[BreachExchange] Underground Carding Marketplace Joker's Stash Announces Shutdown

Destry Winant destry at riskbasedsecurity.com
Wed Jan 20 10:45:15 EST 2021


https://www.securityweek.com/underground-carding-marketplace-jokers-stash-announces-shutdown

Joker’s Stash, a large underground marketplace for stolen payment card
data, has announced plans to shut down operations on February 15,
2021.

The announcement was posted on a Russian-language cybercrime forum and
detailed plans to cease all operations “forever.”

The representatives of the carding service pointed out that, although
the marketplace has become highly popular, the team is getting a
“well-deserved retirement.”

“It’s time for us to leave forever,” the announcement reads, according
to threat intelligence company Intel 471.

Active since 2014, the marketplace offered card data from a robust
network of criminal vendors, with some of the data supposedly
exclusive to Joker’s Stash. Data from various high-profile breaches
was being offered on the site, including Earl Enterprises.

Underground threat intelligence company Gemini Advisory estimates that
“Joker’s Stash has generated more than $1 billion USD in revenue over
the last several years.”

The end of 2020 was rough for Joker’s Stash, as it was the target of a
takedown attempt after attracting a lot of attention from law
enforcement. The service, however, wasn’t fully interrupted.

In mid-December 2020, a message on the Joker’s Stash site informed
visitors that the U.S. Federal Bureau of Investigation and Interpol
managed to seize the marketplace’s servers, in an attempt to disrupt
its activity.

However, it turned out that Joker’s Stash, which has been described as
an automated vending cart (AVC), had several domains up and running,
and the law enforcement takedown attempt impacted only some of them.

Specifically, only the shop’s blockchain domains were affected by the
attempt, which allowed operators to continue selling card data
unhindered. The site’s representatives also announced at the time they
would have no trouble restoring the impacted domains.

Prior to December, however, the shop’s popularity had been fading,
after the threat actor who runs the site (who uses the moniker
JokerStash) announced he was hospitalized with a COVID-19 infection.

Around the same time, both the volume and quality of Card Not Present
(CNP) and Card Present (CP) records offered in the shop started
declining, and customers began complaining about it.

In the shutdown announcement, the service’s operator says that all
servers and backups will be erased after Feb. 15, but that users will
have until then to spend their account balance. He also notes that
partners will be paid before the service’s permanent closing.

According to Gemini Advisory, some individuals on the Dark Web
speculate that the shutdown might be caused by the FBI detaining
JokerStash.

