On January 28, 2021 the dark web community was informed that “ValidCC”, one of the leading marketplaces for compromised payment card details, was unexpectedly closing its services for good. This happened less than a month after “Joker’s Stash”, another popular dark web payment card marketplace, announced its retirement. The announcement was distributed via a post, that was published on popular underground fraud forums by a threat actor dubbed “SPR” who is known as the official speaker for the “ValidCC” marketplace.
Last year, a Singapore-based threat hunting and intelligence company published a report concerning the threat actor group associated with “ValidCC”, which is dubbed “UltraRank”.
“UltraRank” were observed conducting waves of activities in November 2020, although they have been active since 2015 and have targeted over 700 websites, including US telco operator T-Mobile, French advertising group Adverline, and Block and Company, the U.S.'s largest manufacturer for cash handling supplies.
The IOCs detected in this latest campaign are now inactive:
As this surprising announcement is still fresh and unexpected, researchers focus on the publications left by “SPR” in order to learn about the sudden decision.
Originally written in Russian, the message reveals that some of the site’s servers were seized by a law enforcement organization, including encrypted backup servers. “SPR” is assuring the readers that although this prevents them from operating the marketplace, their details will not be exposed thanks to the site’s encryption. However, as the servers stored information regarding the users, including identifiers and balance information, “SPR” claims it is impossible to refund the users.
“SPR” publication on a fraud forum as detected on Argos™
This aroused the suspicion that the abrupt shutdown is actually an exit scam, for two main reasons. First, “ValidCC” is known as a successful and profitable payment card shop, estimated to be earning up to $100,000 a day in revenues, according to “SPR”. Second, law enforcement agencies have yet to confirm or take credit for the server seizure described by “SPR”.
For comparison, on January 15, 2021, “Joker’s Stash” announced their site will be shutting down on February 15, 2021. Though they were a profitable site as well, handling similar sums of money, “Joker’s Stash” announced they were shutting down a month in advance to allow users to make final transactions and withdraw the balances left in their accounts.
In the past few days, Cyberint has leveraged Argos™ to detect several threat actors already searching for alternatives to “ValidCC”, after learning about the closing.
Example post on a criminal forum asking for alternatives to “ValidCC”
Therefore, rival carding marketplaces and similar platforms will emerge as alternatives. Threat actors on “ValidCC” also conduct activities in:
- Vclub, BriansClub and Fe-Shop payment card marketplaces
- Dread forum
- Altenen forum and its mirrors
- CardPro, Club2Card and CardClub forums
- Omerta forum
- XSS forum, which is known for exploits for sale but has been increasingly populated by carders during the COVID-19 period
Cyberint will continue monitoring trends in the migration of threat actors from “ValidCC” to alternative dark web marketplaces and forums.
 Kovacs, Eduard. “UltraRank Group Stole Card Data From Hundreds of Sites Using JS Sniffers.” Security Week, 27 Aug. 2020, www.securityweek.com/ultrarank-group-stole-card-data-hundreds-sites-using-js-sniffers
 “New Attacks by UltraRank Group.” Group-IB Blog, 23 Dec. 2020, www.group-ib.com/blog/ultrarank