SOCRadar® Cyber Intelligence Inc. | BidenCash Carding Shop Returns With a Larger Credit Card Dump


Oct 10, 2022
4 Mins Read

BidenCash Carding Shop Returns With a Larger Credit Card Dump

[Update] May 17, 2023: BidenCash has started buying and selling SSH credentials. The marketplace is now offering related new services. Added the subheading: “BidenCash Shifts Operations, Selling SSH Access for Cyber Attacks.”

BidenCash carding shop released another advertisement dump, including information on 1,221,551 credit cards. The dump is available to anyone for free.

BidenCash dump download page
BidenCash dump download page

Last month, BidenCash launched new domains in response to distributed denial-of-service attacks. BidenCash publicized their offer on these new domains, possibly to promote them, as well as on their clearnet website and other hacking forums

Along with credit card numbers, the dumped data lists:

  • Expiration dates 
  • CVV numbers 
  • Holders’ name 
  • Bank names 
  • Addresses 
  • Emails 
  • Social security numbers 
  • Phone numbers

Another Promotional Campaign 

BidenCash made the same move when the carding site was newly launched, on June 16, in order to boost it. The shared file had approximately 8 million lines of information, including email addresses, with about 6,700 credit cards. 

The card information offered in the BidenCash marketplace is gathered using a variety of website skimmer and infostealer malware attacks.

SOCRadar continuously monitors cybercriminal forums for fraudulent activity and can detect if your credit card information is stolen and ends up in dark web channels. You can search SOCRadar’s Breach Database to find out if your sensitive data is shared in blackmarkets.

D3Lab’s Twitter post relating to the incident
D3Lab’s Twitter post relating to the incident 

Most of the records in the dump appear to be from the United States and contain credit card information with expiration dates between 2023 and 2026

The “bigger leak” may be fake or old data that has been recycled, as large-scale dark web posts and offers are frequently frauds. Although, D3Lab has confirmed that about 30 percent of the data offered by BidenCash is new, and some valid data is related to Italian banks.

BidenCash Shifts Operations, Selling SSH Access for Cyber Attacks

BidenCash marketplace has changed its primary business model from selling leaked credit card information and has started selling SSH access

On a Russian-speaking hacker forum, the BidenCash marketplace announced the following features as its new services: 

  • Shell presence check
  • CPU/RAM information
  • Server flag information
  • Geolocation check
  • SOCKS5 port availability check
  • Check of IP addresses against blacklists (Spamhaus,, Spamcop, SouthKoreanNBL, and Barracuda BBL)
  • Validity check before issuing SSH to ensure that no dead accesses exist 

BidenCash is offering the SSH services for as low as $2. This poses a severe threat, as threat actors can use the powerful processing capabilities of the servers to launch cyber attacks. With the availability of affordable and powerful SSH servers on BidenCash, malicious actors can engage in activities like data theft, ransomware, DDoS attacks, and cryptocurrency mining.

The marketplace encourages other cybercriminals to join and takes 30% commission for each sale. Researchers explain that BidenCash’s SSH inventory includes over 850 SSH servers with varying architecture, CPU configurations, and countries, and the prices range from $2 to $10.

The sellers on the marketplace stand to make an average of $3,570 every five days, while BidenCash itself would receive $1,530 in commission. This offering has already received positive feedback from threat actors on various dark web forums, which may lead to more cyber attacks.

The existence of the BidenCash, now as an SSH marketplace, can increase the scope and scale of attacks, making it essential for organizations to ensure the security of their systems and keep their SSH servers secure.