Dark Net Markets Going Out of Business: Where are Users Headed to Next?
Victoria Kivilevich, Threat Intelligence Analyst and Sharon Bitton, Marketing Manager
Going out of business is a popular phenomenon with online marketplaces both in the Dark Net and surface web. Dark Net marketplaces continually shut down for a number of reasons, causing those markets’ users to actively search for alternative spots to trade goods and services. In light of the major announcement of Joker’s Stash shutting down on February 15th, 2021, we’ve dived into the cybercrime underground to understand more about the closures of Dark Net marketplaces and where market’s users migrate to.
The research’s main highlights include:
- KELA identified four main marketplaces that are trying to steal Joker’s Stash’s users following the market’s closure. According to advertisements and users’ reactions, we may see users shifting activities to Brian’s Club, Vclub, Yale Lodge, and UniCC.
- KELA observes cybercriminals acting just as regular businessmen and marketers, trying to take advantage of their competitors’ terminations in order to advertise their services and steal their competitors’ users.
- KELA reveals an evident trend of market administrators offering free vendor bonds to try and lure new sellers to come to their marketplaces following a competitor’s market closure.
- KELA highlights the significance of monitoring threat actors and their TTPs so that enterprise defenders can assess actors’ credibilities, predict actors’ next steps, and protect their organizations from cyber threats.
The Hunt for New Markets to Trade Compromised Credit Cards
Recent cybercrime events have shown that Covid-19 has taken a toll even on Dark Net cybercriminals. Towards the end of 2020, Joker’s Stash – the largest Dark Net credit card marketplace – embarked on its termination. Following a year where the market’s admin caught the Coronavirus and some of the market’s servers were seized by authorities, it’s only natural that the admin may have realized that it may be time to retire. Like millions of individuals around the world, the pandemic put a pause to the admin’s day-to-day activities, causing him to announce his unavailability for some time while he took some personal leave to recover.
Announcement by the Joker’s Stash admin, where he shares that he was infected with COVID-19, forcing him to pause work on the marketplace in order to focus on his recovery. In hindsight, this announcement seems to be the beginning to the end of Joker’s Stash.
Joker’s Stash has become a bustling one-stop-shop for cybercriminals looking to trade compromised credit cards. Cybercriminals, thirsty for money, turn right to this infamous market for all of their credit card trading needs. That is, until February 15th, 2021. A month prior, the market’s administrator announced that they will officially be closing in 30 days, without much explanation as to why.
The official announcement posted by Joker’s Stash announcing the closure of the market by February 15, 2021.
By reviewing some recent events related to this market, we assume that the closing is likely a combination of several things:
- Simply, the admin has decided to retire after some good years of business – and what a better time than after he fell sick to COVID-19 and may not be ready to go back to work at full force.
- The market’s operations could have been affected when the US Federal Bureau of Investigation and Interpol have temporarily seized a small number of servers used by Joker’s Stash. The hunt and growing dangers by authorities may have influenced the decision by the market’s admin to close.
- The downtime due to the admin’s sickness could have slowed operations and affected him from picking activities back up.
- Joker’s Stash may have experienced potential reputational damage from multiple downtimes that occurred on the market, including the recent seizures of several of their servers by authorities.
Regardless of the reasons behind the closure, the market’s regular users have raised concerns of where to go next. Naturally, other credit card marketplaces leveraged this opportunity to push their businesses forward and lure the Joker’s Stash users towards them. This behavior is not novel though. We’ve seen similar activities by marketplace admins in the past when markets like Dark Market and Empire have shut down.
We’ve explored some popular underground forums to see where Joker’s Stash’s sellers and buyers may be headed to next. Throughout the analysis, we’ve observed that though the carding landscape is very active among cybercriminals, it seems that several marketplaces may be seeing more traffic due to Joker’s Stash’s closure.
With the heavy marketing and advertising that Brian’s Club has been investing in, it seems that the longtime attempts of marketing to credit card traders may be finally paying off now that Joker’s Stash is out of the picture. Brian’s Club has been immodestly trying to steal the thunder by publishing an advertisement on the main page of XSS, soon after the announcement by Joker’s Stash.
Brian’s Club purchased advertising space on the main page of XSS, a well-known underground forum where Joker’s Stash members have discussed where they will move to next.
Clearly, cybercriminals have learned how to best use marketing tactics at a time of opportunity. Not only did Brian’s Club publish ads on the main pages of XSS, but they also put down some money to become the official sponsor of Omerta – a popular underground forum focusing on credit card trading – a position that was held by Joker’s Stash only a year ago.
Brian’s Club has decided to become the official sponsor of the Omerta carding forum.
And as Brian’s Club’s marketers are doing their jobs, the underground actors seem to agree that this marketplace will be the new hub for trading compromised credit cards, especially since it appears to be the largest market for compromised credit cards in terms of volume of cards and dumps offered for sale. To date, we’ve found that there are nearly 5 millions of credit card details available for sale on Brian’s Club. Buyers should deposit at least 1 USD to activate their account. Moreover, the shop has a referral system: “For each invited user you will get percentage of his deposit” – meaning users will get 10-15% from the first deposit of the person they invited to Brian’s Club.
Forum members on XSS are sharing that Brian’s Club will be the next go-to for trading compromised credit cards: “Someone will need to fill the empty space. Brian’s Club, it’s your turn!”
But Brian’s Club has not been the only carding marketplace to try and take advantage of the Joker’s Stash closure. Vclub, another carding marketplace, has also been seen trying to push their name in the carding world by advertising their market for users looking for Joker’s Stash replacements. Registration fee is 25 USD with which they instantly gain access to about 100,000 compromised credit cards and hundreds of thousands of dumps.
A post by the official user for Vclub on a well-known underground forum, where they attempt to promote themselves to Joker’s Stash’s users.
Members on a popular underground forum have claimed that Vclub does not reach the levels of service and quality that was available in Joker’s Stash. For example, a member complains that despite the fact that he purchased one of the priciest cards for sale on the forum, the card’s spend limit was 150 USD. Buyers complained that the quality of cards sold on Vclub aren’t as good as they are on Joker’s Stash, however others still think that Vclub is one of the good possible alternatives to Joker’s Stash.
Users complaining about the quality of Vclub’s cards.
Users clashing in the thread of Vclub if Joker’s Stash vendors should be allowed to trade there or not.
Additionally, we may see some of Joker’s Stash’s users migrating to Yale Lodge. Some former Joker’s Stash users have been seen actively inquiring on how to register on Yale Lodge, as they look for new marketplaces to profit from. However, one red flag for Yale Lodge here is the registration fee that they demand – 150 USD for registration and a minimum deposit of 200 USD – a demand that is significantly higher than other similar shops such as Joker’s Stash that required a 20 USD deposit.
Last, UniCC also seems to be a promising candidate to replace Joker’s Stash with almost 300,000 new credit card details being added every week (based on their updates from February 3-9, 2021). At UniCC, users are able to explore these details with a 100 USD deposit requirement in order to activate the account.
Overall, the carding landscape is much bigger than the several markets we mentioned in this post. Moreover, cybercriminals buy cards and dumps not only in specialized shops but also on forums, via instant messaging channels, and behind closed doors in private deals. To reach true success in the carding niche, newly emerging markets need to focus on the constant influx of vendors and buyers – something that the above-mentioned markets have been actively attempting to do with their heavy advertising campaigns.
The History of Market Closures and User Migration
Dark Market took great advantage of its predecessors by using tactics of “free offerings” for users coming from similar and recently shut down markets. Dark Market, reportedly the world’s largest Dark Net marketplace, grasped attention of many cybercriminals when they used the closure of Bitbazaar and Nightmare Market to attract more users to their market. Dark Market’s administrators published advertisements offering waived vendor bonds for refugees of Bitbazaar and Nightmare Market, meaning that new vendors coming from those formerly closed sites could open a free vendor account on Dark Market by simply applying and passing the market’s requirements.
But soon after Dark Market’s shutdown by law enforcement in January 2021, we found other markets using the same tactic of free vendor bonds being used against them. Dark0de 2.0, which is said to be online from May 2020 (allegedly being a reborn of the infamous market, Dark0de), now offers “Free (Premium) Vendor Bonds for Dark Market Refugees,” which is valued at 200 USD for new entry level vendors. Other markets adopted this ‘free vendor bond’ tactic en masse: Raw Market, ViceCity, Liberty, Televend – to name just a few.
Yellow Brick Market
Yellow Brick Market, another Dark Net market known for going on and offline multiple times without any explanation whatsoever, seems to have officially gone offline once again in the end of 2020. To no surprise, here as well alternative markets have been using this event to promote their markets. Dark0de 2.0 took the spotlight again here, offering again free vendor bonds and some further benefits as well.
Incognito Market was seen using the closure of both Yellow Brick Market and Dark Market to advertise to established vendors on both of those now-closed markets. Incognito’s administrators shared that they will offer any established vendors who have good track records on pre-existing markets – such as Dark Market or Yellow Brick Market – to have their bond fully waived and, depending on their reputation, may be automatically gifted full “finalize early” (FE) privileges, allowing them to bypass the escrow holding period during a purchase. The admins also shared that established vendors who don’t have the longevity to be eligible for the automatic full FE privileges but still have a good reputation can also pay for the €1500 FE Bond.
Similar trends were also observed when the famous Empire Market left the underground ecosystem in an apparent exit scam. Icarus Market took on from other famous market admins and also decided to use this opportunity to invite any former Empire vendors to become vendors on their market by offering them free vendor bonds as well.
Following the Cybercriminals’ Tracks
The examples listed above are just a few of the many instances where cybercriminals are observed acting just as regular marketers looking to improve their profits and market traffic. What is evident is that these markets’ admins show a trend of offering free vendor bonds to try and lure new sellers to come to their marketplaces following their competitor’s closure.
Cybercriminals will constantly be shifting operations to new markets and innovating their monetization methods in line with Dark Net changes. It’s therefore crucial that enterprise defenders constantly follow these trends to ensure that they understand threat actors and their TTPs, allowing them to continually be a few steps ahead of cybercriminals. Now that Joker’s Stash has officially been closed, we can presume that most activity will turn to Brian’s Club, Vclub, Yale Lodge, and UniCC. By observing chatter between cybercriminals across these markets and other forums and instant messaging groups, fraud teams can learn tremendously about what cybercriminals may be planning to do next, essentially helping them avoid severe financial losses due to fraudulent activities.