Good Carder
From carder to carders. The battle against payment gateways like Stripe is becoming increasingly difficult. But there's another, more sophisticated tactic: attacking not the gateway itself, but its architecture. Payment aggregators and marketplaces built on Stripe Connect and Shopify Payments make the fight against fraud our game. You become not the buyer, but a shadow seller. You don't steal the card; you convince the platform to transfer the victim's money to you. In this article, I'll examine the aggregator's payment architecture, the "fake seller + self-purchase with a stolen card" scheme, weak seller verification on some platforms, delayed payments, and the risks of rapid blocking.
Part 1. Payment aggregator architecture: funds first go to the platform account, then to the merchant
In a classic online store model (Stripe Standard), the buyer pays, and the money is transferred to the seller almost immediately. In the payment aggregator model (Stripe Connect, Shopify Payments), things are different.
A payment aggregator is a technical provider that receives funds and transfers the full payment amount (minus its commission) directly to the platform's bank account. As a seller on a marketplace (Etsy, eBay, Amazon Handmade), you don't receive the money instantly. It's first accumulated in the platform's account, and then, after fees and a hold period are deducted, it's transferred to you. This delay is the main problem for quick cashouts, but it's also our main loophole.
Let's look at the two most popular architectures.
1.1 Shopify Payments: Built-in Aggregator
Shopify Payments isn't just a plugin, but a full-fledged payments ecosystem integrated into every Shopify store. It processes cards, PayPal, Apple Pay, and Google Pay. Shopify Payments uses machine learning to optimize authorizations and reduce declines. Shopify's fraud analysis also flags suspicious orders to alert you to potential fraud.
Key feature: Shopify Payments can hold payments (reserves) to protect against chargebacks and refunds. The typical hold period is 30 to 180 days. However, this doesn't prevent us from completing the transaction; the main thing is that the platform approves the transaction and the funds are held in escrow, not returned to the buyer.
1.2. Stripe Connect: a multi-stakeholder platform
Stripe Connect is an architecture for platforms that connect multiple merchants and buyers. The merchant becomes the "connected account," and the platform acts as an agent, processing payments and transferring funds.
Connected account types:
- Standard (Standalone): The seller undergoes full verification and has a direct account with Stripe. Funds are received almost instantly.
- Express (Managed): The seller undergoes simplified verification. The platform manages payouts. Perfect for our purposes.
- Custom (Managed): Full control over the user interface and verification process. More complex to set up.
For a carder, an Express account is a gold mine. Verification requirements are minimal, and dozens of "merchants" can be quickly created with fake documents.
Stripe Connect, like Shopify Payments, operates by first depositing funds into the platform's account (or the merchant's account) and then releasing them to the merchant. However, the platform may also hold funds in escrow until delivery is confirmed or until the refund period (usually 7-14 days) expires.
Part 2. The "fake seller + purchase from yourself with a stolen card" scheme
This is a classic scheme adapted for aggregators.
Participants:
- The victim-buyer is an unsuspecting user.
- A fake seller is an account you control on a marketplace (Etsy, eBay, Shopify Marketplace).
- You (the carder) manage both accounts.
Algorithm:
- Registering a fake merchant. Create a merchant account on the platform using fake documents, a virtual office, and a drop bank account. For Shopify Payments, basic verification (name, address, and tax identification number) is sufficient. For Stripe Connect Express, a minimal set of information is required.
- Create a decoy product. List a non-existent digital product (gift card, activation key) for sale at a high price ($500–$1000). Payment is confirmed instantly, eliminating the risk of physical delivery.
- Purchasing with a stolen card. Using another account (or the same device through a clean proxy and anti-detection), you "purchase" this item from yourself. Payment is made with a stolen non-3DS card.
- Payment processing. The payment reaches the platform. Shopify Payments or Stripe Connect processes the transaction and transfers the funds (minus the fee) to your merchant account. The buyer (your other account) receives the digital product.
- Waiting and withdrawal. You wait for the hold period (the period when the platform can cancel the transaction) to end. In Shopify Payments and Stripe Connect, this period can range from a few days to a month. Then, withdraw the funds to a drop bank account or crypto wallet.
- Disappearance. After the funds are withdrawn, you "burn" the merchant's account. The victim (the owner of the stolen card) can initiate a chargeback, but the money is already gone. The platform and the actual merchant (if they were involved) are left with losses.
In Stripe Connect, attackers are exploiting simplified Express account verification to create thousands of fake merchants who then "sell" products to themselves using stolen cards.
Part 3. Vulnerabilities: Weak Seller Verification and Delayed Payments
3.1. Weak Verification (Express / Managed Accounts)
The main vulnerability of aggregators is insufficient merchant verification, especially at the initial stage. Shopify Payments may request identity and business verification, but this often occurs after the first transactions or when fraud is suspected. Stripe Express accounts, which are designed for platforms, can also be opened with a minimal set of data, allowing for mass creation before the system blocks them.
Fraudsters actively use fake business registrations, disposable phone numbers, and even fake IDs (including deepfake videos for biometric verification) to bypass KYC. Stripe, however, uses a combination of machine learning, heuristic analysis, and manual verification to verify documents and checks them against a database of fake templates. However, as long as an account isn't flagged as suspicious, it can successfully accept payments.
3.2. Payment Hold/Reserve
Shopify Payments and Stripe Connect can hold new merchants' funds for 7-21 days, and in some cases (for example, with a high risk of chargebacks) up to 180 days. But this isn't a problem for our system. The funds are already frozen in the platform's account and won't be recalled in the event of a chargeback if you've already withdrawn them.
Part 4. Risks: Quick blocking of the seller's account if there is suspicion
4.1. Shopify Payments Blocking Triggers
Shopify Payments uses machine learning to analyze suspicious orders and automatically test cards. If the system detects an anomaly (too many bounces in a short period of time, geolocation mismatches, suspicious emails), your account may be blocked or frozen.
Additional triggers:
- Exceeding the chargeback threshold. If the chargeback rate exceeds 1–2%, Shopify Payments may place a reserve or suspend payments.
- Complaints from real buyers. If a victim of a stolen card disputes the transaction before you withdraw the funds, the account will be blocked.
- Document inconsistency during verification. If you fail to provide the requested documents on time or they prove to be false, your account will be blocked.
4.2. Stripe Connect Risks
Stripe also actively combats merchant fraud. Specialized tools, such as Guard Your Connect, identify suspicious merchants and alert platforms. In the event of a chargeback or refund, the platform may be held responsible, and they may, in turn, block your connected account.
Part 5. Bypass Methods and OPSEC
5.1 Bypassing Weak Verification
- For Shopify Payments: Use an already verified account (aged account) purchased on the dark web. Cost: $50–$150.
- For Stripe Connect: Register Express accounts with fake documents, but under different IP addresses and fingerprints. Use drop addresses and virtual offices.
- Deepfake documents: To pass video verification, use a deepfake video or hire an actor who looks like the one in your passport photo.
5.2. How to avoid account blocking
- Warm up your seller account. Don't start with a large transaction. Make 5-10 small sales ($5-$20) using legitimate cards (or through drops) to build a history.
- Use digital products. They don't require physical delivery or confirmation, which speeds up the process.
- Withdraw funds in small instalments. Don't try to withdraw $10,000 in one transfer.
- Monitor your chargeback rate. If the chargeback rate exceeds 1%, immediately "burn" your account.
- Use different accounts for different amounts. Don't mix small legitimate sales with large fraudulent transactions.
Part 6. Checklist for attacking an aggregator
- Choose a platform: Shopify Marketplace (easier verification) or Stripe Connect (more control).
- Create a fake seller: Use fake documents, a virtual office, and a drop bank account.
- List a digital product for $500-$1000.
- Make a purchase with a stolen non-3DS card from another account, using a clean proxy and anti-detection.
- Wait for payment confirmation (usually 1-7 days).
- Withdraw funds to a drop account or crypto wallet.
- "Burn" the seller's account after withdrawal.
Summary
Payment aggregators (Shopify Payments, Stripe Connect) offer a unique opportunity for carders to become shadow merchants. The "fake merchant + purchase from yourself with a stolen card" scheme allows you to transfer the victim's funds to an account under your control, bypassing a direct attack on the payment gateway. The main vulnerabilities are weak merchant verification (especially at the initial stage) and delayed payouts, which gives you time to withdraw funds before a chargeback. But the risks are also high: account suspension if suspected, reserves, and confiscation of funds. Adhere to OPSEC, warm up your accounts, and don't be greedy, and aggregators will become your reliable tool.
A quick one-line reminder:
"An aggregator is not a gateway, but an intermediary. The funds are first transferred to the platform account, then to the merchant. Express verification is a weak point. The scheme: fictitious seller → digital product → purchase from yourself with a stolen card → withdrawal to a drop account. A hold of up to 180 days isn't a problem if you're faster. Blocking due to chargebacks is the main risk."
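For a platform risk team, the self-purchase pattern and the chargeback trigger described in Parts 2 and 4 can be screened before a payout is released. The following is an added example, not part of the original post and not Stripe or Shopify code; the record fields, thresholds, decision labels and sample data are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Charge:
    merchant_id: str
    merchant_age_days: int   # days since the connected account was created
    amount_usd: float
    digital_goods: bool
    three_ds: bool           # True if the charge was 3-D Secure authenticated
    buyer_device: str        # hashed device fingerprint seen at checkout
    buyer_ip: str
    disputed: bool = False

NEW_MERCHANT_DAYS = 30       # constructed thresholds; tune on real data
HIGH_TICKET_USD = 500
DISPUTE_RATE_LIMIT = 0.01

def score_charge(charge, merchant_logins):
    """Return (score, reasons); a higher score means a riskier charge."""
    reasons = []
    linked = merchant_logins.get(charge.merchant_id, set())
    if {charge.buyer_device, charge.buyer_ip} & linked:
        reasons.append("buyer shares device or IP with merchant login")
    if charge.merchant_age_days < NEW_MERCHANT_DAYS and charge.amount_usd >= HIGH_TICKET_USD:
        reasons.append("high-ticket sale on a new merchant")
    if charge.digital_goods and not charge.three_ds:
        reasons.append("unauthenticated digital-goods charge")
    return len(reasons), reasons

def payout_decision(charges, merchant_logins):
    """Map each merchant id to release, extend_hold or hold_and_review."""
    decisions = {}
    for mid in sorted({c.merchant_id for c in charges}):
        own = [c for c in charges if c.merchant_id == mid]
        worst = max(score_charge(c, merchant_logins)[0] for c in own)
        dispute_rate = sum(c.disputed for c in own) / len(own)
        if worst >= 3 or dispute_rate > DISPUTE_RATE_LIMIT:
            decisions[mid] = "hold_and_review"
        elif worst == 2:
            decisions[mid] = "extend_hold"
        else:
            decisions[mid] = "release"
    return decisions

# Constructed sample data: device hashes and IPs seen on merchant logins.
LOGINS = {"m_new": {"dev_a", "203.0.113.7"}, "m_old": {"dev_z"}}
SAMPLE = [
    Charge("m_new", 3, 800.0, True, False, "dev_a", "203.0.113.7"),
    Charge("m_old", 400, 25.0, False, True, "dev_b", "192.0.2.10"),
]
```

Running `payout_decision(SAMPLE, LOGINS)` holds the new merchant for review and releases the established one.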