Over 1.3 million Indian banks’ credit cards sold in dark web forums

Ethical hacking specialists have detected that a dark web site dedicated to the sale of stolen payment card data has added to its offerings a list of at least 1.3 million new credit and debit cards extracted from several India-established banks.

Security firm Group-IB was the first to report the incident, stating that the list was found on the popular dark web forum Joker’s Stash. According to the experts, the database operators are asking $100 USD for each payment card record, which could earn the threat actors up to $130 million USD.

A sample of the massive list. Source: Group-IB

So far, ethical hacking specialists do not know the source of the stolen information, although one possible explanation is that hackers collected these millions of records at points of sale or ATMs infected with some variant of data-stealing malware. Unfortunately, the evidence collected indicates that the information is legitimate, so the banking institutions and responsible authorities have already been notified.

After analyzing the list posted on the Joker’s Stash dark web site, the specialists concluded that almost 99% of the exposed payment cards were issued by banks in India, while the small remainder appears to be tied to some banks in Colombia. Previous reports from ethical hacking specialists claim that Joker’s Stash is one of the world’s leading illegal sales forums, with at least 49 servers and more than 500 domains associated with its operators.

Joker’s Stash sells not only compromised payment card records, but also personal records, social security numbers and even contact information of millions of people, obtained in multiple data breaches.

According to experts from the International Institute of Cyber Security (IICS), this dark web forum uses a blockchain-based domain name system (DNS), which helps users stay anonymous. As a result, a plugin is required to reach the blockchain-DNS version of the site via the top-level .bazar domain of Emercoin, the DNS used by the site operators.