ZenoX, the cybersecurity startup of the Dfense Group specialising in artificial intelligence against digital threats, conducted a detailed investigation into the leak of 3.4 million credit cards, known as "JOKER". The incident, classified as the largest leak of financial data so far in 2025, was attributed to the cybercriminal group B1ACK'S STASH, known for selling financial data on the dark web. The analysis revealed that malicious actors are raising their game by combining advanced phishing, e-commerce compromise and artificial data generation to maximise impact and financial return.
Leak strategy and methods
The campaigns identified do not appear to have been targeted at specific banks, but rather aimed at the mass capture of credit card data by different methods, such as:
- Fake payment gateways;
- Fraudulent websites;
- Phishing by e-mail;
- Man-in-the-middle scripts in legitimate online stores.
"The pattern of activity shows that B1ack seeks to maximize its profits by reselling or using the stolen data. To do this, it exploits dark web carding forums and direct transactions, strengthening its influence through an effective marketing strategy in the cybercriminal underworld," says Ana Cerqueira, CRO at ZenoX.
Impact and risks identified
Although the total initially reported was 3.4 million cards, ZenoX's investigation suggests that between 1.4 and 2 million records are authentic. Of this total, 93.96% remained active at the time of the investigation, representing a significant risk for consumers and financial institutions, especially in the Southeast Asian region.
It is also noted that a significant portion of the 3.4 million card records published by B1ack may have been generated artificially rather than obtained exclusively through genuine compromises. Anomalies were identified in CVV codes, expiry dates and demographic data, indicating that a significant part of the data was artificially generated.
"We estimate that between 40% and 60% of the records may have been artificially created. This artifice seeks to amplify the impact of the leak, increasing the reputation of the criminal group in the clandestine market," says Cerqueira.
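As an added illustration of the kind of plausibility checks used to separate genuine card records from fabricated padding in a dump (this is example code, not ZenoX's tooling or method), the script below runs a Luhn check, an expiry-date sanity window, an issuer-dependent CVV length check and duplicate detection over a constructed sample. The record layout, the field names and the ten-year expiry window are assumptions made for the example; the card numbers are publicly documented payment-gateway test numbers, not real cards.

```python
from collections import Counter
from datetime import date

# Constructed sample records for the example (not from the leak). The PANs are
# well-known test numbers; individual entries are deliberately made implausible.
SAMPLE_RECORDS = [
    {"pan": "4111111111111111", "exp": "12/27", "cvv": "123", "country": "BR"},
    {"pan": "5555555555554444", "exp": "06/28", "cvv": "456", "country": "TH"},
    {"pan": "4111111111111112", "exp": "03/26", "cvv": "789", "country": "ID"},  # fails Luhn
    {"pan": "378282246310005", "exp": "11/29", "cvv": "1234", "country": "US"},  # Amex, 4-digit CVV is correct
    {"pan": "4222222222222", "exp": "13/27", "cvv": "000", "country": "BR"},  # month 13 does not exist
    {"pan": "5105105105105100", "exp": "01/19", "cvv": "321", "country": "MY"},  # expired years ago
    {"pan": "4111111111111111", "exp": "12/27", "cvv": "123", "country": "BR"},  # exact duplicate of the first
]


def luhn_ok(pan: str) -> bool:
    """Mod-10 check that every issued card number satisfies; random digit strings fail it 90% of the time."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def expiry_plausible(exp: str, today: date, max_years_ahead: int = 10) -> bool:
    """MM/YY must parse, name a real month, not be in the past, and not lie absurdly far ahead (assumed window)."""
    try:
        mm, yy = exp.split("/")
        month, year = int(mm), 2000 + int(yy)
    except ValueError:
        return False
    if not 1 <= month <= 12:
        return False
    # A card is valid through the end of its expiry month, so the current month still counts.
    if (year, month) < (today.year, today.month):
        return False
    return year <= today.year + max_years_ahead


def cvv_plausible(pan: str, cvv: str) -> bool:
    """American Express (IIN 34/37) prints a 4-digit code; other schemes use 3 digits."""
    expected = 4 if pan[:2] in ("34", "37") else 3
    return cvv.isdigit() and len(cvv) == expected


def classify(record: dict, today: date) -> list:
    """Return the list of per-record anomaly reasons; an empty list means the record looks plausible."""
    reasons = []
    if not luhn_ok(record["pan"]):
        reasons.append("luhn")
    if not expiry_plausible(record["exp"], today):
        reasons.append("expiry")
    if not cvv_plausible(record["pan"], record["cvv"]):
        reasons.append("cvv")
    return reasons


def triage(records: list, today: date) -> dict:
    """Per-record reasons plus the dump-level share of suspicious entries, which is the useful signal."""
    pan_counts = Counter(r["pan"] for r in records)
    results = []
    for r in records:
        reasons = classify(r, today)
        if pan_counts[r["pan"]] > 1:
            reasons.append("duplicate")
        results.append(reasons)
    suspicious = sum(1 for reasons in results if reasons)
    return {
        "results": results,
        "total": len(records),
        "suspicious": suspicious,
        "suspicious_ratio": suspicious / len(records) if records else 0.0,
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_RECORDS, date(2025, 6, 1))
    for record, reasons in zip(SAMPLE_RECORDS, summary["results"]):
        print(record["pan"][-4:], record["country"], reasons or "ok")
    print(f"{summary['suspicious']}/{summary['total']} suspicious "
          f"({summary['suspicious_ratio']:.0%})")
```

A single failing record proves little on its own (a genuine dump contains typos and expired cards too); it is the share of failures across the whole dump, and the shape of the expiry and CVV distributions, that points to fabricated padding rather than stolen data.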
The implications of this leak go beyond the immediate economic impact and highlight structural changes in the way compromised data is collected, manipulated and commercially exploited. Agile mitigation actions are therefore required.
Brazil's exposure in the leak
Brazil ranks 40th among the most affected countries, with 3,367 compromised cards, representing 0.10% of the total. Despite the moderate exposure, the presence of Brazilian records is the largest in Latin America, surpassing Argentina (712), Chile (459), Colombia (139) and Mexico (2,791).
The analysis of IP addresses linked to Brazilian cards reveals a diverse pattern, indicating multiple phishing campaigns and possible compromises of e-commerce sites, rather than a centralized attack. São Paulo leads in the volume of leaked data, reflecting its relevance as a financial center.
Brazil's relatively lower exposure, in contrast to the high concentration in Southeast Asia, can be attributed to factors such as differences in the security technologies of local financial institutions, the attacker's lesser focus on the region or the geographical distance from B1ack's main operations. "Although it is not one of the most affected countries, the presence of more than 3,000 compromised cards in Brazil highlights specific vulnerabilities that demand attention from financial institutions and regulatory bodies," concludes Cerqueira.
The full ZenoX study can be accessed here.