There is no shortage of places within the internet’s dark market where stolen credit and debit card information is sold. Most of them, truth be told, are criminal chancers trading in recycled data from old breaches; bargains are to be had for fraudsters willing to take a gamble that some of the bundle of payment cards they have bought will actually be usable. Then there is Joker’s Stash, where a stolen payment card database is on sale for $130 million (£101 million).

What is Joker’s Stash?

What is Joker’s Stash, do I hear you ask? Well, I’m not talking about the half a million Android devices the Joker malware is said to have infected, nor the $4.5 million (£3.5 million) smackers that Joaquin Phoenix is reported as having got paid for the role in the Joker movie either. Instead, Joker’s Stash is well-known within cybercriminal circles as the most significant “carding” site, where payment card data is traded on the dark web.

Not only is it the biggest, but Joker’s Stash, which was established in 2014, prides itself on traders selling the “freshest” of payment card details, those that come directly from a breach rather than being recycled. As a result, this compromised card data doesn’t come cheap and is pitched firmly in the top tier as far as pricing is concerned.

The $130 million payday

On October 28, the compromised details of more than 1.3 million payment cards were put up for sale on the notorious dark market site, with an asking price of $100 (£78) per card. Yes, you did read that right; if the cybercriminals trading the payment card data sell the lot then that’s an incredible $130 million (£101 million) payday. The security researchers who detected the card drop thought that the card collection, courtesy of it containing magnetic stripe “track 2 data,” was created by a network of ATM cash machine or point of sale skimming devices. The vast majority appear to be from customers of Indian banks.

Why so serious?

The only funny thing about Joker’s Stash is that the volume of payment card data it offers for sale isn’t all bad news. In fact, it could be quite helpful for those fighting fraud.

Business risk intelligence specialist Flashpoint has published a new analysis of Joker’s Stash. Flashpoint’s director of analysis and research, Ian Gray, along with research developer Max Aliapoulios, has outlined why, because of its size and positioning, organizations need visibility into the card data from Joker’s Stash if they want to be in a position to best curtail any potential impact of a breach.

The report stated that fraud teams need to understand what payment card data is available, along with the timing of that availability, to help with the identification of the “common point of purchase” of the compromised card data. This is, the Flashpoint report said, the most reliable way that fraud teams can determine the source of a breach.
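
The common-point-of-purchase analysis mentioned above, as an added Python example that is not taken from the Flashpoint report: it ranks merchants by how many of the cards seen in a dump transacted there in the window before the cards first went on sale. The card tokens, merchant names, dates (including the year) and the 60-day lookback are constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data (not from the report): card token, merchant, purchase date.
TRANSACTIONS = [
    ("card-A", "fuel-station-17", date(2019, 9, 30)),
    ("card-A", "grocer-02",       date(2019, 10, 5)),
    ("card-B", "fuel-station-17", date(2019, 10, 2)),
    ("card-B", "grocer-02",       date(2019, 10, 9)),
    ("card-C", "fuel-station-17", date(2019, 10, 11)),
    ("card-C", "cinema-40",       date(2019, 11, 3)),   # after the dump: ignored
    ("card-D", "grocer-02",       date(2019, 10, 1)),   # card not in the dump
    ("card-E", "grocer-02",       date(2019, 10, 4)),   # card not in the dump
    ("card-E", "fuel-station-17", date(2019, 6, 1)),    # outside the lookback window
]
DUMPED_CARDS = {"card-A", "card-B", "card-C"}   # tokens matched against the dump
FIRST_SEEN = date(2019, 10, 28)                 # constructed date the cards went on sale


def rank_common_points(transactions, dumped, first_seen, lookback_days=60):
    """Rank merchants by how strongly they separate dumped cards from clean ones.

    Only purchases in the lookback window before first_seen count, because a
    purchase made after the data was on sale cannot be where it was stolen.
    """
    if not dumped:
        return []
    window_start = first_seen - timedelta(days=lookback_days)
    seen = defaultdict(lambda: (set(), set()))   # merchant -> (dumped, clean) cards
    for card, merchant, when in transactions:
        if window_start <= when < first_seen:
            seen[merchant][0 if card in dumped else 1].add(card)
    ranked = []
    for merchant, (hit, clean) in seen.items():
        coverage = len(hit) / len(dumped)            # share of dumped cards seen here
        purity = len(hit) / (len(hit) + len(clean))  # share of visitors that were dumped
        ranked.append((merchant, round(coverage, 2), round(purity, 2)))
    # Highest coverage first; purity breaks ties against merely popular merchants.
    return sorted(ranked, key=lambda r: (r[1], r[2]), reverse=True)


if __name__ == "__main__":
    for merchant, coverage, purity in rank_common_points(TRANSACTIONS, DUMPED_CARDS, FIRST_SEEN):
        print(f"{merchant:16} coverage={coverage:.2f} purity={purity:.2f}")
```

The earlier a dump is spotted, the tighter the lookback window can be, which is why the timing of availability matters as much as the card list itself.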