(From privacyaffairs.com) You wouldn’t know it by watching the news, with everything that’s been happening surrounding the pandemic and global politics, but up until this point, 2020 has been one of the worst years for cyber attacks.
Notable corporations and organizations like NASA, McDonald’s, Microsoft, T-Mobile, Lockheed Martin, and even cybersecurity companies FireEye and SolarWinds have all been victims of serious breaches in 2020 alone.
Where does all of this leaked information end up? For sale on the Dark Web of course. We investigated how the Dark Web market has changed since our previously reported Dark Web Price Index 2020, so you can understand what your personal information is worth and why you should protect it.
Info reflects data collected on May 9 2021.
This is what we found:
Category | Product | Avg. dark web Price (USD) |
Credit Card Data | Cloned Mastercard with PIN | $25 |
Credit Card Data | Cloned American Express with PIN | $35 |
Credit Card Data | Cloned VISA with PIN | $25 |
Credit Card Data | Credit card details, account balance up to $1,000 | $150 |
Credit Card Data | Credit card details, account balance up to $5,000 | $240 |
Credit Card Data | Stolen online banking logins, minimum $100 on account | $40 |
Credit Card Data | Stolen online banking logins, minimum $2,000 on account | $120 |
Credit Card Data | Walmart account with credit card attached | $14 |
Credit Card Data | Hacked (Global) credit card details with CVV | $35 |
Credit Card Data | USA hacked credit card details with CVV | $17 |
Credit Card Data | UK hacked credit card details with CVV | $20 |
Credit Card Data | Canada hacked credit card details with CVV | $28 |
Credit Card Data | Australia hacked credit card details with CVV | $30 |
Credit Card Data | Israel hacked credit card details with CVV | $65 |
Credit Card Data | Spain hacked credit card details with CVV | $40 |
Credit Card Data | Japan hacked credit card details with CVV | $40 |
Payment processing services | Stolen PayPal account details, minimum $100 | $30 |
Payment processing services | Stolen PayPal account details, minimum $1,000 | $120 |
Payment processing services | PayPal transfers from stolen account, $100-$1,000 | $50 |
Payment processing services | PayPal transfer from stolen account, $1,000 – $3,000 | $340 |
Payment processing services | PayPal transfers from stolen account, $3,000+ | $180 |
Payment processing services | Western Union transfer from stolen account, above $1,000 | $45 |
Payment processing services | Stolen PayPal account details, no balance | $14 |
Payment processing services | Stolen UK fully verified Skrill account details | $200 |
Payment processing services | Hacked TransferGo account | $510 |
Payment processing services | 50 Hacked PayPal account logins | $200 |
Payment processing services | Hacked UK Neteller account | $70 |
Payment processing services | Hacked PerfectMoney account | $160 |
Payment processing services | Hacked Weststein Card account | $710 |
Payment processing services | Movo.Cash Login | $14 |
Payment processing services | Hacked Western Union Account | $45 |
Payment processing services | Verified Stripe account with payment gateway | $1,000 |
Crypto Accounts | Hacked Coinbase verified account | $610 |
Crypto Accounts | USA verified LocalBitcoins account | $350 |
Crypto Accounts | Crypto.com verified account | $300 |
Crypto Accounts | Coinfield.com verified account | $410 |
Crypto Accounts | Kraken verified account | $810 |
Crypto Accounts | Cex.io verified account | $710 |
Crypto Accounts | Blockchain.com verified account | $310 |
Crypto Accounts | Binance verified account | $410 |
Social Media | Hacked Facebook account | $65 |
Social Media | Hacked Instagram account | $45 |
Social Media | Hacked Twitter account | $35 |
Social Media | Hacked Gmail account | $80 |
Social Media | Instagram followers x 1000 | $5 |
Social Media | Spotify followers x 1000 | $2 |
Social Media | Twitch followers x 1000 | $5 |
Social Media | LinkedIn company page followers x 1000 | $12 |
Social Media | Pinterest followers x 1000 | $4 |
Social Media | Soundcloud plays x 1000 | $1 |
Social Media | Twitter retweets x 1000 | $25 |
Social Media | Instagram likes x 1000 | $5 |
Hacked Services | Uber driver hacked account | $14 |
Hacked Services | Uber hacked account | $8 |
Hacked Services | ZipCar account | $12 |
Hacked Services | Bet365 account | $50 |
Hacked Services | Lykke account | $260 |
Hacked Services | FedEx account | $22+ |
Hacked Services | Netflix account – 1 year subscription | $44 |
Hacked Services | Kaspersky account | $8 |
Hacked Services | Various adult site accounts | $5 |
Hacked Services | Canva Pro yearly | $6 |
Hacked Services | NBA League Pass | $8 |
Hacked Services | Orange TV | $4 |
Hacked Services | Hulu | $5 |
Hacked Services | The Telegraph UK Premium | $7 |
Hacked Services | CNBC Pro | $3 |
Hacked Services | Netflix 4K 1 year | $4 |
Hacked Services | HBO | $4 |
Hacked Services | Ancestry.com | $8 |
Hacked Services | Adobe Creative Cloud 1 year | $160 |
Hacked Services | eBay account with good reputation (1,000+ feedback) | $1,000 |
Forged Documents – Scans | Alberta CA Drivers License (scan) | $32 |
Forged Documents – Scans | Minnesota drivers license | $20 |
Forged Documents – Scans | Utility Bill templates | $39+ |
Forged Documents – Scans | US Business cheque templates | $15 |
Forged Documents – Scans | NSW (Australia) drivers license | $20 |
Forged Documents – Scans | Russian passport scan | $100 |
Forged Documents – Scans | New York drivers license | $80 |
Forged Documents – Scans | USA selfie with holding ID | $100 |
Forged Documents – Scans | US valid social security number | $2 |
Forged Documents – Physical | Fake US Green Card | $150 |
Forged Documents – Physical | New Jersey ID | $50 |
Forged Documents – Physical | Netherlands Passport | $4,000 |
Forged Documents – Physical | Poland Passport | $4,000 |
Forged Documents – Physical | Indiana ID | $185 |
Forged Documents – Physical | Texas ID | $145 |
Forged Documents – Physical | Utah ID | $160 |
Forged Documents – Physical | European Union National ID (avg.) | $120 |
Forged Documents – Physical | Latvian National ID | $500 |
Forged Documents – Physical | Louisiana ID | $125 |
Forged Documents – Physical | Montana ID | $150 |
Forged Documents – Physical | Nevada ID | $160 |
Forged Documents – Physical | Delaware ID | $185 |
Forged Documents – Physical | France Passport | $4,000 |
Forged Documents – Physical | Lithuanian passport | $1,500 |
Forged Documents – Physical | Maltese Passport | $6,500 |
Forged Documents – Physical | Maltese Passport | $6,500 |
Forged Documents – Physical | Various European Union passports | $4,000 |
Forged Documents – Physical | US driver’s license | $100 |
Email Database Dumps | Fake US Green Card | $150 |
Email Database Dumps | 600k New Zealand emails | $10 |
Email Database Dumps | 350k Czech emails | $10 |
Email Database Dumps | 2,4 million Canada emails | $10 |
Email Database Dumps | 4,78 million Mexico emails | $10 |
Email Database Dumps | 380k Austria emails | $10 |
Email Database Dumps | Private USA dentists database 122k | $50 |
Email Database Dumps | USA Voter Database (various states) | $100 |
Malware | Global low quality, slow speed, low success rate x 1000 | $50 |
Malware | Europe low quality, slow speed, low success rate x 1000 | $320 |
Malware | USA, CA, UK, AU low quality, slow speed, low success rate x 1000 | $900 |
Malware | Global med quality, 70% success rate x 1000 | $80 |
Malware | Europe med quality, 70% success rate x 1000 | $500 |
Malware | USA only med quality, 70% success rate x 1000 | $1,000 |
Malware | USA, CA, UK, AU med quality, 70% success rate x 1000 | $1,400 |
Malware | Europe fresh high quality x 1000 | $2,500 |
Malware | Europe aged high quality x 1000 | $1,200 |
Malware | USA high quality x 1000 | $1,900 |
Malware | CA high quality x 1000 | $1,400 |
Malware | UK high quality x 1000 | $2,200 |
Malware | Android x 1000 | $900 |
Malware | Premium x 1000 | $5,000 |
DDOS Attacks | Unprotected website, 10-50k requests per second, 1 hour | $15 |
DDOS Attacks | Unprotected website, 10-50k requests per second, 24 hours | $50 |
DDOS Attacks | Unprotected website, 10-50k requests per second, 1 week | $500 |
DDOS Attacks | Unprotected website, 10-50k requests per second, 1 month | $1,000 |
DDOS Attacks | Europe low quality, slow speed, low success rate x 1000 | $320 |
DDOS Attacks | Premium protected website, 20-50k requests per second, multiple elite proxies, 24 hours | $200 |
What We Found
As predicted, there is much more volume being sold now compared to last year, with fake ID and credit card vendors reporting sales in the several thousands. Not only quantity, but the variety of items to purchase has grown as well, such as hacked crypto accounts and web services like Uber accounts.
This is a vendor profile of someone selling stolen credit card data. It has accumulated more than 1,000 sales and over 600 positive reviews in just a year:
There are hundreds of vendors like the above.
With the massive influx of supply, buyers seem to be gravitating towards bigger, “trustworthy” sites, with White House Market holding the largest market share of sales. The Dark Web markets are even starting to parody traditional markets with comical offers of “buy 2 cloned credit cards and get 1 for free!!” for example.
In an effort to mitigate detection and tracking by law enforcement, the Dark Web is moving towards increased security on all ends. The markets have abandoned Bitcoin (BTC) as it is not secure, and vendors are demanding that buyers pay in Monero and communicate only through PGP encryption.
Our methodology was to scan dark web marketplaces, forums, and websites, to create an index of the average prices for a range of specific products.
To further illustrate how this marketplace is thriving, below you can find a snapshot of a vendor profile with buyer ratings. This fake ID vendor seemingly registers sales every day:
Cloned Credit Cards and Cardholder Data
Despite the increasing supply, prices for cloned credit cards and associated cardholder data actually seemed to increase across the board. The price increase is most likely due to a combination of factors like the increasing risks of attaining the information, the increasing benefit for buyers to use the information, the increased quality/accuracy of the card data, or just good ol’ inflation.
Vendors of stolen credit card data tend to offer a guarantee of 80%, which means that two out of every ten cards either aren’t accurate or have less than the advertised balance. Credit card records and cardholder data are typically sold in the format [CC|MM|YY|CVV|HOLDER_NAME|ZIP|CITY|ADDRESS|EMAIL|PHONE]. The first 4 sections are card details and the following 5 sections show the cardholder information.
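For defenders, the record layout quoted above works as a detection signature. The following is an added example, not part of the original article: it scans text such as application logs or outbound exports for pipe-delimited records in that layout, confirms the card number with a Luhn check, and reports only masked values. The function names and sample lines are constructed for illustration, and the card numbers are standard public test numbers.

```python
import re

# Pipe-delimited layout quoted in the article:
# CC|MM|YY|CVV|HOLDER_NAME|ZIP|CITY|ADDRESS|EMAIL|PHONE
FIELDS = ("cc", "mm", "yy", "cvv", "holder_name",
          "zip", "city", "address", "email", "phone")

# Anchor on the four card fields; the remaining fields are free text.
# Assumption: a 4-digit year is accepted as well as the 2-digit YY.
CARD_PREFIX = re.compile(
    r"(?<!\d)(\d{13,19})\|(0[1-9]|1[0-2])\|(\d{2}(?:\d{2})?)\|(\d{3,4})\|"
)


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first 6 and last 4 digits so alerts never carry a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_card_records(text: str) -> list[dict]:
    """Return one masked finding per line that holds a card record."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = CARD_PREFIX.search(line)
        if not m or not luhn_valid(m.group(1)):
            continue            # random digit runs rarely pass Luhn
        rest = line[m.end():].strip().rstrip("]").split("|")
        values = list(m.groups()) + rest
        record = dict(zip(FIELDS, values))
        findings.append({
            "line": lineno,
            "pan_masked": mask_pan(record["cc"]),
            "expiry": f'{record["mm"]}/{record["yy"]}',
            "fields_present": [k for k, v in record.items() if v.strip()],
            "complete": len(values) >= len(FIELDS),
        })
    return findings


# Constructed sample input: a log line, a valid record, a record whose
# number fails Luhn, a non-card digit run, and a truncated record.
SAMPLE = """\
2021-05-09 12:00:01 INFO export job started
4111111111111111|09|23|123|Jane Doe|10001|New York|1 Example St|jane@example.com|555-0100
4111111111111112|09|23|123|John Roe|10001|New York|2 Example St|john@example.com|555-0101
order 1234567890123|13|21|999|not a card
378282246310005|12|24|1234|A. Sample|90210
"""

if __name__ == "__main__":
    for finding in find_card_records(SAMPLE):
        print(finding)
```

The scanner reports masked numbers only, so its own output can be stored or forwarded to an alerting pipeline without creating a second copy of the card data.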
Updated Pricing (Oct. 2020 to Feb. 2021)
Product | Avg. Price USD (2020) | Avg. Price USD (2021) | YoY Difference |
Cloned Mastercard with PIN | $15 | $25 | +$10 |
Cloned American Express with PIN | $35 | $35 | $0 |
Cloned VISA with PIN | $25 | $25 | $0 |
Credit card details, account balance up to $1,000 | $12 | $15 | +$3 |
Credit card details, account balance up to $5,000 | $20 | $24 | +$4 |
Stolen online banking logins, minimum $100 on account | $35 | $40 | +$5 |
Stolen online banking logins, minimum $2,000 on account | $65 | $120 | +$55 |
Walmart account with credit card attached | $10 | $14 | +$4 |
We have also included several new “products” that weren’t covered in our 2020 version of this index.
New Products on Price Index
Credit Card Details | Avg. Price USD (2021) |
Hacked (Global) credit card details with CVV | $35 |
USA hacked credit card details with CVV | $17 |
UK hacked credit card details with CVV | $20 |
Canada hacked credit card details with CVV | $28 |
Australia hacked credit card details with CVV | $30 |
Israel hacked credit card details with CVV | $65 |
Spain hacked credit card details with CVV | $40 |
Japan hacked credit card details with CVV | $40 |
Many new listings of credit card details are categorized by country, which suggests where the breach took place, the accuracy of the credit card details, and the usefulness of the stolen data.
You can see that USA hacked credit card details are valued the lowest (due to high supply), and Israel the highest.
Example of stolen credit cards being sold on the dark web (vendor names have been removed):
Payment Processing Services
PayPal account details are easily the most abundant items listed on these dark web marketplaces, and as such they’re extremely inexpensive to purchase. The more expensive option is actual transfers from a hacked account.
As you can see in the table below, account details have dropped significantly in price, while the price of transfers has increased.
To accompany the purchase of payment processing accounts, another commonly listed item is guides on how to cash out the transfer without alerting the authorities. These guides sell for cents on the dollar, and whether they actually work remains unclear.
Updated Pricing (Oct. 2020 to Feb. 2021)
Payment Processing Services | Avg. Price USD (2020) | Avg. Price USD (2021) | YoY Difference |
Stolen PayPal account details, minimum $100 | $199 | $30 | -$169 |
Stolen PayPal account details, minimum $1,000 | – | $120 | – |
PayPal transfers from stolen account, $100-$1,000 | – | $5 | – |
PayPal transfers from stolen account, $1,000-$3,000 | $320 | $340 | +$20 |
PayPal Transfer from stolen account, $3,000+ | $156 | $180 | +$24 |
Western Union verified account | $98 | $45 | -$53 |
New Products on Price Index
Payment Processing Services | Avg. Price USD (2021) |
Stolen PayPal account details, no balance | $14 |
Hacked TransferGo account | $510 |
50 Hacked PayPal account logins | $200 |
Hacked UK Neteller account | $70 |
Hacked PerfectMoney account | $160 |
Hacked Weststein Card account | $710 |
Movo.Cash Login | $14 |
Hacked Western Union Account | $45 |
Verified Stripe account with payment gateway | $1,000 |
Payment processors have become more and more prevalent as retailers accept mobile pay and other forms of online payment. These payment processors vary in cybersecurity capabilities and insurance, so the value of a hacked account is likely to fluctuate as a result.
Example of stolen banking and payment processing information being sold on the dark web:
Crypto Accounts
Hacked crypto accounts seem to be one of the most valuable items for purchase. Due to the skyrocketing prices of BTC and other cryptocurrencies, hacked accounts may hold large sums of coin-based currency and cash, protected by relaxed security measures after the initial verification process.
The high-value accounts matched with abundant BTC ATMs for anonymous cash-out make crypto accounts a very valuable item for hackers.
Crypto | Avg. Price USD (2021) |
Hacked Coinbase verified account | $610 |
USA verified LocalBitcoins account | $350 |
Crypto.com verified account | $300 |
Coinfield.com verified account | $410 |
Kraken verified account | $810 |
Cex.io verified account | $710 |
Blockchain.com verified account | $310 |
Binance verified account | $410 |
Example listings of hacked cryptocurrency site accounts being sold:
Social Media
Whether it’s the increased supply of hacked information or the diminishing value of an individual hacked account, prices for hacked social media accounts seem to be dropping across all platforms. Additionally, offers to hack specific accounts or sell them were relatively scarce, but there were still some.
Given the recent increase in security measures (e.g., MFA, account locks on too many attempted passwords) implemented by social media platforms, hackers must resort to social engineering techniques to gain login credentials, which is a very labor intensive endeavor for a relatively low success ratio.
Also worth noting is the extremely low cost of social engagement (e.g., likes and follows). This just proves how easy it is for some to gain influence through social proof with just a few bucks.
Updated Pricing (Oct. 2020 to Feb. 2021)
Social Media | Avg. Price USD (2020) | Avg. Price USD (2021) | YoY Difference |
Hacked Facebook account | $75 | $65 | -$10 |
Hacked Instagram account | $55 | $45 | -$10 |
Hacked Twitter account | $49 | $35 | -$14 |
Hacked Gmail account | $156 | $80 | -$76 |
Instagram followers x 1000 | $7 | $5 | -$2 |
Spotify followers x 1000 | $3 | $2 | -$1 |
Twitch followers x 1000 | $6 | $5 | -$1 |
LinkedIn x 1000 | $10 | $12 | +$2 |
Pinterest followers x 1000 | $5 | $4 | -$1 |
Soundcloud plays x 1000 | $1 | $1 | $0 |
Twitter retweets x 1000 | $25 | $25 | $0 |
Instagram likes x 1000 | $6 | $5 | -$1 |
Example of hacked social media accounts for sale:
Hacked Services
Vendors even sell access to paid online subscription services at lower prices for those willing to take the risk.
Hacked Services | Avg. Price USD (2021) |
Uber driver hacked account | $14 |
Uber hacked account | $8 |
ZipCar account | $12 |
Bet365 account | $50 |
Lykke account | $260 |
FedEx account | $22+ |
Netflix account – 1 year subscription | $44 |
Kaspersky account | $8 |
Various adult site accounts | $5 |
Canva Pro yearly | $6 |
NBA League Pass | $8 |
Orange TV | $4 |
Hulu | $5 |
The Telegraph UK Premium | $7 |
CNBC Pro | $3 |
Netflix 4K 1 year | $4 |
HBO | $4 |
Ancestry.com | $8 |
Adobe Creative Cloud 1 year | $160 |
eBay account with good reputation (1,000+ feedback) | $1,000 |
Examples of various hacked online accounts being sold:
Forged Documents - Scans and Physical
Forged documents are available as digital scans or as physical documents. Depending on the vendor, they are highly customizable and can be made with any details that the buyer wants, so with just a few pieces of real information, a criminal could create an entire file of forged official-looking documents.
Document scans with a selfie are another valuable purchase, as they can be used for SIM swap attacks as well as personal data access requests in California and in the EU.
Besides the documents listed in the table below, counterfeit money is also extremely prevalent, mainly in denominations of 20 or 50 USD. We found USD, EUR, GBP, CAD, AUD were the most common, and some came with a UV pen test guarantee. The reported “high-quality” counterfeit banknotes typically cost around 30% of the banknote value.
Document Scans | Avg. Price USD (2021) |
Alberta CA Drivers License (scan) | $32 |
Minnesota drivers license | $20 |
Utility Bill templates | $39+ |
US Business cheque templates | $15 |
NSW (Australia) drivers license | $20 |
Russian passport scan | $100 |
New York drivers license | $80 |
USA selfie with holding ID | $100 |
US valid social security number | $2 |
Example listings of fake documents being sold on the dark web (digital form):
Physical forged documents are also being sold. These are the highest priced items on the dark web markets by far.
Physical Documents | Avg. Price USD (2021) |
Fake US Green Card | $150 |
New Jersey ID | $50 |
Netherlands Passport | $4,000 |
Poland Passport | $4,000 |
Indiana ID | $185 |
Texas ID | $145 |
Utah ID | $160 |
European Union National ID (avg.) | $120 |
Latvian National ID | $500 |
Louisiana ID | $125 |
Montana ID | $150 |
Nevada ID | $160 |
Delaware ID | $185 |
France Passport | $4,000 |
Lithuanian passport | $1,500 |
Maltese Passport | $6,500 |
Maltese Passport | $6,500 |
Various European Union passports | $4,000 |
US driver’s license | $100 |
Example listings of forged documents being sold on the dark web (physical form):
Email Database Dumps
Email dumps are very common and notoriously inexpensive due to their mainstream availability and low accuracy. Most email dumps are aggregations and collections of other email breaches.
Email Dumps | Avg. Price USD (2021) |
Fake US Green Card | $150 |
600k New Zealand emails | $10 |
350k Czech emails | $10 |
2,4 million Canada emails | $10 |
4,78 million Mexico emails | $10 |
380k Austria emails | $10 |
Private USA dentists database 122k | $50 |
USA Voter Database (various states) | $100 |
Example listings of email database dumps being sold:
Malware
Once installed on compromised systems (e.g., Windows, Android and others), malware gives hackers full access to the machine, which can be used to hijack computer resources via ransomware or to steal information about the user.
Common ways of delivering the malware are fake online casinos, FB/social networks, warez websites, etc., so beware of downloading anything from untrusted sites and sources.
For every 1,000 installs, hackers stand to steal tens of thousands of dollars.
Updated Pricing (Oct. 2020 to Feb. 2021)
Malware | Avg. Price USD (2020) | Avg. Price USD (2021) | YoY Difference |
Global low quality, slow speed, low success rate x 1000 | $70 | $50 | -$20 |
Europe low quality, slow speed, low success rate x 1000 | $300 | $320 | +$20 |
USA, CA, UK, AU low quality, slow speed, low success rate x 1000 | $800 | $900 | +$100 |
Global med quality, 70% success rate x 1000 | $80 | $80 | – |
Europe med quality, 70% success rate x 1000 | $700 | $500 | -$200 |
USA only med quality, 70% success rate x 1000 | $900 | $1,000 | +$100 |
USA, CA, UK, AU med quality, 70% success rate x 1000 | $1,300 | $1,400 | +$100 |
Europe fresh high quality x 1000 | $2,300 | $2,500 | +$200 |
Europe aged high quality x 1000 | $1,400 | $1,200 | -$200 |
USA high quality x 1000 | $1,700 | $1,900 | +$200 |
CA high quality x 1000 | $1,500 | $1,400 | -$100 |
UK high quality x 1000 | $2,000 | $2,200 | +$200 |
Android x 1000 | $600 | $900 | +$300 |
Premium x 1000 | $6,000 | $5,000 | -$1,000 |
Example listings of malware being sold on the dark web:
DDOS Attacks
A distributed denial of service (DDoS) attack sends the target website thousands of connection requests per second to overload and crash the website’s server, thereby taking a website offline. Typically, no information is stolen through these attacks, but they are used to dox a website or cover up other hacking activities.
Updated Pricing (Oct. 2020 to Feb. 2021)
DDOS Attacks | Avg. Price USD (2020) | Avg. Price USD (2021) | YoY Difference |
Unprotected website, 10-50k requests per second, 1 hour | $10 | $15 | +$5 |
Unprotected website, 10-50k requests per second, 24 hours | $60 | $50 | -$10 |
Unprotected website, 10-50k requests per second, 1 week | $400 | $500 | +$100 |
Unprotected website, 10-50k requests per second, 1 month | $800 | $1,000 | +$200 |
Premium protected website, 20-50k requests per second, multiple elite proxies, 24 hours | $200 | $200 | – |
Why This Data is Important
Dark web market data may not provide the average person with useful insights, but what it does provide is a powerful perspective into just how valuable your personal data really is, and how cheap it is to exploit you.
We’ve heard all the horror stories of unsuspecting victims losing their life savings or hackers selling cam footage on the deepest corners of the web, but it’s easy to think it will never happen to you. The sad truth is with the growing supply of personal information on the dark web, the likelihood and occurrence of devastating hacks increases every day.
The reality is that hackers rarely resort to targeting specific people. With the sheer quantity of data available for purchase, they just need to play the numbers game, and if you don’t protect yourself, you’ll be the one paying the price. By adopting a few simple rules and habits, you’ll make it harder for hackers to get your data, and in doing so take yourself completely out of their crosshairs. Like we said, it’s just a numbers game.
How to Protect Yourself From Identity Theft
By following the below recommendations, you will be much more likely to avoid identity theft.
Avoid Public Wifi
Avoid public or unsecured WiFi. If you must log into an account on a network you don’t trust like at a coffee shop, use a VPN to encrypt all communications. If an attacker has admin access to the network you’re using, they can manipulate everything you’re doing and even forge bank websites.
Use Safe ATM Practices
Check for ATM skimmers. Skimmers are devices placed over an ATM (often exact replicas of the card reader) to read a card and send your information to a hacker. To check for skimmers, you should:
- Press around the sides of the card slot and see if anything feels loose. Skimmers are delicately mounted, so they’ll move when pressed with a small amount of pressure.
- Check for glue around the edges or tape. If you see any glue material, stay away from that ATM and call the bank.
- If you have difficulty putting your card into the machine, stop trying and report it to the bank.
Check for fake keypads. Fake keypads are sometimes placed over the legitimate one to record your PIN number. They’re also often very loosely mounted. If it jiggles around a bit or if you notice the keypad is off-center, you should avoid using it.
Keep your Information Private
Avoid giving sensitive information over the phone to anyone, regardless of whether it is a requirement for some process. If possible, do it in person. And be sure to verify that the person you are talking to is who they say they are.
Use Anti-Malware Tools
Use anti-malware software such as AVG on your personal computer to check for malware, and make sure it’s set to automatically update.
Use Account & Password Hygiene
Never use the same password for multiple accounts. This is the easiest way for an attacker to gain access to your accounts. When a major list of account details is dumped on the dark web, your account details can be checked against other services such as email or banking, and you really don’t want them to have the same password.
Delete accounts you don’t use anymore. Old accounts can be compromised and used for password resets or similar attacks. However, if you don’t reuse passwords on multiple accounts, this is not really an issue.
Use a password manager such as LastPass or KeePass (both free) so you can have super strong password security for your accounts, and only need to remember one master password.
These rules may feel a bit complicated and burdensome, but once you get used to following them, they’ll become second nature. You develop a sense of cybersecurity that is vital online and in daily life. In the end, you will be doing your part in protecting your digital identity and safeguarding your own future.