Know when to fold ’em

Imminent Joker's Stash demise likely to spawn growth to rival cybercrime forums

Carders, fraudsters, and other cybercriminals will be quick to migrate to other nefarious platforms if infamous darknet site the Joker’s Stash closes as promised next month, according to experts in the fight against cybercrime.

Joker’s Stash has grown since its inception back in 2014 to become the dark web’s biggest compromised payment card data sale site. Its operator announced plans to bring down the shutters on the site on February 15.

The seizure of proxy servers behind the site by law enforcement last month, as well as unconfirmed reports that its unknown operator was hospitalized with coronavirus in October, may be behind the closure.

Villainous hive

According to Group-IB threat intelligence data, in 2020 Joker’s Stash accounted for over 40% of all stolen bank card data traded in underground markets.

Group-IB’s head of cybercrime research unit Dmitry Shestakov commented: “Maintaining supply chains is essential for carders, hence, they are likely to migrate to other platforms.

“It’s of note, however, that Joker’s Stash’s closest rival held just above 15% of the carding market in 2020.”

RELATED Safe-Inet: VPN service for cybercriminals taken down in law enforcement bust

The Singapore-based threat intelligence and digital forensics firm has been tracking incidents of cybercrime enabled by Joker’s Stash, such as credit card dumps, for some years.

“Joker’s Stash has been one of the most notorious underground cardshops for trafficking in stolen payment data,” Shestakov told The Daily Swig.

“It was used by carders to monetize major breaches of the past years – for instance, the biggest single card database ever on sale on dark net, [when] 1.3 million card records of primarily Indian banks [were] uploaded to the marketplace in October 2019,” he added.

Business as usual

The demise of Joker’s Stash – assuming it happens – is unlikely to have much on an effect on demand for, and trade in, compromised payment card data.

Shestakov predicted: “The demand for stolen bank card data will remain, that’s why other carders, not connected with Joker’s Stash, will naturally shift to new marketplaces themselves, with no need for these venues to attract them.”

Cybercrime watchers Gemini Advisory agreed with this assessment, and noted that the “underground payment card economy is likely to remain largely unaffected by this shutdown”.

They added that while Joker’s Stash was the largest in the carding space, it “also exhibited a severe decline in the volume of compromised records posted over the past six months”.

Read more of the latest cybercrime news

Group-IB declined to offer the names of specific marketplaces that may be in the ascendency in “order to not advertise them and generate traffic for cybercriminals”.

The company did however say that these services all make an illicit income in much the same way as the soon-to-shut Joker’s Stash.

Shestakov explained: “Joker’s Stash business model in which the cardshop owners receive interest from the data sold on the marketplace by third party vendors is not unique and [is] quite widespread among other platforms.

“Payment data traders have access to a cardshop’s seller panel through which they can upload bank cards and then monitor their profits and how many records have been sold.”

RECOMMENDED Magecart attacks: Cat-and-mouse game continues between cybercrooks, law enforcement