A mid-sized digital goods marketplace (selling game keys) was hit by a massive "Card Testing" attack. Fraudsters were using their checkout page to test thousands of stolen credit cards.
The problem? The attackers used high-quality Residential Proxies. To Stripe and standard firewalls, these requests looked like normal home users from ISP networks like Comcast and Verizon. Simple IP blocklists were useless because the IPs rotated every request.
Instead of trying to ban 50,000 individual IPs (whack-a-mole), the team integrated CandycornDB to look at the subnet behavior.
Our engine noticed that while the IPs were "Residential," they were all coming from specific /24 subnets that had seen zero prior traffic on the platform. The team set a simple rule:
Within 24 hours, the attack stopped. The attackers realized their cards were being rejected (or "burned") and moved on to a softer target. The company saved an estimated $12,000 in monthly dispute fees and avoided a ban from their payment processor.