The FBI and Dutch national police were among the law enforcement agencies that took down BidenCash, a cybercrime marketplace attributed to millions of dollars in fraud since late 2022.
# Incident Report: Takedown of BidenCash Darknet Marketplace
## Executive Summary
A multi-national law enforcement operation, led by U.S. and Dutch authorities, resulted in the seizure and shutdown of nearly 145 domains associated with the BidenCash darknet marketplace on June 4, 2025. BidenCash, active since 2022, specialized in the sale of stolen payment card data, credentials, and personal information, generating significant illicit revenue. The operation successfully neutralized the platform, replacing seized domains with law enforcement splash pages.
## Incident Details
- **Discovery Date:** The investigation covered the platform's activity back to its founding; the public takedown date is **June 4, 2025**.
- **Incident Date:** Platform operated **since 2022**.
- **Affected Organization:** BidenCash (Cybercriminal Marketplace)
- **Sector:** Cybercrime Economy / Illicit Online Services
- **Geography:** Unknown operational base; global customer base (117,000+ customers).
## Timeline of Events
### Initial Access
- **Date/Time:** Operationally active **since October 2022**. *Note: This refers to the initial public launch of the marketplace for its illicit sales.*
- **Vector:** Not applicable, as this summary concerns the *disruption* of the service, not an intrusion into an entity's network. The card data and credentials traded on the platform were likely obtained by its vendors and **customers** through phishing, malware, or database breaches.
- **Details:** The platform began offering over 1 million stolen card numbers in October 2022.
### Lateral Movement
- Not applicable (This was a marketplace infrastructure takedown, not an internal network breach).
### Data Exfiltration/Impact
- **What was stolen or damaged:** Approximately **15 million payment card numbers** and troves of associated personal information (names, addresses, emails, phone numbers, CVVs, expiration dates). Additionally, researchers noted the sale of compromised credentials and SSH server access prior to the takedown.
### Detection & Response
- **How it was discovered:** Ongoing investigation by U.S. (DOJ, FBI, USSS) and Dutch law enforcement authorities.
- **Response actions taken:** Coordinated international law enforcement action resulting in the seizure of nearly 145 domains and associated cryptocurrency assets.
## Attack Methodology
- **Initial Access:** N/A (Marketplace service established by threat actors).
- **Persistence:** N/A (Platform maintenance).
- **Privilege Escalation:** N/A
- **Defense Evasion:** N/A
- **Credential Access:** Offered stolen credentials and payment information for sale.
- **Discovery:** N/A
- **Lateral Movement:** N/A
- **Collection:** Used stolen data (CC numbers, PII) harvested elsewhere.
- **Exfiltration:** N/A (Data was centralized on the marketplace for sale).
- **Impact:** Generation of substantial illicit revenue ($17 million) through the sale of stolen data.
## Impact Assessment
- **Financial:** Generated **$17 million in revenue** for the operators. The DOJ seized an undisclosed amount of associated cryptocurrency.
- **Data Breach:** Sale of approximately **15 million payment card numbers** and corresponding PII/account holder details.
- **Operational:** The primary impact was the complete disruption of the BidenCash black market service.
- **Reputational:** The operation served as a public demonstration of law enforcement cooperation against major dark web infrastructure.
## Indicators of Compromise
*Note: As this is an operational takedown of a service, rather than a typical network intrusion incident, network indicators (URLs/domains) are listed as seized/impersonated.*
- **Network indicators (defanged):** Seized domains were repurposed with law enforcement splash pages (DOJ, FBI, USSS, Dutch HTHCU insignias).
- **File indicators:** Unknown.
- **Behavioral indicators:** Hosting/selling stolen payment data (credit cards, CVVs, account details) and compromised credentials.
## Response Actions
- **Containment measures:** Seizure of nearly 145 associated domains.
- **Eradication steps:** Installation of law enforcement seizure notices on the infrastructure.
- **Recovery actions:** Seizure of associated cryptocurrency assets.
## Lessons Learned
- Successful large-scale, international coordination between agencies (US and Dutch) can effectively dismantle established global cybercriminal marketplaces.
- High-profile branding (e.g., appropriating the name of a former U.S. President) used by threat actors can attract significant law enforcement attention.
- The platform utilized promotional material, such as offering 3.3 million stolen cards for free (Oct 2022 – Feb 2023), to rapidly scale its customer base.
## Recommendations
- Continue investment in international cooperation frameworks targeting cryptocurrency transactions associated with illicit online services.
- Enhance monitoring for infrastructure transitions or rebranding efforts following major darknet marketplace takedowns to track residual activity.
- Financial institutions should closely monitor for fraud on payment cards whose characteristics match the data sets offered on the BidenCash marketplace in the period leading up to the seizure date.