The U.S. government has seized approximately 145 domains associated with the BidenCash marketplace and other criminal marketplaces, effectively dismantling one of the most notorious darknet operations for trafficking stolen credit card data and personal information.
Announced by the U.S. Attorney’s Office for the Eastern District of Virginia, this sweeping operation targeted both darknet and surface web domains. According to court records, the U.S. also obtained authorization to seize cryptocurrency wallets used by BidenCash to process illicit payments, further choking off the revenue stream that sustained its criminal operations.
BidenCash Marketplace: A Hub for Cybercrime
Launched in March 2022, the BidenCash marketplace quickly gained notoriety in the criminal underworld. Operating as a one-stop shop for stolen financial data, the marketplace offered credit card numbers, expiration dates, CVV codes, and even personal identification details such as names, addresses, phone numbers, and emails. For each transaction facilitated on the site, BidenCash administrators collected a fee.
Over time, the platform grew to serve more than 117,000 users and facilitated the trafficking of over 15 million payment card records. In just under two years, it generated over $17 million in revenue.
To boost their visibility and expand their user base, BidenCash operators engaged in marketing strategies more often seen in legitimate businesses, such as promotional giveaways. Between October 2022 and February 2023, they released 3.3 million stolen credit card records for free, hoping to attract more buyers to their services.
The BidenCash marketplace wasn’t limited to payment card data. It also offered stolen credentials to access computers, effectively enabling a range of unauthorized and potentially destructive cyber intrusions.
Beyond BidenCash: Ongoing Crackdown on Cybercrime Syndicates
This isn’t the first time federal authorities have disrupted cybercrime infrastructures. In a related case, the Department of Justice previously seized four domains tied to a crypting service—a software-based method for concealing malware from antivirus detection. These crypting and counter-antivirus (CAV) services allowed cybercriminals to deploy more advanced and undetectable malicious software, often linked to ransomware attacks.
According to an affidavit, undercover agents made purchases from the seized sites and traced connections to known ransomware groups operating in the U.S. and abroad, including in Houston. “Modern criminal threats require modern law enforcement solutions,” said U.S. Attorney Nicholas J. Ganjei. “This investigation struck at the infrastructure enabling cybercriminals, not just the end users.”
FBI Houston Special Agent in Charge Douglas Williams echoed the sentiment: “Cybercriminals don’t just create malware; they perfect it for maximum destruction.”
Operation Endgame: A Global Effort
These seizures were part of Operation Endgame, a multi-national law enforcement initiative focused on dismantling malware and cybercriminal services worldwide. On May 27, coordinated actions by U.S., Dutch, Finnish, German, French, and Danish authorities led to the takedown of several domain infrastructures supporting criminal activity.
The FBI Houston Field Office, along with the U.S. Secret Service and international partners, played a pivotal role in this effort. Assistant U.S. Attorneys Shirin Hakimzadeh and Rodolfo Ramirez are leading the prosecution, with AUSA Kristine Rollinson overseeing the seizures.
Earlier in May, another operation saw the seizure of nine DDoS-for-hire sites, commonly known as booter or stresser services. These services allow paying users to launch Distributed Denial-of-Service (DDoS) attacks, disrupting internet access for individuals, schools, government agencies, and gaming platforms.
The FBI and Poland’s Central Cybercrime Bureau, which arrested four site administrators, discovered that these sites had facilitated hundreds of thousands of DDoS attacks globally. While the services claimed to be for “network testing,” evidence showed they were routinely used to attack third-party systems.
Assistant U.S. Attorney Bill Essayli for the Central District of California stated, “Booter services facilitate cyberattacks that harm victims and compromise everyone’s ability to access the internet.”
