Database Leaks and the Search for "Fresh Meat": OSINT for a Carder Without Hacking

Good Carder

From carders to carders. Hacking servers is so last century. Why spend weeks searching for a vulnerability when you can simply download a ready-made database already circulating on the darknet? Or, even easier, find a person by phone number through a Telegram bot and get all their social media accounts, address, and even full name in two minutes.

A leak isn't a technical problem, but an indicator that your data is already in someone's hands. Year after year, high-profile leaks rock global corporations. In the first three months of 2026 alone, numerous data leaks occurred at large organizations, including social media and medical institutions.

But carders aren't afraid of leaks — in fact, they eagerly await them. Even if a database is two years out of date, it can still contain email addresses, phone numbers, password hashes, and even passport information. And if the database is completely new, you get Fullz (a full data package) for 50 cents, while on the black market such a package costs between 30 and 80. Isn't that a dream?

Part 1. Database Types: What to Look for and Where to Find Them

To effectively search for victims, it is necessary to understand what databases circulate on the darknet and what can be extracted from them.

1.1. Where to find leaked databases

The global volume of leaked data is growing every year. According to research by Positive Technologies, in the first quarter of 2026, more than 32% of leaked databases were published in open sources, and another 8% were available for download on hacker forums.
  • Telegram channels and bots. The fastest and most accessible method. There are thousands of bots and channels on Telegram where you can "check" someone's phone number for a small fee (or even for free). In May 2026, an extensive catalog of the best Telegram bots and tools for checking phone numbers, email addresses, and social media accounts was published on GitHub. These bots can check numbers against leaked delivery databases and reveal the "victim's" real name, address, and social media accounts.
  • Darknet forums (Exploit, XSS). These forums post links to torrents with multi-gigabyte archives of leaked databases and ads for the sale of up-to-date data. In April 2026, a request for an MFI database was recorded, dated 2026, although the compromise itself occurred in 2024. This confirms the persistent demand for leaked data, even years later.
  • Public leak archives. There are paid aggregators that collect thousands of leaked databases in one place and provide convenient search by email, username, or phone number. An example is the aggregator Leakbase, which distributes over 10 TB of dumps.

1.2. What are Fullz and why are they needed?

Fullz is a "complete package" of a victim's personal data, sufficient for identification and use in fraudulent schemes. Standard Fullz includes:
  • Full name
  • Address (residence and billing)
  • Date of birth
  • Phone number
  • SSN (for the US) or passport information
  • Sometimes - credit card details, CVV, expiration date, email login and password.

Data prices in 2026:

Data type | Price (darknet)
Database (1000 rows) | $0.50–1
Database of documents and passports (1000 lines) | up to $1
Fullz (USA) from the credit bureau | $30–80
Card number with CVV | $10–40

On the secondary market, the price of leaked data is steadily rising, with fresh, verified packages selling for significantly more. If the database is "fresh" and contains data from real people with verified documents, the price can increase tenfold.

In May 2026, information appeared online about a 10 TB dataset containing a "full set of PII (Fullz)" — names, addresses, social security numbers, and dates of birth. This isn't just another leak, but a consolidation of numerous old and new databases. Researchers note that this poses a serious threat to digital identity systems for years to come.

1.3. Basic Data Formats (Combo Lists)

A combo list is a text file containing login:password pairs. Most often, combo lists contain email:password pairs, but more exotic formats, such as phone number:password, are also encountered.

Carders actively use combo lists to brute-force accounts on popular services like PayPal, Amazon, and crypto exchanges. A single, well-designed combo list can unlock access to dozens of accounts in a couple of hours.

Part 2. Decrypting Hashes and Password Recovery

A leaked database rarely contains passwords in cleartext. They are most often presented as hashes — irreversibly transformed strings. Hash-processing tools can automatically detect the encryption algorithm (MD5, SHA-1) and guess the password.

2.1. How a password is converted into a hash

Hashing is an algorithmic transformation of input data into a fixed string. When you register on a website, it stores not your password, but its hash. The next time you log in, the website calculates the hash of the entered password and compares it with the stored one.

2.2. Rainbow tables and Ciphey

One way to crack hashes is with rainbow tables. These are pre-computed sets of passwords and their corresponding hashes. If the hash is in the table, the password can be found in seconds. Online services like Key Decryptor or Dcode.fr allow you to decrypt hashes without installing software.

Ciphey is a more modern and powerful tool. It automatically detects the encryption type and brute-forces the password using a combination of built-in dictionaries and statistical algorithms, eliminating the need for manual command entry. Ciphey supports over 50 algorithms (from Base64 to AES) and can even handle multilayer encryption.

2.3. OSINT-based dictionary generation

If the password isn't in the rainbow tables, you can try generating a personal dictionary. This involves collecting information about the victim: date of birth, first name, last name, nicknames, names of relatives, etc. PicoCTF 2026 included a task where participants were given the target's personal information and a password hash. The task was to recover the password by creating a custom dictionary based on the name and date of birth, taking into account possible substitutions and case-insensitive corrections.

Part 3. OSINT and Social Engineering: Obtaining Missing Data

The leaked database only gave you partial information. For example, you only have a phone number. OSINT and social engineering will help you find the rest.

3.1. Searching for profiles by phone number

One of the easiest ways is to search for a profile on a social network. Simply enter a phone number in the Facebook or Telegram search bar. If the number is publicly linked to the profile, it will appear immediately.

"Forgot Password" trick: Enter a phone number in the password recovery form on the website. If the service exists, it may partially display the username or its first letter.

Telegram bots. In May 2026, an extensive catalog of Telegram bots for forensic analysis appeared on GitHub — PRObivon Bot, Sherlock Report, Duhless. These bots, given a phone number, provide the owner's full name, address, a list of social networks, and even tags from GetContact in just a couple of minutes.

3.2. How Telegram's search algorithms work

Telegram bots for verification work simply: the aggregator searches for a phone number in leaked databases of popular delivery services (SDEK, Yandex Food, Ozon) and marketplaces. If the victim has ever provided their phone number when ordering, their full name and delivery address are stored in the database. The bot then provides this information.

3.3. An army of bots in disguise

The Telegram network has an entire infrastructure of hundreds of bots specialized in information mining. These bots cover everything from simple verification of a phone number's registration on Telegram to full provision of passport information, registered addresses, real estate, and transport information.

These bots process thousands of requests daily, providing attackers with complete information about the victim in minutes and for a small fee (sometimes even free as advertising).

Part 4. Social engineering techniques for data mining

Sometimes OSINT hits a wall — data is insufficient or outdated. Then social engineering — a method of directly deceiving people to obtain confidential information — comes to the rescue.

Phishing and social engineering in 2026 are far more than just spam emails. Criminals use personalized schemes for each individual.

4.1. Classic Methods That Still Work

  • Phishing. A copy of the login page of a popular service is created. The victim clicks the link and enters their username and password. In 2026, phishing attacks are becoming increasingly targeted, and their victims are increasingly senior managers of large companies.
  • Vishing. A call to the victim purporting to be from the bank's security service or technical support. The victim is convinced that someone is trying to steal money from their account and is asked to recite a code from an SMS.
  • Smishing. Fraudsters send SMS messages purporting to be from a bank, with a link to a phishing website and a demand to urgently confirm your details to "save your account."

4.2. New technologies and the industrialization of scams

  • Well-established scripts and call centers. In 2026, cybercrime has become a mass production process. Large fraudulent organizations employ entire call centers staffed with professional operators who adhere to scripts, exert psychological pressure on victims, and use deepfake technology to conceal their identities during video calls.
  • Fake documents. Fraudsters send victims fake subpoenas, tax notices, and letters from government agencies, confirming the legitimacy of their demands.
  • Extortion through blackmail. If the scammer cannot convince the victim to voluntarily disclose information, they may threaten to publish existing information about them publicly.

Part 5. Carder OPSEC: How to Avoid Falling into Your Own Trap

OSINT is a weapon that can easily be turned against you. If you don't take precautions, your investigation turns into a trap.

5.1. Your own digital shadow

By using OSINT tools and bots, you leave your own traces.
  • Bot logs. All Telegram bots used for verification likely log your requests. If you're searching for information about a person, the bot owner can see the number you entered.
  • Using personal accounts. If you access darknet forums from your home IP address or without a proxy or VPN, these logs could be used against you in the event of an investigation.

5.2. Countermeasures

  • Separate your identities. Use separate proxies, virtual machines, and accounts for OSINT research. Never mix them with your everyday activities.
  • Use anonymous payment systems. If you purchase access to paid databases or mining bots, use cryptocurrency (Monero) and disposable email addresses.
  • Clear your browsing history. After completing your research, delete temporary files, browser cache, and session logs. This applies to both personal computers and virtual machines.

Part 6. Data Collection and Verification Checklist

  1. Download or purchase access to the target database. Check its freshness (by date of entries).
  2. Use a parser to extract the required strings. Write a script that, based on keywords (email domain, region), extracts target records from a multi-gigabyte dump and saves them to a file (e.g., targets.txt).
  3. Run the found data through forensic bots or OSINT tools to obtain or verify missing information (phone number, address, passport details).
  4. Create a profile of your target. Gather everything together: full name, date of birth, address, passport information, phone numbers, email address, information about relatives and habits.
  5. Verify your data through an independent source. If you have access to paid databases or government services, check the information you've received there. Make sure you're not dealing with a "dead" soul — many databases contain information about people who have already changed their address or phone number.
  6. Use social engineering to finish them off if you still don't have enough data. Prepare a call or message script.
  7. Encrypt and store your dossier. Use encryption (AES-256) and do not store files on your main computer. Use removable media that can be physically destroyed if necessary.

Summary from a carder

Leaking databases and OSINT isn't hacking in the classic sense. It's working with information that someone has already left unattended. Even an "outdated" database contains email, phone number, password hash, and often passport details. And if the database is up-to-date and contains documents, you get Fullz for 0.50 instead of 30-80 on the black market.

Telegram isn't just a messenger, it's a treasure trove of bots for breaches. Any schoolchild can find out the full name, address, and social media profile of their victim in a couple of minutes based on their phone number. And if they have access to closed carder chats, they can buy databases of microfinance organizations and delivery companies for next to nothing.

A quick one-line reminder:
"Databases are a goldmine, not junk. Even an old database will give you an email and password hash. And the hash is the door that Ciphey or Key Decryptor opens." "Punching in the number is routine via a Telegram bot. Just one request, and you know everything about the victim. The main thing is to avoid becoming a victim yourself: use a proxy, encrypt archives, and never store everything on one computer."
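Added example, not part of the original post: sections 2.1 and 2.2 rely on leaked tables holding unsalted fast hashes (MD5, SHA-1), so this sketch shows from the defender's side how a per-user salt with a memory-hard KDF removes the property that precomputed tables depend on. The account names, passwords and scrypt cost parameters are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; two users deliberately share a password.
SAMPLE_USERS = [("alice", "Summer2024!"), ("bob", "Summer2024!"),
                ("carol", "x9#Lq7vT2pWz")]

# scrypt cost parameters: assumed values for this example, tune per deployment.
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)


def weak_record(password):
    """Unsalted fast hash: equal passwords always give equal digests."""
    return hashlib.md5(password.encode()).hexdigest()


def strong_record(password, salt=None):
    """Random per-user salt plus a memory-hard KDF; returns (salt, key)."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)


def verify(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(strong_record(password, salt)[1], expected)


def shared_values(records):
    """Groups of users whose stored value is identical in a leaked table."""
    groups = {}
    for user, value in records.items():
        groups.setdefault(value, []).append(user)
    return [sorted(g) for g in groups.values() if len(g) > 1]


def demo():
    weak = {u: weak_record(p) for u, p in SAMPLE_USERS}
    strong = {u: strong_record(p) for u, p in SAMPLE_USERS}
    strong_keys = {u: rec[1] for u, rec in strong.items()}
    return shared_values(weak), shared_values(strong_keys), strong


if __name__ == "__main__":
    weak_groups, strong_groups, _ = demo()
    print("users sharing an unsalted digest:", weak_groups)
    print("users sharing a salted key:      ", strong_groups)
```

With the unsalted scheme, one known digest exposes every account that reused the password; with per-user salts, each record has to be attacked separately at the KDF's cost.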
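Added example, not part of the original post: section 1.3 describes combo lists being replayed against login forms, which on the defending service appears as one source trying many distinct accounts with mostly failed logins. This detector runs over a constructed auth log; the log format, field order and thresholds are assumptions to adapt to your own telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth log: timestamp, source IP (documentation ranges), account, outcome.
SAMPLE_LOG = """\
2026-05-01T10:00:01 203.0.113.7 ann@example.com FAIL
2026-05-01T10:00:02 203.0.113.7 bo@example.com FAIL
2026-05-01T10:00:03 203.0.113.7 cy@example.com OK
2026-05-01T10:00:04 203.0.113.7 di@example.com FAIL
2026-05-01T10:00:05 203.0.113.7 ed@example.com FAIL
2026-05-01T10:00:06 198.51.100.4 fay@example.com FAIL
2026-05-01T10:00:09 198.51.100.4 fay@example.com FAIL
2026-05-01T10:00:15 198.51.100.4 fay@example.com OK
2026-05-01T10:20:00 203.0.113.7 gus@example.com FAIL
"""


def parse(log):
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4:  # skip malformed lines instead of crashing
            ts, ip, user, outcome = parts
            yield datetime.fromisoformat(ts), ip, user.lower(), outcome == "OK"


def detect_stuffing(log, window=timedelta(minutes=5), min_accounts=4,
                    min_fail_ratio=0.6):
    """Flag IPs that try many distinct accounts, mostly failing, within one window."""
    by_ip = defaultdict(list)
    for event in parse(log):
        by_ip[event[1]].append(event)
    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            accounts = {e[2] for e in span}
            fail_ratio = sum(not e[3] for e in span) / len(span)
            best = findings.get(ip, {"accounts": 0})["accounts"]
            if (len(accounts) >= min_accounts and fail_ratio >= min_fail_ratio
                    and len(accounts) > best):
                # Successful logins inside a flagged burst need a forced reset.
                findings[ip] = {"accounts": len(accounts),
                                "succeeded": sorted({e[2] for e in span if e[3]})}
    return findings
```

The second source in the sample retries a single account and is not flagged, which is the distinction between a user mistyping a password and a replayed list.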