Last week DarkMarket, the second largest dark web marketplace, was shut down by law enforcement in Europe. This takedown is the result of increasing joint efforts to take down dark web facilitated crime. Some dark web market administrators are taking notice, and deciding to retire on their own terms, before the police come knocking on their door. Such is allegedly the case for Joker’s Stash, a notorious carding marketplace.
“Joker goes on a well-deserved retirement,” reads a post on one of the Russian dark web forums, after the popular carding marketplace recently announced it was shutting down on February 15.
The website has been operational since 2014. Throughout its activity, it has facilitated the sale of credit cards leaked in major breaches, including some 30 million cards allegedly from the Wawa breach in 2019.
Source: https://twitter.com/amartinsec/status/1222271538503831552
Last week, Joker’s Stash administrators reported that “an external proxy server” was taken down by law enforcement which led to a disruption in daily business operations for one of its sections. Interpol has not yet disclosed much information about the takedown operation. While at first it seemed the entire Joker’s Stash website was taken offline, users noticed that only the .bazar domain was compromised.
Integrate the world’s easiest to use and most comprehensive cybercrime database into your security program in 30 minutes.
Apparently the compromised server did not contain critical information about buyers and sellers, website administrators claimed. They urged account owners to spend their balances as soon as possible, because all servers and backups will be erased in 30 days. Once the marketplace is shut down completely, administrators claim they will never reopen and warn against “future imposters.”
The news has taken dark web forum users by surprise, many left wondering which existing marketplace will now replace Joker’s Stash, or if a new marketplace will arise to focus on compromised payment card data. But above all, most are wondering how this will affect the payment card economy on the criminal underground.
There is an interesting narrative around carding, as many users take advantage of the shut down to express concern for their wellbeing and future activities. Blaming their financial situation on their country being in a third lockdown or that they are falling behind on payments, some confess they are desperate and “clueless” as to how carding actually works. More experienced fraudsters warn that this type of activity is not for beginners, as law enforcement units are likely monitoring forums and are specifically focused on government relief programs.
Additionally, there are also rumours on a few forums that this is either an exit scam, or that the FBI has arrested the administrator, following a temporary FBI and Interpol seizure notice posted on the website a few weeks ago. So far there is no clear evidence to confirm this. Law enforcement does have a tendency to welcome new deposits so its seizures can increase in size and impact on the criminal underground. It is therefore doubtful that law enforcement would warn market participants to withdraw all of their funds. Other rumours include the idea that administrators wanted to leverage Bitcoin’s record high from last week.
Moving forward, our threat intelligence team will be monitoring the dark web and chat groups to identify trends and where malicious actors may be moving their business to, now that law enforcement is closing in on them. It will be interesting to observe whether the underground payment card economy will experience this as a major blow or will move forward as if nothing has happened. It is very likely that this shutdown, as well as others, will not have a major impact, given the high number of available markets, forums and chat groups that keep popping up. It is likely more a matter of trust among vendors, sellers and administrators, rather than a matter of unavailability.