
Joker’s Stash’s Final Deal: A turning point for AVCs?

Photon Research Team
January 28, 2021 | 12 Min Read

Back in December 2020, Digital Shadows reported that the Blockchain DNS domains for the infamous carding automated vending cart (AVC) Joker’s Stash displayed a notification that the US Department of Justice and Interpol had seized the site.

While the domains were soon back up and running, speculation abounded about the real story behind the seizure notification and the site’s long-term future. And the tale didn’t end there. In January 2021, the Joker’s Stash administrators announced that the site would close permanently on 15 Feb 2021. The impending closure has been met with mixed reactions from users on cybercriminal forums, with many forum comments looking to the future of carding-related sales. It’s made us think about what could be next for the already-ailing system of carding AVCs and whether the demise of Joker’s Stash will be the straw that breaks the camel’s back and kicks off a large-scale rejection of AVC technology in favour of other platforms.

What is Joker’s Stash?

Joker’s Stash has been a feature of the carding landscape since October 2014. It rose to prominence offering regular replenishments of payment card details, often sensationalizing stock updates by giving them exciting names like “AVALANCHE” or “MASSIVEATTACK”. The administrator of the site maintained dedicated threads on a number of carding-related cybercriminal forums to announce fresh dumps and address customers’ questions and complaints. 

Figure 1: Joker’s Stash interface

For security and stability reasons, the Joker’s Stash website was mirrored on multiple Tor URLs, and in July 2017, the team behind the site also created several Blockchain DNS versions, including .bazar, .lib, .emc, and .coin. Blockchain DNS, a decentralized system for top-level domains, gives site operators significant security advantages over normal URLs, including bulletproof hosting for their platforms and the ability to obscure malicious activity.

Figure 2: Information about new stock on the Joker’s Stash website

When did warning signs appear for Joker’s Stash?

On 16 Dec 2020, notifications appeared on several of the Joker’s Stash’s Blockchain DNS versions announcing that the US Department of Justice and Interpol had seized the site. Following initial panic on cybercriminal forums that the entire site had fallen, Joker’s Stash’s official forum representative reported that only the .bazar domain’s external proxy server had been “busted.” The representative said that this server did not contain any “shop data”, adding that within “a few days” all Blockchain versions of the site would be transitioned to new servers. They encouraged their customers to use the apparently unaffected Tor versions of the site in the meantime.

Several weeks later, it’s still unclear what exactly happened with this alleged seizure. By January 2021, all versions of the site were back up and running as promised and the Joker’s Stash dedicated forum threads were again being regularly updated with fresh stock announcements. 

It’s not uncommon for events like this to remain a mystery. When the prominent English-language hacking forum KickAss went offline in 2019, the site briefly displayed a seizure notice but to this day, law enforcement involvement has never been confirmed. In December 2020, KickAss announced its comeback, attributing the site’s closure to a deliberate decision intended to avoid the increasing scrutiny generated by the activities of one of its members, the extortionist threat actor “TheDarkOverlord”. Yet we’ll likely never know how much truth there is to this version of events.

Figure 3: KickAss seizure notice and speculation as to its veracity

What was the Joker’s Stash closure announcement?

On 15 Jan 2021, the administrator of Joker’s Stash posted in their dedicated forum threads to announce that the platform would be closing entirely on 15 Feb 2021 so that its creator could embark upon a “well-deserved retirement”. The 30 days between the announcement and closure dates are intended to provide users with a chance to spend their remaining account balances, after which all the servers and back-ups will be wiped and Joker’s Stash will “fade to dark, forever”. The shut-down announcement stressed that “WE WILL NEVER EVER OPEN AGAIN” and warned “Do NOT trust possible future imposters”. 

In a rare moment of sentimentality for the cybercriminal world, the closure announcement ended with advice for threat actors not to “lose themselves in the pursuit of easy money”, advising them to remember that “even all the money in the world will never make you happy and that all the most truly valuable things in this life are free”. 

Figure 4: Announcement of Joker’s Stash’s impending closure

What were the cybercriminal reactions to Joker’s Stash’s closure?

The immediate reaction to the closure announcement on cybercriminal forums was mixed. On the carding-focused Russian-language cybercriminal forum Club2CRD, many users expressed dismay at the news and thanked Joker’s Stash for its years of service.

Figure 5: Typical forum post thanking Joker’s Stash for the services it provided

Typical comments included:

  • “THANK YOU SO MUCH JOKER. YOU GAVE US SO MUCH OPPORTUNITY TO EARN AND GROW”
  • “Seeing this news, I feel sorry for myself and happy for you”
  • “joker dont close please i love you bros you make my life great man dont close please”
  • “If your problems are with feds man you should really come up with a new site. We can’t say goodbye to you”

Similarly, on the English-language community forum Dread, a user lamented, “Humanity is still alive and here is one more graceful closure. Hats off to Joker Stash store”. 

Figure 6: Dread post expressing sadness at Joker’s Stash’s closure

Conversely, a high proportion of comments from forum users suggested that the loss of Joker’s Stash was not so great, saying that the store had never provided high-quality goods. One Club2CRD user posted: “Bah not much to cry for, never was the best shop for me always hassle and low valid low replace and high prices”. In recent months, Digital Shadows has observed increasingly frequent comments on cybercriminal forums complaining about the worsening quality of material hosted on Joker’s Stash. The dedicated Joker’s Stash threads have often been filled by users’ complaints about poor quality material or demands for refunds. 

Figure 7: Typical forum post complaining about the Joker’s Stash service

In April 2020, for example, one user on Dread asked whether Joker’s Stash was “really as high quality as it is advertised as”, receiving the response “Nope. The best site nowadays is pois0n dot ru and savastan0 dot biz/store”. In a discussion on the English-language cybercriminal forum RaidForums pegged to the Joker’s Stash closure announcement, a user opined that the service would be unlikely to reopen in the future, adding “there’s [sic] already functional alternatives with way more rep than what their new site would have / get”.

Why are AVCs a popular option for cybercriminals?

AVCs are a popular option due to their ease of use and the mass supply of credit card data. In just a few clicks, a threat actor intent on conducting financial fraud can register on a carding AVC, select their victim bank, and choose accounts to purchase. Even when AVCs require users to deposit funds into the site before they can search listings (as Joker’s Stash did), this doesn’t complicate the process significantly. Vendors, often called “affiliates”, directly source payment card information and supply this data to AVCs, receiving a cut of the profits in return.

While Joker’s Stash was arguably one of the most popular carding AVCs, it was operating in a crowded market. The below screenshot shows just a selection of the dedicated threads operated by carding AVCs on Club2CRD. 

Figure 8: Dedicated threads operated by carding AVCs on Club2CRD forum

Users simply wishing to transition from one shop to another just need to select one of the many available alternatives. This will likely prove to be a popular option. Just two days after the Joker’s Stash closure announcement, a user on the prominent Russian-language cybercriminal forum XSS asked for recommendations for carding stores, providing the names of several sites they were already aware of, such as Ferum and UniCC. Their thread received multiple responses from users suggesting other options. 

Figure 9: XSS user asking for recommendations for carding stores

Dread members searching for AVC alternatives also had a wealth of recommendations to draw on, with several months’ worth of discussions about available stores. In recent weeks, Dread users have recommended carding sites such as VClub and BriansClub and discussed options like 2force, C2bit, and Central Shop.

Figure 10: Dread users discussing AVC alternatives 2force, c2bit, and Central Shop

What are the downsides of AVCs?

Despite the many cybercriminals who have reacted to the loss of Joker’s Stash by seeking or suggesting other AVCs, there is a growing movement away from this technology altogether. It is very common these days to see threat actors complaining about the poor quality of carding AVCs. Moreover, many carding AVCs in addition to Joker’s Stash have closed their doors in recent times. One post on Club2CRD lamented: “RIP JokerStash, RIP Stiff.academy, RIP ccclinique, RIP binmarket, RIP rescator”. While these closures have in no way diminished the availability of carding AVCs (new ones have sprung up in response to shutdowns), they do perhaps indicate that all is not well for this type of technology.

As we wrote in our whitepaper, The Modern Cybercriminal Forum: An Enduring Model, AVCs do have innate disadvantages over alternative platforms.

  • It can be hard for threat actors to determine the trustworthiness of an AVC and the quality of the material it hosts. Compare this with cybercriminal forums, on which members can use the reputation systems and users’ post histories to help them assess the legitimacy of vendors. 
  • Forums’ arbitration and escrow systems reduce the risk of scams, increasing the chance of a fair deal and introducing consequences for failed transactions. AVCs lack this inbuilt justice system.
  • Running a successful AVC is a delicate operation: if payment card data is not stolen, delivered, and advertised in a timely manner, the details could be void before the buyer has even had a chance to use them. 
  • The requirement to provide a cut of the money earned from sales to the affiliates who supply the stolen card details reduces profits for AVCs. And, from the other perspective, affiliates might earn much less from their crimes if they sell to an AVC rather than just advertising the credit card details directly themselves on a forum or private messaging platform. 

While using AVCs to efficiently trade credit card details has been the norm for a number of years, for many months now the carding community has been split over the merits of the different options for purchasing stolen payment card details. As far back as October 2019, in a thread on the Russian-language carding forum Omerta, one user advised, “better use a private vendor… all the rest is trash even [sic] joker”, referring to the Joker’s Stash AVC. Others have advised turning to forums to find high-quality material. In the aforementioned XSS thread, a user recommended using a private seller if buying in volume. This view was also to be found on Dread, where one member stated that carding sites are “scams” and that buyers should look for privately skimmed cards. 

Figure 11: XSS user recommending using private seller for card information

What is the future for carding and AVCs?

A retirement announcement does not necessarily signal the end of a threat actor’s activity on the dark web. For instance, the operators of the now-defunct “GandCrab” ransomware announced their retirement in May 2019, but similarities between that variant and the “Sodinokibi” variant have led many to believe that the two are connected; some researchers have suggested that the operators of GandCrab were involved in the development of Sodinokibi. In another incident, the former administrator of the Russian-language cybercriminal forum Exploit announced their retirement from the site due to health reasons in 2018 but subsequently purchased a back-up of the defunct forum DamageLab and transformed it into the currently active forum XSS. So we may yet see the return of Joker’s Stash, despite their protestations.

With the demise of Joker’s Stash, carding appears to be at a juncture of sorts. Cybercriminals have a wealth of options at their fingertips, including other AVCs, cybercriminal forums, or even dark web marketplaces. In the past we’ve seen markets such as Empire offering their own carding facilities in an attempt to try and capture a segment of the market. Messaging platforms such as Telegram and Discord might also become a more popular element in the carding game, providing a way other than forums to locate private sellers. Vendors may opt for a private channel or server on which they can advertise their cards directly to their audience and avoid paying middle-men to do so. However, transacting via such platforms is not always simple or convenient. For those who prize ease-of-use, security on cybercriminal forums is continuously improving, meaning that buying carding details on these sites is becoming both safer and more seamless. And on the AVC front, if the popularity of this technology for carding decreases, we may perhaps see increasing uptake for selling other types of goods and services. Genesis Market, for example, uses an AVC model to facilitate sales in credentials and botnet logs. So even if carders move on to pastures new, we may not be waving goodbye to AVCs just yet… 

Digital Shadows will continue to watch developments in the carding landscape closely, looking for any indications as to which way the wind might be blowing. Digital Shadows’ SearchLight service features a constantly-updated threat intelligence library providing insight on this and other cybercriminal-related trends that might impact your organization, allowing security teams to stay ahead of the game. If you’d like to access the library for yourself, you can sign up for a free seven-day test drive of SearchLight.
