The dark web has a longstanding reputation as a haven for the worst kinds of criminal activity. This reputation is not wholly unjustified, as there are indeed terrible things happening around the world that can be bought and sold on the dark web.
The privacy offered by software such as TOR creates an environment where criminals can sell their wares on the dark web without the worry of law enforcement.
Many will have heard the horror stories of people’s bank accounts being cleaned out, or their identity stolen and turning up in custody in Mexico. Again, not unjustified horror.
You might be asking yourself, just how easy is it to obtain someone else’s personal information, documents, account details?
We certainly were.
To see just how prevalent such items of personal data are being listed, and at what price, we sent our researchers on a data-gathering mission into the dark web.
Updated October 2020 to reflect up-to-date numbers.
Category | Product | Avg. dark web Price (USD) |
Credit Card Data | Cloned Mastercard with PIN | $15 |
Cloned American Express with PIN | $35 | |
Cloned VISA with PIN | $25 | |
Credit card details, account balance up to $1000 | $12 | |
Credit card details, account balance up to $5000 | $20 | |
Stolen online banking logins, minimum $100 on account | $35 | |
Stolen online banking logins, minimum $2000 on account | $65 | |
Walmart account with credit card attached | $10 | |
Payment processing services | Stolen PayPal account details, minimum $100 | $198.56 |
PayPal transfer from stolen account, $1000 – $3000 | $320.39 | |
PayPal transfers from stolen account, $3000+ | $155.94 | |
Western Union transfer from stolen account, above $1000 | $98.15 | |
Forged documents | US driving license, average quality | $70 |
US driving license, high quality | $550 | |
Auto insurance card | $70 | |
AAA emergency road service membership card | $70 | |
Wells Fargo bank statement | $25 | |
Wells Fargo bank statement with transactions | $80 | |
Rutgers State University student ID | $70 | |
US, Canada, or Europe passport | $1500 | |
Europe national ID card | $550 | |
Social Media | Hacked Facebook account | $74.5 |
Hacked Instagram account | $55.45 | |
Hacked Twitter account | $49 | |
Hacked Gmail account | $155.73 | |
Instagram followers x 1000 | $7 | |
Spotify followers x 1000 | $3 | |
Twitch followers x 1000 | $6 | |
Tick Tok followers x 1000 | $15 | |
LinkedIn followers x 1000 | $10 | |
LinkedIn company page followers x 1000 | $10 | |
Pinterest followers x 1000 | $5 | |
Soundcloud plays x 1000 | $1 | |
Daily Motion views x 1000 | $2 | |
Twitter retweets x 1000 | $25 | |
Instagram likes x 1000 | $6 | |
Malware | Global low quality, slow speed, low success rate x 1000 | $70 |
Europe low quality, slow speed, low success rate x 1000 | $300 | |
USA, CA, UK, AU low quality, slow speed, low success rate x 1000 | $800 | |
Global med quality, 70% success rate x 1000 | $80 | |
Europe med quality, 70% success rate x 1000 | $700 | |
USA only med quality, 70% success rate x 1000 | $900+ | |
USA, CA, UK, AU med quality, 70% success rate x 1000 | $1300 | |
Europe fresh high quality x 1000 | $2300 | |
Europe aged high quality x 1000 | $1400 | |
USA high quality x 1000 | $1700 | |
CA high quality x 1000 | $1500 | |
UK high quality x 1000 | $2000 | |
Android x 1000 | $600 | |
Premium x 1000 | $6000 | |
DDoS Attack | Unprotected website, 10-50k requests per second, 1 hour | $10 |
Unprotected website, 10-50k requests per second, 24 hours | $60 | |
Unprotected website, 10-50k requests per second, 1 week |
$400+ | |
Unprotected website, 10-50k requests per second, 1 month | $800+ | |
Premium protected website, 20-50k requests per second, multiple elite proxies, 24 hours | $200 |
While there are many marketplaces on the dark web, there are even more forum posts warning scammers. This makes verified prices difficult to obtain without ordering the items to find out, which we didn’t.
Our methodology was to scan dark web marketplaces, forums, and websites, to create an index of the average prices for a range of specific products.
We were only interested in products and services relating to personal data, counterfeit documents, and social media.
This is what we found.
Our guide on finding the top VPNs is a great resource for readers to learn about which VPNs are trusted these days.
You can also find country-specific VPN guides such as our Mexico VPN and Venezuela VPN services.
For specific use cases and unblocking, you can check out our DAZN VPN guide.
Product | Average dark web Price (USD) |
Cloned Mastercard with PIN | $15 |
Cloned American Express with PIN | $35 |
Cloned VISA with PIN | $25 |
Credit card details, account balance up to $1000 | $12 |
Credit card details, account balance up to $5000 | $20 |
Stolen online banking logins, minimum $100 on account | $35 |
Stolen online banking logins, minimum $2000 on account | $65 |
Walmart account with credit card attached | $10 |
Credit card details usually come in the format CC|MM|YY|CVV|HOLDER_NAME|ZIP|CITY|ADDRESS|EMAIL|PHONE, with the first four sections being the details on the card and the rest the details of the account holder. This will cause a major inconvenience, but the prospect of someone using your online banking logins to gain full access to your account is far more daunting.
Vendors tend to offer a guarantee of 80%. Meaning that two of every ten cards either won’t work or will have less than the advertised balance. We didn’t order any, so we can’t verify whether this is true. Still, the prevalence of these claims, alongside the well-documented increase in identity fraud cases, suggests a high turnover of such data.
Product | Average dark web Price (USD) |
Stolen PayPal account details, minimum $100 | $198.56 |
PayPal transfer from stolen account, $1000 – $3000 | $320.39 |
PayPal transfers from stolen account, $3000+ | $155.94 |
Western Union transfer from stolen account, above $1000 | $98.15 |
PayPal account details were easily the most common items listed and extremely cheap. More expensive were actual transfers from a hacked account.
Another very common item for sale was guided on how to “cash-out” – actually get the money in a way that doesn’t alert the authorities. These guides go for a few cents, but whether or not they work is not what we were looking for.
Product | Average dark web Price (USD) |
US driving license, average quality | $70 |
US driving license, high quality | $550 |
Auto insurance card | $70 |
AAA emergency road service membership card | $70 |
Wells Fargo bank statement | $25 |
Wells Fargo bank statement with transactions | $80 |
Rutgers State University student ID | $70 |
US, Canada, or Europe passport | $1500 |
Europe national ID card | $550 |
With just a few pieces of real information about someone, a criminal could create a whole file of official documents for all sorts of fraudulent activities. These documents come with various guarantees and are available with any details the buyer chooses. This is one way in which identity is stolen.
Counterfeit banknotes are extremely common, mainly in 20 or 50 denominations.
We often came across USD, EUR, GBP, CAD, and AUD. Some come with a UV pen test guarantee. The “quality” ones cost around 30% of the banknote value.
Offers to hack or sell accounts were relatively scarce but not non-existent. Perhaps due to a lack of demand for the product and increased security practices. Hackers trying to get the social media credentials from their victims mostly have to resort to using social engineering techniques, which have a very high effort input for relatively low success ratio.
The extremely low cost for the social engagement should seriously make you question an account’s validity before blindly trusting their wealth of social currency.
According to Alex Popa from Whizcase, frequent errors and bugs present in social media platforms can also result in attacks and breaches.
Malicious tools are installed on comprised systems (Windows, Android, and others) which give attackers access to the system. Initial installation is via a fake online casino, FB/social networks, warez websites, etc.
Some malware may use your computer’s resources for activities such as cryptocurrency mining. Others may be used to steal credentials as you enter them on a website. For every 1000 installs, hackers can often steal tens of thousands of dollars.
A distributed denial of service (DDoS) attack aims to take a website offline by sending thousands of requests per second to overload the website’s server, causing it to crash.
For the average person, underground market data isn’t necessarily going to provide much use as they most likely aren’t shopping around for stolen card data or PayPal accounts. Though this is true, the prices these items sell provide a powerful perspective.
If someone gets their hands on your financial details or social media credentials, the prices mentioned above are basically what it’s worth to them. There’s a good chance that you value these things much more than they do, as to them, you’re just another mark for a quick buck.
For far less than the amount your data would sell for on the black market, you can protect it from ever having to reach their hands with a couple of simple rules and habits. With this knowledge, there’s no excuse not to do what you can to protect your data.
Nothing is foolproof, however, and anyone can have their data stolen; you can only make it much harder to do so and thus less worth the effort for criminals.
You can work with your bank to potentially recover most assets stolen from you, but it’s a long process and a major headache. There may also be other repercussions, such as unexpected credit taken out in your name, which can take years to recover.
These rules may feel complicated and burdensome, but once you get used to following them, they’ll become second nature. You develop a sense of cybersecurity that is vital online and in daily life.
24 Comments
Dark Web Monitoring: Being One Step Ahead of Cybercriminals | Security Curated
August 15, 2024 2:18 pm
[…] to a report from Privacy Affairs, cybercriminals operating on the Dark Web will pay an average of $1,000 for a […]
O que é DDoS de Aluguel e por que é um problema? – makeuseoff
August 9, 2024 1:11 pm
[…] DDoS-for-hire é um serviço que permite que qualquer pessoa execute um ataque DDoS por apenas 10 dólares por hora. Aparentemente, é inspirado no modelo de negócios de Software como […]
Nope
June 28, 2023 3:19 am
Honestly,
Other than malware, can you find software online with a price?
Prince
May 29, 2023 8:29 am
Everything here is good
bun
September 11, 2022 1:56 pm
𝕞𝕖𝕣𝕔𝕚
Cool Person
June 23, 2022 2:59 am
There is a critical typo on the website. The paragraph on how to protect yourself states (emphasis added): “When answering your phone, ALWAYS give sensitive information (such as your SSN, debit card number, passwords) to anyone, regardless of whether this is a requirement for some process. If it’s that important, do it in person.”
ALWAYS should be NEVER.
Miklos Zoltan
June 23, 2022 10:11 am
Oh, wow. Yes, that looks bad. Thanks for letting us know. I’ve just fixed it.
Brook
June 15, 2022 1:38 pm
Do you think my mom who recently passed away and her name printed in the newspaper by public records. I purposely didn’t do a obit. Bcuz I thought it would make her a easy target and low and behold b4 I could close her account and her Amazon account both were hit. The public records laws need to change.or am I thinking too old school.
Shane Lilly
September 28, 2020 10:59 pm
This is fantastic information. I would like to feature this on NoShitSecurity.com alongside our other privacy-related content if that is ok with you.
Stevie
July 14, 2020 10:41 pm
Risk management. It’s less risky to collect BTC for account numbers than to try withdrawing funds.
J
July 14, 2020 6:41 am
@Miguel good work and interesting reading.
Two questions.
First, what is the number of different sources?
Second, is the prices in the PayPal section correct or are there typos?
$198.56 for $100? & 3000+ is cheaper than than 1000-3000.
Stolen PayPal account details, minimum $100 $198.56
PayPal transfer from stolen account, $1000 – $3000 $320.39
PayPal transfers from stolen account, $3000+ $155.94
Miklos Zoltan
July 7, 2021 6:32 pm
Chipping in for Miguel here.
This is all based on manual dark web research.
Uberpoopoo
July 14, 2020 2:53 am
It’s much easier to buy social media accounts and followers from a regular website that can be found via google.
Anonymous
July 13, 2020 11:51 pm
Because it’s much easier to sell a bank account and receive money for it in BTC, than it is to actually wire that money to your own account.
Tim S.
July 13, 2020 11:39 pm
Propeller, I’d imagine that they are doing this to make their profits less traceable to them, by effectively shifting risk to the people cashing out from these accounts
Anonymous
July 13, 2020 10:01 pm
There is practically zero risk in buying and selling information compared to actually trying to cash these things out. It’s also easy to scam people by making up fake information.
Henri Hannetel
July 13, 2020 9:02 pm
Premium protected website, 20-50k requests per second, multiple elite proxies, 24 hours $200
As an SRE, those prices looks pretty low to me.
K L
July 13, 2020 8:30 pm
@Propeller because it’s a scam. It’s one thing to sit on an account you have the access to, it’s another to move money from it to your account. They know that if they moved the money, they would get caught. It’s like having a live grenade in your collection and selling it. The minute the person pulls the pin they are gone.
yo
July 13, 2020 8:12 pm
Because it’s harder to consistently extract money from those accounts, that’s why they prefer the more sure-way to get money: sell those passwords
noone
July 13, 2020 8:06 pm
I guess it is because it is lower risk to get caught and less work. Less risk, less work, less money.
Propeller
July 13, 2020 12:24 pm
Why do they sell bank accounts w/ money instead of making profit from them directly? I always ask this…
Miklos Zoltan
July 7, 2021 6:33 pm
Like other commenters explained, it’s because it’s actually hard to get money out of these account. Also extremely risky if you get caught. So they just sell these to others instead. For the hackers, this way there’s almost no risk.
Maria Teresa
July 9, 2020 7:05 am
Hi,
I saw your following report. Can you provide me please legit darknet website for Western Union Transfer and PayPal Transfer. I like your advice properly.
Payment processing services
Product Average dark web Price (USD)
Stolen PayPal account details, minimum $100 $198.56
PayPal transfer from stolen account, $1000 – $3000 $320.39
PayPal transfers from stolen account, $3000+ $155.94
Western Union transfer from stolen account, above $1000 $98.15
Joe Robinson
July 9, 2020 11:51 am
Hi Maria, no. This piece was created as research, not to help you become a criminal. Don’t break the law.