From carders to carders. Hacking databases is so last century. Today, Fullz (full data packages) are easier and faster to collect through human intervention. Social engineering, phishing, fake surveys, and bots — that's what brings in fresh meat every day. Leaks happen every six months, and victims are falling for the tricks hourly.
In this article, I'll tell you how we collect Fullz without wasting time on technically complex hacks. It's dirty work, but effective. If you know how to gain trust or set up a beautiful fake website, you'll always be in the money while others are digging through old databases.
Part 1. Why phishing and social media are king, while database hacking is a dying breed.
In 2026, corporate network security has been strengthened, but people are still people. They still fall for scams like "you've won an iPhone," "your account will be blocked," and "confirm your details to get a refund." Why hack a bank's server when you can simply copy its page and collect hundreds of logins overnight?
The benefits of phishing:
- Fresh data - the victim gives you their login and password today, not a year ago.
- Minimal technical skills required – even a beginner can clone a website.
- Scalability - launch a campaign with 10,000 victims, and 1% will submit data.
Cons:
- The risk that your site will be quickly blocked by hosting providers or anti-phishing systems.
- You need to think about how to bypass 2FA (but this can be solved too).
A Fullz package includes not only the card number but also the name, address, phone number, date of birth, sometimes SSN (for the US), email or bank login and password. With this package, you can not only hit the card but also log into the victim's account, withdraw money, and apply for a loan. The price of a Fullz package on darknet markets ranges from 30 to 300, depending on the country and the specific type of card.
The most valuable Fullz packages are from the US and Western Europe, where they have high card limits and extensive credit lines. Fullz packages from the CIS are cheaper but are also in demand among local carders.
Part 2. OSINT on Social Media: Collecting Data Without Being Noticed
Before phishing, you need to understand your target. Sometimes data can be collected for free and without hacking – simply from public profiles.
2.1. What can you find on social media?
| Social network | What does it give? | Examples |
|---|---|---|
| Full name, date of birth, city, place of work/study, phone number (if provided), and friends list. You can get your card number through closed groups if the admin isn't keeping an eye on scammers. They often include an email address, a passport photo (if posted out of stupidity), and marital status. Facebook Marketplace can be used to determine what a person is selling or buying. | john.doe@gmail.com, lives in Los Angeles, is married, has children | |
| Geolocations (posts, stories), hobbies, social circle. Geolocation can be used to determine where a person spends time and tailor phishing to a specific location. | It's often found at Starbucks on 5th Avenue, which means you can fake a Starbucks promotion. | |
| Place of work, job title, professional contacts. Ideal for targeted phishing of company employees (BEC). | Works in Gazprom's finance department — you can slip him a fake letter from the tax office. | |
| Telegram | You can find database leaks through bots and search engines, but direct social media is available in interest groups (crypto, investments, earnings). It's easy to recruit victims there by posing as an "expert." | A member of the "Crypto Investors" chat writes that he recently bought Bitcoin — an ideal target for phishing under the guise of an exchanger. |
2.2. OSINT Collection Tools
- Sherlock searches accounts by username on 300+ social networks.
- theHarvester — collects emails and domains.
- Maltego — builds a graph of connections (name → email → phone → address → friends).
- Telegram search bots (@get_contact, @tgsearch_bot) — search for a phone number to link to a Telegram account.
These tools are needed to gather primary information about the victim for spear phishing. For mass phishing, social media isn't necessary — you simply take a leaked email database (for example, 100,000 addresses) and send fake emails from PayPal or Amazon.
Part 3. Phishing Pages: Cloning Banks, Crypto Exchanges, and Services
The most common method of collecting Fullz is a fake login or payment page. The victim thinks they've logged into PayPal, but in reality, they've sent you their username, password, and possibly a 2FA code.
3.1. Ready-made phishing kits (clones)
Ready-made clones of popular websites are sold on darknet forums and Telegram:
| Target | Where to get a clone | Price | Peculiarity |
|---|---|---|---|
| PayPal | PhishHunter Kits, PayPal Black | $20–50 | Supports the "confirm account" page and card request |
| Amazon | Amazon Clone Kit | $15–30 | Simulates a password change and login page |
| Gmail / Outlook | OpenBullet configs + clones | $10–20 | Session cookies are being stolen |
| Binance / Coinbase | Crypto-phishing packs | $50–150 | There is a way to bypass 2FA by spoofing SMS (but it's complicated). |
| Banks | Custom clones made to order | $100–500 | They are made for a specific bank with real fonts. |
If you don't have money, clones can be downloaded for free from GitHub (search for "paypal phishing template"), but such templates are often already detected by anti-phishing systems and don't last long.
3.2. Which fields to collect for Fullz
On the phishing page, you should ask for enough data to receive the full package:
Minimum set (for carding):
- Card number, expiration date, CVV, cardholder name.
- Address (billing address): country, city, street, house, postal code.
Fullz:
- Login and password from your bank/PayPal/crypto exchange.
- Date of birth, SSN (for the US), phone number.
- Email and password for your mail (to intercept emails later).
The more data, the higher the price of Fullz on the market.
3.3. Where to host a phishing site to avoid detection
- A cheap VPS with a bad reputation (for example, a VPS server in Russia, Ukraine, or the Netherlands) for $3–5 per month. The hosting company may shut down your website upon complaint, but by then you'll have collected enough data.
- Compromised WordPress sites: upload a phishing page to a legitimate site through a vulnerability. This lasts longer, but requires hacking skills.
- GitHub Pages / Cloudflare Pages — free, fast, but Google's antiphishing system can block your link within a few hours. But you can always create a new repository.
- Ngrok / Serveo — tunnel a local server to the internet. Ideal for testing, but not for mass campaigns (the link is different each time, and it's hard to remember).
Tip: Use short links (bit.ly, cutt.ly) with a spoofed preview to hide the phishing domain. However, Google may also block them. Another viable option is a Telegram link-distributing bot that automatically updates the domain if the old one is blocked.
Part 4. Bypassing 2FA and Session Hijacking
If the victim uses two-factor authentication, a simple login and password aren't enough. But there are ways to intercept the 2FA credentials along with the data.
4.1. Proxy Tunneling (Evilginx2)
Evilginx2 is an advanced phishing framework that works as a reverse proxy. You configure it like this:
- You buy a domain similar to the target one (for example, google.com-secure-login.xyz).
- Setting up Evilginx2 on VPS.
- The victim clicks the link, sees the real Google page (which is proxied from the real site), enters the login, password, and 2FA code.
- Evilginx2 intercepts both session cookies and all data, and passes the victim to the real site (they don't even notice the trick).
After that, you can paste the intercepted cookie into your browser and log into the victim's account, bypassing 2FA.
Where to get Evilginx2: GitHub, there are plenty of instructions. However, setting it up requires experience with Linux and Docker.
4.2. Fake 2FA apps
Scammers create fake Google Authenticator or Microsoft Authenticator apps that supposedly "improve security." Victims install them and voluntarily grant access to their codes. This method is old, but it still works on older and less experienced users.
4.3. SIM swapping (expensive and risky)
This is a last resort: trick the mobile operator into reissuing the victim's SIM card in your name. Then all 2FA SMS messages will be sent to you. However, this requires access to the victim's passport information and a thorough knowledge of the operator's procedures. In 2026, operators strengthened their security, making SIM swapping more complex. It's typically used only in targeted attacks involving large sums (over $50,000).
Part 5. Telegram bots for collecting CVV/CVC
Telegram is a haven for mass data collection. People upload their cards to bots, believing they're "checking their balance" or "entering a raffle."
5.1. "Checker" bots posing as legitimate services
The scheme is simple:
- Create a bot called "Visa card check" or "Card balance online".
- You set up a welcome message: “Enter your card details and I’ll show you your balance.”
- Once the victim enters the number, expiration date, and CVV, the bot saves them into the database.
- Next, the victim is told: “Error, try again later.”
This bot collects hundreds of cards a week. It works best in the CIS countries, where people still trust Telegram bots.
Where to get the bot script: The ready-made Python code with the python-telegram-bot library can be found on GitHub. Setup takes an hour.
5.2. Distribution and survey bots
Create a channel with an iPhone or crypto giveaway. The entry requirement is: "Subscribe to the channel and enter your card details for verification (they won't charge your card, we'll just check)." People fall for it. You can add fake winners to make it look more convincing.
5.3. Protection from Disclosure
Telegram blocks bots based on complaints. Therefore:
- Use different accounts to create bots (buy accounts on SMS activators for $0.5–1).
- Change the bot's name and avatar every 2-3 days.
- Don't store collected data in the bot itself — set up automatic uploads to Google Sheets or your server every 5–10 minutes.
- Answer victims with cliched phrases and do not engage in dialogue.
Part 6. OPSEC for Phishers: How to Avoid Getting Yourself Exposed
Phishing is illegal not only in the US but in any country in the world. If they detect you, they'll come and search your home, even if you live in a cabin in the woods. Therefore, basic operational security is a must.
6.1. Infrastructure
- Purchase a VPS using cryptocurrency (preferably Monero) and via Tor. Don't use your real email address when registering. A temporary email address will do.
- Register domains for phishing sites with registrars that accept cryptocurrency and don't require verification (e.g., Njalla, Namecheap with gift cards). Never register a domain in your own name.
- Be sure to use a proxy to access the phishing site's control panel. Ideally, use the following chain: home internet → VPN (Mullvad) → Tor → proxy in the VPS's country. The more layers, the harder it is to find you.
6.2. Communication
- Never communicate with victims from personal social media accounts. Use separate accounts with fake credentials, registered through an anonymous VPN.
- When discussing phishing campaigns with partners, use encrypted messengers (Signal, Session, Matrix). Avoid WhatsApp or plain Telegram without encryption.
- If you use Telegram for bots, don't access the bot's admin panel from the phone linked to your number. Use a virtual number (Google Voice, SMS-activate) and access the web version via a VPN.
6.3. Data collection and storage
- Don't store stolen data on the same VPS where the phishing website is running. The police could seize it. Set up automatic log sending to an external server (for example, another VPS or a cloud service like a Telegram bot).
- Encrypt collected databases before storing them (Veracrypt, AES-256). Keep the password in mind.
- Delete old logs regularly. Don't create more evidence.
6.4. Exit strategy
As soon as you realize that the phishing campaign has run its course (or the hosting service is about to be blocked):
- Delete all files from the server.
- Stop the VPS (don't just turn it off, destroy the instance).
- Change all proxies and VPNs you used for administration.
- Change your crypto wallets if you accepted payments to them.
Forget about old domains and VPS - don't reuse them.
Part 7. Phishing Campaign Carder Checklist
- The target has been selected. What are we collecting: cards, Fullz, account access?
- The page clone is ready. Should we use a ready-made template or create one ourselves?
- Hosting/VPS is configured. The domain has been purchased and the SSL certificate (Let's Encrypt) has been installed.
- The data collection script has been written. Logs are written to a secure location.
- The victim acquisition channel is well thought out: email campaigns, social media targeting, and referrals from another bot.
- Proxy and VPN for administration are configured. There is no direct internet access.
- A test victim (the carder) runs the entire chain. Make sure the data is logged and not lost.
- The campaign has been launched. Logs are monitored every 2-3 hours to promptly respond to any blocking.
- When finished, erase all traces. Delete everything, take the money, change the infrastructure.
Part 8. Summary
Social media and phishing aren't high-tech, but pure psychology and a bit of automation. You're not hacking a bank; you're convincing someone to give you their keys. It's dirty, but effective. Fresh Fullz files, compiled today, are worth several times more than old leaks. And if you know how to create convincing fakes and aren't afraid of routine, this method will pay off for a long time. Disguise yourself well, don't be greedy, and always have a backup plan.
A quick one-line reminder:
"Phishing isn't hacking, it's manipulation. People are fooled by fear, greed, and a desire to help. Clone a page, set up Evilginx2 to bypass 2FA, use Telegram bots to collect CVV, hide your infrastructure behind a VPS, crypto, and a proxy. Never leave a trace — every log can become evidence."
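
On the defending side, the session-cookie reuse described in Part 4.1 is visible in server logs as one session ID later presented by a different client than the one it was issued to. The following is an added detection example, not part of the original post; the event fields, the /24 and /48 network grouping, and the sample records are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    ts: int           # epoch seconds
    session_id: str
    ip: str
    user_agent: str
    action: str       # "login" (session issued) or "request" (session presented)

def network(ip: str) -> str:
    """Group addresses by /24 (IPv4) or /48 (IPv6) so DHCP churn is not a 'new client'."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def find_replayed_sessions(events):
    """Alert once per session when BOTH network and user agent differ from login.
    Requiring both avoids alerting on roaming (network only) or browser updates (UA only)."""
    issued_to = {}    # session_id -> (network, user_agent) seen at login
    flagged = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        seen = (network(ev.ip), ev.user_agent)
        if ev.action == "login":
            issued_to[ev.session_id] = seen
            continue
        bound = issued_to.get(ev.session_id)
        if bound is None or ev.session_id in flagged:
            continue
        if seen[0] != bound[0] and seen[1] != bound[1]:
            flagged.add(ev.session_id)
            alerts.append({"session_id": ev.session_id, "ts": ev.ts,
                           "ip": ev.ip, "login_network": bound[0]})
    return alerts

# Constructed sample records (documentation IP ranges, made-up session IDs).
UA_A = "Mozilla/5.0 (Windows NT 10.0) Firefox/125.0"
UA_B = "Mozilla/5.0 (X11; Linux x86_64) Chrome/124.0"
SAMPLE_EVENTS = [
    Event(1000, "s1", "192.0.2.10", UA_A, "login"),
    Event(1060, "s1", "192.0.2.44", UA_A, "request"),     # same /24: fine
    Event(1120, "s1", "203.0.113.7", UA_B, "request"),    # new network + new UA
    Event(1000, "s2", "198.51.100.5", UA_A, "login"),
    Event(1300, "s2", "203.0.113.80", UA_A, "request"),   # roaming, same UA
]

if __name__ == "__main__":
    for alert in find_replayed_sessions(SAMPLE_EVENTS):
        print(alert)
```

This is a heuristic that only covers reuse from a client unlike the one that logged in. Origin-bound authenticators such as FIDO2/WebAuthn address the reverse-proxy case at login time, because the credential is not released to a lookalike domain.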