Technical Infrastructure of Carding Markets Exposed by New Research
Recent research has uncovered the technical infrastructure supporting underground carding markets, identifying 28 unique IP addresses and 85 domains actively hosting illegal platforms for trading stolen credit card data. These marketplaces function as sophisticated e-commerce sites, with criminals selling payment card information for prices ranging from $5 to $150 per card, depending on credit limits and associated identity details. Investigators used internet-wide scanning techniques, focusing on HTTP and HTTPS title banners, to detect servers advertising carding-related keywords before they could be hidden behind services like Cloudflare. The analysis revealed that these operations frequently use top-level domains such as .su, .cc, and .ru, exploiting their loose registration policies and jurisdictional challenges to maintain operational security.
The research, conducted between July and December 2025, provided law enforcement with actionable intelligence, including login pages and forum landing pages for carding sites, which can support subpoenas and takedown efforts. The findings also highlighted the variety of methods used to steal credit card data, including web skimming attacks, database breaches, and physical skimming devices at ATMs and point-of-sale terminals. The exposure of these technical details offers critical insights into the infrastructure and operational patterns of carding markets, enabling more effective disruption of these criminal enterprises.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Research on legacy-domain carding market infrastructure is published
On January 12, 2026, reporting published the findings that carding markets continue operating on legacy domains and documented the infrastructure supporting these marketplaces. The coverage emphasized that the identified infrastructure could aid law-enforcement subpoenas and takedown efforts.
Investigation identifies 28 IPs and 85 domains tied to carding markets
By the end of the 2025 research period, analysts had mapped 28 unique IP addresses and 85 domains hosting carding-market login pages, forum landing pages, and related infrastructure. The analysis also used X.509 certificate common names, TLD patterns, and ASN data to cluster related services and highlight hosting providers such as Privex.
Researchers scan internet for carding market infrastructure
From July through December 2025, investigators conducted internet-wide scanning on ports 80 and 443 using carding-related title and banner searches to identify active underground marketplaces before operators could mask them behind CDNs such as Cloudflare.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Underground Listings Promote Massive Stolen Payment Card Dumps
Dark-web monitoring reported new underground listings advertising an alleged **80 million** payment card dump, including claims of CVV/expiration data and download access, with indicators it may be an aggregated collection rather than a single fresh breach (often combining previously leaked data, stealer logs, and other illicit sources). The same monitoring roundup also mentioned separate, unverified listings claiming access or data tied to **Suno**, **ASUS**, and **Air France**, but the payment-card dump was presented as a distinct offering within that weekly set of listings. Separate threat research described the broader **carding-as-a-service (CaaS)** ecosystem in which “dump shops” and marketplaces package stolen card data (e.g., CVVs, magnetic-stripe “dumps,” and identity-rich “fullz”) alongside tooling and support, enabling fraud at scale. The research highlighted that despite takedowns, major marketplaces continue to operate and shape criminal demand, providing context for how large card-dump listings are monetized and why organizations should expect continued availability and reuse of stolen payment data across multiple criminal venues.
Mar 21, 2026
Carding Mafia Forum Breached Twice, Exposing Nearly 600,000 Criminal Marketplace Accounts
The cybercrime forum **Carding Mafia**, which was used for the theft and trading of stolen credit cards, suffered two separate data breaches in 2021 that together exposed records tied to nearly **600,000 member accounts**. One breach in **March 2021** affected nearly 300,000 members, while a second breach in **December 2021** exposed more than 300,000 more, showing repeated compromise of the same criminal platform within nine months. Across the two incidents, the leaked data included **email addresses, usernames, IP addresses, and passwords hashed with salted `MD5`**. Both breaches were classified as **sensitive** and were not made publicly searchable by Have I Been Pwned, but the disclosures highlight that even illicit forums can become sources of credential exposure, infrastructure intelligence, and attribution data for defenders and investigators.
Mar 27, 2026
B1ack’s Stash Dumps 4.6 Million Stolen Credit Card Records
Dark web carding marketplace **B1ack’s Stash** released about **4.6 million stolen credit card records** for free after accusing some sellers of reselling data purchased on its platform through rival shops. The forum said it removed roughly **8 million `CVV2` records** from active inventory and moved 4.6 million into its freebies section, while allowing some trusted sellers to seek reinstatement through support channels. Reporting cited by SC Media and analysis from SOCRadar indicate the exposed dataset is largely authentic, with about **4.3 million records** assessed as fresh after excluding duplicates, expired cards, and previously known entries. The leaked records reportedly include full payment card data along with extensive personally identifiable information, including names, billing addresses, email addresses, phone numbers, and IP addresses. Researchers said the breadth of the data suggests collection through **e-skimming** or **phishing**, and warned of immediate risks including card-not-present fraud, identity theft, targeted phishing, and credential abuse. Most affected cards are tied to the **United States**, with significant exposure also reported in **Canada, the United Kingdom, France, and Malaysia**, underscoring the international scope of the breach and B1ack’s Stash’s continued use of free data dumps to build notoriety in the cybercrime market.
May 24, 2026