FBI & Interpol Disrupt Joker's Stash, The Internet's Largest Carding Marketplace

Officials from the US Federal Bureau of Investigation and Interpol have seized a small number of servers used by Joker's Stash, the internet's largest marketplace for buying & selling stolen cards, temporarily disrupting the site's activity.

In an email this week, Interpol described the server seizures as an ongoing "coordinated police operational activity" but declined to elaborate further.

Seizure banners appeared on four Joker's Stash sites, at jstash.bazar, jstash.lib, jstash.emc, and jstash.coin.

These are websites that use top-level domains (TLDs) managed by Emercoin, a blockchain company. Records for these domains are stored inside a blockchain and cannot be transferred to anyone else without the domain owner's cryptographic signature.

In a message posted on an underground forum brought to ZDNet's attention by Irina Nesterovsky, Chief Research Officer at threat intel firm KELA, one of the Joker Stash administrators confirmed the disruptions but said that law enforcement only seized the servers hosting the four domains, which only acted as proxies, redirecting users to the actual Joker's Stash portal.

The Joker's Stash operator said the domains would be restored on new servers "in a few days."

In blog posts this week, both Intel 471 and Digital Shadows described the FBI & Interpol disruption attempt as "temporary."

"The seizure of the .bazar domain likely will not do much to disrupt Joker's Stash, especially since the team behind Joker's Stash maintain several versions of the site and the site's Tor-based links are still working normally," the Digital Shadows team said.

"Notably, JokerStash was one of the original proponents of moving dark web services to Blockchain technology. The actor does not appear to be concerned with law enforcement's actions," Christopher Thomas, Intelligence Production Analyst at Gemini Advisory, told ZDNet in an email yesterday.

The Joker's Stash portal has been operating since October 7, 2014, and often posts packs of stolen payment card details that can be used for both CP (card present) and CNP (card not present) fraudulent transactions.

"In the past 12 months, it has posted over 35 million CP records and over 8 million CNP records," Thomas told ZDNet.

"It is also renowned for advertising major breaches containing millions of records; while many dark web shops keep a low profile and attempt to stay discrete, Joker's Stash enjoys its notoriety and boasts about media coverage.

"In 2020, its major breaches have included BIGBADABOOM-III (which compromised Wawa), NIRVANA (which compromised both Islands Fine Burgers & Drinks and Champagne French Bakery Cafe), and BLAZINGSUN (which compromised Dickey's Barbecue Pit)," Thomas added.

"The shop is estimated to have made hundreds of millions of dollars in illicit profits, although this money also goes to the vendors themselves," the Gemini Advisory researcher told us.