What Is Carding?
Carding is a form of payment fraud where criminals steal and exploit credit or debit card details to make online purchases and generate cash or acquire other assets.
It’s unfortunately a growing problem. And with credit card fraud reports passing $33 billion in 2024 and projected to reach $43 billion by the end of 2026 [1], consumers need to take the threat seriously.
In this guide, we’ll walk you through everything you need to know about carding – from how attacks work to the steps you can take to protect yourself.
What Is Carding Fraud?
Carding is a type of cybercrime that involves the theft and unauthorized use of credit or debit card information. The criminals who carry out these attacks, known as carders, steal payment card data and use it to make fraudulent transactions or sell it on to other criminals.
What cybercriminals are able to do with this data depends on how complete the information is. There are three tiers of card information that carders can get their hands on:
- Basic data: Card numbers and card verification value (CVV) codes that can be used to make purchases on websites that don’t have strong security and authentication measures.
- Dumps: Raw data extracted from a card’s magnetic strip that allows attackers to clone physical cards.
- Fullz: Complete packages of card and personal data that can be used for identity theft and financial fraud.
If the carder doesn’t use the information themselves, it’s generally traded on carding forums. These are dedicated online communities where carders exchange this information, carding techniques, and other card fraud tools.
The Consequences of Carding
Carding fraud can have serious consequences for both individuals and businesses, ranging from immediate financial losses to longer-term reputational damage.
- Financial loss: Cybercriminals can drain personal bank accounts and max out credit cards with fraudulent transactions. For businesses, chargebacks, inventory shrinkage, and increased operational costs can add up quickly.
- Identity theft and poor credit scores: Fullz data can be used to open fraudulent accounts or take out loans in a victim’s name, damaging their credit score in ways that can take years to repair.
- Compromised accounts and data exposure: Stolen credentials can give carders access to other personal or business accounts, potentially compounding the initial financial damage.
- Emotional distress: The experience of being defrauded – and the process of recovering from it – can be stressful and time-consuming for individuals and business owners alike.
How to Tell If You’ve Been Carded

Catching carding fraud early can limit the potential damage to your finances and reputation. Fortunately, there are some tell-tale signs to look out for.
The most obvious red flags are financial. Strange transactions – especially small ones – on your bank or credit card statements can indicate that a carder is testing your details. Noticeable, unexpected drops in your balance may suggest that fraudulent activity is already underway.
Unexplained credit applications on your credit report are another warning sign. If you haven’t applied for additional lines of credit, this could indicate that someone is attempting to open new accounts in your name using your data.
Beyond your finances, two other things should raise concern: unsolicited communications asking you to verify payment details, and checkout pages that look slightly out of step with the rest of a website’s appearance.
It’s also worth keeping an eye on your devices. Unusual slowdowns or unfamiliar apps could point to your device being infected with malware that might be harvesting your data.
How Do Carders Get Your Credit Card Details?
There are loads of ways that carders can get their hands on your card data. Their methods include everything from sophisticated cyberattacks to simple in-person monitoring:
- Phishing: Deceptive emails, text messages, or fake websites impersonate trusted organizations to trick victims into entering their card details.
- Card and RFID skimming: Physical devices attached to ATMs, fuel pumps, or point-of-sale terminals capture card data when a card is inserted or tapped.
- Keylogging: Malware silently records keystrokes on an infected device, capturing card details as they’re typed.
- Social engineering: Carders manipulate victims directly (e.g. by posing as bank officials or customer service representatives) to extract card information through conversation.
- Hacking and data breaches: Attackers gain access to databases that contain stored payment data, exposing thousands of records at once.
- SQL injection: Carders exploit vulnerabilities in web forms to inject code into a website’s database and extract sensitive customer information, including card details.
- Form takeovers: Malicious scripts are injected into legitimate checkout pages to intercept payment data as it’s entered.
- Fake apps and websites: Fraudulent storefronts or applications mimic legitimate services to trick users into submitting their card details directly to attackers.
- Shoulder surfing: Carders simply observe victims entering card details in public places (e.g. when completing payment information on a website).
- Brute force and bot attacks: Automated tools systematically generate and test card number combinations.
- Buying data on dark web marketplaces: Many carders purchase data from carding forums and dark web marketplaces where stolen information is bought and sold in bulk.
How Does Carding Work?
Carding typically follows a three-step process: acquiring card details, validating them to identify which ones are active and usable, and then cashing out. Below is a more detailed look at how each of these steps is carried out.

1. Acquiring Card Details
The first step in any carding attack is getting hold of payment card data. Carders do this in one of two ways: by stealing it themselves or by buying it.
Direct theft methods range from phishing and malware to large-scale data breaches targeting businesses, while bulk card details are generally purchased from dark web marketplaces. Either way, carders’ main priority is volume – the more card details they have, the more opportunities they have to find usable ones.
2. Validating Card Data
Not all stolen card details are usable. Carders may have obtained information for cards that have been canceled, expired, or already flagged for fraud. This means that they need to identify which cards are still active by account testing or “nibbling”.
To do this at scale, carders use botnets (networks of compromised devices) to automate large volumes of small, low-value transactions across multiple e-commerce sites at the same time. The small size of the transactions and the distributed nature of the attack make it more difficult to detect and block.
Once tested, the cards that successfully process a transaction are confirmed as live and ready to exploit.
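A merchant-side check for the account-testing pattern described above, as an added example that is not part of the original article: it flags runs of small, mostly declined authorizations that cycle through many different cards. The log format, field names and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authorization log: time, source IP, card token, amount, result.
# Tokens stand in for hashed card numbers; no real card data appears here.
SAMPLE_LOG = """\
2025-04-01T10:00:05 198.51.100.7 tok_a1 1.00 declined
2025-04-01T10:00:19 198.51.100.7 tok_b2 1.00 declined
2025-04-01T10:00:31 198.51.100.7 tok_c3 0.50 approved
2025-04-01T10:00:48 198.51.100.7 tok_d4 1.00 declined
2025-04-01T10:01:02 198.51.100.7 tok_e5 1.00 declined
2025-04-01T10:02:10 203.0.113.20 tok_z9 64.99 approved
2025-04-01T10:03:40 203.0.113.20 tok_z9 12.50 approved
2025-04-01T10:30:00 192.0.2.44 tok_q1 2.00 declined
2025-04-01T10:30:30 192.0.2.44 tok_q1 2.00 approved
"""

def parse(log):
    for line in log.strip().splitlines():
        ts, ip, card, amount, result = line.split()
        yield datetime.fromisoformat(ts), ip, card, float(amount), result

def find_card_testing(log, key=lambda ip: ip, window=timedelta(minutes=5),
                      min_cards=4, max_amount=2.00, min_decline_ratio=0.5):
    """Flag groups (per source IP by default) whose low-value attempts inside
    any `window` cover >= min_cards distinct cards and are mostly declined."""
    groups = defaultdict(list)
    for ts, ip, card, amount, result in parse(log):
        if amount <= max_amount:              # only small "test" charges count
            groups[key(ip)].append((ts, card, result))
    flagged = {}
    for group, events in groups.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # advance the window start until the span fits inside `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            cards = {card for _, card, _ in span}
            declines = sum(result == "declined" for _, _, result in span)
            if len(cards) >= min_cards and declines / len(span) >= min_decline_ratio:
                flagged[group] = f"{len(cards)} cards, {declines}/{len(span)} declined"
                break
    return flagged

# Per-source view, then a site-wide view for attempts spread across many IPs.
print(find_card_testing(SAMPLE_LOG))
print(find_card_testing(SAMPLE_LOG, key=lambda ip: "site-wide"))
```

Because botnet traffic is spread over many addresses, the site-wide grouping is the view that still sees the pattern when no single source crosses the per-IP threshold.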
3. Cashing Out
Once a carder has confirmed which cards are live, they want to start extracting funds as quickly as possible (i.e. before the fraud is detected and the cards are blocked).
Fraudsters will often purchase gift cards or other digital assets like cryptocurrency using the stolen card details. Both are particularly attractive to carders because they’re difficult to trace, easy to resell, and can be liquidated quickly for cash.
Carders may also use stolen card details to purchase high-value physical goods that can then be resold for cash (e.g. electronics or luxury items). To minimize suspicion, the fraudster will often purchase smaller quantities of items across multiple retailers rather than in one large transaction.
Recent Examples of Carding Attacks
Carding attacks are on the rise and are becoming more sophisticated.
In December 2024, for example, the European Space Agency’s official merchandise store was compromised with a malicious script that generated a fake Stripe payment page at checkout [2]. The page silently collected customers’ credit card details and routed them to an attacker-controlled domain.
A few weeks later, in January 2025, something similar happened to the Casio UK online store [3]. A web skimmer was used to intercept customers at the cart page and present them with a convincing fake payment form to capture their data.
Carders aren’t just targeting online stores directly, though. In April 2025, a malicious package discovered on the open-source Python Package Index (PyPI) was found to have given carders a way to automate the testing of stolen credit card details across WooCommerce stores at scale without triggering fraud detection systems [4].
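A defender's check for the script-injection pattern in the two store compromises above, as an added example that is not from the original article: it lists every host a checkout page loads scripts or frames from, or posts forms to, and reports those outside an allowlist. The hostnames, the sample page and the allowlist are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this hypothetical shop expects its checkout page to use (assumption).
ALLOWED_HOSTS = {"shop.example", "js.psp.example"}

# Constructed checkout page: expected resources plus an injected loader and
# a payment form that posts card fields to a third-party host.
SAMPLE_CHECKOUT = """
<html><body>
<script src="https://js.psp.example/v3/"></script>
<script src="/static/cart.js"></script>
<script src="https://cdn.stats-collector.invalid/loader.js"></script>
<form action="https://pay.stats-collector.invalid/submit" method="post">
  <input name="cardnumber"><input name="cvc">
</form>
<iframe src="https://shop.example/help"></iframe>
</body></html>
"""

class ResourceAudit(HTMLParser):
    """Collect every host a page loads scripts/frames from or posts forms to."""
    WATCHED = {"script": "src", "iframe": "src", "form": "action"}

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.found = []                      # (tag, host) in document order

    def handle_starttag(self, tag, attrs):
        attr = self.WATCHED.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if url:
            # relative URLs resolve to the page's own host
            host = urlparse(url).hostname or self.page_host
            self.found.append((tag, host))

def unexpected_hosts(html, page_host, allowed=ALLOWED_HOSTS):
    """Return (tag, host) pairs that fall outside the allowlist."""
    audit = ResourceAudit(page_host)
    audit.feed(html)
    return [(tag, host) for tag, host in audit.found if host not in allowed]

print(unexpected_hosts(SAMPLE_CHECKOUT, "shop.example"))
```

This only inspects the HTML as served; a Content-Security-Policy with `script-src` and `form-action` directives enforces the same allowlist in the browser, including for scripts added at runtime.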
What to Do If You Think You’ve Been Carded: Step-by-Step Recovery Process

If you suspect your card details have been compromised, acting quickly is essential. The faster you respond, the better your chances of limiting the financial damage.
1. Freeze Your Card or Account
Your first priority is to stop any further fraudulent transactions from taking place. Most banks and card issuers allow you to temporarily freeze your card through their mobile app or website.
You should do this immediately, even before you’ve confirmed that fraud has taken place. If you’ve identified unauthorized transactions, request a full card cancellation and replacement at the same time.
2. Notify Your Bank
Contact your bank or card issuer as soon as possible to report the suspected fraud. They can flag your account, initiate a formal investigation, and begin the process of reversing any unauthorized transactions.
Most banks have dedicated fraud teams available around the clock, so you don’t need to wait until the next business day to get in touch.
3. Secure Your Accounts
Once you’ve notified your bank, it’s time to make sure your accounts are secure. Change the passwords on your online banking and any other accounts that use the same or similar credentials. Carders who have access to your card details may also have access to other personal information.
If you haven’t already done so, it’s also a good idea to enable multi-factor authentication on all financial accounts for an extra layer of protection.
4. File a Police Report and Notify the Relevant Fraud Bureau
Filing a police report creates an official record of the fraud, which may be required by your bank or insurer when processing a claim.
You should also report the incident to your national fraud reporting body. In the US, this is the Federal Trade Commission (FTC) while Action Fraud is the bureau in the UK. These reports help authorities track carding activity and build cases against perpetrators.
5. Scan All Your Devices for Malware
If your card details were stolen through keylogging or malware, the threat may still be present on your device. Run a full virus and malware scan on all devices you use for online banking or shopping, and remove any threats that are detected.
Going forward, using a VPN can add a meaningful layer of protection when transacting online. A VPN encrypts your internet traffic, making it significantly harder for carders to intercept your payment data or deploy malware through unsecured Wi-Fi connections.
6. Monitor Your Accounts Closely
Even after taking the above steps, it’s important to keep a close eye on your financial accounts in the weeks that follow a carding attack.
Review your bank and credit card statements regularly for any further suspicious activity and consider signing up for credit monitoring to receive alerts about any new credit applications made in your name.
How to Avoid Carding
Carding operations are designed to be hard to detect and even harder to trace. Carders use botnets, anonymizing tools, and low-value transactions to cover their tracks, which makes them difficult to catch and means your best defense is making sure they can’t get hold of your details in the first place.
Following some standard security precautions in your online life can significantly reduce your risk of falling victim to a carding attack:
- Use strong, unique passwords and PINs: Reusing passwords across multiple accounts means that a single breach can compromise several accounts at once. Use a password manager if you struggle to keep track of them.
- Make use of virtual cards for online payments: Many banks offer virtual cards that have dynamic CVV codes. Because these details change regularly, they’re much harder for carders to exploit.
- Enable multi-factor authentication: Adding an extra layer of verification (like biometric or SMS authentication) to your financial accounts means that stolen card details alone aren’t enough to gain access.
- Keep your card and other details to yourself: No legitimate bank, retailer, or payment provider will ever ask for your full card details over the phone, by email, or via text message.
- Check that payment sites are secure: Before entering card details online, confirm that the site uses HTTPS and that the URL matches the legitimate website. Keep a lookout for subtle misspellings or unfamiliar domain extensions.
- Don’t click suspicious links: Phishing is one of the most common ways carders obtain card details. If an email or message asking you to verify payment information seems unexpected or unusual, go directly to the website rather than clicking any links.
- Monitor your financial accounts: Checking your statements frequently means that you’re more likely to catch suspicious activity early, before any significant financial damage can be done.
- Use a VPN: A VPN encrypts your internet connection, protecting your payment data from interception. Choose a VPN that uses strong encryption protocols and has a strict no-logs policy, as these features help to ensure that your activity remains private.
- Keep your software updated: Security patches address known vulnerabilities that carders and other cybercriminals actively exploit. Keeping your operating system, browser, and apps up to date can help close these gaps.
Carding: Frequently Asked Questions
What is carding?
Carding is a type of fraud where cybercriminals steal payment card data through a range of methods – from phishing and skimming to data breaches – and use it to make fraudulent transactions or sell it to other criminals on dark web marketplaces.
Is Carding Illegal?
Yes, carding is most definitely illegal, and those convicted can face fines and even imprisonment. That said, it’s a pretty difficult crime to prosecute in practice. Carders usually use anonymizing tools and operate in a different country to the one where their victims live, which can make it challenging for authorities to track them down and hold them accountable.
What does carding mean in cybercrime?
In the cybercrime context, carding is the process of stealing, validating, and exploiting payment card data for financial gain. It’s part of a broader criminal ecosystem that includes the trade of stolen card data on carding forums, the use of botnets to test cards at scale, and the laundering of proceeds through gift cards and digital assets.
How does carding typically work?
There are typically three steps in a carding attack: acquiring card details through theft or purchase, validating them using automated bot attacks to identify active cards, and cashing out by purchasing gift cards, digital assets, or high-value physical goods for resale.
What are common signs your card details are being used for carding?
The most common sign of carding is seeing unexpected transactions on your bank or credit card statements. Other red flags include unexplained account balance changes, unfamiliar credit applications on your credit report, and unsolicited communications asking you to verify your payment information.
What should I do if my card details are stolen?
If your card details are stolen, you need to act quickly. Freeze your card immediately, then contact your bank to report the fraud and begin reversing unauthorized transactions. Change your passwords, file a police report, and notify your national fraud reporting body. It’s also important to run a malware scan on all your devices and monitor your accounts closely in the weeks that follow.
Can a VPN help protect payment data on public Wi-Fi?
Yes. Public Wi-Fi networks are a potential target for carders looking to intercept payment data. A VPN encrypts your internet connection, making your traffic significantly harder to intercept. For the strongest protection, choose a VPN with robust encryption and a verified no-logs policy.
References:
1. Credit Card Fraud Statistics – merchantcostconsulting.com
2. European Space Agency’s official store hacked to steal payment cards – Bleeping Computer
3. Casio UK online store hacked to steal customer credit cards – Bleeping Computer
4. Carding tool abusing WooCommerce API downloaded 34K times on PyPI – Bleeping Computer