How 4 million payment card details wound up on the dark web (2024)

Here are some of the researchers’ key findings:

  • An average hacked payment card’s data costs less than $10, and hackers have millions of these ready to sell.
  • Visa card data was the most commonly available, followed by that of Mastercard and American Express.
  • Debit card info was more common than credit card info in the markets the independent researchers surveyed. Hacked debit cards put their victims at greater risk because debit cards tend to have fewer protective mechanisms in place.
  • The independent researchers found 1,561,739 sets of card details for sale on the dark web from the US during their research. This was far more than from anywhere else. But people in the US are not necessarily more at risk. Türkiye, for example, had less than half the card details available for sale per capita than the US, but the high proportion of non-refundable cards gives Türkiye a higher risk index score.
  • The risk index is based on one card per person, so the more cards you have, the more likely it is that one of them could have been hacked! This problem is particularly prevalent in the US, where more cards per person are in circulation, but Europeans also need to be aware of this phenomenon.

Hacked payment card numbers per US state

How 4 million payment card details wound up on the dark web (1)

Theft without theft? Brute-forcing explained

Database breaches aren’t the only way to get hacked payment card details anymore. Increasingly, the card numbers sold on the dark web are brute forced. But how does a brute force attack work?

Brute forcing is a little bit like guessing. Think of a computer trying to guess your password. First it tries 000000, then 000001, then 000002, continuing until it gets it right. Being a computer, it can make thousands of guesses a second. Most systems limit the number of guesses you can make in a short space of time to prevent these kinds of attacks, hackers have ways to get around this limit. After all, in such cases, bad actors don’t target specific individuals or specific cards. It’s all about guessing active card details that can then be sold through dark web marketplaces.

Here’s how it works:

Clever hackers can significantly cut down how many numbers they need to guess and check to find your payment card number. In fact, researchers at Newcastle University estimate that an attack like this could take as few as six seconds.

Tips on how to stay secure

Users can do little to protect themselves from this threat short of abstaining from card use entirely. The most important thing is to stay vigilant. Review your monthly statement for suspicious activity and respond quickly and seriously to notices from your bank that your card may have been used in an unauthorized manner.

Here’s what banks and other service providers can do to protect users:

  • Stronger password systems: Payment and other systems need to use passwords, and those passwords need to be strong. Every extra step is one that will make it harder for attackers to break in. To prevent inconveniences for users, banks could provide password managers — but good consumer options are also available.
  • MFA: Multi-factor authentication is becoming the minimum standard for security, so if your bank doesn’t offer it already, demand it or consider switching banks. Passwords are only one step, but verifying your identity using a device, texted code, fingerprint, or other security measure provides a huge step up in protection.
  • System security and fraud detection: Banks can use proven smart tools to detect and prevent attacks. Fraud detection systems can detect situations where thieves have succeeded. Banks can use tools like AI to track payment attempts, weeding out fraudulent attacks. Forcing payment systems and online merchants to bear the cost of fraud gives them a big incentive to improve their systems.
  • Dark web monitoring tools: Dark web monitoring involves regularly scanning underground marketplaces and hacker hangouts for signs of the user’s data. While many such tools (including NordVPN’s own Dark Web Monitor) are primarily geared toward rooting out leaked credentials, some financial institutions can monitor the dark web for stolen credit card information. By bringing the theft to your attention, dark web monitoring tools let you react quickly and alert the appropriate authorities before it’s too late.


Data collection: The data was compiled in partnership with independent researchers specializing in cybersecurity incident research. They evaluated a database that contained the details of 4,478,908 cards in total, including details of the type of card (credit or debit), issuing bank, and whether transactions were refundable. The data NordVPN received from the third-party researchers did not contain any information that relates to an identified or identifiable individual (such as names, contact information, or other personal information). We do not operate with the full numbers of payment card details sold on the dark web, because NordVPN has only analyzed a set of statistical data provided by independent researchers.

Analysis: The raw numbers only provide part of the picture. Population size and card usage vary between countries, and these are just two factors that can change the impact of the numbers.

We compared the statistical card data between countries with UN population stats and the number of cards in circulation by country or region from Visa, Mastercard, and American Express. This process allowed us to calculate a risk index to more directly compare how likely your card is to be available on the dark web by country.

We calculated the risk index using the following elements:

  • Number of cards in the database per capita for that country.
  • Number of cards in circulation for that country (based on country or regional data from Visa, Mastercard, and American Express)..
  • The proportion of non-refundable cards in the database for that country, with reduced influence on the overall index.

We then logarithmically normalized these numbers to produce scaled ratings between 0 and 1.

How 4 million payment card details wound up on the dark web (2024)


How did my card get on the dark web? ›

Your credit card information could have gotten published on the dark web due to a public data breach, having an online account compromised, credit card skimmers, using an unsecured WiFi network or falling for a spoofed website and entering your credit card information on it.

How much do credit card numbers go for on the dark web? ›

The Dark Web Price Index 2022 – based on data scanning dark web marketplaces, forums, and websites, revealed: Credit card details and associated information. Cost between $17-$120. Online banking login information costs $45.

How does credit card information get leaked? ›

Accidentally downloading malware or spyware can enable hackers to access information stored on your computer, including credit card information and other details. For example, a malware attack might use a keylogger that records your keystrokes or browser history and then sends that information to a hacker.

How many credit cards get hacked? ›

60% of U.S. credit card holders have been victimized by fraud, and 45% have experienced fraud multiple times. 52 million Americans had fraudulent charges on their credit or debit cards last year, with unauthorized purchases exceeding $5 billion.

How do you delete your data from the dark web? ›

It is generally implausible to remove data that has been disseminated within the Dark Web. Individuals whose PII has been discovered on the Dark Web are encouraged to enroll in an identity and credit monitoring service immediately.

What is the most common way of payment on the dark web? ›

Cryptocurrencies have become the preferred payment method on the Dark Web due to their anonymity, lack of regulation, and enhanced security features.

How much is someone's social security number worth? ›

A separate Experian estimate from 2017 has driver's licenses selling for $20 while, surprisingly, Social Security numbers can sell for as little as $1. Shopping logins range from $15.34 for Macy's Inc to $1.56 for Wayfair Inc and FreshDirect., Inc. and Walmart Inc logins each go for $9.00.

How much are stolen credit cards on the dark web? ›

US$17.36 is the average price of one stolen credit card's information, about $0.0033 per dollar of credit limit. US$171 is the average price of a physical, cloned credit card, or $0.0575 per dollar of credit limit.

How much is a credit card number worth on the black market? ›

According to this report, the going rate for a U.S. credit card number and a software-generated card verification number is worth $5 to $8. Data that includes the number as well as a bank ID number or a date of birth sells for $15.

Can the bank find out who used my credit card? ›

Yes. Tracking who used a credit card is often possible, especially if the fraud involved physical transactions at identifiable locations or digital transactions with traceable IP addresses and device information.

What happens if you buy something with a stolen credit card online? ›

A card issuer will typically issue a temporary refund while the company investigates a disputed charge, which sometimes takes 30 to 90 days. If your credit card information is stolen, your identity may have been, too. Freeze your credit until you can determine if your identity is safe.

How did someone get my debit card info if I never used it? ›

Thieves can obtain your card number, expiry date, and security code using different techniques. They can use skimming devices placed on ATMs or point-of-sale payment terminals or phishing scams where they trick you into revealing your card details or hacking into databases that store card information.

What information does a scammer need to access my bank account? ›

The easiest way to become a victim of a bank scam is to share your banking info — e.g., account numbers, PIN codes, social security number — with someone you don't know well and trust. If someone asks for sensitive banking details, proceed with caution.

Do banks refund scammed money? ›

Your bank may refund money from a scam depending on the type of scam and the bank's policies.

Can my debit card be scanned while in your wallet? ›

Similarly to card skimming, card scanning is a type of payment card theft where the fraudster with a scanning device gets close enough to your bag or wallet to scan your card number. This type of fraud is enabled by the fact that today's payment cards typically work on Radio Identification Frequency (RFID) technology.

How did my personal information get on the dark web? ›

If you're wondering “how does one's personal information get on the Dark Web?”, the answer includes data breaches, scams, and a very diverse range of cyber-attacks (phishing through email, private messages and voice calls, social media impersonation, malware infections or digital identity theft).

Why is my number on the dark web? ›

Your phone number might end up on the dark web through data breaches from websites or companies where you've shared your contact details, often due to weak security or cyberattacks.

Should I be worried if my information is on the dark web? ›

Being notified that your information has been found in a data breach or on the dark web, as its name suggests, shouldn't be taken lightly. It's likely not an occasion to full-on panic, but it probably suggests some next steps.

Can I check if my information is on the dark web? ›

Run a free Dark Web scan

This is a good place to start — however, free scanners only check for email addresses (and sometimes phone numbers). To see if your financial data, SSN, or IDs have been leaked, you need to sign up for a Dark Web monitoring service.


Top Articles
Latest Posts
Article information

Author: Virgilio Hermann JD

Last Updated:

Views: 5765

Rating: 4 / 5 (61 voted)

Reviews: 92% of readers found this page helpful

Author information

Name: Virgilio Hermann JD

Birthday: 1997-12-21

Address: 6946 Schoen Cove, Sipesshire, MO 55944

Phone: +3763365785260

Job: Accounting Engineer

Hobby: Web surfing, Rafting, Dowsing, Stand-up comedy, Ghost hunting, Swimming, Amateur radio

Introduction: My name is Virgilio Hermann JD, I am a fine, gifted, beautiful, encouraging, kind, talented, zealous person who loves writing and wants to share my knowledge and understanding with you.