Keep Factually independent
Whether you agree or disagree with our analysis, these conversations matter for democracy. We don't take money from political groups - even a $5 donation helps us keep it that way.
Fact check: Carding
Executive Summary
Carding is a form of payment-card fraud where stolen card data is used to make purchases, convert balances into cash or near-cash instruments, and move value via intermediaries; recent reporting highlights both traditional carding markets on the darknet and novel “Ghost Tap” NFC techniques that exploit digital wallets. Researchers, payment firms, and law enforcement reported activity and responses across September–October 2025, with industry pushing AI detection and banks urged to tighten wallet onboarding, while police actions against dark-web networks demonstrate enforcement but do not eliminate supply channels [1] [2] [3] [4].
1. Criminals are evolving: from card dumps to NFC “cash-out” tricks
Reporting in September 2025 documents a shift where criminals no longer rely solely on physical card cloning or online card-not-present buys; attackers add stolen card data to mobile wallets and use NFC relay or “Ghost Tap” methods to cash out at contactless terminals or through money mules. This technique exploits gaps in tokenization and wallet enrollment checks, allowing fraudsters to monetize stolen PANs quickly. Researchers and journalists warn that digital-wallet onboarding and contactless acceptance are new fraud surfaces requiring stronger controls from banks and wallet providers [2].
2. Carding remains centered on darknet supply chains and commercial conversion
Multiple analyses lay out the economics: credit/debit data are bought and sold on darknet markets, then converted into goods, gift cards, cryptocurrency, or cash via intermediaries. The darknet continues to supply carding with volume and variety, supporting sustained fraud operations. Law enforcement takedowns in 2025 show disruption of networks but also illustrate resilience and global reach—seizures and arrests reduce capacity temporarily but do not erase demand or the underlying infrastructure [5] [6] [7].
3. Industry response: fraud detection and AI acceleration
Payment industry announcements in October 2025 emphasize investments in detection technologies, including generative AI models and enhanced analytics to spot patterns indicative of carding or NFC relay activity. Mastercard and others promoted tools aimed at earlier detection and customer protection, reflecting a defensive posture leaning on machine learning to reduce false positives while accelerating fraud interdiction. Firms frame AI as a force-multiplier, though deployment timelines and measurable impact remain operational questions for banks and merchants [3].
4. Prevention toolkit: what merchants and issuers are urged to deploy
Analyses converge on several mitigations: stricter wallet onboarding, dynamic risk scoring for contactless transactions, stronger AVS/CVV/3DS enforcement for online flows, CAPTCHA/GDPR-compliant bot controls, and proactive account monitoring. The security community stresses that multi-layer controls—both technical and business-process—are necessary because no single control blocks new cash-out methods alone. Authorities and vendors recommend combining behavioral signals with transaction limits and manual review for high-risk onboarding [1] [8].
5. Law enforcement victories are real but partial and episodic
September 2025 RCMP operations and an international multi-country sweep demonstrate capacity to disrupt dark-web markets and arrest operators; these actions produce seizures, indictments, and temporary market dislocation. However, reporting also shows that arrests do not eliminate carding supply chains, since marketplaces migrate, vendors reappear, and cryptocurrency rails enable rapid value movement. The enforcement narrative emphasizes success while acknowledging the cat-and-mouse dynamic between investigators and cybercriminal networks [4] [7].
6. Conflicting emphases: industry optimism versus criminal ingenuity
Industry communications highlight technological progress and protective services as evidence of reduced consumer risk; researchers and journalism underline adaptable criminal tactics that exploit systemic gaps. Both perspectives are valid: payment networks can and do reduce certain fraud vectors, yet novel attack patterns—like Ghost Tap—demonstrate criminals adapt faster than some operational controls. Readers should treat vendor claims of readiness as part of a risk-management story rather than definitive elimination of carding [3] [2].
7. Consumer action and residual risk: what cardholders should know
Practical guidance across sources urges consumers to monitor statements, enable alerts, avoid sharing OTPs, and use card protections offered by issuers; these measures reduce victim impact but cannot stop systemic carding supply. The emphasis on individual vigilance highlights a residual risk: consumer steps mitigate consequences but do not close supply or cash-out channels, which require coordinated industry and law-enforcement responses to address comprehensively [8] [5].
8. Bottom line for policymakers, banks and researchers
The combined evidence from September–October 2025 indicates that carding remains a dynamic threat, evolving into contactless and wallet-based cash-out schemes even as darknet supply is intermittently disrupted. Effective reduction of carding requires synchronized action—stronger wallet enrollment controls, improved tokenization practices, AI-assisted detection, marketplace disruption by police, and transparency from payment firms about effectiveness of mitigations. The public debate will center on how rapidly industry and regulators can adapt versus how quickly criminals innovate, a gap that current reporting shows remains substantive [3] [2] [4].