B1ack’s Stash Releases 4.6 Million Stolen Credit Cards in Punitive Dark Web Move
On May 19, 2026, the dark web marketplace B1ack’s Stash released 4.6 million stolen credit card records for free not due to a breach, but as a deliberate punishment against resellers violating its rules by offloading inventory on rival platforms. The move flooded the market with compromised data, devaluing resellers’ stock while boosting the marketplace’s own visibility among cybercriminals.
Operational since at least 2023, B1ack’s Stash has become a major hub for stolen payment card data. The 4.6 million records included full card details numbers, CVV2 codes, expiration dates as well as cardholder names, billing addresses, emails, phone numbers, and IP addresses. This level of detail enables fraud beyond basic card-not-present transactions, including phishing, unauthorized credit applications, and account takeovers.
Of the released records, 4.3 million were deemed usable, with 70% tied to U.S. cardholders. Canada, the U.K., France, and Malaysia accounted for the next largest shares. The dump follows a tactic previously used by other dark web markets, such as BidenCash, which released free card data in 2022 and 2023 to attract users.
The release is expected to trigger a surge in fraud attempts, as criminals exploit the zero-cost inventory. Financial institutions, particularly in the U.S., face heightened exposure as the data circulates across criminal forums.
Source: https://dailysecurityreview.com/cyber-security/b1acks-stash-releases-4-6m-stolen-credit-cards-free/
B1ack’s Stash TPRM report: https://www.rankiteo.com/company/socradar
"id": "soc1779279938",
"linkid": "socradar",
"type": "Cyber Attack",
"date": "5/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'customers_affected': '3.22 million (70% of 4.6 '
'million)',
'industry': 'Finance',
'location': 'United States',
'name': 'U.S. Financial Institutions',
'type': 'Financial Institutions'},
{'industry': 'Finance',
'location': 'Canada',
'name': 'Canadian Financial Institutions',
'type': 'Financial Institutions'},
{'industry': 'Finance',
'location': 'United Kingdom',
'name': 'U.K. Financial Institutions',
'type': 'Financial Institutions'},
{'industry': 'Finance',
'location': 'France',
'name': 'French Financial Institutions',
'type': 'Financial Institutions'},
{'industry': 'Finance',
'location': 'Malaysia',
'name': 'Malaysian Financial Institutions',
'type': 'Financial Institutions'}],
'attack_vector': 'Dark Web Marketplace Release',
'data_breach': {'number_of_records_exposed': '4.6 million',
'personally_identifiable_information': 'Cardholder names, '
'billing addresses, '
'emails, phone '
'numbers, IP addresses',
'sensitivity_of_data': 'High',
'type_of_data_compromised': 'Credit card records, personally '
'identifiable information'},
'date_detected': '2026-05-19',
'date_publicly_disclosed': '2026-05-19',
'description': 'On May 19, 2026, the dark web marketplace *B1ack’s Stash* '
'released 4.6 million stolen credit card records for free as a '
'deliberate punishment against resellers violating its rules '
'by offloading inventory on rival platforms. The move flooded '
'the market with compromised data, devaluing resellers’ stock '
'while boosting the marketplace’s own visibility among '
'cybercriminals.',
'impact': {'data_compromised': '4.6 million credit card records',
'identity_theft_risk': 'High',
'operational_impact': 'Surge in fraud attempts',
'payment_information_risk': 'High'},
'initial_access_broker': {'data_sold_on_dark_web': 'Yes'},
'motivation': 'Punitive action against resellers, market visibility',
'post_incident_analysis': {'root_causes': 'Punitive action by dark web '
'marketplace against resellers'},
'references': [{'date_accessed': '2026-05-19',
'source': 'Dark Web Marketplace Announcement'}],
'threat_actor': 'B1ack’s Stash',
'title': 'B1ack’s Stash Releases 4.6 Million Stolen Credit Cards in Punitive '
'Dark Web Move',
'type': 'Data Breach'}