Market for stolen payment cards will persist, threat intel firm predicts
UPDATED The largest illicit marketplace for stolen payment card data, Joker’s Stash, officially shut down today (February 15).
Threat intel experts at Flashpoint predict one of four contenders will step in to fill the vacuum left by the site’s departure from the cybercrime scene.
Joker’s Stash closed on schedule, 30 days after its founder announced he was pulling down the shutters on the cybercrime bazaar.
Increased law enforcement scrutiny hastened the marketplace’s demise but not the illicit business model it mined, according to a white paper from Flashpoint.
The security firm reckons four cybercrime marketplaces are primed to become the leading exponent of the Joker’s Stash model: Brian’s Club, Ferum, Trump’s Dumps and Yale Lodge.
Joker’s Stash, the longest-running stolen payment card shop, launched in 2014 in the wake of several major credit card breaches and the success of other illicit stores such as Silk Road.
It successfully sold credit card details stolen from various data breaches for just over six years. Since 2017 the site has hosted shops and associated infrastructure via blockchain DNS, which according to one operator “is perfect bcoz its impossible to abuse and it’s fully resistant to domain locks”.
Joker’s Stash operated as a kind of black-market equivalent of eBay or Amazon Marketplace, taking a cut of sales proceeds generated by third-party vendors.
Its unidentified operator may have amassed a fortune of more than $1 billion in Bitcoin, according to an analysis by cryptocurrency technology provider Elliptic.
Elliptic reports that the site became inaccessible more than a week ago, some time before its scheduled closure, in a development that annoyed some of its customers.
“Joker’s Stash announced that it would cease operations on 15th February, although the site became inaccessible as of the 3rd February, angering many customers, who still had balances to spend,” said the company.
“It is one of the few criminal marketplaces to shut down on its own terms, a victim of its own success rather than as a result of any apparent law enforcement operation.”
Flashpoint confirmed that Joker's Stash effectively closed on February 4, nearly two weeks ahead of schedule, a day after a "spokesperson for Joker's Stash card shop across various Russian and English-forums deleted the threads that they have used for communication with their customers and for announcements of upcoming updates".
The shop itself has remained unreachable since February 4.
Joker’s Stash appeared to scale back its operations in July 2020 with a noticeable decline in both the quality and response time of its customer support. Numerous theories emerged to explain the drop-off that included possible law enforcement action, health issues of the threat actors, and even a potential exit scam.
The shop's operators finally announced on January 15, 2021 that they would shut down the shop for good on February 15.
Enhancements to the card payment ecosystem such as improved anti-fraud technologies and the move to contactless payments are making life more difficult for carders (payment card data thieves). This will have a knock-on effect for the carding marketplaces seeking to exploit a gap in the market created by the exit of Joker’s Stash, according to Flashpoint.
The threat intel firm offers a form book on the four main contenders looking to supplant Joker’s Stash:
Brian’s Club: Since news of Joker’s Stash’s imminent closure broke, this platform has significantly increased advertising on carding forums and chat rooms in an attempt to attract new users. It offers extensive support to users on various forums, and has fully recovered from a breach that took down the shop in October 2019.
Ferum: Ferum’s administrator maintains a long-standing presence in illicit carding communities. The shop is available on the clear web and Tor, providing easier access for entry-level cybercriminals. However, the relatively small volume of card content has limited broader scale adoption.
Trump’s Dumps: This relatively new shop has increased advertising to capture the open market share left by Joker’s Stash’s absence. The shop offers a variety of services, including a self-hosted checker.
Yale Lodge: A Tor and clear web card shop with a relatively high degree of customer support, as well as a self-hosted checking service.
Ian Gray, director of analysis and research at Flashpoint, said: “Our insights show that what from the outside appeared to be a sudden and unexpected shutdown of Joker’s Stash was in fact a long-term decline.”
He adds: “Joker’s Stash was not the first illicit card shop and it certainly won’t be the last. We know from our intelligence that at least four shops are well-positioned to capture the market share left open following Joker’s Stash’s closure.”
Forums, rather than private groups on Telegram and the like, will remain the main venue for the sale of stolen card data, according to Flashpoint:
While Telegram supports chats and conversations, it doesn’t have a native payment system within the application. Some users may conduct peer-to-peer transactions through Telegram, however without an escrow or administrator there is a possibility that the user may be scammed.
Bot services like Televend are being used in fraud and drug communities to provide automated payment systems, which provides convenience, although it lacks a shop interface.
Shops like Joker’s Stash have gained the trust of their users through the release of large breaches of credit card data, and anonymous and decentralized network infrastructure (e.g., Blockchain-DNS).
They have provided customer support on mid and high-tier English and Russian language forums. Furthermore, they have provided guidelines for giving out customer refunds on rejected cards that met certain criteria.
Flashpoint analysts do not foresee any major changes taking place in the structure of card shops. "The business model on Joker’s Stash was rated highly by users across various cybercrime communities and Flashpoint analysts assess with high confidence that other card shops will attempt to replicate the model Joker’s Stash," it said.
Flashpoint's Gray concluded: “Financial institutions [need] to remain aware of these fast-paced market changes and have the ability to quickly identify their payment products and customer data when it’s offered for sale on these illicit marketplaces.”
This story has been updated with additional comment from Flashpoint.