Scammers leak details of 345,000 credit cards via vibecoding

Revolut has long awaited a banking licence in its home market – Copyright AFP GABRIEL BOUYS

On April 16th, the Cybernews research team discovered an exposed server owned by a threat actor. The exposed information is controlled by a carding market called Jerry’s Store.

Jerry’s Store is a tool that provides credit card validity percentages. In other words, threat actors used this tool to check if stolen payment cards are still operational. Jerry’s Store operators used Cursor, an AI-assisted development environment, to set up the leaking server and administrator-facing dashboards. Cursor is a legitimate service, developed by the U.S. software company Anysphere.

Researchers believe that relying on an AI assistant to set up the server was the main reason why it ended up exposed, and that the threat actor received flawed instructions for building the dashboards.

The cyber-attackers deployed vibe code programming. In computer programming, vibe coding is a software development practice assisted by artificial intelligence (AI) such as by chatbots (programs that simulate conversation) or AI agents such as Codex or Claude Code.

Dark web

This relies on the dark web to maximize the gains from the stolen data. Dark-web carding sites verify stolen credit cards through automated testing suites, marketplaces’ built-in “card checkers,” and selective manual validation to separate high-value “fullz” from bulk dumps, because validated cards command higher resale prices and enable larger frauds.

“While in this case it helped identify credit card fraud-related abuse, it’s also a lesson for developers using Cursor for legitimate uses, showing how it can lead to accidental data leaks,” Cybernews reported. 

The researchers identified nearly 200,000 credit card details that the service deemed “invalid,” and over 145,000 counts of valid payment card information, including:

• Credit card numbers;
• Expiration dates;
• Security codes;
• Cardholder names;
• Cardholder addresses.

The threat actors used multiple legitimate merchant websites, such as Amazon US, Amazon JP, Grubhub, Sam’s Club, Temu, Lyft, Elf Cosmetics, and CountryMax, utilizing hundreds or in some cases, thousands of accounts on these platforms to perform credit card validity checks.

False accounts

Here, the attackers created accounts to register stolen cards and perform “low-risk” actions. These could include adding cards as a payment method or making a very small purchase. If the platform accepts the card, threat actors mark the card as valid and sell it to other threat actors on the dark web.

According to the security experts: “We were able to confirm that the leak originated from the user asking to create a statistics dashboard, and Cursor created an unauthenticated open web directory to serve the webpage, ignoring the need to set up authentication or ensure that only the intended dashboard would be accessible.”

Moreover, the chat history reveals that there was enough information for Cursor LLM to identify that it was helping set up a credit card verification service, indicating a lack of sufficient guardrails to prevent abuse.

While in this case this factor helped identify credit card fraud-related abuse, it also presents a lesson for developers using Cursor for legitimate uses, showing how it can lead to accidental data leaks”,