Research Reveals 28 IP Addresses and 85 Domains Powering Global Carding Market Infrastructure

  • 28 unique IP addresses and 85 unique domains were identified as hosting carding markets or carding forums during a recent cybercrime infrastructure study. These sites typically act as front-ends (such as login or landing pages) for underground marketplaces where stolen financial data is bought and sold.
  • The research covered observed activity between July and December 2025, using internet-wide scanning, passive DNS, and network telemetry to map the infrastructure tied to these illicit cybercriminal platforms.

What Are Carding Markets?

  • Carding markets are cybercrime sites — often hidden behind cloned storefronts — where stolen credit card data, payment credentials, and “fullz” (full identity details) are trafficked.
  • Unlike general hacking forums, carding forums emphasize fraud techniques, vendor reputations, phishing tools, and services to facilitate misuse of stolen financial data.

Methods Used in the Research

Researchers used:

  • Internet-wide scanning — to detect servers offering carding login or forum pages.
  • Passive DNS — to track how domain names resolved over time.
  • NetFlow analysis — to correlate related infrastructure and traffic patterns.
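The passive DNS step can be pictured as a pivot from one known domain to the IPs it resolved to, then to other domains seen on those IPs. The sketch below is an added example, not the researchers' tooling; the records, the `.example` domains, the documentation-range IPs and the `max_fanout` cut-off are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed passive DNS records: (domain, resolved IP, first seen, last seen).
# Domains use the reserved .example TLD; IPs come from documentation ranges.
PDNS = [
    ("shop-a.example", "192.0.2.10", date(2025, 7, 3), date(2025, 9, 1)),
    ("shop-b.example", "192.0.2.10", date(2025, 8, 15), date(2025, 12, 20)),
    ("shop-b.example", "198.51.100.7", date(2025, 10, 2), date(2025, 12, 20)),
    ("forum-c.example", "198.51.100.7", date(2025, 11, 5), date(2025, 11, 30)),
    ("old-d.example", "192.0.2.10", date(2024, 1, 1), date(2024, 3, 1)),
    ("unrelated.example", "203.0.113.5", date(2025, 9, 9), date(2025, 9, 30)),
]
WINDOW = (date(2025, 7, 1), date(2025, 12, 31))  # study period stated on the page


def in_window(first, last, window=WINDOW):
    """True if the resolution interval overlaps the observation window."""
    return first <= window[1] and last >= window[0]


def expand_cluster(seed_domain, records, window=WINDOW, max_fanout=50):
    """Pivot domain -> IP -> domain until no new nodes appear.

    IPs serving more than max_fanout domains are treated as shared hosting
    and skipped, so one busy server does not merge unrelated sites.
    """
    by_domain, by_ip = defaultdict(set), defaultdict(set)
    for domain, ip, first, last in records:
        if in_window(first, last, window):
            by_domain[domain].add(ip)
            by_ip[ip].add(domain)
    domains, ips, queue = {seed_domain}, set(), [seed_domain]
    while queue:
        for ip in by_domain[queue.pop()]:
            if ip in ips or len(by_ip[ip]) > max_fanout:
                continue
            ips.add(ip)
            for neighbour in by_ip[ip] - domains:
                domains.add(neighbour)
                queue.append(neighbour)
    return domains, ips


if __name__ == "__main__":
    found_domains, found_ips = expand_cluster("shop-a.example", PDNS)
    print(sorted(found_domains), sorted(found_ips))
```

A cluster produced this way is a lead, not proof of common ownership; each link still needs confirmation from page content or traffic data before it is used for blocking or a takedown request.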

Hosting & Domain Trends

  • Many of the 28 IPs belonged to offshore or privacy-oriented infrastructure providers, which offer minimal oversight and little cooperation with law enforcement, making takedown efforts harder.
  • The 85 domains associated with this infrastructure commonly used legacy or loosely regulated top-level domains (TLDs) such as .su, .cc, and .ru, which are often chosen for reduced scrutiny and cost.

Why This Matters

This research helps law enforcement, cybersecurity defenders, and financial institutions by:

  • Identifying previously unmapped backend servers that support criminal marketplaces.
  • Providing evidence usable in subpoenas or takedown requests.
  • Helping defenders build signatures to block or monitor known malicious IPs and domains before they are leveraged for fraud.

Broader Context

Carding is part of a wider cybercrime supply chain in which stolen credentials, malware services, and the distribution of victims’ financial data feed into underground economies. Detecting the technical infrastructure, such as IPs and domains, is one of the most proactive ways to disrupt these networks.