Facebook's failure to moderate bad behavior on the sprawling online world it created, what with political trolls, extremist content, and livestreamed acts of horrific violence, has received a torrent of criticism. But researchers have found that the social media giant is also failing to police a far more basic and decades-old internet problem among its users: plain old cybercrime.

Researchers at Cisco's Talos security division on Friday revealed that they'd uncovered 74 Facebook groups devoted to the sale of stolen credit card data, identity info, spam lists, hacking tools, and other cybercrime commodities. The researchers say those groups sat in plain sight, with names like Spam Professional and Spammer and Hacker Professional, attracting 385,000 members in all. Anyone could find them with a site search for basic terms like "carding" or "CVVs," a reference to the security codes on the back of credit cards.

"Effectively, what we found was a huge number of Facebook groups openly trading crime stuff online," says Craig Williams, Cisco Talos' director of outreach. "The user base in these groups is basically the size of Tampa."

"It's ridiculous ... This company operates on a set of rules that are backward and are only in its own commercial interest." - Dipayan Ghosh, Shorenstein Center Platform Accountability Project

Screenshots that Cisco published in a blog post summarizing its findings capture Facebook users publishing pictures of purportedly stolen credit cards and IDs, offering lists of CVVs priced at $5 each, as well as collections of thousands of emails ripe for spamming and phishing—the type of data usually sold on dark-web markets or password-protected, invite-only hacker forums. Williams says many of the users he saw in those groups even appeared to be conducting business in Facebook's cybercrime bazaars under their real accounts.

Image caption: Some of the posts that Cisco researchers found selling credit card data, including CVV security codes, as well as counterfeit credit cards and IDs. Image credit: Cisco

And finding the groups, Williams says, wasn't particularly difficult: Once Cisco's researchers identified a handful of them, Facebook's recommendation algorithm offered them other groups with similar black market focuses.

This isn't the first time Facebook has faced this exact problem. Last year, cybersecurity reporter Brian Krebs identified a similar-sized crop of Facebook cybercrime groups, totaling 300,000 members, and reported them to Facebook. Facebook banned those groups at the time, but it took less than a year for an even larger population of fraudsters and hackers to make homes on the site.

And while Facebook has removed the groups Cisco identified—after the researchers alerted the company to their findings—its cleanup remains incomplete. In a few minutes of searching, WIRED found users and groups with names like Carder Philippines and Anonymous Carding India openly hawking credit card information, along with what appeared to be stolen goods like cameras and iPhones bought with hijacked ecommerce accounts.