FBI Internet Crime Report 2024:

• $16.6 billion lost to fraud — up 33% from last year
• Cases actually solved: 1-4%

SpyCloud 2025 Report:

• 53.3 billion stolen identity records floating around the internet
• 17.3 billion stolen session cookies
• 3.1 billion exposed passwords

The Cost of Entry	Price Tag
Starting a carding operation	Under $50
One stolen card	$5-15
Full identity package	$10-100
Getting caught	1-4% chance

When startup costs are pocket change and prison odds are a rounding error, the math writes itself. That’s the whole explanation for why this industry exists and why it won’t stop. Ever.

The risk-to-reward ratio is better than most legitimate businesses. Let that sink in.

1. You download cracked software, a “free tool,” some sketchy game mod, a pirated app
2. Hidden malware runs in the background — you will never see it running
3. It grabs every saved password, every cookie, every autofill field, every card stored in your browser
4. Sends it all to an attacker’s server in literal seconds
5. Your data gets packaged and sold as “logs” on underground markets

That cracked Photoshop you downloaded? It came with a free copy of RedLine Stealer. Congratulations — your entire browser is now someone else’s shopping list.

Stealer	What Happened
RedLine	Dominated the market — 47-51% share. Taken down Oct 2024 after stealing 170M+ passwords. The king is dead.
Lumma	Rose to 92% of Russian Market logs. Disrupted May 2025 by Microsoft + DOJ. Long live the king.
Rhadamanthys	Growing fast. 12,000+ victims by Oct 2025. Written in C++ with advanced evasion. The new crown prince.

The pattern that never fucking ends:

Takedown → Competitors absorb the customers → Business continues → New stealer takes the crown → Repeat forever.

Every. Single. Time. RedLine dies, Lumma fills the gap. Lumma gets hit, Rhadamanthys steps up. The code gets forked, the features get copied, and the stolen data keeps flowing.

It’s a hydra with a subscription model. Cut one head off, two more pop up with a Telegram channel and a pricing page.

When researchers or security teams need to parse through stolen log dumps to understand what was compromised, these tools do the heavy lifting:

Tool	What It Does
ITSEC-Research/bron-vault	GUI dashboard for log analysis — visual, easy to navigate
lexfo/stealer-parser	Parse logs to JSON, supports multiple stealer formats
milxss/universal_stealer_log_parser	Handles RedLine, Raccoon, Vidar, and more in one tool
bikemazzell/stealer-log-processor	Multithreaded bulk processing for massive dumps
nak0823/RParseX	Blazing fast Rust-based parser — speed demon
OpensourcedPro/DiamondChecker	All-in-one log utility
Joieux/stealer-log-detector	CLI scanner with SIEM-compatible output
0xGilda/stealer	Stealer analysis repo

These aren’t attack tools — they’re what security teams use to figure out the blast radius after a compromise. What got taken, how much, from where.

📁 victim_log/
├── 📄 Passwords.txt      → every saved login
├── 📄 Cookies.txt        → session tokens (MFA bypass gold)
├── 📄 Autofill.txt       → addresses, names, phones
├── 📄 CreditCards.txt    → saved payment methods
├── 📄 System.txt         → OS, IP, hardware info
└── 📁 Screenshots/       → desktop captures

Why each file is a goldmine:

• CreditCards.txt — Card numbers with CVV and expiry. The obvious prize. The thing everyone thinks about first.
• Autofill.txt — Billing addresses that match with cards. AVS (Address Verification System) needs these to approve transactions. Without the billing address, a stolen card is way harder to use online.
• Cookies.txt — Session tokens that bypass MFA entirely. You don’t need the password if you have the cookie. This is why cookies are worth more than passwords in 2026.
• System.txt — Browser fingerprint data to mimic the victim’s computer so fraud detection systems think you’re them. Same OS, same screen resolution, same timezone, same everything.

One log can contain hundreds of accounts across dozens of sites — banking, email, shopping, social media, crypto exchanges — all in one $5 purchase.

Current market leader: Russian Market — 180,000+ fresh logs listed in the first half of 2025 alone. That’s a thousand new victims every single day.

Product	Price	What You Get
CC (basic)	$5-15	Card number, expiry, CVV — bare minimum
CC + Billing	$15-30	Above + cardholder’s billing address for AVS matching
Fullz	$10-100	Complete identity: SSN, DOB, mother’s maiden name, address, phone
Fullz + DL scan	$100-200	Above + driver’s license image — enough to pass most KYC
Medical fullz	Up to $1,000	Health records — most valuable because you can’t change your medical history
Dead fullz	$5-10	Expired/cancelled cards — still useful for building synthetic identities
Dumps (track data)	$20-125	Magnetic stripe data for cloning physical cards
Kitz	Varies	Physical credentials — actual stolen wallets, documents, the whole package

2025-2026 dark web pricing update:

Product	Updated Price
US CC with CVV	$10-40
UK CC with CVV	$10-60
High-limit verified CC	$110-120
Bank logins	$200-1,000+
Coinbase accounts	$120-250
Kraken accounts	Up to $1,170
Bulk unverified cards	$5-20 per 100+
Verified live cards	$20-200 each

Quality tiers — because even stolen data has a freshness rating:

• Fresh = just stolen, highest success rate, sells fast, premium pricing
• Aged = been sitting around, might be flagged by now, cheaper
• Dead = confirmed non-working — but still useful for synthetic identity fraud (more on that later)

Better underground shops offer validity guarantees — 90%+ valid cards or free replacement. Like Amazon customer service, but for stolen data. Some even have escrow, buyer ratings, and dispute resolution systems. The irony of criminals building trust systems to protect themselves from other criminals isn’t lost on anyone.

Stolen cards don’t appear from nowhere. The pipeline from breach to marketplace follows a predictable, almost industrial path:

1. Breach happens — company hacked, database dumped, POS malware deployed
2. Data gets sorted — automated tools separate cards by BIN, region, type, freshness
3. Listed on markets — automated vending carts (AVCs) list cards with search filters better than most legit e-commerce
4. Buyers shop by specs — BIN, country, card type, balance range — like filtering shoes on Amazon
5. Validity tested — checkers confirm which cards are still live before purchase
6. Dead cards recycled — used for synthetic identity building or resold as “dead fullz” at a discount

The marketplace ecosystem keeps evolving. Every law enforcement takedown just reshuffles the deck. BidenCash dumped 900K+ cards as a free promotional stunt to attract customers. B1ack’s Stash runs automated card shops with search filters that would make Shopify jealous.

When one market gets seized, the sellers migrate overnight. The data doesn’t disappear — it just changes address.

1. Attacker compromises the merchant’s site (vulnerable plugin, stolen admin creds, supply chain attack on a third-party script)
2. Malicious JS injected into the payment page — often disguised as Google Analytics or Facebook Pixel code
3. When a customer enters card details, the skimmer captures every keystroke in every field
4. Data exfiltrated to a command-and-control server — sometimes via Telegram bots as C2 channels
5. Cards packaged and sold on dark web markets within hours

You’re typing your real card number into a real checkout page on a real website. Everything looks completely normal. But there’s an invisible JavaScript parasite sitting between you and the payment form, copying every digit.

Modern evasion tricks that make these hard to catch:

• Skimmer code hidden inside image pixels (PNG steganography — the JavaScript is literally encoded in a picture)
• Obfuscated code that only activates on checkout pages — stays dormant everywhere else
• Anti-debugging code that detects developer tools and goes completely silent when security researchers look
• Domain names mimicking legitimate analytics services (good luck spotting g00gle-analytics.com in a code review)

Skimmers — overlay devices slapped onto ATMs and gas station pumps. They sit on top of the real card reader and capture magnetic stripe data as you swipe. Bluetooth-enabled models transmit stolen data wirelessly — the thief doesn’t even need to come back for the device. They just drive by and download.

Shimmers — paper-thin circuit boards inserted inside the card slot. They sit between your chip and the terminal’s chip reader, intercepting the data during a chip transaction. Harder to detect because they’re literally invisible from the outside. You can’t wiggle what you can’t see.

How to not get skimmed:

• Wiggle the card reader before inserting — skimmers are often just glued on and come loose
• Cover the PIN pad with your hand when entering your PIN — hidden cameras are common partners to skimmers
• Use contactless/NFC tap-to-pay when possible — no physical card insertion means no skimmer contact
• Check for unusual bulk, weird plastic seams, or anything that looks “added on” around the card slot
• Use ATMs inside bank branches — harder for criminals to install and maintain skimmers with cameras watching

Skimmers have been around since the 1990s. Shimmers appeared when EMV chips rolled out. Neither is going away because physical terminals still exist by the millions and humans still insert plastic into slots.

When you swipe or dip your card at a store, the terminal decrypts the data to process it. For a fraction of a second, your full card number, expiry, and track data sit in RAM in plaintext. No encryption. Completely exposed. POS malware lurks in that memory space, scraping every card that passes through.

The hall of fame hits:

• Target breach (2013) — 40 million cards stolen via RAM-scraping malware on POS systems. The breach that made “data breach” a household term.
• Home Depot (2014) — 56 million cards from POS malware. Even bigger, somehow got less press.
• 167,000+ cards stolen in a single 2022 POS malware campaign — proving this attack vector is alive and thriving a decade later.

PCI DSS was supposed to fix this. It didn’t. The standard mandates encryption, but the RAM gap exists because terminals need to decrypt data to process it. That’s the physics of the problem — and malware exploits physics, not policy.

You can write all the compliance rules you want. The card still has to be readable at some point, and that point is the attack surface. Always will be.

Stage	What Happens	Timeline
Breach	Attacker compromises company systems	Day 0
Exfiltration	Data dumped — cards, PII, credentials	Day 0-7
Sorting	Automated tools separate cards by BIN, region, type	Day 1-14
Listing	Cards posted on dark web markets with search filters	Day 7-30
Testing	Checkers validate which cards are still live	Day 7-60
Sale	Buyers purchase cards matching their target specs	Day 14-90
Use	Carding, cashout, resale	Day 14-180
Death	Card gets reported, cancelled, or maxed out	Varies

Dark web pricing (2025-2026):

Data Type	Price Range
Single CC with CVV	$5-15
CC with fullz	$15-100
Bank login	$50-200
Full identity package	$10-100
SSN + DOB	$1-5

Notice how an SSN + DOB costs less than a coffee. Your Social Security number — the one number that’s supposed to secure your entire financial identity — goes for a dollar. That tells you everything you need to know about the state of identity security in 2026.

The marketplace never sleeps. When one market gets seized, the sellers migrate overnight. The data doesn’t disappear — it just changes address. And the next market usually has better UI than the last one.

Your Card → Merchant's Site → Payment Gateway → Processor → Card Network → Issuing Bank
                                                                              ↓
Your Card ← Merchant's Site ← Payment Gateway ← Processor ← Card Network ← Approved/Declined

The players in every transaction:

• Payment Gateway — the front door (Stripe, Braintree, Adyen, Square, PayPal). Takes card data, encrypts it, sends it along the chain.
• Processor — the middleman who talks to the card networks on the merchant’s behalf
• Card Network — Visa, Mastercard, Amex, Discover. The highway system that routes money.
• Issuing Bank — your bank. The one who says yes or no to every transaction.
• Acquiring Bank — the merchant’s bank. Where the money eventually lands.

Auth vs Capture — the two-step dance:

1. Authorization — “Is this card real? Is there money? Does the address match?” Just a hold. No money moves yet. Think of it as a reservation.
2. Capture — “Okay, actually take the money now.” This is when the merchant grabs the funds for real.

Most sites do auth + capture simultaneously — you click pay, money moves. But some (hotels, gas stations, marketplaces) do auth first, capture later — sometimes days later. That gap between auth and capture? That’s a window. And windows get climbed through.

Stripe allows up to 50 captures per PaymentIntent. Hotels authorize your card at check-in, capture at checkout. Gas stations pre-auth $100 and capture the actual pump amount later. Every gap is an opportunity for fraud or exploitation.

The 7-day rule: Most auths expire after 7 days if not captured. After that, the hold drops and the money goes back to the cardholder. Merchants lose the sale if they don’t capture in time.

#	Official Requirement	What It Actually Means
1	Install and maintain network security controls	Firewalls that actually work
2	Apply secure configurations to all system components	Don’t leave factory defaults on
3	Protect stored account data	Encrypt stored card data
4	Protect cardholder data with strong cryptography during transmission	TLS everywhere, no excuses
5	Protect all systems and networks from malicious software	Anti-malware that’s actually updated
6	Develop and maintain secure systems and software	Patch your shit
7	Restrict access to system components by business need	Least privilege — not everyone needs admin
8	Identify users and authenticate access	Strong passwords + MFA
9	Restrict physical access to cardholder data	Lock the server room
10	Log and monitor all access	Keep logs, actually read them sometime
11	Test security of systems and networks regularly	Pen test, vulnerability scan
12	Support information security with policies and programs	Write it down, train people

Compliance levels by transaction volume:

Level	Annual Transactions	Audit Requirement
1	6M+	Annual on-site audit by QSA (Qualified Security Assessor)
2	1M-6M	Annual SAQ (self-assessment)
3	20K-1M	Annual SAQ
4	Under 20K	Annual SAQ (simplest form)

The dirty truth: PCI DSS compliance doesn’t equal security. Target was PCI-compliant when 40 million cards got stolen. The standard sets a floor, not a ceiling. Most breaches happen at merchants who passed their last audit with flying colors.

CVV storage is permanently banned. Under PCI DSS, merchants cannot store CVV/CVC after authorization. Period. Full stop. This is why legitimate merchants never have your CVV on file — and why a CVV appearing in a stolen database means the breach happened at the moment of transaction (skimmer, MITM), not from stored data.

PCI DSS resources:

• PCI Security Standards Council — official standards body
• Stripe PCI Compliance Guide — practical implementation guide

Network Tokens (Visa/Mastercard level):

• Card networks generate tokens that route through the same payment rails
• Token is tied to a specific merchant — can’t be reused elsewhere
• If the token leaks, it’s worthless without the merchant relationship
• Actual card number stored only at the network level in a vault

Gateway Tokens (Stripe/Braintree level):

• Payment gateway generates a token for the card on file
• Token only works with that specific gateway’s API
• Merchant never sees or stores the real card number
• Gateway handles the token-to-card mapping internally

Why this matters for carding:

Tokenized transactions are nearly immune to replay attacks. Even if you steal a token, it won’t work anywhere else — it’s cryptographically bound to one merchant or one gateway. This is why Apple Pay and Google Pay have the lowest fraud rates of any payment method — they’re tokenized end-to-end. And it’s exactly why carders avoid them entirely.

The whole carding model depends on stealing a card number that works everywhere. Tokens break that model at the root.

Code	Meaning	Translation
51	Insufficient Funds	Card is broke. Try a smaller amount or try later.
61	Exceeds Withdrawal Limit	Daily limit hit. Try tomorrow.
65	Exceeds Frequency Limit	Too many transactions today. Cool off.
91	Issuer Unavailable	Bank’s system is down. Try later.
96	System Malfunction	General system error. Retry.

Why carders care about decline codes:

Every code tells you why a card died. Code 51 means the card is real but broke — try a smaller amount. Code 14 means the number is garbage — throw it away. Code 41/43 means burn it immediately and move on, that card is hot. The codes are basically a diagnostic tool for sorting live cards from dead ones.

80-90% of all declines are soft. Most gateways have smart retry logic built in. Visa limits retries to 15 attempts before charging $0.10/retry penalty. Mastercard has its own MAC (Merchant Advice Code) system. Hitting retry limits means the merchant gets flagged — and flagged merchants get watched.

Why MCCs matter for fraud:

• High-risk MCCs get extra scrutiny — gambling (7995), crypto exchanges (6051), money orders (6049), wire transfers (4829)
• Low-risk MCCs sail through with less friction — grocery stores (5411), gas stations (5541), general retail
• Some cards block entire MCC categories — government purchase cards restrict entertainment, travel, and cash advance MCCs
• 3DS challenges trigger more often for high-risk MCCs
• Velocity limits are tighter for suspicious MCC categories

Knowing the MCC helps pick targets. A $500 purchase at a grocery store (MCC 5411) triggers way less scrutiny than $500 at a gift card seller (MCC 5815). Same card, same amount — wildly different fraud scores. The system treats a grocery run and a gift card bulk buy as completely different risk profiles.

MCC Resources:

• Stripe MCC Reference — Stripe’s MCC guide
• Visa Merchant Data Standards Manual (PDF) — official Visa MCC list
• Full MCC Code List (PDF) — complete code listing

Metric	Typical Threshold	What Triggers It
Transactions per card per hour	3-5	Same card used repeatedly
Transactions per IP per hour	5-10	Multiple cards from same IP address
Failed attempts per card	3 in 10 minutes	Card testing detected
Total amount per card per day	Varies by card	Spending limit hit
Unique cards per device	3-5 per day	Multiple cards on same device fingerprint

Why velocity matters:

Legitimate shoppers don’t submit 50 card numbers per minute. They don’t try 3 different cards in 2 minutes from the same IP. They don’t make 10 $1 charges in a row. When the velocity pattern screams “bot testing stolen cards,” fraud systems slam the door.

Gateway-level velocity controls:

• Stripe: custom Radar rules based on velocity patterns
• Braintree: configurable velocity thresholds per merchant
• Adyen: real-time velocity scoring integrated into risk engine
• Checkout.com: automated velocity limits with merchant override

Every gateway has these. The thresholds vary by merchant risk profile, transaction volume, and industry. A coffee shop that normally sees 50 transactions/hour will flag at 200. A large retailer doing 10,000/hour has a different baseline entirely.

The process:

When you type your billing address at checkout, the gateway strips out just the numbers — your street number and ZIP code. That’s it. “123 Main Street, Anytown, NY 10001” becomes just “123” and “10001.”

Those numbers get sent to the issuing bank. The bank compares them against what’s on file and sends back a single letter:

Code	What It Means	Fraud Risk
Y	Full match — street + ZIP	Low
A	Street matches, ZIP doesn’t	Medium
Z	ZIP matches, street doesn’t	Medium-High (most common fraud pattern)
N	Nothing matches	High
U	Can’t verify (international card or system down)	Unknown
G	International issuer — AVS not supported	N/A
S	AVS not supported for this card type	N/A

The dirty secrets of AVS — why it’s basically a coin flip:

1. AVS only works in US, Canada, and UK. Every other country? The response is basically “¯_(ツ)_/¯”. International issuers return U or G, which most merchants just accept anyway because rejecting international customers means rejecting real money.

2. It only checks numbers. “123 Main St” and “123 Elm Ave” both return the same match. Only the “123” part is compared. The street name is completely ignored.

3. Apartments break it. “123 Main St Apt 4B” might fail because the bank has “123 Main St #4B” on file. Different formatting = mismatch on a legitimate transaction.

4. The ZIP is trivially easy to get. The dark web sells “CC + billing” packages that include the exact address on file. The Z code (ZIP match, no street) is the most common fraud pattern because the ZIP is known but the street number is guessed.

5. Prepaid cards always fail AVS. There’s usually no billing address on file for prepaid/gift cards. Many merchants learned to skip AVS for prepaid because rejecting those means rejecting real customers buying real things.

6. 95% of AVS-mismatch orders are legit (ClearSale data). Meanwhile, over 50% of confirmed fraud had a full AVS match. The system is literally worse than a coin flip at catching fraud.

The bypass technique — “address stuffing”: Put the real billing address in address line 1 (for AVS to match), then put the drop address in address line 2 or the shipping address field. AVS only checks line 1. Fulfillment systems ship to whatever address you specify. Some merchants catch this. Many don’t.

Apple Pay, Google Pay, and tokenized wallets bypass AVS entirely. The wallet handles verification before the transaction even reaches the gateway. No address needed. This is why wallet payments have the lowest fraud rates — and also why carders avoid them like the plague.

• Visa → “Verified by Visa” (VBV)
• Mastercard → “Mastercard SecureCode” / “Identity Check”
• Amex → “SafeKey”
• Discover → “ProtectBuy”

All the same underlying protocol. Different sticker on the box.

3DS1 (the old one, mostly dead by 2026):

• Ugly popup window that looked like a phishing site — because it basically was
• Static password (same every time — defeat the purpose much?)
• No mobile-friendly design
• 20-30% cart abandonment because shoppers genuinely thought it was a scam
• Merchants hated it because it murdered sales

3DS2 (current):

• Embedded in checkout flow — no popup, no redirect, no panic
• One-time codes via SMS, push notification, or biometrics
• Sends 100+ data points to the issuer for risk-based analysis
• Supports “frictionless” authentication — no customer action needed if the risk is low enough
• Mobile-native design that doesn’t look like it was built in 2003

Not every transaction interrupts the customer. That’s the whole point of 3DS2:

Frictionless flow (90% target): The issuer analyzes device fingerprint, transaction history, location, spending patterns, and 100+ other signals. If everything looks normal? Transaction goes through silently. Customer never sees a verification prompt. They don’t even know 3DS happened.

Challenge flow (triggered when risk is elevated): Customer gets a one-time code via SMS/push/biometric prompt. Must complete within 5-15 minutes or the transaction dies.

What triggers a challenge:

• New device or browser nobody’s seen before
• Unusual purchase amount for this cardholder
• Different country than usual
• Behavioral anomalies (typing speed, mouse patterns that scream “bot”)
• Transaction risk score above the issuer’s threshold

Before 3DS: If a fraudulent transaction happens, the merchant eats the loss. Every time.

With 3DS authenticated: If the transaction was authenticated with 3DS and still turns out to be fraud, the issuing bank eats the loss instead.

This is why merchants push 3DS — it shifts the liability away from them. And why some merchants skip it for low-value transactions — the friction costs more in lost sales than the fraud would cost to absorb.

ECI (Electronic Commerce Indicator) values — the 3DS scorecard:

ECI	Meaning
05 (Visa) / 02 (MC)	Fully authenticated — best protection, liability shifts to issuer
06 (Visa) / 01 (MC)	Attempted but not completed — partial liability shift
07 (Visa) / 00 (MC)	No authentication — no liability shift, merchant holds the bag

PSD2 (Payment Services Directive 2) is European law requiring Strong Customer Authentication (SCA) for most online payments. SCA means at least 2 of 3 factors:

1. Something you know — password, PIN
2. Something you have — phone, card, hardware token
3. Something you are — fingerprint, face scan

Exemptions (how transactions skip 3DS even in Europe):

Exemption	Condition
Low-value	Under €30 (resets after 5 transactions or €100 cumulative)
Trusted beneficiary	Customer whitelisted the merchant
Recurring payments	Same amount, same merchant (after first authenticated payment)
Transaction Risk Analysis (TRA)	Merchant’s fraud rate below threshold — €100 limit if fraud rate <0.13%, €250 if <0.06%, €500 if <0.01%
Secure corporate	B2B dedicated payment processes

Every exemption is a potential bypass vector. The TRA exemption is especially interesting — merchants with very low fraud rates can skip 3DS on transactions up to €500. That’s a lot of headroom.

Non-VBV = cards that skip 3D Secure entirely. Payment goes through with just card number + expiry + CVV + matching billing address. No OTP. No verification popup. No phone needed. Just card details and you’re in.

Why Non-VBV still exists in 2026:

• Some banks haven’t upgraded (especially smaller credit unions and international issuers)
• Some countries lag behind in 3DS adoption (parts of Asia, Africa, Latin America)
• Business/corporate cards often skip it
• Prepaid cards frequently skip it
• Merchants can request SCA exemptions — TRA exemption under €100 means no 3DS needed if the merchant’s fraud rate is low enough
• Recurring payments after first auth are exempt

Non-VBV cards are actively hunted by carders using VBV checkers. Finding a batch of live Non-VBV cards from a specific BIN range is hitting the jackpot. No OTP means no roadblock means smooth cashout.

A credit card number isn’t random. Every digit has a purpose:

4 5 3 7  1 2 0 0  9 8 7 6  5 4 3 2
│ ├──────────────┤ ├──────────┤ │
│ BIN/IIN         Account #   Check Digit (Luhn)
│ (first 6-8)     (variable)  (last digit)
│
MII (Major Industry Identifier)

First digit = industry:

First Digit	Industry
3	Travel & Entertainment (Amex, Diners Club)
4	Banking — Visa
5	Banking — Mastercard
6	Merchandising/Banking — Discover
7	Petroleum

Card lengths vary: Visa = 13/16/19 digits. Amex = 15. Mastercard = 16. Most cards = 16.

In 2022, Visa and Mastercard moved from 6-digit to 8-digit BINs. Why? Fintech explosion. Too many new card issuers, not enough 6-digit combinations to go around. Both formats coexist now — existing cards keep their numbers (no reissuance needed), but all new BINs are 8 digits.

For merchants this meant updating masking logic (can now show first 8 + last 4 instead of first 6 + last 4 under PCI DSS), updating fraud blacklists, and updating BIN lookup databases. For carders it meant better precision when hunting specific issuer/card type combos — 8 digits narrows down the bank and card product way more than 6 did.

What it does: Catches typos. That’s literally it. When you mistype a digit at checkout and get “Invalid card number” instantly — before anything even talks to your bank — that’s Luhn doing its one job.

How it works (5 steps):

1. Start from the rightmost digit, move left
2. Double every second digit
3. If a doubled digit is 10 or more, subtract 9 (so 7×2=14 → 14-9=5)
4. Add all digits together
5. If the total is a multiple of 10 → valid. Otherwise → invalid.

What Luhn catches:

• All single-digit typos (100% detection)
• Most adjacent digit swaps (except 09↔90)
• Can’t detect 22↔55, 33↔66, 44↔77 swaps
• Doesn’t verify the card is real, active, or funded
• Doesn’t check CVV or expiry

Luhn is a typo detector, not fraud prevention. Passing Luhn means the number is structurally valid. It could still be completely fake — no account, no bank, no cardholder. A random number that passes Luhn is like a key that fits the lock shape but doesn’t actually open anything. It’s the difference between “correctly formatted” and “real.”

Inputs to CVV generation:

• Your full card number (PAN)
• 4-digit expiry date
• 3-digit service code
• A pair of DES encryption keys (CVKs) known only to the bank

The bank feeds these into an encryption algorithm inside a Hardware Security Module (HSM) — a physical tamper-proof device that self-destructs if someone tries to open it. The output gets truncated to 3-4 digits = your CVV.

Why it’s uncrackable:

• One-way process — you can’t reverse-engineer the CVV to find the keys
• HSM-protected — the encryption keys never leave the physical hardware
• Different keys per batch — banks use different CVK pairs for different card groups
• PCI DSS bans storage — merchants are forbidden from storing CVV after authorization

CVV variants — more than one type:

• CVV1 — embedded in the magnetic stripe (for in-person swipes)
• CVV2 — printed on the card (for online/phone purchases)
• iCVV — different value for chip/contactless transactions
• dCVV (Dynamic CVV) — changes every ~60 seconds on some modern cards, displayed on a tiny e-ink screen or via mobile app

Dynamic CVV is the real killer for carders. Even if someone steals your card data at this exact moment, the CVV expires in a minute. Some banks are already rolling this out — and it makes stolen card data decay faster than milk in the sun.

CVV Technical Resources:

• PaymentCardTools.com — CVV calculator, DES/3DES tools, CAVV decoder (requires bank keys)

Checker	What It Does
Stripe checkers	Validate against Stripe’s payment gateway using leaked API keys
Braintree checkers	Same concept, using Braintree/Authorize.net gateways
Silent testers	Check validity without triggering fraud alerts (small $0-$1 auth)
Balance checkers	See how much money is actually on the card
VBV checkers	Confirm if card triggers 3D Secure or not

How Stripe checkers work:

1. Use stolen or leaked Stripe API keys (sk_live_xxx)
2. Send an authorization request — no actual charge, just a $0 or $1 auth
3. Gateway returns: valid/invalid, card type, sometimes risk signals
4. Carder sorts live cards from dead ones

This is called card testing — and it’s one of the biggest fraud problems for merchants in 2026. A sudden spike of tiny authorizations from the same IP means someone is testing a batch of stolen cards against your checkout. If you run an online store, you’ve probably seen this.

A BIN attack is when fraudsters take a known BIN (first 6-8 digits of a real bank’s cards), generate thousands of possible card numbers using Luhn math, add random CVVs and expiry dates, and test them all against merchant checkouts until something hits.

Three phases:

Phase 1 — Generate: Start with a known BIN. Randomize the remaining digits. Calculate Luhn check digit. Generate random 3-digit CVVs (only 1,000 possibilities per card). Generate expiry dates (limited range: current month → 5 years out).

Phase 2 — Test: Hit merchant sites with tiny authorizations ($0.50-$5). Use bots (Selenium, Puppeteer) to automate form submission. Bypass CAPTCHAs with solver services. Spread across multiple merchants to avoid triggering velocity limits at any single one.

Phase 3 — Exploit: Store working card details. Use for real purchases. Or sell validated cards on dark web for $5-50 each. A validated, live, Non-VBV card is worth way more than an untested one.

Detection signals for BIN attacks:

• Sudden spike in authorization requests (10-100x normal volume)
• Repeated small charges from same IP/device fingerprint
• High volume of specific decline codes (invalid CVV, expired)
• Same BIN range targeted repeatedly
• Purchases at odd hours from unusual geolocations

Merchant defenses: Rate limiting (3 attempts per 10 minutes per IP), CAPTCHA, device fingerprinting, 3DS for suspicious transactions, velocity checks, behavioral analytics. Legit users don’t submit 50 card numbers per minute.

CAPTCHAs are supposed to stop automated card testing. In practice, they’re a speed bump with a price tag. Every CAPTCHA has a market of humans and AI models willing to solve it for fractions of a cent.

How solver services work:

1. Bot encounters CAPTCHA at checkout
2. CAPTCHA image/challenge forwarded to solver service via API
3. Human workers or AI models solve the CAPTCHA in 5-30 seconds
4. Solution returned to bot
5. Bot submits the solved CAPTCHA and continues testing — seamlessly

The solver market:

Service	Price (per 1,000)	Solve Time	Method
2Captcha	$0.50-3.00	10-30s	Human workers
Anti-Captcha	$0.50-1.00	5-20s	Human workers
AI-based solvers	$1-5	1-5s	Neural networks

reCAPTCHA v3 (score-based, no visible challenge) was supposed to fix this by analyzing behavior instead of showing puzzles. But browser automation tools with human-like mouse movement patterns score 0.7+ (the threshold for “probably human” is 0.5). The behavioral analysis gets fooled by good enough behavioral mimicry.

hCaptcha, Turnstile (Cloudflare), and Arkose Labs each have their own economics — but every CAPTCHA ever invented has a solver market. The solve cost just varies.

Payment gateways provide fake card numbers for developer testing. These only work in sandbox mode — they’re not real accounts and they fail on live gateways:

Network	Test Number	Notes
Visa	4242 4242 4242 4242	Always succeeds
Visa (debit)	4000 0566 5566 5556	Debit card simulation
Mastercard	5555 5555 5555 4444	Always succeeds
Amex	3782 822463 10005	15-digit format
Discover	6011 1111 1111 1117	Always succeeds
3DS challenge	4000 0027 6000 3184	Triggers 3DS prompt

Any future expiry date + any 3-digit CVC works with these. They exist so developers can test payment flows without real money. Nothing nefarious about them — they’re in every gateway’s public docs.

Stripe Radar uses machine learning trained on data from millions of merchants. It scores every transaction from 0-99 on fraud risk.

What Radar looks at:

• Device fingerprint (hardware, screen, fonts, timezone)
• IP address and geolocation
• Email age and reputation
• Transaction velocity (how fast, how many)
• Card testing signals (repeated small charges)
• Network-wide data (if this card was already flagged across other Stripe merchants)
• Behavioral signals (time on page, mouse movements, typing patterns)

Risk levels: normal / elevated / highest. Merchants set rules: block all highest, review elevated, auto-approve normal.

Custom rules merchants can set:

• Block if CVC check fails
• Block if billing country ≠ IP country
• Require 3DS if risk score > 65
• Block if email domain is @tempmail.com
• Block if more than 3 failed attempts in 10 minutes

Radar’s 2025 upgrade: Adaptive AI rules that automatically adjust thresholds based on your specific fraud patterns. Enhanced Issuer Network that shares fraud signals between banks. +1.3 percentage point improvement in approval rates. The machine gets smarter every day.

Platform	What It Does	Price Model
Signifyd	Guaranteed fraud protection — they pay your chargebacks	Revenue share
Riskified	ML-based, guaranteed chargeback coverage	Per-transaction
Sift	Real-time ML scoring, 16K+ signals per event	Subscription
Forter	Identity-based decisions, 300M+ consumer profiles	Per-transaction
Kount	Device fingerprinting + AI, owned by Equifax	Subscription
ClearSale	Human + AI hybrid reviews, strong in LATAM	Per-transaction

Most of these offer a guarantee model: if they approve a transaction and it turns out to be fraud, they pay the chargeback. Merchants love this because it removes all risk from their side. The fraud platforms eat the losses and price that risk into their fees.

Fraud detection doesn’t just check your card — it checks your email too. Every email address has a “reputation score” based on age, domain, breach history, and usage patterns.

What gets flagged instantly:

• Disposable/temp email domains (tempmail.com, guerrillamail.com, 10minutemail.com)
• Recently created email addresses (under 30 days old)
• Email addresses found in known data breaches
• Domains with no MX records or suspicious DNS
• Emails that don’t match the cardholder name pattern

Email verification services fraud systems use:

Service	What It Checks
IPQualityScore	Email risk scoring API, 10B+ emails tracked, disposable detection
Verifalia	AI-powered verification, 30+ validation steps

The disposable email problem: Temp-Mail alone gets 46.26 million monthly visits. Every fraud system worth its code checks for disposable domains. Using a burner email at checkout is basically wearing a neon sign that says “I’M FRAUD.” Carders who use custom SMTP setups with aged domains get much further — but that takes more work to set up and maintain.

The arms race never stops: fraud platforms get smarter → carders buy better antidetect tools → fraud platforms add new signals → carders find new evasion methods → repeat forever.

The problem with stealing just passwords:

MFA exists. Password alone = blocked at 2FA prompt. Victim gets an OTP notification on their phone and immediately knows something’s wrong. Password theft alone is a dead end in any modern system.

The cookie solution:

Session cookies prove “this browser already authenticated.” Here’s how it works:

1. You log into a site → enter password + MFA code
2. Site creates a session cookie and stores it in your browser
3. Every future request includes that cookie automatically
4. No re-authentication needed until the cookie expires
5. The cookie IS the proof of identity — nothing else needed

What carders figured out: Steal the cookie → load it into your browser → you’re already logged in. No password needed. No MFA triggered. No notification sent. You become that user’s authenticated session. The server can’t tell the difference between the real user and someone replaying their cookie.

This is why cookies are worth more than passwords in 2026. Way more. A credential dump with passwords is worth cents per entry. A log with fresh session cookies is gold.

What Genesis sold: Not just passwords. Complete digital identities called “bots”:

• IP address and geolocation
• All session cookies — already authenticated
• Complete browser fingerprint
• OS info, installed plugins
• Timezone, language, screen resolution

Buy a bot → import into antidetect browser → become that person online. Instant access to everything they were logged into. Banking, email, social media, crypto — all of it.

Genesis was taken down in April 2023 (Operation Cookie Monster, FBI + international law enforcement). But the concept didn’t die — competitors absorbed the market immediately, just like every other takedown in this space.

The EA Breach — ten dollars to breach a billion-dollar company: Started with a $10 cookie purchase from Genesis Market. Attacker bought an EA employee’s Slack session cookie, walked into internal Slack channels, social-engineered their way to source code access. Ten dollars → full access to one of the world’s biggest game companies. That’s the ROI on a single stolen cookie.

Browser	Price	Key Features
Multilogin	€99-399/mo	55+ parameters, AES encryption, most established in the market
GoLogin	$49-299/mo	53 parameters, cloud sync, good for beginners
Octo Browser	€29-329/mo	Auto-config, popular in underground forums
Dolphin Anty	$89-299/mo	Team collaboration features
AdsPower	$9-50/mo	Budget option that still works
Kameleo	Varies	Android app support
Incogniton	Varies	Multiple browser engine support
Undetectable	Varies	Cloud-based profile management
Lalicat	Varies	Chinese market focused
ClonBrowser	Varies	Multi-account management
Karta	Varies	Privacy-focused antidetect
Camoufox	Free	Open-source, modified at C++ level — JavaScript detection literally can’t see it

What they spoof: Canvas fingerprint, WebGL renderer, screen resolution, timezone, installed fonts, browser plugins, user agent, hardware concurrency, audio context, WebRTC leaks — everything that makes your browser unique gets replaced with whatever you want.

Camoufox deserves special attention — it’s a modified Firefox fork where the anti-fingerprinting is done at the C++ source code level, not through JavaScript injection like most paid tools. Standard fingerprint detection tests return 0% detection rate. It’s free, open-source, and arguably more effective than tools costing $300/month. That’s embarrassing for the paid options.

Setting up an antidetect browser isn’t just “install and go.” Every profile needs consistent fingerprint parameters that don’t contradict each other:

1. Pick a browser — Multilogin for reliability, GoLogin for simplicity, Camoufox for free + undetectable
2. Create a new profile — each profile = one “identity”
3. Set the fingerprint parameters:
   • User agent matching your target OS/browser combo
   • Screen resolution (pick common ones: 1920x1080, 1366x768)
   • Timezone matching your proxy’s geographic location
   • Language matching the region
   • WebGL and Canvas values (auto-generated or borrowed from real devices)
4. Assign a proxy — residential proxy from the same region as your fingerprint
5. Warm the profile — browse normal sites first (Google, YouTube, news sites) to build cookies and history
6. Test the fingerprint — run it through detection tools before using it on any target

The warmup step is critical. A browser with zero cookies, zero history, and a brand-new fingerprint screams “just created for fraud.” Real browsers have accumulated weeks or months of browsing data, cached images, stored preferences. A sterile profile is a red flag.

Fraud detection doesn’t just look at your IP. It builds a unique fingerprint from dozens of browser attributes. Here’s what they’re checking:

Canvas fingerprinting — your browser renders an invisible image. Tiny differences in GPU, drivers, and font rendering make each output unique. Two “identical” computers produce different canvas hashes. It’s like a digital fingerprint that your graphics card doesn’t know it’s leaving.

WebGL fingerprinting — similar concept but using 3D rendering. Your GPU model, driver version, and rendering quirks create a unique signature visible through the WebGL API.

AudioContext fingerprinting — your browser processes an audio signal. The processing differences between audio hardware create a unique hash. This one’s especially hard to spoof because it’s deeply hardware-dependent.

Font enumeration — which fonts are installed on your system. The specific combination of fonts is surprisingly unique across machines.

Behavioral fingerprinting — how you type, move your mouse, scroll, and interact with pages. Machine learning models can distinguish individual humans by their behavioral patterns alone. This is the hardest to fake because it requires mimicking natural human behavior in real-time.

The scale: ~100 million residential IPs in the US alone. More than all VPN servers combined globally. Blocking them = blocking real customers. Websites can’t afford that.

How proxy providers get residential IPs:

1. SDK embedding — apps install a proxy client hidden in their code (Hola VPN famously did this — sold user bandwidth without disclosure)
2. “Free VPN” services — users become exit nodes without knowing it. Free VPN = you are the product.
3. Browser extensions — legitimate-looking tools route traffic through your connection silently
4. Malware — infected phones and computers become proxy nodes in botnets

The numbers that explain the problem: 836% increase in residential proxy use for fraud (HUMAN Security 2023). 84% of websites cannot detect bots using residential proxies (DataDome report). That’s not a detection problem you can patch — it’s a fundamental limitation.

Not all proxies are equal. The protocol determines how much you leak:

HTTP proxies — only handle HTTP traffic. Can read and modify requests. Headers visible. Fine for basic web browsing but can leak proxy-identifying information.

HTTPS proxies — handle encrypted traffic via CONNECT tunnel. The proxy sees the destination but not the content. Better privacy but still reveals you’re using a proxy if headers aren’t clean.

SOCKS5 proxies — protocol-agnostic. Handle any TCP/UDP traffic (web, email, torrents, DNS). No header modification, no content inspection. Support authentication. The gold standard for carding because they don’t inject proxy-identifying headers.

Feature	HTTP	HTTPS	SOCKS5
Protocol support	HTTP only	HTTP/HTTPS	Any TCP/UDP
Speed	Fast	Medium	Fast
Header modification	Yes (leaks)	Tunnel only	No
UDP support	No	No	Yes
Authentication	Basic	Basic	Username/pass
Detection difficulty	Easy to spot	Medium	Hard to detect

The standard combo: SOCKS5 + residential IP. HTTP proxies leak too much metadata. Datacenter SOCKS5 gets flagged by IP reputation lists. Residential SOCKS5 hits the sweet spot — protocol that doesn’t leak + IP that looks real.

Step by step:

1. Carder initiates purchase → OTP sent to victim’s phone
2. OTP bot immediately calls the victim — within seconds
3. Automated voice: “This is your bank’s security department. We’ve detected unusual activity on your account. Please enter your one-time verification code to secure your account.”
4. Panicked victim enters the code on their phone keypad
5. Bot relays code to carder in real-time
6. Carder enters code → transaction completes
7. Victim realizes what happened approximately 30 seconds too late

Major OTP bots in the wild:

Bot	Method	Success Rate
SMSRanger	Telegram-based automated calls	~80% when victim answers
BloodOTPbot	SMS spoofing + automated calls	High
OTP.agency	Full service with customizable templates	Varies by template
SMS Buster	Specializes in Canadian bank scripts	High

Pricing:

• $40-100/week rental
• $300-1,200/month unlimited
• $4,000 for lifetime access

Why it works: People trust phone calls from their “bank.” The automated voice sounds professional and urgent. The caller ID is spoofed to show the bank’s real phone number. In the moment of panic — “unusual activity detected on your account” — most people comply immediately. Fear overrides rational thought.

Your 2FA isn’t protection. It’s a speed bump. A speed bump that costs between $40 and $4,000 to flatten.

When OTP bots fail, there’s a more aggressive approach: SIM swapping. Take over the phone number entirely.

How it works:

1. Attacker gathers victim’s personal info (name, DOB, account PIN, last 4 of SSN)
2. Calls the victim’s carrier (T-Mobile, AT&T, Verizon) pretending to be them
3. Convinces carrier support to transfer the phone number to a new SIM card
4. Victim’s phone goes dead — no signal, no service
5. Attacker now receives ALL calls and texts to that number
6. Every SMS-based OTP, password reset, and 2FA code goes straight to the attacker

The scale of the problem:

• FBI IC3: 982 complaints, $26M in US losses in 2024 alone
• UK saw a 1,055% surge in SIM swap attacks (Cifas data)
• T-Mobile lost a $33M arbitration case over a SIM swap that drained a customer’s crypto
• IDCARE reports 90% of attacks succeed without victim interaction — it’s all social engineering the carrier
• The SEC’s official X (Twitter) account was hijacked via SIM swap in January 2024 — the fake Bitcoin ETF post spiked BTC 10% to $48K before correction. Eric Council Jr. was sentenced to 14 months for the attack, exploiting T-Mobile’s eSIM QR code provisioning.

eSIM attacks — the new frontier:
eSIM doesn’t fix the problem. Attackers now generate eSIM QR codes through compromised carrier portals — the entire swap cycle can complete in under 5 minutes. NOPORT fraud flags that carriers implemented? Already defeated.

Insider threats — the real access vector:

• Carrier employees sell SIM swaps for $300-1,000 per swap on Telegram
• Jonathan Katz (T-Mobile employee) was convicted for taking $1,000 per line in bribes
• T-Mobile was breached 100+ times in 2022 alone through employee credential phishing
• Kroll (risk advisory firm) was hit when an employee’s T-Mobile account was SIM-swapped — downstream breach hit BlockFi, FTX, and Genesis customers
• Scattered Spider/UNC3944 used SIM swapping + Azure Serial Console abuse for enterprise-level attacks, including the M&S breach in April 2025

SS7 Protocol Exploitation — the telecom backdoor:
The SS7 protocol (Signaling System 7) is the 50-year-old backbone of global telecom. It was designed in the 1970s with zero authentication — any node on the network is trusted by default.

• 2,000+ known vulnerabilities in the protocol
• Attackers use SRI-SM (Send Routing Information) and PSI (Provide Subscriber Information) commands to intercept SMS messages
• A $5,000 zero-day SS7 exploit appeared on darknet with 1,200+ vulnerable gateway IPs
• The exploit operates at 50 transactions/second through SIGTRAN interface exposure
• Tools like SigPloit (open-source) allow Point Code spoofing and MitM attacks
• The Diameter protocol (4G/5G successor) has its own vulnerabilities — the migration didn’t fix the fundamental trust model
• Group-IB found 39% of SIM swap fraud involves multiple transactions — once they have your number, they drain everything fast

Detection & Prevention — carrier-side APIs:

• CAMARA SIM Swap API — real-time SIM swap detection with timestamp/yes-no responses
• GSMA Open Gateway — standardized API for financial institutions to check SIM swap status before authorizing transactions
• Telefónica Open Gateway — deployed by Itaú Unibanco, MovyPay, LankaPay
• Carriers now offer SIM Protection features (Verizon) and port-freeze policies

Why SMS 2FA is the weakest form of 2FA. Push notifications (Google Authenticator, Authy) and hardware tokens (YubiKey, FIDO U2F) can’t be SIM swapped. They require physical possession of a specific device — not just control of a phone number that lives on a tiny swappable chip.

Phone OSINT Tools — for researchers tracking SIM swap infrastructure:

Tool	What It Does
FOGSEC/PhoneInfoga	E164 format analysis, Google Dork generation, VoIP detection
The-Osint-Toolbox/Telephone-OSINT	Truecaller alternatives, carrier ID tools
phoneintel/phoneintel	Neutrino API integration, batch processing
github.com/topics/phone-number-information	PhoneInfoga, Moriarty, OwlTrack ecosystem
N0rz3/Inspector	Carrier identification modules

Every carding operation needs throwaway emails. Disposable email services provide single-use addresses that self-destruct:

Service	What It Does
Temp-Mail	10M+ Android installs, instant disposable emails
AdGuard Temp Mail	Privacy-focused temp email
TempMailTo	Simple disposable addresses

Fraud systems maintain blacklists of known disposable email domains. IPQualityScore checks every email against these lists. So carders move to custom SMTP setups with aged domains — harder to detect but more work to maintain.

When you need a phone number for SMS verification but can’t use your real one:

Service	What It Offers
GrizzlySMS	Virtual numbers for verification
TextVerified	Premium SMS verification service
SMSPVA	Bulk virtual number service
receive-smss.com	Free online SMS receiving

Non-VoIP numbers pass more verification checks than VoIP numbers. Carriers can detect VoIP-originated numbers and reject them, so the market for “real” non-VoIP numbers commands a premium.

WormGPT (June 2023) — the one that started it:

• Built on GPT-J 6B, fine-tuned on malware data
• €60-100/month subscription from creator Rafael Morais (“last/laste”)
• Distributed on HackForum + Exploit forum with Mitre ATT&CK mappings
• Wrote perfect phishing emails — no grammar mistakes, no “dear sir/madam” cringe
• Creator got doxxed by Brian Krebs → shut down the same day
• 200+ customers already had access at €500+/month; model was already being shared freely

WormGPT didn’t die. It evolved:

• WormGPT v2 — €550/year, private build €5,000 — rebuilt with same group behind FraudGPT
• WormGPT 4 — $50/month, $220 lifetime access — rebuilt on Grok and Mixtral architectures (CATO Networks analysis, BreachForums distribution Oct 2024-Feb 2025)
• Variants by xzin0vich and “keanu” running on Grok keep appearing

The current dark LLM market (2025-2026):

Tool	What It Does	Price
FraudGPT	Phishing emails, scam scripts, fake pages — plug-and-play for non-technical actors	$200/mo to $1,700/yr
GhostGPT	Rapid exploit development, social engineering scripts	$50/week on Telegram
KawaiiGPT	Anime-themed, community-maintained, 500+ users, ransomware generation tested	Free on GitHub
DarkGPT	“Godmode ChatGPT” — general fraud assistance	Varies
OnionGPT	Tor-based access	Varies
DarkBard	Built on Google Bard architecture	Varies
WolfGPT	Polymorphic malware generation	Varies
EvilGPT / XXXGPT	Various specialized criminal use cases	Varies

Xanthorox AI (late Q1 2025) — the game changed again:

Xanthorox abandoned all dependency on GPT, LLaMA, and Claude. It’s a fully self-hosted, multi-model architecture running on private servers. SlashNext called it “the next evolution of black-hat AI” and “the killer of WormGPT.”

• $300/month or $2,500/year
• Five specialized models: Xanthorox Coder, Xanthorox Vision, Xanthorox Reasoner Advanced, voice interface module, and web scraping module
• Scrapes 50+ search engines for real-time data
• Runs entirely offline — no API calls to trace, no cloud dependency to shut down
• Has a GitHub page, YouTube channel, and accepts Discord crypto payments
• KELA report: “making lives of cybercriminals much easier” — but primarily scaling known scams rather than enabling novel attacks

The ecosystem growth:

• KELA 2025 report: 219% increase in malicious AI tool mentions on underground forums
• 52% increase in jailbreaking discussions
• Chinese LLMs (DeepSeek, Qwen) being adapted by hackers for uncensored use
• Retrieval poisoning is emerging — NewsGuard found 3.6 million Russian disinformation articles designed to contaminate LLM training data

What they actually generate:

• Perfect phishing emails in any language
• Social engineering call scripts with objection handling (“if they say X, respond with Y”)
• Convincing customer service chat responses for social engineering
• Fake refund request templates
• Code for automated attacks, scrapers, and testing tools
• Polymorphic malware that mutates to evade detection

The real shift isn’t that AI can write phishing emails. It’s that AI eliminated the skill barrier. Before, you needed to actually know English well enough to write a convincing email. Now you just describe what you want and the model handles the rest. In any language. Including perfect BEC (business email compromise) that passes executive review.

The $25 million video call (February 2024, Hong Kong / Arup):

A finance employee joined a video call with his “CFO” and several colleagues. They discussed an urgent fund transfer. He authorized $25 million.

Every person on that call was AI-generated. Every face. Every voice. Real-time deepfakes running in a video meeting. Nobody was real except the victim.

The scale of deepfake fraud in 2026:

• Deepfake attacks grew 2,000%+ over 3 years
• 1 in 15 fraud attempts now use AI (a deepfake attempt occurs every 5 minutes)
• 244% rise in digital document forgeries
• 42.5% of fraud attempts use AI, 29% succeed (Signicat data)
• Projected losses: $40 billion by 2027 (FS-ISAC)
• WEF estimates $12 billion in synthetic media fraud annually

Deepfake KYC bypass services — the full menu:

Service	Price
Basic KYC verification bypass	$30-600
Deepfake-as-a-Service images	$10-50 per image
Synthetic identity package	~$15
Biometric training datasets	~$5
Crypto exchange identity unlock	$400-600
ProKYC (full toolkit — face gen + document gen + liveness bypass)	$629/year

47 specialized KYC bypass tools identified (Sensity 2024 report), from a landscape of 10,206 image generation tools, 2,298 face-swap tools, and 1,018 voice cloning tools.

Key tools in the wild:

• Deepfake Offensive Toolkit (DoT) — purpose-built for KYC bypass
• Deep-Live-Cam — real-time face swapping for video calls
• ProKYC — generates synthetic documents + faces + liveness bypass in one package
• GPT-4o — being used to generate fake ID documents that pass automated checks

Test results:

• Bypassed Veriff liveness detection
• Bypassed IDScan anti-spoofing
• Got 99% confidence scores from KYC detection systems
• Group-IB documented 8,065 liveness bypass attempts at a single bank (Jan-Aug 2025)
• An AI-generated Polish passport went viral after bypassing real KYC verification
• Javelin Research: $6.2B in new account fraud in US alone (2024)

Regulatory response:

• EU AI Act (2025) classifies deepfake KYC bypass as “high-risk”
• ISO 25456 injection-attack testing standard emerging
• ISC2 launched a Deepfake Mitigation Specialist credential in 2025

For $30, you can bypass the identity verification that banks, crypto exchanges, and financial services rely on. Your face is not proof of identity anymore. Not on video calls. Not on KYC selfie checks. Not anywhere that a camera is the only verification method.

The numbers are insane:

• Vishing surged 442% from H1 to H2 2024
• Deepfake vishing specifically spiked 1,600%+ in Q1 2025
• AI fraud attempts surged 194% in 2024 vs 2023
• Voice cloning jumped 400%+ in 2025 (FBI alert, April 2025)
• Annual voice fraud losses: $25 billion (Truecaller data)
• Projected: $40 billion by 2027

How it works:
All you need is 30 seconds of audio from the target — a voicemail, a YouTube video, a podcast clip, a social media post. AI clones the voice convincingly enough to fool family members, colleagues, and bank voice authentication systems. Underground pricing: “a few dollars.”

Case studies that should terrify you:

• $25 million Arup CFO scam — deepfake video call, every participant AI-generated
• Retool crypto breach — attacker cloned an IT employee’s voice to authorize access
• Italian Defense Minister Crosetto — voice clone extracted €1 million from a business executive
• UK energy firm CEO — voice clone extracted €220,000 in “emergency” wire transfer
• Sharon Brightwell — lost $15,000 to a cloned voice of a family member
• WPP CEO — voice cloned on Microsoft Teams (Guardian reporting)
• Senior US government officials targeted with cloned voices (FBI 2025 alert)
• Elon Musk deepfake voice used in crypto scam campaigns — hundreds of thousands of AI-generated scam sites

Organized operations:

• SilverPhantom — collective targeting Brazil/Argentina procurement departments with AI-cloned executive voices
• Xanthorox AI automates voice cloning + live delivery for vishing campaigns
• Less than 30% of cyber insurance policies cover AI-powered social engineering attacks

Defenses being deployed:

• Acoustic fingerprinting to detect synthetic audio
• Multimodal authentication (voice + behavior + device)
• Code words for high-value transfers (low-tech but effective)

What it measures:

• Keystroke dynamics (how you type — speed, pressure, rhythm)
• Mouse movement patterns (acceleration, curve, drift)
• Touchscreen gestures (swipe pressure, finger angle)
• Voice cadence and micro-expressions
• Gaze tracking patterns

Why it works: GANs (the AI behind deepfakes) struggle to simultaneously synthesize face + speech + gait in a way that matches real behavioral patterns. You can fake a face. You can fake a voice. Faking both plus natural typing patterns plus mouse movements in real-time? That’s exponentially harder.

Detection rates:

• 98.7% detection rate against synthetic identity fraud (Innovify research)
• 75-90% false positive reduction compared to rule-based systems

Key platforms:

• BioCatch (Oct 2025) — behavioral biometrics for banking, including vulnerable customer protection
• Incode Deepsight (Dec 2025) — dedicated deepfake detector
• Feedzai — ML-based behavioral scoring (Spark Matrix top ranking)

What fraudsters use to counter it:

• Anti-detect browsers with human behavior simulation
• Device emulators + proxy networks
• Cursor drift injection scripts

It’s the newest front in the arms race — and for now, behavior is the one thing AI can’t convincingly replicate in real-time across multiple modalities simultaneously.

The convergence of AI agents and card fraud is accelerating:

• OpenAI Operator, DeepSeek, and Qwen are being studied for weaponization potential — browser automation AI repurposed for fraud workflows
• BidenCash has been dumping cards since 2022 as promotional stunts — AI bots process these dumps at unprecedented speed
• Luhn algorithm generators combined with AI-driven testing can validate cards at scale
• AI behavioral mimicry makes bot traffic indistinguishable from human browsing
• Bulk unverified cards go for $5-20 per 100+ — AI testing validates them into $20-200 each verified cards

The bottleneck used to be human speed. Now bots with residential proxies and behavioral mimicry can test thousands of cards per hour while looking like normal shoppers. The math changed overnight.

How it works:

1. Card store’s e-gift cards (Walmart, Target, Amazon, Best Buy, Apple)
2. Keep orders under $200 to avoid manual verification triggers
3. Receive codes instantly via email — no shipping, no physical goods
4. Sell codes on Paxful, Telegram, or reseller markets
5. Get 50-70% face value in crypto

Why gift cards dominate the cashout market: Digital delivery means no shipping address needed. Instant fulfillment. Hard to trace back to the buyer. Easy to resell on secondary markets. The codes are just strings of characters — no physical evidence, no fingerprints, no DNA.

A $200 Amazon gift card bought with a stolen card becomes $100-140 in Bitcoin within an hour. Scale that across 50 cards and you see why this is the go-to method.

The flow:

1. Get card with full billing info (fullz preferred for AVS matching)
2. Buy crypto through services accepting cards: MoonPay, Changelly, Ramp
3. Buy privacy coins (Monero/XMR) or stablecoins first
4. Move through mixers/tumblers to break the transaction trail
5. Cash out through non-KYC exchanges or P2P platforms

Why it works: No physical goods. No drop addresses. No shipping labels. No waiting. Once crypto is tumbled through enough hops, tracing becomes effectively impossible — especially with Monero’s ring signatures that obscure sender, receiver, and amount by design.

Tumblers/mixers break the link between the sending address and the receiving address. You send Bitcoin in, it gets pooled with other people’s Bitcoin, and a different set of coins comes out to a new address.

Method	How It Works	Traceability
Centralized mixers	Third party pools and redistributes	Medium (operator knows the link)
CoinJoin	Multiple users combine transactions into one	Low (no central operator)
Monero (XMR)	Ring signatures + stealth addresses built into protocol	Near-zero (privacy by default)
Cross-chain swaps	BTC → XMR → BTC on different address	Very low

The Monero advantage: Bitcoin’s blockchain is public — every transaction is traceable with enough effort and tooling. Monero’s ring signatures make every transaction look like it could have come from dozens of possible senders. Chainalysis has admitted limited Monero tracing capabilities compared to Bitcoin.

Once crypto is cleaned, it needs to become usable money:

Non-KYC exchanges — the exit door:

Exchange	KYC Threshold	Notes
MEXC	10 BTC daily	Email-only registration
PrimeXBT	Email only	No KYC for basic accounts
Various DEXs	None	Decentralized, no accounts needed
P2P platforms	Varies	Cash trades, LocalBitcoins-style

Off-ramp services convert crypto to fiat (real money) via bank transfer, mobile money, or cash pickup. Some process payouts in under 5 minutes. The speed matters — the longer funds sit in any one place, the higher the seizure risk.

The flow:

1. Card high-value items — electronics, luxury goods, designer products
2. Ship to drop address (never your real address)
3. Reship to buyer or list on Facebook Marketplace, Craigslist
4. Sell for 40-60% retail value

Best items to card for resale: iPhones (always liquid — instant demand), gaming consoles (easy resale at near-retail), AirPods (small + valuable + high demand), designer goods (steady luxury resale market).

The older method. More risk because physical goods need physical delivery. But some carders prefer it because the resale markets are mature and the conversion to cash is straightforward.

1. Card Western Union, Remitly, or similar transfer services
2. Send money to a receiver (usually in another country)
3. Receiver picks up cash at a local agent
4. Takes their cut (20-40%), sends the rest back via crypto

Limits: ~$2,000 per card before fraud flags trigger. Approximately 20-minute window before detection systems catch up. Speed is literally everything — if you haven’t completed the transfer in 20 minutes, it’s getting blocked.

Prepaid cards as a cashout channel — load stolen funds onto reloadable prepaid cards, then withdraw at ATMs or spend in stores:

1. Buy reloadable prepaid cards (Green Dot, Serve, Bluebird) with minimal ID
2. Load via stolen card-funded money transfers or direct deposits
3. Withdraw at ATMs (daily limits: $500-1,000)
4. Or spend in stores for goods to resell

Why prepaid cards get exploited: Weak KYC at activation, reloadable without full identity verification, and ATM withdrawal converts digital fraud directly into physical cash in your hand. FinCEN tracks suspicious prepaid activity, but the volume overwhelms monitoring systems.

A drop = an address where carded goods get shipped. Never the carder’s actual address. Never.

Type	Description	Risk Level
Residential drop	Recruited mule’s house — they receive and forward	Medium
Vacant property	Abandoned house, intercept package on delivery day	High
Reshipper service	Organized network handles everything end-to-end	Low (for the carder)
Business front	Fake company with a commercial address — looks completely legit	Low

The process:

1. Carder ships goods to a US drop address
2. Reshipper receives the package
3. Removes original shipping labels and any identifying information
4. Reships to final destination (usually overseas — Russia, Eastern Europe, Southeast Asia)
5. Takes a 30-50% cut of the goods’ value

SWAT USA Drop (exposed November 2023):

• Operated by a Russian syndicate
• 1,200+ US reshippers recruited via Craigslist and Indeed ads
• Workers genuinely believed they were doing legitimate “logistics coordinator” or “package handler” work
• Processed $1.8 billion in reshipped fraud goods per year
• Average mule lost $1,156.93 when banks clawed back the deposits used to pay them

How reshippers get recruited:

• Craigslist “package handler” ads
• Indeed/LinkedIn “logistics coordinator” job postings
• “Work from home, make $3,000/month” — sounds too good to be true because it is
• They receive packages, rebox them, ship them overseas, and eventually get a visit from postal inspectors

UPS, FedEx, and USPS aren’t clueless. They have their own fraud detection systems:

• Package redirection scams — changing delivery address after shipment using stolen account credentials
• ROS (Receipt of Shipment) fraud — claiming shipment was received when it wasn’t
• Empty package scams — shipping empty boxes to generate tracking numbers for FTID schemes
• Address pattern analysis — carriers flag addresses receiving unusually high volume from different senders

Average loss per shipping fraud incident: $400K+ per affected business. Carriers increasingly share fraud intelligence with merchants and law enforcement.

Product	Use Case
Dumps	Physical carding — magnetic stripe data written to blank cards for in-person use at ATMs and stores
Fullz	Online carding — complete identity for card-not-present fraud at e-commerce sites

Different products for different attack surfaces. Dumps need physical equipment. Fullz need antidetect browsers and proxies. The skillsets barely overlap.

Hardware needed:

• JCOP cards (Java Card blanks) — $2-5 each on Amazon
• Smart card reader/writer — $20-50
• EMV writing software (X2 EMV 2024) — $1,499+

Process:

1. Get “201 dumps” (includes EMV cloning data — track 1, track 2, and chip data)
2. Load data into EMV writer software
3. Generate IST file (authentication data)
4. Write to blank JCOP card
5. Use at compatible ATMs or POS terminals

Why it still works in 2026: Many terminals still have fallback modes. If the chip read fails, they fall back to magstripe — which defeats the entire purpose of the chip. And some terminals don’t fully validate the chip cryptogram — they check the format but not the cryptographic integrity. That gap between “format check” and “crypto validation” is the entire cloning business.

Video tutorials exist showing the entire cloning process step by step. The tools are sold openly. The blanks are on Amazon. The only thing separating anyone from a card cloner is $1,500 and the moral compass to not use it.

1. Cardholder disputes — calls bank or files dispute online
2. Issuing bank reviews — decides if claim seems valid
3. Provisional credit — cardholder gets money back immediately (before investigation even starts)
4. Merchant notified — has 20-45 days to respond with evidence
5. Bank reviews evidence — decides who keeps the money
6. Pre-arbitration — if merchant fights, it escalates to the card network
7. Arbitration — Visa/Mastercard makes final decision. Loser pays $500+ in fees.

Visa reason codes (the common ones):

• 10.4 — Fraud. Cardholder says they didn’t make the purchase.
• 13.1 — Goods not received.
• 13.3 — Not as described.
• 13.6 — Credit not processed (refund not issued).

Mastercard reason codes:

• 4837 — No cardholder authorization (fraud)
• 4853 — Goods not as described
• 4855 — Goods not received

The dirty secret: If a merchant’s chargeback rate exceeds 1% of transactions, they get put on monitoring programs (Visa VDMP, Mastercard ECM). Above 1.5% = fines. Above 2% = potential termination of payment processing. Losing your ability to accept cards is a business death sentence.

Merchants aren’t defenseless. Representment = the merchant’s right to dispute the chargeback with evidence.

What wins representment cases:

Evidence Type	Why It Helps
Delivery confirmation with signature	Proves goods were physically received
IP address + device fingerprint matching customer’s location	Links transaction to real customer’s devices
Email correspondence	Shows customer engaged with merchant before/after purchase
Customer’s transaction history	Previous legitimate purchases from same account
AVS + CVV match proof	Card details were correct at time of purchase
3DS authentication proof	Liability should be on the issuer, not merchant

Win rates:

• Average merchant representment success: 20-30%
• With professional chargeback services: up to 50-75%
• Visa’s Compelling Evidence 3.0 (CE3.0): uses historical transaction footprint to prove the real cardholder made the purchase

Time limits — miss them and you automatically lose:

• Visa: 20 days to respond to initial chargeback
• Mastercard: 45 days

Chargeback resources:

• Stripe: Representment Explained — how to build a representment case
• Mastercard Official Chargeback Guide (PDF) — Mastercard’s own rulebook

When you call your bank and say “I didn’t make that charge,” here’s what actually happens on the bank’s side:

1. Intake — agent collects dispute details, provisional credit issued to you
2. Pattern analysis — bank checks if other cardholders reported the same merchant
3. Transaction review — IP address, device fingerprint, velocity, location data all examined
4. Merchant contact — acquiring bank notifies merchant, requests evidence
5. Decision — bank weighs customer claim vs merchant evidence
6. Arbitration (if escalated) — card network (Visa/MC) makes final binding decision

What banks actually check:

• Was the device used for the transaction associated with the cardholder’s history?
• Did the shipping address match known addresses?
• Were there other suspicious transactions in the same timeframe?
• Has this cardholder made excessive disputes before? (Friendly fraud detection — yes, banks track this)

DNA (Did Not Arrive):
Claim the package never showed up. Under $200, most retailers just refund without investigation. They eat the loss because fighting it costs more than the refund itself.

FTID (Fake Tracking ID):
Create a shipping label with the merchant’s address as both sender and recipient. The tracking shows “delivered” because the label was scanned — but nothing actually went to the merchant. Some sophisticated operations use real tracking from unrelated shipments that happen to show delivery to the same ZIP code.

Empty Box / Wrong Item:
Claim the box arrived empty or contained the wrong item. Works best with high-value electronics. Some people ship back boxes filled with sand or broken items of similar weight.

FaaS — Fraud as a Service:
Professional refund services charge 15-30% of the item value to process refunds on your behalf. They have scripts, established methods for each major retailer, and experienced “refund specialists” who know exactly what to say on customer service calls.

Major retailer policies that get exploited:

• Amazon: generally refunds anything under $300 without requiring a return for first-time claims
• Walmart: refund threshold varies by account history and item category
• Target: in-store returns with receipt manipulation
• Best Buy: price match + return arbitrage

1. Get a real SSN (stolen from a child, elderly person, immigrant, or deceased individual — people who don’t check their credit)
2. Pair it with a fake name and fabricated date of birth
3. Apply for credit — the first application gets denied, but it creates a credit file at the bureaus
4. Apply to a few more places — each inquiry builds the synthetic file
5. Get added as an authorized user on a legitimate account (tradeline piggybacking — some people sell this)
6. After 6-12 months of “credit building” → the synthetic identity has a real credit score
7. Apply for credit cards, max them all out, disappear

Why it works: Credit bureaus automatically create new files when they see a SSN + name combination they don’t recognize. There’s no verification that the name actually belongs to that SSN. The system trusts the data format, not the data source.

The scale: Federal Reserve estimates synthetic identity fraud costs $6 billion/year and is the fastest-growing type of financial crime in the US. Experian reports a 60% increase in synthetic fraud cases in 2024 vs 2023 — now representing 29% of all identity fraud.

The Federal Reserve mapped the complete bust-out lifecycle:

Step 1 — Create the Identity: Start with a real SSN. Children’s SSNs are 50x more likely to be used as CPNs because kids don’t check their credit for years. SSN paired with fabricated name and DOB. Cost: $1-5 per SSN on dark web markets.

Step 2 — Establish the Credit File: First credit application gets denied — but the denial itself creates a new credit file. Apply at 2-3 more places. Each inquiry adds to the file. The synthetic identity now “exists.”

Step 3 — Boost the Credit: Get added as an authorized user on a legitimate credit card with good history. This is tradeline piggybacking — services sell authorized user slots for $200-1,000. The synthetic ID inherits the account’s positive history. Credit score jumps from nothing to 650-700+ in as little as 30 days.

Step 4 — Harvest: Apply for credit cards, personal loans, auto financing, even bank accounts. With a 700+ credit score and a “clean” file, approvals flow freely. Build up $50K-200K in available credit across multiple issuers.

Step 5 — Bust Out: Max every card, draw every credit line, take every cash advance — all within a few days. Then disappear. The synthetic identity never existed as a real person, so there’s nobody to collect from. Average bank loss per synthetic bust-out: $310,000.

CPNs (Credit Privacy Numbers) are marketed as “legal alternatives” to your SSN for credit applications. They’re not. They’re either stolen SSNs repackaged or fabricated numbers.

CPN vendors operate openly on social media, selling packages for $200-2,000 that include a “clean” SSN, a fake name backstory, and instructions for building credit.

The law: Using a CPN on a credit application is federal identity theft (18 U.S.C. § 1028) and bank fraud (18 U.S.C. § 1344). Penalties: up to 30 years imprisonment.

eCBSV (Electronic Consent Based SSN Verification) — the SSA’s API that lets financial institutions verify if a SSN/name/DOB combo is real. Match rate: ~95%. But it can’t catch established synthetic identities that are already in the credit system.

What works better:

• Tri-bureau merge analysis (checking all 3 credit bureaus for inconsistencies)
• Behavioral analytics during application (typing patterns, device fingerprinting)
• Graph network analysis (finding clusters of connected synthetic identities)
• Alternative data sources (utility records, phone records, address history)

Synthetic ID Resources:

• Federal Reserve Synthetic ID Hub — whitepapers, toolkit, mitigation framework
• SSA eCBSV Service — real-time SSN verification API

AI is making it worse: Deepfake-generated ID documents pass automated KYC checks. AI-generated faces pass liveness detection. Synthetic identities that took months to build manually can now be created in days. With AI, the full pipeline from CPN purchase to bust-out can be compressed to weeks.

1. Never mix identities — personal life and operations use completely separate devices, accounts, and networks. One crossover = everything connected.
2. Burner phones — cash purchase, activate far from home, never connect to home WiFi. Your home router’s MAC address is a fingerprint.
3. VPN + Tor — never use your home IP for anything operational. Tor alone is slow but safe. VPN alone is fast but logged. Both together = layers.
4. No personal info — don’t brag, don’t flex, don’t tell your friends. Assume everything is logged, everything is monitored, everything is evidence.
5. Compartmentalize — each operation is separate. Different browser profiles, different proxies, different email addresses. If one gets burned, the others survive.

The number one way carders get caught isn’t technical forensics. It’s bragging. They post screenshots. They flex on social media. They tell their girlfriend. They use the same username on a forum and on their personal Instagram. The FBI thanks them for the cooperation.

Framework	What It Does
Puppeteer	Chrome automation by Google — the industry standard
Playwright	Microsoft’s cross-browser automation
Selenium	The OG browser automation
Nodriver	Undetectable Chrome automation
Rebrowser-puppeteer	Anti-detect Puppeteer fork

The problem: Standard browser automation is detectable. Sites check for navigator.webdriver, CDP (Chrome DevTools Protocol) fingerprints, and automation-specific JavaScript properties.

The solution: Stealth plugins and custom patches:

Tool	What It Does
rebrowser-patches	Patches for stealth automation
undetected-chromedriver	Selenium-compatible undetected Chrome
FakeBrowser	Anti-fingerprinting automation
Bot Detector Test	Test if your bot is detectable

Cloudflare protects millions of sites with Turnstile challenges and JavaScript fingerprinting. Bypassing it is its own cottage industry:

Methods that work (2025-2026):

• SeleniumBase UC Mode — handles Cloudflare challenges automatically
• Camoufox engine — C++ level modifications invisible to Cloudflare’s JS checks
• CDP patching — removing Chrome DevTools Protocol fingerprints that Cloudflare looks for
• TLS fingerprinting — matching real browser TLS signatures so Cloudflare can’t distinguish bot from human at the protocol level

Resources:

• CloudflareBypassForScraping — automated Cloudflare bypass
• Chrome DevTools Protocol docs — understanding what gets detected

The ecosystem:

Channel Type	What It Does
Card shops	Automated vending via bots — search by BIN, country, type
Checker bots	Validate cards against gates (Stripe, Braintree)
Log markets	Sell stealer log output — passwords, cookies, cards
OTP services	Automated voice calls to intercept verification codes
Drop coordination	Connect carders with reshippers and mules
Escrow services	Hold funds during trades to prevent ripping
Reviews/vouches	Reputation systems for sellers

Scale: BidenCash dumped 900K+ cards as a Telegram promotion. CrdPro has 7K+ members. Moon Cloud has 20K+. Academic analysis identified 1,489+ active carding channels.

Roles in a carding Telegram channel:

• Admin — runs the channel, sets rules, takes a cut of every transaction
• Vendor — sells cards/logs/tools
• Checker — runs card validation bots
• Ripper — scams other members (ironic but constant — criminals scamming criminals)
• Escrow — trusted middleman for trades
• Mule — provides drop addresses or bank accounts

Modern phishing doesn’t use sketchy free hosting anymore. Sophisticated operations run professional infrastructure:

The stack:

1. Domain registration — typosquatted domains via privacy-respecting registrars
2. SSL certificates — Let’s Encrypt provides free HTTPS (the padlock means nothing for trust — it only means the connection is encrypted, not that the site is legitimate)
3. Hosting — bulletproof hosting or compromised legitimate servers
4. Phishing toolkit — Evilginx2 for real-time MITM proxy phishing
5. Exfiltration — stolen credentials sent via Telegram bot, email, or C2 server

Evilginx is the game-changer — it acts as a reverse proxy between the victim and the real site. The victim sees the real site, enters real credentials, completes real 2FA, and Evilginx captures the session cookie. Even hardware 2FA tokens get bypassed because Evilginx captures the authenticated session, not just the credentials.

Phishing resources:

• Evilginx2 — MITM proxy phishing framework
• Evilginx Phishlets — pre-built phishing templates
• Evilginx TTPs + Blacklist — tactics and IP blacklist

Sandboxes — upload suspicious files, watch them detonate safely:

Tool	Purpose
any.run	Interactive cloud sandbox — watch malware execute in real-time
Hybrid Analysis	Free upload, detailed behavioral reports
Tria.ge	Recorded Future sandbox
VirusTotal	Multi-engine scanner (70+ antivirus engines)

YARA Rules — pattern-matching for malware detection:

Resource	Purpose
Yara-Rules/rules	Massive community rule collection
bgd-cirt/LummaStealer-YARA-Rules	Lumma-specific detection rules

18 U.S.C. § 1029 — Fraud and Related Activity in Connection with Access Devices. This is the statute that covers credit card fraud, device fraud, and access device trafficking at the federal level.

Key thresholds:

• Possession of 15+ unauthorized access devices (cards, account numbers, PINs) triggers federal charges
• Maximum penalty: 10-20 years depending on offense type
• 18 USC §1028A (Aggravated Identity Theft) adds a mandatory 2-year consecutive sentence on top of any other sentence — no parole, no reduction
• 18 USC §1344 (Bank Fraud) carries up to 30 years
• Loss amount directly impacts sentencing guidelines — higher losses = more points = longer sentences
• Forfeiture provisions allow seizure of all proceeds and instruments of the crime
• Extraterritorial jurisdiction — the statute applies even if the fraud occurred partially outside US borders

The Infraud Organization was one of the largest cybercrime enterprises ever prosecuted. Founded in 2010 by Ukrainian Svyatoslav Bondarenko, it operated as a structured criminal organization with screening protocols, VIP member tiers, and its own motto: “In Fraud We Trust.”

The numbers:

• 10,901 members by March 2017
• $568 million in actual losses
• $2.2 billion in intended losses
• 4 million+ compromised payment cards
• 36 people indicted across 7 countries
• Operated on clearnet with invitation-only access

Key sentences:

• Sergey Medvedev (co-founder, ran escrow services) — 10 years
• Valerian Chiochiu — 10 years
• Aleksey Burkov (Cardplanet admin) — 9 years
• Arnaldo Sanchez Torteya — 8 years
• Andrii Kolpakov — 7 years + $2.5M restitution
• Marko Leopard (abuse-immune hosting) — 5 years
• John Telusma — 4 years (14th member sentenced)

Medvedev was extradited from the US. Bondarenko (founder) — believed to be in Russia. Russia exemption rule applied: Russian nationals operating from Russia remained largely untouchable. Andrey Novak was arrested by FSB but details remain murky.

The organization used FastPOS malware, had RICO conspiracy charges applied, and the takedown required coordination across 7 countries. The infrastructure included escrow services, review systems, and a reputation economy that mirrored legitimate marketplaces.

FIN7 (also known as the Carbanak Group) has been active since 2015, targeting restaurants, gambling, and hospitality industries worldwide. They ran like a tech company — complete with a fake security firm called Combi Security that recruited unwitting pen testers.

The damage:

• 20 million+ debit and credit cards stolen
• $1 billion+ in damages
• 6,500+ POS terminals compromised
• Victims across all 50 US states plus UK, Australia, and France
• Used JIRA project management to coordinate breach operations (yes, really — they tracked hacking projects like sprints)

Key sentences:

• Fedir Hladyr (systems admin) — 10 years
• Andrii Kolpakov (high-level manager, arrested in Lepe, Spain 2018) — 7 years + $2.5M restitution
• Denys Iarmak (pen tester) — 5 years

What made FIN7 different:

• Ran as a corporate structure with managers, developers, and pen testers
• Used Combi Security as a legitimate-looking front company to recruit developers
• Deployed Carbanak malware + phone call legitimization (social engineering calls to confirm fraudulent transactions)
• Conducted BadUSB attacks — mailing physical USB drives disguised as Best Buy gift cards to targets
• Even after co-conspirators were arrested, operations continued — new members stepped in
• Affiliated with ALPHV/BlackCat and Ryuk ransomware operations

The prosecution proved that even nation-state-level criminal enterprises can be partially dismantled — but FIN7’s continued operations after arrests also proved that arresting individuals doesn’t kill the organization.

Albert Gonzalez pulled off the largest credit card theft in history at the time — and he did it while being a $75,000/year Secret Service informant.

The hit list:

• TJX Companies — 90 million cards (some sources say 45.7M, TJX settled for $171.5M)
• Heartland Payment Systems — 130 million cards, 250+ financial institutions affected
• BJ’s Wholesale Club, OfficeMax, Barnes & Noble, 7-Eleven, Hannaford Bros — all compromised
• 170 million+ cards total across all operations

The method:

• Wardriving — literally driving around Miami with a laptop, finding vulnerable WiFi networks at retail stores
• Installed sniffer programs (written by co-conspirator Stephen Watt) on corporate networks
• Exfiltrated data to encrypted servers in Eastern Europe
• Part of Operation Firewall / ShadowCrew — turned informant, then kept hacking while working with the feds

The sentence: 20 years (concurrent sentences for TJX and Heartland cases)

Forfeiture: $1.65 million in cash, a Miami condo, a BMW — plus $25,000 fine

The absurdity: Gonzalez threw himself a $75,000 birthday party while under Secret Service employment. He claimed internet addiction and Asperger syndrome as mitigating factors. The judge was unimpressed.

Total costs to victims: TJX alone spent $200 million+ on breach remediation. Heartland’s costs were comparable. The ripple effects across 250+ financial institutions took years to resolve.

The math hasn’t changed:

• Startup cost: under $200
• Monthly overhead: $200-500
• Prosecution risk: 1-4%
• Potential return: unlimited

When the startup cost is less than a PS5 and the prosecution rate is a rounding error, the math writes itself.

Security Added	Evasion Created
Device fingerprinting	Antidetect browsers
MFA / 2FA	OTP interception bots + SIM swapping
KYC verification	Deepfake tools ($30)
IP blocking	Residential proxies (100M+ IPs)
3D Secure	Non-VBV BIN hunting + SCA exemptions
EMV chips	EMV bypass cloning
AVS address checks	Address stuffing + fullz with billing
AI fraud detection	AI-generated attacks
Machine learning models	Behavioral mimicry + cookie theft
CAPTCHAs	Solver services ($0.50/1000)
Email verification	Custom SMTP + aged domains
Velocity limits	Distributed bot networks
PCI DSS compliance	RAM scraping + supply chain attacks
Credit bureau checks	Synthetic identities (95% pass rate)
Cloudflare protection	CDP patching + stealth automation
Voice authentication	AI voice cloning (30 seconds of audio)
Liveness detection	Deep-Live-Cam + DoT bypass ($30-600)
Behavioral biometrics	Anti-detect browsers + cursor drift injection
Dark LLM takedowns	Xanthorox self-hosted architecture (offline, untraceable)

Every defense creates a market for the evasion tool. Every lock sells a lockpick. The fraud ecosystem doesn’t just survive takedowns — it uses them as marketing events. “RedLine got busted? Switch to Lumma. Here’s a discount code.”