Full Report
In cybercrime markets, trust isn't assumed, it's verified. Flare reveals how underground guides teach actors to evaluate carding shops based on data quality, reputation, and survivability. [...]
Analysis Summary
# Tool/Technique: Cybercrime Marketplace Vetting (Carding Shop Evaluation)
## Overview
This technique involves a structured methodology used by threat actors to identify, verify, and monitor "legitimate" (reliable) underground marketplaces for stolen credit card data. The purpose is to mitigate risks associated with scams, law enforcement "honeypots," and poor-quality data within the volatile cybercrime ecosystem.
## Technical Details
- **Type**: Technique / Operational Security (OPSEC)
- **Platform**: Web-based underground forums and specialized e-commerce CMS for illicit goods.
- **Capabilities**: Supplier reputation scoring, data quality verification (BIN checking), and infrastructure resilience assessment.
- **First Seen**: Documented in Flare’s April 2026 report (referencing "The Underground Guide to Legit CC Shops").
## MITRE ATT&CK Mapping
Marketplace vetting is pre-intrusion tradecraft rather than an intrusion technique, so the mapping below is approximate and sits almost entirely in Resource Development.
- **[TA0042 - Resource Development]**
- **[T1583.003 - Acquire Infrastructure: Virtual Private Server]**: Hosting shop mirrors and the infrastructure used to reach marketplaces.
- **[T1589.001 - Gather Victim Identity Information: Credentials]**: Purchasing stolen card and cardholder data from vetted shops is the closest fit (ATT&CK has no sub-technique named "Identity Accounts"; T1586.003 is Compromise Accounts: Cloud Accounts and does not describe buying stolen data).
- **[TA0011 - Command and Control]**
- **[T1090.003 - Proxy: Multi-hop Proxy]**: Reaching shops over Tor/I2P hidden services. This is onion routing, not a non-standard port (T1571); Tor traffic commonly uses 443 or 9001.
## Functionality
### Core Capabilities
- **BIN (Bank Identification Number) Analysis**: Evaluating shops on the BIN ranges they stock and on how "fresh" the cards under those BINs are. A BIN is the first six to eight digits of a card number and identifies the issuer; freshness refers to the cards themselves, meaning recently compromised and not yet reissued, which typically traces back to a recent Point-of-Sale (PoS) or e-commerce breach.
- **Survivability Assessment**: Monitoring the longevity of a shop’s domain and infrastructure to determine if it can withstand law enforcement takedowns.
- **Data Quality Testing**: Using automated "checkers" to verify decline rates and card validity before large-scale purchases.
### Advanced Features
- **Escrow Integration**: Utilization of third-party mediation services to hold funds until data validity is confirmed.
- **Community-Driven Verification**: Leveraging invite-only, closed-forum discussions and historical reputation threads to bypass fake on-site testimonials.
- **Adversarial Pressure Monitoring**: Evaluating shop security features (e.g., PGP encryption, two-factor authentication, and "burn" protocols) to judge resilience against law enforcement.
## Indicators of Compromise
- **File Names**: `The Underground Guide to Legit CC Shops: Cutting Through the Bullshit` (PDF/Text guide).
- **Network Indicators**:
- `CardingHub[.]ac` (identified as a shop mentioned in the guide).
- Tor `.onion` addresses associated with high-reputation carding forums.
- **Behavioral Indicators**: Repeated small-volume "test" transactions (carding "checking") from specific IP ranges associated with residential proxies.
## Associated Threat Actors
- **Carders and Fraudsters**: Financially motivated actors specializing in the theft and monetization of payment card industry (PCI) data.
- **Initial Access Brokers (IABs)**: Who may sell the access that generates the "fresh" card data.
## Detection Methods
- **Behavioral Detection**: Monitoring for "card-testing" behavior on e-commerce checkout pages (multiple rapid, low-value authorization attempts).
- **Threat Intelligence**: Monitoring underground forums for mentions of specific SHOP domains or new "mirror" URLs.
- **YARA rules and DLP**: YARA rules to find card-number-shaped data in files at rest or in transfer (exfiltration staging, unauthorized exports), and DLP or IDS signatures for the same on egress traffic. Luhn is a checksum, not a pattern: match 13-19 digit runs first, then validate the checksum to discard most order IDs, timestamps and other digit runs.
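The candidate-then-checksum approach described above, as an added example that is not code from the Flare report. It scans text for 13-19 digit runs (with optional space or hyphen separators), validates each with the Luhn algorithm, and masks the hits so a DLP alert never re-leaks the PAN. The sample text and the test PANs are constructed; the PANs are the widely published Visa, Mastercard and American Express test numbers, not stolen data.

```python
import re
from typing import List, Tuple

# Candidate PAN: 13-19 digits, digits optionally separated by a single space or hyphen,
# not preceded or followed by another digit (so a 20-digit run is not a candidate).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (ISO/IEC 7812 mod-10) check over a pure digit string."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN (first 6) and last 4, mask the rest; what an alert may safely carry."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> List[str]:
    """Return the unmasked PANs that are Luhn-valid. Caller decides what to do with them."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if len(set(digits)) == 1:      # 0000000000000000 passes Luhn; never a real PAN
            continue
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def scan_lines(text: str) -> List[Tuple[int, str]]:
    """(line number, masked PAN) for every Luhn-valid hit, suitable for a DLP alert."""
    out = []
    for n, line in enumerate(text.splitlines(), start=1):
        for pan in find_pans(line):
            out.append((n, mask_pan(pan)))
    return out


# Constructed sample: an export file with a real-looking PAN, a digit run that merely
# looks like one (order id, fails Luhn), and a PAN with a corrupted check digit.
SAMPLE_TEXT = """\
2026-04-02T10:14:03Z upload user=alice file=orders_export.csv
order_id=1234567890123456 card="4111 1111 1111 1111" amount=84.99
order_id=1234567890123457 card="4111111111111112" amount=12.00
refund ref=20260402101403 amex=378282246310005
"""

if __name__ == "__main__":
    for line_no, masked in scan_lines(SAMPLE_TEXT):
        print(f"line {line_no}: possible PAN {masked}")
```

Luhn validation removes roughly 90% of random digit runs of the right length, so a second filter (keywords such as `card`, `pan`, `cvv` nearby, or a list of your own BINs) is still needed before blocking traffic on a hit.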
## Mitigation Strategies
- **Payment Security**: Implement 3D Secure (3DS2) so that card-not-present transactions can be stepped up to issuer authentication of the cardholder; stolen card data alone then no longer completes a purchase.
- **Velocity Tracking**: Implement rate-limiting on payment gateways to prevent automated BIN testing.
- **Dark Web Monitoring**: Actively monitor for internal company BINs appearing on marketplaces like "CardingHub" to identify potential breaches early.
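Card-testing detection and velocity limiting (the behavioral detection and the rate-limiting mitigation above) are two halves of one control: the detector decides which keys are testing cards, the gateway refuses further authorizations from them. The block below is an added example, not Flare's code or a vendor product. It keys a sliding window on client IP and on checkout session (IP alone is defeated by the residential-proxy rotation noted under Behavioral Indicators), and alerts on many distinct cards, tiny amounts and a high decline rate, which is what separates a tester from a shopper retrying one card. The log format, the thresholds and the sample lines are constructed; `pan_hash` stands for a keyed hash of the card number, never the number itself.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, List, Tuple

# Constructed sample: payment-gateway authorization log, one attempt per line.
# Fields: ts,client_ip,session,bin,pan_hash,amount,result   (pan_hash = HMAC of the PAN)
SAMPLE_AUTH_LOG = """\
2026-04-02T10:14:00Z,203.0.113.10,s1,411111,h1,1.00,declined
2026-04-02T10:14:03Z,203.0.113.10,s1,411111,h2,1.00,declined
2026-04-02T10:14:05Z,203.0.113.10,s1,555555,h3,1.00,declined
2026-04-02T10:14:08Z,203.0.113.10,s1,555555,h4,1.00,approved
2026-04-02T10:14:11Z,203.0.113.10,s1,378282,h5,1.00,declined
2026-04-02T10:14:14Z,203.0.113.10,s1,411111,h6,1.00,declined
2026-04-02T10:20:00Z,198.51.100.7,s2,411111,h9,84.99,declined
2026-04-02T10:20:30Z,198.51.100.7,s2,411111,h9,84.99,declined
2026-04-02T10:21:00Z,198.51.100.7,s2,411111,h9,84.99,approved
"""

Key = Tuple[str, str]  # ("ip", value) or ("session", value)


@dataclass(frozen=True)
class AuthAttempt:
    ts: datetime
    client_ip: str
    session: str
    bin6: str
    pan_hash: str
    amount: float
    approved: bool


def parse_line(line: str) -> AuthAttempt:
    ts, ip, session, bin6, pan_hash, amount, result = line.strip().split(",")
    return AuthAttempt(
        ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        client_ip=ip, session=session, bin6=bin6, pan_hash=pan_hash,
        amount=float(amount), approved=(result == "approved"),
    )


class CardTestingDetector:
    """Sliding-window velocity check per IP and per session (thresholds are assumptions)."""

    def __init__(self, window_s: int = 60, min_attempts: int = 5, min_distinct_cards: int = 3,
                 max_avg_amount: float = 5.0, min_decline_rate: float = 0.5) -> None:
        self.window = timedelta(seconds=window_s)
        self.min_attempts = min_attempts
        self.min_distinct_cards = min_distinct_cards
        self.max_avg_amount = max_avg_amount
        self.min_decline_rate = min_decline_rate
        self.history: Dict[Key, Deque[AuthAttempt]] = defaultdict(deque)
        self.flagged: set = set()

    @staticmethod
    def _keys(a: AuthAttempt) -> List[Key]:
        # Two keys: proxies rotate IPs, but the checkout session usually persists.
        return [("ip", a.client_ip), ("session", a.session)]

    def should_block(self, a: AuthAttempt) -> bool:
        """Velocity limit: refuse to forward an authorization from an already-flagged key."""
        return any(k in self.flagged for k in self._keys(a))

    def observe(self, a: AuthAttempt) -> List[dict]:
        alerts = []
        for key in self._keys(a):
            q = self.history[key]
            q.append(a)
            while q and a.ts - q[0].ts > self.window:   # drop attempts outside the window
                q.popleft()
            if key in self.flagged or len(q) < self.min_attempts:
                continue
            n = len(q)
            distinct = len({x.pan_hash for x in q})
            avg_amount = sum(x.amount for x in q) / n
            decline_rate = sum(1 for x in q if not x.approved) / n
            # A shopper retrying one card has distinct == 1 and never trips this.
            if (distinct >= self.min_distinct_cards and avg_amount <= self.max_avg_amount
                    and decline_rate >= self.min_decline_rate):
                self.flagged.add(key)
                alerts.append({"key": key, "attempts": n, "distinct_cards": distinct,
                               "avg_amount": round(avg_amount, 2),
                               "decline_rate": round(decline_rate, 2)})
        return alerts


def run(log_text: str) -> Tuple[List[dict], List[AuthAttempt]]:
    """Replay the log: returns (alerts raised, attempts the gateway would have refused)."""
    det = CardTestingDetector()
    alerts, blocked = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        a = parse_line(line)
        if det.should_block(a):
            blocked.append(a)       # rate-limit hit; in production return a generic decline
        alerts.extend(det.observe(a))
    return alerts, blocked


if __name__ == "__main__":
    for alert in run(SAMPLE_AUTH_LOG)[0]:
        print(alert)
```

Keep the blocked attempts in the window as well: a tester who is refused still counts as activity, and the generic decline should not tell them which cards were live.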
## Related Tools/Techniques
- **Magecart/E-commerce Skimming**: The primary method for sourcing the "fresh" data these shops sell.
- **Credential Stuffing**: Often used in conjunction with carding to access user accounts on merchant sites.
- **BIN Checkers**: Automated tools used to verify the validity of stolen cards.