State of Underground Card Shops in 2021
On February 15, 2021, after nearly 6.5 years in business, the prolific card shop Joker’s Stash closed its doors. Those behind the shop, which had been a pillar of the cybercriminal underground for years, announced that they were retiring, reminding their fellow fraudsters in their farewell message that “the most truly valuable things in this life are free.” While card shops have been a staple of the underground for years, few have managed to achieve the level of prominence that Joker’s Stash enjoyed. The shop was frequented by clients from around the world – the site was available in English and was marketed heavily on many Russian-language forums – and cultivated ties with renowned cybercriminal gangs such as FIN7 and Anunak (also known as Carbanak), which supplied the shop’s inventory.
The past year had not been an easy one for the crew behind Joker’s Stash, however. In October, a member of the gang posted that they had recently been hospitalized with COVID-19, and in December the shop’s blockchain DNS domains temporarily displayed a law enforcement seizure notice, an incident that is still somewhat unexplained. To top it off, many criminals had been complaining about a decline in the quality of cards supplied by Joker’s Stash over the past several months.
On January 15, 2021, Joker’s Stash announced their imminent closure on various underground channels. The site’s administrators opted to give their clients a 30-day notice in order to spend any remaining balance they might have on the site. On February 15, 2021, the lights turned off and the gang went home.
In this blog, Blueliv analysts investigate the current card shop ecosystem, covering both active shops that may grow in the vacuum left by Joker’s Stash’s withdrawal and other recently shuttered card shops.
Active credit card shops
FERum Shop – sometimes also referred to as FE Shop – is an English-language card shop that has both a clear net domain and an onion domain. In order to access information about the shop, such as updates and card information, one needs to log into the site. Creating a new account is relatively straightforward, though it does require contact information such as Jabber ID and ICQ number to register.
According to metrics shared by the site itself, FERum Shop has information on millions of compromised cards. The site regularly advertises the fact that new compromised data has been added and is available for sale. FERum Shop allows prospective clients to browse the millions of CVVs available on the site. CVVs, also known as “cards” on the underground, are compromised card information typically stolen from online sources such as phishing pages or Magecart skimming tactics.
CVVs for sale on FERum Shop.
CVVs often take the form of a card number, expiration date, and a CVV code, and sometimes other information such as zip code may be included. The FERum Shop site states that it sells over four million CVVs, and allows users to browse by inputs such as BINs, countries, and card type (Visa, Mastercard, etc.). The shop does not appear to sell cards sourced from victims located in countries that are members of the Commonwealth of Independent States (CIS). The countries from which the site has sourced over 100,000 compromised cards include: Australia, Brazil, France, Hong Kong, India, Mexico, South Africa, Turkey, the US, and the UK. CVV prices range between $6,90 USD and $16,80 USD. Support for the market is available over Jabber. Purchases are made via Bitcoin, which is added to a wallet directly on the website. The shop includes a banner ad for a competitor card shop dubbed Trump Dumps, possibly indicating a link between the two shops.
Brian's Club is one of the most well-known markets specializing in selling stolen payment card data. Although users can freely register without any sort of referral, they must add balance to the account within five days or the account is automatically deleted. This type of restriction is likely used to keep out observers who are not really going to be customers of the service and to keep a low profile, avoiding unwanted attention from researchers or law enforcement. As soon as access to the market is granted, a pop-up appears advertising a “10% bonus each time you deposit more than $500”. Additionally, the message states that the administrator uploads every day "more than 50,000 freshly grabbed dumps & cards.” Blueliv researchers couldn’t verify if these numbers are accurate, as the market doesn’t provide transparent statistics about the amounts of dumps and cards added every day. However, the administrators have been updating the News section almost daily with new bases – a collection of compromised payment card information usually coming from the same source – specifying the countries impacted, the type of track data, and the validity percentage.
The Brian's Club interface is quite polished compared to most of their competitors, with clear sections, detailed information and filters, and no overwhelming bugs. However, there are things about this site that complicate its image as a paradise for fraudsters. The Brian's Club hack, reported in October 2019, raised serious concerns about the security of the site. An anonymous source reported to KrebsOnSecurity that 26 million cards were stolen between mid-2015 and August 2019. Another disadvantage is that most dumps and cards are not refundable. Purchases are made via Bitcoin, Litecoin, or Dash cryptocurrencies, adding balance to the account.
Screenshot of “Dumps” section filters.
Screenshot of “Dumps” section items.
Screenshot of “CVV” section filters.
Screenshot of “CVV” section items.
Furthermore, the shop has a “Wholesale” section where they sell dumps packages and bulk mix packages. Brian’s Club has a banner advertisement on the Club2CRD forum that links to a thread from the threat actor “Brian Krebs.” Brian Krebs is a popular security journalist the crooks have been mocking since the shop’s inception.
Advertisement post in Club2CRD forum.
The threat actor Brian Krebs has a reputation of 24 positive and 17 negative reviews. In February 2021, the user “AllMoneyIn2020” posted the following feedback in this thread:
anyone saying brians dumps dead just doesnt know the game plain and simple out of all the shops brians by far is the most legit. He doesnt do all that reselling dead dumps and not responding to tickets bs most sites try and pull.
Additionally, the user “siberiano” complained about an increase in the cards price:
change the service a little, almost all the good pages have their own checkers, you have raised the prices a lot, so stop buying separately, they sell dead and do not replace them as if they were the only ones who hunt information, please change a little and I will reduce their prices to Latinas is absurd to charge 40 dollars a classic that fixed wing comes out in insufficient funds and those same sell them on other pages at 8 dollars they are losing customers.
Thefreshstuffs is a card shop with a modern and simple design available both via a clear net and an onion domain. The available cards are less diverse compared to Brian's Club and FERum, but at the time of publication, they offer a considerable amount of cards from the United States, Australia, Japan, Canada, the United Kingdom, and Italy. Regarding prices, Thefreshstuffs items are usually refundable and their prices are highly competitive.
Purchases are made via Bitcoin, Litecoin, or Ethereum cryptocurrencies, adding balance to the account. The market includes a News section that is updated at least once a week, along with Support and Chat sections. The administrators maintain the Telegram channel @TheFreshStuffs, created on August 13, 2018, where they post updates about the shop. Currently, the channel has 206 followers.
Screenshot of “CVV” section filters.
Screenshot of “CVV” section items.
Screenshot of “Dumps” section filters.
Screenshot of “Dumps” section items.
The administrators have posted updates on multiple cybercriminal underground forums (Omerta, Enclave, Club2CRD) under the moniker “TheFreshStuffs”, where they published the same updates featured on the News tab of their shop. On the Russian-language forum Club2CRD, TheFreshStuffs has a reputation of 14 positive and 2 negative reviews. In November 2020, the user “slickback” replied to TheFreshStuffs’ “Dumps” selling thread with the following feedback:
well here is the update! 1 for 2 ! the second one declined in 2 stores. but checker approved. i dont see how when these are local credit unions in my area. im onot gonna complain this round. but next time i will be sending a ticket in shop for my refund. I will try 5 more tomorrow. stay tuned for feed back !.. this is 100% honest review. thanks for reading!
Then, the user updated the review with a second post:
shop is no good like the others went 1 for 6. the one was dead in store but checker approved!! therefore my results are shop is no good!!! Yes!!! they gave me an excuse i used old base when i did NOT!! used from the freshest base and used bins from credit unions in my area. POS declined the cards so fast!!! did NOT even hesitate!! lets me know the cards were SUPER DEAD!!!! This is 100% HONEST review.. when i get the lil bit of money i have in shop i will no return! MIC DROP!!
The forum user “0merta” also posted the following feedback:
I had been through a few different sites ever since dumpsclinique got shut down and I think I finally found a home. I know that the dumps are a little bit higher in price nevertheless, you get what you pay for, and if for some reason you get a bad card, Fresh has no problem refunding anything that isn't live. There's a reason that they are the only shop with good feedback on this forum.
Sorry it took me a little bit to post the positive feedback I promised you I would write after you fixed my issue, keep up the good work. The only thing I would like to see change is more eu, this past week seemed like there was a lot less eu getting dumped, not sure why that was, hopefully they'll be more before the week ends.
Analyzing the reviews from multiple users, it seems the card shop’s track data (dumps) often has a low valid rate, but the customer service is quick with refunds. According to the threat actor Thefreshstuffs, they use a direct API with LUXCHECKER checking services to verify whether compromised cards and track data are live.
Missing Credit Card Shops
In the final week of January 2021, ValidCC abruptly closed its doors. The closure was due to an alleged server-seizing law enforcement action that led to the loss of access to the proxy, destination backup servers, and to a significant part of the site’s inventory.
Yet, such claims are not verified to date; the shop may have closed for reasons other than law enforcement action. ValidCC is one of many cybercrime shops that used the Media Land LLC hosting provider services. There are no signs that any law enforcement actions tackled Media Land LLC’s infrastructure nor that any actions were directed at “Yalishanda,” the moniker under which the proprietor of Media Land operates. However, due to the recent wave of law enforcement actions against major cybercrime groups, SPR’s claim may be legitimate. ValidCC was an active shop also involved in hacking and pillaging hundreds of e-commerce businesses. The revenues from ValidCC exceeded $5,000 USD per day, and SPR claims that the shop took in approximately $100,000 USD worth of virtual currency deposits each day from customers.
VaultMarket is another case of a major card shop that has recently shut down operations. The circumstances under which this closure took place are still unknown; no official communiqué was issued by any actor related to the shop.
Screenshot from a carding forum
In the past months, users on forums started asking what could have happened to VaultMarket, but Blueliv analysts could not find any particularly revealing evidence.
Screenshot from a carding forum
Due to the timing of the events, the closure could possibly be linked to ongoing law enforcement actions; yet, this remains only a hypothesis.
Rescator offers cards, dumps, and even SSHs, as well as its own checker (a tool for checking the validity rate of compromised cards). For years, the site would upload new databases of compromised information for sale several times a month. This habit stopped abruptly, however, with the final database uploaded to the site being advertised on the site’s front page on December 16, 2019. Attempts to browse the site prove buggy, perhaps suggesting issues with the maintenance of the site. Researchers at Blueliv did not identify any compromised information – cards, dumps, or otherwise – available for sale on the site. At this time, the fall of Rescator seems largely unexplained. Blueliv analysts did uncover a post opened in the Arbitration subforum of the top-tier Russian-language forum Exploit, authored in August 2020 and directed at Rescator.
Screenshot from Exploit speaking about Rescator
In this post, the threat actor accused Rescator of scamming them years ago, though they produced no proof. This same accuser also suggests that the Rescator gang did disappear for a bit, but could be back at that moment. Blueliv analysts could not assess the likelihood of these claims.
Like clients of any other type of online business, card shop clients will choose a reliable store, one that offers not only a high quantity of available cards, but also quality. Card shops with a higher valid ratio on CVVs and dumps are much more likely to succeed and get better reviews on underground forums specialized in card fraud. In the cybercriminal underground ecosystem, there is an astonishing amount of scams. For this reason, clients look for sellers that offer protection mechanisms like refundable items, a good support service, or escrow. The reputation of the sellers is equally relevant. Clients check feedback, reviews, and reputation scores left on underground forums. However, it is important to consider that we have seen a lot of accusations of fake and paid reviews from forum users. Furthermore, new stores are investing in advertisements to compete with older ones and to capitalize on the space left by Joker’s Stash’s closure. Card shops can also attempt to attract customers by offering a set of free compromised cards or heavy discounts.
The evolution of cybercrime and threat actors in recent years has seen a decrease in the use of POS malware, perhaps in favor of ransomware usage, and therefore in the amount of available “dumps”, which was the main source for shops like Rescator or Joker’s Stash. However, cybercriminals started to use even more web skimmers and Magecart schemes, which increased the amount of card-not-present fraud and the availability of CVVs in shops. The evolution of threat actors and attacks certainly influences how cybercrime services adapt to the new changes. Joker’s Stash’s closure leaves behind a free space and a doubt: can and will any shop fulfill the role previously played by Joker’s Stash? In this competitive environment, permeated by secrecy, instability, fraud against fraudsters, surveillance, and law enforcement operations, nothing can be taken as given. The legacy of Joker’s Stash might be carried forward by one or many heirs. Yet, according to the actors behind the shop, one of their most valuable legacies is the following lesson: “we wish all young and mature ones cyber-gangsters not to lose themselves in the pursuit of easy money. Remember, that even all the money in the world will never make you happy.”