
ZenoX investigates biggest financial leak of 2025, with 3.4 million cards compromised

ZenoX, the cybersecurity startup of Dfense Group, a specialist in artificial intelligence against digital threats, conducted a detailed investigation into the leak of 3.4 million credit cards, called “JOKER”. The incident, ranked as the largest financial data leak so far in 2025, was attributed to the cybercriminal group B1ACK’S STASH, known for marketing financial data on the dark web. The analysis revealed that malicious actors are elevating their game by combining advanced phishing, e-commerce compromise and artificial data generation to maximize impact and financial return.

Leak strategy and methods
The campaigns identified do not appear to have been targeted at specific banks, but rather aimed at the mass capture of credit card data by different methods, such as:

  • Fake payment gateways;
  • Fraudulent websites;
  • Phishing by e-mail;
  • Man-in-the-middle scripts in legitimate online stores.

"The pattern of activity shows that B1ack seeks to maximize its profits by reselling or using the stolen data. To do this, it exploits dark web carding forums and direct transactions, strengthening its influence through an effective marketing strategy in the cybercriminal underworld," says Ana Cerqueira, CRO at ZenoX.

Impact and risks identified
Although the total initially reported was 3.4 million cards, ZenoX's investigation suggests that between 1.4 and 2 million records are authentic. Of this total, 93.96% remained active at the time of the investigation, representing a significant risk for consumers and financial institutions, especially in the Southeast Asian region.

The investigation also points out that a significant portion of the 3.4 million card records disclosed by B1ack may have been artificially generated rather than obtained exclusively through actual compromises. Anomalies in CVV codes, expiration dates and demographics were identified, indicating significant artificial generation of part of the data.

"We estimate that between 40% and 60% of the records may have been artificially created. This artifice seeks to amplify the impact of the leak, increasing the reputation of the criminal group in the clandestine market," says Cerqueira.

The implications of this leak go beyond the immediate economic impact and highlight structural changes in the way compromised data is collected, manipulated and commercially exploited. Agile mitigation actions are therefore required.

Brazil's exposure in the leak
Brazil ranks 40th among the most affected countries, with 3,367 compromised cards, representing 0.10% of the total. Despite the moderate exposure, the presence of Brazilian records is the largest in Latin America, surpassing Argentina (712), Chile (459), Colombia (139) and Mexico (2,791).

The analysis of IP addresses linked to national cards reveals a diverse pattern, indicating multiple phishing campaigns and possible compromises of e-commerce sites, rather than a centralized attack. São Paulo leads in the volume of leaked data, reflecting its relevance as a financial center.

Brazil's relatively lower exposure, in contrast to the high concentration in Southeast Asia, can be attributed to factors such as differences in the security technologies of local financial institutions, the attacker's lesser focus on the region or the geographical distance from B1ack's main operations. "Although it is not one of the most affected countries, the presence of more than 3,000 compromised cards in Brazil highlights specific vulnerabilities that demand attention from financial institutions and regulatory bodies," concludes Cerqueira. 

The full ZenoX study can be accessed here.
