What is ICC Crawler?

ICC Crawler is an automated scraping/indexing bot observed on dark-web markets and Telegram that aggregates payment-card “ICC” (credit card) listings and related fraud content. It normalizes data (e.g., BIN, country, price, freshness) and exposes searchable feeds/alerts or APIs.

Primary use cases
– Defender/Intel teams
    – Monitor exposure of your BINs/brands and detect surges in compromised cards
    – Track seller ecosystems, pricing, and dump/CVV trends for fraud modeling
    – Feed threat intel to SIEM/FDS rules, prioritize takedowns, and measure ROI
    – Identify compromised merchant clusters (potential skimmer/Magecart outbreaks)
– Criminal/illegal (for awareness; prohibited)
    – Discover and compare stolen card inventories across shops/channels
    – Set alerts for “fresh” BINs or geographies to optimize cash-out timing
    – Automate sourcing and vendor reputation checks to scale carding operations

Note: Possession/use tied to stolen data is illegal in most jurisdictions.

Why is ICC Crawler crawling my site?

It’s likely performing automated reconnaissance and data harvesting: mapping your site structure and endpoints, scraping pricing/catalog content, extracting PII or email patterns, profiling checkout and payment flows, and fingerprinting your defenses (anti-bot signals, rate limits, error handling). This intel can fuel competitive scraping, account takeover and carding workflows, coupon/loyalty abuse, or targeted exploitation of weak endpoints and APIs. Potential negatives include elevated infrastructure and CDN costs, latency for real users, polluted analytics and funnel metrics, content/IP theft, inventory and price manipulation, discovery of misconfigurations or exposed data, and higher downstream fraud (credential stuffing success, BIN testing efficiency, mule onboarding). It can also increase noise for SOC teams, complicate anomaly baselines, and create compliance risk if regulated data is inadvertently exposed or scraped.

Threat research insights on ICC Crawler

All data in this section are produced by DataDome's Galileo Threat Research team from our proprietary detection network and reviewed by human analysts.

Verified Bot: Verified (a verified bot has high identification strength)
Robots.txt Compliance: Not respected (whether this bot respects robots.txt directives)
Identification Strength: High (how confidently DataDome can identify this bot)

Traffic origins

Top 15 countries by bot traffic

JP: 100.0%

Most used autonomous system (AS)

Top 5 by traffic share

National Institute of Information and Communications Technology: 100.0%

Traffic Occupancy: <0.1%

On average, this bot occupies <0.1% of the traffic from bots in the directory.

Authorization Rate: 100%

Businesses decide to authorize this bot 100% of the time

How to block ICC Crawler?

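Here are 3 effective ways to block “ICC Crawler”:

1) Block by User-Agent (server-level)
– NGINX:
    # Case-insensitive match on "ICC Crawler", "ICC-Crawler" or "ICCCrawler"
    if ($http_user_agent ~* "ICC[\s-]?Crawler") { return 403; }
– Apache (.htaccess):
    RewriteEngine On
    # [NC] = case-insensitive match, [F] = respond with 403 Forbidden
    RewriteCond %{HTTP_USER_AGENT} (ICC[\s-]?Crawler) [NC]
    RewriteRule .* - [F]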

2) IP/ASN blocking (network-level)
– Identify source IPs from logs; block at firewall or server.
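– NGINX (inside server/location):
    # Example range; replace with the source ranges found in your logs
    deny 203.0.113.0/24;
– Linux firewall:
    # Example address; replace with a source IP found in your logs
    iptables -A INPUT -s 203.0.113.45 -j DROP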
– Maintain an IP blocklist; revisit periodically.

3) Rate limiting/throttling (behavioral)
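– NGINX:
    # http context: one shared 10 MB zone keyed by client IP, 1 request/second
    limit_req_zone $binary_remote_addr zone=bots:10m rate=1r/s;
    server {
        # Allow bursts of up to 5 extra requests without delay; reject the rest
        location / { limit_req zone=bots burst=5 nodelay; }
    }

– Mitigates scraping even if UAs/IPs rotate; combine with a 403 response when the limit is exceeded.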

Tip: Verify the exact User-Agent string and crawling patterns in access logs to tune rules.
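
To act on this tip, the following added example (not DataDome's code) replays access-log lines whose User-Agent matches the crawler pattern through a simplified model of the NGINX limit_req leaky bucket, estimating per source IP how many requests rate=1r/s with burst=5 would reject. It assumes the combined log format; the log lines, User-Agent strings and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Matches "ICC Crawler", "ICC-Crawler" and "ICCCrawler", case-insensitively
UA_RE = re.compile(r"ICC[\s-]?Crawler", re.IGNORECASE)

def _line(ip, sec, ua):  # builds one constructed log line (hypothetical helper)
    return f'{ip} - - [10/Mar/2025:08:00:{sec:02d} +0000] "GET /p HTTP/1.1" 200 512 "-" "{ua}"'

# Constructed sample: 8 hits in one second, 2 slow hits, 1 unrelated browser hit.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.45", 1, "ICC-Crawler/0.0 (constructed)")] * 8
    + [_line("203.0.113.46", s, "icc crawler (constructed)") for s in (1, 4)]
    + [_line("198.51.100.7", 2, "Mozilla/5.0 (constructed)")]
)

def replay(log_text, rate=1.0, burst=5):
    """Per source IP: matching hits, distinct UAs, and hits a rate/burst limit would reject."""
    stats = defaultdict(lambda: {"hits": 0, "rejected": 0, "uas": set()})
    bucket = {}  # ip -> (timestamp of last admitted request, excess)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not UA_RE.search(m["ua"]):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
        s = stats[m["ip"]]
        s["hits"] += 1
        s["uas"].add(m["ua"])  # exact strings seen, for tuning the block rule
        if m["ip"] not in bucket:
            bucket[m["ip"]] = (ts, 0.0)  # first request from an IP is always admitted
            continue
        last, excess = bucket[m["ip"]]
        excess = max(0.0, excess - rate * (ts - last) + 1.0)  # leak, then add this request
        if excess > burst:
            s["rejected"] += 1  # over burst: rejected, bucket state unchanged
        else:
            bucket[m["ip"]] = (ts, excess)
    return dict(stats)

if __name__ == "__main__":
    for ip, s in replay(SAMPLE_LOG).items():
        print(ip, s["hits"], "hits,", s["rejected"], "rejected,", sorted(s["uas"]))
```

Log timestamps have one-second resolution, so the rejected counts are an estimate; run it with different rate and burst values before changing the production limit.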
