Disguising transactions as legitimate purchases: substituting the descriptor and MCC

[Good Carder]

From carder to carders. You successfully swiped your card, the money was debited, and the goods were received. But the transaction left a digital trace: a line with the store name and MCC (Merchant Category Code) appeared on the cardholder's statement. If the victim sees "Crypto Exchange" or "Gift Card Store," they'll immediately suspect something is wrong. But if they see "Starbucks" or "Netflix," they won't even notice. The art of transaction masking isn't just about choosing the right BIN, it's about replacing the data the victim sees with secure data.

In this article, I'll discuss what a descriptor and MCC are, how they appear in statements, whether they can be spoofed, masking techniques through PayPal, Stripe Connect, and other payment aggregators, as well as actual tools and their availability in 2026. The main goal is to ensure that the victim doesn't notice the charge or writes it off as a legitimate purchase, thereby reducing the risk of a chargeback.

Important: Substituting the descriptor and MCC is a technically complex task that requires access to the payment gateway settings or the use of specific schemes. Not all methods are available to the average carder. However, even basic techniques can reduce the risk of detection by 30–50%.

Part 1: What is a descriptor and MCC and why are they important?​

1.1. Descriptor (Descriptor)​

A descriptor is a text string that the cardholder sees on their statement. For example, AMZN DIGITAL *GIFT CARD or PAYPAL *NETFLIX. The descriptor typically includes the company name, and sometimes an order number or product type. By default, the descriptor is generated by the payment gateway based on merchant data. In Stripe, the default descriptor is COMPANYNAME*PRODUCT (up to 22 characters).

Why this is important: If a victim sees CRYPTO EXCHANGE BINANCE on their statement, they will immediately know the card has been compromised. If they see PAYPAL *SPOTIFY, they will think it's their own subscription.

1.2. MCC (Merchant Category Code)​

An MCC is a four-digit code that identifies a product/service category. Banks and payment systems use MCCs for risk scoring and cashback accrual. For example, MCC 5812 is for restaurants, MCC 5816 is for games and digital goods, and MCC 6012 is for financial services (crypto exchanges). Payments with MCC 6012 have a high fraud score, often require 3DS, and can be blocked.

Why this is important: Even if the descriptor appears innocuous, the bank sees the real MCC. If the MCC doesn't match the descriptor, this can raise suspicion, but banks typically don't check for consistency between the descriptor and the MCC. However, the MCC plays a key role in risk scoring.

Part 2. Is it possible to spoof the descriptor and MCC?​

The short answer: yes, but it's complicated. Complete substitution at the payment gateway level requires merchant rights or the use of specific schemes.

2.1. Substituting a descriptor through merchant account settings​

If you have a merchant account with Stripe, Braintree, or Adyen, you can change the descriptor in your settings. For example, in Stripe: Dashboard → Settings → Branding → Customer statement descriptor. By default, the descriptor can be changed to any text up to 22 characters. However, banks still see the real MCC, and if your business has an MCC of 6012 (cryptocurrency) and the descriptor is STARBUCKS, this may trigger additional checks.

For carders: creating your own merchant account is complicated and requires documents and verification. However, you can use a drop merchant account or buy an existing one on the darknet. The price is $200-$500 for an account with a history.

2.2. Substitution via payment aggregators (Stripe Connect, PayPal)​

The easiest way to change a customer's descriptor for a regular buyer is to use PayPal as a front. When you pay for an item with PayPal, your cardholder statement displays PAYPAL *MERCHANT_NAME (or simply PAYPAL). If PayPal supports "masking" the descriptor (for example, PAYPAL *NETFLIX), the victim will see a familiar brand, not the real seller.

In 2026, PayPal allows sellers to customize their descriptor under Account Settings → Seller Tools → Customer Service Descriptor. However, this doesn't apply to buyers—only sellers. But if you buy an item through PayPal and the seller sets their descriptor to NETFLIX, the victim will see PAYPAL *NETFLIX on their statement.

A carder's scheme: register a fake PayPal account for the seller, set the descriptor to a safe brand (for example, NETFLIX), then make a purchase from yourself through another account using a stolen card. The victim will see *NETFLIX on their PAYPAL statement and won't suspect anything. This brings us back to the "fake seller + purchase from yourself" scheme (Article 167).

2.3. MCC substitution: technically difficult, but there are loopholes​

The MCC is assigned to a merchant upon registration with the payment gateway and depends on their primary activity. Changing the MCC after the fact is virtually impossible. However:

• Some payment gateways (e.g. Stripe) allow the merchant to change the MCC for individual transactions via the payment_method_options[card][mcc] parameter (but this requires a special agreement and is only available to large customers).
• PayPal may change the MCC depending on the item category selected by the seller. If the seller lists the category as "Digital Goods" but the item is actually cryptocurrency, the MCC may be more secure (for example, 5816 instead of 6012). However, PayPal may still check and block the item.
• Stripe Connect allows the platform (marketplace) to set MCCs for connected accounts. If you create a dummy account through Stripe Connect, you can select MCC 5812 (restaurant) instead of 6012 (crypto exchange). However, Stripe may require verification of activity.

For the average carder, MCC substitution is an overkill. It's better to focus on masking the descriptor.

Part 3. Techniques for masking transactions without access to a merchant account​

3.1 Using PayPal as a Buffer​

The most accessible method. Instead of paying directly with a stolen card on the merchant's website, link the card to a PayPal account and then pay through PayPal. The victim's statement will show PAYPAL *MERCHANT_NAME or simply PAYPAL, not the actual store name. If the seller has configured their handle to a secure brand, the chances of detection are significantly reduced.

How to use:

1. Register a PayPal account for the drop (or use your own with IP substitution).
2. Link a stolen non-3DS card to PayPal.
3. Pay for the item via PayPal by selecting it as your payment method.
4. The victim will see PAYPAL on the statement, not the store name.

Disadvantage: PayPal may require verification when linking a new card (micropayments or 2FA). This is a risk.

3.2. Purchasing Amazon Gift Cards as a Separator​

An Amazon eGift appears on the statement as AMZN DIGITAL *GIFT CARD. A victim, seeing AMZN, might think it's their own Amazon purchase. And if the amount is small ($20-$50), they might not even notice.

The diagram:

1. Buy an Amazon eGift with a stolen card.
2. Use eGift code to buy anything (even convert to crypto via NoOnes).
3. The victim's statement will show AMZN DIGITAL *GIFT CARD, which does not raise suspicion.

3.3. Using aggregator services (Privacy.com, Revolut)​

Privacy.com (US) allows you to create one-time virtual cards with a custom handle. You can name the card "NETFLIX," and transactions will appear as PRIVACY *NETFLIX. Revolut (EU) also supports creating virtual cards with custom handles (via the "Merchant name spoofing" feature).

The scheme is:

1. Issue a virtual card at Privacy.com in the name of NETFLIX.
2. Are you topping up your card with a stolen card? No, Privacy.com doesn't allow you to top up your card from outside the bank. However, you can issue a card linked to the stolen card (the source). However, Privacy.com requires identity verification.
3. Pay for the goods with this virtual card. The victim's statement will show "PRIVACY *NETFLIX."

Problem: Privacy.com and Revolut require KYC, and using them is directly linked to your identity. Use through drop-based payment methods.

3.4 Using crypto-cards (RedotPay) with a custom descriptor​

RedotPay allows you to set a "Merchant Name" for each card. You can name the card "STARBUCKS" or "NETFLIX," and when you pay, the statement will show REDOTPAY *STARBUCKS. To the victim, this looks like a Starbucks purchase, not a crypto card.

The scheme:

1. Issue a RedotPay card (no KYC).
2. In the card settings, specify the desired descriptor, for example NETFLIX.
3. Pay for the item (e.g. Amazon gift card).
4. The victim's statement will contain REDOTPAY *NETFLIX.

This is perhaps the simplest and most accessible method for a carder.

Part 4. Real-World Tools for Handle Substitution in 2026​

Tool	Is it possible to change the descriptor?	Complexity	KYC	Risk of blocking
PayPal (seller)	Yes (setting in the account)	Average	Yes	Average
Privacy.com	Yes (set map name)	Low	Yes	High (closed for spoofing)
Revolut	Yes (via Merchant name spoofing)	Low	Yes	Average
RedotPay	Yes (in map settings)	Low	No	Short
Stripe (merchant)	Yes (in settings)	High	Yes	Low (legitimate)

Conclusion: RedotPay is the best choice for carders. It doesn't require KYC, allows you to set any descriptor, and its cards are accepted everywhere Mastercard is available.

Part 5. Practical example: from hit to checkout with a secure descriptor​

Let's say you want to buy a $100 Amazon gift card.

1. Issue a RedotPay virtual card with a NETFLIX handle. Top it up with USDT.
2. Using a stolen non-3DS card? No, RedotPay is already topped up. You don't have to use the stolen card directly; instead, you can transfer funds to RedotPay from a clean wallet. However, if you need to use the stolen card, you can:
   • Buy USDT on a P2P exchange using a stolen card (via a drop account).
   • Transfer USDT to RedotPay.
3. Pay for your Amazon gift card using RedotPay.
4. The victim (the owner of the stolen card) will see REDOTPAY *NETFLIX on their statement. There's a 90% chance they won't suspect anything.

So, you've turned a "dirty" transaction into a "clean" Netflix subscription.

Section 6. Limitations and Risks​

6.1. The bank can see the real recipient​

Despite the spoofed descriptor, the issuing bank sees the real merchant (Amazon, Binance, etc.) in its internal systems. If the victim contacts the bank and says, "I didn't buy anything from Netflix," the bank will easily determine that it was actually an Amazon purchase. However, victims rarely contact the bank about a suspicious transaction if the descriptor appears innocuous.

6.2. 3DS and AVS are still being tested​

Masking the handle does not cancel 3DS and AVS. If the site requests 3DS, the transaction may be blocked, regardless of the handle.

6.3. Risk of account blocking on RedotPay​

RedotPay may block your card if it suspects it's impersonating a well-known brand. Avoid using names like NETFLIX, UBER, or AMAZON if you don't want to get into trouble. Use neutral names like SUB, MEDIA, or STREAM.

6.4 PayPal may request documents​

If you use PayPal as a buffer, it may block your account if fraud is suspected. Use only verified drop accounts.

Part 7. Checklist for transaction masking​

• Select a method: RedotPay (easiest), PayPal (if you have a verified account), Privacy.com/Revolut (if you have a drop).
• Set your handle to a safe, neutral brand (STREAM, MEDIA, DIGITAL). Avoid direct brand names (Netflix, Amazon).
• Use non-3DS cards to pay through your chosen service.
• Check how a $1 test purchase transaction (e.g., a Wikipedia donation) displays. Check the descriptor displayed in your test card's mobile app.
• Minimize the amount - the smaller the amount, the less likely the victim will notice.
• Don't rely on obfuscation alone - still follow OPSEC (proxy, warmup, clean BINs).

Summary​

Masking transactions as legitimate purchases is an important step in carding that many ignore. Substituting the descriptor and MCC can reduce the risk of chargeback by 30-50%. The most accessible method for carders is using RedotPay crypto cards with a custom descriptor. PayPal and Privacy.com are also suitable, but they require KYC. Completely substituting the MCC is practically impossible, but it is possible to influence the displayed descriptor.

The main rule: even with masking, don't be greedy. A sum of $50-$100 with a descriptor STREAMwill go unnoticed. A sum of $500 with a STREAM descriptor will arouse suspicion in the victim.

A quick one-line reminder:
"RedotPay: name the card "STREAM," and the victim will see a streaming subscription on their statement. PayPal, like a buffer, will turn any transaction into a PAYPAL *MERCHANT." Masking isn't a panacea, but it does reduce the risk of a chargeback by half. Don't call your card "AMAZON" if you don't want to be blocked.