Identification of Public Infrastructure Linked to 'Best CVV Online, Fresh CVV' Dark Web Marketplace
By Threat Intelligence Unit
Executive Summary
- "Best CVV Online, Fresh CVV", a dark web site engaged in selling credit card-related information, operates 15 onion domains.
- The site offers credit card-related information associated with the US, UK, AU, JP, CA, FR, and GE.
- Seven public IP addresses were identified in connection with these onion domains.
Site Analysis
The following image shows the interface of “Best CVV Online, Fresh CVV,” a dark web marketplace engaged in the sale of credit card-related information.
The site operates multiple onion domains.
During the initial investigation, all the onion domains listed below were operational and accessible. However, at the time of writing, they are no longer reachable.
Identified Onion Domains
Main Onion Address
vbdqzxc4uanwyypyywt2lyvvc4pvklc4hh46keb6ylthq4qdpg62xeqd.onion
Figure 1. Best CVV Online marketplace site
Additional Onion Domains
bvccshopqusaceri7nzq2erpbkhppifwk7wrl2rhgcusxiil4jmtmaid.onionbvccshop3gcywlshbpoqtq3co7wvfj2au6uywd6kmcu2i2dbgn7ixcyd.onionbvccshop66bze4f7wy7mkavyhzvdctabbrxymse3hzmx7gou5jih6id.onionbvccshopquom77zsikwpmon2idgnsmv6evxnjweh4mk5duzdz2wu3hid.onionbvccshopuk2iyiehpzs5v6f7qem3shkaafkmgehg5g4sbqmfmjwghjad.onionbvccshopz4civ6g76kday44jz2fafp62xib7ajdn26yzzleqcufwffqd.onionbvcvvshopouzmrcj4lhtj3kpz3fh5w5vxmiqiyiakyugh3mid2utjuad.onionbvccrumudihleuhwscquhrc7z6wklxeh5oe6zblekt5vf7ai7khhvpid.onionbvcvvrutq4pjdkb2xlprnfyyl6qn6dqure5pf5mu3wcyxk2a2mlsc2yd.onionbvshop7ebgtrznddy64pwx2oouze5sla6yfh3toiqd3zgzdsktxglqad.onioncvvshopilz57dqlbv6qf43m6zd7edszh24auy5y6zlq5hqslyc3txyad.onionbvccrup5dez6n4fxt57bo4mgizzrlzdfvcv5c4xz4elaln4ultfqcyyd.onionbvshopkrtlnghm5k25d7qkoybdwlusyknssyna3ubaqkwebnotjmtfqd.onionbvshopputad3thnjq4xnsx22qbghym5r7usyispalqhd2bc76de5jcid.onion
Upon logging into the site, a main dashboard is displayed which includes menus for purchasing and selling credit card information.
Figure 2. Best CVV Online marketplace main dashboard
Site Activity
The main page features a news board containing operational updates.
According to the site's own post, approximately 40,000 credit card entries were newly uploaded.
These entries reportedly include data associated with:
- United States
- United Kingdom
- Australia
- Japan
- Canada
- France
- Georgia
- Other regions
Figure 3. Main page news board
CVV Search Menu
The CVV Search section allows users to browse various credit card entries and view associated prices.
Figure 4. Credit card details with associated prices
Latest Fresh CVV Menu
The Latest Fresh CVV section appears to provide newly uploaded card-related information.
Figure 5. Latest Fresh CVV main dashboard
Figure 6. Newly updated card details with associated prices
Infrastructure Analysis
Multiple public IP addresses were identified through Oasis Security’s dark web infrastructure analysis service Arthur.
Identified Onion Infrastructure
Onion Address:
vbdqzxc4uanwyypyywt2lyvvc4pvklc4hh46keb6ylthq4qdpg62xeqd.onion
| IP | Country | ASN |
|---|---|---|
107.172.***.*** | United States | AS36352 |
103.214.***.*** | Netherlands | AS137409 |
Onion Address:
bvshop7ebgtrznddy64pwx2oouze5sla6yfh3toiqd3zgzdsktxglqad.onion
| IP | Country | ASN |
|---|---|---|
103.214.***.*** | Netherlands | AS137409 |
Onion Address:
bvccrumudihleuhwscquhrc7z6wklxeh5oe6zblekt5vf7ai7khhvpid.onion
| IP | Country | ASN |
|---|---|---|
205.185.***.*** | United States | AS53667 |
Onion Address:
cvvshopilz57dqlbv6qf43m6zd7edszh24auy5y6zlq5hqslyc3txyad.onion
| IP | Country | ASN |
|---|---|---|
107.189.***.*** | Luxembourg | AS53667 |
Onion Address:
bvcvvshopouzmrcj4lhtj3kpz3fh5w5vxmiqiyiakyugh3mid2utjuad.onion
| IP | Country | ASN |
|---|---|---|
178.208.***.*** | Netherlands | AS214798 |
Onion Address:
bvcvvrutq4pjdkb2xlprnfyyl6qn6dqure5pf5mu3wcyxk2a2mlsc2yd.onion
| IP | Country | ASN |
|---|---|---|
192.210.***.*** | United States | AS36352 |
Associated Network Ranges
| ASN | Network Range |
|---|---|
| AS137409 | GSL Networks Pty LTD |
| AS214798 | Digital City FZE |
| AS36352 | HostPapa |
| AS53667 | FranTech Solutions |
| AS33993 | UFO Hosting LLC |
External Promotion Activity
The site operators were also observed promoting the marketplace on general hacking forums.
Figure 7. Promotional activity of Best CVV Online marketplace observed on a hacking forum
Conclusion
The Best CVV Online, Fresh CVV marketplace operates through numerous Tor hidden services and appears to distribute credit card-related information across multiple geographic regions. Infrastructure analysis identified seven public IP addresses associated with the platform’s backend infrastructure.