Intro to Criminal Infrastructure
Understanding the underground fraud economy: dark web markets, criminal tools, and how fraud operations are organized
By Benjamin, Fraud Attacks · Updated
Criminal infrastructure refers to the marketplaces, tools, and specialists that enable modern fraud at scale. Card vendors, tool makers, money launderers, and cash-out crews each handle one part of an operation, then sell their output to the next link in the chain. This article walks through how the ecosystem works, who plays which role, and why shutting down individual actors rarely disrupts the system.
It started with a chargeback. Customer in Ohio claimed she never made a $47 purchase from an electronics retailer in Miami. Standard stuff.
Marcus pulled the transaction data. Shipping address was different from billing. Email domain looked strange. He flagged it and moved on.
A week later, a pattern emerged. Fourteen more chargebacks with the same characteristics. Different cards, different cardholders, but all shipping to addresses within a three-mile radius of each other. The email addresses followed a template: random words, underscore, two digits, all at the same obscure domain.
He started digging. The IP addresses traced to residential proxies. Device fingerprints showed virtual machines. Phone numbers used for verification were VoIP. Every piece of data that should have been unique was manufactured.
This wasn't fourteen separate fraudsters. This was one operation using fourteen stolen identities.
Somewhere out there was a marketplace that had sold them everything they needed: the card numbers, the personal information to pass verification, the tools to mask their location, and the network of addresses to receive the goods.
This story is fictional, but the patterns are real.
Why This Matters
In the previous articles, you learned about fraud types and how attacks work. But here's what most people miss: modern fraud isn't a solo act. It's a supply chain.
The person who steals your credit card number probably isn't the person who uses it. The hacker who breaches a database probably doesn't know how to cash out. The scammer on the phone probably bought their script from someone else.
Understanding this ecosystem matters because it explains why fraud keeps growing despite better security. When one operation gets shut down, the suppliers just find new customers. When one vulnerability gets patched, the toolmakers adapt. The infrastructure persists even as individual actors come and go.
The Criminal Marketplace Ecosystem
How do criminal markets work?
Criminal marketplaces operate like any e-commerce site. They have storefronts, product listings, customer reviews, escrow services, and even customer support.
In June 2025, U.S. authorities seized approximately 145 domains belonging to BidenCash, a marketplace that had been operating since 2022. The numbers tell the story of an organized business: over 117,000 customers, more than 15 million payment card numbers traded, and over $17 million in revenue.[1]
BidenCash wasn't unusual in its structure. It was unusual only in getting caught.
These markets typically offer:
| Category | What's Sold | How It's Used |
|---|---|---|
| Payment data | Stolen card numbers with CVV | Direct purchases or resale |
| Fullz | Complete identity packages (SSN, DOB, address) | Account opening, loan fraud |
| Account access | Login credentials, session tokens | Account takeover |
| Tools | Checkers, proxies, fake ID templates | Operational support |
| Services | Money laundering, cash-out crews | Monetization |
What does stolen data cost?
Pricing follows supply and demand, just like legitimate markets. A basic U.S. credit card number with CVV runs $10 to $40. Cards with high limits (over $5,000) fetch $110 to $120. Bank login credentials cost $200 to $1,000 or more, depending on the account balance.[2]
"Fullz" packages, which include name, Social Security number, date of birth, and sometimes a driver's license scan, sell for $20 to $100 or more. The more complete the package, the more fraud it enables.
Fresh data commands a premium. Immediately after a major breach, high-quality records sell at top prices. But the market floods quickly. Within weeks, those same records become a low-cost commodity as thousands of copies circulate.
The Specialization Economy
What makes criminal infrastructure so resilient is specialization. Each role in the supply chain focuses on what they do best.
Data suppliers harvest stolen credentials through breaches, phishing, skimming devices, or infostealer malware. They sell raw data in bulk.
Processors take raw data and enrich it. They run card numbers through "checkers" to verify which ones still work. They match partial records to build complete identity profiles. They package data for specific use cases.
Tool makers build the technology. Proxy networks that mask location. Virtual machine configurations that evade device fingerprinting. Bots that automate account creation. Templates for fake identity documents.
Operators execute the fraud. Some specialize in card-not-present purchases. Others run social engineering campaigns. Some coordinate networks of money mules to move funds.
Cash-out specialists turn stolen value into spendable money. This might involve purchasing gift cards, buying and reselling merchandise, converting cryptocurrency, or running funds through shell companies.
No single person needs to master every skill. The marketplace connects specialists, each taking a cut of the final profit.
How do fraudsters move stolen money?
Getting money out is often the hardest part. Stolen card numbers are worthless if you can't convert them to cash.
Common cash-out methods include:
Reshipping networks: Operators purchase goods with stolen cards and ship them to "drops," addresses controlled by money mules who forward packages overseas. The mules often don't know they're participating in fraud.
Gift card laundering: Purchase gift cards online, sell them on secondary markets at a discount. The buyer gets a bargain; the seller converts stolen payment credentials into untraceable cash.
Cryptocurrency mixing: Convert stolen funds to cryptocurrency, run them through "mixers" or "tumblers" that blend transactions to obscure the source, then cash out through exchanges with weak verification.
High-risk merchant accounts: Some merchants knowingly or unknowingly process fraudulent transactions. The funds settle to a bank account before chargebacks arrive, then disappear.
Reconstructing these flows is its own discipline. See Money Movement Investigation for the techniques investigators use to trace stolen funds back through mules, mixers, and shell accounts.
The Role of Platforms
Until recently, criminal marketplaces operated primarily on the dark web, requiring specialized software to access. That's changing.
Telegram has become a major hub for fraud services. Channels advertise stolen data, hacking services, and fraud tools. The platform's perceived privacy and ease of use make it attractive, though Telegram has stepped up enforcement in response to pressure.
Huione Guarantee, operating under a Cambodian financial conglomerate, aggregates Telegram channels offering everything from stolen personal data to money laundering services and deepfake tools.[3] Cambodia's National Bank revoked its banking license in March 2025 following international pressure.
The platforms shift, but the infrastructure adapts. When one channel gets shut down, operators move to another. When one marketplace gets seized, competitors absorb its customer base.
How big is the fraud economy?
The FBI's Internet Crime Complaint Center reported $16.6 billion in cybercrime losses in 2024, with fraud accounting for $13.7 billion of that total.[4] Cryptocurrency-related fraud alone reached $9.3 billion, a 66% increase from 2023.
These numbers only capture reported losses in the United States. Global estimates are harder to pin down, but industry reports suggest fraud costs exceed $1 trillion annually.
The scale explains why the infrastructure persists. With that much money flowing, there's enormous incentive to innovate, specialize, and professionalize.
Key Takeaways
- Fraud operates as a supply chain with specialized roles: data suppliers, tool makers, operators, and cash-out specialists
- Criminal marketplaces function like legitimate e-commerce, with storefronts, reviews, escrow, and support
- Stolen data pricing follows supply and demand; fresh data commands premiums while breached records become commodities
- The infrastructure's resilience comes from specialization; shutting down one actor doesn't disrupt the supply chain
- Platforms shift from dark web to Telegram to gray-market hubs, but the underlying economy adapts
Key Terms
| Term | Definition |
|---|---|
| Carding | Using stolen payment card data for unauthorized purchases |
| Fullz | Complete identity package including name, SSN, DOB, and often more |
| Checker | Tool that tests stolen card numbers to verify which are still active |
| Drop | Address used to receive goods purchased with stolen credentials |
| Money mule | Person who moves fraudulent funds, often unknowingly |
| Escrow | Third-party service holding payment until buyer confirms goods |
| Mixer/Tumbler | Service that blends cryptocurrency transactions to obscure origins |
| Proxy | Server that masks the user's real IP address and location |
| Infostealer | Malware that harvests credentials and personal data from infected devices |
| Cash-out | Converting stolen value (cards, credentials, access) into spendable money |
References
1. BleepingComputer: BidenCash carding market domains seized in international operation↗ (June 2025)
2. DeepStrike: Dark Web Data Pricing 2025↗
3. Recorded Future: How Huione Marketplace Fuels Global Cyber Fraud↗
Test Your Knowledge
Ready to test what you've learned? Take the quiz to reinforce your understanding.
Continue learning
- Fraud BasicsFraud 101: What Is Fraud?Absolute basics for someone who has never looked at fraud: what is fraud, how is it different from other crimes, and why does it matter
- Fraud BasicsCommon Fraud Types Every Analyst Should KnowThe most frequent fraud types you will encounter as a fraud analyst: identity theft, payment fraud, account takeover, and business fraud
- Fraud BasicsSQL Crash Course for Fraud AnalystsEssential SQL skills for investigating fraud cases: learn to query transaction data, analyze patterns, and gather evidence
- More from Money Movement & Transaction FraudPayment Systems 101: How Money Really MovesEssential foundation for understanding how ACH, wire transfers, card payments, and digital payments actually work - and why criminals target them
- More from Account TakeoverATO FundamentalsEssential foundation every fraud professional needs to know about account takeover attacks
- More from Social EngineeringSocial Engineering FundamentalsThe psychology of manipulation and how attackers exploit human trust