A ‘coordinated police’ action against the Joker’s Stash took a small domain offline

Earlier chatter on other cybercriminal forums suggested that Joker’s Stash had gone down.
Pete Linforth via Pixabay

An ongoing law enforcement operation has disrupted aspects of a leading website where internet scammers frequently buy and sell stolen data, according to the site’s administrators and multiple sources with visibility into the site. 

A message posted Thursday on a forum at the Joker’s Stash, a marketplace where members have previously listed millions of payment cards stolen from U.S. restaurant chains, notifies members that “these bastards busted” an “external proxy server” connected to a section of the site. Other aspects of Joker’s Stash remained functioning normally at press time Thursday, though one researcher suggested the action represented a kind of warning to the site that has facilitated fraud since at least 2015. 

“This relates to a coordinated police operational activity that is ongoing, and at this time we are not in a position to comment,” Interpol, the inter-governmental law enforcement organization based in France, said in an email.

The affected Joker’s Stash domain was a .bazar site that appeared to function as part of an emerging technology known as a blockchain-based Domain Name System (DNS). Typically, DNS protocol functions as a kind of internet phone book by allowing users to type website names (such as to access a web address that actually is a long string of numbers. Blockchain DNS tools use a similar approach, but help a website owner avoid outages through a kind of decentralized web service. 


If one part of the blockchain DNS goes down, that doesn’t spell doom for the larger site.  

Chatter on other cybercriminal forums earlier Thursday suggested that Joker’s Stash had gone down, though it later became clear that only the .bazar domain had ceased to function, according to a brief from Digital Shadows, a threat intelligence company. The Joker’s Stash administrator who made the initial announcement also said that the affected server contained no “shop data,” in an apparent reference to information about buyers, sellers or the marketplace’s listings. 

That administrator, who goes by the name “JokerStash,” is considered a credible source of information about the site, Digital Shadows said. Part of the motivation for the claims in the administrator post, the accuracy of which CyberScoop could not verify, likely were meant to ease concerns in the hacking ecosystem about the viability of the site. 

The action likely will only disrupt the site temporarily, cybersecurity vendor Intel471 predicted.

Joker’s Stash is one of a number of sites that has mostly evaded law enforcement action in recent years, despite its reputation as a hub of criminal activity. In October, sellers on the site claimed to offer 3 million payment card numbers purportedly stolen from Dickey’s Barbecue Pit, an American restaurant chain. Previously, data associated with breaches as the Hy-Vee supermarket chain, Sonic Drive-In and other sources was advertised. 


In 2019, Joker’s Stash expanded to sell personal information about high-value individualism such as current and former members of the Trump administration, as the threat intelligence firm Recorded Future previously found

That brand recognition might be starting to catch up to Joker’s Stash, though, according to Andrei Barysevich, the founder of Gemini Advisory, a threat intelligence firm. 

“I think it was a signal to Joker’s Stash specifically, but other markets, as well,” he said. “It’s sort of a ‘We are watching you closely and will take an action with any opportunity.’”

Jeff Stone

Written by Jeff Stone

Jeff Stone is the editor-in-chief of CyberScoop, with a special interest in cybercrime, disinformation and the U.S. justice system. He previously worked as an editor at the Wall Street Journal, and covered technology policy for sites including the Christian Science Monitor and the International Business Times.

Latest Podcasts