BidenCash busted as Feds torch credit card creds club • The Register


Uncle Sam has seized 145 domains tied to BidenCash, the notorious dark web market that trafficked in more than 15 million stolen credit cards.

In addition to the 145 dark and clear web domains, US authorities also confiscated cryptocurrency funds linked to BidenCash’s illicit transactions, though no value was disclosed.

The marketplace launched in March 2022 and racked up more than $17 million in illicit revenue during its operations, according to the US Department of Justice.

BidenCash administrators trafficked more than 15 million payment card numbers and associated personal data. The marketplace also frequently gave data away for free to drum up business.

Between October 2022 and February 2023, BidenCash posted 3.3 million stolen credit card records for free as part of its promotional campaigns, according to the DoJ.

These records had everything a criminal needed to make a fraudulent payment: card numbers, expiration dates, verification codes, names, home and email addresses, and phone numbers.

While BidenCash primarily trafficked in stolen credit card data, it also offered compromised login credentials that could grant remote access to servers, potentially enabling wider cyberattacks. According to cybersecurity shop SOCRadar, this included SSH credentials sold in bulk.

The DoJ said the platform amassed more than 117,000 customers during its two-year run, and its domains now redirect to US seizure splash pages, similar to those used in ransomware takedowns.

According to SOCRadar, BidenCash also offered customers features such as automated buying tools and a loyalty system of sorts.

The team behind the platform was so confident in their wares that they reportedly offered a buyer protection program that punished vendors on the site for selling spent or otherwise unusable details. The program was also set up to maintain the exclusivity of the data for BidenCash.

“Through these features, BidenCash amplifies the scale and efficiency of cybercrime, making it a significant threat to organizations and individuals alike,” SOCRadar blogged earlier this year. “Its role in the dark web ecosystem highlights the challenges posed by such platforms in combating digital fraud and theft.”

The end?

It seems BidenCash is no more for now, but we’ve seen these things reversed fairly quickly before.

Prior to 2024, threat intel analysts noted that many ransomware crews rebranded or relaunched under new names, with affiliates eager to follow familiar operators.

But Operation Cronos, which dismantled LockBit in February 2024, marked a turning point. The FBI and the UK’s National Crime Agency revealed they had identified over 190 affiliates and confirmed LockBit retained stolen data even after ransom payments, shattering trust among both affiliates and victims.

Since then, officials from national cybersecurity agencies and law enforcement organizations have repeatedly said that the primary goal of missions such as Operation Cronos, Endgame, and Magnus has been to tarnish the public image of cybercrime gangs before taking them offline.

Before BidenCash, law enforcement agencies also recently took down the infrastructure associated with the distribution of Lumma, a prominent strain of infostealer malware that experts say often precedes ransomware attacks.

The disruptors behind the operation deployed reputation-ruining tactics on this occasion and took thousands of domains offline.

Investigators took control of the Lumma Telegram channel and claimed both Lumma admins and the operation’s affiliates were already sharing information with them.

They even went so far as to allegedly implant some JavaScript code that took an image of the Lumma user, although the crims claimed this code wasn’t the best and didn’t execute reliably.

Days later, however, researchers at Check Point noticed staunch efforts to restore its infrastructure, questioning whether the legal efforts to shutter the operation would succeed. ®
