Jokeroo Ransomware as a Service (RaaS) Pulls an Exit Scam: The Dark Web’s Latest Fraud Unmasked
In the shadowy underworld of cybercrime, trust is a volatile currency. On May 7th, 2019, Jokeroo—a notorious Ransomware-as-a-Service (RaaS) platform—shocked its affiliates and cybercrime watchers by displaying a message on its Tor site claiming that it had been seized by international law enforcement agencies, including the Royal Thai Police, the Dutch National Police, and Europol. This announcement turned out to be nothing more than a deceptive exit scam—a tactic increasingly used by illicit platforms to vanish with user funds under the guise of law enforcement takedowns.
What Is an Exit Scam?
An exit scam occurs when a person or organization—often within a criminal or semi-legal framework—pretends to have been shut down, compromised, or raided. The goal is to disappear with users’ or clients’ funds while creating the illusion that the business was forcibly stopped. These scams are growing more common across the dark web, particularly as law enforcement pressure mounts on underground markets and illegal services.
In Jokeroo’s case, the platform attempted to use the fear of law enforcement activity as a smokescreen to pull off one of the most publicized exit scams in the ransomware ecosystem in recent years.
Jokeroo’s Fake Seizure Notice Raises Red Flags
The seizure notice displayed on Jokeroo’s Tor servers read:
“THIS HIDDEN HAS BEEN SEIZED
by the Royal Thai Police in conjunction with the Dutch National Police and Europol.
The police investigation focuses on the criminal activities of Jokeroo and the people behind Jokeroo. Jokeroo uses the Dutch (digital) infrastructure to provide services to criminals by renting out servers from which criminal activities can be deployed such as sending spam messages and causing RANSOMWARE attacks.”
At first glance, the message seemed legitimate. But experts and cybersecurity analysts quickly noticed several inconsistencies and red flags:
- Poor grammar and unusual phrasing uncommon in official law enforcement takedown notices.
- Overly descriptive explanations not typical of government seizure banners.
- No confirmation from Europol or any police agency involved. In fact, Europol officially stated they were not part of any such operation.
These details suggested that Jokeroo’s administrators had faked the takedown to mislead users and make off with the money.
How Jokeroo RaaS Worked
Jokeroo operated as a Ransomware-as-a-Service offering various affiliate packages to cybercriminals. The pricing ranged from $90 to $600, with each tier offering increasing benefits such as higher revenue shares, access to ransomware customization, and technical support.
Affiliates could purchase a “lifetime” plan, which made the exit scam even more painful for buyers—many of whom expected long-term ransomware deployment services.
The ransomware itself, though not widely adopted, had begun making the rounds in the wild. Security researcher Jakub Kroustek of Avast noted that one version of Jokeroo appeared to be a modified clone of GandCrab, another infamous RaaS operation that was shut down in 2019.
“Well, well, well… what do we have here? This looks like a modification of unpacked #GandCrab with version 5.3, but with #Jokeroo RaaS debug messages ‘Jokeroo, new ransom’, ‘We rulez!!’. False flag?”
— Jakub Kroustek, Twitter, April 19, 2019
The RaaS Business Model and Its Risks
The RaaS model has exploded in popularity among cybercriminals due to its low entry barrier. Even individuals with minimal technical knowledge can launch ransomware attacks by subscribing to a RaaS platform. These services typically:
- Offer user-friendly dashboards.
- Provide payload generation tools.
- Deliver encryption scripts.
- Handle payment processing (often via cryptocurrency).
- Split ransom profits between developers and affiliates.
While profitable, this model also places immense trust in the RaaS operators. Since anonymity is the norm, it’s easy for providers like Jokeroo to vanish overnight without consequence.
The Fallout: Victims and Affiliates Left in the Dark
For affiliates who paid Jokeroo for its services, the exit scam meant both financial and operational losses. Not only were their funds gone, but any planned ransomware attacks using Jokeroo’s toolkit were rendered nonfunctional. The scam also undermined affiliate confidence in other RaaS platforms.
Cybersecurity firms and analysts took the incident as another lesson in the risks of commoditizing cybercrime. The increasing trend of criminal services behaving like startups—with branding, customer support, and monetization tiers—has led to more scams within the criminal ecosystem itself.
Law Enforcement Pressure and a Growing Trend
As international law enforcement becomes more adept at tracking and dismantling dark web operations, more cybercriminals are choosing to exit via deception rather than risk arrest.
High-profile darknet marketplaces like Wall Street Market and Empire Market have also pulled exit scams, walking away with millions in cryptocurrencies from users who could not report the theft due to the illegal nature of their transactions.
The illusion of a law enforcement raid gives the perpetrators a layer of plausible deniability. If buyers assume the operation was forcibly shut down, they are less likely to pursue retribution or demand explanations—especially when operating anonymously.
What It Means for Cybersecurity and RaaS Monitoring
Jokeroo’s exit scam serves as a cautionary tale for threat actors and researchers alike. It underscores several critical truths:
- Cybercrime is not immune to fraud—scammers scam other scammers.
- RaaS buyers are just as vulnerable as victims when trust breaks down.
- Law enforcement impersonation will likely become a favored method of exit deception moving forward.
For cybersecurity professionals, this incident also highlights the importance of tracking underground forums, RaaS offerings, and their operational patterns. Early warning signs—like inconsistent updates, sketchy payment demands, or suspicious communication—can help flag potential scams before large-scale damage occurs.
Final Thoughts
The Jokeroo RaaS exit scam is a striking example of how fragile and volatile the cybercrime infrastructure can be. It also demonstrates the complexities involved in fighting online crime—not only do defenders have to worry about ransomware infecting networks, but they also need to stay informed on the shifting behaviors and tactics of the very criminals behind these operations.
As long as anonymity, decentralization, and cryptocurrencies remain foundational to the dark web economy, exit scams will continue to be a risk—not just to victims of cybercrime, but to the criminals themselves.
References
- BleepingComputer – Jokeroo Ransomware as a Service Pulls an Exit Scam
- Europol denial – BleepingComputer Follow-Up
- Avast Researcher Jakub Kroustek Twitter Post – https://twitter.com/JakubKroustek/status/1119248975796768769
- Ars Technica – Exit scams on darknet markets