The report documents an increasingly industrialized payment-fraud landscape in 2025, driven by scalable Magecart e-skimmers, large purchase-scam networks, OTP interception, and growing AI enablement, which together expand attack surfaces and complicate liability. Recommended defenses emphasize an intelligence-driven, cross-functional fusion of CTI and fraud operations, proactive detection, and AI-assisted predictive controls.
Key points
- Typical report structure: Executive Summary that frames high-level themes and risk posture; Key Findings that list headline statistics and notable incidents; Top Risks & Strategic Implications outlining how risks will evolve and what leaders should do; Data Exposure analyzing quantities, sources, and contexts of exposed payment data; Attack Vectors describing upstream techniques and operational workflows; Mitigations offering prioritized recommendations for leadership, CTI, and fraud teams; Outlook forecasting near-term trends and defensive implications.
- Executive Summary purpose: synthesize year-over-year shifts, emphasize primary drivers (industrialization, AI enablement, OTP interception, agentic commerce), and set strategic priorities for proactive, intelligence-informed defenses.
- Key Findings purpose: present the most consequential data points and incidents (volumes, malware/kits, threat actors, large-scale scam ecosystems) that define operational and strategic risk for the coming year.
- Data Exposure section scope: aggregates multiple datasets (dark web carding marketplaces, freely exposed card data on Telegram/dark web sources, and stolen US paper check images) and interprets how exposure quality and quantity change attack surface and downstream fraud risk.
- Attack Vectors section scope: maps upstream compromises (Magecart e-skimmers, tester-merchant abuse, purchase-scam networks), authentication bypass techniques (OTP interception, NFC relay), and emerging surfaces (agentic commerce) to likely fraud outcomes.
- Mitigations section scope: provides recommended actions at three levels—executive (alignment, investment, institutionalize CTI–fraud fusion), CTI teams (early signals, prioritized intelligence sharing), and fraud ops (intelligence-driven automation, proactive controls).
- Headline data — carding marketplaces: ~142 million stolen card records posted for sale in 2025 (down 19% vs. 2024), while the attack surface expanded via richer attributes accompanying records.
- Attribute-rich exposure: 82% of CNP card records for sale included contact information (up nine percentage points), increasing ATO and social-engineering risk.
- Freely exposed data: freely exposed payment card records rose ~26% year-over-year, reaching volumes comparable to dark web-for-sale totals and increasing spearphishing/ATO threat vectors.
- Paper checks: total US payment check images posted on Telegram decreased ~42% to 1.3 million, but unique check images rose ~3% to ~233,000, indicating persistent and shifting mail-theft patterns (deurbanization toward non-urban areas).
- Magecart/e-skimmer impact: ~10,500+ e-skimmer infections active in 2025 (7,300+ new), likely compromising >23 million online transactions; e-skimmer kits and MaaS lowered barriers to entry and increased scale.
- Top e-skimmer kit: “Sniffer by Fleras” (aka Surki) accounted for ~26% of observed e-skimmer infections; new MaaS offerings like AcceptCar emerged in H2 2025 with revenue-sharing models and strong obfuscation.
- Card-present (CP) fraud signals: >21 million stolen CP card records posted in 2025 (94% US-issued); MajikPOS remained observed in POS malware activity and an October spike coincided with ATM fraud in Poland.
- Purchase-scam ecosystems: detections of scam merchant accounts quadrupled vs. 2024; >3,600 scam merchant accounts identified across 40+ countries and 230+ acquirers, with linkages to for-sale card data and subscription/secondary-charge tactics.
- Card testing and tester merchants: >1,350 tester merchants abused in 2025 (94% were new); Telegram-based card-testing services validated ~27 million card records, enabling BIN attacks and large-scale card validation workflows.
- OTP interception and wallet/NFC fraud: OTP theft cemented as a widespread technique to bypass strong authentication, supporting digital-wallet provisioning, trusted wallet transactions, and NFC relay (“ghost-tapping”) attacks.
- AI enablement and agentic commerce: threat actors integrated AI into targeting, phishing, and orchestration workflows; agentic commerce pilots (e.g., Amazon Buy for Me, Visa Intelligent Commerce, Mastercard Agent Pay) introduced intent-as-identity challenges and liability ambiguity for disputes.
- Notable threat actors/incidents: threat actor references and tool names included OTPExplorer (an e-skimmer group with OTP functionality), the proof-of-concept actor “d0ctrine” on agentic abuse, and the Anthropic-related autonomous AI orchestration incident tied to a fraudulent purchase attempt.
- Recurring themes: industrialization of fraud ecosystems (MaaS, kits, professional services), expanding and richer data exposure making signals more actionable, social-engineering resurgence (purchase scams, OTP theft), and an AI arms race—attackers adopting agentic/AI tools as defenders scale AI-enabled detection.
- Strategic implications and takeaways: leadership must fund CTI–fraud fusion (intelligence-driven fraud centers), prioritize early-stage disruption and predictive signals, adopt automation to operationalize intelligence, and prepare for operational costs and liability complexity introduced by agentic commerce.
- Operational recommendations summary: prioritize intelligence-sharing with fraud ops, ingest external Payment Fraud Intelligence signals to detect merchant compromise and tester abuse, deploy automation for proactive account remediation, and accelerate AI-assisted predictive defenses while retaining human-in-the-loop for contested attribution cases.
- Outlook: expect continued growth in downstream CNP fraud enabled by social engineering and OTP interception, broader and more complex Magecart campaigns sustained by MaaS, persistent check-fraud risk with geographic shifts, sustained scale of purchase scams, and evolving agentic-commerce risks until industry guardrails and intent-authentication mature.
Source: Awesome Annual Security Reports - The reports in this collection are limited to content which does not require a paid subscription, membership, or service contract. (https://github.com/jacobdjwilson/awesome-annual-security-reports/)