Joker’s Stash, once a forum for credit data, grows as breaches yield more stolen data

The site is a hotspot for information stolen in big time data breaches.
Joker's Stash

If it’s possible to describe a cybercriminal marketplace as “reputable” while maintaining a straight face, then Joker’s Stash fits the description as well as any other.

The site has emerged in recent years as a destination for scammers who buy and sell credit card information stolen after data breaches from victims including the Hy-Vee supermarket chain, Sonic Drive-In and others. Now, the site has expanded to include an array of personal information on high-value targets, including members of the Trump administration, as part of an evolution toward making illicit transactions more user friendly, according to research published Thursday by threat intelligence firm Recorded Future.

It’s also available without the use of Tor, the well-known anonymity software that unlocks websites not accessible with mainstream web browsers.

Researchers who explored Joker’s Stash following reports that information stolen from Hy-Vee had been made available also found a new section dedicated entirely to Social Security numbers, which personal details available for $5 per record and searchable by name, birth date, or victim location. The expansion came amid a new marketing campaign, with Joker’s Stash operators advertising the site on Twitter, Reddit, and other carding forums. (Those advertisements don’t appear to have generated much attention, as the Joker’s Stash Twitter page has a mere eight followers and few, if any, interactions.)


Recorded Future said the data includes information about “members of the White House Cabinet” and Fortune 500 executives. The company declined to identify those people by name.

Joker's Stash

The login page of Joker’s Stash. (Recorded Future)

“The SSN section represented a serious update to the marketplace, providing a more persistent fraud vector compared to the relatively short usefulness of credit card data,” researchers noted in their findings.

“The ease with which this data is accessed is particularly troubling. This is the most prominent market or forum Recorded Future is aware of that peddles SSNs in a bulk manner.”

This is the latest evidence that websites explicitly dedicated to trading stolen information and other criminal tools have continued to thrive, even as international law enforcement has sharpened its focus on dark web drug markets. Joker’s Stash requires a browser extension called “blockchain DNS” to enter. The extension relies on a decentralized technique that disperses the servers, helping the site stay online if one segment is taken down, as KrebsOnSecurity reported.


Other hacking-focused sites also have grown of late, apparently propelled by the amount of data stolen in the countless data breaches in recent years. A Russian-language forum,, attracted more than 1,000 new users over a six-week span this spring as one drug forum after another went offline.

Now, Recorded Future assesses with “high confidence” that 49 servers and 543 domains are linked to Joker’s Stash. Many of the domains active now have been reactivated after an initial registration in 2017 that coincided with the sale of information stolen from Sonic. The Hy-Vee breach, which reportedly included more than 5 million credit and debit numbers, apparently provided motivation for the latest infrastructure update, Recorded Future noted.

Jeff Stone

Written by Jeff Stone

Jeff Stone is the editor-in-chief of CyberScoop, with a special interest in cybercrime, disinformation and the U.S. justice system. He previously worked as an editor at the Wall Street Journal, and covered technology policy for sites including the Christian Science Monitor and the International Business Times.

Latest Podcasts