Depop is a mobile-first, peer-to-peer marketplace focused on second-hand fashion, streetwear, vintage items, and accessories. It has around 45 million users worldwide, with heavy concentration in the US, UK, EU, and Australia. The platform operates like a mix of Instagram (social feeds, likes, follows) and eBay (listings, offers, direct buys), but all transactions are mandated to occur in-app via the official "Buy" button.
In 2025, Depop remains one of the least "cardable" mainstream e-commerce/resale platforms for traditional card-not-present (CNP) fraud using stolen card details (CCs/fullz). Underground carding communities (e.g., monitored forums like carder.market and crdpro.cc) rarely feature Depop-specific methods, working BINs, or success stories. It's generally classified as low-ROI and high-risk, with discussions shifting to easier targets like non-3DS gift card sites or crypto conversions.
Estimated success rate for direct CNP carding (adding stolen CC and buying): Under 20-30% even with premium setups (residential SOCKS5 matching cardholder location, aged accounts, anti-detect). Most attempts fail at card add or checkout with "declined" or "risk review" errors.
Depop's response: Quick account bans, in-app reporting tools, education prompts, and collaboration with law enforcement (e.g., rising reports to IDCARE in Australia).
2025 Bottom Line: Depop prioritizes safety with mandatory in-app flows, heavy 3DS reliance, and processor-level AI — making it a poor target for carders. Fraud exists but overwhelmingly via off-app manipulation, not stolen card adds. For legitimate users: Always transact in-app, use tracked shipping, document everything, and enable notifications. Platforms like this are safer when rules are followed strictly.
In 2025, Depop remains one of the least "cardable" mainstream e-commerce/resale platforms for traditional card-not-present (CNP) fraud using stolen card details (CCs/fullz). Underground carding communities (e.g., monitored forums like carder.market and crdpro.cc) rarely feature Depop-specific methods, working BINs, or success stories. It's generally classified as low-ROI and high-risk, with discussions shifting to easier targets like non-3DS gift card sites or crypto conversions.
Why Direct Carding on Depop Has Extremely Low Success Rates in 2025
Depop enforces strict payment rules and leverages advanced processors, making it hostile to standard carding techniques:- Mandatory In-App Payments Only: All buys must use Depop's integrated checkout (no external links, PayPal direct, Venmo, or bank transfers allowed). Off-app deals void all protections and trigger bans. Payments are handled exclusively through Stripe (primary in most regions) and Adyen (EU/UK heavy), both of which enforce aggressive fraud controls.
- Widespread 3D Secure (3DS/SCA) Enforcement:
- In the EU/UK/Australia, PSD2 regulations require Strong Customer Authentication (SCA) for nearly all transactions. This means 3DS (Verified by Visa, Mastercard Identity Check) triggers frequently — often on every purchase over low thresholds (~€20-50 or equivalent).
- Even in the US, Depop applies risk-based 3DS via Stripe, challenging suspicious adds/purchases with OTP, biometrics, or push notifications.
- Without access to the victim's phone/app for authentication, transactions hard-decline. True non-VBV/non-3DS bins are virtually nonexistent on Depop in 2025.
- Advanced Anti-Fraud Layering:
- Device Fingerprinting: Stripe and Adyen collect extensive browser/device signals (canvas hashing, WebGL, fonts, hardware concurrency, timezone, etc.) to detect anti-detect browsers, VMs, or mismatched fingerprints.
- Velocity Checks: Monitors purchase speed/frequency — multiple buys from a new account, rapid adds to cart, or high-value items on fresh profiles flag instantly.
- Geo-Matching and Behavioral AI: IP/billing/shipping address mismatches, unusual session behavior (e.g., fast scrolling, no engagement with listings), or velocity anomalies trigger declines or holds.
- Machine Learning Models: Real-time risk scoring flags "card testing" patterns or known fraud signals.
Estimated success rate for direct CNP carding (adding stolen CC and buying): Under 20-30% even with premium setups (residential SOCKS5 matching cardholder location, aged accounts, anti-detect). Most attempts fail at card add or checkout with "declined" or "risk review" errors.
Common Attempted Techniques and Why They Fail
- Standard Fullz/CC Add: Using stolen card details on a new/farmed Depop account → High failure due to 3DS challenges and fingerprint/geo flags.
- Account Warming: Starting with low-value buys to build trust → Occasionally slips small amounts (<$20-30), but scaling triggers velocity bans.
- Chargeback Abuse (Friendly Fraud): Buy legitimately (or semi), receive item, then dispute via bank → Possible but risky; Depop investigates with tracking proof, in-app messages, and seller evidence. Stripe/Adyen share data, leading to account/IP blacklists.
- No Dedicated Underground Tools: No "Depop bins" lists or custom scripts circulate widely — contrast with Shopify or standalone stores.
Primary Fraud Trends on Depop in 2025 (Mostly Non-Carding)
Fraud reports (from sources like FTC, IDCARE, and cybersecurity analyses) show the platform's biggest issues are social engineering, not direct payment fraud:- Off-Platform Lures: Scammers push buyers/sellers to Instagram, WhatsApp, or direct PayPal/Venmo for "better deals" — bypassing protections. Common for fake payments or overpayment refunds.
- Bait-and-Switch/Swap Scams: Seller sends wrong/damaged/counterfeit item; buyer disputes.
- Fake Returns/Chargebacks: Buyer swaps item and returns fake/damaged version.
- Phishing for Account Takeover: Fake "shipping issue" emails/links to steal logins.
- Seller-Targeted Overpayment: Fake "extra funds sent" screenshots, asking for refund.
Depop's response: Quick account bans, in-app reporting tools, education prompts, and collaboration with law enforcement (e.g., rising reports to IDCARE in Australia).
Buyer and Seller Protections
- Buyer Protection: Full refunds if item not received, damaged, or not as described (via in-app buys only; report within 30-180 days depending on region).
- Seller Protection: Covers lost/damaged shipments (up to $300/£250/A$300) with tracked Depop labels; defends against false claims with evidence.
2025 Bottom Line: Depop prioritizes safety with mandatory in-app flows, heavy 3DS reliance, and processor-level AI — making it a poor target for carders. Fraud exists but overwhelmingly via off-app manipulation, not stolen card adds. For legitimate users: Always transact in-app, use tracked shipping, document everything, and enable notifications. Platforms like this are safer when rules are followed strictly.
