A new analysis by Team Cymru researchers has shed light on the physical and digital infrastructure powering the underground carding economy, revealing a network heavily reliant on “bulletproof” offshore hosting and legacy domains from countries that no longer exist.
Between July and December 2025, researchers tracked the digital footprints of carding operations, using advanced internet-wide scanning to pierce through the obfuscation layers criminals use to hide. The results paint a detailed picture of a fraud ecosystem that is as resilient as it is widespread.
To the uninitiated, credit card theft might seem like a simple grab-and-go crime. But the report describes it as a sophisticated, multi-stage “supply chain” where specialization is key.
“Once data is stolen, it is rarely used immediately by the thief. Instead, it is sold on specialized markets and cybercrime forums,” the researchers explain.
The value of this data fluctuates wildly. A stolen card might fetch anywhere from $5 to $150, with the price driven by the card’s credit limit, its country of origin, and whether it comes with “fullz”—complete identity details that make fraud easier to commit.
The investigation distinguished between two main types of criminal hubs: Carding Markets and Carding Forums.
Markets are purely transactional—the e-commerce sites of the underworld. “A carding market is primarily a transactional platform and is essentially an e-commerce site for stolen financial data,” the report notes. These automated vending carts (AVCs) allow criminals to filter stolen goods by bank or country with the ease of a legitimate online shopper.
Forums, on the other hand, are the social hubs. They are “discussion-based hubs where threat actors share intelligence, trade techniques, and build reputations”. This is where criminals network, review shops, and advertise “bulletproof” services to keep their operations online.
By utilizing internet-wide port scanning and passive DNS collection, Team Cymru identified 28 unique IP addresses and 85 domains hosting these illicit platforms.
The goal was to catch these servers before they could vanish behind protective shields. “The advantage of this internet-wide scanning is the ability to identify the underlying origin servers before they are obscured by Content Delivery Networks (CDNs) like Cloudflare,” the analysis states.
Perhaps the most striking finding is where these sites choose to live. The researchers found a heavy concentration of domains using Top Level Domains (TLDs) that offer “jurisdictional shielding”.
The most popular? .su, the country code for the former Soviet Union.
“The Soviet Union .su TLD belongs to a country that no longer exists. Its management, therefore, is often considered legacy and has historically had very loose registration and abuse policies,” the report highlights.
Other popular choices included .cc (often adopted because it can stand for “credit card”) and .ru, which remains largely unreachable by Western court orders.
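For defenders, the TLD concentration described above can feed a first-pass triage of resolver logs. The following is an added example, not code from Team Cymru or the report: it assumes a simple three-field log format, and every domain and IP address in it is constructed for illustration.

```python
from collections import Counter, defaultdict

# TLDs the report names as popular with carding sites. A match is a triage
# signal only: .ru and .cc also carry large amounts of legitimate traffic.
WATCHED_TLDS = {"su", "cc", "ru"}

# Constructed sample resolver log: "<ISO timestamp> <client IP> <query name>".
# All names and addresses are made up; none come from the report.
SAMPLE_LOG = """\
2025-11-03T09:14:02Z 10.0.4.17 shop-example.su.
2025-11-03T09:14:05Z 10.0.4.17 www.example.com.
2025-11-03T09:15:41Z 10.0.7.3 Forum-Example.CC
2025-11-03T09:16:10Z 10.0.4.17 shop-example.su.
2025-11-03T09:17:55Z 10.0.9.8 news.example.ru
2025-11-03T09:18:01Z 10.0.9.8 malformed
2025-11-03T09:18:30Z 10.0.9.8 resume.example.org
"""

def tld_of(qname):
    """Return the lower-cased rightmost label, or None for single-label names."""
    labels = qname.strip().rstrip(".").lower().split(".")
    if len(labels) < 2 or not labels[-1]:
        return None
    return labels[-1]

def triage(log_text, watched=WATCHED_TLDS):
    """Group watched-TLD lookups by client; returns (per_client, per_tld)."""
    per_client = defaultdict(Counter)
    per_tld = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        _, client, qname = parts
        tld = tld_of(qname)
        if tld in watched:
            # Normalise case and the trailing root dot so repeats aggregate.
            per_client[client][qname.rstrip(".").lower()] += 1
            per_tld[tld] += 1
    return dict(per_client), per_tld

if __name__ == "__main__":
    clients, tlds = triage(SAMPLE_LOG)
    for client, names in sorted(clients.items()):
        for name, hits in names.most_common():
            print(f"{client}\t{name}\t{hits}")
    print(dict(tlds))
```

Matching on the rightmost label rather than a substring keeps names such as `resume.example.org` out of the results; hits should be reviewed alongside other context before any action is taken.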
On the hosting side, the analysis pointed to Privex Inc. as the Autonomous System Number (ASN) with the most IP addresses associated with carding markets.
Privex markets itself as “privacy-minded infrastructure,” a pitch that appeals to legitimate privacy advocates and cybercriminals alike. The report notes that criminals can purchase servers “without providing any information about themselves and host illicit content without facing repercussions”.
By identifying these servers early, law enforcement and financial institutions can gather critical evidence for subpoenas and takedowns, potentially disrupting the “supply chain” before the stolen data can be cashed out.