BidenCash Business Expansion: SSH Server Access Now Available on Dark Web

May 16, 2023
min read
BidenCash, a notorious marketplace for selling leaked credit card information, has expanded its services by offering SSH access to buyers for as low as $2. This new offering can have severe consequences for cybersecurity.
Blog Image


BidenCash, a carding marketplace infamous for selling leaked credit card information, has gained significant traction since its launch in April 2022. The marketplace has recently ventured into a new area by offering SSH services to buyers for as low as USD 2. The impact of these offerings can be severe as threat actors can launch cyber attacks with the powerful processing capabilities of the servers.

In October 2022, the first dataset of 1.2 million credit cards was leaked. The datasets involved sensitive information such as Personally Identifiable Information (PII) and Social Security Numbers (SSNs) along with card details, and CVV codes. As a result, the marketplace quickly grew in popularity and experienced a significant increase in monthly visitors where February 2023 saw the highest number of visitors due to its latest release of 2 million unique credit card data in February 2023.

BidenCash's New Venture: Selling SSH Access 

In the latter part of last week, CloudSEK noticed a slight deviation from the primary business model of BidenCash, which involves selling leaked credit card information. The marketplace appears to have ventured into a new area of selling SSH access to interested buyers.

Advertisement post on the forum

As per the advertisement on a Russian-speaking underground forum, the key features provided by BidenCash ensure a smooth and efficient experience for those interested in purchasing SSH access through BidenCash. The offerings include:


  • Shell presence check: To ensure the presence of a shell on the target server
  • CPU and RAM information: To provide information about the server's processing power
  • Server flag information: To check for the presence of known vulnerabilities or exploits
  • Socks5 port availability check: To check if the server supports the Socks5 protocol
  • Geolocation check: To confirm the server's location
  • Checking IP addresses against blacklists Spamhaus,, Spamcop, SouthKoreanNBL,

Barracuda BBL: To ensure the server's IP address is not blacklisted

  • Available filtering options include filters based on geography, architecture, presence of a shell, availability of socks5, username, etc.
  • Validity check before issuing SSH access: To guarantee the absence of dead accesses.

Different offerings based on the type of SSH servers

The advertisement also encourages other threat actors to join forces in order to expand this venture. BidenCash receives 30% in commission for each sale offered on the website. 

Commission received by BidenCash for each sale

Also Read Custom malware Kaiji targets IoT devices via SSH brute forcing

Based on this new offering, various existing sellers on different dark web forums can also begin their venture into gathering SSH accesses to monetize maximum from the marketplace. By listing their accesses on Bidencash, the threat actors can escape the negotiations cycle and traps set by security researchers on the forums.

Threat actors advertising SSH access on the same cybercrime forum where Bidencash listed their new offering

Analysis of BidenCash's SSH Inventory and Potential Earnings

After analyzing BidenCash's SSH inventory over the past five days, we've discovered that they've listed over 850 SSH servers with varying architecture, CPU configurations, and countries, among other things. The prices for these servers range from $2 (lowest) to $10 (highest).

SSH Servers from the most affected countries

Based on our rough calculations, if all 850 listed cards are sold, sellers on the marketplace stand to make an average of $3,570 every five days (or $21,420 every month), while BidenCash itself would receive $1,530 (or $9,180 every month) in commission. However, given the popularity of BidenCash, we anticipate at least a 3-fold increase in the number of listings on the marketplace that can attract more potential buyers over time.

Vouch for the Service

With the launch of the new SSH offering, threat actors have already started vouching for it on various dark web forums. Given the popularity and reputation of BidenCash in the underground market, it is highly likely that many cybercriminals may have already started purchasing these illegitimate offerings to conduct nefarious activities.

Threat actors vouching for the new SSH service

Long-term Impact

The SSH servers being offered on the BidenCash marketplace are not only cheap but also come with varying CPU configurations and processing powers. Some of the servers with admin-level or root-level access are available for as low as $10, equipped with powerful hardware specifications. We have observed some of the most powerful servers on the marketplace with 196GB RAM and 104 CPU cores.

This poses a significant risk as threat actors can leverage this power to conduct a wide range of malicious activities, such as data exfiltration, brute force and ransomware attacks, and cryptocurrency mining. Moreover, they can launch large-scale DDoS attacks to disrupt services at private and government organizations, causing significant damage to their operations and reputation.


With the ability to purchase powerful servers while maintaining anonymity, cyber attacks can be very difficult to thwart. The availability of SSH servers on marketplaces such as BidenCash can increase the scope and scale of attacks, making it imperative for organizations to ensure the security of their systems and keep their SSH servers secure.

Contributors to this Article
Co-Author Image
Rishika Desai
Cyber Threat Researcher @ CloudSEK
Related Posts

BidenCash Business Expansion: SSH Server Access Now Available on Dark Web

BidenCash, a notorious marketplace for selling leaked credit card information, has expanded its services by offering SSH access to buyers for as low as $2. This new offering can have severe consequences for cybersecurity.

February 6, 2023

Spear Phishing Scams: The CEO Impersonation Fraud Threatening IT Companies

While investigating phishing cases of various customers, CloudSEKs’ analysts identified a spear phishing campaign targeting multiple corporations.

Join 10,000+ subscribers

Keep up with the latest news about strains of Malware, Phishing Lures,
Indicators of Compromise, and Data Leaks.