ZenoX, a cybersecurity startup from Grupo Dfense that specializes in applying artificial intelligence against digital threats, conducted a detailed investigation into the leak of 3.4 million credit cards, named “JOKER”. The incident, classified as the largest financial data leak so far in 2025, was attributed to the cybercriminal group B1ACK’S STASH, known for trading financial data on the dark web. The analysis revealed that malicious actors are stepping up their game by combining advanced phishing, e-commerce compromise, and artificial data generation to maximize impact and financial return.
Leak strategy and methods
The identified campaigns do not seem to have been targeted at specific banks, but rather aimed at massive credit card data collection through various methods such as:
- Fake payment gateways;
- Fraudulent websites;
- Email phishing;
- Man-in-the-Middle scripts on legitimate online stores.
“The pattern of actions shows that B1ack seeks to maximize profits by reselling or using stolen data. To do this, they exploit markets on the dark web, carding forums, and direct transactions, strengthening their influence through an effective marketing strategy in the cybercriminal underworld,” says Ana Cerqueira, CRO of ZenoX.
Identified Impact and Risks
Although the initially disclosed total was 3.4 million cards, ZenoX’s investigation suggests that between 1.4 and 2 million records are authentic. Of this total, 93.96% remained active at the time of the investigation, posing a significant risk to consumers and financial institutions, especially in the Southeast Asian region.
It is also noted that a significant portion of the 3.4 million card records disclosed by B1ack may have been artificially generated, not solely obtained through legitimate compromises. Anomalies in CVV codes, expiration dates, and demographic data have been identified, indicating significant artificial generation of part of the data.
“We estimate that between 40% and 60% of the records may have been artificially created. This artifice aims to expand the impact of the leak, boosting the criminal group’s reputation in the underground market,” highlights Cerqueira.
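As an added illustration (not part of ZenoX’s study or its tooling), the kind of plausibility checks an analyst runs over a dump to bound how much of it is fabricated: the records below are constructed from publicly known test card numbers, and the ten-year maximum validity window is an assumption.

```python
import re
from datetime import date

# Constructed sample dump records using industry test PANs, not real card data.
SAMPLE_RECORDS = [
    {"pan": "4111111111111111", "exp": "09/27", "cvv": "123"},   # plausible
    {"pan": "4111111111111112", "exp": "09/27", "cvv": "123"},   # fails Luhn checksum
    {"pan": "5555555555554444", "exp": "01/19", "cvv": "321"},   # already expired
    {"pan": "378282246310005",  "exp": "11/26", "cvv": "1234"},  # Amex: 4-digit CVV is correct
    {"pan": "5105105105105100", "exp": "13/40", "cvv": "12"},    # bad month, short CVV
]
REFERENCE_DATE = date(2025, 6, 1)  # assumed analysis date

def luhn_valid(pan: str) -> bool:
    """Mod-10 checksum every issued PAN satisfies; random digit strings usually fail it."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def anomalies(rec: dict, today: date = REFERENCE_DATE) -> list:
    """Return the names of the plausibility checks this record fails."""
    found = []
    pan, exp, cvv = rec["pan"], rec["exp"], rec["cvv"]
    if not luhn_valid(pan):
        found.append("luhn")
    m = re.fullmatch(r"(\d{2})/(\d{2})", exp)
    if not m or not 1 <= int(m.group(1)) <= 12:
        found.append("exp_format")
    else:
        month, year = int(m.group(1)), 2000 + int(m.group(2))
        months_ahead = (year - today.year) * 12 + (month - today.month)
        if months_ahead < 0:
            found.append("expired")
        elif months_ahead > 10 * 12:  # assumption: no issuer grants >10 years validity
            found.append("exp_too_far")
    expected_cvv_len = 4 if pan[:2] in ("34", "37") else 3
    if not (cvv.isdigit() and len(cvv) == expected_cvv_len):
        found.append("cvv")
    return found

def flagged_fraction(records: list = SAMPLE_RECORDS, today: date = REFERENCE_DATE) -> float:
    """Share of records failing at least one check: a lower bound on fabricated entries."""
    flagged = sum(1 for r in records if anomalies(r, today))
    return flagged / len(records)
```

A record that passes every check is not proven genuine; the checks only give a floor on the fabricated share, which is why demographic consistency is examined as well.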
The implications of this leak go beyond immediate economic impact and demonstrate structural changes in how compromised data is collected, manipulated, and commercially exploited. Therefore, swift mitigation actions are required.
Brazil’s Exposure in the Leak
Brazil ranks 40th among the most affected countries, with 3,367 compromised cards, representing 0.10% of the total. Despite a moderate exposure, the presence of Brazilian records is the highest in Latin America, surpassing Argentina (712), Chile (459), Colombia (139), and Mexico (2,791).
The analysis of IP addresses linked to national cards reveals a diversified pattern, indicating multiple phishing campaigns and possible compromises of e-commerce, rather than a centralized attack. São Paulo leads in leaked data volume, reflecting its relevance as a financial center.
The relatively lower exposure of Brazil, in contrast to the high concentration in Southeast Asia, can be attributed to factors such as differences in the security technologies of local financial institutions, less attacker focus on the region, or the geographical distance from B1ack’s main operations. “Although not one of the most impacted countries, the presence of over 3,000 compromised cards in Brazil highlights specific vulnerabilities that require attention from financial institutions and regulatory bodies,” concludes Cerqueira.
The complete study conducted by ZenoX can be accessed here.