Back in December 2020, Digital Shadows (now ReliaQuest) reported that the Blockchain DNS domains for the infamous carding automated vending cart (AVC) Joker’s Stash displayed a notification that the US Department of Justice and Interpol had seized the site.
While the domains were soon back up and running, speculation abounded about the real story behind the seizure notification and the site’s long-term future. And the tale didn’t end there. In January 2021, the Joker’s Stash administrators announced that the site would close permanently on 15 Feb 2021. The impending closure has been met with mixed reactions from users on cybercriminal forums, with many forum comments looking to the future of carding-related sales. It’s made us think about what could be next for the already-ailing system of carding AVCs and whether the demise of Joker’s Stash will be the straw that breaks the camel’s back and kicks off a large-scale rejection of AVC technology in favour of other platforms.
Joker’s Stash has been a feature of the carding landscape since October 2014. It rose to prominence offering regular replenishments of payment card details, often sensationalizing stock updates by giving them exciting names like “AVALANCHE” or “MASSIVEATTACK”. The administrator of the site maintained dedicated threads on a number of carding-related cybercriminal forums to announce fresh dumps and address customers’ questions and complaints.
For security and stability reasons, the Joker’s Stash website was mirrored on multiple Tor URLs, and in July 2017, the team behind the site also created several Blockchain DNS versions, including .bazar, .lib, .emc, and .coin. Blockchain DNS, a decentralized system for top-level domains, offers site operators significant security advantages over normal URLs, including bulletproof-hosted platforms and obscured malicious activity.
On 16 Dec 2020, notifications appeared on several of the Joker’s Stash’s Blockchain DNS versions announcing that the US Department of Justice and Interpol had seized the site. Following initial panic on cybercriminal forums that the entire site had fallen, Joker’s Stash’s official forum representative reported that only the .bazar domain’s external proxy server had been “busted.” The representative said that this server did not contain any “shop data”, adding that within “a few days” all Blockchain versions of the site would be transitioned to new servers. They encouraged their customers to use the apparently unaffected Tor versions of the site in the meantime.
Several weeks later, it’s still unclear what exactly happened with this alleged seizure. By January 2021, all versions of the site were back up and running as promised and the Joker’s Stash dedicated forum threads were again being regularly updated with fresh stock announcements.
It’s not uncommon for events like this to remain a mystery. When the prominent English-language hacking forum KickAss went offline in 2019, the site briefly displayed a seizure notice but to this day, law enforcement involvement has never been confirmed. In December 2020, KickAss announced its comeback, attributing the site’s closure to a deliberate decision intended to avoid the increasing scrutiny generated by the activities of one of its members, the extortionist threat actor “TheDarkOverlord”. Yet we’ll likely never know how much truth there is to this version of events.
On 15 Jan 2021, the administrator of Joker’s Stash posted in their dedicated forum threads to announce that the platform would be closing entirely on 15 Feb 2021 so that its creator could embark upon a “well-deserved retirement”. The 30 days between the announcement and closure dates are intended to provide users with a chance to spend their remaining account balances, after which all the servers and back-ups will be wiped and Joker’s Stash will “fade to dark, forever”. The shut-down announcement stressed that “WE WILL NEVER EVER OPEN AGAIN” and warned “Do NOT trust possible future imposters”.
In a rare moment of sentimentality for the cybercriminal world, the closure announcement ended with advice for threat actors not to “lose themselves in the pursuit of easy money”, advising them to remember that “even all the money in the world will never make you happy and that all the most truly valuable things in this life are free”.
The immediate reaction to the closure announcement on cybercriminal forums was mixed. On the carding-focused Russian-language cybercriminal forum Club2CRD, many users expressed dismay at the news and thanked Joker’s Stash for its years of service.
Typical comments included:
Similarly, on the English-language community forum Dread, a user lamented, “Humanity is still alive and here is one more graceful closure. Hats off to Joker Stash store”.
Conversely, a high proportion of comments from forum users suggested that the loss of Joker’s Stash was not so great, saying that the store had never provided high-quality goods. One Club2CRD user posted: “Bah not much to cry for, never was the best shop for me always hassle and low valid low replace and high prices”. In recent months, Digital Shadows (now ReliaQuest) has observed increasingly frequent comments on cybercriminal forums complaining about the worsening quality of material hosted on Joker’s Stash. The dedicated Joker’s Stash threads have often been filled by users’ complaints about poor quality material or demands for refunds.
In April 2020, for example, one user on Dread asked whether Joker’s Stash was “really as high quality as it is advertised as”, receiving the response “Nope. The best site nowadays is pois0n dot ru and savastan0 dot biz/store”. In a discussion on the English-language cybercriminal forum RaidForums pegged to the Joker’s Stash closure announcement, a user opined that the service would be unlikely to reopen in the future, adding “there’s [sic] already functional alternatives with way more rep than what their new site would have / get”.
AVCs are a popular option due to their ease of use and the mass supply of credit card data. In just a few clicks, a threat actor intent on conducting financial fraud can register on a carding AVC, select their victim bank, and choose accounts to purchase. Even when AVCs require users to deposit funds into the site before they can search listings (as Joker’s Stash did), this doesn’t complicate the process significantly. Vendors, often called “affiliates”, directly source payment card information and supply this data to AVCs, receiving a cut of the profits in return.
While Joker’s Stash was arguably one of the most popular carding AVCs, it was operating in a crowded market. The below screenshot shows just a selection of the dedicated threads operated by carding AVCs on Club2CRD.
Users simply wishing to transition from one shop to another just need to select one of the many available alternatives. This will likely prove to be a popular option. Just two days after the Joker’s Stash closure announcement, a user on the prominent Russian-language cybercriminal forum XSS asked for recommendations for carding stores, providing the names of several sites they were already aware of, such as Ferum and UniCC. Their thread received multiple responses from users suggesting other options.
Dread members searching for AVC alternatives also had a wealth of recommendations to draw on, with several months’ worth of discussions about available stores. In recent weeks, Dread users have recommended carding sites such as VClub and BriansClub and discussed options like 2force, C2bit, and Central Shop.
Despite the many cybercriminals who have reacted to the loss of Joker’s Stash by seeking or suggesting other AVCs, there is a growing movement away from this technology altogether. It is very common these days to see threat actors complaining about the poor quality of carding AVCs. Moreover, many carding AVCs in addition to Joker’s Stash have closed their doors in recent times. One post on Club2CRD lamented: “RIP JokerStash, RIP Stiff.academy, RIP ccclinique, RIP binmarket, RIP rescator”. While these closures have in no way diminished availability (new carding AVCs have sprung up in response to shutdowns), they do perhaps indicate that all is not well for this type of technology.
As we wrote in our whitepaper, The Modern Cybercriminal Forum: An Enduring Model, AVCs do have innate disadvantages over alternative platforms.
While using AVCs to efficiently trade credit card details has been the norm for a number of years, for many months now the carding community has been split over the merits of the different options for purchasing stolen payment card details. As far back as October 2019, in a thread on the Russian-language carding forum Omerta, one user advised, “better use a private vendor… all the rest is trash even [sic] joker”, referring to the Joker’s Stash AVC. Others have advised turning to forums to find high-quality material. In the aforementioned XSS thread, a user recommended using a private seller if buying in volume. This view was also to be found on Dread, where one member stated that carding sites are “scams” and that buyers should look for privately skimmed cards.
A retirement announcement does not necessarily signal the end of a threat actor’s activity on the dark web. For instance, the operators of the now-defunct “GandCrab” ransomware announced their retirement in May 2019, but similarities between that variant and the “Sodinokibi” variant have led many to believe that the two are connected; some researchers have suggested that the operators of GandCrab were involved in the development of Sodinokibi. In another incident, the former administrator of the Russian-language cybercriminal forum Exploit announced their retirement from the site due to health reasons in 2018 but subsequently purchased a back-up of the defunct forum DamageLab and transformed it into the currently active forum XSS. So we may yet see the return of Joker’s Stash, despite their protestations.
With the demise of Joker’s Stash, carding appears to be at a juncture of sorts. Cybercriminals have a wealth of options at their fingertips, including other AVCs, cybercriminal forums, or even dark web marketplaces. In the past we’ve seen markets such as Empire offering their own carding facilities in an attempt to try and capture a segment of the market. Messaging platforms such as Telegram and Discord might also become a more popular element in the carding game, providing a way other than forums to locate private sellers. Vendors may opt for a private channel or server on which they can advertise their cards directly to their audience and avoid paying middle-men to do so. However, transacting via such platforms is not always simple or convenient. For those who prize ease-of-use, security on cybercriminal forums is continuously improving, meaning that buying carding details on these sites is becoming both safer and more seamless. And on the AVC front, if the popularity of this technology for carding decreases, we may perhaps see increasing uptake for selling other types of goods and services. Genesis Market, for example, uses an AVC model to facilitate sales in credentials and botnet logs. So even if carders move on to pastures new, we may not be waving goodbye to AVCs just yet…
Digital Shadows (now ReliaQuest) will continue to watch developments in the carding landscape closely, looking for any indications as to which way the wind might be blowing. The Digital Shadows (now ReliaQuest) SearchLight service (now ReliaQuest’s GreyMatter Digital Risk Protection) features a constantly updated threat intelligence library that provides insight on this and other cybercriminal-related trends that might impact your organization, allowing security teams to stay ahead of the game. If you’d like to access the library for yourself, you can sign up for a free seven-day test drive of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection).