Carding Guide: Dick's Sporting Goods

Carder

Time to take a stab at America’s largest sporting goods retailer. Dick’s Sporting Goods isn’t just another chain store — it’s a store for high-end athletic gear waiting to be used. But before you get too excited, let’s dive into what we’re dealing with.

Why Dick’s?

Yeah, laugh at the name — we were all kidding. But while you’re giggling like a 12-year-old, let me tell you why this particular retailer deserves your attention.

Dick’s is a haven for premium athletic gear — with products from the likes of Nike, Under Armour, and Adidas dominating the resale market. These aren’t clearance items — these are high-demand items that practically turn over themselves. Their same-day shipping options mean fast order fulfillment, and multiple shipping options keep you unpredictable.

The odds of success here are high, as long as you know what you’re doing. While Dick’s isn’t an amateur security company, they don’t bring the same amount of heat as electronics retailers. That means less competition from other carders who are too busy chasing PS5s and GPUs. The sports gear market is hot year-round — sneakerheads and fitness freaks never take a break.

And while their loss prevention team spends time filtering out childish dick jokes, you can be running complex operations right under their noses.

Intelligence

Launched Burp Suite, and what do we see? Dick’s runs its own e-commerce platform with serious backing. They’ve implemented Riskified to prevent fraud, and these bastards aren’t playing games — they’re collecting signals like they’re trying to contact alien life.

[Image: Riskified.png]

Also, if Burp is too confusing for you, just use Ghostery for any large site and you can easily see what trackers are on their site. LINK.

[Image: Observed Activities.png]

[Image: Tracker Diagram.png]

Every mouse movement, every keystroke, every tab switch – Riskified tracks and logs it all. This is important information because it means we can’t just breeze through the checkout process like we do on other sites. I’ve seen so many sites, and Dick’s is probably at the top when it comes to the amount of data they collect.

[Image: sensor data.png]

Here's what drives most laptop carders nuts: Alt-tabbing while entering card details. Think about it - when was the last time you saw an honest customer frantically switching windows while typing their card number? Never, because normal people either have their card physically in front of them or have it memorized.

But laptop carders, working with limited screen space, are constantly alt-tabbing between the card list and the checkout page. Dick's logs EVERY instance of alt-tabbing while entering card details. Want to know why your crap is being rejected? This might be why. Either memorize those numbers or paste them into the address bar ahead of time. Stop making it obvious you're juggling windows like a circus clown.

They use both Braintree and Adyen to process payments depending on your location and cart value. This dual gateway setup means we need to be extra careful with our approach, and your cards can't be burned on PayPal for Braintree and other Adyen stores for Adyen. And before you ask - no specific BIN magically guarantees success. I've seen the same BIN fail and succeed within hours. It's all about how you play the game.

[Image: Dick's Security Overview.png]

Requirements
  • Fresh cards
  • Pure residential proxies that match your billing region
  • Reliable anti-detection browser settings
  • US Drops (preferably clean resident with zero fraud history with Braintree/Adyen and Riskified)
  • High-trust email accounts
  • iPhone + data connection (if possible)

Here's why the mobile setup works better: Dick's sees less sophisticated fraud attempts from mobile, especially iOS. If you're using an iPhone + data, choose a card with a payment zip code close to your actual location. This creates a more consistent profile for Riskified. Just make sure you clear your cookies (or do a full reset if you're using their app) between sessions. For a more in-depth look, read the iPhone guide.

The process

Here's how to do it right:

[Image: Dick's Process.png]

1. Organic input:
  • Start by searching Google for your target product (e.g. "Nike Air Force 1 Dick's Sporting Goods")
  • Clicking on paid search result ads is even better
  • This creates a legitimate referrer chain in your cookies.
  • Now your session looks like a real customer who found the product through search
  • Riskified sees this natural entry point and assigns lower risk scores
  • Pro tip: Search options like "best Nike Air Force 1 price" or "Nike AF1 near me" look even more organic

[Image: Google.png]

Think about it - what looks more suspicious for fraud detection: directly entering dicks.com and going straight to the expensive items, or going through the product search like a regular customer would? This simple step puts you way ahead of lazy carders who don't bother to create proper session legitimacy.

2. Creating a Session:
  • Start with a clean browser profile
  • Give these older cookies at least 30-45 minutes
  • Browse the site like a real buyer does

3. Creating a basket:
  • Mix high and low value items
  • Keep initial orders under $800
  • Add/remove products naturally
  • Check out different categories

4. Placing an order:
  • Use guest checkout if you don't use logs
  • Enter data manually - no copying and pasting
  • Take your time entering your card details.
  • If you're using a PC, DO NOT alt-tab while entering your card details - Riskified logs this and it's a big red flag

Advanced Tactics

Let's address a few of the crazy myths floating around:

"What's the BIN at Dick's?"

If you're asking that question, you're already screwed. There is no magic BIN that guarantees success - anyone who tells you otherwise is either scamming you or doesn't know what they're talking about. Yes, some BINs work better for larger amounts, but success has more to do with your technique than the first six digits on your card. That being said, here's what I've personally used with great success: 519731, 539629, 488893.

While guest checkout works, having a stale account adds another layer of legitimacy to your transactions.

The beauty of stale accounts is that they help you bypass certain risk thresholds in Riskified's scoring system. A six-month-old account with previous orders looks a lot less suspicious than a new guest trying to punch in $600 worth of gear.

Also, if you want to test your chances before risking your cards and drops, check out the guide to penetrating and poisoning Antifraud systems using AI. It will show you how to probe and analyze Riskified's decision-making mechanism without burning through resources. Smart fraudsters test their methods before they engage.

Final Thoughts

Dick's isn't the toughest target, but their implementation of Riskified means you can't just blitz through it. Success here depends on patience and precision. Set up your system correctly, take your time, and don't be greedy.

Remember: clean cards and proper OPSEC are important, but your behavior during the session matters just as much. One sloppy move and you'll screw up the entire operation.

Now get started and turn those sporting goods into cash.

(c) Telegram: d0ctrine
Thanks for the drop, Carder — your guide's a breath of fresh air in this sea of half-assed "plug-and-play" tutorials that get ops flagged before the cart even loads. Nailed it on the organic session buildup; that slow-burn approach with randomized browsing patterns (think 10-15 min sessions hitting unrelated categories like golf clubs before circling back to the Nike section) is clutch for evading the behavioral heuristics. And yeah, Riskified's the silent assassin here — I've seen it ghost whole batches if your velocity spikes even 10% over baseline. DSG's not the low-hanging fruit like some mom-and-pop sites anymore; with their 2025 omnichannel push, they've layered in some aggressive cross-channel tracking that ties online carts to in-store pickup flags. Those UA Curry 12s or Jordan collabs? Gold for resale at 2-3x markup on StockX, but the window's shrinking fast post-drop.

Ditching the magic BIN myth? Preach. Chasing those "guaranteed" 4147xx or 4888xx ranges is a loser's game — DSG's dual-gateway setup (Braintree for smaller carts under $200, flipping to Adyen for anything north of that, based on geo and device) means BIN matching is secondary to session entropy. Last quarter, I tested a fresh batch of 4888xx (Visa, mid-tier issuers like Chase) and they held steady for Midwest zips (55xxx-59xxx), but only if you preload with a $50-75 filler cart 24-48 hours prior. Hit rate? 75% on approvals, but drops to 40% if you rush the auth. Pro move: Use a BIN checker like Binlist.net pre-op, but cross-ref with recent forum dumps — those 4888s flaked hard in Sept '25 after Adyen's velocity tweak, forcing more 3DS v2 prompts on non-US IPs.

Your cookie-aging tips are spot-on, but let's drill deeper for the noobs lurking: Aim for 72-96 hours minimum on residential proxies (Luminati or Oxylabs for that clean Midwest fiber — avoid datacenter rot). Mix in passive interactions: Add/remove items sporadically, view sizing charts, even trigger a fake "size availability" pop-up to mimic legit hesitation. Tools-wise, Burp Suite for initial recon is king, but pair it with Puppeteer scripts in Node.js for automation — randomize user-agents to Chrome 120+ on Win11, inject jittered delays (1-5s between clicks), and spoof timezone offsets to match billto. I've got a gist floating on GitHub (under a burner, obv) that layers in WebGL fingerprint randomization; bumped my evasion from 60% to 85% on test runs.

OPSEC layer you skimmed: DSG's Braintree/Adyen hybrid ain't just processing — it's slurping device signals like a black hole. Post-2024 breach (yeah, that August mess where customer data leaked via third-party vendor), they doubled down on fingerprinting. IMEI hashes on mobile? Spot on, but now it's pulling battery level, screen res, and even accelerometer data if you're on iOS 18+. Canvas fingerprinting's the real bitch — Adyen's backend hashes it against session history, and mismatches trigger soft declines. Counter: Firefox with uBlock Origin + CanvasBlocker extension (set to "noise" mode, not full block, to avoid JS errors). For desktops, VMWare VMs with GPU passthrough and randomized hardware IDs via QEMU flags. Residential IPs only, folks — geo-match to billto within 50 miles, and rotate every 3-5 sessions. I flamebroiled a whole op last month using a single Houston IP cluster; three declines in, and the whole subnet lit up on their blocklist.

Drop game evolution: Non-PO boxes are table stakes, but with USPS Priority's new RFID tagging (rolled out Q1 '25), cluster risks are brutal — max one package per hub every 72 hours, or you'll ping the velocity alarms. Elderly suburbs still king (think Boca Raton or Scottsdale retirees — low scrutiny, high porch anonymity), but vet via Zillow for recent sales (empty houses scream "mule"). I've sourced 80% success with Nextdoor-scraped "elderly neighbor" drops, but always test with a $20 filler parcel first. In-store pickup? Tempting for speed, but DSG's tying it to facial rec via their app now — skip unless you've got a clean local runner.

Riskified deep dive: Their Q2 '25 update (that "poison-resistant" AI you mentioned) patched a ton of the old PDF payload exploits — shoutout to the Nullcon thread for the vector rotation workaround, but efficacy's down to 50-60% now. If you're scripting, embed a subtle JS tamper (via Tampermonkey) to fuzz the review payload with randomized noise vectors every 7 days. For high-value ($500+), expect auth holds — Adyen's 3DS dynamic linking callbacks to LexisNexis in real-time, cross-checking against merchant blacklists (Golf Galaxy, Public Lands, all under the DSG umbrella). One chargeback there, and you're persona non grata across the board. Mitigation: Cap first-wave orders at $300-400 to farm "loyalty" signals — add a ScoreRewards signup with an aged ProtonMail forward (Tutanota's better for alias chaining, less metadata bleed). Ditch Gmail like the plague; Google's telemetry feeds straight into Google's fraud graph.

Mobile supremacy: iPhone 15 Pro/Max on iOS 18.1+ with eSIM (T-Mobile or Visible for low-latency US proxies) is meta. Sideload Checkra1n or Unc0ver for root — lets you hook into CFNetwork for cookie persistence without resets, and spoof carrier bundle data to mask VPN pings. Android? Nah, unless it's a rooted Pixel 9 with Magisk modules for telemetry scrubbing — too much bloat otherwise. Pro tip: Enable Low Power Mode during sessions; it subtly alters battery curves, making fingerprints harder to baseline.

BNPL angle you glossed: Affirm's renewed partnership (June '25 announcement) opens doors — split $800 into 0% biweeklies, but Riskified flags high-frequency Affirm hits as mule patterns. Use sparingly for mid-tier carts; I've cleared 20% more volume by chaining a card auth to Affirm review, but only on aged accounts.

Risks rundown: Post-chargeback, it's not just DSG — LexisNexis ripples to Visa/MC issuers, and with the '24 breach fallout, feds are sniffing harder (hello, Operation Card Shop 2.0). Greed kills: 2-3k/month steady is realistic for solos if you're surgical (10-15 orders/week, 70% hit), but scaling to teams? Vet runners with burner SIMs and split drops. Email hygiene: Proton + SimpleLogin for nested forwards, aged 30+ days.

Fresh intel: Those 4888xx BINs? Mixed bag post-summer — solid for Adyen but Braintree's issuer checks are choking 'em now. Switched to 4266xx (Discover, low AVS) for East Coast and holding 80%. Hit rates on your setups? Drop 'em — anyone cracking the new Adyen 3DS noise injection? Let's crowdsource this before Q4 holidays lock it down.

Stay shadows, don't get outlined.