What are CVV, dumps, and fullz and how do they differ in fraud marketplaces?
Executive summary
CVVs, dumps, and Fullz are distinct product types traded on underground fraud marketplaces: CVVs are cardholder records optimized for online (card-not-present) purchases, dumps are raw magnetic-stripe data used to clone physical cards, and Fullz are comprehensive identity packages that bundle card data with personal identifiers for broader fraud and account takeover — each carries different use cases, prices, and operational tradeoffs for criminals [1] [2] [3].
1. What each term actually means
“CVV” in underground parlance refers to a package containing the card number, expiration date, cardholder name and billing address plus the CVV2 code needed for many online transactions, not simply the three digits on the card face [1] [4]; “dumps” are the raw track data copied from a card’s magnetic stripe that can be written to a blank card to create a physical clone [2] [5]; and “Fullz” (or “fulls”) are fuller identity dossiers — card details plus Social Security numbers, dates of birth, addresses and other PII — designed to enable more complex fraud such as account takeover, new accounts, or tax refund schemes [4] [3] [6].
2. How criminals obtain these commodities
CVVs commonly come from ecommerce breaches, phishing, or malware that capture checkout data, while dumps come from point-of-sale malware, skimmers, or breaches of merchant infrastructure that extract magnetic-stripe track data [5] [2]. Fullz often arrive as a downstream product of larger data breaches, aggregation of multiple breached sources, or targeted identity theft operations that stitch together disparate records into a usable package [3] [6].
3. How fraudsters use each product
CVVs are optimized for card-not-present (CNP) fraud — online purchases where a billing address and CVV suffice — and are therefore the go-to for immediate e-commerce cash-outs [1] [5]. Dumps enable creation of cloned physical cards and are used at ATMs or in-store terminals, a use that remains lucrative where magnetic stripes are still accepted [2] [7]. Fullz enable higher-value or longer-lived schemes — opening new accounts, passing KYC checks, executing tax-refund or medical-identity fraud, and solving “out-of-wallet” security questions that simple card data cannot [4] [6].
4. Relative value and pricing dynamics
Market prices reflect monetization potential: simple CVV records for U.S. cards typically trade for low single-digit to low-double-digit dollars, dumps command higher prices because they enable physical cloning (often $20–$125 in reporting), and Fullz routinely fetch the highest premiums — commonly $20–$100 and sometimes substantially more when the dossier is fresh, high-quality, or includes SSNs and DOBs [1] [3] [2]. Variations arise by geography, card type, freshness, and the presence of EMV/chip protections that shift criminal demand toward Fullz for account takeover when cloning becomes harder [3] [8].
5. Market mechanics, risks and incentives
These products are traded on card shops, dark‑web marketplaces and encrypted chat channels using cryptocurrencies; sellers advertise validity rates, country filters and “kitz” that bundle documents to help cash out [9] [10] [11]. Law-enforcement takedowns, marketplace promotions (leaked datasets), and competitive features (search filters, refund guarantees) shape supply and trust in the illicit economy, while technological changes — EMV adoption, better fraud detection, stronger authentication — alter which products are most profitable and push criminals toward account‑based fraud that Fullz facilitate [10] [8] [12]. Sources reporting on marketplace dynamics have implicit agendas: cybersecurity firms emphasize threat severity and mitigation to sell services, while investigative outlets focus on sensational breaches that can skew perception of relative prevalence [10] [12].
6. Bottom line and unanswered questions
CVVs, dumps and Fullz occupy complementary roles in the fraud ecosystem: CVVs for quick online spending, dumps for physical cloning, Fullz for identity-based, higher-return fraud — their prices and desirability shift as defenses and merchant practices evolve [1] [2] [3]. Reporting documents these distinctions but has limits: available sources provide price ranges, use cases and market behavior, yet gaps remain about exact volumes, the lifecycle from breach to sale, and how effective current industry countermeasures are in stopping the resale and weaponization of each data type [3] [11] [12].