Scammers are selling 3.2 million payment records stolen from Indian cardholders

Researchers analyzed roughly 60 underground markets for payment-card data. All of them sold Indian card data.

Cybercriminals have reaped a healthy profit by buying and selling on the dark web financial information that belongs to cardholders in India, according to new research.

Underground forums contained 3.2 million records of stolen Indian card data last year, a 219 percent uptick from 2017, Gemini Advisory, a dark-web intelligence company, said Thursday. India now ranks third internationally when it comes to the number of stolen records for sale on the dark web, following the U.S. and U.K.

“Criminals continuously search for payment cards from specific banks that provide the highest return on investment, and largely spend money only when confident that they stand to make a profit,” researchers said in a report.

In the world’s second-most-populous country, fraudsters target online vendors that have weak cyberdefenses and offer access to a trove of card data. Many payment breaches go unreported in India, meaning banks are slow to stop cards from being used for fraudulent purposes, said Stas Alforov, Gemini Advisory’s director of research and development.


“Such a closed ecosystem presents plenty of opportunities for Indian cybercriminals seeking to defraud local banking customers,” Alforov told CyberScoop in an email.

The firm analyzed roughly 60 underground markets for payment card information. All of them sold data belonging to Indian cardholders, and half of that data had been purchased, according to Alforov.

The median price of the stolen card data in India jumped from roughly $7 in 2017 to $17 last year, Gemini Advisory found.

“The rising cost of Indian compromised payment cards and the demand for such cards suggests that criminals have identified multiple reliable ways of monetizing such data,” Alforov said.

Many of those affected by the fraud were in Indian metropolises like Hyderabad, Chennai, and Mumbai, according to the study. But financial cybercrime has also hit obscure towns like Jamtara in the country’s northeast which, according to The Hindu newspaper, has “emerged as one of the biggest hubs of cybercrime” in India.


Jobless youth have a knack for first stealing SIM cards and then using social engineering to dupe people into revealing their ATM card numbers, the paper reported.

The Reserve Bank of India has responded by requiring banks to issue ATM cards with EMV chips, which are more secure. That will make it a lot harder for fraudsters to exploit “card present” transactions – ones in which the user has physical access to the card, Gemini Advisory said. However, it was “card not present” transactions – when the user buys something online, for example – that accounted for more of the stolen card data in India last year.

More people in the U.S. and U.K. have had their payment card data stolen and posted for sale, according to the research, despite India being far more populous than those countries.

One reason for that is that cybercriminals have had their sights on the U.S. and U.K. for years, whereas India is a relatively new target, according to Alforov. But that is changing: the company expects India to surpass the U.K. next year to rank second in this category.


Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
