Carding

Carding is a broad term describing the criminal activity of exploiting stolen payment card data. At its core, it involves obtaining card details — through purchase of fullz or dumps on dark-web markets, phishing, or data breaches — and using them to make unauthorised transactions or sell goods that are then liquidated.

A key step in carding is 'checking' or 'testing' cards: fraudsters use automated scripts or manual attempts on low-scrutiny merchants to verify whether a stolen card is still active before attempting larger purchases. This testing phase is also called a BIN attack or enumeration attack when many card numbers are systematically tested at once.

Once valid cards are confirmed, carders may purchase physical goods for reshipping, buy gift cards (which are harder to trace), or sell the verified card data at a premium. Carding forums on the dark web provide tutorials, tools, and marketplaces. Anti-carding measures include 3DS authentication, velocity checks, device fingerprinting, and CAPTCHA on payment pages.