On January 5, 2026, we discovered a sophisticated fraud ring testing stolen credit cards through our membership platform. Cards from Canada, Singapore, and Malaysia. Bot automation. Professional operation.
We stopped it in 24 hours. Here's what we learned — and what you need to know to protect your business.
What Is Card Testing Fraud?
Card testing fraud happens when criminals use stolen credit card numbers to make small purchases on your platform, testing whether the cards are valid before the actual cardholders notice.
Here's how it works:
- Criminals steal credit card data (data breaches, phishing, dark web purchases)
- They need to validate the cards before selling them (expired cards are worthless)
- They use automated bots to create accounts and make small purchases on your site
- If the charge succeeds, they know the card is active and sell it on the dark web for 10x what they paid
- If it fails, they move to the next card
Why your platform? Because you're processing payments. Small membership fees, subscription trials, or low-cost purchases are perfect for testing — small enough that cardholders don't notice immediately.
Why This Matters to Your Business
Card testing fraud isn't just a security issue. It's a financial and operational risk.
Direct Costs
- Chargeback fees: $15-25 per transaction when cardholders dispute the charges
- Lost revenue: Refunded payments you've already processed
- Processing fees: You pay Stripe/PayPal fees even on fraudulent transactions
Example from our attack: 6 fraudulent accounts × $69 average charge = $414 in charges + $90-150 in potential chargeback fees = ~$600 total exposure in just 11 days.
Indirect Costs
- Merchant account suspension: Multiple chargebacks flag your account as high-risk. Payment processors can suspend or terminate your account.
- Higher processing fees: If flagged as high-risk, processors raise your rates (sometimes 2-3x higher)
- Time and resources: Investigating fraud, handling disputes, refunding customers
- Reputation damage: Your platform becomes known as insecure
How to Spot Card Testing Fraud (Red Flags)
Here's what we noticed before we caught the attack:
1. Sequential or Pattern-Based Emails
- anything1@gmail.com, anything2@gmail.com, anything3@gmail.com
- Bots generate these automatically
- Real users don't create accounts like this
2. Fake or Identical Names
- Our attackers used "Error Op" across all 6 accounts
- Other common patterns: "Test User", "John Doe", "A B", or random character strings
3. International Cards from High-Risk Countries
- Cards issued in countries your users typically don't come from
- In our case: Malaysia, Singapore, Canada (we have zero organic traffic from these regions)
4. Multiple Failed Payment Attempts
- Bots cycle through stolen card numbers rapidly
- Multiple failures from the same IP address or email pattern
5. Rapid Account Creation
- 6 accounts in 11 days with identical patterns
- Real user signups are random and varied
6. Unusual Purchase Patterns
- Accounts that sign up and immediately purchase (no browsing behavior)
- Same subscription tier across all accounts
- No engagement after signup (no logins, no activity)
If you see 2-3 of these patterns together, investigate immediately.
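As an added illustration (not code from the original post), here is a Python cohort check that applies the cross-account red flags above to a handful of constructed signup records and reports the accounts tripping two or more of them. The record fields, the 120-second "immediate purchase" threshold and the sample IPs and countries are assumptions made for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample records modelled on the patterns described above (not real accounts).
SAMPLE_ACCOUNTS = [
    {"email": "anything1@gmail.com", "name": "Error Op", "card_country": "MY", "ip": "203.0.113.10",
     "signup": "2026-01-01T10:00:00", "first_purchase": "2026-01-01T10:00:40"},
    {"email": "anything2@gmail.com", "name": "Error Op", "card_country": "SG", "ip": "203.0.113.10",
     "signup": "2026-01-02T10:05:00", "first_purchase": "2026-01-02T10:05:30"},
    {"email": "anything3@gmail.com", "name": "Error Op", "card_country": "CA", "ip": "203.0.113.11",
     "signup": "2026-01-03T11:00:00", "first_purchase": "2026-01-03T11:01:00"},
    {"email": "maria.lopez@example.com", "name": "Maria Lopez", "card_country": "US", "ip": "198.51.100.7",
     "signup": "2026-01-02T09:00:00", "first_purchase": "2026-01-04T15:30:00"},
]

SEQ_EMAIL = re.compile(r"^([a-z]+)\d+@")  # local part is letters followed by a counter

def email_stem(email):
    """'anything3@gmail.com' -> 'anything'; None if the address is not word+digits."""
    m = SEQ_EMAIL.match(email.lower())
    return m.group(1) if m else None

def score_cohort(accounts, expected_countries, immediate_secs=120, min_flags=2):
    """Return {email: [red flags]} for accounts tripping at least `min_flags` of the
    cross-account patterns above. Counters are built over the whole cohort first so
    that 'same name' and 'same IP' are judged across accounts, not per row."""
    stems = Counter(s for s in (email_stem(a["email"]) for a in accounts) if s)
    names = Counter(a["name"].strip().lower() for a in accounts)
    ips = Counter(a["ip"] for a in accounts)
    flagged = {}
    for a in accounts:
        reasons = []
        stem = email_stem(a["email"])
        if stem and stems[stem] >= 2:
            reasons.append("sequential_email")
        if names[a["name"].strip().lower()] >= 2:
            reasons.append("repeated_name")
        if a["card_country"] not in expected_countries:
            reasons.append("unexpected_card_country")
        if ips[a["ip"]] >= 2:
            reasons.append("shared_ip")
        gap = datetime.fromisoformat(a["first_purchase"]) - datetime.fromisoformat(a["signup"])
        if gap.total_seconds() <= immediate_secs:
            reasons.append("immediate_purchase")
        if len(reasons) >= min_flags:
            flagged[a["email"]] = reasons
    return flagged
```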
How to Prevent Card Testing Fraud
We built a 7-layer defense system in under 24 hours. Here's what you can implement:
Layer 1: Geographic Blocking (Network Level)
What: Block high-risk countries at the firewall level before they reach your application
How:
- Use Cloudflare WAF (Web Application Firewall) or similar
- Block countries where you have zero legitimate users
- Allow exceptions for known users (VPNs, travelers)
Benefit: Stops 80% of automated bot traffic before it hits your server
Layer 2: Email Pattern Validation
What: Detect and block bot-generated email patterns
Examples to block:
- Sequential numbers: anything1@gmail.com, user123@gmail.com
- Random strings: asdfgh@gmail.com, qwerty@mail.com
- Disposable email domains: tempmail.com, guerrillamail.com
Benefit: Catches automated bot signups instantly
Layer 3: Name Validation
What: Flag obviously fake names
Examples:
- Single characters: "A B", "X Y"
- Common test strings: "Test User", "Error Op", "John Doe"
- Identical names across multiple accounts
Benefit: Stops lazy bot scripts that don't randomize names
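An added example, not the post's own code: a Python signup validator that implements Layers 2 and 3 together and returns every reason a signup looks bot-generated. The disposable-domain set, fake-name list and keyboard-walk strings are short constructed lists standing in for the feeds you would maintain in production.

```python
import re

# Constructed lists for illustration; a deployment would load a maintained disposable-domain
# feed and its own observed fake-name list rather than hard-coding these.
DISPOSABLE_DOMAINS = {"tempmail.com", "guerrillamail.com"}
KNOWN_FAKE_NAMES = {"test user", "error op", "john doe"}
KEYBOARD_WALKS = ("qwerty", "asdfgh", "zxcvbn", "123456")

SEQUENTIAL_LOCAL = re.compile(r"^[a-z]+\d{1,4}$")  # e.g. anything1, user123
VOWELS = set("aeiou")

def validate_signup(email, name):
    """Return the Layer 2/3 reasons this signup looks bot-generated ([] means it passes)."""
    reasons = []
    local, _, domain = email.strip().lower().partition("@")
    if domain in DISPOSABLE_DOMAINS:
        reasons.append("disposable_domain")
    if SEQUENTIAL_LOCAL.match(local):
        reasons.append("sequential_email")
    letters = [c for c in local if c.isalpha()]
    # Keyboard walks, or a long run of letters with no vowel, read as mashed keys.
    if any(w in local for w in KEYBOARD_WALKS) or (len(letters) >= 6 and not VOWELS & set(letters)):
        reasons.append("random_string_email")
    clean = " ".join(name.split()).lower()   # collapse whitespace, ignore case
    parts = clean.split(" ")
    if clean in KNOWN_FAKE_NAMES:
        reasons.append("known_fake_name")
    elif len(parts) >= 2 and all(len(p) == 1 for p in parts):
        reasons.append("single_character_name")
    return reasons
```

Legitimate users also pick name-plus-digits addresses, so a single reason is best treated as a signal to combine with the other layers rather than an automatic block on its own.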
Layer 4: Rate Limiting
What: Limit how many signups or payment attempts can happen from the same IP in a time window
Recommended limits:
- Onboarding: 20 attempts per minute (generous for real users, restrictive for bots)
- Payment processing: 3 attempts per 10 minutes (prevents card cycling)
Benefit: Prevents rapid-fire bot automation
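An added example (not from the original post) of a per-IP sliding-window limiter enforcing the two limits above. Refused attempts are not counted against the window, and it is assumed the caller has already resolved the real client IP behind any proxy or CDN.

```python
from collections import defaultdict, deque

class SlidingWindowLimiter:
    """Allow at most `limit` accepted attempts per key within the trailing `window_secs`."""

    def __init__(self, limit, window_secs):
        self.limit, self.window = limit, window_secs
        self.events = defaultdict(deque)  # key -> timestamps of accepted attempts

    def allow(self, key, now):
        """Return True and record the attempt if `key` is under its limit at time `now`."""
        q = self.events[key]
        while q and now - q[0] >= self.window:  # expire timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False                         # refused attempts are not recorded
        q.append(now)
        return True

# The two limits recommended above, keyed by client IP. Assumed: the caller has already
# resolved the real client IP (e.g. from the single proxy/CDN header it trusts).
ONBOARDING = SlidingWindowLimiter(limit=20, window_secs=60)
PAYMENT = SlidingWindowLimiter(limit=3, window_secs=600)

def simulate_card_cycling(ip, attempts, spacing_secs=5):
    """Bot-style run of `attempts` payment attempts `spacing_secs` apart against a fresh
    payment limiter; returns how many were accepted."""
    limiter = SlidingWindowLimiter(limit=3, window_secs=600)
    return sum(limiter.allow(ip, n * spacing_secs) for n in range(attempts))
```

Keying on IP alone is weak against distributed bot traffic and shared NAT ranges, which is why this layer is paired with the others rather than relied on by itself.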
Layer 5: IP Address Tracking & Forensics
What: Log IP addresses for every signup and payment attempt
Why it matters:
- Detect multiple accounts from same IP
- Cross-reference with known fraud databases
- Build forensic evidence if you need to report to authorities
Benefit: Enables pattern detection across accounts
Layer 6: Behavioral Analysis
What: Detect suspicious patterns in how forms are submitted
Examples:
- Identical form completion times (bots fill forms in milliseconds)
- No mouse movement or keyboard events (automation tools)
- Identical user agents across accounts
- Same browser fingerprint for "different" users
Benefit: Catches sophisticated bots that bypass simpler checks
Layer 7: Comprehensive Monitoring & Alerts
What: Real-time alerts when suspicious patterns emerge
Monitor:
- Signups per hour (spike = potential bot attack)
- Failed payment attempts (multiple failures = card testing)
- Geographic anomalies (sudden traffic from new country)
- Email pattern clusters (5+ similar emails in short window)
Benefit: Catch attacks in real-time, not after the damage is done
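As an added example, not the original post's code, here is a Python monitor that walks a chronological event stream and raises the first three alert types above: repeated failed payments from one IP, a signups-per-hour spike over a baseline, and traffic from a country not in your baseline set. The event shape, the baseline of 1 signup per hour and the 3x spike factor are assumptions for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed event stream in chronological order (not real traffic).
SAMPLE_EVENTS = [
    {"ts": "2026-01-05T14:00:00", "type": "signup", "ip": "203.0.113.10", "country": "MY"},
    {"ts": "2026-01-05T14:01:00", "type": "payment_failed", "ip": "203.0.113.10"},
    {"ts": "2026-01-05T14:01:10", "type": "payment_failed", "ip": "203.0.113.10"},
    {"ts": "2026-01-05T14:01:20", "type": "payment_failed", "ip": "203.0.113.10"},
    {"ts": "2026-01-05T14:01:30", "type": "payment_failed", "ip": "203.0.113.10"},
    {"ts": "2026-01-05T14:05:00", "type": "signup", "ip": "203.0.113.10", "country": "MY"},
    {"ts": "2026-01-05T14:10:00", "type": "signup", "ip": "203.0.113.11", "country": "SG"},
    {"ts": "2026-01-05T14:15:00", "type": "signup", "ip": "203.0.113.11", "country": "SG"},
    {"ts": "2026-01-05T16:00:00", "type": "signup", "ip": "198.51.100.7", "country": "US"},
]

def monitor(events, baseline_signups_per_hour, known_countries,
            failed_limit=3, failed_window=timedelta(minutes=10), spike_factor=3):
    """Return the alerts raised while walking `events`. Each alert fires once per
    threshold crossing so a burst does not flood the on-call channel."""
    alerts = []
    failed = defaultdict(deque)   # ip -> payment_failed timestamps in the trailing window
    signups = deque()             # signup timestamps in the trailing hour
    seen = set(known_countries)
    spike_at = baseline_signups_per_hour * spike_factor
    for e in events:
        t = datetime.fromisoformat(e["ts"])
        if e["type"] == "payment_failed":
            q = failed[e["ip"]]
            q.append(t)
            while t - q[0] > failed_window:
                q.popleft()
            if len(q) == failed_limit:
                alerts.append(("card_testing", e["ip"]))
        elif e["type"] == "signup":
            signups.append(t)
            while t - signups[0] > timedelta(hours=1):
                signups.popleft()
            if len(signups) == spike_at + 1:
                alerts.append(("signup_spike", e["ts"]))
            if e["country"] not in seen:
                seen.add(e["country"])
                alerts.append(("new_country", e["country"]))
    return alerts
```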
Our Story: How We Stopped the Attack
January 5, 2026 - 2:47 PM: We noticed 6 accounts with identical patterns.
Hour 1: Deactivated accounts, refunded charges, documented the pattern.
Hours 2-4: Built the 7-layer defense system described above.
Hours 5-24: Detected a second wave (7 more attempts, different pattern). All blocked automatically.
Results:
- 13 fraud attempts in 48 hours post-implementation - 100% blocked
- 0 false positives - No legitimate users blocked
- $0 in fraud losses since the system went live
- 10 comprehensive unit tests to ensure reliability
Total time from detection to full prevention: 24 hours.
Action Items for Your Business
If You're Already Under Attack:
- Deactivate suspicious accounts immediately
- Refund fraudulent charges (prevents chargebacks)
- Document the pattern (emails, IPs, card BINs, timestamps)
- Implement rate limiting NOW (stops the bleeding while you build defenses)
- Contact your payment processor (Stripe, PayPal, etc.) to report the fraud
If You're Not (That You Know Of):
- Audit your recent signups for the red flags listed above
- Implement rate limiting (easiest, highest ROI)
- Add email validation (blocks 90% of bot patterns)
- Set up monitoring alerts (catch attacks early)
- Plan your layered defense (build it before you need it)
Long-Term Protection:
- Write unit tests for your fraud detection logic
- Review fraud patterns monthly (attackers evolve)
- Keep a fraud incident log (learn from each attack)
- Build forensic capabilities (IP logging, pattern analysis)
The Bottom Line
Card testing fraud isn't a matter of "if" — it's "when."
Building fraud prevention before an attack costs hours. Bolting it on after costs weeks, thousands in losses, and potential merchant account suspension.
We learned this the hard way so you don't have to.
Start with rate limiting and email validation today. Add the other layers as you grow. Test your defenses. Monitor your patterns.
And if you see something suspicious — act immediately.