There’s an underground ecosystem where sensitive data is bought, sold, and traded—not just on the dark web, as you might expect, but also on publicly accessible websites, channels, and forums. Among these are platforms dedicated to carding—a cyber crime niche centered on the large-scale use and abuse of stolen credit card information.
In this article, Laura Kankaala, Head of Threat Intelligence at F-Secure, shares her latest insights into the world of carding—exploring why it remains so attractive to cyber criminals, how it has evolved in recent years, and the growing risks it poses to consumers. Crucially, she also outlines what service providers—including telcos, financial services, and insurers—can do to help protect consumers from carding in today’s shifting cyber threat landscape.
What is Carding in Cyber Crime?
Carding refers to the trafficking and exploitation of stolen credit card data, cryptocurrency, and other financial information—a term used within criminal communities and, increasingly, by security professionals, law enforcement, and financial institutions.
It’s not just about selling stolen details. Carding also involves sharing practical methods for using them: how to keep a card active without detection, check balances, cover tracks, and avoid bans on digital platforms. The practice drives significant financial losses, fuels identity theft, and remains a persistent threat across the cyber crime landscape.
A dark web activity gone mainstream
Contrary to popular belief, most carding platforms no longer hide in the dark web (i.e. the Tor network). The sites I’ve evaluated this year all had clear web addresses—with ‘.onion’ versions available for some of them.
So, even though the Tor network is still a home to some cyber crime-related websites, it’s a sign of the times: the clear web—the same internet we all use—has become a far ‘safer’ space for all kinds of cyber criminals to operate.
Carding is a cyber crime niche of its own
There are entire websites, channels, and forums dedicated specifically to carding. Unlike other types of stolen data—such as email lists or personal information—carding exists as its own distinct niche within the cyber crime ecosystem. Stolen credit card details are often sold on platforms and websites dedicated to, and branded as, carding websites.
Why is that? I can’t say for certain, but I’ve always seen carding as a more ‘hardcore’ form of cyber crime—at least from a criminal’s perspective. Compared to harvesting phone numbers or email addresses, carding demands more risk, and potentially, more reward.
Inside the Surprisingly Sophisticated Marketing of Carding
Carding is packaged and sold like a legitimate business within criminal communities—often mimicking the tone, structure, and customer service you see in e-commerce.
)
Carding websites often have logos and consistent branding, login portals with dashboards and shopping cart functionality, pricing tiers based on the quality or freshness of data, and even a newsfeed serving up the latest advice and information on carding.
)
Marketing around carding is designed to make it feel easy and accessible—even for newcomers. That’s part of what makes it so dangerous: the commodification of cyber crime. Last year, I came across an article promoting the "benefits" of carding during the holiday season, complete with an image of a balaclava-wearing Santa Claus—a tone that trivialized the seriousness of the crime.
)
Connecting global criminals in carding forums
Carding forums act as central hubs for cyber criminal activity—particularly for promoting websites and Telegram channels that sell stolen credit card data. In other words, these forums serve as advertising platforms for illicit services. Occasionally, data dumps containing credit card details or other sensitive information are also shared directly within the forums.
)
Advertising carding on legitimate platforms
Carding websites continue to find creative ways to promote themselves on legitimate platforms—including global services like Last.fm (music streaming), Gravatar (avatar creation), and Pinterest (visual discovery). This misuse allows cyber criminals to reach a broader audience while evading detection—blending into the digital spaces that consumers and businesses use every day.
)
Knowledge-sharing in the carding community
Interestingly, a major part of the carding ecosystem revolves around education. There’s a wealth of information shared among carders—from how to bypass anti-fraud systems to practical guides on using stolen credit cards—all of which helps keep the ecosystem active and evolving.
While stealing card data can sometimes be relatively easy, successfully using it is far more difficult. Transactions can be quickly flagged or blocked, making fraud attempts risky and unreliable. As a result, carding communities are developing new strategies to leverage existing online platforms and withdraw money from stolen credit cards.
Tutorials range from guidance on using legitimate websites with stolen credit cards, to tips on avoiding IP address flagging and methods for exploiting mobile payment services and cryptocurrencies to drain funds.
Carding in 2025: What’s New?
In recent years, I’ve observed some shifts in how carding is carried out—changes that mirror broader developments in both technology and threat intelligence research. Notably, cryptocurrency has become a valid option for carding operations, whether through exploiting stolen crypto wallets and accounts or using stolen credit card details to purchase cryptocurrency.
How to Keep Consumers Safe from Carding
Carding has long been a prevalent form of online crime—and it remains a serious threat. Fortunately, protections have evolved and continue to advance. One such protection is the use of anti-fraud tools, such as F‑Secure Total, our complete online security solution. These tools offer consumers the most effective way to defend against carding attacks.
But technology alone isn’t enough. Consumers also need to follow key best practices to reduce their risk. Financial data can leak in many ways—through phishing attacks, data breaches at online services, or poor account security. Even in regions like the EU, where banks are legally required to implement strong customer authentication, criminals continue to find ways to bypass these safeguards. That’s why staying vigilant is essential.
Practical tips to prevent carding fraud
Service providers play a critical role in the broader financial security ecosystem, so one of the most valuable things you can do is empower your customers with clear, practical advice. Here are a few key steps they can take to better protect themselves from carding-related threats:
Regularly monitor bank and credit card accounts for unfamiliar transactions
Be cautious when clicking links in emails, text messages, or while shopping online
Treat unexpected requests for personal or payment information with suspicion
Use multi-factor authentication (MFA)—ideally with authenticator apps and biometrics, which are the most secure options
Install and routinely update comprehensive online protection across all devices