After a data breach or successful phishing campaign, much of the stolen personal information is sold on black markets. Many such marketplaces reside on the dark web. But how does the sale of stolen information work, exactly, and how much money are criminals making from stolen data?
Comparitech researchers analyzed the prices of stolen credit cards, hacked PayPal accounts, and private Social Security numbers on more than 40 different dark web marketplaces. We looked at prices based on account balance, credit limit, country, and what information is included with a given listing.
You might be surprised to find out how little—or how much—your data is worth depending on a few key factors.
- Americans have the cheapest fullz (full credentials), averaging $8 per record. Japan and the UAE have the most expensive identities at an average of $25.
- Prices for stolen credit cards range widely from $0.11 to $986.
- Hacked PayPal accounts range from $5 to $1,767.
- US and UK accounted for highest percentage of stolen credit cards which reflected in lower average price of $1.50 and $2.50 respectively.
- The median credit limit on a stolen credit card is 24 times the price of the card.
- The median account balance of a hacked PayPal account is 32 times the price on the dark web.
Social Security numbers and fullz
Social Security numbers and other national ID numbers are for sale on the dark web but aren’t particularly useful to cybercriminals on their own.
They are usually accompanied by other personal information, including a person’s name, date of birth, address, phone number, account numbers, and other personal information that cybercriminals use for identity fraud, including opening up new lines of credit in the victim’s name, taking over accounts, and withdrawing from banks, among other crimes.
These bundles of personal info are called “fullz“, short for “full credentials.” So instead of looking at the prices of SSNs on their own, Comparitech researchers analyzed the prices of fullz.
A few factors affect the price of fullz:
As with credit cards, the location of the victim whose information is up for sale has a significant influence on price. Americans have the cheapest fullz, averaging $8 per record. Japan, the UAE, and Europe have the most expensive identities at an average of $25.
|Country||Fullz price on dark web (average, US$)|
Note that countries other than the US might not use Social Security numbers, but they usually have a similar national ID number, such as the UK’s SIN numbers.
Not all fullz are the same. While SSN, name, and DOB are all fairly standard in fullz, other information can be included or excluded and thereby change the price. Fullz that come with a driver’s license number, bank account statement, or utility bill will be worth more than those without, for example.
Some fullz even include photos or scans of identification cards, such as a passport or driver’s license.
Credit card vs PayPal: which is worth more on the dark web?
Credit cards make up the biggest portion of stolen payment data on the dark web, researchers say, followed by PayPal accounts.
Prices for stolen credit cards range widely from $0.11 to $986.
Hacked PayPal accounts are worth more on average, ranging from $5 to $1,767.
We looked into several factors that determine the price of stolen credit cards and PayPal accounts:
Wholesale data dumps
Stolen credit card data can be sold individually or in bulk, the latter of which is called a “dump”. A dump contains the information of dozens, hundreds, or even thousands of credit card numbers, usually from the same source. They might all have been collected from a single data breach, for example, or from the same card skimmer placed on a gasoline pump.
The wholesale price of a single credit card is typically at least half that of one sold individually, if not a much higher discount.
Country of issuance greatly influences credit card prices
Nearly two out of every three stolen credit cards are issued in the US, according to cybersecurity firm Sixgill. No other country accounted for more than 10 percent of stolen cards. The second-largest source of stolen card data came from the U.K.
|Country||Price of CC on dark web (average, US$)|
The huge supply from those countries is reflected in their lower average price. US credit cards were priced at a median of $1.50, while UK cards cost $2.50 on average.
The most valuable credit cards come from the EU, with a median price of US$8 each.
Japan, the UAE, Mexico, New Zealand, Australia, and Colombia all tied for second-most expensive cards, with a median value of $8 each.
Countries are not typically listed on hacked PayPal accounts, so we couldn’t compare prices for those.
More card info = higher price
How could a credit card number only be worth 11 cents, you might ask?
The answer: if it’s only a number.
Additional info including the cardholder’s name, CVV, postal code, and expiration date all contribute to a stolen card’s worth, researchers explain.
Most stolen credit cards are used in card-not-present (CNP) transactions. Almost all online purchases are CNP transactions, meaning the card isn’t actually swiped, scanned, or tapped at a point of sale. CNP transactions often require all of the above information before processing payment.
Additionally, the expiration date indicates whether a card number is still valid.
So is a card number by itself worthless? Not quite. A criminal could use special hardware to forge simple magnetic-strip duplicates of cards and use them where magnetic strip readers are still in use. Gas stations in the US, for example, are often still equipped with magnetic strip readers instead of tap or chip card readers.
Return on investment: account balance and credit limit
When listed, researchers took note of the credit limits on credit cards and the account balances of debit cards, bank accounts, and PayPal accounts. They used this to calculate a maximum return on investment for each item.
The median credit limit on a stolen credit card is 24 times the price of the card. The median account balance of a hacked PayPal account is 32 times what a cybercriminal would pay for it on the dark web. That could explain why prices for PayPal accounts are higher than credit cards on average.
Surprisingly, however, prices of stolen credit cards didn’t correlate to their credit limits (r = -0.2). It seems paying a higher price for a credit card with a higher limit is not worth it to cybercriminals.
The balance available on PayPal accounts had a slight but not strong correlation to their price (r = 0.46).
Black market vendors have a strong incentive to keep their customers happy. Reputation and positive feedback play a huge role in a vendor’s success, and many customers are willing to pay a premium for goods and services they know they can rely on.
One listing, for example, listed a PayPal account for US$811. The vendor promised the balance on the account would be €5000 +/- €200 with a 48-hour replacement guarantee in case of chargebacks. The customer can request a date and time that the account be handed over. If an account with the full amount is not available, the vendor will split it into separate transactions.
I wish my bank had that kind of customer service.
Keeping your data safe
Credit cards, Paypal accounts, and fullz are the most popular types of stolen information traded on the dark web, but they’re far from the only data worth stealing. Sales of passports, driver’s licenses, frequent flyer miles, streaming accounts, dating profiles, social media accounts, bank accounts, and debit cards are also common, but not nearly as popular.
Most data bought and sold on dark web marketplaces is stolen through phishing, credential stuffing, data breaches, and card skimmers. Here’s a few tips for avoiding those attacks:
- There’s not much an end user can do about data breaches except to register fewer accounts and minimize your digital footprint.
- Keep an eye out for card skimmers at points of sale, particularly unmanned ones such as those at gas stations.
- Learn how to spot and avoid phishing emails and other messages.
- Credential stuffing can be avoided by using strong, unique passwords on all of your accounts.