All Your Cards Are Belong To Us:

Understanding Online Carding Forums

Andreas Haslebacher, Jeremiah Onaolapo, and Gianluca Stringhini

University College London
andreas.haslebacher.14@ucl.ac.uk
{j.onaolapo,g.stringhini}@cs.ucl.ac.uk
Abstract—Underground online forums are platforms that The body of research into underground forums is growing
arXiv:1607.00117v2 [cs.CR] 24 Jan 2017

enable trades of illicit services and stolen goods. Carding forums, but still limited. In particular, there are only a few studies
in particular, are known for being focused on trading financial available about credit card related forums. These studies
information. However, little evidence exists about the sellers that mainly focus on the organisation and the structure of the
are present on active carding forums, the precise types of products forums but less on the content itself, that is, the products
they advertise, and the prices buyers pay. Existing literature
mainly focuses on the organisation and structure of the forums.
traded and the activity of the traders on these forums [3]–
Furthermore, studies on carding forums are usually based on [5]. In addition, existing studies are usually based on either
literature review, expert interviews, or data from forums that expert interviews or examinations of forums that have been
have already been shut down. This paper provides first-of-its-kind shut down by law enforcement agents. Active forums are
empirical evidence on active forums where stolen financial data is rarely analysed. The examination of closed forums may be
traded. We monitored five out of 25 discovered forums, collected problematic since they may differ from those still existing,
posts from the forums over a three-month period, and analysed especially when this difference is the reason why they are
them quantitatively and qualitatively. We focused our analyses on closed. Moreover, cybercrime evolves rapidly and tackling this
products, prices, seller prolificacy, seller specialisation, and seller type of crime requires an understanding of the current situation
reputation, and present a detailed discussion on our findings. and activities.
Keywords—carding forums · underground forums · CVV In this paper, we collected data directly from the dis-
cussions on the underground forums that we studied, with
I. I NTRODUCTION emphasis on product offers and advertisements posted by
potential sellers on the forums. Since sellers come earlier in
£479 million of fraud losses on UK issued credit and the fraud chain than the other actors, it might be more efficient
debit cards were recorded in 2014 [1]. Almost 70% of these to tackle credit card fraud by stopping sellers than buyers, for
losses originate from “remote purchase fraud.” This category example. As a result, we excluded buyers and money mules
of fraud denotes that card details obtained through illicit from this study (we will study them in future work).
methods such as phishing, skimming or hacking are used for
fraudulent online transactions. Since consumers have mostly Research question. In order to overcome the literature gaps
shifted from cash to transactions via payment cards and have and methodological concerns we highlighted earlier, this paper
become accustomed to online payments, opportunities for theft aims to shed light on the current situation of underground
of payment card details have soared and they have attracted online forums by analysing real data collected from active
the attention of cybercriminals. forums. We set out to answer the following research question:
What does the current situation of underground credit card
Theft of card information is usually the first step in the forums look like? That is, what are the typical features of the
chain of credit card fraud. Further stages are resale, validation forums, what products are sold and how can the activity of the
and monetization of the stolen data. These deals and activities traders be characterised?
take place in a massive underground economy, usually aided
by underground online forums. These forums are popular Hypotheses. After studying existing research literature, we
platforms where card details are traded, thus generating huge defined the following hypotheses to guide our analyses:
revenues for cybercriminals. On these forums, fraudsters typ- • Hypothesis 1 (H1 ). Prices of credit card numbers com-
ically open a thread and write an advertisement for their bined with additional information about the cardholder
products as a first posting. Potential buyers either reply within are higher than prices of credit card numbers alone.
that thread asking to contact them or they contact the seller
themselves using private message services or instant messaging • Hypothesis 2 (H2 ). On active carding forums, a small
services like ICQ. number of traders are responsible for a large propor-
tion of traffic.
The sales volumes thus generated appear to be substantial.
• Hypothesis 3 (H3 ). Specialisation is discernible on
It is estimated, for example, that the closure of several credit
carding forums, that is, most of the traders sell only
card related forums in 2012 prevented international fraud to the
one product type.
tune of £500 million [2]. It is therefore important to understand
the characteristics of these online forums and the activity of • Hypothesis 4 (H4 ). Specialised traders sell their prod-
cybercriminals using them. ucts at lower prices than unspecialised traders.
 • Hypothesis 5 (H5 ). The carding forums under analysis numbers were available for $0.06. Shulman [11] mentions
have working reputation systems that are sophisticated three reasons that account for this decline: CVVs are becoming
as those of legal marketplaces. a commodity, monetizing information is more difficult and
credit cards are beset by stolen online credentials. In the April
• Hypothesis 6 (H6 ). The vast majority of actors are not
2015 report on Internet security, Symantec [12] indicates a
operating on more than one forum.
price range of $0.50-$20 for CVVs. These rates, on the one
Our analyses confirmed H1 , H2 and H6 . H4 was partially hand, confirm that there are details sold at low prices and, on
rejected, while H3 and H5 were completely rejected. Details the other hand, show that there are still cards sold for $20.
of the analyses are in Section IV. Sood and Enbody [13] provide a more detailed estimation
Contributions. In this paper, we established an outline of of rates charged per credit card number. Numbers from the
active forums and their defining features. To this end, we ana- USA cost $4-$10 on average, from Canada $5-$7 and from the
lyzed five carefully selected active forums in detail regarding UK $6-$8. Classified according to credit card types, a classic
their traders and products. This investigation thus provides in- or standard credit card number from the USA or Canada costs
sights into current underground online forums, unlike previous $8-$10, a gold card $15-$20 and an Amex $6-$10. Classic
work that studied forums that were shut down. This paper and Amex cards are the cheapest in the listing of Sood and
provides some insights into product proportions on carding Enbody [13]. Nevertheless, they are still more expensive than
forums, since existing literature does not provide any sound the lower limits of their quoted price range ($4/$5). However,
information on that. Overall, we present a comprehensive it is not ideal that these rates have not been observed but
overview of carding forums. We identified various product estimated and it remains unclear on which basis they have
types with different prices. Our findings suggest that a small been calculated.
number of traders are responsible for the majority of the traffic
Reasons for price differences include the types of cards
observed on the underground forums. A distinct pattern of
and countries of origin, as already mentioned, in addition to
seller specialisation is not yet discernible from our findings.
the rarity and the quantity of the products to be purchased [14].
Discounts on purchases of large card quantities lower the price
II. BACKGROUND AND R ELATED W ORK per item. Furthermore, cards with more personal information
In this section, we explore products sold on underground available, with high balances and extended expiration dates
forums, their prices, seller prolificacy, seller specialization, and and freshly acquired cards tend to be more expensive [6].
seller reputation, as presented in previous work. In addition, we
Since there is no sound information available on the
develop some hypotheses from the general findings presented
product proportions on carding forums so far, this paper
in existing literature. These hypotheses form the basis of our
provides some insights into that. Existing literature does not
analysis, presented later in this paper.
state reliable prices for dumps or fullz. As cards containing
more information tend to be more expensive than those with
A. Products and prices less information, however, we infer and hypothesise (H1 ) that
Products and services traded on carding forums can gener- prices for fullz are higher than those for credit card numbers.
ally be classified as credit card information, bank account in- For dumps, no hypothesis can be formulated derived from ex-
formation, credentials or online payment services [6]. In 2011, isting research literature. Due to the effort needed to monetise
Motoyama et al. [7] analysed the records of six closed forums the information, low prices would be expected. However, once
and identified online payments, game-related accounts, credit copied and successfully used to conduct a transaction, such a
cards and financial accounts as being the items most traded. clone might be a lucrative means of payment. Also, the efforts
Stone-Gross et al. analysed the Spamdot forum, studying the necessary to steal the data (e.g. skimming dumps in a restaurant
tightly connected community of buyers and sellers that were or collecting data on fake Internet sites) does not give a clear
active on it [8]. Onaolapo et al. showed that cybercriminals indication of the expected price differences between dumps
active on such forums actively look for free samples of and CVVs.
stolen credentials, and assess their quality before making a
purchase [9]. B. Seller prolificacy
Credit card information is generally divided into three
Generally, there are several types of participants on the
groups: credit card numbers, dumps, and fullz [10]. Credit
forums: sellers, buyers, intermediaries, mules, administrators,
card numbers (also known as “CVV”) include at least the
and others. These roles are not mutually exclusive; sellers
information printed on the card, that is, actual credit card
may simultaneously be buyers. Although the total number
number, cardholder name, expiration date and security code
of participants is in unclear, Ablon et al. [6] argue that,
CCV2 on the back of the card (not to be confused with CVV),
based on expert interviews and literature review, the total
and sometimes, the billing address and phone number. Dumps
number of participants on the forums is likely to rise. The
denote information from the tracks on the magnetic stripe of
increasing spread of different marketplaces and forums would
a card. These data are required to clone physical credit cards.
facilitate access to one of them. At least from a historic
Fullz provide further information on the cardholder including,
perspective, Christin [15] confirmed this growth of participants
for example, date of birth or social security number [10].
on underground platforms as he observed a linear increase
On the prices sought for products on carding forums, of sellers during his half-year analysis of Silk Road, a large
Shulman [11] states that, in 2006, credit card numbers were underground marketplace. In the aftermath of Silk Road’s
traded for $1-$25 each. Only two years later, credit card take-down in 2013, the number of sellers on competitor- and
newcomer-marketplaces has substantially increased, surpassing Their findings are supported by research literature. Sood and
the original number of sellers on Silk Road [16]. Enbody [13] also identified specialisation as a trend in under-
ground markets. They argue that these markets are increasingly
In terms of geographic location, forum users come from accessible to people with various technical skills. Hence,
all over the world. Regarding the sellers, De Carbonnel [17] there is a division of labour due to differing skills. While
claims that Russian participants deliver the best quality, while analysing seller characteristics on black marketplaces, Soska
participants from China, Latin America and Eastern Europe and Christin [16] discovered numerous specialised sellers,
are the leaders with respect to quantity. These geographic though there was a notable number of vendors selling different
patterns, however, vary depending on the types of forums and products as well.
the services provided. An analysis of a marketplace offering
SEO services locates the sellers mainly in India, Bangladesh, These findings indicate that specialisation is present in the
and the USA [18]. underground ecosystem as in the legitimate business world.
Hence, we hypothesise (H3 ) that specialisation is also dis-
Examinations in relation to sales quantity reveal substantial cernible on carding forums, that is, most of the traders sell
differences in seller prolificacy. Farooqi et al. [18] identified only one product type.
an “insider ring” composed of several top sellers. This means
that a small number of traders account for a large proportion What does that mean in terms of product prices? We did not
of traffic on the marketplace. One common characteristic is find any association between specialisation and product prices
that they joined the community very early and are frequent in existing literature. Resorting to economic theories [23],
visitors to the pages. Christin [15] agrees on the existence of there are long-established economic “laws” that basically state
several long-time sellers but also reports on a continual “come that concentrating on one production task leads to a higher
and go” of sellers. It is unclear, however, whether they leave efficiency at that particular task. This efficiency enables an
the community after having made sales or due to unsuccessful increase in production compared to unspecialised suppliers.
attempts. Due to such economies of scale, products and services can
be offered at significantly lower costs and prices can be cut.
In terms of seller prolificacy, Motoyama et al. [7] analysed Applying this to traders on carding forums, we expect cost-
the records of 6 closed forums and concluded that 10% of and price-reducing effects when sellers specialise in trading
the sellers are responsible for 40%-50% of the goods traded. of a single product category (due to the economies of scale).
More generally expressed, Décary-Hétu and Leppänen [19] Thus, we hypothesise (H4 ) that specialised traders sell their
reason that some sellers are more effective than others. Their products at lower prices than unspecialised traders.
conclusion is based on counting of advertisements of sellers on
one underground forum. However, it is doubtful that counting
D. Seller reputation
ads is the right approach of quantifying success. Moreover, the
analysis of several forums instead of one might have produced One key aspect in the underground economy is reputa-
more reliable results. tion [6], [7], [19]. A reputable seller is more likely to be trusted
and thus more likely to engage in trades and to complete
It is common ground among crime scientists that crime is
transactions. On forums, reputation is usually established by
distributed neither randomly nor evenly [20]. That implies a
positive customer feedback. Buyers may rate their sellers
small group accounts for more offenses than its expected share
by giving positive ratings if the ordered products have been
would be. As earlier stated, studies on marketplaces suggest
successfully delivered, and negative ratings if the seller has
the presence of some highly prolific users. We hypothesise
not delivered and was rather a ripper. Consequently, a seller’s
(H2 ) that on active carding forums, a small number of traders
positive reputation score presents his/her threads in a more
are responsible for a large proportion of traffic.
credible light, and these sellers have a higher chance of
acquiring multiple customers [22].
C. Seller specialisation
However, the effort to establish baseline reputation appears
Looking at the products sold per seller, several studies to be laborious. Before half of traders receive their first
found evidence of specialisation amongst sellers. Derived from positive feedback, for example, they write approximately sixty
literature review and expert interviews, Kraemer-Mbula et posts [7]. In this case, the reputation process is intrinsically
al. [21], for example, promote an ecosystem perspective to peer-driven. Sellers are dependent on recommendations by
understand the actions of underground traders. Comparable to buyers. Sometimes, forum administrators provide a vetting
the legitimate business community, underground ecosystems process, often in addition to the peer-driven process and often
includes actors that compete against each other, targeting with intransparent criteria. In those cases, entry costs are
competitive advantage. They try to reach this advantage by relatively high and access to higher tiers is tight [6].
specialising in a particular type of product [21].
The emphasis on reputation and trust means that it is in-
By applying a framework of social organisation, Holt [22] dispensable for competitive forums to have a well-functioning
identified specialisation on underground forums too. While one reputation system. Again, since the above-mentioned findings
third of sellers offered various products, two thirds focused are widely based on expert interviews and therefore remain
on only one product category. As the Symantec report [12] relatively vague, the actual status regarding currently running
illustrates, there are perpetrators specialising in writing viruses, carding forums is not known. Since trades on carding forums
in distributing malware or in monetising credit cards, for depend on relationships between mutually distrustful parties,
example. In recent years, Symantec has observed an increasing we argue that trust is even more important than in legitimate
professionalisation in all aspects in the underground economy. trades. In the event of an unsuccessful deal, the parties hardly
 Forum name Forum address (http://...)
have any legal remedies and countermeasures available, except
Agoraforum lacbzxobeprssrfx.onion/
for a negative reputation rating. We thus hypothesise (H5 ) that Altenen www.altenen.com
the carding forums to be analysed have working reputation Crdpro crdpro.su
systems that are at least as sophisticated as those of legal Crimenetwork crimenc5wxi63f4r.onion
Cardingforum www.cardingforum.org
marketplaces, for instance eBay. This expectation applies only Hackingforum hackingforum.ru
to open forums where everybody can participate. Unixorder www.unixorder.com
Crdclub crdclub.ws
As discussed, the efforts needed for gaining trust are Carderscave www.carderscave.ru
extensive. A consequence might be that sellers concentrate on Infraud infraud.cc
Lampeduza lampeduza.so
establishing reputation on one specific forum instead of several Blackstuff www.blackstuff.net/forum.php
forums. It is therefore not expected that sellers are present on Bus1Nezz bus1nezz.biz
multiple forums. By assuming this, we support Motoyama’s Cardingmafia www.cardingmafia.ws
Bpcsquad www.bpcsquad.com
et al. [7] expectation of non-existing multiple accounts. In Procarder www.procarder.ru
contrast, we disagree with Ablon et al. [6] who argue without Cardersforum www.cardersforum.se/
providing any reasons that sellers would advertise on multiple Crimes crimes.ws/
Carderbase carderbase.su
marketplaces. We hypothesise (H6 ), therefore, that the vast Carder carder.me
majority of actors are not operating on more than one forum. Darkstuff www.darkstuff.net
Coinodeal coinodeal.com
Tuxedocrew www.tuxedocrew.biz
III. M ETHODOLOGY Privatemarket privatemarket.us
Omerta omerta.cm
In this section, we describe our data collection approach.
We collected names of underground forums from various TABLE I: Names and web addresses of discovered forums.
sources, and selected 5 forums that matched our selection The ones we focused on are highlighted in boldface text.
criteria for examination. Data spanning a period of three
months was collected from the forums, and we tested our
hypotheses on the data.
To narrow down the analyses, we chose five out of the
25 forums (see Table II) for detailed examination: Altenen,
A. Forum search Crdpro, Crimenetwork, Bpcsquad, and Tuxedocrew. The first
three are the largest forums we found (as measured by number
The first step of the examination is the forum search.
of posts) and should thus be the most fruitful ones. We
We took the following steps to find carding forums: First,
excluded Agoraforum despite possessing the greatest number
we collected names of forums that were mentioned by
of posts, because 99% of its posts are requests for referral
research literature. Second, we carried out searches via
links for registration on Agora Marketplace. Tuxedocrew is
Google. Third, we used other search engines and informa-
included as it is one of the smallest forums and has existed
tion pages, namely Onion.city search via Tor network,
for around two years. Thus, it is not entirely new and it might
webstatsdomain.org and “The Hidden Wiki.” Finally,
provide interesting insights when its content is compared to
we searched forums that we already found for references to
that of larger forums. Finally, we chose Bpcsquad since it
other forums. In the latter case, we adopted the method of
is a medium-sized forum. It is remarkable to note that it
snowball sampling [24]. The only selection criterion at this
is the largest one of the very new forums. To sum up, our
point was that, due to the authors’ language abilities, the
selection criteria are forum size, founding date, and, to a
forums had to be at least partly in English or in German.
lesser degree, content. These criteria should ensure a good mix.
By this means, we found 25 forums, 15 of them via Altenen, Bpcsquad and Tuxedocrew are mainly or exclusively
Google. The 25 forums are listed in Table I. The forum names in English, Crimenetwork in German and Crdpro half in
mentioned in existing literature research were of little use English, half in Russian.
since all the mentioned forums had already been shut down.
We found five forums through other forums, and five from B. Temporal sampling
listings and other search pages. Although numerous forums
were listed, most of them did not exist anymore. Two of the In order to have a comparable time-coverage of all five
forums discovered during the first search in February 2015 forums, we monitored activity on them over a period of three
were shut down at the beginning of the analysis in June 2015. months, specifically from April to June 2015. This means that
Notwithstanding, the carding underworld seems to be dynamic. a snapshot was made by the end of June and data of the
We found one active forum containing posts dating back to previous three months was collected. This three-month period
2008. was determined by the largest forum, Altenen.
Besides forums, we discovered more than two dozen stores This limitation to three months meant that no full activity-
(e.g. Globalcards and Dexter, offering mainly credit card record could be recorded. Furthermore, it introduced the risk
numbers). We did not include these single-vendor marketplaces of catching three “special” months instead of a whole year’s
in our analysis since they differ significantly from forums. coverage. However, we argue that the current situation is of
They do not gather multiple sellers, they have no reputation interest and not the past, and that three months are still more
systems, and users normally do not communicate with each advantageous than shorter periods. Moreover, the collected
other. Hence, they do not meet our interest in interactions data showed that a substantial volume of posts can be captured
between forum members. in three months, especially from the larger forums. Admittedly,
a longer period would be beneficial for the smaller forums. checked their personal profile sites. These pages display com-
In summary, a consistent and thus comparable time period is plete lists of all threads and posts written by the correspond-
favoured over a larger number of posts from small forums. ing users. This method enabled us to see whether multiple
products were advertised. The definition of specialisation is
relatively strict. For instance, if users sold credit card numbers
C. Data collection and PayPal-credentials, we did not consider them as being
specialised. Only very narrowly related categories, for instance
We collected information on the numbers of members and
credit card numbers and fullz, were treated as identical product
posts, content, forum-accessibility, languages, and founding
categories in this respect.
dates. For the selected forums, threads where potential sellers
advertise their products were collected. A systematic review Hypothesis H6 requires us to determine whether the same
of the entirety of these forums was not possible. No activity users are present on several forums. We carried out searches
records, copies of databases or web crawler services were for users throughout the selected forums, and compared their
available. The analysis was effected from the user’s perspec- identity details. Where applicable, these are username, email
tive. For instance, we did not analyse private messages used address, ICQ-number and Yahoo-ID. These details were col-
to arrange and complete trades. Nevertheless, this method pro- lected from the postings and the users’ profile pages.
vides an enlightening snapshot of the current carding situation.
Finally, we gathered information on the reputation system
Where necessary and possible, we set up login credentials to
of each forum from various sources. Depending on the forum,
gain wider access to the forums.
these are the FAQs, specially installed forum threads, terms and
Threads published between April and June 2015 were conditions or customer information sites. Also own observation
collected for further analysis. Ads that were created before the and interpretation were employed to grasp how the reputation
three-month observation period were not collected. However, systems functioned.
it is likely that older threads were still successfully promoting In total, we collected 388 threads. They advertised 987
products and generating sales. Therefore, we captured older individual products in total, that is, on average, each thread
threads in cases where an activity in the form of answer promoted 2.5 individual products (e.g. CVV USA Classic).
postings or vouchings during the three months was registered. The figures for the individual forums are in Table II.
Such activity suggests that deals had taken place. Indeed, it was
crucial to consider such older threads since it was expected that Forum Threads Individual products
long-established insider rings existed on the forums, as pointed Altenen 206 431
Crdpro 57 270
out by Farooqi et al. [18]. Crimenetwork 96 136
Bpcsquad 25 130
The threads usually describe the advertised products and Tuxedocrew 4 20
their prices. Whenever an unspecified price range was in-
dicated in an ad, we chose the lowest price for analysis. TABLE II: Threads and individual products per forum
Calculating the mean value may distort the picture presuming
that, for example, if only one high-priced gold card is offered
in addition to many low-priced standard cards. In cases where D. Analytical strategy
various products were advertised in a single thread, each entry
was considered equally. Monitoring of the forums required a combined methodical
approach. We analysed the content we collected both qual-
To keep the focus on carding, we limited the spectrum itatively and quantitatively. Qualitative analysis was applied
of investigation to typical financial cybercrime related data: for content categorisation and analysis of reputation, while
credit card numbers (CVVs), dumps, fullz, PayPal-credentials quantitative analysis was applied for comparisons of products
and Western Union (WU) payment transfers. We excluded and prices and determination of traffic per seller.
other carding-related services such as ordinary online store To prepare the data for analysis, a categorisation of thread
credentials or monetisation-services. content was necessary. This procedure required a qualitative
In order to operationalise “traffic” on the forums, as nec- research approach and was thus done manually in Excel
essary for hypothesis H2 , Décary-Hétu and Leppänen [19] using content analysis method. We stuck to clear coding
counted advertisements as indicators. In our view, however, the rules in order to avoid subjective and inconsistent categori-
consideration of vouchings would be more promising to obtain sations. Some approximate categories were already provided
an accurate impression of a seller’s “performance.” Vouchings by existing research literature (e.g. “credit cards”). However,
are evident signs that successful transactions have been made. these categories were somewhat too coarse and further sub-
Yet, since probably not every buyer vouches for the seller, categories had to be created (e.g. “CVV” or “dumps”). Hence,
counting the number of vouchings tends to underestimate the The categorisation process is a combined product of deductive
traffic. Conversely, there might be rippers vouching for each practice (assigning content to given categories) and inductive
other without having made any transaction. Since Farooqi practice (building new categories based on content) [25]. Yet,
et al. [18] and Christin [15] also relied on vouchings and it is important to ensure that the categories do not become
member feedbacks, using them to calculate revenues, counting too small and thus render subsequent quantitative calculations
vouchings seems to be an appropriate method. impossible. For example, dumps are sometimes advertised
divided into track 1 or track 2 dumps. Since the aim of
To determine whether users are specialised in one product the categorisation is to obtain meaningful product categories,
category, as a prerequisite to be able to test H3 and H4 , we we avoided such fine distinctions. Therefore, credit card data
was coded according to product category, country and product It is not clear how many of the members on each forum
type (e.g. CVV, UK, gold). Visa and Mastercard details were were actually contributing. Two forums indicated in their
not explicitly differentiated since they are usually treated forum statistics that only a fraction of members were really
interchangeably by the traders. active. On Altenen, these were 38,300 of its 148,800 members
(25.7%); on Carder, these were 1,500 of 10,200 (14.7%). Nei-
Next, we imported the data into SPSS software for statis- ther forum disclosed what “active members” actually meant.
tical analyses. At first, we ran general frequency calculations.
In order to test Hypothesis 2, the number of traders in relation Total posts. The number of posts varied between 150
to the generated traffic was quantitatively computed in the and 15,778,599. Besides advertisements, the posts comprised
shape of a Lorenz curve. For H3 , the frequencies of the mainly answers to advertisements or contributions to discus-
specialised users were compared to the unspecialised ones. sions. Typical answers to offers for sale are “interested please
H1 and H4 required the application of inference statistics. contact me” or “made deal and worked.” In line with the
Since their price distributions resembled Poisson rather than increase in number of members, the number of posts also
a normal distribution, we performed Mann-Whitney-U tests increased between the two searches (e.g. Cardingmafia from
to test whether there were significant differences between 31,900 to 37,600 posts, 17.9% increment). On Altenen, the
the values. Regarding H5 , the reputation systems of the number of posts doubled (from 607,100 to 1,265,500 posts,
forums were evaluated qualitatively. To assess the degree 108.5% increment).
of sophistication in relation to legitimate marketplaces, we
compared them to eBay’s system. Strictly speaking, eBay is Accessibility. Nine forums were completely open. This means
not a forum and thus not fully comparable. However, we that everybody could access them for free or even without
found no suitable legitimate large-scale forum set up to enable registration. More than half of the forums had private VIP
trading. Furthermore, eBay comes close to the system of areas that required special registration to join. Access to these
advertising, trading, and buying exercised on forums. Finally, areas usually required a recommendation or an invitation by
in order to examine whether sellers operated on more than one other members. Three forums charged registration fees, $50 in
forum (H6 ), we reproduced and interpreted the proportions of the case of Lampeduza, and $100 in the cases of Infraud and
multiple representations across all forums. Omerta respectively.

We carried out all these calculations both for the entirety Languages. The forums were mostly in English and Russian,
of the threads and for each forum separately. Therefore, the with two in German. Some forums contained international
results (Section IV) are reported in aggregated form, and sections in various languages. However, the number of posts
where applicable, and if enough cases are available, for every in such sections were consistently small.
individual forum. Founding date. We estimated the founding dates of the forums
from the oldest posts found on them, mostly in the introduc-
IV. DATA A NALYSIS tion or announcement sections. These are not necessarily the
founding dates as older posts might have been deleted in the
In this section, we describe our analyses of the five selected meantime. In addition, forums might have been shut down
forums, and our findings. and reopened under another name (e.g. Crdpro was formerly
Carderpro). We estimated founding dates between 2008 and
2014. A large number of the forums were launched in 2013.
A. Overview
In terms of size, the median number of members was
We discovered 25 forums, out of which we selected five
28,850, while the median number of posts was 58,150. Ex-
forums for analyses. In this section, we describe general
cluding the special case of Agoraforum, the number of posts
attributes of the 25 discovered forums. The attributes are name,
per member varied between 0.1 (Privatemarket) and 18.6
members, total posts, accessibility, languages, and founding
(Crimenetwork). There are thus forums where only a fraction
date.
of the members post messages and there are some where
Name. The names and full website addresses of the discovered members post numerous messages on average. However, these
forums are listed in Table I. They have a wide array of results have to be treated with caution as posts or members
top-level domains, for example .com, .ws (Samoa), and .so might have been deleted during the existence of the forums.
(Somalia). The locations that the forums really operate from
are usually unclear, and apart from two German-speaking B. Detailed analysis
platforms, cannot be derived from the forum content.
In this section, we present the results of hypotheses testing
Members. As of June 2015, the smallest forum had 1,100 for the five selected forums.
members, while the largest had 148,800 members. A com-
parison between the first search in February 2015 and the Products and prices. Table III presents the numbers, pro-
second in June 2015 revealed some substantial increases in portions (in %) and prices (in US$) per product category.
members. Cardersforum, for example, grew from 44,200 to CVVs are further divided by product type. Credit card numbers
45,700 members (3.4% increment), and Cardingmafia grew cost on average $10, dumps and fullz more than $30. PayPal
from 98,700 to 121,500 members (23.1% increment). Altenen, credentials are advertised for $3. Western Union payments of
already a large forum in February, was more than twice as large $100 are sold for $15. As hypothesised (H1 ), prices for fullz
four months later (from 60,700 to 148,800 members, 145.1% are higher than those for credit card numbers (CVV: mean =
increment). 10.08, median = 10.00; fullz: mean = 31.82, median = 30.00).
The difference is statistically significant (Mann-Whitney-U = Tuxedocrew have too few vouchings to calculate a Lorenz
4011, z = -12.86, p < 0.01). curve. However, Tuxedocrew has posts dating back to 2013
that still receive vouchings but only in small numbers. Crdpro
Products Number Proportion (%) Price ($) does not diverge from these distributions.
CVVs 465 47.1 10.08
Classic 98 9.9 9.93 Considering the total amount of traffic, however, it is
Gold 14 1.4 16.86
Amex 66 6.7 12.34
striking that the figures are low, both in the English and in
others 16 1.6 13.00 the Russian speaking part. Although Crdpro has 17 times as
unspecified 271 27.5 9.06 many users as Bpcsquad, for example, it produced only twice
Dumps 234 23.7 34.52
Fullz 140 14.2 31.82
as many advertising threads during the time of observation.
PayPal 133 13.5 3.01 Detailed analysis revealed that a substantial number of these
WU ($100) 15 1.5 15.00 threads contain links to shops. Furthermore, there have been
Total 987 100.0
no new entries in the two VIP areas since 2013 and the forum
TABLE III: Products and prices (mean) in total. appeared to have been disconnected during some summer
months in 2013.
In terms of products, the top three sellers on Altenen sell
Examined per individual forum, prices of CVVs do not CVVs and WU payments, on Crdpro they sell dumps and on
vary substantially, those for the other products show consider- Crimenetwork again CVVs. As far as reputation is concerned,
able variation. Besides price differences, the product propor- the high-profile sellers have usually high reputation ratings. To
tions alsi vary per forum. On Altenen, for example, dumps conclude this section, the hypothesis (H2 ) that a small number
have a share of 8% of the products analysed. On Crdpro, their of traders are responsible for a large proportion of traffic is
proportion is 52%. Yet the absolute numbers are partly very accepted. However, we could not confirm the presence of an
low and the values may thus lack reliability. insider ring, as proposed by Farooqi et al. [18]. Overall, only
The prices per product category depend widely on the five out of the twenty most prolific users registered in the
effective composition of these categories, that is, on the relative founding year of the according forum. The others joined later.
frequencies per product type and country of origin. Since However, it is possible that some sellers have more than one
the absolute numbers are too low to display these values account and have thus several “joining-dates.” This possibility
for each forum, Table IV shows them summarised across all does not seem to be very likely, mainly due to the expected
forums. Only product types consisting of at least 10 cases effort needed for establishing reputation for each account.
are considered. There is indeed substantial variation between Seller specialisation. In total, the majority of the users on the
different product types and countries. Amex and Gold cards are forums are not specialised (see Table V), that is, most users
consistently more expensive than classic VISA or Mastercard sell more than one type of product and Hypothesis 3 has to
cards. US products are the cheapest, while European products be rejected.
tend to be more expensive.
Regarding Crdpro, Bpcsquad and Tuxedocrew, the hy-
Seller prolificacy. The products are not sold evenly throughout pothesis would be true. However, a closer look on Crdpro
all sellers on the forums. The Lorenz curve in Figure 1a shows reveals that its users generally sell a large variety of the same
that around 70% do not generate any obvious traffic as seller, product category, instead, for instance credit cards from many
whereas a single user generates 44% of all traffic. This user different countries. This pattern is exactly the opposite of
joined Altenen in summer 2014 and sells CVVs of various Crimenetwork’s. Users on Crimenetwork usually sell different
countries. product categories but not various types within the same
Disentangling the individual forums from the total results product category, for example only CVVs from Germany.
in similar pictures (Figures 1b, 2a and 2b). Altenen has the The results for H3 raise the question about differences be-
most unequal distribution. Crimenetwork’s distribution is not tween specialised and unspecialised sellers. Building upon H2
as extreme but still far from being equal. Bpcsquad and and taking into account the number of vouchings these users
receive, no major differences are discernible. Regarding Al-
Number Price ($)
tenen, for example, seven out of the twenty users with the
CVV Australia Classic 12 12.75
most vouchings are specialised. This equals approximately the
Canada Amex 10 14.20 calculated specialisation rate of 31%.
Classic 14 10.92
UK Amex 10 15.10 In terms of prices per product, there are some differ-
Classic 17 11.94 ences. CVVs, dumps, and PayPal-credentials advertised by
USA Amex 25 7.02
Classic 31 5.46
specialised users are cheaper than those of unspecialised users;
Dumps Canada Classic 14 31.43 fullz are more expensive (see Table VI). However, only the
Gold 12 45.25 price difference for dumps is statistically significant at the
EU Classic 20 41.75
Gold 20 58.50
95% confidence level (Mann-Whitney-U = 1643, z = -4.83,
USA Classic 29 19.17 p < 0.01). Hypothesis 4 thus has to be partially rejected.
Gold 27 30.93
That said, it is delicate to summarise product types be-
TABLE IV: Products and prices (mean) per product type with cause every type and country has its own price. A careful
at least 10 cases. comparison would only contain a single product type. Hence,
we made such a price comparison for US Classic CVVs, the
 (a) All forums. (b) Altenen forum.

Fig. 1: Lorenz curves indicating cumulative percentage of traders against cumulative percentage of traffic on all forums, and
Altenen forum.

(a) Crdpro forum. (b) Crimenetwork forum.

Fig. 2: Lorenz curves indicating cumulative percentage of traders against cumulative percentage of traffic on Crdpro and
Crimenetwork forums.

most prevalent product type. The result shows no significant delivery [27]. Furthermore, a seller protection service identifies
difference (Mann-Whitney-U = 54, z = -0.63, n.s.). high-risk buyers in order to avoid non-payments [28].
A striking aspect that Table VI reveals is the distribution Altenen: Altenen’s basic reputation system works in the
of advertised product categories among specialised and unspe- same way as eBay’s. A user’s “reputation power” consists of
cialised users. Unspecialised users hardly advertise any dumps the number of positive minus the number of negative feedback
(7.5% of all products). In contrast, dumps are almost half of points. The median score of the observed sellers was 1. In
the products (45.4%) that specialised users advertise. addition, users are allowed to rate threads. Sellers also have
the opportunity of paying $50 to the “Altenen buyer protection
Seller reputation. We hypothesised (H5 ) that carding forums reserve” that is used as backup payment service. In case of
have working reputation systems at least as sophisticated as non-delivery, buyers receive their money back out of this fund.
those of legal marketplaces. The reputation systems are as Altenen also offers an escrow service that protects buyers
follows: from non-delivery and sellers from non-payment. In using that
service, a buyer pays the money plus a transaction fee of $5-
eBay: Buyers on eBay can leave feedback for a seller after $30 to Altenen. Once the requested products are delivered, the
a purchase and transaction ends. These ratings determine the amount is released to the seller.
“feedback score.” Positive feedback gives one point, neutral
feedback does not change the score, and negative feedback Crdpro: In theory, Crdpro has a feedback system identical
subtracts one point [26]. As an additional protection measure, to Altenen’s. However, the system was disabled during our
eBay refunds the purchase price in the event of a non- observation. As a consequence, apart from some long-standing
 Specialised users Unspecialised users
Number Proportion (%) Number Proportion (%)
Altenen 64 31.1 142 68.9
Crdpro 41 73.2 15 26.8
Crimenetwork 24 25.0 72 75.0
Bpcsquad 15 60.0 10 40.0
Tuxedocrew 3 100.0 0 0.0
Total 147 38.1 239 61.9

TABLE V: Number and proportion of specialised and unspecialised users per forum and in total.

Specialised users Unspecialised users

Number Proportion (%) Price ($) Number Proportion (%) Price ($)
CVV 166 39.1 9.28 299 54.7 10.46
Dumps 193 45.4 32.56 41 7.5 42.61
Fullz 45 10.6 35.86 95 17.4 30.20
Paypal 21 4.9 1.99 112 20.5 3.17
Total 425 100.0 547 100.0

TABLE VI: Number, proportion, and price of product categories per specialised and unspecialised users.

members, all other members had neutral feedback scores. An V. D ISCUSSION

escrow service was not provided.
In this section, we summarise our findings on the carding
forums that we studied. The apparent lack of specialisation of
Crimenetwork: Crimenetwork’s reputation system was forum users is also described. Finally, we highlight limitations
based on “likes,” similar to Facebook. Members may “like” of the study.
other members. Like-scores between 0 and 857 were recorded
with a median of 36 likes. Crimenetwork’s escrow service is Summary of our findings. The prices sought for the products
comparable to Altenen’s. A fee of 4% of the purchase price is offered on the forums lie within the range given by the
charged for successful transactions. reviewed literature. Dumps and fullz are relatively expensive;
they are more than three times as expensive as credit card
Bpcsquad: As seen with Altenen and Crdpro, members numbers (CVVs). This may be due to the effort needed to gain
may rate other members on Bpcsquad by giving positive, or monetise the data, the amount of information available, the
neutral or negative feedback. The scores ranged from 0 to higher rewarding potential, and differing demand and supply.
80, with a median of 0. Furthermore, there is a thread rating Brison [29] argues, for example, that dumps generally promise
possibility. Bpcsquad also activated an escrow service but did a higher payoff than CVVs. In contrast, CVVs are well-
not provide information on transaction fees. represented on the forums and thus seem to be available in
abundance, which might push prices downwards. However,
Tuxedocrew: Tuxedocrew’s reputation system differed from contrary to Shulman’s assumption [11], the prices of CVVs
those seen so far. Users could only rate threads but could are still solid. Taking into account the large proportion of
not give any feedback for other users. Instead, the forum CVVs on the investigated forums, trading credit card numbers
administrator could award users with special titles. The criteria is presumably still a lucrative business. PayPal-credentials are
that had to be met to receive these titles were not published well-represented on some forums as well, but so far do not
on the forum. Tuxedocrew also offered an escrow service and seem to replace credit cards as the most attractive trading
charged a 15% fee. goods. Western Union money transfer services play only a
marginal role on most of the forums.
Overall, only Altenen’s system appeared to be similarly The products are advertised by sellers with varied success.
elaborated as eBay’s. However, it had an amateurish touch, Even though some users complete hundreds of transactions,
especially the $50 buyer protection reserve which is not able to most users do not sell anything at all. This means that the
cover substantial amounts. The other forums had fewer features trading sections of the forums are profitable distribution chan-
than eBay and even those were not always working. H5 is thus nels for high-profile actors. This domination by a few traders
rejected. implies that the forums are not typical forums characterised
by mutual exchanging and participating users. In the carding
Presence of sellers on multiple forums. Finally, we examined world, there is somewhat a clash of prolificacy and - arguably
whether users were present on several forums. This was done - professionalism observable.
for all kind of sellers including high- and low-profile traders. Referring back to the methodology part, counting of vouch-
In total, only six sellers were found trading on more than one ings instead of ads, the latter [19] was probably more suitable
forum, namely two on Altenen and Crdpro, two on Altenen to determine criminal performance. Some prolific sellers had
and Bpcsquad, and two on Bpcsquad and Crdpro. A detailed only one ad but received dozens of vouchings. Counting of
analysis of these sellers showed that they were not high- ads would have overlooked that.
profile but rather low-profile unsuccessful traders trying their
luck on several platforms. Hypothesis 6 is thus confirmed; Specialisation is not a key characteristic of sellers, even not
concentration on a single forum was expected. of high-profile traders. Specialisation was observed mostly on
Crdpro. This might be due to the high proportion of dumps sold the reputation system does not work, and there is in general
on this forum. Dumps constitute almost half of the products not much traffic. It might be a question of time until the entire
sold by specialised users on Crdpro. Dealing with dumps ap- forum will be closed.
pears to demand a higher degree of specialisation than dealing
with only electronically obtainable products. Unlike CVVs or On Tuxedocrew, the smallest forum, there are only four
credentials, the acquisition of dumps requires a connection to recorded threads receiving any vouches. However, the number
the physical world. Therefore, perpetrators cannot stay in the of vouchings are low and it is thus questionable how fruitful
underground cyberworld only. As a result, it might be costlier the business really is. What might be possible is that some
for unspecialised users to acquire dumps, thus forcing them recurring customers buy a lot and do not always vouch. A
to sell dumps at higher prices, which would confirm Smith’s reason for the small size of this forum might be the high
economic theory [23]. charges for the escrow service or, even more likely, the lack
of a user-based reputation system. Only the administrator is
Yet the majority of sellers are not specialised. It could be able to assess other users, based on intransparent criteria. This
argued that if they are apt or have valuable data sources, they might be too little to build trust among the users and to boost
know and distribute other types of illicit products and services. trade.
On the contrary, unsuccessful sellers try their luck with another
product if it does not work with the first. These users, though, Bpcsquad and Altenen do not particularly diverge from
might as well be rippers. Advertising a large array of products the general findings. Bpcsquad is relatively small and the low
might be done to give the impression of a prosperous seller, number of ratings may denote unsuccessful deals. It is thus
or they just try various products in the hope that somebody uncertain how strongly this forum will grow in the future.
would engage in a trade eventually. In contrast, the enormous increase in members on Altenen
is impressive. Apparently, it is attractive to be part of this
Overall, it is possible that the scope of analysis regarding large community. Forums with numerous users usually have
specialisation was too narrow. There may be a specialisation in diverse products, and a multitude of potential buyers, that
the underground world in larger terms where carding itself is is, high supply and demand. Both platforms have reasonable
already a specialisation. Another reason might be that carding and working basic reputation systems. Altenen provides an
is not as complicated as other cybercrimes like DDoS-attacks additional, arguably pseudo-protection measure.
or large-scale spam campaigns. Regarding DDoS-attacks, for
example, taking advantage of security vulnerabilities and ma- Limitations. We encountered a number of limitations during
nipulating compromised machines to send huge amounts of the study, and they are mentioned in this section. Firstly,
data may require more time and skills than stealing and the three-month period does not allow long-term conclusions.
trading credit card data. Therefore, it makes more sense to After all, due to the technique of considering the vouchings
be specialised in those domains. of this time period, older and often very profitable ads were
At least on the investigated forums, and given the available included in the analysis. Secondly, the examination was carried
details, users are not present on more than one forum. It might out from a user’s perspective. That is, no private messages
thus be true that the effort needed to reach a certain reputation could be studied. In addition, VIP sections on the forums had
level deters users from establishing themselves on multiple to be ignored. Thus, the findings of this study do not give
forums, as Motoyama et al. [7] proposed. This effort could a complete picture of the forums. Nevertheless, we gathered
also be the reason why most users do not have any ratings at substantial amounts of data that allowed some analyses and
all, as the analysis showed. Another reason for this, however, conclusions. The third limitation concerns the internal validity
might be the presence of rippers. Regarding users with high of the data. It cannot be excluded that other investigators,
reputation and many vouchings, it is highly unlikely to find for instance, law enforcement agents engage in trades on the
any rippers among them. Among users without any reputation forums for research and investigative purposes. This might
scores and vouchings, the proportion of rippers could be large. bias the data. However, we do not consider this possibility
It is interesting to note that an expert interviewed by Ablon et a substantial threat.
al. [6] estimates that around 30% of all sellers are rippers. Another threat to internal validity is the recorded product
In general, and if not stated otherwise, all our findings prices. The prices advertised are not necessarily the prices
apply to all five examined forums. However, there are some that buyers eventually paid. No post was found where the
differences. Sales on Crimenetwork are not distributed as possibility of price negotiations was mentioned. Nevertheless,
extremely unevenly as on other forums, neither are there it cannot be excluded that users pay other, probably lower
numerous specialised users present. Various people sell various prices than those advertised.
goods. Crimenetwork is thus more forum-like in terms of
mutual exchange and participation than the other forums. The Finally, given that the examined forums trade different
high number of posts per member confirms this perception. goods or attract certain types of users, the findings are an
In addition, the forum gives the impression of being well- artefact of the forums in question and do not represent the
maintained. It has a myriad of banned users and the admin- entire carding underworld. The results are only valid for the
istrators comment rigorously if users do not stick to the rules five forums we analysed. The selection of the forums is
(e.g. in case a post does not fit into a thread). thus a threat to external validity. This limitation concerns all
hypotheses but especially H6 where an explicit cross-forum
Crdpro is the obvious opposite. Its best times were probably comparison was executed. In principle, this limitation was
in the past. It appears to be in decline. It does not seem to be overcome by selecting five different forums based on various
monitored by the administrators, there is no escrow service, selection criteria.
Future work. Sellers were focus of this study. Future re- [11] A. Shulman, “The underground credentials market,” Computer Fraud
search should also consider their counterparts, the buyers. The & Security, vol. 2010, no. 3, pp. 5–8, 2010.
reviewed literature did not cover buyers and they were also [12] S. Corporation, “2015 internet security threat report, vol. 20,” technical
neglected in this paper. It might be useful to examine whether report, Symantec Corporation, Tech. Rep., 2015.
there are high-profile buyers and observe what they buy, and [13] A. K. Sood and R. J. Enbody, “Crimeware-as-a-servicea survey of
commoditized crimeware in the underground market,” International
whether they resell the products, and to whom, if they resell. Journal of Critical Infrastructure Protection, vol. 6, no. 1, pp. 28–38,
Regarding research design and methodology, a long-term or 2013.
a follow-up study might be able to identify trends or confirm [14] A. Hutchings and T. J. Holt, “A crime script analysis of the online
the patterns found in this study, respectively. Researchers could stolen data market,” British Journal of Criminology, p. azu106, 2014.
also consider engaging in trades and getting in touch with the [15] N. Christin, “Traveling the silk road: A measurement analysis of a
traders, subject to ethical considerations. This method would large anonymous online marketplace,” in Proceedings of the 22nd
allow researchers to collect more information on traders and international conference on World Wide Web. International World
Wide Web Conferences Steering Committee, 2013, pp. 213–224.
gain better understanding of their roles within the fraud chain.
[16] K. Soska and N. Christin, “Measuring the longitudinal evolution of the
These findings would help to shed more light on how to online anonymous marketplace ecosystem,” in 24th USENIX Security
counter financial cybercrime in the future. Symposium (USENIX Security 15), 2015, pp. 33–48.
[17] A. de Carbonnel, “Hackers for hire: Ex-Soviet tech geeks play outsized
VI. C ONCLUSION role in global cyber crime,” http://www.nbcnews.com/technology/
hackers-hire-ex-soviet-tech-geeks-play-outsized-role-global-6C10981346,
This paper presented an overview of 25 existing online 2013, [Online: Accessed 23-February-2016].
carding forums and an in-depth analysis of five of these [18] S. Farooqi, M. Ikram, G. Irfan, E. De Cristofaro, A. Friedman, G. Jour-
forums, covering a three-month period of monitoring. What jon, M. A. Kaafar, M. Z. Shafiq, and F. Zaffar, “Characterizing seller-
driven black-hat marketplaces,” arXiv preprint arXiv:1505.01637, 2015.
differentiates this study from others is, first, we investigated
[19] D. Décary-Hétu and A. Leppänen, “Criminals and signals: An assess-
real data instead of drawing conclusions based solely on ex- ment of criminal performance in the carding underworld,” Security
isting literature or expert opinion, second, we examined active Journal, 2013.
forums instead of closed forums, and third, we applied a low- [20] M. Felson and R. L. Boba, Crime and everyday life. Sage, 2010.
level focus on products, prices and sellers. Our findings suggest [21] E. Kraemer-Mbula, P. Tang, and H. Rush, “The cybercrime ecosystem:
that the market of carding forums is dynamic. However, it Online innovation in the shadows?” Technological Forecasting and
is not clear how promising the future of carding forums is, Social Change, vol. 80, no. 3, pp. 541–555, 2013.
especially with the emergence of single-vendor stores which [22] T. J. Holt, “Exploring the social organisation and structure of stolen
could imply that high-profile sellers would leave existing data markets,” Global Crime, vol. 14, no. 2-3, pp. 155–174, 2013.
carding forums to open their own single-vendor stores. [23] A. Smith, An Inquiry into the Nature and Causes of the Wealth of
Nations. Random House, 1937.
[24] P. Biernacki and D. Waldorf, “Snowball sampling: Problems and tech-
R EFERENCES niques of chain referral sampling,” Sociological methods & research,
[1] F. F. A. UK, “Fraud The Facts 2015,” http://www.financialfraudaction. vol. 10, no. 2, pp. 141–163, 1981.
org.uk/Fraud-the-Facts-2015.asp, 2015, [Online: Accessed 23- [25] S. Kluge, “Empirisch begründete typenbildung: Zur konstruktion von
February-2016]. typen und typologien in der qualitativen forschung,” Opladen: Leske+
[2] S. Gold, “Identity crisis?” Engineering Technology, vol. 8, no. 10, pp. Budrich, 1999.
32–35, November 2013. [26] “How Feedback works,” http://pages.ebay.co.uk/help/feedback/
[3] L. Allodi, M. Corradin, and F. Massacci, “Then and now: on the howitworks.html, [Online: Accessed 23-February-2016].
maturity of the cybercrime markets (the lesson that black-hat marketeers [27] “eBay Money Back Guarantee,” http://pages.ebay.co.uk/
learned),” 2015. ebay-money-back-guarantee/, [Online: Accessed 23-February-2016].
[4] S. Afroz, V. Garg, D. McCoy, and R. Greenstadt, “Honor among thieves: [28] “eBay Seller Protection,” http://portal.ebay.co.uk/seller-protection/,
A common’s analysis of cybercrime economies,” in eCrime Researchers [Online: Accessed 23-February-2016].
Summit (eCRS), 2013. IEEE, 2013, pp. 1–11. [29] B. Uri, “‘Fullz’, ‘Dumps’, and more: Here’s what hackers are
[5] M. Yip, N. Shadbolt, and C. Webber, “Why forums?: an empirical selling on the black market,” http://venturebeat.com/2015/02/08/
analysis into the facilitating factors of carding forums,” in Proceedings fullz-dumps-and-cvvs-heres-what-hackers-are-selling-on-the-black-market/,
of the 5th Annual ACM Web Science Conference. ACM, 2013, pp. 2015, [Online: Accessed 23-February-2016].
453–462.
[6] L. Ablon, M. C. Libicki, and A. A. Golay, Markets for Cybercrime
Tools and Stolen Data: Hackers’ Bazaar. Rand Corporation, 2014.
[7] M. Motoyama, D. McCoy, K. Levchenko, S. Savage, and G. M. Voelker,
“An analysis of underground forums,” in Proceedings of the 2011 ACM
SIGCOMM conference on Internet measurement conference. ACM,
2011, pp. 71–80.
[8] B. Stone-Gross, T. Holz, G. Stringhini, and G. Vigna, “The underground
economy of spam: A botmaster’s perspective of coordinating large-scale
spam campaigns,” in USENIX Workshop on Large-Scale Exploits and
Emerging Threats (LEET), 2011.
[9] J. Onaolapo, E. Mariconti, and G. Stringhini, “What happens after you
are pwnd: Understanding the use of leaked webmail credentials in the
wild,” in ACM SIGCOMM Internet Measurement Conference (IMC),
2016.
[10] T. J. Holt and E. Lampke, “Exploring stolen data markets online:
products and market forces,” Criminal Justice Studies, vol. 23, no. 1,
pp. 33–50, 2010.