Joker’s Stash Carding Site Taken Down


The underground payment-card data broker saw its blockchain DNS sites taken offline after an apparent law-enforcement effort – and now Tor sites are down.

Joker’s Stash, the carding site where cybercriminals hawk their payment-card wares, has suffered a blow after law enforcement apparently seized one of its domains.

Joker’s Stash is a popular cybercriminal destination that specializes in trading in payment-card data, offering millions of stolen credit and debit cards to buyers. In October for instance, Dallas-based smoked-meat franchise Dickey’s Barbecue Pit saw 3 million customer payment cards turn up on the site. Anyone purchasing the information can create cloned cards to physically use at ATMs or at in-store machines that aren’t chip-enabled; or, they can simply use the information to buy things online.

According to researchers at Digital Shadows, Joker’s Stash evades takedowns by operating from several different domains. These include the blockchain domains .bazar, .lib, .emc, and .coin, as well as two Tor (.onion) versions of the platform, researchers said.


But late last week, the .bazar version of the site began displaying a notification that the U.S. Department of Justice and Interpol had seized the site. Shortly after, the .lib, .emc and .coin domains began showing a “Server Not Found” banner.

“Early chatter on the Russian-language cybercriminal forum XSS initially suggested that the entire site had been seized and expressed concern at this development,” according to Digital Shadows, in a recent blog.

The official Joker’s Stash representative, “JokerStash,” went on to create a post on the Russian-language carding forum Club2CRD, confirming that the .bazar domain’s external proxy server had been taken down — but it’s unclear if the DoJ and Interpol are indeed behind the action. In any event, the person also intimated that the takedown wouldn’t affect operations for long.

“The representative went on to state that the server did not contain any ‘shop data,’ and announced they were creating new servers and transitioning the site, meaning all blockchain versions of the site would be ‘back to work in a few days,’” according to Digital Shadows. “Finally, the representative confirmed that the Tor versions of the site remained unaffected and encouraged users to leverage them in the meantime.”

As of Monday however, the Tor versions of the site were unavailable, but JokerStash claimed the blockchain sites were back in business. “The Tor links that were initially advertised following the .bazar domain seizure appear to be temporarily offline, likely being moved to new servers,” postulated Austin Merritt, cyber-threat intelligence analyst at Digital Shadows, in an email interview.

Thus, the seizure of the .bazar domain likely will not do much to disrupt Joker’s Stash, researchers said. “Joker’s Stash maintains a presence on several cybercrime forums, and its owners use those forums to remind prospective customers that millions of credit- and debit-card accounts are for sale,” according to the post. “Even following the seizure of the .bazar domain, the official Joker’s Stash representative updated a thread on Club2CRD with a long list of new payment card dumps recently added to the site.”

Blockchain domain name system (DNS) technology is a decentralized system for top-level domains that is not regulated by a central authority in the way conventional DNS is. When a site’s URL needs to be matched to its IP address, the lookup is done via a peer-to-peer network. Blockchain DNS sites are usually accessed via Chrome, researchers said, using a special blockchain browser extension that enables access to sites with certain URL suffixes.

This makes it a bit of a Wild West, with Digital Shadows researchers noting that security services have a harder time tracking malicious activity in that environment.

“[Carding services] and other sites used to trade stolen account information have been experimenting with peer-to-peer DNS technology in order to hide malicious activity, and crucially bulletproof their platforms,” researchers wrote. “As blockchain domains do not have a central authority and registrations contain unique encrypted hashes rather than an individual’s name and address, it is harder for law enforcement to perform site takedowns.”
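For defenders, the suffixes named above give a simple starting point for spotting hosts that try to reach blockchain-DNS sites. The following is an added example, not code from Digital Shadows or the article: it assumes such lookups appear in a resolver query log you control, and the four-field log format, IP addresses and hostnames are constructed for illustration.

```python
from collections import defaultdict

# Suffixes the article lists for Joker's Stash blockchain domains.
BLOCKCHAIN_TLDS = {"bazar", "lib", "emc", "coin"}

# Constructed sample resolver log (assumed format):
# "<timestamp> <client-ip> <qname> <qtype>"
SAMPLE_LOG = """\
2020-12-21T09:14:02Z 10.0.4.17 shop.example.bazar. A
2020-12-21T09:14:05Z 10.0.4.17 SHOP.EXAMPLE.BAZAR A
2020-12-21T09:15:40Z 10.0.7.3 coin.example.com. A
2020-12-21T09:16:11Z 10.0.7.3 mirror.example.lib AAAA
2020-12-21T09:17:00Z 10.0.9.8 notbazar.example.org. A
malformed line
2020-12-21T09:18:30Z 10.0.4.17 wallet.example.coin. A
"""

def tld_of(qname):
    """Return the lowercase rightmost label, ignoring the root dot."""
    labels = qname.strip().rstrip(".").lower().split(".")
    return labels[-1] if labels and labels[-1] else None

def find_blockchain_lookups(log_text, tlds=BLOCKCHAIN_TLDS):
    """Map client IP -> sorted distinct names queried under a listed suffix."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not match the assumed format
        _ts, client, qname, _qtype = fields
        # Match on the final label only, so "coin.example.com" and
        # "notbazar.example.org" are not flagged.
        if tld_of(qname) in tlds:
            hits[client].add(qname.rstrip(".").lower())
    return {client: sorted(names) for client, names in hits.items()}

if __name__ == "__main__":
    for client, names in find_blockchain_lookups(SAMPLE_LOG).items():
        print(client, names)
```

Matching on the final label rather than a substring avoids flagging ordinary domains that merely contain one of the suffix strings.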

Merritt said that the other non-Tor Joker’s Stash sites were likely offline because they were taken down by the administrator.

“Since the site’s representative mentioned that they were creating new servers and transitioning the site, it’s possible they have not completed the transition,” he told Threatpost. “Another probable cause for these sites’ unavailability is the failure of plugins needed to access the .bazar, .lib, .emc, and .coin domains; installing more than one plugin can also lead to a failure to access the site’s contents.”

While the law-enforcement action is unlikely to slow Joker’s Stash down for long, it could have repercussions for the site’s “cred” on the criminal underground, and it shows that blockchain DNS services aren’t untouchable. It could also spur them to change tactics, Merritt said.

“The significance of law-enforcement coalitions tackling cybercriminal vendors on marketplaces, and their ability to track down vendors, may encourage criminal marketplace administrative teams to take more security-aware approaches, such as implementing PGP encryption, two-factor authentication (2FA), and leveraging Monero (XMR) to avoid tracking,” he told Threatpost. “Law-enforcement action against Joker’s Stash may serve as a short-term deterrent, but the site’s reputation as a credible [carding forum] for cybercriminals will likely be maintained. As we’ve already seen, site administrators can quickly adapt to takedown attempts by moving their operations to more secure domains.”

They added, “In the future, additional…sites could be the target of takedown operations by law enforcement in an attempt to deter cybercriminals. Unfortunately, when one site or operation is taken down, cybercrime finds a way through other platforms with cybercriminals ready to fill the void.”
