Cybercriminal gangs operating darknet stolen payment card marketplaces are scrambling to attract customers from the now-closed Joker's Stash card market, according to representatives from the security firms Kela and Flashpoint. The administrator behind Joker's Stash claims to have officially shut down the operation in February 2021. Meanwhile, other criminal gangs offering stolen payment cards for sale have stepped up their promotional
Among the darknet marketplaces vying to pick up former Joker's Stash customers are Brian's Club, Vclub, Yale Lodge and UniCC, Kela says. Flashpoint's researchers say the Ferum and Trump's Dumps marketplaces are also attempting to build their clientele after the apparent demise of Joker's Stash.
Joker's Stash customers were likely already looking for a new marketplace, says an analyst from the threat research firm Digital Shadows, due to the site's declining customer service and having its service interrupted by law enforcement officials in December 2020.
Recently, Brian's Club has increased its marketing efforts, a Kela analyst added. For example, it has replaced Joker's Stash as the official sponsor of the popular underground forum Omerta, which focuses on payment card trading. "With the heavy marketing and advertising that Brian's Club has been investing in, it seems that the longtime attempts of marketing to credit card traders may be finally paying off now that Joker's Stash is out of the picture," says Victoria Kivilevich, a threat intelligence analyst with Kela. "Brian's Club has been immodestly trying to steal the thunder by publishing an advertisement on the main page of [Russian-language forum] XSS, soon after the announcement by Joker's Stash."
Kela analysts estimate about 5 million payment cards are being offered for sale through Brian's Club. At its height, Joker's Stash had about 30 million. Brian's Club has eight years of experience and offers criminals an easy way to conduct their illicit business, Flashpoint says. But even if Brian's Club soon becomes the dominant player, "it will still have to make up considerable ground to come close to rivaling Joker's Stash at its peak," one of the Flashpoint investigators said.
Kela and Flashpoint investigators both mention that Yale Lodge could emerge as a dominant market for stolen card data because it operates both a Tor and clear web card shop and has a self-hosted checking service. This service allows the buyer to check to see if the card information being bought is valid. Kivilevich points out, however, that Yale Lodge charges a $150 registration fee and a minimum deposit of $200, which is 10 times higher than what Joker's Stash required.
A Flashpoint analyst says the operators of the Ferum market also have a wealth of experience and provide easy access, but the site has less card data available for sale than others. Meanwhile, Trump's Dumps, which is a newer operation, has increased its advertising, Flashpoint reports. It offers a variety of services, including a self-hosted checking service.
Kivilevich says she has spotted Vclub members trying to recruit Joker's Stash customers on darknet forums. But Kela's researcher has found many complaints about the quality of cards available on Vclub. A Kela representative reports seeing almost 300,000 new stolen card data offerings added to UniCC each week. "Overall, the carding landscape is much bigger than the several markets we mentioned in this post," Kivilevich says. "Moreover, cybercriminals buy cards and dumps not only in specialized shops but also on forums, via instant messaging channels, and behind closed doors in private deals."
In January 2021, the operator of Joker's Stash announced the site would shut its doors on Feb. 15 and gave customers one month to settle their business dealings. Digital Shadows' researchers say the site is very likely permanently offline. This news came only a few weeks after several of the marketplace's servers were reportedly taken down in a joint FBI and Interpol operation.
"Joker's Stash activity began to fall precipitously starting in July 2020," the Flashpoint researchers note. "JokerStash, the shop administrator, built a reputation based on the shop's reliable and quick customer responses. During July 2020, JokerStash's normally speedy fielding of comments, complaints and feedback across top-tier forums began to ebb, and it grew increasingly worse and more sporadic in the following months."
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or firstname.lastname@example.org.