B1ack’s Stash, one of the most active dark-web marketplaces for stolen payment card data, released 4.6 million stolen credit card records for free on May 19, 2026 — not as a result of a compromise, but as a deliberate response to sellers who were reselling its inventory on competing platforms, violating the marketplace’s rules.
B1ack’s Stash Free Release as a Punitive Market Strategy
The marketplace’s decision to release the data rather than delete it was a calculated punishment and promotional move. By flooding the market with cards that resellers had been profitably selling elsewhere, B1ack’s Stash destroyed the value of inventory those sellers had monetized and drew attention to its own platform among the broader carding community. Dark web marketplaces have previously used similar large-scale free releases as promotional tools — BidenCash employed the same tactic in 2022 and 2023 to build recognition among carding forum users.
Operating since at least 2023, B1ack’s Stash has established itself as one of the more active carding markets currently running. The volume of the release — 4.6 million cards in a single drop — reflects the scale of its inventory and its willingness to absorb financial losses in order to enforce marketplace rules against resellers.
B1ack’s Stash Record Format: Full Card Number, CVV2, Billing Address, and Contact Data
Each of the 4.6 million released records includes the full card number, expiration date, CVV2 code, cardholder name, billing address, email address, phone number, and IP address. That combination of data — payment card details alongside linked personal contact information — exceeds the fields required for basic card-not-present fraud and enables a broader set of downstream criminal applications.
The 4.3 Million Actionable Cards and U.S.-Heavy Geographic Breakdown
Analysis of the released data found that approximately 4.3 million records appear fresh and usable for fraud; the remainder are duplicates or expired cards. Approximately 70% of the usable cards belong to U.S. cardholders, with Canada, the United Kingdom, France, and Malaysia making up the next tier by volume. U.S. financial institutions bear the most concentrated exposure from the release.
Fraud Vectors Enabled by a Full-Detail Card Dump
Large-scale free carding data releases historically generate immediate surges in fraud attempts as opportunistic actors exploit inventory that carries no acquisition cost. The full-detail nature of the B1ack’s Stash records — card numbers, expiration dates, and CVV2 codes alongside cardholder names, billing addresses, emails, and phone numbers — opens multiple parallel fraud pathways.
B1ack’s Stash Dump Enables Phishing, Unauthorized Credit Applications, and Account Fraud
Card-not-present fraud is the most direct application of the released data, but the included contact information expands the scope of what attackers can do with each record. Email addresses and phone numbers linked to active credit accounts enable highly targeted phishing and smishing campaigns — messages that reference a recipient’s actual billing address and card details are substantially harder for the recipient to identify as fraudulent. The data also supports unauthorized credit applications and fraudulent account creation at financial services that rely on billing address verification as an identity check. Financial institutions and payment processors whose customers appear in the released dataset face elevated fraud volume in the near term as the free inventory circulates across criminal forums.