A website that sells stolen credit card data has paradoxically been hacked and had the information shared with “multiple sources”, online cybercriminal investigation site KrebsonSecurity has reported.

BriansClub, the site that named itself after the KrebsonSecurity author, Brian Krebs, in a peculiar fraud attempt, contains over 26 million credit and debit card details. These have been taken from online shops over a four-year period and include almost 8 million records from this year alone.

Krebs is an investigative journalist and claims that a plain text file was shared with him last month, which seemed to contain a full database of card details.

The discovery

“Multiple people who reviewed the database shared by my source confirmed that the same credit card records also could be found in a more redacted form simply by searching the BriansClub Web site with a valid, properly-funded account.” The journalist wrote on his site.

He added: “All of the card data stolen from BriansClub was shared with multiple sources who work closely with financial institutions to identify and monitor or reissue cards that show up for sale in the cybercrime underground.”

Most of the details on the site are just a string of zeros and ones, otherwise known as dumps, which can be used to make online purchases when encoded.

Hacking the hacker

On the hacking of the site, Ilia Kolochenko, founder and CEO of web security company ImmuniWeb, has commented: “Today, cybercriminals are not immune from being hacked themselves. Sadly, most of these “internal” incidents further exacerbate situation for the victims who will likely find their PII or stolen cards being exposed even to bigger number of unauthorized third parties.”

“The presumed value for law enforcement agencies, when the data about illicit traders becomes public, is likewise questionable given that most of the readers know how to use chained VPNs and proxies. With the upcoming introduction of dynamic CVV, credit card theft business will likely vaporize. However, cybercriminals are already fully equipped to shift their attention to crypto wallets and other low-hanging fruits.” Kolochenko added.

It’s believed that the stolen card data website holds details of cards worth $414 million.