Yale Lodge – the largest dark web seller of stolen credit cards – has suffered a mass exodus of both buyers and suppliers of stolen data after it apparently stole their funds. Although the seller is still online and blamed “technical difficulties” for the problems, it was banned and removed from all high-profile cybercriminal forums after a major dispute in June.
Active since 2017, Yale Lodge is a major seller of stolen credit card information (also referred to as the “card marketplace”). It recently became the largest in the industry after a number of competitors were either closed or seized.
It was allegedly led by a cybercriminal from Belarus who used the pseudonym “Elihu Yale” – a reference to the former British colonialist of the same name. Many carders follow the trend of creating pseudonyms for themselves, using the names of prominent politicians or media personalities.
In its years of operation, Yale Lodge has amassed a significant client base. It became an official sponsor of at least one prominent cybercrime forum and had confirmed status on many others. However, in a few short weeks in June 2023, Yale Lodge went from being the preferred supplier of many criminals to being banned by all major cybercrime communities.
Yale Lodge website showing card supplements from different US states.
In addition to being a welcome further blow to an already struggling criminal enterprise, the Yale Lodge story offers interesting insights into the dark web’s carding ecosystem. In this blog, we examine a series of rather unique events that led to the unusual decline of this threat actor.
Yale Lodge: Summer 2023 Dark Web Drama
The card market involves cybercriminals – known as “carders” – who steal credit card data via malware-infected point-of-sale (PoS) terminals or by hacking online payment databases. These suppliers then sell this data to vendors such as Yale Lodge, where customers can purchase it and use it to make ATM withdrawals or online purchases.
However, in early June 2023, many Yale Lodge suppliers began to complain that they were not being paid, while customers noticed that their cryptocurrency deposits were not being processed.
One user raised complaints about Yale Lodge’s built-in support feature on its vendor interface, receiving assurances that the problems were due to technical difficulties and that payments would resume shortly. Similar assurances were posted on the dedicated dispute resolution threads of prominent cybercrime forums, where a time frame of late June was given. However, there have been no updates on Yale Lodge’s own “News” page on its website.
Forum administrators were less than convinced, however, demanding that Yale Lodge manually pay its suppliers of the stolen data until “technical issues” were resolved. Elihu Yale declined, but said that customer deposits for those who wanted to buy the stolen cards were operating normally.
Unconvinced, administrators banned Elihu Yale in early July and deleted official Yale Lodge advertisements from their forums. One moderator noted, “Anything can happen in our industry. A server with hot wallets can die. [They] can be taken away. Everything is possible. This is a very unpleasant but very likely scenario. But if it is [supplier] he can’t wait, it’s his right, he can have payments, loans, payments, expenses, etc. So you have to pay from cold wallets.”
The end of June has come and gone – as of July 20, Yale Lodge remains banned, although its website is still online. Some users have continued to use it, but have complained that the quality of stolen credit card data has dropped dramatically since unpaid suppliers have left the retailer in droves.
Is this an exit scam?
For all intents and purposes, Yale Lodge continues to operate. Its site is live and appears to be regularly updated with stolen credit card information. However, its ongoing ban from major cybercrime outlets suggests the site is still withholding payments.
Usually, when a dark web service exit scams, it will abruptly shut down its services, delete any forum/media accounts it has and disappear. On-chain data will also sometimes reveal large transfers from the service’s wallet, ready to be laundered. In a typical sense, therefore, the demise of Yale Lodge does not fit the generic indicators of an exit scam.
However, similar to other carding markets that have exit scammed in the past, Yale Lodge’s assurances and continued online presence may be a temporary ruse to generate as much revenue as possible from unsuspecting buyers and sellers before closing up shop permanently. As Elihu Yale was particularly keen to point out, all “deposits and payments” to Yale Lodge were still working – apparently only payments to suppliers were affected.
Still, the disappearance of the market’s most prominent supplier is positive news in reducing the damage caused by one of the largest and most exploitative criminal industries active today. In May 2023, Yale Lodge accounted for nearly half of all Bitcoin payments made to sellers of stolen data. Its plight is therefore a significant self-inflicted wound to the wider industry.
The carding market has already suffered major shutdowns, starting with the shutdown of market leader UniCC in January 2022. As the chart above shows, the industry’s crypto transaction volume has plummeted since then, fueling mistrust among sellers and buyers. The unusual case of Yale Lodge is likely to add to this already prevailing feeling.
How can Elliptic help?
Elliptic’s crypto-intelligence teams routinely investigate dark web activity to ensure virtual asset services and law enforcement can verify and prevent blockchain activity related to credit card and identity fraud. Contact us for a demo.