Darknet Market Prices: How Much Is Your Data Worth?

The Darknet Market Price Index is a series of research reports that track the average sale prices of stolen online account credentials and personal data.

It was first published in 2018 and includes data for both the US and UK.

This article summarizes our main findings, shares details of how hacked accounts sold on the dark web are most commonly used in fraud and shows how consumers can protect themselves from identity theft.

The average person has dozens of accounts which form their online identity, all of which can be hacked and sold.

Each time we update the Index, our team of security experts analyzes tens of thousands of listings across the most popular dark web markets at the time, looking for such accounts.

The individual markets themselves are transient. As soon as law enforcement shuts down a major market, a new one will pop up to take its place.

They deliberately obscure themselves from the public and can only be accessed through the Tor browser, ideally using a VPN (Virtual Private Network) for additional security. The markets are often used to buy and sell personal data, along with other contraband including weapons and illicit drugs.

A single hacked account can open the door to identity theft, due to password re-use and the wealth of personal details stored within that can be exploited.

Identify theft can be a deeply stressful – and expensive – experience.

The goal of buying stolen credentials is frequently to open lines of credit in someone else’s name. These loans, credit cards and overdrafts have long been drained before the victim is even aware of the crime, saddling them with responsibility for the debt.

Taking steps to prevent identity theft should be a priority for every single person online.

Here are some simple security tips that anyone can follow to protect your sensitive online information:

Get a Password Manager

A password manager is essential in 2021. Widespread password re-use across multiple accounts means hackers only need one set of login details to run a credential stuffing attack ^[1] and instantly gain access to many more.

A password manager helps to secure your online life by generating cryptographically strong and unique passwords for every site that you use, which they then autofill into login pages as you browse. All you have to remember is a single master password. The market leaders are 1Password and LastPass, both of which cost less than $5 a month and have good free versions.

Get Antivirus and Malware Protection Software

Malware such as keyloggers can steal your passwords and other personal data that can be used to access your online accounts and commit identify theft.

Scan your devices regularly using trusted software, such as Malwarebytes for Windows and macOS, and Avira Mobile Security for iOS and Android. It’s also well worth enabling real-time web protection too, even if you have to upgrade to the paid version to do so.

Enable Two-factor Authentication (2FA)

Most online services now allow you to set up 2FA. It’s very simple, secure and you should do it right away.

With 2FA switched on, criminals won’t be able to hack into your account even if they have your log-in details as a further step is required to gain access after entering your password.

Typically, this will require entering a security code generated in an app on another device, such as your smartphone. Services like Authy allow you to generate codes for multiple services in a single app. Google offers a range of 2FA methods (also known as two-step verification). While receiving codes via SMS might be tempting, this is best avoided, as messages can be hijacked.

Go To The Source

To avoid falling victim to phishing scams,^[2] it is always best to go straight to the source — by typing the company’s official URL into a new web browser.

If an email looks suspicious (ie strange format, slightly misspelt sender address) never click on any of the links or attachments in that email and always verify that the actual email address is from the person or company it says it is from.

Check For Data Breaches

The short, scary answer is that some of your personal data is almost certainly already for sale on the dark web. The first step is to find out which of your accounts have been stolen. haveibeenpwned.com should be your first port of call, as it’ll help you find out which of your email accounts and old passwords have been compromised in a data breach.

If you have been caught up in a breach, change your passwords immediately.

Use a Secure VPN

A VPN is an ideal software to safely use public WiFi, which is often insecure.

The software encrypts your internet connection, making it harder to monitor, intercept and sell your web activity.

Read our VPN reviews to find a service best-suited for your needs.

Delete Old Accounts

Close down any old accounts you have that you don’t use anymore. Old social media accounts or store accounts used once years ago don’t offer any value to you, but are useful attack vectors for hackers and other bad actors.

Where possible, remove your personal information from any websites that don’t require it. If your social media accounts are no longer important to you, you should delete them.

Stay Alert

The sooner fraud is detected, the lower the financial impact. In addition to the above measures, frequently checking your credit/debit card activity can allow you to quickly notice fraud.

Contact your financial institution as soon as you suspect fraudulent activities are happening on your account. Wherever possible, set up email or text alerts to notify you of suspicious activity such as unexpected orders for a new bank card or if a threshold transaction amount has been reached.

Key Findings

Published in February 2023, this report focuses on analyzing which online account details are most commonly put up for sale on the darknet markets.

It reveals the extent to which streaming and VPN account details dominate the illicit trade in personal data on the darknet markets.

Read the full Darknet Markets 2023 report

Key Findings

Published in August 2020, this report focuses on the impact of the global pandemic on dark web prices.

It reveals how the significant shifts to our lifestyles imposed by lockdowns and other social restrictions were reflected in not only in price fluctuations on the dark web markets but also in major changes to the types of hacked data being traded there.

Read the full Darknet Market Price Index 2020 report

Key Findings

We published two editions of the Index in 2019. The full report at the start of the year featured U.S. and UK data. This was followed up with a mid-year update of UK prices, conducted as part of our appearance on the BBC Watchdog consumer affairs TV show.

While the overall average value of a person’s identity hadn’t shifted significantly year-over-year in our initial report, by the middle of the year, the UK at least, it had surged threefold.

Read the full Darknet Market Price Index 2019 Report

Key Findings

The inaugural Darknet Market Price Index was published in February 2018 and calculated for the first time the value of an individual’s online identity on the dark web.

Thanks to worldwide media coverage of our findings, it has helped bring the conversation around personal information security further into the mainstream.

Read the full Darknet Market Price Index 2018 Report

Key Findings

As well as analyzing the trade in personal data on the dark web, we also investigated the sale of the tools used to steal these credentials. Our report on this topic was published in July 2018 and included data on U.S. and UK brands.

We found that the financial barrier to entry for this kind of cybercrime to be alarmingly low, with powerful tools selling for pocket change.

Read the full Darknet Market Price Index Hacking Tools Report

Our personal information has real value on the dark web because it can be used fraudulently in such a wide variety of ways to make a profit at your expense. Some of the more common scams are listed below, organized by type of hacked account.

Communication

Hacked Skype accounts have previously been used to spam people with phishing links that mimic LinkedIn and Baidu messages.^[3]

Another common scam is exploiting mobile phone carriers to get around two-factor authentication and into bank accounts.^[4]

Delivery

Fraudsters have been caught setting up complex schemes involving stolen Paypal and eBay accounts that they use to buy expensive electronics.^[5] A hacked DHL account could be the missing piece of the puzzle that allows them to get their hands on the goods, which would be typically resold.

Entertainment

Log-ins for everyday services like Netflix and Spotify primarily offer a route into potential identity theft, since it remains so common for people to reuse their passwords.

By gaining one set of valid credentials, hackers use software to automate checking that log-in against thousands of other online services. This is known as “credential stuffing”. The results will either be used for identity theft or sold on the dark web for a profit.

An added bonus is that opportunistic criminals can also stream TV shows and movies and music for free, at least until the true owner notices their account has been compromised.^[6]

Hacked Spotify accounts can also be used in click fraud. A Bulgarian scammer notoriously gamed the Spotify royalties system in 2017 to pocket $1M,^[7] however there is evidence that similar schemes continue to operate using compromised Spotify accounts.^[8]

Food

These services have an added appeal for hackers: as well as opportunities for identity theft and swiping stored credit card details, they can also enjoy expensive blowouts, often with top shelf alcohol jacking up the bill, on someone else’s dime.^[9]

Health

Accounts for services like Fitbit are a potential treasure trove of intimate personal information and health data uploaded from users’ wearable devices.^[10] Compromised account owners even become vulnerable to burglary or home invasion once criminals gain access to live and historical GPS location data.

Identity Documents

Genuine physical identity documents, such as passports and drivers licenses, are incredibly valuable for identity theft. Typically this means fraudulently opening lucrative lines of credit in the passport-holder’s name, which is then swiftly drained, leaving the unwitting victim with a huge debt.

Stolen documents of this nature – intercepted in the mail, for example, or stolen and sold to criminals by corrupt officials – fetch very high prices.

Passport scans sell for only a fraction of the price due to their digital nature and the greater risk of not being accepted.

Online Shopping

Accounts for brands like Amazon and Bestbuy are popular with fraudsters thanks to the prevalence of multiple stored payment methods, typically both credit and debit cards. Not only can they buy a huge range of costly items for resale but also high value gift cards to redeem on their own accounts.

The sheer scale and impersonal nature of Amazon and big box stores’ operations also make them appealing for scams.

Hacked eBay accounts are also particularly attractive as not only do they allow criminals to dupe buyers into sending them money for fake listings but also to buy expensive goods with the account owner’s funds to intercept and sell on.^[11]

Fraudsters also buy eBay accounts in the hope of gaining access to associated PayPal accounts.

Personal Finance

Stolen credit and debit card data, along with bank and online payment account details, have long been the most popular items for sale on the darknet markets. The lure of high account balances to cash out and access to new lines of credit understandably allows these items to always command the highest prices.

A concerning new trend is for hacked debit card data for high-balance accounts to be bundled with SIM cards and cryptocurrency accounts. These all-in-one fraud packages permit scammers to SIM-jack the account ^[12] and drain the funds into the intermediary crypto account, where the stolen cash is easily laundered.

Paypal has long been the scammer’s favorite. High balance accounts can be siphoned off directly, however as PayPal accounts are also often connected to multiple cards and bank accounts, thieves may also have access to significantly greater funds.^[13] This functionality also means that PayPal accounts are also typically used as “middleman” accounts to facilitate all sorts of online scams.

Fraudsters in possession of a hacked PayPal account can also try to double their money by using the account funds to run various well-established chargeback scams on merchants who accept PayPal.

Social Media

Hacked Facebook accounts offer three routes to profit for cybercriminals. First, they are an incredibly rich source of personal information that can be used to facilitate identity theft, helping criminals answer security questions for example.

Compromised accounts may also provide access to stored payment information used for Facebook game and marketplace transactions.

Finally, as with most online accounts, fraudsters bank on the fact that many people still reuse passwords across multiple accounts, especially those they use often like Facebook.

Travel

Compromised Airbnb accounts can be used to create bookings for houses which criminals then burgle,^[14] while hacked hosts on the same app can be used for phishing.^[15]

There have also been reports of hackers changing hosts payment details in order to steal their earnings.^[16]

There have been frequent reports of scammers using hacked Uber accounts for expensive trips, in place as far afield as Russia and Arizona.^[17][18] This cheeky scam is made simple thanks to the requirements for a credit card or PayPal account to be stored in the account.

Gaining access to other travel accounts, such as Booking.com, gives criminals the opportunity to send bogus emails tricking people into making high value payments related to their travel arrangements, as well stealing their credit card details.^[19]

^{[1] https://www.wired.com/story/what-is-credential-stuffing/” ↩}

^{[2] https://www.consumer.ftc.gov/articles/how-recognize-and-avoid-phishing-scams ↩}

^{[3] https://www.windowscentral.com/how-make-skype-more-secure ↩}

^{[4] https://motherboard.vice.com/en_us/article/mbzvxv/criminals-hackers-ss7-uk-banks-metro-bank ↩}

^{[5] https://web.archive.org/web/20210707152225/https://theonionweb.com/2018/01/26/german-man-charged-stolen-paypal-accounts-fraud-scheme/ ↩}

^{[6] https://www.cnet.com/how-to/your-hulu-or-netflix-may-be-hacked-heres-what-to-do/ ↩}

^{[7] https://qz.com/1212330/a-bulgarian-scheme-scammed-spotify-for-1-million-without-breaking-a-single-law/ ↩}

^{[8] https://www.technollama.co.uk/anatomy-of-a-spotify-scam ↩}

^{[9] https://www.dailydot.com/debug/doordash-users-hacked/ ↩}

^{[10] https://hackernoon.com/2-million-fitbit-accounts-was-exposed-by-cybercriminals-aa7u36pj↩}

^{[11] http://www.ebay.co.uk/gds/My-Account-Was-Hijacked-Lessons-From-My-Nightmare-/10000000003443645/g.html ↩}

^{[12] https://www.cnet.com/how-to/sim-swap-fraud-what-it-is-why-you-should-care-and-how-to-prevent-it/ ↩}

^{[13] https://www.telegraph.co.uk/money/jessica-investigates/paypal-says-owe-5680-following-account-fraud-wasnt-fault/ ↩}

^{[14] https://www.buzzfeednews.com/article/carolineodonovan/heres-how-hackers-used-airbnb-to-rob-hosts-homes ↩}

^{[15] https://www.airbnb.com/help/article/199/what-should-i-do-if-someone-asks-me-to-pay-outside-of-the-airbnb-website ↩}

^{[16] https://web.archive.org/web/20210303073900/https://community.withairbnb.com/t5/Help/ACCOUNT-HACKED/td-p/106616 ↩}

^{[17] https://www.buzzfeed.com/alanwhite/why-are-all-these-people-saying-their-uber-accounts-have-bee ↩}

^{[18] https://www.wftv.com/news/action9/woman-paid-hundreds-ghost-rides-after-uber-account-hacked/3ML3LRKRGZDEVPI3FDUXESUCQM/ ↩}

^{[19] https://www.bbc.co.uk/news/business-29942503↩}