Carding Mafia Data Breach
Carding Mafia Stolen Payment Card Trading Forum Breach (2021): 178K Member Accounts Exposed
Cybercrime forum specializing in stolen payment card trading and fraud activity.
Risk Interpretation
Exposure enables criminal-network mapping, blackmail, retaliation, and law-enforcement targeting. Participant records may also reveal payment-fraud methods and relationships.
Impact & Downstream Threats
The institutional impact on Carding Mafia has been moderate based on publicly available information, with the forum continuing to operate following both 2021 breaches. Civil and regulatory action against the forum operator has been limited based on publicly available information, in part because cybercrime forum operators typically operate from jurisdictions that complicate U.S. and EU law enforcement. The case has been cited in cybersecurity industry analyses as illustrating both the vulnerabil
- Credential stuffing against reused passwords across other platforms
- Targeted phishing campaigns using exposed email addresses
Breach Intelligence
Executive Summary
Carding Mafia, a cybercrime forum dedicated to the trading of stolen payment cards and related fraud tactics, suffered two data breaches during 2021 with the breach data subsequently indexed across multiple Have I Been Pwned listings. The March 2021 breach was disclosed by Have I Been Pwned on March 23, 2021 after security researcher Troy Hunt verified the dataset by confirming that Mailinator throwaway email addresses present in the dataset were recognized by the Carding Mafia password-reset workflow. A separate December 2021 breach was indexed shortly after the December incident. DataBreach.com subsequently consolidated the breach indexing on February 12, 2025.
The breach affected approximately 178,317 unique customer email addresses based on the deduplicated records indexed by DataBreach.com (with the March 2021 incident exposing 297,744 unique users per Have I Been Pwned and the December 2021 incident exposing approximately 300,000 additional records per Have I Been Pwned). The total exfiltrated dataset across both incidents was approximately 990 gigabytes including 660,000 forum posts and 130,000 threads. Compromised fields included email addresses, usernames, IP addresses, and passwords stored as salted MD5 hashes. The earlier of the two 2021 breaches was advertised for free distribution on a separate hacking forum on January 27, 2021, indicating that the underlying compromise predated public disclosure by approximately two months.
For individuals whose email addresses appear in the Carding Mafia datasets, the practical risk profile is exceptionally severe and bifurcated. For users who actively participated in carding activity through Carding Mafia, the breach exposed their identification as participants in a forum dedicated to federal-felony-level payment fraud, with substantial criminal-prosecution risk under U.S. federal wire fraud, bank fraud, and Computer Fraud and Abuse Act statutes (and equivalent statutes in other jurisdictions). The breach data may be used by law enforcement to cross-reference pseudonymous identities across multiple cybercrime forums and to map participation patterns.
Because the passwords were stored as salted MD5 hashes, and MD5 is fast to compute, the original passwords are recoverable through brute-force cracking for many users. Affected users should change any password they reused on other accounts, since every account sharing an exposed password is potentially compromised. Users whose IP address data may have included real (non-VPN) addresses are at elevated identification risk.
The U.S. Wiretap Act, the Computer Fraud and Abuse Act, the federal Wire Fraud statute (18 U.S.C. § 1343), the federal Bank Fraud statute (18 U.S.C. § 1344), and equivalent statutes in other jurisdictions may apply to Carding Mafia members whose forum activity constituted unauthorized account access or payment-card fraud.
About Carding Mafia
Carding Mafia is an online cybercrime forum operating at the cardingmafia.ws domain dedicated to the trading of stolen payment card data (a practice known as 'carding'), the discussion of payment-fraud tactics, and the sale of associated tools and credentials including stolen credit card numbers, bank account details, and PayPal accounts. The forum's content explicitly promotes activity that violates U.S. and international criminal law including federal wire fraud, bank fraud, and computer fraud statutes. The forum claimed approximately 500,000 users prior to the 2021 breaches based on its own statistics. As cybercrime forum infrastructure, Carding Mafia maintains user accounts and discussion records that document members' direct participation in payment-card fraud operations.
Why They Hold Your Data
Carding forums collect user accounts, messages, trade histories, service listings, and discussion records tied to stolen-payment trading and cybercrime operations.
Recent Developments
Carding Mafia did not make any public acknowledgment of either the March 2021 or December 2021 breaches and did not warn its users through the forum or its public Telegram channel. The forum has been broadly cited in cybersecurity coverage as exemplifying both the recurring vulnerability of cybercrime forum infrastructure and the value of such breach data to law enforcement investigations. The case sits within a broader pattern of cybercrime forum compromises during 2017-2021 including Darkode (2017), OGUSERS (2019 and 2020), and three major Russian-language cybercrime forums that were breached in early 2021. Although the breach data is widely available, the fragmentary nature of the data (with VPN-anonymized IP addresses making individual identification difficult) has limited its immediate utility for law enforcement prosecution, though the data is more useful for cross-referencing pseudonymous user identities across multiple cybercrime forums.
Data Points Exposed
Canonical Fields
email_address, ip_address, password, username
Dark Web Verification
- Dataset containing ~178K records identified in breach intelligence sources
- Data indexed and searchable across breach notification platforms
- Source: carding-mafia-2021; Carding Mafia (December 2021) Data Breach; Carding Mafia (March 2021) Data Breach
Recommended Actions
⚠️ Do not assume this is low sensitivity.
© 2026 ObscureIQ · All Rights Reserved · Data Licensing
