The Darknet Trade in Stolen Account Details
The darknet market landscape has shifted significantly and become increasingly fragmented since we last published new data on the illicit trade in hacked accounts on the dark web. It also appears to have been affected by the consequences of the war in Ukraine, in the Russian-language segment at least.
None of the darknet markets we looked at in our previous report still operate in 2023. While AlphaBay, a formerly major site that was shut down in 2017, has been resurrected, there are now 14 other completely new darknet markets where hacked account details are bought and sold. That number includes 4 Russian markets that sell this type of personal data.
For this latest report, we have switched our primary focus from the average pricing of hacked accounts on the darknet markets to investigating which stolen log-ins were most frequently listed for sale.
The goal of our research was to determine which accounts were most popular with cybercriminals and therefore most at risk of hacking.
We also continued to gather average listing price data for each brand and have included that data in our report.
We also narrowed our focus to online accounts in the strictest sense of the term, which means we excluded traditional bank accounts and credit cards.
As well as analyzing the data by category of account and by brand, we also conducted a Russia-specific analysis in order to get a better understanding of the current landscape following the invasion of Ukraine in 2022.
Russian hackers are heavily targeting western VPN services, our data shows. Almost 30% of all stolen log-ins for sale on Russian markets were for NordVPN and Windscribe.
In conducting this research, we have assembled the world’s largest dataset of darknet market listings for hacked account details. We initially reviewed 27 darknet markets before excluding those that did not sell hacked log-ins.
We then sifted through more than 150,000 listings across 15 markets. While most of those listings were for illicit drugs, cracked software and other contraband, we were able to identify 3,275 sets of hacked log-in details for almost 550 online services.
It should be noted that the number of individual account log-ins actually for sale on the darknet markets will be much higher than the number of listings we have identified.
One reason for this is that some darknet market listings offer bulk dumps of hundreds of sets of account credentials. Another reason is that vendors will often use a single listing to make numerous sales from a pool of hacked credentials for a particular brand.
Our dataset is over three times as large as that underlying any of our previous dark web research reports and reveals just how popular hacked accounts for streaming and VPN (Virtual Private Network) services are with cybercriminals.
Why did we do this research? To educate the public about the value of their personal data to identity thieves. Our hope is that this will lead to improvements in day-to-day information security. We have shared some tips to help people protect their data.
Our report does not suggest in any way that the companies included or referenced have suffered security breaches. Furthermore, we have not purchased any of the credentials being sold on the darknet.