Virginia News Press


B1ack’s Stash Marketplace Gives Away 4.6 Million Stolen Credit Cards

May 23, 2026  Twila Rosenbaum

The dark web carding marketplace B1ack's Stash has announced the free download of 4.6 million stolen credit card records, escalating a long-running battle with sellers who violated platform policies. The marketplace claims it dumped the data after sellers were caught reselling card data purchased from B1ack's Stash on competing platforms; the records were released publicly rather than deleted from inventory. This marks the second major free giveaway from the marketplace in as many months, following a similar release of over 4 million stolen cards in February 2025.

According to cybersecurity firm SOCRadar, which analyzed the leaked dataset, the released data includes full credit card numbers, expiration dates, CVV2 codes, cardholder names, billing addresses, email addresses, phone numbers, and IP addresses. The richness of the records—combining financial credentials with personally identifiable information—creates compounding risks that extend well beyond simple card fraud. SOCRadar notes that the presence of full PAN (Primary Account Number), CVV2, expiration date, billing address, name, email, phone, and IP address in a single entry allows cybercriminals to launch multilayered attacks, including fraudulent account openings, credit applications, and highly convincing phishing campaigns.

The cybersecurity firm has validated the authenticity of some records, though analysis revealed that some cards had expired or were duplicate entries. Overall, 4.3 million records appear to be new and likely usable for illicit activities. Based on the availability of complete card details and payment data, SOCRadar suggests the information was likely stolen through e-skimming or phishing operations. E-skimming, also known as formjacking, involves injecting malicious code into legitimate e-commerce websites to capture payment information as users submit checkout forms. Phishing attacks, meanwhile, trick victims into entering sensitive data on fraudulent websites that mimic legitimate retailers or financial institutions.

The stolen credit cards originate from multiple countries worldwide, with approximately 70% coming from the United States. Canada, the United Kingdom, France, and Malaysia round out the top five countries. The presence of Asian financial hubs such as Hong Kong, Singapore, Thailand, and Malaysia in the top 15 suggests the dataset is not the product of a single regional operation but draws from multiple skimming or phishing campaigns targeting English-speaking and high-purchasing-power markets globally. This geographic diversity indicates that B1ack's Stash aggregates data from numerous sources, likely from both large-scale breaches and smaller targeted attacks.

Background on B1ack's Stash

B1ack's Stash has been operating on the dark web since at least 2023, quickly rising to become one of the most active shops for stolen credit card data. The marketplace has employed aggressive marketing tactics to attract buyers and sellers. In April 2024, the platform offered 1 million credit cards to anyone who registered, effectively giving away high-value stolen data to build a customer base. In February 2025, it released over 4 million stolen credit cards for free, likely to further expand its user community and undercut competitors. The latest dump of 4.6 million records represents an escalation in both scale and frequency.

The marketplace allegedly suspended 8 million stolen CVV2 records in response to the sellers' misconduct, deciding to release a portion of that data for free instead of deleting it from inventory. This punitive action serves a dual purpose: it deters sellers from violating policies and demonstrates the marketplace's control over its dataset, while also generating buzz and attracting new users. The tactic mirrors those employed by other underground carding forums, where free dumps are sometimes used to market sellers' wares or retaliate against rivals.

Impact on Card-Not-Present Fraud

The newly dumped cards are expected to fuel card-not-present (CNP) fraud activities, such as illicit online purchases. CNP fraud occurs when a fraudster uses stolen card details to make purchases over the internet, by phone, or by mail order, without needing the physical card. With full card numbers, expiry dates, and CVV2 codes, criminals can easily bypass many online merchant verification systems. The accompanying personal information—names, billing addresses, emails, and phone numbers—allows fraudsters to make purchases that appear legitimate, often using the victim's own address for delivery or redirecting packages to alternative locations.

Beyond immediate financial theft, the data enables identity theft. Cybercriminals can use the email addresses and phone numbers to conduct SIM swapping attacks, reset passwords on financial accounts, or apply for new credit cards and loans in the victim's name. The IP addresses included in the records may reveal geolocation details that help fraudsters tailor attacks or pass identity verification challenges. SOCRadar warns that the compounding risks go beyond simple card fraud, as the combination of data points allows for sustained fraud campaigns that can last months or years.

Expanding the Context: Carding Markets and Law Enforcement

The release of stolen credit card data on such a scale highlights the ongoing challenge of fighting carding markets, which operate on the dark web using encrypted communication and cryptocurrency payments. B1ack's Stash joins a notorious lineage of carding marketplaces, including Joker's Stash, which operated from at least 2014 until its shutdown in 2020, and BidenCash, which was taken down by authorities after a series of free dumps. Other major carding shops have been disrupted through international law enforcement operations, but new platforms continue to emerge to fill the void.

In April 2024, a Chilean carding shop operator was extradited to the United States to face charges related to selling stolen payment data. In February 2025, US authorities announced charges and sanctions against a Russian administrator of a carding website. These actions demonstrate the ongoing efforts of law enforcement to dismantle the cybercrime ecosystem. However, the persistence of B1ack's Stash and similar marketplaces indicates that the demand for stolen financial data remains high, and the underground economy adapts quickly to enforcement actions.

The decision to release data for free rather than delete it also raises questions about the lifecycle of stolen card data. While merchants and payment networks have become more sophisticated at detecting fraud, criminals still trade stolen credentials for months before they are flagged or expire. The inclusion of expired cards in the latest dump suggests that some data may be recycled or that the marketplace is prioritizing volume over quality. Nevertheless, the 4.3 million new records represent a significant threat to consumers and financial institutions.

The cybersecurity firm SOCRadar continues to monitor the dark web and reported that B1ack's Stash has grown through consistent updates and customer service. The marketplace offers tutorials, escrow services, and a dispute resolution system to maintain trust among users. The free dumps serve as a marketing tool to attract both new buyers—who can test the data with little risk—and sellers, who are drawn to the marketplace's large user base. The latest release underscores the challenge of securing personal and financial data in an era where breaches are common and stolen information is traded like a commodity.

For consumers, the best defense remains vigilance: monitoring bank and credit card statements regularly, using credit freezes where possible, and being cautious about sharing personal information online. Financial institutions are investing in AI-driven fraud detection systems and tokenization technologies to mitigate the impact of such data breaches. However, the scale of the B1ack's Stash release means that many victims may not become aware of the compromise until fraudulent charges appear. The long-term effects of this data dump will likely be felt for years as criminal networks exploit the information for various schemes.


Source: SecurityWeek News

