Underground Listings Promote Massive Stolen Payment Card Dumps
Dark-web monitoring reported new underground listings advertising an alleged 80 million payment card dump, including claims of CVV/expiration data and download access, with indicators it may be an aggregated collection rather than a single fresh breach (often combining previously leaked data, stealer logs, and other illicit sources). The same monitoring roundup also mentioned separate, unverified listings claiming access or data tied to Suno, ASUS, and Air France, but the payment-card dump was presented as a distinct offering within that weekly set of listings.
Separate threat research described the broader carding-as-a-service (CaaS) ecosystem in which “dump shops” and marketplaces package stolen card data (e.g., CVVs, magnetic-stripe “dumps,” and identity-rich “fullz”) alongside tooling and support, enabling fraud at scale. The research highlighted that despite takedowns, major marketplaces continue to operate and shape criminal demand, providing context for how large card-dump listings are monetized and why organizations should expect continued availability and reuse of stolen payment data across multiple criminal venues.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Rapid7 documents mature 'carding-as-a-service' underground ecosystem
Rapid7 published an analysis describing dump shops and carding marketplaces as a mature criminal service economy selling stolen payment card data and richer 'Fullz' datasets. The report outlined common theft methods, major marketplaces, and defensive measures, but did not disclose a specific new breach event.
Underground listings advertise alleged Suno, ASUS, Air France, and card data sales
SOCRadar reported multiple new dark web forum listings advertising alleged sales of a Suno database and source code, ASUS database access, Air France-related administrative access, and a dump of 80 million payment card records. The report noted these were seller claims and said the alleged compromises were not independently verified.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
B1ack’s Stash Dumps 4.6 Million Stolen Credit Card Records
Dark web carding marketplace **B1ack’s Stash** released about **4.6 million stolen credit card records** for free after accusing some sellers of reselling data purchased on its platform through rival shops. The forum said it removed roughly **8 million `CVV2` records** from active inventory and moved 4.6 million into its freebies section, while allowing some trusted sellers to seek reinstatement through support channels. Reporting cited by SC Media and analysis from SOCRadar indicate the exposed dataset is largely authentic, with about **4.3 million records** assessed as fresh after excluding duplicates, expired cards, and previously known entries. The leaked records reportedly include full payment card data along with extensive personally identifiable information, including names, billing addresses, email addresses, phone numbers, and IP addresses. Researchers said the breadth of the data suggests collection through **e-skimming** or **phishing**, and warned of immediate risks including card-not-present fraud, identity theft, targeted phishing, and credential abuse. Most affected cards are tied to the **United States**, with significant exposure also reported in **Canada, the United Kingdom, France, and Malaysia**, underscoring the international scope of the breach and B1ack’s Stash’s continued use of free data dumps to build notoriety in the cybercrime market.
May 24, 2026
Technical Infrastructure of Carding Markets Exposed by New Research
Recent research has uncovered the technical infrastructure supporting underground carding markets, identifying 28 unique IP addresses and 85 domains actively hosting illegal platforms for trading stolen credit card data. These marketplaces function as sophisticated e-commerce sites, with criminals selling payment card information for prices ranging from $5 to $150 per card, depending on credit limits and associated identity details. Investigators used internet-wide scanning techniques, focusing on HTTP and HTTPS title banners, to detect servers advertising carding-related keywords before they could be hidden behind services like Cloudflare. The analysis revealed that these operations frequently use top-level domains such as .su, .cc, and .ru, exploiting their loose registration policies and jurisdictional challenges to maintain operational security. The research, conducted between July and December 2025, provided law enforcement with actionable intelligence, including login pages and forum landing pages for carding sites, which can support subpoenas and takedown efforts. The findings also highlighted the variety of methods used to steal credit card data, including web skimming attacks, database breaches, and physical skimming devices at ATMs and point-of-sale terminals. The exposure of these technical details offers critical insights into the infrastructure and operational patterns of carding markets, enabling more effective disruption of these criminal enterprises.
Mar 21, 2026
Carding Mafia Forum Breached Twice, Exposing Nearly 600,000 Criminal Marketplace Accounts
The cybercrime forum **Carding Mafia**, which was used for the theft and trading of stolen credit cards, suffered two separate data breaches in 2021 that together exposed records tied to nearly **600,000 member accounts**. One breach in **March 2021** affected nearly 300,000 members, while a second breach in **December 2021** exposed more than 300,000 more, showing repeated compromise of the same criminal platform within nine months. Across the two incidents, the leaked data included **email addresses, usernames, IP addresses, and passwords hashed with salted `MD5`**. Both breaches were classified as **sensitive** and were not made publicly searchable by Have I Been Pwned, but the disclosures highlight that even illicit forums can become sources of credential exposure, infrastructure intelligence, and attribution data for defenders and investigators.
Mar 27, 2026