What happened
New research uncovered 28 IPs and 85 domains hosting carding markets. Security researchers identified the technical infrastructure behind underground carding operations that host marketplaces for stolen credit card data. Investigators mapped 28 unique IP addresses and 85 domains actively serving as front ends for carding sites, which function like illicit e-commerce platforms selling stolen payment credentials. The analysis used internet-wide scanning of HTTP/HTTPS banners on ports 80 and 443 to detect servers displaying carding-specific keywords such as “CVV,” “dumps,” and “shop.” Researchers noted the prevalent use of top-level domains in jurisdictionally lax registries and examined X.509 certificates to cluster related infrastructure. The study highlights how these criminal networks set up and maintain accessible infrastructure before it is obscured by protective services like CDNs.
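The keyword-and-certificate method described above can be reproduced by a threat-intelligence team over scan data it already holds. The sketch below is an added example, not the researchers' code: the records, fingerprints and the `MIN_HITS` threshold are constructed assumptions, and only the three keywords come from the article.

```python
import re
from collections import defaultdict

# Keywords the article says were searched for in HTTP/HTTPS banners.
KEYWORDS = {"cvv", "dumps", "shop"}
# Assumption: a single generic word such as "shop" is too noisy on its own.
MIN_HITS = 2

# Constructed scan records (documentation IP ranges, .example domains,
# shortened fake certificate fingerprints).
SCAN_RECORDS = [
    {"ip": "192.0.2.10", "port": 443, "domain": "alpha.example",
     "title": "CVV Shop | fresh dumps", "cert_sha256": "aa11"},
    {"ip": "192.0.2.11", "port": 443, "domain": "beta.example",
     "title": "Login", "cert_sha256": "aa11"},
    {"ip": "198.51.100.7", "port": 80, "domain": "gamma.example",
     "title": "Dumps and CVV store", "cert_sha256": None},
    {"ip": "203.0.113.5", "port": 443, "domain": "flowers.example",
     "title": "Flower Shop", "cert_sha256": "bb22"},
]

def keyword_hits(title):
    """Carding keywords present in a banner title, matched as whole words."""
    words = set(re.findall(r"[a-z0-9]+", title.lower()))
    return sorted(words & KEYWORDS)

def flag_records(records):
    """Records whose banner carries at least MIN_HITS distinct keywords."""
    return [r for r in records if len(keyword_hits(r["title"])) >= MIN_HITS]

def cluster_by_certificate(records):
    """Group every host that shares an X.509 fingerprint with a flagged host."""
    seeds = {r["cert_sha256"] for r in flag_records(records) if r["cert_sha256"]}
    clusters = defaultdict(set)
    for r in records:
        if r["cert_sha256"] in seeds:
            clusters[r["cert_sha256"]].add((r["ip"], r["domain"]))
    return {fp: sorted(members) for fp, members in clusters.items()}

def blocklist(records):
    """IPs and domains to monitor: flagged hosts plus certificate-linked hosts."""
    pairs = {(r["ip"], r["domain"]) for r in flag_records(records)}
    for members in cluster_by_certificate(records).values():
        pairs.update(members)
    return sorted({ip for ip, _ in pairs}), sorted({d for _, d in pairs})

if __name__ == "__main__":
    print(cluster_by_certificate(SCAN_RECORDS))
    print(blocklist(SCAN_RECORDS))
```

The certificate pivot pulls in `beta.example`, whose banner shows no keywords. Certificates shared by hosting providers or CDNs can link unrelated hosts, so review each cluster before blocking.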
Who is affected
Financial institutions, retailers, and consumers are indirectly affected as carding marketplaces facilitate the trade of stolen payment data, increasing the risk of fraud and financial loss across payment ecosystems.
Why CISOs should care
Understanding where underground carding marketplaces host their infrastructure helps security teams and fraud analysts prioritize takedowns, anticipate threat actor behaviors, and strengthen monitoring around exposed services tied to financial fraud operations.
3 practical actions
- Monitor underground infrastructure: Track and block IPs/domains linked to illicit marketplaces to reduce exposure.
- Enhance fraud detection: Correlate card-not-present and transaction anomalies with emerging carding infrastructure.
- Collaborate with law enforcement: Share threat intelligence on identified IPs/domains to support disruption efforts.
