How do carding websites obtain and verify stolen payment card data?

1. How the stolen data enters the ecosystem — theft, skimming and markets

Cybercriminals collect card data in several documented ways. Web‑skimming and payment‑page compromise scrape card numbers from e‑commerce checkouts; ATM or POS skimmers physically copy mag‑stripe data; large breaches and compromised e‑commerce sites also leak full card records. Those datasets then circulate on criminal marketplaces and carding sites where they are aggregated and sold ^{[6] [3] [7]}. Mastercard’s threat intelligence reporting shows malicious domains used to steal payment data impacted thousands of sites and tied to large fraud losses, underscoring that mass theft of card data is a principal source of supply ^[5].

2. Organizing product: BINs, “fullz” and quality tiers

Carding ecosystems structure stolen records by BIN (the first 4–6 or commonly first 6 digits), issuer, country and the presence of CVV/expiry/holder name. Sellers label sets by freshness and “non‑VBV” or “non‑3DS” status; higher‑quality, freshly verified cards command better prices. Research and reporting note dedicated dashboards, pricing tiers and even newsfeeds on carding platforms that mirror legitimate marketplaces ^{[1] [7]}.

3. Verification at scale: Card checkers, bots and low‑value transactions

The primary verification method is automated testing. “Card checkers” and bot fleets attempt authorizations against payment processors or merchant checkouts, often making very small charges or authorization holds to confirm a card is live. Successful checks are marked as “verified” and resold or used for larger fraud. This three‑step pattern—harvest, validate with bots, then monetize—appears across technical explainers and industry guides ^{[2] [1] [8]}.

4. Supporting tooling: Fraud panels, proxies and BIN checkers

Card‑testing operations use fraud panels (web dashboards) to manage tests, rotate proxy servers or SOCKS proxies to avoid IP blocks, and employ BIN checkers to infer issuer, card type and security layers. These operational tools let attackers scale verification while attempting to evade merchant and processor defenses ^{[1] [3]}.

5. Cashing out and secondary techniques

Once verified, cards are used for direct purchases (often gift cards or resaleable goods), account takeovers, or sold to other criminals. Some carders exploit “reshipping” or mule networks to launder goods; others seek aged merchant accounts or non‑VBV targets to avoid 3‑D Secure interruptions. Reporting also documents fraudulent refund or “refunder” techniques to extract funds ^{[6] [9] [7]}.

6. Where defenders are winning — authentication, tokenization and intel

Payment industry and merchants are deploying countermeasures: 3‑D Secure routes authentication to issuers; tokenization renders captured tokens useless elsewhere; AVS and device/IP reputation raise false‑positive risk for attackers; and threat‑intelligence programs can detect and help takedown malicious domains used for skimming. Mastercard cites threat‑intel efforts that identified thousands of malicious domains and linked them to large estimated fraud losses, showing industry coordination can reduce supply and detect testing activity ^{[4] [5]}.

7. Practical implications for merchants and consumers

Merchants face chargebacks and processor penalties when tests spike; recommended defenses include enforcing 3‑D Secure, blocking anomalous burst traffic and monitoring for patterns of low‑value, high‑decline transactions. Consumers are advised in vendor guidance to use virtual cards and avoid insecure networks, though specific consumer tips vary by source ^{[10] [11] [12]}.

8. Conflicting narratives and limitations in reporting

Some underground forums publish lists of “cardable” targets and claim many sites still accept non‑VBV transactions; those claims reflect adversary experience but may be inflated to attract customers ^{[13] [9]}. Conversely, industry sources emphasize improved defenses and detection. Available sources document both the offensive tooling (card checkers, BIN analysis) and evolving defensive tech (3DS, tokenization, threat intel), but they do not provide exhaustive statistical rates of verification success or precise market prices beyond isolated examples, so the scale and profitability should be treated as indicative rather than fully quantified ^{[1] [5] [2]}.

9. Bottom line for policymakers and security teams

The cycle—data theft, automated verification, monetization—is well documented and continues to evolve with new tools on both sides. Effective mitigation requires collaborative threat intelligence, stronger authentication (3‑D Secure), merchant hardening against skimming, and attention to the operational signals of card‑testing attacks ^{[2] [5] [4]}. Available sources do not mention specific law‑enforcement outcomes for the most recent marketplaces beyond historical takedowns and industry takedown work ^{[6] [5]}.