Old methods of protection are powerless in the face of automated conveyor belts.

Despite years of combating it, bank card fraud hasn't disappeared under pressure from banks and payment systems, but has instead transformed into a resilient shadow market. The authors of the Rapid7 report described how "dump shops" and large platforms have transformed the sale of stolen data into convenient marketplaces with filters, guarantees, and support, almost reminiscent of legitimate e-commerce.
Rapid7 calls this model "carding-as-a-service." It refers to bundled offerings that combine card data, verification tools, and refund policies. Meanwhile, personal information is increasingly being added to card details, leading to losses that extend beyond direct charges and into identity theft and account takeovers.
The report identifies three main types of "products." These are sets containing card data and security codes, "dumps" containing raw magnetic stripe data for cloning cards, and "fulls" containing an extended cardholder profile, including contact information and other identifiers. The sources of leaks are typically concealed by the platforms, but the most common topics discussed on specialized forums include phishing, physical overlays and devices on terminals and ATMs, malware for POS systems and infostealers, and attacks on payment pages through script injection.
Rapid7 separately analyzed three prominent platforms that continue to influence the market: Findsome, UltimateShop, and Brian's Club. All operate similarly: they offer search by BIN, country, and "databases," list the expiration date, issuing bank, and price, and state refund policies for listings that prove invalid. These platforms appear to be aggregators that purchase packages from third-party sellers and resell them after their own "quality check," which is why the same packages can appear in multiple places.
Findsome, according to the report, has been operating since at least 2019, sells primarily card data and full accounts, and has introduced paid access for new accounts. UltimateShop has been operating since at least 2022 and relies more heavily on a small group of large sellers, which, as the authors note, may impact the rate of invalid data. Brian's Club, which has been operating since 2014, stands out for its wide selection of dumps and a tool that simplifies data preparation for physical cloning.
All three platforms accept Bitcoin, and Findsome, according to Rapid7, also supports other cryptocurrencies. Administrators frequently change domains on the open network to reduce the risk of blocking, while the number of lookalike sites posing as "official" and stealing funds from buyers is growing.
In the statistics section, the authors caution that the figures are taken from the platforms themselves and cannot be independently verified. According to these data, Findsome has the largest share, followed by UltimateShop and Brian's Club. Among brands, Visa and Mastercard are the most frequently encountered, and geographic distribution is dominated by posts related to the US, with Canada and the UK significantly less frequent. The peak of posts occurred in November and December, which is associated with the shopping season.
Rapid7 expects the market to shift from mass-market magnetic stripe schemes to the sale of "rich" data sets containing personal data suitable for phishing, account takeover, and other identity attacks. Recommendations for companies include multi-factor authentication, regular updates, protection of payment pages from client-side exploits, and monitoring of shadow marketplaces to more quickly identify leaked data and initiate card reissues and account resets.
