
Jerry’s Store, a marketplace for stolen credit cards, left an unprotected server, revealing that carding marketplaces use Amazon, Temu, Lyft, and other legitimate merchants to do their validity checks. Our team believes the leak happened after AI executed an insecure command.
- Jerry's Store marketplace leaked 345,000 stolen credit card details through an exposed, insecurely configured server created using AI assistance.
- Scammers verify stolen cards using Amazon, Temu, Lyft, and Grubhub by making small transactions to evade detection.
- The leak occurred after Cursor AI generated flawed code without authentication, exposing credit card numbers, names, addresses, and security codes.
- Valid stolen credit cards sell for $7-18 on dark web markets, making Jerry's Store's exposed inventory worth over a million dollars.
Threat actors, like so many programmers around the world, are no strangers to AI assisting in their operations. However, like so many vibecoders, scammers also run into security issues.
On April 16th, the Cybernews research team discovered an exposed server owned by a threat actor. The exposed information is controlled by a carding market called Jerry’s Store. The tool provides credit card validity percentages for each seller. In other words, threat actors use this tool to check if the stolen payment card is still operational.
According to our team, Jerry’s Store operators extensively used Cursor, an AI-assisted development environment, to set up the leaking server and administrator-facing dashboards. Cursor is a legitimate service, developed by the US software company Anysphere.
Researchers believe that relying on an AI assistant to set up the server was the main reason why it ended up exposed. Based on the chat logs our team was able to access, the threat actor received flawed instructions for building the dashboards.
“We were able to confirm that the leak originated from the user asking to create a statistics dashboard, and Cursor created an unauthenticated open web directory to serve the webpage, ignoring the need to set up authentication or ensure that only the intended dashboard would be accessible,” our team explained.
Moreover, the chat history reveals that there was enough information for Cursor LLM to identify that it was helping set up a credit card verification service, indicating a lack of sufficient guardrails to prevent abuse.
“While in this case it helped identify credit card fraud-related abuse, it's also a lesson for developers using Cursor for legitimate uses, showing how it can lead to accidental data leaks,” researchers said.
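For developers taking that lesson, here is a minimal sketch of the two controls the researchers say were missing: authentication, and serving only the intended dashboard rather than a whole directory. It is an added example, not code from the leaked server or from Cursor; the route names, the `dashboard_site` directory and the `DASH_USER`/`DASH_PASS` environment variables are assumptions.

```python
import base64
import hmac
import os
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Assumed names: routes, directory and environment variables are hypothetical.
# Only these paths are served; there is no directory listing to browse.
ROUTES = {"/": "dashboard.html", "/dashboard": "dashboard.html"}
BASE_DIR = os.path.abspath("dashboard_site")
USER = os.environ.get("DASH_USER", "")
PASSWORD = os.environ.get("DASH_PASS", "")

def is_authorized(header, user, password):
    """Validate an HTTP Basic Authorization header; fail closed on any doubt."""
    if not user or not password or not header or not header.startswith("Basic "):
        return False  # also covers a server started without credentials
    try:
        supplied = base64.b64decode(header[6:], validate=True)
    except ValueError:
        return False
    # Constant-time comparison avoids leaking how much of the secret matched.
    return hmac.compare_digest(supplied, f"{user}:{password}".encode())

def resolve(path):
    """Map a request path to an allow-listed file name, or None for a 404."""
    return ROUTES.get(path.split("?", 1)[0])

class Dashboard(BaseHTTPRequestHandler):
    def do_GET(self):
        if not is_authorized(self.headers.get("Authorization"), USER, PASSWORD):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="dashboard"')
            self.end_headers()
            return
        name = resolve(self.path)
        if name is None:
            self.send_error(404)
            return
        with open(os.path.join(BASE_DIR, name), "rb") as fh:
            body = fh.read()
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    # Loopback only: expose it through a TLS reverse proxy or VPN, not directly.
    ThreadingHTTPServer(("127.0.0.1", 8080), Dashboard).serve_forever()
```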
We have reached out to Cursor for comment and will update this article once we receive a reply.
What does the Jerry’s Store data leak reveal about the carding marketplace?
Operations such as Jerry’s Store are integral to the cybercrime infrastructure. Once scammers obtain stolen credit card information, they need to verify which cards can still be exploited. Jerry’s Store provides exactly that service.
Interestingly, our team noticed that to complete the task, Jerry’s Store operators use legitimate, well-known merchants.
“Threat actors used multiple legitimate merchant websites, such as Amazon US, Amazon JP, Grubhub, Sam's Club, Temu, Lyft, Elf Cosmetics, and CountryMax, utilizing hundreds or in some cases, thousands of accounts on these platforms to perform credit card validity checks,” our team explained.
What that means is that attackers created accounts to register stolen cards and perform “low-risk” actions. These could include adding cards as a payment method or making a very small purchase. If the platform accepts the card, threat actors mark the card as valid and sell it to other threat actors on the dark web.
Using large merchants like Amazon or Grubhub is a way to mask their activities. Since large merchants process billions of payments, small transactions on a well-known website don't ring any alarm bells.
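From the merchant's side, the pattern described above can be looked for per account rather than per transaction. The following is an added example, not part of the Cybernews research: it flags accounts that cycle several distinct cards through only low-risk actions within a short window. The event fields, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed thresholds; tune them against your own traffic baseline.
WINDOW = 3600        # seconds
MIN_CARDS = 4        # distinct cards on one account inside the window
SMALL_AMOUNT = 2.00  # purchases at or below this count as "low-risk"

# Constructed sample events: (ts, account, card_fingerprint, action, usd, outcome).
# Fingerprints are tokens from the payment processor, never raw card numbers.
EVENTS = [
    (0, "acct-7", "fp-01", "add_card", 0.00, "ok"),
    (120, "acct-7", "fp-01", "purchase", 34.10, "ok"),
    (1000, "acct-9", "fp-10", "add_card", 0.00, "declined"),
    (1060, "acct-9", "fp-11", "add_card", 0.00, "ok"),
    (1090, "acct-9", "fp-11", "purchase", 1.00, "ok"),
    (1150, "acct-9", "fp-12", "add_card", 0.00, "declined"),
    (1210, "acct-9", "fp-13", "add_card", 0.00, "ok"),
    (5000, "acct-12", "fp-20", "add_card", 0.00, "ok"),
    (90000, "acct-12", "fp-21", "add_card", 0.00, "ok"),
    (180000, "acct-12", "fp-22", "add_card", 0.00, "ok"),
    (270000, "acct-12", "fp-23", "add_card", 0.00, "ok"),
]

def flag_card_testing(events):
    """Return accounts that cycle many cards through low-risk actions only."""
    by_account = defaultdict(list)
    for ev in sorted(events):
        by_account[ev[1]].append(ev)
    flagged = {}
    for account, evs in by_account.items():
        start = 0
        for end, ev in enumerate(evs):
            while ev[0] - evs[start][0] > WINDOW:  # slide the window forward
                start += 1
            window = evs[start:end + 1]
            cards = {e[2] for e in window}
            low_risk = all(e[3] == "add_card" or e[4] <= SMALL_AMOUNT for e in window)
            if len(cards) >= MIN_CARDS and low_risk:
                declined = sum(e[5] == "declined" for e in window)
                flagged[account] = {"cards": len(cards), "declined": declined}
                break
    return flagged

if __name__ == "__main__":
    print(flag_card_testing(EVENTS))
```

A per-account rule like this only sees one slice of activity spread over hundreds or thousands of accounts, so in practice it is one signal among several.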
According to our team, the exposed server contained a treasure trove of credit card details. Researchers identified nearly 200K credit card details that the service deemed “invalid,” and over 145K counts of valid payment card information.
The exposed information includes all details that payment cards hold, including:
- Credit card numbers
- Expiration dates
- Security codes
- Cardholder names
- Cardholder addresses
Typically, valid credit card details are sold for $7-18 on the dark web, meaning that the value of the stolen data on Jerry’s Store ranges between $1M and $2.6M. However, our team added that the actual value of the exposed infrastructure may be a lot higher, since Jerry’s Store sells a lot more data.
While it is unclear where Jerry’s Store is located, internal tooling and leaked LLM chat logs suggest that the marketplace's administrator is fluent in Chinese. The server itself appears to be hosted in Germany by a suspected bulletproof hosting provider.
The market, launched in late 2023, is a well-known tool in the cybercrime underground, targeting primarily victims in the US and the EU.