When a hacker writes up new malware, steals a database, or phishes someone for their credit card number, the next step is often toward dark net marketplaces. These black markets allow buyers and sellers to make anonymous transactions using a combination of encrypted messages, aliases, and cryptocurrency.
Comparitech researchers sifted through several illicit marketplaces on the dark web to find out how much our private information is worth. Where possible, we’ll also examine how prices have changed over time.
For this study, the researchers focused on PayPal accounts and credit cards.
Before we go into more detail, here are some of our key findings:
- US$17.36 is the average price of one stolen credit card’s information, about $0.0033 per dollar of credit limit
- US$171 is the average price of a physical, cloned credit card, or $0.0575 per dollar of credit limit
- US$197 is the average price of a hacked PayPal account or balance transfer, or 9.2 cents per dollar in the account balance
- Prices for stolen credit cards and PayPal accounts roughly correlate to their credit limits and account balances, respectively
- Compared to a similar study 8 months prior, prices for credit cards fell this year by 27%, but prices for PayPal accounts went up 194%
Credit cards can be sold as physical or digital items on the dark web. Credit card details used for online fraud are cheaper and can be sent in a text message. Physical cards are usually cloned from details stolen online, but can be used to withdraw from ATMs. Because the merchant requires equipment to clone the card and must send the buyer a physical product complete with PIN number, the price for cloned cards is much higher.
US$17.36 is the average price for a credit card number, CVV, expiration date, cardholder name, and postal code—the basics. That’s more than double the average price we recorded about eight months prior in a similar study, though that’s not the whole story.
Back then, the median credit limit on a stolen credit card was 240 times the price of the stolen card, or about 0.42 cents (US$0.0042) per dollar. Our new results show the figure is now 0.33 cents per dollar, or 306 times the price of the stolen card.
The average price of a cloned, physical card is $171, or 5.75 cents per dollar of credit limit.
We noted a medium-strength positive correlation (r = 0.56) between a cloned card’s credit limit and its price. The correlation was less strong but still apparent in sales of credit card details (r = 0.41). The average credit limit on the listings we examined was $2,980.
Which type of credit card is worth the most on the dark web?
We divided the average price for cloned copies of each major brand of credit card by the average credit limit in the listings we examined to find out which types of credit cards are worth the most to criminals:
- American Express: 5.13 cents per dollar
- Discover: 6.27 cents per dollar
- MasterCard: 6.47 cents per dollar
- Visa: 5.75 cents per dollar
Brand is just one of many considerations, however. Credit card prices vary wildly. Several factors can contribute to a higher price on the dark web:
- Whether the product is a physical card (usually cloned) or digital (just the number and other information on the card)
- Expiration date – newer cards are more likely to be valid
- Credit limit
- Location and postal code – some buyers want cards from specific locations
- Card tier – Gold and Platinum cards tend to be worth more
- CVV – cards that include CVV numbers are worth more
- Whether the card has been sold before
- Cards with ATM PINs are worth more
- Balance and validity verification
- Whether the card is sold individually or in bulk
- Brand of card (VISA, AMEX, Discover, MasterCard, etc)
- Cardholder’s personal information (fullz)
- Daily withdrawal limit
What are stolen credit cards used for?
Thieves buy cards in order to cash them out or make purchases that can be resold. In the past, thieves would use the cards to buy less traceable forms of money like cryptocurrency or gift cards. Notably, that behavior has changed, as one vendor put it in his product description…
“We are in 2021 don’t think u can get BTC Or gift cards from carding” [sic]
That merchant specifically mentioned that using a stolen card on a store that uses Verified by Visa (VBV) will likely void the card. Verified by Visa is a service that prompts the cardholder for a one-time password whenever their card is used at participating stores. MasterCard has a similar feature called SecureCode, or MCSC.
Carders tend to target specific sites that don’t have VBV or other protections against fraud. Some vendors even sell lists of “cardable” sites for a few dollars. For fledgling criminals who don’t know how to use stolen credit cards, there are plenty of free and paid tutorials for carding on the dark web.
Some vendors sell additional information about the cardholder, referred to as “fullz”. Fullz, or full information, includes the cardholder’s social security number, street address, birth date, and more. Adding in fullz increases the price, but only marginally: about $30 for a physical card and less than a dollar when added to other card info.
A fair number of vendors include access to a SOCKS5 internet proxy that can be used by the buyer to match their computer’s IP address location with that of the cardholder in order to avoid being blacklisted.
Due to limited data on credit cards from other countries, we were unable to adequately compare prices for credit cards from different places.
The black market price of stolen PayPal accounts mainly comes down to the existing account balance (r = 0.87). The average price of a PayPal account across all of the marketplaces we examined was $196.50, with an average account balance of $2,133.61. That means buyers pay about 9.2 cents per dollar in the PayPal account, which is almost double the price-to-credit limit ratio on physical credit cards.
In a similar study earlier this year, we noted an average price of 3.13 cents per dollar in the account. So unlike credit cards, prices for PayPal accounts and transfers have gone up during the pandemic by 293 percent.
Like credit cards, PayPal accounts have different tiers. Most of us just have the standard personal account, but Premier and Business accounts also exist, and are up for sale on the dark web. But those tiers don’t have much influence on dark web prices, which are largely governed by account balance.
- Individual accounts cost $161.59 on average, with an average account balance of $1,732.85, or 9.32 cents per dollar
- Premier accounts cost $186.31 on average, with an average balance of $2,029.95, or 9.18 cents per dollar
- Business accounts cost $246 on average, with an average balance of $2,684.29, or 9.18 cents per dollar
Why do cybercriminals hack PayPal accounts?
PayPal accounts are sought after by cybercriminals for a few reasons:
- They can be accessed from anywhere with a web browser
- They usually have existing balances
- It’s easy to send money on PayPal
- It’s a common form of payment; many merchants accept it
Hijacking a PayPal account requires a different approach than stealing a credit card number. Instead of card numbers and CVVs, criminals steal usernames and passwords that they’ve gathered either through phishing or malware. They can then sell the account credentials to a buyer who can log in and drain the funds, or the vendor can transfer the requested amount of money from the victim’s account to the buyer’s account.
In addition to PayPal account balances, they can also transfer money from any connected bank accounts or credit cards. On top of all that, they could make purchases or request money from contacts listed in the PayPal account.
Social Security numbers and fullz
- Americans have the cheapest fullz (full credentials), averaging $8 per record. Japan and the UAE have the most expensive identities at an average of $25.
Social Security numbers and other national ID numbers are for sale on the dark web but aren’t particularly useful to cybercriminals on their own.
They are usually accompanied by other personal information, including a person’s name, date of birth, address, phone number, account numbers, and other personal information that cybercriminals use for identity fraud, including opening up new lines of credit in the victim’s name, taking over accounts, and withdrawing from banks, among other crimes.
These bundles of personal info are called “fullz,” short for “full credentials.” So instead of looking at the prices of SSNs on their own, Comparitech researchers analyzed the prices of fullz.
A few factors affect the price of fullz:
As with credit cards, the location of the victim whose information is up for sale has a significant influence on price. Americans have the cheapest fullz, averaging $8 per record. Japan, the UAE, and Europe have the most expensive identities at an average of $25.
|Country||Fullz price on dark web (average, US$)|
Note that countries other than the US might not use Social Security numbers, but they usually have a similar national ID number, such as the UK’s SIN numbers.
Not all fullz are the same. While SSN, name, and DOB are all fairly standard in fullz, other information can be included or excluded and thereby change the price. Fullz that come with a driver’s license number, bank account statement, or utility bill will be worth more than those without, for example.
Some fullz even include photos or scans of identification cards, such as a passport or driver’s license.
Keeping your data safe
Credit cards, PayPal accounts, and fullz are the most popular types of stolen information traded on the dark web, but they’re far from the only data worth stealing. Sales of passports, driver’s licenses, frequent flyer miles, streaming accounts, dating profiles, social media accounts, bank accounts, and debit cards are also common, but not nearly as popular.
Most data bought and sold on dark web marketplaces is stolen through phishing, credential stuffing, data breaches, and card skimmers. Here are a few tips for avoiding those attacks:
- There’s not much an end user can do about data breaches except to register fewer accounts and minimize their digital footprint.
- Keep an eye out for card skimmers at points of sale, particularly unmanned ones such as those at gas stations.
- Learn how to spot and avoid phishing emails and other messages.
- Credential stuffing can be avoided by using strong, unique passwords on all of your accounts.
Comparitech researchers gathered listings for stolen credit cards, PayPal accounts, and other illicit goods and services on 13 dark web marketplaces. For legal reasons, we will not publicly disclose which marketplaces were used. Information in the listings was entered into a spreadsheet for data analysis and statistical calculations.
In total, the analysis included more than 200 listings for PayPal accounts and about 400 listings for credit cards.