Over the past few months, multiple Telegram channels have been actively trading stolen data, compromised accounts, and carding-related intelligence. These channels range from long-established groups with millions of published accounts to newer actors quickly gaining traction. Each operates differently, with unique targets, techniques, and subscription models that cater to cybercriminals looking for fresh logs, compromised information, or fraudulent cash-out methods.

In this blog, we will explore some of the most recent and active log-selling and carding channels, highlighting what makes them stand out, their scale of activity, and why they matter in today’s threat landscape.

» Get started for free with KELA and strengthen your cybersecurity

Five Log Channels 
(Last 3 Months)

1. Channel Name: Daisy Cloud

This service offers daily fresh logs through a subscription model and also provides thousands of free bots each day. It has published 34,702,426 compromised accounts and is known for providing very good and unique information, contributing to its strong reputation.

2. Channel Name: Bugatti Cloud

This established group provides daily fresh logs through a subscription service, in addition to offering multiple free bots. They have been active for several years and have published 16,143,189 compromised accounts. 

3. Channel Name: Cuckoo Cloud

This service offers daily fresh logs through a subscription model, alongside sharing multiple free bots. It has compromised 14,239,114 accounts and, despite being a relatively new group established in 2025, it shows promise with unique information. 

4. Channel Name: Red Cloud

This service offers subscription-based access to fresh logs daily and also shares multiple free bots. It has compromised 5,385,824 accounts and maintains a good reputation for providing unique information, despite being continuously blocked.

5. Channel Name: StarLink Cloud

This veteran group has been active for a couple of years and offers subscription-based access to fresh logs daily, alongside sharing multiple free bots. It has compromised 2,953,321 accounts and is known for providing a mass of information.

» Find out why your organization needs cyber threat intelligence

Advanced Cyber Threat Intelligence

KELA’s cyber threat intelligence platform helps you and your business identify risks in real time and act before damage occurs.

Contact Us



Five Carding Channels (Since January 1, 2025)

1. Channel Name: CrdPro Corner

The telegram group of CrdPro carding forum with almost 7K members, acts as active marketplace facilitating an exchange of information among users, who are seeking reputable credit card shops and BINs, trading tools such as OTP bots, checkers, and RDP/SOCKS, looking for partners, and identifying specific brands or transaction flows to target.

The primary languages used are English, Spanish, and Russian. This platform is valuable because it offers precise targeting intelligence, insights into Tactics, Techniques, and Procedures (TTPs) that highlight control failures, and practical opportunities for monitoring and takedown efforts. 

» Learn more: Is Telegram safe to use?

2. Channel Name: AsCarding Underground

The telegram group ASCarding carding forum with almost 5K members, focuses on various illicit activities, including BIN hunting, non-VBV (Verified by Visa) requests, and targeted cash-out methods for platforms like PayPal/Zettle, Amazon/Steam, and Best Buy. It also covers bank top-ups for institutions such as Chase, Wells Fargo, Capital One, and TD. The content delves into OTP-bot/phishing playbooks, workarounds for Apple Pay provisioning without OTP/KYC, and POS/NFC or ATM cash-outs. Additionally, there's a consistent trade in fullz/SSNs, check-cloning kits, gift-card/EBT schemes, and eSIMs.

The value of this information lies in its ability to pinpoint concrete, near-term targets and cash-out rails, while simultaneously exposing the exact Tactics, Techniques, and Procedures (TTPs) used to bypass security controls (e.g., OTP interception, device/ASN churn, provisioning gaps). This yields actionable intelligence for security professionals, including insights for developing detections, merchant-specific rules, and watchlist pivots (for handles, domains, and tools) across card-not-present (CNP), card-present (CP), and check-fraud pipelines.

» Discover how Telegram Clouds of Logs are the fastest gateway to your network

3. Channel Name: Canada Union

A Canada-focused Telegram carding group operates as a one-stop marketplace for financial crime: members coordinate bank account open-ups and trade “drops” (mules), solicit and sell PII (SSN/DOB, etc.), advertise CAD bill-paying as a laundering/cash-out service, lease RDP/VPS infrastructure for ops, offer manual 2FA/OTP compromise services, and hawk access to online bank accounts plus stolen accounts for major shops—alongside selling “pros” (high-score credit profiles) to bypass KYC and boost limits.

This information is valuable because it identifies active TTPs (OTP social engineering, mule orchestration, session hijack/ATO), reveals cash-out methods (bill pay, account access resale), and points to infrastructure clues (RDP/VPS ASNs, device/geo churn) and identity fraud (synthetics/borrowed IDs). All of these insights can be used to improve detections, map mule networks, and implement targeted controls for Canadian banks, telcos, and merchants.

4. Channel Name: "Qianxun 🇯🇵 Japan Company — Direct Buy/Receiving” (Translated From Chinese)

A Japan-focused Chinese-speaking carding group helps criminals use stolen credit card information. They frequently change delivery addresses and order methods. It advertises easy-to-sell items like iPhones, electronics, luxury goods, beauty products, outdoor gear, and whisky. They also advertise live scams to get access to Japanese online accounts, share tools and data, and even leak raw credit card numbers. This shows they are probably a sophisticated group that manages the logistics of selling stolen goods in Japan.

This is valuable because it reveals their specific targets and how they convert stolen data into cash (e.g., minimum item values, using the same receiver names and phones, parcels worth over 30,000 JPY). It also shows their methods for avoiding detection (e.g., account takeovers through phishing, accessing inboxes), which helps businesses create better security rules, stop recurring suspicious deliveries, and quickly identify compromised credit card numbers.

» Here's everything you need to know about infostealers

5. Channel Name: “Genius Qi Jiusi — Japan Real-Time Phishing (Service)” (Translated From Chinese)

A Japan-focused Chinese-speaking carding channel offers mixed and specific JCB batches, with minimum orders of 50-100 units. They target various Japanese companies (especially JCB) like Amazon-JP, Apple ID, Amex, and Rakuten, often at specific times. It also posts updates about Yahoo inboxing success; sells securities and ANA digital coupons; posts raw card data; and how they convert data, like using Amazon-JP for redemptions.

This information is useful because it shows how attacks happen, what they target (like JCB cards and Amazon Japan), how often they occur, and what buyers need. It also reveals real-time hacking methods, which helps us detect them quickly and find urgent indicators of compromise.

» Discover how Telegram’s new data sharing rules affect cybercriminals

How KELA Supports You

The channels highlighted here reveal just how structured and widespread illicit marketplaces have become, from massive log-selling groups to region-specific carding hubs. They demonstrate not only the scale of compromised data but also the evolving tactics cybercriminals use to exploit it.

With KELA’s cyber threat intelligence platform, you and your business can continuously monitor these channels, identify relevant threats in real time, and act before the damage occurs.

» Ready to get started? Contact us to learn more