Card Not Present Fraud , Cybercrime , Cybercrime as-a-service
Joker's Stash Reportedly Shutting Down OperationsResearchers: Notorious Underground Marketplace Will 'Retire' in February
Joker's Stash, the notorious underground marketplace that has specialized in the sale of stolen payment card data, is reportedly shutting down in February, with its administrator claiming he will "retire" at that time, according to researchers at Gemini Advisory, which tracks stolen payment card data.
In a report released Friday, Gemini Advisors notes that the administrator of the darknet site, who also goes by the name "JokerStash," plans to close down the marketplace on Feb. 15. The message was posted to the Joker's Stash forum as well as several other underground forums.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
The news that Joker's Stash will cease its operations comes a few weeks after published reports claimed that the FBI and Interpol briefly seized the blockchain domains used by the site, although the administrator appears to have regained control shortly after the incident.
And while the Joker's Stash administrator claims that the site will retire, the Gemini report finds that the marketplace's activity over the past six months has noticeably declined and that "buyers" who used the site had started to complain about the quality of the payment card data posted for sale.
"While this marketplace was the largest in the carding space, it also exhibited a severe decline in the volume of compromised card not present and card present records posted over the past six months," the Gemini researchers report. "Most other top-tier carding marketplaces actually increased their posted data (largely CNP data, while CP data declined during COVID-19 lockdowns) during this time."
After the expected closure of Joker's Stash, the market for stolen payment card data will quickly move to other darknet marketplaces, say Christopher J.S. Thomas, an intelligence product analyst with Gemini.
"It is very likely that the cybercriminals who buy and sell stolen payment cards on Joker's Stash will find new marketplaces," Thomas says. "The underground payment card economy is subject to the same basic market forces as other industries, and with cybercriminal vendors still generating a supply of stolen cards and buyers still generating demand for them, new or existing marketplaces will very likely facilitate their exchanges for a profit."
Joker's Stash is one of the oldest underground marketplaces for stolen card data, having been established in 2014. And while the Gemini report notes that its activity has declined since mid-2020, the site still published 40 million records over the past year, according to the report.
Over the past six years, Gemini calculates that the Joker's Stash site has generated some $1 billion in revenue.
The most recent payment card collection posted on the site in October, called "BlazingSun," included 3 million credit cards that are likely related to a breach of the Dickey's Barbecue Pit chain of franchised restaurants (see: For Sale: 3 Million Cards Used at Dickey's Barbeque Pit).
Joker's Stash had also posted payment card data from a breach at convenience store chain Wawa, as well as stolen data from cards issued by banks in the U.S., South Korea and a few EU countries (see: Joker's Stash Sells Fresh US, South Korean Payment Cards).
Despite the marketplace's success over the years, Austin Merritt, a cyber threat intelligence analyst at Digital Shadows, also notes that the quality of payment cards posted on the site declined recently, and the joint FBI and Interpol operation seems to have affected its reputation.
"The announcement has been met with mixed reviews on the cybercriminal forum Club2CRD where the site administrator has been providing daily updates for Joker's Stash," Merritt says. "The overwhelming sentiment from users is disappointment; however, forum users are already discussing they know of other carding sites that can be used in Joker's Stash absence. If Joker's Stash does officially shut down, the site's users will likely disperse to other underground carding sites to advertise, purchase and sell stolen credit cards. The authenticity of the announcement can likely be verified in the coming weeks if the servers are actually taken offline."
The Gemini report notes that the recent spike in the price of bitcoin - the virtual currency was trading at about $37,000 as of late Friday - could mean the site's administrator had enough money to walk away from Joker's Stash.
Joker's Stash was one of the first underground sites to heavily promote bitcoin as an alternative payment method, according to Gemini.
Other cybercriminal organizations have also announced "retirements" only to re-emerge in other parts of the darknet. In November, for example, researchers found that the Maze ransomware gang announced that it would retire its operations.
Not long after that announcement, researchers found a new ransomware strain called Egregor that many believe is the successor to Maze and is likely a continuation of the cybercriminal gang's operations under a new name (see: FBI Issues Alert on Growing Egregor Ransomware Threat).
Managing Editor Scott Ferguson contributed to this report.