sign up log in
Want to go ad-free? Find out how, here.

Report from virtual private network provider NordVPN shows NZ punching above its weight in terms of volume & desirability of payments cards found on the dark web

Personal Finance / news
Report from virtual private network provider NordVPN shows NZ punching above its weight in terms of volume & desirability of payments cards found on the dark web

NordVPN, a virtual private network provider, says analysis of four million payments cards found for sale on the dark web show nearly 50,000 were New Zealand cards.

The company says the 4,481,379 payment cards belonged to people from 140 countries. Of the total 49,668 were NZ cards. NordVPN says the average price of all the cards was US$9.70, with the average price of a NZ card US$18.54.

At 38,429, a large majority of the NZ cards were Visa cards, followed by 6,565 Mastercard cards, and 197 American Express cards. Visa has the biggest share of the NZ market.

NordVPN says 60% of the cards were debit cards and 40% credit cards. Visa Classic cards were 17 times more likely to be found on the dark web than premium cards.

"Since 2014 we have been seeing a constant growth in payment card fraud around the world. We decided to look into how much a payment card costs on the dark web and why there’s a booming underground black market for them,” says Marijus Briedis, Chief Technology Officer at NordVPN.

“And the answer is that hackers can easily make a lot of money. Even if a card costs only $10 on average, a hacker can make $40 million by selling a single database, like the one that we analysed.”

At 1,561,739, the highest number of cards came from the United States. At 419,806 cards, Australia was second.

Based on NordVPN's risk indexing, NZ was found to be the third most vulnerable country behind Hong Kong and Australia. The Netherlands was determined to be the least vulnerable.

Briedis says "brute forcing" is a key way the cards got onto the dark web.

“Increasingly, the card numbers sold on the dark web are brute-forced. Brute-forcing is a bit like guessing. Think of a computer trying to guess your password. First it tries 000000, then 000001, then 000002, and so on until it gets it right. Being a computer, it can make thousands of guesses a second. After all, criminals don’t target specific individuals or specific cards. It’s all about guessing any viable card details that work to sell,” says Briedis.

"There is little users can do to protect themselves from this threat, short of abstaining from card use entirely. The most important thing is to stay vigilant."

“Review your monthly statement for suspicious activity and respond quickly and seriously to any notice from your bank that your card may have been used in an unauthorized manner. Another recommendation is to have a separate bank account for different purposes and only keep small amounts of money on the one your payment cards are connected to. Some banks also offer temporary virtual cards you can use if you don’t feel safe while shopping online,” Briedis says.

NordVPN says its data was compiled in partnership with what it describes as independent researchers specialising in cybersecurity incident research. These researchers evaluated a database with the details of 4,478,908 cards, including details of the type of card being credit or debit, the issuing bank, and whether it was refundable.

The researchers compared the card data between countries with United Nations population statistics and the number of cards in circulation by country or region from Visa, Mastercard, and American Express. NordVPN says this allowed it to calculate the risk index to compare by country how likely a card is to be available on the dark web.

*This article was first published in our email for paying subscribers. See here for more details and how to subscribe.

We welcome your comments below. If you are not already registered, please register to comment.

Remember we welcome robust, respectful and insightful debate. We don't welcome abusive or defamatory comments and will de-register those repeatedly making such comments. Our current comment policy is here.


Hopefully some of the readers will find this useful.

Actually it is very simple to protect yourself.


You can easily generate digital VISA cards for payment.

One can freeze, unfreeze, replace, delete them.

You can use a digital card for a time period, then throw it away and replace it in a second.

Replace means you get new card details in seconds.

Good luck brute forcing those !



Thanks for that, I'll check it out.


Or simply lock your card via mobile banking app (all the big banks have this option I believe), unlock it when want to use, then re-lock.


Adds 30 seconds to each transaction, and is 100% effective.


My Visa card was used for 2 fraudulent Airbnb transactions last month. I have never used Airbnb. My bank BNZ notified me of suspicious activity and I cancelled the card. So far they have only recovered (ie refunded to me) one of the transactions. I am waiting to see if the second credit comes thru. No idea how /where the card was compromised. I do very very little online shopping. I have no doubt that if the BNZ had not alerted me promptly much more would have been charged.


For online use a debit card. Only put money in before you do transactions. That way any card hack is against the card will only find zero funds.