February 14, 2022by Cybersixgill

Underground Financial Fraud Drops 51% in the Second Half of 2021

In the cybercriminal underground, your hard-earned money may be up for grabs. On the dark web, financial account data - traded as dumps or CVVs - is available by the millions, in a thriving ecosystem of cyber fraudsters looking to profit at their victims’ expense. In the final 6 months of 2021, Cybersixgill observed a 51% drop in the total number of compromised credit cards offered for sale in the deep and dark web - could carding fraud be on the decline?

One of the more popular commodities for sale on the dark web is credit card information. Cybercriminals have multiple tools and techniques at their disposal to access and extract private credit card data. They target e-commerce sites through data breaches and keyloggers, dupe victims through social engineering phishing scams, or use physical hacking tools such as skimmers and shimmers installed on ATMs, point-of-sale terminals and gas stations to copy the information stored within the card’s magnetic strip. Once they have successfully gathered the payment card data, cybercriminals then monetize the information by selling it on underground credit card markets, to be purchased by their peers for additional fraudulent and malicious activities.

Cybersixgill recently released a report that analyzed several trends relating to underground financial fraud over the last six months of 2021, identifying over 14 million compromised credit cards for sale on illicit cybercriminal markets. Here are some of the significant findings:

The total number of credit cards offered for sale during the final six months of 2021 dropped 51% in comparison to the total observed in H1 2021.

US-issued credit cards make up 55.9% of the total number of cards advertised for sale on the underground.

Visa cards represent a majority of the compromised credentials with 57.6% of the total among the four payment networks.

Cards with CVV/CVV2 information make up 84% of the total, while cards sold as “dumps” account for only 16%.

The first finding above shows a notable reduction in the amount of credit cards offered for sale on the underground throughout the final six months of 2021 from the total observed in the first six months of the same year. According to a recent blog post on, several major underground credit card markets shut down their operations in the last quarter of 2021, cutting the number of stolen cards for sale. Insiders attributed this cessation of operations to three key factors: (1) mounting pressure caused by law enforcement efforts to close in on these illicit sites, (2) threat actor “retirement” or internal conflict within the cybercriminal community, and (3) a growing threat actor preference for ransomware schemes as a more lucrative option for those running the sites.

The second finding revealed that US-issued cards remain the most highly valued cards on the underground markets in comparison to those issued in other countries. US cards are perceived, correctly or not, as having higher yields and purchasing power.  With over 7.4 million US credit cards offered for sale during the second half of 2021, the total number of Russian cards (974) is minuscule in comparison. While Russian authorities generally turn a blind eye to cybercriminal activity launched from within their borders, they do not want their threat actors targeting their own people. Impunity for immunity, if you will.

The third finding that Visa cards lead the way in stolen cards is a direct reflection of Visa's overall dominance in the global credit card market. Visa is followed on the list of compromised credentials by the US payment networks MasterCard, American Express and Discover.

Our fourth finding relates to the format in which compromised card information is sold in the underground. There is a substantial difference between cards sold with CVV/CVV2 information and those sold as “dumps”. Cards sold in "dumps" format are used physically (cloned cards), and contain data from the magnetic strip of the card, including cardholder name, account number, expiration date, and other validating data points used by banks to verify purchases. CVV/CVV2 information, on the other hand, refers to the 3- or 4-digit security code on the back of the card needed to conduct card-not-present transactions. Conducting in-person fraudulent activities carries a significantly higher risk to threat actors when compared to the anonymity afforded by an online purchase. Conducting ‘card-not-present’ transactions are thus more attractive and in higher demand on the underground.

Despite efforts by law enforcement agencies, credit card networks, banks, and retailers to improve their cybersecurity defenses, fraudsters continue to adapt their skills and techniques to exfiltrate sensitive payment credentials from cards being used both virtually and physically. To keep from being victimized, remember to monitor bank accounts for suspicious transactions, avoid password reuse across sites and services, enable multi-factor authentication, be wary of opening links and files delivered by suspicious senders, and remember - visibility into the activities on the dark web can keep you ahead of the game.

For more information, check out the Cybersixgill report: Underground Financial Fraud H2, 2021.

You may also like

A close-up, detailed, and vibrant image of a microscopic cell with numerous tentacle-like extensions, depicted in shades of pink and purple against a blurred blue background.

May 15, 2024

Black Basta's Devastating Attack on a US Hospital System: Lessons Learned and Protective Measures

Read more
Screen showing a malware alert

May 09, 2024

New 'Latrodectus' Malware Linked to Notorious 'IcedID' Developer: A Deep Dive into Targets, Potential Impact, and Remediation Steps

Read more
Chris Strand-Thumbnail

May 07, 2024

Enhancing Security Posture with Cyber Risk Intelligence Part 2

Read more