Jokers Stash - Going out of Business? - X-Industry

Red Sky Alliance has long reported on the underground carding site – Joker’s Stash (JS). Well several research firms have identified that JS is ‘goiong out of business.’ Joker’s Stash is reportedly (or was…) the largest underground forum/shop for selling stolen credit card and identity data. JS is reporting they are closing its shop by the middle of February 2021. This news was shared after a crazy 2020 for the major cybercrime store, and several weeks after US and European law enforcement authorities seized a number of their servers.

The Russian and English language carding store began operations in October 2014, and quickly became a major source of credit card “dumps,” which is information stolen from compromised payment cards that crooks can buy and use to create physical counterfeit copies of those credit cards.[1]

But 2020 turned out to be a tough year for Joker’s Stash. Researchers at Intel 471 recently explained that the owner of JS reported last October that he had contracted COVID-19 and spent a week in the hospital. In that time frame many of JS’s ardent customers started complaining that the shop’s payment card data quality was increasingly poor. “The condition impacted the site’s forums, inventory replenishments and other operations,” reported Intel 471.[2]

Figure 1. Image: Gemini Advisory

That COVID diagnosis may have affected the shop owner’s ability to maintain fresh and valid inventory on his site. Gemini Advisory,[3] who monitor underground carding shops, observed a “severe decline” in the volume of compromised payment card accounts for sale on JS over the past six months. “Joker’s Stash has received numerous user complaints alleging that card data validity is low, which even prompted the administrator to upload proof of validity through a card-testing service,” Gemini wrote in a blog post about the planned shutdown.

Figure 2. Image: Gemini Advisory

On 16 December 2020, several of JS’s long-operated domains began displaying notices that the sites had been seized by the US Department of Justice and Interpol, yet JS quickly recovered, moving to new infrastructure and assuring customers that it would continue to operate normally.

Gemini researchers estimate that JS produced more than a billion dollars in revenue over the past several years. Much of that revenue came from high-profile breaches, including tens of millions of payment card records stolen from major merchants including: Saks Fifth Avenue, Lord and Taylor, Bebe Stores, Hilton Hotels, Jason’s Deli, Whole Foods, Chipotle, Wawa, Sonic Drive-In, the Hy-Vee supermarket chain, Buca Di Beppo, and Dickey’s BBQ.

Joker’s Stash routinely teased big breaches days or weeks in advance of selling payment card records stolen from those companies, and periodically linked to this site and other media outlets as proof of his shop’s prowess and authenticity. Like many other top cybercrime forum/shops, JS was a frequent target of phishers looking to rip off unwary or unsophisticated thieves. In 2018, KrebsOnSecurity (KoS) detailed a vast network of fake Joker’s Stash sites set up to steal login credentials and bitcoin. The fake sites all traced back to the owners of a Pakistani web site design firm. Many of those fake sites are still active (e.g. jokersstash[.]su).

As noted by KoS in 2016, JS attracted an impressive number of customers who kept five and six-digit balances at the shop, and who were granted early access to new breaches as well as steep discounts for bulk buys. Those “partner” customers will be given the opportunity to cash out their accounts. But the majority of Stash customers do not enjoy this status and will have to spend their balances by 15 February 2021 or forfeit those funds.

Figure 3. The dashboard for a Joker’s Stash customer who has spent over $10,000 buying stolen credit cards from the site.

Gemini said another event that may have contributed to this threat actor shutting down their marketplace is the recent spike in the value of Bitcoin. A year ago, one bitcoin was worth about $9,000. Today a single bitcoin is valued at more than $35,000. “JokerStash was an early advocate of Bitcoin and claims to keep all proceeds in this cryptocurrency,” Gemini stated in a recent blog post. “This actor was already likely to be among the wealthiest cybercriminals, and the spike may have multiplied their fortune, earning them enough money to retire. However, the true reason behind this shutdown remains unclear.” If the bitcoin price theory holds, that would be fairly rich considering the parting lines in the closure notice posted to JS.

“We are also want to wish all young and mature ones cyber-gangsters not to lose themselves in the pursuit of easy money,” the JS site administrator(s) warns. “Remember, that even all the money in the world will never make you happy and that all the most truly valuable things in this life are free.” Regardless, the impending February shutdown is unlikely to have much of an impact on the overall underground carding industry, Gemini explains. “Given Joker’s Stash’s high profile, it relied on a robust network of criminal vendors who offered their stolen records on this marketplace, among others. Gemini assesses with a high level of confidence that these vendors are very likely to fully transition to other large, top-tier dark web marketplaces.”

As stated, Red Sky Alliance has been collecting, analyzing and documenting cyber threats and vulnerabilities for over 9 years and maintains a resource library of malware and cyber actor reports – to include Joker’s Stash. As Gemini warns, the underground criminal activity will keep in operation, long after JS disappears. Specifically, our analysts are currently collecting and analyzing numerous underground forums, which include carding sites.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings: https://attendee.gotowebinar.com/register/8782169210544615949