Flashpoint analysts investigated the Bitcoin cluster associated with a reputable underground carding marketplace in order to identify the size of the market, its earnings, and the scope of the damage to financial institutions from the fraudulent use of credit cards sold on the website.
Carding marketplaces, often called “card shops,” sell payment card data labeled as “dumps” or “CVVs.” “Dumps” refers to track data stolen during card-present transactions at retailers by compromising Point of Sale systems with malware. “CVVs” refers to card-not-present data sourced during customer transactions with online retailers or through phishing attacks. The marketplace examined by Flashpoint in this brief sells exclusively CVV data. As of this writing, there are approximately 30 marketplaces that sell dumps and CVVs.
Utilizing the Chainalysis Bitcoin investigation tool, we linked addresses generated by the marketplace for its customers to the root address of its Bitcoin cluster, or wallet.
The cluster contains over 600 unique Bitcoin addresses, one for each of the marketplace’s customers. These addresses are used by the buyers to deposit funds into their accounts.
The first transaction for the cluster took place in early June 2014. The cluster remains active as of this writing. Within a span of approximately one year, the cluster has received nearly 5,000 Bitcoins. By using the average exchange rate for the period of June 2014 to July 2015 (calculated by combining average monthly exchange rates) of $363 USD per Bitcoin, we estimate that the marketplace has generated approximately $1,784,000 in revenue in the last 13 months.
Considering that the marketplace operates on commission by charging its vendors 10% for all sold items, the shop’s proprietors earned $178,000, remitting $1,606,000 to its vendors.
Using the average price of $3.493 for a credit card on the marketplace, we were able to estimate that 510,736 cards were sold on the shop during the relevant time period.
Image: Distribution of card prices.
Finally, considering the average approval rate of the site’s cards at 70% and the estimated amount of fraudulent charges of $100 per compromised payment card, we assess that the website facilitated approximately $36,000,000 in losses to online retailers and issuing financial institutions in the last 13 months.