A Carder’s First Experience

5 minute read

Posted by: Kiell

December 11, 2014

We do not support carding! This is for educational purposes only – and reflect the author’s own experience and views only.

At the time of this story, I was new to carding. Saying that I was “new” is a bit of an understatement. I had never used any Darknet markets, and I had barely any experience with Bitcoin. I had a lot to learn. This was my experience.

There are currently few major carding forums such as – Tor Carding Forums (TCF) and Rescator for example. Since Tor Carding Forums had a fee for registration, I decided to use Rescator. The website requires an account to access any listings or to make purchases, but it does not require any payment for registration.

There are two things that are unique about Rescator: first, it is centralized. As the rumor goes, Rescator was a reputable user from a now-defunct Russian forum. After this forum was infiltrated by law enforcement, he decided to open his own dedicated shop. Many of the recent security breaches, including Target and J.P. Morgan, can be traced back to a small group of people who include Rescator. Second, there is no escrow system. Once you release funds, there is very little you can dispute. The site’s only dispute resolution is in the form of tickets. I had to put a lot of trust in a single person.

There is also some terminology that is pretty exclusively used on carding forums. “Dumps” are the collections of data that are being sold. These are exactly what they sound like – disorganized dumps of all data that was collected. A “base” is a collection of dumps that were all skimmed from the same source. The data from the Target hack would be a base, while the data from the Home Depot hack would be another base. The names of these bases vary, ranging from names like, “Ronald Reagan” to “Beaver Cage”. The amount of data that you can expect to still be usable and valid is called the “validity rate”.

In order to purchase a dump, I had to transfer money into an on-site account. This is where Bitcoin came into the picture. I decided not to tumble my Bitcoins. Many people advocate that you must tumble your Bitcoins. The issue, however, is that tumbling Bitcoins does not make them impossible to trace – it just makes them difficult to trace. This is what we call, “security through obscurity”. I decided that, to be safe, I had to make my Bitcoins impossible to trace. Here was my plan: All Bitcoin transactions are publicly recorded on the blockchain. As long as you are trading on the blockchain, all transactions are connected. Therefore, I had to break the chain of transactions. To do this, I used a normal Bitcoin exchange. I converted my Bitcoin to Litecoin, then back into Bitcoin.

The act of purchasing was fairly straightforward. The website itself was very user-friendly. There was a basic filter that could be used to sort by base, country of origin, type of card, among other criteria. When I decided on the card information I wanted to purchase, I added it to my cart. At this point, in order to release funds and receive the dump, I simply clicked a “purchase” button. From the time a base is released, the validity rate will gradually decrease. After a security breach is discovered, companies and account holders begin to close accounts, and the data quickly becomes useless. Therefore, I chose a recent base: American Sanctions, information collected during the recent Home Depot breach.

This is what I got once I received my order. This, at first, was a bit confusing.

Here’s how card technology works: There are two to three tracks on the magnetic strip of a credit or debit card. Track 3 is sometimes not even present on cards, and most major networks only use tracks 1 and 2.

This is the format for Track 1: account number^Lastname/Firstname^expiration date(YY/MM)::bank key(3 numbers)::discretionary data or security key(in this case it was a CVC code – 3 numbers)::Longitudinal Redundancy Check.

This is the format for Track 2:

account number=expiration date(YY/MM)::service code(3 numbers)::discretionary data or security key (3 numbers)::Longitudinal Redundancy Check

A lot of the information from Track 1 is repeated on Track 2.

Now we can make my example meaningful:

Lets divide Track 1: 4631588xxxxx//<lastname>,<firstname>.//1601//101//163//03100495000000

Our primary account number is: 4631588xxxxx

Our account holder is: <lastname><firstname>

Our Expiration date is: 01/16

Our service code is: 101

Our CVC code is: 163

Once I had organized this information, it became a matter of cashing out the card.

The difficulty of actually using this information is figuring out how to use it anonymously. I decided that once again, I would turn to Bitcoin. There are several things a website asks you for when you use a debit or credit card: the primary account number, the expiration date, and the security (CVC) code. Since all of this was included in the dump, I could use the card online without any problems. I decided to purchase gift cards, which I would then sell for Bitcoins. After doing my Bitcoin > Litecoin > Bitcoin tumbling scheme mentioned earlier, I could deposit these into my wallet. However, I never got that far. My plan would have been successful…had the card holder’s account not been closed.

Overall, my experience was very positive. At first, I was just happy that I hadn’t gotten scammed; and after banging my head over my desk a few times, I ended up not being too upset over the card’s failure. After all, if I had purchased a card with an option for a refund, I would have been successful. Using the information, while an extensive process, was definitely doable. It worked very much like any market, with many helpful and honest members.. The people involved were not just criminals looking for easy money; they were interested in the technology and were more than willing to help me. The carding community was just as diverse as any community, and I discovered it was just as tight knit.

Updated: 2014-12-11