What are Fullz? How Hackers & Fraudsters Obtain & Use Fullz

‘Fullz’ is a slang word that cybercriminals use to describe a full package of personal information. Fullz can be used to commit credit card fraud, identity theft, or conduct an account takeover attack.

Hackers and fraudsters can obtain fullz by buying complete sets of personal data on the dark web, web scraping, running scams, or via data breaches and malware.

Keeping personal information and customer data safe is vital for any type of business. In this article, we take a close look at what fullz are. We’ll explain how criminals obtain and use fullz and explore how you can stop sensitive personal information from falling into the wrong hands.

Key Takeaways

• Fullz is a slang term used by hackers and fraudsters to describe a full set of personal information.
• A fullz set can include identification information, credit card details, financial information, or healthcare data.
• Cybercriminals can buy fullz sets on the black market or obtain them through scams, malware, credit card skimmers, targeted web scraping or account takeover attacks.
• By the year 2028, cybercrime is set to increase by ~70% and be worth an estimated US $13.82 trillion.
• You can take measures to protect your personal data from being stolen by cybercriminals, hackers, and fraudsters. Anti-fraud software like DataDome can keep your personal information safe.

Fullz–what does it mean?

Fullz is a slang term used by hackers and fraudsters to describe a complete set of a person’s structured personal information. Fullz was first used by credit card fraudsters in the early 2000s. The popularity of the colloquialism has grown, and it’s now commonly used in the digital criminal underworld. While the exact origins of the term are unknown, it is believed to be derived from ‘full information’, ‘full data set’, or ‘full credentials’.

There are various types of fullz packages that cybercriminals obtain, buy, and sell on the digital black market:

• ID fullz includes personal information such as a person’s name, date of birth, address, social security number (SSN), passport details, email address, and phone number.
• Payment fullz data contains a person’s billing address, bank details, and credit card information such as the card number, the CVV code, the issue date, and the expiration date.
• Healthcare fullz details a person’s medical records and treatment history and often contains information on a person’s relatives.
• Dead fullz refers to data that belonged to a deceased person or information stolen from accounts that were closed due to inactivity.

How much do fullz cost? The price of a Fullz package varies based on the victim’s credit score and the completeness of the data. Recent reports indicate that while a simple social security number can sell for as little as $1, a complete Fullz profile typically commands between $20 and $100, with high-value targets reaching up to $500.

Two other terms used in the murky world of fullz are ‘kitz’ and ‘dumps’. Dumps refer to the raw data on a credit card’s black magnetic strip. Kitz is used to describe sets of forged identification created by using stolen personal data.

How do hackers & fraudsters acquire fullz?

Cybercriminals use a variety of ways to illegally obtain personal data and financial information. From web scraping or account takeover attacks to elaborate social engineering scams to simply buying fullz from other criminals, there are many methods a criminal can use to get access to sensitive personal information.

Account Takeover

Online accounts contain a wealth of personal data such as a person’s name, identification, details, banking information, and date of birth. Since many people reuse passwords, once a hacker has taken over one account they can easily obtain access to others. If a hacker takes over a person’s email account, they can often gain access to other online accounts by resetting passwords and intercepting authentication emails.

Phishing & Spear Phishing

Phishing and spear phishing are often referred to as social engineering. A more common term would be a scam or a con. Social engineering techniques trick or manipulate people into divulging personal information they would otherwise keep secret.

Phishing attacks are where a hacker sends a victim a message that looks like it is from a legitimate entity. A hacker might pretend to be from a bank, for example, and ask a victim to provide them with their banking details. Phishing attacks can also take the form of fake invoices or phone calls where fraudsters pretend to be company representatives.

Spear phishing attacks can use the same techniques but are directed against a targeted individual or group. Spear phishing attacks use stolen personal information to personalize the attack. They are often successful as the victim is more likely to be convinced by the fraudster.

Data Breaches

Hackers often release large amounts of information gained by illegally accessing government or corporate databases. A data breach can put the details of millions of people at risk. A major US newspaper was recently the victim of a hacking attack that resulted in the release of over 270 gigabytes of internal data, much of which contained sensitive corporate and personal information.

Credit Card Skimming

Information from a credit card can be physically obtained by the use of a card skimmer. The skimmer reads the data on the magnetic strip of a credit or debit card and sends it to a fraudster. This type of skimming fraud is often difficult to detect, as credit card skimmers can be compact and are easily fitted over a legitimate terminal or concealed in the hands of a scammer.

Malware

Malware can give a cybercriminal access to your data. A computer can be infected by malware when a user clicks on a link or downloads an app. In some cases, malware is hidden in a useful application, or a person might unknowingly download a piece of malware and not realize it’s running in the background.

Web Scraping

While web scraping often doesn’t give hackers access to a complete data set right away, it can be used to slowly compile a fullz package. Web scraper bots can attack a business website to obtain basic personal information on customers or employees. Once a hacker has this information, they can then use it to cross-reference against information gained from data breaches and gradually gather enough information to complete a fullz set.

The Dark Web

Cybercriminals don’t need to be able to use technology or be experienced scammers. They can simply log onto the dark web and buy fullz sets. The dark web is made up of sites that are not indexed by search engines and are not accessible without the use of specialized software. Hackers steal fullz sets and then sell them on dark web marketplaces or forums. The price of fullz sets on the dark web varies depending on the amount of information in the package. Hackers often use cryptocurrencies to pay for fullz sets.

Physical Thefts

A more old-fashioned way of obtaining someone’s personal information is to steal their documents or belongings. Burglaries of personal homes, government offices, or businesses can provide criminals with large swathes of personal information that can be used to create fullz sets.

How do hackers use fullz?

Once a fraudster or hacker has a fullz set they can then use it to commit a host of criminal acts. In the vast majority of cases, fullz sets are used for financial gain.

Some of the methods that cybercriminals use to generate funds with fullz sets include:

• Credit card fraud: Fullz sets can be used to put through fraudulent transactions using a stolen credit card number or steal money via cash transfers.
• Loan fraud: Fraudsters use fullz data sets to apply for loans with high interest and easy application terms, like online loans or payday loans.
• Identity fraud: A set of fullz data can be used to steal a person’s identity. Fraudsters can then open bank accounts, apply for loans and credit cards, and obtain identification.
• Account takeovers: Account takeover fraud gives a hacker access to sensitive personal or business-related information. The hacker can then make fraudulent transactions using an individual’s details or the details of the business.
• Medical identity fraud: Many fraudsters use medical fullz sets to commit insurance fraud by making claims for treatments or medication the victim never received.
• Tax refund fraud: By impersonating tax authorities, a fraudster can fool a victim into giving up information that can then be used to file an illicit tax return.
• Buy now pay later fraud: Using a fullz set, a fraudster can make a fake account on an e-commerce site, order an item using a pay later scheme and then simply not pay for it. The victim may find themselves liable for the item or may have their credit score negatively impacted.

What is the cost of cybercrime for a business?

Despite the efforts of law enforcement agencies, cybercrime continues to escalate. In 2024 alone, account takeover (ATO) fraud costs reached approximately $15.6 billion, a 23% increase from the previous year. With 83% of organizations reporting at least one account takeover incident annually, the threat has moved from a “risk” to an inevitability for most digital businesses.

Within the next five years, losses from credit card fraud alone are projected to be worth more than US $43 billion. Recent figures suggest around 353 million people worldwide were the victims of identity theft. A report found that 77% of people were concerned that their personal information could be stolen by hackers or fraudsters.

E-commerce companies are goldmines for hackers and fraudsters. If a business does not have sufficient security measures in place, hackers can steal fullz sets derived from corporate data, causing huge financial losses for customers and employees.

A business that has been hit by cybercriminals can suffer significant damage to its reputation and brand value, and could face serious legal repercussions including criminal charges and civil suits for negligence. Existing customers may lose all trust in the business and potential customers may be deterred entirely. The cost of investigating and repairing the damage caused by the theft of personal information can ruin a business.

It’s essential that businesses take precautions to detect fraudulent activity and prevent cybercriminals from accessing sensitive data to compile fullz sets.

How can you protect yourself from a fullz attack?

All business owners have a legal and moral obligation to protect customer information and employee data from hackers and fraudsters. Safeguarding sensitive corporate data requires the adoption of both internal and external security measures.

On the external side, businesses should always implement SSL (secure-socket layering) forms on e-commerce websites, as well as ID proofing protocols and two-factor authentication (2FA) or multi-factor authentication (MFA) measures. Website terms of service (TOS) and robot.txt files should clearly prohibit web scraping or restrict it to certain areas.

Internal measures can also be taken to stop data from falling into the wrong hands. Teams should receive training on how to recognize phishing scams and malware. Having robust and reliable security software is perhaps the best way to protect your company’s data.

DataDome’s bot and agent trust management software stops bots and aggregators that test stolen fullz credentials against your login pages. Unlike traditional tools that rely on IP blocklists, DataDome analyzes intent in real time—blocking fraud in under 2 milliseconds with 99.99% accuracy.

We stop over 20,000 attacks every second, ensuring stolen data from the dark web cannot be weaponized against your platform. Customers like Patreon have seen a 93% reduction in accounts impacted by ATO attacks after implementing DataDome.