Cancel your old credit cards and buy stolen ones
— before all 40 million are gone!

February 9, 2014 — updated July 12, 2014
See also: Carders love Cloudflare
On January 29, Attorney General Eric Holder told the Senate Judiciary Committee that
the Justice Department will try to find not only the perpetrators of the Target breach,
but also "any individuals and groups who exploit that data via credit card fraud."


Mr. Holder, why not tell CrimeFlare to pull the plug on these domains?
Is your boss afraid of Silicon Valley?
Half of the domains below (.org, .biz, .info, .net, .com) are under minimal control by ICANN. A registrar that handles registrations for these domains must provide contact information for abuse complaints. ICANN says (Section 3.18.2): "Well-founded reports of Illegal Activity submitted to these contacts must be reviewed within 24 hours by an individual who is empowered by Registrar to take necessary and appropriate actions in response to the report."

Since the sale of stolen credit-card data is a violation of criminal law, and the sites below openly sell this data, it should be a simple matter to notify the ICANN-accredited registrar for these domains and get them disabled. But the registrar in this case is Webnic.cc in Malaysia. Their response is that they are trying to contact their reseller to find out what's going on. It has been more than a month so far, and they have done nothing.

Then we went to the three registries that handle .org, .biz, and .info. A registry, as opposed to a registrar, controls the actual root DNS servers for their domain. These three have their own abuse policies, and they responded by placing these domains on hold. A fourth registry, Verisign, handles .net and .com, but their senior corporate counsel, James Hubler, refused to take any action. At that point we again complained to Webnic.cc about ten of the .net and .com domains shown below. They suspended them, by which time we had uncovered another dozen at a different registrar.

The remaining half of the domains shown below are almost all .su and .ru. As far as we can tell, there is no way to complain about those. Of course, CloudFlare could disconnect from everything on this page in a heartbeat. Their partner for SSL, GlobalSign, did respond to our complaints back in December. But CloudFlare itself doesn't even bother to answer abuse complaints. They believe in something called "Internet freedom," which apparently includes the freedom to break criminal laws and screw over other people.


*   Footnote   *

When curl is pointed directly at the IP address 109.68.191.127 and the domain name is supplied with the -H "Host:" option, the request bypasses CloudFlare. The domains that handle nearly all of Rescator's traffic are octavian.su, rescator.so, kaddafi.hk, and cheapdumps.so. Even cheapdumps.org, another Rescator domain, responds on this IP address when you don't use DNS (the registry disabled it in January). This address was discovered accidentally on February 27 when rescator.so briefly disabled CloudFlare and we happened by at the right time. The server at this address is probably another pass-through proxy, but the owner of that address block might have a record of who is using it.

UPDATE 2014-04-23: The 109.68.191.127 address was checked daily after it was discovered, and it worked every day until April 22. That's when direct access attempts began timing out, although the sites themselves are still up. Either Rescator is using a different IP address on the same server, or he changed to a different server or different provider, or he is blocking all non-CloudFlare IP addresses that try to access his server directly.

UPDATE 2014-06-03: Rescator's cheapdumps.so and kaddafi.hk are now parked at 109.201.133.168 and 109.201.133.193 in the Netherlands. Both redirect to octavian.su, which remains hidden behind CloudFlare, while these two parked domains are now using nameservers at cloudns.net.





Public Information Research