A customer completes a transaction. The payment clears. Two weeks later, the chargeback arrives: the card was stolen, the transaction was fraudulent, and you’re absorbing the loss.
Here’s what makes this frustrating: the intelligence indicating that the card was compromised already existed when you authorized the transaction. It was sitting in dark web marketplaces, stealer malware logs, and underground forums — part of a dataset of over 200 million exposed payment records that grows daily.
You just couldn’t access it.
For e-commerce, iGaming, and other organizations processing card-not-present transactions, this has been the reality for years. While card networks and issuers exchange compromise notifications through systems like Visa’s CAMS and Mastercard’s SAFE, these entities remain outside the loop — absorbing chargebacks from cards they had no way to flag as compromised.
Group-IB’s Cyber Fraud Intelligence Platform changes that equation. Built on patented Distributed Tokenization technology, it enables organizations to access real-time intelligence on compromised cards during transaction authorization — without handling raw card data or expanding their PCI DSS compliance scope.
Key Takeaways
- Over 200 million compromised payment cards are actively circulating in underground markets, but e-commerce, iGaming, and other non-issuing entities have been systematically excluded from accessing this intelligence
- Every dollar of fraud costs organizations $4.61 in total once fees, operational costs, and lost goods are factored in, making delayed detection financially unsustainable
- Group-IB’s Cyber Fraud Intelligence Platform acts as a privacy-preserving fraud intelligence layer, enabling pre-authorization fraud checks without exposing sensitive data or expanding PCI DSS scope
The Problem: A $48 Billion Blind Spot
Global e-commerce fraud losses have surpassed $50 billion annually and continue climbing, driven largely by stolen card details used in card-not-present (CNP) transactions. The scale is staggering, but what makes it particularly damaging is the timing: fraud is typically discovered after a transaction is approved, when a cardholder disputes the charge days or weeks later.
By then, the only option is damage control.
The numbers reveal the impact. E-commerce chargeback rates sit between 0.6% and 1%, higher than in-person transactions, and retail e-commerce chargebacks surged by 233% between Q1 and Q3 2025 alone. Each chargeback incurs fees, requires manual dispute handling, and increases pressure from payment processors.
For iGaming operators, the margin for error is even thinner. Card networks classify online gambling as high-risk by default, meaning operators face immediate penalties when chargeback ratios climb. A spike in fraud doesn’t just cost money — it can trigger account restrictions or termination.
The cost multiplier compounds quickly. In 2025, US merchants lost an estimated $4.61 for every $1 of fraud, once fees, operational costs, and lost goods are factored in. Card-not-present (CNP) fraud alone — the primary fraud vector for online transactions — is projected to reach $28.1 billion in losses by 2026. It comes as no surprise that some e-commerce businesses now spend up to 10% of their revenue just managing fraud.
So while intelligence about compromised cards is circulating actively in underground markets, most organizations operate blind, reacting to fraud only after it hits their bottom line.
Why Non-Issuing Entities Have Been Left Out
Group-IB’s Threat Intelligence unit continuously monitors dark web marketplaces and stealer malware ecosystems, maintaining a repository of over 200 million compromised payment records: 80 million with fully exposed card numbers and another 120 million with partial card data, often enriched with personal identifiers.
This intelligence can identify a stolen card before it’s used fraudulently. Yet organizations outside the banking sector have historically been unable to access it — not because the data doesn’t exist, but because sharing it in a compliant, usable form has been virtually impossible.
Three structural barriers have created this exclusion:
PCI DSS Requirements
PCI DSS imposes strict controls on the storage and transmission of cardholder data. The moment an organization receives raw card numbers, it assumes the full compliance burden: network segmentation, encryption, continuous monitoring, and regular audits. For most e-commerce and iGaming operators, that’s an operational and financial weight they’re neither equipped for nor willing to take on just to consume threat intelligence.
Card Network Rules
Card network notification systems — Visa’s Compromised Account Management System (CAMS) and Mastercard’s System to Avoid Fraud Effectively (SAFE) — operate exclusively on an issuer-to-issuer basis. Intelligence about exposed cards circulates within banking networks, not to the businesses actually accepting the transactions. Non-issuing entities are deliberately excluded from this loop, largely due to compliance constraints and liability boundaries.
In practice, this means that even when a card is confirmed as compromised, the organization processing the payment never knows. Industry documentation makes clear that banks are not obligated to inform merchants when a transaction involves a known compromised card.
Data Protection Regulations
Under frameworks such as the GDPR, Primary Account Numbers are treated as personal data and are subject to strict rules governing processing, sharing, and storage. Sharing raw card numbers with organizations outside the banking sector would require demonstrating a clear lawful basis, defined purpose, and adherence to data minimization principles, conditions difficult to satisfy when distributing sensitive identifiers to large numbers of third parties.
The result is a fundamental trade-off: the more precise the fraud intelligence, the more useful it is for prevention — but also the harder it becomes to share it in a compliant manner. As a result, sensitive data stays locked within tightly controlled financial environments, leaving organizations without access to the signals they need to act before authorizing a transaction.
How Distributed Tokenization Changes the Equation
Distributed Tokenization is the foundation for secure, real-time fraud intelligence sharing without exposing sensitive data. Instead of transmitting raw card details, the technology converts identifiers such as card numbers into irreversible, pseudonymized tokens — and, critically, this conversion occurs within the participant’s own environment before any data leaves their systems.
The Cyber Fraud Intelligence Platform builds on this approach to enable practical, real-time fraud detection. Here’s how it works in practice for e-commerce, iGaming, and other organizations:
When a transaction is initiated, the organization sends a query through the Cyber Fraud Intelligence Platform Connector, and the card number is tokenized locally within its own infrastructure. That token is then matched against Group-IB’s threat intelligence repository of over 200 million compromised records, which have been tokenized using the same method. Because both sides operate on equivalent tokens, the system can identify risk without ever exposing or transferring raw card data.
Two types of matching occur:
Exact Match: The tokenized card number matches one of the 80 million fully exposed records. This produces a confirmed compromise alert, including the breach source (which marketplace or stealer log), exposure level (card-only, card-plus-CVV, card-plus-personal-info), and the date the data was first observed.
Contextual Match: A partial match (for example, the first six and last four digits) validates against the 120 million partial records when combined with associated personal information. If the cardholder name matches data extracted from a stealer log or compromised database, the system flags it as a contextual match.
The critical point: no raw card data is exchanged at any stage. The organization receives a clear risk signal — whether the card is compromised, the likely breach source, and the exposure level — without ever accessing or storing the underlying card number.
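The tokenize-locally, match-on-tokens flow described above, as an added example rather than Group-IB's code. Keyed HMAC-SHA256 is an assumed stand-in for the undisclosed token construction, and the key, function names and sample records are constructed for illustration.

```python
import hashlib
import hmac
import unicodedata

# Assumption: keyed HMAC-SHA256 stands in for the platform's undisclosed token
# construction. A plain unkeyed hash would not be irreversible in practice,
# because the PAN space is small enough to enumerate.
NETWORK_KEY = b"constructed-demo-key"  # hypothetical shared secret


def _token(domain, value):
    # The domain label keeps exact and contextual tokens from ever colliding.
    return hmac.new(NETWORK_KEY, f"{domain}|{value}".encode(), hashlib.sha256).hexdigest()


def _name(holder):
    # Normalize case, accents and spacing so both sides derive the same token.
    ascii_name = unicodedata.normalize("NFKD", holder).encode("ascii", "ignore").decode()
    return " ".join(ascii_name.upper().split())


def exact_token(pan):
    return _token("pan", "".join(c for c in pan if c.isdigit()))


def context_token(first6, last4, holder):
    return _token("ctx", f"{first6}|{last4}|{_name(holder)}")


def build_query(pan, holder):
    """Runs inside the merchant environment; only the tokens leave it."""
    digits = "".join(c for c in pan if c.isdigit())
    return {"exact": exact_token(digits),
            "context": context_token(digits[:6], digits[-4:], holder)}


# Intelligence side, tokenized with the same method. Constructed records built
# from public test card numbers; sources and dates are invented.
FULL_RECORDS = {exact_token("4111111111111111"): {
    "source": "stealer-log", "exposure": "card-plus-CVV", "first_seen": "2025-01-15"}}
PARTIAL_RECORDS = {context_token("555555", "4444", "Jane Doe"): {
    "source": "marketplace", "exposure": "card-plus-personal-info", "first_seen": "2025-02-03"}}


def lookup(query):
    """Sees tokens only; an exact hit takes precedence over a contextual one."""
    if query["exact"] in FULL_RECORDS:
        return {"match": "exact", **FULL_RECORDS[query["exact"]]}
    if query["context"] in PARTIAL_RECORDS:
        return {"match": "contextual", **PARTIAL_RECORDS[query["context"]]}
    return {"match": "none"}
```

Whatever the real construction is, the matching only works if both sides canonicalize the card number and cardholder name identically before tokenizing, which is why the normalization sits in shared helpers here.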
This approach aligns with PCI DSS data minimization requirements and GDPR pseudonymization principles, while operating independently of traditional card network notification frameworks that exclude non-issuing entities. The cryptographic design has been independently validated by Bureau Veritas Cybersecurity, confirming compliance with GDPR data protection principles.
In practice, this means an organization can make an informed decision at the exact moment it matters — during authorization — without increasing compliance scope. An e-commerce platform processing a high-value transaction sends a tokenized query. Within milliseconds, the system returns a signal indicating that the card has appeared in stealer malware logs and is actively circulating on dark web marketplaces. The organization never sees the card number in any external system, yet still gains actionable intelligence to block or escalate authentication for the transaction.
What This Means for E-Commerce and iGaming
For the first time, e-commerce, iGaming, and other organizations can embed a real-time check against a global threat intelligence dataset directly into their transaction flow, without expanding their compliance scope or handling raw card data. Risk signals become available at the point of authorization, where they can actually influence the outcome.
Chargeback Prevention at the Source
A compromised card can be identified before the transaction is approved, allowing organizations to decline or step up authentication in real time. An iGaming operator detects that a card used for a deposit has been exposed in stealer malware logs. Instead of accepting the payment and dealing with a chargeback days later, the platform blocks the transaction or triggers additional verification.
Reduced Exposure to Card Network Penalties
Lower fraud rates directly translate into fewer chargebacks, helping organizations stay below thresholds that trigger monitoring programs, fines, or restrictions. An e-commerce business operating near card network limits uses these intelligence signals to filter out compromised cards early, preventing escalation into excessive chargeback programs.
Shared Intelligence Without Shared Liability
The platform enables participants to benefit from network-wide intelligence without exposing sensitive data. If a compromised card is used fraudulently on one platform and flagged within the network, that signal becomes instantly actionable across the network. A second participant encountering the same card can block it immediately, even if the fraud hasn’t yet been reported through traditional channels.
Part of a Broader Cyber Fraud Fusion Approach
The compromised card detection capability described here represents one use case within a broader industry approach known as Cyber Fraud Fusion. Traditional fraud prevention operates in silos — device intelligence, behavioral biometrics, transaction monitoring, and threat intelligence function as separate systems with limited coordination. Cyber Fraud Fusion integrates these capabilities: external threat intelligence sources (such as dark web monitoring and malware analysis) work with internal fraud prevention systems, such as session analysis and transaction monitoring, and are supported by coordinated investigation workflows when fraud is confirmed.
For financial institutions, this might mean connecting threat intelligence — which tracks compromised credentials and fraud tactics — with fraud protection systems for behavioral analysis and rule-based decisioning, then routing confirmed cases to investigation services for resolution. The Cyber Fraud Intelligence Platform provides one mechanism for implementing cross-institutional intelligence sharing within this model, but Cyber Fraud Fusion works equally well when organizations fuse their internal fraud controls with external intelligence sources, without requiring large-scale data-sharing networks. The core principle is integration: making fraud prevention systems work together rather than operating as disconnected tools.
Group-IB is developing capabilities across this full spectrum. By integrating Digital Risk Protection for brand monitoring and takedown, Threat Intelligence for dark web tracking and infrastructure analysis, Fraud Protection for behavioral detection, and Investigation services for attribution, this approach allows organizations to detect compromised card campaigns at their source, correlate signals across multiple fraud vectors, and act before losses occur rather than reacting after chargebacks arrive.
From Reactive Reporting to Pre-Authorization Intelligence
For years, fraud prevention has operated on a delay: the signals needed to stop fraud exist early, yet the systems designed to act on them respond late. Intelligence flows through dark web markets and stealer logs long before a transaction is disputed, but by the time it reaches organizations through traditional channels, it arrives as hindsight.
The Cyber Fraud Intelligence Platform and Distributed Tokenization change not just access to data, but the moment at which that data becomes usable. By enabling privacy-preserving matching at scale, they allow organizations to act on risk signals without inheriting the regulatory burden of handling sensitive card data.
The impact is measurable. In real-world deployments, even with just two institutions actively checking a network of 46 participants, the system prevented an estimated $10-15 million in fraud annually, with projections reaching $100-300 million at full network participation. These results reflect what happens when isolated data points become shared, real-time intelligence.
The model is straightforward:
- Detect earlier (identify compromised cards before they’re used fraudulently)
- Share safely (without exposing personal information)
- Act faster (at authorization, not after chargebacks)
For organizations operating in high-risk environments such as e-commerce and iGaming, this represents a shift from managing fraud as a cost center to treating it as a preventable risk. The intelligence exists. The technology to access it in a compliant manner is now available. The question is whether your fraud prevention strategy can afford to operate without it.
For fraud operations and risk teams who need to understand in depth what happens inside the matching process, how the response payload is structured, and how this integrates with existing transaction authorization workflows, part 2 of this series will examine the cryptographic process behind Distributed Tokenization, explain the difference between exact and contextual matching modes, and walk through the integration architecture that makes this intelligence consumable at pre-authorization without expanding PCI DSS scope.
To see how the Cyber Fraud Intelligence Platform enables secure, pre-authorization card checks, explore more at Group-IB or connect with our team.








