Dark Web Carding Site Releases 4.6 Million Stolen Credit Card Records for Free

A major dark web marketplace, a carding site to be specific, has released millions of stolen credit card records for free. The move has alarmed cybersecurity researchers worldwide.

B1ack’s Stash shared the data after accusing some sellers of reselling stolen cards on rival platforms. Instead of deleting the records, the marketplace dumped them publicly for cybercriminals to download.

A Seller Dispute Led to a Massive Free Dump

B1ack’s Stash runs its operation via the dark web and has been in existence for at least three years now. Criminals go there to buy and sell stolen payment card information.

Recently, the marketplace caught some of its own sellers breaking the rules. These sellers were reselling card data from B1ack’s Stash on competing platforms. That violated the marketplace’s policies.

So instead of just deleting the affected cards, B1ack’s Stash decided to make a statement. It suspended about 8 million compromised CVV2 records that were listed for sale on its platform. Then it released roughly 4.6 million of those records as a free download. The records are accessible via the site’s “Freebies” section.

They posted the announcement in both English and Russian languages. The operators also offered trustworthy sellers a “second chance” through a support ticket system. They even teased a new card database coming soon.

What the Leaked Data Contains

The stolen records are incredibly detailed. Each entry includes:

• Full 16-digit card number or PAN
• The month and year the card will expire
• CVV2 security code
• Full name of the cardholder
• Complete billing address
• Email address
• Phone number
• IP address

Security firm SOCRadar analyzed the data. It found that the records likely come from e-skimming or phishing attacks. Those attacks steal card details directly from checkout pages or fake websites.

SOCRadar validated some of the records. Many were genuine. Some cards had already expired or appeared as duplicates. After cleaning up the data, SOCRadar estimates about 4.3 million records are brand new and usable for fraud.

Who is Most Affected by this Leak?

The stolen cards come from all over the world. But the United States got hit the hardest. Around 70 percent of the records belong to American cardholders.

Interestingly, not all stolen cards have the same value on dark web markets. Stolen Korean credit card prices surged 168% on underground forums, highlighting how geographic demand affects pricing.

Canada, the UK, France, and Malaysia make up the rest of the top five countries on the list. There’s also a bunch of data coming from Asian financial hotspots like Hong Kong, Singapore, and Thailand. This suggests multiple skimming campaigns operating across different regions. They target English-speaking and high-spending markets.

The email addresses in the dump tell a similar story. Nearly half of the emails are Gmail accounts. Yahoo and Hotmail follow behind. US ISP domains like comcast.net, att.net, verizon.net, and sbcglobal.net also appear frequently. Two unusual domains, rhyta.com and dayrep.com, show up as well. Those are often linked to disposable or fake email services.

This isn’t the First Free Giveaway

B1ack’s Stash has done this before. Two years ago, it offered 1 million credit cards to anyone who registered on the site. Then, in February last year, it released over 4 million stolen cards for free. That move looked like a strategy to attract new buyers and build the marketplace’s reputation.

This latest dump follows the same playbook. Large volume. Free access. A story that makes the operator look like it’s protecting honest buyers. The “seller misconduct” angle is new, but the goal is the same: grow the user base and prove the marketplace has valuable data.

The Real-World Risks Go Beyond Card Fraud

Here is where the danger escalates. These records contain other sensitive info, not just payment details. There were full names. People’s home addresses were there. Emails, phone numbers, and even IP addresses. That combination creates multiple attack paths.

Financial fraud is the most immediate threat. Criminals can use the card details for card-not-present (CNP) fraud. That means buying things online without ever swiping the physical card. The billing address makes address verification system (AVS) checks easy to bypass. Expect a spike in fraudulent online purchases soon.

Identity theft becomes much easier. With full PII, crooks can open new accounts in your name. They can apply for credit cards or loans. They can even file fake tax returns.

Phishing attacks get more convincing. When an email comes with your actual name, address, and part of your card number, it feels legit. Hackers count on that; they build messages so convincing that you barely think twice before clicking bad links or handing over even more private stuff.

Credential stuffing is another risk. When hackers get their hands on email addresses and passwords from the dump, they’ll start trying them on different sites. If you reuse passwords anywhere, those accounts are in danger.

SOCRadar sums it up well: “The richness of the leaked records…creates compounding risks that go well beyond simple card fraud.”

What to Do Next?

People living in the US, UK, Canada, France, or Malaysia are a top target because their stolen credit cards are often very valuable on the dark web. So they should be very careful. Check your credit card statements for small test charges. Those often precede larger fraudulent purchases.

Set up transaction alerts with your bank. Sign up for credit monitoring so you can spot newly opened accounts you didn’t authorize. Criminals often attach phishing links in emails pretending to be your bank to lure you into fake sites, so avoid links in unexpected emails, even if they look legit.

This free dump isn’t just news. It’s an active threat to millions of people right now.