A peek in the dark world of credit card laundering

Carders Market The world of card laundering is both alienating and oddly human.

I assumed that credit card fraud was big, but I only experienced how big after I stumbled upon this black market. Or rather, the public tentacles of a hairy underground scene. Which strangely enough has much of the dynamics of a regular market for, say, cattle.

Carder economics 101

This is how it generally works. Cards get stolen physically (“skimmed”) or online. In the latter case, there is either a breach of data: hackers steal a badly encrypted card database. Famous cases: Target, Home Depot, Adobe.

Another class is breach of process: hackers inject themselves somewhere in the payment process to digitally “skim” the payment data. No need for decryption, but stealth is required, as collecting credit cards takes time.

After the theft, the cards have to be sold quickly while they are still “fresh”. The value of stolen cards deteriorates as the chances of discovery increase.

To connect buyers and sellers, hundreds of sites exist, ranging from basic forums to sophisticated reputation-based markets. Have a go and Google for “cvv market”. And this is probably only the tip of the iceberg, as the biggest markets are rumoured to be hidden behind tor proxies (aka the “dark web”).

high limit cards

Interestingly, these exchanges have all the properties of a mature market.

First, a standardized lingua franca exists to conduct business. You gotta know the difference between Dumps and Fullz. See glossary below.

Pricing is very transparent and somewhat stabilized, with a German card going for $15 but a Visa Black Card will cost you $120.

All sorts of peripheral services swarm the traders, such as escrow services, high-volume card verification services and anonymized messaging.

Supporting technology has been standardized. Vendors demand payment in Bitcoins or Western Union. All sites run on the network of DDoS-protection provider Cloudflare, which hides the owner’s identity and protects against attacks from agitated competitors. (Some people protested that Cloudflare doesn’t do shit about this.)

Carding culture & cognitive dissonance

These trading sites offer a quaint view of the carding culture. As is to be expected, these market places are made up of grotesque pictures of money and weapons. Its (probably adolescent) members name themselves after famous mafia bosses.

Money, Power, Respect

However, the dynamics of the market resemble that of the ordinary world. It is almost as if people are trading second hand kitchen appliances. Ironically, sellers of stolen goods vow to be trusted:

We are verified on various well known underground/carding forums. So when you deal with Gold Bank Cards you are 100% safe.

Traders vie for the best service, such as “customer support” and “quick replacements” on their stolen wares:

High Balance Dumps are guaranteed to handle swipes of $2k-$3k per time. Any High Balance card which fails to authorize for this range will be replaced

replacement policy

Trader TuxedoJesus gives an interesting insight in the psyche of a fraudster. Apparently the local expert, he humbly apologizes for his busy family life before lecturing his followers on the tricks of the trade:

Sometime it takes me until 48 hours because I also have a family and I also work. [..] remember that the information I give you is for educational purpose only!!!

Somewhere in this ocean of zeroes and ones, the emotional connection between trade and theft was severely lost.


Some basic fraudster vocabulary to make sense of this mess:

Carder: Somebody who sells or buys stolen credit cards

CVV: The actual details of a card which can be used for online purchases: the 16-digit code, name, expiry date etc. Not to be confused with the 3 digit verification code which is called “cvv2”.

Fullz: CVV plus private data (social security number), can in some countries be used to open bank accounts, phone subscriptions etcetera.

Dump: A copy of the magnetric strip of a card. Can be written to a blank card to create a duplicate. This duplicate can then be used in physical stores to pay.

101/201: Indicates “high quality” type of card (no restrictions/pin code). First digit denotes magnetic or chip equipped card.

VBV: Verified by Visa, these cards require an additional password when used in online transactions.

Further reading

I am the creator of MageReport and have been tracking payment skimmers since 2015. My company Sanguine Security provides security solutions for online stores. If you need a solid cleanup & root cause analysis, do get in touch.