Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
India Halts WhatsApp Usernames Rollout Due to Fraud Concerns
July 1, 2026
Critical Cursor IDE RCE Vulnerabilities Allow Zero-Click Prompt Injection
July 1, 2026
Automated Password Spray Attacks Target Microsoft Azure CLI
July 1, 2026
Home/Threats/New Research Uncovers 28 Unique IP Addresses and 85 Domains Hosting Carding Markets
Threats

New Research Uncovers 28 Unique IP Addresses and 85 Domains Hosting Carding Markets

An investigation recently exposed the technical infrastructure supporting underground carding operations, pinpointing 28 unique IP addresses and 85 domains actively hosting illegal marketplaces for...

Emy Elsamnoudy
Emy Elsamnoudy
January 12, 2026 3 Min Read
31 0

An investigation recently exposed the technical infrastructure supporting underground carding operations, pinpointing 28 unique IP addresses and 85 domains actively hosting illegal marketplaces for the trade of stolen credit card data.

These platforms operate as sophisticated e-commerce sites for financial fraud, enabling criminals to trade stolen payment information ranging from $5 to $150 per card depending on credit limits and additional identity details.

The research conducted between July and December 2025 utilized internet-wide scanning techniques to identify servers hosting carding infrastructure before they could hide behind protective measures.

By performing searches across HTTP and HTTPS title banners on ports 80 and 443, investigators detected servers broadcasting carding-specific keywords such as “CVV,” “Dumps,” “Carding,” and “Shop.”

This scanning approach allowed researchers to capture server identities during initial configuration phases, before Content Delivery Networks like Cloudflare obscured their true locations.

Team Cymru analysts noted that the infrastructure analysis revealed significant patterns in how these criminal operations establish their technical presence.

The IP addresses discovered were hosting login pages and forum landing pages for carding sites, providing critical evidence that can support law enforcement actions including subpoenas and takedowns.

The most common top-level domains used by these operations were .su, .cc, and .ru, which offer jurisdictional advantages and loose registration policies that criminals exploit for operational security.

Login pages for carding markets (Source - Team Cymru)
Login pages for carding markets (Source – Team Cymru)

Credit card data theft occurs at multiple transaction points through various methods. Web skimming attacks inject malicious JavaScript into checkout pages, while database breaches target central servers of retail and financial organizations.

Physical theft techniques include skimming devices at ATMs and point-of-sale terminals that capture magnetic stripe data and PINs.

Once stolen, this data enters a sophisticated supply chain where specialized criminals handle different stages from theft to sale to conversion into cash.

Carding forums (Source - Team Cymru)
Carding forums (Source – Team Cymru)

The investigation also examined X.509 certificates and analyzed Subject Common Names to cluster related infrastructure based on reused certificate attributes.

This methodology enables tracking of bulletproof hosting environments where illicit marketplaces reside, even when operators attempt to use website cloning techniques to replicate legitimate carding markets for phishing purposes.

Hosting Infrastructure Analysis

The distribution analysis of Autonomous System Numbers from the 28 IP addresses showed that many hosting providers operate in offshore jurisdictions with limited law enforcement cooperation.

Privex emerged as the most common hosting provider, advertising privacy-minded infrastructure with dedicated VPS options that criminals purchase without providing identification.

These hosting services typically support multiple malicious activities beyond carding, including offensive security tools and hacking campaigns.

ASNs Hosting Carding Infrastructure (Source - Team Cymru)
ASNs Hosting Carding Infrastructure (Source – Team Cymru)

This above infrastructure displays the ASN distribution, while other above ones show the examples of carding market login pages and forum interfaces discovered during the research.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackBreachExploitphishingSecurity

Share Article

Emy Elsamnoudy

Emy Elsamnoudy

Emy is a cybersecurity analyst and reporter specializing in threat hunting, defense strategies, and industry trends. With expertise in proactive security measures, Emily covers the tools and techniques organizations use to detect and prevent cyber attacks. She is a regular speaker at security conferences and has contributed to industry reports on threat intelligence and security operations. Emily's reporting focuses on helping organizations improve their security posture through practical, actionable insights.

Previous Post

New ‘Penguin’ Pig Butchering as a Service Selling PII, Stolen Accounts and Fraud Kits

Next Post

Everest Hacking Group Allegedly Claims Breach of Nissan Motors

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical Fluentd Vulnerabilities Allow Remote Code Execution
July 1, 2026
Weaponized Google Ads Install Malicious Claude Code to Hijack macOS
July 1, 2026
Critical Adobe ColdFusion Vulnerabilities Let Attackers Run Code
July 1, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us