Card Not Present Fraud , Cybercrime , Fraud Management & Cybercrime
After Joker’s Stash Closes, What Comes Next?Researchers Expect Other Underground Sites Will Pick Up the Slack
Other darknet marketplaces are apparently preparing to fill the underground economy's need for a steady stream of stolen payment card data if the Joker's Stash site closes Feb. 15 as its administrator has announced. Some researchers believe the administrator may even launch a new marketplace.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
Since 2014, Joker's Stash has developed a reputation for offering for sale millions of stolen payment card numbers and making splashy announcements of new offerings.
Thomas Beek, a senior cybersecurity specialist at security firm Digital Shadows, which has tracked the evolution of the Joker's Stash site over the years, notes that while it's too early to point to a specific successor site, there's little doubt that other underground marketplaces are lining up to grab a piece of the action.
He points out that several other darknet automated vending cart sites, or AVCs, which make sales without the need for buyer-vendor interaction, already offer some of the same features and functionality found on Joker's Stash.
"There has been an array of AVC carding services available to the cybercriminal community for some time now. Even though the Joker's Stash service was highly respected, it was operating in a crowded market," Beek says. "Other sites are likely to see an increase in footfall following Joker's Stash's announcement as buyers try to identify a reliable and regularly updated resource, but it will take time for an alternative site to emerge as the front-runner."
Beginning of the End
Even before the administrator of Joker's Stash announced last month the looming "retirement,” Beek and other researchers saw signs that the marketplace was in trouble.
For example, some cybercriminals began complaining on underground forums about the quality of payment card data for sale on Joker's Stash, according to Gemini Advisory, which tracks stolen payment card data.
"While this marketplace was the largest in the carding space, it also exhibited a severe decline in the volume of compromised card-not-present and card-present records posted over the past six months," the Gemini researchers note.
"For many months now, we have seen cybercriminals complaining about the quality of material on Joker's Stash and asking for recommendations for alternatives," Beek says. "The Joker's Stash closure will accelerate this process. Cybercriminals will be looking for platforms that have regularly updated stock, good security practices and are reliable to use."
Also, Joker's Stash had started to attract the attention of law enforcement agencies. In December 2020, the FBI and Interpol reportedly briefly seized the blockchain domains used by the site, although the site's administrator appeared to quickly regain control, security researchers say.
Nevertheless, Gemini reports that Joker's Stash generated an estimated $1 billion in revenue since its inception. And it posted 40 million records for sale over the past year - even as its reputation slipped.
The most recent payment card collection posted on the site in October, called "BlazingSun," included 3 million cards that appeared to be related to a breach of the Dickey's Barbecue Pit restaurant chain (see: For Sale: 3 Million Cards Used at Dickey's Barbeque Pit).
Researchers at Digital Shadows and Gemini believe that if, indeed, Joker’s Stash closes up shop Feb. 15, its operators likely will offload unsold payment card data to another site.
Beek believes the administrator of Joker's Stash might be planning to open up a fresh site under a new name.
Other cybercriminal organizations and fraudsters have switched names and tactics to avoid attracting the attention of law enforcement officials. For example, the operators behind GandCrab ransomware announced their retirement in May 2019 only to reemerge as REvil, aka Sodinokibi, a few months later. The Maze ransomware gang called it quits in October 2020, and many researchers believe its operators now work under the name Egregor (see: FBI Issues Alert on Growing Egregor Ransomware Threat).
"It is entirely possible for Joker's Stash to set up shop under a different guise due to their extensive knowledge and expertise they have built up over the years, and therefore make this retirement seem as legitimate as they can to throw off any law enforcement interest in another potential platform," Beek says. "It may sound far-fetched, but this wouldn't be the first time an admin has left one platform only to return on another. For instance, the ex-administrator of the Russian-language cybercriminal forum Exploit is now the administrator of XSS, another Russian-language forum."