
Award Banner

Stolen Singaporean digital identities sold on Dark Web from $8, huge spike in such data being offered for sale: Cybersecurity firm

Stolen Singaporean digital identities sold on Dark Web from $8, huge spike in such data being offered for sale: Cybersecurity firm
cybersecurity company Resecurity noted a 230 per cent jump in the number of underground sellers offering stolen identities belonging to Singaporeans.
PHOTO: GovTech

He was hoping to make a quick buck and the advertisement had promised "fast cash". 

All Reign Lee Jing Yu had to do was give up his Singpass account details for them to be used in opening bank accounts and he would be paid $8,000. Not only did he not receive the money, his account was used by scammers to launder $220,000, CNA reported in October 2023. 

The 21-year-old was dealt with under the Computer Misuse Act for disclosing his Singpass password for wrongful gain.

The case was cited as an example of how cybercriminals use stolen identities for illegal activities in an article posted by California-based cybersecurity company Resecurity on their website on June 26 this year. 

A large number of underground sellers, the article revealed, have gotten their hands on identity data of Singaporeans and are offering them on the Dark Web for prices as low as $8.

By the end of the second quarter of this year, the number of such sellers have jumped by 230 per cent compared to the same period in 2023.

This increase was determined based on mentions of "Singpass" on the Dark Web — underground forums and communities, and invite-only Telegram groups — as well as sales records from underground sellers.

Stolen data includes biometric information such as fingerprints and facial data, as well as templates for passports, driving licences, utility bills and banking statements.

Resecurity noted that it identified several major underground vendors monetising stolen identity data from Singapore around October 2023. It also detected around June this year that "large volumes of compromised identity data" were offered for sale.

Over 2,000 affected Singpass accounts recovered in June: Resecurity

The cybersecurity firm also identified a number of cybercriminal groups "operating illegally under the guise of telemarketing or customer support services" that target Singapore citizens' personal data for criminal use.

In particular, Singpass accounts are utilised for scams, money laundering and identity theft - facilitated by the anonymity of the Dark Web.

In June, Resecurity recovered more than 2,377 compromised Singpass accounts from the Dark Web and notified the victims.

In response to queries from Lianhe Zaobao, Resecurity's chief operating officer Shawn Loveland clarified that data leaks have nothing to do with Singpass's security system. Instead, he said that the online habits and lack of awareness of the victims could have led to their information being released online.

Since Jan 1, the Singpass credentials of at least 219 people had been stolen under the pretext of job screening to open bank accounts, The Straits Times reported in May. This was a spike from the figure reported in March, when the police said there were at least 47 such victims since the start of the year.

According to the Zaobao report on Sunday (July 7), there are multiple Telegram groups offering to buy Singpass accounts among other personal details.

The accounts are offered at different prices depending on the profile: A 'clean' account with no criminal record goes for $6,000 to $12,000, while a 'dirty' one sells for around $3,500. Prices for a personal bank account range from $800 to $2,400.

Stay vigilant online: GovTech

Responding to queries from AsiaOne, the Government Technology Agency of Singapore (GovTech) said it is aware of the illegal sales of Singpass accounts on the Dark Web.

Information has been collected via phishing, malware and social engineering tactics targeted at individuals, a spokesperson said.

"The Government continuously enhances Singpass’ threat detection and login security in response to and in anticipation of evolving scams. We will take the necessary measures to secure an account that is suspected to be compromised."

The spokesperson advises users to remain vigilant and follow cybersecurity practices online, such as keeping operating systems, web browsers and security patches up to date, and setting strong passwords for access to their devices.

"Individuals may be held criminally liable if they disclose their Singpass credentials while knowing, or having reasonable grounds to believe, that the disclosure was to commit or facilitate the commission of an offence."

AsiaOne has reached out to Resecurity for more information.

ALSO READ: Police warn of rise in bulk order scams, with victims losing at least $830k

This website is best viewed using the latest versions of web browsers.