Dark Web Market Price Index 2020: Covid-19 Edition

Our latest analysis of the dark web trade in hacked accounts reveals the impact of Coronavirus. Credentials for lockdown boom brands such as Peloton, Instacart, and Amazon now command some of the highest black-market prices.
Simon Migliano

Key Findings

  • Popular in lockdown: Instacart ($22), Peloton ($18), Postmates ($15), and Amazon ($14.50) hacked credentials currently have some of the highest price tags on the dark web markets
  • Health & wellness: Daily Yoga ($9.50), Ten Percent Happier ($8.50), Aaptiv ($8.50) and Headspace ($7) accounts are more valuable than those of many streaming services and online stores
  • Streaming: Hacked Netflix accounts ($6) have dropped over 40% in value since last year. While Disney+ ($7) and Hulu ($5.50) logins sell for similar amounts, Amazon Prime Video ($13.50) credentials are worth double that.
  • Personal finance: Cash App ($47) and Venmo ($14) accounts are selling for more than PayPal ($11)

Introduction

This August 2020 update to the Price Index reveals the landscape of the dark web market trade in hacked accounts has significantly transformed once again since we last published the Index a year ago.

The two main drivers of these changes are:

  1. The dark web markets bouncing back after major busts in 2019
  2. Major shifts in consumer behavior due to the global pandemic

The emergence of new markets and vendors has prompted a correction to prices that spiked due to successive closures of major markets by law enforcement.

The global pandemic has caused profound shifts to consumer behavior around the world, with significant knock-on effects for the illicit trade in stolen data.

Locked-down populations have been forced to change their habits and this has been reflected in the types of accounts being hacked and the prices they are able to command.

With the illicit trade in stolen data very much in flux, this edition of the Dark Web Market Price Index focuses its analysis on the brands made popular by lockdowns and longer-term social restrictions. We also map out the broader landscape as it stands mid-way through 2020.

Highlights

The following table presents highlights from the Dark Web Market Price Index relating to hacked accounts for services that have enjoyed a surge in popularity since the start of the global Covid-19 pandemic.

Where available we show the average price for the same item in the most recent US edition of the Index, published in Feb 2019, and calculate the percentage difference.

Just as locked-down populations around the world have increasingly turned to a range of different online services in order to try to maintain a degree of normality in their lives, so too has the nature of what’s being traded on the dark web changed.

What really stands out when looking at the 25 services above — which we have highlighted based on their soaring popularity as a result of the pandemic — is that 19 of them weren’t being sold on the dark web last year.

Looking over our findings as a whole, well over half of the entries in the Index are for services that weren’t available for sale last year, which underscores just how profound the recent changes have been.

Hacked log-ins for health and wellness accounts like Peloton ($22), Daily Yoga ($9.50) and Ten Percent Happier ($8.50) are commanding premium prices, well above those of dark web market mainstays like Netflix or even Apple (both $6), as scammers eye up the potential of stealing the identities of their more well-heeled user bases.

It’s notable that hacked log-ins for Amazon Prime Video ($13.50) are worth almost double those of hugely popular services like Disney+ ($7) to scammers, as Prime Video is often part of the broader Amazon Prime account package with all the lucrative opportunities for fraud that come with it.

Stolen credentials for food delivery apps have been another major growth area due to lockdown, with Instacart ($22), Postmates ($15) and Drizly ($13.50) all changing hands for sums well above the average for accounts outside of personal finance items.

Interestingly, even hacked accounts for ostensibly niche services such as online learning platform MasterClass ($6) are popping up for sale, as lockdowns swell their membership with new users looking to alleviate the tedium.

Protect Your Data: Quick Tips

We created the Price Index to help the public understand the value of their personal data and why it’s worth protecting. Here are some tips on how to do that:

  1. Use a password manager – these are a cheap and effective way to make sure your accounts have unique (and therefore stronger) passwords
  2. Get antivirus and malware protection software – these utilities will keep your devices free from malware that can steal your personal data
  3. Enable two-factor authentication – this requires a code to be entered as well as a password to access your accounts. The codes are generated by free apps like Google Authenticator or Authy and refresh every 30 seconds
  4. Go to the source – never open any links or attachments from suspicious-looking emails; go to the official website to avoid phishing scams
  5. Check for data breaches – use Have I Been Pwned to see whether any of your accounts have been compromised in a data breach
  6. Get a good VPN – this will protect your personal data on public networks
  7. Delete your old accounts – these accounts are useless to you but a treasure trove to hackers
  8. Stay alert – frequently check your credit/debit card activity to quickly spot fraudulent activity

Dark Web Price Index 2020

Stolen ID, personal data and hacked accounts for sale

Sale Prices Explained

Personal Finance

Stolen credit and debit card data, along with bank and online payment account details, remain the most popular items for sale on the dark web markets. The lure of high account balances to cash out and access to new lines of credit understandably allows these items to always command the highest prices.

An emerging trend at the very highest end of the pricing spectrum is where vendors are selling hacked debit card data for high-balance accounts bundled with SIM cards and cryptocurrency accounts. These all-in-one fraud packages permit scammers to SIM-jack the account and drain the funds into the intermediary crypto account, where the stolen cash is easily laundered.

These bundles change hands for up to $4,600 compared to just $17 for standard debit card details. This has really ratcheted up the average price ($1,307) as the vast majority of debit card details are now part of expensive bundles, unlike in previous years.

The value of hacked PayPal accounts ($11) continues to drop due to the scarcity of high balances compared to previous years amid the overall glut in listings for this venerable brand.

Instead, hacked account details for newer instant cash transfer services such as Cash App ($47) and to a lesser extent, Venmo ($14) have become more appealing as they become increasingly popular with small businesses and consumers.

Regardless of the individual service, hacked web wallets remain a mainstay of the dark web markets as they are central to so many scams. Fraudsters can cash them out directly, or use them for middleman accounts in any number of more complex schemes.

Communication

Cell phone accounts are perennially appealing to fraudsters as they are useful for a whole range of scams. With a successful account takeover, a hacker gains access, for example, to a utility bill that can be used to support a fraudulent credit application. The compromised account can also be used to circumvent two-factor authentication.

Hacked Verizon accounts ($102.50) are almost ten times more expensive than last year as they are currently being bundled with associated personal data, such as Social Security Number (SSN), Zip Code, and date of birth, and are therefore tailor-made for identity theft and account takeovers.

Prior to the pandemic, Skype accounts ($7) were worth little more than a dollar. However, with the newfound reliance around the world on video calls, Skype log-ins are suddenly much more appealing to cybercriminals.

The longstanding scam where phishing links are sent via hacked Skype accounts to the account holder’s entire contact list has more potential to be lucrative given the increased use of the platform.

Shopping

Criminals typically buy hacked online shopping accounts to commit credit card fraud, either by buying high-end goods using payment details stored on the account or by harvesting account information that can be used for identity theft.

With the world population in varying states of lockdown since March, online shopping activity has soared, with two-and-a-half times more orders than before the pandemic.

This increased activity is a boon to would-be fraudsters, with consumers more likely to create accounts with individual retailers and store payment details for more frequent orders. With more overall activity, fraudulent orders are less easy to spot, especially if account holders are less experienced online shoppers forced into new behavior by the pandemic.

Online retail accounts are currently selling for between $4 and $15, with the most expensive being Wowcher ($15), eBay and Amazon (both $14.50).

The 53% drop in price of hacked Amazon accounts compared to last year may well be due to Amazon tightening its controls following the discovery of a massive fraud last year. Despite this, Amazon accounts remain valuable to would-be fraudsters due to the high likelihood of stored payment details and sheer scope for scams.

Note the average price for Amazon accounts in general is slightly higher than for Amazon Prime Video ($13), as a number of cheaper listings for the streaming-only version of the service (i.e. lacking the full Prime membership benefits) brought down its average.

eBay remains highly popular with fraudsters as the company tends to side with the buyer during any dispute. One scheme involves a scammer impersonating a trusted buyer who buys goods only to request a refund. The scammer then ships an empty package with an altered eBay returns label to a random address in the seller’s Zip Code area. The seller is then left without the item, and without their money.

Travel

The collapse of the international travel industry due to the global pandemic may have killed off the trade in hacked airline accounts; however, the rise in staycations in its place means that compromised Airbnb ($13.50) accounts have actually increased in value to scammers.

Hacked Airbnb guest accounts have previously been used to create bookings for houses which criminals then burgle, while host accounts can be used for phishing and other scams, such as fake listings.

There have also been reports of scammers using hacked Uber accounts for their everyday travel, in places as far afield as Russia and Arizona.

Health & Wellness

Unable to visit gyms and stuck at home for months on end, locked down populations around the world have increasingly turned to a range of apps and services to maintain their physical and mental health.

High-end subscriptions, such as increasingly popular Peloton ($18) that also requires a $2,000 exercise bike, mark out the owner as a potentially lucrative target for fraud and are priced accordingly on the dark web markets.

Wellness apps like Headspace ($7) are proving popular with scammers, partly because they are “fresh blood” but also due to the demographic of their users, who have the disposable income to pay for such services even during these economically uncertain times, making them appealing targets for identity theft.

Fitbit ($4) accounts are a potential treasure trove of intimate personal information and health data uploaded from users’ wearable devices. Compromised account owners even become vulnerable to burglary or home invasion once criminals gain access to live and historical GPS location data.

Food

These services have an added appeal for hackers: as well as opportunities for identity theft and swiping stored credit card details, they can also enjoy expensive blowouts, often with top shelf alcohol jacking up the bill, on someone else’s dime.

Food delivery is another category of stolen log-ins now commanding higher prices on the dark web as usage of these services soars due to the coronavirus pandemic keeping people indoors.

Instacart ($22) accounts are the most expensive, which could be due to shoppers being more likely to store payment details for convenience’ sake when they are making multiple orders per week, as well as the range of stores from which it delivers.

Services like Drizly ($13.50) give scammers free alcohol as well as users’ personal data.

Social Media

Facebook ($8) accounts with their wealth of personal information offer perfect source material for social engineering attacks on more lucrative accounts.

Social engineering is the technique of manipulating individuals, such as customer service agents, into providing access to accounts. One recent example was the hack of high-profile Twitter users, including Jeff Bezos and Barack Obama.

Despite a major breach earlier this year, the price of hacked individual Facebook accounts is relatively stable at $8 on the dark web marketplaces.

Entertainment

Hacked streaming and gaming accounts continue to proliferate on the dark web with prices correcting to around the $7 mark after the temporary squeeze on supply forced up prices last year.

While identity theft is one motivator for buying up hacked Netflix ($6), Disney+ ($7) and YouTube Premium ($7.50) accounts, they are also being used to actually watch content too. The explosion in services also makes it easier for rogue streamers to go undetected for longer as users with multiple subscriptions are less likely to closely monitor their accounts.

Hacked Spotify ($3.50) accounts can also be used in click fraud. A Bulgarian scammer notoriously gamed the Spotify royalties system in 2017 to pocket $1M, however there is evidence that similar schemes continue to operate using compromised Spotify accounts.

Interesting outliers in the category include the subscription-based content platform OnlyFans ($16), best known for people charging their followers a monthly fee for adult content. It’s been flooded with new content creators hoping to make a living since the pandemic caused mass layoffs.

Email

Hacked email accounts tend to be sold either in massive dumps from large scale data breaches or as individual verified emails. As with previous editions of the Price Index, we disregarded dumps as unit prices work out at tiny fractions of a cent each while the accounts constituting these dumps are not guaranteed to be accessible or even valid.

Verified emails on the other hand trade for anything up to ten dollars each. Gmail ($6) in particular can be used in dot account scams or as part of more complex fraud and identity theft, thanks to the use of email as security for so many third-party accounts.

We are also seeing student emails ($6) specifically due to the authority of the “.edu” address.

Security

Subscription-based security software that we found is typically for personal use rather than for further fraud. Hackers use stolen VPN accounts that can’t be tracked back to them to disguise their IP addresses whilst they are carrying out illegal activities.

Hacked anti-virus software appeals to cheapskates who don’t want to pay for their own license and those who want to avoid signing up with their own details.

Education

With millions of people around the world stuck at home, with many on furlough, online learning and self-improvement platforms have enjoyed a surge in popularity as people look for new ways to relieve the tedium.

At one end of the spectrum is MasterClass ($6), whose glossy, star-studded platform and expensive annual subscription have been attracting increasing numbers from a highly appealing demographic for hackers looking for potentially lucrative identity theft.

At the other is the more prosaic Udemy ($3), whose technical courses cost as little as $10 and thus attract a more diverse user base.

Protect Your Data: Detailed Guide

Get a Password Manager

A password manager is essential in 2020. Widespread password re-use across multiple accounts means hackers only need one set of login details to run a credential stuffing attack and instantly gain access to many more.

A password manager helps to secure your online life by generating cryptographically strong and unique passwords for every site that you use, which they then autofill into login pages as you browse. All you have to remember is a single master password. The market leaders are 1Password and LastPass, both of which cost less than $5 a month and have good free versions.

Get Antivirus and Malware Protection Software

Malware such as keyloggers can steal your passwords and other personal data that can be used to access your online accounts and commit identity theft.

Scan your devices regularly using trusted software, such as Malwarebytes for Windows and macOS, and Avira Mobile Security for iOS and Android. It’s also well worth enabling real-time web protection, even if you have to upgrade to the paid version to do so.

Enable Two-factor Authentication (2FA)

Most online services now allow you to set up 2FA. It’s very simple, secure and you should do it right away.

With 2FA switched on, criminals won’t be able to hack into your account even if they have your log-in details as a further step is required to gain access after entering your password.

Typically, this will require entering a security code generated in an app on another device, such as your smartphone. Services like Authy allow you to generate codes for multiple services in a single app. Google offers a range of 2FA methods (also known as two-step verification). While receiving codes via SMS might be tempting, this is best avoided, as messages can be hijacked.

Go To The Source

To avoid falling victim to phishing scams, it is always best to go straight to the source by typing the company’s official URL into a new web browser.

If an email looks suspicious (i.e. strange format, slightly misspelt sender address) never click on any of the links or attachments in that email and always verify that the actual email address is from the person or company it says it is from.

Check For Data Breaches

The short, scary answer is that some of your personal data is almost certainly already for sale on the dark web. The first step is to find out which of your accounts have been stolen. Have I Been Pwned should be your first port of call, as it’ll help you find out which of your email accounts and old passwords have been compromised in a data breach.

If you have been caught up in a breach, change your passwords immediately.
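For checking old passwords, Have I Been Pwned offers a Pwned Passwords range lookup in which only the first five characters of the password's SHA-1 hash are sent. The following is an added example, not part of the original report, of that client-side flow; the response body and its counts are constructed so it runs offline, and the helper names are assumptions.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def split_sha1(password):
    """Return (prefix, suffix). Only the 5-character prefix is ever sent;
    the remaining 35 hex characters stay on the local machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(suffix, range_body):
    """Search a 'SUFFIX:COUNT' response body for our suffix; 0 means not listed."""
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix and count.isdigit():
            return int(count)
    return 0


def http_fetch(url):
    """Live lookup; not called by default in this example."""
    with urllib.request.urlopen(url, timeout=10) as response:
        return response.read().decode("utf-8")


def check_password(password, fetch=http_fetch):
    """How many times the password appears in known breaches, per the range lookup."""
    prefix, suffix = split_sha1(password)
    return breach_count(suffix, fetch(RANGE_URL.format(prefix=prefix)))


# Constructed sample response (made-up counts) so the example runs offline.
_, _SAMPLE_SUFFIX = split_sha1("password")
SAMPLE_RANGE_BODY = "\r\n".join([
    "0" * 35 + ":0",           # zero-count filler line, ignored by the lookup
    _SAMPLE_SUFFIX + ":1234",  # constructed hit for the sample password
    "F" * 35 + ":7",
])
SEEN_URLS = []


def constructed_fetch(url):
    """Stand-in for the network call; records what would have left the machine."""
    SEEN_URLS.append(url)
    return SAMPLE_RANGE_BODY


if __name__ == "__main__":
    print(check_password("password", fetch=constructed_fetch))
    print("sent to the service:", SEEN_URLS[-1])
```

Because the service only ever sees the five-character prefix, it cannot tell which of the returned hashes, if any, belongs to the password being checked.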

Get a Good VPN

Once you know what’s been breached and fixed your passwords, your first proactive move towards browsing more safely online should be to get a good virtual private network (VPN).

This simple tool secures your browsing everywhere – meaning that nobody, not even your internet service provider nor the government, can monitor your internet activity.

A VPN also allows you to use public WiFi without having to worry about hackers or other bad actors. We recommend that all consumers research the VPN market to find a reliable and trustworthy option that’s best for them.

Delete Old Accounts

Close down any old accounts you have that you don’t use anymore. Old social media accounts or store accounts used once years ago don’t offer any value to you, but are useful attack vectors for hackers and other bad actors. If these accounts are no longer important to you, you should delete them.

Stay Alert

The sooner fraud is detected, the lower the financial impact. In addition to the above measures, frequently checking your credit/debit card activity can allow you to quickly notice fraud.

Contact your financial institution as soon as you suspect fraudulent activities are happening on your account. Wherever possible, set up email or text alerts to notify you of suspicious activity such as unexpected orders for a new bank card or if a threshold transaction amount has been reached.

Methodology

Our team reviewed all fraud-related listings on four of the largest dark web markets: Empire, Icarus, Versus and White House between July 8 – August 3 2020. Relevant listings were collated and categorized in order to calculate average sale prices. We excluded large-scale ‘dumps’ to maintain the integrity of the data.

Access the Dark Web Market Price Index 2020: Covid-19 Edition raw data on this Google Sheet.


Disclaimer

Our report does not suggest in any shape or form that the companies included or referenced have suffered security breaches. Furthermore, we have not purchased any of the credentials being sold on the Dark Web.


About Us

Top10VPN.com is the world’s largest VPN review website. We recommend the best VPN services to help protect consumers’ privacy online. We also aim to educate the general public about digital privacy and cybersecurity risks through our free online resources and research.

For more of our original cybersecurity research, check out our Covid-19 VPN Demand Statistics, Free VPN Chinese Ownership Investigation, or our earlier Dark Web Market Price Index – 2019 (US Edition).

Additional research by Christine O’Donnell