How to choose a merchant for carding (payment processing): manual target selection and scanning for weak gateways

Good Carder

From a carder to carders. No fluff, just proven 2026 methods.

You've bought fresh cards, set up anti-detection, and set up residential proxies. Now all you need to do is find a target — a store that will accept payments without 3DS, won't charge you by BIN, and won't trigger endless verification. Choose wrong, and you'll waste your card. Run into a tough nut to crack, and you'll get a fraud flag on your IP and profile.

In this article, I'll explain how experienced carders choose their targets. No abstract advice — only specific indicators, tools, and checklists that work right now.

Part 1: Why Choosing a Merchant is 50% of Success​

You can have a perfect BIN, a clean proxy, and a well-tested profile. But if your store is running on Stripe with Radar enabled in "block everything that moves" mode, the payment will fail.

The key rule: look for weak gateways, not pretty storefronts.

Large chains (Amazon, Walmart, Target) have budgets for top-tier anti-fraud systems. There's no point in using them unless you have a non-3DS card with a verified balance and experience bypassing their scoring. But small and medium-sized stores — especially new Shopify platforms, small branded online stores, and local services — often use default payment gateway settings that can be bypassed.

Part 2. Manual Target Selection: What to Look for on the Page​

Manual selection takes time, but it's free and often produces results where bots fail.

2.1. Identifying a payment gateway based on indirect indicators​

Before you enter the first digit of your card, you need to understand who you are dealing with.

SignGatewayWhat does it mean
Map fields inside an iframe with the domain js.stripe.comStripeHigh risk if the store has Radar enabled. However, a 3DS isn't required for a non-3DS BIN.
Card fields in regular <input>, the form is sent to /paymentYour own custom gateway or old processingOften low security, but you need to check that the cards are not stored in the open.
Redirect to checkout.paypal.com or paypal.comPayPalUseless for carding — you need a PayPal account. Skip it.
Redirect to braintreepayments.comBraintreeA Stripe-like solution, but with slightly different scoring. Some BINs are accepted where Stripe's isn't.
A window appears with the choice of bank when entering a cardAdyen with 3DSAlmost guaranteed 3DS. Non-3DS cards only.
Map fields inside an iframe from adyen.comAdyen (hosted fields)Also Adyen, but without a redirect. There's a chance of success, but it's low.
Pop-up iframe from cardinalcommerce.comCardinal Commerce (3DS certifier)3DS is a must - drop this goal immediately.

An experienced carder can determine the gateway in 5 seconds based on just the URL in the address bar when going to the payment page.

2.2 Test on 3DS without a real card​

Sometimes you can check whether a store requires a 3DS card even without having a card. Some gateways send an AJAX request to /v1/payment_methods or a similar endpoint when you enter your card number. You can see this request and its response in the developer console (F12 → Network). If the response contains the authentication_required field or next_action[type]=redirect_to_url, the store will request a 3DS card upon confirmation.

Lifehack: enter the test number 4000 0000 0000 0002 (Stripe test card, always crashes with insufficient_funds). If the gateway doesn't request a 3DS card on this number, it most likely won't request one on real non-3DS cards either.

2.3. Checking BIN filtering​

Some stores filter cards by BIN at the client-side JavaScript level. Enter a known prepaid BIN (e.g., 431294 for Vanilla Visa) in the card number field. If the page immediately returns a "card not accepted" error without a server request, the store is using a BIN blacklist on the front end. Such a store is useless for this BIN, but may accept a different one.

Part 3: Tools for Scanning Weak Gateways​

When manually sorting through magazines becomes tedious, automatic tools come into play.

3.1. OpenBullet 2 with configurations for payment gateways​

OpenBullet isn't just for checkers. Using special configurations, you can automatically check store traffic: send a request to create a payment intent with the BIN and analyze the response. Configurations for Stripe, Braintree, Adyen, and other gateways are sold on forums for $10–50.

What to look for in the response:
  • If the response contains "requires_action":true or "status":"requires_action" - 3DS is required.
  • If the response contains "decline_code":"do_not_honor" - the card is dead, but the gateway is alive (the store does not ban BIN).
  • If the response is 403 or "error":{"code":"fraudulent"}, the store uses strict anti-fraud measures.

3.2. PayPal API as a spy​

Some carders use the PayPal API to check BINs. You create a test payment via the PayPal REST API specifying the BIN (without the full number), and the response will show whether PayPal supports that BIN for the store's country. This isn't a direct indicator, but it helps weed out obviously unsuitable targets.

3.3. Aggregator services for "leaky" stores​

Lists of "merchants with low fraud control" are published on shadow forums and Telegram channels. These are often new Shopify stores that haven't yet set up Radar. You don't usually have to pay for these lists — they're distributed as a way to show appreciation within the community. But always check for relevance: stores quickly patch up any gaps.

Part 4. Carder checklist before hit (manual selection)​

Before you spend your card, go through this list:
  • Determine the payment gateway (Stripe, Adyen, Braintree, custom).
  • Check if 3DS pops up on test number 4000 0000 0000 0002.
  • Make sure the payment page doesn't block you by BIN (enter your prepaid BIN and see what happens).
  • Check your address bar to see if there's a redirect to cardinalcommerce.com or mastercard.com/3ds.
  • Check the page for analytics scripts — the more (Google Analytics, Facebook Pixel, Hotjar), the higher the chance that the store is collecting data, but this is not a problem if the gateway is weak.
  • Estimate the store's age (using whois). Stores less than 3 months old often have default gateway settings.
  • Try adding an item to your cart and proceeding to checkout without logging in — the fewer registration requirements, the easier it is to pay.

Part 5. Typical mistakes when choosing a goal​

Mistake 1. Chasing expensive items. The most valuable receipts (electronics, appliances) are often under enhanced security. Digital goods (gift cards, software, subscriptions) are processed more often for the same amount.

Mistake 2. Ignoring the store's geolocation. If the store is registered in Europe (especially Germany, the Netherlands, or France), 3DS is almost always mandatory for European cards. For American cards, it may not be, but the BIN must match the IP address, and the IP must match the American one.

Mistake 3. Carding during peak hours. Stores with manual order verification (small brands) can only process orders during business hours. If you hit at 3 AM local time and the store doesn't process orders until the morning, you have a window of opportunity, but you also risk having your card blocked by the morning. Ideally, hit 1-2 hours before the store's fraud monitoring department closes.

Part 6. Case Study: Why I Ditched My Stripe Store and Switched to a Custom Gateway​

A real-life example. I found a gift shop on WooCommerce. The card fields are standard HTML inputs, and the form is sent to /wc-api/ (the Woo standard). No iframes, no redirects. Apparently, it's a custom gateway using some old plugin.

I hit the card — it went through on the first try for $200. An hour later, I received a notification that the order had been processed. The card was a non-3DS US BIN, and the proxy was a residential US one. A week later, I tried again with a different card — again, success.

The shop failed because:
  • There was no protection against BIN attacks.
  • The payment gateway did not check the CVV.
  • There was no chargeback management.

Conclusion: look for WooCommerce stores with older versions of payment plugins. They're easy to spot by their specific URLs and the lack of an iframe. They're like gatekeepers.

Summary​

Choosing a merchant isn't a matter of luck, but rather a systematic process. Spend 5-10 minutes analyzing your target before committing to an expensive card. Use manual checks, automated scanners, and lists of "weak" stores from forums. Remember: Stripe with a properly configured Radar is almost always a rejection, while old WooCommerce without updates is a goldmine.

A quick reminder:
"Stripe with an iframe and a cardinal — quit immediately. WooCommerce without a captcha and with a custom gateway is your client. Determine the gateway before hit the card, 3DS — with a test card, BIN filter — with a fake BIN. And never carding the first thing that comes to hand."
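Seen from the merchant's side, the three gaps listed in the case study (no protection against BIN attacks, no CVV check, no chargeback management) are things a store can detect and close. The following is an added example, not part of the original post: a minimal check over gateway authorization logs that flags sources cycling through many cards with mostly declines, and lists approvals that went through without CVV verification. The log layout, field names, thresholds and sample rows are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of gateway authorization logs (not real data):
# (epoch_seconds, source_ip, card_fingerprint, outcome, cvv_checked)
EVENTS = [
    (1000, "203.0.113.7", "fp_a1", "declined", True),
    (1030, "203.0.113.7", "fp_b2", "declined", True),
    (1075, "203.0.113.7", "fp_c3", "declined", True),
    (1110, "203.0.113.7", "fp_d4", "approved", True),
    (1140, "203.0.113.7", "fp_e5", "declined", True),
    (1200, "198.51.100.4", "fp_z9", "approved", True),
    (5000, "198.51.100.4", "fp_z9", "approved", True),
    (1300, "192.0.2.15", "fp_q1", "declined", True),
    (1320, "192.0.2.15", "fp_q1", "approved", False),
]

def flag_card_testing(events, window=600, min_cards=4, min_decline_ratio=0.6):
    """Return source IPs that tried many distinct cards, mostly declined,
    inside any sliding window of `window` seconds (hypothetical thresholds)."""
    by_ip = defaultdict(list)
    for ts, ip, card, outcome, _cvv in events:
        by_ip[ip].append((ts, card, outcome))
    flagged = set()
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Shrink the window from the left until it spans <= `window` seconds.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            cards = {card for _, card, _ in span}
            declines = sum(1 for _, _, outcome in span if outcome == "declined")
            if len(cards) >= min_cards and declines / len(span) >= min_decline_ratio:
                flagged.add(ip)
                break
    return sorted(flagged)

def approvals_without_cvv(events):
    """Return approved attempts where the gateway did not verify the CVV,
    which points at a gateway or plugin configuration gap to fix."""
    return [(ts, ip, card) for ts, ip, card, outcome, cvv in events
            if outcome == "approved" and not cvv]

if __name__ == "__main__":
    print("card-testing sources:", flag_card_testing(EVENTS))
    print("approved without CVV:", approvals_without_cvv(EVENTS))
```

Flagged sources are candidates for rate limiting or step-up authentication, and any approval without a CVV check is a reason to review the gateway plugin's settings and version.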