We extended our analysis this year from three to five of the biggest black markets on the dark web, making this edition of the Price Index the most comprehensive yet. We found that while the value of your entire online identity remained around the $1200 mark, individual hacked accounts for brands with recent privacy or security woes have become significantly more appealing to fraudsters.
We also created a UK edition of the dark web market price index that found the value of a full online identity in the UK to be less than £800.
Also steadily increasing value to cybercriminals are accounts for online services which have become a part of everyday life in recent years, such as Netflix and Uber, which along with gaming phenomenon Fortnite all sell for around $11 each on the dark web.
|Item for Sale||Avg. Price||Avg. Price Change|
Price change is difference in average price between 2018 and 2019, where 2018 data is available.
Jump to full Price Index
With a horror year receding in the rearview mirror, hacked Facebook accounts have almost doubled in value since this time last year to just over $9 after falling out of favor following the data breach affecting 50 million accounts. Stolen Amazon credentials have also rocketed in value, worth over three times as much year-over-year at $30 to be the most valuable brand on the dark web.
It’s not surprising that stolen financial account details remain a mainstay on the dark web markets and typically command the highest prices – especially high-balance bank account and debit card details, which change hands for close to $260.
However, the trade in entertainment accounts with less immediately obvious value for identity thieves continues to flourish. Accounts for games and streaming services including Spotify, Tidal, Steam and Minecraft typically sell for less than $4, cheaper than a Big Mac.
The average person has dozens of accounts which form their online identity, all of which can be hacked and sold. Our team of security experts reviewed tens of thousands of listings across five of the most popular dark web markets – Dream, Wallstreet, Empire, Berlusconi and Tochka Free. These sites deliberately obscure themselves from the public and can only be accessed through the Tor browser. They are often used to buy and sell personal data, along with other contraband including weapons and illicit drugs.
We focused on listings featuring stolen ID, personal data and hacked accounts for this update to the Dark Web Market Price Index. We excluded massive data ‘dumps’ to avoid distorting average prices, as individual accounts in these dumps equate to tiny fractions of a cent each. Our analysis has shown that it would cost only $1250 to buy up someone’s entire identity, assuming that they had all the accounts listed.
Protect Your Data: Quick Tips
We created the Price Index to help the US public understand the value of their personal data and why it’s worth protecting. Here’s some tips on how to do that:
- Get a good VPN – this will protect your personal data on public networks
- Check if you’ve been hacked – Use Have I Been Pwned to see whether any of your accounts have been breached
- Use a password manager – These are a cheap and effective way to make sure your accounts have unique (and therefore stronger) passwords
- Delete your old accounts – these accounts are useless to you but a treasure trove to hackers
The full price index is below.
Dark Web Market Price Index (February 2019 – US Edition)
Stolen ID, personal data and hacked accounts for sale
||Item for Sale||Avg. Sale Price|
|Personal Finance||Bank Details||$259.56|
|Proof of Identity||Driving License||$27.62|
|Proof of Identity||$16.52|
|News/Magazine||The New York Times||$5.95|
|The New Yorker||$5.45|
Sale Prices Explained
The trade in stolen financial details has long been the heart of the dark web’s economy. Credit card, debit cards, bank details and online payment accounts are listed in vast quantities and can command the highest prices, particularly when the lure of a high value balance is present.
Most fluctuation in this area is caused by where hackers have the most success in finding account details with high balances. In last year’s Price Index, PayPal‘s average price of $247 was inflated by the number of $10,000-plus accounts listed. This year, it’s listings for hacked bank accounts and debit card details where we found the biggest balances. Prices have inflated further as sellers demand a larger percentage cut of the balance – accounts now sell for 20% or even 30% of the balance, compared to 5-10% previously. This has driven the average price up to $260, suggesting the increasing difficulty of stealing this data.
The current scarcity of high-balance PayPal accounts is also likely due at least in part to eBay starting to eBay transition away from PayPal as its main payment processor last year. The two companies have long gone hand-in-hand (eBay accounted for 50% of PayPal’s profits in 2014) and eBay is a common use case for hacked PayPal accounts. If it becomes harder to exploit these accounts it is likely that their average price will continue to fall.
Proof of Identity
A preferred tactic of cybercriminals is to set up lines of credit in someone else’s name using digital proof of identity bought on the dark web.
One of the more popular kinds of listing advertises “fullz”, which are bundles of ‘full’ identifying data. Listings for fullz often advertise an individual’s name, address, mother’s maiden name, social security number, date of birth, credit reports and other forms of personal data. [NB: where related financial account details such as credit cards were included with fullz we considered these to be personal finance listings].
Bringing down the price this year was a wider tendency to sell passport scans and other forms of ID in bulk.
Hacked online shopping accounts are mostly used for credit card fraud, as criminals can exploit the stored card details for a variety of different scams.
The average shopping account sells for between $10 and $20, with the most expensive being Amazon ($30) and Best Buy ($26.50) – both of whom have huge high-value inventories. Hackers with stolen Amazon accounts can lock out the legitimate owners and go on spending sprees with the stored credit card, and often buy gift cards which they can then redeem on their personal accounts.
Stolen Amazon accounts have tripled in price, which may be in anticipation of a wider rollout for Amazon Go – thieves would potentially be able to wander in, fill a trolley and leave without detection. Prices for stolen Best Buy accounts have more than doubled in the aftermath of a chat bot breach that exposed credit card details.
Fraudsters have been caught setting up complex scams involving stolen Paypal and eBay accounts that they use to buy expensive electronics. A hacked FedEx account for $11 could be the missing piece of the puzzle that allows them to get their hands on the goods, which they would usually resell.
There is plenty of scope for the abuse of travel accounts. Compromised Airbnb accounts can be used to create bookings for houses which criminals then burgle, while hacked hosts on the same app can be used for phishing.
There have also been reports of scammers using hacked Uber accounts for their everyday travel, usually deep in Russia.
Criminals are even able to travel internationally, with hacked Jetblue accounts going for $8.50 apiece. Criminals could even be able to fly abroad, book a pricey hotel room, and take a whole holiday just from cheap hacked accounts purchased on the dark web.
Hacked Skype accounts have previously been used to spam people with phishing links that mimic LinkedIn and Baidu messages.
Another common scam is exploiting mobile phone carriers to get around two-factor authentication and into bank accounts. Mobile phone carrier accounts are mostly getting cheaper: Verizon has fallen 20% in price, while AT&T’s average cost has halved.
This price fall may be due to the growing move away from using text messages as two-factor authentication. SMS has been repeatedly shown up as an insecure form of two-factor authentication and as companies continue to pivot away from using it these accounts will become less useful to hackers.
Facebook spent much of 2018 as the whipping boy of the press and western governments and the value of its accounts slumped accordingly on the dark web. However, just as its stock price recovered so too has the blackmarket worth of hacked accounts for the social media giant. It’s clear that despite the popularity of #DeleteFacebook, there’s plenty of mileage yet in the social media platform.
What we do know is that once scammers have access to social media accounts, they can search through messages and other private data to crack into more directly lucrative accounts.
One avenue of attack is social engineering: the content of someone’s private messages is more than enough to crack their security questions.
Subscription-based software is also making its first appearance on the Dark Web Market Price Index. The listings – largely for security software – we found are exclusively pitched as being for personal use rather for further fraud.
These accounts aren’t used for identity fraud so much as straightforward theft: there have been reports that Grubhub has been exploited by hackers for up to $180 in a single order.
Most recently, a hacker spent $500 on McDonald’s through a hacked account in just five days.
It is also interesting to see what kind of food the average dark web criminal likes best: unsurprisingly, mostly pizza and burgers, with the most popular stolen accounts for sale including Pizza Hut and Domino’s.
Hacked dating accounts can be used for “catfishing”, a con in which scammers pose as romantic interests to socially engineer their way into targets’ bank accounts. The most commonly hacked dating accounts remain Match.com ($7) and Plenty of Fish ($4). However, buying genuinely hacked accounts is a costly and ineffective method to do this compared to simply starting a new account with fake pictures.
As with other types of account, dating accounts can be a rich source of personal info for use in identity theft.
These accounts are used both for identity theft and for leaching streaming content. Prices are steadily rising for these accounts and are even beginning to rival hacked financial accounts in terms of sheer volume (and variety) of listings.
Joining global megabrands Netflix ($11) and Apple ($11) as the most desirable accounts is Fortnite ($11). The gaming phenomenon is unique in that despite being free to play, hacked accounts may include valuable in-game perks that would otherwise be difficult to obtain.
It’s common for vendors of stolen streaming services to offer “lifetime accounts”. This is a form of warranty under which buyers can switch to freshly stolen accounts every time they are locked out of their previous account by its legitimate owner.
This is the first time that accounts for newspapers and magazines have appeared in the course of our research. The majority of the hacked accounts we found in this category were being sold by a single seller on Dream Market, the dark web’s biggest market.
Hacked email accounts tend to be sold either in massive dumps from large scale data breaches or as small batches of verified emails. We even found some individual verified emails for sale. For the purposes of the Price Index, we disregarded dumps as unit prices work out at tiny fractions of a cent each and the accounts in these dumps are not guaranteed to be accessible or even valid.
Verified emails on the other hand trade for a few dollars each. That may not seem much for an account that can act as a skeleton key to your online life, however increasing adoption of two-factor authentication keeps overall prices relatively low.
Gmail accounts trade for well over five times as much as they did last year, however, due to the vulnerability of accounts using SMS for 2FA.
How to Protect Your Data & Avoid Getting Hacked
Check If Your Data’s Been Stolen
The truth is some of your personal data is most likely already for sale on the dark web. The first step is to use Have I Been Pwned to see which email accounts and old passwords have been compromised. If you find your password listed, change it immediately.
Use a Password Manager
Start using a password manager, which helps generate strong passwords and save them securely. You can then autofill them to sign into your favorite websites and apps. LastPass is a good choice.
Use a Secure VPN
Use a secure VPN service to protect your data transfers and mask your IP address, which reveals a lot about your online identity. By encrypting your internet connections, VPNs are ideal to use on insecure public wifi networks. Read our review of ExpressVPN, our highest-rated VPN service.
Delete Old Accounts
Finally, delete old email and website accounts you don’t use anymore. These are still useful attack vectors for hackers and other bad actors. It’s best to be safe and delete them, in order to reduce your online data trail.
Our team reviewed all fraud-related listings on five of the largest dark web markets: Dream, Wallstreet, Empire, Berlusconi and Tochka Free. Relevant listings were collated and categorized in order to calculate average sale prices. We excluded large-scale ‘dumps’ to maintain the integrity of the data. Dark Web Market Price Index 2019 – Raw Data.