Stolen, cloned and sold: Inside the digital black market for SNAP benefits

In the deepest corners of the internet, cybercriminals are trafficking welfare benefits on illicit marketplaces — stealing from the country’s most vulnerable.

Thieves are targeting food assistance and other benefits programs fed by billions in federal funding with minimal security measures in place.

They’re purchasing stolen benefits information online, printing the data onto cloned debit cards and cashing out, The Baltimore Banner found after analyzing dozens of online markets, obtaining state social welfare records and speaking to cybersecurity experts.

Even as states are attempting to increase security measures, many are experiencing a collective rise in welfare theft, in part, due to this illicit online ecosystem. Maryland is no exception. The Banner identified at least 2,500 posts selling Marylanders’ benefits account information, also known as EBT.

Recent data breaches are fueling these marketplaces. Though it’s not possible to pinpoint which cyberattacks may be supplying this online economy, experts say the problem could be connected to two recent breaches tied to Maryland: one breach against a government contractor used by the state and one against Maryland social services.

Targeting food assistance recipients can also give thieves access to other welfare benefits. Electronic benefit cards are used for the Supplemental Nutrition Assistance Program, or SNAP, and also for cash assistance and disability programs. Some states, including Maryland, are starting to reimburse for these stolen funds, but there are often limitations to how often, and for how much, states can reissue benefits.

Though the U.S. Department of Agriculture, the federal agency responsible for funding SNAP, and the Maryland Department of Human Services have acknowledged that benefits theft is increasing nationally, the total dollar amount stolen is unclear.

The USDA told The Baltimore Banner in an email that the agency is now beginning to collect “comprehensive data” from states to understand the magnitude of the issue, but does not currently have cumulative national statistics on reported thefts from welfare recipients.

In Maryland, residents using welfare have reported over $2 million stolen in EBT funds over 2022 and the first months of 2023. For comparison, in 2021, $90,000 was reported stolen.

“Sky’s the limit”

Criminals are selling stolen EBT information online in a variety of ways — through social media, messaging boards and the dark web.

But often, according to a Georgia State University criminology professor David Maimon, criminals are turning to encrypted messaging services like Telegram, where any of the app’s 55 million users can view public channels dedicated to selling stolen information.

Maimon said that cybercriminals have come to rely on these applications because they are accessible, easy to use and hard to censor. And, for those same reasons, it’s difficult to grasp the total scope of this economy, he added.

“Sky’s the limit with respect to what we’re seeing there,” Maimon said.

The Baltimore Banner analyzed 26 Telegram channels and found about 50,000 posts selling EBT information from 2020 to 2023. The posts usually did not specify a specific state, but The Banner identified about 2,500 posts related to Maryland. These posts included listings for EBT information, credit card data, and unemployment benefits.

After purchasing the EBT information, criminals will clone the SNAP funds onto blank debit cards then use the cloned card to mass purchase items they can resell for a profit, like baby formula. Or, if the EBT funds are for cash assistance or disability aid, fraudsters can simply go to an ATM and drain the account.

Criminals are also selling tutorials on how to steal benefits online, which they call the “EBT Method,” according to research from DarkOwl, a company dedicated to researching the darknet. For example, on one Telegram channel, a user was selling a “method” that explained how to steal electronic benefits using Instacart.

Not only are cybercriminals selling these step-by-step guides, but they are also posting videos online flaunting their crimes.

When asked if the USDA was aware of these illicit online marketplaces, a spokesperson neither confirmed nor denied knowledge. Instead, they said the agency is aware of fraud where thieves use “card skimming,” “card cloning” and phishing to steal benefits.

Skimming, phishing and data breaches

The online tutorials help explain why so many Maryland welfare benefits are being used out of state.

The Baltimore Banner obtained an internal database from the Maryland Department of Human Services tracking over 950 welfare recipients reporting stolen SNAP or cash assistance between November 2020 and September 2022 . Of the 964 cases DHS tracked in the spreadsheet, over 67% of the stolen benefits were used out of state, most commonly in Illinois, Florida, California and Texas.

Benefits theft — as proven by the Maryland data — is often an interstate crime, suggesting this nationwide trend is more organized and connected than previously thought. A key reason, according to LexisNexis Risk Solutions CEO Haywood Talcove, is the method that criminals now use to obtain the data they are selling.

Talcove and his team have found that the three main avenues bad actors steal are through skimmers, phishing attempts and data breaches.

The USDA and Maryland DHS have heavily insinuated that skimming is the main vehicle for benefits theft. These agencies have also warned against phishing attempts via unsolicited calls, text or emails.

This messaging puts the onus on welfare recipients to protect their EBT cards. Agencies warn against using small convenience stores, recommend changing PIN numbers regularly, and advise against responding to unsolicited calls or texts. Instead, they recommend welfare recipients call their local social services offices directly to confirm — though call centers often place people on hold for hours.

Experts say it’s unclear to what extent skimming and phishing are charging the growth of this illicit online economy since these methods have been employed for years. But for cybersecurity expert Jon DiMaggio, the chief security strategist at Analyst1, the scope and scale of the theft can’t be explained by skimming alone. If that were true, he added, it would require coordinating the installation of thousands upon thousands of hardware devices across the country.

“I realize that’s not hard evidence,” DiMaggio said. “In my professional opinion, that would be highly unlikely to have a large scale of volume.”

Instead, DiMaggio thinks that data breaches could be fueling this recent surge in benefits theft.

It’s unclear which of the many data breaches over the last few years could be bolstering these marketplaces — it’s often impossible to link a case of benefits theft to a particular breach — but two breaches in particular have raised concerns for experts.

In May 2020, a Maryland state contractor was breached by a now-defunct ransomware group called Maze, which profits off of electronically stealing companies’ information for a ransom. The contractor involved was Conduent — an international IT firm used by Maryland and dozens of other states to process electronic benefits.

Conduent ensures that federal funds are transferred from government coffers to EBT cards and processes the individual EBT transactions themselves, meaning the company holds a wealth of personally identifiable information for welfare recipients nationwide.

Conduent publicly said the breach only affected their European services. But DiMaggio, who has spent years researching Maze and other ransomware groups, questions this.

According to DiMaggio, ransomware groups like Maze operate as an organized crime syndicate with internal hierarchies and structure. The goal, typically, is to infiltrate a company’s network and digitally ransack as much data as possible. By doing this, he said, Maze is able to batch sell the data for a larger profit versus capitalizing on data piecemeal by individually cloning the cards themselves.

And even if Maze only targeted Conduent’s European services, DiMaggio said, the cybergang’s history shows they could have easily leveraged that information to gain access to its U.S. operations.

“All they would need is one account to get in,” DiMaggio said. “So, to think that they wouldn’t be able to access the other side at all, to me, it would be naive.”

While still in operation, Maze didn’t work alone. The group collaborated with other cybergangs and even hired contractors to commit these crimes, ultimately resulting in many different parties having access to the stolen data. Any of these people or groups could then use the information to attempt to access welfare recipients’ accounts, DiMaggio said.

If Maze-affiliated cybercriminals did, in fact, gain access to U.S. benefits information from the Conduent hack, DiMaggio said, it would explain why SNAP theft is simultaneously affecting so many states at such a large scale.

“While we don’t have a smoking gun, all the elements are there,” DiMaggio said.

Conduent disputes this theory, however.

“There is absolutely no connection between that incident and EBT fraud,” said Conduent spokesperson Neil Franz in an email. He added that the company’s U.S. systems were not impacted and that there is no indication any client data was put at risk from the breach.

Hundreds of Marylanders’ data exposed

In a September 2022 hearing, state senators questioned former human services Secretary Lourdes Padilla about the rise of benefits theft in Maryland. In particular, one senator asked, could a security breach be contributing to this?

“I do want to note that, within our system, we have not experienced any security breach that could have caused what we’re discussing this afternoon,” Padilla said.

But this may not be true.

Records obtained by The Banner show that the human services department did have a recent data breach that could be facilitating this theft.

According to a notice the agency sent to the Maryland Attorney General, DHS had a breach for roughly three hours on March 12, 2022. (DHS spokesperson Brian Schleter disputed calling the incident a breach in a recent email to The Banner, instead referring to it as an “accidental data exposure.” However, in the notice to the AG, the department repeatedly called the event a breach.)

The document said the breach mainly affected state welfare recipients logging into DHS’s consumer portal.

In a letter the agency sent to residents whose information may have been exposed, social services said the breach allowed the unauthorized disclosure of personal information, such as full name, social security number and customer identification numbers.

Upon learning of the breach, the human services agency said they shut the portal down and made improvements to prevent it from happening again. The agency reported to the AG that the breach affected approximately 51 users’ information in April 2022. However, in an email to The Banner, Schleter said that number has since risen to 201 users potentially exposed.

In a departmental memo from April 5, 2022, the department changed its internal policy, stating it would no longer reimburse stolen cash benefits. (Until recent months, it was also DHS policy to not reimburse for stolen SNAP funds.) Three days later, DHS reported the breach to the Attorney General.

According to Schleter, the April 2022 policy change was not prompted by the data breach, but because the department lacked funding to support benefit reimbursements at the time.

After Congress passed a provision in its 2023 spending bill requiring states to reissue stolen SNAP benefits, DHS has started reimbursing victims. This past month, Maryland Governor Wes Moore also announced his administration’s plans to use state funds to reimburse stolen benefits.

Why now?

Benefits theft is still on the rise in Maryland. According to DHS, in January 2023, welfare recipients reported over $258,000 worth of funds stolen. A year prior, recipients only reported $10,000 stolen the same month. In February 2023, over $417,000 was reported stolen.

This ever-increasing theft, despite growing awareness and reimbursements, raises the question: why now?

To Talcove, the answer starts with record-high food assistance funding in 2022. During the pandemic, SNAP funding significantly increased from $74 billion in 2020 to over $113 billion in 2022. Essentially, he explained, the government massively increased food assistance funds without adjusting security measures accordingly.

Unlike banks and other financial services, Conduent doesn’t offer fraud protection services that proactively detect and alert EBT consumers of suspicious transactions. Similarly, EBT cards don’t have the encrypted chips found in credit and debit cards, which help protect them against skimmers.

Franz said that Conduent is working with its state clients to transition benefits cards to chip-enabled cards and mobile wallets, like Apple Pay and Google Pay, in order to prevent skimming. In addition, a USDA spokesperson said the agency is working with payment processors like Conduent and state governments to raise EBT fraud protection services to be comparable to the commercial sector.

For Maryland welfare recipients, Schleter said DHS is working to implement a statewide EBT card locking feature, fraud alerts, and other solutions.

But until these security features are implemented, welfare recipients are still vulnerable to scammers who drain EBT users’ funds before victims even know the money is available.

For these cybercriminals, according to Talcove, selling benefits information is just one revenue stream. This is “cyberfraud as a service,” he added, where these enterprises also sell credit card numbers, bank account information, and social security numbers.

“They steal from everybody,” Talcove said. “It’s a massive business with multiple access points.”

But once they find a successful revenue stream, he said, they dedicate more time and resources towards it — especially if it’s a hundred-billion-dollar program with lax security measures.

Talcove believes that benefits theft closely mirrors the rise of unemployment theft, which the U.S. Department of Labor Office of the Inspector General estimated could have resulted in “at least” $163 billion in “improper” payments — much of which could be linked to fraud and theft. In July 2020, then-Gov. Larry Hogan announced Maryland had uncovered $501 million in unemployment fraud.

“It’s not going to stop,” Talcove said. “It’s going to get worse.”

Officials at the USDA agree.

On LinkedIn, Mark Haskins, a supervisor of special investigations at the USDA, posted a recent news article on EBT theft captioned, “That is just the tip of the Iceberg. Expect this to continue for the next 2-3 years.”

After The Banner reached out for comment, the post was removed.

brenna.smith@thebaltimorebanner.com

A version of this story appeared on our TikTok. Follow us for more updates.

More From The Banner

The developer of Harborplace bought 128 rowhomes in East Baltimore

One Baltimore County developer is pouring big money into local politics

Larry Lucchino, visionary behind Camden Yards construction, dies at 78

Dundalk was a steel town. When the Key Bridge fell, so did its legacy.