Cybercrime site shows off with a free leak of 2 million stolen card numbers

A Russian-language dark web shop known as BidenCash recently attracted attention from cybersecurity researchers by posting a leak — for free — of 2 million stolen payment card numbers.

The good news, researchers say, is that many of the compromised numbers have been available for purchase on the dark web for a while — meaning they likely have been exposed to fraud already, causing financial institutions to cancel them. About 70 percent also expire this year, reports cybersecurity company Flashpoint, limiting their usefulness for illicit purchases.

The bad news? Even if this "free sample" of credit card and debit card numbers is mostly just an attempt to gain attention in the cybercrime underground, the leak contains data that could still be useful for scammers, researchers say.

Cybercriminals "have been known to purchase expired payment cards to gain more information on potential victims," notes the threat intelligence company Cyble in a post about the leak. As is common in this kind of "dump," the data also includes names, emails, phone numbers and home addresses.

Those details are useful for tactics like spearphishing specific people to try to steal their login credentials for personal or work accounts, researchers say.

Crooks who like hype

It's hard to discern what the BidenCash leak means in general for the illicit "carding" market, which is a "fluid environment," says Ilya Volovik, an expert on payment fraud with Insikt Group, which is part of The Record's parent company, Recorded Future.

At face value, the move announces that BidenCash plans to stay in the game, researchers say. (Co-opting the U.S. president's surname also adds to the mischief, too.)

"BidenCash has done this twice before to market their dark web shop, so we believe it's just a clever marketing strategy," Volovik says.

The leak is one of the largest over the last year — lately the typical release is "somewhere in the ballpark of 40,000 stolen credit cards," Flashpoint says — and it comes as carding shops have been trying to fill the void left by the U.S.-led takedown of the notorious Joker's Stash market in early 2021. Russia also cracked down on cybercrime before it invaded Ukraine last year.

It's important to remember the top goal of Russian-speaking cybercriminals who specialize in payment card fraud, Volovik says: Steal payment cards to buy Western goods, then smuggle those goods back home.

"I believe we will be seeing carding increase as Russia is sinking economically and politically" because of the war and the resulting sanctions, Volovik says. "The shadow economy that prevailed in Russia in the '90s-2000s will return."