Hacker published 1 million payment cards data for free; users of 1000 banks in 100 countries, including India, Mexico, US, Australia & Brazil affected

In early August, Group-IB researchers began tracking unusual activity on a hacking forum specializing in selling stolen payment cards. According to the researchers, the user AW_cards posted a link that directed users of a couple dark web forums to an archive with more than 1 million stolen financial records, available to anyone interested completely free of charge. The leak includes user data in more than 100 countries, including Brazil, India, Mexico and the United States.

This is a tremendously unusual fact, since on few occasions cybercriminals leak this valuable information for free, especially considering that this database is not available in other hacking forums and that apparently it is information that had not been leaked in previous incidents.

SOURCE: Group-IB

On August 2, the same message AW_cards published on CRDCLUB and XSS, two forums for the sale of payment cards. As mentioned above, the user uploaded a database with 1 million payment records, some of which also included email addresses and phone numbers.

SOURCE: Group-IB

To be precise, the database was contained in a zip file protected with a password and stored a total of 1 million records, including data such as:

  • Card number and username
  • Due date
  • CVV code
  • Country
  • State/City
  • Address
  • Telephone number and email address (only in some cases)

The publications caught the attention of the researchers, who decided to carry out a thorough analysis to find all the possible details of this leak.

According to Group-IB, 22% of the compromised information belongs to users in India, while 18% belongs to users in Mexico and the United States, while the rest belongs to affected users in Brazil, Australia, the United Kingdom, South Africa, Turkey and other countries. 

SOURCE: Group-IB

The attackers claim that this leak is completely legitimate, although the Group-IB report notes that these cards would have been compromised between 2018 and 2019. Even so, it should be noted that practically all registrations are still valid and, while experts only found 810 overdue payment cards, they found about 28 thousand cards that will expire in a couple of weeks.

The unusual features of this incident led investigators to conclude that this is a kind of dark web marketing strategy with which operators sought to increase the level of users of All World Cards, an illegal platform established in May 2021.

While Group-IB confirmed that the leak is composed of data compromised in other incidents, this report should be taken seriously, as the vast majority of exposed payment cards continue to be used. The only possible protection is to hope that the users affected by the leak have already taken the necessary measures against wire fraud and identity theft.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.