Fraud is something I have been doing for many years, even before internet fraud was a thing. So it is safe to say I have a vast knowledge and experience in this business. I have written this
tutorial with the intention of helping beginners and even advanced fraudsters take their operations
to the absolute next level. I have included most if not all of my knowledge from this part of the
business in this guide. For many of you who have read my previous tutorials, I’m sure you are
already familiar with my tendency to go much in-depth over everything and I plan on keeping that same level of quality on this tutorial as well. This guide is amazing for advanced fraudsters who want to make a lot more money. Beginners who are just starting out in the online fraud business will also find this guide extremely helpful to kickstart their journey as many of the things I will go over are used every single day during different fraud operations and will be valid for many years to come. I recommend you DO NOT skip any chapters of this guide, even if you are already familiar with the topic being discussed. Every chapter has its own equal importance and skipping chapters are for lazy people who do not want to learn. If you do not learn in this business, you WILL fail. Success requires patience and perseverance so keep that in mind.
This is someone’s entire data cluster and it’s what is used to create bank drop accounts,
and for setting up payment processors on fake online stores. This could also be used for many
different things such as conducting an ATO (Account- Take-Over) on someone’s bank account, opening
new lines of credit under their name, and much more. Fullz are extremely valuable information to
us and in fact a NECESSITY to be able to open bank drops. Fullz usually comprise of Background
Checks, Credit Reports, Credit Scores, Full Names, Addresses, Social Security Number (SSN), Date
of Birth (DOB), Driver’s License Numbers, and more.
This can either be someone’s full credit card details, or someone’s full debit card details.
CVV is simply a fraud slang for credit/debit card details, there’s not much to it. We can use
these details to “card” information on someone online, such as background or credit reports that
can be used for various purposes such as opening bank drops and conducting an ATO
(Account-Take-Over) on the victim’s bank account, or we can use these CVV details to order
physical/digital products that will be sent to a drop address.
A credit card dump is an unauthorized digital copy of all the information contained in
the magnetic strip of an active credit card, created with the intention of illegally making a fake
credit card that can be used by cybercriminals to make purchases. Credit card dumps are used by
fraudsters to capture valuable card data such as the card number and expiration date. These can be
obtained in a number of ways. The most popular method nowadays is “skimming”, a process in which
an illegal card reader is used to copy the data from a credit card. Other methods include hacking
into a retailer’s network or when a malware-infected point-of-sale device is unwittingly used by a
retailer, sending the information to the criminals.
DUMPS SERVICE CODE:
Many fraudsters think that there are only 2 types of dumps, 101 and 201. The
truth is there are many other types of dumps. Carders usually work with either 101 or 201 but the
majority will prefer 101. This is known as the SERVICE CODE of a dump. The service code contains 3
characters and you can find a dump service code just by looking at a dump, regardless of whether
it has both TRACK1+TRACK2 or just TRACK2. For example, let’s say we’re looking at the dump
4256746500930321=1402101700102054. The service code of this dump is 101, which is located right after
the expiration date of the card, which in this case is 1402 (FEB 2014). The value of the service
code determines where the cards are suitable to be used and in what way. Below is a detailed
explanation of each service code available today.
First digit (usage variables):
– 1xx: Worldwide use, usually doesn’t have a smart chip.
– 2xx: Worldwide use, does have a smart chip and is required to use the smart chip if the card reader
reads the chip
– 5xx: National use, a list of regions can be allowed by the bank (often called region
– 6xx: National use, a list of regions can be allowed by the bank but required to use smart chip if
the card reader reads the chip
– 7xx: Only useable according to what has been agreed with the bank
Second digit (authorization)
– x0x: Normal authorization, normal usage.
– x2x: Contact issuing bank.
– x4x: Contact issuing bank, exceptions rules by bank.
Third digit (services that the card can be used for):
– xx0: Can be used for anything, require PIN.
– xx1: Can be used for anything without PIN.
– xx2: Can be used to buy goods or pay a service, cannot retrieve cash, PIN not required.
– xx3: ATM only, PIN required.
– xx4: Cash only, PIN not required.
– xx5: Can be used to buy goods or pay a service, cannot retrieve cash. PIN required
– xx6: No restrictions to use, will ask for PIN when possible.
– xx7: Can be used to buy goods or pay a service, cannot retrieve cash. PIN required when possible.
There are up to three tracks on magnetic cards known as tracks 1, 2, and 3.
Track 3 is virtually unused by the major worldwide networks, and often isn’t even physically
present on the card by virtue of a narrower magnetic stripe. Point-of-sale card readers almost
always read track 1, or track 2, and sometimes both, in case one track is unreadable. The minimum
cardholder account information needed to complete a transaction is present on both tracks. Track 1
has a higher bit density, is the only track that may contain alphabetic text,
and hence is the only track that contains the cardholder’s name. The information on track 1 on
financial cards is contained in several formats that go from A to M. The “A” is only used by the
bank itself, so we do not need to pay much attention to it. The “B” is where the holder’s financial
information is stored, the most important section of the magnetic stripe. C to M are used for the
ANSI Subcommittee X3B10, and N to Z is the information that is available for use by individual card
issuers. This is what track 1 looks like.
• % for Start Sentinel
• B for Bank Type Credit Card
• 5XXXXXXXXXXXXXX2 is the Primary Account Number, which in most cases is the number printed on
the front of the card, but not always.
• ^ is the separator
• GEORGENULL is the card holder’s last name
• / is the separator
• MAX is the card holder’s first name
• ^ another separator
• 11 expiration year, 03 expiration month
• 101 SERVICE CODE
• 0000000010000000003000000 is the discretionary data
• ? is the end
So now that you’ve seen the information that is stored in track 1 and the letter containers, you
should have already figured out that credit card dumps are mainly the first 2 tracks.
Track 2 data is used by ATMs, physical payment processors and in any online website. There are a
lot of components in this track, the layout is shown below.
START SENTINEL | PRIMARY ACCOUNT NUMBER | FIELD SEPARATOR | ADDITIONAL DATA | END SENTINEL |
LONGITUDINAL REDUNDANCY CHECK
With a more in-depth examination of the data, you can see how a credit card number and holder’s
main information is stored into the track 2 data.
5XXXXXXXXXXXXXX2=1103200XXXX00000000?*
[Diagram labels, left to right: START SENTINEL | CARD NUMBER | FIELD SEPARATOR | EXPIRATION |
SERVICE CODE | ENCRYPTED PIN | END SENTINEL | LRC]
Now let’s break it down.
• ;: Start Sentinel
• 5XXXXXXXXXXXXXX2: Primary account number, the PAN. This would be the credit card number you
always see printed on the front of the plastic.
• 1103: Expiry Date. Always year first then month.
• 200: Service code.
• XXXX00000000: Discretionary data, which includes the PIN verification, the card verification
value and the last 3 digits on the back of the card aka the CSC/CVV2 code.
• ?: The End Sentinel
• With ^^ ^^ ^ ^ ^^ begins the track 3 data, which as said previously is completely useless.
Most carders and hackers, will only seek out the TR1 and TR2 data. That’s where the term CVV dumps
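Added example (not part of the original guide): from the defender's side, the track 1 and track 2 layouts described above are what a log or memory scanner looks for, because PCI DSS prohibits storing full track data after authorization. The sketch below finds both layouts in text, confirms candidates with a Luhn check, and redacts them. The sample log lines, the test card numbers and all function names are constructed for illustration.

```python
import re
from typing import List, NamedTuple

# Track 1, format B:  %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{12,19})\^([^^?]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Track 2:            ;<PAN>=<YYMM><service code><discretionary>?
# Sentinels are optional here because loggers often strip them.
TRACK2_RE = re.compile(r"(?<!\d);?(\d{12,19})=(\d{4})(\d{3})(\d*)\??")

# (label, pattern, group index of the expiry field); the service code follows it.
PATTERNS = (("track1", TRACK1_RE, 3), ("track2", TRACK2_RE, 2))


class Finding(NamedTuple):
    line_no: int
    track: str
    masked_pan: str
    expiry_yymm: str
    service_code: str


def luhn_ok(pan: str) -> bool:
    """Luhn checksum; filters out order numbers that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits for reporting."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def plausible(pan: str, expiry: str) -> bool:
    """A candidate counts only if the PAN passes Luhn and the month is 01-12."""
    return luhn_ok(pan) and 1 <= int(expiry[2:]) <= 12


def scan(lines: List[str]) -> List[Finding]:
    """Return one finding per track-data occurrence, never the raw PAN."""
    findings = []
    for no, line in enumerate(lines, start=1):
        for label, rx, exp_idx in PATTERNS:
            for m in rx.finditer(line):
                pan, expiry = m.group(1), m.group(exp_idx)
                if plausible(pan, expiry):
                    findings.append(
                        Finding(no, label, mask_pan(pan), expiry, m.group(exp_idx + 1))
                    )
    return findings


def redact(line: str) -> str:
    """Replace confirmed track data with a marker that carries only the masked PAN."""
    for label, rx, exp_idx in PATTERNS:
        def repl(m, label=label, exp_idx=exp_idx):
            if not plausible(m.group(1), m.group(exp_idx)):
                return m.group(0)  # leave look-alikes untouched
            return f"[{label.upper()} REDACTED {mask_pan(m.group(1))}]"
        line = rx.sub(repl, line)
    return line


# Constructed sample input: well-known test card numbers, not real accounts.
SAMPLE_LOG = [
    "2024-05-01T10:00:01 pos-7 DEBUG swipe raw=%B4111111111111111^DOE/JANE^30121010000000000000?",
    "2024-05-01T10:00:02 pos-7 DEBUG t2=;5555555555554444=30122010000000000?",
    "2024-05-01T10:00:03 pos-7 INFO order_ref 1234567890123456=2501123",  # fails Luhn
    "2024-05-01T10:00:04 pos-7 INFO auth approved amount=15.56",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
    for entry in SAMPLE_LOG:
        print(redact(entry))
```

Any finding in production logs means a component is persisting magnetic-stripe data it should discard after authorization.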
This is a program or web service that allows users to store and control their
online shopping information, like logins, passwords, shipping address and credit card/bank
details, in one central place. It also provides a convenient and technologically quick method for
consumers to purchase products from any person or store across the globe. Such examples of web
wallets are PayPal, Google Wallet, and Venmo. We can use such wallets for many purposes that will
be discussed in further guides.
This is a device made to be affixed to the mouth of an ATM and secretly swipe credit and
debit card information when bank customers slip their cards into the machines to pull out money.
Skimmers have been around for years, of course, but fraudsters are constantly improving them. Card
skimming accounts for more than 80 percent of ATM fraud. Some sophisticated skimmers are even able
to transmit stolen data via text message.
A device that stamps the cards to produce the raised lettering where the CVV holder’s
name is, card number, etc…
A device that adds the gold/silver accents to the embossed characters.
MSR (MAGNETIC STRIPE READER/WRITER):
Used by fraudsters to write dumps into actual physical blank
cards or gift cards (and driver’s licenses, student IDs, etc..). If you want to use blank white
cards, you will need a printer for the card template, embosser and tipper, which can be pretty
expensive, however it is worth it if you know how to correctly use these things.
POS (POINT-OF-SALE) SYSTEM:
This is the time and place where a retail transaction is completed.
At the point of sale, the merchant calculates the amount owed by the customer, indicates that
amount, may prepare an invoice for the customer (which may be a cash register printout), and
indicates the options for the customer to make payment. It is also the point at which a customer
makes a payment to the merchant in exchange for goods or after provision of a service.
After receiving payment, the merchant may issue a receipt for the transaction.
This stands for Automated Clearing House, which is an electronic network for financial
transactions in the United States. ACH processes large volumes of credit and debit transactions in
batches. ACH credit transfers include direct deposit, payroll and vendor payments. Moving money and
information from one bank account to another is done through Direct Deposit or via ACH
transactions, credit or debit. This is used a lot by fraudsters to siphon money out of the bank
accounts of unsuspecting victims, which is extremely easy.
A payment processor is a company (often a third party) appointed by a merchant
to handle transactions from various channels such as credit cards and debit cards for merchant
acquiring banks. They are usually broken down into two types: front-end and back-end. Front-end
processors have connections to various card associations and supply authorization and settlement
services to the merchant banks’ merchants. Back-end processors accept settlements from front-end
processors and, via The Federal Reserve Bank for example, move the money from the issuing bank to
the merchant bank. In an operation that will usually take a few seconds, the payment processor will
both check the details received by forwarding them to the respective card’s issuing bank or card
association for verification, and also carry out a series of anti-fraud measures against the
transaction. Additional parameters, including the card’s country of issue and its previous payment
history, are also used to gauge the probability of the transaction being approved. Once the
payment processor has received confirmation that the credit card details have been verified, the
information will be relayed back via the payment gateway to the merchant, who will then complete
the payment transaction. If verification is denied by the card association, the payment processor
will relay the information to the merchant, who will then decline the transaction. Examples
of payment processors are Square, PayPal, Stripe and Flint.
This is a merchant service provided by an e-commerce website that authorizes
credit card or direct payments processing for e-businesses, online retailers, or traditional brick
and mortar stores. The payment gateway may be provided by a bank to its customers but can be
provided by a specialized financial service provider as a separate service. It facilitates a
payment transaction by the transfer of information between a payment portal (such as a website,
mobile phone or interactive voice response service) and the front-end processor or acquiring bank.
Here’s how a typical transaction plays out.
1. A customer places an order on a website by pressing the “Submit Order” or equivalent button, or
perhaps enters their card details using an automatic phone answering service.
2. If the order is via a website, the customer’s web browser encrypts the information to be sent
between the browser and the merchant’s webserver. Among other methods, this may be done via
SSL encryption. The payment gateway may allow transaction data to be sent directly from the
customer’s browser to the gateway, bypassing the merchant’s systems. This reduces the merchant’s
Payment Card Industry Data Security Standard compliance obligations without redirecting the
customer away from the website.
3. The merchant then forwards the transaction details to their payment gateway.
4. The payment gateway converts the message from XML to ISO 8583 or a variant message format and then forwards the transaction information to the payment processor used by the merchant’s
5. The payment processor forwards the transaction information to the card association (e.g.
Visa/Mastercard/AMEX). If an American Express or Discover Card was used, then the card association
also acts as the issuing bank and directly provides a response of approved or declined to the
payment gateway. Otherwise, the card association routes the transaction to the correct card issuing
6. The credit card issuing bank receives the authorization request, verifies the credit or debit
available and then sends a response back to the processor with a response code (approved or
denied). In addition to communicating the fate of the authorization request, the response code is
also used to define the reason why the transaction failed (e.g. insufficient funds, or bank link
not available). Meanwhile, the credit card issuer holds an authorization associated with that
merchant and consumer for the approved amount. This can impact the consumer’s ability to spend
further (because it reduces the line of credit available or it puts a hold on a portion of the
funds in a debit account).
7. The processor forwards the authorization response to the payment gateway.
8. The payment gateway receives the response, and forwards it on to the website (or whatever
interface was used to process the payment) where it is interpreted as a relevant response then
relayed back to the merchant and cardholder. This is known as the Authorization or “Auth”
9. This entire process typically takes 2-3 seconds.
This is traditionally known as the name or URL of a website and is sometimes called
the host name. The host name is a more memorable name to stand in for the numeric, and hard to
remember, IP address of a website. This allows the website visitors to find and return to a web
page more easily. It also allows advertisers the ability to give a website a memorable name that
visitors will remember and come to, hopefully leading to conversions for the web page. The
flexibility of website domains allows several IP addresses to be linked to the same website domain,
thus giving a website several different pages while remaining at the easily remembered address.
This is the process of purchasing physical or digital goods online using someone
else’s credit/debit card details.
This is the process of purchasing physical goods by going to an actual physical
store in-person and using pre-made credit cards with dumps punched in them to conduct the
fraudulent transactions. Transactions are also possible to be conducted with an Android phone
using NFC payments with TR1+TR2 data.
Term used when referring to using someone else’s CVV details to conduct a fraudulent
purchase on an online website or physically in person in a store using DUMPS. Example, we can CARD
a cellphone using someone else’s details through Amazon, or CARD a $400 belt at a Gucci Store using
dumps that were punched into a blank card using devices specifically made for such purposes.
The owner of the CVV that we’re using to conduct the fraudulent transaction.
An address directly attached to a CVV. This is where the card holder’s bank sends
his bills, hence the name BILLING.
An address used exclusively to receive mail. Most websites do not allow
transactions to be accepted if the billing address on a credit card and the shipping address
provided to the website are different.
AVS & NON-AVS:
AVS stands for Address Verification System. This is a system used to verify the
address of a person claiming to own a credit card. The system will check the billing address of the
credit card provided by the user with the address on file at the credit card company. AVS is used
by almost all merchants in the US, Canada, and UK. Because AVS only verifies the numeric portion of
the address, certain anomalies like apartment numbers can cause false declines; however, it is
reported to be a rare occurrence. AVS verifies the numeric portions of a cardholder’s billing
address. For example, if the address is 101 Main Street, Highland, CA 92346, United States, AVS
will check 101 and 92346. Cardholders may receive false negatives, or partial declines for AVS
from e-commerce verification systems, which may require manual overrides, voice authorization, or
reprogramming of the AVS entries by the card issuing bank. Cardholders with a bank that does not
support AVS may receive an error from Internet stores due to lack of data. All countries besides
UK, US & Canada, are NON-AVS.
VBV & NON-VBV:
This is an XML-based protocol designed to be an additional security layer for online
credit and debit card transactions. VBV stands for Verified by Visa. This is used to validate the
card holder’s identity and prevent fraudulent transactions. It works by asking for additional
information either from the card holder directly or by analyzing data behind the scenes to see if
the purchase fits the usual payment behavior. When a website and a card have Verified by Visa, a
message box pops up on screen after you have entered the Visa card details. You are then asked to
identify yourself with your Verified by Visa password or a code sent to your phone. What you need
to do at this stage varies but your bank will tell you about the method they use and what they
expect from you. If you don’t notice the VBV message box appearing but instead see a revolving wheel, all the security associated with VBV is still happening but in the background. And you don’t need to do anything. The bank is
verifying the purchase by making background checks to see that everything is as it should be. Any
Visa card that does not have the above feature in place, is known as NON-VBV and you should
ultimately look for NON- VBV cards instead of VBV, because as you can see this verification process
is a huge hassle.
MASTERCARD SECURECODE (MCSC):
MasterCard SecureCode is very much similar to Visa’s VBV. It is a
private code for a MasterCard account that gives the card holder an additional layer of online
shopping security. Only the card holder and the financial institution know what the code is,
merchants are not able to see it.
Fortunately, the majority of MasterCard cards do not have this security in place.
AMERICAN EXPRESS SAFEKEY:
This is one of the least used security measures around, and it is not
even available in the United States. However, it is the same thing as MasterCard SecureCode and
NEAR-FIELD COMMUNICATION (NFC):
NFC technology lets smartphones and other enabled devices
communicate with other devices containing an NFC tag. It is widely used as a payment method, all
you have to do is swipe your smartphone at the checkout in any store, and most stores support NFC.
Apple Pay for example, uses NFC.
Social Security Number. This is a nine-digit number issued to U.S. citizens, permanent
residents, and temporary (working) residents in the United States. Although its primary purpose is
to track individuals for Social Security purposes, the Social Security number has become the
national identification number for taxation and other purposes. SSN is frequently used by those
involved in identity theft, since it is interconnected with many other forms of identification, and
because people asking for it treat it as an authenticator. Financial institutions generally require an
SSN to set up bank accounts, credit cards, and loans, partly because they assume that no one except
the person it was issued to knows it.
Mother’s Maiden Name. This is the name of someone’s mother BEFORE they got married, that is,
her name with her original family name (or “surname”), the name she used when she was a girl and a
young woman. “Maiden” here means “unmarried woman”. So “maiden name” refers to a woman’s name when
she was still an unmarried woman. In many cultures, when a woman gets married, she takes the family
name of her husband’s family, so her name changes. Example, let us say your mother’s name was Mary
and she was born into the Smith family. Her maiden name would be “Mary Smith”. Then, let us say,
she married your father, whose name was Tom Jones. When she married him, she became Mary Jones.
That is her married name, but her maiden name will always be Mary Smith. This is one of the most
important aspects to conducting successful transactions online for high value products, as most
banks ask this as a security question for making any changes to the account.
Date of Birth. This is one of the most important pieces of information you can get on your
victim. The reason for that because with the date of birth, full name and hometown, you can easily
find the person’s SSN. And also because you need this information if the bank ever asks you for it.
A mail drop is a location where you are able to freely receive illegal products that
were either carded, or drugs. You never want to use your own house for these purposes as it will
bring a lot of headache for you in the future. With a mail drop, you can use it let’s say a month,
and never show your face there again. This will make extremely hard for any law enforcement
official to track you down and arrest you or conduct an investigation into your life.
BIN: Bank Identification Number.
This is the first four to six numbers that appear on a credit
card. The bank identification number uniquely identifies the institution issuing the card. The BIN
is key in the process of matching transactions to the issuer of the charge card. This numbering
system also applies to charge cards, gift cards, debit cards, prepaid cards and even electronic
benefit cards. This numbering system helps identify identity theft or potential security breaches
by comparing data, such as the address of the institution issuing the card and the address of the cardholder.
The first digit of the BIN specifies the Major Industry Identifier, such as airline, banking or
travel, and the next five digits specify the issuing institution or bank. For example, the MII for
a Visa credit card starts with a 4. The BIN helps merchants evaluate and assess their payment card
transactions. After submitting the first four to six digits of the card, the online retailer can
detect which institution issued the customer’s card, the card brand (such as Visa or MasterCard),
the card level (such as corporate or platinum), the card type (such as debit card or a credit
card), and the issuing bank country. BINs can be checked through the websites below.
Every time you reach out to a website or connect with anyone online, your online
connection gives your computer “address” to the site/person you’re connecting with. This is so
that the other end knows how to send information back to your computer. That address is your public
IP address. IP stands for Internet Protocol and you can check yours by going to whoer.net.
Without an IP address, you wouldn’t be able to do any Internet/online activity and others online
wouldn’t be able to reach you. It is how you connect to the world.
Your IP address comes from your Internet Service Provider (ISP). Unfortunately, there are a lot of
privacy concerns when it comes to public IP addresses such as
• Your IP address identifies where you are in the world, sometimes to the street level.
• It can be used by websites to block you from accessing their content.
• It ultimately ties your name and home address to your IP address, because someone is paying for
an Internet connection at a specific location.
A proxy lets you go online under a different IP address identity. You don’t change your Internet
provider; you simply get a proxy server. A proxy server is a computer on the web that redirects
your web browsing activity. Here’s what that means.
• Normally, when you type in a website name (Amazon.com or any other), your Internet Service
Provider (ISP) makes the request for you and connects you with the destination, and reveals your
real IP address, as mentioned before.
• When you use a proxy, your online requests get rerouted.
• While using a proxy, your Internet request goes from your computer to your ISP as usual, but
then gets sent to the proxy server, and then to the website/destination. Along the way, the proxy
uses the IP address you chose in your setup, masking your real IP address.
Proxy servers are commonly used by identity thieves to fake their location to the cardholder’s
billing address. The reason for that is because some websites will not allow a transaction to be
accepted, if the purchase is being made from a location much farther away than the cardholder’s
Bank drops are bank accounts that are opened specifically for the purpose of storing
your dirty funds. Once you open them, you can decide whether you wish to withdraw the funds
directly from the account as cash by going to the bank ATM, or possibly clean them with specific
methods, and only after cleaning them, cashing them out (my preferred method and much safer). It is
important to mention also, that all bank drop accounts, are opened ONLY with the information of
someone else (aka FULLZ), so there is absolutely no possibility of these dirty funds ever being
traced back to your real identity. To open one of these bank drop accounts, you will usually
require the person’s DOB + SSN + DL + BACKGROUND CHECK + FULL CREDIT REPORT + MVR/DRIVING RECORD
for maximum success.
When it comes to fraud detection, finding proxies is a big topic. Fraud detection
begins with thinking intelligently about the IP address associated with a transaction. Where is
that IP address, and how does that location relate to other transaction data? Whereas most IP
addresses inspire confidence, those associated with a proxy generate suspicion. As the name
suggests, a proxy acts as an intermediary, passing requests from one computer to other servers.
But although there are legitimate uses of proxies, fraudsters are well known to use proxies.
Detecting proxies comes with two challenges. The first is how to recognize an IP address as a
proxy. The second is how to distinguish a “good” proxy from a “bad” one; since by definition, a
proxy is merely an intermediary, a proxy is not high risk in and of itself. To consider how best
to address these challenges, it’s helpful to look to the primary goal of ecommerce fraud
detection: thinking intelligently about the IP address associated with a transaction in order to
assess risk. Fraud detection uses transaction data as the basis for this thinking and risk
assessment. Using this data and analysis, they’re able to gain insight into the kind of traffic on
a particular IP address. The Proxy Score is a summary of risk associated with an IP address. You
want this to be as low as possible (0.80 MAX).
Anything above 0.80, you should move on and look for another proxy as that will lead to a declined
transaction 70-80% of the time. You can check your proxy score on the websites below. Ideally you
want the lowest proxy score that you can find, I have used RDPs with a proxy score of 0.01 many
• https://www.maxmind.com/en/request-service-trial?service minfraud=1 (FREE TRIAL)
• xdedicvhnguh5s6k.onion (private RDP provider website, but the best one to check this kind of
stuff, send me a PM and I will send you an invite)
Every online transaction is given what is called a “Fraud Score”. This is a number
ranging between 0 and 999. It gives the merchant a number from which he can determine if a given
transaction is fraudulent or not. Transactions that are given high fraud scores (over 300), are
placed under manual verification by an agent, who will decide if they contact the cardholder or
let it through. Scores
over 500 with auto-decline, will block the card and an agent will immediately contact the
cardholder. Some banks have different criteria but certain things that can affect the fraud score
• Comparison with the usual spending pattern of the cardholder
• Location of the charge
• Risk factor associated with the merchant
For example, a $15.56 charge in the cardholder’s local Walmart will not trigger anything, while a
purchase of $2000 on Newegg will have an extremely high fraud score and probably auto-decline if
the cardholder rarely makes purchases online.
This is a percentage given to each transaction that ranges from 0.00% to 100.00%. The
factors that determine this score are whether an IP address, email, device and proxy used are high
risk or low risk. This is determined by fraud systems that websites have in place such as MaxMind,
which establishes the reputations of IP addresses, emails, geolocation and other parameters. This
should always be checked before purchasing an RDP. Anything above 1.00% will lead to declined
transactions most of the time.
Whether you work in a wired network, or a wireless one, one thing is common for both
environments. It takes both network software and hardware (cables, routers, etc.) to transfer data
from your computer to another, or from a computer thousands of miles away to yours. In the end, to
get the data you want right to YOU, it comes down to addresses. So not surprisingly, along with an
IP address, there’s also a hardware address. Typically, it is tied to a key connection device in
your computer called the network interface card, or NIC. The NIC is essentially a computer circuit
card that makes it possible for your computer to connect to a network. An NIC turns data into an
electrical signal that can be transmitted over the network.
Every NIC has a hardware address that’s known as a MAC, for Media Access Control. Where IP
addresses are associated with TCP/IP (networking software), MAC addresses are linked to the
hardware of network adapters. A MAC address is given to a network adapter when it is manufactured.
It is hardwired or hard-coded onto your computer’s network interface card (NIC) and is unique to
Unfortunately, a MAC address can be used by law enforcement in combination with Internet Service
Providers, to find someone’s true location and consequently his identity. Further in this guide I
will explain how to mitigate this risk.
VIRTUAL PRIVATE NETWORK (VPN):
An essential step of conducting a successful fraudulent transaction,
is having a VPN. Most of you already know what this is, but for those of you who don’t, VPNs are
used to funnel your entire traffic to an encrypted tunnel. This way, none of your traffic is able
to be captured by your ISP or an attacker, and consequently sniffed upon. Nor can your real
location be revealed if you are using a good and reliable VPN that prevents DNS leaks. This will be
discussed in more detail further in this guide.
RDP: Remote Desktop Protocol.
This is a protocol developed my Microsoft, which provides a user
with a graphical interface to connect to another computer over a network connection. You can for
example, be using a Linux machine, and connect to a Windows 7 RDP. RDPs are absolutely essential to
conducting a successful fraudulent transaction, especially HACKED RESIDENTIAL RDPs. The reason
for that is because these RDPs are from a REAL PERSON, with a REAL LOCATION/IP, and REAL COMPUTER
and BROWSER FINGERPRINT. They will exponentially increase your success rate. They will also be
discussed in more detail further in this guide.
This is a proxy server that allows us to fake our real location. This is very good if let’s
say, we have a credit card with a billing address in Miami, we can use a SOCKSS near the billing
address in Miami so that the website we are conducting the fraudulent transaction in doesn’t raise
our fraud score because the transaction
is being conducted in another state/far away from the credit card’s billing address as this will
lead to a declined transaction most of the time.
This is an emulation of a computer system. Virtual machines are based on computer
architectures and provide functionality of a physical computer. They allow you to run an operating
system using an app window on your desktop that behaves like a full, separate computer. The most
used software for virtual machines are respectively, Virtual Box and VMWare. Unfortunately, they
are not as reliable as using an RDP, but they are very good to CONNECT to an RDP, so as to leave no
traces on your original computer. Windows and OS X are still not reliable enough in the aspect of
leaving no traces, as the virtual machine in these operating systems, will leak information to the
host OS, and consequently leave a lot of illegal evidence/traces on your computer that could later
be used as potential evidence in an investigation. However, you should never let it get to that
point the first place.
OPERATIONS SECURITY (OPSEC)
This is the most important aspect of being a successful fraudster. The reason for this is because
there’s no point in doing all of this, if we’re going to eventually be caught, and have all of your
assets seized by the government. Unfortunately, the United States doesn’t take these things
lightly, and they will do everything they can to persecute cybercriminals and put them in jail,
which most of the time are given sentences of over 10 years in jail for minor offenses. They are
the biggest and most powerful nation in the entire world, and their resources are absolutely
endless. We MUST take every precaution possible to mitigate any of these risks and to make sure our
hard work will never be taken from us by such governments. Even if you do not live in the United
States, you should still very much worry about them as they are involved in pretty much every
single international issue that occurs, especially in cybercrime cases.
I have written an extensive guide over 100 pages long on just the topic of OPSEC and creating your
perfect fraud expert setup for maximum success, and security against such adversaries, of which I
am currently selling for $25 ONLY for a limited time. If you are any serious about doing this
business and following my guidance, I HIGHLY recommend you purchase my guide and follow each and
every step outlined in it to secure yourself to the max. Remember, if you want to be a criminal,
then do your homework, or don’t be a criminal.
With that said, in this chapter I won’t go into as much detail as my OPSEC guide goes, as there are
many things to keep in mind and I wouldn’t be able to fit everything into only one chapter, that’s
the reason I made a guide specifically for the purpose of explaining privacy and security. However,
I will give you a perfect setup in this tutorial.
First of all, I want to introduce you to the absolute best operating system available today when it
comes to security and privacy. It is called Qubes OS. This operating system allows us to run
isolated environments. It is basically a giant virtual box.
You can run different OSs in Qubes as different virtual machines. For example, we have a virtual
machine for the Whonix OS, another for Fedora, Debian, and those are only the VMs that come
pre-installed with the OS. You can install Kali Linux in Qubes, Windows, and all kinds of
different OSs. If one of these VMs ever get compromised, we are fine. We simply delete the VM and
create a new one. If you want to learn more about the Qubes OS, then navigate to the link below, it
is full of tutorials and even videos about the OS so you can get a good look at what we’ll be
Qubes has a very small compatibility range and so will not work with most computers unfortunately.
However, if you want to become truly a professional cyber-criminal, then I highly recommend you
invest in a new computer. Don’t be lazy or close-fisted with security, as that will lead to
problems and much headache
for you in the future, trust me on that. Below are the laptops I recommend, from best (most
expensive) to worst (cheapest). All of them work perfectly with the current Qubes 4.0. All of the
prices were taken from Amazon at the time of this writing, so keep in mind, you may get cheaper, or
LENOVO THINKPAD X1 CARBON STH GEN ($1845): This laptop is absolutely amazing, and if you have money
to buy it, then do it. It’s totally worth it, as it will last you for many years to come. This was
voted the best business laptop at CES 2018. The performance of this laptop is absolutely incredible
and will make your work incredibly smooth and easy. This is the laptop that I currently use and the
one I recommend to all my clients on top of every other one.
LENOVO THINKPAD T460P ($1350): Also works perfectly with Qubes 4.0 and the performance is amazing.
The one above is much better, but if you want to get this one instead and save some money, I’d say
LENOVO THINKPAD T450S ($530): This laptop is also very good, although the performance of the above
one is much better, this one does boast some impressive features. You can get it on Amazon for very
cheap. It comes with i7 processor, 8GB RAM, 256GB SSD (you may want to upgrade the SSD). I have
tested this computer with Qubes 4.0 and it also works perfectly and smooth.
LENOVO THINKPAD X23O ($235): This is a last resort type of laptop, and you should only get it if
you’re really low on money. The performance will be terrible, but definitely usable. Qubes 4.0
runs perfectly with it, and everything works exactly as it should, just really slow due to the old
processor and low memory. If you’re thinking of buying this laptop, keep in mind you will most
likely need to upgrade some of the components to make it run smoothly.
BEST QUBES SETUP FOR FRAUDULENT ACTIVITIES
Having a perfect setup for your fraudulent activities, is one of the most important aspects of
being successful in this business. If you have a bad setup, you will most
likely run into problems, and declined transactions on a daily basis. As I have explained
previously in this guide, Qubes OS is the absolute best operating system for our purposes, and is
the OS I use for my fraudulent activities, in fact it is THE ONLY ONE I use. Not only will Qubes
protect you to the maximum extent possible, to ensure that LE can’t successfully uncover your real
identity, but to websites, you will look like just another shopper looking for something expensive
to buy, which in turn will make us extremely successful. Below I will outline the perfect setup
for Qubes OS. All of the setup outlined below is explained in much more detail on my OPSEC guide,
so I would highly recommend you get that one as well.
• First, we will anonymize our MAC address by following this tutorial
(https://www.pubes-os.org/doc/anonymizing-your-mac-address/) for our NetVM.
• Once we have fully anonymized our MAC address, we will route our NetVM to the FirewaIIVM. From
there, we will route the traffic to the VPN VM.
• Now we need to setup our VPN VM to route all traffic to the VPN tunnel and restrict all non-VPN
connections with iptables rules. If you are running Qubes 4.0, please follow this tutorial
(https://github.com/tasket/Qubes-vpn- support). If you are on Qubes 3.2, follow this tutorial
(https://www.reddit.com/r/Qubes/comments/6h4ue2/guide setting up a vpn with mullvad on
qubes/). Feel free to send me a message if you run into any problems. Check everything is good and
that there are no leaks in your connection by navigating to whoer.net and dnsIeaktest.com and
conducting tests. Even with webRTC enabled, you should have 0 leaks because of the iptables rules.
• Once we have setup our VPN VM, we will create another VPN VM and route our traffic to the 2ⁿᵈ
VPN tunnel. This is extremely important, as it will add an amazing extra layer of security to your
setup. You should use 2 different VPN providers. The ones I recommend are respectively from best to
worst, NordVPN, TorGuard, and Mullvad. You should follow the same steps as the 1ˢᵗ VPN VM to
create the 2ⁿᵈ. Check everything is good and that there are no leaks in your connection by
navigating to whoer.net and dnsIeaktest.com and
conducting tests. Even with webRTC enabled, you should have 0 leaks because of the iptables rules.
• From the 2ⁿᵈ VPN VM, we will send our traffic to our Tor network VM (usually called
• In sys-whonix, we will edit the torrc configuration file and make sure we are using obfs4
bridges to connect to it. This will make much harder for anyone snooping on our traffic to see we
are using Tor (although I seriously doubt anyone would be able to do so if you followed the steps
above correctly). You can do that by following this tutorial (https://www.whonix.org/wiki/Bridges).
• Now that we have our network completely set up, we will move on to actually connecting to our
RDP to conduct our work. To do that, simply create a new AppVM, name it whatever you so wish, use
the Template WHONIX-WS for it, give it network access through sys-whonix, and open a new Terminal
on it. Once you have done that, run the following command on that Terminal: sudo apt-get install
• That command will install a program called “remmina” which will enable us to connect to our
RDPs anonymously with the Tor network.
• For the RDP, I recommend you purchase a Windows 7 one from xDedic (if you don’t have an account
there, send me a message and I will sell you an RDP from there, or you can also purchase an invite
to the website from me if you so prefer, that way you won’t rely on me or anyone else to purchase
your RDPs, you can simply login the website and purchase them yourself). xDedic is the best website
for RDPs, and the reason for that is because they sell clean hacked RDPs, that belong to an actual
real person, with a real digital fingerprint, and with a real IP/real location. The reason we want
this is so that the website we are conducting our work in, doesn’t realize we are a fraudster and
declines our transaction. I prefer not to use Socks5 as they are far from being reliable as RDPs
are, and PLEASE, do not use a Socks5 in
conjunction with one of these RDPs, as that would be dumb, and will mess up your entire setup.
• Once you have all of this setup, all you need to do is pick a website that you want to card,
get a CVV close to the zip code of your RDP (some websites will
decline your transaction if you are placing an order too far away from the CVVs billing/shipping
address) and work your magic! This “magic” will vary from website to website, and one thing you
need to keep in mind is that most websites will require you to call the card holder’s bank using a
burner spoofed to the card holder’s number to change his billing address. The reason for that is
because as mentioned previously, websites in Canada, United States and United Kingdom, all have AVS
systems in place that will check your billing address with the card holder’s bank. If you use a
shipping address that differs from the billing address, especially a shipping address too far from
the card holder’s address, you will get a declined transaction. You could still get approved if the
shipping address you are using is not too far from the card holder’s billing address (anything
30-50 miles away is already too much), but it’s always better to call the bank and do a change of
• If you are purchasing anything above $600 dollars, chances are you will need to conduct a what
is known as an ATO on the card holder’s account. ATO stands for Account-Take-Over. This is a
process in which you will call the bank, change the card holder’s phone number, then wait 5-7 days
and call again to change his billing address, you can also add a temporary address if you prefer,
which is much better in my opinion (Bank of America doesn’t allow temporary addresses
unfortunately, Chase is the best one for this). The reason for this is because most websites will
require you to put the card holder’s billing phone number on check out and for orders above $600,
they will call the card holder to confirm the transaction. Not to mention that the bank may find
all of this very suspicious, especially if the card holder hasn’t done a purchase as big as that in
months and will ring them to confirm. And, there is also the possibility of the card holder having
what is known as “text updates/alerts” for charges that big on his account. All of those things may
lead to declined transaction, and a burnt card.
• I also recommend you use a .edu, .org or .gov email with the card holder’s name, to conduct
such high value fraudulent transactions. This will significantly lower your fraud score and will
help you a lot in getting approved.
• Make sure you act like a real shopper. Wait 2-3 days before purchasing and during that
meantime, put products in your cart, look around the website, make it look LEGIT. Make it look like
you care about how much you’re spending, because people do care about that. If you register an
account, and then right off the bat purchase a laptop worth $1500, you can’t expect to be approved.
I will further explain in detail all of this in this guide.
WINDOWS & MAC OS X VIRTUALBOX SETUP
I realize most people will not go as far as the setup above requires them. And although that is
very unfortunate, it is a fact that I can’t neglect. Below I will outline a good, but much more
unsuccessful and unsafe setup. Unfortunately, OS X and Windows, are both closed-source operating
systems, and particularly Windows, is full of zero-day exploits and vulnerabilities that are
easily exploitable by law enforcement officials. Not to mention these OSs are full of NSA/FBI/CIA
backdoors and are just not safe from a privacy standpoint, proceed with caution and most
importantly, ATTENTION to detail. Do not skip any steps.
Now, when it comes to the Virtual Box setup, what you need to do is first of all, download Virtual
Box obviously (https://www.virtuaIbox.org/wiki/Downloads), then download VeraCrypt
(https://www.veracrypt.fr/en/Downloads.html) and create a hidden encrypted volume with at least
30GB of space, then mount that hidden encrypted volume. Then, download WinISO
(http://www.winiso.com/download.html), and google “WinISO serial number” so that you are able to
complete the next step. Next, download MagiclSO (http://www.magiciso.com/download.htm), get a .iso
of Windows 7 and burn it into a bootable media on a blank CD using WinISO. Then mount the .iso into
the virtual drive using MagiclSO.
Then, create a new virtual machine on Virtual Box and name it whatever you so wish. Go to settings
and on “System” use at least 2GB RAM for the base memory. On boot order use HDD and CD/DVD. Then,
go to storage and add your virtual drive letter where you mounted the .iso on Controller:IDE. On
NAT and refresh the MAC address (refresh every single time you boot the Machine). Then, install
Windows 7 on the virtual machine.
Once you have done all that, move the .vdi files into the hidden encrypted VeraCrypt volume. Then,
on the Windows 7 virtual machine install TMAC to change the MAC address every time you connect to
the internet (https://technitium.com/tmac/), CCleaner, and Bleachbit to clean your cookies and
Then every time you start the machine, go to the Windows 7 CMD, and type these commands:
ipconfig /reIease ipconfig /renew ipconfig /fIushdns
Once you have completed all these steps, download the VPN of your choice and install it on your
newly created virtual machine. You can also get another VPN and install it on your main OS, that
way you have 2 VPNs for added security. I recommend 2 different providers, and make sure you use an
anonymous email that can’t be traced back to you, and only pay with clean BTCs.
From that virtual machine, connect to an RDP by going to the Start menu and typing “Remote Desktop”
in the search box. When “Remote Desktop Connection” appears in the search results, click on it.
Next, enter the IP address of the target computer and press connect. Enter the login credentials,
click OK and you should be inside the RDP.
Now that you have your OPSEC set up, I will teach you about how to card successfully.
As I have mentioned previously in the fraud dictionary section of this guide, virtual carding is
the process of purchasing physical or digital goods online using someone else’s credit/debit card
details. However, there is A LOT more to it. You can’t simply get someone’s CVV details and go on a
shopping spree, that will not work and will only lead to burnt cards & declined transactions.
There are many things you need to keep in mind and in this chapter I will go into detail on how
exactly all of it works.
The main goal of a carder, is to cheat websites into thinking he’s the legit owner of a CVV. This
is the most important aspect of carding, because if you can’t do that, nothing else will work. To
be able to cheat the website, there are a couple of things we need to keep in mind.
• We need to use an extra clean hacked residential Windows 7 RDP (available on xDedic, again, if
you don’t have an account there just send me a message and we can work something out). Windows 7 is
the 2ⁿᵈ most used operating system in existence today, right behind Windows 10 so that is why we
are using it. We want to appear as generic as possible to the website, and never appear to be a
“unique” user as that will raise our fraud score. A RESIDENTIAL RDP is essential, because it
already has a digital fingerprint from a legit user, which will tell the website that we are a real
person, from a real location, with a real computer, and not a fraudster using a proxy server in a
• We should either use Firefox or Chrome for fraudulent transactions inside of our hacked RDP.
The reason for that is because again, we want to appear as generic as possible to the website, and
those browsers are currently the most used browsers in existence. It is important to note that no
changes should be done to those browsers, and no addons should be installed, you should use them AS
THEY ARE BY DEFAULT.
• With Firefox or Chrome inside of your RDP, navigate to dnsIeaktest.com and ipIeak.net, then
conduct tests to see if your real location is leaking. Then navigate to whoer.net and check your
anonymity score, it should be 1000/. Sometimes it won’t be because of the time-zone difference
between your IP location and the system time, if that happens then simply change the system time to
match your IP location, and do a re-test, it should then say 100% in your score. You should do this
every time you wish to conduct a fraudulent transaction.
• Now we get a CVV that is close to the CITY and STATE that our RDP is located in. Example, if we
have an RDP located in MIAMI FL, we want a CVV from MIAMI FL. The level of the CVV you need to get
will depend much on the value of the transaction that you want to conduct. A card that would be
used to purchase movie tickets/food delivery online, is not the same card you would use to
purchase a $1000 laptop. However, a card that can be used to purchase a $1000 laptop, would easily
approve a small movie ticket/food delivery purchase transaction, but you would never use a card
like that for such purposes unless you don’t know what you’re doing.
• If you are carding something worth $500 or more, you will need to get a free
.edu email registered in the name of the CVV holder by navigating to the website
http://home.cccappIy.org and selecting Cuesta College from the drop-down menu (this changes from
time to time so Cuesta may not work for you, if it doesn’t just try other colleges and one of them
should eventually work). From there you apply to the college, and for the Social Security Number
(SSN) you navigate to http://fakenamegenerator.com/, select MALE/FEMALE and then hit GENERATE.
This will generate a new identity, from that you just need the SSN which will look something like
XXXX. Just substitute the xxxx for any numbers and that should do fine. Fill out all the rest with
the fake info (phone, address, etc…), just provide the correct sex. If you have his SSN, then you
can use that as well and it will be a HUGE plus. For the email, you can use disroot.org, navigate
to their website, create a new account with the CVV holder’s name and use it for registering for
the college. You will soon receive on that email your newly created @.my.smccd.edu email address
• If the .edu email method doesn’t seem to be working for you, then you can simply card a domain
with ipage.com and use a .org email that the domain provider will let you generate. You can also
generate as many .org emails as you wish with your domain, just make the domain name something
legit such as https://nmnenterprises.org or https://pierceandassociates.com/. To card the domain,
follow the same steps outlined above and register with the domain provider with a yahoo email in
the name of the CVV holder.
• Once you got the email ready, then you are finally ready to conduct the fraudulent transaction.
Navigate to the website you want to card. If you are carding something worth $200 or more, then you
should first create an account on the website using the .edu/.org email, browse the website to look
like a real buyer, wait 2 days and browse the website during those 2 days for at least 30-40 min
looking at products, putting stuff in your cart, etc… After you have done that, you can go ahead
and proceed with the transaction.
• Keep in mind that as I mentioned previously, some websites will not accept transactions in
which the billing and shipping addresses are too far away from each other (30 miles is already too
much). If you get a card with a billing address less than 30 miles from your drop address, then you
are very very lucky and you can proceed. If not, you will need to call the bank using a spoofed
burner number (spoof to the CVV holder’s number) and ask them to add a temporary shipping
address/add an additional billing address to the account. They should be able to do that for you,
unless it’s Bank of America, I’ve run into problems before doing that with BoA. They will require
you to change the billing address entirely.
• For the burner phone, it is entirely up to you to either purchase a phone for
$40 dollars at somewhere like WaI-Mart or go to Amazon and purchase a phone like this
(https://www.amazon.com/Phone-4-5mm-Ultra-Pocket- Black/dp/B00JN82EFO) which you can use for a
month, and destroy it completely when done with carding for a few websites/CVVs. For the SIM card,
you can go to T-Mobile and ask them for the $30 monthly plan (make sure you show them your phone so
that they give you the right SIM card and ALWAYS pay with cash, you can even go a step further and
use a hoodie when going to the store to mitigate the threat of cameras).
• To spoof your phone number, you can use the service https://www.spoofmyphone.com/ they allow
you to pay with BTC and are very reliable.
• Before buying your RDP, ALWAYS check its PROXY, RISK, and FRAUD score. You can check all of
that through the xDedic website (if you don’t have an account there contact me and we can work
There are a lot of websites nowadays on the web that will sell you stolen CVV. However, the
problem with these websites is that they will most of the time, sell you CVVs that are either dead,
or that are complete shit. I know this from my own personal experience with these websites, so I
have completely given up on them. The only one I can currently recommend under good conscience is
Benumb (https://benumb.store), however, the registration to it is closed at the moment, and I have
spoken to the owner, he is not currently selling registrations, but will very soon for 200-300
dollars (that money will be added to your balance on the website). So, if you want to purchase the
registration, keep checking the website.
I am an experienced hacker, and I have taken advantage of flaws in website security systems many
times to hack their databases. With that said, I currently have in my possession over 70k CVV and
over 50k dumps for sale from different online databases. I check my CVVs for validity every single
time before sending them out to my buyers, so you can be safe you will get valid cards from me.
To check out the balance of a card and check its validity, you can simply call the bank to which
the card belongs to using your burner phone. Let’s say it’s Chase, you call Chase bank and use the
automated prompt by typing your CVV number and its zip code. From there the automated prompt will
tell you the balance of the card, its credit access line, amount in pending transaction
authorizations, and recent transactions. You should take note of the 8 most recent transactions in
case you need it. It is also good to know the CVV holder’s spending patterns so we can mimic it.
This will make things look much less suspicious to the bank.
When it comes to carding, there are 3 different levels to it. They are each outlined and explained
LEVEL 1 CARDING: This is the entry point for most carders, it includes such things as ordering
pizza, movie tickets, and small purchases below $50. This is considered very easy carding and you
will usually just require the CVV details, along with the full billing address of the CVV.
LEVEL 2 CARDING: This would be intermediate carding, and includes such things as carding
background reports, credit reports, or physical products with a value below $200. For this you
will require the same details as LEVEL 1 CARDING. However, it will vary depending on the website
you are carding. Different websites have different security measures in place to curb fraudulent
transactions and will require specific strategies.
LEVEL 3 CARDING: This is advanced carding, and not recommended for beginners. Things that fall
under this category are for example, high value physical products above $400 in value, and
everything on high security websites such as Amazon, Newegg, TigerDirect, etc… All of these
websites will require you to perform an ATO (Account-Take-Over) on the CVV holder’s account. This
will require you to have the CVV details, full billing address, along with the victim’s DOB, MMN,
SSN, and background report. For this it is always good to get as much information as you can on the
victim, as we will have to call the bank and perform changes in the holder’s account to take over.
This will be explained in much detail further in this guide.
As mentioned previously in this guide, different cards are used for different purposes. You would
never use a Signature Visa, with a credit access line of
$30,000 to card movie tickets or pizza. Below I will outline all the card levels in existence
today. It is important to mention, that for high value purchases you should ALWAYS look for CREDIT
CARDS. Debit Cards are not good for making these high value purchases online. However, they could
still have many uses such as purchasing background reports, credit reports, and all purchases below
CLASSIC — Classic cards are recognized and accepted by a large number of merchants all over the
world, including the Internet. This card is usually used by students, young couples, or people
trying to establish credit. The limits of these cards are usually around $1000.
GOLD — A premium card used by people around the world. With higher spending limits and greater
purchasing power, the Visa Gold card is the choice of consumers who want more from their cards.
Average limit of this type of card is $3000.
PLATINUM — Platinum is one of the best cards around. Average limit could be around $8000.
BUSINESS — Very high limits, often around $15,000
CORPORATE — This is used by large corporations. The limits are usually around
$15,000 as well.
SIGNATURE — The 2ⁿᵈ best card around. I’ve gotten many signature cards with a limit of $30,000.
PREMIER — Same as Signature. Limits are usually $30,000.
INFINITE — This is the absolutely best card around. However, it is incredibly hard to find. If you
do manage to get your hands on one of these, you are very lucky. There are usually no limits to
It is important to note that all these numbers are subject to change depending on the subject’s
credit score, history, and spending pattern.