The B1ack's Stash dark web carding marketplace has released 4.6 million stolen credit card records for free download, according to analysis published by SOCRadar and reported by SecurityWeek. Roughly 4.3 million of the records appear to be new and likely usable for fraud, with approximately 70% sourced from cardholders in the United States.
What Happened
B1ack's Stash, one of the most active stolen-card shops operating on the dark web since at least 2023, dumped 4.6 million payment card records into the public domain rather than deleting them from its inventory. According to the marketplace's own announcement, the release was triggered after some of its sellers were caught reselling card data purchased through B1ack's Stash on competing platforms, a breach of the shop's exclusivity rules. In response, the marketplace says it suspended 8 million stolen CVV2 records and elected to push 4.6 million of those records out for free download. SOCRadar validated the authenticity of a sample of the records and confirmed the dump is largely fresh inventory, though it does contain some expired cards and duplicate entries. This is consistent with prior B1ack's Stash behavior: the shop gave away 1 million cards in April 2024 and over 4 million in February 2025, almost certainly as marketing stunts to drive registrations.
What Was Taken
SOCRadar's analysis indicates that each record in the dump is unusually rich, going well beyond bare card numbers. Exposed fields include:
- Full Primary Account Numbers (PAN)
- Card expiration dates
- CVV2 security codes
- Cardholder names
- Billing addresses
- Email addresses
- Phone numbers
- IP addresses
Approximately 4.3 million of the 4.6 million records are assessed as new and viable. Geographically, around 70% of the cards belong to US cardholders, with Canada, the United Kingdom, France, and Malaysia rounding out the top five. Asian financial hubs including Hong Kong, Singapore, and Thailand also feature prominently in the top 15, indicating the dataset is the product of multiple campaigns rather than a single regional operation.
Why It Matters
The combination of full PAN, CVV2, expiration date, and complete cardholder identity in a single record dramatically lowers the bar for card-not-present (CNP) fraud and identity-driven attacks. Unlike a bare card number, this dataset gives fraudsters everything needed to bypass basic address verification (AVS), pass CVV checks at most merchants, and impersonate the cardholder convincingly enough to open new fraudulent accounts or pass step-up verification. Because the data is being given away rather than sold, the attacker pool that can act on it expands sharply from established carders to opportunistic low-skill criminals, which historically produces a short, intense spike in CNP fraud attempts. The presence of email, phone, and IP addresses also enables highly tailored phishing and smishing campaigns against the affected cardholders.
The Attack Technique
The records were not stolen in a single breach. SOCRadar's assessment, based on the completeness of payment and personal data in each entry, is that the data was harvested through e-skimming (Magecart-style JavaScript injections on e-commerce checkout pages) and phishing operations. E-skimmers capture data as it is typed into legitimate merchant checkout forms, which explains why the records contain billing addresses, contact details, and IP addresses alongside the card data itself. The global spread of the cards, weighted toward English-speaking and high-purchasing-power markets, is consistent with skimming campaigns that target widely used e-commerce platforms and payment plugins rather than a single compromised merchant.
What Organizations Should Do
- Issuers and card networks: Prioritize reissuance for any BINs identified in the dump and tighten CNP authorization scoring for transactions originating from IP ranges seen in the leak. Force step-up authentication (3-D Secure) on transactions matching the leaked profiles.
- E-commerce operators: Audit checkout pages for unauthorized third-party scripts, enforce Subresource Integrity (SRI) and a strict Content Security Policy, and monitor for unexpected outbound connections from payment pages. Magecart-style skimmers remain the most likely upstream source.
- Fraud and risk teams: Expect a near-term spike in low-value CNP probing transactions, account-creation fraud, and credit applications using the leaked identity data. Tune velocity rules and device-fingerprinting models accordingly.
- Security awareness teams: Warn cardholders and employees that the dump enables highly personalized phishing, including calls and texts referencing real recent purchases, addresses, and partial card data. Treat unsolicited "fraud alerts" with suspicion.
- Threat intelligence teams: Ingest the leaked dataset (via reputable TI partners) to cross-reference customer, employee, and executive cards, and to seed monitoring for downstream reuse.
- Merchants in top-affected regions (US, CA, UK, FR, MY): Coordinate with acquirers on elevated chargeback monitoring over the next 30 to 90 days.
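One way to start the checkout-page audit recommended for e-commerce operators above, as an added example that is not from SOCRadar or SecurityWeek: it lists every script tag in a saved copy of the page and flags hosts outside an approved list, third-party scripts without an SRI hash, and inline scripts. The host names, allowlist and sample HTML are constructed, and the check covers static markup only, not scripts injected at runtime.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts the merchant has approved to serve scripts on checkout.
ALLOWED_HOSTS = {"shop.example", "js.payments.example"}
SRI_PREFIXES = ("sha256-", "sha384-", "sha512-")

# Constructed sample page; the integrity value is a placeholder, not a real hash.
SAMPLE_CHECKOUT = """<html><head>
<script src="/static/cart.js"></script>
<script src="https://js.payments.example/v3/sdk.js" integrity="sha384-CONSTRUCTED_PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://js.payments.example/v3/ui.js"></script>
<script src="https://cdn-stats.example.net/t.js"></script>
<script>window.cartId = 42;</script>
</head><body><form id="pay"></form></body></html>"""

class ScriptCollector(HTMLParser):
    """Records src, integrity and source line of every <script> tag."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self.scripts.append((self.getpos()[0], a.get("src"), a.get("integrity") or ""))

def audit_checkout(html, page_host, allowed=ALLOWED_HOSTS):
    """Return (line, src, problem) for each script that needs review."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for line, src, integrity in collector.scripts:
        if src is None:
            findings.append((line, "<inline>", "inline script (needs CSP nonce or hash)"))
            continue
        host = urlparse(src).hostname or page_host  # relative URL means same origin
        if host not in allowed:
            findings.append((line, src, "host not on allowlist"))
        elif host != page_host and not integrity.startswith(SRI_PREFIXES):
            findings.append((line, src, "third-party script without SRI hash"))
    return findings

if __name__ == "__main__":
    for finding in audit_checkout(SAMPLE_CHECKOUT, "shop.example"):
        print(finding)
```

Comparing the findings between deployments shows when a new script source appears on the payment page.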
Sources: B1ack's Stash Marketplace Gives Away 4.6 Million Stolen Credit Cards - SecurityWeek