A huge database holding more than 1.3 million credit and debit card records of mostly Indian banks’ customers was uploaded to the most notorious underground card shops, Joker’s Stash. 

Group-IB, a Singapore-based cybersecurity company that specializes in preventing cyberattacks, has detected that a huge database holding more than 1.3 million credit and debit card records of mostly Indian banks’ customers was uploaded to Joker’s Stash on 28 October. The underground market value of the database is estimated at more than US$130 million.

The database has been on sale on one of the most notorious underground card shops, Joker’s Stash, since the upload date, and contains only credit and debit card dumps Track 2, while its name suggests that it holds both Track 1 and Track 2 records. Track 2 dumps can be used to produce cloned cards for further cashing out.

Group-IB’s Threat Intelligence team has analyzed all the card dumps from the database, more than 98% of which belong to Indian banks, and 1% to Colombian entities. More than 18% of the dumps in the database are linked to a single Indian bank. The full database has more than 1.3 million records in total. It is one of the biggest single databases ever uploaded at once on underground markets and probably one of the most expensive ones. Every single dump in the set is valued at US$100 which makes the total value of the database at least US$130 million.

According to Ilya Sachkov, CEO and founder of Group-IB: “It is true that big payment data leaks have happened before; however, the databases are usually uploaded in several smaller parts at different times. This is indeed the biggest card database encapsulated in a single file ever uploaded on underground markets at once. What is also interesting is that the database that went on sale had not been promoted prior either in the news, on card shops or even on dark net forums. The cards from this region are very rare on underground markets, in the past 12 months it is the only big sale of card dumps related to Indian banks.”

Information about the sale of this database has been shared with the proper authorities and the firm’s threat Intelligence customers, but at the time of publication the database sale was already offline.