ZenoX investigates the largest financial leak of 2025, with 3.4 million cards compromised

ZenoX, a cybersecurity startup of Dfense Group specializing in artificial intelligence against digital threats, conducted a detailed investigation into the leak of 3.4 million credit cards, dubbed “JOKER”. The incident, classified as the largest financial data leak so far in 2025, was attributed to the cybercriminal group B1ACK’S STASH, known for selling financial data on the dark web. The analysis revealed that malicious actors are raising their game by combining advanced phishing, e-commerce compromise and artificial data generation to maximize impact and financial return.

Leak strategy and methods
The identified campaigns do not appear to have targeted specific banks, but rather aimed at the mass capture of credit card data through different methods, such as:

  • Fake payment gateways;
  • Fraudulent websites;
  • Phishing by email;
  • Man-in-the-Middle scripts in legitimate online stores.

“The pattern of action shows that B1ack seeks to maximize its earnings by reselling or using the stolen data on the dark web, carding forums and direct transactions, strengthening its influence through an effective marketing strategy in the cybercriminal underworld”, says Ana Cerqueira, CRO at ZenoX.

Impact and risks identified
Although the initial total was 3.4 million cards, ZenoX's calculation suggests that between 1.4 and 2 million records are authentic. Of this total, 93.96% remained active at the time of the investigation, posing a significant risk to consumers and financial institutions, especially in the Southeast Asia region.

It is also noted that a significant portion of the 3.4 million card records released by B1ack may have been artificially generated, rather than obtained exclusively through genuine compromises. Anomalies were identified in CVV codes, expiration dates and demographic data, indicating significant artificial generation of part of the data.

“We estimate that between 40% and 60% of the records may have been artificially created. This artifice seeks to expand the impact of the leak, increasing the reputation of the criminal group in the clandestine market”, Cerqueira says.

The implications of this leak transcend the immediate economic impact and highlight structural changes in the way compromised data is collected, manipulated and exploited commercially. Thus, agile mitigation actions are required.

Brazil exposure in the leak
Brazil ranks 40th among the most affected countries, with 3,367 compromised cards, representing 0.10% of the total. Despite moderate exposure, the presence of Brazilian records is the largest in Latin America, surpassing Argentina (712), Chile (459), Colombia (139) and Mexico (2,791).

The analysis of IP addresses linked to national cards reveals a diverse pattern, indicating multiple phishing campaigns and possible e-commerce compromises, rather than a centralized attack. 

The relatively lower exposure of Brazil, in contrast to the high concentration in Southeast Asia, can be attributed to factors such as differences in the security technologies of local financial institutions, less focus of the attacker in the region or the geographical distance of the main operations of B1ack. “Although not one of the most impacted countries, the presence of more than 3,000 compromised cards in Brazil highlights specific vulnerabilities that require attention from financial institutions and regulatory bodies”, concludes Cerqueira. 

The full ZenoX study can be accessed here.

E-Commerce Update
https://www.ecommerceupdate.org
E-Commerce Update is a leading company in the Brazilian market, specializing in producing and disseminating high-quality content about the e-commerce sector.