After learning the few basics of carding from a private paid telegram channel and experiencing some successes and failures on my real carding attempts I found this forum and the information was nothing like I had seen on other forums. So my family routine is spending hours learning from this forum , planning scenarios in my mind with the knowledge I have accumulated and then a real attempt for beginner friendly sites like steam and razer gold. I have the temptation of trying highly secure sites like apple.com , bestbuy etc but I have restrained myself till i actually learn so I don't loose money. I have learnt that in 2026 if you want to actually earn a living from carding you can't treat it like a hobby but like a real profession.
Anyways in today's post I will be talking about what I learnt about opsec and carding setups after reading the posts related to this topic on this forum I will also be asking some questions on things that are not yet clear to me
Proxies
1. The types of Proxies listed from the worst to the best - Data center , rotating residential, static residential and the best ie mobile proxies. I have heard that mobile proxies don't get flagged easily and are highly trusted my most websites
2. The reason residential proxies always don't result in success is most websites know carders use residential proxies so they are trained to detect or especially if it's not from the best services and are not know to be from known proxy ranges. I checked my residential proxy on ipinfo.com the fraud score of proxy was low but in the proxy detection section it listed as proxy. I guess this would result in my profile getting flagged despite using proxies with low fraud score.
3.Mainstream providers like ip royal, bright data are better than proxy services sold in carders which don't follow the best industry standards and have lots of issues. I want to purchase bright data , ip royal or oxylabs because these are the best . However they ask kyc verification which isn't possible for me to do as it will ruin my opsec. Can anyone help me out in this. I can try availing the services of certain kyc verification sellers but I haven't found anyone offering one for proxy providers. If I have to use services from carding forum shops I might use 922 proxy or LTE easy residential proxies .
4.In 2026 you need proxies with exact zip targeting to beat avs. My proxy server doesn't have zip targeting currently
5.Use proxies from multiple proxy providers for different operations. Don't use the proxy from the same proxy provider when you are going to card a website using a new profile and card immediately after using the same proxy on a previous hit. This is hard for beginners as we don't have much money to purchase subscriptions of multiple proxy providers but for now I have decided to use two proxy providers alternatively.
6.I learnt about proxy fingerprinting from @Student guide on proxy fingerprinting. Earlier I thought only rotating proxies too often , not routing dns through proxy , performing bot like behaviour , using data center proxies results in websites finding out you use a proxy but it seems many new arsenal of weapons have been added to anti fraud systems in 2026 one of them being proxy fingerprinting. I have heard it's impossible to beat this. Only the amount of hops and latency can be reduced by using an rdp of country close to proxy location and then connecting to residential proxies.
Rdps
1.The types of rdps from the worst to the best - cheap rdps with known data center ips , rdps with residential ips and the best - bare metal rdp
2.Rdps can be detected by detections of virtualization, data center ips etc. Residential rdps are better than data center rdps but they still have signs of virtualization. The best is bare metal rdp although many of them still use a data center ip. To solve this i will use residential proxy.
3.Find providers that accept crypto and if possible look for ones that atleast claim to not keep logs. And it's better to clean logs regularly ( clean them slowly and not all at a time to not raise suspicion) and change rdps you use regularly like once a month.
4.Do not go for 15,20 $ rdps They are useless except on few sites.
5. Use rdps with ssid and good storage and 2 to 4 cpu cores.
Other anti-detect tools i have considered
1. I have heard that hijacked desktops or hacked rdps are sold although rare but it does have risks like the owner finding out about it and filing a complaint. Another idea I have is of finding someone in the US or country of cc holder and asking them to provide remote access of their laptop through tools like anyteam viewer. I will pay him for it. But this has some issues like some websites can find this out through java scripts which check the services running in the background. I can ask the owner to use rootkits to hide this but still this is an obstacle and also one more thing is it can cause legal issues.
2.Anti detect browsers - I currently use multi login will be shifting to linkensphere or dolphin anty . But one thing I have realised is anti detect can only hide some identifiers. You can still be detected by hardware identifiers. So it's better to use this on a rdp.
3.Virtual machines - They are almost useless as most sites easily detect them. I have found one anti detect vm sold by dmitry momoto from vector t13 . I watch a lot of his webinars. Looks like he has a good product but it costs 90$ per month and if you want the most advanced version for lifetime you need to spend 1800$ or 10000 to get custom presets of sites to work with . This is too expensive for me currently.
4.Real phones for rent - you can use these real phones remotely. One such service the first one I have found is droiddesk.io . And this is not a virtual phone or a cloud phone. It is better than any RDP with real device fingerprints and real ip adresses. But the prices are a bit expensive for beginners 45$ a day and 120$ for a week
Opsec
Geolocation
1.I have learnt from a lecture on YouTube there are many ways your geolocation can be exposed. Many of them like bluetooth scanning , windows update logs, trace route can be easily dealt with and spoofed. But geolocation through gps from your hardware and geolocation through wifi scanning is really hard to hide. Most highly secure sites use geolocation through wifi scanning. Can anyone help me in finding a solution for this. I would appreciate it greatly.
2. I currently use my home wifi or the hotspot of my samsung device which I know is dangerous but I do as I know no other solution. I am not a tech nerd who knows how to setup everything. I can't afford advanced setups. Few videos on YouTube from channels focusing on opsec have suggested in use wifi adapters and antaennas to connect through wifi networks of others but I don't know how to do this. And I heard the mac adress of the wifi adapter can be tracked by a determined adversary.
Compartmentalisation
Keep your work devices and devices used for carding seperately. Do not login with any personal accounts on your carding machine. I follow this partly except one thing I am doing which I shouldn't is connect to the internet through the hotspot of my samsung device.
Other common sense rules and hiding money trails while cashing out
1.Do not sell gift cards , any digital items directly on mainstream gift card reselling marketplaces. Most of them are monitored by feds. It's better to sell them through telegram vendors and get paid through crypto
2.I am not a crypto expert but I am learning. Don't pay through kyc crypto exchanges to any marketplace. Purchase crypto from non kyc p2p platform to non kyc crypto wallets or through telegram and then mix it manually through swappers, swap it to monero and then to your main coin and then make the transaction to the marketplace. To cash out from non kyc wallets to fiat requires more advanced forms which I am still learning.
3.Do not talk about what you do to anyone in your personal life. Try to have a normal life and routine in the eyes of others as much as possible. Do not look or show your guilt in any way. Basically following the 10 rules listed in the legendary thread in the opsec section by the admin
My ideal setup for operations for both opsec and to beat the anti fraud systems of websites
1.Use a Linux based operating system for carding. Learn how to harden it through many tutorials and guides.
2.Connect to mullvad or any real no logs vpn.
3.Then connect to a gateway vps. Then finally from there to the bare metal rdp.
4.Then connect to residential proxies of cc holder exact city and zip. I will use an anti detect browser if needed for eg if I am farming or warming up lots of profiles of a single website
I read a guide prescribing the use of multiple rdps and proxies which make it hard for law enforcement but I thought about it and it will cause latency issues and look suspicious to the websites. So I decided to use a no logs vpn instead before connecting to the rdp. The only main rule that I need to follow is always pay for everything through crypto and never card on my main os.
Other rules that I will follow
1.Use a seperate device only for carding operations. Use tails os for managing my crypto wallets and for browsing carding forums and shops
2.Use another seperate device that you never connect to the internet and use it to only store passwords , for planning , noting down important stuff. This will be fully encrypted through file encryption software. I am still learning on how to become better at this
3.Do not perform your carding operations at your home. Find a location where there aren't cameras or even if there are you can easily blend in and perform your carding operations there. Change your locations regularly. And also do not carry your real devices connected to your personal life when you card. Still don't know how to do this as I use hotspot of my samsung device. And also don't boot up your device used for carding in your home.
4.Try to avoid telegram or any other so called mainstream app for communication. Use pgp encryption.
5.Regularly change the devices you use and purchase them through cash mostly resold laptops from facebook marketplace or from any local marketplace.
This is all I can remember right now. If I am wrong about any of these things i would love to be corrected by the professionals in this group. In the next post i will talking about what I learnt about anti fraud systems
Anyways in today's post I will be talking about what I learnt about opsec and carding setups after reading the posts related to this topic on this forum I will also be asking some questions on things that are not yet clear to me
Proxies
1. The types of Proxies listed from the worst to the best - Data center , rotating residential, static residential and the best ie mobile proxies. I have heard that mobile proxies don't get flagged easily and are highly trusted my most websites
2. The reason residential proxies always don't result in success is most websites know carders use residential proxies so they are trained to detect or especially if it's not from the best services and are not know to be from known proxy ranges. I checked my residential proxy on ipinfo.com the fraud score of proxy was low but in the proxy detection section it listed as proxy. I guess this would result in my profile getting flagged despite using proxies with low fraud score.
3.Mainstream providers like ip royal, bright data are better than proxy services sold in carders which don't follow the best industry standards and have lots of issues. I want to purchase bright data , ip royal or oxylabs because these are the best . However they ask kyc verification which isn't possible for me to do as it will ruin my opsec. Can anyone help me out in this. I can try availing the services of certain kyc verification sellers but I haven't found anyone offering one for proxy providers. If I have to use services from carding forum shops I might use 922 proxy or LTE easy residential proxies .
4.In 2026 you need proxies with exact zip targeting to beat avs. My proxy server doesn't have zip targeting currently
5.Use proxies from multiple proxy providers for different operations. Don't use the proxy from the same proxy provider when you are going to card a website using a new profile and card immediately after using the same proxy on a previous hit. This is hard for beginners as we don't have much money to purchase subscriptions of multiple proxy providers but for now I have decided to use two proxy providers alternatively.
6.I learnt about proxy fingerprinting from @Student guide on proxy fingerprinting. Earlier I thought only rotating proxies too often , not routing dns through proxy , performing bot like behaviour , using data center proxies results in websites finding out you use a proxy but it seems many new arsenal of weapons have been added to anti fraud systems in 2026 one of them being proxy fingerprinting. I have heard it's impossible to beat this. Only the amount of hops and latency can be reduced by using an rdp of country close to proxy location and then connecting to residential proxies.
Rdps
1.The types of rdps from the worst to the best - cheap rdps with known data center ips , rdps with residential ips and the best - bare metal rdp
2.Rdps can be detected by detections of virtualization, data center ips etc. Residential rdps are better than data center rdps but they still have signs of virtualization. The best is bare metal rdp although many of them still use a data center ip. To solve this i will use residential proxy.
3.Find providers that accept crypto and if possible look for ones that atleast claim to not keep logs. And it's better to clean logs regularly ( clean them slowly and not all at a time to not raise suspicion) and change rdps you use regularly like once a month.
4.Do not go for 15,20 $ rdps They are useless except on few sites.
5. Use rdps with ssid and good storage and 2 to 4 cpu cores.
Other anti-detect tools i have considered
1. I have heard that hijacked desktops or hacked rdps are sold although rare but it does have risks like the owner finding out about it and filing a complaint. Another idea I have is of finding someone in the US or country of cc holder and asking them to provide remote access of their laptop through tools like anyteam viewer. I will pay him for it. But this has some issues like some websites can find this out through java scripts which check the services running in the background. I can ask the owner to use rootkits to hide this but still this is an obstacle and also one more thing is it can cause legal issues.
2.Anti detect browsers - I currently use multi login will be shifting to linkensphere or dolphin anty . But one thing I have realised is anti detect can only hide some identifiers. You can still be detected by hardware identifiers. So it's better to use this on a rdp.
3.Virtual machines - They are almost useless as most sites easily detect them. I have found one anti detect vm sold by dmitry momoto from vector t13 . I watch a lot of his webinars. Looks like he has a good product but it costs 90$ per month and if you want the most advanced version for lifetime you need to spend 1800$ or 10000 to get custom presets of sites to work with . This is too expensive for me currently.
4.Real phones for rent - you can use these real phones remotely. One such service the first one I have found is droiddesk.io . And this is not a virtual phone or a cloud phone. It is better than any RDP with real device fingerprints and real ip adresses. But the prices are a bit expensive for beginners 45$ a day and 120$ for a week
Opsec
Geolocation
1.I have learnt from a lecture on YouTube there are many ways your geolocation can be exposed. Many of them like bluetooth scanning , windows update logs, trace route can be easily dealt with and spoofed. But geolocation through gps from your hardware and geolocation through wifi scanning is really hard to hide. Most highly secure sites use geolocation through wifi scanning. Can anyone help me in finding a solution for this. I would appreciate it greatly.
2. I currently use my home wifi or the hotspot of my samsung device which I know is dangerous but I do as I know no other solution. I am not a tech nerd who knows how to setup everything. I can't afford advanced setups. Few videos on YouTube from channels focusing on opsec have suggested in use wifi adapters and antaennas to connect through wifi networks of others but I don't know how to do this. And I heard the mac adress of the wifi adapter can be tracked by a determined adversary.
Compartmentalisation
Keep your work devices and devices used for carding seperately. Do not login with any personal accounts on your carding machine. I follow this partly except one thing I am doing which I shouldn't is connect to the internet through the hotspot of my samsung device.
Other common sense rules and hiding money trails while cashing out
1.Do not sell gift cards , any digital items directly on mainstream gift card reselling marketplaces. Most of them are monitored by feds. It's better to sell them through telegram vendors and get paid through crypto
2.I am not a crypto expert but I am learning. Don't pay through kyc crypto exchanges to any marketplace. Purchase crypto from non kyc p2p platform to non kyc crypto wallets or through telegram and then mix it manually through swappers, swap it to monero and then to your main coin and then make the transaction to the marketplace. To cash out from non kyc wallets to fiat requires more advanced forms which I am still learning.
3.Do not talk about what you do to anyone in your personal life. Try to have a normal life and routine in the eyes of others as much as possible. Do not look or show your guilt in any way. Basically following the 10 rules listed in the legendary thread in the opsec section by the admin
My ideal setup for operations for both opsec and to beat the anti fraud systems of websites
1.Use a Linux based operating system for carding. Learn how to harden it through many tutorials and guides.
2.Connect to mullvad or any real no logs vpn.
3.Then connect to a gateway vps. Then finally from there to the bare metal rdp.
4.Then connect to residential proxies of cc holder exact city and zip. I will use an anti detect browser if needed for eg if I am farming or warming up lots of profiles of a single website
I read a guide prescribing the use of multiple rdps and proxies which make it hard for law enforcement but I thought about it and it will cause latency issues and look suspicious to the websites. So I decided to use a no logs vpn instead before connecting to the rdp. The only main rule that I need to follow is always pay for everything through crypto and never card on my main os.
Other rules that I will follow
1.Use a seperate device only for carding operations. Use tails os for managing my crypto wallets and for browsing carding forums and shops
2.Use another seperate device that you never connect to the internet and use it to only store passwords , for planning , noting down important stuff. This will be fully encrypted through file encryption software. I am still learning on how to become better at this
3.Do not perform your carding operations at your home. Find a location where there aren't cameras or even if there are you can easily blend in and perform your carding operations there. Change your locations regularly. And also do not carry your real devices connected to your personal life when you card. Still don't know how to do this as I use hotspot of my samsung device. And also don't boot up your device used for carding in your home.
4.Try to avoid telegram or any other so called mainstream app for communication. Use pgp encryption.
5.Regularly change the devices you use and purchase them through cash mostly resold laptops from facebook marketplace or from any local marketplace.
This is all I can remember right now. If I am wrong about any of these things i would love to be corrected by the professionals in this group. In the next post i will talking about what I learnt about anti fraud systems
Not whole process but I wanna know about device you used and rdp especially.
