A May 2020 media report disclosed that a Taiwanese database containing personal data from over 20 million citizens (Taiwan’s entire population) was posted for sale on the Dark Web. According to researchers, the source of the leak is governmental and originates from the Department of Household Registration, under the Ministry of Interior.
The sale offer was posted on May 19, 2020 in an English language underground Dark Web marketplace. The seller indeed claimed the database contains data of the entire country’s citizens and attached a sample where one can see each line in the database is arranged by full name, landline number, ID number, home address and sex. The seller has offered to sell the database for US$ 2,500.
NOT THE FIRST TIME WE’VE SEEN SUCH AN OFFER
Although this database leak was defined by the above reports as unique, this is not the first time we have seen an offer for a database consisting of personal information for the entire population of Taiwan. In Chinese sources, such offers have appeared since August 2018 at least. Our findings, detailed below, may imply the database offer is in fact a resell of a previous database offered several times in the past in Chinese underground sources. These findings show the flow of data from one underground arena to another and stress the importance of multi-language monitoring across various sources to get a full picture of the origins of leaked databases.
THE TAIWANESE DATABASE ON THE CHINESE DARK WEB
Our first indication of a Taiwanese population database was in August and September 2018. In August 2018, an offer appeared on the Chinese Darknet marketplace to sell a Taiwanese population database consisting of the full names, landline numbers, gender and home addresses of 21,141,314 people.
About a month later, an actor who has offered several other major database leaks on the same Chinese language Darknet marketplace (including the Marriott database), offered a full database of the Taiwanese population, consisting – according to him – of approximately 25 million lines of data, claiming the data was updated to September 2017.
Since then, similar offers have occasionally appeared in both the Darknet marketplaces and other underground chat groups operating on Telegram.
SIMILARITIES BETWEEN LEAKED SAMPLES SHARED ON THE DARK WEB
According to our research, the last time a similar offer was published was January 2020, when an actor on a Chinese Darknet marketplace offered a 25 million line Taiwanese population database containing – once more by that order: full names, landline telephone numbers, ID numbers, home addresses and sex. The actor also attached a short sample to prove the authenticity of the database. According to the marketplace’s inner data, this transaction was completed twice, meaning two different actors have purchased the database since. Of note, the same actor also offered the same database in April 2019, attaching a similar sampler. The two screenshots below show the two offers, from January 2020, and April 2019.
The two samples attached to the offers – the two Chinese posts from April 2019 and January 2020 and the English post from May 2020 – show different names but look strikingly similar. The pattern of the data is identical, and it is arranged in the exact same order: full name, landline number, ID number, home address and sex. Furthermore, the current seller admitted he obtained the data in 2019, which is in line with the date the same offer was published on a Chinese marketplace.
All the above leads us to conclude the current offer of the Taiwanese population database is an attempt to resell the same database leaked in the past in Chinese underground platforms. As the asking price for the data sold on the Chinese platform was merely US$ 200, whereas he offered the same database for US$ 2,500, we believe it is highly probable this actor acquired the database on the Chinese marketplace and then tried to make an easy profit from actors operating on other platforms who do not have access to the Chinese marketplace and/or cannot read Chinese.
THE SELLER HAS OTHER ACTIVITIES ON THE DARK WEB
According to our analysis, the seller was seen operating under the same nickname on a Chinese Telegram underground chat group, a Russian Clearnet hacking and fraud forum, and two English-language Darknet forums.
In all instances, he offered credit card user data from China Industrial Bank containing over 460,000 lines. In one of the offers seen below and posted on the English-language forum, the actor quoted a price of US$ 380 for the database.
BUY IN ONE LANGUAGE, RESELL (FOR A NICE PROFIT) IN ANOTHER
As in the case of the Taiwanese population database, the China Industrial Bank database offered by this actor appeared before in Chinese underground platforms. In March 2020, the offer was posted on a Chinese Darknet marketplace for US$56 (see first screenshot below.) According to this marketplace’s inner data, it was sold 21 times. A month later, in April 2020, it was also offered on a Chinese-language underground Telegram group (see second screenshot below.) This demonstrates a similar modus operandi by this actor, and presumably by many other actors who operate across various, multi-language platforms: acquiring databases in one language (Chinese) and reselling them at higher prices on platforms in other languages.