Good Carder
From carder to carders. While traditional carding struggles with 3DS and BIN filtering, mobile operators remain an unprotected platform. Billions of subscribers of M-Pesa, Airtel Money, Orange Money, and traditional mobile operators (T-Mobile, AT&T, Verizon) process thousands of transactions daily with minimal oversight. You can top up someone else's phone, pay your internet bill, or install a flagship smartphone without 3DS and AVS, with minimal risk of chargeback. In this article, we'll examine the vulnerabilities of mobile payments, crypto deposit and withdrawal schemes, installment plans and their cashing out, as well as the risks of IMEI blocking, when a operator bricks a fraudulently purchased phone.
Part 1: Why Mobile Operators Are an Easy Target for Carders
Mobile operators and mobile money platforms have fundamental differences from traditional e-commerce merchants:
- Low security threshold. Topping up a phone account, paying for internet, and buying a smartphone in installments are low-risk transactions from the perspective of payment gateways. Operators don't want to lose customers, so 3DS is often disabled for such payments, and CVV verification is a formality. Who would complain about someone else paying their phone bill?
- No chargebacks. A cardholder who sees a $20 charge marked "T-Mobile" will chalk it up to their subscription and won't bother looking into it.
- Instant conversion to cash. The most valuable vulnerability of mobile money systems: after topping up your phone balance, you can transfer those funds to another number or into cryptocurrency via a P2P exchange in minutes. In Africa, mobile money (M-Pesa, Airtel Money) is a fully-fledged financial ecosystem with trillions of dollars in turnover. In 2025, over $4 million was laundered through M-Pesa in Kenya alone, and $2.1 billion in suspicious cryptocurrency transactions related to mobile money were recorded in West Africa.
Part 2. The "replenish the drop balance → transfer to cryptocurrency" scheme
2.1. Mobile money system architecture (USSD/SIM-linked)
Africa has leapfrogged the era of bank cards in its financial sector. M-Pesa operates via USSD (a text-based interface that uses no internet connection) linked to the active SIM card in the phone. If the SIM card is compromised, all security is lost. There are also protocol vulnerabilities: fraudsters using a modified SIM card (ThinSIM) can intercept and initiate USSD commands without the victim's knowledge. The SIM card is a single point of entry: if a fraudster gains control of the SIM card, they gain access to everything — M-Pesa, mobile banking, and SMS messages with 2FA codes. Even with a VPN, billing shows which cell phone tower the money mule used to connect to the internet.
The agent network consists of cash pickup points (small shops, kiosks), where identification is limited to presenting an ID card, which can be counterfeited. Fraudsters posed as Safaricom agents to drain their float.
The Antidrop platform (Russia) and similar systems are tightening controls. Starting July 1, 2026, banks are required to transmit the client's tax identification number (TIN) for all transactions through the Fast Payment System (FPS), which links cash flows to the real taxpayer. The Antidrop platform, a centralized database where banks collect information on all suspicious transactions and clients, is scheduled to launch in 2027.
2.2 SIM swapping and phishing
SIM swapping is the most reliable, but also the most dangerous method:
- Data mining. Using leaked IDs and phishing SMS messages, fraudsters obtain victims' passport information.
- SIM swapping. Using a fake ID, a fraudster goes to a mobile phone store and receives a duplicate SIM card in the victim's name. In Kenya, fraudsters use fake IDs and fake police letters to deceive officers. All SMS messages with 2FA codes and phone calls then go to the fraudster.
- Access to M-Pesa. The fraudster uses the victim's SIM card to log into M-Pesa and transfer funds to the drop's account.
Social engineering (SMS phishing): This is a more widespread method. In Kenya, 46% of consumers reported receiving fraudulent calls, text messages, or online messages. Fraudsters use "easy money" tactics, offering winnings or threatening fines. In one operation in Kenya (2025), seven fraudsters drugged a victim, performed a SIM swap, and defrauded their account of 250,000 Kenyan shillings ($1,900). They used sleeping pills to gain access to the phone and then arranged for a SIM card replacement at a mobile phone store.
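Added defender-side example, not part of the original post: the SIM-replacement-then-transfer sequence described in section 2.2 is something a wallet operator can gate on. The sketch holds or steps up transfers made shortly after a SIM swap; the event fields, the 24-hour window, the decision names and all sample records are constructed assumptions, not any operator's real policy.

```python
from datetime import datetime, timedelta

# Hypothetical cooling-off period after a SIM replacement (assumed value).
COOLING_OFF = timedelta(hours=24)

# Constructed sample events (not real data).
SIM_SWAPS = [{"msisdn": "254700000001", "at": "2026-03-01T09:15:00"}]
TRANSFERS = [
    {"id": "T1", "msisdn": "254700000001", "to": "254700000099",
     "amount": 250000, "at": "2026-03-01T09:40:00"},
    {"id": "T2", "msisdn": "254700000001", "to": "254700000002",
     "amount": 500, "at": "2026-02-20T12:00:00"},
    {"id": "T3", "msisdn": "254700000003", "to": "254700000099",
     "amount": 90000, "at": "2026-03-01T10:00:00"},
    {"id": "T4", "msisdn": "254700000001", "to": "254700000002",
     "amount": 700, "at": "2026-03-03T08:00:00"},
    {"id": "T5", "msisdn": "254700000001", "to": "254700000002",
     "amount": 300, "at": "2026-03-01T11:00:00"},
]

def review_transfers(sim_swaps, transfers, window=COOLING_OFF):
    """Return {transfer_id: 'allow' | 'step_up' | 'hold'}."""
    swaps = {}
    for s in sim_swaps:
        swaps.setdefault(s["msisdn"], []).append(datetime.fromisoformat(s["at"]))
    known_payees = {}   # payees seen outside any post-swap window, per wallet
    decisions = {}
    for tx in sorted(transfers, key=lambda t: datetime.fromisoformat(t["at"])):
        when = datetime.fromisoformat(tx["at"])
        payees = known_payees.setdefault(tx["msisdn"], set())
        in_window = any(s <= when < s + window
                        for s in swaps.get(tx["msisdn"], []))
        if in_window and tx["to"] not in payees:
            decisions[tx["id"]] = "hold"      # new payee right after a SIM swap
        elif in_window:
            decisions[tx["id"]] = "step_up"   # known payee: extra verification
        else:
            decisions[tx["id"]] = "allow"
            payees.add(tx["to"])              # only trusted history builds the payee list
    return decisions

if __name__ == "__main__":
    for tx_id, decision in review_transfers(SIM_SWAPS, TRANSFERS).items():
        print(tx_id, decision)
```

Payees first seen inside the post-swap window are deliberately not added to the trusted set, so a held transfer cannot whitelist its own destination.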
2.3. Transferring money through crypto exchanges without KYC (P2P)
Once a fraudster has gained control of an M-Pesa/Airtel Money account, they can:- Transfer funds to a P2P exchange (NoOnes, Paxful, Binance P2P). On platforms like NoOnes, you can buy USDT with cash or by transferring it to a mobile wallet. You can buy USDT up to your account limit at a time.
- Exchange M-Pesa for USDT. Find a merchant who accepts M-Pesa. You transfer money, and they transfer USDT back to you. P2P exchange fees are 1-2%, and the exchange rate is 90-95% of the market rate.
- Withdraw USDT to a cold wallet and exchange it for XMR through a no-KYC exchanger (ChangeNOW, Godex). Then, through churning (5-10 transfers between your sub-addresses), disconnect.
USDT money laundering case: Fraudsters stole over $4 million from a Kenyan bank, laundering the stolen funds through USDT via P2P platforms. Mobile money serves as the primary channel for moving stolen funds.
Part 3. Buying smartphones on installment plans through a carrier
The most lucrative way to cash out a stolen card is to pay off a flagship smartphone through a carrier (T-Mobile, AT&T, Verizon) and resell it. Unlike buying it from an electronics store, carriers check cards less thoroughly because they're interested in signing up new subscribers.3.1. Installment plan + resale
- Register an account for the drop (name, address, SSN, credit history). People with bad credit are suitable — they won't get a loan anyway, but you will.
- Choosing a plan. T-Mobile, AT&T, and Verizon require you to choose a plan (usually the cheapest one).
- Applying for a smartphone installment plan. iPhone 15 Pro Max ($1,200) or Samsung Galaxy S24 Ultra ($1,300). The down payment is often $0–$100, with the remainder made up of monthly payments over 24–36 months.
- Paying the down payment with a stolen non-3DS card.
- Receiving the smartphone. The operator sends the phone to the drop's address (or to the store for pickup if the drop provides identification).
- Smartphone resale. A new, sealed iPhone 15 Pro Max can be sold on Craigslist, OfferUp, and Facebook Marketplace for 80-90% of the retail price. Resellers will happily take the new device at a 10-20% discount.
3.2. Bypassing Verification and Scoring
- Use prepaid plans. T-Mobile Prepaid and AT&T Prepaid do not require a credit check.
- Warm up your account. Don't sign up for an installment plan on the day of registration. Make a few small purchases (accessories, top-ups) to build your account history.
- Fake documents. Identity verification may be required to obtain an installment plan. Use fake IDs or buy an account with a history on the dark web.
Part 4: Direct Data Theft via USSD Skimming and Fake Apps
While some steal cards, others go even further - they steal access to the phone itself.
4.1. Fake banking apps and USSD skimming
In 2026, fraudsters created copies of popular banking apps (Safaricom, M-Pesa, Airtel Money) that requested USSD access permissions. Once the victim installed the app, it began intercepting USSD commands, debiting the balance, and transferring funds to the fraudster's account.
- Tools: Anatsa, Vultur, Massiv, TrickMo - these banking Trojans are used to steal mobile money data in Africa.
- Distribution via Google Play: All of these Trojans penetrate Google Play through downloaders (droppers), disguised as PDF readers and document reading utilities.
- Ghost Tapped and DevilNFC: These Trojans turn an Android smartphone into an NFC signal repeater, allowing funds to be withdrawn from cards linked to the victim's phone.
4.2. Malicious applications for iOS and Android
Malicious apps disguised as official banking and mobile operator apps are actively spreading in Africa. Users enter their login credentials and M-Pesa PIN, which are then transferred to the fraudsters. Some Trojans also feature overlays for banking apps and SMS interception.
Part 5. Risks and how to minimize them
5.1. Blocking the IMEI of phones purchased fraudulently
The most serious risk with installment plans is that the carrier can block the phone's IMEI (International Mobile Equipment Identity) if the installment plan isn't paid. A blocked IMEI bricks the smartphone — it won't work on that carrier's network, and often on other networks as well, as carriers share IMEI blacklists.
How does blocking work?
- You stop paying by installments.
- The operator marks the phone's IMEI as lost or stolen.
- IMEI is included in the global CEIR (Central Equipment Identity Register) database and is blocked by all operators in the country (and often abroad).
- The buyer who bought the phone from you is left with a brick and goes to the police.
Risk minimization:
- Sell your phone in a country where the carrier has no influence. An IMEI blocked by T-Mobile in the US won't be blocked in Kenya or Nigeria. Take advantage of this.
- Don't sign up for installment plans on phones with eSIM. An eSIM is more tightly tied to your carrier and is harder to unlink. Use a physical SIM card (for drop-off).
- Warm up your account. If you've signed up for an installment plan, make 2-3 payments and then "forget about it." The carrier doesn't block the IMEI right away, giving you a 1-2 month window to resell the phone.
- Sell your phone to another country. Sell your smartphone through international marketplaces (Swappa, eBay) to a region where carriers don't share blacklists.
5.2. The operator requires identification confirmation.
T-Mobile and AT&T may request identification (passport, SSN) when applying for an installment plan. Use a drop with real documents, who is willing to handle this process for a fee ($50-$100).5.3. Blocking an M-Pesa/Airtel Money account
If M-Pesa suspects money laundering, your account may be blocked and your funds frozen for 90 days. In Kenya, the Kenya Revenue Authority (KRA) automatically monitors all transactions over KSh 500,000 ($3,800) per month. If this threshold is exceeded, your account is audited, and your funds may be frozen for 14 days without a court order.Solution: Don't exceed the daily and monthly limits. Use multiple accounts to spread your funds out.
Part 6. Checklist for carding through mobile operators
- Top up your drop balance: Use a stolen non-3DS card to top up your drop number.
- Transfer to cryptocurrency: Use a P2P exchange (NoOnes) to convert your balance to USDT. Use an account that is not associated with you.
- Buying a smartphone on an installment plan: get an installment plan from a drop with bad credit, and pay the down payment with a stolen card. Sell the phone on Craigslist or an international marketplace.
- IMEI lock: Sell your phone to a region where the carrier can't lock it. Use re-export services to resell it abroad.
- SIM swapping: Use fake IDs or find a corrupt mobile phone store employee to obtain a duplicate SIM card for the victim. In Kenya, fraudsters forge IDs and police letters to gain access to accounts.
- Don't keep funds in your M-Pesa account for longer than 1 hour. Withdraw them to cryptocurrency or cash immediately after receiving them.
Summary
Mobile operators and mobile money systems remain one of the most vulnerable sectors to carding in 2026. The "top up a drop's balance → P2P exchange → cryptocurrency" scheme allows for the conversion of stolen funds into USDT in 30 minutes with minimal losses (5-10%). An even more lucrative method is buying smartphones on installment plans through T-Mobile or AT&T and reselling them. The main risk is IMEI blocking, which bricks the phone if the operator isn't paid.Africa (Kenya, Nigeria) is a gold mine for cashing out via mobile money (M-Pesa, Airtel Money). Billions of dollars flow through these systems with minimal anti-money laundering (AML) controls. But even there, regulators are tightening regulations: the Kenyan Tax Authority monitors all transactions over $3,800 per month.
A quick one-line reminder:
"Top up your drop balance with a card, convert it to USDT via NoOnes, and withdraw it to a cold wallet. M-Pesa + SIM swap = access to someone else's account. T-Mobile installment plan with a stolen card = a new iPhone. Sell it to a country without IMEI blacklists, otherwise the carrier will brick the phone."