DoJ Seizes 145 Domains Tied to BidenCash Carding Marketplace in Global Takedown

The U.S. Department of Justice (DoJ) on Wednesday announced the seizure of cryptocurrency funds and about 145 clearnet and dark web domains associated with an illicit carding marketplace called BidenCash.

“The operators of the BidenCash marketplace use the platform to simplify the process of buying and selling stolen credit cards and associated personal information,” the DoJ said. “BidenCash administrators charged a fee for every transaction conducted on the website.”

BidenCash launched in March 2022 to fill the void left by the shutdown of Joker’s Stash a year earlier and several other carding forums like UniCC.

✔ Approved Seller From Our Partners

Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).

➤ Get Mullvad VPN with 12% Discount

Since the time it went operational, the illegal bazaar (“bidencash[.]asia,” “bidencash[.]bd,” and “bidencash[.]ws”) is estimated to have supported more than 117,000 customers, facilitated the trafficking of over 15 million payment card numbers and personally identifiable information, and generated no less than $17 million in revenue.

Specifically, the platform published 3.3 million individual stolen credit cards for free to promote the use of their services between October 2022 and February 2023. The stolen data contained credit card numbers, expiration dates, Card Verification Value (CVV) numbers, account holder names, addresses, email addresses, and phone numbers.

Of the 2.1 million compromised credit cards released in February 2023, 50% of the cards belonged to U.S.-based people or entities, according to Flashpoint.

BidenCash also specialized in the sale of compromised credentials that could then be purchased by other criminal actors to obtain access to computers without authorization.

In a report published in May 2023, CloudSEK revealed that BidenCash had begun to offer to advertise SSH services to buyers for as low as $2, alongside offering a package of services to check the target server for the presence of shell, as well as information about its processing power, location, and security vulnerabilities, if any.

“This poses a significant risk as threat actors can leverage this power to conduct a wide range of malicious activities, such as data exfiltration, brute force and ransomware attacks, and cryptocurrency mining,” the cybersecurity company said at the time.

However, authorities did not disclose the value of the confiscated cryptocurrency funds, or identify the operators of BidenCash and their physical locations.

The crackdown on BidenCash, according to the seizure banner, is part of an international effort led by the U.S. Secret Service and the Federal Bureau of Investigation (FBI), in partnership with the Dutch Politie, the Shadowserver Foundation, and Searchlight Cyber.

The development comes days after a multinational law enforcement operation confiscated four domains that offered counter-antivirus (CAV) and crypting services to threat actors to ensure that their malicious software stayed undetected from security software.

It also follows the arrest of a 35-year-old Ukrainian national who is alleged to have broken into more than 5,000 customer accounts at an unnamed hosting company to illicitly mine cryptocurrency on the hacked servers. The unnamed individual faces up to 15 years in prison.

The defendant is said to have used open-source intelligence to find and breach the vulnerable infrastructure of various international organizations and then deploy virtual machines to conduct unauthorized cryptojacking, resulting in $4.5 million in damages. The threat actor is believed to have been active since at least 2018.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.