It’s Not Hard to Find Scammers Selling Credit Card Information on Major Social Media Sites

Platforms say that violates their rules, but some of the posts have lingered online for years.

Getty Images

Let our journalists help you make sense of the noise: Subscribe to the Mother Jones Daily newsletter and get a recap of news that matters.

Major technology companies have let their platforms become home to one of the earliest scourges of the internet—credit card based cybercrime.

In the wake of a recent Wired story which found over 70 Facebook groups created to sell stolen credit card information, Zach Allen, director of threat operations at ZeroFOX, a cybersecurity company, ran his own analysis targeting a variety of platforms, including YouTube, Reddit, Medium, and Github.

Allen told Mother Jones that he’d found dozens of instances of internet criminals appearing to be openly selling stolen credit card information on those platforms in just about 15 minutes, and was confident that with more time, he could have found many others. It wasn’t hard: Scammers frequently included common terms indicating fraudulent or stolen card information—like “credit card insider” and “carder”—in their usernames.

While credit card scammers often operate on harder to access parts of the internet, using mainstream platforms can help lower the barriers to entry to capture new business by providing a wider audience of people seeking to buy the numbers. It can even help scammers scam would be credit card scammers by taking money from customers and never actually coming through with credit card information.

Many of the posts Allen found were as recent as the last several months, however, some were posted within the last several years—some on Github appeared to have on the site since 2016 without being noticed.

“This is a large and persistent issue and much broader than just Facebook. Carders are marketing across the full range of ‘social’ platforms,” Allen wrote in a document accompanying his findings.

After being alerted to Allen’s findings by Mother Jones, the tech companies quickly responded, pointing to their existing rules barring the content.

Google immediately deleted most of the flagged examples, saying they violated terms of service. A spokesperson said in a statement that “YouTube has strict policies that prohibit the sale of many illegal or regulated goods, including stolen credit card information. We quickly remove videos violating our policies when flagged by our users.”

Reddit said in a statement that its “site-wide policies prohibit content that shares personal and confidential information, and this is inclusive of credit card information. Communities focused on this content and users who post such content will be banned from the site.”

Allen says the massive size of technology platforms and the vast amounts of information shared on them can make it difficult to address such cybercrime. “It’s easy to criticize, but when you see the swaths of data and scale of the problem they’re dealing with, you can see how difficult it is,” he said.

Still, If Allen was able to find such content with a search tool, ostensibly multibillion-dollar companies would be able to as well.

Cybercrime isn’t a new issue for the platforms, and while they’ve taken steps to curb it, egregious examples have still slipped through the cracks, suggesting that some companies might not have prioritized the issue enough. In August, for example, Motherboard found that Facebook had hosted stolen Social Security numbers and other sensitive, identifying information for years.


Headshot of Editor in Chief of Mother Jones, Clara Jeffery

It sure feels that way to me, and here at Mother Jones, we’ve been thinking a lot about what journalism needs to do differently, and how we can have the biggest impact.

We kept coming back to one word: corruption. Democracy and the rule of law being undermined by those with wealth and power for their own gain. So we're launching an ambitious Mother Jones Corruption Project to do deep, time-intensive reporting on systemic corruption, and asking the MoJo community to help crowdfund it.

We aim to hire, build a team, and give them the time and space needed to understand how we got here and how we might get out. We want to dig into the forces and decisions that have allowed massive conflicts of interest, influence peddling, and win-at-all-costs politics to flourish.

It's unlike anything we've done, and we have seed funding to get started, but we're looking to raise $500,000 from readers by July when we'll be making key budgeting decisions—and the more resources we have by then, the deeper we can dig. If our plan sounds good to you, please help kickstart it with a tax-deductible donation today.

Thanks for reading—whether or not you can pitch in today, or ever, I'm glad you're with us.

Signed by Clara Jeffery

Clara Jeffery, Editor-in-Chief

payment methods

We Recommend