Creation of a phishing page using a phishing-as-a-service provider | Image: Rapid7
A new report from Rapid7 has shed light on the sophisticated evolution of the underground credit card market, revealing a thriving ecosystem that operates with the efficiency of legitimate e-commerce. Dubbed “Carding-as-a-Service” (CaaS), this criminal industry has moved beyond simple data dumps to offer a full suite of tools, support, and guarantees that rival modern business platforms.
The report details how “dump shops” like Findsome, UltimateShop, and Brian’s Club have survived takedown attempts to become resilient hubs for fraud, bundling stolen payment data with sensitive personal information to maximize damage.
In the past, carding often meant buying a list of numbers. Today, the market demands more. The report identifies three main categories of data for sale:
- CVV: The basic card number, expiration, and security code.
- Dumps: Raw magnetic stripe data used to clone physical cards.
- Fullz: The most dangerous tier, which includes a “more complete profile of the cardholder, containing additional personal information such as the date of birth or Social Security Number (SSN)”.
This shift towards “Fullz” means the threat isn’t just financial—it’s existential. “The impact extends beyond isolated fraud events to long-term identity abuse and account compromise affecting both organizations and consumers,” Rapid7 researchers warn.
Perhaps most striking is how these illegal marketplaces mimic legitimate businesses to build trust.
- Refunds: Marketplaces like Findsome offer a “check time” window where buyers can verify a card’s validity. “Refund functionality is a critical feature… as it enables buyers to recover funds for cards that later prove invalid,” the report notes.
- Search Tools: Users can filter millions of stolen records by country, bank, and even “base” (a specific breach source) using slick, user-friendly interfaces.
- Bonuses: Platforms offer deposit bonuses of 5-12% to incentivize larger cryptocurrency payments, operating loyalty programs for fraudsters.
The data fueling these markets comes from a variety of sources, including Phishing-as-a-Service (PhaaS) platforms that make it easy for novices to harvest credentials, and sophisticated physical skimming devices designed for modern ATMs and gas pumps.
The scale is immense. In the second half of 2025 alone, Findsome hosted over 2.6 million leaked records, with the United States being the primary target.
As chip-based (EMV) security makes cloning physical cards harder, the market is pivoting. “Carding-as-a-service is evolving into a broader identity-driven ecosystem, where marketplaces supply raw data, and buyers use automation and AI to decide how and where to exploit it,” the report concludes.
Organizations are urged to adopt a defense-in-depth strategy, including “strengthening protections against common compromise vectors such as phishing… and conducting ongoing security awareness training” to combat this industrialized threat.