Carding forum B1ack’s Stash claims to have released millions of stolen CVV2 payment card records for free after suspending sellers.
B1ack’s Stash, one of the most active stolen card marketplaces on the dark web, has released 4.6 million credit card records for free, not because of a law enforcement action or a system compromise, but essentially as a punishment for its own sellers behaving badly.
The story behind the dump is almost mundane in its internal logic. Some vendors who had purchased stolen card data through B1ack’s Stash were caught reselling that same data on competing platforms, which violated the marketplace’s terms of service. In response, the operators suspended 8 million stolen CVV2 records linked to those sellers and decided to release a portion of the inventory for free rather than simply deleting it. A public dump as a disciplinary measure, the dark web equivalent of burning the merchandise in the town square.
Each record in the release is unusually complete. According to an analysis by SOCRadar, the data includes full card numbers, expiration dates, CVV2 codes, cardholder names, billing addresses, email addresses, phone numbers, and IP addresses, everything a fraudster would need in a single entry. That level of detail points toward e-skimming or phishing as the original collection method, since both techniques capture data at the point of entry rather than pulling it from static databases.
SOCRadar validated a portion of the records and found that some had already expired or appeared as duplicates. After filtering, roughly 4.3 million records appear to be fresh and potentially usable. That is not a small number.
The geographic spread is wide but skewed heavily toward the United States, which accounts for around 70 percent of the cards. Canada, the United Kingdom, France, and Malaysia round out the top five source countries. The presence of Asian financial centers in the broader dataset, Hong Kong, Singapore, Thailand, suggests this is not the product of a single regional operation.
“The presence of Asian financial hubs like Hong Kong, Singapore, Thailand, and Malaysia in the top 15 suggests the dataset is not solely the product of a single regional operation, but draws from multiple skimming or phishing campaigns targeting English-speaking and high-purchasing-power markets globally.“ reads the report published by SOCRadar.
B1ack’s Stash has been running since at least 2023 and has a pattern of using free data releases as a marketing tool. In April 2024 it gave away one million cards to new registrants. In February 2025 it released over four million records to drive traffic. This latest dump follows the same playbook — the internal dispute with sellers just provided the pretext this time.
The practical risk from a release like this runs across several categories. The most immediate is card-not-present fraud: unauthorized online purchases made using the card details before the accounts are flagged and the cards cancelled. But the depth of the accompanying personal data opens up a longer list of possibilities.
“The richness of the leaked records – full PAN, CVV2, expiration date, billing address, full name, email, phone, and IP address in a single entry – creates compounding risks that go well beyond simple card fraud.” continues SOCRadar
Fraudsters working with this kind of profile can attempt to open new credit accounts, apply for loans, or build convincing phishing lures that reference real personal details to establish credibility.
For anyone whose card data might be in this set, and given the volume and the US-heavy distribution, that is a realistic concern for a significant number of people, the standard advice applies: watch statements closely for unfamiliar transactions, consider a temporary freeze on credit if you have reason to be concerned, and be especially skeptical of any incoming communications that reference personal or financial details with unusual specificity.
That last point matters more than it usually does when the leaked data includes email addresses and phone numbers alongside the card details. Targeted phishing built on accurate personal information is considerably more convincing than the generic variety.
In February 2025, B1ack’s Stash released another collection of over 1 million unique credit and debit cards. Experts speculate that B1ack’s Stash used the free card release as a marketing strategy. The decision to release free samples aims at attracting new customers and gain notoriety in the cybercrime ecosystem.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, B1ack’s Stash)
