Written by Joe Warminsky
The shutdown of cybercrime forum Joker’s Stash has put a lasting dent in the overall market for stolen payment card data on the dark web, researchers say, among other factors complicating the business of scammers aiming to trade illicit information on credit or debit cards.
From mid-2020 to mid-2021, the value of the “carding” market fell to $1.4 billion, from $1.9 billion in the same period a year earlier, according to the cybersecurity firm Group-IB, which attributes the shrinkage largely to the demise of Joker’s Stash.
The FBI and Interpol disrupted the market’s digital infrastructure in December 2020, and by February 2021 it had closed. The site hosted data dumps from around the world, including US restaurant customers and Indian bank customers. Criminal groups like the gang known as FIN7 knew they would find customers on the forum. (These customers quickly dispersed to a myriad of other sites.)
As the market has changed, advances in card security and other factors have also continued to affect the quality of card dumps appearing in forums, the researchers said. Carders are still hard at work, but recent trends – including the lure of ransomware – have altered the ecosystem.
“Due to a lack of options and high-quality hardware available on the market, users of cybercriminal forums frequently lament the state of carding,” security firm Digital Shadows, which monitors cybercriminals, said in a statement on illicit carding tendencies. “We often see threads of users looking for new sources or reliable suppliers.” Sometimes forums themselves are hacked, with attackers leaking stolen data, further degrading their value.
Newer markets include All World Cards, BINART, CC Shop, Dundee Shop, Flowcc, Hogwarts Market, Rockefeller’s Store and Wixxx, according to threat intelligence firm Intel 471, but “no dump store or threat actor has been able to fill the void” left by Joker’s Stash.
When Joker’s Stash was at its peak, much of the stolen data came from two sources: skimmers that criminals physically attached to ATMs and other devices, and digital intrusions that compromised point-of-sale (POS) terminal networks.
The most vulnerable financial transactions are those involving magnetic stripe cards. Chip payment cards have two key security advantages: the embedded data is better protected and it is more difficult to duplicate it for illegal use elsewhere.
“Since there is currently no widely used technology capable of fully cloning bank card EMV chips, we expect cybercriminals specializing in collecting bank card dumps to encounter other challenges,” Group-IB said in a press release. EMV stands for “Europay, Mastercard and Visa”, the companies that pioneered the chip standard.
Some of the carding activity has continued to expand beyond the dark web.
Digital Shadows says messaging platforms like Telegram and Discord are where some of the real commerce happens now. Some of the remaining dark web forums are used “solely for marketing purposes or to exchange information on the best platforms to buy carding-related data from,” according to the researchers.
Meanwhile, scammers pay special attention to higher quality investments. Group-IB data shows that individual card dumps rarely sell for more than $1 million – and they have a limited lifespan as victims end up canceling compromised cards. Ransomware demands, on the other hand, have a much higher cap. Card scammers are increasingly trying to get in on the action, researchers say.
Now, breaching a payment card network may be just the first step in a larger program to encrypt a victimized company’s data and hold them hostage.
“Some threat actors who used to be carders today prefer to monetize the initial access they get by deploying more ransomware, which gives them higher revenue, while at the same time reducing the number of attack processing steps and simplifying the monetization of the attack,” Group-IB said.
Impersonators are still posing as the now-defunct Joker’s Stash, researchers say, in an effort to capture that old traffic. And some of the forum’s previous competitors seem to sense an opportunity. A card store that was popular in 2019 is back, according to Intel 471.
“Rescator, which has ties to Russian-speaking players, started operating again in December 2021,” says Intel 471. It’s unclear if Rescator is operated by the same owner as before, or if its infrastructure was sold to a new operator, the researchers say, but the credentials linked to the old site were valid on the new store, suggesting a link.
There is another way to make money from carding: charging scammers to promote themselves.
“In fact, some fledgling cybercriminal forums have stayed afloat,” Digital Shadows explains, “due to their constant influx of advertisers from carding sites.”