Joker’s Stash Shutting Down—for Good This Time
After Flashpoint published this initial blog post (below), we released new in-depth research about Joker’s Stash on February 15, 2021, coinciding with its official shutdown date.
Our new research—“Joker’s Stash Post-Mortem: Where Will the Cybercriminals Go?”—analyzes the events that led to Joker’s Stash’s precipitous rise and ensuing fall, projects where the card fraud market goes from here, and advises how fraud and security teams prepare for what’s next. Read more here!
A Major Blow to Cybercriminals Worldwide, Joker’s Stash Shutters its Shop
On January 15, 2021, the notorious and highly reliable card shop known as “Joker’s Stash” announced earlier today that it will be shutting down its operations in the next 30 days.
For those who aren’t familiar with this card shop, it has been *the* place to purchase stolen cards and data dumps and for buyers to do so with a high degree of confidence that the purchased illicit goods will be active or otherwise legitimate for their use. For cybercriminals and fraudsters, this news surely comes as a major hit—either hurting their illicit profit-making operations or disrupting their ongoing attacks.
Joker’s Stash Official Closing Message
For those interested in the card shop’s official closing post, we’ve added the image and message the Joker’s Stash admins posted.
Joker’s Stash: A Brief History
Joker’s Stash opened in 2014, making it one of the oldest continually-operating compromised credit card shops on the internet. It’s been a fixture for many illicit cyber schemes, gaining notoriety for their large breaches of credit card information. Over the past year, Joker’s Stash is credited with selling compromised credit card information from point-of-sale transactions at Dickey’s Barbecue Pit, Champagne French Bakery and Cafe, and Wawa Inc. Joker’s Stash differentiated themselves from their competitors by their card freshness, an assessment of the card’s validity, as well as claiming to source their own card data through “exclusive self-hacked bases.” Joker’s Stash was also unique in their decision to host their shop on blockchain DNS. In April 2020, they also added Tor domains to their shop.
Compromised payment card information available in underground card shops falls into two categories:
- Dumps: Skimmed track information from a physical card that is collected using a skimmer or point-of-sale (POS) malware.
- Cards: Cards which is collected from intercepted network traffic and provides information that can be used to make online purchases.
Recent Complications Likely Lead to its Demise
Over the last year, there have been a number of unsubstantiated rumors on illicit cybercrime forums that Joker’s Stash was taken down by law enforcement. Previously, in March, 2020, the Russian Federal Security Service (FSB) detained thirty members of an illicit carding operation, which led to subsequent shutdown of more than 90 domains. Though several users on cybercrime forums claimed that Joker’s Stash was included in the takedown, they actively refuted these claims. The shutdown further affirmed Joker’s Stash dominance in the carding underground.
Death by a Thousand Cuts: PCI-DSS, COVID-19, and Domain Takedowns
Since opening in 2014, Joker’s Stash has had to navigate a number of issues, including updates to PCI-DSS. Increased security on payment card data, including implementation of EMV chip, has challenged carders. Shifts in payment card methods, like e-commerce and NFC wallets, have required threat actors to be agile in their methodology. Improvements in fraud monitoring at financial institutions has also lessened threat actors ability to monetize card data before getting flagged for fraud.
Throughout 2020, the typically active administrator JokerStash had several gaps in communications. JokerStash claimed that they were hospitalized due to a coronavirus infection. The decreasing number of large fresh bases also questioned their ability to source new card data.
On December 16, 2020, four blockchain domains (.bazar, .lib, .emc, and .coin) of a notorious card shop, Joker’s Stash were purportedly seized by the FBI and Interpol. JokerStash claimed that it was an external proxy server, and that their Tor domains were still available.
It is unclear if the recent seizure of their blockchain domains were a factor into the decision to close. It is not uncommon for criminals to shutdown high-profile operations to avoid potential law enforcement actions. Nevertheless, due to the long history of this shop — we expect the law enforcement focus will remain for several years.
The shutdown of Joker’s Stash is notable due to the fact that the administrators of the shop are not conducting an exit scam, nor there is a takedown by law enforcement.
Flashpoint analysts access with moderate confidence that in the wake of the shutdown of Joker’s Stash, other shops will attempt to fill the void and control a sizable part of the carding underground.
Where Will the Cybercrime Go?
While Joker’s Stash has been one of the biggest card shops, it’s far from the only one. Across Flashpoint card shop collections, we’re pulling in and identifying millions of stolen credit cards from illicit marketplaces.
As the dust starts to settle and Joker’s Stash fully shuts down in 30 days, Flashpoint will keep a close eye on where all the activity starts to go. We will monitor for an increase in the number of dumps and cards on the existing credit card shops, as well as promotions of new shops or services within illicit cybercrime communities.
New Flashpoint Research Dives Deeper into Joker’s Stash
Get more in-depth research and data analysis about Joker’s Stash and the future cybercriminal marketplaces in our latest research: “Joker’s Stash Post-Mortem: Where Will the Cybercriminals Go?