Full Report
The U.S. Department of Justice (DoJ) on Wednesday announced the seizure of cryptocurrency funds and about 145 clearnet and dark web domains associated with an illicit carding marketplace called BidenCash. "The operators of the BidenCash marketplace use the platform to simplify the process of buying and selling stolen credit cards and associated personal information," the DoJ said. "BidenCash
Analysis Summary
# Threat Actor: BidenCash (Cybercriminal Marketplace Operators)
## Attribution & Identity
The actors behind the BidenCash marketplace are **unidentified** by the DoJ. The operation was taken down in a multinational law enforcement effort led by the U.S. Secret Service and the FBI, in partnership with the Dutch Politie, the Shadowserver Foundation, and Searchlight Cyber.
**Known Aliases and Associated Groups:**
* The marketplace is named "BidenCash."
* It was created to fill the void left by the shutdown of major carding forums like **Joker's Stash** and **UniCC**.
## Activity Summary
BidenCash operated as an illicit marketplace on the dark web and clearnet for buying and selling stolen credit cards and Personally Identifiable Information (PII).
* **Launch:** March 2022.
* **Scale:** Facilitated the trafficking of over 15 million payment card numbers and PII, generating at least $17 million in revenue from over 117,000 customers.
* **Promotional Activity:** Released 3.3 million stolen credit cards for free between October 2022 and February 2023 to attract users.
* **Service expansion (reported May 2023):** Began selling access to compromised SSH servers for as little as $2, alongside a validation service that checks a compromised server for web shells, processing power, geographic location, and exploitable vulnerabilities before it is resold.
## Tactics, Techniques & Procedures
The TTPs revolve around the functioning of a large-scale data market rather than typical intrusion techniques:
* **Monetization of Stolen Data:** Charging administrative fees for every transaction conducted on the platform.
* **Data Dumping/Promotion:** Releasing large volumes of stolen credentials for free as a promotional tactic.
* **Sale of Access:** Selling compromised SSH credentials, which give buyers a foothold for unauthorized access, data exfiltration, brute-force attacks, ransomware deployment, and cryptocurrency mining.
* **Data Types Traded:** Credit card numbers, expiration dates, CVV numbers, account holder names, addresses, email addresses, and phone numbers.
* *(No specific MITRE ATT&CK IDs were mentioned in the source material.)*
## Targeting
* **Sectors:** Payment card issuers, merchants, and the consumers whose card data was stolen; with the sale of SSH access, any organization running exposed or weakly authenticated SSH services (implied by what was offered for sale rather than stated in the source).
* **Geography:** 50% of the compromised credit cards released in February 2023 belonged to **U.S.-based people or entities**. The marketplace was global in scope, evidenced by the international law enforcement takedown.
* **Victims:** The marketplace served over 117,000 buyers; the direct victims are the cardholders behind the more than 15 million trafficked records and the operators of the servers whose SSH access was resold.
## Tools & Infrastructure
* **Malware Families Used:** None named in the source material; the operation was a marketplace, so its domains and payment infrastructure, rather than intrusion tooling, were central to it.
* **Infrastructure (C2, domains, IPs):**
* The marketplace utilized both clearnet and dark web domains.
* Confirmed marketplace domains seized include: `bidencash[.]asia`, `bidencash[.]bd`, and `bidencash[.]ws`.
* U.S. authorities seized approximately **145 domains** associated with the marketplace.
## Implications
The seizure of key infrastructure successfully disrupted one of the largest carding operations to emerge after the shuttering of Joker's Stash. The marketplace's expansion into selling direct server access (SSH credentials) signals a convergence between traditional carding/data sales and initial access brokering, which broadens the potential impact on enterprise security well beyond financial fraud.
## Mitigations
* **Financial Security:** Implement robust monitoring for fraudulent transactions linked to compromised card data.
* **Enterprise Security (Based on Service Expansion):** Organizations must secure remote access services, especially SSH: disable password logins in favour of keys, require a second factor on every login path, manage and rotate keys, and scan continuously for exposed or vulnerable SSH services, since working access was being sold directly to attackers.
* **Proactive Monitoring:** Consume threat intelligence feeds that track known compromised card dumps and match them against the card portfolio so that compromised payment instruments can be blocked and reissued quickly.
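The SSH mitigation above is easy to get wrong in one specific way: OpenSSH applies the first value it reads for a directive and silently ignores later repeats, so a hardening line appended to the end of `sshd_config` does nothing if a weaker value appears earlier. The following audit script is an added example written for this summary, not code from the BidenCash reporting or from any of the organizations named on this page. It parses the global section of an `sshd_config` with those first-match semantics, compares the effective values against a policy of no password logins, no root login, key-based authentication, and a required second factor, and flags `Match` blocks for manual review because they can override the global settings conditionally. The two configurations are constructed for illustration; the policy values are an assumption about what "hardened" means here.

```python
"""Audit an OpenSSH sshd_config for settings that make SSH access sellable.

Added example, not from the source reporting. Assumes OpenSSH 7.0+ defaults
(PermitRootLogin defaults to prohibit-password) and directive names from 6.2+
(AuthenticationMethods). Both configurations below are constructed."""

import re

# sshd built-in defaults for the directives we care about (OpenSSH >= 7.0).
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
    "authenticationmethods": "any",
}

DIRECTIVE = re.compile(r"^([A-Za-z][A-Za-z0-9]*)\s*=?\s*(.*)$")


def parse_sshd_config(text):
    """Return (effective global values, number of Match blocks).

    sshd uses the FIRST occurrence of a directive and ignores later ones, so
    we record a key only the first time we see it. Directives after a Match
    line are conditional and excluded from the global view."""
    effective = dict(DEFAULTS)
    seen = set()
    match_blocks = 0
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        if key == "match":
            match_blocks += 1
            in_match = True
            continue
        if in_match or key not in DEFAULTS or key in seen:
            continue
        seen.add(key)
        effective[key] = value
    return effective, match_blocks


def audit(text):
    """Return a list of human-readable findings; empty means the global
    configuration meets the policy."""
    eff, match_blocks = parse_sshd_config(text)
    findings = []
    if eff["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is not 'no': password logins accepted")
    if eff["permitrootlogin"] not in ("no", "prohibit-password"):
        findings.append("PermitRootLogin allows root login with a password")
    if eff["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication disabled: key-based login impossible")
    if eff["permitemptypasswords"] != "no":
        findings.append("PermitEmptyPasswords enabled")
    # AuthenticationMethods lists alternatives separated by spaces; each
    # alternative is a comma-separated chain that must ALL succeed. Every
    # alternative must include publickey plus at least one more method.
    methods = eff["authenticationmethods"]
    chains = [c.split(",") for c in methods.split()]
    if methods == "any" or any(len(c) < 2 or "publickey" not in c for c in chains):
        findings.append("AuthenticationMethods does not require publickey plus a "
                        "second factor on every login path")
    if match_blocks:
        findings.append(f"{match_blocks} Match block(s) present: conditional "
                        "overrides need manual review")
    return findings


# Constructed: a distro-style default with a hardening line appended too late.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# Appended later by a well-meaning admin; sshd ignores it (first value wins)
PasswordAuthentication no
"""

# Constructed: keys required, root locked out, key plus keyboard-interactive
# second factor (e.g. a PAM TOTP module) required on every login path.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["OK"])
```

Run it against the real file with `audit(open("/etc/ssh/sshd_config").read())`; the weak sample produces three findings (password logins, root login, no second factor) even though its last line says `PasswordAuthentication no`, which is exactly the kind of server whose credentials end up for sale.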
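For the monitoring mitigation, the practical question is how an issuer consumes a dump feed containing the fields listed under Data Types Traded without itself accumulating clear-text card numbers. The script below is an added example written for this summary, not code or data from BidenCash, the DoJ, or any vendor feed. It parses constructed dump lines, normalizes and Luhn-checks each PAN to discard junk records, keeps only PANs in the issuer's own BIN ranges, and matches them against a portfolio keyed by HMAC-SHA256 tokens rather than raw PANs, so the comparison never needs the clear-text numbers on either side. The pipe-separated record layout, the BIN prefixes `411111` and `401288`, the account identifiers and the HMAC key are all assumptions; the PANs are the standard industry test numbers.

```python
"""Triage a compromised-card dump against an issuer's own portfolio.

Added example, not from the source reporting. The feed format, BINs, key and
account IDs are constructed; the PANs are public test numbers."""

import hashlib
import hmac
import re

# Constructed feed lines: PAN|MM/YY|CVV|name|address|email|phone.
# Includes a Luhn-invalid record, a PAN with spaces, and a garbage line.
DUMP_FEED = """\
4111111111111111|12/26|123|Jane Doe|1 Main St, Springfield|jane@example.com|555-0100
5555555555554444|05/27|987|John Roe|2 High St, Anytown|john@example.com|555-0101
4111111111111112|01/26|111|Bad Record|n/a|bad@example.com|555-0102
4012 8888 8888 1881|09/25|456|Ann Poe|3 Elm St, Springfield|ann@example.com|555-0103
378282246310005|11/26|1234|Amex Holder|4 Oak St|amex@example.com|555-0104
4111111111111129|03/28|222|Unknown Card|5 Pine St|unk@example.com|555-0105
this line is garbage
"""

# Hypothetical issuer: the BIN prefixes it owns and the secret used to tokenize
# PANs. In production the key lives in an HSM/KMS and never in source.
OUR_BINS = ("411111", "401288")
TOKEN_KEY = b"constructed-demo-key-not-for-production"


def luhn_valid(pan):
    """Standard Luhn mod-10 check; rejects typos and junk filler in dumps."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def pan_token(pan):
    """Keyed hash of the PAN; the portfolio stores only these tokens."""
    return hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()


def mask(pan):
    """PCI-style display form: first six, last four."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_dump(text):
    """Yield normalized records; malformed lines are skipped, not fatal."""
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split("|")
        if len(fields) < 3:
            continue
        pan = re.sub(r"[\s-]", "", fields[0])
        if not pan.isdigit():
            continue
        yield {"line": lineno, "pan": pan,
               "exp": fields[1].strip(), "cvv": fields[2].strip()}


def triage_dump(text, portfolio):
    """portfolio maps pan_token(PAN) -> account id.

    Returns accounts to block, our-BIN PANs not on file (masked), other
    issuers' BINs (for sharing), and line numbers of Luhn-invalid records."""
    out = {"block": [], "not_on_file": [], "other_issuer": [], "invalid": []}
    for rec in parse_dump(text):
        pan = rec["pan"]
        if not luhn_valid(pan):
            out["invalid"].append(rec["line"])
        elif not pan.startswith(OUR_BINS):
            out["other_issuer"].append(pan[:6])
        elif pan_token(pan) in portfolio:
            out["block"].append(portfolio[pan_token(pan)])
        else:
            out["not_on_file"].append(mask(pan))
    return out


# Constructed portfolio: tokens only, never clear-text PANs at rest.
PORTFOLIO = {
    pan_token("4111111111111111"): "acct-0001",
    pan_token("4012888888881881"): "acct-0002",
}

if __name__ == "__main__":
    for bucket, items in triage_dump(DUMP_FEED, PORTFOLIO).items():
        print(f"{bucket:>13}: {items}")
```

The `not_on_file` bucket matters: a PAN in your BIN range that you never issued is either a fabricated filler record or a sign the feed is mixing in generated numbers, and either way it should lower your confidence in that source rather than trigger a block.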