Dark Web Marketplace Offers 1.2 Million Stolen Credit Cards as a Promotional Stunt

Oct 24, 2022

Dark web marketplaces periodically offer stolen credit cards for free as a promotional stunt, but a recent offering from an outfit calling itself “BidenCash” appears to be the largest one yet with a total of 1.2 million cards.

Of course, not all of the stolen credit cards are still valid; security experts who have looked over the dump think the number that are actually usable at this point may be a lot closer to 100,000 than one million (and dwindling by the day as they are flagged by banks and reported). However, some of the numbers have additional sensitive personal information attached to them, including Social Security numbers.

“Free” stolen credit cards meant to draw attention to underground merchant’s new servers

It’s hardly unusual for a dark web marketplace to be in possession of millions of credit card numbers for sale; it’s a volume business, given that stolen numbers often do not remain usable for very long, and individual numbers can sell for well under $1 each. However, a dump of 1.2 million stolen credit card numbers for free is an unusually large amount. At the time of the dump, BidenCash had just a little over two million numbers for sale.

According to security analysts, the BidenCash dump contains card numbers set to expire between 2023 and 2026 and about 30% of the numbers have not been seen before on underground forums. The majority of the numbers are from the United States, and just a little over half of the collection is issued by American Express. A subset of numbers that came from Italy appears to only be 10% active, a strong indication that most of the collection was already unusable when it was released.

Some numbers may have been pulled from previous dark web marketplace giveaways

In August of 2021, another dark web marketplace called AllWorld Cards released about a million stolen credit cards in a similar promotional stunt. BidenCash may have taken not only inspiration from that incident, but also some of the numbers for its own promotion. Those numbers have most likely long since been flagged by banks. Other numbers appear to have been taken from prior data breaches and are unlikely to be usable by criminals.

That does leave about 350,000 that have never been seen before and are potentially viable, however. About 70% of the new cards also have the full complement of information needed to immediately start making online purchases, such as the CVV code and the expiration date with the owner’s full name. Security analysts believe that the new cards were skimmed from various e-commerce sites that were hacked, with malicious scripts inserted to siphon off the payment information as customers place orders.

The stolen credit card giveaway was most likely prompted by BidenCash’s recent loss of domains that were taken out by a DDoS attack; the promotion was announced across multiple underground forums, likely to let people know about the group’s new domains.
