
Cyber Incident Victim: BriansClub

Date: Oct 2019

Location: United States of America

Summary

A prominent underground marketplace specializing in stolen credit card data was compromised, resulting in the theft of over 26 million payment card records accumulated over several years. The leaked database, containing card details from both online and physical retailers, was shared with financial institutions to facilitate fraud mitigation efforts. Analysis indicated the platform generated substantial illicit revenue through sales of stolen data, with potential losses estimated in the billions based on historical transaction volumes. The operators falsely claimed to have removed the breached records from their inventory, contradicting independent verification. The entity had also misappropriated a security researcher's identity and branding to legitimize its operations, leveraging linguistic associations with cybercriminal terminology to appeal to its target audience.


Description

On October 15, 2019, KrebsOnSecurity reported that BriansClub, a prominent underground marketplace for stolen credit card data, suffered a significant breach resulting in the theft of its entire database. An anonymous source provided a plaintext file containing over 26 million credit and debit card records accumulated between 2015 and August 2019. The data included 1.7 million cards added in 2015, 2.89 million in 2016, 4.9 million in 2017, 9.2 million in 2018, and 7.6 million in the first eight months of 2019. Security firm Flashpoint analyzed the database, determining it contained approximately $414 million worth of stolen cards based on BriansClub’s pricing tiers. The shop had sold roughly 9.1 million cards since 2015, generating $126 million in Bitcoin revenue. Financial institutions received the stolen data to identify and reissue compromised cards.


The breach exposed BriansClub’s operational patterns, including frequent batch uploads of stolen cards from affiliates. The site primarily sold "dumps"—magnetic stripe data for creating counterfeit cards. Analysis indicated over 14 million unsold cards had future expiration dates, suggesting ongoing validity. BriansClub’s administrator, contacted via the site’s support portal, claimed affected data had been removed from sale, but Flashpoint’s comparison of the leaked data to active listings contradicted this assertion. The administrator did not address queries about the site’s unauthorized use of Brian Krebs’ name and likeness, which leveraged the Russian hacker slang "crab" (krab) for "carder." The incident highlighted the scale of the carding ecosystem, with unsold inventory vastly exceeding buyer demand. KrebsOnSecurity’s disclosure provided law enforcement and financial institutions with actionable intelligence to mitigate fraud risks stemming from the compromised records.
