Underground carding marketplace leaks over 2 million payment card records, enabling large-scale financial fraud
On February 28, 2023, the operators of the notorious carding marketplace BidenCash released a dataset of 2,165,700 credit and debit cards to commemorate one year of operation.
This leak was advertised on an underground cybercrime forum, similar to cc leaks previously covered by CRIL (Cyble Research and Intelligence Labs) in October 2022 and June 2022.
Several other shops use famous personas for marketing their wares, such as Brian’s Club impersonating cybersecurity journalist Brian Krebs since 2015. Similarly, the strategy of leaking cards at scale to advertise the shops was previously utilized by All World Cards.
Analysis
The data within the leak included Personally Identifiable Information such as names, emails, phone numbers, home addresses, and the main offering: payment card numbers, expiration dates, and CVV codes, with the expiration dates ranging from early 2023 up to 2052.
However, threat actors have been known to purchase expired payment cards to gain more information on potential victims.
This card leak contained at least 740,858 credit cards, 811,676 debit cards, and 293 charge cards. The inherent risk is higher for debit card holders than credit card holders, due to different fraud protection.
According to our analysis, the most records leaked by country are as follows:
| Records | Country |
| 965,846 | UNITED STATES |
| 97,665 | MEXICO |
| 97,003 | CHINA |
| 86,313 | UNITED KINGDOM |
| 36,906 | CANADA |
| 36,672 | INDIA |
| 23,009 | ITALY |
| 22,798 | SOUTH AFRICA |
| 21,361 | AUSTRALIA |
| 19,700 | BRAZIL |
The top ten most impacted banks were as follows:
| Records | Bank |
| 118,826 | CHASE BANK USA, N.A. |
| 98,631 | BANK OF AMERICA, N.A. |
| 62,650 | WELLS FARGO BANK, N.A. |
| 50,832 | CAPITAL ONE BANK (USA), NATIONAL ASSOCIATION |
| 47,851 | CITIBANK N.A. |
| 35,249 | BANK OF AMERICA, NATIONAL ASSOCIATION |
| 28,296 | BBVA BANCOMER, S.A. |
| 27,192 | CAPITAL ONE BANK (USA), N.A. |
| 1,696,173 | Others |
The presence of email addresses and full information (commonly referred to as “Fullz” by cybercriminals) will make the victims of this leak vulnerable to other attacks, such as phishing, identity theft, and scams, long past the expiration of their card details.
Conclusion
Threat Actors routinely utilize stolen credit cards for fraud by purchasing them from carding marketplaces, as we have seen in the examples of BidenCash. However, the availability of these cards for free will enable bad actors to commit more fraudulent activities. Banking institutions should monitor the dark web for these leaks and fraudulent activities to prevent fraud proactively.
See Cyble Vision in Action
Comments are closed.