How card fraud is powered by underground card checkers

Of all types of fraud on the internet, “carding” remains one of the most popular as a kind of entry-level gateway to cybercrime. The term refers to the theft and use of payment card details and the sale of those details to other threat actors for fraud. The details are stolen in a variety of ways, including phishing attacks, malware and skimming, and the compromise of e-commerce websites, point-of-sale (PoS) devices and payment processors. Fraudsters capitalize on a fundamental weakness in payment cards: if you have the person’s name, card number, expiration date and security code on the back of the card, it may be possible to use the details for a fraudulent purchase.

However, converting stolen card details into cash or goods has become more and more difficult. The financial industry uses a variety of security technologies and analytics to detect when a purchase is likely being made by someone who is not the authorized cardholder. These measures range from using geolocation data to two-step verification to bot detection. Entities that handle card data are also required to conform to the Payment Card Industry Data Security Standard (PCI DSS), which sets rules around the safe management of card data to minimize security risks. But for every defensive control, there are often workarounds, and the cybercriminal community is nothing but innovative in the face of new obstacles. As such, card fraud remains prevalent, and there’s hardly a person who has not experienced some type of payment card fraud at some point.

Once stolen, the card details may end up on underground markets, which serve as key platforms for the sale and distribution of stolen payment card information, personally identifiable information (PII), account credentials and other sensitive information. Markets that heavily focus on payment cards are often referred to as “dump shops,” and new tranches of stolen cards that are made available for purchase are referred to as “dumps.” Some dump shops are operated by a single individual or a small team, but the majority function as multi-vendor marketplaces. The more common and scalable approach is the multi-vendor model, where the dump shop acts as a central hub, attracting a broad network of vendors who supply a continuous and diverse stream of stolen data. These separate vendors pay a commission to the marketplace administrators to host and sell their goods.

The image depicts the position of dump shops in the credit card fraud ecosystem Aug. 27, 2025.

Sellers and buyers of card data, however, need to ensure that stolen card data is valid and that the card has not been cancelled. This is a critical quality control step where underground payment card “checkers” come into play. These are tools used to verify if stolen payment card information is active and usable for fraudulent activity. Card checker operators often use compromised online merchants as well as legitimate online services to conduct microtransactions to perform their malicious operations. These checkers employ a variety of methods to test the validity of card numbers, often by making small unauthorized transactions or checking card details against databases. By quickly and efficiently identifying valid cards from large dumps of stolen data, cybercriminals can focus their efforts on exploiting active accounts. This validation process allows them to make unauthorized online purchases, create counterfeit cards for in-person transactions or sell the verified card details to other criminals for further exploitation. The existence of these tools significantly lowers the barrier to entry for payment card fraud and contributes to substantial financial losses for consumers, businesses and financial institutions globally.

This graphic depicts the payment card fraud cycle for marketplaces and actors.

Law enforcement has undertaken efforts to disrupt payment card checkers. The Try2Check service was one of the premier payment card-checking services prior to its takedown by U.S. authorities in May 2023. Try2Check was allegedly founded in 2005 by Denis Gennadievich Kulkov, 35, of Samara, Russia, who was indicted in federal court in New York on four counts of access device fraud, computer intrusion and money laundering. Prosecutors alleged Kulkov, who went by the monikers Kreenjo, Nordex, Nordexin and Try2Check, made at least US $18 million in bitcoin from Try2Check, which became the “gold standard” service for verifying valid payment card numbers. Over nine months in 2018, prosecutors contend Try2Check executed 16 million checks. In a 13-month period starting in September 2021, Try2Check performed at least 17 million checks. Kulkov allegedly used some of the revenue to buy a Ferrari and other luxury items. Kulkov is believed to be in Russia, and the U.S. State Department and Secret Service have notices on their websites offering up to US $10 million for information leading to his arrest.

Denis Gennadievich Kulkov, 35, was indicted for allegedly administering Try2Check, a now-defunct payment card checker service. (Source: U.S. Secret Service)

Card-checking methods

There are a variety of “checks” payment card-checker services and tools can perform. Not all of them are offered by every service, so the number of different checks a service offers can be a differentiator. Some of the most common checks offered include:

• 3D Secure (3DS): 3DS is a security protocol used for online credit card transactions. 3DS adds an extra layer of authentication, typically by requiring customers to enter a password or code from their card issuer, verifying their identity before authorizing the transaction. Sometimes actors refer to this as Verified by Visa (VBV), which is Visa’s branded program that implements 3DS. While card-checking services do not offer an avenue to bypass 3DS, some checkers provide the ability for cybercriminals to determine if a compromised card has 3DS enabled, which allows potential buyers to filter 3DS-protected cards out if they do not wish to purchase them.
• Balance: A balance checker is a method or tool used to determine the current balance of a financial account such as a bank account, payment card or gift card. They often are used to check if a requested amount is available on a card. If the pre-authorization amount is approved, the pre-authorization request will be cancelled automatically and the funds are returned to the card.
• Bank identification number (BIN): BIN checkers allow users to validate the BIN details of payment cards in card-not-present (CNP) data format. This allows users to determine the type, issuer and category of a specific card.
• Dump: A dump checker allows users to validate payment card credentials in CNP data or dump format. These are used to check the track data’s validity with the issuing bank.
• Authorization aka auth: An authorization check authorizes a tiny amount on the card — typically a few cents up to a dollar. If the authorization goes through, the card is confirmed live. This method provides real-time, accurate information but can trigger fraud alarms and lock the card.
• Simple: A simple check uses compromised merchant connections to scan real-time blacklists. This method essentially asks “is this card flagged?” rather than attempting a microtransaction, so the check does not risk potentially locking the card. However, simple checks may verify a card as “live” even when it is inactive or has insufficient funds, so this method can be less reliable than an authorization check.

A screenshot of a checker service that provides an application programming interface (API) and web interface and allows users to validate payment card credentials in CNP data or dump format.

Assessment

Payment card validity checkers continue to act as enablers for payment card fraud, which remains a significant global challenge for financial institutions. The relationship between card-checking services and payment card marketplaces is symbiotic. Checkers offer supplemental functionality to ensure cards are active at the time of purchase, thus increasing buyers’ efficiency and potential success rate and allowing marketplace operators or vendors to increase their prices for high-validity cards. The combination of payment card dump shops and integrated card-checking services significantly lowers the barrier to entry into financial crime, providing unsophisticated threat actors an avenue to conduct fraudulent activity quickly and successfully. With the prevalence of online transactions in our daily lives, the ability for cybercriminals to cherry-pick compromised cards while avoiding those with 3DS protection allows them to be particularly effective in illicit CNP transactions. Underground marketplaces likely will continue to leverage card-checking services as long as they remain efficient and cost-effective.

Criminal cyber infrastructure and marketplaces in particular present a compelling target for law enforcement agencies as a takedown is likely to impact a large number of criminal operations. Many law enforcement operations have taken the form of domain seizures and others have seen the administrators arrested. We have observed several popular marketplaces succumb to the effects of a well-implemented disruption over the years. Checker services are a critical component of being considered a reliable and trustworthy vendor, so we would expect new entrants to replace displaced ones.

Further, Intel 471’s Marketplaces dashboard can assist in determining what is relevant to your organization. The dashboard can be used for centralized threat monitoring and situational awareness, allowing security teams to gain a panoramic view of underground marketplaces. The dashboard can provide insights into the cybercrime ecosystem’s most influential vendors, prominent marketplaces and popular illicit goods. This can assist organizations in understanding the broader threat landscape and determine if their industry or company is at a heightened risk for targeting by cybercriminals.

This is an excerpt from a full Intelligence Bulletin about card checkers, including the names and specific details of new and popular card checkers, as well as rates charged and threat actors involved. For more information and this complete report, contact Intel 471.