
Researchers on Friday uncovered what they claim may be one of the largest fraudulent online credit card schemes active today.

The bad actors duped payment providers into accepting payments, and the scammers then used fake credit card numbers purchased on the dark web to receive fraudulent payments.

In a blog post, ReasonLabs researchers said this widespread global credit card scam has been operating since 2019 and has amassed tens of millions of dollars in fraud from the stolen credit card numbers of tens of thousands of individuals.

The researchers believe the threat group functions as a crime syndicate that originated in Russia. This ongoing scam tends to abuse several security brands to execute fraudulent credit card charges. The threat group built its infrastructure on top of AWS and uses GoDaddy to circulate hundreds of domains.

Here's how it works: The syndicate operates a massive fake network of dating and adult websites with functional customer support capabilities. Once the sites are live, the scammers coerce payment providers and ultimately gain the ability to accept credit card payments. Once that happens, the threat actors search the darknet, acquire thousands of stolen credit cards and charge them for their fake websites' services.

“The size of the scam — in the tens of millions, coupled with the fact that it has been live for more than three years — is most surprising,” said Andrew Newman, founder and CTO of ReasonLabs. “The fact that it went unnoticed for so long, with so many parties involved, is also unique.”

Matt Mullins, senior security researcher at Cybrary, said that credit card scams have been around forever in a number of iterations, with this newer iteration being a simple variation on old tricks. Mullins said that criminals will typically improve just enough to continue to acquire massive profit on minimal effort, and thus a great return on investment.

“This network of scamming websites appears to have the watermark of some modicum of sophistication, though, with even a potential degree of automation due to the re-use of multiple assets with throw-away domain names,” Mullins said.

Joseph Carson, chief security scientist and advisory CISO at Delinea, added that many fake, fraudulent websites that appear official are, in fact, scams. Carson said these scams can result in the theft of victims' credentials, passwords and credit card information, or in their computer or smartphone being infected with malicious software or even ransomware.

“They could also lead the unknowing victim to spread malware to family and friends, losing sensitive data or resulting in a major financial impact, such as seen here,” Carson said. “It’s always important to be vigilant and cautious of any website links as to whether or not they are actually authentic. Many scams are so good these days that they are difficult to detect. If it’s too good to be true, then it is more than likely a scam.”