Key Takeaways
Card shops power a global web of fraud that sells stolen credit card data, enabling money laundering, account takeovers, and synthetic identity fraud.
Since 2021, many major card shops like Joker’s Stash and UniCC have shut down, driven by global law enforcement action and the rise of stronger online payment protections.
Group-IB has collected data on nearly 400 million compromised cards across over 70 card shops, including many that are now defunct. Through its Threat Intelligence platform, Group-IB helps businesses detect and respond to card data exposure before it’s exploited.

What is a Card Shop in Cybersecurity?

In cybersecurity, a card shop is a type of underground market that sells specific types of data: dumps and bank card credentials (CC). Card credentials are data in text format that may include the card number, card expiration date, cardholder name, address, and CVV. Dumps are the contents of the magnetic stripe of bank cards.

1. Card Credentials

These are text-based records of credit or debit card information. A single CC entry may include:

  • Cardholder name
  • 16-digit card number
  • Expiration date
  • CVV/CVC security code
  • Billing address
  • Sometimes even phone number or email address

This data is primarily used for online purchases, Card-not-Present (CNP) fraud, or identity theft.

2. Dumps

“Dumps” refer to the raw magnetic stripe data extracted from physical payment cards. This data is captured using skimmers, POS malware, or infected ATMs. It typically includes:

  • Track 1 and/or Track 2 data
  • Encoded cardholder information
  • Bank Identification Numbers (BINs)

Dumps are used to clone physical cards, i.e., criminals can “write” the dump data onto a blank magnetic stripe card and use it to withdraw money or make purchases at in-person terminals.

The Evolution of Card Shops

The peak of card shop popularity fell between 2015 and 2021. During this era, prominent underground markets like Joker’s Stash, UniCC, Ferum Shop, and All World Cards dominated the dark web. They offered searchable databases of stolen card data with near-professional customer service, filtering tools, and feedback systems.

Decline Since 2021: What Changed?

Starting in late 2020 and intensifying throughout 2021, the card shop ecosystem began to shrink. Major shops voluntarily shut down or were forced offline. Two factors drove the decline. The first is the emergence of more profitable attack methods, such as ransomware. Ransomware is offered under a Ransomware-as-a-Service model, which gives inexperienced cybercriminals a low barrier to entry alongside higher earnings than card shops can provide.

The second factor is the introduction of new online transaction security systems by MasterCard, Visa, American Express, and other payment systems. This measure significantly reduced the possibility of selling cards purchased at card shops.

For instance:

  • Joker’s Stash, once the largest dark web carding site, voluntarily shut down in January 2021.
  • UniCC, another major player, closed operations in early 2022, citing “age and fatigue.”
  • Law enforcement pressure intensified: INTERPOL, Europol, and national CERTs cracked down on cybercrime infrastructure tied to financial fraud.

Why are Card Shops Dangerous?

Card shops may look like just another corner of the dark web, but they’re anything but small-time. These underground markets fuel a vast criminal economy. What starts as a $10 card listing can ripple into millions in financial loss, reputational damage, and systemic risk.

Here’s why card shops are far more dangerous than they appear and how they power some of the most damaging forms of cybercrime today.

Card shops fuel a global ecosystem of:

Credit Card Fraud

Card shops are central to the global trade in stolen payment data. They distribute credit card credentials and magnetic stripe dumps, which enable a range of illicit activities. As noted by cybersecurity firms, carding has transformed into a full-scale industrial operation involving automated validation tools and botnets.

According to UK Finance, in 2018, unauthorized card fraud losses amounted to £844.8 million, though banks prevented nearly double that amount. That means two in every three attempted frauds were blocked.

Money Laundering

Cybercriminals purchase dumps, validate them using money tools, and funnel illicit gains through prepaid cards or fake shell accounts. Sometimes collusive merchants play a role, charging inflated costs and funneling cash back to fraudsters.

Authorities and researchers highlight how card fraud often serves as a stepping stone into broader money laundering schemes. They do this by using tools like prepaid credit cards or multiple microtransactions to conceal illicit origins.

Account Takeovers

Once card data is purchased from a card shop, fraudsters can hijack accounts or bypass online protections. Cardholders whose data has been stolen are vulnerable to account takeover through:

  • Phishing and credential abuse
  • Brute-force attacks, or credential stuffing
  • Leveraging data obtained from card shops for wide-reaching credential abuse

Modern carding includes services offering bot-powered validation, proxies, and configuration templates. This makes it easy to test millions of credentials quickly.

Synthetic Identity Creation

Card shops support the supply of data for synthetic identity construction. Using pieces of real stolen PII (like name, SSN) combined with fabricated details, criminal networks create fictional but realistic personas.

Synthetic identities are used to open credit lines and bank accounts and to make fraudulent purchases over months or years before collapsing into large-scale fraud (known as bust-out schemes). Thomson Reuters estimates synthetic identity fraud costs U.S. institutions between $20 billion and $40 billion annually.

According to Investopedia, synthetic identity theft is one of the fastest-growing financial crimes, and financial institutions miss up to 95% of synthetic identities during initial onboarding.

Where are Card Shops Found?

While some operate on the dark web (using .onion domains and accessible only via Tor), many have migrated to invite-only Telegram groups, underground forums, or bulletproof hosting platforms to evade takedowns.

Some real-world examples of card shop takedowns include:

1. Joker’s Stash

This was the card shop everyone knew. The most popular card shop operated from 2014 to 2021. The shop allowed the sale of stolen bank card data but also facilitated the laundering of illegally acquired cryptocurrency.

The Joker’s Stash card shop made money by charging a fee for converting bitcoins into dollars as well as trading in stolen cards. At the beginning of 2021, the card shop went out of business due to the owner’s decision.

2. Trump’s Dumps

The card shop started working in 2017. In 2020 and 2021, 30 million bank card dumps were put up for sale in this card shop. Over its entire lifetime, Trump’s Dumps could have held more than 48 million dumps.

Its run came to a crashing halt in early 2022 when authorities shut it down during a sweep of a central cybercrime card shop marketplace.

3. UniCC

One of the biggest and oldest dark web card shops on the market, UniCC was opened in 2012. It had a loyal user base thanks to frequent updates, a vast inventory, and decent customer support (yes, really). Over its lifespan, blockchain investigators estimated it processed over $358 million in crypto payments.

The resource quickly gained popularity due to frequent updates. However, it was shut down by law enforcement in 2022.

4. Brian’s Club

Brian’s Club is infamous, and still technically active. In 2019, it got hit hard: a massive breach leaked over 26 million stolen cards from its database to law enforcement and security researchers. You’d think that would have taken it offline, but nope.

It bounced back, possibly under stricter operational rules and new management. Clones and mirrored sites have popped up since.

5. Ferum Shop

Ferum was one of the oldest in the business, and in its prime (around 2020–2021), it was offering more stolen credit card data than any other site, roughly 14.5 million cards in just two years.

But like Trump’s Dumps, Ferum didn’t survive the 2022 crackdown by law enforcement. The shop was taken offline, and several domains were seized as part of a broader cleanup operation.

What is the Difference Between Card Shops and Underground Markets?

Though underground markets also sell bank card details, they’re different from card shops in many aspects. The main differences between underground card data sales and other underground markets are the following:

  • Card shops do not sell other information except for bank card data
  • Cards are usually sold piece by piece
  • Card shops provide more detailed information about the card than other markets: BIN, bank name, cardholder’s name, country, city, ZIP code
  • Card shop databases are updated regularly

Here’s the difference at a glance:

| Main Parameters | Card Shops | Underground Markets |
|---|---|---|
| Main focus | Exclusively sells bank card data (CCs and dumps) | Sell a wider variety of illicit goods (e.g., malware, credentials, drugs) |
| Product format | Cards sold individually | Often bundled, bulk-sold, or offered via vendor shops |
| Data detail level | Highly detailed: BIN, bank name, cardholder name, country, ZIP, etc. | Often limited metadata; depends on the seller |
| Database updates | Frequently updated with fresh card data | Varies; some listings remain stale |
| Target audience | Primarily low-skilled attackers (carders) | Mixed: fraudsters, hackers, scammers, and more |
| Use case | Used for fraudulent purchases, cashouts, and reselling | Includes broader criminal use cases: hacking, drugs, exploits, etc. |
| Phishing risks | Often mimicked by fake shops to phish inexperienced users | Less commonly impersonated (markets are more centralized/curated) |

The target audience of card shops is carders – low-skilled attackers. They use the card data they obtain to withdraw money or purchase goods, and resell the credentials to others.

Due to their popularity among inexperienced attackers, card shops are often targeted by fake shop creators. The latter develop phishing websites mimicking popular card shops to steal data from carders.

How Do Card Shops Obtain Card Data For Selling?

All data sold in card shops is compromised bank card data. The compromise can happen in these ways:

  • Embedding JS-Sniffer on pages with payment elements
  • Intercepting card data with a skimmer or shimmer
  • Infecting a POS-terminal network with malware
  • Phishing pages
  • Bank card database leaks

Compromised bank card credentials can also be delivered to the card shop in various ways. The card shop team may have its own sources for extracting compromised card data, such as hacked payment gateways and online stores, phishing campaigns, etc.

Another scheme involves purchasing compromised card data from third-party vendors. The card shop owners’ role is to find such vendors and upload the received credentials to the card shop for selling.

In the most popular scheme, a card shop works as a marketplace providing its functionality to independent sellers. In this case, the seller goes through verification in the card shop once and then can upload the card data for subsequent sales. In this model, the card shop owner receives a fixed percentage of each card sold on the resource.

In the last scheme, card shop administrators take responsibility for developing the cybercriminal marketplaces, promoting them on underground forums, supporting customers, and acting as a guarantor in deals between sellers and buyers.

How Does Group-IB Battle Card Shops?

Group-IB collects and records all data sold in a large number of card shops, including historical data from already closed sites in its databases. Over the entire period of monitoring card shops, information was received about almost 400 million compromised bank cards from 70+ different card shops.

All this data is stored in the Group-IB Threat Intelligence platform. Cards can be viewed in the Compromises section. Monitoring these data and keeping track of fresh data leaks allows companies to take protective measures and prevent cybercriminals from taking advantage of the leaked data.
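As an added illustration of the protective step described above (this is not Group-IB's code or API), the following sketch shows how an issuer might triage masked compromised-card records against its own portfolio. The feed schema (6-digit BIN, last four digits, expiry, source shop), the customer IDs and all card numbers are constructed assumptions.

```python
from datetime import date

# Constructed sample data: test PANs only, no real cards.
OUR_BINS = {"411111", "555555"}  # BINs issued by this hypothetical bank
PORTFOLIO = [
    {"pan": "4111111111111111", "exp": "2027-08", "customer": "C-1001"},
    {"pan": "4111110000001111", "exp": "2027-08", "customer": "C-1002"},
    {"pan": "5555555555554444", "exp": "2026-03", "customer": "C-1003"},
    {"pan": "5555551234567890", "exp": "2023-01", "customer": "C-1004"},
]
FEED = [  # masked records in an assumed intel-feed schema
    {"bin": "411111", "last4": "1111", "exp": "2027-08", "shop": "shop-A"},
    {"bin": "555555", "last4": "4444", "exp": "2026-03", "shop": "shop-B"},
    {"bin": "555555", "last4": "7890", "exp": "2023-01", "shop": "shop-B"},
    {"bin": "400000", "last4": "0002", "exp": "2028-01", "shop": "shop-A"},
]

def is_expired(exp, today):
    """A card is usable through the end of its expiry month (YYYY-MM)."""
    year, month = map(int, exp.split("-"))
    return (year, month) < (today.year, today.month)

def triage(feed, portfolio, our_bins, today):
    """Return (customer, action, shop) tuples for cards that need attention."""
    # Index the portfolio by what a masked record reveals: BIN, last 4, expiry.
    index = {}
    for card in portfolio:
        key = (card["pan"][:6], card["pan"][-4:], card["exp"])
        index.setdefault(key, []).append(card["customer"])
    actions = []
    for rec in feed:
        if rec["bin"] not in our_bins:         # another issuer's card
            continue
        if is_expired(rec["exp"], today):      # already unusable
            continue
        hits = index.get((rec["bin"], rec["last4"], rec["exp"]), [])
        # A masked record can match several cards; only a unique match
        # justifies an immediate reissue, the rest go on a watch list.
        action = "reissue" if len(hits) == 1 else "monitor"
        actions.extend((cust, action, rec["shop"]) for cust in hits)
    return actions

if __name__ == "__main__":
    for row in triage(FEED, PORTFOLIO, OUR_BINS, date.today()):
        print(row)
```
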
