This had happened with one of my family members in 2014. They had added their credit card to PayPal. One afternoon, they got a message that around 19 GBP had been spent for buying something via PayPal. That transaction was reversed by the merchant itself (likely because the credit card company intervened somehow as that card was never used for international transactions before that) but what followed afterward is much more interesting.
After that happened, the hacker tried to take over the PayPal account by adding a new email address and making it the primary email of that PayPal account (essentially trying to lock us out of the PayPal account). We tried calling PayPal India customer care but they were of no help. But, thankfully that process (aka making a new email ID as the primary email ID) required approval which was sent to the existing email address present in the PayPal account.
But then, we started to get 2FA login codes on SMS, essentially meaning that someone was trying to log in to the Gmail account linked to that PayPal account (the odd thing about those SMSes was that those were not in English, something like “קוד האימות שלך ב-Google הוא” (this is Hebrew) which revealed to us that the hacker wasn’t from India (or was masking/hiding their location)). From what I understood later, the hacker likely had somehow gotten their hands on the password for the Gmail account as well. Fortunately, a few months earlier, we had enabled Two Factor Authentication on all family Gmail accounts and that became our saving grace. Eventually, we were able to reset the PayPal account password and remove the new email address from the account. The first thing we did after that was removing the stored credit card from PayPal.
After that incident, I have become somewhat paranoid and try to enable 2FA everywhere (even my TradingQnA account has 2FA enabled) and prevent storing cards wherever possible.
But after reading about your experience, I am a bit scared. Your case does look like it’s related to SIM swapping/cloning, but isn’t there any way to approach Amazon India and report that your card was used for doing an illegal transaction via the Amazon platform? The hacker would have likely covered their tracks (aka created a fake Amazon account) but given that they had entered your card details in Amazon Pay to make a payment, Amazon would likely know to which merchant that payment was done to. In case they are willing to share those details, you could then approach that specific merchant to get more details about that transaction. But something like this wouldn’t be possible without some kind of legal action.
Also, I have come across a recent news story related to curbs being introduced by RBI for storing card data after the rising incidents involving card data leakages -