An example of successful cooperation between banks and law enforcement agencies in uncovering a carding network in Asia: Operation Carding Action 2021

Student

For educational purposes, I will analyze the example of Operation Carding Action 2021, coordinated by Europol and involving Asian entities, including Group-IB (headquartered in Singapore), banks, and payment systems. This case demonstrates how effective collaboration between various parties can lead to the discovery and disruption of complex carding networks that pose a threat to financial institutions and users in Asia and beyond.

What is carding and why is it important?

Carding is a type of cybercrime in which criminals use stolen credit or debit card information to conduct unauthorized transactions, purchase goods, or withdraw funds through intermediaries (so-called "money mules"). In Asia, where digital payments are rapidly growing (for example, according to Statista, transaction volume in Southeast Asia will exceed $620 billion in 2024), carding has become a key threat to banks, payment systems, and consumers. Carders often operate through darknet marketplaces, selling stolen card information, making their networks difficult to trace.

The context of Operation Carding Action 2021

Operation Carding Action 2021 was a continuation of similar initiatives launched in 2020 and aimed to combat carding networks operating globally, including in Asia. It was coordinated by Europol (the European Police Agency) and Eurojust (the EU Agency for Criminal Justice Cooperation), involving law enforcement agencies from Italy, the UK, and other countries, as well as private partners such as Group-IB, Visa, Mastercard, and banks. In Asia, Group-IB played a key role, with its Asia-Pacific Cyber Threat Analysis Center (Singapore) providing unique data and technology to track carders.

Stages of cooperation

1. The role of banks and payment systems

Banks and payment systems such as Visa and Mastercard played a critical role in providing data and analytics. Their contributions included:
  • Anomaly detection: Banks analyzed transactions for suspicious activity, such as multiple attempts to withdraw small amounts or transactions originating from unusual locations. This allowed them to identify compromised cards.
  • Damage assessment: According to Europol, the operation uncovered approximately 12 major merchants on underground platforms trading in card data. Banks estimated that the potential damage from this data could have amounted to €14 million in Europe alone, but a significant portion of the transactions also affected Asian banks, particularly in highly digitalized countries such as Singapore, Malaysia, and India.
  • Card blocking: Payment systems promptly blocked compromised cards, preventing further losses. For example, Visa Asia Pacific, which operates extensively in the region, provided data on cards used in Asian transactions, enabling the localization of part of the network.

2. The role of law enforcement agencies

Law enforcement agencies, including Europol, Interpol, and national agencies, coordinated the operation internationally. Their actions included:
  • Intelligence sharing: Through Europol platforms such as SIENA (Secure Information Exchange Network Application), law enforcement agencies exchanged information on suspects and their infrastructure. This included IP addresses used by carders and transaction data provided by banks.
  • Identification of criminals: The operation identified 12 key figures who managed the sale of stolen cards on darknet markets such as Joker's Stash and Ferum Shop. Some of them operated from Asian countries, including Indonesia and the Philippines.
  • Arrests and Confiscation: Law enforcement officers made arrests and seized servers that stored databases containing stolen cards. This was particularly important in Asia, as the region is often used as a transit hub for money laundering through cryptocurrency.

3. The role of Group-IB and Asian structures

Group-IB, as a specialized cybersecurity company with a strong presence in Asia, played a key role in the technical intelligence. Their contributions included:
  • Darknet Analysis: Group-IB used its tools, such as Threat Intelligence & Attribution, to monitor underground forums and marketplaces. This made it possible to identify sellers, their methods, and data supply chains.
  • Tracking JavaScript sniffers and botnets: Carders often use malware such as JavaScript sniffers (scripts injected into online stores to steal card data). Group-IB detected such threats, including those targeting Asian e-commerce platforms.
  • Localization of Asian networks: Group-IB's Singapore office monitored regional nodes of carding networks, including "mules" that cashed out funds through local bank accounts or cryptocurrency exchanges. This allowed law enforcement to shut down local operations.

4. Integration of efforts

A key factor in success was the integration of data from all participants:
  • Banks provided information about transactions and compromised cards.
  • Group-IB analyzed the cyber infrastructure and transferred the data to law enforcement.
  • Law enforcement agencies coordinated arrests and the blocking of infrastructure.

This approach made it possible to create a closed loop: from threat detection to its neutralization.

Results of the operation

  • Financial impact: Avoided losses of €14 million in Europe and significant amounts in Asia (exact figures for Asia were not published, but the region was key in the transaction chain).
  • Infrastructure Blocking: Thousands of compromised cards were blocked, and some darknet platforms used to sell data were shut down.
  • Arrests: 12 key figures, including operators from Asia, were identified, and some were arrested.
  • Preventative Effect: The operation demonstrated that joint efforts by banks, payment systems, and law enforcement can quickly stop complex cybercrimes, which is especially important in Asia, where the digital economy is growing faster than security systems.

Why is this important for Asia?

Asia is one of the fastest-growing regions in digital payments, but this also makes it vulnerable to carding. According to Mastercard, approximately 30% of all global attacks on payment systems will target the Asia-Pacific region in 2023. Reasons for this include:
  • High penetration rate of mobile payments (e.g. in China, India, South Korea).
  • Active use of cryptocurrencies for money laundering.
  • The presence of local darknet forums and "mules", which makes tracking difficult.

Operation Carding Action 2021 demonstrated that regional banks (such as DBS in Singapore or HDFC in India) can collaborate effectively with global institutions if they use advanced analytics technologies and share data in real time.

Lessons and learning implications

  1. Cross-sector collaboration: The operation's success highlights the importance of integrating the efforts of banks, payment systems, cybersecurity companies, and law enforcement. Each participant brings unique insights and tools.
  2. The Role of Technology: Darknet analysis tools, like those used by Group-IB, enable early detection of threats. This is especially important for educational purposes: future cybersecurity professionals should study such technologies.
  3. Global and local approaches: Carding is a global threat, but in Asia it has local specifics (for example, the use of regional payment systems). This requires adapting strategies.
  4. Preventative measures: Banks can minimize risks by implementing real-time transaction monitoring systems and training customers to recognize phishing and other threats.

Conclusion

Operation Carding Action 2021 is an example of how coordinated efforts by banks, payment systems, cybersecurity companies, and law enforcement can effectively counter carding networks. In Asia, where the digital economy is growing rapidly, such initiatives are especially important. This case demonstrates to students and professionals in cybersecurity and finance the importance of data integration, the use of advanced technologies, and international cooperation in protecting financial systems.
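
The bank-side anomaly detection and real-time transaction monitoring described above can be sketched as two streaming rules: repeated small-amount attempts on one card, and a transaction from a country the card has not been seen in before. This is an added example, not part of the original post or any participant's system; the field layout, thresholds, card tokens and sample transactions are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data: (txn_id, card_token, ISO timestamp, amount, country)
SAMPLE_TXNS = [
    ("t1", "card_A", "2021-11-02T10:00:00", 54.20, "SG"),
    ("t2", "card_A", "2021-11-02T18:30:00", 12.00, "SG"),
    ("t3", "card_B", "2021-11-03T09:00:00", 1.00, "MY"),
    ("t4", "card_B", "2021-11-03T09:01:10", 1.50, "MY"),
    ("t5", "card_B", "2021-11-03T09:02:05", 0.99, "MY"),
    ("t6", "card_A", "2021-11-03T09:05:00", 310.00, "BR"),
    ("t7", "card_B", "2021-11-03T15:00:00", 80.00, "MY"),
]

def flag_transactions(txns, small_amount=2.00, max_small=3,
                      window=timedelta(minutes=5), min_history=2):
    """Return {txn_id: [reasons]} for transactions matching either rule.

    Thresholds are illustrative assumptions, not values from the operation.
    """
    recent_small = defaultdict(deque)   # card -> timestamps of small attempts
    seen_countries = defaultdict(set)   # card -> countries seen so far
    history_len = defaultdict(int)      # card -> number of prior transactions
    flags = {}
    # ISO 8601 timestamps sort chronologically as strings.
    for txn_id, card, ts, amount, country in sorted(txns, key=lambda t: t[2]):
        when = datetime.fromisoformat(ts)
        reasons = []
        # Rule 1: repeated small-amount attempts on one card in a short window.
        if amount <= small_amount:
            q = recent_small[card]
            q.append(when)
            while q and when - q[0] > window:
                q.popleft()
            if len(q) >= max_small:
                reasons.append("small-amount velocity")
        # Rule 2: a country never seen for a card that has enough history.
        if history_len[card] >= min_history and country not in seen_countries[card]:
            reasons.append("unusual location")
        seen_countries[card].add(country)
        history_len[card] += 1
        if reasons:
            flags[txn_id] = reasons
    return flags

if __name__ == "__main__":
    for txn_id, reasons in flag_transactions(SAMPLE_TXNS).items():
        print(txn_id, reasons)
```

In production such rules feed a review or step-up authentication queue rather than blocking outright, since legitimate travel and low-value purchases also match them.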