Chinese fraudsters: evading detection and monetizing stolen credit card information

April 4, 2023  |  Strawberry Donut

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

Cyber attacks are common occurrences that often make headlines, but the leakage of personal information, particularly credit card data, can have severe consequences for individuals. It is essential to understand the techniques employed by cyber criminals to steal this sensitive information.

Credit card fraud in the United States has been on the rise, with total losses reaching approximately $12.16 billion in 2021, according to Insider Intelligence. Card-Not-Present (CNP) fraud constituted 72% of these losses, with a substantial portion attributed to Chinese fraudsters.

This article discusses the tactics employed by Chinese cyber actors in committing CNP fraud and their value chain.

Chinese fraudsters primarily target the United States for two reasons: the large population makes phishing attacks more effective, and credit card limits in the country are higher compared to other nations. These factors make the US an attractive market for card fraudsters.

Common methods for acquiring card information include phishing, JavaScript injection through website tampering, and stealing data via Trojan horse infections. Phishing is the most prevalent method, and this analysis will focus on phishing tactics and the monetization value chain of stolen credit card information.


Chinese fraudsters have developed extensive ecosystems for their operations. In a card fraud community targeting Japan and the US, over 96,000 users have joined. For 3,000 Chinese yuan in Bitcoin, individuals can enroll in a bootcamp to learn phishing techniques through recorded videos and access resources for creating phishing sites and profiting from stolen credit cards.

According to the community leader, more than 500 students enrolled in the first half of 2022 alone. This leader has made significant profits, receiving 56 BTC over the past three years.

Chinese fraudster ecosystem: actor’s value chain

The value chain of Card Non-present fraud is shown as the following picture.

actor's value chain

To carry out these activities, Chinese fraudsters establish a value chain for CNP fraud, starting with setting up a secure environment. They anonymize IDs, falsify IP addresses, change time zones and language settings, alter MAC addresses and device IDs, modify user agents, and clear cookies to evade detection by security researchers and bypass various security measures.

value chain 2

Fraudsters also use residential proxies, which are infected domestic devices, to access targeted websites indirectly and avoid tracking. These proxies can be purchased from online providers, with payments made via stolen credit cards or bitcoin. By selecting the desired IP address, users can access the target site with a fake IP address, making it difficult to trace their activities.

One residential proxy service popular among Chinese fraudsters is "911," which is built using software distributed under the guise of a free VPN service. Once installed, users are unknowingly transformed into valuable residential proxies for fraudsters without their consent. The service offers locations at city granularity to match the target user's geographic location.

911 fraud tool

Additionally, fraudsters can select ISP and device fingerprints, such as browser version, operating system, and screen size. This information is usually acquired through phishing, and fraudsters select the ones used by the victims to imitate each victim's user behavior.

Researchers at Sherbrooke University in Canada recently published an analysis of the "911" service and found that about 120,000 PCs are rented through the service, with the largest number located in the United States. More information about the research can be found at

Although the "911" service was shut down in July 2022, many new residential proxy providers have emerged, which are now used by Chinese fraudsters.

alt 911alt 911 2

In-depth analysis: evasion techniques in anti-fraud systems to elude detection

To set up phishing sites, several elements must be in place, including an email database to disseminate phishing emails and a phishing kit to create the phishing site. These elements can be acquired online through various channels. There are two methods to create phishing sites: by tampering with an existing website or by using rented servers or virtual private servers (VPS). The former has the advantage of a high reputation but is often detected and removed quickly. The latter method involves using the server and templates included in the phishing kit to impersonate various companies and brands.

Phishing kit templates are also available on the dark web, covering card companies, payment services, and online banking. These phishing kits incorporate various measures to avoid detection, such as blocking bot access and preparing a blacklist to prevent access from security companies and researchers. Additionally, these phishing kits also attempt to obtain the actual IP addresses of individuals accessing them through proxies, check their geolocation information, and return errors for access from outside China and the US.

Chinese fraudsters use elaborate phishing infrastructures and kits to create phishing sites and deceive users who access them via emails. To avoid being blocked by spam filters or reputation-based blocks, they continuously improve their content and environment. They change their IP addresses while maintaining a clean state and use multiple domain names to spread their risk, ensuring that they can continue phishing even if one domain is blocked.

Moreover, these fraudsters use URL redirect tools to show high-reputation URLs and disguise their phishing URLs as normal ones. If a phishing URL is blocked by email filters, they can use a different URL to continue phishing.

In summary, Chinese fraudsters use sophisticated phishing kits to evade tracking and detection. These phishing kits include anti-fraud features to counteract security researchers and organizations. They continuously improve their content and environment to avoid being blocked by spam filters and reputation-based blocks. They use multiple domain names and change their IP addresses to spread their risk, and they use URL redirect tools to disguise their phishing URLs as normal ones.

Cashing out through popular platforms: TikTok and NFT exploitation

Chinese fraudsters have a value chain that extends from the setup and misuse of cards to the cashing out stage, where they obtain unjust gains.

monetization process

There are various methods of cashing out. One method is to directly purchase cryptocurrency or gift cards through websites using stolen credit card information, which is popular for U.S. cards.

Another method is to purchase products on an eCommerce site using stolen credit card information and have a domestic collaborator receive the products. The domestic collaborator then sends the purchased goods to China and obtains money, which is commonly used in Japan and other Asian countries that are geographically close to China.

In the monetization stage, fraudsters prefer products that can be easily resold, such as home appliances, brand bags, mobile phones, and gift cards.

monetization approaches

In the past three years, new methods using TikTok and NFTs have emerged. One method involves purchasing TikTok coins with stolen card information and donating them to malicious influencers. In some cases, the fraudster and the influencer may be the same person, or another person may receive a commission fee. Additionally, NFTs and eBooks are also suitable for money laundering.

It is challenging to distinguish whether the credit card abuser is a fraudster or simply someone who wants to donate to a favorite influencer when donations are made on TikTok.

As a preliminary step to cashing out, fraudsters confirm the credit card limit. They may use methods such as pretending to be the rightful owner (social engineering) and calling the card company's call center to confirm the limit, disabling the one-time password authentication required for card use, or using other social engineering tactics. However, due to the language barrier, Chinese fraudsters don't often use this method.

Preventing fraud at the monetization stage: Enhancing security measures

preventing monetization

In the value chain of fraud, actors' roles are divided into three categories: phishers, credit card misusers who misuse credit card information, and monetization dealers who monetize the stolen information. By dividing the roles, they can concentrate on their area of expertise, and even if they are investigated by the police, they can avoid legal sanctions by stating that they merely received something from their friends and are unaware of what is happening.

Dealing with CNP fraud is difficult when focusing on upstream. It is critical to prevent misuse at the monetization process. Nowadays, man-in-the-middle attack phishing techniques have become the mainstream, and one-time-password (OTP) authentication is insufficient to defend against these attacks anymore. More advanced authentication methods, such as FIDO or passkeys, and more sophisticated machine learning models, will be indispensable soon.

Share this with others

Get price Free trial