ctipilot.ch


Finance / payments — Stripe-abusing Magecart and OFAC Iran sanctions

From CTI Weekly Summary — 2026-W23 (1–7 June 2026) · published 2026-06-08

A Magecart variant that delivers its skimmer through Stripe customer metadata and exfiltrates stolen card data back through api.stripe.com as fake customer records was documented by Sansec this week (Sansec, 2026-06-04; daily 2026-06-07). Because both payload delivery and exfiltration transit a universally allow-listed domain, CSP connect-src controls and WAF egress rules built around blocking unknown domains are blind to this variant. Detection must move server-side: audit GTM container IDs, monitor Stripe customer-creation events for calls that do not correspond to an order, and inspect customer-metadata fields for encoded JavaScript. Separately, OFAC designated Nobitex and three Iranian exchanges for handling IRGC-affiliated ransomware proceeds; for any EU institution with US correspondent relationships, exposure to the confirmed wallet clusters now carries an OFAC sanctions-nexus consideration.
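The server-side checks the brief recommends, as an added example that is not Sansec's or ctipilot's code: it triages constructed customer.created webhook events, flagging customers with no corresponding order and metadata values that decode to JavaScript. It assumes orders are matched by customer e-mail and that a payload may be split across several metadata keys; both the join key and the packing are assumptions, and the sample events are constructed.

```python
import base64
import re

# Script markers that legitimate customer metadata (order refs, notes) should never contain.
JS_MARKERS = re.compile(r"function\s*\(|document\.|window\.|eval\(|atob\(|fetch\(|<script", re.I)
B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]{24,}={0,2}$")

def _b64_text(value: str) -> str:
    """Decode a base64-looking string to text; return '' when it is not decodable text."""
    if not B64_SHAPE.match(value):
        return ""
    try:
        return base64.b64decode(value + "=" * (-len(value) % 4)).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError both subclass ValueError
        return ""

def metadata_findings(metadata: dict) -> list:
    """Reasons a customer's metadata looks like a script carrier (empty list if clean)."""
    reasons = []
    for key, value in metadata.items():
        if JS_MARKERS.search(value):
            reasons.append(f"metadata[{key}] contains raw JavaScript")
        elif JS_MARKERS.search(_b64_text(value)):
            reasons.append(f"metadata[{key}] base64-decodes to JavaScript")
    # Stripe caps each value's length, so a payload may be split over keys (assumed packing).
    joined = "".join(v for _, v in sorted(metadata.items()))
    if len(metadata) > 1 and JS_MARKERS.search(_b64_text(joined)):
        reasons.append("metadata values joined in key order base64-decode to JavaScript")
    return reasons

def triage_customer_events(events: list, order_emails: set) -> list:
    """Flag customer.created events with script-like metadata or no matching order."""
    findings = []
    for ev in events:
        if ev.get("type") != "customer.created":
            continue
        cust = ev["data"]["object"]
        reasons = metadata_findings(cust.get("metadata") or {})
        if cust.get("email") not in order_emails:  # assumed join key: order e-mail
            reasons.append("no matching order for this customer")
        if reasons:
            findings.append({"customer": cust["id"], "reasons": reasons})
    return findings

# Constructed sample events (not real Stripe data); the "skimmer" is an inert stub.
PAYLOAD = base64.b64encode(b"(function(){document.title='x'})();").decode()
SAMPLE_EVENTS = [
    {"type": "customer.created", "data": {"object": {"id": "cus_A1", "email": "alice@example.com",
        "metadata": {"order_ref": "ORD-1001"}}}},
    {"type": "customer.created", "data": {"object": {"id": "cus_B2", "email": "ghost@example.net",
        "metadata": {"p0": PAYLOAD[:20], "p1": PAYLOAD[20:]}}}},
]
KNOWN_ORDER_EMAILS = {"alice@example.com"}
```

Running `triage_customer_events(SAMPLE_EVENTS, KNOWN_ORDER_EMAILS)` flags only cus_B2, both for the reassembled payload and for the missing order; feed it your own order ledger and webhook stream in place of the constructed inputs.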