Illicit trade still flourishing despite recent law enforcement takedowns

Markets that trade in stolen credit card details have been a staple of the underground scene for years but recent cybercrime busts – along with sanctions stemming from the war in Ukraine – are putting the squeeze on cybercriminals.

Carding shops offer a platform to buy and sell stolen card data, which is often sourced directly from breaches or malware-infected point-of-sale (POS) terminals, as well as from skimming devices attached to POS terminals and ATMs.

Recent law enforcement busts have led to a wave of card shop closures. For example, Joker’s Stash, at the time the largest illicit marketplace for stolen payment card data, closed in February 2021.

In early February this year, Russian law enforcement agencies also seized four major card shops – Trump's Dumps, FERum, SkyFraud, and Ultimate Anonymity Services (UAS).

Follow the money

An analysis by Blueliv into the state of underground card shops focused on Brian’s Club and Rescator as currently active shops, comparing them with two inactive shops, FERum and All World Cards. Rescator used to be one of the biggest card shops until 2019, when it went offline and encountered a lengthy hiatus before unexpectedly returning in mid-2021.

“Rescator’s case demonstrates how this landscape can be highly volatile and that inactive card shops are not always permanently gone,” a blog post by Blueliv, the threat intel division of security vendor Outpost24, notes.

Blueliv concludes that the underground carding market remains febrile.

“The card shop ecosystem is deeply impacted by different actors, events, historical moments, the adoption of security policies, and other factors,” Blueliv said. “Law enforcement agencies have a huge impact on the landscape, but personal reasons might lead criminals to withdraw from the carding scene.”

Blueliv’s research was presented at the recent Botconf 2022 conference in Nantes.

Eastern front

Geo-political factors as well as the security policy of e-commerce providers can impact the availability of products for illicit shops, which also impacts the overall landscape.

For example, as more countries adopt security chips instead of magnetic stripes in their payment systems, magnetic stripe card data dumps have less utility. Data dumps containing card info plus CVV values, however, have greater utility because they enable online fraud.

Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows, told The Daily Swig that sanctions against Russia following its invasion of Ukraine in February have impeded the ability of cybercriminals to realize the profits from their illegal activity.

“The ongoing conflict between Russia and Ukraine has resulted in some of the most significant economic sanctions in history being directed against Russia,” Morgan explained.

“This has also coincided with numerous providers shutting down their operations in Russia; Russian users looking to cash out through certain gift cards – for example Amazon or Paypal – may find this more difficult as such services are no longer available in their country of origin.”


Recent changes have made it harder for entry-level cybercriminals to start making money, according to Morgan.

“Due to increasing sophistication of controls and user awareness, carding often requires a greater level of skills,” Morgan explained.

“A user will be required to steal the initial credentials – potentially by using a skimmer on point of sale (POS) machines – parse logs from the affected machines for carding info, set up accounts on the relevant criminal marketplaces, and potentially also assist buyers with money laundering services.”

Morgan added: “Often, this necessitates several individuals working as a team, rather than one person who is capable of completing the entire carding attack on their own. This makes entry into the carding space more difficult for amateur cybercriminals who do not have those initial connections in the carding space.”


