Do Son 
One of the most notorious underground marketplaces for trafficking stolen banking data—BidenCash—has ceased operations following a large-scale international takedown involving the U.S. Secret Service, the FBI, and foreign law enforcement partners. Approximately 145 domains—both on the surface web and the dark web—were seized, along with cryptocurrency assets linked to the platform.
Former URLs now redirect to an official U.S. Secret Service page announcing that the domains have been confiscated as part of an ongoing criminal investigation. The operation also included the Dutch National Police, the nonprofit ShadowServer Foundation, and cybersecurity firm Searchlight Cyber, which specializes in threat intelligence.
Researcher g0njxa noted that even the BidenCash domain in the .asia zone, accessible via the clear web, now leads to a “usssdomainseizure.com” landing page. While some subdomains reportedly remain online, it is evident that the administrators have lost overarching control of the platform’s infrastructure.
According to the U.S. Department of Justice, since its launch in March 2022, BidenCash had serviced over 117,000 clients and facilitated the sale of more than 15 million payment card numbers, complete with accompanying personal information. The platform charged a fee for each transaction, amassing total revenues exceeding $17 million.
BidenCash emerged in the wake of Joker’s Stash—the largest carding marketplace of its time—being shuttered, followed by the takedowns of other dark web venues including Forum, Trump Dumps, and UniCC. Unlike its predecessors, BidenCash aimed for notoriety from the outset, drawing attention with its provocative name and high-profile data leaks.
The first major dump occurred in the summer of 2022, releasing a trove of 6,600 card records alongside millions of email addresses. By October of that year, the marketplace had exposed another 1.2 million card numbers, predominantly from U.S. issuers. In 2023, the leaks escalated further, with two additional archives containing over 4 million records—featuring cards with varying expiration dates and global origins.
BidenCash made extensive use of web skimmers—malicious scripts embedded in e-commerce sites to intercept payment data during checkout. Previously, the primary method of data collection involved malware infecting point-of-sale terminals, extracting unencrypted card data directly from system memory.
Although operators of illicit platforms often attempt to resurrect operations after takedowns, coordinated crackdowns of this magnitude inflict lasting damage on the shadow economy. The U.S. Secret Service remains committed to combatting financial crimes, including card fraud, money laundering, cryptocurrency scams, and identity theft.
Just prior to the domain seizures, agents—working in tandem with local police—conducted raids at more than 400 retail locations, inspecting terminals and ATMs for skimming devices. While only 17 were ultimately discovered, law enforcement estimated the potential financial loss could have exceeded $5 million.
Donate