Informal training of carders in underground darknet ecosystems

[Good Carder]

Informal Carder Training in Darknet Underground Ecosystems: Evolution, Structure, and High-Level Analysis for Threat Intelligence and Cybersecurity Purposes​

(educational and scientific purposes only)
This title accurately reflects the content: it emphasizes the informal nature, the focus on analysis (not instructions), the scientific approach, and the strict limitation on security goals. Alternatives: "The Evolution of Carder 'Schools' and Tutorials on the Darknet: A Review of Public Reports on Cyberthreats" or "From Self-Training to 'Cybercrime Academies': An Analysis of Carder Training Programs through the Lens of Threat Intelligence."

Below is a significantly expanded, detailed, and restructured version of the entire material. I've improved the logic (from the general to the specific, with clear sections and subsections), added depth based on public reports from cybersecurity researchers (Group-IB, Recorded Future, SOCRadar, ISACA, Forbes, and academic papers from 2020–2026), and introduced specific examples (high-level only, without any actionable details), statistics, and comparisons. Everything is exclusively for understanding threats, developing protective measures and threat intelligence.

1. Introduction: Why carders are trained this way​

Unlike legitimate cybersecurity, which offers accredited universities, certifications (CISSP, CEH), and open courses, carder training is entirely informal, closed, and commercialized. It takes place within darknet forums, Telegram channels, and marketplaces, where knowledge is monetized as "Fraud-as-a-Service" (part of the broader Cybercrime-as-a-Service (CaaS) model).

According to research conducted in 2025–2026, the "Courses/Tutorials" category (courses and guides on fraud, including carding) occupies a leading position among "Access Crime" offerings on darknet marketplaces — thousands of listings, often more than malware or phishing kits. This reflects a trend: the barrier to entry into cybercrime is being lowered by ready-made "training packages," allowing newcomers without a technical background to quickly master the schemes. The goal of such programs is not education in the academic sense, but rather a quick path to profit.

2. Historical evolution of carder training​

The training went through several stages, parallel to the evolution of carding itself:

• 2000s - early 2010s (chaotic period): IRC channels and the first large forums (Vendorsname, Mazafaka, Shadowcrew). Knowledge was shared through open discussions, simple text guides, and personal communication. Newbies ("noobs") copied others' methods through trial and error. For example, forums like Darkmarket (closed by law enforcement) had sections with basic tutorials on exchanging dumps (map data).
• 2010s (structuring): The emergence of specialized carding forums (Club2Crd, WWH-Club, Russian-language XSS). Separate sections emerged: "Newbie Section," "Guides & Tutorials," and "Questions for Beginners." The first paid manuals appeared. Training became more systematic, ranging from anonymity to cash-out.
• 2020s (professionalization and CaaS): Migration to Telegram and darknet marketplaces. Education has become a full-fledged business: paid courses, mentoring, "academies." According to reports from Group-IB and Recorded Future, this is due to the industrialization of fraud — carding is being integrated with other services (drops, mules, automation). Trend 2026: Despite a decline in the volume of traditional carding (due to improved banking protection), demand for "educational content" remains high.

3. Modern formats and channels of training (detailed classification)​

Today, training takes place through four main channels (all closed):

• Self-study through forums and discussions.
  Open (within the community) sections with free guides. Example: "Tutorials" subsections on forums like Carder.su or XSS, where they publish OPSEC checklists, discussions on "why old methods are dead," and analyses of new bank defenses. Newbies read archives and ask questions in "Newbie" threads.
• Paid tutorials and "training packages."
  Ready-made PDFs, videos, or lesson series (priced from tens to hundreds of dollars in crypto). Basic ones are cheap or free; advanced ones (bypassing specific systems, automation) are expensive. Sold in the "Guides & Tutorials" sections with "guarantees" from the author. An example from a marketplace analysis: thousands of "Course" listings on fraudulent methods for beginners.
• Mentoring and closed "schools."
  Experienced participants form groups in private chats. Format: assignments, feedback, homework, a roadmap from beginner to pro. Sometimes with support until the first profit.
• "Academies" and "Universities" on the Darknet
  The most prominent and thoroughly publicly described example is HackTown (active c. 2020–2022, mentioned in ISACA reports, Forbes, and podcasts). It positioned itself as a "Hogwarts for hackers" or a "college for cybercriminals."
  What HackTown offered (according to public descriptions):
  • Free trial courses: OPSEC (operational security) basics, network attacks, Wi-Fi hacking, basic carding (card data trading, theft, and money laundering).
  • Paid access (~$125 for registration): a complete package with tools + step-by-step guides.
  • Programs: Carding Diploma (focus on card fraud) and Professional Cybercriminal Degree (more broadly).
  • The goal: to turn someone without programming skills into a "pro" in a short period of time using hands-on materials. Such projects are unstable, often shut down, or turn out to be scams, but they illustrate the trend toward "certified" training.

4. Typical structure of a training “program” (reconstruction from research)​

Researchers (crime script analysis of tutorials) distinguish 4 conditional levels (not instructions, but generalization):

1. Basic (1-2 weeks, beginner): Anonymity and OPSEC (VPN, VM, proxy, anti-detection browsers). Basic concepts (BIN, fullz, dumps). Example topic: "How to leave no trace."
2. Intermediate: Validating card data, searching for "cardable" sites, simple testing operations. Example: analyzing validators and checkers (high-level).
3. Advanced: Cash-out, bypassing 3D-Secure/additional protections, working with drops and mules, integration with other fraud schemes (phishing, ATO).
4. "Graduation"/professional: Scaling, team building, moving into related niches (RaaS, insider schemes). Example: "How to build your own carding business."

Many tutorials are structured like a crime script — a step-by-step analysis of a crime with risks at each stage.

5. Risks and the "dark side" of learning​

• Scams within the community: 80–90% of "courses" are scams (the author disappears). Beginners are deliberately deceived by "training sellers."
• Legal: Even passive reading is monitored by law enforcement.
• Technical and financial: Bad advice leads to quick blocking; start-up capital is lost.
• Social: Low trust — forums have "blacklists of rippers." Example: constant "board wars" between forums due to scams.

Conclusion​

Carder training has evolved from chaotic chat rooms to commercial "academies" like HackTown, reflecting the industrialization of cybercrime. However, it remains an extremely risky and illegal industry, where most "students" lose money.