From 2019 through 2022, the supply of stolen credit cards fell by almost 90%. Demand seems to have dropped too. Here’s why.
There is something magical about the simplicity of a credit card. With a single swipe, wave, or click, a number printed on a piece of plastic catalyzes commerce between the merchant and buyer. However, because it is so easy to use a card for purchasing, we would imagine that malicious actors strongly desire to steal credit cards and use them for their ends.
The deep and dark web hosts many marketplaces selling compromised credit cards. Attackers generally procure these cards by targeting e-commerce sites through data breaches and phishing scams or with physical hacking tools such as skimmers and shimmers installed on ATMs, point-of-sale terminals, and gas stations.
But all is not well in the underground credit card markets. Over the last few years, there has been a dramatic decline in the number of cards offered for sale: in 2019, dark web markets listed approximately 140 million compromised cards for sale. This declined by 28% to over 102 million in 2020, which in turn declined by 60% to about 42 million in 2021. This year, based on our numbers from H1, we project a drop of 77%, to only about 9.1 million cards.
Figure 1: Compromised credit cards sold on underground markets. The quantity has fallen from over 140 million in 2019 to a projected 9.1 million in 2022.
Furthermore, the number of markets is in decline, from 47 in 2019 to 38 in 2022 (though they rebounded after the low in 2020 when Russian authorities shut down some of the larger sites).
Figure 2: The overall number of credit card markets has been in decline
However, a closer look shows that the remaining markets are far smaller than their predecessors. That is, the number of large markets (defined as selling 100K+ cards per year, or 50K+ in 2022 H1) dropped from 38 in 2019 to 8 in 2022.
Figure 3: The number of large underground markets (those that listed 100K+ cards per year, or 50K+ in 2022 H1) is in much more significant decline
By all measures, the supply of credit cards has collapsed.
What about demand? If demand for compromised cards has remained consistent as inventory crashed, then we would expect the price of a card to skyrocket.
However, this has not been the case. While the average price of dumps has risen from $10.51 in 2019 to $16.69 in 2022, and CVVs, from $11.04 to $13, there does not seem to be a clear year-to-year trend of increasing prices that would indicate that demand for compromised cards was stable. Instead, it appears that demand has also dropped off significantly.
Figure 4: Average prices for dumps and CVV cards have been erratic
There are several possible explanations for what caused such a massive market collapse over the last few years. We believe that all of the following reasons have, to a certain extent, affected the reduction in supply and demand of credit card compromise, known in dark web slang as carding, on the underground:
Reduced Demand
Improvements in fraud prevention and detection have made it more difficult to successfully use a compromised card. This may have reduced the number of actors that are interested in procuring them.
Improved fraud prevention
Cyber security tools and methods used by financial organizations are in an improvement process from year to year. As a result, procedures and processes became harder to break through for cybercriminals, such as using fingerprints, face recognition, PIN, EMV chip, MFA, and others.
EMV chips, for example, are very difficult to clone or spoof, and they can only be authenticated by unique readers. This more secure technology has been around since 2015, however, it took several years to adopt and replace most credit cards in circulation, especially in the United States.
Therefore, more widespread adoption of new card authentication technology in previous years is a primary reason for the reduction of the number of compromised cards, particularly with dumps, which are procured from compromised card present transactions.
Improved fraud detection
Credit card processors use machine learning to understand a user’s baseline behavior, integrating data points such as a user’s typical location and spending patterns. When a card attempts a new transaction, the card issuer immediately determines the risk factor for fraud by analyzing if it is anomalous. If the risk is deemed higher, the issuer will reject it outright, or demand an out-of-band verification, such as a security question or SMS. While these extra factors can be overcome (such as through SIM swapping), they create more work for attackers.
As machine learning algorithms and models improve, it is becoming increasingly difficult for attackers to use a stolen card.
Reduced Supply
Furthermore, actors may be finding it increasingly difficult to compromise credit card numbers in the first place. Improved e-commerce security and law enforcement operations are making it more challenging to compromise and sell credit cards. Meanwhile, actors that were once involved in carding might have pivoted towards more lucrative cybercrimes.
Improved security on e-commerce platforms
In a Magecart attack, a threat actor injects code into a checkout page of an e-commerce site, enabling the attacker to receive the information of every credit card used on the site. These attacks peaked in 2019, most notably an attack against British Airways that claimed 500,000 victims. Credit cards compromised from Magecart attacks were often quickly posted for sale on underground markets.
Security analysts have noted that Magecart attacks have been significantly decreasing each year. Much of this can be attributed to improved security tools and methodology used by e-commerce sites. According to the 2022 Global Ecommerce Security Report, e-commerce businesses continue investing more in security technologies than ever to enhance overall protection.
Certainly, the fines that regulators levied against e-commerce sites for falling victims to Magecart attacks, such as the $229 million fine against British Airways, were enough motivation for other e-commerce sites to invest in security. As a result, they collectively cut off what had been a very effective method for compromising credit cards.
Law enforcement shutdowns
Many underground forums and markets are operated by Russian threat actors. While Russian threat actors can generally operate with impunity provided that they do not attack Russians, during the last few years, the Russian authorities have taken down numerous credit card markets (possibly for violating these rules). While the largest bust was in March, 2020, Russian authorities continue to shut down some markets, making them more difficult to operate.
Lucrative alternatives
There are plenty of alternatives to carding. Over the last few years, ransomware attacks have transformed from making a few hundred dollars from attacking a single end-user to bagging tens of millions by stealing the data and then encrypting the entire network of a large organization.
Furthermore, as cryptocurrency and NFTs drastically increased in popularity over the last few years, they provided actors with more lucrative opportunities. As a result, threat actors have attacked many crypto exchanges and owners of cryptocurrency and NFTs. For example, hackers recently breached gaming-focused blockchain platform Ronin Network and extracted cryptocurrencies valued at more than $600 million, making it the second biggest crypto hack ever. The FBI recently noted that in January-March, 2022, attackers siphoned over $1.3 billion in cryptocurrency from DeFi platforms.
Ransomware and cryptocurrency attacks are easier to monetize and can provide higher winnings than carding. In ransomware, the victim willingly pays (albeit with a forced hand), sometimes millions of dollars. And cryptocurrency has notorious security vulnerabilities and transactions cannot be reversed. It would be no surprise if advanced actors and groups pivoted from credit card fraud for the greener pastures of ransomware and crypto hacking.
Conclusion
Most cybersecurity stories are doom and gloom, with messages that “things are going from bad to worse.” However, this is not the case with compromised cards. Trends from the previous 3.5 years point to a significant decline in the number of credit cards for sale and even indicate a decrease in demand for them.
While some may be because threat actors moved on to more lucrative targets, we ought to acknowledge the successful efforts of credit card networks, banks, retailers, and law enforcement to improve security. It is an encouraging story that we hope can be replicated to neutralize the many other criminal threats emanating from the cyber underground.
Nevertheless, one should not be careless with their cards. Despite the reduced risk, cardholders ought to follow best practices to ensure they do not fall victim to credit card fraud and identity theft.