You're right, but they do it in a sneaky way to try and avoid that.

The Russian/Ukrainian rings that hit Target and Home Depot (and various other companies) gathered the cards in secret over many months, while not actually using or selling any of them. Then once they feel like they've gathered enough cards to compensate them for their time, or if they feel like they'll lose access or get caught in the near future, they dump them in bulk batches. Generally these breaches, and the company that was breached, get discovered after the very first dump batch. The banks who issue the credit cards can often figure out what store was breached if they're given a random sample of 1000 or so credit cards; they just correlate the cardholder locations with the stores in the area, and see what store has the most overlap. Often bank security personnel are some of the first to buy the credit card dumps. In fact, this is how Home Depot and Target both found out they were even breached at all: the banks ran their analytics on the dumps and informed them.

After the first batch is released, the subsequent batches are usually less likely to work, but sometimes the banks will just issue notices saying "you recently shopped at Home Depot, please check your account statement" instead of blanket disabling all the cards. In those cases, staggering the dumps in batches increases the overall fraud gain.

You can learn more about these kinds of tactics on Brian Krebs' blog: http://krebsonsecurity.com/

Probably the most strategic way to use 50mm credit cards would be to use them destructively, rather than just for direct gain. (All of this is illegal as well as immoral, but just presented so people can develop countermeasures)

Know that using the credit cards will cause the accounts to get frozen, which will cause decreased purchasing; it will also scare people away from those stores, and possibly from purchasing in general.

A nation state could do this for disruption directly; Russia could filter the 50mm cards to find cards belonging to US people (or just assume home depot = usa), and intentionally cause transactions requiring replacement. Do this on the last week before xmas, or black friday, or some other strategic time.

A criminal organization could use the breach to manipulate the stock market -- either directly (shares in the breached company tank, although this doesn't happen to a very large extent), or by blocking cards used at one merchant in particular, raise the sales of a competitor indirectly.

There's also straight extortion -- we'll sell these back to you and go away IFF you pay us.

Interesting tactic, and I could definitely see it being employed by an intelligence agency, but it's unlikely the fraudsters would be able to see any significant monetary gain from it. As you alluded, Home Depot's stock didn't decrease that much, and it bounced back shortly afterwards.

Some of the fraudsters and criminals are politically motivated to an extent, especially with the recent US sanctions against Russia (the codename for the Home Depot card dump is "American Sanctions"), which you can read more about here: http://krebsonsecurity.com/2014/09/home-depot-hit-by-same-ma... The POS malware even has some not so subtle anti-American images embedded within it.

But that said, they care about the money above all else. The rest is just a little added motivation.

For the hackers who broke in and gathered the numbers, large batches of fresh numbers make them the most money. They sell the dumps and the more numbers/the more recent, the more they make. So hitting a big target, gathering a huge collection, and then dumping it all at once is the most profitable. The people who buy the dumps have to worry about cards getting flagged, but not the people selling them, and the hackers dumping the cards don't really care what the people who buy the dumps have to deal with, they just care about getting the most cash they can.

Also since any release at all is highly likely to trigger an investigation, a small dump could be the last, so a big dump is the lowest risk.