·
Up for grabs: The cost of stolen payment card data
On average, stolen card data is as cheap as a movie ticket.
Between 2023 and 2025, prices increased by as much as 444%.
Criminals prioritize cards that won’t expire for years.
New data on payment card theft
Cybercrime often feels invisible, like something out of this world. You can’t touch it, you rarely see it, and even when you hear about it, it’s usually a headline about some unlucky stranger on the other side of the world. Yet the impact of cybercrime is very real. Every day, millions of stolen payment card details change hands in the hidden marketplaces of the dark web. Yours could be on sale right now, and you wouldn’t even know it.
Sold in bulk, they’re disturbingly cheap, and they rarely come alone. Payment card listings often include names, phone numbers, addresses, locations, and credentials. These sales don’t require a criminal mastermind behind them. For a few dollars, any wannabe criminal can purchase payment card data and use one of many ways to misuse that information.
A couple of years ago, NordVPN’s researchers mapped out how hackers steal these cards in the first place. This time, researchers from NordStellar dug deeper into how much these cards cost and why their prices have soared in recent years.
How much does payment card data cost?
Our research revealed that Japanese cards are the most expensive ($22.8), while cards from Kazakhstan, Guam, and Mozambique all hover around $16. The cheapest payment card data is from the Democratic Republic of Congo ($0.94), Barbados($1.30), and Georgia ($1.30). Criminals can get most of the European countries’ payment cards for about $8, but as low as $1.78 for Cypriot cards and as high as $11.92 for cards from Switzerland. A card from the US costs $11.51, while one from Canada goes for about $5.88.
Why do stolen payment card prices differ by 20x or more?
The payment card prices differ for a number of reasons:
Stolen-card prices depend on supply and demand.
Criminals pay more for cards from countries where the supply is low. Scammers also favor cards from their native country because it helps them slip past automated fraud checks.
Bundles are cheaper.
Cards sold in bulk cost less per card, a common practice for plentiful markets like the US, UK, and India.
Expiration date matters.
Cards with longer validity periods are worth more, because criminals can benefit from them longer and even resell them.
Additional information.
Payment cards that include additional personal information, such as the victim’s address, cost more than plain card data.
Why have stolen data prices soared?
Our analysis shows that in the past two years, the price of stolen data has increased significantly. While payment card data prices from some countries have declined slightly, they doubled in most cases — and in some instances, even tripled or quadrupled.
How do hackers set the price for payment cards? NordVPN’s cybersecurity advisor Adrianus Warmenhoven says that the simple answer is supply and demand:
Prices rise when usable cards are harder to come by, when listings include more personal data, or when scammers specifically search for local cards. Dark web markets behave like real ones: scarcity, demand, and added value drive up the cost.
Adrianus Warmenhoven
NordVPN’s cybersecurity advisor
Carding: How criminals cash in on stolen payment cards
Millions of payment cards are listed for sale on the dark web every day. While anyone on the dark web can purchase them, the buyers are often criminals operating in the same country where the cards were issued. This local approach helps them evade fraud detection because banks are more likely to flag transactions that come from foreign countries. Through a criminal activity called carding, scammers turn payment cards into money. Here’s how the scheme works:
The crucial step in this process is validation. Cybercriminals often use bots to fill in any missing payment card information and validate cards through micropayments at third-party vendors and even the ones they’ve set up themselves. Validated cards are then used to withdraw cash from ATMs or to buy gift cards.
Active cards can also be abused in other types of fraud, such as triangulation fraud, refund/return abuse, or wallet provisioning fraud.
How to stay safe from payment card fraud
If the company storing your payment data gets breached, you should contact your bank and request a new card. But while it’s unlikely you’ll know about the breach right away, you can take steps to secure your accounts and protect yourself.
Method
The research was conducted by NordStellar, a threat exposure management platform created by the company behind NordVPN. NordStellar researchers analyzed stolen payment card data being sold on dark web marketplaces. The dataset, collected in May 2025, included a total of 50,705 card records.
Please note: No individual payment card details or user credentials were accessed or purchased during this study. The researchers analyzed only the metadata provided in stolen data listings on dark web marketplaces.
Want to learn more about our digital life? Check out our other research!
Malware: The weapon of choice for payment card thieves
Millions of stolen payment cards are on sale on the dark web. How do they end up there? NordStellar’s researchers analyzed how cybercriminals used malware to steal data of 600,000 payment cards.
Payment card data: Analysis of 6 million stolen cards
Payment card theft puts millions of users at risk. The worst part? Most of the stolen payment info comes with a big bonus for cybercriminals — the users’ autofill information and account credentials.
Analyzing 4 million payment card details found on the dark web
Independent researchers uncovered millions of stolen payment card records on the underground black market. Here’s how criminals use brute force to hack payment card data — and how they use it for profit.
Press materials
Get assets and infographics.
For more information or interview requests, contact as at press@nordsec.com.