What are Card Cracking & Carding? How to Prevent Them Effectively
Card cracking—also known as “card testing” and related to “carding”—is a type of brute force attack that involves using bots to guess missing values for stolen credit or debit card data on the payment interface of an e-commerce platform. If all card data is present, bots can test whether stolen payment details are valid by attempting small transactions. As a result, a lack of brute force attack prevention can lead to disaster.
Fraud is a prevalent issue in e-commerce. And today’s fraudsters rarely work alone: the majority of threats to your checkout endpoint are now coming from powerful networks of automated attackers—bots.
Both carding and card cracking are common examples of bot-driven card fraud. Cybercriminals use credit card bots to test stolen card data against your payment processes, either to identify valid card details or to find the missing values of stolen payment card information, and then commit carding fraud with the results.
In this article, we explore how automated card cracking and carding attacks unfold, what the most common defense strategies are, and how you can prevent these attacks with a real-time bot protection solution.
Key takeaways
- Card cracking is a brute force attack where bots guess missing values for stolen credit or debit card data, such as expiration dates and CVV codes on e-commerce payment interfaces.
- Carding attacks use bots to test complete sets of stolen card data through small transactions to verify which cards are valid and have available funds.
- Carding and card cracking cause financial damage through payment authentication fees, high server resource consumption, customer complaints, and severe reputational harm to brands.
- Traditional IP-based security approaches are no longer effective because threat actors now use residential proxies and bots-as-a-service platforms that make malicious requests appear legitimate.
- DataDome’s 2025 Global Bot Security Report found that 61.2% of websites are fully unprotected against simple bot attacks, leaving their payment endpoints exposed to carding, credential stuffing, fake account creation, and more.
What is card cracking?
Card cracking (OAT-010), also known as “card testing”, is a type of brute force attack against the payment interface of e-commerce websites. Hackers use this method to guess missing values for stolen credit or debit card data, such as the expiration date, the card security code (CSC), and the card identification number (CID).
Once they have identified valid cards, fraudsters either sell the compromised payment account details through carding sites on the dark web, or cash out themselves.
What is carding?
In carding attacks (OAT-001), cybercriminals use bots to test the validity of stolen card data, often with small transactions to avoid drawing attention. A card testing attack enables a credit card bot to test large numbers of cards within a short time span. The method is used to test not only payment cards, but also gift cards and vouchers.
The impact of carding & card cracking attacks:
- The value of fraudulent credit card transactions will reach $38.5 billion in 2027, according to Statista.
- According to the FTC, credit card fraud reports are on the rise, reaching 449,076 complaints in 2024.
- After a customer experiences card fraud at a retailer, 49% say they won’t return.
Typically, card cracking and carding attacks increase around main shopping holidays like Black Friday, in the hope that businesses and their systems will be too overwhelmed to identify unusual traffic and transaction activity.
They’ve grown in popularity since the early 2000s, enabled by the spread of online carding forums and markets. The current landscape is dominated by Russian and Chinese carding websites and forums, which are usually invitation-only and run by organizers skilled at identifying intelligence agents or security researchers.
Technology has evolved to make these criminals’ lives easier, too; the emergence of bots as a service (BaaS) provides on-demand bot armies that can be deployed easily to execute carding attacks at scale. Proxy services, too, allow them to launch attacks from customized IP ranges, giving them the appearance of legitimacy. Generative AI has also accelerated this threat curve, with carding models identifying which transaction patterns bypass scoring systems in real time.
These services are becoming more widespread and easily available each year. This is precisely why intent-based detection has become essential—analyzing what users do, not just where they come from, to stop fraud before it impacts your business.
How card cracking & carding impact e-commerce
Card cracking and carding have a number of undesirable consequences for e-commerce retailers.
Payment authentication fees
Card cracking and carding can increase payment authorization requests, meaning you’ll incur your payment processor’s authentication fee even when tested card numbers are invalid. Transaction fees can also be raised if your processor considers you “high risk”, and they might even stop processing payments completely until the situation is resolved. If you are using two-factor SMS authentication, it will further increase costs.
One online fashion retailer we worked with observed 8,400 carding attempts in just two days.
Customer complaints
Customers suffer when their stolen card details are used to make purchases, and complaints make their way to other customers and your business.
High server resource & bandwidth consumption
Credit and debit cards are not the only target: the anonymity of gift cards makes them the perfect target for carding and card cracking. Bots can test large volumes of serial numbers across your systems, increasing server load and bandwidth costs and causing a poor customer experience if they lead to performance issues.
Reputational damage
The many consequences of carding and card cracking can cause chaos for your company; your resources will be spent mending fences with payment processors, hosting services, and customers. If attacks are not identified and dealt with promptly, your business could face significant reputational damage, pulling your focus away from the creative business opportunities you’d rather be tackling.
How do card cracking attacks work?
Card cracking attacks follow roughly this process:
- Stolen partial cardholder data & brute forcing: Once fraudsters have obtained partial payment card numbers, they attempt to find the missing values, such as the expiration date, through the use of automated brute-force card cracking tools that test different variables for the missing values to obtain the complete data set.
- Card payment process: Threat actors target merchant payment processes to continuously brute force test potential solutions for unknown payment card values.
- Complete cardholder data: If successful, the cybercriminals identify full sets of valid cardholder data to use for malicious activity or sell online.

Figure 1: OWASP, OAT-010 Card Cracking Automated Bot Attack Process
How do carding attacks work?
Carding attacks follow this process:
- Stolen payment cardholder data: Threat actors obtain complete sets of stolen payment card details from other applications, payment channels, or the dark web.
- Card payment process: The lists of complete payment account details are used to make test purchases against e-commerce sites to validate the card details. The test purchases can start small and grow more substantial to determine the available balance.
- Validated cardholder data: If successful, fraudsters can verify both the card details and the quality of the stolen account information to determine the value.

Figure 2: OWASP, OAT-001 Carding Automated Bot Attack Process
How to detect and prevent carding & card cracking attacks
1. Monitor high volumes of small orders
A frequent sign of a carding attack is high volumes of small order amounts. Fraudsters use their credit card bots to try to buy services or goods that aren’t expensive with different credit card details. If an order succeeds, the fraudster will only be charged a small amount of money. So always keep an eye on unusual spikes in attempted low-priced purchases.
2. Monitor orders where the shipping costs are high
Similarly, monitor small orders from overseas where shipping costs exceed the product price. Someone with good intentions rarely wants to pay more for shipping than for the product itself. Even in small volumes, such orders are worth investigating.
3. Ensure the IP matches the billing address
Use IP geolocation checks to ensure a user’s IP matches their billing address on the checkout page. If not, the user could be shopping from somewhere other than the address on their credit card. While not immediately an indicator of fraud, as many users browse through a VPN for more privacy, it can be used in combination with the other tips in this article to determine if it is a carding attack.
4. Build a customer block list
Any individual who is a known fraud offender should be put on a block list and no longer be able to shop at your online stores. A zero-tolerance policy will remove the people who tried to attack your store and serve as a warning for anyone else thinking of launching a card cracking attack.
5. Authorize cards
Authorization and capture is a mechanism that allows you to first authorize a user’s credit card, checking that the card’s details are valid and that the card has enough funds, before you take payment. This allows you to review any suspicious transactions that could have been made during a carding attack before payment goes through.
6. Check the purchasing speed
Always keep an eye on how fast a user is trying to buy your goods or services. Genuine users don’t usually make several transactions a minute, but a credit card bot can make several transactions per second. Monitor the velocity of your transactions however works best for you: by dollar amount, IP address, billing address, device used, etc.
7. Use AVS and CVV
Address Verification System (AVS) and Card Verification Value (CVV) are two simple features that confirm the address given for a card and the three-digit CVV on the back of the card are consistent with what the issuing bank has on record. Use these features in your payment gateway to make it much harder for fraudsters to execute carding attacks.
8. Use automated fraud prevention and bot protection tools
Traditional security solutions tend to rely heavily on IP reputation, based on the assumption that any malicious activity from an IP address means that all activity from that IP is likely to be hostile. Today, threat actors distribute bots via residential IPs, which benefit from excellent reputations. The requests they send are often indistinguishable from those generated by ordinary users. IP-based approaches are, therefore, no longer effective.
To prevent online fraud, plus other automated bot attacks, a bot protection solution with real-time behavioral detection capabilities is crucial.
An intent-based bot and agent trust management platform analyzes thousands of behavioral signals in real time to detect card cracking and carding attempts with high accuracy. DataDome’s multi-layered detection engine delivers a false positive rate under 0.01%, blocking bad bots and malicious AI agents before they execute fraudulent transactions, without disrupting genuine users.
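The monitoring tips above (high volumes of small orders, shipping costs above the product price, purchasing speed) and the two attack patterns described earlier can be expressed as windowed counters over checkout attempts. The sketch below is an added example, not DataDome's code; the field names, thresholds and sample events are assumptions constructed for illustration, and `client` stands for whatever key you track velocity by (device, IP address, billing address).

```python
from collections import defaultdict

# Thresholds are illustrative assumptions; tune them to your own baseline.
WINDOW_S = 60             # sliding window, seconds
MAX_CARDS_PER_CLIENT = 3  # distinct cards one client may try per window
MAX_FAILS_PER_CARD = 3    # declines tolerated on one card per window
SMALL_ORDER = 5.00        # amounts at or below this count as "small"

def peak_per_key(events, key, distinct_field=None):
    """Group events by `key`, slide a WINDOW_S window over each group, and
    return the peak count per key (distinct `distinct_field` values if set)."""
    groups = defaultdict(list)
    for e in events:
        groups[e[key]].append(e)
    peaks = {}
    for k, evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        start = peak = 0
        for end, e in enumerate(evs):
            while e["ts"] - evs[start]["ts"] > WINDOW_S:
                start += 1
            win = evs[start:end + 1]
            n = len({x[distinct_field] for x in win}) if distinct_field else len(win)
            peak = max(peak, n)
        peaks[k] = peak
    return peaks

def analyze(attempts):
    """Flag carding clients, cards being cracked, and shipping > price orders."""
    small = [a for a in attempts if a["amount"] <= SMALL_ORDER]
    failed = [a for a in attempts if not a["ok"]]
    cards = peak_per_key(small, "client", distinct_field="card")  # carding: many cards, one client
    fails = peak_per_key(failed, "card")                          # cracking: many declines, one card
    return {
        "carding_clients": sorted(k for k, n in cards.items() if n > MAX_CARDS_PER_CLIENT),
        "cracking_cards": sorted(k for k, n in fails.items() if n > MAX_FAILS_PER_CARD),
        "shipping_gt_price": sorted(a["id"] for a in attempts if a["shipping"] > a["amount"]),
    }

# Constructed sample, not real traffic. `card` is a processor token, never a PAN.
SAMPLE = (
    [dict(id=f"a{i}", ts=2 * i, client="dev-A", card=f"tok-{i}", amount=1.0,
          shipping=0.0, ok=(i == 3)) for i in range(5)]      # one client, many cards
    + [dict(id=f"b{i}", ts=100 + i, client=f"dev-B{i}", card="tok-9", amount=20.0,
            shipping=0.0, ok=False) for i in range(6)]       # one card, many declines
    + [dict(id="c0", ts=200, client="dev-H", card="tok-20", amount=45.0, shipping=5.0, ok=True),
       dict(id="c1", ts=300, client="dev-I", card="tok-21", amount=3.0, shipping=25.0, ok=True)]
)
```

Counting declines per card rather than per client is what catches the card cracking case here: the six constructed declines on `tok-9` each come from a different client, so a per-client or per-IP counter would see nothing unusual.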
Prevent card cracking attacks with DataDome
Card cracking and carding attacks are primarily bot-driven attacks that test the validity of stolen card or voucher data. They cost retailers billions in revenue every year and can inflict severe reputational damage to your brand. The best way to prevent card cracking attacks—and all other forms of bot threats—is with an advanced bot protection solution that blocks the most sophisticated bots and automations from accessing your websites, apps, and APIs.
That’s DataDome. As a bot and agent trust management platform, DataDome stops all carding bots before they reach your website—analyzing intent in real time to distinguish malicious automation from legitimate users. Test your website’s defenses with a free Vulnerability Scan, or book a demo to learn more.
FAQs about carding and card cracking
Carding involves using bots to test complete sets of stolen credit card details with small transactions to verify their validity. Card cracking, a type of brute force attack, is used when criminals only have partial card details and deploy bots to guess missing values like the expiration date or CVV.
Fraudsters use credit card bots to automate thousands of small transactions on e-commerce checkout pages. These bots test stolen payment data at scale to identify which cards are active and have available funds.
The most effective way to prevent card cracking is to implement intent-based bot and agent trust management software. Traditional IP-based blocking is no longer sufficient against modern distributed attacks. A robust cyberfraud protection platform analyzes behavioral signals to block malicious automation before it hits your payment processor.