Card Not Present Fraud, Cybercrime, Cybercrime as-a-service
Researchers: Notorious Underground Marketplace Will ‘Retire’ in February

Joker’s Stash, the notorious underground marketplace that has specialized in the sale of stolen payment card data, is reportedly shutting down in February, with its administrator claiming plans to “retire” at that time, according to researchers with Gemini Advisors, which tracks stolen payment card data.
In a report released Friday, Gemini notes that the administrator of the darknet site, who also goes by the name “JokerStash,” plans to close down the marketplace on Feb. 15. The message was posted to both Joker’s Stash and several other underground forums.
The news that Joker’s Stash will cease its operations comes a few weeks after published reports claimed that the FBI and Interpol briefly seized the blockchain domains used by the site, although the administrator appears to have regained control shortly after the incident.
And while the Joker’s Stash administrator claims that the site will retire, the Gemini report finds that the marketplace’s activity over the past six months has noticeably declined and that “buyers” who used the site had started to complain about the quality of the payment card data posted for sale.
“While this marketplace was the largest in the carding space, it also exhibited a severe decline in the volume of compromised Card Not Present (CNP) and Card Present (CP) records posted over the past six months,” the Gemini researchers report. “Most other top-tier carding marketplaces actually increased their posted data (largely CNP data, while CP data declined during COVID-19 lockdowns) during this time.”

While Joker’s Stash remains one of the most well-known underground carding sites, Christopher J.S. Thomas, an intelligence product analyst with Gemini, notes that the market for stolen payment card data is expected to move quickly to other darknet marketplaces.
“It is very likely that the cybercriminals who buy and sell stolen payment cards on Joker’s Stash will find new marketplaces,” Thomas says. “The underground payment card economy is subject to the same basic market forces as other industries, and with cybercriminal vendors still generating a supply of stolen cards and buyers still generating demand for them, new or existing marketplaces will very likely facilitate their exchanges for a profit.”
Joker’s Stash
Joker’s Stash remains one of the oldest underground marketplaces for stolen card data, having been established in 2014. And while the Gemini report notes that its activity declined since mid-2020, the site still published 40 million records over the past year, according to the report.
Over the past six years, Gemini calculates that the Joker’s Stash site has generated some $1 billion in revenue.
The most recent payment card collection posted on the site in October, called “BlazingSun,” included 3 million credit cards that are likely related to a breach of the Dickey’s Barbecue Pit chain of franchised restaurants (see: For Sale: 3 Million Cards Used at Dickey’s Barbeque Pit).
Joker’s Stash had also posted payment card data from a breach at convenience store chain Wawa, as well as stolen data from cards issued by banks in the U.S., South Korea and a few EU countries (see: Joker’s Stash Sells Fresh US, South Korean Payment Cards).

Despite the marketplace’s success over the years, Austin Merritt, a cyber threat intelligence analyst at Digital Shadows, also notes that the quality of payment cards posted on the site declined recently and the joint FBI and Interpol operation seems to have affected its reputation.
“The announcement has been met with mixed reviews on the cybercriminal forum Club2CRD where the site administrator has been providing daily updates for Joker’s Stash,” Merritt says. “The overwhelming sentiment from users is disappointment; however, forum users are already discussing they know of other carding sites that can be used in Joker’s Stash absence. If Joker’s Stash does officially shut down, the site’s users will likely disperse to other underground carding sites to advertise, purchase, and sell stolen credit cards. The authenticity of the announcement can likely be verified in the coming weeks if the servers are actually taken offline.”
Thomas says he does believe the announcement that the site will shut down in February, but notes that the reason for this is likely never to be fully known. The Gemini report does note that the recent spike in the price of bitcoin – the virtual currency was trading at about $37,000 as of late Friday – could mean the site’s administrator had enough money to walk away from Joker’s Stash.
Joker’s Stash was one of the first underground sites to heavily promote bitcoin as an alternative payment method, according to Gemini.
Other ‘Retirements’
Other cybercriminal organizations have also announced “retirements” only to re-emerge in other parts of the darknet. In November, for example, researchers found that the Maze ransomware gang announced that it would retire its operations.
Not long after that announcement, researchers found a new ransomware strain called Egregor that many believe is the successor to Maze and is likely a continuation of the cybercriminal gang’s operations under a new name (see: FBI Issues Alert on Growing Egregor Ransomware Threat).
Managing Editor Scott Ferguson contributed to this report.







