B1ack’s Stash Dumps 4.6 Million Stolen Credit Cards for Free After Seller Dispute
The dark web carding marketplace B1ack’s Stash has released 4.6 million stolen credit card records as a free download, punishing sellers who resold data on rival platforms.
The notorious dark web carding marketplace B1ack’s Stash has announced the free download of 4.6 million stolen credit card records, escalating the threat of card-not-present fraud worldwide. The data dump was triggered after sellers were caught reselling card data purchased from B1ack’s Stash on competing platforms, a violation of the marketplace’s policies. In response, B1ack’s Stash allegedly suspended 8 million stolen CVV2 records and decided to release the card data for free instead of deleting it from its inventory.
According to SOCRadar, the released data includes full card numbers, expiration dates, CVV2 codes, cardholder names, billing addresses, email addresses, phone numbers, and IP addresses. Based on the availability of full card details and payment data, the information was likely stolen as part of e-skimming or phishing operations. The cybersecurity firm says it has validated the authenticity of some of the records, though analysis showed that some cards had expired or were duplicate entries. Overall, 4.3 million records appear to be new and likely usable for illicit activities.
The stolen credit cards are sourced worldwide, but approximately 70% of them are from the United States. Canada, the United Kingdom, France, and Malaysia round out the top five. “The presence of Asian financial hubs like Hong Kong, Singapore, Thailand, and Malaysia in the top 15 suggests the dataset is not solely the product of a single regional operation, but draws from multiple skimming or phishing campaigns targeting English-speaking and high-purchasing-power markets globally,” SOCRadar notes.
B1ack’s Stash has been operating on the dark web since at least 2023, becoming one of the most active shops for stolen credit card data. In April 2024, the marketplace offered 1 million credit cards to anyone who registered. In February 2025, it released over 4 million stolen credit cards for free, likely to attract more users. This latest dump continues the pattern of using free data releases as a marketing tactic to draw new customers and build marketplace dominance.
The newly dumped cards are expected to fuel card-not-present (CNP) fraud activities, such as illicit online purchases. The accompanying information may allow cybercriminals to open fraudulent accounts, apply for credit, or launch convincing phishing attacks. “The richness of the leaked records – full PAN, CVV2, expiration date, billing address, full name, email, phone, and IP address in a single entry – creates compounding risks that go well beyond simple card fraud,” SOCRadar warns.
This incident highlights the ongoing criminal activity on carding forums and the massive scale of stolen financial data circulation. Unlike typical data breaches where stolen cards are sold individually, B1ack’s Stash’s strategy of mass free releases lowers the barrier for entry-level cybercriminals and increases the likelihood of widespread fraud. The marketplace’s willingness to sacrifice inventory to enforce internal policies demonstrates the sophisticated governance structures that have evolved within these underground economies.
For affected cardholders, the risk of fraudulent transactions, identity theft, and targeted phishing attacks has significantly increased. Financial institutions and payment processors are urged to monitor for unusual activity and reissue cards where necessary. The incident serves as a stark reminder that the stolen credit card trade remains a thriving, well-organized industry on the dark web, with marketplaces like B1ack’s Stash continuously adapting their business models to evade law enforcement and maximize profit.