It’s Groundhog’s Day in the cybercriminal underground. Once again, in an eerie repetition of the first half of 2020, the underground market for stolen credit cards plummeted nearly 40% in the first six months of 2021, with a total of 28,934,392 compromised cards offered for sale on the dark web. This marks a significant decline from the total 45,130,117 compromised cards observed in the second half of 2020.

This current ebb may be the result of several factors. One explanation may be the closure of credit card markets (either due to crackdowns by law enforcement or threat actor ‘retirement’). Secondly, the pandemic-driven acceleration towards contactless payments, including mobile wallets and contactless chip cards, has presumably reduced the use of credit cards – resulting in fewer transactions and, accordingly, less opportunity for fraud. Additionally, lenders appear to have been more temperate in issuing new cards during the pandemic, as reflected by the drop in the number of credit card accounts in the US from 457.6 million in Q1 2020, to 454.6 million in Q1 2021.

Still, despite these apparent trends, in the rapidly evolving cyber landscape, threat actors are likely to continue modifying and adapting their techniques, finding new opportunities to siphon funds out of unsuspecting victims’ wallets.


In the first half of 2021, two underground shops dominated approximately 53% of the total market share – with Market 1 (a consistent high-performer over the past two years) raking in a staggering 34% and Market 2 claiming an impressive 19%. Notably absent from the list of top markets in H1 2021, however, was a popular credit card market that had previously maintained a consistent and coveted spot in the top 10 most popular markets over the past years. Before ceasing operations in the beginning of this year, the former crowd favorite had comprised 11% of the market share in H1 2020 (#2) before plummeting to holding only 2% of the market share in H2-2020 (#7) – a rapid decline that apparently signified the beginning of the end. Still, even on the precipice of underground obsolescence, had the market remained open and maintained the same amount of cards it posted in January 2021 (100,096 – low by its standards, but still the 8th highest number of cards posted on the underground that month), it would have held the #8 spot in the market leader board for H1 2021.


Our examination of the global distribution of compromised cards revealed that cards issued in the United States are vastly over-represented in comparison to those originating from other countries. America’s unfortunate status as global leader of targeted financial fraud is unlikely to change. American card holders have an outsized share of credit cards in comparison to the global average, holding ~25% of the total world share. This is coupled with the perception that cards issued in the U.S. generally enjoy a higher yield and purchasing power in comparison to cards issued by other countries, thereby increasing their attraction for threat actors.

Meanwhile, despite Russian actors continuing to comprise a large segment of the cybercriminal underground, compromised Russian credit cards are conspicuously underrepresented on the underground credit card markets, with a mere 974 cards. This low number is fairly consistent and stands in line with the principal that Russian threat actors can act with impunity as long as they do not target Russian or CIS citizens. Violation of this tacit agreement in March 2020 had devastating implications for the cybercriminal ecosystem, with the digital underground still struggling to recover from the supply-void following a major crackdown by Russian law enforcement against threat actors who dared to target Russian citizens.


Distribution of compromised credit cards between the four major payment networks falls parallel to their respective order of purchasing volumes. Visa leads the pack, holding 57.6% of the credit cards offered for sale on the underground, followed by Mastercard (25.6%), American Express (11.7%) and Discover (4.8%). Despite having recovered from the anomalous jump to 38% in the second half of 2020, compromised American Express cards are likely to continue trending upwards due to the high purchasing power of the cards compared to the total number in circulation, making AMEX cards more attractive as a high yield card to target.


Stolen credit cards offered for sale on the underground come in two forms: those categorized as ‘dumps’ and those including CVV/CVV2 information. ‘Dumps’ contain segments of unencrypted data located on the magnetic strip of a card, including the cardholder’s name, account number, and other validating points used by banks to verify purchases. Cards from dumps require the creation of a physical clone of the card, and must be used physically for in-person purchases.

CVV/CVV2 information, on the other hand, provides the 3- or 4- digit code on the back of the card required for remote transactions, such as online or phone purchases. Cards sold in CVV/CVV2 format may also include additional Personally Identifiable Information that can be exploited by threat actors for identity fraud and other criminal activities. Providing anonymity, considerably less risk and immediate usability, CVV/CVV2 cards are generally more attractive and higher in demand, with a typical ratio of ~60% CVV/CVV2 to ~40% dumps. The first six months of 2021 proved no exception, with a distribution of 58% CVV/CVV2 data and 42% for dumps.


Despite the obstacles facing threat actors (namely, the closure of popular markets and accelerating trends towards other forms of digital payment), stolen financial data remains a lucrative commodity in the underground economy. Given the profitability of stolen credit cards for cybercriminals, these new challenges will undoubtedly be met with innovative solutions by threat actors.

Accordingly, in spite of continued efforts by law enforcement agencies, credit card networks, banks, and retailers to improve security, fraudsters are expected to adapt and evolve their skills and techniques, finding new methods to exfiltrate sensitive payment credentials from cards being utilized both virtually and physically.

Download the full report to access Cybersixgill’s recommendations on how to mitigate the ongoing risks related to financial fraud.