The $0 Transaction That Signaled a Nation-State Cyberattack
Key Points:
- Fraud enables cyber operations: Threat actors used compromised payment cards validated through Chinese-operated card-testing services to attempt unauthorized access to Anthropic's AI platform during a reported state-sponsored espionage campaign.
- Card testing signals downstream attacks: The observed fraud followed a predictable kill chain—compromise, validation, resale, and attempted cashout—providing early warning indicators that preceded the final malicious transaction.
- Recorded Future’s take: Proactive fraud intelligence prevents broader threats. Tester merchant intelligence can identify compromised cards before they're used for high-value fraud or to support advanced threat actor operations.
What Happened
In November 2025, Anthropic disclosed the first known cyber-espionage campaign conducted primarily by an autonomous AI system, attributed to a Chinese state-sponsored threat actor. During the same period, Recorded Future's Payment Fraud Intelligence (PFI) team observed a parallel fraud incident with strong overlap in infrastructure and behavioral patterns.
Analysts tracked the late stages of a third-party payment fraud attack: a compromised card was validated through Chinese-operated tester services, then used in an attempted ~$200 purchase on Anthropic's platform. The timing aligned precisely with the publicly reported campaign.
This isn't an isolated tactic. Threat actors have long used compromised payment cards beyond simple financial theft—to fund phishing campaigns, bypass anti-money laundering controls, and evade geographic restrictions on services.
What's new is the likely use of stolen cards to access Western AI platforms while shielding attacker identities.
The Card Fraud Kill Chain
Payment Fraud Intelligence analysts observed a textbook fraud progression:
September 28, 2025: The card appeared in an authorization at a merchant known to be abused by Chinese card-testing services, likely a validation check shortly after compromise.
October 10, 2025: A second test transaction occurred at the same merchant, suggesting the attackers were confirming the card remained active after an "aging" period, common before listing cards for sale.
October 21, 2025: Two additional card-testing transactions occurred, consistent with the card changing hands on a dark web marketplace as buyers verify usability upon purchase.
October 22, 2025: Fraudsters attempted a payment on Anthropic's platform. Though Anthropic detected and blocked the activity, the attempt demonstrates how fraud infrastructure directly supports advanced threat operations.
All four testing transactions occurred at a merchant abused by a card-testing service that likely serves Chinese-language threat actors. The service offers both English and Chinese interfaces and advertises in Chinese-language fraud-focused Telegram communities.
Why the card activity and timeline matter
While PFI analysts cannot definitively link this specific card activity to the Anthropic cyber espionage campaign, the fraud was almost certainly intended to fund illicit platform access. The coincidence of timing and infrastructure strongly suggests a connection to broader threat operations.
This investigation reveals how fraud intelligence intersects with cybersecurity at multiple levels:
Strategic: Payment fraud doesn't exist in isolation. Card-testing activity and attempted fraudulent purchases may be components of larger operations with significant security implications for targeted organizations and industries.
Operational: Fraud with stolen payment instruments gives threat actors access to legitimate resources—including AI platforms—that can be weaponized against organizations, vendors, and customers.
Tactical: Tester merchant intelligence reliably identifies compromised cards before cashout attempts. Since card testing consistently precedes fraud events, detecting these early signals prevents larger downstream losses.
What mitigations exist?
For Financial Institutions:
A card interacting with known tester merchants is a high-fidelity compromise indicator. Financial institutions should use internal processes and Recorded Future Payment Fraud Intelligence Tester Data to identify affected cards, then re-issue them or raise their risk scores in fraud detection models.
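The issuer-side check described above can be sketched as follows. This is an added example, not Recorded Future's code: the merchant IDs, card tokens, amounts, and the `reissue_after` policy are constructed assumptions, and only the dates mirror the timeline in this article.

```python
from collections import defaultdict
from datetime import date

# Constructed watchlist; in practice it comes from a tester-merchant intelligence feed.
TESTER_MERCHANTS = {"MID-TESTER-001"}

# Constructed authorization records: (card token, date, merchant ID, amount).
# Tokens, merchant IDs and amounts are placeholders, not real data.
AUTHS = [
    ("tok_A", date(2025, 9, 28), "MID-TESTER-001", 0.00),
    ("tok_B", date(2025, 10, 1), "MID-GROCER-114", 42.10),
    ("tok_A", date(2025, 10, 10), "MID-TESTER-001", 0.00),
    ("tok_A", date(2025, 10, 21), "MID-TESTER-001", 0.00),
    ("tok_A", date(2025, 10, 21), "MID-TESTER-001", 0.00),
    ("tok_A", date(2025, 10, 22), "MID-AI-PLATFORM", 200.00),
]

def flag_tested_cards(auths, tester_merchants, reissue_after=2):
    """Return {card: finding} for every card seen at a tester merchant."""
    hits = defaultdict(list)    # card -> dates of tester-merchant authorizations
    later = defaultdict(list)   # card -> non-tester activity after the first hit
    for card, day, mid, amount in sorted(auths, key=lambda a: a[1]):
        if mid in tester_merchants:
            hits[card].append(day)
        elif card in hits:
            later[card].append((day, mid, amount))
    findings = {}
    for card, days in hits.items():
        first_spend = later[card][0] if later[card] else None
        findings[card] = {
            "tester_hits": len(days),
            "first_hit": days[0],
            # Assumed policy: repeated testing means re-issue, a single hit raises risk.
            "action": "reissue" if len(days) >= reissue_after else "raise_risk_score",
            # Days between the first tester hit and the first later purchase attempt.
            "lead_days": (first_spend[0] - days[0]).days if first_spend else None,
        }
    return findings
```

On this constructed data, the card is flagged at its first tester hit, well before the later purchase attempt.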
For Businesses and Merchants:
Organizations in industries where products could be misused for malicious purposes should incorporate payment fraud indicators into their security posture:
- Implement 3D Secure-based cardholder authentication, even where not legally required, to leverage card issuers as fraud detection partners.
- Correlate cardholder payment information against account registration data. While not a hard requirement (to avoid customer friction), flag discrepancies to lower action thresholds when combined with other suspicious indicators.
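One way a merchant could implement the correlation step above, as an added example that is not from the original article. The field names, signal names, and threshold values are hypothetical; the point is that a billing/registration mismatch never blocks a payment on its own and only lowers the number of other indicators needed to trigger review.

```python
# Hypothetical thresholds; tune against your own fraud data.
BASE_REVIEW_THRESHOLD = 3     # other suspicious signals needed to hold a payment
MISMATCH_THRESHOLD_DROP = 1   # each mismatched field lowers that bar by one

def normalize(text):
    """Case- and whitespace-insensitive form for name comparison."""
    return " ".join(text.lower().split())

def billing_mismatches(account, payment):
    """List the fields where card billing data disagrees with registration data."""
    found = []
    if normalize(account["name"]) != normalize(payment["cardholder_name"]):
        found.append("name")
    billing = payment["billing_country"].upper()
    if account["country"].upper() != billing:
        found.append("country")
    if account["signup_ip_country"].upper() != billing:
        found.append("ip_country")
    return found

def decide(account, payment, other_signals):
    """Return the mismatches, the effective threshold, and the resulting action."""
    mismatches = billing_mismatches(account, payment)
    # The floor of 1 keeps a mismatch from acting as a hard requirement:
    # with no other signal present, the payment is still allowed.
    threshold = max(1, BASE_REVIEW_THRESHOLD - MISMATCH_THRESHOLD_DROP * len(mismatches))
    action = "review" if len(other_signals) >= threshold else "allow"
    return {"mismatches": mismatches, "threshold": threshold, "action": action}

# Constructed sample records (no real customer data).
MATCHING = ({"name": "Jane Doe", "country": "US", "signup_ip_country": "US"},
            {"cardholder_name": "jane  doe", "billing_country": "us"})
DIVERGENT = ({"name": "Alex Example", "country": "SG", "signup_ip_country": "SG"},
             {"cardholder_name": "Pat Sample", "billing_country": "US"})
```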
The bottom line - and looking ahead
Most payment card fraud will continue to be motivated by personal financial gain. However, advanced threat actors will increasingly leverage the same fraud ecosystem—card-testing services and carding shops—to source compromised identities and payment methods.
As AI technologies advance, threat actors will likely operationalize these stolen credentials to access geo-restricted products and obscure their true identities, making the intersection of fraud intelligence and cybersecurity increasingly critical.
Recorded Future Payment Fraud Intelligence provides the tester merchant data, dark web monitoring, and fraud indicators your team needs to detect compromised cards before they enable downstream attacks.