“Joker’s Stash”, the largest dark web marketplace for buying & selling stolen payment card data, announced on January 15, 2021 that it is shutting down. The last day of activity will be February 15, 2021.
Joker’s Stash is a dark web payment card marketplace, probably the most popular one active today. You may remember it from some of the massive payment card and PII breaches the cyber-security community has observed in the past few years, including: the Wawa breach, also known as BIGBADABOOM-III which compromised more than 30 million payment cards, or BLAZINGSUN, the breach of 3 million Dickey’s Barbecue Pit’s customer information. All these records, among many others, were offered for sale on Joker’s Stash marketplace.
The platform offers payment cards stolen via both CP (card present) methods such as ATM skimmers and POS malware, and CNP (card not present) TTPs such as data skimming, phishing and victim device malware. It is estimated to have generated more than 1$ billion in revenue since its creation in 2014.
In the past few years Cyberint has observed how Joker’s Stash established its status as the leading carding marketplace: in the last 3 months alone, the marketplace brought 18,686 new intelligence items into Argos™, which comprises more than 11% out of all the information coming from covered carding marketplaces in the same timeframe.
Despite its success, Joker’s Stash had managed to evade being taken down by law enforcement throughout the years through smart decentralization methods. Their site is accessible via the use of blockchain DNS, a decentralized DNS service that requires the installation of a browser plugin to access non-standard top-level domains (TLD), such as ‘.bit’, ‘.lib’, ‘.emc’, ‘.coin’ and ‘.bazar’. These TLDs prevent censorship or takedown activity such as law enforcement agencies compelling ISPs to a sinkhole or redirect illegal sites.
However, no one is infallible, and Joker’s Stash users have experienced some recent outages. On December 17, 2020, the U.S. Federal Bureau of Investigation (FBI) and Interpol allegedly seized servers of the .bazar TLD. The marketplace admin took to several dark web forums after the event in order to assuage concerns and clarify that these were only proxy servers that did not disclose any “shop data”; however, it is assumed that the seizure took its toll and resulted in customer churn.
A few weeks earlier, in October 2020, Joker’s Stash’s admin announced he had contracted COVID-19 and was hospitalized for a week. Researchers believe that this is one of the reasons for recent maintenance issues, which resulted in clients complaining that the shop’s payment card data quality was increasingly poor.
On January 15, 2021, Joker’s Stash announced their site will be shutting down on February 15, 2021. In their announcement, they explain: “It’s time for us to leave forever”. They encourage the users to “spend accounts balances”, and emphasize they “will never open again! Do not trust possible future imposters”.
In the past two months, Cyberint has leveraged Argos™ to detect several threat actors already searching for alternatives to Joker’s Stash, likely following its stability issues.
Therefore, rival carding marketplaces and similar platforms will emerge as alternatives. Threat actors on Joker’s Stash also conduct activities in:
- BriansClub payment card marketplace
- Dread forum
- Altenen forum and its mirrors
- CardPro, Club2Card and CardClub forums
- Omerta forum
- XSS forum, which is known for exploits for sale but has been increasingly populated by carders during the COVID-19 period
- Private Telegram channels
Cyberint will continue to monitor trends in the migration of threat actors from Joker’s Stash to alternative dark web marketplaces and forums.
- Due to the crackdown of law enforcement on dark web markets, threat actors may be encouraged to conduct business in closer circles, such as private or invite-only platforms where reputation scores largely play a role in the capacity to buy and sell.
- As Joker’s Stash is keeping the marketplace open for another month, Cyberint expects a slight increase in user activity on the website and “last-minute” transactions. On the other hand, Joker’s Stash vendors might be setting discounts and sales to take advantage of the marketplace’s last days. This may be reflected in increased carding activity, which is the main use of the marketplace’s listings.