An Inside Look at How Cybercriminals Sell Stolen Credit Card Information

When it comes to the hidden corners of the internet, few places are as infamous as the darknet and deep web. They are sometimes misunderstood and often misrepresented. While they have legitimate uses, they have also gained notoriety for harboring a thriving trade in illicit goods, including stolen credit card details.

To clarify, the deep web refers to parts of the internet that are not indexed by traditional search engines, which could include your email inbox or the back-end databases of private companies. The darknet, a subset of the deep web, is where websites operate anonymously and can only be accessed with specific software like Tor, ensuring transactions and identities are hard to trace. This privacy and anonymity have unfortunately made the darknet a hub for illicit activities, including the trade in stolen credit card information.

The cybercriminals’ modus operandi is straightforward. They gain unauthorized access to a victim’s credit card details through methods like phishing, malware, or skimming, and then sell these details on darknet marketplaces. Once sold, these details can be used for unauthorized transactions, identity theft, and other fraudulent activities.

According to Cybersecurity Ventures, cybercrime, including credit card fraud, is predicted to cause damages worth $10.5 trillion annually by 2025, up from $3 trillion in 2015 [1]. While it’s difficult to separate out the impact of credit card fraud alone, this stark increase underlines the severity of the problem.

An analysis by Privacy Affairs found that as of 2021, the price for stolen credit card details on the darknet ranged from $12 to $20 per card, depending on the card’s region, brand, and other factors [2]. In essence, a criminal can steal someone’s financial identity for less than the price of a meal.

Though it’s challenging to quantify the exact number of stolen credit cards traded in the darknet, a 2019 study by Sixgill, a cybersecurity firm, revealed that nearly 23 million credit card numbers were being sold on the darknet [3]. This alarming figure only represents the cards that were detected.

What type of credit cards can you find in Kaduu?

There are two types of credit cards that can be tracked in Kaduu:

  1. Free Cards: Credit cards that are offered for free on the dark and deep web. Although millions of credit cards are indexed in the Kaduu logs, it can be assumed that the data is rather outdated. It is unusual for functioning credit cards to be offered for free. This type of credit card can be found in the database search in the Control Center app.
  2. Paid Cards: Credit cards that are offered for sale on the dark and deep web. This type of credit card is offered like a commercial good. Mostly, they are functional cards for which you have to pay a certain down payment.

How do we obtain the free cards?

We try to collect mostly freely available credit card log dumps. These dumps may not have the very latest card data, which is usually sold for a high price, but they can still help owners find out if their card has been affected by a leak in the past. Occasionally, we also purchase dumps and make them available in Kaduu’s Elasticsearch DB.

How much does it cost if you had to buy stolen credit card data on the darknet?

The cost of buying stolen credit card information on the darknet varies depending on a number of factors, including the type of card, the card’s issuing country, and the amount of information that is included with the card.

Typically, a single credit card number, known as a “dump,” can be sold for a few dollars. A “dump” is the information on the magnetic strip of a credit card, which can be used to make fraudulent purchases in-store.

On the other hand, a full package of information for a credit card, known as “fullz,” which includes the cardholder’s name, address, date of birth, social security number and other personal information, can be sold for $10-$50. These fullz are used to make fraudulent purchases online, open bank accounts, apply for loans, and for other financial frauds.

It is important to note that these prices are just an estimate and the cost may vary depending on the source and the quantity of data available. It’s also worth noting that the prices are subject to change over time, and the prices may be different based on the location and the vendor.

How do we find credit card marketplaces?

Cybercrime is a persistent and rapidly evolving issue in our digitally-dependent society. A significant part of this criminal landscape is credit card theft, where stolen information is bought and sold in the shadowy corners of the internet. As technologies evolve, so do the methods used by these criminals to advertise their illicit goods. We’ll explore some of the known avenues they use to market their stolen credit card shops, including some that may not be commonly known.

Social Media Platforms: Instagram, TikTok, and even LinkedIn have inadvertently become platforms for cybercriminal activity. Hackers use coded language and disguised URLs to evade algorithms designed to detect and remove illegal content. In recent years, Instagram and TikTok profiles advertising “CC” (Credit Card) “dumps” (batches of stolen credit card information) have been discovered, reflecting the audacity and adaptability of cybercriminals.

Instant Messaging Apps: WhatsApp and Telegram are often used as direct communication channels between cybercriminals and potential buyers. Telegram, in particular, with its encryption and anonymity features, has been increasingly exploited by hackers. They create channels or groups where they post ads and updates about their available credit card data.

Paste Sites: Cybercriminals utilize “paste” websites such as Pastebin or Ghostbin to host information temporarily. These sites allow users to share plain text through unique URLs, which can be easily shared and deleted after a certain period, making it harder for law enforcement to track their activities.

Hacker Forums: These are digital havens for cybercriminals to trade tactics, sell stolen data, and advertise their services. Forums such as RaidForums, Nulled, or XSS are just a few examples where stolen credit card information can be found.

Search Engine Manipulation: By compromising legitimate websites, hackers can insert hidden pages that advertise their wares. These pages can be SEO-optimized for terms like “CVV dumps”, causing them to appear in the search results of major engines like Google.

Banners and Google Ads: While it might sound surprising, some criminals use actual banner advertisements and Google ads to advertise their stolen credit card shops. They use deceptive language and imagery to mislead unsuspecting users, and even attempt to appear as legitimate businesses.

Darknet Marketplaces: Darknet markets such as AlphaBay, Dream Market, and others operating on the Tor network, are infamous hubs for illegal transactions, including stolen credit card data. These markets often provide escrow services to ensure “fair” trades between sellers and buyers.

Gaming Platforms: In recent years, platforms like Discord and even in-game chats have been exploited by hackers. They use these platforms to communicate, advertise, and sell their illicit wares.

Peer-to-Peer Networks: P2P networks and torrent sites are often leveraged by cybercriminals to share stolen information. Such sites usually have lax regulation, making it easier for criminals to advertise and distribute their wares.

How do we scrape paid credit cards?

We search popular websites (hacker forums) or marketplaces for credit card offers. These websites can be found on the deep web or darknet. We have an array of paid accounts to keep track of the most recent leaks. We are constantly working on extending our list of websites to scrape data from. We scrape either Onion or deep web sites. The biggest challenge in scraping is to emulate human behavior and bypass Captcha, Cloudflare/Datadome/Ddosguard and similar protection mechanisms. We work to balance the load that our robots produce on the websites, and to scrape the entire new datasets in a reasonable amount of time. In some cases, we may use multiple website accounts to ensure that we scrape everything and never get blocked.

On some sites, metadata about the credit cards is published; on other sites, a package is offered without you knowing what is inside before you buy it. Below is an example of how credit cards can be offered without any metadata:

The goal is to scrape the entire website and filter new records. We usually find two types of websites:

  • Case 1: If we see a clear news feed that can be processed by a script to filter new records, we check that feed daily and run the script only when updates are added.
  • Case 2: If a news feed is unclear (as in the following figure), we scrape the entire site and filter new records at the database level.

Note: sometimes a record may appear in multiple databases within the context of a website, so we store both records.

Is there some way to verify the quality of the paid credit cards?

Unfortunately, very often artificially generated credit card data is offered, which is not associated with any real account. However, there are websites where the sellers are rated. Here is an example:

For this reason, you can also filter for sellers in Kaduu.

A typical website has the following fields for each credit card record:

  • BIN (4, 5 or max 6 Digits)
  • Expiration Date
  • Price

However, some websites offer more fields:

  • Country/State/PLC
  • address/full name/part of name
  • A base name to which this record belongs, and a valid rate.

The basename probably contains the publication date, so we can understand when a CC record was published. Our tools filter invalid records that have been published on websites, and we try to capture as many fields as possible related to the credit card in question.

How can you find paid credit cards in Kaduu?

The paid credit card search can be found under the navigation item CC search (1) in the deep-web-app:

The user can either look for a single BIN number or upload a file of BIN numbers (2). Please upload a text file with 1 BIN number per line.

Note: A Bank Identification Number (BIN), also known as the Issuer Identification Number (IIN), is the initial four to six numbers that appear on a credit card. The BIN or IIN uniquely identifies the institution issuing the card.

The search criteria can be combined. You could, for example, search for all credit cards of the type “mastercard” belonging to a user “john”. Or you could search for all credit cards published on a specific date. The search can then be set up either as a one-time query or as a monitoring job (3). If it is set up as a monitoring job, you will see the data on the dashboard at the bottom and will get an email notification with the corresponding data. The system uses the email address of the logged-in user (top right). If you run a one-time search, you will be able to download the data from the dashboard using the download button (4) with 3 options:

  • CSV (text) Download
  • Excel (xls) Download
  • Json Download

What are the challenges and limitations of paid scraping of credit card data?

Data disappears after purchase: Currently, we automatically check the newly published records/basics on a daily basis. However, our research team has found that once a database is published, the numerous records can sell out on the first day. We currently check sites daily, but plan to set up our scrapers to check new datasets multiple times a day.

Data duplication: We also know that some websites might steal data from each other. A typical example: a database with X records that has a price of $8 per record. Another website might offer the same records for $15 per record.

Problems with junk data/fake records: Anyone can easily create fake credit card records (example https://www.vccgenerator.org/). These fake cards are mixed in with the valid cards. Sometimes the entire credit card marketplace is fake and a scam (they are after the participation fee).

Coverage (Telegram, etc.): Kaduu has just recently started scraping credit card sites. New card sites are popping up, old ones are disappearing. We currently only cover the darknet and deep web, but there are also Discord, WhatsApp and Telegram channels that sell cards. We can’t cover all sites, but we try to add new ones and new technologies all the time.

You don’t know what you’re buying: With many offers, you don’t see what you’re buying. This makes it virtually impossible to understand which cards, banks or users might be affected before you buy them. Please note that we can buy sample card packages for you.

What improvements can you expect in our CC search over the coming months?

Our team is constantly working on scraping new websites. Some of them require a high credit balance to gain access to the CC market. However, if we consider such a website valuable, we will definitely add it to our scraping schedule. For the coming month, we have a preliminary list of almost 100 websites to add. We also plan to add more technologies, including Telegram and Discord CC channels. We share our list of forums with our clients and welcome any suggestions in case we are missing a crucial forum.

How can you find free credit cards in Kaduu?

The free cards can be queried in control.center via dashboard or API (https://wiki.kaduu.ch/doku/doku.php?id=api).

The credit card data published here comes from leaks that have already been published on the darknet. New cards are added continuously. The database is updated weekly or daily for major leaks. You find the Credit Card Search in the expert mode only:

On this page you can search a database of indexed credit card leaks. Credit cards are displayed in masked form when you search the database. You may search using the first 6 and last 4 digits, replacing all middle digits with “X”, so that you do not expose your credit card number to the system. Otherwise, the number is hashed with the SHA-256 algorithm before being sent to our server.
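The two search forms described above, prepared locally before anything is submitted (an added example, not Kaduu's code). It assumes the hash is the hex SHA-256 of the ASCII digits, which the page does not specify; the function names are hypothetical and the sample numbers are public test card numbers.

```python
import hashlib


def normalize(pan: str) -> str:
    """Strip spaces/hyphens and reject anything that is not a Luhn-valid PAN."""
    digits = pan.replace(" ", "").replace("-", "")
    if not (digits.isascii() and digits.isdigit() and 12 <= len(digits) <= 19):
        raise ValueError("expected 12-19 digits")
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counted from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    if total % 10:
        # A mistyped number would otherwise just return 0 hits and look "clean".
        raise ValueError("Luhn check failed, probably a typo")
    return digits


def masked_term(pan: str) -> str:
    """First 6 + X for every middle digit + last 4, e.g. 543210XXXXXX1234."""
    d = normalize(pan)
    return d[:6] + "X" * (len(d) - 10) + d[-4:]


def wildcard_term(pan: str) -> str:
    """Length-independent form from the syntax table: number:543210*1234."""
    d = normalize(pan)
    return f"number:{d[:6]}*{d[-4:]}"


def sha256_hex(pan: str) -> str:
    """Assumption: digest over the bare ASCII digits, hex-encoded."""
    return hashlib.sha256(normalize(pan).encode("ascii")).hexdigest()


def luhn_candidates(pan: str) -> int:
    """How many full numbers still fit the masked form (Luhn fixes one digit)."""
    return 10 ** (len(normalize(pan)) - 10 - 1)


# Public test numbers (constructed sample input), in two common lengths.
SAMPLES = ["4111 1111 1111 1111", "3782-822463-10005"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(masked_term(s), wildcard_term(s), luhn_candidates(s), sha256_hex(s)[:16])
```

With the first 6 and last 4 digits known, the Luhn check leaves only 100,000 possible 16-digit numbers, so both the masked form and an unsalted SHA-256 of a card number should still be handled as sensitive data.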

Please note that there are specific search operators you have to use to get to the data. If you just look for the name “john” you will find 0 results:

If you search for owner:john you get more than 5000 results:

You can also look for owner:john doe, which looks for John OR Doe:

If you want only “John Doe” as an exact match, you have to search for owner:"john doe"

Detailed Search Syntax:

Available Fields:

| Field | Details |
|---|---|
| createdAt | Creation date & time. |
| number | Credit card number (default field), masked with X in the middle except first 6 and last 4 digits. |
| Hash | SHA-256 of a credit card number |
| expireDate | Expiration date |
| cvv | Card verification value |
| owner | Owner name |
| bank | Issuer bank name |
| leakId | Leak ID |

Detailed Syntax:

| Field | Details |
|---|---|
| 543210* | Search cards starting with 543210. |
| 543210XXXXXX1234 | Search cards starting with 543210 and ending with 1234, containing 16 digits. |
| 543210*1234 | Search cards starting with 543210 and ending with 1234, containing any number of digits. |
| owner:Johnson AND bank:Citibank | Search cards containing Johnson as an owner and Citibank as a bank name. |
| number:543210* AND owner:"Elon Musk" | Search cards starting with 543210 and belonging to Elon Musk. |
| cvv:123 AND expireDate:[2021-01-01 TO *] | Search cards that have a CVV 123 and that expire on 1st January, 2021 or later. |
| number:4* AND leakId:158dd4b2-7672-3492-95f6-019479cb4552 | Search cards that start with 4 and that were found in a leak with ID 158dd4b2-7672-3492-95f6-019479cb4552. |