Darknet Market Price Index: 2019 Report
This 2019 update to the Price Index shows hacked accounts are still cheap on the dark web: even big brands like Apple, Fortnite, Netflix and Airbnb cost less than $15.
UPDATED 1 Sep 2021 to consolidate all 2019 data and reformat for improved user experience.
2019 Full Report
- $1,250: average value of the online identity of an individual in the U.S. on the darknet markets. For UK residents, it was £770.
- Amazon: most valuable brand on the darknet. Accounts selling for over $30 on average followed by Best Buy log-ins ($27) and eBay ($22)
- Games and streaming: Fortnite log-ins at $11 three times as valuable as Netflix, Minecraft, Spotify and similar accounts that typically sell for sub-$4
- Apple: losing its lustre with scammers, as value of accounts drops 26% to $11
2019 Mid-Year UK Update
- £2,400: average value of the online identity of an individual in the UK on the dark web.
- Price spike: up 200% on average since the start of the year
- Notable price surges: Airbnb (£20), Facebook (£14) and PayPal (£84.50)
- Bank details: value surges threefold to over £1,000 per hacked account
Identity Theft Trends in 2019
We extended our analysis this year from three to five of the biggest black markets on the dark web, making this edition of the Darknet Market Price Index the most comprehensive yet.
Read all our research reports on the darknet trade in hacked personal data
Our analysis of the trade in stolen online credentials and personal data revealed individual hacked accounts for brands with recent privacy or security woes have become significantly more appealing to fraudsters.
Despite these individual price increases, we found the value of someone’s entire online identity remained around the $1,200 mark. For UK residents it was a little less at around £800.
Also steadily increasing value to cybercriminals were accounts for online services which have become a part of everyday life in recent years, such as Netflix and Uber, which along with gaming phenomenon Fortnite all sell for around $11 each on the dark web.
Hacked Accounts: Notable Findings
The following table pulls out some of the most notable prices for accounts that a resident of the US or the UK might expect to have.
Individual accounts marked with US or UK are based on data applicable to that country only, otherwise prices in GBP have been converted from USD at the FX rate at the writing, $1.31.
Price change is difference in average price between 2018 and 2019, where 2018 data is available.
With a horror year receding in the rearview mirror, hacked Facebook accounts have almost doubled in value since this time last year to just over $9 (or around £7) after falling out of favor following the data breach affecting 50 million accounts. Stolen Amazon credentials have also rocketed in value, worth over three times as much year-over-year at $30 (or around £14.50 for UK accounts) to be the most valuable brand on the dark web.
It’s not surprising that stolen financial account details remain a mainstay on the dark net markets and typically command the highest prices – especially high-balance bank account and debit card details, which change hands for close to $260. For UK bank accounts, prices are even higher at almost £348.
However, the trade in entertainment accounts with less immediately obvious value for identity thieves continues to flourish. Accounts for games and streaming services including Spotify, Tidal, Steam and Minecraft typically sell for less than $4 (or sub-£3), cheaper than a Big Mac.
The average person has dozens of accounts which form their online identity, all of which can be hacked and sold. Our team of security experts reviewed tens of thousands of listings across five of the most popular dark net markets – Dream, Wallstreet, Empire, Berlusconi and Tochka Free. These sites deliberately obscure themselves from the public and can only be accessed through the Tor browser, preferably also with a Tor-optimized VPN for added security. They are often used to buy and sell personal data, along with other contraband including weapons and illicit drugs.
We focused on listings featuring stolen ID, personal data and hacked accounts for this update to the Darknet Market Price Index. We excluded massive data ‘dumps’ to avoid distorting average prices, as individual accounts in these dumps equate to tiny fractions of a cent each. Our analysis has shown that it would cost only $1,250 to buy up the entire identity of someone in the US, assuming that they had all the accounts listed. In the UK, that figure is around £800.
Why did we publish this research? By showing how much fraudsters are willing to pay for stolen credentials, our goal is to raise awareness about the value of our personal data. We hope this will lead to a rise in standards of day-to-day personal information security for the average internet user.
UPDATE Jun 2019: we published a follow-up to the full 2019 report that focused on UK data. Jump straight to those findings.
Darknet Market Price Index 2019
US Data
The following table shows average prices for US stolen ID, personal data and hacked accounts for sale on the darknet markets. It’s ordered by category, most valuable to least valuable.
UK Data
The following table shows average prices for UK stolen ID, personal data and hacked accounts for sale on the dark web. It’s ordered by category, most valuable to least valuable.
Darknet Price Analysis 2019
The following section analyzes current darknet market prices for hacked accounts and explores why credentials for individual brands are currently valued as they are. It incorporates both US and UK data.
Find out more about how different types of hacked credentials can be used for fraud in the common scams section of our Dark Web Prices research hub.
Personal Finance
The trade in stolen financial details has long been the heart of the dark web’s economy. Credit card, debit cards, bank details and online payment accounts are listed in vast quantities and can command the highest prices, particularly when the lure of a high value balance is present.
Most fluctuation in this area is caused by where hackers have the most success in finding account details with high balances.
In last year’s Price Index, PayPal‘s average price of $247 was inflated by the number of accounts listed with balances in excess of $10,000.
This year, it’s listings for hacked bank accounts and debit card details where we found the highest balances.
Prices have inflated further as sellers demand a larger percentage cut of the balance. Accounts now sell for 20% or even 30% of the balance, compared to 5-10% previously. This has driven the average price up to $260, suggesting the increasing difficulty of stealing this data. In the UK, this is even higher at £348.
The current scarcity of high-balance PayPal accounts is also likely due at least in part to eBay starting to eBay transition away from PayPal as its main payment processor last year.[1] The two companies have long gone hand-in-hand (eBay accounted for 50% of PayPal’s profits in 2014[2]) and eBay is a common use case for hacked PayPal accounts. If it becomes harder to exploit these accounts it is likely that their average price will continue to fall.
Proof of Identity
One of the more popular kinds of listing advertises “fullz”, which are bundles of “full” identifying data.[3] Listings for fullz often advertise an individual’s name, address, mother’s maiden name, social security number, date of birth, credit reports and other forms of personal data. [Note: where related financial account details such as credit cards were included with fullz we considered these to be personal finance listings].
Bringing down the price this year was a wider tendency to sell passport scans and other forms of ID in bulk.
Online Shopping
The average shopping account sells for between $10 and $20 in the US, with the most expensive being Amazon ($30) and Best Buy ($26.50), both of whom have huge high-value inventories.
Stolen US Amazon accounts have tripled in price, which may be in anticipation of a wider rollout for Amazon Go. Thieves would potentially be able to wander in, fill a trolley and leave without detection.
Prices for stolen Best Buy accounts have more than doubled in the aftermath of a chat bot breach that exposed credit card details.[4]
In the UK, there’s some irony in that budget supermarket Morrison’s accounts (£16) were the most expensive on the dark web in this category. This was likely due to the potential for exploiting its rewards system.[5] At £14.50 on average, Amazon UK credentials were less pricey than those for US accounts.
Delivery
Fraudsters have been caught setting up complex scams involving stolen Paypal and eBay accounts that they use to buy expensive electronics. A hacked FedEx account for $11 could be the missing piece of the puzzle that allows them to get their hands on the goods, which they would usually resell.
Travel
The average value of hacked accounts for travel brands more than doubled year-over-year, due to the high value transactions associated with the category. There also remains plenty of scope for the abuse of such accounts.
British Airways accounts are typically associated with Avios airmiles that can be used on multiple airlines. Credentials more than quadrupled in value to £32 following its huge data breach last year.[6]
Uber accounts jumped 60% compared to last year to over $11 as they become more ubiquitous in our daily lives, making it less likely that fraudulent transactions will be spotted as quickly.
Communication
Mobile phone carrier accounts are mostly getting cheaper. Verizon has fallen 20% in price, while AT&T’s average cost has halved.
This price fall may be due to the growing move away from using text messages as two-factor authentication. SMS has been repeatedly shown up as an insecure form of two-factor authentication and as companies continue to pivot away from using it these accounts will become less useful to hackers.[7][8][9]
Social Media
Facebook ($9) spent much of 2018 under siege from the media and western governments and the value of its accounts slumped accordingly on the dark web.
However, just as its stock price recovered, so too has the dark-web worth of hacked accounts for the social media giant. It’s clear that despite the popularity of #DeleteFacebook, there’s plenty of mileage yet in the social media platform.
Software
Subscription-based software is also making its first appearance on the Darknet Markets Price Index. The listings – largely for security software – we found are exclusively pitched as being for personal use rather for further fraud.
Food
These accounts aren’t used for identity fraud so much as straightforward theft.
It follows then that hacked accounts for a delivery platform like Grubhub would be the most valuable at $9. There are reports of accounts being exploited by hackers for up to $180 in a single order.[10] Log-ins for Deliveroo, a similar service in the UK, trade for £3.
It is also interesting to see what kind of food the average dark web criminal likes best: unsurprisingly, mostly pizza and burgers, with the most popular stolen accounts for sale including Pizza Hut and Domino’s.
Dating
The most commonly hacked dating accounts remain Match.com ($7) and Plenty of Fish ($4).
Prices remain relatively low despite the potential for “catfishing” on top of identity theft, as buying genuinely hacked accounts is a costly and ineffective method to do this compared to simply starting a new account with fake pictures.
Entertainment
Prices are steadily rising for these accounts and are even beginning to rival hacked financial accounts in terms of sheer volume (and variety) of listings.
Joining global megabrands Netflix ($11) and Apple ($11) as the most desirable accounts is Fortnite ($11). The gaming phenomenon is unique in that despite being free to play, hacked accounts may include valuable in-game perks that would otherwise be difficult to obtain.
It’s common for vendors of stolen streaming services to offer “lifetime accounts”. This is a form of warranty under which buyers can switch to freshly stolen accounts every time they are locked out of their previous account by its legitimate owner.
News/Magazine
This is the first time that accounts for newspapers and magazines have appeared in the course of our research. The majority of the hacked accounts we found in this category were being sold by a single seller on Dream Market, the dark web’s biggest market.
Hacked email accounts tend to be sold either in massive dumps from large scale data breaches or as small batches of verified emails. We even found some individual verified emails for sale. For the purposes of the Price Index, we disregarded dumps as unit prices work out at tiny fractions of a cent each and the accounts in these dumps are not guaranteed to be accessible or even valid.
Verified emails on the other hand trade for a few dollars each. That may not seem much for an account that can act as a skeleton key to your online life, however increasing adoption of two-factor authentication keeps overall prices relatively low.
Gmail accounts trade for well over five times as much as they did last year, however, due to the vulnerability of accounts using SMS for 2FA.
Mid-Year UK Update
This June 2019 update of the Price Index comes at a unique time, following the takedown of two major darknet markets in quick succession by the authorities and a sharp spike in prices.
In order to assess the potential impact of this on consumers, we have reviewed a selection of the most important hacked log-ins and accounts to track their changing value to identity thieves.
Alarmingly, the prices have increased on average by almost three times compared to the start of the year, meaning that someone’s entire identity could potentially now be worth £2,400, up from around £800 at the start of the year.
Stolen consumer data is more lucrative for hackers and cybercriminals than ever before. This should serve as notice for everyone to be on their guard against identity theft, or risk becoming a victim.
Notable price surges include Airbnb (£20), Facebook (£14) and PayPal (£84.50) due to the sheer scope of potential fraud that can be committed by scammers in possession of these accounts.
Darknet Markets Price Index
Stolen ID, personal data and hacked accounts for sale
Analysis
In this section we explore what’s behind pricing movements. For more information about how these accounts are used in fraud, read about Common Scams.
The value of bank accounts on the darknet markets has almost tripled in just six months. This increase is likely driven by a range of factors. The fall of two big markets in such a short time, along with the likely subsequent arrest of key vendors, has caused a major – if temporary – reduction in easy availability of all accounts. Those sellers still active can therefore charge a premium.
We are also seeing in increase in listings that not only offer online banking credentials and relevant personal information but also full packages including debit cards, PINs, and for mobile banking services such as Monese, a burner phone and SIM to access them.
We are also currently seeing more hacked bank accounts for sale that have high balances, giving criminals access to thousands of pounds instantly.
Hacked credit cards are the bread and butter of the dark web economy in stolen data and prices remain stable at around £33 per account. Our data focuses solely on genuinely hacked accounts, as opposed to fraudulently-opened new credit cards using stolen identities.
Debit cards are similarly priced at around £46. The higher value is because it’s easier to realize the value of debit cards into cash, and because accounts with high balances are being put up for sale more often.
Paypal has long been a favorite for online fraud. The recent surge in pricing for these accounts to around £84.50 each is likely due to the squeeze in supply caused by the disappearance of two major darknet markets, along with the growth of PayPal Credit.
Hacked PayPal personal and business accounts can be used to set up PayPal Credit accounts with high credit limits, which are then either drained or sold on for a huge profit. PayPal Credit accounts with high limits in the tens of thousands that have been created in this way sell for an average of £3,000, and as much as £12,000 each.
Genuine physical identity documents, such as passports and drivers licenses, are incredibly valuable for identity theft. Stolen documents of this nature – intercepted in the mail, for example, or stolen and sold to criminals by corrupt officials – fetch very high prices. UK passports, marriage and birth certificates all trade for around £2,000, but can fetch as much as £5,000.
Passport scans sell for only a fraction of the price due to their digital nature and the greater risk of not being accepted. They are typically sold in batches of ten scans or more for around £22 each.
In the travel category, prices for British Airways accounts have increased since the mega breach the airline suffered last year, where the payment and passport details of 380,000 customers were stolen.[6] The value of accounts increase in line with the total number of air miles available. Double the points typically equals double the price tag. The current rate is just 18p per 100 air miles.
Prices for hijacked Facebook accounts continue to enjoy a resurgence as it becomes increasingly clear that the platform’s 2.38 billion users aren’t abandoning it any time soon, despite the scandals that have rocked the social media giant.
As with Facebook, Netflix and Spotify log-ins offer a route into potential identity theft. An added bonus is that opportunistic criminals can also stream TV shows and movies and music for free, at least until the true owner notices their account has been compromised.
The continued growth in the value of streaming accounts reflects just how ubiquitous they have become.
Similarly, accounts for news sites like The Times and The Economist give the buyers access to high-quality media that’s otherwise locked behind a paywall. Prices have increased significantly in a short space of time, suggesting that there is strong demand for these accounts – although it does remain a niche offering on the darknet markets.
Looking to online retail, stolen accounts for budget supermarket Morrison’s (£16) are actually more expensive than those of its more upmarket competitors due to the potential for exploiting its rewards system.
This is four times the cost of high-end grocer Ocado (£4) for example, while Tesco accounts are least appealing, priced at less than a £1 each.
Given that pricing reflects demand, Ocado and Tesco accounts have proven less profitable for scammers in the past, likely due to better security, less lucrative rewards schemes or fewer vulnerable stored payment methods.
Hacked email accounts tend to be sold either in massive dumps from large scale data breaches or as small batches of, or even individual, verified emails.
Unit prices on the dumps work out at tiny fractions of a penny each to account for the risk that most won’t be accessible or even valid.
Verified emails, such as Yahoo and Gmail, on the other hand, trade for a few pounds each. The increasing adoption of two-factor authentication keeps overall prices relatively low.
Methodology
For the February 2019 report, our team reviewed all fraud-related listings on five of the largest darknet markets: Dream, Wallstreet, Empire, Berlusconi and Tochka Free. Relevant listings were collated and categorized in order to calculate average sale prices. We excluded large-scale ‘dumps’ to maintain the integrity of the data. Darknet Market Price Index 2019 – Raw Data.
For the mid-year update, the team reviewed fraud-related listings on three of the largest remaining active darknet markets: Berlusconi, Tochka and Nightmare. Darknet Market Price Index – June 2019 UK Update Source data.
Average prices per item for digital items only (ie excluding physical documents) were compared to the relevant entries from the Feb 2019 Index to calculate the price change as percentage difference. The average of these latest percentage changes was applied to the most recent price index total to provide an estimated new price index total.
The authors of all our investigations abide by the journalists’ code of conduct.
References
[1] https://www.ebayinc.com/stories/news/ebay-to-intermediate-payments-on-its-marketplace-platform/ ↩
[2] https://www.recode.net/2018/1/31/16957212/ebay-adyen-paypal-payments-agreement ↩
[3] https://venturebeat.com/2015/02/08/fullz-dumps-and-cvvs-heres-what-hackers-are-selling-on-the-black-market/ ↩
[4] https://www.pymnts.com/news/security-and-risk/2018/best-buy-payments-data-breach-malware/ ↩
[5] https://forums.moneysavingexpert.com/showthread.php?t=5893844 ↩
[6] https://www.theguardian.com/business/2018/sep/07/ba-british-airways-customers-hacked-credit-card-details-dark-web ↩
[7] https://www.theverge.com/2017/9/18/16328172/sms-two-factor-authentication-hack-password-bitcoin ↩
[8] https://www.theregister.co.uk/2018/08/01/reddit_hacked_sms_2fa/ ↩
[9] https://arstechnica.com/information-technology/2018/11/millions-of-sms-texts-in-unsecured-database-expose-2fa-codes-and-reset-links/ ↩
[10] https://abc7chicago.com/technology/grubhub-user-claims-hacker-ordered-feast-to-another-state/1648468/ ↩