
Credit card theft campaign abuses Stripe to host stolen payment info

BleepingComputer, 04/06/2026, 20:47

Summary

AI-Generated

Key Points:

  • Magecart campaign exploiting Stripe's API to host credit card skimming malware, leveraging Google Tag Manager for execution on checkout pages.
  • Impact includes theft of sensitive payment information (credit card details, customer data) from Magento/Adobe Commerce sites, with stolen data stored in attackers' Stripe accounts.
  • Recommended actions include implementing strict Content Security Policies, monitoring for unusual API calls to Stripe, and using virtual cards for transactions.

Technical Details: The malware uses Google Tag Manager to load a skimming payload that captures payment data and stores it in metadata fields of fake customer records on Stripe. The operation has reportedly been active since December 24, 2025.
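
For the Content Security Policy recommendation above, the following added example (not from the original article or from any vendor) audits a checkout page's CSP header for whether it would let a script load from Google Tag Manager and let page scripts call the Stripe API. The function names, the sample policy strings and the use of `www.googletagmanager.com` as the tag-loading host are assumptions made for the illustration.

```javascript
// Added example: does a checkout page's CSP permit the hosts this summary names?
// Only host, scheme and '*' sources are evaluated; keyword sources ('self',
// nonces, hashes, 'strict-dynamic') are skipped, so treat this as a first pass.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // Per the CSP spec a repeated directive is ignored: the first one wins.
    if (key && !policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

function sourceAllowsHost(source, host) {
  const s = source.toLowerCase();
  if (s === '*' || s === 'https:') return true;
  if (s.startsWith("'") || s.endsWith(':')) return false; // keyword or other scheme
  // Strip scheme, port and path to leave the host pattern.
  const pattern = s.replace(/^[a-z][a-z0-9+.-]*:\/\//, '').replace(/[:/].*$/, '');
  if (pattern.startsWith('*.')) return host.endsWith(pattern.slice(1));
  return pattern === host;
}

// Directive fallback chains from the CSP spec for the two fetch types of interest.
const FALLBACK = {
  'script-src-elem': ['script-src-elem', 'script-src', 'default-src'],
  'connect-src': ['connect-src', 'default-src'],
};

function hostAllowed(policy, directive, host) {
  const governing = FALLBACK[directive].find((d) => policy.has(d));
  if (!governing) return true; // no governing directive: nothing is restricted
  return policy.get(governing).some((src) => sourceAllowsHost(src, host));
}

function auditCheckoutCsp(header) {
  const policy = parseCsp(header);
  return {
    gtmScriptAllowed: hostAllowed(policy, 'script-src-elem', 'www.googletagmanager.com'),
    stripeApiAllowed: hostAllowed(policy, 'connect-src', 'api.stripe.com'),
  };
}

// Constructed sample policies, not taken from any real site.
const LOOSE = "default-src 'self' https:; img-src *";
const TIGHT = "default-src 'self'; script-src 'self' https://js.stripe.com; " +
  "connect-src 'self'; frame-src https://js.stripe.com";
console.log(auditCheckoutCsp(LOOSE), auditCheckoutCsp(TIGHT));
```

CSP matches hosts, not accounts, so a policy that allows `api.stripe.com` in `connect-src` permits requests to any Stripe account; a `stripeApiAllowed: true` result is therefore a prompt to pair the policy with the monitoring of Stripe API calls listed in the key points.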

MITRE ATT&CK Techniques:

  • T1071.001 - Application Layer Protocol: Web Protocols (Command and Control)
  • T1040 - Network Sniffing (Credential Access)
  • T1070.001 - Indicator Removal on Host: File Deletion (Defense Evasion)

IOCs Mentioned:

  • api.stripe.com
  • googletagmanager.com
  • tracking/captcha (Firestore document)
  • braintree-payment-app (Firestore project)
