Arguably the biggest cybersecurity event of the year so far was the Russian Federal Security Service (FSB) arresting suspected members of the REvil (aka Sodinokibi) ransomware group on 14 Jan 2022. News of this operation, which reportedly occurred at the request of US authorities, rocked the cybersecurity community and has led to endless debates about the arrests’ implications and likely impact on the cybercriminal ecosystem. While media headlines focused on the REvil operation, though, cybercriminal forum users had started to notice alarming changes in the carding sphere. In this blog, we’ll take a look at the latest law enforcement operations against carding-focused threat actors and explore how cybercriminals reacted to developments plus their predictions for the future.

Four individuals arrested, UniCC meets its end

On 12 Jan 2022, representatives of the long-standing carding platform UniCC posted on several cybercriminal forums to announce the site operators’ retirement (see Figure 1). The statements thanked UniCC’s “loyal partners, clients and colleagues” and warned against creating “conspiracy theories” about the site’s closure. The announcement explained, “we are not young and our health do not allow us to work like this any longer.” UniCC customers would have ten days to spend any funds deposited into the site and vendors would be “paid up to the last cent”. The post ended by cautioning against following “any fakes tied to our comeback.. Another well-known carding platform, Joker’s Stash, broadcast a similar message at the time of its own closure almost one year earlier, declaring that any future reincarnations of the site would be illegitimate as its owners had no plans to return.

 Figure 1: UniCC’s retirement announcement on a Russian-language cybercriminal forum

On 22 Jan 2022, a message appeared on UniCC’s domains declaring that the Russian Internal Affairs Ministry had shut down the site as part of a “special law enforcement operation.” Cybercriminal forum users highlighted that the source code for the seizure notice featured an ominous hidden question: “Which of you is next?” News also broke that, in cooperation with US law enforcement, the FSB had detained four alleged members of the hacking group “The Infraud Organization,” including the group’s organizer Andrey Novak, who was also the UniCC administrator.

Cybercriminal forum users immediately began to wonder what linked the takedown notice on UniCC, the FSB arrests, and the UniCC operators’ retirement announcement just ten days earlier. One user mused, “probably they were sensing something like this, or they were tipped off. but FSB was faster”. Another asked, “So he decided to give up the business, and as soon as he ceased to be needed, he was busted? Or was he taken and [the retirement message] written on his behalf?” A different user guessed that US law enforcement agencies “already had info on these guys” and decided to act once they saw the retirement announcement, explaining that Joker’s Stash “had been missed in the same way”. Other threat actors wasted little time trying to interpret events, and quickly began looking for suggestions for alternative platforms to replace the seized websites. One user complained that they had not been able to find “any good shop besides UNICC and JOKER. But they’re both gone now” (see Figure 2).

Figure 2: Forum user seeks alternative carding platforms

Another six individuals arrested, more carding platforms targeted

A few days later, on 07 Feb 2022, media outlets announced that the Russian Internal Affairs Ministry had arrested six more individuals, citing the same charges linked to selling stolen credit card information that had been leveled at the four individuals detained on 22 Jan 2022. Almost simultaneously, on 07 and 08 Feb 2022, the domains for several carding platforms displayed the same seizure notice seen on UniCC’s URLs: announcing that the Russian Internal Affairs Ministry had shut down the site as part of a “special law enforcement operation” (see Figure 3). Affected platforms included long-time mainstays of the carding scene, such as Trump’s Dumps, Ferum, and Sky-Fraud, as well as the RDP shop UAS. Cybercriminal forum members again wondered how this latest round of arrests linked to the carding sites’ seizures. Some users observed that one of the arrested individuals, Artem Zaytsev, headed up “Get-Net,” the domain registrar for the four sites. 

Figure 3: Seizure notice on Trump’s Dumps

Reaction to the developments on cybercriminal forums was mixed. Many forum users characterized the series of arrests as catastrophic. A carding forum user described the developments as the “most scary moment in the carding history.” They continued that they had “never seen this before,” and said the current situation represented a “nightmare for people involved in this business” (see Figure 4). A different threat actor agreed, posting, “at this tempo there won’t be a Russian darknet by the end of the year.” They quipped, “what will Krebs write about?”, referring to the information security researcher Brian Krebs. 

Others explored more nuanced aspects of the developments. A user on a prominent Russian-language forum connected the incidents with the hacks of the forums Mazafaka and Verified, which took place in 2021, suggesting that login credentials from these hacked sites were used to target other platforms. A different user associated the law enforcement operations with cybercriminal forums’ former tolerance of ransomware, commenting: “You know who to thank for this […] if in 2020 we started speaking out against lockers here, the crowd would have been downvoted.” Still another mused, “Joker knew something when they closed their shop a year ago,” referring to the February 2021 closure of the Joker’s Stash carding platform.

Figure 4: Cybercriminal forum user comments on the significance of the law enforcement operations

The future of carding

Some threat actors looked to the future and wondered how the next few weeks and months would pan out. A carding forum user predicted that “some partial restore will happen in some days or weeks” because some of the seized carding shops “were also reselling direct suppliers.” They explained that “these suppliers are safe and they will have to supply stuff to keep their wallets warm.” Another user guessed that carding would “move to Telegram.” Others highlighted the increased importance of operational security, with one commenting ominously, “Hard times have come. Take care of yourself and remember your safety” (see Figure 5). A well-respected member of another long-standing carding forum agreed, warning, “EVERYTHING has changed, go on vacation!”

The atmosphere of uncertainty and distrust dominating cybercriminal forums is causing threat actors to assume the worst when previously-stable sites become inaccessible – a trend that is likely to continue throughout 2022. For instance, in the wake of the 07/08 Feb 2022 seizure notices on carding sites, forum users raised the alarm when the domains for the credit card platform Brian’s Club became inaccessible. A few days later, the service’s administrator announced, “My dear fellow crooks! Brian’s Club has been relocating for the past few days and now the servers are prepared for a launch starting next week. Thanks for your understanding and I appreciate your patience!”. At the time of writing, though, the domains are still not functional.

We saw a similar story with the carding site All World Cards, with forum users initiating panicked posts on cybercriminal forums to report a message left on the All World Cards platform on 09 Feb 2022 that read, “Due to recent events, we are going on vacation for 2 weeks. Bases from sellers will be automatically added to the shop. The ticket system is temporarily unavailable. Thank you for understanding! We’ll be back soon, so don’t worry! And remember, if our store is down, then we are under DDoS attack. We will make the next payments to sellers on February 20.” At the time of writing, All World Cards is still not accessible, and forum users have reported that the site had disabled the refund option for all cards.

Figure 5: Cybercriminal forum users warns other members to “remember your safety”

The carders’ dilemma

In these unstable times, carders are left in a tricky position. As we’ve seen with All World Cards and Brian’s Club, existing sites that appear to have survived the takedown will probably be viewed with suspicion every time they encounter problems. Users may begin to abandon sites whose security they cannot trust. Yet there are fears that any new sites that spring up to replace the ousted platforms could be law enforcement honey pots designed to steal users’ information and provide intelligence for law enforcement. As one threat actor put it, if there are no reliable carding platforms, “there are no cards = no work = no money.” Predictions of a mass move to Telegram are complicated by many threat actors’ inherent distrust of the platform and fears over its lack of security. One user speculated that carders will simply “stop working for some time” due to the arrests and takedowns.

There’s also more to the story than these latest developments. Here at Digital Shadows (now ReliaQuest), we’ve observed threat actors complaining for many months now that the quality of credit card details for sale on criminal platforms has been decreasing — including on some of the seized sites. In response to the latest developments, one carder on a prominent cybercriminal forum complained, “It was obvious that [carding] did not have long left. They explained, “the risk-cost-reward ratio was simply unrealistic”, due to “the validity of the cards and tightening the screws”. Another user opined that carding has been “dead since 2018”. Viewed in this light, these law enforcement takedowns could just represent another blow to a carding community that has been struggling for some time. Yet the carding scene has been battling on, so it seems unlikely that cybercriminals will do as some forum users joked, and go to work in the “factories.” We saw one threat actor commenting that although now would be a “great time” if “someone has long wanted to retire,” the carding world would “be ok for the rest of the hard workers.”

Digital Shadows (now ReliaQuest) will continue to watch developments in the carding landscape closely, looking for any indications as to which way the wind might be blowing and where the newest threat will originate from. Digital Shadows (now ReliaQuest)’ SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) service features a constantly-updated threat intelligence library providing insight on this and other cybercriminal-related trends that might impact your organization and allow security teams to stay ahead of the game.  If you’d like to access the library for yourself, you can sign up for a free seven-day test drive of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here.