Good Carder
From a carder to carders. Do you know what a BIN attack is? It's when an attacker tries possible card numbers within a single BIN range, hoping to find a valid card. Previously, this required enormous computing resources and time. In 2026, API gateways and distributed botnets made BIN attacks accessible to everyone. In a few hours, you can try millions of combinations and find hundreds of valid cards.
In this article, I'll examine modern BIN attack methods: how to guess card numbers via APIs (Stripe, Braintree, Adyen), how to automate brute-force attacks using proxy rotation, how to bypass rate limiting protection, and how to avoid being banned. You'll learn which BINs are the most vulnerable, how to use incomplete data leaks to fine-tune brute-force attacks, and how to turn a BIN attack into a stable source of cards.
Part 1. What is a BIN attack and why is it back in fashion?
A BIN attack is the generation and verification of a large number of card numbers within a single BIN range. The first six digits are fixed, while the remaining 10–12 digits are randomly selected. If the payment gateway doesn't block mass requests, valid cards that haven't yet been compromised can be found.
BIN attacks were popular in 2018–2020, but gateways strengthened their defenses (rate limiting, CAPTCHA, IP blocking). In 2025–2026, attacks returned due to:
- Distributed botnets (thousands of IPs, each making 1–2 requests per minute).
- Using APIs instead of web forms (APIs often have less strict limits).
- Specialized checkers (scripts optimized for specific gateways).
- Partial data leaks (the card number is known except for the last 4 digits, or CVV).
Why it's profitable: a live card found through a BIN attack costs $0.01–0.05 in verification costs, but can be sold for $20–50. Profitability is up to 1000x.
Part 2. Vulnerable BINs: Which Ranges Are Most Easily Attacked?
Not all BINs are equally suitable for brute-force attacks. The best candidates are:
- BINs with a low fraud rate (less than 30 according to IPQualityScore). Such cards are rarely blocked by gateways.
- BINs that don't have CVV2 verification (or it's optional). For example, some gift cards and loyalty cards.
- BINs that support $0 authorization (you can check your card without debiting funds).
- Recently released BINs (new ranges that are not yet blacklisted).
Examples of vulnerable BINs (2026):
| BIN | Bank | Type | Why is it vulnerable? |
|---|---|---|---|
| 414720 | Chase | Credit | Non-3DS, low fraud score |
| 476485 | Vanilla | Prepaid | No CVV check for $0 auth |
| 528703 | Vanilla Mastercard | Prepaid | Old range, not yet blocked |
| 451568 | Visa Prepaid | Prepaid | Often used for BIN attacks |
| 536425 | Mastercard | Credit | Non-3DS, weak AVS |
Where to find up-to-date BIN lists: closed Telegram channels, forums (Exploit, XSS, Carder.su), paid BIN databases, free BIN database - BinX.vip.
Part 3. Tools for BIN attacks
3.1. Stripe as an ideal gateway for brute-force attacks
Stripe provides an API for creating a PaymentMethod and SetupIntent. For a BIN attack, use SetupIntent — it doesn't charge money but checks the card's validity.
How it works: send a request with the card number (the first six digits are fixed, the rest are randomly generated), expiration date, and CVV (can be randomly generated). Stripe returns an invalid_number error if the number doesn't pass Luhn, or do_not_honor if the card doesn't exist. If the card exists, Stripe can return generic_decline (additional verification required) or insufficient_funds (the card is valid).
An example Python script for brute-forcing Stripe:
Python:
from curl_cffi import requests
import random
import time

def check_card(bin, last4, proxy):
    card_number = bin + last4
    # Generate a random expiry date and CVV
    exp_month = random.randint(1, 12)
    exp_year = 2028
    cvc = f"{random.randint(0, 999):03d}"
    response = requests.post(
        "https://api.stripe.com/v1/payment_methods",
        headers={"Authorization": "Bearer sk_live_..."},
        data={
            "type": "card",
            "card[number]": card_number,
            "card[exp_month]": exp_month,
            "card[exp_year]": exp_year,
            "card[cvc]": cvc
        },
        impersonate="chrome120",
        proxies={"https": proxy}
    )
    if response.status_code == 200:
        return True, card_number
    else:
        error = response.json().get('error', {}).get('code')
        if error == 'invalid_number':
            return False, None
        elif error == 'do_not_honor':
            # The card exists but is dead (could potentially be sold)
            return True, card_number
        else:
            return False, None
3.2. Braintree and Adyen
Braintree (creating payment_method_nonce) and Adyen (/payments with amount=0) have similar APIs. The principle is the same.
3.3. OpenBullet 2 with BIN attack configurations
OpenBullet is a framework for mass verification. It includes ready-made configurations for Stripe BIN attacks that generate card numbers, rotate proxies, and keep live ones.
Part 4. Bypassing rate limiting and blocking protection
Modern gateways have protection: if a large number of requests are made from a single IP address or API key, they block access.
Bypass methods:
4.1. Load balancing via proxy pool
Each request must originate from a unique residential proxy. No more than 5-10 requests per proxy per minute.
Python:
proxies = [
    'http://user:pass@proxy1:8080',
    'http://user:pass@proxy2:8080',
    # ... 100+ proxies
]
for last4 in generate_last4():
    proxy = random.choice(proxies)
    check_card(bin, last4, proxy)
    time.sleep(0.5)  # delay between requests
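On the gateway side, the per-IP limits that the proxy pool is built to stay under are not the useful signal; a distributed enumeration still concentrates on one merchant key and one six-digit BIN prefix, so that is where detection aggregates. The following is an added example, not code from this post: a detector run over constructed authorization-log lines, where the CSV layout, field names, thresholds and the `acct_demo` key are all assumptions.

```python
from collections import defaultdict

# Decline codes the post lists as gateway responses to guessed numbers (plus one
# common CVV mismatch code); "ok" marks an accepted authorization.
ENUM_DECLINES = {"invalid_number", "do_not_honor", "generic_decline", "incorrect_cvc"}

def parse_line(line):
    """Assumed CSV layout: epoch_ts,merchant_key,source_ip,masked_pan,result."""
    ts, merchant, ip, pan, result = line.strip().split(",")
    return {"ts": float(ts), "merchant": merchant, "ip": ip, "pan": pan, "result": result}

def detect_bin_enumeration(lines, window=60.0, min_attempts=20,
                           min_unique_ratio=0.9, min_decline_ratio=0.9):
    """One alert per (merchant, BIN) whose busiest window looks like enumeration.
    Per-IP limits see 1-5 requests per address, so we key on merchant + BIN prefix."""
    buckets = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        buckets[(ev["merchant"], ev["pan"][:6])].append(ev)
    alerts = []
    for (merchant, bin6), events in buckets.items():
        events.sort(key=lambda e: e["ts"])
        best, start = None, 0
        for end in range(len(events)):
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1                      # slide the window's left edge
            win = events[start:end + 1]
            n = len(win)
            if n < min_attempts:
                continue
            unique_ratio = len({e["pan"] for e in win}) / n      # mostly unseen PANs
            decline_ratio = sum(e["result"] in ENUM_DECLINES for e in win) / n
            if (unique_ratio >= min_unique_ratio and decline_ratio >= min_decline_ratio
                    and (best is None or n > best["attempts"])):
                best = {"merchant": merchant, "bin": bin6, "attempts": n,
                        "distinct_ips": len({e["ip"] for e in win}),
                        "decline_ratio": round(decline_ratio, 2)}
        if best:
            alerts.append(best)
    return alerts

# Constructed sample: 25 guesses under one BIN from 25 addresses in 48 s (one accepted),
# plus five ordinary repeat-customer authorizations under another BIN.
SAMPLE_LOG = [
    f"{1700000000 + i * 2},acct_demo,10.0.0.{i},414720xxxxxx{i:04d},"
    + ("ok" if i == 7 else "invalid_number" if i % 3 else "do_not_honor")
    for i in range(25)
] + [f"{1700000000 + i * 10},acct_demo,198.51.100.5,555555xxxxxx0001,ok" for i in range(5)]
```

The alert carries the distinct source-IP count so an analyst can see at a glance that each address stayed under the per-IP limit while the BIN-level volume did not.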
4.2. Multiple Stripe accounts
A single Stripe account can handle 100–200 requests per hour before being suspended. Create 20–30 accounts (using different email addresses, proxies, and with minimal data). Rotate API keys.
4.3. Imitation of human behavior
Add random delays (0.5–2 seconds), change User-Agent, use different TLS fingerprints (curl_cffi).
4.4. Using custom fields
Some gateways allow test requests without a CVV or with a fake expiration date. Experiment.
Part 5. Card Number Generation Strategies
5.1. Sequential enumeration
We're trying all possible combinations from 0000000000 to 9999999999 for BIN 414720. That's 10 billion possibilities — too many. We need to narrow it down.
5.2. Using incomplete data from leaks
You have a leak where the first 10 digits of a card are known, but the last 6 are hidden. You can generate 1 million variants for the last 6 digits and check them using the API. The chance of finding a valid card is 1–5%.
5.3. Generation according to the Luhn template
The Luhn algorithm determines the check digit of a card number. You can generate only numbers that pass the Luhn check and discard the rest (95% of numbers will be rejected).
Python:
def luhn_checksum(card_number):
    def digits_of(n):
        return [int(d) for d in str(n)]
    digits = digits_of(card_number)
    odd_digits = digits[-1::-2]
    even_digits = digits[-2::-2]
    checksum = sum(odd_digits)
    for d in even_digits:
        checksum += sum(digits_of(d * 2))
    return checksum % 10

def is_luhn_valid(card_number):
    return luhn_checksum(card_number) == 0
5.4 Using Known BIN Patterns
For some BINs (for example, gift cards), the numbers are not generated randomly, but rather according to a specific algorithm (increment, fixed prefix). Study the documentation or analyze leaks.
Part 6. Risks and how to minimize them
6.1. Blocking the API key
Stripe may block your account for suspicious activity. Use test keys (sk_test_*) — they're more secure, but don't always provide accurate answers.
Solution: Create new accounts using temporary email addresses (10minutemail) and proxies.
6.2. Legal risks
BIN attacks are outright fraud. If you are identified, the penalties can be severe. Don't use your real IP address, real email address, or real payment information.
6.3. False Positives
Some gateways return do_not_honor even for non-existent cards. You should check any found cards using another gateway or a micro-check.
Part 7. BIN Attack Checklist
- Choose a low-fraud, non-3DS BIN, preferably prepaid or gift.
- Create a pool of residential proxies (50+ IPs, each no more than 5 requests per minute).
- Register 10-20 Stripe accounts using different email addresses and proxies.
- Write a script to generate card numbers (sequentially or using a template).
- Use asynchrony for speed, but no more than 10-20 parallel requests.
- Rotate proxies and API keys after every 100-200 requests.
- Save found cards in a separate file.
- Check the cards you find using a real micro-check ($0.50 on Wikipedia).
- Sell live cards on the darknet or use them for carding.
Summary
Next-generation BIN attacks are a powerful card mining method accessible to anyone with a little code and a proxy pool. Stripe, Braintree, and Adyen are still vulnerable if you properly distribute the load and use multiple accounts. The cost of verifying a single card is fractions of a cent, and the selling price is tens of dollars. But be careful: BIN attacks are easily detected if OPSEC is not followed. One burned account is not a problem, but dozens of burned IPs can attract attention.
A quick one-line reminder:
“A BIN attack is a numbers game. 10 billion combinations per BIN, but Luhn cuts out 95%. 100 proxies, 20 Stripe accounts, 10 threads = 10,000 checks per hour. 1 live card per 10,000 checks = $30 at a cost of $0.50. A BIN attack is not a hack, it's patience and math.”