Stolen giftcards, hacked logins, copyrighted books, email and password lists. It sounds like what would be available on the darkweb in some silk road successor site. But all that is being sold in the open, on the regular internet. Bitify claims to be “the world’s largest Bitcoin Marketplace and Auction site” and touts a strong escrow system that makes buyers and sellers safe.
Unfortunately, they don’t seem as concerned with keeping their site safe from illegal items. At the time of this writing, sellers on Bitify are offering $50 worth of Potbelly gift cards for $5, $100 worth of BlazePizza for $10, $20 WhichWich cards for $7 and similar discounts.
Almost certainly, the majority of these cards were obtained through illegal means. While reselling unwanted gift cards is a common and legitimate practice, selling them for this cheap is not. It is typical for gift card marketplaces to offer anywhere from 3-20% off their face value. The cards on Bitify are commonly priced at 80 – 90% off their face value.
Gift card fraud is big business. There are three main ways someone can obtain a gift card fraudulently. First, they can use a stolen credit card or hacked Paypal account to purchase gift cards and then sell them to convert those cards into spendable money.
Second, thieves go into stores find unsold gift cards, copy down the numbers and PINs (replacing the sticker with new ones) and then wait for someone else to legitimately purchase and activate the cards. They use software to continually check if they are activated, and then sell the numbers.
Or third, they use botnets to continually test numbers and PINs on company websites until they find valid, activated and loaded gift card, which is then sold.
In addition to the absurdly low price, there is more evidence that the gift cards being sold on Bitify have been illegitimately obtained. Sellers are oftentimes advising buyers to use their cards as quickly as possible. That is because if the legitimate owner of the card uses the balance, the Bitify buyer will be out of luck. If the balance has been moved to another card and that card hasn’t been spent yet, the legitimate owner may also be able to convince the issuing company to reverse that transaction.
More obvious than that, is that other sellers on the site are offering educational materials on how to “clean” gift cards purchased on sites like Bitify. I don’t know what their method is, or if it works but it showcases that everyone involved likely knows exactly what is going on.
The questionable items aren’t limited to gift cards either. Sellers are offering complete email and password combinations, credit card numbers and Steam logins.
Other sellers are offering copyrighted materials, including ebooks not authorized by the publishing company at a massive discount. There are also premium memberships to services like NBA League Pass, HBO Go and Netflix. It is unlikely that these are shared accounts by sellers, based on the number of accounts they are selling, the advice they give (use VPNs) and the promises to give new accounts if the buyer is locked out.
We contacted Bitify about these issues by email and they sent us this response from the CEO and founder of Bitify, Ahmad Aoun
“We are very cooperative when companies contact us to take listings they believe infringe on their copyrights and/or licenses. We try to maintain a trustworthy site, but we do miss some listings due to the nature of the marketplace. We only allow listing of gift cards by verified users so that our buyers and Bitify are protected. We are looking into implementing a feature where sellers will be able to upload gift card credit on the site and the credit would get checked with the source of the card through an API. We hope this will eliminate or at least reduce any chances of suspicious cards.
Netflix and NBA accounts seem to be shared accounts rather than hacked. I’m not entirely sure how the accounts can be shared as I’m in Australia and most accounts seem to be American, but from my understanding, a single account can be shared between multiple people to stream at the same time. At least my Netflix AU account allows that (up to 4 devices if I’m not wrong). As for Windows keys and licenses, they are not hacked licensing. I had personally approached two large sellers and inquired about the source of the keys and they explained the are bulk enterprise keys, hence the cheap price.”
While Aoun could be correct about the Windows Licenses found on Bitify (they can be found on other marketplaces, like eBay, for similar prices) his explanation for the shared accounts seems either extremely naïve or intentionally misleading.
Not only is account sharing against the terms of service for many of these services, and could, therefore, get the account banned, but that doesn’t appear to be what these sellers are offering. Sellers are offering “lifetime” subscriptions to them and promise new accounts for anyone who is locked out of the one the purchased on Bitify. It is also difficult to imagine these sellers are only offering shared access to the accounts they legally own because they sell access to those services multiple times across the site.
Multiple accounts being sold at once, promises to offer new accounts if the buyer is kicked out of the original and suggestions to use a VPN all add up to something, and it isn’t someone allowing strangers from the internet to access their account.
As for the gift card aspect of his explanation, it seems he either didn’t understand my question or is again trying to distract from the issue. Allowing only verified users to sell gift cards has nothing to do with the source of the gift cards. Checking with an API would only be relevant if it checked the credit card information of who purchased the card against the seller on Bitify, but it seems unlikely that companies would hand that information over to Bitify. In either case, it isn’t being applied now.
There are also some items available that are of questionable moral status, even though they aren’t strictly illegal. One listing offers a prebuilt website and coin for people wanting to launch an ICO with “no coding experience.” While again, not illegal, the ICO space is rife with scams and services like these are only going to make it worse, which in turn hurts the entire bitcoin industry.
There is a “report” feature on Bitify. I tested it and found that a password/email combination listing was taken down two days later. However, more email/password (along with Credit Card numbers and Steam logins) listings have since appeared.
Bitify isn’t selling these items themselves, so they may feel that gives them some legal cover. However, if the Napster case is considered, along with the travesty of justice that is the Silk Road case, it is clear that authorities consider the actions of users to reflect on the owners of sites and marketplaces.
Bitify might be Bitcoin’s largest peer to peer marketplace, but unfortunately, the goods for offer are, at best, a bit iffy.