In a major international law-enforcement operation, the U.S. Department of Justice (DoJ), together with the Federal Bureau of Investigation (FBI), the U.S. Secret Service, the Dutch National High Tech Crime Unit, and cooperating private partners, announced the seizure of roughly 145 domains tied to the illicit carding marketplace BidenCash, both “clearnet” and dark-web domains.
The domains have now been redirected to a law-enforcement-controlled server, effectively cutting off access to the marketplace. Also seized were cryptocurrency funds associated with BidenCash, though authorities did not publicly disclose the full value of the assets.
What Was BidenCash
- BidenCash began operations in March 2022, filling a void left by the shutdown of prior infamous carding forums such as Joker's Stash and UniCC.
- Over its lifetime, the marketplace is estimated to have served more than 117,000 customers, facilitated trafficking of over 15 million payment card numbers and related personally identifiable information (PII), and generated no less than US$17 million in revenue.
- Between October 2022 and February 2023, BidenCash publicly released some 3.3 million stolen credit card numbers for free, an aggressive marketing strategy to attract users. The free dumps included card numbers, expiration dates, CVVs, cardholder names, addresses, email addresses, and phone numbers.
- Broader illicit offerings: Beyond credit cards, BidenCash also sold compromised credentials (such as SSH logins), giving buyers unauthorized access to servers that could be leveraged for further malicious activities, including crypto-mining, ransomware, data exfiltration, or brute-force attacks.
The seizure of 145 BidenCash domains represents a major blow to the global carding community, disrupting the core infrastructure of one of the largest payment-card fraud marketplaces operating across both the clearnet and the dark web. The operation highlights a strong precedent for international cooperation among U.S. agencies, Dutch authorities, and private-sector cyber threat intelligence partners to dismantle illicit online networks.
The New Hub for Illicit Activity
With large marketplaces like BidenCash taken down, cybercriminals and illicit communities are increasingly migrating to more resilient, harder-to-shut-down platforms. Among them, Telegram stands out for several reasons:
- Rather than maintaining complex infrastructures of websites or dark-web portals, threat actors find it much simpler and cheaper to create private or semi-private Telegram channels or groups.
- Research from 2024 shows that channels distributing cybercriminal content on Telegram can rapidly shift across channels with minimal subscriber loss to evade takedowns.
- Compared to publicly accessible clearnet marketplaces or dark-web forums with known domains, Telegram offers a quasi-private environment. Many groups operate in invitation-only or private-channel modes, limiting visibility to outsiders while enabling peer-to-peer sharing of illicit resources.
- Without a central server or public domain list, Telegram-based operations are harder for law enforcement to track, seize, or shut down en masse. As authorities take down more traditional marketplaces (domains, servers), criminals increasingly rely on decentralized, distributed platforms like Telegram that don’t rely on fixed infrastructure.
