Dark Web Scammers Expose 345,000 Stolen Credit Card Records Due to Vibe Coding Risks

A significant breach in cybersecurity has emerged from a dark web marketplace known as “Jerry’s Store,” which specializes in selling stolen credit card data. This incident, which has exposed over 345,000 credit card records, underscores the vulnerabilities associated with the increasing reliance on artificial intelligence (AI) coding tools in the cybercrime landscape. Researchers are now highlighting the dangers of “vibe coding,” a practice where AI-generated software is deployed without adequate security measures or human oversight.

The Incident Unfolds

Researchers at Cybernews recently identified an unsecured server linked to Jerry’s Store, a platform that not only sold stolen payment card information but also provided tools for customers to verify the validity of these cards before purchase. The exposed data included internal systems, validation logs, and administrative dashboards, revealing a troubling lack of security protocols.

The breach occurred because the operators of Jerry’s Store constructed substantial parts of their infrastructure using AI coding assistants, specifically Cursor, developed by Anysphere, a U.S.-based software company. While Cursor is a legitimate tool employed by many developers, the operators of Jerry’s Store reportedly relied on it excessively to create both backend systems and internal dashboards without implementing necessary security checks.

The Risks of Vibe Coding

This incident serves as a stark example of the risks associated with vibe coding, a growing trend where users provide vague instructions in plain language, allowing AI systems to generate code automatically. The lack of specificity in these instructions can lead to significant oversights, particularly in security measures.

Cybernews researchers noted that the problems began when the operators issued unclear directives to the AI system, which resulted in an exposed web dashboard accessible via a standard browser, devoid of password protection or authentication barriers. The server was discovered on April 16, revealing sensitive information that had been left unguarded on the internet.

The leaked data comprised approximately 145,000 valid payment card records, including full card numbers, expiration dates, CVV codes, names, and billing addresses. Additionally, around 200,000 records were flagged as invalid by the system.

How the Card Validation System Operated

The exposed platform functioned as a card verification service for criminals purchasing stolen payment details. Instead of selling untested card data, the system performed real-world payment tests through legitimate companies to ascertain whether the cards were still active.

The operators created fake accounts on various platforms, including Amazon, Grubhub, and Lyft, conducting small transactions or adding stolen cards as payment methods to verify their functionality. Cards that passed these checks were marked as valid and sold at higher prices on dark web marketplaces, as verified cards are significantly more valuable in cybercrime forums.

Cybernews traced the leak back to a specific request within the operators’ chat history with Cursor. An administrator had asked the AI to generate a statistics dashboard, which was subsequently deployed online without any security measures in place. This incident highlights the potential for accidental data leaks, even in legitimate software development contexts.

Regulatory Scrutiny and Broader Implications

The revelations surrounding Jerry’s Store come at a time when regulators worldwide are facing increasing pressure to address the rise of sophisticated online financial scams and digital fraud operations. In India, the Reserve Bank of India recently mandated five banks—Axis Bank, City Union Bank, ICICI Bank, IndusInd Bank, and Yes Bank—to compensate a victim of a large-scale “digital arrest” scam. The RBI ombudsman ordered the banks to collectively pay Rs 1.31 crore after identifying failures related to monitoring mule accounts and KYC compliance.

This case involves a retired banker, Naresh Malhotra, who claims that fraudsters siphoned off nearly Rs 23 crore through an elaborate scam operation currently under scrutiny by the Supreme Court of India. Together, these incidents illustrate a rapidly evolving cybercrime landscape where AI tools, inadequate security practices, and lapses in financial oversight are increasingly converging in perilous ways.

The exposure of sensitive data from Jerry’s Store not only raises concerns about the effectiveness of security measures in the dark web but also serves as a cautionary tale for developers and organizations utilizing AI tools in their operations. The need for robust security protocols and human oversight has never been more critical in safeguarding sensitive information in an era where cyber threats are becoming more sophisticated.

Source: www.firstpost.com

Keep reading for the latest cybersecurity developments, threat intelligence and breaking updates from across the Middle East.