Singapore Ranks Second Worldwide for Stolen Payment Cards as Dark Web Trade Grows

Singapore’s high digital adoption brings exposure, not weakness

Singapore ranks second worldwide by share of stolen payment cards traded on dark web marketplaces, trailing the United States and ahead of Spain. The finding comes from analysis of about 50,700 card records collected in May 2025 by a threat exposure platform. More than 60 percent of the stolen cards in the sample belonged to American users, about 11 percent to users in Singapore, and about 10 percent to users in Spain.

Security specialists caution that this ranking reflects scale and digitalization, not a uniquely unsafe banking system. Singapore has one of the highest rates of online payments, mobile wallet use, and cross border e commerce in Asia. A larger digital footprint generates more opportunities for criminals to harvest card data, even when banks and merchants maintain strong controls.

Prices in these markets have risen over the past two years. New Zealand saw the steepest rise, more than 444 percent, with large jumps also reported in Argentina and Poland. Even with higher prices, stolen card data remains inexpensive for low tier criminals. A single card often costs about the price of a movie ticket. The global average sits around US$9, with wide variation by country. In Asia, Japan commands the highest average price at about US$22.80, followed by Kazakhstan at US$16.87 and Thailand at US$15.08. Cards issued in Singapore sell for about US$13.19 on average, an increase of roughly 29 percent from 2023. In Europe, prices cluster around US$11 to US$12 in Spain, France, and Switzerland.

How stolen card markets operate

The dark web is a set of hidden services that use anonymity software to mask identities and locations. It hosts markets where vendors list stolen card numbers, expiration dates, and sometimes full data with CVV, billing address, and device fingerprints. Data comes from malware on consumer devices, phishing pages that mimic bank and merchant sites, merchant system breaches, and compromised third party processors.

On these markets, cards are sold in bulk or one by one. Sellers often tag listings by issuing bank, country, and whether the card supports 3D Secure authentication. Buyers test small transactions, then attempt larger purchases of gift cards, flight tickets, or resellable goods. Industry research indicates a high share of listed card details remain usable for months, which gives criminals ample time to cash out if early test charges do not trigger fraud rules.

Supply, demand and pricing

Pricing follows simple supply and demand. Where supply is high, or where banks have aggressive fraud controls, cards are cheaper. Where supply is scarce and anti fraud checks are tight, cards cost more because successful fraud requires more preparation and patience. This dynamic explains why Japanese cards are among the most expensive and why a country with many cards listed, like Singapore, can have a moderate average price despite a large share of the overall sample.

Why Singapore sees a large share of stolen cards

Singapore is a financial and logistics hub with high card ownership and near universal acceptance of contactless payments. Consumers shop online with local and international merchants, pay for transport and dining with mobile wallets, and travel frequently. This creates a huge volume of legitimate transactions and stored card profiles across many services. Criminals harvest at scale from phishing kits that target regional banks and from malware that sweeps saved credentials and autofill data from browsers.

High adoption of tokenized mobile payments has also shifted fraud patterns. When banks and merchants block card not present fraud, criminals move to alternative paths, including provisioning stolen cards into phone wallets or tricking retailers during in person transactions. The market share of stolen Singapore issued cards in underground shops reflects this wide attack surface, not a lack of protections.

Anti fraud systems limit monetization

Banks in Singapore apply layered defenses. Transaction monitoring looks for unusual merchant categories or locations. 3D Secure pushes many online purchases through step up authentication. Alerts arrive within seconds, giving cardholders and banks a chance to freeze cards quickly. These controls, combined with strong chargeback rights, raise the cost and risk for criminals. That is one reason Singapore issued cards, while common on the dark web, are not priced at the top of the market.

From phishing to ghost tapping, how fraudsters cash out

Phishing remains the entry point for many cases. Attackers send fake delivery notices or bank security messages and lure victims to login pages that capture card and account credentials. Infostealer malware families such as Racoon, Azorult, and others quietly harvest saved logins and form data from browsers. Stolen identities, including national ID numbers and selfies collected for know your customer checks, are circulated on underground forums. These assets let criminals open mule accounts, launder money, and attempt account takeovers.

Mobile wallet abuse and in store fraud

A growing tactic links stolen card data to Apple Pay or Google Pay on burner phones for in store purchases. Analysts call part of this ecosystem ghost tapping because criminals can relay contactless signals or pre provision stolen cards and hand phones to recruited shoppers. Syndicates coordinate logistics, from recruiting mules and scripting shopping runs to fencing goods on Telegram or e commerce platforms. Reports describe large retail losses in Singapore with mules posing as tourists and moving quickly between stores. In late 2024, police recorded at least 656 cases and S$1.2 million in losses from credit card phishing and mobile wallet scams over three months.

Recent cases in Singapore show the playbook

Courts have heard several cases that mirror these methods. In one case, a 29 year old Chinese national was jailed for 30 months for using stolen card data to buy 20 iPhone 16 devices worth more than S$40,000 over three days. He was given a phone with an app that remotely loaded stolen card details obtained from phishing. Purchases were made at major electronics stores, the phones were resold for cash, and proceeds were collected by handlers.

In a separate case, a 25 year old Malaysian woman was sentenced for helping sell iPhones bought with card details loaded into a mobile wallet. Her partner made multiple purchases at Apple stores using virtual cards linked to victims. Bank alerts notified victims and police intervened before the pair could leave the country with the remaining proceeds. These prosecutions underscore how cross border syndicates dispatch runners to carry out quick, high value shopping sprees.

Insider risk and poor data handling

Risks also arise inside organizations. A former bank employee in Singapore was convicted for disclosing information on more than 1,000 customers after being deceived by callers posing as foreign police. While credit and debit numbers were not involved in a separate incident at a major automotive distributor, a breach that exposed 147,000 customer records shows how personal information circulates once attackers gain a foothold. Documents and identity data feed fraud by helping criminals pass verification checks or social engineering challenges.

How banks, retailers and regulators are responding

Banks continue to tighten controls for mobile wallet provisioning. Device risk analysis checks whether the phone requesting a token has been seen before, whether it is jailbroken, and whether the request matches the customer profile. Some issuers ask customers to confirm new wallet links through the bank app instead of SMS to reduce social engineering. Real time analytics and machine learning models help block suspicious purchases at the authorization stage.

Retailers are reinforcing point of sale checks. Staff training highlights red flags such as repeated failed attempts, customers cycling through multiple phones or cards, and efforts to split high value purchases into many small transactions. Stores can require an ID check for expensive electronics, coordinate closely with acquiring banks, and keep CCTV evidence ready for rapid investigations. Payment providers are adjusting rules to flag risky merchant and device combinations that indicate organized shopping runs.

Law enforcement and cross border cooperation

Coordinated operations that bring together banks, card networks, airlines, and police have proven effective against specific fraud types. In a previous Airport Action Days operation, officers detained scores of travelers who tried to use stolen card details to buy flight tickets. INTERPOL coordinated activity across Asia from its innovation hub in Singapore. Similar joint efforts with national police are used today to disrupt phishing kits, mule recruitment channels, and the underground markets where stolen cards are traded.

What consumers can do right now

Most issuers reimburse unauthorized card purchases, yet speed matters. Early detection limits losses and shortens the time criminals have to test and reuse your details. The steps below reduce the chance of compromise and help you catch fraud quickly.

• Turn on real time transaction alerts in your bank app for every card, including wallet transactions and online purchases.
• Review statements weekly and dispute any charge you do not recognize right away.
• Use a strong and unique password for your bank and card accounts and store it in a reputable password manager.
• Do not save card numbers or passwords in web browsers. Infostealer malware targets browser autofill storage.
• Enable two factor authentication on banking, email, and shopping accounts. Prefer authentication through your bank app over SMS.
• Use virtual card numbers or per purchase tokens when your bank offers them, especially for merchants you rarely use.
• Lock, freeze, or set transaction limits on cards in your bank app when you are not shopping. Disable overseas or card not present transactions unless needed.
• Keep phones and computers updated, install security patches promptly, and avoid unofficial app stores or downloads.
• Protect your national digital identity accounts, such as SingPass. Change passwords if you suspect phishing, and report any compromise quickly.
• Be cautious with messages about deliveries, refunds, or security warnings. Access your bank by typing the official web address or using the app, not by tapping links in messages.

Key Points

• Singapore accounts for about 11 percent of stolen payment cards traded in a May 2025 dataset, behind the United States and ahead of Spain.
• Average prices for stolen Singapore issued cards are about US$13.19, up roughly 29 percent from 2023, while Japanese cards fetch about US$22.80.
• Experts attribute Singapore’s ranking to high digital adoption and transaction volume rather than weak bank controls.
• Fraud techniques include phishing, infostealer malware, and mobile wallet abuse that enables in store purchases by recruited mules.
• Local prosecutions show transnational syndicates buying iPhones and other goods with stolen card data and reselling them for cash.
• Banks and merchants are tightening authentication for wallet provisioning and enhancing point of sale checks, while law enforcement coordinates cross border operations.
• Consumers can lower risk with alerts, careful password practices, two factor authentication, and by avoiding saving card data in browsers.