ZenoX, the cybersecurity startup of Defense Group specializing in artificial intelligence against digital threats, conducted a detailed investigation into the leak of 3.4 million credit cards known as "JOKER". The incident, classified as the largest financial data leak so far in 2025, was attributed to the cybercriminal group B1ACK'S STASH, known for selling financial data on the dark web. The analysis revealed that malicious actors are stepping up their game by combining advanced phishing, e-commerce compromise and artificial data generation to maximize impact and financial return.
Leakage strategy and methods
The identified campaigns do not appear to have targeted specific banks; instead they focused on mass collection of credit card data through several methods, such as:
- Fake payment gateways
- Fraudulent websites
- Email phishing
- Man-in-the-Middle scripts in legitimate online stores
"The pattern of action shows that B1ack seeks to maximize its profits by reselling or using the stolen data. To do so, it explores dark web markets, carding forums and direct transactions, strengthening its influence through an effective marketing strategy in the cybercriminal underworld," says Ana Cerqueira, CRO of ZenoX.
Impact and identified risks
Although the initially disclosed total was 3.4 million cards, ZenoX's investigation suggests that only between 1.4 and 2 million records are authentic. Of these, 93.96% were still active at the time of the investigation, representing a significant risk to consumers and financial institutions, especially in Southeast Asia.
The investigation also points out that a significant portion of the 3.4 million card records released by B1ack may have been generated artificially rather than obtained exclusively through actual compromises. Anomalies were identified in CVV codes, expiration dates and demographic data, indicating that a substantial part of the data was fabricated.
"We estimate that between 40% and 60% of the records may have been created artificially. This tactic seeks to amplify the impact of the leak, increasing the reputation of the criminal group in the underground market," highlights Cerqueira.
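The kind of plausibility screening described above can be reproduced on a dump with a few cheap checks: the Luhn check digit on the card number, CVV length consistent with the network implied by the leading digits (4 digits for Amex, 3 otherwise), and an expiry date that is neither already past nor implausibly far in the future. The following Python is an added example written for this article, not ZenoX's code or methodology; the sample records are constructed (public test card numbers), the 10-year validity ceiling and the 2025-06 "as of" date are assumptions, and the flags are heuristics, so a clean record is not proof of authenticity and a flagged one is not proof of fabrication.

```python
"""Plausibility screening for leaked card records (added example, not ZenoX's code).

Each record is checked for: a valid Luhn check digit, a CVV length matching the
network inferred from the BIN, and an expiry that is neither past nor absurdly
far out. Records with any flag are counted as likely synthetic/unusable.
"""
import re
from datetime import date

EXPIRY_RE = re.compile(r"^(0[1-9]|1[0-2])/(\d{2})$")   # MM/YY as commonly seen in dumps
MAX_VALIDITY_YEARS = 10  # assumption: no issuer prints an expiry further out than this


def luhn_valid(pan: str) -> bool:
    """ISO/IEC 7812 Luhn check: doubles every second digit from the right."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit, counting from the check digit
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def network_from_bin(pan: str) -> str:
    """Infer the network from the public IIN ranges of the leading digits."""
    if pan.startswith("4"):
        return "visa"
    if pan[:2] in ("34", "37"):
        return "amex"
    if pan[:2] in ("51", "52", "53", "54", "55"):
        return "mastercard"
    if pan[:4].isdigit() and 2221 <= int(pan[:4]) <= 2720:
        return "mastercard"
    return "unknown"


def anomalies(rec: dict, as_of: date) -> list:
    """Return the list of heuristic flags raised by one record (empty = plausible)."""
    flags = []
    pan, cvv, exp = rec["pan"], rec["cvv"], rec["exp"]
    if not luhn_valid(pan):
        flags.append("luhn_fail")
    expected_cvv_len = 4 if network_from_bin(pan) == "amex" else 3
    if not (cvv.isdigit() and len(cvv) == expected_cvv_len):
        flags.append("cvv_length")
    m = EXPIRY_RE.match(exp)
    if not m:
        flags.append("expiry_format")
    else:
        month, year = int(m.group(1)), 2000 + int(m.group(2))  # assumption: YY means 20YY
        if (year, month) < (as_of.year, as_of.month):
            flags.append("expiry_past")
        elif year - as_of.year > MAX_VALIDITY_YEARS:
            flags.append("expiry_too_far")
    return flags


def synthetic_fraction(records, as_of: date) -> float:
    """Share of records that raise at least one flag."""
    flagged = sum(1 for r in records if anomalies(r, as_of))
    return flagged / len(records)


# Constructed sample dump using public test card numbers (assumption: MM/YY expiries).
AS_OF = date(2025, 6, 1)
SAMPLE_RECORDS = [
    {"pan": "4111111111111111", "cvv": "123", "exp": "11/26"},  # plausible Visa
    {"pan": "5555555555554444", "cvv": "987", "exp": "08/27"},  # plausible Mastercard
    {"pan": "378282246310005",  "cvv": "123", "exp": "03/27"},  # Amex with a 3-digit CVV
    {"pan": "4111111111111112", "cvv": "456", "exp": "09/26"},  # bad Luhn check digit
    {"pan": "5555555555554444", "cvv": "789", "exp": "02/19"},  # already expired
    {"pan": "5555555555554444", "cvv": "321", "exp": "12/48"},  # expiry 23 years out
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["pan"][:6] + "…", anomalies(rec, AS_OF) or "ok")
    print(f"flagged fraction: {synthetic_fraction(SAMPLE_RECORDS, AS_OF):.2%}")
```

On a real dump the same loop runs over millions of rows, and the interesting signal is not any single flag but its distribution: genuinely skimmed data fails Luhn almost never, while mass-generated filler tends to show clustered CVVs, uniform expiry years or BIN/CVV mismatches. The "active" status ZenoX reports cannot be derived offline; it requires authorisation checks with issuers.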
The implications of this leak go beyond the immediate economic impact and point to structural changes in the way compromised data is collected, manipulated and commercially exploited. Agile mitigation actions are therefore required.
Brazil's exposure in the leak
Brazil ranks 40th among the most affected countries, with 3,367 compromised cards, representing 0.10% of the total. Despite this moderate exposure, Brazil has the largest number of records in Latin America, surpassing Mexico (2,791), Argentina (712), Chile (459) and Colombia (139).
Analysis of the IP addresses linked to Brazilian cards reveals a diverse pattern, pointing to multiple phishing campaigns and possible compromises of e-commerce sites rather than a single centralized attack. São Paulo leads in the volume of leaked data, reflecting its role as a financial center.
Brazil's relatively lower exposure, in contrast to the high concentration in Southeast Asia, can be attributed to factors such as differences in the security technologies of local financial institutions, less attacker focus on the region, or the geographical distance from B1ack's main operations. "Although it is not one of the most impacted countries, the presence of more than 3,000 compromised cards in Brazil highlights specific vulnerabilities that require the attention of financial institutions and regulatory bodies," concludes Cerqueira.
The full study carried out by ZenoX can be accessed here.