Carding ecosystem: The fall of traditional financial cybercrime

Carding is a type of cybercrime where attackers steal or illegally buy credit card information and use it to make unauthorized transactions. It often involves testing stolen card numbers with small purchases before making larger fraudulent charges. Criminals typically exchange or sell these stolen details on underground forums or dark web marketplaces.

Outpost24’s Threat Intelligence team, KrakenLabs, carried out a previous public analysis of the underground card fraud ecosystem in 2022. Three years later, we’re bringing you an updated overview of the current state of carding.

Key takeaways about the carding ecosystem

Carding is in decline. After doing a deep analysis of the situation, we have uncovered the following key factors, which we consider may have led to the current situation.

  • Carding under pressure: Law enforcement agencies, global payment networks, banks, and regulators have been gradually implementing advanced measures that make traditional carding techniques far less effective.
  • Erosion of trust: A plethora of internal scams coupled with forum shutdowns have severely weakened confidence within carder communities, reducing their stability.
  • Operational difficulties: Constant disruption of Telegram accounts and channels, together with higher entry barriers, undermines carders’ ability to establish themselves and threatens the long-term sustainability of their operations.
  • Evolving tactics: Established carders are experimenting with AI agents and advanced methods to adapt to a new and complex environment. However, the lack of skilled operators and failure to attract new ones raise doubts about the community’s long-term resilience.
  • Existence of fraud alternatives: Cybercriminals are increasingly turning to the use of synthetic identities, account takeovers, and cryptocurrency-related scams, which seem to pose fewer hurdles and achieve greater success.
  • Overall decline: Established carders are moving to more profitable ventures, new cybercriminals are not entering the ecosystem, and those who remain are struggling to adapt to new and improved security measures. The result is far less visible activity and fewer fresh data dumps, which makes carding a less attractive business and compounds the aforementioned problems. This seems to be leading to an inevitable “demographic collapse” and highlights the diminishing appeal and profitability of carding in 2025.

Carding forums

Specialized carding forums play a crucial role in this type of fraud, serving as hubs for activities such as:

  • The sale and sharing of stolen cards, both individually and in bulk.
  • Announcement and sharing of new carding tools and techniques.
  • Tutorials and specific training for newcomers.
  • Hosting debates about carding techniques and trends.
  • Promotion of active card shops in banners or in specific threads.

Given its decades-long presence, carding has given rise to hundreds of forums in various languages and regions, most notably within Russian and English-speaking communities.

Some of the most active carding specialized forums are:

  • Altenens
  • Club2Crd
  • Carders[.]biz
  • WWH-Club

The activity level in these forums and within the different sections differs. However, most of the public activity is, in general, relatively unsophisticated.

Figure 1. Carding Sections Activity. Source: Altenens Forum

Forums are also used as a platform by relevant card shops to target potential sellers of stolen cards and to promote their products and services by announcing themselves in banners and in specific threads.

Figure 2. PP24 Carding Supermarket ad. Source: Club2CRD

Carding markets

Most carding markets share a similar structure, with several sections in common:

  • Stolen cards section, with most of the cards being sold individually at prices ranging from US$ 3 to US$ 150.
  • Dumps section, giving the option to buy dumps in bulk.
  • Fullz section, which includes both personal and financial information about the victim.
  • Checker tools to evaluate if the cards are still active and valid.

Figure 3. Cards for sale. Source: Rescator Market

Well-established carding markets have lost prominence in the last years while some newcomers have gained popularity. Some of the most relevant and active markets in H2 2025 include the following:

  • Rescator
  • Brains’club
  • KFCClubs
  • B1ack’s Stash
  • PP24Shop
  • SharkShop
  • Vclub
  • Jerry’s
  • Cards4Money
  • Ouhennie CC
  • Bingo[.]lc

Figure 4. “Fullz” section. Source: Brian’s Club

The preferred payment methods in most of these markets include Bitcoin (BTC), Litecoin (LTC), and occasionally Monero (XMR). Furthermore, to keep out scammers, researchers and bots, some underground markets require users to make a payment prior to registration in order to obtain full access to all the services offered.

Relevant carding threat actors active in underground forums

The following table shows a selection of notable carding threat actors along with some of the forums where they are known to operate.

| Threat actor alias and market | Forums active |
|---|---|
| LegendaryRescator – Rescator admin | Club2Crd, DarkNet Army, ProCrd, CardVilla, BlackBones, Enclave |
| b1ack – B1ack’s Stash admin | Club2Crd, XSS, Exploit[.]in, Verified, WWH-Club CRD Pro, Dread, Enclave, Carders[.]cm |
| “PP24” – PP24 Card Shop admin | Club2Crd, Carders[.]biz, crdcrew, LegitCarders, ShadowCarders |
| vclub – VClub admin | Club2Crd, WWH-Club, CrdPRo, Exploit[.]in |
| Crazy_shop_sup – Cards4Money admin | Club2Crd, CardVilla, Ascarding, CrdCrew |
| albanec – Club2Crd Senior Member | Club2Crd, XSS, ProCRD, CyberCarders, Center Club |

Figure 5. Notable carding threat actors and selected forums.

  • “Legendary Rescator”, active since the early 2010s, is one of the most well-known threat actors in the carding underground. The threat actor administrates the carding marketplace Rescator and has sold millions of stolen cards and other financial data. The adversary also has a strong presence in several forums, mainly to promote the market.
  • “b1ack” is a threat actor selling services and products in underground forums and through their own carding marketplace “B1ack’s Stash”. The adversary not only engages in carding but also in other cybercriminal activities such as phishing and Malware-as-a-Service (MaaS) schemes.
  • “PP24” is a prominent carding marketplace owner who is often present across multiple underground forums, maintaining several aliases to advertise services and recruit new partners.
  • “vclub” is a well-known member of the carding ecosystem and the administrator of the VCLUB marketplace.
  • “Crazy_shop_sup” is the admin of the “Cards4Money” carding shop. The actor frequently shares free data in underground forums to promote their marketplace.
  • “albanec” is a senior member of various carding forums who frequently engages in educational and innovation-related discussions to elevate the knowledge within the carding community.

Figure 6. vclub update. Source: Club2CRD

Carding trends and overall atmosphere

During the last year, we have seen a significant decrease in the volume of stolen credit cards being sold in these underground carding markets and forums. Where large batches of hundreds or even thousands of cards were once common, the market has shifted towards smaller, more selective offerings, with some markets even selling individual cards at higher prices depending on their quality.

Carders themselves seem to be aware of the mounting difficulties in sustaining their illicit activities. Discussions on underground forums and marketplaces reveal that many cybercriminals acknowledge how measures such as AI-driven fraud detection, biometric verification, tokenized payments, and stronger regulatory frameworks are eroding the effectiveness of traditional tactics.

Figure 7. User albanec discusses carding difficulties. Source: Club2CRD

Furthermore, the rise of scams and mistrust among carders is another growing challenge. Many underground forums and marketplaces have become riddled with fraudulent sellers who advertise invalid or recycled card data, or who simply scam others by disappearing after receiving payment without providing any product. This environment of deception forces even experienced carders to doubt the reliability of their peers, leading to disputes, negative reputation scores, and frequent forum shutdowns. As trust erodes, cybercriminals must spend more time verifying sources, using escrow services, or migrating between platforms, which not only increases their operational costs but also weakens the overall resilience of the carding community.

Figure 8. User 2fancy4u accusing VCLUB market of scam. Source: Club2CRD

Outpost24 KrakenLabs researchers have also observed an overall activity decrease in underground carding forums, with fewer fresh card dumps being advertised and declining participation in community discussions. We assess that tighter fraud defenses and repeated law enforcement disruptions have discouraged many lower-level actors, leaving forums quieter and less vibrant than in previous years.


Fraud-fighting strategies

Combating card fraud has become a top priority for global payment networks and financial institutions alike. Companies such as Visa and Mastercard are investing billions in advanced fraud prevention, combining AI-driven analytics, biometric authentication, tokenization, and real-time monitoring to stay ahead of increasingly sophisticated cybercriminals.

Many traditional carding schemes are now quickly identified and blocked before fraudulent transactions can be successful. Even when criminals attempt more sophisticated methods, such as linking stolen data to mobile wallets or executing social engineering scams, multi-factor authentication and predictive AI monitoring substantially reduce their effectiveness. As a result, the profitability of carding is diminishing, forcing threat actors to take greater risks for lesser rewards.

Additionally, regulations and organizations, such as the PCI Security Standards Council, play a significant role in fortifying security protocols aimed at detecting and preventing fraudulent and malicious operations. This is particularly evident in frameworks like PCI DSS, which, when combined with emerging technologies, enable more effective monitoring and real-time anomaly detection to prevent illicit transaction attempts.

These advancements have a direct impact on carding operations, forcing the underground market to refocus its efforts on less-secured assets, such as the commonly referenced “non-VBV” cards, and on regions with less stringent regulatory frameworks, such as parts of Africa and Asia. Compliance with international standards may be less enforced there, but economic profits are also smaller, which reduces the economic incentives of carding.

Figure 9. Discussion about carding operations. Source: Exploit[.]in
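
As an added illustration of the real-time monitoring described in this section (not code from Outpost24 or any payment network), the following Python example flags the card-testing pattern from the introduction, where stolen cards are probed with small purchases before larger charges. The log format, field names and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authorization events (format and field names are assumed)
SAMPLE_LOG = """\
2025-09-01T10:00:05 src=203.0.113.7 card=tok_a1 amount=1.00 result=DECLINED
2025-09-01T10:00:19 src=203.0.113.7 card=tok_b2 amount=1.00 result=DECLINED
2025-09-01T10:00:41 src=203.0.113.7 card=tok_c3 amount=0.50 result=APPROVED
2025-09-01T10:01:02 src=203.0.113.7 card=tok_d4 amount=1.00 result=DECLINED
2025-09-01T10:01:30 src=203.0.113.7 card=tok_e5 amount=1.00 result=DECLINED
2025-09-01T10:02:10 src=198.51.100.20 card=tok_z9 amount=42.10 result=APPROVED
2025-09-01T10:40:00 src=198.51.100.20 card=tok_z9 amount=3.99 result=APPROVED
2025-09-01T11:15:00 src=203.0.113.7 card=tok_c3 amount=950.00 result=APPROVED
"""

WINDOW = timedelta(minutes=10)  # assumed thresholds; tune on real traffic
MAX_SMALL_AMOUNT = 5.00         # upper bound for a "test" purchase
MIN_DISTINCT_CARDS = 4          # distinct cards from one source in WINDOW
MIN_DECLINE_RATIO = 0.5         # testers see many declines on dead cards

def parse(line):
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["src"], kv["card"], float(kv["amount"]), kv["result"]

def detect_card_testing(log_text):
    """Return {source: {"tested": set, "validated": set}} for suspected testers."""
    recent = defaultdict(deque)  # source -> small-amount attempts inside WINDOW
    flagged = {}
    for line in filter(None, map(str.strip, log_text.splitlines())):
        ts, src, card, amount, result = parse(line)
        if amount > MAX_SMALL_AMOUNT:
            continue  # only low-value probes count toward a burst
        q = recent[src]
        q.append((ts, card, result))
        while ts - q[0][0] > WINDOW:
            q.popleft()  # slide the window forward
        cards = {c for _, c, _ in q}
        declined = sum(r == "DECLINED" for _, _, r in q)
        if len(cards) >= MIN_DISTINCT_CARDS and declined / len(q) >= MIN_DECLINE_RATIO:
            hit = flagged.setdefault(src, {"tested": set(), "validated": set()})
            hit["tested"] |= cards
            # Cards approved inside a burst are confirmed live: watch or reissue them
            hit["validated"] |= {c for _, c, r in q if r == "APPROVED"}
    return flagged
```

In the constructed data, the card approved during the burst is the one later charged US$ 950.00, which is why the validated set is the most useful output for issuers.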

Law enforcement operations – Global fight against cybercrime intensifies

Law enforcement agencies conducted several major operations resulting in the shutdown of multiple relevant criminal networks, ranging from the seizure of markets to the dismantling of ransomware groups.

As far as carding is concerned, one of the most recent examples is the seizure of BidenCash market during June 2025, as part of an operation led by the United States Secret Service and the Federal Bureau of Investigation, and supported by other agencies and organizations worldwide. This market alone totaled up to millions of leaked credit cards, translating to more than US$ 17 million in revenue since its inception in 2022.

Figure 10. BidenCash Seizure. Source: BleepingComputer

Influential cybercriminal forums have also been successfully targeted. For instance, during July 2025, an investigation led by the French Police in cooperation with Europol led to the arrest of a key figure behind XSS, one of the most notorious cybercrime forums. With these seizures, cybercriminals are continuously being forced to seek out new places to communicate, exchange data, and promote their services, all whilst being aware of the potential risk of incoming law enforcement actions.

Furthermore, after the arrest of the founder and CEO of Telegram, Telegram began revising its privacy stance—signaling willingness to provide IP addresses and phone numbers to law enforcement upon valid court orders. Alongside these policy shifts, the platform has been actively shutting down cybercrime-related channels and accounts, including the removal of significant black-market groups like Haowang (Huione) Guarantee, estimated to have facilitated over US$ 27 billion in illicit crypto and money laundering activity. This shift in Telegram’s policies, combined with the periodic deletion of criminal channels and accounts, has introduced greater uncertainty for cybercriminals, further hindering cybercriminal operations.

This pressure from law enforcement and messaging platforms has created an environment where almost every new platform, be it a market, a forum or a Telegram channel, is questioned for its confidentiality, privacy and integrity.

Carders’ next steps

In response to traditional fraud methods becoming obsolete, some experienced carders propose that the solution lies in improving their technical knowledge and skills, encouraging their peers to study advanced bypass techniques, stay updated on evolving security systems, and learn how to exploit new digital platforms more effectively.

Figure 11. Proposed solution to carding decline. Source: Club2CRD

The evolution in carding methods has already been noticed by payment services providers. According to Michael Jibbara, Global Head of Fraud Services at Visa, they observed a particular shift in criminal behavior: “[threat actors] moved upstream from a data perspective, so they are no longer going after payment data, they are going after account data. They’re going after the username and password, your name, your social security number, your email address, so they can create synthetic identities.”

Furthermore, facing stronger defenses and shrinking opportunities, high-skilled carders are experimenting with innovative methods to sustain their operations. A growing trend involves the exploration of AI-powered agents to automate phishing, credential harvesting, and fraud execution, with the goal of bypassing detection systems and scaling their illicit activities more efficiently.

Figure 12. Discussion about AI agents and carding. Source: Club2CRD

Is carding on the decline?

In recent years, the overall level of carding activity has noticeably declined. Underground forums that once thrived with daily dumps of stolen payment cards now show fewer listings and lower engagement. Law enforcement takedowns, stronger security measures from payment networks, and periodic platform disruptions have discouraged many lower-level actors. As a result, carding no longer attracts the same volume of opportunistic cybercriminals it once did.

However, while the number of active carders has decreased, those who remain seem to be more sophisticated and technically skilled. Instead of relying on bulk stolen card data, they experiment with advanced tactics such as the use of synthetic identities, account takeover fraud, and even AI-driven automation. These operators focus on quality over quantity, carefully adapting to bypass stronger defenses. However, few newcomers are able to reach this high level of expertise, raising questions about the long-term sustainability of the carding ecosystem.

While the outlook for traditional card fraud is not so optimistic for cybercriminals, the adoption of cryptocurrencies is increasing worldwide. New regulations, the rise of stablecoins for payments, and the growing number of active crypto wallets, especially among younger generations, signal a shift toward a more crypto-related future of finance. Cybercrime moves in parallel: as traditional carding declines, crypto-related crime is on the rise, offering cybercriminals new opportunities with fewer restrictions and broader global reach.


About the Author

Marcelo Ruano, Threat Intelligence Researcher, Outpost24

Marcelo Ruano is a Threat Intelligence Researcher with the Strategic Research Team in Outpost24's KrakenLabs department, with expertise in identifying, analyzing, and assessing emerging cyber threats. He is skilled in evaluating risk landscapes and transforming complex intelligence into actionable insights that help organizations strengthen their security posture.