ATM / POS Fraud , Blockchain & Cryptocurrency , Card Not Present Fraud

Joker's Stash Lists 1.3 Million Stolen Indian Payment Cards

Notorious Cybercrime Marketplace Unveils Massive Data Trove, Researchers Warn
Joker's Stash Lists 1.3 Million Stolen Indian Payment Cards
Cards for sale (Source: Group-IB)

A notorious cybercrime marketplace specializing in the sale of stolen payment card data has a new listing: 1.3 million credit and debit cards, most of which have been issued to Indian banking customers.

See Also: Check Kiting In The Digital Age

Cybersecurity firm Group-IB, based in Singapore, first spotted the massive haul of stolen data, which it says was uploaded to the cybercrime marketplace called Joker's Stash. Group-IB says the entire database of 1.3 million stolen card details has a value on the cybercrime underground of more than $130 million, based on each of the stolen card details being sold for $100. It notes that this may be biggest batch of stolen payment card information to ever be advertised at one time.

Group-IB tells ZDNet, which first reported on its findings, that the provenance of the stolen data remains unknown, although it likely was been amassed from point-of-sale systems or ATMs infected with either card-skimming malware or physical skimmers.

The security firm says the data appears to be legitimate; it's alerted relevant authorities to the card data being for sale.

Joker's Stash lists the massive batch of stolen payment card data as “INDIA-MIX-NEW-01” (Source: Group-IB)

Joker's Stash lists the database of payment card details under the name “INDIA-MIX-NEW-01” and says the data includes both track 1 and track 2 data, referring to data stored on the magnetic stripe on the back of a card, which includes the primary account number and expiration date, and which may include the card verification value or card verification code, or CVV.

"Track 2 dumps can be used to produce cloned cards for further cashing out," Group-IB says.

The listing says the data has a validity rate of 90 to 95 percent.

Most Stolen Data Traces to Indian Banks

Group-IB, which has analyzed the cards listed for sale, says more than 98 percent appear to have been issued by Indian banks, with a single bank accounting for more than 18 percent of all of the dumps. About 1 percent of the cards appear to have been issued to Columbian banks.

What's unusual about this sale is that so many payment cards have been uploaded at once (see: Big Dump of Pakistani Bank Card Data Appears on Carder Site).

"Databases are usually uploaded in several smaller parts at different times,” says Ilya Sachkov, CEO and founder of Group-IB, which was originally headquartered in Moscow. While that is unusual, so too is the sheer scale of what's being offered all at once.

“This is indeed the biggest card database encapsulated in a single file ever uploaded on underground markets at once," he says. "What is also interesting about this particular case is that the database that went on sale hadn’t been promoted prior either in the news, on card shop or even on forums on the dark net. The cards from this region are very rare on underground markets. In the past 12 months, it is the only one big sale of card dumps related to Indian banks."

"Only banks can identify the source of the compromised data."
—Dmitry Shestakov, Group-IB

Typically, attackers would tend to drip-feed payment card data onto cybercrime markets so as not flood the market all at once and drive down their asking price. "In general, it is more lucrative to sell databases separately, in smaller pieces, which allows the sellers to constantly maintain interest in a database," Dmitry Shestakov, head of the cybercrime research unit at Group-IB, tells Information Security Media Group.

"Once you roll out the first part, everybody is waiting for the next. If you do the opposite, selling it as part of a single database, most cards would be gone straight away; the rest will be harder to sell," he says. "Breaking it into smaller batches also allows to boost the database advertisement in the search results on markets. Every new part will be shown at the top."

Shestakov says dumping this type of database all at once, versus breaking it up into smaller pieces, wouldn’t complicate efforts to identify where the stolen data originated. "It would unlikely to complicate the identification of the data origin for banks," he says. "If a bank gets such data it wouldn’t be hard for it to identify the source. But only banks can identify the source of the compromised data."

Major Cybercrime Marketplace

Security experts say that Joker's Stash is one of the major underground sites specializing in the sale of stolen payment card data.

The operation also appears to have an extensive online presence. Threat intelligence firm Recorded Future's Insikt Group, together with independent researchers Rodrigo Bijou and Jared Wilson, in a report about Joker's Stash released on Thursday, say they have identified 49 servers and 543 domains that appear to be associated with the cybercrime marketplace.

The researchers note that while Joker's Stash still lists large batches of breached payment card data for sale on a regular basis, its operators have diversified. "The forum operators have moved beyond carding to include a variety of personally identifiable information on victims, including contact information and Social Security numbers," the researchers say in the report. "This represents an escalation in the type of data that Joker’s Stash operators are selling. Additionally, the actors have continued to provide dedicated domains and servers for their buyers," although moved these domains off of the anonymizing Tor network.

Recorded Future says Joker's Stash maintains hundreds of domains, typically built using the following formula: [English- word1]-[English-word2]-[English-word3].[tld]. Examples range from and to and

"These domains are not malicious, in the manner of delivering malware or phishing visitors," Recorded Future says. "The domains act as portals for Joker’s Stash’s biggest clients to have dedicated servers to purchase, store, and retrieve cards of interest."

New registrations of domains connected to Joker's Stash (Source: Recorded Future)

New domains tend to get rolled out in advance of big breaches, Recorded Future says. "For example, a large number of these domains were registered in 2017, preceding the disclosure of the Sonic and Jason’s Deli breaches, as well as other major payment card breaches," it says (see: Credit Card Theft Ringleader Pleads Guilty).

Multiple Access Options

In 2017, Joker's Stash began begun using a decentralized, blockchain-based domain name system called Emercoin, which helps users maintain their anonymity when registering the site. A version of Joker's Stash is thus reachable via Emercoin's .bazar top-level domain, using regular browsers that have a required plug-in, threat intelligence firm Digital Shadows said in a report issued last year.

"As blockchain domains do not have a central authority, and registrations contain a unique encrypted hash of each user rather than an individual's name or address, it is much harder for law enforcement to take down criminal sites," Digital Shadows reported (see: Era of the eBay-Like Underground Markets Is Ending).

Other versions of Joker's Stash are available as cleartext sites, which are likely provided only to previously verified clients, says Recorded Future. Other versions are only reachable via a .onion top-level domain.

Joker's Stash actively blocks users from using Tor to access cleartext websites.

Tor warning from the Joker’s Stash server on Sept. 25 (Source: Recorded Future)

"Connecting to the domains or servers via Tor will load a splash page, telling users to use a normal browser to access the page via clearnet," Recorded Future says. "This likely is to block known Tor exit nodes, as lists are commonly propagated," and thus often get blocked.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.