The notorious B1ack’s Stash dark web carding marketplace has announced the free download of 4.6 million stolen credit card records.

The data, it says, was dumped after sellers were caught reselling card data purchased from B1ack’s Stash on competing platforms, a violation of the marketplace’s policies. B1ack’s Stash allegedly suspended 8 million stolen CVV2 records in response to the sellers’ misconduct, and decided to release the card data for free, instead of deleting it from its inventory.

According to SOCRadar, the released data includes full card numbers, expiration dates, CVV2 codes, cardholder names, billing addresses, email addresses, phone numbers, and IP addresses. Based on the availability of full card details and payment data, the information was likely stolen as part of e-skimming or phishing operations, SOCRadar says. The cybersecurity firm says it has validated the authenticity of some of the records. Analysis of the data showed that some of the cards had expired or were duplicate entries. Overall, 4.3 million records appear to be new and likely usable for illicit activities, SOCRadar says.

The stolen credit cards are sourced worldwide, but approximately 70% of them are from the US. Canada, the UK, France, and Malaysia round out the top five. “The presence of Asian financial hubs like Hong Kong, Singapore, Thailand, and Malaysia in the top 15 suggests the dataset is not solely the product of a single regional operation, but draws from multiple skimming or phishing campaigns targeting English-speaking and high-purchasing-power markets globally,” SOCRadar notes.

B1ack’s Stash has been operating on the dark web since at least 2023, becoming one of the most active shops for stolen credit card data. In April 2024, the marketplace offered 1 million credit cards to anyone who registered. In February 2025, it released over 4 million stolen credit cards for free, likely to attract more users. The newly dumped cards are expected to fuel card-not-present (CNP) fraud activities, such as illicit online purchases. The accompanying information may allow cybercriminals to open fraudulent accounts, apply for credit, or launch convincing phishing attacks. “The richness of the leaked records – full PAN, CVV2, expiration date, billing address, full name, email, phone, and IP address in a single entry – creates compounding risks that go well beyond simple card fraud,” SOCRadar says.

The world of carding – the illegal trade of stolen payment card data – has evolved considerably over the past decade. Dark web marketplaces such as Joker’s Stash, BidenCash, and now B1ack’s Stash have emerged and fallen, often under pressure from law enforcement. The release of massive free dumps is a tactic used both to punish competitors and to attract new buyers who might later purchase premium data. Such dumps also increase the attack surface for financial institutions and consumers.

E-skimming, also known as formjacking, involves injecting malicious code into e-commerce websites to capture payment details entered by customers. Phishing campaigns, meanwhile, trick victims into entering their card information on fake sites. The combined use of these methods allows fraudsters to amass vast databases of sensitive information. The data released by B1ack’s Stash appears to be the result of such operations, as it includes not only card numbers but also full personal details that enable identity theft.

The impact of such dumps extends beyond immediate financial fraud. With full cardholder names, addresses, and contact information, criminals can attempt to open new lines of credit, take over existing accounts, or conduct social engineering attacks. The inclusion of IP addresses also allows for geolocation analysis, which can be used to tailor fraudulent transactions to appear more legitimate. Financial institutions must rapidly reissue compromised cards and monitor for suspicious activity, while consumers need to be vigilant about checking statements and credit reports.

The scale of this dump – 4.6 million records – is significant but not unprecedented. Similar dumps from other carding sites have contained tens of millions of records. What makes this incident noteworthy is the explicit retaliation motive and the quality of the data. SOCRadar’s analysis indicates that only a small fraction of records are duplicates or expired, meaning the vast majority pose a real threat. The global distribution of the cards also suggests a coordinated, multi-regional cybercriminal effort.

Law enforcement agencies worldwide have been cracking down on carding marketplaces. In recent years, operations have led to the shutdown of BidenCash and Joker’s Stash, with administrators arrested or charged. However, the persistent emergence of new markets demonstrates the resilience of the underground economy. B1ack’s Stash, in particular, has used aggressive marketing tactics, such as offering free data to registered users, to build its reputation.

The free release of 4.6 million cards is likely to drive a wave of card-not-present fraud, which already accounts for a significant portion of credit card losses. Retailers and online merchants must ensure their payment systems are secured with strong authentication and fraud detection measures. Consumers are advised to use virtual credit card numbers, enable two-factor authentication, and monitor accounts regularly. The data may also be used in credential stuffing attacks, where criminals try leaked email and password combinations on other services.

As the dark web continues to evolve, the cat-and-mouse game between cybercriminals and security professionals intensifies. The B1ack’s Stash dump serves as a stark reminder of the value of payment card data and the lengths criminals will go to monetize it. While the immediate response involves card reissuance and fraud monitoring, the long-term solution lies in more secure payment technologies, such as chip cards (EMV), tokenization, and biometric authentication. .

Source: SecurityWeek News