The dark web has a longstanding reputation as a haven for the worst kinds of criminal activity. This reputation is not wholly unjustified, as there are indeed terrible things happening around the world that can be bought and sold on the dark web.

The privacy offered by software such as Tor creates an environment where criminals can sell their wares on the dark web without the worry of law enforcement. Exploring the hidden economics of the dark web price index can help you understand security risks.

What’s more, many will have heard the horror stories of people’s bank accounts being cleaned out, or of their identity being stolen and turning up in custody in Mexico. Again, not unjustified horror.

You might be asking yourself, just how easy is it to obtain someone else’s personal information, documents, or account details?

We certainly were.

To see just how prevalent listings of such personal data are, and at what price, we sent our researchers on a data-gathering mission into the dark web.

Updated October 2020 to reflect up-to-date numbers.

| Category | Product | Avg. dark web Price (USD) |
| --- | --- | --- |
| Credit Card Data | Cloned Mastercard with PIN | $15 |
| | Cloned American Express with PIN | $35 |
| | Cloned VISA with PIN | $25 |
| | Credit card details, account balance up to $1000 | $12 |
| | Credit card details, account balance up to $5000 | $20 |
| | Stolen online banking logins, minimum $100 on account | $35 |
| | Stolen online banking logins, minimum $2000 on account | $65 |
| | Walmart account with credit card attached | $10 |
| Payment processing services | Stolen PayPal account details, minimum $100 | $198.56 |
| | PayPal transfer from stolen account, $1000 – $3000 | $320.39 |
| | PayPal transfers from stolen account, $3000+ | $155.94 |
| | Western Union transfer from stolen account, above $1000 | $98.15 |
| Forged documents | US driving license, average quality | $70 |
| | US driving license, high quality | $550 |
| | Auto insurance card | $70 |
| | AAA emergency road service membership card | $70 |
| | Wells Fargo bank statement | $25 |
| | Wells Fargo bank statement with transactions | $80 |
| | Rutgers State University student ID | $70 |
| | US, Canada, or Europe passport | $1500 |
| | Europe national ID card | $550 |
| Social Media | Hacked Facebook account | $74.5 |
| | Hacked Instagram account | $55.45 |
| | Hacked Twitter account | $49 |
| | Hacked Gmail account | $155.73 |
| | Instagram followers x 1000 | $7 |
| | Spotify followers x 1000 | $3 |
| | Twitch followers x 1000 | $6 |
| | TikTok followers x 1000 | $15 |
| | LinkedIn followers x 1000 | $10 |
| | LinkedIn company page followers x 1000 | $10 |
| | Pinterest followers x 1000 | $5 |
| | SoundCloud plays x 1000 | $1 |
| | Dailymotion views x 1000 | $2 |
| | Twitter retweets x 1000 | $25 |
| | Instagram likes x 1000 | $6 |
| Malware | Global low quality, slow speed, low success rate x 1000 | $70 |
| | Europe low quality, slow speed, low success rate x 1000 | $300 |
| | USA, CA, UK, AU low quality, slow speed, low success rate x 1000 | $800 |
| | Global med quality, 70% success rate x 1000 | $80 |
| | Europe med quality, 70% success rate x 1000 | $700 |
| | USA only med quality, 70% success rate x 1000 | $900+ |
| | USA, CA, UK, AU med quality, 70% success rate x 1000 | $1300 |
| | Europe fresh high quality x 1000 | $2300 |
| | Europe aged high quality x 1000 | $1400 |
| | USA high quality x 1000 | $1700 |
| | CA high quality x 1000 | $1500 |
| | UK high quality x 1000 | $2000 |
| | Android x 1000 | $600 |
| | Premium x 1000 | $6000 |
| DDoS Attack | Unprotected website, 10-50k requests per second, 1 hour | $10 |
| | Unprotected website, 10-50k requests per second, 24 hours | $60 |
| | Unprotected website, 10-50k requests per second, 1 week | $400+ |
| | Unprotected website, 10-50k requests per second, 1 month | $800+ |
| | Premium protected website, 20-50k requests per second, multiple elite proxies, 24 hours | $200 |

What We Found

Whilst there are many marketplaces on the dark web, there are even more forum posts warning of scammers. This makes verified prices difficult to obtain without ordering the items to find out, which of course we didn’t.

Our methodology was to scan dark web marketplaces, forums, and websites, to create an index of the average prices for a range of specific products.

We were only interested in products and services relating to personal data, counterfeit documents, and social media.

This is what we found.

Cloned credit cards and associated data

| Product | Average dark web Price (USD) |
| --- | --- |
| Cloned Mastercard with PIN | $15 |
| Cloned American Express with PIN | $35 |
| Cloned VISA with PIN | $25 |
| Credit card details, account balance up to $1000 | $12 |
| Credit card details, account balance up to $5000 | $20 |
| Stolen online banking logins, minimum $100 on account | $35 |
| Stolen online banking logins, minimum $2000 on account | $65 |
| Walmart account with credit card attached | $10 |

Credit card details usually come in the format CC|MM|YY|CVV|HOLDER_NAME|ZIP|CITY|ADDRESS|EMAIL|PHONE, with the first 4 sections being the details on the card and the rest the details of the account holder. Having these details stolen will definitely cause a major inconvenience, but the prospect of someone using your online banking logins to gain full access to your account is far more daunting.
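
Because the record layout above is so regular, a defender can scan outbound data, logs, or paste-monitoring feeds for it. The sketch below is an added example, not part of the original research: the function names are hypothetical, the field widths are assumptions, and the sample input is constructed around a public test card number.

```python
import re

# Field order as given in the article; the first four fields are the card details.
FIELDS = ["cc", "mm", "yy", "cvv", "holder_name",
          "zip", "city", "address", "email", "phone"]

# Assumption: card fields are strictly numeric, the six holder fields are free text.
RECORD_RE = re.compile(
    r"(?<![\d|])(\d{13,19})\|(\d{2})\|(\d{2}|\d{4})\|(\d{3,4})"
    r"((?:\|[^|\r\n]*){6})"
)

def luhn_ok(pan):
    """Luhn checksum: rejects digit runs that only look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_card_records(text):
    """Return one finding per dump-format record, with the card number masked."""
    findings = []
    for m in RECORD_RE.finditer(text):
        pan, month = m.group(1), int(m.group(2))
        if not (1 <= month <= 12 and luhn_ok(pan)):
            continue  # wrong month or failed checksum: treat as a false positive
        holder = dict(zip(FIELDS[4:], m.group(5).split("|")[1:]))
        findings.append({
            "offset": m.start(),
            "pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
            "holder_fields_present": sorted(k for k, v in holder.items() if v.strip()),
        })
    return findings

# Constructed sample: 4111111111111111 is a public test number, not a real card.
SAMPLE = (
    "2020-10-01 upload ok id=8841\n"
    "4111111111111111|09|23|123|Jane Doe|10001|New York|1 Example St|jane@example.com|5550100\n"
    "4111111111111112|09|23|123|Bad Luhn|10001|New York|1 Example St|x@example.com|5550101\n"
    "order|12|20|997|not-a-card\n"
)

if __name__ == "__main__":
    print(find_card_records(SAMPLE))
```

Findings carry only the masked number and the names of the holder fields present, so the alert itself does not become a second copy of the leaked data.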

Vendors tend to offer a guarantee of 80%, meaning that two of every ten cards either won’t work or will have less than the advertised balance. We didn’t order any so can’t verify whether this is true, but the prevalence of these claims alongside the well-documented increase in identity fraud cases suggests that there is a high turnover of such data.

Payment processing services

| Product | Average dark web Price (USD) |
| --- | --- |
| Stolen PayPal account details, minimum $100 | $198.56 |
| PayPal transfer from stolen account, $1000 – $3000 | $320.39 |
| PayPal transfers from stolen account, $3000+ | $155.94 |
| Western Union transfer from stolen account, above $1000 | $98.15 |

PayPal account details were easily the most common items listed, and extremely cheap. More expensive were actual transfers from a hacked account.

Another very common item for sale was guides on how to “cash out” – actually get the money in a way that doesn’t alert the authorities. These guides go for a few cents, but whether or not they actually work is not what we were looking for.

Forged documents

| Product | Average dark web Price (USD) |
| --- | --- |
| US driving license, average quality | $70 |
| US driving license, high quality | $550 |
| Auto insurance card | $70 |
| AAA emergency road service membership card | $70 |
| Wells Fargo bank statement | $25 |
| Wells Fargo bank statement with transactions | $80 |
| Rutgers State University student ID | $70 |
| US, Canada, or Europe passport | $1500 |
| Europe national ID card | $550 |

These documents came with a range of guarantees and are available with any details the buyer chooses. With just a few pieces of real information about someone, a criminal could create a whole file of official documents to be used for all sorts of fraudulent activities. This is one way in which an identity is stolen.

Counterfeit money

Counterfeit banknotes are extremely common, mainly in 20 or 50 denominations.

We came across USD, EUR, GBP, CAD, AUD most often. Some come with a UV pen test guarantee. The “quality” ones tend to cost around 30% of the banknote value.

Social media

| Product | Average dark web Price (USD) |
| --- | --- |
| Hacked Facebook account | $74.5 |
| Hacked Instagram account | $55.45 |
| Hacked Twitter account | $49 |
| Hacked Gmail account | $155.73 |
| Instagram followers x 1000 | $7 |
| Spotify followers x 1000 | $3 |
| Twitch followers x 1000 | $6 |
| TikTok followers x 1000 | $15 |
| LinkedIn followers x 1000 | $10 |
| LinkedIn company page followers x 1000 | $10 |
| Pinterest followers x 1000 | $5 |
| SoundCloud plays x 1000 | $1 |
| Dailymotion views x 1000 | $2 |
| Twitter retweets x 1000 | $25 |
| Instagram likes x 1000 | $6 |

Offers to hack accounts or sell them were relatively scarce, but not non-existent, perhaps due to a lack of demand for the product coupled with increased security practices. Hackers trying to get social media credentials from their victims mostly have to resort to social engineering techniques, which require a very high effort for a relatively low success ratio.

The extremely low cost for social engagement should seriously make you question an account’s validity before blindly trusting their wealth of social currency.

Malware

| Product | Average dark web Price (USD) |
| --- | --- |
| Global low quality, slow speed, low success rate x 1000 | $70 |
| Europe low quality, slow speed, low success rate x 1000 | $300 |
| USA, CA, UK, AU low quality, slow speed, low success rate x 1000 | $800 |
| Global med quality, 70% success rate x 1000 | $80 |
| Europe med quality, 70% success rate x 1000 | $700 |
| USA only med quality, 70% success rate x 1000 | $900+ |
| USA, CA, UK, AU med quality, 70% success rate x 1000 | $1300 |
| Europe fresh high quality x 1000 | $2300 |
| Europe aged high quality x 1000 | $1400 |
| USA high quality x 1000 | $1700 |
| CA high quality x 1000 | $1500 |
| UK high quality x 1000 | $2000 |
| Android x 1000 | $600 |
| Premium x 1000 | $6000 |

Malicious tools are installed on compromised systems (Windows, Android and others), giving attackers access to the system. Initial installation is via fake online casinos, FB/social networks, warez websites, etc.

Some forms of malware may simply use your computer’s resources for activities such as cryptocurrency mining. Others may be used to steal credentials as you enter them on a website. For each 1000 installs, hackers can often steal tens of thousands of dollars.

DDoS attack

| Product | Average dark web Price (USD) |
| --- | --- |
| Unprotected website, 10-50k requests per second, 1 hour | $10 |
| Unprotected website, 10-50k requests per second, 24 hours | $60 |
| Unprotected website, 10-50k requests per second, 1 week | $400+ |
| Unprotected website, 10-50k requests per second, 1 month | $800+ |
| Premium protected website, 20-50k requests per second, multiple elite proxies, 24 hours | $200 |

A distributed denial of service (DDoS) attack aims to take a website offline by sending thousands of requests per second in order to overload the website’s server, causing it to crash.

Why This Data Is Important

For the average person, underground market data isn’t necessarily going to provide much use as they most likely aren’t shopping around for stolen card data or PayPal accounts. Though this is true, the prices at which these items sell provide a powerful perspective.

If someone gets their hands on your financial details or social media credentials, the prices mentioned above are basically what they’re worth to them. There’s a good chance that you value these things much more than they do, as to them you’re just another mark for a quick buck.

For far less than the amount your data would sell for on the black market, you can protect it from ever reaching their hands with a couple of simple rules and habits. With this knowledge, there’s no excuse not to do what you can to protect your data.

Nothing is foolproof, however, and anyone can have their data stolen; you can only make it much harder to do so and thus less worth the effort for criminals.

How to Protect Yourself From Identity Fraud

You can work with your bank to potentially recover most assets stolen from you, but it’s a long process and a major headache. There may also be other repercussions such as unexpected credit taken out in your name, which can take years to recover from.

  • When answering your phone, make sure to never give sensitive information (such as your SSN, your debit card number, passwords) to anyone regardless of whether this is a requirement for some process. If it’s that important, do it in person.
  • Whenever you visit an ATM, check the card reader doesn’t have a skimmer. Skimmers read a card before it’s inserted into an ATM, providing a criminal with a clone of your card’s magnetic strip. This is enough to recreate your card from a “blank.” Press around the sides of the card port and see if anything feels loose. Skimmers are often made to imitate the material around the ports, but they’re delicately mounted so they’ll move when pressed with a small amount of pressure. Check for glue around the edges or tape. If you see any glue material, stay away from that ATM and call the bank. Similarly, if you have difficulty putting your card into the machine, stop trying and stay away from it.
  • Check an ATM’s keypad by slightly lifting around its edges. Fake keypads are sometimes placed over the legitimate one to record your PIN number. They’re often very loosely mounted. If it jiggles around a bit or if you notice the keypad is off-center, you should avoid using it.
  • Check often for malware on your computer to ensure that your data isn’t being recorded as you input it. Use an anti-malware tool such as AVG, and make sure it’s set to automatically update.
  • Avoid public or unsecured WiFi. If you must log into an account on a network you don’t 100% trust, use a VPN to encrypt all communications. Even bank websites can be forged to be almost undetectable if an attacker has administrative access to the network you’re using.
  • Delete accounts you don’t think you’ll use anymore. Old accounts can be compromised and this leads to problems in the future. However, this is only really an issue if you use the same password for multiple accounts.
  • Never use the same password for multiple accounts. This is the easiest way for an attacker to gain access. When a major list of account details is dumped on the dark web, your account details can be checked against other services such as email or banking, and you really don’t want them to have the same password.
  • Use a password manager such as LastPass or KeePass (both free) and you’ll always have super strong security for all your accounts but only need to remember one master password.

These rules may feel a bit complicated and burdensome, but once you get used to following them, they’ll become second nature. You develop a sense of cybersecurity that is vital online and in daily life.

Article with thanks to Miguel Gomez