The notorious B1ack’s Stash dark web carding marketplace has announced the free download of 4.6 million stolen credit card records. The data, it says, was dumped after sellers were caught reselling card data purchased from B1ack’s Stash on competing platforms, a violation of the marketplace’s policies. B1ack’s Stash allegedly suspended 8 million stolen CVV2 records in response to the sellers’ misconduct and decided to release the card data for free instead of deleting it from its inventory.
According to SOCRadar, the released data includes full card numbers, expiration dates, CVV2 codes, cardholder names, billing addresses, email addresses, phone numbers, and IP addresses. Based on the availability of full card details and payment data, the information was likely stolen as part of e-skimming or phishing operations, SOCRadar says. The cybersecurity firm says it has validated the authenticity of some of the records. Analysis of the data showed that some of the cards had expired or were duplicate entries.
Overall, 4.3 million records appear to be new and likely usable for illicit activities, SOCRadar says. The stolen credit cards are sourced worldwide, but approximately 70% of them are from the US. Canada, the UK, France, and Malaysia round out the top five. “The presence of Asian financial hubs like Hong Kong, Singapore, Thailand, and Malaysia in the top 15 suggests the dataset is not solely the product of a single regional operation, but draws from multiple skimming or phishing campaigns targeting English-speaking and high-purchasing-power markets globally,” SOCRadar notes.
How Carding Marketplaces Operate
Carding marketplaces like B1ack’s Stash serve as black markets where cybercriminals buy and sell stolen financial data. These underground platforms typically require registration and sometimes a fee or proof of illicit activity to gain access. Sellers often obtain credit card data through various methods, including data breaches, point-of-sale (POS) malware, e-skimming (Magecart attacks), phishing, and social engineering. Once acquired, the data is packaged into “dumps” or “CVV2 lists” and sold to other criminals who use the information to make unauthorized purchases, create cloned cards, or commit identity theft.
B1ack’s Stash has been operating on the dark web since at least 2023, becoming one of the most active shops for stolen credit card data. In April 2024, the marketplace offered 1 million credit cards to anyone who registered. In February 2025, it released over 4 million stolen credit cards for free, likely to attract more users. The newly dumped cards are expected to fuel card-not-present (CNP) fraud activities, such as illicit online purchases. The accompanying information may allow cybercriminals to open fraudulent accounts, apply for credit, or launch convincing phishing attacks.
“The richness of the leaked records – full PAN, CVV2, expiration date, billing address, full name, email, phone, and IP address in a single entry – creates compounding risks that go well beyond simple card fraud,” SOCRadar says. Such comprehensive data enables criminals to perform more convincing social engineering attacks, as they can reference specific purchases or personal details. It also increases the potential for account takeovers across multiple services where victims may reuse passwords.
E-Skimming and Phishing: How the Data Was Likely Stolen
E-skimming, also known as formjacking, involves injecting malicious JavaScript code into the checkout pages of e-commerce websites. When a customer enters their payment information, the code captures the data and sends it to the attacker. This technique gained notoriety after the Magecart attacks, which targeted major retailers like Ticketmaster and British Airways. Phishing, on the other hand, tricks victims into voluntarily providing their card details through fake emails or websites that mimic legitimate companies. Both methods allow attackers to obtain not only the card number but also the CVV2 code and billing address, which are essential for many online transactions.
The presence of full CVV2 codes in the leaked dataset strongly suggests that the data originated from such attacks, as POS compromises typically do not capture the CVV2. Additionally, the inclusion of IP addresses and email addresses indicates that the stolen data may have been used to validate the cardholder’s identity or to conduct further reconnaissance.
Global Impact and Regional Distribution
While the majority of the stolen cards are from the United States, the top 15 countries include Canada, the United Kingdom, France, Malaysia, Hong Kong, Singapore, Thailand, India, Mexico, Australia, Brazil, and China. This geographic diversity points to a widespread and coordinated effort by multiple threat actors. The financial hubs of Asia, in particular, are attractive targets due to high online purchasing power and relatively less stringent fraud detection in some regions. The large volume of US cards suggests that American consumers remain a primary focus for cybercriminals, likely due to the prevalence of credit card usage and the ease of monetizing stolen information in the US underground market.
What Victims Should Do
Individuals whose credit card data has been compromised should immediately contact their bank or card issuer to report the breach and request a replacement card. Monitoring account statements for unauthorized transactions is crucial. Additionally, victims should consider placing a fraud alert or credit freeze on their credit reports to prevent identity theft. Changing passwords for online banking and e-commerce accounts is also recommended, especially if the same password was used elsewhere. Consumers can use services like Have I Been Pwned to check if their email address appears in known data breaches.
Law Enforcement and Industry Response
Authorities have been increasingly targeting carding marketplaces. Recent operations have resulted in the shutdown of platforms like BidenCash, Joker’s Stash, and others. The US Department of Justice has charged and sanctioned administrators of such sites. However, takedowns often lead to the emergence of new marketplaces, as demand for stolen financial data remains high. Payment networks like Visa and Mastercard continuously update their fraud detection algorithms, but the cat-and-mouse game continues. The free release of 4.6 million records by B1ack’s Stash could overwhelm some fraud detection systems, as the influx of compromised cards may appear as legitimate transactions if not quickly blacklisted.
The incident underscores the persistent threat of card-not-present fraud and the need for stronger authentication methods, such as 3D Secure 2.0 and tokenization. Merchants are encouraged to implement robust security measures, including regular security audits, web application firewalls, and real-time monitoring for skimming scripts. For consumers, using virtual credit card numbers or dedicated payment services like Apple Pay can add an extra layer of protection.
Source: SecurityWeek News