B1ack’s Stash Releases 4.6 Million Stolen Credit Cards for Free

A notorious Dark Web carding marketplace is making headlines again. B1ack’s Stash, one of the most active illicit card shops on the Dark Web, has announced the free release of approximately 4.6 million stolen credit card records, this time framing it as a response to seller misconduct on its own platform.

B1ack's Stash forum post announcing the 4.6 million CC freebie release

B1ack’s Stash forum post announcing the 4.6 million CC freebie release

What Happened? B1ack’s Stash Dumps 4.6 Million Cards for Free

Through a forum post targeting the criminal underground, B1ack Stash recently declared the suspension of approximately 8 million stolen CVV2 records from its active inventory. The stated reason: sellers on the platform had been reselling cards purchased from B1ack’s Stash in competing shops, violating the marketplace’s internal rules.

Rather than simply removing the affected cards, the operator/s behind the marketplace chose to release approximately 4.6 million of them as a free download, directing users to the marketplace’s Freebies section. The post also extended an olive branch to sellers deemed trustworthy, offering them a “second chance” through a support ticket system, and teased the upcoming launch of a new card database.

The announcement was written in both English and Russian, consistent with the marketplace’s established communication style, targeting an international criminal audience.

What Does the Leaked Data Look Like?

The sample data shared as part of this release follows a structured format typical of carding databases. Each record contains:

Full credit/debit card number (16-digit PAN)
Expiration date (month/year)
CVV2 code
Cardholder’s full name
Billing address (street, city, state, ZIP code, country)
Email address
Phone number
IP address

The data appears to be sourced from e-commerce skimming or phishing operations, given the presence of full cardholder identity details alongside payment data.

Sample from the credit card data dump

SOCRadar’s analysis found the records consistent with genuine compromise data, passing BIN and algorithm checks. After filtering duplicates, expired cards, and previously known entries, an estimated 4.3 million cards appear to be net new and potentially actionable. SOCRadar’s validation of the dataset is ongoing.

Who Is Most Affected?

SOCRadar’s Dark Web team analyzed the released dataset and identified clear geographic and demographic patterns that shed light on the scope and likely origin of the compromised records.

Geographic Distribution

The United States accounts for the overwhelming majority of records – roughly 70% of the entire dataset – making American cardholders by far the most heavily represented victims. Canada and the United Kingdom follow at a significant distance, with France and Malaysia rounding out the top five. The presence of Asian financial hubs like Hong Kong, Singapore, Thailand, and Malaysia in the top 15 suggests the dataset is not solely the product of a single regional operation, but draws from multiple skimming or phishing campaigns targeting English-speaking and high-purchasing-power markets globally.

Email Domain Breakdown

The email domain breakdown reinforces the US-centric nature of the leak. Gmail addresses account for nearly half of all records with an associated email, followed by Yahoo and Hotmail at a considerable gap. The presence of US ISP-linked domains such as comcast.net, verizon.net, att.net, and sbcglobal.net further supports the conclusion that a substantial portion of victims are US-based consumers. Notably, two lesser-known domains (rhyta.com and dayrep.com) also appear in the top 15, which are associated with disposable or fake email generation services.

Taken together, the geographic and email data paint a picture of a dataset that is heavily weighted toward high-value Western markets, with particular emphasis on the United States – consistent with the profile of victims typically targeted by large-scale e-commerce skimming infrastructure.

Who Is B1ack’s Stash?

B1ack’s Stash is a Dark Web carding marketplace that has been operating since at least 2023 and has steadily grown into one of the more prominent platforms for buying and selling stolen payment card data. For a detailed breakdown of the marketplace’s infrastructure, history, and operational tactics, see SOCRadar’s dedicated Dark Web Profile: B1ack’s Stash.

This Is Not the First Time: A Pattern of Free Releases

The 4.6 million card release is the latest in a series of high-profile free dumps by this threat actor.

In February 2025, SOCRadar documented B1ack’s Stash releasing 4 million stolen credit cards for free in what appeared to be a calculated move to attract new buyers and establish marketplace authority. That release garnered significant attention across the cybersecurity community and confirmed the operator’s willingness to sacrifice short-term revenue for long-term platform growth.

A previous free release from B1ack’s Stash featuring 4 million credit cards

A previous free release from B1ack’s Stash featuring 4 million credit cards

This latest release of 4.6 million records follows the same playbook: large volume, free access, and a narrative that positions the operator as acting in the interests of legitimate buyers rather than simply dumping unwanted data. The “seller misconduct” framing is a new wrinkle, but the underlying strategy remains consistent: use free data to grow the user base and reinforce marketplace credibility.

What Are the Cybersecurity Risks?

The richness of the leaked records – full PAN, CVV2, expiration date, billing address, full name, email, phone, and IP address in a single entry – creates compounding risks that go well beyond simple card fraud.

Financial Fraud and Unauthorized Transactions

The most immediate threat is card-not-present (CNP) fraud. Complete card details combined with billing addresses make AVS bypass straightforward, undermining one of the most common fraud control layers. Expect fraudulent online purchases and bulk reselling of the data to accelerate in the weeks following this release. Major free dumps consistently trigger a measurable spike in downstream fraud activity as lower-skilled actors pile in.

Identity Theft and Phishing Enablement

The PII included in each record is enough to open fraudulent accounts, apply for credit, or craft highly convincing phishing lures. Email addresses can also be cross-referenced with other breach databases for credential stuffing. SOCRadar’s Dark Web Monitoring tracks exactly this kind of cross-dump correlation, alerting organizations when their customers’ data surfaces in new releases before fraud activity peaks.

SOCRadar’s Dark Web Monitoring

What Should Organizations and Individuals Do?

For Individuals

Monitor statements closely – fraudsters typically test cards with small charges before escalating.
Enable real-time transaction alerts on all payment cards.
Request a new card number if you’ve shopped online recently, especially with smaller merchants.
Be skeptical of unsolicited outreach that references your real personal details – the identity data in this dump makes social engineering far more convincing than generic phishing.

For Organizations and Security Teams

Get ahead of it with Dark Web Monitoring. SOCRadar tracks threat actors and underground forums continuously, surfacing customer exposure before chargebacks signal a problem. Waiting for fraud to appear in your transaction logs means you’re already behind.
Review CNP fraud thresholds for transactions with billing addresses matching patterns in this dataset.
Cross-reference the dump’s IP addresses and email addresses against your own logs to identify potentially compromised accounts.
Communicate proactively with customers – early notification reduces fraud and protects brand trust.