The dark web's B1ack's Stash marketplace has made headlines again by releasing a massive cache of 4.6 million stolen credit card records for free. This latest dump follows the marketplace's decision to suspend 8 million CVV2 records after it discovered that some sellers were reselling purchased data on rival platforms — a direct violation of its internal policies. Instead of deleting the suspended inventory, B1ack's Stash chose to release the card data for public download, claiming it wanted to penalize the dishonest sellers and attract new buyers.
Cybersecurity firm SOCRadar analyzed the leaked dataset and confirmed the authenticity of a subset of records. According to their report, the released data contains full card numbers (PAN), expiration dates, CVV2 codes, cardholder names, billing addresses, email addresses, phone numbers, and IP addresses. The richness of the information suggests the cards were likely stolen through e-skimming or phishing operations rather than point-of-sale breaches. E-skimming involves injecting malicious code into online checkout pages to capture payment details in real time, while phishing lures victims into entering credentials on fake sites.
Of the 4.6 million records, approximately 300,000 were expired or duplicate entries, leaving around 4.3 million usable cards. Geographically, the cards originate from numerous countries, but the United States dominates with roughly 70% of the total. Canada, the United Kingdom, France, and Malaysia round out the top five. SOCRadar noted the presence of Asian financial hubs such as Hong Kong, Singapore, Thailand, and Malaysia in the top 15, indicating that the dataset is the product of multiple skimming or phishing campaigns targeting English-speaking and high-purchasing-power markets globally.
Background of B1ack's Stash
B1ack's Stash has operated on the dark web since at least 2023, quickly becoming one of the most active shops for stolen credit card data. Its business model relies on a reputation system and strict rules against reselling data outside the platform. Sellers caught breaking those rules face account suspension and loss of inventory. The April 2024 promotion offered 1 million credit cards to anyone who registered, and in February 2025 the marketplace released over 4 million stolen cards for free — a tactic seen as a way to boost user base and competitive advantage in the underground economy.
Such giveaways are not unprecedented in the carding world. In 2021, the BidenCash marketplace released a batch of 1.2 million cards after a similar rule violation. Joker's Stash, once the largest carding site, also periodically leaked data to attract customers. However, the scale of B1ack's Stash's leak — 4.6 million records — is among the largest voluntary dumps in recent years.
Implications for Cybercrime
With full card details and associated personal information, the leaked data is a goldmine for cybercriminals engaging in card-not-present (CNP) fraud. CNP fraud occurs when a transaction is conducted without the physical card, typically online. The availability of CVV2 codes and billing addresses makes it easier to bypass many anti-fraud checks. Additionally, the inclusion of email addresses and phone numbers enables targeted phishing attacks, account takeover attempts, and even identity theft.
Security experts warn that the compromised data could be used to open fraudulent accounts, apply for credit, or launch convincing social engineering campaigns. Because the records include IP addresses, attackers could potentially geolocate victims or use that data to refine their attacks. The compounding risks go well beyond simple card fraud, as noted by SOCRadar.
Historical Context of Carding Marketplaces
Carding marketplaces have existed for over a decade, evolving in sophistication. Early sites like Carder.su operated in the mid-2000s, but law enforcement takedowns forced operators to adopt stronger anonymity measures. Tor hidden services and cryptocurrencies became standard. In 2015, the FBI shut down the Darkode forum, which hosted carding vendors. Later, the AlphaBay and Hansa market coordinated takedown in 2017 disrupted many vendors, but new shops quickly filled the void.
Joker's Stash, operational from 2014 to 2021, was the dominant carding marketplace until its operators announced retirement. After its closure, several competitors emerged, including B1ack's Stash, BidenCash, and others. These marketplaces compete on data volume, price, and reliability. The free dump strategy is a direct attempt to lure buyers away from rivals and build a loyal user base.
Law enforcement has made strides in targeting carding infrastructure. In April 2024, the operator of a Chilean carding shop was extradited to the United States. In March 2024, authorities shut down the BidenCash marketplace and arrested its administrators. And in early 2025, the US Department of Justice announced charges and sanctions against a Russian administrator of another carding website. Despite these actions, the underground market for stolen financial data remains robust, with new players constantly emerging.
The cybersecurity community continues to monitor these leaks, advising consumers and financial institutions to remain vigilant. Cardholders whose data may be compromised are urged to monitor bank statements, consider credit freezes, and report any suspicious transactions immediately. For businesses, implementing strong fraud detection systems, using 3D Secure protocols, and educating customers about phishing are essential steps.
The B1ack's Stash free dump serves as a stark reminder that the black market for payment data is thriving. With millions of fresh records now circulating, both individuals and organizations must prepare for a wave of fraud attempts in the coming months. The interconnected nature of online commerce means that even a single compromised card can lead to cascading losses across multiple platforms. As the cybercriminal ecosystem adapts to law enforcement pressure, consumers and businesses alike must stay ahead of the threat.
Source: SecurityWeek News