National Cyber Warfare Foundation (NCWF)

Getting Ahead of Payment Fraud: The Early Detection Window You're Missing


2025-09-09 15:59:34
milo
Privacy
Discover how early fraud detection through dark web intelligence can stop payment fraud before it starts. Shift from reactive to proactive prevention.

According to research from Recorded Future, in June 2025 criminals posted 10.5 million payment cards for sale on dark web marketplaces, resulting in $83 million in potential fraud losses from a single month. The worst part? Most fraud teams won't discover these compromised cards until fraudulent charges start appearing weeks or months later.


This highlights the fundamental flaw in modern fraud prevention: while teams excel at analyzing suspicious transactions, they remain blind to the criminal ecosystem where cards and personal information are stolen, bought, and sold, long before that first fraudulent charge appears. Traditional detection only kicks in after criminals have already struck. To break this cycle, fraud teams need visibility into the types of marketplaces where fraudsters purchase their tools and information.


The Dark Web and Beyond: Where Modern Card Fraud Lives


Dark web marketplaces serve as the critical distribution channel powering the fraud ecosystem. The numbers prove it: 269 million card records posted in 2024 (Recorded Future Annual Payment Fraud Intelligence Report: 2024), and 37 million from the US and Canada in Q1 2025 alone. Visibility into this space is needed to prevent card fraud from occurring, but focusing only on these marketplaces misses critical earlier stages in the fraud lifecycle.


Before cards ever reach criminal markets, they're stolen through increasingly sophisticated methods. Magecart e-skimmers silently harvest payment data from compromised e-commerce sites. Recorded Future identified 2,951 domains infected with Magecart e-skimmers in June 2025, with that number rising to 3,341 in July. Each infected site steals payment data from unsuspecting customers at checkout.


Meanwhile, scam merchants harness increasingly sophisticated tactics, techniques, and procedures (TTPs) to pose as legitimate businesses, process payments, and steal card information directly. The biggest category by far in July 2025 was digital goods sellers, advertising online movies, books, and software that never get delivered. These fake merchants collect payments from unsuspecting customers, then vanish with both the money and card details.


Transaction analysis can reveal common points of purchase (CPPs) after the fact, showing patterns that indicate where cards were likely compromised through either e-skimmer infections or scam merchant operations.
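A minimal common-point-of-purchase ranking, added here as an illustration and not taken from Recorded Future or any vendor product. The merchant names, card IDs, and the `min_cards` and `min_lift` thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: merchant -> cards seen there in the lookback window.
HISTORY = {
    "bigmart.example": [f"c{i}" for i in range(1, 11)],  # everyone shops here
    "shop-a.example": ["c1", "c2", "c3", "c4"],
    "shop-b.example": ["c2", "c3", "c4", "c8", "c9"],
    "cafe-x.example": ["c1", "c6", "c7"],
}
TRANSACTIONS = [(card, m) for m, cards in HISTORY.items() for card in cards]
COMPROMISED = {"c1", "c2", "c3", "c4"}  # cards later reported as fraud or seen for sale


def common_points_of_purchase(transactions, compromised, min_cards=3, min_lift=1.5):
    """Return (merchant, compromised_cards, total_cards, lift), highest lift first.

    lift = share of a merchant's cards that are compromised, divided by the
    share of compromised cards in the whole portfolio. Popular merchants sit
    near 1.0; a likely point of compromise sits well above it.
    """
    cards_at = defaultdict(set)
    portfolio = set()
    for card, merchant in transactions:
        cards_at[merchant].add(card)
        portfolio.add(card)

    known_bad = compromised & portfolio
    if not known_bad:
        return []  # nothing to correlate against

    ranked = []
    for merchant, cards in cards_at.items():
        hits = len(cards & known_bad)
        if hits < min_cards:
            continue  # too few cards to call it a pattern
        # Integer-first form of (hits/len(cards)) / (len(known_bad)/len(portfolio)).
        lift = (hits * len(portfolio)) / (len(cards) * len(known_bad))
        if lift >= min_lift:
            ranked.append((merchant, hits, len(cards), lift))
    return sorted(ranked, key=lambda r: (-r[3], -r[1], r[0]))


if __name__ == "__main__":
    for row in common_points_of_purchase(TRANSACTIONS, COMPROMISED):
        print(row)
```

The high-volume merchant touches every compromised card yet scores a lift of 1.0, so it is filtered out; raw overlap counts alone would have ranked it first.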


This is the complete fraud kill chain most teams never see. E-skimmers and scam merchants steal the cards. Dark web marketplaces distribute them to buyers worldwide. Tester services validate which cards are still active. Months of planning and preparation happen between theft and use. Traditional fraud teams only witness the final act, the fraudulent transaction, when all opportunity for prevention has passed.


Modern Attack Methods Bypassing Traditional Controls


Criminals have evolved beyond what traditional fraud controls can handle. Consider their timeline advantage: stolen card details can go unused and undetected for long periods, retaining value throughout. This gives fraudsters the luxury of patience to develop back-up plans that get around the various detection and prevention measures employed by card-issuing banks. Because most stolen card records are sold with the cardholder's personal information, there are many options for victim manipulation.


Unsuccessful attempts at fraud are often followed by efforts that exploit personally identifiable information (PII), such as spear phishing and account takeover attacks. This means card records accompanied by PII are associated with higher risk to the cardholder and issuing bank, as well as greater value to criminals. Predictably, fraudsters work very hard for those records, and the scale of these operations can be staggering.


In June 2025, a single UK-based phishing campaign deployed 207 domains in just 12 days to harvest victims' personal data and card details. The phishing infrastructure impersonated official web resources of the UK government, manipulating victims into providing a one-time password (OTP) and accepting device checks so the fraudsters could carry out downstream mobile wallet fraud. The campaign shows the lengths fraudsters will go to in exploiting PII-enriched card records. Criminals control when and how to strike. Fraud teams can only react to the aftermath.


These sophisticated techniques operate entirely outside traditional fraud controls' field of vision. While fraud teams analyze yesterday's transactions, criminals are already planning alternative ways to get returns on card records bought in marketplaces fraud teams will never see, or stolen through methods they struggle to detect.









Figure 1: Payment Fraud Lifecycle dashboards from Recorded Future's Payment Fraud Intelligence module.




Source: RecordedFuture
Source Link: https://www.recordedfuture.com/blog/getting-ahead-of-payment-fraud

