The first quarter of 2021 saw a number of noteworthy developments in the darknet community. This included the DDoS attacks targeting WhiteHouse market and the shutdown of Joker’s Stash. There have also been some interesting emerging trends concerning ransomware groups that are likely to affect the threat landscape for the rest of the year.
WhiteHouse continues to dominate
Since Empire’s collapse in the latter half of 2020, WhiteHouse has become the preeminent darknet market. This continued to be the case throughout the first quarter of 2021, and there is no sign of any rival market challenging WhiteHouse’s dominance.
Of the current crop of markets, WhiteHouse is one of the oldest. The lifespan of darknet markets is often very short, so longevity is often seen as an indication of legitimacy. Consequently, WhiteHouse is well-established as a reputable market in comparison to many others. The chief WhiteHouse admin has also publicly collaborated with the moderators of Dread, one of the largest darknet forums, on various projects, further improving their credibility amongst darknet users.
However, as is always the case for darknet markets, there are clear threats to WhiteHouse’s dominance. There is the ever-present risk from law enforcement, which has likely increased as the market’s profile has grown. There is also the constant threat posed by rival markets. While none are currently putting genuine pressure on WhiteHouse’s dominance, markets such as Dark0de and Versus are gradually increasing in popularity. In recent weeks, WhiteHouse has also been hit by several DDoS attacks which have severely hampered its uptime. As isolated incidents, these attacks are not particularly damaging. However, if they persist, DDoS attacks have the potential to create a significant dent in WhiteHouse’s customer base, as buyers move to more stable markets.
Ransomware groups experiment with new pressure tactics
Naming victims and leaking stolen data via darknet leak sites is now a staple of many ransomware groups’ operations. However, some ransomware groups are now beginning to experiment with variations on this technique in a bid to place further pressure on victims to pay.
Several groups began leaking samples of stolen victim data on various cybercrime forums. However, in light of recent developments surrounding the Colonial Pipeline incident and the DarkSide ransomware group, which saw ransomware groups being banned from advertising on multiple high-profile forums, it is unlikely this practice will continue. That said, many of these groups have so far maintained a limited presence on these forums, so the possibility of them leaking samples of stolen data via these forums should not be ruled out entirely. Moreover, they could use alternative accounts to leak the data, providing them with a thin veneer of deniability towards the forum administrators. Several groups have also made attempts to publicly taunt victims via Twitter accounts, though these accounts often have a relatively short lifespan. This severely hampers their utility for applying pressure to victims, which may explain why more ransomware groups have not adopted this technique.
Other groups have also announced their intention to begin directly contacting executives of organisations that refuse to pay, via phone and email. Some ransomware groups have already been doing this, but there are recent indications that it is becoming a larger part of their operation. For instance, some RaaS groups have incorporated spam calling into the services they offer affiliates. Others have begun conducting DDoS attacks against victims that refuse to pay. All of these techniques are designed to maximise disruption for affected organisations and increase pressure on senior decision-makers to pay the ransom.
There is also an increasing trend of ransomware groups relying on media outlets to amplify their claims, which echoes techniques used in state-sponsored Russian information operations. Several RaaS groups have conducted public interviews, which serve multiple purposes: advertising the RaaS product to potential affiliates; and increasing awareness of the RaaS group beyond the criminal community, which may further encourage victims to pay the ransom. The interviews themselves often have limited value from a defensive standpoint, but for RaaS groups, they are essentially free publicity.
Joker’s final punchline
On 15 February 2021, Joker’s Stash, one of the largest carding sites, officially shut down. Unlike other carding sites, this was a voluntary decision made by the Joker’s Stash administrators, rather than the result of a law enforcement takedown operation.
Despite being well-established as a reliable source for stolen card details, Joker’s Stash experienced significant reputational damage throughout 2020. This was in large part due to a decline in the rate of valid cards per breach being sold on the site. Moreover, in December 2020, multiple Joker’s Stash domains were seized by law enforcement. It is likely that these factors contributed to the Joker’s Stash administrator’s decision to shut down.
In the wake of Joker’s Stash shutting down, other carding sites have attempted to fill the void. Unlike the current situation with WhiteHouse market, Joker’s Stash was merely one of many well-established carding sites. Therefore, it is likely that most Joker’s Stash customers have switched over to one of the more reputable carding sites, rather than to one of the plethora of relatively unreliable carding sites.
Outlook
Barring an exit scam or law enforcement takedown, WhiteHouse is likely to continue to dominate the darknet market landscape for the foreseeable future. However, once a darknet market reaches a certain size, there is a target on its back. Darknet market staff understand this inherent risk, which is why so many choose to exit scam rather than continue operating. For now, WhiteHouse remains the dominant market, but this current level of relative stability will not last forever.
Likewise, ransomware groups are likely to continue playing a significant role in the threat landscape for the foreseeable future. It is also likely that these groups will continue to experiment with different ways of pressuring victims into paying ransoms, whether that is via leaking data, conducting public interviews, contacting victim employees directly, or another new technique. However, as seen with the ubiquity of data leak sites, once a particular technique is considered effective, it will be adopted rapidly by other ransomware groups.
Finally, the shutdown of Joker’s Stash will cause a dispersal of ex-customers across other rival carding sites. However, at this stage, it is difficult to assess which of these sites will benefit most. In comparison to darknet markets, there are a significant number of reputable carding sites, and so former Joker’s Stash customers are less likely to congregate around a specific site.