Joker’s Stash Seized by the FBI, One More Cyber Gang Shut Down
Table of Contents
- By Dawna M. Roberts
- Published: Dec 24, 2020
- Last Updated: Mar 18, 2022
In a joint effort, the FBI and Interpol took down servers used by Joker’s Stash, a notorious marketplace famous for selling stolen credit card data on the dark web.
What Happened?
On December 17, the FBI and Interpol seized proxy servers (blockchain DNS servers) with extensions of .bazar, .lib, .emc, and .coin. The owners of Joker’s Stash use several domains to commit fraud. A few of these servers link back to Tor (.onion) sites, which are also now down.
According to ThreatPost regarding Joker’s Stash’s response, “The representative went on to state that the server did not contain any ‘shop data,’ and announced they were creating new servers and transitioning the site, meaning all blockchain versions of the site would be ‘back to work in a few days. Finally, the representative confirmed that the Tor versions of the site remained unaffected and encouraged users to leverage them in the meantime.”
However, as of this week, the Tor sites are still down, and the cybercriminals haven’t yet been able to restore them. Unfortunately, although this is a win for the good guys, it won’t stop Joker’s Stash for long.
ThreatPost researchers commented that “Joker’s Stash maintains a presence on several cybercrime forums, and its owners use those forums to remind prospective customers that millions of credit- and debit-card accounts are for sale,” according to the post. “Even following the seizure of the .bazar domain, the official Joker’s Stash representative updated a thread on Club2CRD with a long list of new payment card dumps recently added to the site.”
The Hacker News noted, “Although last week, the affected .bazar version of the site began displaying a note that the U.S. Department of Justice and Interpol had seized the site, Digital Shadows said the four blockchain sites are now showing a “Server Not Found” banner.”
ThreatPost commented, “Another probable cause for these sites’ unavailability is the failure of plugins needed to access the .bazar, .lib, .emc, and .coin domains; installing more than one plugin can also lead to a failure to access the site’s contents.”
Who is Joker’s Stash?
Joker Stash is a conglomerate of hackers who steal credit cards and sell them online on the dark web. This group is credited with leaking payment card data last December for 30 million Americans from the Wawa chain store data breach. They were also the group responsible for leaking 3 million customer payment cards from the Dallas-based smoked-meat franchise Dickey’s Barbecue Pit in October.
How Does DNS Work?
According to The Hacker News, the blockchain culprits use decentralized DNS servers over a peer-to-peer network to remain anonymous. Because it does not use a top-level domain, that cannot be seized, thus why it won’t stop them for long. They can simply point the DNS server to a new IP address.
The use of peer-to-peer DNS networks make these hacker groups undetectable to law enforcement because they are not registered to any one person; they use unique encrypted hashes instead.
What Now?
Although the takedown wasn’t a huge blow, it did show hackers that law enforcement can impact their operations. That might lead them to make security enhancements and implement 2FA and Monero (XMR) to evade detection in the future. However, cybersecurity experts hope that it might damage Joker’s Stash’s credibility a bit and defray business for a while.
Threat assessors know that Joker’s Stash has duplicates of the site, so it won’t really stop their business or put a damper on things for long, but it is something.
ThreatPost concluded with “In the future, additional sites could be the target of takedown operations by law enforcement in an attempt to deter cybercriminals. Unfortunately, when one site or operation is taken down, cybercrime finds a way through other platforms with cybercriminals ready to fill the void.”
