ZenoX investigates biggest financial leak of 2025, with 3.4 million cards compromised

ZenoX, a cybersecurity startup of the Dfense Group specializing in artificial intelligence against digital threats, conducted a detailed investigation into the leak of 3.4 million credit cards, called “JOKER”. The incident, which was ranked as the largest financial data leak so far in 2025, was attributed to the cybercriminal group B1ACK’S STASH, known for selling financial data on the dark web. The analysis revealed that malicious actors are elevating their game by combining advanced phishing, e-commerce compromise and artificial data generation to maximize impact and financial return.

Leak strategy and methods
The campaigns identified do not seem to have targeted specific banks, but rather aimed at the mass capture of credit card data by different methods, such as:

  • Fake payment gateways;
  • Fraudulent websites;
  • Phishing by email;
  • Man-in-the-Middle scripts in legitimate online stores.

“The pattern of action shows that B1ack seeks to maximize its earnings by reselling or using the stolen data on the dark web, carding forums and direct transactions, strengthening its influence through an effective marketing strategy in the cybercriminal underworld”, says Ana Cerqueira, CRO at ZenoX.

Impact and risks identified
Although the initial total was 3.4 million cards, ZenoX's calculation suggests that between 1.4 and 2 million records are authentic. Of this total, 93.96% remained active at the time of the investigation, posing a significant risk to consumers and financial institutions, especially in the Southeast Asia region.

The investigation also points out that a significant portion of the 3.4 million card records disclosed by B1ack may have been artificially generated, and not obtained exclusively through genuine compromises. Anomalies in CVV codes, expiration dates and demographic data were identified, indicating that a significant part of the data was artificially generated.

“We estimate that between 40% and 60% of the records may have been artificially created. This artifice seeks to expand the impact of the leak, increasing the reputation of the criminal group in the clandestine market”, Cerqueira says.

The implications of this leak transcend the immediate economic impact and highlight structural changes in the way compromised data is collected, manipulated and exploited commercially. Thus, agile mitigation actions are required.

Brazil exposure in the leak
Brazil ranks 40th among the most affected countries, with 3,367 compromised cards, representing 0.10% of the total. Despite moderate exposure, the presence of Brazilian records is the largest in Latin America, surpassing Argentina (712), Chile (459), Colombia (139) and Mexico (2,791).

The analysis of IP addresses linked to national cards reveals a diverse pattern, indicating multiple phishing campaigns and possible e-commerce compromises, rather than a centralized attack. 

The relatively lower exposure of Brazil, in contrast to the high concentration in Southeast Asia, can be attributed to factors such as differences in the security technologies of local financial institutions, less attacker focus on the region or the geographical distance from B1ack's main operations. “Although not one of the most impacted countries, the presence of more than 3,000 compromised cards in Brazil highlights specific vulnerabilities that require attention from financial institutions and regulatory bodies”, concludes Cerqueira.

The full ZenoX study can be accessed here.
