How do cybercriminals harvest and sell stolen credit card information
Executive summary
Cybercriminals harvest card data through malware (infostealers and PoS skimmers), phishing/credential harvesting, and breaches of merchants or payment processors, then package and sell it in underground “carding” markets as CVV lists, dumps, or bulk batches; Kaspersky estimates 2.3 million bank cards leaked in recent infostealer logs and every 14th infostealer infection yields card data [1], while research shows dumps often sell as grouped batches for roughly $100 on average [2]. Firms report credential-harvesting (phishing) is now a leading vector—accounting for 38% of retail compromises in 2023—while direct payment-card theft has declined but remains a major commodity in dark‑market trade [3] [4] [5].
1. How criminals collect card data: malware, skimmers, phishing and breaches
Cybercriminals use a portfolio of collection tools. Infostealer malware on victims’ devices captures autofill and keystrokes and has leaked millions of cards — Kaspersky’s analysis found 2.3 million bank cards exposed and estimates that roughly every 14th infostealer infection produces card data [1]. Point‑of‑sale (PoS) malware and physical skimmers remain effective: PoS infections can siphon card tracks undetected for months, producing huge dumps later sold on markets [6] [7]. Phishing and credential‑harvesting campaigns — including smishing and vishing — also harvest card details directly or steal login/session cookies that give access to stored payment methods; KnowBe4’s research showed credential harvesting accounted for 38% of retail compromises in 2023 [3] [4].
2. How the underground market packages and sells stolen cards
Stolen card data is commercialized in distinct products: single CVV entries, “dumps” containing many accounts, cloned‑card services and full identities. Academic and industry analyses describe “dumps” grouped from tens to hundreds of accounts and sold as batches, historically averaging about $100 per dump in studies of underground forums [2]. Modern carding sites operate like legitimate marketplaces, with categories, seller reputations and even post‑sale support in which sellers replace invalid cards, making the market buyer‑friendly [8] [5].
3. Market mechanics and pricing — why some data is cheap and some valuable
Price reflects freshness, completeness and associated PII. Card-only records (number, expiry, CVV) can be inexpensive; deeper bundles with Social Security numbers or additional KYC data fetch much higher prices. Reporting that complete stolen identities can trade for as little as $12 highlights how commoditized some identity elements have become, while specialized services (cloned physical cards or full dumps) command higher fees [9] [10] [2].
4. How criminals monetize stolen cards after purchase
Buyers convert card data into cash via test purchases, buying and reselling gift cards, or creating cloned physical cards for in‑person use; laundering often uses prepaid and gift cards to obscure trails [7]. Some actors use harvested PII to build synthetic identities or open new accounts, amplifying long‑term value from a single data set [11].
5. Shifts in tactics and the role of commoditized tools
The ecosystem has evolved: malware and “cybercrime‑as‑a‑service” toolkits make harvesting easy for low‑skill actors, and automated agents and AI tools increasingly refine attacks in real time [11]. Meanwhile, reports show a shift toward credential harvesting (phishing) as a dominant retail threat vector even as card theft continues to supply underground markets [3] [4].
6. What defenders and consumers are told to do — and limitations
Security vendors and payment networks push PCI compliance, threat intelligence, and skimmer detection; Mastercard and others have launched payment threat‑intelligence offerings to disrupt card‑related malware and skimming [12]. Consumers are urged to monitor statements, enable fraud alerts and use password managers and MFA, but sources note these controls cannot stop mass breaches or PoS compromises on their own [5] [12] [8].
7. Reporting caveats and unresolved questions
Available sources document scale, vectors and market behavior but differ on trend emphasis: some report payment‑card theft declining as credential theft rises [3] [4], while other analyses still highlight large dumps and millions of leaked cards from PoS or infostealer incidents [1] [6]. Sources do not provide a single, consolidated global price list or granular, real‑time market turnover figures — those specifics are not found in current reporting.
Limitations: this summary relies on vendor reports, industry research and academic studies provided; methodological differences and private underground activity mean exact volumes and prices are estimates rather than settled facts [1] [2] [3].