Carding Site BriansClub Hacked: 26 Million Payment Cards Stolen Again Drew Wilson | November 6, 2019 Major underground carding site BriansClub got hacked. In all, 26 million payment cards were stolen… again. In a story that could start with the phrase “yo dawg…” a major carding website got hacked. BriansClub, a darkweb site that specializes in the buying and selling of stolen credit cards, got hacked. In all, 26 million payment cards were stolen, or would that be “re-stolen”? Observers are saying that this highlights just how severe the problem of stolen credit cards are. Some even suggest that financial institutes are downplaying just how big of a problem this really is. Here’s a report from Krebs on Security: In September, an anonymous source sent KrebsOnSecurity a link to a nearly 10 gb set of files that included data for approximately 26 million credit and debit cards stolen from hundreds — if not thousands — of hacked online and brick-and-mortar businesses over the past four years. The data was taken from BriansClub, an underground “carding” store that has (ab)used this author’s name, likeness and reputation in its advertising since 2015. The card accounts were stolen by hackers or “resellers” who make a living breaking into payment card systems online and in the real world. Those resellers then share the revenue from any cards sold through BriansClub. KrebsOnSecurity shared a copy of the BriansClub card database with Gemini Advisory, a New York-based company that monitors BriansClub and dozens of other carding shops to learn when new cards are added. Gemini estimates that the 26 million cards — 46 percent credit cards and 54 percent debit cards — represent almost one-third of the existing 87 million credit and debit card accounts currently for sale in the underground. So, as hard as it is to keep up with it all, a website that stole the identity of a security professional, had their website hacked and had all their stolen payment cards re-stolen. All of this is being reported by the security professional who had his identity more or less stolen by the website. We have to be careful of the details here should we accidentally divide by zero here. On a more serious note, the information that was obtained by the data dump highlights just how much money goes into the buying and selling of stolen credit cards. The entire database represents roughly $556 million. The top 20 buyers on the site represent 5% of the entire data set. Krebs also pointed out the fact that all of this information was reported to the affected financial institutions. In response, the larger banks shrugged, saying that they knew about 90%-95% of the stolen payment cards already. As for the person who hacked the carding site, apparently the hacker claimed that the information was wiped from the site. Unfortunately, a security company reviewed the facts and found out that the information was still available on the site itself. It is speculated that those behind the site will continue to buy and sell the stolen cards under the thought that the banks won’t cancel every card. So, the criminals will continue to operate like nothing happened even though financial institutes are fully aware of the situation. The only difference is that this look into the criminal network has been exposed to the public. Drew Wilson on Twitter: @icecube85 and Facebook.