{
	"id": "4c904abd-8772-415e-99d2-5bc00904a3ba",
	"created_at": "2026-04-06T00:13:22.451453Z",
	"updated_at": "2026-04-10T03:33:53.597684Z",
	"deleted_at": null,
	"sha1_hash": "e4f1843a841f5d66f14a2f70ab97f606bece5888",
	"title": "Card data from the Volusion web skimmer incident surfaces on the dark web",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 362671,
	"plain_text": "Card data from the Volusion web skimmer incident surfaces on the dark web\r\nWritten by Catalin Cimpanu, Contributor. March 12, 2020 at 7:00 a.m. PT\r\nArchived: 2026-04-05 17:12:41 UTC\r\nCard data stolen last year from Volusion-hosted online stores has surfaced on the dark web, Gemini Advisory, a threat intel firm specializing in fraud detection, reported today.\r\nThe stolen card data relates to a security breach that ZDNet reported last year, in October 2019.\r\nAt the time, hackers breached the servers of Volusion, a Shopify-like platform that provides hosting for online stores.\r\nHackers breached one of the company's servers and placed malicious JavaScript code that was eventually loaded on some of the company's customer stores.\r\nThe malicious code, as analyzed and confirmed by multiple parties, recorded payment card details entered in checkout forms.\r\nExact number of impacted stores: 6,589\r\nThe Volusion hack was discovered on October 8, 2019, but Gemini researchers said today in a report shared with ZDNet that the breach dated back to a month earlier, on September 7.\r\nFurthermore, researchers also said they found the malicious code on only 6,589 of Volusion's stores, reducing the breach's impact from the initially reported 20,000 potentially impacted stores.\r\nHowever, while the breach was smaller, it wasn't less impactful. Gemini Advisory said today the stolen card data was uploaded a month later, in November 2019, on a dark web hacking forum where it has been up for sale ever since.\r\nGemini Advisory said it suspects that hackers might have gotten their hands on almost 20 million payment card details during last year's hack, but, for now, it only tracked 239,000 Card Not Present (CNP) records back to Volusion-based stores.\r\nSome of the card details have been sold, Gemini said, estimating that the hackers made nearly $1.6 million in revenue.\r\nIn a subsequent report following ZDNet's coverage, Trend Micro attributed the hack to a group known as FIN6, also believed to have been behind other web-skimming (Magecart) incidents, such as those at British Airways and retail giant Newegg.\r\nA Volusion representative was not immediately available for comment.\r\nSource: https://www.zdnet.com/article/card-data-from-the-volusion-web-skimmer-incident-surfaces-on-the-dark-web/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.zdnet.com/article/card-data-from-the-volusion-web-skimmer-incident-surfaces-on-the-dark-web/"
	],
	"report_names": [
		"card-data-from-the-volusion-web-skimmer-incident-surfaces-on-the-dark-web"
	],
	"threat_actors": [
		{
			"id": "12517c87-040a-4627-a3df-86ca95e5c13f",
			"created_at": "2022-10-25T16:07:23.61665Z",
			"updated_at": "2026-04-10T02:00:04.689Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"ATK 88",
				"Camouflage Tempest",
				"FIN6",
				"G0037",
				"Gold Franklin",
				"ITG08",
				"Skeleton Spider",
				"Storm-0538",
				"TAAL",
				"TAG-CR2",
				"White Giant"
			],
			"source_name": "ETDA:FIN6",
			"tools": [
				"AbaddonPOS",
				"Agentemis",
				"AmmyyRAT",
				"Anchor_DNS",
				"BlackPOS",
				"CmdSQL",
				"Cobalt Strike",
				"CobaltStrike",
				"FlawedAmmyy",
				"FrameworkPOS",
				"Grateful POS",
				"JSPSPY",
				"Kaptoxa",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LockerGoga",
				"MMon",
				"Magecart",
				"Meterpreter",
				"Mimikatz",
				"More_eggs",
				"NeverQuest",
				"POSWDS",
				"Reedum",
				"Ryuk",
				"SCRAPMINT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Terra Loader",
				"TerraStealer",
				"Vawtrak",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"cobeacon",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed",
			"created_at": "2023-01-06T13:46:38.814104Z",
			"updated_at": "2026-04-10T02:00:03.110104Z",
			"deleted_at": null,
			"main_name": "MageCart",
			"aliases": [],
			"source_name": "MISPGALAXY:MageCart",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ea7bfe06-7c23-481d-b8ba-eafa6cda3bc9",
			"created_at": "2022-10-25T15:50:23.317961Z",
			"updated_at": "2026-04-10T02:00:05.280403Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"FIN6",
				"Magecart Group 6",
				"ITG08",
				"Skeleton Spider",
				"TAAL",
				"Camouflage Tempest"
			],
			"source_name": "MITRE:FIN6",
			"tools": [
				"FlawedAmmyy",
				"GrimAgent",
				"FrameworkPOS",
				"More_eggs",
				"Cobalt Strike",
				"Windows Credential Editor",
				"AdFind",
				"PsExec",
				"LockerGoga",
				"Ryuk",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3acfb48-b04d-4d3d-88a8-836d7376fa2e",
			"created_at": "2024-06-19T02:03:08.052814Z",
			"updated_at": "2026-04-10T02:00:03.659971Z",
			"deleted_at": null,
			"main_name": "GOLD FRANKLIN",
			"aliases": [
				"FIN6 ",
				"ITG08 ",
				"MageCart Group 6 ",
				"Skeleton Spider ",
				"Storm-0538 ",
				"White Giant "
			],
			"source_name": "Secureworks:GOLD FRANKLIN",
			"tools": [
				"FrameWorkPOS",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"PowerSploit",
				"PowerUpSQL",
				"RemCom"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ee3363a4-e807-4f95-97d8-b603c31b9de1",
			"created_at": "2023-01-06T13:46:38.485884Z",
			"updated_at": "2026-04-10T02:00:02.99385Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"SKELETON SPIDER",
				"ITG08",
				"MageCart Group 6",
				"ATK88",
				"TA4557",
				"Storm-0538",
				"White Giant",
				"GOLD FRANKLIN",
				"G0037",
				"Camouflage Tempest"
			],
			"source_name": "MISPGALAXY:FIN6",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434402,
	"ts_updated_at": 1775792033,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e4f1843a841f5d66f14a2f70ab97f606bece5888.pdf",
		"text": "https://archive.orkl.eu/e4f1843a841f5d66f14a2f70ab97f606bece5888.txt",
		"img": "https://archive.orkl.eu/e4f1843a841f5d66f14a2f70ab97f606bece5888.jpg"
	}
}