Marketplace Financial Services Used for Illegal P2P Transactions

According to experts at Angara Security, after Qiwi Bank’s license was revoked in February 2024, cybercriminals began using Ozon’s electronic wallets for their illegal operations. The number of messages about buying and selling verified marketplace e-wallets for peer-to-peer (P2P) transfers has already tripled. The peak growth occurred in February–March 2024, when Qiwi wallets became unavailable.

Researchers report a surge in ads for buying and selling verified Ozon wallets, as well as instances of selling Ozon Bank accounts with the highest verification statuses. Additionally, criminals offer services for direct transfers of funds from stolen accounts to other cards for cashing out.

Ozon e-wallets have been found for sale both openly on Telegram and on the dark web, where they can be purchased for about 2,599 rubles.

“The financial services of Russia’s largest marketplaces, originally designed for a seamless customer experience, are now attracting the attention of participants in the gray payment market. Transactions using e-wallets provide more opportunities for illegal schemes—from cashing out funds to financing undesirable organizations,” analysts commented.

Angara Security notes that after acquiring real users’ data, fraudsters can link digital cards to anonymous accounts registered to SIM cards from any mobile operator. This is a service offered by the marketplace itself, which criminals exploit for their own purposes. Experts warn that other Russian marketplaces and their customers may face similar risks. They recommend not only preventive measures to protect customer databases but also regular OSINT research to detect and prevent the illegal use of financial services.

According to Forbes, citing its own sources, in mid-2023, access to Ozon Bank accounts on the dark web cost 700–2,500 rubles, but now prices range from 500 to 10,000 rubles. The final price depends on several factors, including:

• Wallet status (anonymous, basic, extended);
• Verification method (via “Gosuslugi,” using a passport photo, or through a mobile operator);
• Likelihood of account blocking (depends on the time since registration and whether any transactions have occurred);
• Data provided to the buyer (minimum: phone number for Ozon Bank, login and password for SMS reception service; maximum: phone number, code word, secret code, passport data, proxy for Ozon Bank, login and password for SMS reception service).

Sources also note that verified wallets from all payment services are sold on the dark web, and their quantity “directly depends on their popularity among the public.”

Ozon told Forbes that the bank has a multi-level fraud analysis process in place, using special detection algorithms, machine learning, and other technologies to identify fraudulent activity. “If the system detects any suspicious activity, the fraud monitoring team promptly blocks the movement of funds and investigates such cases, which may include additional identification and, in some cases, confirmation of the source of funds,” a company representative said. “Fighting fraud is an ongoing process. Criminals constantly invent new schemes, so we are always working to improve our own rules and anti-fraud tools.”