Carding Trends Related to Metaverses and Virtual Payment Systems: A Comprehensive Educational Overview

[Student]

Carding is a form of cyber fraud in which criminals use stolen credit card information (numbers, CVV, expiration dates) to make unauthorized purchases. In the context of metaverses (virtual worlds like Decentraland, The Sandbox, or Roblox with VR/AR elements) and virtual payment systems (cryptocurrencies, NFTs, DeFi wallets), carding is evolving, exploiting immersiveness and decentralization. The growth of metaverses by 2025 exacerbates these risks: by 2026, 25% of people are predicted to spend at least an hour a day in metaverses for work, shopping, and entertainment, creating new opportunities for fraud. Total e-commerce fraud could reach $107 billion by 2029, with a focus on alternative payments, including virtual ones.

This review is based on an analysis of cybersecurity and financial trend reports for 2024–2025. We'll analyze key trends at a high level, explain risk mechanisms (without providing implementation instructions), provide examples and statistics, and discuss educational aspects—why this is happening and how to understand the threats. The goal is to raise awareness of risks in the digital economy.

1. Phishing and Social Engineering in Immersive Virtual Environments​

Metaverses offer immersive interactions through avatars, VR headsets, and AR apps, making phishing more convincing. Attackers masquerade as trusted users or brands to trick users into revealing card details or accessing wallets.

• Why is this a trend? In 2025, deepfakes (AI-generated fake voices/videos) are expected to increase for authorized push payment (APP) scams, where victims are persuaded to transfer funds or share data. This is amplified in metaverses: avatars can "interact" in real time, impersonating friends or merchants. Fraud attack rates for payments in fintech are expected to increase by 90% in 2024–2025.
• Examples of risks: A hypothetical scenario: a fake virtual store in the metaverse, where a "seller" avatar offers "exclusive" NFT clothing, requesting card details for a "quick purchase." Or the use of stolen avatars to track other users and steal personal data for carding. In VR/AR devices, hackers can intercept data input through vulnerabilities, similar to AR spoofing.
• Educational aspect: This illustrates the "fraud triangle" (opportunity, pressure, rationalization): in metaverses, the anonymity of avatars reduces rationalization (guilt), while decentralization creates opportunities for attacks. Losses from APP scams amount to billions of dollars annually.

2. Hacking VR/AR devices and intercepting payment data​

VR headsets (such as Meta Quest) and AR glasses integrate with payment systems for seamless transactions, but their vulnerabilities allow data to be intercepted.

• Why is this a trend? By 2025, AR/VR devices will be vulnerable to hacking, malware, and cyberattacks, as they require personal data. The 80% growth of instant payments (FedNow, RTP) by 2026 increases the risks, as fraudsters exploit the speed. In metaverses, 80%+ of transactions are made via crypto or cards, making them a target.
• Examples of risks: Hackers could hack a device to steal card data during a virtual purchase (for example, by voice spoofing for confirmation). They could also use stolen avatars to access virtual wallets and conduct fraudulent transactions. In 2024–2025, fraud in ticketing (an analogue of virtual events) increased by 85%.
• Educational aspect: Devices store data on servers, and a compromise leads to a chain reaction: from data theft to carding. This highlights the importance of device security in the IoT+VR ecosystem.

3. NFT and Virtual Asset Scams​

NFTs (non-fungible tokens) and virtual real estate are key assets in the metaverse, but their decentralization makes them easy to launder through stolen cards.

• Why is this a trend? The NFT market will grow to $80 billion by 2030, with 2025 as the year of growth. Fraudsters use stolen cards to buy NFTs, then sell them for cash. Crypto fraud grew by 516% between 2024 and 2025, with metaverses becoming a new layer. Smart contract vulnerabilities in DeFi allow for exploitation.
• Examples of risks: Fake marketplaces in metaverses, where stolen cards buy virtual land, then launder the assets through cryptocurrency. Or pump-and-dump schemes with NFTs, where fraudsters inflate the price of stolen funds. Virtual economies are vulnerable to bubble formation and scams.
• Educational aspect: This shows how blockchain, designed for security, becomes vulnerable without regulation. Consumers prefer traditional cards (61%) in metaverses due to fraud protection.

4. Account takeover and ransomware in virtual wallets​

Decentralized wallets (MetaMask, WalletConnect) integrate with metaverses, but weak MFA makes them a target.

• Why is this a trend? In 2025, Fraud-as-a-Service democratizes scams, making takeover accessible. First-party misuse increased by 5–25% in 2024, with a focus on digital wallets. In metaverses, pseudo-anonymity increases AML/KYC risks.
• Examples of risks: Account hacking to use stolen cards for virtual purchases, or ransomware blocking access to NFTs with a ransom demand. 57% of companies reported an increase in fraud losses in 2024.
• Educational aspect: Highlights data silos in banks, where the lack of data integration (device ID, biometrics) gives an advantage to fraudsters.

Forecasts and general insights for 2025​

• Overall fraud in payments will increase due to AI (66% of merchants use genAI for detection). Metaverses will add a layer: 76% of consumers want fraud protection from cards.
• The risks are aggravated by the lack of regulations (GDPR-like for VR).
• Protection: Risk awareness, MFA use, platform verification, transaction monitoring. Banks integrate AI, preventing $41 billion in fraud by 2024.

This overview helps understand how innovation creates vulnerabilities, highlighting the balance between technology and security. For a more in-depth look, I recommend the FICO and Mastercard reports.