The notorious B1ack's Stash dark web carding marketplace has announced the free download of 4.6 million stolen credit card records. The data, it says, was dumped after sellers were caught reselling card data purchased from B1ack's Stash on competing platforms, a violation of the marketplace's policies. This move underscores the volatile and cutthroat nature of the underground carding economy, where trust is fragile and retribution can result in massive data leaks.

Details of the Data Dump

According to cybersecurity firm SOCRadar, which analyzed the leak, the released dataset includes full credit card numbers (Primary Account Numbers or PANs), expiration dates, CVV2 codes, cardholder names, billing addresses, email addresses, phone numbers, and IP addresses. B1ack's Stash allegedly suspended 8 million stolen CVV2 records in response to the sellers' misconduct, and decided to release 4.6 million of those cards for free, rather than deleting them from its inventory. SOCRadar reports that while some records are duplicates or expired, approximately 4.3 million appear to be new and likely usable for fraudulent activities.

The stolen credit cards originate from around the world. Approximately 70% are from the United States, followed by Canada, the United Kingdom, France, and Malaysia. The presence of Asian financial hubs such as Hong Kong, Singapore, Thailand, and Malaysia in the top 15 suggests that the dataset is not the product of a single regional operation but draws from multiple skimming or phishing campaigns. The data is particularly valuable because it includes not just card numbers but also the associated personal information, which can be used for identity theft and targeted phishing attacks.

Methods of Data Theft

Based on the completeness of the records, SOCRadar believes the information was likely stolen through e-skimming (Magecart-style attacks that inject malicious code into checkout pages) or phishing campaigns that trick users into entering their payment details. E-skimming has become a preferred method for cybercriminals because it captures data in real time from legitimate e-commerce sites. Since the records include IP addresses and email addresses, the attackers may have also harvested data through credential theft or formjacking. The richness of the data—full PAN, CVV2, expiration date, billing address, full name, email, phone, and IP in a single entry—creates compounding risks that go beyond simple card fraud.

Background on B1ack's Stash

B1ack's Stash has been operating on the dark web since at least 2023, rapidly becoming one of the most active shops for stolen credit card data. The marketplace offers a user-friendly interface and a reputation system for sellers. In April 2024, the marketplace made headlines by offering 1 million credit cards to anyone who registered, a tactic to attract new customers. In February 2025, it released over 4 million stolen credit cards for free, likely to boost its user base and compete with other carding platforms. These free dumps serve as both a marketing stunt and a way to damage rival marketplaces that resell data. The current dump of 4.6 million records continues this pattern of aggressive promotion.

The carding ecosystem has seen several marketplaces rise and fall. For example, BidenCash was shut down by authorities in a coordinated international operation. Joker's Stash, once the largest carding site, announced its shutdown in early 2021 after law enforcement pressure. The constant churn of marketplaces means that stolen data frequently circulates, and free dumps like this one flood the underground with fresh material.

Implications for Fraud

The newly dumped cards are expected to fuel card-not-present (CNP) fraud, which involves making illicit online purchases where the physical card is not required. With full card details and associated personal information, cybercriminals can also open fraudulent accounts, apply for credit, or launch convincing phishing attacks against the victims. CNP fraud has been rising globally, as e-commerce grows and EMV chip technology makes in-person fraud harder. The availability of thousands of fresh cards from high-purchasing-power countries like the US means that fraudsters can quickly monetize the data through online shopping, digital goods, or subscription services.

Beyond CNP fraud, the leaked data enables synthetic identity theft—combining real cardholder information with fabricated details to create new identities for credit applications. The inclusion of email and phone numbers makes it easier to contact victims for social engineering or to bypass two-factor authentication. Financial institutions face increased chargeback costs, while consumers may suffer from damaged credit scores and time-consuming resolution processes.

Role of SOCRadar and Other Researchers

Cybersecurity firms like SOCRadar play a crucial role in monitoring dark web activity and validating stolen data. By analyzing the dump, SOCRadar can identify patterns in the data, such as the geographic distribution and likely methods of theft, and alert affected financial institutions. Their validation of authenticity helps law enforcement prioritize cases. However, the sheer volume of data—4.6 million records—makes it difficult to contain the damage. Many cards will be cycled quickly, and some may have already been used before the victims even know their data was stolen.

Researchers also track the evolution of carding marketplaces. B1ack's Stash has shown resilience despite occasional outages and competition. Its decision to release data free of charge is a strategic move to undermine rival platforms that resell data, but it also exposes the marketplace to increased law enforcement scrutiny. The fact that such dumps are now public means that any individual with dark web access can download thousands of usable credit cards, lowering the barrier to entry for cybercrime.

Broader Industry Context

The carding ecosystem has existed for decades, but the scale of these dumps continues to grow. In 2024 and 2025, several record-setting leaks have occurred, driven by improved skimming tools, larger phishing operations, and the commoditization of stolen data. The rise of cryptocurrency payments on dark web markets has made transactions harder to trace. For consumers, the best defense is to monitor bank statements regularly, use virtual credit card numbers where possible, and enable transaction alerts. For businesses, especially e-commerce sites, implementing robust security measures such as web application firewalls, regular vulnerability scans, and employee training is essential to prevent e-skimming.

Authorities worldwide have stepped up efforts to dismantle carding sites. The US Department of Justice, Europol, and other agencies have conducted takeovers and arrests, but the decentralized nature of the dark web makes it difficult to eliminate the problem entirely. The release of 4.6 million stolen credit cards by B1ack's Stash serves as a stark reminder that cybercriminals continue to operate with impunity, and that the stolen data economy shows no signs of slowing down.

Source: SecurityWeek News