Darknet Markets 2023 Report: The Most Popular Hacked Accounts

In our most comprehensive analysis of the darknet yet, we investigated 13 markets to determine which stolen online account credentials were the most popular with cybercriminals. For the first time, our research also includes data from the biggest Russian darknet markets.
A screenshot of darknet market Kingdom showing fraud items for sale
Simon Migliano
Agata Michalak
Simon Migliano & Agata Michalak
  • 13 darknet markets analyzed: 3,013 sets of hacked online account credentials for sale across 13 markets, including two Russian-language sites.
  • Streaming: Over a third (37%) of all hacked online account log-in details listed on darknet markets are for streaming services.
  • VPN services: 20% of hacked online account credentials listed were for VPNs, more than double the next largest category of stolen log-ins.
  • Most popular brands: More darknet market listings for hacked NordVPN accounts (8% of all listings) than for any other brand, followed by PayPal and Netflix (both 4%).
  • Most expensive hacked accounts: Marriott Bonvoy ($1,840 on average), Google Ads ($652) and Southwest Airlines ($607).
  • Biggest darknet market for hacked account credentials: Nemesis market had 32% of all stolen log-ins for sale followed by Kingdom (16%)
  • Huge variety of accounts: Credentials for 516 different online accounts currently available to buy on darknet markets.

The Darknet Trade in Stolen Account Details

Since we last published new data on the illicit trade in hacked accounts on the dark web, the darknet market landscape has shifted significantly and become increasingly fragmented.

None of the darknet markets we looked at in our previous report are still operating in 2023. While AlphaBay, a formerly major site that was shut down in 2017,[1] has been resurrected, there are now a dozen other completely new darknet markets where hacked account details are bought and sold.

See all of our darknet market investigations, beginning in 2018

For this latest report, we have switched our primary focus from the average pricing of hacked accounts on the darknet markets to investigating which stolen log-ins were most frequently listed for sale.

The goal of our research was to determine which accounts were most popular with cybercriminals and therefore most at risk of hacking.

We also continued to gather average listing price data for each brand and have included that data in our report.

We also streamlined our focus to only look at online accounts in the strictest sense of the term, which means we excluded bank accounts and credit cards.

In the process we assembled perhaps the world’s largest dataset of darknet market listings for hacked account details. We sifted through around 100,000 listings in total from 13 markets, including two Russian-language sites, and while most of those listings were for illicit drugs, cracked software and other contraband, we were able to identify more than 3,000 sets of hacked log-in details for over 500 online services.

Our dataset is over three times as large as that underlying any of our previous dark web research reports and reveals just how popular hacked accounts for streaming and VPN (Virtual Private Network) services are with cybercriminals.

Why did we do this research? To educate the public about the value of their personal data to identity thieves. Our hope is that this will lead to improvements in day-to-day information security. We have shared some tips to help people protect their data.

EXPERT ADVICE: A VPN can help protect you online and avoid identity theft. Take a look at our unbiased, expert VPN reviews if you aren’t sure which service is the best for you.

Disclaimer

Our report does not suggest in any shape or form that the companies included or referenced have suffered security breaches. Furthermore, we have not purchased any of the credentials being sold on the Darknet.

Most Popular Hacked Accounts

This section contains our top-level findings. We ranked the most popular types of account (ie for streaming, VPN, payments etc) listed on the darknet markets. We also pulled out the 20 individual brands that appeared most frequently.

By Category

The following table shows which categories of hacked account credentials are most popular on the darknet markets. Number of listings refers to the total number of accounts identified, regardless of whether they are listed separately or together. Any listings in currencies other than USD have been converted to USD in order to calculate average prices.

By Brand

The following table shows which hacked account credentials are most popular on the darknet markets in terms of individual brands. It shows the top 20 only, to see the full list download the data sheet.

Number of listings refers to the total number of accounts identified, regardless of whether they are listed separately or together. Any listings in currencies other than USD have been converted to USD in order to calculate average prices.

Analysis

Streaming and VPN services dominate the listings on the darknet markets, together accounting for 58% of all hacked account details available for purchase. The proliferation of streaming services was well represented on the darknet markets with stolen credentials for 144 different services currently available.

Due in large part to its popularity in Russian darknet markets, NordVPN was the most popular individual account of any type with almost double the number of accounts listed than PayPal or Netflix, the next most popular brands. There were more than three times as many NordVPN accounts than ExpressVPN, the next most frequently listed VPN service.

Screenshot of darknet market listing for hacked NordVPN account details

Screenshot of darknet market listing for hacked NordVPN account details.

It’s likely that stolen account credentials for NordVPN and ExpressVPN appear so frequently on the darknet markets simply because they are such popular brands with the general public. The bigger the user base, the bigger the potential returns from credential stuffing, which underlines the need for strong, unique passwords.

In response to our findings NordVPN noted that credential stuffing was a cyberattack in which credentials obtained from a data breach on one service are used to attempt to log into another, unrelated service, such as NordVPN. The company said it employed preventive measures against users of hacked account details, including rate-limiting, smart detection systems and two-factor authentication. NordVPN also said that it notified any users whose credentials were discovered to be compromised to recommend changing their passwords.

If we were to exclude data from Russian markets then PayPal would be tied with NordVPN as the most popular brand. More generally, payment services were highly prevalent, even with bank accounts and credit cards excluded.

Outside of streaming, VPN services and online payments, the only brands with enough listings to make the top 20 were for Amazon (online shopping) and crypto platform Coinbase.

Darknet Market Analysis: By Category

This section analyzes current darknet market listings for hacked accounts and identifies the relative popularity of credentials for individual brands. Our analysis is organized by category and is limited to the six most popular account types. Click on the links below to jump to that section:

To see all brands in all categories, download the full data sheet.

Find out more about how different types of hacked credentials can be used for fraud in the common scams section of our Darknet Market Prices research hub.

Streaming Services

The table below shows the 20 streaming services whose hacked account credentials are most frequently listed for sale on the darknet markets. Number of listings refers to the total number of accounts for sale, regardless of whether they were listed separately or together. Any listings in currencies other than USD have been converted to USD in order to calculate average prices.

Streaming was by far the largest category in our dataset, with 1,121 accounts for sale across 150 services. Netflix was the most popular platform, accounting for 10% of all streaming listings.

Streaming was much less concentrated than other categories we analyzed, with the 20 most frequently-listed services accounting for 59% of all listings.

There was also a wide spread in average prices across the 20 most popular brands, ranging from around $2 to $20. The larger international platforms were generally at the higher end of the price range (Netflix, Hulu, Spotify, HBO, YouTube and Prime Video all had average prices over $10).

Screenshot of listings for streaming service account credentials on Nemesis darknet market

Screenshot of listings for streaming account credentials on Nemesis darknet market.

Three Russian streaming platforms, IVI, More.TV and Amediateka, were present in the top 20 most popular brands, due to their significant presence in the Russian-language markets. IVI was even the third most frequently-listed streaming service overall.

The demand for sports-focused streaming platforms was also notable. NBA TV, ESPN+, FuboTV and DAZN all appeared in the 20 most popular brands in the category. Overall, 172 listings (15% of the streaming category) were for sports services.

The markets with the most listings for hacked streaming accounts were Nemesis, Kingdom and Kraken, which hosted 67% of all such listings.

VPN Services

The following table shows the 20 VPN services whose hacked account credentials are most frequently listed for sale on the darknet markets. Number of listings refers to the total number of accounts for sale, regardless of whether they were listed separately or together. Any listings in currencies other than USD have been converted to USD in order to calculate average prices.

One in five of the darknet market listings for hacked accounts that we found was for a VPN service.

Hacked VPN accounts are very popular with cybercriminals as they can be used as “burner” VPNs with no formal connection to their new users.

Despite their popularity, the average price was less than $8. Account details for NordVPN, easily the most popular VPN service on the darknet markets, typically changed hands for even less than that ($6).

Such low average prices are reflective that these accounts may not last for long before the new user is locked out.

Screenshot of Tor2door darknet market showing listings for VPN accounts

Screenshot of Tor2door darknet market showing listings for VPN accounts.

NordVPN accounts were particularly prevalent in the Russian darknet markets, where we found half the listings for stolen NordVPN credentials included in this study. In fact, NordVPN log-in details accounted for 55% of all the VPN accounts for sale on the Russian darknet markets.

While we found hacked accounts from 35 VPN services for sale, the five most popular brands accounted for over 72% of all listings.

Kraken, Nemesis and Kingdom markets were home to the most stolen VPN credentials, with 60% of all such listings found on these three sites.

Online Payments

The following table shows the online payment platforms whose hacked account credentials are most frequently listed for sale on the darknet markets. Number of listings refers to the total number of accounts for sale, regardless of whether they were listed separately or together. Any listings in currencies other than USD have been converted to USD in order to calculate average prices.

Although we found stolen account credentials for 44 different online payment platforms, almost half of them (48%) were for PayPal, the most well-known brand in this category.

There were five times as many PayPal accounts for sale as for the next most popular brand, peer-to-peer payment platform CashApp, which accounted for around one in ten (9.5%) of the listings in this category.

Screenshot of Nemesis darknet market listing showing a PayPal account

Screenshot of Nemesis darknet market listing showing a PayPal account.

There was another steep drop in volume to the next five most popular platforms, which were only listed for sale on the darknet markets around a third as frequently as CashApp.

The greater prominence of CashApp on the darknet markets compared with its real-world rival Venmo may well reflect its cultural cachet and that it’s the more private by default of the two.[2]

CashApp accounts were also the most valuable of the most frequently-listed platforms, changing hands for $140 each on average. The most expensive of these tended to be Bitcoin-enabled, making them more suitable for use on the dark web.

The lower average sticker price for PayPal accounts, even for those with high associated balances, was likely due to the platform’s stronger security practices.

Bohemia, Nemesis and to a lesser extent, Mega, were the three biggest darknet markets for hacked payment platform credentials, playing host to 57% of all such listings.

Cryptocurrency

The following table shows the 20 cryptocurrency platforms whose hacked account credentials are most frequently listed for sale on the darknet markets. Number of listings refers to the total number of accounts for sale, regardless of whether they were listed separately or together. Any listings in currencies other than USD have been converted to USD in order to calculate average prices.

While the five most popular cryptocurrency platforms may account for almost half (47%) of all listings in this category, no single platform dominated.

Coinbase, which is the largest cryptocurrency exchange by trading volume in the U.S., accounted for 13% of listings in this category, and its controversial competitor Binance, which is banned in several countries, 11.5%.

Four of the five most popular brands in this category were conventional cryptocurrency exchanges, with only Paxful standing out as a peer-to-peer platform.

Notably LocalBitCoins accounts continue to be listed for sale despite the platform’s termination of its trading services.[3]

The average price for the category very high at $151, compared to $116 for the payment platforms category.

The three biggest markets for cryptocurrency account log-in details were Bohemia, Nemesis and Kingdom, which were host to 68% of all such listings.

Learning Platforms

The following table shows the 20 learning platforms whose hacked account credentials are most frequently listed for sale on the darknet markets. Number of listings refers to the total number of accounts for sale, regardless of whether they were listed separately or together. Any listings in currencies other than USD have been converted to USD in order to calculate average prices.

Only four out of the 34 brands in the learning category, Codecademy, Masterclass, Duolingo and DataCamp, had more than 10 listings. Over a third (36%) of the 145 listings in this category were for these four platforms, which was an outsize proportion given we found account details for 34 learning platforms in total. Codecademy account credentials were the most frequently offered for sale, with 18 listings.

Almost half of the 20 most popular brands in the category offered a variety of courses across a range of disciplines. Four platforms were focused on access to books and book summaries, while three were language learning platforms.

The average listing price for this accounts in this category was $11. Prices for the 20 most popular brands ranged from $5 to $15. Prices throughout the rest of the category were generally consistent, with the exceptions of Leetcode, a programming learning platform, and Ancestry, a genealogy company, which were listed for $50 and $66 respectively.

Learning accounts were particularly concentrated in the Nemesis darknet market (43% of all such listings) but a good number were also to be found in the Kerberos (25%) and Kingdom (19%) darknet markets.

Online Shopping

The following table shows the 20 online shopping brands whose hacked account credentials are most frequently listed for sale on the darknet markets. Number of listings refers to the total number of accounts for sale, regardless of whether they are listed separately or together. Any listings in currencies other than USD have been converted to USD in order to calculate average prices.

Amazon was by far the most popular brand in this category with 32 listings, which was more than two-and-a-half times as many as Groupon, the next most popular. Amazon alone accounted for 24% of all shopping listings, while the 10 most popular brands accounted for an astounding 80% of the 135 listings.

The type of brands featured in the table above are varied, from online marketplaces such as Amazon or eBay, to clothing brands, department stores and office suppliers. While no single type of online shopping brand dominated the top 20, the majority were focused around North America. All but two were founded in the United States, five of which operate only in North America.

Individual prices in this category varied significantly. While the average listing price was $23, average prices for individual brands ranged from $3 to $100.

Online shopping accounts were highly concentrated in the Nemesis darknet market (56% of all listings) and to a lesser extent Bohemia (24%). There were only a smattering of such accounts in the other markets, which is a big change compared to recent years.

Darknet Market Analysis

The following table compares the darknet markets included in this research. It is ordered by the number of listings, which refers to volume of hacked account credentials for sale.

Our research shows that Nemesis is currently the biggest darknet for hacked online account credentials. The market reportedly launched in 2021 and as recently as April 2022 only had 5,000 total listings, which suggests it has had a recent growth spurt.[4]

Despite currently having the most hacked account listings of any active darknet market, the category breakdown for Nemesis market ran counter to the overall trend with more hacked accounts for online shopping and learning platform hacked accounts than for payment or crypto platforms.

Screenshot of Nemesis market listings for hacked accounts

Screenshot of Nemesis market listings for hacked accounts.

Kingdom market, home to 17% of all hacked account listings, followed the top line trends more closely. However, it did skew more heavily towards streaming overall compared with other darknet markets, with 47% of its listings in this category. Hulu was more popular than average on this darknet market, with more of its accounts for sale than any other streaming service. Sling TV was also more frequently listed here than average.

Kraken was the bigger of the two Russian-language darknet markets and was home to 11% of all listings for hacked account details. However, Kraken had a much narrower offering than the other big markets with largely just streaming and VPN accounts for sale and just 19 brands in total.

Unsurprisingly local streaming service IVI was most popular, ahead even of global giant Netflix. The preference in Russian markets for multi-buy offers of streaming accounts meant that Start TV, a niche U.S. service focusing on classic women-led legal dramas, was the second-most listed streaming platform on Kraken.

Over a quarter (162) of all the VPN listings we identified across all 13 darknet markets were found on Kraken, with a 100 of those for NordVPN. This was due to vendors offering numerous NordVPN accounts for specific locations in Russia. ExpressVPN and Windscribe were the next most frequently listed VPN services on Kraken.

Prices

The following table shows the 20 most expensive account credentials we identified for sale on the darknet markets, ordered by average price. Only brands with more than one listing have been included to reduce the impact of anomalous pricing.

Our research shows that payment and travel accounts continue to be the most lucrative in the darknet market trade of hacked credentials. While streaming accounts are cheap and plentiful, the opposite is true for the brands listed above.

These accounts were only listed a handful of times each across the 13 darknet markets that we trawled for this study and this scarcity is at least one factor in driving up their prices.

The potential for higher-value identity theft is another, while for the lesser-known payment and crypto platforms, the hope is that security and money-laundering protections are weaker.

Methodology

We reviewed all darknet markets that were active in February 2023 that featured fraud-related listings. We captured listings offering access to online accounts only. This meant we excluded bank accounts, credit cards and software cracks for example.

The darknet markets with relevant listings were as follows:

  • AlphaBay
  • Ares
  • Bohemia
  • Cypher
  • Kerberos
  • Kingdom
  • Kraken
  • Mega
  • MGM
  • Nemesis
  • Quest
  • Tor2Door
  • We The North

Listings offering multiple accounts for a single price were split into their constituent parts and prices calculated equally according to the number of accounts offered.

Where listings offered a selection of accounts at specific prices, each account was treated as an individual listing.

All account prices were collected in the currency they were listed in and converted to USD at the exchange rate published on Bloomberg on February 17 2023.

To see individual listings download the public data sheet.

Disclaimer

Our report does not suggest in any shape or form that the companies included or referenced have suffered security breaches. Furthermore, we have not purchased any of the credentials being sold on the Darknet.

The authors of all our investigations abide by the journalists’ code of conduct.

References

[1] https://www.fbi.gov/news/stories/alphabay-takedown

[2] https://www.gq.com/story/cash-app-and-hip-hop-jack-dorsey-square-tidal-jay-z-guapdad-4000-amine-jim-jones

[3] https://localbitcoins.com/

[4] https://www.darknetstats.com/nemesis-market/