This new edition of the Price Index is the most comprehensive yet, as we expanded our data sources from three to five of the biggest black markets on the dark web. We found that while the value of your entire online identity remained around the £800 mark, individual hacked accounts for brands with recent privacy or security woes have become significantly more appealing to fraudsters.
We also created a US edition of the dark web market price index that found the value of a full online identity in the United States to be around $1250.
Also steadily increasing in value to cybercriminals are accounts for services that have only become part of everyday life in recent years, such as Netflix and Uber, which along with gaming phenomenon Fortnite are all worth around £8 each.
|Item for Sale||Avg. Price||Avg. Price Change|
Price change is the difference in average price between 2018 and 2019, where 2018 data is available.
Following its huge breach last year, British Airways accounts have more than quadrupled in price to almost £32 each. With its own mega-breach receding in the rearview mirror, hacked Facebook accounts have almost doubled in value since this time last year to £7. Stolen Amazon credentials are also worth more than twice as much at £14.50.
It’s no surprise that stolen financial account details remain a lucrative mainstay on the dark web markets, typically commanding the highest prices – especially high-balance bank details, which change hands for close to £350.
However, the trade in everyday online accounts with less immediately obvious value – and security – continues to flourish. Streaming and gaming accounts such as Spotify, Tidal, Steam and Minecraft typically sell for under £4, or cheaper than the price of a pint.
The average person has dozens of accounts which form their online identity, all of which can be hacked and sold. Our team of security experts reviewed tens of thousands of listings across five of the most popular dark web markets – Dream, Wallstreet, Empire, Berlusconi and Tochka Free. These sites deliberately obscure themselves from the public and can only be accessed through the Tor browser. They are used to buy and sell personal data, along with other contraband including weapons and illicit drugs.
We focused on listings featuring stolen ID, personal data and hacked accounts for this update to the Dark Web Market Price Index. Note that we excluded massive data ‘dumps’ to avoid distorting average prices, as individual accounts equate to tiny fractions of a penny each. Our analysis has found that it would only cost £770 to buy up someone’s entire identity, assuming that they had all the accounts listed.
We did this research in order to raise public awareness about how their personal data holds real value for cybercriminals. Our hope is that this will lead to improving standards of everyday information security.
Protect Your Data: Quick Tips
- Use a VPN – this will protect your personal data on public networks
- Check if you’ve been hacked – Use Have I Been Pwned to see whether any of your accounts have been breached
- Use a password manager – A cheap, effective way to make sure all accounts have unique (and therefore stronger) passwords
- Delete your old accounts – these accounts are useless to you but a treasure trove to hackers
The full Price Index is below.
Dark Web Market Price Index (February 2019 – UK Edition)
Stolen ID, personal data and hacked accounts for sale
| Category | Item for Sale | Avg. Sale Price |
|---|---|---|
| Personal Finance | Bank Details | £347.68 |
| Proof of Identity | Driving License | £13.28 |
| Proof of Identity | | £4.87 |
Sale Prices Explained
The trade in stolen financial details has long been the traditional heart of the dark web’s economy. Credit cards, debit cards, bank and online payment accounts are listed in vast quantities and can command the very highest prices, particularly when the lure of a high value balance is present.
What fluctuates over time is where hackers have the most success in getting their hands on account details with the highest balances. In last year’s Price Index, the PayPal average price of £280 was inflated by the number of $10,000-plus accounts listed. This year, it’s listings for hacked bank accounts where we found the biggest balances. Prices have inflated further as sellers demand a larger percentage cut of the balance – accounts now sell for 20% or even 30% of the balance, compared to 5-10% previously. This has driven the average price up to £348, suggesting the increasing difficulty of stealing this data.
The current scarcity of high-balance PayPal accounts is also likely due at least in part to eBay starting to transition away from PayPal as its main payment processor last year. The two companies have long gone hand-in-hand; eBay accounted for 50% of PayPal’s profits in 2014. eBay is also a common use case for hacked PayPal accounts. If it becomes harder to exploit these accounts, the average price of £14 may fall even further.
There is plenty of scope for the abuse of travel accounts. Compromised Airbnb accounts can be used to create bookings for houses which criminals then burgle, while hacked hosts on the same app can be used for phishing. Airbnb has introduced two-factor authentication, but that hasn’t stopped the abuse from continuing.
There have also been reports of scammers using hacked Uber accounts for their everyday travel, usually deep in Russia.
Criminals are even able to travel internationally, as Avios siphoned off from hacked BA accounts can be used on multiple airlines. It’s entirely possible that a criminal would be able to fly abroad, book a pricey hotel room, and take a whole holiday just from cheap hacked accounts purchased on the dark web.
Proof of Identity
A preferred tactic of cybercriminals is to set up lines of credit in someone else’s name using digital proof of identity bought on the dark web.
One of the more popular kinds of listing advertises “fullz”, which are bundles of ‘full’ identifying data. Listings for fullz often advertise an individual’s name, address, mother’s maiden name, social security number, date of birth, credit reports and other forms of personal data. [NB: where related financial account details such as credit cards were included with fullz we considered these to be personal finance listings].
Bringing the price down this year was an increase in bulk prices for passport scans and other forms of proof of identity.
Hacked online shopping accounts are mostly used for credit card fraud, as criminals can exploit the stored card details for a variety of different scams.
Ironically, budget supermarket Morrison’s (£16) was the most expensive UK brand due to the potential for exploiting its rewards system. Amazon accounts (£14.50) remain appealing to fraudsters as multiple stored cards are more common than not. Not only can they buy costly items for resale but also purchase gift cards to redeem on their own accounts.
Stolen Amazon accounts have tripled in price, which may be in anticipation of a wider rollout for Amazon Go in the USA – thieves would be able to wander in, fill a trolley and leave without detection.
Facebook spent much of 2018 as the whipping boy of the press and western governments and the value of its accounts slumped accordingly on the dark web. However, just as its stock price recovered so too has the black-market worth of hacked accounts for the social media giant. It’s clear that despite the popularity of #DeleteFacebook, there’s plenty of mileage yet in the social media platform.
What hasn’t changed is that once scammers have access to social media accounts, they can search through messages and other private data to gather enough information to crack into more directly lucrative accounts. One avenue of attack is social engineering: the content of someone’s private messages is more than enough to crack their security questions.
Subscription-based software is also making its first appearance on the Dark Web Market Price Index. The listings we found – largely for security software – are exclusively pitched as being for personal use rather than for further fraud.
In the past, hacked Skype accounts have been used to send spam, bypassing Microsoft’s two-factor authentication. The spam messages are usually phishing links, most notably to LinkedIn and Baidu.
Exploiting mobile phone carriers and the cellular network is a common method of getting accounts. Communication account prices are volatile: T-Mobile logins have surged in price by 66%, while Skype accounts are worth little over a third of their value last year.
This may be due to the growing move away from using text messages as a form of two-factor authentication – SMS has been repeatedly shown up as an insecure form of two-factor authentication, and as companies continue to pivot towards the use of authentication apps or hardware it’s likely that the prices of communication accounts will continue to fluctuate.
Hacked dating accounts can be used for “catfishing”, a con in which scammers pose as romantic interests to socially engineer their way into targets’ bank accounts. The most commonly hacked dating accounts remain Match.com (£6) and Plenty of Fish (£3). However, buying genuinely hacked accounts is a costly and ineffective method to do this compared to simply starting a new account with fake pictures.
As with other types of account, dating accounts can be a rich source of personal info for use in identity theft.
These accounts are used both for identity theft and for leeching streaming content. Prices are steadily rising in this category and even beginning to rival hacked financial accounts in terms of sheer volume (and variety) of listings.
Joining global megabrands Netflix (£8) and Apple (£9) as the most desirable accounts is Fortnite (£9). The gaming phenomenon is unique in that despite being free to play, hacked accounts may include valuable in-game perks that would otherwise be difficult to obtain.
It’s common for vendors of stolen streaming service memberships to offer “lifetime accounts”. This is a form of warranty under which buyers can switch to freshly stolen accounts every time they are locked out of their previous account by its legitimate owner.
This is the first time that accounts for newspapers and magazines have appeared in the course of our research. The majority of the hacked accounts we found in this category were being sold by a single seller on Dream Market, the dark web’s biggest market.
As well as for run-of-the-mill ID theft, scammers buy up these accounts for more straightforward reasons: there have been reports of Deliveroo accounts being used by hackers to place £200 orders in the UK. Meanwhile in the US, Grubhub has also been exploited by hackers for up to £140 in a single order.
It is also interesting to see what kind of food the average dark web criminal likes best: mostly pizza and burgers, with the most popular stolen accounts for sale including Pizza Hut and Domino’s.
Hacked email accounts tend to be sold either in massive dumps from large-scale data breaches or as small batches of, or even individual, verified emails. For the purposes of the Price Index, we disregarded big dumps: unit prices work out at tiny fractions of a penny each, as accounts are not guaranteed to be accessible or even valid.
Verified emails, on the other hand, trade for a few pounds each. That may not seem much for an account that can act as a skeleton key to your online life; however, increasing adoption of two-factor authentication keeps overall prices relatively low.
However, Gmail accounts trade for nearly five times as much as they did last year, due to the vulnerability of accounts using SMS for 2FA.
Tips on How to Protect Your Data
Check If You’ve Been Hacked
The short, scary answer is that some of your personal data is almost certainly already for sale on the dark web. The first step is to find out which of your accounts have been stolen. Have I Been Pwned should be your first port of call, as it’ll help you find out which of your email accounts and old passwords have been compromised. If you have been breached, change your passwords.
Get a Good VPN
Secure your internet browsing with a good virtual private network (VPN). VPN software encrypts your internet connection, and hides your IP address, concealing your web activity from snoopers. A secure VPN like NordVPN will let you use public WiFi securely, without having to worry about hackers and snoopers.
Get a Password Manager
You should also get a password manager. It helps to secure your online life by generating cryptographically strong and unique passwords for every site that you use, which it then autofills into login pages as you browse. This allows you to forget all the individual passwords, as all you have to remember is the password to get into the manager. The market leaders in this area are 1Password and LastPass, both of which cost less than £5 a month.
Delete Old Accounts
Finally, close down any old accounts you have that you don’t use anymore. Old social media and gaming accounts untouched in years don’t hold any use to you, but are useful attack vectors for hackers and other bad actors. If these accounts are no longer important to you, you should delete them.
Our team reviewed all fraud-related listings on five of the largest dark web markets: Dream, Wallstreet, Empire, Berlusconi and Tochka Free. Relevant listings were collated and categorised in order to calculate average sale prices. We excluded large-scale ‘dumps’ to maintain the integrity of the data. Dark Web Market Price Index 2019 – Raw Data.
The authors of all our investigations abide by the journalists’ code of conduct.