Darknet Markets 2023 Report: Most Popular Hacked Accounts

In our most comprehensive analysis of the darknet yet, we investigated 15 markets to determine which stolen online account credentials were the most popular with cybercriminals. For the first time, our research also includes data from all Russian darknet markets that sell hacked account details.
A screenshot of darknet market Kingdom showing identity theft and fraud items for sale
Simon Migliano & Agata Michalak

First published Mar 1, 2023. Last updated to expand the research to include data from two additional Russian darknet markets.

  • Most comprehensive study to date: 15 darknet markets analyzed, including all Russian-language sites, to identify all hacked online account credentials for sale.
  • Russian markets:
    • Almost one quarter (23%) of all hacked online log-ins for sale on darknet markets were on Russian sites.
    • VPNs were the most popular type of hacked account on the Russian markets, which were home to 43% of all hacked VPN log-ins globally.
  • Streaming: Over a third (36%) of all hacked online account log-in details listed on darknet markets were for streaming services. Two of the top 5 most frequently-listed streaming log-ins were for Russian services.
  • VPN services: 21% of hacked online account credentials listed were for VPNs, more than double the next largest category of stolen log-ins.
  • Most popular brands: There were more darknet market listings for hacked NordVPN accounts (8% of all listings) than for any other brand, followed by Netflix (4%) and PayPal (3.5%).
  • Kingpins: We identified 152 vendors in total but 5 “kingpins” were responsible for almost 40% of all listings. The top vendors overall were active on 3 markets but we also identified two vendors who were selling on 7 markets.
  • Most expensive hacked accounts: Marriott Bonvoy ($1,840 on average), Google Ads ($652) and Southwest Airlines ($607).
  • Biggest darknet market for hacked account credentials: Nemesis market had 29.5% of all stolen log-ins for sale, followed by Kingdom (14.5%).
  • Huge variety of accounts: Credentials for 543 different online accounts were available to buy on darknet markets.

The Darknet Trade in Stolen Account Details

The darknet market landscape has shifted significantly and become increasingly fragmented since we last published new data on the illicit trade in hacked accounts on the dark web. It also appears to have been affected by the consequences of the war in Ukraine, in the Russian-language segment at least.[1]

None of the darknet markets we looked at in our previous report still operate in 2023. While AlphaBay, a formerly major site that was shut down in 2017,[2] has been resurrected, there are now 14 other completely new darknet markets where hacked account details are bought and sold. That number includes 4 Russian markets that sell this type of personal data.

For this latest report, we have switched our primary focus from the average pricing of hacked accounts on the darknet markets to investigating which stolen log-ins were most frequently listed for sale.

The goal of our research was to determine which accounts were most popular with cybercriminals and therefore most at risk of hacking.

We also continued to gather average listing price data for each brand and have included that data in our report.

We also streamlined our focus to only look at online accounts in the strictest sense of the term, which means we excluded traditional bank accounts and credit cards.

As well as analyzing the data by category of account and by brand, we also conducted a Russia-specific analysis in order to get a better understanding of the current landscape following the invasion of Ukraine in 2022.

Russian hackers are heavily targeting western VPN services, our data shows. Almost 30% of all stolen log-ins for sale on Russian markets were for NordVPN and Windscribe.

In conducting this research, we have assembled the world’s largest dataset of darknet market listings for hacked account details. We initially reviewed 27 darknet markets before excluding those that did not sell hacked log-ins.

We then sifted through more than 150,000 listings across 15 markets and while most of those listings were for illicit drugs, cracked software and other contraband, we were able to identify 3,275 sets of hacked log-in details for almost 550 online services.

It should be noted that the number of individual account log-ins actually for sale on the darknet markets will be much higher than the number of listings we have identified.

One reason for this is that some darknet market listings offer bulk dumps of hundreds of sets of account credentials. Another reason is that vendors will often use a single listing to make numerous sales from a pool of hacked credentials for a particular brand.

Our dataset is over three times as large as that underlying any of our previous dark web research reports and reveals just how popular hacked accounts for streaming and VPN (Virtual Private Network) services are with cybercriminals.

Why did we do this research? To educate the public about the value of their personal data to identity thieves. Our hope is that this will lead to improvements in day-to-day information security. We have shared some tips to help people protect their data.

Disclaimer

Our report does not suggest in any shape or form that the companies included or referenced have suffered security breaches. Furthermore, we have not purchased any of the credentials being sold on the Darknet.

Most Popular Hacked Accounts

This section contains our top-level findings. We ranked the most popular types of account (i.e. for streaming, VPN, payments etc.) listed on the darknet markets. We also pulled out the 20 individual brands that appeared most frequently.

By Category

The following table shows which categories of hacked account credentials were most popular on the darknet markets. Number of listings refers to the total number of accounts identified, regardless of whether they are listed separately or together. Any listings in currencies other than USD have been converted to USD in order to calculate average prices.

By Brand

The following table shows which hacked account credentials were most popular on the darknet markets in terms of individual brands. It shows the top 20 only; to see the full list, download the data sheet.

Number of listings refers to the total number of accounts identified, regardless of whether they are listed separately or together. Any listings in currencies other than USD have been converted to USD in order to calculate average prices.

Analysis

Streaming and VPN services dominated the listings of hacked accounts for sale on the darknet markets, together accounting for 57% of all log-ins available for purchase. The recent real-world proliferation of streaming services was clearly reflected on the darknet markets, with stolen credentials for 150 different services identified.

Due in large part to its popularity on Russian darknet markets, NordVPN was the most popular individual account of any type, with almost double the number of accounts listed compared with Netflix or PayPal, the next most popular brands. There were almost three times as many NordVPN accounts as there were for Windscribe, the next most frequently listed VPN service.

Screenshot of darknet market listing for hacked NordVPN account details.

It’s likely that stolen account credentials for NordVPN appear so frequently on the darknet markets simply because it is such a popular brand with the general public. The bigger the user base, the bigger the potential returns from credential stuffing, which underlines the need for strong, unique passwords.

In response to our findings NordVPN noted that credential stuffing was a cyberattack in which credentials obtained from a data breach on one service are used to attempt to log into another, unrelated service, such as NordVPN. The company said it employed preventive measures against users of hacked account details, including rate-limiting, smart detection systems and two-factor authentication. NordVPN also said that it notified any users whose credentials were discovered to be compromised to recommend changing their passwords.
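The pattern described above can be told apart from single-account password guessing in login telemetry. The following is an added example, not code from this report or from NordVPN: the log format, thresholds and function names are assumptions, and the log lines are constructed. It flags a source that fails against many distinct accounts in a short window, and lists accounts that source did get into so their owners can be notified.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines: ISO timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2023-03-01T10:00:00 198.51.100.7 user01@example.com FAIL
2023-03-01T10:00:05 198.51.100.7 user02@example.com FAIL
2023-03-01T10:00:09 192.0.2.10 carol@example.com FAIL
2023-03-01T10:00:11 198.51.100.7 user03@example.com FAIL
2023-03-01T10:00:16 198.51.100.7 user04@example.com FAIL
2023-03-01T10:00:20 192.0.2.10 carol@example.com OK
2023-03-01T10:00:22 198.51.100.7 user05@example.com FAIL
2023-03-01T10:00:27 198.51.100.7 user06@example.com OK
2023-03-01T10:01:00 203.0.113.9 dave@example.com FAIL
2023-03-01T10:01:02 203.0.113.9 dave@example.com FAIL
2023-03-01T10:01:04 203.0.113.9 dave@example.com FAIL
2023-03-01T10:01:06 203.0.113.9 dave@example.com FAIL
2023-03-01T10:01:08 203.0.113.9 dave@example.com FAIL
""".splitlines()


def parse(line):
    """Split one log line into (time, source IP, username, succeeded)."""
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user.lower(), outcome == "OK"


def detect(lines, window=timedelta(minutes=5), min_accounts=5,
           min_fail_ratio=0.8, min_guesses=5):
    """Return ({ip: finding}, [accounts a stuffing source logged in to])."""
    events = sorted(parse(line) for line in lines if line.strip())
    recent = defaultdict(deque)   # per-source sliding window of attempts
    findings = {}
    for ts, ip, user, ok in events:
        attempts = recent[ip]
        attempts.append((ts, user, ok))
        while ts - attempts[0][0] > window:
            attempts.popleft()
        users = {u for _, u, _ in attempts}
        fails = Counter(u for _, u, good in attempts if not good)
        fail_ratio = sum(fails.values()) / len(attempts)
        if len(users) >= min_accounts and fail_ratio >= min_fail_ratio:
            # Many different accounts, mostly failing: breached pairs
            # from elsewhere being replayed against this service.
            findings[ip] = "credential_stuffing"
        elif fails and max(fails.values()) >= min_guesses:
            # Repeated failures against one account: guessing, not stuffing.
            findings.setdefault(ip, "password_guessing")
    # Any success from a stuffing source means a reused password worked.
    exposed = sorted({user for _, ip, user, ok in events
                      if ok and findings.get(ip) == "credential_stuffing"})
    return findings, exposed


if __name__ == "__main__":
    found, exposed = detect(SAMPLE_LOG)
    print(found)
    print("notify and force reset:", exposed)
```

The failure-ratio condition keeps a shared office or carrier address, where many users log in successfully, from being flagged on account count alone.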

If we were to exclude data from Russian markets then PayPal would be tied with NordVPN as the most popular brand. More generally, payment services were highly prevalent, even with bank accounts and credit cards excluded.

Outside of streaming, VPN services and online payments, the only brand with enough listings to make the top 20 was Amazon (online shopping).

Darknet Market Analysis: By Category

This section analyzes current darknet market listings for hacked accounts and identifies the relative popularity of credentials for individual brands. Our analysis is organized by category and is limited to the six most popular account types.

To see all brands in all categories, download the full data sheet.

Find out more about how different types of hacked credentials can be used for fraud in the common scams section of our Darknet Market Prices research hub.

Streaming Services

The table below shows the 20 streaming services whose hacked account credentials were most frequently listed for sale on the darknet markets. Number of listings refers to the total number of accounts for sale, regardless of whether they were listed separately or together. Any listings in currencies other than USD have been converted to USD in order to calculate average prices.

  • Number of listings: 1,174
  • Average price: $9.10

Streaming was by far the largest category in our dataset, with 1,174 listings of accounts for sale across 150 services. Netflix was the most popular platform, accounting for almost 11% of all streaming listings and double the number of the next most popular services.

Streaming was much less concentrated than other categories we analyzed, with the 20 most frequently-listed services accounting for almost 60% of all listings.

There was also a wide spread in average prices across the 20 most popular brands, ranging from around $2 to $18. The larger international platforms were generally at the higher end of the price range (Netflix, Hulu, Spotify, HBO, YouTube and Prime Video all had average prices over $10).

Prime Video log-ins were the most expensive at almost $18, likely due to the additional opportunities for fraud offered by their connection with the wider Amazon ecosystem.

Screenshot of listings for streaming account credentials on Nemesis darknet market.

Two Russian streaming platforms, IVI and Amediateka, were among the top 5 most frequently-listed services, due to their significant presence in the Russian-language markets. A third, More.TV, was just outside the top 10.

The high volume of listings for hacked credentials for Russian streaming services was limited to Russian markets, which explains the lower prices (60% less on average).

The demand for sports-focused streaming platforms was also notable. NBA TV, ESPN+, FuboTV and DAZN all appeared in the 20 most popular brands in the category. Overall, sports services made up 15% of accounts in the streaming category that were listed for sale.

The markets with the most listings for hacked streaming accounts were Nemesis, Kingdom and Kraken, which hosted 63.5% of all such listings.

VPN Services

The following table shows the 20 VPN services whose hacked account credentials were most frequently listed for sale on the darknet markets. Number of listings refers to the total number of accounts for sale, regardless of whether they were listed separately or together. Any listings in currencies other than USD have been converted to USD in order to calculate average prices.

  • Number of listings: 695
  • Average price: $7.42

More than one in five of the darknet market listings for hacked accounts that we found was for a VPN service.

Hacked VPN accounts are very popular with cybercriminals as they can be used as “burner” VPNs with no formal connection to their new users.

Despite their popularity, the average price was around $7.50. Account details for NordVPN, easily the most popular VPN service on the darknet markets, typically changed hands for even less than that ($6).

Such low average prices reflect the fact that these accounts may not last for long before the new user is locked out.

Screenshot of Tor2door darknet market showing listings for VPN accounts.

NordVPN accounts were particularly prevalent in the Russian darknet markets, where we found over half the listings for stolen NordVPN credentials included in this study. In fact, NordVPN log-in details accounted for 48% of all the VPN accounts for sale on the Russian darknet markets.

While we found hacked accounts from 36 VPN services for sale, the five most popular brands accounted for over 74% of all listings.

Kraken, Nemesis and Kingdom markets were home to the most stolen VPN credentials, with 60% of all such listings found on these three sites.

Hacked VPN log-ins were disproportionately popular on Russian markets, which accounted for 43% of all VPN listings.

For context, only 4 of the 15 markets we found to be selling stolen account details were Russian and one of those did not have any VPN credentials for sale at the time of our study.

Online Payments

The following table shows the online payment platforms whose hacked account credentials were most frequently listed for sale on the darknet markets. Number of listings refers to the total number of accounts for sale, regardless of whether they were listed separately or together. Any listings in currencies other than USD have been converted to USD in order to calculate average prices.

  • Number of listings: 288
  • Average price: $111.57

Although we found stolen account credentials for 50 different online payment platforms, 40% of them were for PayPal, the most well-known brand in this category.

There were four times as many PayPal accounts for sale as for the next most popular platform, the Russian payment service Qiwi, which accounted for one in ten (10%) of the listings in this category overall but was only found for sale on Russian markets.

PayPal’s decision to suspend services in Russia in 2022 may explain the high value of Qiwi credentials, which were on a par with PayPal, when elsewhere Russian darknet market listings tended to be priced much lower than on international sites.

Screenshot of Nemesis darknet market listing showing a PayPal account.

There was another steep drop in volume to the next five most popular platforms, which were only listed for sale on the darknet markets around a third as frequently as peer-to-peer payment platform CashApp.

The greater prominence of CashApp on the darknet markets compared with its real-world rival Venmo may well reflect its cultural cachet and that it’s the more private by default of the two.[3]

CashApp accounts were also the most valuable of the most frequently-listed platforms, changing hands for $140 each on average. The most expensive of these tended to be Bitcoin-enabled, making them more suitable for use on the dark web.

The lower average sticker price for PayPal accounts, even for those with high associated balances, was likely due to the platform’s stronger security practices.

Bohemia, Nemesis and, to a lesser extent, Blacksprut were the three biggest darknet markets for hacked payment platform credentials, playing host to 49% of all such listings.

Cryptocurrency

The following table shows the 20 cryptocurrency platforms whose hacked account credentials were most frequently listed for sale on the darknet markets. Number of listings refers to the total number of accounts for sale, regardless of whether they were listed separately or together. Any listings in currencies other than USD have been converted to USD in order to calculate average prices.

  • Number of listings: 232
  • Average price: $152.49

While the five most popular cryptocurrency platforms may account for almost half (44%) of all listings in this category, no single platform dominated.

Coinbase, which is the largest cryptocurrency exchange by trading volume in the U.S., and its controversial competitor Binance, which is banned in several countries, each accounted for 12% of listings in this category.

Four of the five most popular brands in this category were conventional cryptocurrency exchanges, with only Paxful standing out as a peer-to-peer platform.

Notably, LocalBitcoins accounts continued to be listed for sale despite the platform’s termination of its trading services.[4]

The average price for the category was very high at over $152, compared to $112 for the payment platforms category.

The three biggest markets for cryptocurrency account log-in details were Bohemia, Nemesis and Blacksprut, which were host to 49% of all such listings.

Learning Platforms

The following table shows the 20 learning platforms whose hacked account credentials were most frequently listed for sale on the darknet markets. Number of listings refers to the total number of accounts for sale, regardless of whether they were listed separately or together. Any listings in currencies other than USD have been converted to USD in order to calculate average prices.

  • Number of listings: 148
  • Average price: $10.95

Only four out of the 36 brands in the learning category, Codecademy, Masterclass, Duolingo and DataCamp, had 10 listings or more. Over a third (35%) of the 148 listings in this category were for these four platforms, which was an outsize proportion given we found account details for 36 learning platforms in total. Codecademy account credentials were the most frequently offered for sale, with 18 listings.

Almost half of the 20 most popular brands in the category offered a variety of courses across a range of disciplines. Four platforms were focused on access to books and book summaries, while three were language learning platforms.

The average listing price for accounts in this category was $11. Prices for the 20 most popular brands ranged from $5 to $15. Prices throughout the rest of the category were generally consistent, with the exceptions of Leetcode, a programming learning platform, and Ancestry, a genealogy company, which were listed for $50 and $66 respectively.

Learning accounts were particularly concentrated in the Nemesis darknet market (43% of all such listings) but a good number were also to be found in the Kerberos (25%) and Kingdom (19%) darknet markets.

Online Shopping

The following table shows the 20 online shopping brands whose hacked account credentials were most frequently listed for sale on the darknet markets. Number of listings refers to the total number of accounts for sale, regardless of whether they are listed separately or together. Any listings in currencies other than USD have been converted to USD in order to calculate average prices.

  • Number of listings: 139
  • Average price: $22.30

Amazon was by far the most popular brand in this category with 32 listings, which was more than two-and-a-half times as many as Groupon, the next most popular. Amazon alone accounted for 24% of all shopping listings, while the 10 most popular brands accounted for 78% of the 135 listings.

The types of brands featured in the table above were varied, from online marketplaces such as Amazon or eBay, to clothing brands, department stores and office suppliers. While no single type of online shopping brand dominated the top 20, the majority were focused on North America. All but two were founded in the United States, five of which operate only in North America.

Individual prices in this category varied significantly. While the average listing price was little more than $22, average prices for individual brands ranged from $3 to $100.

Online shopping accounts were highly concentrated in the Nemesis darknet market (56% of all listings) and to a lesser extent Bohemia (24%). There was only a smattering of such accounts in the other markets, which is a big change compared to recent years.

Darknet Market Analysis

The following table compares the darknet markets included in this research. It is ordered by the number of listings, which refers to volume of hacked account credentials for sale.

Our research shows that Nemesis is currently the biggest darknet market for hacked online account credentials, with 29.5% of all such listings. The market reportedly launched in 2021 and as recently as April 2022 only had 5,000 total listings, which suggests it has had a recent growth spurt.[5]

Despite currently having the most hacked account listings of any active darknet market, the category breakdown for Nemesis market ran counter to the overall trend, with more hacked accounts for online shopping and learning platforms than for payment or crypto platforms.

Screenshot of Nemesis market listings for hacked accounts.

Kingdom market, home to 14.5% of all hacked account listings, followed the top line trends more closely. However, it did skew more heavily towards streaming overall compared with other darknet markets, with 47% of its listings in this category. Hulu was more popular than average on this darknet market, with more of its accounts for sale than any other streaming service. Sling TV was also more frequently listed here than average.

Kraken was the biggest of the Russian-language darknet markets when it came to hacked account details, with 10% of all listings globally. However, Kraken had a much narrower offering than the other big markets with largely just streaming and VPN accounts for sale and just 19 brands in total.

Unsurprisingly, local streaming service IVI was most popular, ahead even of global giant Netflix. The preference in Russian markets for multi-buy offers of streaming accounts meant that Start TV, a niche U.S. service focusing on classic women-led legal dramas, was the second-most listed streaming platform on Kraken.

Almost a quarter (23%) of all the VPN listings we identified across all 15 darknet markets were found on Kraken, with 62% of those for NordVPN. This was due to vendors offering numerous NordVPN accounts for specific locations in Russia. ExpressVPN and Windscribe were the next most frequently listed VPN services on Kraken.

Russian Darknet Markets

This section focuses on the following four Russian-language darknet markets:

  • Kraken
  • Blacksprut
  • OMG!OMG!
  • Mega

By Category

The following table shows which categories of hacked account credentials were most popular on the Russian-language darknet markets. It shows the top 10 categories only; to see the full list, download the data sheet.

Number of listings refers to the total number of accounts identified, regardless of whether they are listed separately or together. Any listings in currencies other than USD have been converted to USD in order to calculate average prices.

By Brand

The following table shows which hacked account credentials were most popular on the Russian-language darknet markets in terms of individual brands. It shows the top 20 only; to see the full list, download the data sheet.

Number of listings refers to the total number of accounts identified, regardless of whether they are listed separately or together. Any listings in currencies other than USD have been converted to USD in order to calculate average prices.

The Russian darknet market landscape had some significant differences to the international scene.

Russian darknet market listings for stolen account credentials were much more concentrated around VPN and streaming log-ins, which account for 75% of all listings.

In the non-Russian darknet markets, this figure was a little less than 52%.

On the Russian darknet markets, VPN account log-ins were the most popular stolen credentials for sale, accounting for almost 40% of all listings. Indeed, Russian sites played host to an outsize proportion of hacked VPN account details, with 43% of VPN credentials globally from three of 15 darknet markets.

This was likely due, at least in part, to the blocking of social media sites in Russia and the restrictions on VPNs in the country.

Another key difference was the popularity of ISP account details on Russian darknet markets compared to elsewhere. Not only were these credentials found for sale more commonly but they were worth significantly more with an average price of $408 compared with $15 on non-Russian darknet markets.

In terms of individual brands, NordVPN was by far the most popular with 19% of all listings on Russian darknet markets. By comparison, the most popular brand outside of Russia was PayPal, which accounted for less than 5% of all listings on non-Russian darknet markets.

NordVPN was listed for sale over 80% more frequently than Windscribe, the next most popular VPN service. Windscribe was vastly more popular in Russia (10.5% of listings) than it was elsewhere (0.5%), most likely due to the fact that it remains one of the few VPN services with Russian servers.

Other notable differences included local brands, such as streaming platforms IVI and Amediateka, being as popular as or even more popular than their international counterparts, such as Netflix. Similarly, local payment platform Qiwi was more popular in Russia than any global rival.

Prices

The following table shows the 20 most expensive account credentials we identified for sale on the darknet markets, ordered by average price. Only brands with more than one listing have been included to reduce the impact of anomalous pricing.

Our research shows that payment and travel accounts continue to be the most lucrative in the darknet market trade of hacked credentials. While streaming accounts were cheap and plentiful, the opposite was true for the brands listed above.

These accounts were only listed a handful of times each across the 15 darknet markets that we trawled for this study and this scarcity was at least one factor in driving up their prices.

The potential for higher-value identity theft was another, while for the lesser-known payment and crypto platforms, the hope was likely that security and money-laundering protections were weaker.

Methodology

We reviewed all darknet markets that were active in February-March 2023 and featured fraud-related listings. We captured listings offering access to online accounts only. This meant we excluded bank accounts, credit cards and software cracks, for example.

The darknet markets with relevant listings were as follows:

  • AlphaBay
  • Ares
  • Blacksprut (RU)
  • Bohemia
  • Cypher
  • Kerberos
  • Kingdom
  • Kraken (RU)
  • Mega (RU)
  • MGM
  • Nemesis
  • OMG!OMG! (RU)
  • Quest
  • Tor2Door
  • We The North

Listings offering multiple accounts for a single price were split into their constituent parts and prices calculated equally according to the number of accounts offered.

Where listings offered a selection of accounts at specific prices, each account was treated as an individual listing.

All account prices were collected in the currency they were listed in and converted to USD at the exchange rate published on Bloomberg on February 17 2023.
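The three counting rules above (equal split of bundle prices, one record per individually priced account, conversion to USD) determine every share and average in this report. The following is an added example of how they could be applied, not the authors' own tooling: the record layout, function names, exchange rates and sample listings are all assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed rates (USD per unit of currency). The report converted at the
# Bloomberg rate for February 17 2023; those figures are not on the page.
USD_PER_UNIT = {"USD": 1.0, "EUR": 1.10, "RUB": 0.0125}

# Constructed sample listings; markets and prices are illustrative only.
SAMPLE_LISTINGS = [
    # One price for four accounts: split equally.
    {"market": "market-a", "currency": "USD", "bundle_price": 20.0,
     "items": [{"brand": "Netflix", "category": "streaming", "qty": 2},
               {"brand": "Hulu", "category": "streaming", "qty": 2}]},
    # A menu of accounts at specific prices, listed in roubles.
    {"market": "market-b", "currency": "RUB",
     "items": [{"brand": "NordVPN", "category": "vpn", "price": 400.0},
               {"brand": "Windscribe", "category": "vpn", "price": 800.0}]},
    {"market": "market-a", "currency": "USD",
     "items": [{"brand": "PayPal", "category": "payments", "price": 100.0}]},
]


@dataclass(frozen=True)
class Account:
    market: str
    category: str
    brand: str
    price_usd: float


def normalize(listing):
    """Expand one raw listing into per-account records priced in USD."""
    currency = listing.get("currency")
    if currency not in USD_PER_UNIT:
        raise ValueError(f"no exchange rate for {currency!r}")
    rate = USD_PER_UNIT[currency]
    items = listing["items"]
    if not items or any(item.get("qty", 1) < 1 for item in items):
        raise ValueError("listing must offer at least one account per item")

    bundle = listing.get("bundle_price")
    if bundle is not None:
        # Multiple accounts for a single price: divide the price equally.
        each = bundle * rate / sum(item.get("qty", 1) for item in items)
        priced = [(item, each) for item in items]
    elif all("price" in item for item in items):
        # Accounts offered at specific prices: each is its own listing.
        priced = [(item, item["price"] * rate) for item in items]
    else:
        raise ValueError("item has no price and listing has no bundle_price")

    return [Account(listing["market"], item["category"], item["brand"], usd)
            for item, usd in priced
            for _ in range(item.get("qty", 1))]


def summarize(accounts, key="category"):
    """Count, share of all accounts and average USD price per group."""
    groups = defaultdict(list)
    for account in accounts:
        groups[getattr(account, key)].append(account.price_usd)
    table = {
        name: {"listings": len(prices),
               "share_pct": round(100 * len(prices) / len(accounts), 1),
               "avg_usd": round(sum(prices) / len(prices), 2)}
        for name, prices in groups.items()
    }
    # Most frequently listed first.
    return dict(sorted(table.items(), key=lambda kv: -kv[1]["listings"]))


def run_sample():
    accounts = [a for listing in SAMPLE_LISTINGS for a in normalize(listing)]
    return accounts, summarize(accounts), summarize(accounts, "brand")


if __name__ == "__main__":
    for name, row in run_sample()[1].items():
        print(f"{name:10} {row}")
```

Because bundles are expanded before counting, a single bulk listing can move a category's share and pull its average price down sharply, which is worth keeping in mind when comparing figures across markets.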

To see individual listings download the public data sheet.

The authors of all our investigations abide by the journalists’ code of conduct.

References

[1] https://www.aljazeera.com/news/2022/12/14/russia-ukraine-war-reaches-dark-side-of-the-internet

[2] https://www.fbi.gov/news/stories/alphabay-takedown

[3] https://www.gq.com/story/cash-app-and-hip-hop-jack-dorsey-square-tidal-jay-z-guapdad-4000-amine-jim-jones

[4] https://localbitcoins.com/

[5] https://www.darknetstats.com/nemesis-market/