ZenoX, a cybersecurity startup of the Dfense Group that specializes in applying artificial intelligence to digital threats, conducted a detailed investigation into the leak of 3.4 million credit card records dubbed ‘JOKER’. The incident, classified as the largest financial data breach so far in 2025, was attributed to the cybercriminal group B1ACK’S STASH, known for trading financial data on the dark web. The analysis found that the actors behind it are upping their game by combining advanced phishing, e-commerce compromises and artificially generated data to maximize both the apparent impact of the leak and their financial return.
Strategy and methods of the leak
The identified campaigns do not appear to have targeted specific banks but rather focused on the mass collection of credit card data through various methods, such as:
- Fake payment gateways;
- Fraudulent websites;
- Email phishing;
- Man-in-the-Middle (card-skimming) scripts injected into legitimate online stores.
“The pattern of operation shows that B1ack seeks to maximize its profits by reselling or utilizing the stolen data. To do this, it exploits markets on the dark web, carding forums, and direct transactions, strengthening its influence through an effective marketing strategy in the cybercriminal underworld,” says Ana Cerqueira, CRO of ZenoX.
Impact and identified risks
Although the total initially disclosed was 3.4 million cards, ZenoX’s investigation suggests that only between 1.4 and 2 million of the records are authentic. Of this total, 93.96% were still active at the time of the investigation, posing a significant risk to consumers and financial institutions, particularly in Southeast Asia.
A significant portion of the 3.4 million card records disclosed by B1ack also appears to have been artificially generated rather than obtained exclusively through real breaches: the investigation identified anomalies in CVV codes, expiration dates and demographic data that point to large-scale synthetic generation of part of the dataset.
“We estimate that between 40% and 60% of the records may have been artificially created. This artifice aims to amplify the impact of the leak, enhancing the criminal group’s reputation in the underground market,” highlights Cerqueira.
The implications of this breach go beyond its immediate economic impact: it reflects structural changes in how compromised data is collected, manipulated and commercially exploited, including the padding of genuine dumps with fabricated records to inflate their apparent size. Swift mitigation actions are therefore required.
Brazil’s exposure in the leak
Brazil ranks 40th among the most affected countries, with 3,367 compromised cards, or 0.10% of the total. Despite this moderate exposure, Brazil has the highest number of records in Latin America, ahead of Mexico (2,791), Argentina (712), Chile (459) and Colombia (139).
The analysis of IP addresses linked to Brazilian cards shows a diverse pattern, indicating multiple phishing campaigns and possible e-commerce breaches rather than a single centralized attack. São Paulo leads in the volume of leaked data, reflecting its role as the country’s financial hub.
Brazil’s relatively lower exposure, in contrast to the high concentration in Southeast Asia, may be explained by factors such as differences in the security technologies of local financial institutions, lower attacker focus on the region, or geographical distance from B1ack’s main operations. “Although not one of the most impacted countries, the presence of over 3,000 compromised cards in Brazil highlights specific vulnerabilities that require attention from financial institutions and regulatory bodies,” concludes Cerqueira.
The full study conducted by ZenoX can be accessed here.