惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

宝玉的分享
宝玉的分享
Recent Commits to openclaw:main
Recent Commits to openclaw:main
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
T
Tailwind CSS Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
罗磊的独立博客
V
Visual Studio Blog
爱范儿
爱范儿
H
Help Net Security
J
Java Code Geeks
I
InfoQ
Recent Announcements
Recent Announcements
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Recorded Future
Recorded Future
Jina AI
Jina AI
Microsoft Security Blog
Microsoft Security Blog
WordPress大学
WordPress大学
GbyAI
GbyAI
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Y
Y Combinator Blog
Google DeepMind News
Google DeepMind News
Scott Helme
Scott Helme
S
SegmentFault 最新的问题
S
Securelist
L
LINUX DO - 热门话题
Cyberwarzone
Cyberwarzone
C
Cisco Blogs
Simon Willison's Weblog
Simon Willison's Weblog
G
Google Developers Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
博客园 - 叶小钗
T
The Blog of Author Tim Ferriss
博客园_首页
B
Blog
F
Fortinet All Blogs
AWS News Blog
AWS News Blog
V
Vulnerabilities – Threatpost
S
Secure Thoughts
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Forbes - Security
Forbes - Security
S
Security @ Cisco Blogs
T
Threat Research - Cisco Blogs
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
S
Schneier on Security
Project Zero
Project Zero
Martin Fowler
Martin Fowler
C
Cybersecurity and Infrastructure Security Agency CISA
N
Netflix TechBlog - Medium
N
News and Events Feed by Topic

Recorded Future

The Threat Isn’t the Frontier Model Iran-Nexus TAG-182 Disseminates MarkiRAT Surveillance Tool Where Expertise Meets Algorithm: The Insikt Group® Intelligence Edge Evaluating Mexico’s New Cybersecurity Plan The Purchase Scam Tactic Headed for the World Cup | Recorded Future FortiBleed Campaign Exposing Credentials for 73,932 FortiGate Systems The Klue Security Incident and Its Impact on Recorded Future State Digital Surveillance Risk Landscape The Intelligence No One Else Has: Inside Recorded Future’s Proprietary Collection Engine The Intelligence No One Else Has: Inside Recorded Future’s Proprietary Collection Engine Cyber-Enabled Maritime Sanctions Evasion Recorded Future Launches Impact and Metrics Dashboard 2026 FIFA World Cup: What Public Safety Officials Need to Know China's Noncombatant Evacuation Operations: 2005–2025 Russia’s Defense-Based Economy Risks Forcing Putin to Fight Wars May 2026 CVE Landscape Why Holistic Sourcing Wins: The Numbers Behind the Recorded Future Advantage Threats to the 2026 FIFA World Cup Remembering Sir Alex Younger Iran Expands Handala Brand to Physical Threats The Vulnerability Flood Is Now a Board Conversation. Here's How to Lead It. At Mythos Speed: A Defender's Playbook for the AI Vulnerability Surge in 2026 April 2026 CVE Landscape Beyond Acceleration and Automation: How AI + Intelligence Changes Cyber Defense NIST NVD Enrichment Policy Change: Prioritizing Vulnerabilities with Attacker Behavior Signals A Complete History of Cybersecurity: From Early Viruses to AI-Powered Threats The Different Types of Payment Fraud and How to Prevent Them Digital Citizenship Glossary: Key Terms Every Internet User Should Know Quantum Risk Explained Threat Activity Enablers: The Backbone of Today’s Threat Landscape Recorded Future Named a Leader in the 2026 Gartner® Magic Quadrant™ for Cyberthreat Intelligence Technologies. And there’s more. Hacking Embodied AI Working in London at the World’s Largest Intelligence Company Risk Scenarios for the US’s Strategic Pivot Building with AI: Here's What No Briefing Will Tell You Lazarus Doesn't Need AGI The Money Mule Solution: What Every Scam Has in Common From Overwhelmed to Autonomous: Rethinking Threat Intelligence in 2026 Critical minerals and cyber operations Today, trust is the superpower that makes innovation possible AI Hype vs. Reality: Is AI Really Rewriting the Vulnerability Equation? Evolution of Chinese-Language Guarantee Telegram Marketplaces Emerging Enterprise Security Risks of AI From Bazooka to Fake Nikes Your Supply Chain Breach Is Someone Else's Payday 4 Essential Integration Workflows for Operationalizing Threat Intelligence Recorded Future Iran War: Future Scenario and Business Implications A New Way to Buy Recorded Future: Solutions and Packages Built for the 2026 Threat Landscape March 2026 CVE Landscape: 31 High-Impact Vulnerabilities Identified, Interlock Ransomware Group Exploits Cisco FMC Zero-Day VIP Credential Monitoring Blog Third-Party Risk Is an Intelligence Operation. It's Time We Treated It Like One. Understanding and Anticipating Venezuelan Government Actions The Iran War: What You Need to Know Day in the Life: Product Manager at Recorded Future Panorama del cibercrimen en América Latina y el Caribe Latin America and the Caribbean Cybercrime Landscape Panorama do cibercrime na América Latina e Caribe Industrialization of the Fraud Ecosystem Blog The Shift: An Era of Quantum Geopolitics ClickFix Campaigns Targeting Windows and macOS 2025 Year in Review: Malicious, Infrastructure 2025 Identity Threat Landscape Report: Inside the Infostealer Economy: Credential Threats in 2025 February 2026 CVE Landscape: 13 Critical Vulnerabilities Mark 43% Drop from January Latin America's Cybersecurity Turning Point: From Reactive Defense to Threat Intelligence Recorded Future Expands Coverage of Scams and Financial Fraud with Money Mule Intelligence from CYBERA January 2026 CVE Landscape: 23 Critical Vulnerabilities Mark 5% Increase, APT28 Exploits Microsoft Office Zero-Day Preparing for Russia’s New Generation Warfare in Europe 2025 Cloud Threat Hunting and Defense Landscape GrayCharlie Hijacks Law Firm Sites in Suspected Supply-Chain Attack Network Intelligence: Your Questions, Global Answers Fragmentation Defined 2025's Threat Landscape. Here's What It Means for 2026 State of Security Report | Recorded Future From 27 Steps to 5: How Recorded Future Reimagined Threat Hunting with Autonomous Threat Operations Rublevka Team: Anatomy of a Russian Crypto Drainer Operation Autonomous Threat Operations in action: Real results from Recorded Future’s own SOC team | Recorded Future PurpleBravo’s Targeting of the IT Software Supply Chain Threat and Vulnerability Management in 2026 Best Ransomware Detection Tools December 2025 CVE Landscape: 22 Critical Vulnerabilities Mark 120% Surge, React2Shell Dominates Threat Activity Practitioners Reveal What Makes Threat Intelligence Programs Mature GRU-Linked BlueDelta Evolves Credential Harvesting New ransomware tactics to watch out for in 2026 Digital Threat Detection Tools & Best Practices BlueDelta’s Persistent Campaign Against UKR.NET China’s Zero-Day Pipeline: From Discovery to Deployment Cyber on the Geopolitical, Battlefield: Beyond the, “Big Fourˮ What’s Next for Enterprise Threat Intelligence in 2026 Palestine Action: Operations and Global Network Implications of Russia-India-China Trilateral Cooperation GrayBravo’s CastleLoader Activity Clusters Target Multiple Industries November 2025 CVE Landscape: 10 Critical Vulnerabilities Show 69% Drop from October 5 Real-Word Third-Party Risk Examples When the Digital World Turns Physical: The Expanding Role of Threat Intelligence in Executive Protection Critical React2Shell Vulnerability Under Active Exploitation by Chinese Threat Actors The Bug That Won't Die: 10 Years of the Same Mistake The Hidden Cascade: Why Law Firm Breaches Destroy More than Data Intellexa’s Global Corporate Web The Maturity Gap: The Next Frontier in Threat Intelligence Inside the CopyCop Playbook: How to Fight Back in the Age of Synthetic Media AI Malware: Hype vs. Reality
The $0 Transaction That Signaled a Nation-State Cyberattack
2025-12-17 · via Recorded Future

What Happened

In November 2025, Anthropic disclosed the first known cyber-espionage campaign conducted primarily by an autonomous AI system, attributed to a Chinese state-sponsored threat actor. During the same period, Recorded Future's Payment Fraud Intelligence (PFI) team observed a parallel fraud incident with strong overlap in infrastructure and behavioral patterns.

Analysts tracked the late stages of a third-party payment fraud attack: a compromised card was validated through Chinese-operated tester services, then used in an attempted ~$200 purchase on Anthropic's platform. The timing aligned precisely with the publicly reported campaign.

This isn't an isolated tactic. Threat actors have long used compromised payment cards beyond simple financial theft—to fund phishing campaigns, bypass anti-money laundering controls, and evade geographic restrictions on services.

What's new is the likely use of stolen cards to access Western AI platforms while shielding attacker identities.

The Card Fraud Kill Chain

Payment Fraud Intelligence analysts observed a textbook fraud progression:

September 28, 2025: The card appeared in an authorization at a merchant known to be abused by Chinese card-testing services, likely a validation check shortly after compromise.

October 10, 2025: A second test transaction occurred at the same merchant, suggesting the attackers were confirming the card remained active after an "aging" period, common before listing cards for sale.

October 21, 2025: Two additional card-testing transactions occurred, consistent with the card changing hands on a dark web marketplace as buyers verify usability upon purchase.

October 22, 2025: Fraudsters attempted a payment on Anthropic's platform. Though Anthropic detected and blocked the activity, the attempt demonstrates how fraud infrastructure directly supports advanced threat operations.

Figure 1: Timeline of attack (Source: Recorded Future)

All four testing transactions occurred at a merchant abused by a card-testing service that likely serves Chinese-language threat actors. The service offers both English and Chinese interfaces and advertises in Chinese-language fraud-focused Telegram communities.

Why the card activity and timeline matter

While PFI analysts cannot definitively link this specific card activity to the Anthropic cyber espionage campaign, the fraud was almost certainly intended to fund illicit platform access. The coincidence of timing and infrastructure strongly suggests connection to broader threat operations.

This investigation reveals how fraud intelligence intersects with cybersecurity at multiple levels:

Strategic: Payment fraud doesn't exist in isolation. Card-testing activity and attempted fraudulent purchases may be components of larger operations with significant security implications for targeted organizations and industries.

Operational: Fraud with stolen payment instruments gives threat actors access to legitimate resources—including AI platforms—that can be weaponized against organizations, vendors, and customers.

Tactical: Tester merchant intelligence reliably identifies compromised cards before cashout attempts. Since card testing consistently precedes fraud events, detecting these early signals prevents larger downstream losses.

What mitigations exist?

For Financial Institutions:

A card interacting with known tester merchants is a high-fidelity compromise indicator. Financial institutions should use internal processes and Recorded Future Payment Fraud Intelligence Tester Data to identify affected cards, then re-issue them or raise their risk scores in fraud detection models.

For Businesses and Merchants:

Organizations in industries where products could be misused for malicious purposes should incorporate payment fraud indicators into their security posture:

  • Implement 3D Secure-based cardholder authentication, even where not legally required, to leverage card issuers as fraud detection partners.
  • Correlate cardholder payment information against account registration data. While not a hard requirement (to avoid customer friction), flag discrepancies to lower action thresholds when combined with other suspicious indicators.

The bottom line - and looking ahead

Most payment card fraud will continue to be motivated by personal financial gain. However, advanced threat actors will increasingly leverage the same fraud ecosystem—card-testing services and carding shops—to source compromised identities and payment methods.
As AI technologies advance, threat actors will likely operationalize these stolen credentials to access geo-restricted products and obscure their true identities, making the intersection of fraud intelligence and cybersecurity increasingly critical.
Recorded Future Payment Fraud Intelligence provides the tester merchant data, dark web monitoring, and fraud indicators your team needs to detect compromised cards before they enable downstream attacks. Explore our Payment Fraud Intelligence solutions.