A recent investigation has illuminated the technical underpinnings of clandestine carding operations, discovering 28 unique IP addresses and 85 domains actively hosting illicit marketplaces where stolen credit card data is traded. These platforms function as sophisticated e-commerce sites for financial fraud, facilitating the exchange of compromised payment information, with prices ranging from $5 to $150 per card, influenced by credit limits and additional personal details.
The research, conducted between July and December 2025, employed internet-wide scanning techniques to identify servers hosting carding infrastructure before they could implement protective measures. By searching HTTP and HTTPS title banners on ports 80 and 443, investigators detected servers broadcasting carding-specific keywords such as “CVV,” “Dumps,” “Carding,” and “Shop.” This scanning methodology enabled researchers to capture server identities during their initial configuration phases, before operators obscured their true locations behind Content Delivery Networks such as Cloudflare.
Uncovered Carding Infrastructure and Domains
Team Cymru analysts identified significant patterns in how these criminal enterprises establish their technical presence. The IP addresses uncovered were hosting login pages and forum landing pages for these carding sites. This evidence is crucial for law enforcement actions, including the issuance of subpoenas and the execution of takedown operations. The most frequently utilized top-level domains by these operations were .su, .cc, and .ru. These domains offer jurisdictional advantages and less stringent registration policies, which criminals exploit to enhance their operational security.
The theft of credit card data occurs at various transaction points through a multitude of methods. Web skimming attacks involve injecting malicious JavaScript code into checkout pages, while database breaches target the central servers of retail and financial organizations. Physical theft methods include the use of skimming devices at ATMs and point-of-sale terminals to capture magnetic stripe data and personal identification numbers. Once compromised, this data enters a complex supply chain where specialized criminals manage different stages, from initial theft to sale and eventual conversion into cash.
The investigation also examined X.509 certificates, analyzing Subject Common Names to group related infrastructure based on recurring certificate attributes. This approach allows for the tracking of bulletproof hosting environments where these illicit marketplaces operate, even when operators attempt to replicate legitimate carding markets through website cloning for phishing purposes.
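The two pivots described above, title-banner keywords and certificate Subject Common Names, can be combined over scan data that has already been collected. The following is an added example, not code from the investigation: the record layout, the function names, the sample records and the choice to treat "Shop" as too generic to match on its own are all assumptions.

```python
import re
from collections import defaultdict

# Keywords the article says were searched for in HTTP/HTTPS title banners.
# Treating "shop" as generic (never sufficient alone) is this example's assumption.
SPECIFIC = {"cvv", "dumps", "carding"}
GENERIC = {"shop"}

# Constructed scan records (documentation IP ranges, .example names); not real data.
SCAN_RECORDS = [
    {"ip": "192.0.2.10", "port": 443, "title": "Best CVV Shop - Login", "subject_cn": "market-a.example"},
    {"ip": "198.51.100.7", "port": 443, "title": "Dumps & CVV shop :: sign in", "subject_cn": "Market-A.example"},
    {"ip": "203.0.113.5", "port": 80, "title": "Carding Forum", "subject_cn": None},
    {"ip": "203.0.113.9", "port": 443, "title": "Flower Shop Online", "subject_cn": "flowers.example"},
    {"ip": "192.0.2.44", "port": 443, "title": "CVV dumps store", "subject_cn": "*.market-b.example"},
]

def keyword_hits(title):
    """Return the watched keywords that appear as whole words in a title banner."""
    words = set(re.findall(r"[a-z0-9]+", (title or "").lower()))
    return words & (SPECIFIC | GENERIC)

def candidate_hosts(records):
    """Keep records whose title contains at least one carding-specific keyword."""
    return [r for r in records if keyword_hits(r["title"]) & SPECIFIC]

def normalize_cn(cn):
    """Lowercase a Subject CN and drop a leading wildcard label before clustering."""
    if not cn:
        return None
    cn = cn.strip().lower().rstrip(".")
    return cn[2:] if cn.startswith("*.") else cn

def cluster_by_cn(records):
    """Group IPs by normalized certificate Subject Common Name."""
    clusters = defaultdict(set)
    for r in records:
        cn = normalize_cn(r.get("subject_cn"))
        if cn:  # plain-HTTP hosts have no certificate to pivot on
            clusters[cn].add(r["ip"])
    return {cn: sorted(ips) for cn, ips in clusters.items()}

if __name__ == "__main__":
    for cn, ips in cluster_by_cn(candidate_hosts(SCAN_RECORDS)).items():
        print(cn, ips)
```

A Subject CN shared by several IPs is a lead for grouping infrastructure, not proof of common operation, because cloned sites and shared hosting can reuse certificate attributes.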
Hosting Infrastructure Analysis
An analysis of the Autonomous System Numbers (ASNs) associated with the 28 identified IP addresses revealed that many of the hosting providers operate from offshore jurisdictions where cooperation with law enforcement is limited. Privex emerged as the most common hosting provider, marketing privacy-focused infrastructure with dedicated Virtual Private Server (VPS) options that criminals can procure without submitting personal identification. These hosting services often support a range of illicit activities beyond carding, including offensive security tools and broader hacking campaigns.
The distribution of ASNs hosting carding infrastructure indicates a reliance on providers that facilitate anonymity and circumvent regulatory oversight. This reliance is a key factor in the sustained operation of these illegal marketplaces. The image above displays the ASN distribution, while other accompanying visuals provide examples of the login pages and forum interfaces discovered for these carding markets during the research.
The findings of this investigation highlight the technical sophistication and the often offshore nature of carding operations. This underscores the ongoing challenges faced by cybersecurity professionals and law enforcement in combating digital financial crime. Future efforts will likely focus on further disrupting these hosting providers and closing loopholes in domain registration policies that are exploited by malicious actors.

