After Joker’s Stash shutdown, the market for stolen financial data looks a lot different
The closure of the Joker’s Stash cybercrime forum put a lasting dent in the overall market for stolen payment-card data on the dark web, researchers say, amid other factors complicating business for crooks aiming to trade in illicit credit or debit card information.
From mid-2020 to mid-2021, the value of the “carding” market fell to $1.4 billion, compared $1.9 billion during the same period a year earlier, according to cybersecurity company Group-IB, which attributes the shrinkage largely to the disappearance of Joker’s Stash.
The FBI and Interpol disrupted the market’s digital infrastructure in December 2020, and by February 2021, it had shut down. The site hosted data dumps from all over the globe, including U.S. restaurant patrons and Indian bank customers. Criminal groups like the gang known as FIN7 knew they would find customers on the forum. (Those customers quickly scattered to myriad other sites.)
While the market shift happened, advancements in card security and other factors also continued to affect the quality of the card “dumps” appearing in forums, researchers say. Carders are still hard at work, but recent trends — including the appeal of ransomware — have altered the ecosystem.
“Due to a lack of options and high-quality material available on the market, users in cybercriminal forums frequently bemoan the state of carding,” the security firm Digital Shadows, which monitors illicit carding trends, said in a statement. “We often see threads from users looking for new sources or reliable vendors.” Sometimes the forums themselves are hacked, with attackers leaking stolen data, further degrading its value.
New marketplaces include All World Cards, BINART, CC Shop, Dundee Shop, Flowcc, Hogwarts Market, Rockefeller’s Store and Wixxx, according to threat intelligence firm Intel471, but “no dump shop or threat actor has been able to fill the void” left by Joker’s Stash.
When Joker’s Stash was at its peak, much of the stolen data came from two sources: skimmers that criminals physically attached to ATM machines and other devices, and digital intrusions that compromised the networks of point-of-sale (POS) terminals.
The most vulnerable financial transactions are those involving cards with magnetic strips. Chip-based payment cards have two key security benefits: The embedded data is better protected, and it’s harder to duplicate them for illegal use somewhere else.
“As currently there are no widely used technologies that can completely clone bank card EMV chips, we expect cybercriminals specializing in harvesting bank card dumps to encounter further challenges,” Group-IB said in a statement. EMV stands for “Europay, Mastercard, and Visa,” the companies that initiated the chip standard.
Some of the carding activity has continued to expand beyond the dark web.
Digital Shadows says messaging platforms like Telegram and Discord are where some of the actual trading now occurs. Some of the remaining dark web forums are used “solely for marketing purposes or to swap information about the best platforms on which to buy carding-related data,” according to researchers.
Meanwhile, the crooks are paying close attention to higher quality investments. Group-IB’s data shows that individual card dumps rarely sell for more $1 million — and they have a limited shelf life, as victims eventually cancel compromised cards. Ransomware demands, meanwhile, have a much higher ceiling. Card scammers are increasingly trying to get in on that action, researchers say.
Now, the breach of a payment card network can become just the first step in a bigger scheme to encrypt a victim company’s data and hold it hostage.
“Some threat actors who used to be carders today prefer to monetize the initial access they get by further deploying ransomware, which offers them higher incomes, while at the same time decreases the number of attack stages and simplifies the attack monetization,” Group-IB says.
Joker’s Stash still has imitators that masquerade as the now-defunct site, researchers say, with the goal of capturing that old traffic. And some of the forum’s previous competitors appear to sense an opportunity. A carding shop that was popular in 2019 has returned, according to Intel471.
“Rescator, which has ties to Russian-speaking actors, started operating again in December 2021,” Intel 471 says. It’s unclear if Rescator is operated by the same proprietor as before, or if its infrastructure was sold to a new operator, the researchers say, but credentials tied to the old site were valid on the new shop, suggesting a link.
There’s one other way to make money from carding: Charging the scammers to promote themselves.
“In fact, some fledgling cybercriminal forums have stayed afloat,” Digital Shadows says, “due to their constant inflows of advertisers from carding sites.”