Gemini company logo
Blog

Joker’s Stash, the Largest Carding Marketplace, Shuts Down

Joker’s Stash, the Largest Carding Marketplace, Shuts Down

J Stash name is shut down as the largest carding place

01 / 15 / 2021

Key Findings

  • Joker’s Stash, the largest dark web marketplace in the underground payment card economy, has announced that it is shutting down. 
  • While this marketplace was the largest in the carding space, it also exhibited a severe decline in the volume of compromised records posted over the past six months.
  • Given this marketplace’s high profile, it relied on a robust network of criminal vendors who offered their stolen records on this marketplace, among others. Gemini assesses with a high level of confidence that these vendors are very likely to fully transition to other large, top-tier dark web marketplaces.
  • The underground payment card economy is likely to remain largely unaffected by this shutdown.

Background

Joker’s Stash, the largest dark web marketplace in the underground payment card economy, has announced that it is shutting down. The announcement, posted on January 15, 2021, claimed that it would remain operational until February 15, 2021, before the administrator, “JokerStash,” “goes on a well-deserved retirement.” This message was originally posted to Joker’s Stash itself, and additionally added to several top-tier dark web forums.

JokerStash announcement of the Joker’s Stash marketplace closure screenshotImage 1: JokerStash announces the closure of the Joker’s Stash marketplace.

In-Depth Analysis

Reactions

Feedback was mixed; some dark web forum members expressed disappointment to lose access to the marketplace, while others who had been frustrated with its operations were neutral. Certain actors accepted JokerStash’s explanation for retirement, while others on dark web forums and hacking-focused Telegram channels speculated that the FBI had detained JokerStash. Several weeks ago, Joker’s Stash blockchain domains were temporarily rendered unavailable and replaced with an FBI and Interpol seizure notice. However, the administrator quickly regained control.

FBI and Interpol seizure notice appeared on a Joker’s Stash blockchain domain screenshotImage 2: An FBI and Interpol seizure notice appeared on a Joker’s Stash blockchain domain on December 16, 2020.

In late October, the marketplace’s routine activities were disrupted. JokerStash posted to claim that this was due to getting COVID-19 and spending more than one week in a hospital.

JokerStash claims being hospitalized due to COVID-19 screenshotImage 3: JokerStash claims to have been hospitalized due to COVID-19.

Another event that may have contributed to this threat actor shutting down their marketplace is Bitcoin’s recent spike. JokerStash was an early advocate of Bitcoin and claims to keep all proceeds in this cryptocurrency. This actor was already likely to be among the wealthiest cybercriminals, and the spike may have multiplied their fortune, earning them enough money to retire. However, the true reason behind this shutdown remains unclear.

Operations

While this marketplace was the largest in the carding space, it also exhibited a severe decline in the volume of compromised Card Not Present (CNP) and Card Present (CP) records posted over the past six months. Most other top-tier carding marketplaces actually increased their posted data (largely CNP data, while CP data declined during COVID-19 lockdowns) during this time. However, Joker’s Stash has received numerous user complaints alleging that card data validity is low, which even prompted the administrator to upload proof of validity through a card-testing service.

Graph of the number of cards posted per month by dark jokerImage 4: Joker’s Stash has posted fewer compromised CNP and CP records over the past six months. The graph shows the percentage change in the number of cards posted by comparing each month’s level to that of July 2020.

Additionally, JokerStash’s tactics, techniques, and procedures (TTPs) involved advertising in advance and then posting high-profile major breaches. The threat actor leveraged media coverage of these breaches to boast about their ability to compromise even major corporations. Most dark web marketplaces eschew such TTPs because they attract undue attention from security researchers and law enforcement; JokerStash actually celebrated such attention.

Joker’s Stash was one of the oldest observed dark web marketplaces and has operated since 2014. In the past year, the marketplace has added over 40 million new records, the majority of which were CP records. CP data was linked to major breaches, such as the “BIGBADABOOM-III” breach that compromised Wawa or the “BLAZINGSUN” breach that compromised Dickey’s Barbecue Pit. CNP data was linked to Magecart attacks or occasionally phishing. Gemini calculated that Joker’s Stash has generated more than $1 billion USD in revenue over the last several years.

Conclusion

Many criminal groups split the sale of compromised data across numerous marketplaces. For example, Gemini Advisory recently observed the “Keeper” group dividing stolen records among four leading marketplaces (including Joker’s Stash). Given Joker’s Stash’s high profile, it relied on a robust network of criminal vendors who offered their stolen records on this marketplace, among others. Gemini assesses with a high level of confidence that these vendors are very likely to fully transition to other large, top-tier dark web marketplaces.

According to Wired research, even the shutdown of the infamous Silk Road dark web marketplace had very little impact on the overall dark web black market. The cybercriminals who sold illicit goods and services there simply shifted to other marketplaces, and the economy continued to function. The underground payment card economy is thus likely to remain largely unaffected by this shutdown.

Gemini Advisory Mission Statement

Gemini Advisory provides actionable fraud intelligence to the largest financial organizations in an effort to mitigate ever-growing cyber risks. Our proprietary software utilizes asymmetrical solutions in order to help identify and isolate assets targeted by fraudsters and online criminals in real-time.

Choose your region:

Choose your state:

Book a Demo
This website uses cookies

We use cookies to personalise content and ads, to provide social media features and to analyse our traffic. We also share information about your use of our site with our social media, advertising and analytics partners who may combine it with other information that you’ve provided to them or that they’ve collected from your use of their services

Allow all cookies