Carders park stacks of cash at Joker’s Stash – Cancer on Security


A steady stream of card breaches at retailers, restaurants and hotels has inundated underground markets with a historic deluge of stolen debit and credit card information. There are at least hundreds of websites these days selling stolen account information, but only a handful of them are actively vying for bulk buyers and organized crime. Given a buyer’s market, these elite shops stand out for their focus on loyalty programs, high-volume discounts, money-back guarantees, and just plain good customer service.

An ad for new stolen cards at Joker’s Stash.

Today’s post examines the complex network and marketing apparatus behind “Joker’s stash“, A sprawling virtual hub of stolen card data that served as a distribution point for accounts compromised in many of the retail card breaches first uncovered by KrebsOnSecurity in the past two years, including Hilton Hotels and Bebe stores.

Since opening in early October 2014, Joker’s Stash has attracted dozens of customers who have spent five- and six-digit amounts in the carding store. All customers purchase card details that are converted into counterfeit cards and used to fraudulently purchase gift cards, electronics and other goods from large retailers such as. be used aim and Wal-Mart.

Unlike so many carding sites that primarily resell cards stolen from other hackers, Joker’s Stash claims that all of its cards are “exclusive, self-hacked dumps”.

“That means – you can only buy our own things in our shop, and you can only buy our things in our shop – nowhere else,” Joker’s Stash explained in an introductory post in a carding forum in October 2014.

“I just don’t want to mention the victim’s name here, and brother, this is just the beginning[ning]”We’ve already committed several other major violations – there is still a lot of stuff to come, hang on, check out the news!” the Joker continued in response to established forum members berating the new guy. He continued:

“I promise you – in a few days you will completely change your mind and only buy from me. I’m going to add another absolute virgin fresh new zero day DB at a valid rate of 100% + 1. Read the latest news at – this new huge base will only be available at Joker’s Stash in a few days. “

As a company, Joker’s Stash kept its promise. It is now one of the busiest carding shops on the internet, often having hundreds of thousands of freshly stolen cards for sale every week.

A true haven for offshore pirates, its home base is a domain name ending in “.sh”. Point-sch is the country-specific top-level domain (ccTLD) assigned to the tiny volcanic, tropical island St. Helena, but anyone can register a domain with the ending dot-sh. St. Helena is in Greenwich Mean Time (GMT) – the same time zone used by this carding website. However, it is very unlikely that any part of this fraud operation is located in St Helena, a remote British territory in the South Atlantic with a population of just over 4,000.

This scam shop has a built-in discount system for larger orders: 5 percent for customers spending between $ 300 and $ 500; 15 percent discount for scammers spending between $ 1,000 and $ 2,500; and 30 percent discount for customers who top up their Bitcoin balance to the equivalent of $ 10,000 or more.

For its large cash “Affiliate” customers, Joker’s Stash assigns three custom domain names to each affiliate. After these partners sign up, the various 3 word domains will be displayed at the top of their site dashboard and the user is encouraged to only use these three custom domains to access the Carding Shop in the future (see screenshot below ). More about these three domains in a moment.

The dashboard for a Joker's Stash customer who spent over $ 10,000 buying stolen credit cards from the website.

The dashboard for a Joker’s Stash customer who spent over $ 10,000 buying stolen credit cards from the site. Click on the image to enlarge it.


Customers pay for stolen cards with Bitcoin, a virtual currency. All sales are final, although some batches of stolen cards for sale at Joker’s Stash come with a replacement policy – a short window of time, from minutes to a few hours in general – where buyers get replacement cards for anyone that comes back as declined , can request during this exchange period.

Like many other carding shops, Joker’s Stash also offers an a la carte card verification, where customers can take out an insurance policy when purchasing stolen cards. Such verification services typically rely on several legitimate, compromised credit card merchant accounts that can be used to round-robin a small fee for each card the customer wishes to buy to test that the card is still valid is. Customers are automatically credited to their shopping cart balance for all cards purchased that are returned as declined when going through the website’s verification service.

This carding site also uses a unique customer rating system to allegedly prevent abuse of the service and offer what the owners of this store call a “Loyalty Program for Honest Affiliates with Proven Affiliate Records”.

According to Joker’s stash administrators Customers with higher ratings will be notified in advance of new lots of stolen cards that are available for sale, prioritized support requests, and additional time to receive refunds for cards returned as “declined” or closed shortly after purchase from the issuing bank.

To determine a customer’s loyalty score, the system calculates the sum of all customer deposits minus the total refunds requested by the customer.

“So if you deposited $ 10,000 and refunded items for $ 3,000, your rating is 10,000-3,000 = 7,000 = 7k [Gold rating – you are the king]“Explains Joker’s Stash. If so, thanks to their high rating, new bases will become available for your purchase sooner than others. It gives you the ability to see and purchase new updates before others can, as well as some other privileges like prioritized support. “

This user has an outstanding rating of over 16,000 for having deposited more than $ 20,000 and only requested a refund for stolen cards worth $ 3,500.

This user has an outstanding rating of over 16,000 for having deposited more than $ 20,000 and only requested a refund for stolen cards worth $ 3,500. Click on the image to enlarge it.


It appears that Joker’s Stash has attracted a large number of high dollar customers, and many of them qualify for the elite “Full Stash” category, which is reserved for customers who and haven’t deposited more than $ 10,000 asked for more than about 30 percent of those cards to be refunded or replaced. KrebsOnSecurity identified hundreds of these three word domains that the card website assigned to customers. They were mostly registered with a number of domain registrars over the past year, and almost all of the (misused) services of a New Jersey-based cloud hosting company called Vultr Holdings.

All customers – be they high roller partners or street thugs with one card at a time – are instructed on how to log into the website using software that connects users to the website Tor network. Tor is a free anonymity network that routes its users’ encrypted traffic between multiple hops around the globe to obscure their actual online location.

The administrators of the site no doubt very much want all customers to use the Tor version of the site, as opposed to domains accessible over the open internet. Carding site domain names are constantly being seized, but it is much harder to discover and seize a Tor hosted site or link.

In addition, the constant change of domain names gets in the crosshairs of phishers and other scammers. As customers desperately search for the store’s updated domain name, scammers step in to take advantage of the confusion and promote fake versions of the website that misuse account details of unwary criminals.

Nicholas Weaver, a senior researcher in networking and security for the International Institute for Computer Science (ICSI) said it looks like the traffic from the three word domains that Joker’s Stash assigns to each user is going through the same hidden Tor servers.

“What it seems to be doing is starting an Nginx proxy for every Internet address it uses to host the domain sets given to users,” said Weaver. “This communicates with its backend server, which can also be reached as one of two hidden Tor services. And both are the same server: when you add your shopping cart into Tor it instantly shows up in the clearnet version of the site, and the same goes for removing cards. So my conclusion is that both Clearnet and Tornet are the same server in the backend. “

By routing all three-word partner domains through a server hidden on Tor, the Joker stash administration seems to understand that many customers can’t bother to run Tor and when forced to do so, they leave simply to a competing site that can be accessed directly over a regular, non-Tor-based internet connection.

“My guess is [Joker’s Stash] wants everyone to go to Tor, but they know Tor is torture, so they’re using the clearnet because that’s what customers are asking, ”said Weaver.

Interestingly, this setup suggests several serious operational security bugs by the staff at Joker’s Stash. For example, while Tor encrypts data on every hop on the network, no partner traffic from any of the custom three-word domains is encrypted by default en route to the Tor version of the site. For their credit, the site administrators are encouraging users to change this default setting by replacing http: // with https: // in front of their private domains.

A website lists the different ways to reach the carding forum on Clearnet or via Tor.  The links have been edited.

A website lists the different ways to reach the carding forum on Clearnet or via Tor. The links have been edited.

I’ll have more about Joker’s Stash in an upcoming post. In the meantime, if you liked this story, stop by a deep dive that I did in “McDumpals” last year, another credit card fraud bazaar aimed at bulk buyers with a heavy focus on customer service.

Leave A Reply

Your email address will not be published.