November 2, 2023

The login page for the criminal reshipping service SWAT USA Drop.

One of the largest cybercrime services for laundering stolen merchandise was hacked recently, exposing its internal operations, finances and organizational structure. Here’s a closer look at the Russia-based SWAT USA Drop Service, which currently employs more than 1,200 people across the United States who are knowingly or unwittingly involved in reshipping expensive consumer goods purchased with stolen credit cards.

Among the most common ways that thieves extract cash from stolen credit card accounts is through purchasing pricey consumer goods online and reselling them on the black market. Most online retailers grew wise to these scams years ago and stopped shipping to regions of the world most frequently associated with credit card fraud, including Eastern Europe, North Africa, and Russia.

But such restrictions have created a burgeoning underground market for reshipping scams, which rely on willing or unwitting residents in the United States and Europe to receive stolen goods and relay them to crooks living in the embargoed areas.

Services like SWAT are known as “Drops for stuff” on cybercrime forums. The “drops” are people who have responded to work-at-home package reshipping jobs advertised on craigslist.com and job search sites. Most reshipping scams promise employees a monthly salary and even cash bonuses. In reality, the crooks in charge almost always stop communicating with drops just before the first payday, usually about a month after the drop ships their first package.

The packages arrive with prepaid shipping labels that are paid for with stolen credit card numbers, or with hijacked online accounts at FedEx and the US Postal Service. Drops are responsible for inspecting and verifying the contents of shipments, attaching the correct shipping label to each package, and sending them off via the appropriate shipping company.

SWAT takes a percentage cut (up to 50 percent) where “stuffers” — thieves armed with stolen credit card numbers — pay a portion of each product’s retail value to SWAT as the reshipping fee. The stuffers use stolen cards to purchase high-value products from merchants and have the merchants ship the items to the drops’ address. Once the drops receive and successfully reship the stolen packages, the stuffers then sell the products on the local black market.

The SWAT drop service has been around in various names and under different ownership for almost a decade. But in early October 2023, SWAT’s current co-owner — a Russian-speaking individual who uses the handle “Fearlless” — took to his favorite cybercrime forum to lodge a formal complaint against the owner of a competing reshipping service, alleging his rival had hacked SWAT and was trying to poach his stuffers and reshippers by emailing them directly.

Milwaukee-based security firm Hold Security shared recent screenshots of a working SWAT stuffer’s user panel, and those images show that SWAT currently lists more than 1,200 drops in the United States that are available for stuffers to rent. The contact information for Kareem, a young man from Maryland, was listed as an active drop. Contacted by KrebsOnSecurity, Kareem agreed to speak on condition that his full name not be used in this story.

A SWAT panel for stuffers/customers. This page lists the rules of the service, which do not reimburse stuffers for “acts of god,” i.e. authorities seizing stolen goods or arresting the drop.

Kareem said he’d been hired via an online job board to reship packages on behalf of a company calling itself CTSI, and that he’s been receiving and reshipping iPads and Apple watches for several weeks now. Kareem was less than thrilled to learn he would probably not be getting his salary on the promised payday, which was coming up in a few days.

Kareem said he was instructed to create an account at a website called portal-ctsi[.]com, where each day he was expected to log in and check for new messages about pending shipments. Anyone can sign up at this website as a potential reshipping mule, although doing so requires applicants to share a great deal of personal and financial information, as well as copies of an ID or passport matching the supplied name.

A SWAT panel for stuffers/customers, listing hundreds of drops in the United States by their status. “Going to die” are those who are about to be let go without promised payment, or who have quit on their own.

On a suspicion that the login page for portal-ctsi[.]com might be a custom coding job, KrebsOnSecurity selected “view source” from the homepage to expose the site’s HTML code. Grabbing a snippet of that code (e.g., “smarty/default/jui/js/jquery-ui-1.9.2.min.js”) and searching on it at publicwww.com reveals more than four dozen other websites running the same login panel. And all of those appear to be geared toward either stuffers or drops.

In fact, more than half of the domains that use this same login panel actually include the word “stuffer” in the login URL, according to publicwww. Each of the domains below that end in “/user/login.php” are sites for active and prospective drops, and each corresponds to a unique fake company that is responsible for managing its own stable of drops:

lvlup-store[.]com/stuffer/login.php
personalsp[.]com/user/login.php
destaf[.]com/stuffer/login.php
jaderaplus[.]com/stuffer/login.php
33cow[.]com/stuffer/login.php
panelka[.]net/stuffer/login.php
aaservice[.]net/stuffer/login.php
re-shipping[.]ru/stuffer/login.php
bashar[.]cc/stuffer/login.php
marketingyoursmall[.]biz/stuffer/login.php
hovard[.]xyz/stuffer/login.php
pullback[.]xyz/stuffer/login.php
telollevoexpress[.]com/stuffer/login.php
postme[.]today/stuffer/login.php
wint-job[.]com/stuffer/login.php
squadup[.]club/stuffer/login.php
mmmpack[.]pro/stuffer/login.php
yoursmartpanel[.]com/user/login.php
opt257[.]org/user/login.php
touchpad[.]online/stuffer/login.php
peresyloff[.]top/stuffer/login.php
ruzke[.]vodka/stuffer/login.php
staf-manager[.]net/stuffer/login.php
data-job[.]club/stuffer/login.php
logistics-services[.]org/user/login.php
swatship[.]club/stuffer/login.php
logistikmanager[.]online/user/login.php
endorphine[.]world/stuffer/login.php
burbon[.]club/stuffer/login.php
bigdropproject[.]com/stuffer/login.php
jobspaket[.]net/user/login.php
yourcontrolboard[.]com/stuffer/login.php
packmania[.]online/stuffer/login.php
shopping-bro[.]com/stuffer/login.php
dash-redtag[.]com/user/login.php
mnger[.]net/stuffer/login.php
begg[.]work/stuffer/login.php
dashboard-lime[.]com/user/login.php
control-logistic[.]xyz/user/login.php
povetru[.]biz/stuffer/login.php
dash-nitrologistics[.]com/user/login.php
cbpanel[.]top/stuffer/login.php
hrparidise[.]pro/stuffer/login.php
d-cctv[.]top/user/login.php
versandproject[.]com/user/login.php
packitdash[.]com/user/login.php
avissanti-dash[.]com/user/login.php
e-host[.]life/user/login.php
pacmania[.]club/stuffer/login.php

Why so many websites? In practice, all drops are cut loose within approximately 30 days of their first shipment — just before the promised paycheck is due. Because of this constant churn, each stuff shop operator must be constantly recruiting new drops. Also, with this distributed setup, even if one reshipping operation gets shut down (or exposed online), the rest can keep on pumping out dozens of packages a day.

A 2015 academic study (PDF) on criminal reshipping services found the average financial hit from a reshipping scheme per cardholder was $1,156.93. That study looked into the financial operations of several reshipping schemes, and estimated that approximately 1.6 million credit and debit cards are used to commit at least $1.8 billion in reshipping fraud each year.

It’s not hard to see how reshipping can be a profitable enterprise for card crooks. For example, a stuffer buys a stolen payment card off the black market for $10, and uses that card to purchase more than $1,100 worth of goods. After the reshipping service takes its cut (~$550), and the stuffer pays for his reshipping label (~$100), the stuffer receives the stolen goods and sells them on the black market in Russia for $1,400. He has just turned a $10 investment into more than $700. Rinse, wash, and repeat.

The breach at SWAT exposed not only the nicknames and contact information for all of its stuffers and drops, but also the group’s monthly earnings and payouts. SWAT apparently kept its books in a publicly accessible Google Sheets document, and that document reveals Fearlless and his business partner each routinely made more than $100,000 every month operating their various reshipping businesses.

The exposed SWAT financial records show this crime group has tens of thousands of dollars worth of expenses each month, including payments for the following recurring costs:

-advertising the service on crime forums and via spam;
-people hired to re-route packages, usually by voice over the phone;
-third-party services that sell hacked/stolen USPS/Fedex labels;
-“drops test” services, contractors who will test the honesty of drops by sending them fake jewelry;
-“documents,” e.g. sending drops to physically pick up legal documents for new phony front companies.

The spreadsheet also included the cryptocurrency account numbers that were to be credited each month with SWAT’s earnings. Unsurprisingly, a review of the blockchain activity tied to the bitcoin addresses listed in that document shows that many of them have a deep association with cybercrime, including ransomware activity and transactions at darknet sites that peddle stolen credit cards and residential proxy services.

The information leaked from SWAT also has exposed the real-life identity and financial dealings of its principal owner — Fearlless, a.k.a. “SwatVerified.” We’ll hear more about Fearlless in Part II of this story. Stay tuned.


34 thoughts on “Russian Reshipping Service ‘SWAT USA Drop’ Exposed

  1. DonnyFortano

    Psyched to read Part 2. Good stuff Brian, keep it up!

  2. Ken

    Sounds like there’s a lot of honest people in this industry. How many shippers keep the drop?

    1. BrianKrebs Post author

      Considering the drops have to share their financial information and identity documents in order to work, it probably wouldn’t be a wise thing to do. But my sense is that most people involved are motivated by the lure of easy money, and they are not asking too many questions because they don’t immediately see the downside.

    2. WK

      I’d wager it’s a combination of expecting to get paid at the end of the month for a very easy task, with a (veiled) threat of severe legal trouble if they keep the stuff. So the risk will not seem to be worth the gain for many.

      There are obviously those who don’t see any risk for whatever reason, but if the scheme works well enough to earn $100k/month for at least two people, that points to these people being a small minority.

  3. Richard

    I knew that the American special forces (SWAT) were doing bad things. 🙁

    1. Sacco Vanzetti

      You know nothing.
      American “special forces” are US advanced military.
      SWAT refers to advanced civilian police methods and tactics.

    2. an_n

      “SWAT” is a police unit designation and has 0 to do with either US military or SOC.
      ¯\_(ツ)_/¯

  4. James

    Seems easy enough to at least catch the bad guys who are mailed the package from the dropper. Get honest people to become droppers working with the authorities that govern this kind of thing, go to the end address & wait till someone picks the package up. BOOM! Caught!!

    1. BrianKrebs Post author

      Drops/mules are a dime a dozen. There will always be drops looking for work, and not asking too many questions. But the people running this reshipping program have been doing it for more than a decade, so maybe going after those responsible is a better idea. Or at least making their lives more difficult.

    2. Catwhisperer

      Except that the receiving entities are not usually in the US, where there is a semblance of laws. Rather the mailing addresses are in places where the authorities are getting their cut if not controlling the racket themselves…

    3. W

      The end address is in Russia and similar. They do not cooperate with EU/US, especially now.

    4. Joe

      Making a case is not that simple. They could say the reason the package showed up at their house was because they bought it off some random guy on telegram and had no idea it was fraud/stolen.

      It would take a long investigation with lots of resources to prove they were involved in a racket. Plus, most of the merch is sent overseas where the authorities have no interest in tracking down stolen merchandise from other countries.

      1. an_n

        It’s not even “worth” seriously investigating after cutting losses if it’s under N-tens-to-hundreds of thousands because realistically any criminal prosecution or civil suit costs at least that much whether successful or not, and years down the road. “The law” doesn’t even begin until they reach those damage thresholds per individual and even then there’s prosecutorial discretion (of necessity) which is directly tied to budget and docket realities. We don’t even have impetus to keep serious tabs on the people already successfully prosecuted here in our own jurisdictions. McGruff would be driven to drinking.

  5. Catwhisperer

    Exciting read! I can’t wait for the next installment. It’s scary to think how easily the West in infiltrated, using our freedoms against us. Oh, yes, and our addiction to money, too…

  6. Phil

    1. Sign up to mule this nonsense
    2. Receive merchandise
    3. Never send it
    4. Profit

    1. Joe

      But SWAT has your banking info, a copy of your ID, address, etc. It might not turn out well for you.

    2. an_n

      They’d burn you. You’re having stolen items show up at your actual address.
      Also you need a plausible fake identity with real PII to sign up in the first place.
      If you have that and don’t care about burning yourself, you’re the scammer now.

      Whatever you would steal from the “scammers” is actually not theirs anyway,
      you’re now an independent renegade mule/drop, one call away from jail time.
      If that’s the best way you can think of to get an ipad, ¯\_(ツ)_/¯

      1. LoneWolf

        First off these Russian reshippers are not elite hackers. He just had his whole site hacked and was using a Google Spreadsheet and went crying about it on a hacking forum.

        Ripping them off would be very simple.A fake ID is easy to get. A fake bank account like Cash App, Venmo, Paypal or 100 more app banks I could name is even easier to open. I know I’ve made at least 30 Cash App accounts already never one having to show an ID. You could even show them one of your real bank accounts and then just close it because they are never sending you money anyway.
        As for your address just drive around or look on realty sites for an abandoned or foreclosed house and theres your “drop”.
        Shipping it back to the scammers would actually be worse, another crime on top of receiving the goods. Keeping the Russians happy doesn’t change the fact that the police are the ones after you. Do you think they are going to snitch on you?

        But why go through all that when you can just do it yourself? Oh wait been there done that over 10 years ago. Carding is practically obsolete in the cyber crime world and buying a good card is not $10 it’s $75-100. 10-12 years ago you could get them for $0.50-$1

        Krebbs should do a deep dive on the refunding services scene and chargeback scams.

        Although that too is already starting to die now for the lone wolf scammers because of TikTok morons dancing and showing that they got a measly $20 item free.
        Now you almost have to have an insider at UPS/FedEx, or at one of the retailers or a CS worker.
        And the one rule to rule them all is always work alone. Everyone squeals like a pig in the end. Everyone.

        1. an_n

          Gee, so commit ID fraud multiple ways to “pwn” the scammers…
          Still you’re still not stealing from “them” even as a rationalization.
          You are become them, taking their place as a criminal end point,
          any justification that you’re doing it to “pwn bad guys” falls away.

    3. KFritz

      Anyone holding such a package and its online trail is, prima facie, open to a charge of grand theft. Not a win.

  7. Howard

    Really excited about part two, hopefully fearless – won’t be so fearless haha.

  8. Randy

    how hard would it be to extradite the russia hackers to the us?

    1. an_n

      As hard as it would be to overthrow the Russian government.

  9. Melitta Ball

    Thanks for bringing this to light! Job hunters need to know what to look for so thank you!

  10. R. Cake

    I would be curious about customs procedures for exports from the US to Russia. Looking at the sanctions regime, is it really possible to just pack a random parcel and send it there, and it will not get inspected?
    Would it not be kind of obvious for authorities to do histographic analysis of what kind of packages get sent to whom, and then blacklist certain recipients? Or is there a separate set of “secondary drops” in Russia, so that the recipient addresses also vary from case to case?
    …really looking forward to part 2 – excellent work, @Brian!!

  11. John Doe

    Let’s flood these drop shipping “companies” with fake “employees” who just turn around and return the goods to sender as FRAUD. Invest some money and really mess these guys up.

  12. Austin

    This happened to me earlier in the year. I managed to find the re-shipper who was local to me, contact him and follow the rabbit trail. I convinced him to give me his login credentials for the site, mirrored the site and traced as much as legally possible and submit the package in an IC3 report to the FBI. Reach out if you’re curious about any more detail. This exact site layout was haunting.

  13. Chris Johnston

    Job hunting is getting very risky. Lots of folks looking to steal your personal info.

  14. house of hazards

    Combating cybercrime and protecting consumers from fraudulent activities requires a multi-pronged approach. Online retailers must continue to refine their security measures and educate consumers about the risks associated with online shopping. Law enforcement agencies need to enhance their capabilities to investigate and prosecute cybercrime syndicates, while international cooperation is essential to disrupt these networks that often operate across borders.

  15. Ryan

    I just got a call from the “Head of HR” at CTSI Logistics USA and they described to job to me without too many questions and asked if I was interested. I immediately sensed this was some kind of a phishing thing or some other kind of scam, and sure enough, here we are lol. If it sounds too good to be true, it usually is. I ended the call with letting them know I was considering the job though and I have the contract they wanted me to sign and attach my ID to so maybe I can contact local law enforcement here first and see what they think I should do. Unfortunately I live in a small town in the US and local law enforcement consists of about 3 guys handing out traffic tickets.

  16. Bigchupa

    Nothing comes Free and nothing comes easy in your life.
    If you want to have nice life like human.
    Then you need to have stress but question is wich hardship or stress you choose?
    1. Starting your business try to build it up sleepless nights damaged health.
    2. Working hard killing your health aswell
    3. Become famous no privacy paparazzi Everywhere and stress and bad healt again.
    4.criminal activity looking over your shoulders heavy stress bad for health.
    5. No stress just regular life and Job but no money and in this world inflation goes higher and higher you will have stress becouse of poverty.

    Whos the winner here ?
    Everybody is loser here !! No winners !!
    So choose your stress and live life

Comments are closed.