Someone found a way to turn Stripe into a malware hosting platform
- Attackers abuse Stripe API via Google Tag Manager
- Malware skims checkout data from compromised Magento sites
- Stolen card details exfiltrated through api.stripe.com
Cybercriminals have turned Stripe into a malware hosting platform in a new attack that steals online shoppers' payment information. This is according to cybersecurity researchers at Sansec, who discovered the campaign earlier this week.
Sansec says that the attackers managed to compromise certain Magento/Adobe Commerce store websites, and add a malicious Google Tag Manager (GTM) container.
When a shopper visits the website, the browser loads the GTM container from Google’s servers, and when they reach checkout, the GTM code makes a request to Stripe’s API.
Stealing the information
GTM is a free tool that lets website owners manage tracking, analytics, and other scripts on a website without directly modifying the site's code. Since GTM is a widely used tool, loading code from googletagmanager.com looks completely normal and raises no red flags.
Because Stripe is an online payment processing platform that enables businesses to process financial transactions over the internet, a request to its API at checkout still looks like nothing out of the ordinary. But the GTM code actually retrieves a Stripe customer record controlled by the attackers, inside which are pieces of malicious JavaScript. The website downloads those pieces, reassembles them into a working script, then runs it in the browser, turning Stripe into a storage locker for malware code.
Once that script is running, it starts “watching” the checkout page, so when the victim types in their card details, the script copies everything, including the card number, CVV, name, address, and other relevant details.
Then, instead of sending the data to the attackers immediately, the malware first combines all the stolen information into one string, applies XOR obfuscation, and stores the result locally in the browser. It then splits the stolen data into two chunks, creates a new, fake Stripe customer object in the attackers' Stripe account, and uploads the stolen information.
"Both the payload and the stolen cards move through api.stripe.com. Stores allow that domain by default, so the skimmer slips past Content Security Policy rules and network filters that would otherwise flag traffic to an unknown skimmer domain," Sansec explained.
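Because both domains are allowed by default, the useful signals are which GTM container loads and which Stripe endpoint the browser calls. The following added example (not code from Sansec or from this article) audits a HAR capture of a checkout session for both; the function name, the sample container IDs and the assumption that a store's legitimate browser-side Stripe code never calls the Customers API are illustrative.

```javascript
// Added example: audit a HAR capture of a checkout session for the two
// signals described in the article. All sample data below is constructed.
const GTM_HOST_RE = /(^|\.)googletagmanager\.com$/;
const STRIPE_API_HOST = "api.stripe.com";

// Assumption: the store's browser-side Stripe integration never touches the
// Customers API (customer objects are normally managed server-side).
const CUSTOMERS_PATH = /^\/v1\/customers(\/|$)/;

function auditCheckoutHar(har, approvedGtmIds) {
  const approved = new Set(approvedGtmIds);
  const findings = [];
  for (const entry of har.log.entries) {
    let url;
    try {
      url = new URL(entry.request.url);
    } catch {
      continue; // skip entries whose URL does not parse
    }
    if (GTM_HOST_RE.test(url.hostname) && url.pathname === "/gtm.js") {
      const id = url.searchParams.get("id");
      if (!approved.has(id)) {
        findings.push({ type: "unapproved-gtm-container", detail: id, url: url.href });
      }
    } else if (url.hostname === STRIPE_API_HOST && CUSTOMERS_PATH.test(url.pathname)) {
      findings.push({
        type: "browser-stripe-customers-call",
        detail: `${entry.request.method} ${url.pathname}`,
        url: url.href,
      });
    }
  }
  return findings;
}

// Constructed sample: requests as a browser would record them in a HAR file.
const sampleHar = { log: { entries: [
  { request: { method: "GET", url: "https://www.googletagmanager.com/gtm.js?id=GTM-STORE01" } },
  { request: { method: "GET", url: "https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE9" } },
  { request: { method: "POST", url: "https://api.stripe.com/v1/payment_methods" } },
  { request: { method: "GET", url: "https://api.stripe.com/v1/customers/cus_EXAMPLE" } },
  { request: { method: "POST", url: "https://api.stripe.com/v1/customers" } },
] } };

const sampleFindings = auditCheckoutHar(sampleHar, ["GTM-STORE01"]);
console.log(sampleFindings);
```

A host-level allowlist cannot make this distinction, which is why the check works on container ID and request path rather than on domain.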
Sead Fadilpašić is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.