Your IP: Unknown · Your Status: ProtectedUnprotectedUnknown

Skip to main content

Analyzing 4 million payment card details found on the dark web

male credit cards leak phishing

We all know that it’d be a disaster if a thief got their hands on your payment card information. But your details are safe as long as you know your card or your card data haven’t been stolen, right?


Not only is there a way for hackers to discover payment card numbers without breaking into a database, there’s also a booming underground black market for them. These numbers are being sold by the millions. We even know the average cost – about $10 USD per card.

NordVPN analyzed statistical data gathered by independent researchers specializing in cybersecurity incident research from markets where payment card numbers are being sold. Here’s what we learned.

Mapping payment card detail hacks

The independent researchers discovered mountains of data on the dark web that helped us map out the statistical scope of payment card detail hacking online. Records revealed the types of cards that were the most in demand in different countries and their average price. This enabled us to assign risk indices to each country covered by the data. How does your country rank?

Here are some of the researchers’ key findings:

  • An average hacked payment card’s data costs less than $10, and hackers have millions of these ready to sell.
  • Visa card data was the most commonly available, followed by that of Mastercard and American Express.
  • Debit card info was more common than credit card info in the markets the independent researchers surveyed. Hacked debit cards put their victims at greater risk because debit cards tend to have fewer protective mechanisms in place.
  • The independent researchers found 1,561,739 sets of card details for sale on the dark web from the US during their research. This was far more than from anywhere else. But people in the US are not necessarily more at risk. Türkiye, for example, had less than half the card details available for sale per capita than the US, but the high proportion of non-refundable cards gives Türkiye a higher risk index score.
  • The risk index is based on one card per person, so the more cards you have, the more likely it is that one of them could have been hacked! This problem is particularly prevalent in the US, where more cards per person are in circulation, but Europeans also need to be aware of this phenomenon.

Hacked payment card numbers per US state

credit card leaks map md

Theft without theft? Brute-forcing explained

Database breaches aren’t the only way to get hacked payment card details anymore. Increasingly, the card numbers sold on the dark web are brute forced. But how does a brute force attack work?

Brute forcing is a little bit like guessing. Think of a computer trying to guess your password. First it tries 000000, then 000001, then 000002, continuing until it gets it right. Being a computer, it can make thousands of guesses a second. Most systems limit the number of guesses you can make in a short space of time to prevent these kinds of attacks, hackers have ways to get around this limit. After all, in such cases, bad actors don’t target specific individuals or specific cards. It’s all about guessing active card details that can then be sold through dark web marketplaces.

Here’s how it works:

Clever hackers can significantly cut down how many numbers they need to guess and check to find your payment card number. In fact, researchers at Newcastle University estimate that an attack like this could take as few as six seconds.

Tips on how to stay secure

Users can do little to protect themselves from this threat short of abstaining from card use entirely. The most important thing is to stay vigilant. Review your monthly statement for suspicious activity and respond quickly and seriously to notices from your bank that your card may have been used in an unauthorized manner.

Here’s what banks and other service providers can do to protect users:

  • Stronger password systems: Payment and other systems need to use passwords, and those passwords need to be strong. Every extra step is one that will make it harder for attackers to break in. To prevent inconveniences for users, banks could provide password managers — but good consumer options are also available.
  • MFA: Multi-factor authentication is becoming the minimum standard for security, so if your bank doesn’t offer it already, demand it or consider switching banks. Passwords are only one step, but verifying your identity using a device, texted code, fingerprint, or other security measure provides a huge step up in protection.
  • System security and fraud detection: Banks can use proven smart tools to detect and prevent attacks. Fraud detection systems can detect situations where thieves have succeeded. Banks can use tools like AI to track payment attempts, weeding out fraudulent attacks. Forcing payment systems and online merchants to bear the cost of fraud gives them a big incentive to improve their systems.
  • Dark web monitoring tools: Dark web monitoring involves regularly scanning underground marketplaces and hacker hangouts for signs of the user’s data. While many such tools (including NordVPN’s own Dark Web Monitor) are primarily geared toward rooting out leaked credentials, some financial institutions can monitor the dark web for stolen credit card information. By bringing the theft to your attention, dark web monitoring tools let you react quickly and alert the appropriate authorities before it’s too late.


Data collection: The data was compiled in partnership with independent researchers specializing in cybersecurity incident research. They evaluated a database that contained the details of 4,478,908 cards in total, including details of the type of card (credit or debit), issuing bank, and whether transactions were refundable. The data NordVPN received from the third-party researchers did not contain any information that relates to an identified or identifiable individual (such as names, contact information, or other personal information). We do not operate with the full numbers of payment card details sold on the dark web, because NordVPN has only analyzed a set of statistical data provided by independent researchers.

Analysis: The raw numbers only provide part of the picture. Population size and card usage vary between countries, and these are just two factors that can change the impact of the numbers.

We compared the statistical card data between countries with UN population stats and the number of cards in circulation by country or region from Visa, Mastercard, and American Express. This process allowed us to calculate a risk index to more directly compare how likely your card is to be available on the dark web by country.

We calculated the risk index using the following elements:

  • Number of cards in the database per capita for that country.
  • Number of cards in circulation for that country (based on country or regional data from Visa, Mastercard, and American Express)..
  • The proportion of non-refundable cards in the database for that country, with reduced influence on the overall index.

We then logarithmically normalized these numbers to produce scaled ratings between 0 and 1.

Similar reports

sharing device

Device sharing and privacy

We analyzed how people share their personal devices and what measures they take to protect themselves and their family members online.

Find out more
computer privacy

National Privacy Test

Thousands of users tested their cybersecurity savvy. Find country rankings and average scores for different demographics.

Find out more
parenting control app

Parental monitoring apps

We analyzed the top four parental monitoring apps, their popularity trends, how they work, and what problems the increased usage of these apps might create.

Find out more

Let’s talk

Have some ideas? Want to learn more?