What happened to Joker’s Stash?

In a very recent event, the Blockchain domains of Joker’s Stash, an automated vending cart (AVC) known for the sale of payment card details, allegedly displayed a notification that the US Department of Justice and Interpol seized the site. 

The team behind Joker’s Stash maintains several versions of the site, with Blockchain domains including .bazar, .lib, .emc, and .coin, as well as two Tor (.onion) versions of the platform. Early chatter on the Russian-language cybercriminal forum XSS initially suggested that the entire site had been seized and expressed concern at this development. 

However, later comments clarified that only the .bazar domain was unavailable. In response to the notification, the official Joker’s Stash representative, “JokerStash”, created a post within a dedicated thread on the Russian-language carding forum Club2CRD to report that the .bazar domain’s external proxy server had been “busted.” The representative went on to state that the server did not contain any “shop data,” and announced they were creating new servers and transitioning the site, meaning all Blockchain versions of the site would be “back to work in a few days.” Finally, the representative confirmed that the Tor versions of the site remained unaffected and encouraged users to leverage them in the meantime.

Figure 1: Reported Joker’s Stash seizure on XSS

The “JokerStash” account on Club2CRD is considered to be an official representative of the site’s administration team; one of many such accounts across a number of prestigious cybercriminal forums. The thread JokerStash posted in has been active since March 2017 and has repeatedly been used for credible communications about the site’s status. Digital Shadows (now ReliaQuest) successfully accessed the Tor versions of the site and verified that they are still operational for now. 

Figure 2: JokerStash’s post on Club2CRD

What is Blockchain DNS?

Blockchain DNS technology is a decentralized system for top-level domains, and it brings significant advantages to the operators of criminal sites: think bulletproof-hosted platforms and obscured malicious activity. It’s also much harder for security services to target blockchain DNS sites because they’re not regulated by a central authority in the way conventional DNS sites are. You can read more on how cybercriminals use blockchain DNS here. Typically, blockchain DNS sites are accessed via Chrome, with a browser extension that enables access to sites with certain URL suffixes. In July 2017, Joker’s Stash began using blockchain DNS alongside its established Tor domain. Users wanting to access the .bazar version of the site needed to install a blockchain DNS browser extension or add-on.

Figure 3: Joker’s Stash .bazar domain

AVCs and other sites used to trade stolen account information have been experimenting with peer-to-peer DNS technology in order to hide malicious activity, and crucially bullet-proof their platforms. As blockchain domains do not have a central authority and registrations contain unique encrypted hashes rather than an individual’s name and address, it is harder for law enforcement to perform site takedowns (or so we thought).
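Because blockchain DNS suffixes such as .bazar, .lib, .emc and .coin are not served by conventional resolvers, a query for one of them in an organisation’s DNS logs is itself a signal: it usually means a host has a blockchain DNS browser extension or another alternative resolver configured. The following Python script is an added example, not code from the original post or from Digital Shadows; it scans constructed resolver log lines for those suffixes (and for .onion names leaking into DNS) and tallies the querying clients. The log format, the sample lines, and the suffix list are assumptions built from the TLDs named above; extend them to match your own environment.

```python
"""Flag DNS queries for blockchain-DNS and Tor suffixes in a resolver query log.

Added example (not from the original post). Conventional resolvers cannot
answer queries for the suffixes below, so the query itself is the indicator
worth alerting on. The suffix list is an assumption derived from the TLDs the
post names; adjust it for your environment.
"""
import re
from collections import Counter

# Suffixes used by the Joker's Stash mirrors named in the post (assumption:
# every name under them is treated as out-of-policy).
BLOCKCHAIN_TLDS = {"bazar", "lib", "emc", "coin"}
# A .onion name in resolver logs means a Tor lookup leaked to the corporate DNS.
TOR_TLDS = {"onion"}

# Constructed log format: ISO timestamp, client IP, queried name, record type.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+query=(?P<name>\S+)\s+type=(?P<qtype>\w+)$"
)


def normalize(name):
    """Lower-case a queried name and drop any trailing root dot."""
    return name.rstrip(".").lower()


def classify(name):
    """Return 'blockchain', 'tor' or None based on the final label only."""
    tld = normalize(name).split(".")[-1]
    if tld in BLOCKCHAIN_TLDS:
        return "blockchain"
    if tld in TOR_TLDS:
        return "tor"
    return None


def find_suspicious_queries(lines):
    """Parse log lines; return (timestamp, client, name, category) for each hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        category = classify(m.group("name"))
        if category:
            hits.append((m.group("ts"), m.group("client"), normalize(m.group("name")), category))
    return hits


def clients_by_hits(hits):
    """Count flagged queries per client so noisy hosts surface first."""
    return Counter(client for _, client, _, _ in hits)


# Constructed sample lines; the names are placeholders, not real mirrors.
SAMPLE_LOG = [
    "2021-01-18T09:01:02Z client=10.0.0.5 query=www.example.com type=A",
    "2021-01-18T09:01:07Z client=10.0.0.5 query=shop.example.bazar type=A",
    "2021-01-18T09:01:09Z client=10.0.0.5 query=shop.example.bazar type=AAAA",
    "2021-01-18T09:02:10Z client=10.0.0.8 query=mirror.example.coin. type=A",
    "2021-01-18T09:03:44Z client=10.0.0.9 query=abcdefghijklmnop.onion type=A",
    "2021-01-18T09:04:00Z client=10.0.0.5 query=library.example.org type=A",
    "this line is garbage and should be ignored",
]

if __name__ == "__main__":
    hits = find_suspicious_queries(SAMPLE_LOG)
    for ts, client, name, category in hits:
        print(f"{ts} {client} {name} [{category}]")
    print("clients:", dict(clients_by_hits(hits)))
```

Matching is done on the final label only, so a legitimate name such as library.example.org is not caught by the .lib entry; in production you would feed the resolver’s real query log into find_suspicious_queries and route the per-client counts to your alerting.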

What the FUD?

Historically, when cybercriminal forums and marketplaces go offline, users start asking questions. Commonly, marketplace and forum members directly request feedback from administrative team members to confirm the issue at hand. It is likely JokerStash posted their update in the Club2CRD thread to avoid fear, uncertainty, doubt, and rumors being spread among the cybercriminal community as to the reasons behind the site’s inaccessibility and potential user data exposure. 

As of now, Joker’s Stash’s .bazar, .lib, .emc, and .coin domains, i.e. all of those accessible via blockchain DNS, are no longer displaying a law enforcement seizure note. Instead, the sites are simply showing a “Server Not Found” banner. 

Historically, a similar scenario occurred when the KickAss forum was taken offline: Their site briefly showed a seizure notice, but it was never confirmed that law enforcement activity managed to take it down. It’s possible that the forum was simply taken offline by the administrator, and someone else temporarily uploaded the banner to spread fear, uncertainty, and doubt. 

Generally speaking, if the Joker’s Stash takedown was a coordinated law enforcement operation, it’s likely that the law enforcement banner would remain in place to demonstrate that other Blockchain DNS services aren’t untouchable. On the other hand, it’s possible that law enforcement thought they had taken the entire Joker’s Stash service offline, rather than just one component, and quickly removed the banner after finding out that this was not the case. 

While this event is still in the process of unfolding, it will be interesting to see if authorities release a notification to confirm the takedown officially.

What’s next for Joker’s Stash?

The seizure of the .bazar domain likely will not do much to disrupt Joker’s Stash, especially since the team behind Joker’s Stash maintains several versions of the site and the site’s Tor-based links are still working normally. Furthermore, Joker’s Stash maintains a presence on several cybercrime forums, and its owners use those forums to remind prospective customers that millions of credit and debit card accounts are for sale. Even following the seizure of the .bazar domain, the official Joker’s Stash representative updated a thread on Club2CRD with a long list of new payment card dumps recently added to the site. 

Law enforcement disruption may impact Joker’s Stash’s reputation within the cybercriminal community. Still, as the Tor versions of the site are still accessible and with Joker’s Stash’s standing as a credible marketplace, cybercriminals will likely continue to utilize the site.

In the future, additional AVC sites could be the target of takedown operations by law enforcement in an attempt to deter cybercriminals. Unfortunately, when one site or operation is taken down, cybercrime finds a way through other platforms with cybercriminals ready to fill the void.

Resources from Digital Shadows (now ReliaQuest)

If you’d like to read more about cybercriminal forums, you can view our report The Modern Cybercriminal Forum: an enduring model.

If you’re interested in dark web monitoring, Digital Shadows (now ReliaQuest)’ SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) monitors across sources where criminals are active, no matter whether that is on the open, deep, or dark web. This includes continually monitoring and indexing hundreds of millions of dark web pages, pastes, criminal forums, Telegram, IRC, and I2P pages. If you’d like to see your organization’s exposure on the dark web, you can sign up for a test drive of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here.