ZenoX, a cybersecurity startup from the Defense Group that specializes in artificial intelligence against digital threats, conducted a detailed investigation into the leak of 3.4 million credit cards, called "JOKER". The incident, classified as the largest financial data leak so far in 2025, was attributed to the cybercriminal group B1ACK’S STASH, known for trading financial data on the dark web. The analysis revealed that malicious actors are stepping up their game by combining advanced phishing, e-commerce compromise, and artificial data generation to maximize impact and financial return.
Leakage strategy and methods
The campaigns identified do not appear to have been targeted at specific banks, but rather aimed at the mass collection of credit card data through different methods, such as:
- Fake payment gateways;
- Fraudulent websites;
- Phishing by e-mail;
- Man-in-the-Middle scripts on legitimate online stores.
“The operating pattern shows that B1ack seeks to maximize its gains by reselling or using the stolen data. To this end, it explores dark web markets, carding forums and direct transactions, strengthening its influence through an effective marketing strategy in the cybercriminal underworld,” says Ana Cerqueira, CRO at ZenoX.
Impact and identified risks
Although the initially disclosed total was 3.4 million cards, ZenoX's investigation suggests that between 1.4 and 2 million records are authentic. Of this total, 93.96% remained active at the time of the investigation, representing a significant risk to consumers and financial institutions, especially in the Southeast Asian region.
It is also pointed out that a significant portion of the 3.4 million card records disclosed by B1ack may have been artificially generated rather than obtained exclusively through actual breaches. Anomalies in CVV codes, expiration dates, and demographic data were identified, indicating that a substantial share of the data was artificially generated.
“We estimate that between 40% and 60% of the records may have been created artificially. This artifice seeks to amplify the impact of the leak, increasing the reputation of the criminal group in the black market,” Cerqueira highlights.
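The anomaly checks described above (implausible CVV and expiration values, checksum failures) are the kind of triage an analyst runs over a claimed dump to separate plausible records from padding. The following is an added example, not ZenoX's own tooling or methodology: it scores constructed, non-real sample records (public Luhn test numbers) against a fixed reference date; the seven-year expiry horizon, the field names and the anomaly labels are assumptions, and demographic consistency checks are out of scope.

```python
from datetime import date
import re
# Constructed, non-real records; PANs are public Luhn-valid test numbers.
SAMPLE = [
    {"pan": "4111111111111111", "exp": "09/27", "cvv": "123"},
    {"pan": "378282246310005", "exp": "01/28", "cvv": "1234"},
    {"pan": "4111111111111112", "exp": "09/27", "cvv": "123"},   # Luhn fails
    {"pan": "5555555555554444", "exp": "13/30", "cvv": "321"},   # month 13
    {"pan": "4111111111111111", "exp": "05/24", "cvv": "123"},   # already expired
    {"pan": "4111111111111111", "exp": "06/41", "cvv": "123"},   # 16 years out
    {"pan": "4111111111111111", "exp": "06/27", "cvv": "12"},    # 2-digit CVV
]
AS_OF = date(2025, 6, 1)  # fixed reference date so results are reproducible
MAX_YEARS_AHEAD = 7       # assumption: issuers rarely set expiry beyond ~7 years

def luhn_ok(pan: str) -> bool:
    """Standard Luhn checksum; every real PAN passes, random digits usually fail."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def record_anomalies(rec: dict, today: date = AS_OF) -> list:
    """Return anomaly labels for one record; an empty list means 'plausible'."""
    issues, pan = [], rec["pan"]
    if not (pan.isdigit() and 13 <= len(pan) <= 19):
        issues.append("pan_format")
    elif not luhn_ok(pan):
        issues.append("luhn_fail")
    m = re.fullmatch(r"(\d{2})/(\d{2})", rec["exp"])
    if not m:
        issues.append("exp_format")
    else:
        mm, yy = int(m.group(1)), 2000 + int(m.group(2))
        if not 1 <= mm <= 12:
            issues.append("exp_month")
        elif (yy, mm) < (today.year, today.month):
            issues.append("exp_past")
        elif yy > today.year + MAX_YEARS_AHEAD:
            issues.append("exp_too_far")
    cvv_len = 4 if pan.startswith(("34", "37")) else 3   # Amex uses a 4-digit code
    if not (rec["cvv"].isdigit() and len(rec["cvv"]) == cvv_len):
        issues.append("cvv_format")
    return issues

def triage(records: list, today: date = AS_OF) -> tuple:
    """Return (plausible_count, flagged_count) over a list of records."""
    flagged = sum(1 for r in records if record_anomalies(r, today))
    return len(records) - flagged, flagged
```

On the constructed sample, `triage(SAMPLE)` returns `(2, 5)`; on a real dump the ratio of flagged records, broken down by anomaly type, is what supports an authenticity estimate like the one quoted above.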
The implications of this leak go beyond the immediate economic impact and point to structural changes in the way compromised data is collected, manipulated, and commercially exploited. Consequently, swift mitigation actions are required.
Brazil's exposure in the leak
Brazil ranks 40th among the most affected countries, with 3,367 compromised cards, representing 0.10% of the total. Despite the moderate exposure, the presence of Brazilian records is the largest in Latin America, surpassing Argentina (712), Chile (459), Colombia (139), and Mexico (2,791).
The analysis of IP addresses linked to Brazilian cards reveals a diversified pattern, indicating multiple phishing campaigns and possible e-commerce compromises rather than a single centralized attack. São Paulo leads in the volume of leaked data, reflecting its importance as a financial center.
The relatively lower exposure of Brazil, in contrast to the high concentration in Southeast Asia, can be attributed to factors such as differences in the security technologies of local financial institutions, the attacker's lesser focus on the region, or the geographical distance of B1ack's main operations. "Although it is not one of the most impacted countries, the presence of more than 3,000 compromised cards in Brazil highlights specific vulnerabilities that require the attention of financial institutions and regulatory agencies," concludes Cerqueira.
The full study carried out by ZenoX can be accessed here.